way to reduce passwords


Post by janneh »

Hi,
I've been working on a small app to reduce asking of passwords across Linux Mint platform. For me it seems that passwords at logging and lock screen are good enough. The app browses through pkexec's xml-files and changes them to allow password-free user experience. It is written in python and tk. Here is a preliminary version. It's tested on Linux Mint 18.3 and 19.
Note: it only changes the way pkexec acts; sudo is another case altogether.
[Attached screenshot: pwp2.png]
Disclaimer: I don't take any responsibility if the program fails or does damage to your system

Post by catweazel »

janneh wrote: Tue Sep 04, 2018 3:58 am Disclaimer: I don't take any responsibility if the program fails or does damage to your system
Don't try this at home, folks!
"There is, ultimately, only one truth -- cogito, ergo sum -- everything else is an assumption." - Me, my swansong.

Post by HaveaMint »

catweazel wrote: Tue Sep 04, 2018 4:05 am
janneh wrote: Tue Sep 04, 2018 3:58 am Disclaimer: I don't take any responsibility if the program fails or does damage to your system
Don't try this at home, folks!
So... try it on work PCs? That's why they have IT, right? :lol:
"Tune for maximum Smoke and then read the Instructions".

Post by Moem »

janneh wrote: Tue Sep 04, 2018 3:58 am For me it seems that passwords at logging and lock screen are good enough.
I strongly disagree. I very much do not want to cripple Mint's built-in security.
Why would you do that? What's the advantage?
Image

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!

Post by gm10 »

Well, I have to say this thread is refreshing. Usually the only suggestion you see in the Linux community when you're looking to reduce security is just https://www.microsoft.com. Crippling Linux itself is much more creative in comparison. :lol:

Post by kc1di »

I've always believed that one of the great strengths of Linux is its security, why would anyone want to defeat that?
Easy tips : https://easylinuxtipsproject.blogspot.com/ Pjotr's Great Linux projects page.
Linux Mint Installation Guide: http://linuxmint-installation-guide.rea ... en/latest/
Registered Linux User #462608

Post by rene »

janneh wrote: Tue Sep 04, 2018 3:58 am The app browses through pkexec's xml-files and changes them to allow password-free user experience.
You should not do that: the way to override standard polkit policies locally is by creating/editing files in /etc/polkit-1/localauthority/50-local.d/. As an example for the first one from the screenshot, com.linuxmint.mintsources, you'd create a file e.g. /etc/polkit-1/localauthority/50-local.d/com.linuxmint.mintsources.pkla containing

[com.linuxmint.mintsources]
Identity=unix-user:0;unix-group:sudo;unix-group:admin
Action=com.linuxmint.mintsources
ResultActive=yes
The bit between square brackets is freeform, as is the filename itself save ordering and the .pkla extension; see man pklocalauthority for information. The above "Identity" mimics the standard Ubuntu/Mint AdminIdentities. While rather poorly/obscurely documented, polkit is in fact fairly configurable: the files under /usr/share/polkit-1 should not be touched...

Other than that: do have fun fending off the secuwity-... :-) Crude word removed by a moderator; please mind your language.
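An audit for the kind of override described in the post above, as an added example that is not part of the original thread or any poster's code. It parses `.pkla` entries and `.policy` defaults and lists every grant that needs no authentication; the function names are hypothetical, `SAMPLE_POLICY` is constructed, and `/usr/share/polkit-1/actions` is assumed to be where the policy XML files live.

```python
import configparser
import xml.etree.ElementTree as ET
from pathlib import Path

# The .pkla entry quoted in the post above.
SAMPLE_PKLA = """[com.linuxmint.mintsources]
Identity=unix-user:0;unix-group:sudo;unix-group:admin
Action=com.linuxmint.mintsources
ResultActive=yes
"""
# Constructed .policy fragment (not a real shipped file) for the same action id.
SAMPLE_POLICY = """<policyconfig><action id="com.linuxmint.mintsources">
<defaults><allow_any>no</allow_any><allow_inactive>no</allow_inactive>
<allow_active>yes</allow_active></defaults></action></policyconfig>"""

def pkla_grants(text, source="<inline>"):
    """Return .pkla entries that allow an action with no authentication."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep key case: ResultActive, not resultactive
    cp.read_string(text, source=source)
    found = []
    for name in cp.sections():
        sec = cp[name]
        grants = [k for k in ("ResultAny", "ResultInactive", "ResultActive")
                  if sec.get(k, "").strip() == "yes"]
        if grants:
            found.append({
                "source": source, "entry": name, "grants": grants,
                "actions": [a for a in sec.get("Action", "").split(";") if a],
                "identities": [i for i in sec.get("Identity", "").split(";") if i]})
    return found

def policy_grants(xml_text, source="<inline>"):
    """Return actions in a .policy file whose defaults contain 'yes'."""
    found = []
    for action in ET.fromstring(xml_text).iter("action"):
        grants = [k for k in ("allow_any", "allow_inactive", "allow_active")
                  if (action.findtext("defaults/" + k) or "").strip() == "yes"]
        if grants:
            found.append({"source": source, "action": action.get("id"), "grants": grants})
    return found

def scan(pkla_root="/etc/polkit-1/localauthority",
         policy_root="/usr/share/polkit-1/actions"):  # assumed standard location
    """Audit both trees; malformed or unreadable files are collected, not fatal."""
    report, errors = [], []
    for paths, parse in ((Path(pkla_root).rglob("*.pkla"), pkla_grants),
                         (Path(policy_root).glob("*.policy"), policy_grants)):
        for p in sorted(paths):
            try:
                report += parse(p.read_text(errors="replace"), str(p))
            except (OSError, configparser.Error, ET.ParseError) as exc:
                errors.append((str(p), str(exc)))
    return report, errors

if __name__ == "__main__":
    for finding in pkla_grants(SAMPLE_PKLA) + policy_grants(SAMPLE_POLICY) + scan()[0]:
        print(finding)
```

Shipped policies legitimately default some actions to `yes`, so treat the output as a review list rather than proof of tampering.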

Post by Pepi »

All that code needs is a fuse attached to it :mrgreen:

Post by DAMIEN1307 »

the fuse is already attached...it's just waiting for a match to light it...lol...DAMIEN

Post by rene »

Pepi wrote: Tue Sep 04, 2018 7:58 am All that code needs is a fuse attached to it :mrgreen:
Because applying it lessens your security in the following manner: .......... (please fill out with black or blue pen).

I'm serious: please do answer. Because I myself know in what (extremely minor) way the above potentially does lessen security, but given the alarmist tone chances are better than 90% you do not and/or did not until you made some effort in view of this explicit request to substantiate yourself. Computer security is a field in which literally more than 90% of people, including more than 90% of people posting security comments on forums such as these, have basically no idea what any of it is about.

This is a very serious problem because the "general population" who use computers only so as to use them indeed, who have other than no knowledge of computer-security very little interest in computer-anything, also lack the required knowledge to separate good advice from the vocal nonsense, yet the latter far outnumbers the former. In the end this makes them less secure: if people don't just end up following all sorts of bad advice, they just give up listening to everyone as a result -- and janneh and I as such end up endlessly more secure even with the above mintsources tweak than they are without.

It is truly vital for the maintainability of this all that the internet culture regarding computer security changes; that it is no longer about testosterone-driven boys (of any age and gender but usually in fact boys) donning matrix sunglasses and feeling all hacker, and starts being about having some sort of idea.

Post by gm10 »

rene wrote: Tue Sep 04, 2018 8:34 am Because applying it lessens your security in the following manner: .......... (please fill out with black or blue pen).

I'm serious: please do answer. Because I myself know in what (extremely minor) way the above potentially does lessen security, but given the alarmist tone chances are better than 90% you do not and/or did not until you made some effort in view of this explicit request to substantiate yourself.
Oh, the classic "you're wrong but I'm not gonna tell you why" bait. Not enough effort put into it to make me want to go grab the popcorn, unfortunately.
rene wrote: Tue Sep 04, 2018 8:34 am This is a very serious problem because the "general population" who use computers only so as to use them indeed, who have other than no knowledge of computer-security very little interest in computer-anything,
It's ok, Bill Gates once thought that every user should have full control of the system, too. He created the whole market for anti-virus products and personal firewalls that way. :lol:
rene wrote: Tue Sep 04, 2018 8:34 am It is truly vital for the maintainability of this all that the internet culture regarding computer security changes; that it is no longer about testosterone-driven boys (of any age and gender but usually in fact boys) donning matrix sunglasses and feeling all hacker, and starts being about having some sort of idea.
Ah, shame, you nearly had me, but that insult was just so weak sauce it shattered your entire house of cards.

Post by rene »

gm10 wrote: Tue Sep 04, 2018 8:46 am Oh, the classic "you're wrong but I'm not gonna tell you why" bait.
No, far from it. The quite explicit point I am making is not about polkit, rules, or even this particular instance -- and it's not about you. Specifically you generally know what you are talking about, and I shall as such do you the favour of not again in response suspect you to in this case to not, or to not be able to find out. The question was to Pepi (but I'll settle for DAMIEN1307), again explicitly due to the pressing need to on forums such as these "separate the good advice from the vocal nonsense". Clearly I can not be more explicit about the issue itself before being replied to without destroying that goal.

I do somewhat hope you will also have noticed me to in a majority of postings substantiate what I say, so I do also find this comment to be a bit antagonist rather than substantial, but pot, kettle, black and all. Let's just wait for a description of why it's so bad by those who claimed it is.

Post by gm10 »

rene wrote: Tue Sep 04, 2018 8:58 am I do somewhat hope you will also have noticed me to in a majority of postings substantiate what I say, so I do also find this comment to be a bit antagonist rather than substantial, but pot, kettle, black and all. Let's just wait for a description of why it's so bad by those who claimed it is.
I do know that indeed, which is why I found the rhetoric you chose actually very surprising, otherwise I would not even have gotten involved. A valuable serious discussion could have been had here if you really wanted to, but that certainly wasn't the approach to get it unfortunately.

The only thing I'll say is that while I agree with your main point about the general user base being ill informed or not at all about best security practices, I'd much rather have them err on the side of caution.
Last edited by gm10 on Tue Sep 04, 2018 9:13 am, edited 1 time in total.

Post by sdibaja »

I am not a regular mint user, but when I install Mint I start with this

Image
Peter
Mate desktop https://wiki.debian.org/MATE
Debian GNU/Linux operating system: https://www.debian.org/download

Post by Hoser Rob »

catweazel wrote: Tue Sep 04, 2018 4:05 am
janneh wrote: Tue Sep 04, 2018 3:58 am Disclaimer: I don't take any responsibility if the program fails or does damage to your system
Don't try this at home, folks!
Agreed, BAD IDEA. If Windows required passwords to install anything, like 'nix systems, that right there would largely solve the virus problem. Don't expect your friendly Windows tech to tell you that ... viruses are their bread and butter.
For every complex problem there is an answer that is clear, simple, and wrong - H. L. Mencken

Post by rene »

gm10 wrote: Tue Sep 04, 2018 9:09 am A valuable serious discussion could have been had here if you really wanted to, but that certainly wasn't the approach to get it unfortunately.
We're half an hour into this specific bit of it; I'm more patient than that trying to see the discussion unfold; something for which we'll however need to stop leading away from it, I guess.

Generally I do of course not agree with you that this would not be the right approach. As duly sketched, the very first thing that needs doing in all of this is impress upon people who know and/or care not that the vast majority of internet-forum security-advice really is zero-knowledge nonsense. Not as an insult or exaggeration, but actually, factually. Only once that is done is the road open to substance.

Post by Pepi »

rene wrote: Tue Sep 04, 2018 8:34 am
Pepi wrote: Tue Sep 04, 2018 7:58 am All that code needs is a fuse attached to it :mrgreen:
Because applying it lessens your security in the following manner: .......... (please fill out with black or blue pen).

I'm serious: please do answer. Because I myself know in what (extremely minor) way the above potentially does lessen security, but given the alarmist tone chances are better than 90% you do not and/or did not until you made some effort in view of this explicit request to substantiate yourself. Computer security is a field in which literally more than 90% of people, including more than 90% of people posting security comments on forums such as these, have basically no idea what any of it is about.

This is a very serious problem because the "general population" who use computers only so as to use them indeed, who have other than no knowledge of computer-security very little interest in computer-anything, also lack the required knowledge to separate good advice from the vocal nonsense, yet the latter far outnumbers the former. In the end this makes them less secure: if people don't just end up following all sorts of bad advice, they just give up listening to everyone as a result -- and janneh and I as such end up endlessly more secure even with the above mintsources tweak than they are without.

It is truly vital for the maintainability of this all that the internet culture regarding computer security changes; that it is no longer about testosterone-driven boys (of any age and gender but usually in fact boys) donning matrix sunglasses and feeling all hacker, and starts being about having some sort of idea.
My Common Sense Is Tingling

Post by rene »

I see. A bit anticlimactic surely, but I am afraid I will have to consider my point having been made then: your common sense is off.

You posted in direct response or at least succession to my .pkla one; just to wrap this up: that one, as poster's own tweak, specifically allows root and locally logged in administrator users access to mintsources without having to authenticate. Clearly root or administrator users have themselves access anyway through their own password so what the additional authentication for mintsources is defending against is someone finding your unattended, unlocked PC, and setting up a software source with potentially malicious content (not, mind you, installing anything from it). This is of course extremely minor and in fact in many (i.e., desktop-) situations not applicable at all; not something which, as you put it, "just needs a fuse attached".

If you were not directly responding to me but to the original poster who shows more general ambition, sure, he could in the end create a more substantial issue but that is what I am here stressing: judge on actual individual merit, not through some blanket, overarching "security good" sense, without even an idea of what is being done. If you do not, people who can not tell substance from none are in the end the victim.

Post by gm10 »

rene wrote: Tue Sep 04, 2018 10:32 am so what the additional authentication for mintsources is defending against is someone finding your unattended, unlocked PC, and setting up a software source with potentially malicious content (not, mind you, installing anything from it). This is of course extremely minor and in fact in many (i.e., desktop-) situations not applicable at all; not something which, as you put it, "just needs a fuse attached".
Or any remote attacker now able to introduce a malicious repository which will fully compromise the system the next time you install updates via Update Manager. This isn't minor. Of course you could argue that if your user account has already been compromised then a root compromise is just waiting to happen, and you'd be right (you'd probably just get your next sudo password key-logged), but that's not a good argument against a multi-layered security protocol. You also know that any determined thief will be able to break the lock on your front door. You'll still use that lock regardless because not using it would be dumb.

Desktop Linux isn't close to being as secure as many of its users believe, but further weakening the security can never be the solution.

Post by Pjotr »

rene wrote: Tue Sep 04, 2018 10:32 am I see. A bit anticlimactic surely, but I am afraid I will have to consider my point having been made then: your common sense is off.

You posted in direct response or at least succession to my .pkla one; just to wrap this up: that one, as poster's own tweak, specifically allows root and locally logged in administrator users access to mintsources without having to authenticate. Clearly root or administrator users have themselves access anyway through their own password so what the additional authentication for mintsources is defending against is someone finding your unattended, unlocked PC, and setting up a software source with potentially malicious content (not, mind you, installing anything from it). This is of course extremely minor and in fact in many (i.e., desktop-) situations not applicable at all; not something which, as you put it, "just needs a fuse attached".

If you were not directly responding to me but to the original poster who shows more general ambition, sure, he could in the end create a more substantial issue but that is what I am here stressing: judge on actual individual merit, not through some blanket, overarching "security good" sense, without even an idea of what is being done. If you do not, people who can not tell substance from none are in the end the victim.
You're only mentioning mintsources. In the screenshot of the OP's thread starter, I see also synaptic and debian apt.

I don't think it's a good idea to have a local user have full privileges for those (mintsources included), without the need for a password. It's not only about somebody finding my unattended unlocked PC, it's also about "accidentally" executed scripts.... That's a much more likely and threatening scenario. Such scripts could even be hidden on a website you visit, for instance.

I'd say that Pepi's common sense is pretty much right in this matter. :mrgreen:
Tip: 10 things to do after installing Linux Mint 21.3 Virginia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.