way to reduce passwords


Re: way to reduce passwords

Post by kc1di »

Pjotr wrote: Tue Sep 04, 2018 11:06 am You're only mentioning mintsources. In the screenshot of the OP's thread starter, I see also synaptic and debian apt.

I don't think it's a good idea to have a local user have full privileges for those (mintsources included), without the need for a password. It's not only about somebody finding my unattended unlocked PC, it's also about "accidentally" executed scripts.... That's a much more likely and threatening scenario. Such scripts could even be hidden on a website you visit, for instance.

I'd say that Pepi's common sense is pretty much right in this matter. :mrgreen:
+1 8)
Easy tips : https://easylinuxtipsproject.blogspot.com/ Pjotr's Great Linux projects page.
Linux Mint Installation Guide: http://linuxmint-installation-guide.rea ... en/latest/
Registered Linux User #462608

Re: way to reduce passwords

Post by rene »

gm10 wrote: Tue Sep 04, 2018 11:05 am Or any remote attacker now able to [ ... ]
No. I was giving ResultActive=yes permission which applies only for active sessions on local consoles.
Pjotr wrote: Tue Sep 04, 2018 11:06 am You're only mentioning mintsources.
I am not; see last paragraph.

I'll not bother also quoting the "+1" reply but do feel tempted to note that it is of course itself a rather fine illustration of the main problem that I have been describing. We need arguments -- and not just (supposed) authority ones either. That point's been made a few times now though, so unless something else interesting is added I'll consider this thread concluded. Anyone feel free to benefit from the in it embedded wisdom :-)

Re: way to reduce passwords

Post by gm10 »

rene wrote: Tue Sep 04, 2018 11:36 am
gm10 wrote: Tue Sep 04, 2018 11:05 am Or any remote attacker now able to [ ... ]
No. I was giving ResultActive=yes permission which applies only for active sessions on local consoles.
Remote attacker > remote console. The typical scenario is a malicious website exploiting a browser/browser plugin (flash!) bug or malicious piece of code getting downloaded and executed by the user. Maybe you're running a server of some sort that got compromised.

Re: way to reduce passwords

Post by trytip »

this just goes to show you how easy you can manipulate pkexec and how much less secure it is than gksu. i did this a while back and still alter .policy of annoying things i need to enter passwords. Timeshift got smart and altered its startup to use a launcher script avoiding the use of calling on a file stored in /usr/share/polkit-1/actions/. you can try it and see for yourself.
it's your computer do what you want with it don't let pkexec be the boss of you

disclaimer: don't come crying when you broke something, if you haven't learned by now how to undo your changes or restore a timeshift snapshot
Last edited by trytip on Tue Sep 04, 2018 3:58 pm, edited 3 times in total.

Re: way to reduce passwords

Post by gm10 »

trytip wrote: Tue Sep 04, 2018 12:11 pm this just goes to show you how easy you can manipulate pkexec and how much less secure it is than gksu.
Why? You can do the same thing with sudo via sudoers. And while sudo is all or nothing, polkit is a modular approach. Great step forward.
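
An added example, not part of any post in this thread and not code from polkit or Mint: a read-only Python audit for the two mechanisms the posts above mention, a local-authority .pkla entry with ResultActive=yes and edited .policy defaults under /usr/share/polkit-1/actions/. It reports which session scope each password-free grant covers; the sample identity and action ids are constructed placeholders, and the /etc/polkit-1/localauthority path is an assumption about where the system keeps its .pkla files.

```python
import configparser
import glob
import xml.etree.ElementTree as ET

# Session scope of each .pkla key / .policy element.
ACTIVE, INACTIVE, ANY = "active local session", "inactive local session", "any client"
SCOPES = {"ResultActive": ACTIVE, "ResultInactive": INACTIVE, "ResultAny": ANY,
          "allow_active": ACTIVE, "allow_inactive": INACTIVE, "allow_any": ANY}

def audit_pkla(text):
    """Return (action, scope) for every .pkla result that is a bare 'yes'."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep key case: ResultActive, not resultactive
    cp.read_string(text)
    hits = []
    for name in cp.sections():
        for key in ("ResultActive", "ResultInactive", "ResultAny"):
            if cp[name].get(key, "").strip() == "yes":
                hits.append((cp[name].get("Action", "?"), SCOPES[key]))
    return hits

def audit_policy(xml_text):
    """Return (action id, scope) for every .policy default that is a bare 'yes'."""
    hits = []
    for action in ET.fromstring(xml_text).iter("action"):
        for tag in ("allow_active", "allow_inactive", "allow_any"):
            if (action.findtext(f"defaults/{tag}") or "").strip() == "yes":
                hits.append((action.get("id"), SCOPES[tag]))
    return hits

# Constructed samples: identity and action ids are placeholders, not real Mint actions.
SAMPLE_PKLA = """\
[Constructed entry: no password for a package-source tool]
Identity=unix-user:alice
Action=org.example.sources
ResultAny=no
ResultInactive=no
ResultActive=yes
"""
SAMPLE_POLICY = """\
<policyconfig>
  <action id="org.example.backup.run">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

if __name__ == "__main__":
    # Real files; the .pkla directory is usually readable by root only.
    targets = [("/etc/polkit-1/localauthority/*/*.pkla", audit_pkla),
               ("/usr/share/polkit-1/actions/*.policy", audit_policy)]
    for pattern, audit in targets:
        for path in glob.glob(pattern):
            try:
                with open(path, encoding="utf-8") as fh:
                    print(path, audit(fh.read()))
            except (OSError, ValueError, configparser.Error, ET.ParseError) as exc:
                print(path, "skipped:", exc)
    print("samples:", audit_pkla(SAMPLE_PKLA) + audit_policy(SAMPLE_POLICY))
```

A hit scoped to "any client" is the one that reaches beyond a user sitting at the local console; a hit scoped to the active local session still applies to every process running in that session.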

Re: way to reduce passwords

Post by trytip »

@gm10
i already altered sudoers a long time ago to allow sudo apps to run without password when i couldn't get hddtemp to show in my conky because it needed to run as sudo. i wasn't going to mention it, but yeah you're right HACK THE PLANET
Last edited by trytip on Wed Sep 05, 2018 11:40 am, edited 2 times in total.

Re: way to reduce passwords

Post by rene »

gm10 wrote: Tue Sep 04, 2018 11:55 am Maybe you're running a server of some sort that got compromised.
And maybe you're not. That is again the point; this thread is not about distribution defaults but about users making individual choices. About individual situations that need to be judged on individual merits. Not through, I semi-quote myself, blanket, overarching, thoughtless dogma.

Re: way to reduce passwords

Post by sdibaja »

Nothing to hide, nothing to lose?
... trying to be polite

Mint is loose as goose already, please don't make it worse. Then you will blame "Linux" for your stupidity.
Peter
Mate desktop https://wiki.debian.org/MATE
Debian GNU/Linux operating system: https://www.debian.org/download

Re: way to reduce passwords

Post by gm10 »

rene wrote: Tue Sep 04, 2018 12:26 pm
gm10 wrote: Tue Sep 04, 2018 11:55 am Maybe you're running a server of some sort that got compromised.
And maybe you're not. That is again the point; this thread is not about distribution defaults but about users making individual choices. About individual situations that need to be judged on individual merits. Not through, I semi-quote myself, blanket, overarching, thoughtless dogma.
And maybe you don't even have an Internet connection and none of this matters. But that is quite certainly not the actual point. Not a single individual situation was judged here, we're giving general advice for the non-expert user who cannot accurately judge their own situation.

Personally I may be doing a number of things that I advocate against doing on these forums (compromising my security is not one of them though). Because the context is different. I won't be coming here looking for help when my own mess blows up in my face.
sdibaja wrote: Tue Sep 04, 2018 12:32 pm Mint is loose as goose already, please don't make it worse. Then you will blame "Linux" for your stupidity.
Quoted for emphasis.

Re: way to reduce passwords

Post by rene »

gm10 wrote: Tue Sep 04, 2018 12:44 pm
sdibaja wrote: Tue Sep 04, 2018 12:32 pm Mint is loose as goose already, please don't make it worse. Then you will blame "Linux" for your stupidity.
Quoted for emphasis.
Emphasis on, I gather, there being no indication provided as to why Mint is "loose as goose" but only the blanket statement itself.

OK, veryvery sorry, shall now be really gone -- but heavens, do dogmatists ever annoy me....

Re: way to reduce passwords

Post by gm10 »

rene wrote: Tue Sep 04, 2018 12:52 pm Emphasis on, I gather, there being no indication provided as to why Mint is "loose as goose" but only the blanket statement itself.

OK, veryvery sorry, shall now be really gone -- but heavens, do dogmatists ever annoy me....
We could get into how Mint can be hardened, but the emphasis was rather on the target audience, just as I had touched upon in the rest of my post. Mint is probably the most Linux newbie friendly distro of all of them, it draws lots of Windows converts due to its similar desktop layout. Most of us keep that in mind when giving advice here.

Windows users by default log in with an administrative account (the horror), they're used to just clicking away UAC prompts and thus feel greatly inconvenienced by password challenges in Linux. They have no idea why those may or may not matter, so giving them a tool pandering to their laziness, allowing them to disable an entire layer of security with a single click is dangerous advice, that's all that I and everybody else here have been saying no matter how you're trying to paint it.

Your insult attempts are getting tiring.

Re: way to reduce passwords

Post by Pjotr »

@rene: your messages in this thread seem rather unlike you. I appreciate you as a knowledgeable and helpful forum member (your track record is impressive), but I must say that it puzzles me why you don't address several clear practical technical concerns that have been raised here.

Instead you come with vague theoretical arguments that seem to ignore the aforementioned clear practical technical concerns. Why?
Tip: 10 things to do after installing Linux Mint 21.3 Virginia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

Re: way to reduce passwords

Post by rene »

Well, unfortunate, but one more then because this one's quite a bit too good to pass up....
Pjotr wrote: Tue Sep 04, 2018 3:36 pm Instead you come with vague theoretical arguments that seem to ignore the aforementioned clear practical technical concerns. Why?
Really, are you kidding me? I am the only person in this thread who has not wrt. technology posited anything theoretical and the only person in this thread who has described the (once again extremely minimal) practical technical concern at least of what is my own original and quite practical contribution to it; that .pkla file and the accompanying advice to not go muck around /usr/share/polkit-1.

The two immediately following posts are then from two individuals saying this is all very very dangerous indeed but, having a lot of experience in the specific area of internet-forum security-related contributions, I expect they do not in fact know why that would be the case. Questioned on it it turns out that indeed I am right; that "tinglings" rather than technology, clear and practical or otherwise, are what spurred the condemnation. Satisfied my point having been made, I explain the technology and am ready to call it a day.

We then however unfortunately have a normally technically competent poster either initially unaware of the local/remote difference (although explicitly mentioned in the explanation) or being at the very least unduly alarmist by introducing "any remote attacker now able to introduce a malicious repository" even though this on second thought is explained to be only on the extremely theoretical premise of original poster or I maybe having a compromised internet accessible server running on our Mint desktops.

As said, yeah, and maybe not. This is a thread by an original poster tweaking his individual system, admittedly with help of code he intends to be of wider appeal; tweaking one's own system according to one's own individual wishes and in one's own individual circumstances is certainly what anyone should feel free to do, and/but clearly I would not mind comments as to this not necessarily being a good idea for anyone, anytime, anywhere. That is however not what we're getting. What we get in threads such as these, in all threads such as these, is to me very annoying zero-knowledge groupthink, with not a single concern substantiated, let alone "clear(ly) technical(ly)". Really, where the aich did you get that formulation from....

The thing that annoys me most about said groupthink I have already explained: sensible security advice is as far as the even less technically competent and/or inclined are concerned completely drowned out by the massive amount of unsubstantiated nonsense. Not theoretically but actually. Going against groupthink is never popular within any group (clearly; we're butting up against the definition of "group" here) but concerning the particular group here on the forum I am afraid you will just have to put up with it for as long as I post here. Because it is important and because I can assure you that it is very, very much like me.

Re: way to reduce passwords

Post by Pjotr »

rene wrote: Tue Sep 04, 2018 5:45 pm very annoying zero-knowledge groupthink, with not a single concern substantiated, let alone "clear(ly) technical(ly)".
Well then, why not answer this clear practical and technical concern that I've voiced earlier in this thread:

"In the screenshot of the OP's thread starter, I see also synaptic and debian apt.

I don't think it's a good idea to have a local user have full privileges for those (mintsources included), without the need for a password. It's not only about somebody finding my unattended unlocked PC, it's also about "accidentally" executed scripts.... That's a much more likely and threatening scenario. Such scripts could even be hidden on a website you visit, for instance."

Note that out of respect for your track record on this forum, I'm currently still trying to stay polite, friendly and constructive. Even when confronted with a reply that maybe does not entirely meet those standards.

Re: way to reduce passwords

Post by rene »

Pjotr wrote: Tue Sep 04, 2018 6:05 pm Such scripts could even be hidden on a website you visit, for instance.
I have been in that conversation with you before. No, they could not: you have an unrealistic idea of what say JavaScript in the browser can do and/or access: hardly anything. It is an example of what I am talking about wrt. missing knowledge.

No, I shall not concern myself further with original poster's ambitions, mainly seeing as how my main point is that they are unjudgeable unless in individual context, but certainly also since this specific subthread that doesn't seem to want to die gracefully is very much specifically about my own mentioned contribution.

No, I shall not concern myself with your last paragraph. My above post is in fact extremely friendly but even if it weren't, people are not wrong or unconstructive, either technically or morally, because they might be considered non-friendly. Or be declared such.

What I myself find to be non-constructive at this point is continuing this thread at all. Poster may still want to return but I have said all that is relevant to me.

Re: way to reduce passwords

Post by Pjotr »

rene wrote: Tue Sep 04, 2018 6:40 pm
Pjotr wrote: Tue Sep 04, 2018 6:05 pm Such scripts could even be hidden on a website you visit, for instance.
I have been in that conversation with you before. No, they could not: you have an unrealistic idea of what say JavaScript in the browser can do and/or access: hardly anything. It is an example of what I am talking about wrt. missing knowledge.

No, I shall not concern myself further with original poster's ambitions, mainly seeing as how my main point is that they are unjudgeable unless in individual context, but certainly also since this specific subthread that doesn't seem to want to die gracefully is very much specifically about my own mentioned contribution.

No, I shall not concern myself with your last paragraph. My above post is in fact extremely friendly but even if it weren't, people are not wrong or unconstructive, either technically or morally, because they might be considered non-friendly. Or be declared such.

What I myself find to be non-constructive at this point is continuing this thread at all. Poster may still want to return but I have said all that is relevant to me.
Suit yourself.

Re: way to reduce passwords

Post by BG405 »

I opened this thread thinking it would be about a password manager or something, but defeating existing security measures? :shock:
I notice it's also the OP's first and, so far, only post and that its harmful content has been removed:
Last edited by karlchen on 04 Sep 2018, 14:01, edited 1 time in total.
Reason: Removed attached zipfile holding the python scripts. - Do not post dangerous code. In this case code which reduces inbuilt system security.
If you want a relatively passwordless system, use something like Puppy (older versions at least; not sure about the latest one) which runs as root by default. Not recommended for going online with though!

ETA:
I also see that Timeshift was included which means, presumably, that the snapshots could also be compromised.
Dell Inspiron 1525 - LM17.3 CE 64-------------------Lenovo T440 - Manjaro KDE with Mint VMs
Toshiba NB250 - Manjaro KDE------------------------Acer Aspire One D255E - LM21.3 Xfce
Acer Aspire E11 ES1-111M - LM18.2 KDE 64 ----Two ROMS don't make a WRITE

Re: way to reduce passwords

Post by trytip »

i edited/removed my post about installing kdeneon repos in mint19 in case anyone read it with no backup. don't do it. kdeneon does not support 32bit libraries and is only 64bit like kaos linux.

i don't believe anyone here is altering root permissions on a work computer or some kind of enterprise server. a home user should have the ability to turn off passwords or store them in a keyring without the use of any extra services running. lately i see new linux OS completely removing root access to apps like plasma now does not allow krusader, dolphin, kate in root mode. why?

maybe on their way to please commercial enterprises that may add their plasma as their server os they are pushing the home user aside. many youtubers like Average Linux User when i asked a while back where did root access go with the new plasma, he in turn asked me "why would you need to run any apps with root access?" i didn't respond not knowing if he was serious.

Re: way to reduce passwords

Post by BG405 »

trytip wrote: Wed Sep 05, 2018 2:10 pm when i asked a while back where did root access go with the new plasma, he in turn asked me "why would you need to run any apps with root access?"
Their thinking may be that running GUI programs as root causes too many problems, preferring the commandline for such tasks. To be honest it's my default for such things anyway. Some programs (such as Wireshark) do require (some) elevated privileges but this can be achieved without running the entire program as root.

What he should have said is "why would you need to run any GUI apps with root access?"

I do agree that removing the ability of Dolphin to run as root is a step backwards as this has always, IMO, been the most capable GUI file manager out there.

Re: way to reduce passwords

Post by trytip »

@BG405
after watching more of his videos i realize he uses KDE Plasma at his work, so i'm guessing more companies may have or let their workers use an operating system of their choice? sure in that environment you'd want your workers to stay in their home directory and not have access to sensitive files, but doesn't excuse plasma for taking it away from home users. i tried hard to like the new plasma and every once in a while i'll get the urge to try the new kaos or kdeneon and the first time i try to maybe copy some icons or themes with dolphin i remember i need to uninstall it and look for one that has root access. some repos don't even have it and you have to look somewhere outside and just too much hassle.

i see many applications and services wanting you to do multi factor authentication, and now it's an option in ubuntu 18? How to Setup Multi-Factor Authentication (MFA) in Ubuntu sure do 2 factor for every service and email and your own computer and try to remember all the 20 character random generated passwords. and what do most people do, they write them all in a note anyway and put it in their wallet.