Identity Crisis! (Account Permissions) SOLVED

All Gurus once were Newbies
Forum rules
There are no such things as "stupid" questions. However if you think your question is a bit stupid, then this is the right place for you to post it. Please stick to easy to-the-point questions that you feel people can answer fast. For long and complicated questions prefer the other forums within the support section.
Before you post please read how to get help
treehouse
Level 1
Level 1
Posts: 47
Joined: Tue Oct 13, 2015 1:01 pm

Identity Crisis! (Account Permissions) SOLVED

Post by treehouse » Wed Oct 28, 2015 7:02 pm

I'd like some help please understanding how account types and permissions work. After my first installation attempt of Linux Mint 17.2 32bit, I got fed up having to put in my password every time I did anything systemmy. I reinstalled, this time leaving the checkbox unticked for encrypting the installation. However, on putting in the details for my account, I did put a password in, although I checked the box for automatic login on startup.

It does log me in automatically now, but still requires "Authentication" for installing software, etc. I was about to ask for help here and then thought I'd tweak the settings and see if I could fix it - it's a pain when I'm just setting things up and downloading software. I found my account permissions and see that it was set to "Custom" (with the other options apparently Administrator or User), so I put myself as an Admistrator - which says I can make any any system changes, install software, etc. I also checked all the boxes in the list of Advanced permissions, which bizarrely seemed to exlude a load of things like connecting to wireless or ethernet, printers, scanners, audio and whatnot, although I've been using the wifi and ethernet, and the audio seems to be working!

However, I still can't access software installation apps without being prompted to "Authenticate" this. Further messing about in the Assistive Technologies Preferences led to the button "Accessible Login", but a message pops up informing me that "You must be root to configure MDM" - not even asking for authentication, just Eff off. ;) This seems all a bit insane, to be quite frank, but maybe I've finally found the secret door...

Under System, there's the "Login Window" Preferences. I have to authenticate myself to get into this as well, but then in the bottom tab-icon, "Options", it has one box "Allow root login". At this point, I've messed about with so many of the deeper security options, I hardly dare tick the darned thing. Should I? Or - I poked about next in Startup Applications, and there I see a few things that look like they might be there to frisk me on the way to the inner sanctum.

Any chance I can use this "Allow root login" or something else to access my computer fully without constantly having to authenticate myself with a password? :x Why did my account settings have so many disabled permissions that I was already apparently using? What is "root", and how is it different from a "superuser"? If I hadn't put a password in on installing, would it have refused to install, or let me do what I want with my new Linux without interference?
Last edited by treehouse on Sat Nov 07, 2015 1:44 pm, edited 1 time in total.

User avatar
Pjotr
Level 21
Level 21
Posts: 13723
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)
Contact:

Re: Identity Crisis! (Account Permissions)

Post by Pjotr » Wed Oct 28, 2015 7:21 pm

You have a messed up system. FUBAR. :shock:

Do a clean re-install of Linux Mint 17.2, set it to automatic login and learn to live with the password requirement for system administration like installing software. It's the very core of Linux security.

Be wise, go with the flow, and you'll have an operating system which is as stable and secure as a Leopard tank: http://www.bundesheer.at/english/dynmod ... efecht.jpg
Tip: 10 things to do after installing Linux Mint 19.2 Tina
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

treehouse
Level 1
Level 1
Posts: 47
Joined: Tue Oct 13, 2015 1:01 pm

Re: Identity Crisis! (Account Permissions)

Post by treehouse » Wed Oct 28, 2015 8:00 pm

Pjotr, apart from tweaking a few permissions, I've just done a clean install with automatic login. The tweaks I've made are almost certainly reversible. Your telling me I've got a messed up system and to reinstall for a third time is on what basis?

Cosmo.
Level 23
Level 23
Posts: 17830
Joined: Sat Dec 06, 2014 7:34 am

Re: Identity Crisis! (Account Permissions)

Post by Cosmo. » Wed Oct 28, 2015 8:22 pm

You can have either a system, where every user - inclusive an attacker from the distance - has full accesss.

Or you can have Linux, with fine balanced security model.

It is your choice, both together is obviously impossible.

Note, that in a fresh installed system the number of system tasks (updates, installs, system configurations) is extraordinarily hight. As soon as this step is finished, you should not get asked often for your password. It is a small price for great security.

Or in other words: No scurity = no Linux.

treehouse
Level 1
Level 1
Posts: 47
Joined: Tue Oct 13, 2015 1:01 pm

Re: Identity Crisis! (Account Permissions)

Post by treehouse » Wed Oct 28, 2015 9:30 pm

So is it impossible to run Linux without using the password? And if it were possible, anyone could just mess with it over the internet? Can remote attackers crack your password? Is it important that it's long, obscure and has special characters? What if i write a script to insert it into the relevant field, can attackers read the script?

Yes, it's when there's lots of software and settings to fix that it's annoying, but I tend to use different software a fair bit as new programs are being developed, and the software manager offers updates fairly often anyway.

There's no alternative - like logging in with the password and then not having to use it again for that session?

Cosmo.
Level 23
Level 23
Posts: 17830
Joined: Sat Dec 06, 2014 7:34 am

Re: Identity Crisis! (Account Permissions)

Post by Cosmo. » Wed Oct 28, 2015 9:47 pm

treehouse wrote:What if i write a script to insert it into the relevant field
At least impossible for graphical programs. There a secure password fields.
treehouse wrote:Yes, it's when there's lots of software and settings to fix that it's annoying, but I tend to use different software a fair bit as new programs are being developed, and the software manager offers updates fairly often anyway.
I've read this often enough, but using Linux a long time I know from own experience, that this is not in real life as you expressed. I get - more or less - the same updates offered as you and I know, how often this happens, You also don't need to apply every update the minute after you get informed.
treehouse wrote:There's no alternative - like logging in with the password and then not having to use it again for that session?
No. What you describe is more or less Windows.

User avatar
Pjotr
Level 21
Level 21
Posts: 13723
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)
Contact:

Re: Identity Crisis! (Account Permissions)

Post by Pjotr » Thu Oct 29, 2015 5:08 am

treehouse wrote:Pjotr, apart from tweaking a few permissions, I've just done a clean install with automatic login. The tweaks I've made are almost certainly reversible. Your telling me I've got a messed up system and to reinstall for a third time is on what basis?
Apart from the settings that you can reverse, the *consequences* of those settings changes during the period that they were active, might be less easy to reverse. So your system has potentially become less predictable and maybe even less stable.

So it's not "FUBAR" as I wrote previously (I had drunk a few glasses of wine last night, when I wrote that....), but "potentially tainted". :mrgreen:

I would take no chances and invest a couple of hours in creating a clean, 100 % reliable system. That'll take about 30 minutes for installing it, and some 90 minutes for post-install tweaking and configuring. Just two hours.... :)
Tip: 10 things to do after installing Linux Mint 19.2 Tina
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

treehouse
Level 1
Level 1
Posts: 47
Joined: Tue Oct 13, 2015 1:01 pm

Re: Identity Crisis! (Account Permissions)

Post by treehouse » Thu Oct 29, 2015 3:52 pm

Pjotr wrote:Apart from the settings that you can reverse, the *consequences* of those settings changes during the period that they were active, might be less easy to reverse. So your system has potentially become less predictable and maybe even less stable.

So it's not "FUBAR" as I wrote previously (I had drunk a few glasses of wine last night, when I wrote that....), but "potentially tainted". :mrgreen:

I would take no chances and invest a couple of hours in creating a clean, 100 % reliable system. That'll take about 30 minutes for installing it, and some 90 minutes for post-install tweaking and configuring. Just two hours.... :)
Thanks, Pjotr, but the period that those changes were active was about 2 minutes, while I tried a few things before posting this (which I'm doing on a different machine). Besides, as a newbie, I'm pretty sure I'll mess with settings again, and Linux is so unfathomable to me at the moment, I'm pretty sure I'm going to make it less than 100% secure and stable.

While you're logged in as a superuser, having entered your password, is your system then insecure and open to attack? If not, why not? If so, then wouldn't it make sense to do a fresh install again after you've installed updates just to be on the safe side. :wink:

And, having read about what to do to improve security, I see that a fresh install hasn't got the firewall enabled. Isn't that compromising the system (especially, say, combined with the above, when you've given your authorization to get into settings)? Couldn't someone say that having run Linux without a firewall for a week and regularly entered my password might have compromised its stability and security? Should we all just keep reinstalling again every time we connect to another computer?

I appreciate the help, I'm just a bit sceptical about your position on this. Windows, I'm reliably informed, is much less secure than Linux - is that ONLY because users have to enter a password every time they change settings? I thought it was largely because the things you can install are open-source and thus checked by a kind of peer-review process for any nasties. I thought the whole architecture was more secure. I didn't realise it all hung on users keeping secret passwords.

I've been running Windows systems WITHOUT A PASSWORD for decades and never had one go fubar. Disks wore out and failed due to not scanning for bad sectors before that. OSs were updated several times. I had the odd virus to clean out before I got up to speed on things. And all I had was a basic firewall and decent anti-malware.

Concerning the permissions I've set - making my account an Administrator and checking all the boxes for permission to access things - can you actually tell me what precisely is wrong with this, what the risk is, that could make my system unsecured or unstable? Is Linux so fragile, really?

Cosmo, I'm also pretty sceptical about whether something like AutoKey can't enter text into an authentication field - I'll maybe try this and find out, although it's not a safe method to avoid the issue. As for a single password entry for the session being "more or less Windows", this doesn't immediately make it a stupid or dangerous suggestion. It's not "Windows", it's a method of authenticating a user session.

Cosmo.
Level 23
Level 23
Posts: 17830
Joined: Sat Dec 06, 2014 7:34 am

Re: Identity Crisis! (Account Permissions)

Post by Cosmo. » Thu Oct 29, 2015 4:53 pm

treehouse wrote:While you're logged in as a superuser, having entered your password, is your system then insecure and open to attack?
Yes.
treehouse wrote:If so, then wouldn't it make sense to do a fresh install again after you've installed updates just to be on the safe side. :wink:
What? You make an update and then you a fresh install on top? What is the sense of this? (Also with smilie really strange)
treehouse wrote:Windows, I'm reliably informed, is much less secure than Linux - is that ONLY because users have to enter a password every time they change settings? I thought it was largely because the things you can install are open-source and thus checked by a kind of peer-review process for any nasties. I thought the whole architecture was more secure. I didn't realise it all hung on users keeping secret passwords.
You mix 2 things: The architectural prerequisites, which cannot get controlled by the users, but only by the community, which also cannot get changed by the users, but only by the developers. And the responsibility for the single system, which is not in the responsibility of the developers or the community, but only of the user. The system has no other chance to decide if the physical user behind the keyboard is the person who claims this to be - except by getting the correct password.
treehouse wrote:As for a single password entry for the session being "more or less Windows", this doesn't immediately make it a stupid or dangerous suggestion. It's not "Windows", it's a method of authenticating a user session.
No, what you asked for is not only the authentication of a user session (as this works in both OS by design rather similar we would have to discussion about that). What you want is a kind of free pass for system changes by using the user authentication at session start.

treehouse
Level 1
Level 1
Posts: 47
Joined: Tue Oct 13, 2015 1:01 pm

Re: Identity Crisis! (Account Permissions)

Post by treehouse » Fri Oct 30, 2015 7:10 am

Cosmo. wrote:
treehouse wrote:While you're logged in as a superuser, having entered your password, is your system then insecure and open to attack?
Yes.
treehouse wrote:If so, then wouldn't it make sense to do a fresh install again after you've installed updates just to be on the safe side. :wink:
What? You make an update and then you a fresh install on top? What is the sense of this? (Also with smilie really strange)
Yes, it is strange. I was extrapolating on Pjotr's logic. He seemed to suggest that I should do a fresh install because I made myself an admin on my own laptop, and that the security of my system depends on being behind the password to avoid someone (even remotely) tampering with my system. I was making the point that in order to make system changes you have to make your system somewhat open to attack, so by the same logic, it is no longer trustworthy after you have input your password and downloaded anything, or sat for 5 minutes connected to the internet. I am questioning the level of security needed, that's all, and suggesting that Pjotr's view is a bit paranoid. I'm trying to work out what I must, can and cannot do, what would be very unwise and what would be just a little bit risky.

I just thought this would be a good place to ask a few relatively simple questions - do I REALLY have to prove that I'm the same person who logged on a minute ago whenever the system needs updating? - Why doesn't setting myself as an Administrator and selecting every permission I can find (apart from "root", which I stopped short of to get more advice first) avoid this minor, but significant, annoyance? - Does logging on as root fix this? - If it's really utterly vital that we maintain this level of security, why does it let me have a short, simple password and not require a complicated one with special characters? - Why is the freaking default firewall not even on?
treehouse wrote:As for a single password entry for the session being "more or less Windows", this doesn't immediately make it a stupid or dangerous suggestion. It's not "Windows", it's a method of authenticating a user session.
No, what you asked for is not only the authentication of a user session (as this works in both OS by design rather similar we would have to discussion about that). What you want is a kind of free pass for system changes by using the user authentication at session start.
Yes, I'm saying that maybe just the session start (and after hibernate/sleep etc.) would be secure enough, depending on circumstances. This is pretty much default behaviour for Windows users. So if Linux requires more security at the terminal, is this because it's actually less secure behind the scenes? Windows operates in an environment awash with viruses and built on endless plugging of holes, but I can download stuff and install it without repeatedly inputing my login password, and easily switch even the initial login to automatic.

User avatar
Pjotr
Level 21
Level 21
Posts: 13723
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)
Contact:

Re: Identity Crisis! (Account Permissions)

Post by Pjotr » Fri Oct 30, 2015 7:20 am

treehouse wrote:Why is the freaking default firewall not even on?
By default the firewall isn't activated, because behind the ports that are exposed to the internet, there aren't any listening services. At least not in a standard installation. An attacker can't do anything without a listening service that keeps a port open.
treehouse wrote:Yes, I'm saying that maybe just the session start (and after hibernate/sleep etc.) would be secure enough, depending on circumstances. This is pretty much default behaviour for Windows users. So if Linux requires more security at the terminal, is this because it's actually less secure behind the scenes? Windows operates in an environment awash with viruses and built on endless plugging of holes, but I can download stuff and install it without repeatedly inputing my login password, and easily switch even the initial login to automatic.
I quote from my first answer in this thread:
Pjotr wrote:Learn to live with the password requirement for system administration like installing software. It's the very core of Linux security.
If all this doesn't convince you, you might be happier using Windows instead of Linux. Well, nothing is stopping you.... :wink:
Tip: 10 things to do after installing Linux Mint 19.2 Tina
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

Cosmo.
Level 23
Level 23
Posts: 17830
Joined: Sat Dec 06, 2014 7:34 am

Re: Identity Crisis! (Account Permissions)

Post by Cosmo. » Fri Oct 30, 2015 7:35 am

The view of Pjotr is not a bit paranoid, it is not paranoid at all. There are people, which know more about Linux than Potr and me together and they are knowledgeable since some more time. There are people, who have created the architecture of Linux. OK: If you think, that the most important people for Linux are paranoids, than you should take the consequence and don't use an OS, that has been made only by paranoids. If you don't think so, than you seem to be in the position of the man sitting in his car and hearing a warning in the radio: "Attention, there is a car on the highway driving in the opposite direction." The man says: "One car? All cars drive into the wrong direction."

I wrote yesterday, that what you want is more or less Windows. Here follows your confirmation about this:
treehouse wrote:Yes, I'm saying that maybe just the session start (and after hibernate/sleep etc.) would be secure enough, depending on circumstances. This is pretty much default behaviour for Windows users.
It does not make sense, to repeat the argumentation again and again, it will only be a repetition.

User avatar
austin.texas
Level 20
Level 20
Posts: 12054
Joined: Tue Nov 17, 2009 3:57 pm
Location: at /home

Re: Identity Crisis! (Account Permissions)

Post by austin.texas » Fri Oct 30, 2015 9:12 am

There are certainly ways to eliminate some of the password requests. It is up to the user to decide if the decrease in security is acceptable.
When you run the live Mint DVD, you will notice that you can install software and run sudo commands with no password request. That is accomplished by creating a file /etc/sudoers.d/casper which contains the line

Code: Select all

mint  ALL=(ALL) NOPASSWD: ALL
("mint" is your user name when using the live Mint DVD)
All you have to do to replicate that behavior is to open a text editor as root.

Code: Select all

gksu gedit
Enter the line above, using your actual user name instead of "mint".
Save the file as /etc/sudoers.d/casper
Reboot.

Alternatively, you can just allow the members of the sudo group to operate without the password request by adding only this line.

Code: Select all

%sudo    ALL=(ALL:ALL) ALL
Or, you can just eliminate the password request for new system updates by creating /etc/sudoers.d/casper with these lines:

Code: Select all

Cmnd_Alias UPDATE = /usr/lib/linuxmint/mintUpdate/checkAPT.py
ALL ALL = NOPASSWD:UPDATE
Last edited by austin.texas on Sat Nov 21, 2015 9:13 am, edited 2 times in total.
Mint 18.2 Cinnamon, Quad core AMD A8-3870 with Radeon HD Graphics 6550D, 8GB DDR3, Ralink RT2561/RT61 802.11g PCI
Linux Linx 2018

chipps61

Re: Identity Crisis! (Account Permissions)

Post by chipps61 » Fri Oct 30, 2015 9:30 am

austin.texas... that was the best reply to this type of post that I have ever seen. Two thumbs up.

User avatar
karlchen
Level 20
Level 20
Posts: 11402
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: Identity Crisis! (Account Permissions)

Post by karlchen » Fri Oct 30, 2015 9:41 am

Why is it that always exactly those users that know least about computers and security risks cry out loudest that the most annoying thing about Linux is it security concept?
Why is it that always those pieces of advice get most [Like] clicks by computer illiterates that help them shoot their own foot by undermining the built-in Linux security measures?
Image
Linux Mint 19.2 32-bit xfce Desktop, Total Commander 9.22a 32-bit
Haß gleicht einer Krankheit, dem Miserere, wo man vorne herausgibt, was eigentlich hinten wegsollte. (Goethe)

chipps61

Re: Identity Crisis! (Account Permissions)

Post by chipps61 » Fri Oct 30, 2015 9:57 am

karlchen, I am hardly a computer illiterate. I program in a production environment for a living, and have for 20+ years. That was simply a useful reply to an often asked question, instead of the usual "don't do that, idiot!" type of thing that you see everywhere. Was refreshing to see.

Cosmo.
Level 23
Level 23
Posts: 17830
Joined: Sat Dec 06, 2014 7:34 am

Re: Identity Crisis! (Account Permissions)

Post by Cosmo. » Fri Oct 30, 2015 10:18 am

chipps61 wrote:That was simply a useful reply to an often asked question
Repeating the same statement with other words is
  • neither an answer to the (rhetorical?) questions of karlchen
    nor makes it anything on arguing better.
Instead it replaces security architecture by a kind of anti-security steamroller! For those, who find that "useful"....

deleted

Re: Identity Crisis! (Account Permissions)

Post by deleted » Fri Oct 30, 2015 10:33 am

I summed up the "user" to a Windows friend of mine.
In Windows, if you are an admin, then you are running as admin.
In Linux, if you are an admin, you _can_ run with elevated privileges (via sudo).
That is, in Linux, your admin account isn't running with elevated privileges, until you sudo. (which really isn't often)
-Zumwalt

chipps61

Re: Identity Crisis! (Account Permissions)

Post by chipps61 » Fri Oct 30, 2015 10:51 am

I would agree with the comment by austin.texas that it is up to the user to decide if the decrease in security is acceptable. Obviously this is an opinion that many of you do not share, and that’s fine - I'm 50+ years old and not likely to change my beliefs any time soon. I also believe that the risks of changing the default password behavior should be clearly stated, and they have been, repeatedly, with strong assertion. You may all now have the last word, I’ve really nothing else to say on the subject.

User avatar
Pjotr
Level 21
Level 21
Posts: 13723
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)
Contact:

Re: Identity Crisis! (Account Permissions)

Post by Pjotr » Fri Oct 30, 2015 12:05 pm

Mostly, people become Linux users because they dare to deviate. Which in itself is a good thing. Very recognizable even: been there, done that....

In some cases, these beginners also choose to deviate from the advice of experienced Linux users. Which is not so good, because almost inevitably this leads to problems for them, sooner or later. Like strange, unpredictable system behaviour, instability and insecurity.

Even worse: some of those beginners, when confronted with those problems, become very vocal adversaries of Linux.... Which, although totally undeserved, is bad publicity for Linux. :(
Tip: 10 things to do after installing Linux Mint 19.2 Tina
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

Post Reply

Return to “Newbie Questions”