- Oct 3, 2022
- 557
Hi Everyone,
A standard user in Ubuntu does not automatically obey the least privilege principle.
You have to do 2 things:
a. Deny sudo. So that the user cannot use sudo to accomplish anything. In the admin account, run 'sudo visudo' and add in this line: ' user2 ALL=(ALL) !ALL ', replace the word user2 with the account name in question.
b. Gnome uses polkit to grant privileges, and it has additional action.id's which has to be controlled.
Create a file of any name inside /usr/share/polkit-1/rules.d/ . Include these lines:
polkit.addRule(function(action, subject) {
if ( ( action.id == "org.gtk.vfs.file-operations-helper" ||
action.id == "org.gtk.vfs.file-operations" ||
action.id == "org.freedesktop.policykit.exec"
)
&&
subject.user == "user2") {
return polkit.Result.NO; // Deny actions for user user2
}
});
This rule will forbid user2 from editing root owned configuration files, even if the admin password is compromised. And it will forbid user2 from accessing additional privileges.
If you wish to be extra cautious, just remove all the action.id lines and blanket ban user2 from doing anything that requires consulting polkit. This will ban things like configuring vpn's using Gnome > Settings for the account. And it will ban many other things, but surfing will still work. And, it will slow down Gnome. The primary activity of most users is to surf.
A standard user in Ubuntu does not automatically obey the least privilege principle.
You have to do 2 things:
a. Deny sudo. So that the user cannot use sudo to accomplish anything. In the admin account, run 'sudo visudo' and add in this line: ' user2 ALL=(ALL) !ALL ', replace the word user2 with the account name in question.
b. Gnome uses polkit to grant privileges, and it has additional action.id's which has to be controlled.
Create a file of any name inside /usr/share/polkit-1/rules.d/ . Include these lines:
polkit.addRule(function(action, subject) {
if ( ( action.id == "org.gtk.vfs.file-operations-helper" ||
action.id == "org.gtk.vfs.file-operations" ||
action.id == "org.freedesktop.policykit.exec"
)
&&
subject.user == "user2") {
return polkit.Result.NO; // Deny actions for user user2
}
});
This rule will forbid user2 from editing root owned configuration files, even if the admin password is compromised. And it will forbid user2 from accessing additional privileges.
If you wish to be extra cautious, just remove all the action.id lines and blanket ban user2 from doing anything that requires consulting polkit. This will ban things like configuring vpn's using Gnome > Settings for the account. And it will ban many other things, but surfing will still work. And, it will slow down Gnome. The primary activity of most users is to surf.
Last edited: