Forums
New posts
Search forums
News
Security News
Technology News
Giveaways
Giveaways, Promotions and Contests
Discounts & Deals
Reviews
Users Reviews
Video Reviews
Support
Windows Malware Removal Help & Support
Inactive Support Threads
Mac Malware Removal Help & Support
Mobile Malware Removal Help & Support
Blog
Log in
Register
What's new
Search
Search titles only
By:
Search titles only
By:
Reply to thread
Menu
Install the app
Install
JavaScript is disabled. For a better experience, please enable JavaScript in your browser before proceeding.
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an
alternative browser
.
Forums
Software
Operating Systems
ChromeOS & Linux
Least Privilege for Ubuntu 24.04 Standard User
Message
<blockquote data-quote="Victor M" data-source="post: 1085789" data-attributes="member: 96560"><p>Hi Everyone,</p><p></p><p>A standard user in Ubuntu does not automatically obey the least privilege principle.</p><p></p><p>You have to do 2 things:</p><p></p><p>a. Deny sudo. So that the user cannot use sudo to accomplish anything. In the admin account, run 'sudo visudo' and add in this line: ' user2 ALL=(ALL) !ALL ', replace the word user2 with the account name in question.</p><p></p><p>b. Gnome uses polkit to grant privileges, and it has additional action.id's which has to be controlled.</p><p>Create a file of any name inside /usr/share/polkit-1/rules.d/ . Include these lines:</p><p></p><p>polkit.addRule(function(action, subject) {</p><p> if ( ( action.id == "org.gtk.vfs.file-operations-helper" ||</p><p> action.id == "org.gtk.vfs.file-operations" ||</p><p> action.id == "org.freedesktop.policykit.exec"</p><p> )</p><p> &&</p><p> subject.user == "user2") {</p><p> return polkit.Result.NO; // Deny actions for user user2</p><p> }</p><p>});</p><p></p><p>This rule will forbid user2 from editing root owned configuration files, even if the admin password is compromised. And it will forbid user2 from accessing additional privileges.</p><p></p><p>If you wish to be extra cautious, just remove all the action.id lines and blanket ban user2 from doing anything that requires consulting polkit. This will ban things like configuring vpn's using Gnome > Settings for the account. And it will ban many other things, but surfing will still work. And, it will slow down Gnome. The primary activity of most users is to surf.</p></blockquote><p></p>
[QUOTE="Victor M, post: 1085789, member: 96560"] Hi Everyone, A standard user in Ubuntu does not automatically obey the least privilege principle. You have to do 2 things: a. Deny sudo. So that the user cannot use sudo to accomplish anything. In the admin account, run 'sudo visudo' and add in this line: ' user2 ALL=(ALL) !ALL ', replace the word user2 with the account name in question. b. Gnome uses polkit to grant privileges, and it has additional action.id's which has to be controlled. Create a file of any name inside /usr/share/polkit-1/rules.d/ . Include these lines: polkit.addRule(function(action, subject) { if ( ( action.id == "org.gtk.vfs.file-operations-helper" || action.id == "org.gtk.vfs.file-operations" || action.id == "org.freedesktop.policykit.exec" ) && subject.user == "user2") { return polkit.Result.NO; // Deny actions for user user2 } }); This rule will forbid user2 from editing root owned configuration files, even if the admin password is compromised. And it will forbid user2 from accessing additional privileges. If you wish to be extra cautious, just remove all the action.id lines and blanket ban user2 from doing anything that requires consulting polkit. This will ban things like configuring vpn's using Gnome > Settings for the account. And it will ban many other things, but surfing will still work. And, it will slow down Gnome. The primary activity of most users is to surf. [/QUOTE]
Insert quotes…
Verification
Post reply
Top
