Tuesday, September 26, 2023
 Popular · Latest · Hot · Upcoming
rated 0 times [  9] [ 0]  / answers: 1 / hits: 3048  / 10 Months ago, tue, december 20, 2022, 1:26:51

I am setting up an Ubuntu (10.10) machine that will be used by several people. It is a shared machine in a small office. Its primary roles are hosting virtual machines with VirtualBox and serving files with Samba.

For Samba, several user accounts need to be set up so that various people can connect to the Samba shares from their own workstations. However, there is also an account that is dedicated to just running virtual machines, that multiple people will be using. Sometimes people try to do things with this account that require elevated privileges - this causes Gnome's "please enter an administrative user's password" dialog to pop up. However, this dialog requests my password - when I set up the machine, mine was the first account created, so it seems to be assuming that I am the only user granted sudo powers.

I want to designate another user as the "administrator of first resort," so to speak, and it can't be the shared-account user, because everyone has to know the password of that account, so I want its privileges strictly limited. It can't be my account, since no effing way am I telling other people my password, and I won't be present at the site often enough to enter it myself. There is, though, someone who can do this in person, so I added them to /etc/sudoers. How can I tell Ubuntu that when it needs to elevate privileges for something, it should ask for their account first?

To summarize:

  • Accounts on the machine: Alice, Bob, Carol, Dave, Eliza.

  • When Ubuntu was installed, Alice was the first user, added during the install process.

  • "Dave" is actually an account that many people use, who can't be in /etc/sudoers because its password is public knowledge.

  • Bob has been set to be an "Administrative" account in Gnome and is appropriately entered in /etc/sudoers - Bob is the boss at this office.

  • When actions that need elevated privileges are attempted while logged in as Bob, Carol, Eliza, or Dave, the system should request Bob's credentials.

  • When actions that need elevated privileges are attempted while logged in as Alice, the system should request Alice's credentials (although Alice is sort of a buckaroo sysadmin and has a habit of using su - to do extended admin tasks).

What config changes do I need to make to bring about the desired state here?

More From » root


First of all let to point out that privileged actions are allowed for a non-root user through two different mechanisms.

  1. sudo

  2. PolicyKit

The first one is used when you explicitly run a command with sudo or a menu item whose command is wrapped with gksu (like Synaptic Package Manager).

In this case the password required is that of the invoking user, usually the user logged in.

The second one is used when a PolicyKit-aware application try to perform a privileged action. In such a case the application asks the PolicyKit Local Authority (through D-Bus) if the action can be executed. The Local Authority then, through an Authentication Agent, asks the active user to prove its identity. The dialog windows is like the following (unfortunately with text in italian :)

enter image description here

You can identify PolicyKit from the little black triangle and the label Details.
As you can see, if more that one user is in the admin group, you can choose from the list which user to use for authentication.

Given all this, both sudo and PolicyKit are much more complicated, with respect to the configurations that can be achieved: you can configure action that can be executed without password, executed only by a particular user or group, etc.

Coming to your question, when the mechanism used by the application is PolicyKit, independently from the current logged in user, the password required would be that of Bob or Alice (the only two admin user, if I understand correctly), and you can change from the list which user you want to use for authentication.

When the mechanism used by the application is sudo (for admin tasks performed through GUI this is becoming less frequent), you have no immediate and simple mean to choose the user for authentication.

[#41472] Wednesday, December 21, 2022, 10 Months  [reply] [flag answer]
Only authorized users can answer the question. Please sign in first, or register a free account.

Total Points: 114
Total Questions: 122
Total Answers: 126

Location: Mauritania
Member since Sun, Oct 17, 2021
2 Years ago