• Non-sudo user can install packages via yaourt


    Hi there!

    I’m running Antergos.

    My user philo has sudo privileges, my wife's account jenny doesn't.
    I happened to try to install a package via yaourt with her account by accident… and it succeeded.
    It does not work with pacman.

    Yaourt was already preinstalled with Antergos, I didn’t install it manually.

    I repeated it:

    [jenny@… ~]$ yaourt -S firefox
    Password: (entered my wife’s password)
    su: Authentication failure
    Password: (entered MY password)
    resolving dependencies…
    looking for conflicting packages…

    Packages (3) mime-types-9-1 mozilla-common-1.4-4 firefox-42.0-3

    Total Installed Size: 94.73 MiB

    :: Proceed with installation? [Y/n] y
    (3/3) checking keys in keyring [#############################################################################] 100%
    (3/3) checking package integrity [#############################################################################] 100%
    (3/3) loading package files [#############################################################################] 100%
    (3/3) checking for file conflicts [#############################################################################] 100%
    (3/3) checking available disk space [#############################################################################] 100%
    (1/3) installing mozilla-common [#############################################################################] 100%
    relogin or source /etc/profile.d/mozilla-common.sh
    (2/3) installing mime-types [#############################################################################] 100%
    (3/3) installing firefox [#############################################################################] 100%
    Optional dependencies for firefox
    networkmanager: Location detection via available WiFi networks [installed]
    gst-plugins-good: h.264 video [installed]
    gst-libav: h.264 video [installed]
    upower: Battery API [installed]
    [jenny@… ~]$

    I first entered my wife’s password. Then I got the authentication error, then I entered MY sudo password and the installation succeeded.
    Uninstallation also works that way.

    Isn’t that strange?

    My sudoers file: 0_1450175061455_sudoers.txt
    User jenny is not included.

    Output of id jenny:
    uid=1001(jenny) gid=1001(jenny) groups=1001(jenny),92(audio)

    Any ideas why that’s possible?

    Please tell me if you need additional information.

    THX in advance!

    Best regards

    phiL0co

  • All I see is that Yaourt is asking you for an admin password; you give it one and it works, you don't and it doesn't. That seems normal to me. If someone who doesn't know an admin password tries to install a package, he will not be able to do it.

    Isn't that normal?

    Long Live Antergos
    [Major Linux Problems on the Desktop or Why Linux is not (yet) Ready for the Desktop, 2016 edition] (http://linuxfonts.narod.ru/why.linux.is.not.ready.for.the.desktop.current.html)

  • This is expected behavior.

    My user philo has sudo-privileges, my wifes account jenny doesn’t

    That is why your password works. Sudo is set up with root, which is your account.

    Give her sudo, she should be able to install then.

    I7 [email protected]/32GB Ram/3440 x 1440 + 1440p/EVGA 1080 FTW/512GB SSD/2TB HD/Antergos Base w/ Plasma

  • You’re right. The package can only be installed if you know the sudo password. So it seems there’s no security flaw.

    But nonetheless it seems like user jenny can use user philo's sudo password, because the prompt doesn't say exactly which password it requires.
    I think that's the main problem. It's pretty obscure.

  • Let’s say, there would be a second user with sudo privileges, for example bob.
    In this case, which user’s password would yaourt then ask for? philo’s or bob’s?
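
The ambiguity raised in this thread (which account's password the prompt actually wants) can be checked rather than guessed. The following is an added example, not yaourt's or Antergos's own code: it reproduces the fallback the transcript above implies (use sudo when the invoking user has it, otherwise fall back to su, which is why jenny's session prints a "su:" error) and makes the prompt state whose password it is asking for. Two facts are assumed: su with no user argument asks for root's password, and sudo asks for the invoking user's own password. The sudo -l -U listings are constructed to look like real output; on a live system you would run sudo -l -U <user> as root instead.

```shell
#!/bin/sh
# Added example, not yaourt's code. Decides whether a "run pacman as root"
# helper would go through sudo or su for a given user, and labels the
# resulting password prompt with the account it really belongs to.
# Assumed: `su` (no user argument) wants root's password; `sudo` wants the
# invoking user's password.

# Constructed listings in the shape `sudo -l -U <user>` prints when run as root.
PHILO_LISTING='User philo may run the following commands on this host:
    (ALL : ALL) ALL'
JENNY_LISTING='User jenny is not allowed to run sudo on this host.'

# escalation_method USER LISTING -> "sudo" if USER has a sudo rule, else "su"
escalation_method() {
    case $2 in
        *"User $1 may run the following commands"*) echo sudo ;;
        *) echo su ;;
    esac
}

# credential_owner METHOD USER -> the account whose password the prompt is for
credential_owner() {
    case $1 in
        sudo) echo "$2" ;;
        su)   echo root ;;
        *)    echo "unknown method: $1" >&2; return 1 ;;
    esac
}

# run_as_root USER LISTING CMD... : print an unambiguous prompt label, then
# run CMD via the chosen method. Set DRY_RUN=1 to only print what would run.
run_as_root() {
    user=$1; listing=$2; shift 2
    method=$(escalation_method "$user" "$listing")
    owner=$(credential_owner "$method" "$user") || return 1
    printf '[%s] enter the password for %s\n' "$method" "$owner"
    if [ -n "$DRY_RUN" ]; then
        printf 'would run: %s %s\n' "$method" "$*"
        return 0
    fi
    case $method in
        sudo) sudo "$@" ;;
        su)   su -c "$*" ;;
    esac
}

# What jenny's session in the transcript was actually asking for:
DRY_RUN=1 run_as_root jenny "$JENNY_LISTING" pacman -S firefox
```

With the constructed listings, philo resolves to sudo (his own password) and jenny resolves to su (root's password), which is the distinction the bare "Password:" prompt in the transcript hides. If a second sudoer such as bob existed, his sudo prompt would likewise want bob's own password, not philo's; only the su path asks for root's.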
