this post was submitted on 09 Apr 2024
296 points (98.7% liked)

Linux

48965 readers
1035 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

I thought I'll make this thread for all of you out there who have questions but are afraid to ask them. This is your chance!

I'll try my best to answer any questions here, but I hope others in the community will contribute too!

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 24 points 9 months ago* (last edited 9 months ago) (8 children)

Is there a way to remove having to enter my password for everything?

Wake computer from Screensaver? Password.
Install something? Password.
Updates (biggest one. Updates should in my opinion just work without, because being up to date is important for security reasons)? Password.

I understand sudo needs a password,but all the other stuff I just want off. The frequency is rediculous. I don't ever leave my house with my computer, and I don't want to enter a password for my wife everytime she wants to use it.

[–] [email protected] 18 points 9 months ago (1 children)

I understand sudo needs a password

You can configure sudo to not need a password for certain commands. Unfortunately the syntax and documentation for that is not easily readable. Doas which can be installed and used along side sudo is easier.

For software updates you can go for unattended-upgrades though if you turn off your computer when it is upgrading software you may have to fix the broken pieces.

[–] [email protected] 4 points 9 months ago (1 children)

I've tried unattended-upgrades once. And I couldn't get it to work back then. It might be more user friendly now. Or it could just be me.

[–] [email protected] 5 points 9 months ago

It's not really user friendly, at least not how I know it. But useful for servers and when desktop computers are on for a long time. It would be a matter of enabling or disabling it with : sudo dpkg-reconfigure unattended-upgrades granted that you have the unattended-upgrades package installed. In that case I'm not sure when the background updates will start, though according to the Debian wiki the time for this can be configured.

But with Ubuntu a desktop user should be able to configure software updated to be done automatically via a GUI. https://help.ubuntu.com/community/AutomaticSecurityUpdates#Using_GNOME_Update_Manager

[–] Nibodhika 5 points 9 months ago

I understand sudo needs a password,but all the other stuff I just want off.

Sudo doesn't need a password, in fact I have it configured not to on the computers that don't leave the house. To do this open /etc/sudoers file (or some file inside /etc/sudoers.d/) and add a line like:

nibodhika ALL=(ALL:ALL) NOPASSWD:ALL

You probably already have a similar one, either for your user or for a certain group (usually wheel), just need to add the NOPASSWD part.

As for the other parts you can configure the computer to not lock the screen (just turn it off) and for updates it depends on distro/DE but having passwordless sudo allows you to update via the terminal without password (although it should be possible to configure the GUI to work passwordless too)

[–] [email protected] 5 points 9 months ago

Passwords are meant to protect against using privileged processes as the user. This comes from a very traditional multi-user system, where users should not touch the system.

If the actions that require authentication are supported by polkit (kde shows the ID when expanding the message) you can add a policy file in /etc/polkit-1/rules.d/

Take this file as an example

[–] [email protected] 5 points 9 months ago* (last edited 9 months ago)

The things you listed can be customized.

Disable screen lock and it stops locking. This is a setting in gnome, probably in KDE, maybe in others.

Polkit can allow installing and updating in packagekit (like gnome software) without the password. I think this is default in Fedora, at least for the user marked as administrative. openSUSE actually has a gui for changing some of these privileges in the Security and Hardening settings.

[–] shadowintheday2 5 points 9 months ago* (last edited 9 months ago) (1 children)

You can configure this behavior for CLI, and by proxy could run GUI programs that require elevation through the CLI:

https://wiki.archlinux.org/title/Sudo#Using_visudo

Defaults passwd_timeout=0(avoids long running process/updates to timeout waiting for sudo password)

Defaults timestamp_type=global (This makes password typing and it's expiry valid for ALL terminals, so you don't need to type sudo's password for everything you open after)

Defaults timestamp_timeout=10(change to any amount of minutes you wish)

The last one may be the difference between having to type the password every 5 minutes versus 1-2 times a day. Make sure you take security implications into account.

[–] [email protected] 3 points 9 months ago

I think something like

%wheel ALL= NOPASSWD: /bin/apt

should be the right way of disabling the password for apt.

[–] [email protected] 3 points 9 months ago* (last edited 9 months ago)

For wake from screensaver/sleep, this should be configurable. Your window manager is locking your session, so you probably just need to turn that option off.

For installations and updates, I suspect you're used to Windows-style UAC where it just asks you Yes or No for admin access in a modal overlay. As I understand it, this is easier said than done on linux due to an insistence on never running GUI applications as admin, which makes sense given how responsibilities are divided and the security and technical challenges involved. I will say, I agree 100% that this is a serious area that's lacking for linux, but I also (think I) understand why no one has implemented something similar to UAC. I'll try to give the shortest version I can:

All programs (on both Windows and Linux) are run as a user. It's always possible for any program to have a bug in it that gives another program to opportunity to exploit the bug to hijack that program, and start executing arbitrary, malicious code as that user. For this reason, the philosophical stance on all OSes is, if it's gonna happen, let's not give them admin access to the whole machine if we can avoid it, so let's try to run as much as possible as an unprivileged user.

On linux, the kernel-level processes and admin (root-level) account are fundamentally detached from running anything graphical. This means that it's very hard to securely, and generically, pop up a window with just a Yes or No box to grant admin-level permissions. You can't trust the window manager, it's also unprivileged, but even if you could, it might be designed in a supremely insecure way, and allow just any app with a window to see and interact with any other app's windows (Xorg), so it's not safe to just pop up a simple Yes/No box, because then any other unprivileged application could just request root permissions, and then click Yes itself before you even see it. Polkit is possible because even if another app can press OK, you still need to enter the password (it's not clear to me how you avoid other unprivileged apps from seeing the keystrokes typed into the polkit prompt).

On windows, since the admin/kernel level stuff is so tightly tied to the specific GUI that a user will be using, it can overlay its own GUI on top of all the other windows, and securely pop in to just say, "hey, this app wants to run as admin, is that cool?" and no other app running in user mode even knows it's happening, not even their own window manager which is also running unprivileged. The default setting of UAC is to just prompt Yes/No, but if you crank it to max security you get something like linux (prompt for the password every time), and if you crank it to lowest security you get something closer to what others are commenting (disable the prompt, run things as root, and cross your fingers that nothing sneaks in).

I do think that this is a big deal when it comes to the adoption of linux over windows, so I would like to see someone come up with a kernel module or whatever is needed to make it happen. If someone who knows linux better than me can correct me where I'm wrong, I'd love to learn more, but that is how I understand it currently.

[–] [email protected] 2 points 9 months ago

Asking the real question here. I hope there is a one way solution per application. But I doubt it. I hope you don't get the usual answer that it's "absolutely necessary" for security.

[–] [email protected] 0 points 9 months ago (1 children)

These are all valid reasons to request a password 🤔

  • Wake computer from Screensaver? Password.

Check your screen saver settings. Dunno which desktop environment you're using. KDE should allow you to not enter a password for this.

  • Install something? Password.
  • Updates (biggest one. Updates should in my opinion just work without, because being up to date is important for security reasons)? Password.

Installing stuff runs sudo in the background hence the password prompt. Updates = installing stuff. Look up "passwordless sudo". At this point, when do you even want a password to be shown? If you don't need a password, get rid of it entirely.

Anti Commercial AI thingyCC BY-NC-SA 4.0

[–] [email protected] 1 points 9 months ago (1 children)

At this point, when do you even want a password to be shown? If you don’t need a password, get rid of it entirely.

Do you still do this by just pressing enter when you change your password? (i.e. entering no password as your password)

[–] [email protected] 1 points 9 months ago

Yep, using an empty password should work. They keyring will also need an empty password.

Anti Commercial AI thingyCC BY-NC-SA 4.0