HideAdminToolsToUsers

Revision 1 as of 2005-10-31 22:12:37


Summary

Normal users who are not allowed to execute admin programs should not have the admin tools included in their menus, nor get update-notifier messages in the notification area of the panel.

Rationale

It is confusing for such users to find these entries in their menus, try to use them, and then be unable to do what the entry led them to expect.

Use cases

  • Martin is the local administrator of his home machine and wants to have easy access to the administrative programs in the Gnome menu.
  • Annett also uses this home machine, but is not allowed to change the system configuration. She does not want to see stuff that is not useful for her.
  • However, Annett is in the lpadmin group, so she does want to see the Printer administration menu entry.

Design

Backend

We need a backend that can tell whether the user has the privilege to execute a particular command as a particular user. Currently gnome-menus checks whether the user is in the admin group, but that test is wrong on systems upgraded from Debian or Warty and ignores the local sudo configuration: it is the sudoers file, not group membership, that actually grants the privilege.

To avoid duplicating code and possibly introducing security holes, sudo itself should be used to answer this question.

Conveniently, the sudo CVS HEAD version has already extended the -l option to accept a command and to report in its exit status whether the user is allowed to execute that command. No code of our own is needed; the upstream patch just has to be applied to the Ubuntu package.

With this patch, sudo -l command exits with status 0 if the user may execute command, and with 1 if not.

In addition, sudo's listpw option (a Defaults setting in sudoers that takes the values always, any, all and never) must be set to never, since by default sudo -l asks for the user's password. This is a small information disclosure: any local user can then list their own sudo privileges without authenticating. The same information can usually be found elsewhere, for example in bash history, or simply by trying the command.

To avoid blocking on a password prompt if an administrator has manually turned listpw back on, sudo should be invoked with the -S option (read the password from stdin instead of the terminal) and with /dev/null as stdin, so the prompt sees end-of-file immediately and the call fails instead of hanging.

Desktop files

Additional fields must be added to the desktop files to declare the privileges an application requires:

gnome-system-tools (and other tools that need root privileges) use X-Ubuntu-RootRequired=true; gnome-cups-admin uses X-Ubuntu-GroupRequired=lpadmin.

gnome-menus

gnome-menus needs to read these additional desktop-file fields: X-Ubuntu-RootRequired is checked with sudo -l, and X-Ubuntu-GroupRequired with the group-membership check that gnome-panel already carries as a patch.

update-notifier

update-notifier needs to check, with the same sudo -l call, whether the user can execute update-manager as root, and hide its icon if not.
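The following is an added example, not code from gnome-menus, gnome-panel or update-notifier (those are C; Python is used here so the logic runs stand-alone). It puts the three pieces above together: the X-Ubuntu-RootRequired / X-Ubuntu-GroupRequired desktop keys, the group test, and the sudo -S -l check with /dev/null on stdin. It assumes a sudo with the patched `sudo -l command` behaviour (exit 0 = may run, non-zero = may not). The desktop entries are constructed samples, and the names parse_desktop, exec_argv, can_run_as_root, current_groups, entry_visible and update_notifier_visible are this example's own.

```python
"""Menu-visibility check following the design above.

Added illustration, not code from gnome-menus, gnome-panel or update-notifier.
Assumed: a sudo with the patched `sudo -l command` behaviour (exit 0 = may run,
non-zero = may not) and the X-Ubuntu-RootRequired / X-Ubuntu-GroupRequired keys.
The desktop entries below are constructed for the example, not shipped files.
"""
import configparser
import grp
import os
import shlex
import subprocess

USERS_ADMIN = """[Desktop Entry]
Name=Users and Groups
Exec=users-admin
Type=Application
X-Ubuntu-RootRequired=true
"""

PRINTER_ADMIN = """[Desktop Entry]
Name=Printing
Exec=gnome-cups-manager %U
Type=Application
X-Ubuntu-GroupRequired=lpadmin
"""

TEXT_EDITOR = """[Desktop Entry]
Name=Text Editor
Exec=gedit %U
Type=Application
"""


def parse_desktop(text):
    """Return the [Desktop Entry] section; key case is preserved (X-Ubuntu-*)."""
    cp = configparser.RawConfigParser()
    cp.optionxform = str
    cp.read_string(text)
    return cp["Desktop Entry"]


def exec_argv(exec_line):
    """Split an Exec= line into argv, dropping %f/%U style field codes."""
    return [a for a in shlex.split(exec_line) if not a.startswith("%")]


def can_run_as_root(argv):
    """Ask sudo whether the invoking user may run argv as root.

    -S makes sudo read the password from stdin instead of the terminal, and
    /dev/null delivers an immediate EOF, so if an administrator has turned
    listpw back on the call fails instead of blocking the menu build.
    """
    with open(os.devnull, "rb") as devnull:
        proc = subprocess.run(["sudo", "-S", "-l"] + list(argv), stdin=devnull,
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode == 0


def current_groups():
    """Names of the groups the current process belongs to."""
    names = set()
    for gid in os.getgroups():
        try:
            names.add(grp.getgrgid(gid).gr_name)
        except KeyError:
            pass  # gid with no entry in /etc/group
    return names


def entry_visible(desktop_text, groups=None, root_check=can_run_as_root):
    """True if the menu entry should be shown to this user.

    groups and root_check are parameters so the decision can be exercised
    without a real sudo; the defaults query the live system.
    """
    entry = parse_desktop(desktop_text)
    if groups is None:
        groups = current_groups()
    required_group = entry.get("X-Ubuntu-GroupRequired", "").strip()
    if required_group and required_group not in groups:
        return False
    needs_root = entry.get("X-Ubuntu-RootRequired", "false").strip().lower() == "true"
    if needs_root and not root_check(exec_argv(entry["Exec"])):
        return False
    return True


def update_notifier_visible(root_check=can_run_as_root):
    """update-notifier: show the icon only if update-manager may run as root."""
    return root_check(["update-manager"])


if __name__ == "__main__":
    # Annett from the use cases: in lpadmin, but sudo denies her everything.
    annett = {"annett", "lpadmin", "audio"}
    for text in (USERS_ADMIN, PRINTER_ADMIN, TEXT_EDITOR):
        print(parse_desktop(text)["Name"], entry_visible(text, annett, lambda argv: False))
    print("update-notifier icon:", update_notifier_visible(lambda argv: False))
```

Run as a script, this reproduces the use cases: Annett loses "Users and Groups" and the update-notifier icon but keeps "Printing" (lpadmin) and the plain editor. The shell equivalent of can_run_as_root is `sudo -S -l users-admin </dev/null; echo $?`, which is also the quickest way to confirm on a machine that listpw has really been disabled.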

Implementation

Code

Data preservation and migration

To support upgrades from Breezy, the listpw option (Defaults listpw=never) must also be set in an already existing /etc/sudoers. Since that file is not a conffile, the postinst may edit it without problems. The option should be inserted below the "# Defaults" comment, or after the first comment block if no such comment is found. The edited file should be checked with visudo -c before it replaces the original, since a syntax error in sudoers locks administrators out of sudo.
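As an added example, not the Ubuntu sudo package's postinst (which is shell; Python is used here for consistency with the menu example), the following implements the migration just described: insert a listpw line below "# Defaults", fall back to the end of the first comment block, leave an existing listpw setting alone, and validate with visudo before renaming over the live file. It assumes the sudoers listpw values always/any/all/never and that `visudo -c -f FILE` checks a candidate file. The sudoers texts are constructed samples, and add_listpw and install_sudoers are this example's own names.

```python
"""Set listpw=never in an existing /etc/sudoers from a maintainer script.

Added illustration, not the sudo package's own postinst.  Assumed: listpw takes
the sudoers values always/any/all/never, and `visudo -c -f FILE` validates a
candidate file.  The sample sudoers texts are constructed for the example.
"""
import os
import re
import subprocess
import tempfile

LISTPW_LINE = "Defaults\tlistpw=never"

# Constructed samples: one with the "# Defaults" comment, one without.
SUDOERS_WITH_COMMENT = (
    "# /etc/sudoers\n"
    "#\n"
    "# This file MUST be edited with the 'visudo' command as root.\n"
    "\n"
    "# Host alias specification\n"
    "\n"
    "# Defaults\n"
    "\n"
    "root\tALL=(ALL) ALL\n"
    "%admin\tALL=(ALL) ALL\n"
)

SUDOERS_NO_COMMENT = (
    "# /etc/sudoers\n"
    "# This file MUST be edited with the 'visudo' command as root.\n"
    "\n"
    "root\tALL=(ALL) ALL\n"
)


def add_listpw(sudoers_text):
    """Return sudoers_text with a listpw=never Defaults line inserted.

    Idempotent: if any Defaults line already mentions listpw (ours, or the
    administrator's own choice), the text is returned unchanged.
    """
    lines = sudoers_text.splitlines()
    if any(re.match(r"\s*Defaults\b.*\blistpw\b", line) for line in lines):
        return sudoers_text
    for i, line in enumerate(lines):
        if line.startswith("# Defaults"):
            insert_at = i + 1          # directly below the "# Defaults" comment
            break
    else:
        insert_at = 0                  # fallback: after the first comment block
        while insert_at < len(lines) and lines[insert_at].startswith("#"):
            insert_at += 1
    lines.insert(insert_at, LISTPW_LINE)
    return "\n".join(lines) + "\n"


def install_sudoers(new_text, path="/etc/sudoers"):
    """Write new_text beside path, have visudo validate it, then rename it
    into place.  A syntax error in sudoers locks every administrator out, so
    unchecked text must never overwrite the live file directly."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".sudoers.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(new_text)
        os.chmod(tmp, 0o440)           # sudoers must not be world-readable
        subprocess.run(["visudo", "-c", "-f", tmp], check=True,
                       stdout=subprocess.DEVNULL)
        os.rename(tmp, path)           # atomic replace on the same filesystem
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


if __name__ == "__main__":
    print(add_listpw(SUDOERS_WITH_COMMENT))
    print(add_listpw(SUDOERS_NO_COMMENT))
```

In a real postinst the call would be `install_sudoers(add_listpw(open("/etc/sudoers").read()))`, run only on upgrade from a version without the option; the idempotence check is what makes re-running the postinst, or an administrator's own listpw line, safe.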

Outstanding issues

BoF agenda and discussion