How to prevent system applications (like the Software Center) from asking for password?
I’d like Software Center, Update Manager and some other system management applications to work without asking for password (like sudo does if configured with NOPASSWD) but only asking for a confirmation instead, or even without any confirmation. At the same time I wouldn’t like to use no user password at all. Is this reachable?
6 Answers 6
Ubuntu Software Center authorization uses policy kit. When requested for the authentication during the remove action you can expand the «Details» pointer to see the action that is being invoked. It’s org.debian.apt.install-or-remove-packages . You can change the corresponding policy to not request for authentication:
Edit /usr/share/polkit-1/actions/org.debian.apt.policy , search for org.debian.apt.install-or-remove-packages , then find for the defaults section, replace auth_admin and auth_admin_keep with yes .
this is what i see in org.debian.apt.policy, which things do i need to change to yes?
Adding to joão-pinto’s answer, since software center now uses snapcraft’s policies, the file to be modified should be this one:
look for the policy with id io.snapcraft.snapd.manage and change all entries under defaults to yes .
Install, update, or remove packages Authentication is required to install, update, or remove packages yes yes yes
Tested on Ubuntu 20.04.1 LTS
Providing access to everything was not a wise idea. You got to reconsider this. It may not be suitable for serious people. Update is totally different from new app installation. On this permission anybody can install any app snappy domain.
Towards a more generic solution
Since the policies/actions can change from version to version (there are two other answers mentioning two other different files), the best way to handle this is:
- Install some package for testing
- Check /var/log/auth.log
- Identify the file used and the action and make the changes according to this
After installing a package, the entries in /var/log/auth.log were these:
Apr 13 02:06:14 dragon PackageKit: uid 1000 is trying to obtain org.freedesktop.packagekit.package-install auth (only_trusted:1) Apr 13 02:06:25 dragon polkitd(authority=local): Operator of unix-session:1 successfully authenticated as unix-user:jgr to gain TEMPORARY authorization for action org.freedesktop.packagekit.package-install for system-bus-name::1.79 [/usr/bin/python3 /usr/bin/software-properties-gtk] (owned by unix-user:jgr) Apr 13 02:06:25 dragon PackageKit: uid 1000 obtained auth for org.freedesktop.packagekit.package-install
I’ve searched and found the file where the action is:
sudo grep -l -r "org.freedesktop.packagekit.package-install" /usr/share/polkit-1/ /usr/share/polkit-1/actions/org.freedesktop.packagekit.policy
Using this information, on my Ubuntu 20.04.2 LTS, I edit the following file: /usr/share/polkit-1/actions/org.freedesktop.packagekit.policy .
The I’ve changed the on action: to:
Make sudo ask for a password
After installing DevStack, I was forced to put my user as root and gain access. I did that and now I would like to undo it. I removed the line from visudo but still no success. What want like to reverse is the following: Using Ubuntu and login with my user («USER») and when i open my terminal i execute the sudo -i command, I was asked to enter the password to have root access. After the changes I made with DevStack, when I execute the sudo -i command, I’m not asked for any password, I just have root access (and I don’t like this). Is there any way to change this back so when I execute the sudo -i command I will be asked for a password? As to add the file of visudo
# # This file MUST be edited with the 'visudo' command as root. # # Please consider adding local content in /etc/sudoers.d/ instead of # directly modifying this file. # # See the man page for details on how to write a sudoers file. # Defaults env_reset Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" # Host alias specification # User alias specification # Cmnd alias specification # User privilege specification root ALL=(ALL:ALL) ALL # Members of the admin group may gain root privileges %admin ALL=(ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL # See sudoers(5) for more information on "#include" directives: #includedir /etc/sudoers.d
sudo means: Do things as if you were root. So do you get asked for password if you type su ? If not, I’d know how to «solve» this. (Besides, the -i option is only for instructing the shell to also read the resource files, e. g. .profile / .login etc. Which is to say that sudo ought to show the same (erroneous) behavior with or without -i .)
Remove the files 50_stack_sh, cinder-rootwrap, neutron-rootwrap, nova-rootwrap from /etc/sudoers.d and it will start asking you for the password again.
1 Answer 1
If you want to be allowed to run commands as root, but be prompted to enter your own password, then edit the sudo configuration by running the visudo program. This brings up your favorite text editor to edit the sudo configuration file. Look for the line that authorizes you to run commands as root and remove the text NOPASSWD: from that line. Save the file and exit the editor.
If you don’t want to be allowed to run commands as root without entering the root password, then follow the same procedure as above, but remove the line instead of just removing NOPASSWD: from it. Then, to run commands as root, use su instead of sudo and type the root password. Make sure that you know the root password before doing this!
You may be allowed to run commands as root via sudo either because some rule allows your user (a line starting with your username) or because some rule allows a group that you’re a member of (a line starting with a percent sign and the group name, e.g. %admin … ). If you want to remove yourself from that group, run deluser username groupname , e.g. deluser alice admin . Changing group membership has no effect on your current session, it takes effect the next time you log in.
Note that if sudo asked you for a password, it won’t ask you again for the next few minutes (IIRC the default is 15 minutes on Ubuntu). Depending on the configuration, sudo may keep a separate password delay per terminal or a single one per user.
How do I make sudo ask for the root password?
When I run sudo as a normal unprivileged user, it asks for my password, not the root password. That’s often convenient, but it reduces the amount of information someone would have to have in order to run commands as root. So how can I make sudo ask for the root password instead of the invoking user’s password? I know it’d be done with a line in /etc/sudoers , but I can never seem to properly parse the BNF grammar in the man page to figure out exactly what to write.
I recommend you restrict the commands that are permissible as the non-root user so that you need not worry about exposing arbitrary commands.
@slartibartfast: but then what happens when I need to run a command as root that is not in the preapproved list?
6 Answers 6
Ok, here it is again so you can set the checkmark.
In /etc/sudoers , add this line:
to turn on the rootpw flag, making sudo ask for the root password.
You should always use the visudo command instead of manually editing the /etc/sudoers file. visudo validates the file to make sure it’s correct before saving, so you don’t get locked out of sudo if you make a syntax error. askubuntu.com/a/81054/166411
This solution worked for me on MX Linux 21.3, since the MX Tweaks Option «Password for administrative tasks» only changes graphical calls to sudo (gksudo). e.g. Opening Synaptic, but not for terminal use of sudo. — This is specially problematic because I use sudo calls more than privileged graphical tools, so I can see any terminal output, and since my login password should be extremely large for people to remember when seen, writing it over and over is frustrating.
You need to turn the rootpw flag on.
I know this question is old, but it is the most concise question I’ve found for this use case (which is a minor percentage, true, but nonetheless legitimate and helpful in the right scenario).
After putting all the steps together from various sources — including multiple answers to this question, these steps work on Ubuntu-Gnome 16.04 LTS:
- Set a password for root
- This is CRITICAL to do FIRST! (Ubuntu automatically has no password for the ROOT user due to the standard security configuration.
- If you do not do this first, you will lock yourself out from accessing root privileges. This can be overcome by booting in with a Live Disk, mounting the hard drive, and editing the sudoers file, but it’s best to avoid that.
- Open a terminal and enter: sudo passwd
- Set your new password for the ROOT user.
- Change the SUDO configuration to require the root password
- SUDO requires the user requesting root privileges
- Setting the «rootpw» flag instead tells SUDO to require the password for the root user.
- Open a terminal and enter: sudo visudo
- This will open the «/etc/sudoers» file
- After the other «Defaults» line, add: Defaults rootpw
- Save it (assuming you are in nano, which is the default, this is CTRL+O)
- Close the file (CTRL+X) & exit the terminal
- You’re done!
Just a quick note — I also wanted to make sure that the root user couldn’t be used to login from the graphical login, and so was looking into ways to excluded. Apparently, the root user is excluded by default, and cannot be used to login through the Gnome graphical login — which is a very good thing!
How do I ask password by GUI prompt while using sudo in script?
I use Trisquel GNU/Linux with GNOME Flashback Desktop Environment. I need a GUI password prompt for user for executing command with sudo in script. Example consider following script:
zenity --question --text="Do you want to install this package?" if [[ $? -eq 0 ]]; then sudo apt-get install package else zenity --warning fi
Which is to be executed following way (Run) i.e not inside terminal: So, It is needed to ask for password in order to run command with sudo otherwise it fails to do a job. Therefore, How do I ask password by GUI prompt?
A oneliner could do it: echo $(zenity —password —title=»Enter sudo password») | sudo -S [your command]
1 Answer 1
You can ask password by means of GUI prompt with the help of -A, —askpass options for sudo .
-A, --askpass Normally, if sudo requires a password, it will read it from the user's terminal. If the -A (askpass) option is specified, a (possibly graphical) helper program is executed to read the user's password and output the password to the standard output. If the SUDO_ASKPASS environment variable is set, it specifies the path to the helper program. Otherwise, if sudo.conf(5) contains a line specifying the askpass program, that value will be used. For example: # Path to askpass helper program Path askpass /usr/X11R6/bin/ssh-askpass If no askpass program is available, sudo will exit with an error.
So, you can graphical helper program such as ssh-askpass which prompts a user for a pass-phrase using GNOME:
$ which ssh-askpass /usr/bin/ssh-askpass
So, Add the following line to /etc/sudo.conf :
# Path to askpass helper program Path askpass /usr/bin/ssh-askpass
And you will find GUI password prompt:
You can also user other program like zenity for that. Example I use following:
$ cat /etc/sudo.conf # Path to askpass helper program Path askpass /usr/local/bin/zenity_passphrase
Where zenity_passphrase is a custom script set to be used directly as command:
$ cat $(which zenity_passphrase) #!/bin/bash zenity --password --title="sudo password prompt" --timeout=10
- You can also use gksudo (GTK+ frontend for su and sudo) instead of sudo in the script which asks with GUI prompt ( gksu and gksudo are obsolete and abandoned in 2019-2020):
- You can also use pkexec (polkit application) with some (for others it needs to be configure) applications/commands: