My user is in the "admin" group, but that's my LDAP group. /etc/sudoers was changed to have the groups allowed be "sudoA" and "adminA" which my local user is in.
Does the polkit `auth_admin` *NOT* do an actual sudo check but just look at the group name? That's ... not good. I'll need to have some people in the LDAP admin group, but not be allowed to use sudo/install software which that policy defeats the purpose of if that's the case (regulations).
The command above gives:
--- start cut ---
$ pkcheck -a io.snapcraft.snapd.manage --process $$ -u ; echo $?
polkit\56retains_authorization_after_challenge=true
polkit\56temporary_authorization_id=tmpauthz2
0
--- end cut ---
Here's my user info with some company-specific info commented out:
--- start cut ---
$ id
uid=1031(jason) gid=500(admin) groups=500(admin),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare),501(XXX),502(XXX),503(XXX)
--- end cut ---
And /etc/sudoers ...
--- start cut ---
# egrep '^%[a-z]' /etc/sudoers
%adminA ALL=(ALL) ALL
%sudoA ALL=(ALL:ALL) ALL
--- end cut ---
-J