If a user password is changed in systemsettings, root authorisation is requested willfully, with a UI text confirming that it’s mandatory even if it’s the user password being updated. That’s odd. No such request is made when doing that in a terminal.
How should we consider KDE in the enterprise? It’s doubtful users know the root password. A compromised password will leave the user’s data vulnerable, the data having more value than the system; and the system admin of the company is busy.
Moreover, it’s doubtful malware would do that via systemsettings or the libraries it calls.
Hi - just to check, what distribution are you using? I just changed my password in a KDE Neon VM, and was only asked for my own password - not the root user’s.
@AlbertoSalviaNovella The underlying command line utilities don’t require the root user’s password in order to change your own.
And just to check, when you use System Settings > Users to try to change the currently logged-in user’s password, you’re prompted (in the highlighted area) for the root user’s password, not your own?
Password policy has nothing to do with KDE Plasma or any other desktop environment on Linux (GNOME, Unity, etc.).
They are just different graphical user interfaces.
The policy depends on the underlying Linux distribution and it varies between them:
In Ubuntu-based distributions (like KDE Neon) the root password is not set by default and every user is given sudo rights.
Debian (which I use) is by default quite the opposite of Ubuntu: sudo is not set up at all, and with a basic user password one cannot do much more than log in to the user interface; even installing programs requires the root password.
In the Debian philosophy the whole concept of sudo is criticised. It is claimed to open up security vulnerabilities. In Debian it is recommended to use su or su - instead.
(Of course one can give a user sudo rights by using visudo.)
Requiring the user to enter a root password (they don’t know) certainly has! I feel a little stupid for having to instruct my users to enter a terminal and type passwd instead of using a graphical UI (there is no problem using the terminal):
klaus@msien:~> passwd
Changing password for klaus.
Current password:
New password:
Retype new password:
passwd: password updated successfully
klaus@msien:~>
So clearly it is possible for a non-root user on openSUSE, and it does not require/use sudo. If KDE is prevented by something on some distributions, then either KDE is doing it wrong or the distribution has put some wrong safeguards in place protecting user passwords.
For me the question is, should I report it on KDE bugtrack or (in my case) on SUSE bugtrack?
I repeat: KDE does not choose the password policy; the distributions do.
The right address to complain to is the distribution, in your case openSUSE.
As with your example, changing the user password is possible the way you described in all or most distributions.
I enquired on Arch’s mailing list and here is a valuable explanation and a fix. It’s a polkit rule to add.
I can’t help but denounce a cultural drift towards an ever more distant ‘security or confidentiality’ goal, the result of which seems doubtful apart from creating trouble for simple tasks.
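The post above only links to the Arch list for the polkit rule; it is not reproduced on this page. What follows is an added illustration of the shape such a rule takes, written by the editor, not the rule from that thread and not code from KDE, polkit or any distribution. It assumes the polkit action behind the System Settings prompt is AccountsService’s org.freedesktop.accounts.user-administration (an assumption; check with `pkaction --verbose` on your own system) and that the file lives under /etc/polkit-1/rules.d/ (file name assumed). The rule body is written exactly as it would go into that file; the few lines around it are a stand-in for polkitd so the rule can be exercised offline. The security caveat to take from it: a polkit rule can only match what the action carries, and as far as I know AccountsService passes no detail naming the target account, so a rule like this cannot be scoped to “own password only”; it grants the whole user-administration action (create, delete, set any user’s password) to whoever it matches. Restricting it to a trusted group such as wheel, as below, is the least you should do; dropping the group check would hand every local user full account administration.

```javascript
// Added example (editor's illustration, not from the Arch thread, KDE or polkit).
// Assumed action id: org.freedesktop.accounts.user-administration (AccountsService).
// Assumed file: /etc/polkit-1/rules.d/49-user-administration-wheel.rules

// --- stand-in for polkitd's JavaScript environment, so this runs offline ---
const polkit = {
  // polkit exposes these result strings to rules
  Result: { YES: "yes", NO: "no", AUTH_ADMIN_KEEP: "auth_admin_keep" },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
};

// --- rule as it would appear in the rules.d file ---
polkit.addRule(function (action, subject) {
  // Only members of wheel, from a local and active session, are granted outright.
  // Anything else falls through (undefined) to the action's implicit policy.
  if (action.id == "org.freedesktop.accounts.user-administration" &&
      subject.local && subject.active && subject.isInGroup("wheel")) {
    return polkit.Result.YES;
  }
});
// --- end of rule ---

// Builds a subject object with the properties real polkit rules see.
function makeSubject({ user, groups, local = true, active = true }) {
  return { user, local, active, isInGroup: (g) => groups.includes(g) };
}

// Mimics polkitd evaluation: the first rule returning a defined result wins;
// if none does, the action's implicit authorization applies. auth_admin_keep is
// assumed to be the implicit setting for user-administration (an assumption
// about the distribution's AccountsService policy file).
function authorize(actionId, subject, implicitResult = polkit.Result.AUTH_ADMIN_KEEP) {
  // AccountsService passes no detail naming the target user (assumption),
  // so action.lookup() has nothing to return and the rule cannot tell
  // "change my own password" from "change someone else's".
  const action = { id: actionId, lookup: () => undefined };
  for (const rule of polkit._rules) {
    const result = rule(action, subject);
    if (result !== undefined) return result;
  }
  return implicitResult;
}

// Constructed sample subjects (hypothetical users) for a stand-alone run.
const wheelUser = makeSubject({ user: "klaus", groups: ["users", "wheel"] });
const plainUser = makeSubject({ user: "alice", groups: ["users"] });
const remoteWheel = makeSubject({ user: "klaus", groups: ["wheel"], local: false });

console.log("wheel, local:", authorize("org.freedesktop.accounts.user-administration", wheelUser));
console.log("plain user:  ", authorize("org.freedesktop.accounts.user-administration", plainUser));
console.log("wheel, remote:", authorize("org.freedesktop.accounts.user-administration", remoteWheel));
```

Run it with `node` to see which subjects the rule lets through; the plain user still hits the implicit policy (the admin prompt the thread complains about), and a wheel member over a remote session does too. Deploying only the rule body to the real rules.d path needs the same group decision made deliberately, because the grant covers every user account, not just the caller’s own.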