Change user password in settings: root authorisation requested

Hello,

If a user password is changed in systemsettings, root authorisation is requested willfully, with a UI text confirming that it’s mandatory even if it’s the user password being updated. That’s odd. No such request is made when doing that in a terminal.

Anybody knows why this should be so?

Because passwords not only protect the system from humans, but from malware itself.

If you weren’t asked for the root password, any program in the user-space will be able to create users and change their passwords.

When a user doesn’t have access to the system components, only to their files and apps, the system is way harder for malware to tamper with.

Ok.

How should we consider KDE in the enterprise? It’s doubtful users know the root password. A compromised password will leave the user’s data vulnerable, the data having more value than the system; and the system admin of the company is busy.

Moreover, it’s doubtful malware would do that via systemsettings nor the libraries it calls.

Anyway, I just wanted to know if it’s on purpose.


Malware can’t set a user password without first knowing the existing password.
Making users requires the root password anyway, even on the CLI.

Making users require a root password, on the CLI or GUI, is not wise. KDE will be badly perceived by random Joe.


Systemsettings just calls the underlying commands, which require the password themselves.

The point is protecting /usr/bin from being substituted with something else.

This sole concept is the main reason why Linux has so little malware, compared with Windows.

Hi - just to check, what distribution are you using? I just changed my password in a KDE Neon VM, and was only asked for my own password - not the root user’s.

@AlbertoSalviaNovella The underlying command line utilities don’t require the root user’s password in order to change your own 🙂

I’m using Arch.

Operating System: Arch Linux
KDE Plasma Version: 6.3.4
KDE Frameworks Version: 6.12.0
Qt Version: 6.9.0
Graphics Platform: Wayland

Then this is a bug. I would report it.

And just to check, when you use System Settings > Users to try to change the currently logged-in user’s password, you’re prompted (in the highlighted area) for the root user’s password, not your own?

@AlbertoSalviaNovella If the OP here is getting prompted for a root password, then that’s confirmation of this bug being reproduced in Plasma 6: 378984 – Root password required for user Password change - if they were only getting prompted for their own password, that would be the desired behavior.

Yes, I agree that’s what’s expected.

Password policy has nothing to do with KDE Plasma nor any other Desktop Environment in Linux: GNOME, Unity, etc.

They are just different graphical user interfaces.

The policy depends on the underlying Linux distribution and it varies between them:

  • In Ubuntu-based distributions (like KDE Neon) the root password is not set by default and every user is given sudo rights.
  • Debian (which I use) by default is quite the opposite of Ubuntu: sudo is not set up at all, and with a basic user password one cannot do much more than log in to the user interface - even installing programs requires the root password.
    In the Debian philosophy the whole concept of sudo is criticised. It is claimed to open up security vulnerabilities. In Debian it is recommended to use su or su - instead.
    (Of course one can give a user sudo rights by using visudo.)
  • In Arch Linux you are supposed to configure user rights yourself by using visudo:
    See https://wiki.archlinux.org/title/Sudo

This silly bug is already present since 2017! 378984 – Root password required for user Password change

While you’re at it, you should research the policy org.freedesktop.accounts.change-own-password


Requiring the user to enter a root password (they don’t know) certainly has! I feel a little stupid for having to instruct my users to enter a terminal and type passwd in a graphical UI (there is no problem using the terminal):

klaus@msien:~> passwd
Changing password for klaus.
Current password: 
New password: 
Retype new password: 
passwd: password updated successfully
klaus@msien:~> 

So clearly it is possible for a non-root user on openSUSE - and it does not require/use sudo. If KDE is prevented by something on some distributions, then either KDE is doing it wrong or the distribution has put some wrong safeguards in place protecting user passwords.

For me the question is, should I report it on KDE bugtrack or (in my case) on SUSE bugtrack?

I repeat: KDE does not choose the password policy - but the distributions do.

The right address to complain to is the distribution, in your case openSUSE.
As with your example, changing the user password is possible the way you described in all or most distributions.

I enquired on Arch’s mailing list and here is a valuable explanation and a fix. It’s a polkit rule to add.

I can’t help but denounce a cultural drift towards an ever more distant ‘security or confidentiality’ goal, the result of which seems doubtful apart from creating trouble for simple tasks.
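The thread ends by saying the fix is a polkit rule but does not show it. The following is an added illustration, not the rule from the Arch mailing list or anything shipped by KDE or a distribution: a polkit rules file (the path /etc/polkit-1/rules.d/49-change-own-password.rules is an assumed name) that makes the org.freedesktop.accounts.change-own-password action mentioned above prompt for the caller’s own password rather than an administrator’s, and only for an active local session. The rule logic is kept in a plain function so it can be checked outside polkitd.

```javascript
// Added example (not from the thread). Save as e.g.
// /etc/polkit-1/rules.d/49-change-own-password.rules (assumed file name).
// polkit rules files are ES5 JavaScript, so only `var` and plain functions
// are used here.

var CHANGE_OWN_PASSWORD = "org.freedesktop.accounts.change-own-password";

// Decide how polkit should treat one authorisation request.
// Returns "auth_self_keep" (ask for the caller's OWN password and cache it)
// or undefined, which tells polkit the rule does not handle this request and
// the distribution's .policy defaults / later rules apply unchanged.
function changeOwnPasswordRule(action, subject) {
  if (action.id !== CHANGE_OWN_PASSWORD) {
    return undefined;             // not the password-change action: leave alone
  }
  // Only an active, local (console) session gets the relaxed path; a remote
  // or background process keeps whatever the defaults demand.
  if (!subject.local || !subject.active) {
    return undefined;
  }
  return "auth_self_keep";        // the user's own password, not root's
}

// Register the rule when this file is loaded by polkitd; `polkit` is not
// defined when the logic is exercised stand-alone.
if (typeof polkit !== "undefined") {
  polkit.addRule(function (action, subject) {
    var decision = changeOwnPasswordRule(action, subject);
    if (decision === "auth_self_keep") {
      return polkit.Result.AUTH_SELF_KEEP;
    }
    return polkit.Result.NOT_HANDLED;
  });
}
```

Because the rule still returns an authentication result (AUTH_SELF_KEEP) rather than YES, a program running as the user cannot change the password silently; it only removes the root prompt the thread complains about.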