Thanks for taking the time to report your issue. In this case, the tools you're highlighting do not use sudo, but instead use policykit-1 to verify privileges. In order to require the root password instead of your user's password to operate those utilities, you'll need to modify your policykit configuration to do so. Specifically, you'll need to override the configuration in /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf; you can do this by creating a conf file that begins with a higher number in /etc/polkit-1/localauthority.conf.d/ (e.g. 60-local-admin.conf). Copying the contents of /etc/polkit-1/localauthority.conf.d/50-localauthority.conf into it (specifically setting 'AdminIdentities=unix-user:0') will cause policykit to require the root password when authenticating for administrative privileges.

You can verify this by using pkexec as well as the other tools you listed above; e.g. "pkexec date" should require the root password after changing your configuration. And of course, you'll want to be careful making changes to your policykit configuration, as you could be creating a security exposure for yourself.

** Package changed: sudo (Ubuntu) => policykit-1 (Ubuntu)

** Changed in: policykit-1 (Ubuntu)
       Status: New => Invalid

** Information type changed from Private Security to Public

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/1643931

Title:
  Security problem with Super User Authorization

Status in policykit-1 package in Ubuntu:
  Invalid

Bug description:
  luca@pc-sala:~$ lsb_release -rd
  Description: Ubuntu 16.04.1 LTS
  Release: 16.04
  luca@pc-sala:~$
  luca@pc-sala:~$ apt-cache policy sudo
  sudo:
    Instalados: 1.8.16-0ubuntu1.2
    Candidato: 1.8.16-0ubuntu1.2
    Tabla de versión:
   *** 1.8.16-0ubuntu1.2 500
          500 http://pe.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       1.8.16-0ubuntu1 500
          500 http://pe.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
          500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
  luca@pc-sala:~$

  On my system I have 3 accounts (me, my wife and my son). My account is the only one that can use SUDO, the others are desktop users.

  I need to limit the access to my son (5 years old), so I had to put the password to my login, but my password was very strong: large and complicated. Otherwise I sometimes need to use SUDO (truecrypt, rsync with other devices, etc.).

  In order to simplify my login and keep the ability to use SUDO I activated the "targetpw" flag in sudoers, so now my login password is quite easy and the ROOT account has the strong password.

  It works, programs like synaptic, sudo, gksu and others accept the root password, but I found a very, very strange behaviour in some programs, for example:

  a) users-admin
  b) gnome-language-selector
  c) lightdm-gtk-greeter-settings-pkexec

  Those programs perform admin tasks and I suppose that when they ask for the password authorization they need the root password. No! They want my personal account password, the root password is not accepted.

  I think that this is not right, because my system now has a security weakness, and I don't know how many other programs have the same behaviour. This could be a serious security breach.
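
The override order described in the reply above can be audited before relying on it. This shell script is an added example, not part of the bug report or of policykit-1: it resolves which AdminIdentities value wins in a localauthority.conf.d-style directory and reports whether root is the only admin identity. The function names are hypothetical, the sample files are constructed in a temporary directory, and the contents shown for 51-ubuntu-admin.conf are an assumption.

```shell
#!/bin/sh
# Added example: audit which identities polkit's local authority accepts
# for admin authentication.

# Print the AdminIdentities value that wins in conf directory $1. Files are
# applied in C-locale lexical order, so the last file that sets the key wins.
effective_admin_identities() (
    LC_ALL=C; export LC_ALL
    value=
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        # Only honour the key inside the [Configuration] group.
        v=$(awk '
            /^[ \t]*\[/ { cfg = ($0 ~ /^[ \t]*\[Configuration\][ \t]*$/); next }
            cfg && /^[ \t]*AdminIdentities[ \t]*=/ {
                sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = $0
            }
            END { if (val != "") print val }' "$f")
        if [ -n "$v" ]; then value=$v; fi
    done
    printf '%s\n' "$value"
)

# Succeed only when root (uid 0) is the sole admin identity.
root_password_required() {
    case $(effective_admin_identities "$1") in
        unix-user:0|'unix-user:0;') return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample directory; the 51-ubuntu-admin.conf contents are assumed.
demo() {
    d=$(mktemp -d)
    printf '[Configuration]\nAdminIdentities=unix-user:0\n' > "$d/50-localauthority.conf"
    printf '[Configuration]\nAdminIdentities=unix-group:sudo;unix-group:admin\n' > "$d/51-ubuntu-admin.conf"
    echo "before override: $(effective_admin_identities "$d")"
    printf '[Configuration]\nAdminIdentities=unix-user:0\n' > "$d/60-local-admin.conf"
    echo "after override:  $(effective_admin_identities "$d")"
    root_password_required "$d" && echo "root password required"
    rm -rf "$d"
}
demo
```

Calling root_password_required on /etc/polkit-1/localauthority.conf.d applies the same check to a real host; a later file that reintroduces a group identity makes it fail.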