Prevent standard user from changing encryption passphrase

Bob

How do I prevent non-root attempts by a local user to change the whole-disk encryption passphrase of the actual system in Ubuntu 20.04 LTS?

Note that I removed my account from the sudoers list, then restarted, and yet there is no prompt for the root password.

The system is installed on an SD card.

user10489
Which encryption passphrase?
Bob
System whole disk encryption
user10489
And what testing did you do to determine that a non-root user can change that passphrase?
heynnema
Does the user have physical access to the computer? Lock out the user's account. Start comments to me with @heynnema or I'll miss them.
Bob
@heynnema Yes, I want to block a physical user's access to changing the encryption password using the graphical app Disks, without locking the local user account.
heynnema
Is the user account an admin account with sudo access?
Bob
@heynnema I removed my account from the sudoers list and yet there's no prompt for the root password, and I can change the passphrase without a password. I think I have to block the script to be executed by root only; still, I don't know exactly what script, and I don't want to break the system. Do you have an idea how I can do so? Or is there another solution for the issue?
heynnema
Did you set a root password? I don't know how to help any further. Hopefully somebody else will chime in with a better solution.
user10489
Check contents of /etc/sudoers and /etc/sudoers.d/ to see if your user is configured to sudo without a password.
Bob
@user10489 The local user is denied sudo privileges. When I try to unlock the SATA hard drive where my other system (Debian) is installed, it does ask for a password, but when I try to change the passphrase on the SD card where my active system is installed, it doesn't ask for a password.
Bob
So I think I have to activate password protection for the SD card.
user10489
What is the exact command that you are using to change the disk password?