Better users management

Referring to KDE, but most likely other DEs work the same way. Since many installations have multi-user setups, Manjaro lacks better user management at the moment. Here are the specific missing features and their benefits:

  1. Option to allow a standard user to change his password. In short, it's a huge security weakness. I searched the forum and found similar questions earlier, and a few users suggested that the system is more secure if only the super admin can change a user's password. Actually, it's the opposite, and here's a recent (last week's) story - a friend of mine has Manjaro installed in his office (a small local company) and he is the super admin, while the office workers are standard users. One of the users suspected his password had become known to a colleague, so he wanted to change it. Obviously, Manjaro didn't allow it, so he called the admin asking for help, but he was out of the country and couldn't assist. So the user had to keep his old (possibly leaked) password. A few days later (the office is monitored by cams) one of the colleagues logged in to his account and performed some stuff (no need for more details here). As you see from this real-life example, it's a terrible decision to prevent users from changing their own passwords.

  2. If option #1 is implemented, we can also implement an option to force users to change passwords every X days/weeks/months for better security. It's available in many other distros, and such an option would add the same security benefits to Manjaro as well.

  3. A single, but more powerful user management tool. Manjaro KDE has 2 tools to manage users. Both have the same limited features and a very similar look. In short, they duplicate each other, and I see no logical reason why 2 duplicated tools are included by default. Instead, we could have only one, but more powerful, tool which enables us not only to add/edit/delete users, but also to change their permissions the easy way. For example, Ubuntu-based (and some other) distros allow enabling/disabling individual features (USB storage mounting, etc.) in the user management window. Manjaro has a similar feature, but it's much more complicated because it only allows assigning users to specific groups (like "optical", "lp", etc.) but these are not clear to 99% of users.

Hope I explained all the features clearly enough. If not, please let me know. Waiting for other users' feedback and comments.

1 Like

As far as I know, users can change the password of their own account:
From man passwd:

8 Likes

I think the problem here is not that the password of a Standarduser can be changed by that Standarduser from terminal by using the command:
passwd Standarduser
and most users don't know, but the fact that from the two GUI to make that change

  • User Accounts - that should be used just by the Administrator
    and
  • Account Details - that should be used by any user for its own account, for KWallet, avatar, etc ... and in case of changing the password should only ask for the old user password

none work without the Administrator password ... I don't think the issue is with Manjaro tho, but with the way polkit is used in KDE Plasma. I might be wrong, but it definitely should be addressed/fixed somehow :slight_smile:

5 Likes

Manjaro isn't really intended to be used as a business-oriented distribution. There are ways to tie it into an IDP, e.g. an LDAP server, but this is really up to the organisation's network administrators to implement.

Covered already.

While it's possible to do (see man passwd: -w, -x) it's not really a local system function. If you have one password for multiple PCs but change the password on one, then you'd have to change the password on all of them.

This is where an IDP comes in, e.g. https://wiki.archlinux.org/index.php/Samba/Active_Directory_domain_controller

This seems more reasonable to address. What are the tools?

3 Likes
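
The `-x` and `-w` options mentioned above set the maximum-age and warning fields of each account's `/etc/shadow` entry. As an added example (not part of any post in this thread), this shell function classifies accounts from shadow-format lines; the sample lines, hashes and day numbers are constructed, and the expiry boundary is approximated as last change plus maximum age.

```shell
#!/bin/sh
# Added example: classify password ageing from shadow(5)-format lines.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# `passwd -x` writes field 5 (max days), `passwd -w` field 6 (warn days).

# aging_status TODAY_DAYS   (reads shadow-format lines on stdin)
# Prints "user status days_left"; days_left is "-" when there is no limit.
aging_status() {
    awk -F: -v today="$1" '
    $2 ~ /^[!*]/ { next }                  # locked or no-login accounts
    {
        last = $3; max = $5; warn = $6 + 0
        # lastchg of 0 forces a change at next login
        if (last == "0") { print $1, "must-change", 0; next }
        if (last == "" || max == "" || max + 0 >= 99999) {
            print $1, "no-expiry", "-"; next
        }
        left = last + max - today          # days until the password expires
        if (left < 0)          status = "expired"
        else if (left <= warn) status = "warn"
        else                   status = "ok"
        print $1, status, left
    }'
}

# Constructed sample (not real hashes). Day numbers count from 1970-01-01.
SAMPLE='alice:$6$constructed$hashA:19900:0:90:7:::
bob:$6$constructed$hashB:19900:0:99999:7:::
carol:$6$constructed$hashC:19800:0:90:7:::
dave:$6$constructed$hashD:0:0:90:7:::
svc:!:19000:0:99999:7:::
erin:$6$constructed$hashE:19980:0:90:7:::'

# Report for the sample, evaluated as of constructed day 19985.
sample_report() {
    printf '%s\n' "$SAMPLE" | aging_status 19985
}

sample_report
```

On a live system, run it as root against the real file: `aging_status "$(( $(date +%s) / 86400 ))" < /etc/shadow`.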

In Gnome there is one tool and any Standarduser can change their password from that, with no requirement for Administrator password.

4 Likes

To be more precise
User account is MSM Module
Account details is a plasma module from KDE

There is maybe a bug in the plasma module, as I saw once it was using different polkit rules, asking for the user password to change its own account and sometimes the sudo account (you see the difference in the polkit action name), but it seems it does not work as intended

The MSM module is not implemented to authorize users to change their own password

9 Likes

Way better explained than me! Thanks for that!!!

I recently learned it's actually possible for standard user to change his account password via command line, but how many of them will know that? System admins might know it, but they can also change their passwords via GUI. And standard user (who will be waaaaaay less experienced than admin) won't know how to change his password via command line.

Which leads to a question - if standard user can change his password via CLI, why is it forbidden for him to do the same using GUI? Especially because a majority of standard users will only be using GUI.

but the fact that from the two GUI to make that change

  • User Accounts - that should be used just by the Administrator
    and
  • Account Details - that should be used by any user for its own account, for KWallet, avatar, etc ... and in case of changing the password should only ask for the old user password

none work without the Administrator password ...

Yes, this is exactly what I wanted to say.

You can use kdialog to ask input graphically and then alter the password through a script.

From here:

kdialog --password "Please enter the server access code:"

You can assign the current and new password to variables. Let's say oldPass and newPass. Then alter it. Example:

printf '%s\n' "$oldPass" "$newPass" "$newPass" | passwd

And provide feedback of the success using a different dialog. Example:

kdialog --msgbox "Password correct.\n About to connect to server"

The exit status of the dialogs is also explained here.

1 Like
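
The kdialog procedure from the post above assembled into one script, as an added example that is not the poster's own code. The function names and the `DIALOG` override are assumptions of this example, and it assumes, as the post's pipeline does, that `passwd` reads its prompts from standard input.

```shell
#!/bin/sh
# Added example: GUI front end for a user's own password change.
DIALOG=${DIALOG:-kdialog}   # assumption: overridable so the flow can be tested

# check_new OLD NEW CONFIRM -> 0 ok, 1 mismatch, 2 empty, 3 same as old
check_new() {
    [ -n "$2" ] || return 2
    [ "$2" = "$3" ] || return 1
    [ "$1" != "$2" ] || return 3
    return 0
}

change_password_gui() {
    # kdialog prints the entry on stdout; a non-zero exit means Cancel.
    old=$("$DIALOG" --password "Current password:") || return 10
    new=$("$DIALOG" --password "New password:") || return 10
    confirm=$("$DIALOG" --password "Repeat new password:") || return 10

    rc=0
    check_new "$old" "$new" "$confirm" || rc=$?
    if [ "$rc" -ne 0 ]; then
        "$DIALOG" --error "New password is empty, mismatched or unchanged."
    # printf is a builtin in bash and dash, so the secrets are not passed
    # as arguments to an external process.
    elif printf '%s\n' "$old" "$new" "$new" | passwd >/dev/null 2>&1; then
        "$DIALOG" --msgbox "Password changed."
    else
        rc=4
        "$DIALOG" --error "passwd rejected the change."
    fi
    unset old new confirm
    return "$rc"
}

# Only open dialogs when explicitly asked to.
if [ "${1:-}" = "--run" ]; then change_password_gui; fi
```

Quoting the variables and using `printf` keeps passwords containing spaces, globs or backslashes intact on their way to `passwd`.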

Good explanation, but I just had one question:

User account is MSM Module

Could you define this please? I did some searching for this term connected to Linux or KDE but I couldn't find a conclusive answer (I did get several Android specific matches for some reason).

And picking up on something @toxpal mentioned:

Manjaro installed on his office

This is the second time in the last while that I've come across mentions of using Manjaro in a business setting! I would not have thought it a likely candidate for that kind of deployment. Is this just happening coincidentally, or are there any aspirations from the development team to break into that sector? Maybe in a sort of SUSE/openSUSE arrangement?

MSM = Manjaro Settings Manager
On Plasma, all MSM modules are available in KDE System Settings in the "Manjaro" category.
Such as Kernels, Hardware, Languages, etc.
Those modules are Manjaro-specific tools.

They are also available inside MSM itself (as an application and not as settings modules inside KDE settings).

Manjaro Settings Manager (all the different modules below are also available in KDE settings in the Manjaro category)

2 Likes

@magtuired, I'm also installing Manjaro for my business needs right now. Here are my reasons:

  1. It's really user friendly.
  2. I don't need very complex features. I have 4 offices, but I need only 1 machine in each office (no internal networks, workgroups, etc.) for basic tasks, and Manjaro is OK for me.
  3. I run Manjaro and antergos (which is almost the same) on my other machines at home, so I have some experience with this OS, which means I'll be able to manage/troubleshoot office machines easier because of the same OS.

After trying some other distros, I seriously considered openSUSE, but it didn't offer many extra benefits for me, so Manjaro was the final choice because of the reasons above.

If you guys believe it's not the right distro for such needs, let me know.

they are also available inside MSM itself.

Ahhh, ok! Thank you. That makes a lot more sense now. I was wondering what the story was behind the apparent duplication of certain features. Using the search function in particular would sometimes bring up two similar-sounding application results.

I'd say

forbidden

is too strong a word to use here. Seems to be a not-yet-implemented feature (an oversight if you will) more than a deliberate attempt to restrict user actions.

I'm not an expert by any means and have only been using Manjaro for 2 years, but I would not personally have thought of using Manjaro in a business setting. Again, that could just be my own ignorance speaking though.

I was self employed for a time and did use Manjaro for my own workflow, but I didn't have to worry about other users.

I don't need very complex features. I have 4 offices, but I need only 1 machine in each office (no internal networks, workgroups, etc.) for basic tasks, and Manjaro is OK for me.

This use case seems a tiny bit at odds with the ethos of a rolling release distro - i.e. access to the latest and greatest goodies as soon as possible, rather than a distro that prioritises stability above all.

You're right though, Manjaro is fairly user friendly. I'm just not sure it's designed for office use, say compared to community distributions directly derived from enterprise projects like CentOS/Red Hat or openSUSE/SUSE, which perhaps are more easily adaptable to that kind of deployment.

is too strong a word to use here. Seems to be a not-yet-implemented feature (an oversight if you will) more than a deliberate attempt to restrict user actions.

I would say it's forbidden because the feature is there (user has option to enter new password), but password change fails if user has no admin rights. And user has the same option (to change his password) in both tools, but none of them allows to finalize the change. So I'd say, it's forbidden.

I'm just not sure it's designed for office use

Actually, I did one test run for more than a year. Installed antergos (which is slightly more complicated than Manjaro, from my experience) to replace aging Windows 7 on yet another office machine. Primary user was a young woman with 0 experience in Linux. So far, her feedback was very positive and the only problem that occurred during this time was some update which broke dependencies. Fixed in an hour or so by using forums search.

A few months later, she asked me if I can delete Win7 from her personal PC and install antergos KDE for her, which I gladly did. And I believe Manjaro will perform even better.

Yes, it has some annoying/unsolved bugs (compared to antergos) related to printers and scanners (this forum is full of complaints about a few specific issues), but I still like it a lot.

No. It's just a bug.
You should create a bug report for that software.

1 Like

Alright, let's agree it's a bug, which will hopefully be fixed.

It is questionable if regular changes of passwords increase security - many users are very annoyed if they are forced to change, and then often tend to use a simple password (knowing they'll have to change it again in X days/weeks/months), or just continue to use their old password with e.g. a "1" appended.

It would be nice to have GUI, but on your point 1 I cannot agree.
There's nothing easier than to type "passwd" in a terminal really... it just has to be communicated correctly.

3 Likes

Yes, especially for average office user who has a panic attack after seeing a CLI :slight_smile:
