I'm assuming that this is a user rights problem, although with my limited knowledge it may very well be something else. I've got a Suse 10 box that authenticates against my Active Directory. Everything works great and my users can log on. However, there is one account that I wish to have administrative privileges on the machine. To that end, I have placed that user in the root group. He is able to log in and work with the box, but I've noticed two problems:
1. The PATH variable isn't set to the same as it is for root. I'm not using any sort of bashrc script for root except what is in bashrc.local, so I assumed that it would be the same. This isn't a big deal because I can create a bashrc script for that user if I need.
2. When running Yast, the installation source is the same (an FTP site that I use), but when I go to install something while running as this user, Yast tells me "Cannot access installation media SUSE LINUX Version 10.0 CD 1." Show details tells me "ERROR (Media:unable to write file) [/media.1/media]."

The first problem can be solved by using the "su -" command. Note that
OK. I understand what you're saying here, but I'm from a Windows
environment and not really used to Linux permissions. Basically, I have
three users who are administrators on this server (all my servers
actually). The whole purpose of authentication against the Active
Directory is so that I can provide single sign-on capability to these
users and just give root a complex password that I don't have to give
out to everyone. If they have to su to do anything on the box, then
there's really no point in using AD authentication. Is this the case,
or is there some way I can assign certain permissions to these users?
-----Original Message-----
From: Jerry Feldman [mailto:gaf@blu.org]
Sent: Monday, March 13, 2006 8:12 AM
To: suse-linux-e@suse.com
Subject: Re: [SLE] Stupid newbie user rights question
On Monday 13 March 2006 8:54 am, Drew Burchett wrote:
the hyphen allows him/her to become root and makes the terminal perform as a login shell. This will cause him/her to get root's PATH.
Note that he needs to use either the "su" command or "sudo" or "sux" to become root. Just because he is in root's group does not extend root's ownership privileges to him. And, you never want a regular user to have admin permissions per se. The convention is that everyone, including admins, run as normal users and become root (or log in as root) when they need to.
I think your second issue is probably related to this, and an "su -" should solve both.
--
Jerry Feldman
On Monday March 13 2006 08:26, Drew Burchett wrote:
OK. I understand what you're saying here, but I'm from a Windows environment and not really used to Linux permissions. Basically, I have three users who are administrators on this server (all my servers actually). The whole purpose of authentication against the Active Directory is so that I can provide single sign-on capability to these users and just give root a complex password that I don't have to give out to everyone. If they have to su to do anything on the box, then there's really no point in using AD authentication. Is this the case, or is there some way I can assign certain permissions to these users?
What you're looking for is sudo. You can set it up so that they can have as much permission (e.g. running only specific commands) or all rights and all they have to know is their own password if set up correctly. man sudo is your friend. Also /usr/share/doc/packages/sudo is probably worth perusing. Remember to use visudo as root to make the changes to the file when you get ready to implement.
--
~R~
If you sit down at a poker game and don't see a sucker, get up. You're the sucker.
On Monday 13 March 2006 9:26 am, Drew Burchett wrote:
OK. I understand what you're saying here, but I'm from a Windows environment and not really used to Linux permissions. Basically, I have three users who are administrators on this server (all my servers actually). The whole purpose of authentication against the Active Directory is so that I can provide single sign-on capability to these users and just give root a complex password that I don't have to give out to everyone. If they have to su to do anything on the box, then there's really no point in using AD authentication. Is this the case, or is there some way I can assign certain permissions to these users?

The way Unix and Linux systems are set up and have been set up, is that regular users are authenticated either locally or remotely (by NIS or AD). However, the root privilege is assigned on a per system basis.
The su(1) command allows a user who knows the root password to become the
super user (e.g. root).
The sudo(1) command uses a protected file, /etc/sudoers, that extends
privileges to users. You can give them all the privileges, and require a
password (their user password, not root's). You can also set up sudoers to
not require a password for specific users, and you can restrict a user to a
limited number of tasks.
----
Unix/Linux permission scheme:
Every file (and directory) has a set of permissions for the owner, the
group, and everyone else. These are read, write, execute. These work
reasonably well.
-rwxr-xr-x 1 root root 490716 2005-09-09 12:12 /bin/bash
Note that /usr/bin/bash is read, write, execute for the owner (root), and
read-execute for the group and everyone else.
drwxr-xr-x 2 root root 65192 2006-03-13 07:42 bin
In this case, bin is a directory (/usr/bin in this case)
The execute bit on a directory means that you allow someone to cd into the
directory. The read-bit means that you allow someone to look into the
directory such as with ls.
drwxr-x--- 2 root root 65192 2006-03-13 07:42 foo
In the above case only root and those in root's group can enter or see the
directory but only root can make changes in the directory.
In addition, you can install ACLs, but you must actually set them up.
--
Jerry Feldman
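
An added example, not part of the original thread: a small Python model of the owner/group/other check described in the message above, showing what membership in root's group does and does not grant. The account names `aduser` and `guest` are hypothetical, the listings are modeled on the ones in the message, and ACLs are ignored.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    mode: str    # ls -l mode string, e.g. "drwxr-x---"
    owner: str
    group: str

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    uid: int = 1000

def access(user: User, entry: Entry) -> set:
    """Return the subset of {'r','w','x'} granted by the classic mode bits."""
    mode = entry.mode
    if len(mode) != 10:
        raise ValueError(f"expected a 10-character mode string, got {mode!r}")
    if user.uid == 0:
        # uid 0 bypasses read/write checks; executing a regular file still needs an x bit.
        can_exec = mode[0] == "d" or any(c in "xst" for c in mode[3::3])
        return {"r", "w", "x"} if can_exec else {"r", "w"}
    # Exactly one class applies: owner, else group, else other (no fall-through).
    # The kernel compares numeric ids; names are used here for readability.
    if user.name == entry.owner:
        triad = mode[1:4]
    elif entry.group in user.groups:
        triad = mode[4:7]
    else:
        triad = mode[7:10]
    # Upper-case S/T mean a special bit is set without execute.
    return {p for p, bit in zip("rwx", triad) if bit not in "-ST"}

def dir_abilities(user: User, entry: Entry) -> dict:
    """Translate the bits on a directory into what the user can do with it."""
    p = access(user, entry)
    return {"list": "r" in p, "enter": "x" in p, "modify": {"w", "x"} <= p}

# Constructed sample data.
BASH = Entry("-rwxr-xr-x", "root", "root")
FOO = Entry("drwxr-x---", "root", "root")
ROOT = User("root", frozenset({"root"}), uid=0)
ADUSER = User("aduser", frozenset({"users", "root"}))  # hypothetical AD account in group root
GUEST = User("guest", frozenset({"users"}))            # hypothetical account outside the group

if __name__ == "__main__":
    for u in (ROOT, ADUSER, GUEST):
        print(u.name, "on foo:", dir_abilities(u, FOO), "| bash:", sorted(access(u, BASH)))
```

The group member can list and enter `foo` but cannot change it; only uid 0 gets the owner's write access, which is why group membership alone does not make an account an administrator.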
On Monday 13 March 2006 8:26 am, Drew Burchett wrote:
OK. I understand what you're saying here, but I'm from a Windows environment and not really used to Linux permissions. Basically, I have three users who are administrators on this server (all my servers actually).
First, do not top-post. It breaks up the flow of the thread. Treat emails like a one page book; start reading/writing at the top of the page and continue to the bottom. Thanks.

This is a basic difference between Windows and Linux. Having a single sign-on for any admins and/or the super-user root account across all your Linux machines is a sure way to get them all compromised at once. The Unix/Linux way is to secure each machine independently so there is less risk of more than one being compromised at a time.

There are numerous ways to accomplish your system administration by multiple users being allowed super-user root privileges on Linux machines. SSH keys, adding admin users to the wheel group, adding admin users to the /etc/sudoers file, etc.

A quick google using "linux users as root" gives a short and sweet description from RedHat: http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/s1-wsta... This is by no means exhaustive. This is just the beginning.
The whole purpose of authentication against the Active Directory is so that I can provide single sign-on capability to these users and just give root a complex password that I don't have to give out to everyone. If they have to su to do anything on the box, then there's really no point in using AD authentication. Is this the case, or is there some way I can assign certain permissions to these users?
To be successful with Linux and maintain decent system security, you really need to quit thinking the Microsoft way. Single sign-on would be easy but it also becomes totally insecure from internal and external security problems (rogue admins, email viruses and spyware and trojans, etc). There are better and more secure ways of doing what you want to do. The magic wand of "single sign-on" just ain't that easy or desirable in Linux security.
Good luck,
Stan
On 13/03/06 09:21, S Glasoe wrote:
<snip> A quick google using "linux users as root" gives a short and sweet description from RedHat: http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/s1-wsta... This is by no means exhaustive. This is just the beginning.
Bloody hell, google.ca only gives me 45 results, and this is not one of them. Can't force myself onto google.com either, as that simply redirects me to the Canadian site. In fact, there is nothing of interest in any of those 45 returns.
On Mon, 2006-03-13 at 15:11 -0600, Darryl Gregorash wrote:
On 13/03/06 09:21, S Glasoe wrote:
<snip> A quick google using "linux users as root" gives a short and sweet description from RedHat: http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/s1-wsta... This is by no means exhaustive. This is just the beginning.
Bloody hell, google.ca only gives me 45 results, and this is not one of them. Can't force myself onto google.com either, as that simply redirects me to the Canadian site.
try http://www.google.ca/linux
In fact, there is nothing of interest in any of those 45 returns.
I had ten pages of results at ten results per page, I did not see that result returned, but I just scanned the first page.
On 13/03/06 15:23, Mike McMullin wrote:
2 results.
On 14/03/06, Darryl Gregorash
Hmmm, 41,300,000 English pages in google.com, 843,000 English pages in google.co.uk & 4,920,000 English pages in the Linux specific google.co.uk

As an offshoot to the main thread it does show how Google can give differing results depending on how it is used. Something to bear in mind.
--
I am only human, please forgive me if I make a mistake it is not deliberate.
Xmas may be over but, PLEASE DON'T drink and drive you'll make it to the next one that way.
Kevan Farmer
Linux user #373362
Cheslyn Hay Staffordshire WS6 7HR
Mike McMullin wrote:
try http://www.google.ca/linux
I had ten pages of results at ten results per page, I did not see that result returned, but I just scanned the first page.
Hmm, when I tried that it was the second hit. I'm in the UK. The exact URL Google shows for my query is:
http://www.google.ca/linux?hl=en&q=linux+users+as+root&btnG=Search&meta=
Cheers,
Dave
On Tue, 2006-03-14 at 10:21 +0000, Dave Howorth wrote:
Hmm, when I tried that it was the second hit. I'm in the UK. The exact URL Google shows for my query is:
http://www.google.ca/linux?hl=en&q=linux+users+as+root&btnG=Search&meta=
Got that result too. Must have been looking at the result Title. Darryl has a problem. :(
On 14/03/06 11:12, Mike McMullin wrote:
<snip>
Darryl has a problem. :(
Indeed I do; my ISP help desk just did the search for me, and got over 14 million results. :( Time, I think, to reinstall Mozilla, from scratch.
On Tue, 2006-03-14 at 20:47 -0600, Darryl Gregorash wrote:
Indeed I do; my ISP help desk just did the search for me, and got over 14 million results. :(
Time, I think, to reinstall Mozilla, from scratch.
Why not try locating and renaming the directory that mozilla uses to store its configuration files, and refire up mozilla and retry your search.
On 15/03/06 08:52, Mike McMullin wrote:
Why not try locating and renaming the directory that mozilla uses to store its configuration files, and refire up mozilla and retry your search.
I already tried that, unless you mean some place other than ~/.mozilla
On Wed, 2006-03-15 at 13:39 -0600, Darryl Gregorash wrote:
I already tried that, unless you mean some place other than ~/.mozilla
That was the directory that I had in mind. How well do you make out in other browsers, like Opera, Firefox, Galeon, Netscape and Konqi?
On 13/03/06 15:11, Darryl Gregorash wrote:
On 13/03/06 09:21, S Glasoe wrote:
<snip> A quick google using "linux users as root" gives a short and sweet description from RedHat: http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/s1-wsta... This is by no means exhaustive. This is just the beginning.
Bloody hell, google.ca only gives me 45 results, and this is not one of them. Can't force myself onto google.com either, as that simply redirects me to the Canadian site.
In fact, there is nothing of interest in any of those 45 returns.
Well, silly me; I had assumed that Stan meant a search on the phrase "linux users as root", rather than a simple word search.
On Wednesday 15 March 2006 8:51 pm, Darryl Gregorash wrote:
On 13/03/06 15:11, Darryl Gregorash wrote:
On 13/03/06 09:21, S Glasoe wrote:
<snip> A quick google using "linux users as root" gives a short and sweet description from RedHat: http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/s1-wstation-privileges.html This is by no means exhaustive. This is just the beginning.
Bloody hell, google.ca only gives me 45 results, and this is not one of them. Can't force myself onto google.com either, as that simply redirects me to the Canadian site.
In fact, there is nothing of interest in any of those 45 returns.
Well, silly me; I had assumed that Stan meant a search on the phrase "linux users as root", rather than a simple word search.
Oops. I didn't even think of that or to add the standard disclaimer 'without the quotes'. But yes, I did a simple word search and I did not mean to imply a phrase search. Was too busy to do anything but slightly monitor the ensuing hilarity.
Stan
participants (8)
- Darryl Gregorash
- Dave Howorth
- Drew Burchett
- Jerry Feldman
- Kevanf1
- Mike McMullin
- Roger Haxton
- S Glasoe