Gentoo Forums
What type of account should I create if I'm the only user
kbzium
Tux's lil' helper

Joined: 31 Jul 2012
Posts: 146

Posted: Mon Aug 06, 2012 8:17 pm    Post subject: What type of account should I create if I'm the only user

Hello,

I know that being root all the time may cause problems (you can do something terribly wrong by mistake). But not having any rights makes me mad, as I must su - whenever I need something. So what's the best configuration for you? What privileges should I add to my normal account? Wheel only? And that for sound? What about groups?


Thanks!

NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 54097
Location: 56N 3W

Posted: Mon Aug 06, 2012 8:50 pm

kbzium,

Use root only when you need to. Use a normal user whenever you can.
You do not need to use su - to get root when you only need it for a few commands.

Code:
emerge sudo


Now you can prefix root commands with sudo, as in
Code:
sudo fdisk -l /dev/sda

It's up to you if you make it ask for a password or not. If you do, it has a timeout so you don't have to enter the password for every command.

If you use passwords, it wants your normal user password, not root's.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

cwr
Veteran

Joined: 17 Dec 2005
Posts: 1969

Posted: Wed Aug 08, 2012 4:41 pm

I really wouldn't run as root if I were you - it's far too easy to blow stuff
away. Use sudo, as Neddy suggests, and give yourself wheel privileges.
(There are a couple of other groups you might want to belong to, but I
can't recall them - they will become apparent in normal use.)

Will

cach0rr0
Bodhisattva

Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

Posted: Wed Aug 08, 2012 10:25 pm

Add a normal user, then put yourself into these groups once you get to the point where you've installed X

Code:

wheel audio cdrom video games cdrw users plugdev meat


This should be more than sufficient. My install is a few years old now and I have not needed to add my main account to any more groups.

If I really want to do a ton of administrative stuff?

sudo su -
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash

grunch
n00b

Joined: 09 Sep 2004
Posts: 8
Location: Wisconsin, USA

Posted: Wed Aug 08, 2012 10:53 pm

cwr wrote:
I really wouldn't run as root if I were you - it's far too easy to blow stuff
away. Use sudo, as Neddy suggests, and give yourself wheel privileges.
(There are a couple of other groups you might want to belong to, but I
can't recall them - they will become apparent in normal use.)

Will


I'll be the third to suggest using sudo(8). I use it so much that I sometimes (though rarely) find myself using it when I don't need escalated privileges (bad habit).

Here's the list of groups for which my user ID is a member:

Code:

0(root), 4(adm), 7(lp), 9(kmem), 14(uucp), 18(audio), 19(cdrom), 27(video), 35(games), 60(mysql), 80(cdrw), 81(apache), 85(usb), 100(users), 103(crontab), 106(lpadmin), 250(portage), 980(vboxusers), 981(rtkit), 983(pulse-access), 985(tcpdump), 987(kvm), 988(qemu), 989(kismet), 994(wireshark), 995(realtime), 996(scanner), 997(plugdev)


I'm certain I don't need to be in all these groups ...

Obviously, your group numbers may be different, so use the names not the group numbers if you choose to add your user ID to any of these on your system.

1clue
Advocate

Joined: 05 Feb 2006
Posts: 2569

Posted: Wed Aug 08, 2012 11:32 pm

I used to put myself on as wheel first thing after every install.

Seriously, that's bad. Anything you do, you're running it with escalated privileges and that means if you get some sort of malware that's what the malware gets too. Ask me how I know.

Right now my sole tool of convenience is sudo, and even that requires my insanely complicated password when I use it. It's easy enough to become root if you have to, but frankly there's not even a real reason to run a service as root most of the time.

What could you possibly be doing every day that needs special access? If your normal user needs special access, then IMO that means you're doing something wrong. You should be able to run your system with unmodified permissions most of the time and do whatever you need to do without more authority than a default user gets.

Odward
n00b

Joined: 21 Mar 2012
Posts: 65

Posted: Thu Aug 09, 2012 5:12 am

1clue wrote:
I used to put myself on as wheel first thing after every install.

Seriously, that's bad. Anything you do, you're running it with escalated privileges and that means if you get some sort of malware that's what the malware gets too. Ask me how I know.


Am I misunderstanding your statement or am I misunderstanding wheel? I thought the wheel group only gave you the ability to su on that account, not 'anything you do is escalated.' Unless you meant that you normally would su first and then proceed to daily use of your system.

After installing Gentoo I ended up adding myself to the groups that cach0rr0 listed, with the exception of 'meat' as I'm not sure what that's about. I am in the habit of using su on the command line when something requires permissions, although perhaps sudo is better suited to the task. I have given myself the ability to use sudo for a few commands, but pretty minimal so far.

To the OP: I can agree with cach0rr0's suggestions for groups as it's been sufficient for me, although I understand your needs may differ significantly. I su mostly for emerges and some config edits, but neither of those are daily tasks. If you can't stand to utilize su or sudo 'ever' I don't know what to suggest =) But besides all the wrong you can do with a single mistake as root, the same is true for what 1clue mentioned: if you're surfing the web as root and some malware runs on Linux, you just gave it root access to your box.

1clue
Advocate

Joined: 05 Feb 2006
Posts: 2569

Posted: Thu Aug 09, 2012 12:11 pm

Not sure what to say here. Back when I learned it, it seemed that almost anything in /sbin or /usr/sbin was in the 'wheel' group. Can't remember what distro, maybe redhat or slackware? That was about 15 years ago I think. Just did a quick google on it and current usage shows just the su command.

If wheel is just used on the su command it doesn't seem so bad, but still sudo gives a much finer control over special authority.

grunch
n00b

Joined: 09 Sep 2004
Posts: 8
Location: Wisconsin, USA

Posted: Thu Aug 09, 2012 1:39 pm

My understanding of group implementations on *nix, and specifically Gentoo's use of them is that group membership gives one the ability to perform certain tasks without other privilege escalation requirements. It has historically been applied to file access controls, and more recently to process permissions and somewhat to SELinux access controls.

I just ran the following
Code:
find /usr/bin /bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin -group wheel -ls
424010   48 -rwxr-x---   1 root     wheel       48264 Jan 20  2012 /usr/sbin/cron
423974   40 -rws--x---   1 root     wheel       39656 Jan 21  2012 /usr/sbin/tcptraceroute

and
Code:
sudo fgrep wheel /etc/sudoers
%wheel ALL=(ALL) ALL

From this, I believe that being in group 'wheel' gives a user the rights to run two commands (cron and tcptraceroute), and (in this case) run any command with root (or any other user's) privileges. Further, users in group 'wheel' will run tcptraceroute with root privileges. So if tcptraceroute has bugs that allow a user to break out of the normal execution path they may be able to do nasty things on my system. That's where SELinux would kick in and further restrict the user's actions.

And running this to find all set-group-id executables that are either owned by 'root' or in group 'root'
Code:
find /usr/bin /bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin -perm -g=s -ls | fgrep root

shows
Code:
822846  112 -r-xr-s--x   1 root     games      113288 Jan  9  2012 /usr/bin/gnotravex
822597  132 -r-xr-s--x   1 root     games      131584 Jan  9  2012 /usr/bin/mahjongg
792144  128 -r-xr-s--x   1 root     games      128128 Jan  9  2012 /usr/bin/glines
791929  176 -r-xr-s--x   1 root     games      177992 Jan  9  2012 /usr/bin/gnobots2
792324   20 -rwxr-s--x   1 root     mail        18720 Jan  9  2012 /usr/bin/dotlockfile
792140  160 -r-xr-s--x   1 root     games      161200 Jan  9  2012 /usr/bin/gnibbles
794000   16 -rwxr-s--x   1 root     tty         14592 Jul  9 20:30 /usr/bin/write
792139  124 -r-xr-s--x   1 root     games      124280 Jan  9  2012 /usr/bin/gnotski
786616   52 -r-xr-s--x   1 root     man         52936 Jan  9  2012 /usr/bin/man
791654  124 -r-xr-s--x   1 root     games      124728 Jan  9  2012 /usr/bin/gtali
786911   40 -rwx--s--x   1 root     locate      39352 Mar  3 20:59 /usr/bin/locate
792199   40 -rwxr-s--x   1 root     crontab     39992 Jan 20  2012 /usr/bin/crontab
792138  136 -r-xr-s--x   1 root     games      136320 Jan  9  2012 /usr/bin/gnomine
791925  152 -r-xr-s--x   1 root     games      155576 Jan  9  2012 /usr/bin/quadrapassel
396883   40 -rwx--s--x   1 root     ssmtp       39576 Jan  9  2012 /usr/sbin/ssmtp

From this I learned that none of my SGID executables will actually give a user root permissions.

There's much more to it than this, but I feel comfortable in reiterating that one's user ID should be in the groups for which one wants to run commands, and one should use sudo only as needed to perform tasks that require escalated privileges.

cwr
Veteran

Joined: 17 Dec 2005
Posts: 1969

Posted: Fri Aug 10, 2012 7:49 am

grunch wrote:
My understanding of group implementations on *nix, and specifically Gentoo's use of them is that group membership gives one the ability to perform certain tasks without other privilege escalation requirements. It has historically been applied to file access controls, and more recently to process permissions and somewhat to SELinux access controls.

I just ran the following
Code:
find /usr/bin /bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin -group wheel -ls
424010   48 -rwxr-x---   1 root     wheel       48264 Jan 20  2012 /usr/sbin/cron
423974   40 -rws--x---   1 root     wheel       39656 Jan 21  2012 /usr/sbin/tcptraceroute

and
Code:
sudo fgrep wheel /etc/sudoers
%wheel ALL=(ALL) ALL

From this, I believe that being in group 'wheel' gives a user the rights to run two commands (cron and tcptraceroute), and (in this case) run any command with root (or any other user's) privileges. Further, users in group 'wheel' will run tcptraceroute with root privileges. So if tcptraceroute has bugs that allow a user to break out of the normal execution path they may be able to do nasty things on my system. That's where SELinux would kick in and further restrict the user's actions.



No, cron isn't suid root, and tcptraceroute is, so cron will be run with the privileges of whoever starts it, and tcptraceroute will be run with root privileges whoever starts it.

wheel=ALL looks dodgy to me; I'd prefer not to give wheel effectively root privileges.

Will
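
Added example (not part of any post in this thread): the mode column of the listings above is what decides whose ID a program runs with, so this script classifies `find -ls` lines by their setuid/setgid bits and by who may execute them. The function names are illustrative, the sample lines are copied from the listings in the thread, and paths without spaces are assumed.

```shell
#!/bin/sh
# classify_ls: read `find ... -ls` output on stdin and print, per file,
#   <path> <ID change on exec> <who may execute>
classify_ls() {
    awk '
    {
        mode = $3; owner = $5; group = $6; path = $NF
        ubit = substr(mode, 4, 1)    # owner execute slot: x, s, S or -
        gbit = substr(mode, 7, 1)    # group execute slot: x, s, S or -
        obit = substr(mode, 10, 1)   # other execute slot: x, t, T or -

        gain = "none"
        # setuid: the process runs with the file owner as effective UID
        if (ubit == "s" || ubit == "S") gain = "euid=" owner
        # setgid: Linux honours it only when group execute is also set,
        # which ls shows as a lowercase s
        if (gbit == "s") gain = (gain == "none" ? "" : gain ",") "egid=" group

        who = "nobody"
        if (ubit == "x" || ubit == "s") who = "owner-only"
        if (gbit == "x" || gbit == "s") who = "group:" group
        if (obit == "x" || obit == "t") who = "anyone"

        print path, gain, who
    }'
}

# Sample input: four lines taken from the listings posted in the thread.
sample_listing() {
    cat <<'EOF'
424010   48 -rwxr-x---   1 root     wheel       48264 Jan 20  2012 /usr/sbin/cron
423974   40 -rws--x---   1 root     wheel       39656 Jan 21  2012 /usr/sbin/tcptraceroute
822597  132 -r-xr-s--x   1 root     games      131584 Jan  9  2012 /usr/bin/mahjongg
786911   40 -rwx--s--x   1 root     locate      39352 Mar  3 20:59 /usr/bin/locate
EOF
}

sample_listing | classify_ls
```

On a live system, pipe `find <dirs> -perm /6000 -ls` (GNU find) into `classify_ls` to cover both setuid and setgid files in one pass.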

cach0rr0
Bodhisattva

Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

Posted: Sat Aug 11, 2012 8:50 am

Odward wrote:

After installing Gentoo I ended up adding myself to the groups that cach0rr0 listed, with the exception of 'meat' as I'm not sure what that's about. I am in the habit of using su


Laughing at this way harder than I probably should. The downside of me posting late at night, I suppose. I meant to remove that to avoid confusion.
'meat' is my username :lol:

Code:

$ id
uid=1000(meat) gid=1000(meat) groups=1000(meat),10(wheel),18(audio),19(cdrom),27(video),35(games),80(cdrw),100(users),105(plugdev)

_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash

PaulBredbury
Watchman

Joined: 14 Jul 2005
Posts: 7310

Posted: Sat Aug 11, 2012 9:35 am    Post subject: Re: What type of account should I create if I'm the only use

kbzium wrote:
I must su - whenever I need something.

In ~/.bashrc
Code:
alias s='su -l'

And include in /etc/pam.d/su
Code:
# Uncomment the following line to implicitly trust users in the "wheel" group.
auth        sufficient  pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth        required    pam_wheel.so use_uid

Then just use s, without needing to enter a password.
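
Added example (not part of any post in this thread): the posts above disagree on what wheel membership grants, and the answer depends on the active lines in sudoers and /etc/pam.d/su, so this script reports them. `wheel_grants` and `demo` are illustrative names, the demo files are constructed from lines quoted in the thread, and PAM control fields are assumed to be simple keywords rather than bracketed expressions.

```shell
#!/bin/sh
# wheel_grants SUDOERS_FILE PAM_SU_FILE
# Print one finding per active (uncommented) line that gives group wheel
# extra rights through sudo or su.
wheel_grants() {
    sudoers=$1
    pam_su=$2
    # sudoers: rules whose user field is the group %wheel
    grep -E '^[[:space:]]*%wheel[[:space:]]' "$sudoers" 2>/dev/null |
    while read -r _who spec; do
        case $spec in
            *NOPASSWD*) echo "sudo: wheel rule, no password: $spec" ;;
            *)          echo "sudo: wheel rule, password required: $spec" ;;
        esac
    done
    # PAM: pam_wheel entries in the auth stack used by su
    grep -E '^[[:space:]]*auth[[:space:]].*pam_wheel\.so' "$pam_su" 2>/dev/null |
    while read -r _type control _module args; do
        case "$control $args" in
            sufficient*trust*) echo "su: wheel members become root with no password" ;;
            required*)         echo "su: only wheel members may use su" ;;
            *)                 echo "su: other pam_wheel rule: $control $args" ;;
        esac
    done
}

# Constructed demo files: a commented-out rule must be ignored, the rest
# are the lines quoted in the thread.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '# %wheel ALL=(ALL) NOPASSWD: ALL' \
                  '%wheel ALL=(ALL) ALL' > "$d/sudoers"
    printf '%s\n' \
        '# Uncomment the following line to implicitly trust users in the "wheel" group.' \
        'auth        sufficient  pam_wheel.so trust use_uid' \
        'auth        required    pam_wheel.so use_uid' > "$d/su"
    wheel_grants "$d/sudoers" "$d/su"
    rm -rf "$d"
}

demo
```

Run it as root against the real files, for example `wheel_grants /etc/sudoers /etc/pam.d/su`, and repeat for any files under /etc/sudoers.d.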