Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
permissions and groups?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Other Things Gentoo
View previous topic :: View next topic  
Author Message
Spanik
Guru
Guru


Joined: 12 Dec 2003
Posts: 342
Location: Belgium

PostPosted: Sat Oct 11, 2014 12:53 pm    Post subject: permissions and groups? Reply with quote

Until recently I always used a computer from the keyboard and screen on it as a single user. So switching to root to install something or even run something (I know...) wasn't an issue. I admit I never tought about groups and permissions or other admin tasks. But now I made a small system that I only want to access through the network from a windows pc.

I did the installation as root and created a user "remote_win", gave that user permissions to its home directory and made it member of the groups "wheel", "audio", "usb", "video". and "portage". Configured sshd to forward X and not allow root login.

Now I can connect to the box as user "remote_win", start graphical applications and use them. But whenever I want to do something a bit more than edit a .txt file in the home directory or read a .pdf in the /mnt/data it blocks saying that the command is not available or I do not have permission.

Things I'd like to do are:
- read /var/log/dmesg
- use fdisk -l to see if it found my usb stick
- mount a USB hd or stick
- emerge some applications I forgot to install
- use su

I tought that being member of "wheel" would permit usage of su and likewise that being member of "usb" and "wheel" would permit mounting a usb hard disc. Probably I forgot something or all this isn't as simple as it looks.
_________________
Expert in non-working solutions
Back to top
View user's profile Send private message
steveL
Advocate
Advocate


Joined: 13 Sep 2006
Posts: 3043
Location: The Peanut Gallery

PostPosted: Mon Oct 13, 2014 8:25 am    Post subject: Reply with quote

Yeah there's other groups; here's what my admin-level user has:
Code:
$ groups                                                                                                       
adm tty disk wheel uucp cron audio cdrom dialout video games cdrw usb users portage

wheel doesn't permit su; su simply takes a password for the user you're trying to switch to (unless you're already root.)

wheel is most often used in conjunction with sudo, so a wheel user can run: sudo cmd .. without a passwd. But in general it means "user trusted to administer" a bit like "admin" conventionally (not sure if "adm" is needed or I put it in, if I'm honest. Most of those are from when I installed.)
Back to top
View user's profile Send private message
baaann
Guru
Guru


Joined: 23 Jan 2006
Posts: 499
Location: uk

PostPosted: Mon Oct 13, 2014 2:12 pm    Post subject: Reply with quote

I think you need to add the "users" group
Here are mine
Code:
wheel audio cdrom video games usb users portage
Back to top
View user's profile Send private message
Spanik
Guru
Guru


Joined: 12 Dec 2003
Posts: 342
Location: Belgium

PostPosted: Wed Oct 15, 2014 6:19 pm    Post subject: Reply with quote

steveL wrote:
wheel doesn't permit su; su simply takes a password for the user you're trying to switch to (unless you're already root.)


Would that explain why I cannot "su root" when logged in through ssh when ssh and sshd are configured to NOT allow root login?

baaann wrote:
I think you need to add the "users" group


I assumed that any user created would be part of that group. After all I can access a partition mounted with access permitted for users.

Guess the easiest way out would be to install sudo?
_________________
Expert in non-working solutions


Last edited by Spanik on Tue Oct 28, 2014 7:17 pm; edited 1 time in total
Back to top
View user's profile Send private message
steveL
Advocate
Advocate


Joined: 13 Sep 2006
Posts: 3043
Location: The Peanut Gallery

PostPosted: Thu Oct 16, 2014 3:17 am    Post subject: Reply with quote

Spanik wrote:
steveL wrote:
wheel doesn't permit su; su simply takes a password for the user you're trying to switch to (unless you're already root.)

Would that explain why I cannot "su root" when logged in through ssh when ssh and sshd are configured to NOT allow root login?

No, not to my knowledge, but could be wrong. You'd still need the root password, and there may be PAM interactions, or if you're really unlucky, polickysh1t.

ISTR people needed a bit of javascript(!) to allow wheel in the polickysh1t case.
Quote:
I assumed that any user created would be part of that group. After all I can access a partition mounted with access permitted for users.

Don't assume; unless you know better, and with reason, please just do what we ask. The users group is pretty fundamental.

Quote:
Guess the easiest way out would be to install sudo?

If you want to run any command as your user yes; you can also use sudo su - (note the dash) to switch to root.

See man visudo as well as man sudoers and man sudo once it's installed.

Note: nothing is stopping you using just su. You just need the password of the user you're trying to switch to, not your own.

BTW your quoting is broken: you need to put the person's "name" in double-quotes.
Back to top
View user's profile Send private message
Spanik
Guru
Guru


Joined: 12 Dec 2003
Posts: 342
Location: Belgium

PostPosted: Tue Oct 28, 2014 7:19 pm    Post subject: Reply with quote

OK, think I got it.

My created user is part of the "user" group. That wasn't the problem. And the rest was a wrong use of "su". So far it is PEBKAC.
_________________
Expert in non-working solutions
Back to top
View user's profile Send private message
steveL
Advocate
Advocate


Joined: 13 Sep 2006
Posts: 3043
Location: The Peanut Gallery

PostPosted: Wed Oct 29, 2014 7:46 am    Post subject: Reply with quote

Spanik wrote:
OK, think I got it.

Excellent :-)
Back to top
View user's profile Send private message
Spanik
Guru
Guru


Joined: 12 Dec 2003
Posts: 342
Location: Belgium

PostPosted: Sat Nov 01, 2014 4:05 pm    Post subject: Reply with quote

Found a couple of other surprises as well... Apparently I did create both the user "remote_win" and "remote-win" and they didn't were part of the same groups and one of them didn't have its home directory. I'm cleaning the mess right now.

Surprise now is that I don't seem to be able to start kdm as normal user (says only root wants to run kdm) and it refuses to run fdisk as normal user (guess I'll have to belong to the sys group for that). Oh well, learning each day :D
_________________
Expert in non-working solutions
Back to top
View user's profile Send private message
AaylaSecura
Tux's lil' helper
Tux's lil' helper


Joined: 09 Jun 2011
Posts: 75
Location: Coruscant

PostPosted: Sat Nov 01, 2014 6:55 pm    Post subject: Reply with quote

I don't know which of the original problems you've managed to solve, but:

1) I am not 100% sure about the difference is between the output of dmesg (which can be executed by any user) and the contents of /var/log/dmesg (which for unknown to me reason can only be read by root) - on my system /var/log/dmesg contains messages from earlier than what dmesg outputs, but that maybe because dmesg just reads a buffer of limited size and new information going there causes old one to be dropped; at the same time, /var/log/dmesg stops being written to soon after boot, so it's 'out of date' so to say; I don't know why you need to read the file instead of the output of dmesg, but I guess you can either change the permissions or owner group of the file (e.g. chown root:wheel or chmod 644) OR you can allow your user to execute sudo less /var/log/dmesg by adding
remote_win ALL=(root) NOPASSWD: /usr/bin/less /var/log/dmesg to sudoers
2) add remote_win ALL=(root) NOPASSWD: /sbin/fdisk -l to sudoers and make sure your user has permissions to read the device (i.e. the group owning the device is one of the groups your user is in; the permissions and owner of the device can be changed by a udev rule, assuming you use udev)
3) again, make sure your user has permission to read and write to the device, has read and write permissions to the mount point defined in /etc/fstab (or the mount point you specify if using fusermount)
4) I think it's best to do that as root once you 'su'
5) who can su is controlled by PAM, and more specifically what's in /etc/pam.d/su; mine reads:
auth sufficient pam_rootok.so
auth required pam_wheel.so use_uid
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
session required pam_env.so
session optional pam_xauth.so
so users in the wheel group CAN su (2nd line)
also, it does not matter what sshd's configuration is - it simply means you cannot log in to root straight away (with ssh root@host); once you're logged in as your user you can su root if PAM allows you to
6) as for kdm: what's the point of running the login manager once you're logged in on the console; just start a KDE session manually
Back to top
View user's profile Send private message
steveL
Advocate
Advocate


Joined: 13 Sep 2006
Posts: 3043
Location: The Peanut Gallery

PostPosted: Sun Nov 02, 2014 12:25 pm    Post subject: Reply with quote

Nice post AaylaSecura; good to see examples of the various configs.

As for kdm, it's easiest to have that started via the xdm service (which starts any DM you like.)
/etc/conf.d/xdm:
Code:
# What display manager do you use ?  [ xdm | gdm | kdm | gpe | entrance ]
# NOTE: If this is set in /etc/rc.conf, that setting will override this one.
DISPLAYMANAGER="kdm"

Set it up with:
Code:
rc-update add xdm default nonetwork
Back to top
View user's profile Send private message
AaylaSecura
Tux's lil' helper
Tux's lil' helper


Joined: 09 Jun 2011
Posts: 75
Location: Coruscant

PostPosted: Sun Nov 02, 2014 2:55 pm    Post subject: Reply with quote

steveL wrote:
Nice post AaylaSecura; good to see examples of the various configs.

As for kdm, it's easiest to have that started via the xdm service (which starts any DM you like.)

Glad to be of help!
I may have misunderstood, but doesn't Spanik want to start KDE after he's logged onto the machine remotely via ssh and forward the X session? If that's the case, starting kdm locally on the machine automatically after boot won't affect his ssh session, and it would also force any user using the machine locally to use kdm.
Back to top
View user's profile Send private message
steveL
Advocate
Advocate


Joined: 13 Sep 2006
Posts: 3043
Location: The Peanut Gallery

PostPosted: Mon Nov 03, 2014 11:16 am    Post subject: Reply with quote

AaylaSecura wrote:
I may have misunderstood, but doesn't Spanik want to start KDE after he's logged onto the machine remotely via ssh and forward the X session? If that's the case, starting kdm locally on the machine automatically after boot won't affect his ssh session, and it would also force any user using the machine locally to use kdm.

Doh, I missed that, my bad.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Other Things Gentoo All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum