| View previous topic :: View next topic |
| Author |
Message |
Spanik
l33t
Joined: 12 Dec 2003
Posts: 942
Location: Belgium
|
 Posted: Sat Oct 11, 2014 12:53 pm Post subject: permissions and groups? |
 |
|
Until recently I always used a computer from the keyboard and screen on it as a single user. So switching to root to install something or even run something (I know...) wasn't an issue. I admit I never tought about groups and permissions or other admin tasks. But now I made a small system that I only want to access through the network from a windows pc.
I did the installation as root and created a user "remote_win", gave that user permissions to its home directory and made it member of the groups "wheel", "audio", "usb", "video". and "portage". Configured sshd to forward X and not allow root login.
Now I can connect to the box as user "remote_win", start graphical applications and use them. But whenever I want to do something a bit more than edit a .txt file in the home directory or read a .pdf in the /mnt/data it blocks saying that the command is not available or I do not have permission.
Things I'd like to do are:
- read /var/log/dmesg
- use fdisk -l to see if it found my usb stick
- mount a USB hd or stick
- emerge some applications I forgot to install
- use su
I tought that being member of "wheel" would permit usage of su and likewise that being member of "usb" and "wheel" would permit mounting a usb hard disc. Probably I forgot something or all this isn't as simple as it looks.
_________________
Expert in non-working solutions |
|
| Back to top |
|
 |
steveL
Watchman
Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery
|
| Posted: Mon Oct 13, 2014 8:25 am Post subject: |
|
|
Yeah there's other groups; here's what my admin-level user has:
| Code: | $ groups
adm tty disk wheel uucp cron audio cdrom dialout video games cdrw usb users portage |
wheel doesn't permit su; su simply takes a password for the user you're trying to switch to (unless you're already root.)
wheel is most often used in conjunction with sudo, so a wheel user can run: sudo cmd .. without a passwd. But in general it means "user trusted to administer" a bit like "admin" conventionally (not sure if "adm" is needed or I put it in, if I'm honest. Most of those are from when I installed.) |
|
| Back to top |
|
|
baaann
Guru
Joined: 23 Jan 2006
Posts: 558
Location: uk
|
| Posted: Mon Oct 13, 2014 2:12 pm Post subject: |
|
|
I think you need to add the "users" group
Here are mine
| Code: | | wheel audio cdrom video games usb users portage |
|
|
| Back to top |
|
|
Spanik
l33t
Joined: 12 Dec 2003
Posts: 942
Location: Belgium
|
| Posted: Wed Oct 15, 2014 6:19 pm Post subject: |
|
|
| steveL wrote: | | wheel doesn't permit su; su simply takes a password for the user you're trying to switch to (unless you're already root.) |
Would that explain why I cannot "su root" when logged in through ssh when ssh and sshd are configured to NOT allow root login?
| baaann wrote: | | I think you need to add the "users" group |
I assumed that any user created would be part of that group. After all I can access a partition mounted with access permitted for users.
Guess the easiest way out would be to install sudo?
_________________
Expert in non-working solutions
Last edited by Spanik on Tue Oct 28, 2014 7:17 pm; edited 1 time in total |
|
| Back to top |
|
|
steveL
Watchman
Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery
|
| Posted: Thu Oct 16, 2014 3:17 am Post subject: |
|
|
| Spanik wrote: | | steveL wrote: | | wheel doesn't permit su; su simply takes a password for the user you're trying to switch to (unless you're already root.) |
Would that explain why I cannot "su root" when logged in through ssh when ssh and sshd are configured to NOT allow root login? |
No, not to my knowledge, but could be wrong. You'd still need the root password, and there may be PAM interactions, or if you're really unlucky, polickysh1t.
ISTR people needed a bit of javascript(!) to allow wheel in the polickysh1t case.
| Quote: | | I assumed that any user created would be part of that group. After all I can access a partition mounted with access permitted for users. |
Don't assume; unless you know better, and with reason, please just do what we ask. The users group is pretty fundamental.
| Quote: | | Guess the easiest way out would be to install sudo? |
If you want to run any command as your user yes; you can also use sudo su - (note the dash) to switch to root.
See man visudo as well as man sudoers and man sudo once it's installed.
Note: nothing is stopping you using just su. You just need the password of the user you're trying to switch to, not your own.
BTW your quoting is broken: you need to put the person's "name" in double-quotes. |
|
| Back to top |
|
|
Spanik
l33t
Joined: 12 Dec 2003
Posts: 942
Location: Belgium
|
| Posted: Tue Oct 28, 2014 7:19 pm Post subject: |
|
|
OK, think I got it.
My created user is part of the "user" group. That wasn't the problem. And the rest was a wrong use of "su". So far it is PEBKAC.
_________________
Expert in non-working solutions |
|
| Back to top |
|
|
steveL
Watchman
Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery
|
| Posted: Wed Oct 29, 2014 7:46 am Post subject: |
|
|
| Spanik wrote: | | OK, think I got it. |
Excellent :-) |
|
| Back to top |
|
|
Spanik
l33t
Joined: 12 Dec 2003
Posts: 942
Location: Belgium
|
| Posted: Sat Nov 01, 2014 4:05 pm Post subject: |
|
|
Found a couple of other surprises as well... Apparently I did create both the user "remote_win" and "remote-win" and they didn't were part of the same groups and one of them didn't have its home directory. I'm cleaning the mess right now.
Surprise now is that I don't seem to be able to start kdm as normal user (says only root wants to run kdm) and it refuses to run fdisk as normal user (guess I'll have to belong to the sys group for that). Oh well, learning each day 
_________________
Expert in non-working solutions |
|
| Back to top |
|
|
AaylaSecura
Tux's lil' helper
Joined: 09 Jun 2011
Posts: 122
|
| Posted: Sat Nov 01, 2014 6:55 pm Post subject: |
|
|
I don't know which of the original problems you've managed to solve, but:
1) I am not 100% sure about the difference is between the output of dmesg (which can be executed by any user) and the contents of /var/log/dmesg (which for unknown to me reason can only be read by root) - on my system /var/log/dmesg contains messages from earlier than what dmesg outputs, but that maybe because dmesg just reads a buffer of limited size and new information going there causes old one to be dropped; at the same time, /var/log/dmesg stops being written to soon after boot, so it's 'out of date' so to say; I don't know why you need to read the file instead of the output of dmesg, but I guess you can either change the permissions or owner group of the file (e.g. chown root:wheel or chmod 644) OR you can allow your user to execute sudo less /var/log/dmesg by adding
remote_win ALL=(root) NOPASSWD: /usr/bin/less /var/log/dmesg to sudoers
2) add remote_win ALL=(root) NOPASSWD: /sbin/fdisk -l to sudoers and make sure your user has permissions to read the device (i.e. the group owning the device is one of the groups your user is in; the permissions and owner of the device can be changed by a udev rule, assuming you use udev)
3) again, make sure your user has permission to read and write to the device, has read and write permissions to the mount point defined in /etc/fstab (or the mount point you specify if using fusermount)
4) I think it's best to do that as root once you 'su'
5) who can su is controlled by PAM, and more specifically what's in /etc/pam.d/su; mine reads:
auth sufficient pam_rootok.so
auth required pam_wheel.so use_uid
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
session required pam_env.so
session optional pam_xauth.so
so users in the wheel group CAN su (2nd line)
also, it does not matter what sshd's configuration is - it simply means you cannot log in to root straight away (with ssh root@host); once you're logged in as your user you can su root if PAM allows you to
6) as for kdm: what's the point of running the login manager once you're logged in on the console; just start a KDE session manually |
|
| Back to top |
|
|
steveL
Watchman
Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery
|
| Posted: Sun Nov 02, 2014 12:25 pm Post subject: |
|
|
Nice post AaylaSecura; good to see examples of the various configs.
As for kdm, it's easiest to have that started via the xdm service (which starts any DM you like.)
/etc/conf.d/xdm: | Code: | # What display manager do you use ? [ xdm | gdm | kdm | gpe | entrance ]
# NOTE: If this is set in /etc/rc.conf, that setting will override this one.
DISPLAYMANAGER="kdm" |
Set it up with: | Code: | | rc-update add xdm default nonetwork |
|
|
| Back to top |
|
|
AaylaSecura
Tux's lil' helper
Joined: 09 Jun 2011
Posts: 122
|
| Posted: Sun Nov 02, 2014 2:55 pm Post subject: |
|
|
| steveL wrote: | Nice post AaylaSecura; good to see examples of the various configs.
As for kdm, it's easiest to have that started via the xdm service (which starts any DM you like.) |
Glad to be of help!
I may have misunderstood, but doesn't Spanik want to start KDE after he's logged onto the machine remotely via ssh and forward the X session? If that's the case, starting kdm locally on the machine automatically after boot won't affect his ssh session, and it would also force any user using the machine locally to use kdm. |
|
| Back to top |
|
|
steveL
Watchman
Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery
|
| Posted: Mon Nov 03, 2014 11:16 am Post subject: |
|
|
| AaylaSecura wrote: | | I may have misunderstood, but doesn't Spanik want to start KDE after he's logged onto the machine remotely via ssh and forward the X session? If that's the case, starting kdm locally on the machine automatically after boot won't affect his ssh session, and it would also force any user using the machine locally to use kdm. |
Doh, I missed that, my bad. |
|
| Back to top |
|
|
|
Other Things Gentoo
