kbzium Tux's lil' helper
Joined: 31 Jul 2012 Posts: 146
Posted: Mon Aug 06, 2012 8:17 pm Post subject: What type of account should I create if I'm the only user
Hello,
I know that being root all the time may cause problems (you can do something terribly wrong by mistake). But not having any rights makes me mad, as I must su - whenever I need something. So what's the best configuration for you? What privileges should I add to my normal account? Wheel only? And what for sound? What about groups?
Thanks!
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54234 Location: 56N 3W
Posted: Mon Aug 06, 2012 8:50 pm
kbzium,
Use root only when you need to. Use a normal user whenever you can.
You do not need to use su - to get root when you only need it for a few commands.
Now you can prefix root commands with sudo, as in
Code:
sudo fdisk -l /dev/sda
It's up to you if you make it ask for a password or not. If you do, it has a timeout so you don't have to enter the password for every command.
If you use passwords, it wants your normal user password, not root's.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
cwr Veteran
Joined: 17 Dec 2005 Posts: 1969
Posted: Wed Aug 08, 2012 4:41 pm
I really wouldn't run as root if I were you - it's far too easy to blow stuff
away. Use sudo, as Neddy suggests, and give yourself wheel privileges.
(There are a couple of other groups you might want to belong to, but I
can't recall them - they will become apparent in normal use.)
Will
cach0rr0 Bodhisattva
Joined: 13 Nov 2008 Posts: 4123 Location: Houston, Republic of Texas
Posted: Wed Aug 08, 2012 10:25 pm
add a normal user, then put yourself into these groups once you get to the point where you've installed X
Code:
wheel audio cdrom video games cdrw users plugdev meat
this should be more than sufficient. My install is a few years old now and I have not needed to add my main account to any more groups.
if I really want to do a ton of administrative stuff?
sudo su -
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash
grunch n00b
Joined: 09 Sep 2004 Posts: 8 Location: Wisconsin, USA
Posted: Wed Aug 08, 2012 10:53 pm
cwr wrote:
    I really wouldn't run as root if I were you - it's far too easy to blow stuff
    away. Use sudo, as Neddy suggests, and give yourself wheel privileges.
    (There are a couple of other groups you might want to belong to, but I
    can't recall them - they will become apparent in normal use.)
    Will
I'll be the third to suggest using sudo(8). I use it so much that I sometimes (though rarely) find myself using it when I don't need escalated privileges (bad habit).
Here's the list of groups for which my user ID is a member:
Code:
0(root), 4(adm), 7(lp), 9(kmem), 14(uucp), 18(audio), 19(cdrom), 27(video), 35(games), 60(mysql), 80(cdrw), 81(apache), 85(usb), 100(users), 103(crontab), 106(lpadmin), 250(portage), 980(vboxusers), 981(rtkit), 983(pulse-access), 985(tcpdump), 987(kvm), 988(qemu), 989(kismet), 994(wireshark), 995(realtime), 996(scanner), 997(plugdev)
I'm certain I don't need to be in all these groups ...
Obviously, your group numbers may be different, so use the names, not the group numbers, if you choose to add your user ID to any of these on your system.
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
Posted: Wed Aug 08, 2012 11:32 pm
I used to put myself on as wheel first thing after every install.
Seriously, that's bad. Anything you do, you're running it with escalated privileges and that means if you get some sort of malware that's what the malware gets too. Ask me how I know.
Right now my sole tool of convenience is sudo, and even that requires my insanely complicated password when I use it. It's easy enough to become root if you have to, but frankly there's not even a real reason to run a service as root most of the time.
What could you possibly be doing every day that needs special access? If your normal user needs special access, then IMO that means you're doing something wrong. You should be able to run your system with unmodified permissions most of the time and do whatever you need to do without more authority than a default user gets.
Odward n00b
Joined: 21 Mar 2012 Posts: 65
Posted: Thu Aug 09, 2012 5:12 am
1clue wrote:
    I used to put myself on as wheel first thing after every install.
    Seriously, that's bad. Anything you do, you're running it with escalated privileges and that means if you get some sort of malware that's what the malware gets too. Ask me how I know.
Am I misunderstanding your statement, or am I misunderstanding wheel? I thought the wheel group only gave you the ability to su on that account, not 'anything you do is escalated.'
Unless you meant that you normally would su first and then proceed to daily use of your system.
After installing Gentoo I ended up adding myself to the groups that cach0rr0 listed, with the exception of 'meat' as I'm not sure what that's about. I am in the habit of using su on the command line when something requires permissions, although perhaps sudo is better suited to the task. I have given myself the ability to use sudo for a few commands, but pretty minimal so far.
To the OP I can agree with cach0rr0's suggestions for groups as it's been sufficient for me, although I understand your needs may differ significantly. I su mostly for emerges and some config edits, but neither of those is a daily task. If you can't stand to utilize su or sudo 'ever' I don't know what to suggest =) But besides all the wrong you can do with a single mistake as root, the same is true for what 1clue mentioned: if you're surfing the web as root and some malware runs on Linux, you just gave it root access to your box.
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
Posted: Thu Aug 09, 2012 12:11 pm
Not sure what to say here. Back when I learned it, it seemed that almost anything in /sbin or /usr/sbin was in the 'wheel' group. Can't remember what distro, maybe redhat or slackware? That was about 15 years ago I think. Just did a quick google on it and current usage shows just the su command.
If wheel is just used on the su command it doesn't seem so bad, but still sudo gives a much finer control over special authority.
grunch n00b
Joined: 09 Sep 2004 Posts: 8 Location: Wisconsin, USA
Posted: Thu Aug 09, 2012 1:39 pm
My understanding of group implementations on *nix, and specifically Gentoo's use of them, is that group membership gives one the ability to perform certain tasks without other privilege escalation requirements. It has historically been applied to file access controls, and more recently to process permissions and somewhat to SELinux access controls.
I just ran the following
Code:
find /usr/bin /bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin -group wheel -ls
424010 48 -rwxr-x--- 1 root wheel 48264 Jan 20 2012 /usr/sbin/cron
423974 40 -rws--x--- 1 root wheel 39656 Jan 21 2012 /usr/sbin/tcptraceroute
and
Code:
sudo fgrep wheel /etc/sudoers
%wheel ALL=(ALL) ALL
From this, I believe that being in group 'wheel' gives a user the rights to run two commands (cron and tcptraceroute), and (in this case) run any command with root (or any other user's) privileges. Further, users in group 'wheel' will run tcptraceroute with root privileges. So if tcptraceroute has bugs that allow a user to break out of the normal execution path, they may be able to do nasty things on my system. That's where SELinux would kick in and further restrict the user's actions.
And running this to find all set-group-id executables that are either owned by 'root' or in group 'root'
Code:
find /usr/bin /bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin -perm -g=s -ls | fgrep root
shows
Code:
822846 112 -r-xr-s--x 1 root games 113288 Jan 9 2012 /usr/bin/gnotravex
822597 132 -r-xr-s--x 1 root games 131584 Jan 9 2012 /usr/bin/mahjongg
792144 128 -r-xr-s--x 1 root games 128128 Jan 9 2012 /usr/bin/glines
791929 176 -r-xr-s--x 1 root games 177992 Jan 9 2012 /usr/bin/gnobots2
792324 20 -rwxr-s--x 1 root mail 18720 Jan 9 2012 /usr/bin/dotlockfile
792140 160 -r-xr-s--x 1 root games 161200 Jan 9 2012 /usr/bin/gnibbles
794000 16 -rwxr-s--x 1 root tty 14592 Jul 9 20:30 /usr/bin/write
792139 124 -r-xr-s--x 1 root games 124280 Jan 9 2012 /usr/bin/gnotski
786616 52 -r-xr-s--x 1 root man 52936 Jan 9 2012 /usr/bin/man
791654 124 -r-xr-s--x 1 root games 124728 Jan 9 2012 /usr/bin/gtali
786911 40 -rwx--s--x 1 root locate 39352 Mar 3 20:59 /usr/bin/locate
792199 40 -rwxr-s--x 1 root crontab 39992 Jan 20 2012 /usr/bin/crontab
792138 136 -r-xr-s--x 1 root games 136320 Jan 9 2012 /usr/bin/gnomine
791925 152 -r-xr-s--x 1 root games 155576 Jan 9 2012 /usr/bin/quadrapassel
396883 40 -rwx--s--x 1 root ssmtp 39576 Jan 9 2012 /usr/sbin/ssmtp
From this I learned that none of my SGID executables will actually give a user root permissions.
There's much more to it than this, but I feel comfortable in reiterating that one's user ID should be in the groups for which one wants to run commands, and one should use sudo only as needed to perform tasks that require escalated privileges.
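An added example, not posted by grunch or anyone else in this thread: it reads `find ... -ls` listings like the ones above and states what running each file grants (group-restricted execution, setuid to the owner, setgid to the group), then singles out the case cwr's reply is about, a setuid-root file that only one group may execute. The sample lines are copied from the output posted above.

```shell
#!/bin/sh
# Added example, not from the thread: classify lines of `find ... -ls` output
# (the format in the listings above) by what running each file grants.
# Fields in -ls output: inode blocks mode links owner group size month day year path.

classify_ls() {
  awk '
  {
    mode = $3; owner = $5; group = $6; path = $NF
    ux = substr(mode, 4, 1)      # user execute bit: x, s (setuid+exec) or S
    gx = substr(mode, 7, 1)      # group execute bit: x, s (setgid+exec) or S
    ox = substr(mode, 10, 1)     # other execute bit
    if (ox == "-" && gx != "-")
      verdict = "restricted to group " group
    else
      verdict = "executable by anyone"
    if (ux == "s" || ux == "S") {
      tag = (owner == "root") ? " (ROOT)" : ""
      verdict = verdict "; runs as user " owner tag
    }
    if (gx == "s" || gx == "S")
      verdict = verdict "; runs with group " group
    print path ": " verdict
  }'
}

# Print "group path" for every setuid-root file that only one group may execute:
# membership in that group is effectively a path to root (the tcptraceroute
# case discussed above).
root_via_group() {
  awk '$5 == "root" && substr($3, 4, 1) ~ /[sS]/ &&
       substr($3, 10, 1) == "-" && substr($3, 7, 1) != "-" { print $6, $NF }'
}

# Constructed sample: three lines copied from the listings posted in this thread.
SAMPLE='423974 40 -rws--x--- 1 root wheel 39656 Jan 21 2012 /usr/sbin/tcptraceroute
424010 48 -rwxr-x--- 1 root wheel 48264 Jan 20 2012 /usr/sbin/cron
822597 132 -r-xr-s--x 1 root games 131584 Jan 9 2012 /usr/bin/mahjongg'

printf '%s\n' "$SAMPLE" | classify_ls
printf '%s\n' "$SAMPLE" | root_via_group
# On a live system (GNU find):
#   find /bin /sbin /usr/bin /usr/sbin -type f -perm /6000 -ls | classify_ls
```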
cwr Veteran
Joined: 17 Dec 2005 Posts: 1969
Posted: Fri Aug 10, 2012 7:49 am
grunch wrote:
    My understanding of group implementations on *nix, and specifically Gentoo's use of them, is that group membership gives one the ability to perform certain tasks without other privilege escalation requirements. It has historically been applied to file access controls, and more recently to process permissions and somewhat to SELinux access controls.
    I just ran the following
    Code:
    find /usr/bin /bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin -group wheel -ls
    424010 48 -rwxr-x--- 1 root wheel 48264 Jan 20 2012 /usr/sbin/cron
    423974 40 -rws--x--- 1 root wheel 39656 Jan 21 2012 /usr/sbin/tcptraceroute
    and
    Code:
    sudo fgrep wheel /etc/sudoers
    %wheel ALL=(ALL) ALL
    From this, I believe that being in group 'wheel' gives a user the rights to run two commands (cron and tcptraceroute), and (in this case) run any command with root (or any other user's) privileges. Further, users in group 'wheel' will run tcptraceroute with root privileges. So if tcptraceroute has bugs that allow a user to break out of the normal execution path, they may be able to do nasty things on my system. That's where SELinux would kick in and further restrict the user's actions.
No, cron isn't suid root, and tcptraceroute is, so cron will be run with the privileges of whoever starts it, and tcptraceroute will be run with root privileges whoever starts it.
wheel=ALL looks dodgy to me; I'd prefer not to give wheel effectively root privileges.
Will
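An added example, not from any poster in this thread, for the point cwr and 1clue make above about `%wheel ALL=(ALL) ALL` versus finer-grained sudo grants: it scans sudoers text for blanket ALL grants and for NOPASSWD grants. The sample policy is constructed; the user names are the ones that appear in this thread and the command paths are assumed.

```shell
#!/bin/sh
# Added example, not from the thread: flag sudoers grants that hand out
# unrestricted root ("... ALL=(ALL) ALL", the line cwr calls dodgy above)
# and grants that skip the password prompt. Reads sudoers text on stdin.
# Limitations: ignores @include/#include directives and backslash continuations.
audit_sudoers() {
  awk '
  /^[ \t]*(#|$)/ { next }                         # comments and blank lines
  /^[ \t]*(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)/ { next }
  {
    who = $1
    cmds = $0
    sub(/^[^=]*=[ \t]*/, "", cmds)                 # drop "user host=" prefix
    gsub(/\([^)]*\)/, "", cmds)                    # drop runas specs like (ALL)
    nopw = (cmds ~ /NOPASSWD:/)
    gsub(/[A-Z]+:/, "", cmds)                      # drop tags: NOPASSWD:, NOEXEC:, ...
    n = split(cmds, c, ",")
    for (i = 1; i <= n; i++) {
      gsub(/^[ \t]+|[ \t]+$/, "", c[i])
      if (c[i] == "ALL")
        print who ": may run ANY command: " $0
    }
    if (nopw)
      print who ": runs without a password prompt: " $0
  }'
}

# Constructed sample policy (not any poster's real /etc/sudoers). The last
# line is the least-privilege shape: named commands only, no blanket ALL.
SAMPLE_SUDOERS='# constructed sample
Defaults timestamp_timeout=5
%wheel ALL=(ALL) ALL
meat ALL=(ALL) NOPASSWD: ALL
kbzium ALL=(root) /usr/bin/emerge, /sbin/fdisk -l /dev/sda'

printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
# On a live system:  sudo cat /etc/sudoers | audit_sudoers
# Always edit the real file with visudo, which syntax-checks before saving.
```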
cach0rr0 Bodhisattva
Joined: 13 Nov 2008 Posts: 4123 Location: Houston, Republic of Texas
Posted: Sat Aug 11, 2012 8:50 am
Odward wrote:
    After installing Gentoo I ended up adding myself to the groups that cach0rr0 listed, with the exception of 'meat' as I'm not sure what that's about. I am in the habit of using su
laughing at this way harder than I probably should. The down side of me posting late at night, I suppose. I meant to remove that to avoid confusion.
'meat' is my username
Code:
$ id
uid=1000(meat) gid=1000(meat) groups=1000(meat),10(wheel),18(audio),19(cdrom),27(video),35(games),80(cdrw),100(users),105(plugdev)
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Sat Aug 11, 2012 9:35 am Post subject: Re: What type of account should I create if I'm the only use
kbzium wrote:
    I must su - whenever I need something.
In ~/.bashrc
And include in /etc/pam.d/su
Code:
# Uncomment the following line to implicitly trust users in the "wheel" group.
auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid
Then just use s, without needing to enter a password.