Re: user privileges

From: Matti Juhani Kurkela (Matti.Kurkela@hut.fi)
Date: 02/10/02


From: Matti Juhani Kurkela <Matti.Kurkela@hut.fi>
Date: 10 Feb 2002 22:45:04 +0200


"Melvin H" <whocares@no-spam.com> writes:

> i know it's not a good idea to run linux under the root account for normal
> stuff like web surfing, listening to music etc.... during the install of
> redhat 7.2 i created a user account for myself to use on a daily basis. so
> far i have just been su - and entering the root pass. in a term. window if
> i need to add a progie or run find / -name x.x.x. etc..

That's just as it should be. However, I don't think that you would
need root access for running "find / -something". Barring the other
users' home directories, in a default installation there should not be
too many directories that normal users can't read. Most of these are
used by some services (for example /var/spool/mqueue or some other
things under /var/spool). The files in those kinds of directories are
usually systematically named - so the filenames may resemble alphabet
soup and usually won't be interesting in random searches.

If there are accounts for other people on your computer and you're
taking a peek in their home directories, that's up to you. Even if
they're family members, I would think it would be polite to ask them
first.

> i just downloaded the music match install script for linux. i su - to root
> and executed the script it came up and said that installing as root might
> cause some problems so i logout of the su - (root) account and executed it
> with the normal user account. it started but would not install because i did
> not have write permissions.

You probably could have set up a place for installing the program in
advance. That needs to be done as root, but it doesn't need to be any
more elaborate than:
 $ su -
 # mkdir /opt/musicmatch (or wherever you want to install the
                             software)
 # chown chris: /opt/musicmatch (or whatever your username is)
 # exit

After this, you can probably run the install script and install the
software to /opt/musicmatch as a normal user. If the script wants to
add something to /usr/local/bin, you can use similar commands to
grant your normal user account write permissions to /usr/local/bin,
or make the changes manually as the root user after running the
installation script.

> i went back and ran the script in su - (root)
> anyway because i have always used it to install and it is the only account
> allowed to. it installed but now when i try to run the program (mmjb) it
> starts scrolling errors in the term. window and does not stop until i ctr.
> c. it never even tries to start. some error about /usr/local/bin.

It's hard to tell what went wrong without knowing the actual error messages.
 
> i thought i would run the linuxconf program and change the permissions for
> my normal user account. i logged out of normal user mode (completely out of my
> desktop.. back to basic system without x running) and logged in as
> root....started x...which also starts the ximian desktop and open a term
> window. i now started the linuxconf and did the following:
>
> i went to the normal users tab, found the account i use everyday (lets call
> it chris) named chris. changed his group to wheel and his user id is now
> 503. still on chris account i then went to the privilege tab and did the
> following.
> under the general system control tab i said to GRANT super-user equivalence.
> i also said to GRANT the may view system logs.
> so now i have changed chris to the group (wheel) gave his super-user
> equivalence, and the ability to view system logs. i choose to exit linux
> which said i need to sync the system and i choose do it now.

I think the "super-user equivalence" means more like "this user is allowed
to use su command" instead of "this user is always equivalent to
root".
The permission to read log files is probably arranged by making your
user account a member of a user group that is allowed to read the log files.
 
> i now exited the root account and restarted x under chris. i tried to add the
> program again, and once again it said i did not have write permissions. i
> tried to do a simple find / -name x.x.x (where x.x.x is the name or a file
> i know is on the system) and it starts but says permission denied. what
> gives? i have rebooted the system and still can not get it to work. how do i
> create an account that can add a progie?

By default, you can already add programs to the system as
"chris"... but only if you add the program to your home directory or
one of its subdirectories.

So the problem is not exactly "how to give the account 'chris' ability
to add programs" but more like "how to allow account 'chris' to add
programs somewhere else than his home directory".

The solution is to use "chown" and "chmod" commands to set the
ownership and access permissions of /opt and/or /usr/local/bin (or
some parts of them) so you can write to them as your normal user
account.

> like i said i know i am not supposed
> to run the system as root, but i really am getting tired of having to su -
> to root and start a program like netscape just to download
> something.

When you're saying "to download something", are you thinking of
downloading _and installing_ .rpm files? You can do the downloading as
a normal user, and you should get a something-x.x.xx.rpm file in your
home directory. Then you can use su to change to root and install the
.rpm packages using "rpm -ivh something-x.x.xx.rpm" or a similar
command. After that, the .rpm files have served their purpose and can
be archived off to a CD-R (or deleted, if you trust you can find the
same .rpms again if you ever need them).

If you can't download anything to your home directory as your normal
user account, there's something wrong with the access permissions of
your home directory.

> how
> can i add an account that will have some privileges like the find command and

You should be able to use the find command as is.

> being able to download and store something

Certainly, you just need to specify where it should be allowed and
make the necessary changes to access permissions and directory
ownerships. These changes must be done as root.

>and add an rpm

No. A .rpm package can normally add or change any files anywhere in
the system. Preventing unwanted changes to critical system files is
one of the main points of not using root account all the time.

However, there may be ways to make the temporary use of root
permissions easier. For example, you can say
  su -c "rpm -ivh somepackage-x.xx.xx.rpm"
as a normal user. It will ask the root password and start installing.
If you want, you can make this an alias or a script, so you can use
a simple command name of your own choosing instead of typing all that
every time.
For example, you could save this snippet as a file called "installrpm"
and give it execute permissions:

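  #!/bin/sh
  # Install the named .rpm packages as root; su prompts for the root password.
  # The arguments are re-parsed by root's shell, so use only plain file names.
  su -c "rpm -ivh $*"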

If you put that file in /usr/local/bin, you can simply type a command
like "installrpm package-1.22.33.rpm anotherpackage-0.2.1.rpm", type
the root password and the two packages mentioned will be installed.

Your Linux distribution may also have some GUI tools for handling the
RPM files. Those kinds of tools are developing so rapidly that it would be
hard to give any general instructions about their use. See the
documentation of your distribution.

>or executing a sh
> script without running as root?

Sure. If you can't execute a sh script as your normal user account,
something is broken.

However, if you're running a script as a normal user, the script
*cannot* do anything the user is not able to do manually.

>is it possible to do this without leaving my
> system open for attack? as you can see i am trying to learn unix so please
> help me as the book (unix in a nutshell) i bought does not help that much. i
> have never seen an app. that complained about being installed as root until
> i d/l music match.

Read O'Reilly's "Essential System Administration" by Æleen
Frisch. You can skip many parts of it, but the chapters that deal
with basic concepts like file access permissions are very helpful.

-- 
Matti.Kurkela@hut.fi    <URL: http://www.hut.fi/u/mkurkela/ > 
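
An added example, not part of the original message: a stricter variant of the "installrpm" wrapper above. Because su -c hands a single string to root's shell, it accepts only readable files named *.rpm and single-quotes each name before building that string; the helper names shquote and build_rpm_cmd are made up for this illustration.

```shell
#!/bin/sh
# Added example: a stricter take on the "installrpm" wrapper (not the poster's script).

# Wrap one argument in single quotes so root's shell sees it as a single word.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Print the command line for su -c, or return 1 if any argument is unacceptable.
build_rpm_cmd() {
    [ "$#" -gt 0 ] || { echo "usage: installrpm package.rpm ..." >&2; return 1; }
    cmd="rpm -ivh"
    for f in "$@"; do
        case "$f" in
            *.rpm) ;;
            *) echo "installrpm: not an .rpm file name: $f" >&2; return 1 ;;
        esac
        [ -f "$f" ] && [ -r "$f" ] || { echo "installrpm: cannot read: $f" >&2; return 1; }
        # A relative name gets ./ so a leading '-' is never taken as an rpm option.
        case "$f" in
            /*) ;;
            *) f="./$f" ;;
        esac
        cmd="$cmd $(shquote "$f")"
    done
    printf '%s\n' "$cmd"
}

# Build the command as the normal user, then ask su to run it as root.
installrpm() {
    cmd=$(build_rpm_cmd "$@") || return 1
    su -c "$cmd"
}

# Run only when called with arguments, e.g.: installrpm package-1.22.33.rpm
if [ "$#" -gt 0 ]; then installrpm "$@"; fi
```

Everything up to the su call runs as the normal user, so a rejected argument never reaches root's shell.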


