[Techtalk] Group Permission Security Question

TechChiq techchiq at hotpop.com
Sun Oct 19 22:11:42 EST 2003


(I'm replying in full quote here because unfortunately, Evolution is
sending my posts to each person that posted, and not to the whole group,
so I need to remember to set the TO field back to the group. :)

On Sun, 2003-10-19 at 03:16, Telsa Gwynne wrote:
> On Sat, Oct 18, 2003 at 02:46:47PM -0400 or thereabouts, TechChiq wrote:
> > On Sat, 2003-10-18 at 05:47, Telsa Gwynne wrote:
> > 
> > > The way I'd do it is with a different package, and the package
> > > in question is shipped by just about every distro these days. The
> > > package is "sudo". 
> > 
> > Thank you for the info on this. It's something I was looking for!
> 
> :) 
> 
> > Especially trying to get Kppp to run without needing to run it as root
> > and give it a password. I prefer KDE 3.1 so I use the Users and Groups
> > config (lets me add/change user's parameters, expiry, etc. and also it
> > lets me determine what groups a user belongs to, what the primary group
> > for any user is, etc.) I would like some way to determine only certain
> > commands can be used by certain users. I think Sudo might help? I want
> > to do certain things without having to enter a password all the time, or
> > go into a root terminal and enter a password. So far, I found a way
> > (don't remember even!) to mount and unmount CDs as a user. But I want to
> > be able to edit things like fstab, automount files, and other configs if
> > I need to, delete or change files as I need to, and not have to keep
> > typing in a password. But since I use the internet via 56K dial-up I also
> 
> You might want to resend the whole of this mail to techtalk. It
> came to just me (that's the default for replying to mail on the
> list). And I am not sure whether some of what you want is doable
> or not. But there is bound to be someone on the list who knows. 

Thanks for alerting me to this. I hope it is working better this time.
:)

> > don't want some cracker-pot coming in here and having a field day
> > either. Or someone clever making a virus. That's what I like about
> > Linux's permission scheme though. Makes things hard to do much damage
> > unless the program is super user or something. But it makes it hard for
> > a power-user to use stuff. Maybe they should have had a "power-user"
> > automatically configured as well... :)
> > 
> > > $ EDITOR=joe visudo  (for example)
> > 
> > Or I just right click on a file in Konqueror and go edit it with the
> > kedit program. ;)
> 
> Um, no, that's what sudo is designed to avoid. You can edit it
> with any editor. But only using visudo will make sure that you
> leave it as a usable file. 

Oh, ok. That's one thing I want to be able to do (and can't with my
current setup) - edit config files using my normal user account, and not
have to pop a root term, enter a password and try to edit the file. More
work that way. :( But then, maybe much more secure though.

> > > You can just create him as a normal user. Normal users can only
> > > delete their own files and files which are world-writable: there
> > > should not be many of those. They can only _create_ their own 
> > > files in $HOME (which is shorthand for their home directory) and 
> > > in /tmp. 
> > 
> > I also thought of another thing... locking out the root and home dirs to
> > him so that the ONLY dir he can actually navigate to and read/write from
> > would be his own dir. 
> 
> $HOME -- /home/boyfriendname -- ~boyfriendname: those three are
> all shorthand for his home directory. No user can scribble in 
> another's home directory by default. They have to explicitly
> change things to allow other people even to read things in their
> directory.
> 
> You don't want to go down this road: it's a lot harder to do
> than you think, because in Linux, users have to be able to read
> files from all over the system. It's just that they can't read
> other people's private files, and they can't write/edit files
> anywhere other than their own directory and parts of /tmp.

Ok, I see what you're saying. As long as he can't screw up the rest of
the system by accident I guess that would be ok after all.

> > that way so I like the KDE stuff too. But sometimes things are just
> > easier at the command line. :) Heck I can type faster than I can click a
> > kazillion menus sometimes. LOL!
> 
> Nod nod.
> 
> > > What a useful thing to put in your .sig :)
> > 
> > I saw someone putting their linux counter in their sig, and I think
> > their kernel version. Thought it was a good idea. Saves retyping. :) The
> > distro I use is not all that well known. CheapBytes.com sells it (6-CD
> > set of Pink Tie 9) for $12.99. They do sell the "true" RH9 but it's
> > kinda expensive for me. So I put RH9 in there so others would know what
> > the heck I have. :) There are a bunch of differences though, I'm sure.
> > Just not exactly sure what. I would think that RH9 would have a better
> > and more sophisticated package manager, for instance.
> 
> No. I think they'll be exactly the same. I have RH 9 here. It
> uses rpm as the package manager; and it is rpm version 4.2. What
> will be different is that you will have something different in
> /etc/redhat-release and that you will not have the package called
> redhat-artwork or redhat-logos or something like that. That 
> contains their trademarked logos which they have to "protect"
> according to US law. So only RH can sell a distro with those
> pictures in it. Other people can take that package out, put a
> new set of pictures in, and resell the result, though.
> 
> Telsa

What I was talking about, though, is the graphical package manager. I do
have rpm (from the command line) but the graphical one there has a
list of different "categories" and within them some packages that are
installed. But it doesn't list EVERYTHING. It's so generalized it
leaves so much out and you can't install or uninstall anything other
than what is listed. If you installed everything, it doesn't list
everything you installed, even! Just only a certain select few things
and then that listing is very general too. :( IOW, I have to do
everything from the command line with RPM management because the GUI
package manager is so limited. :( I thought that was a Pink Tie thing
though.

-- 
TechChiq
--------
Linux User # 331707 Machine # 216034 (http://counter.li.org)
Pink Tie 9 (RH9 clone), Kernel 2.4.20-6, KDE 3.1, Wine 20031016
Win98SE (dual-boot)
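
A sudoers sketch of the setup discussed in this thread, added here as an example and not written by either poster: password-less sudo limited to named commands, shown beside the blanket rule it replaces. The user name `techchiq`, the command paths, the mount point and the alias names are assumptions for illustration, and `sudoedit` requires a sudo version that ships it.

```sudoers
# Added example; make these changes through visudo, which syntax-checks
# the file before installing it so a typo cannot leave sudo unusable.
# "techchiq", the paths and the alias names are assumptions.

# Weak: every command as root with no password. Anything that runs under
# this account then has root without ever being asked for a credential.
# techchiq  ALL = (ALL) NOPASSWD: ALL

# Restricted: name the exact commands, always with full paths.
Cmnd_Alias DIALUP   = /usr/bin/kppp
Cmnd_Alias CDROM    = /bin/mount /mnt/cdrom, /bin/umount /mnt/cdrom

# Config files go through sudoedit, which runs the editor as the invoking
# user on a temporary copy and copies the result back. Granting an editor
# binary as root instead (e.g. /usr/bin/joe /etc/fstab) would let the user
# open any other file or start a shell from inside the editor, as root.
Cmnd_Alias CONFEDIT = sudoedit /etc/fstab, sudoedit /etc/auto.master

# No password for dial-up and CD mounting only.
techchiq  ALL = (root) NOPASSWD: DIALUP, CDROM

# Password still required before system config files can be changed.
techchiq  ALL = (root) CONFEDIT
```

Running `visudo -c` afterwards checks the installed file, and `sudo -l` as the user lists exactly what the account has been granted.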


