[Techtalk] Group Permission Security Question

Telsa Gwynne hobbit at aloss.ukuu.org.uk
Sat Oct 18 10:47:50 EST 2003


On Sat, Oct 18, 2003 at 04:16:46AM -0400 or thereabouts, TechChiq wrote:
> I want to set up so that my main account on my linux box (the one I do
> all my normal work in) can also access some files that have group set to
> "root" (like when files were transferred from another drive I don't know
> how the group didn't get set to write). I keep having to make superuser
> windows or terms for stuff. Is it bad security to set a certain user's
> group mode to "root"? 

There are better ways, I think. I believe traditionally the 
'wheel' group was the name of the group that people got added
to to do root-things, but don't quote me.

The way I'd do it is with a different package, and the package
in question is shipped by just about every distro these days. The
package is "sudo". 

I wrote a long piece about sudo on linuxchix once, but I can't
find it now. 

Essentially, there's a file called /etc/sudoers. It contains a
list of account names and then peculiar syntax after each name.
And it can be used to say "these normal users can use these
commands"; "these users can _not_ use these particular commands";
"these users can do anything root can do"; "these users can start
the modem up"; "these users can mess with the tape drive" (for
backups) etc. 

You edit it with the command "visudo". This will refuse to let
you quit unless the resulting file is in working order, in the
same way that vipw will stop you messing up the password file.
If you don't like vi, you set the editor variable to be your
preferred (text) editor first: 

$ EDITOR=joe visudo  (for example)

I have mine set to let me do root commands. You can use this
line for yourself and Mr Wizard: 

accountname  ALL=(ALL)      ALL

My /etc/sudoers also contains example lines:

# Uncomment to allow people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL
#
# Samples
# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users  localhost=/sbin/shutdown -h now

To do anything more than that, you will need to read man(5) sudoers.
man(8) sudo is more about how you can use the sudo command once it
is set up. The sudoers page is about the syntax for the file.

Once this is done, users can run commands they can't normally
run with

$ sudo commandname

..and then by giving their _own_ password. Not root's. 

There's a sort of time-out effect: if you have a series of
commands, then you only give your password the first time.
You can continue doing "sudo nextcommand" for a few minutes
before it will ask again. (By default, anyway. You may not
want that.) 

sudo will also log which account tried to run what. I find
this really useful. There are some root commands I use very
rarely and I forget their syntax every time. Now, I keep
the mails sudo sent me about who ran what and I can find how
I did it last time. And what my husband did when I wasn't
looking :)

> Also, I have a couple folks that may use my machine so I want to make
> accounts for them too. One would be my boyfriend, who knows little about
> computers (he's learning :) so I would like to set up something where he
> can't blitz nothing. Of course I wouldn't set him to root group! LOL!

You can just create him as a normal user. Normal users can only
delete their own files and files which are world-writable: there
should not be many of those. They can only _create_ their own 
files in $HOME (which is shorthand for their home directory) and 
in /tmp. 

> How would I set up his account? I'm still a bit lime-green 
> on this permission thing...

There is a way at the command-line which works on practically
all distros. Or there is a friendly graphical way on most distros.
But that varies between distros. 

The way at the commandline is -- oh dear. I forget every time.
It might (note "might" :)) be (replacing "accountname" by whatever) : 

# useradd accountname
# passwd accountname

I have decided I like the pretty graphical way on most distros :) 

> Pink Tie 9 (RH9 clone), Kernel 2.4.20-6, KDE 3.1, Wine 20031016

What a useful thing to put in your .sig :) Okay, with RH, it
should be available through Nautilus (the file manager) or the
RH menu if you run GNOME; and I presume through the file manager
and the menu if you run KDE, since RH made the menus very very
similar in each.

Telsa
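
An added example, not part of the message above and not code from the sudo project: a small Python audit that reads user-specification lines in the /etc/sudoers style quoted in the message and reports which accounts or groups can run any command and which are limited to named commands. The function names parse_sudoers and full_root_grants are hypothetical, the sample text is constructed from the lines shown in the message, and the parser covers only simple one-line rules, not the full grammar described in the sudoers manual page.

```python
import re

# Constructed sample, modelled on the lines quoted in the message.
SAMPLE = """\
# %wheel        ALL=(ALL)       ALL
accountname  ALL=(ALL)      ALL
%users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
%users  localhost=/sbin/shutdown -h now
"""

# who  host = [(runas)] command[, command...]
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")   # e.g. "NOPASSWD: "

def parse_sudoers(text):
    """Parse simple one-line user specifications.

    Comments, blank lines, Defaults and *_Alias lines are skipped.
    Simplified: no line continuations, no alias expansion.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Defaults") or re.match(r"^\w+_Alias\b", line):
            continue
        m = RULE.match(line)
        if not m:
            continue
        cmds = [TAGS.sub("", c.strip()) for c in m.group("cmds").split(",")]
        rules.append({
            "who": m.group("who"),                 # "%name" means a group
            "host": m.group("host"),
            "runas": m.group("runas") or "root",   # sudo runs as root by default
            "commands": cmds,
        })
    return rules

def full_root_grants(rules):
    """Names whose rule includes the catch-all command 'ALL'."""
    return [r["who"] for r in rules if "ALL" in r["commands"]]

if __name__ == "__main__":
    for r in parse_sudoers(SAMPLE):
        scope = "ANY command" if "ALL" in r["commands"] else "; ".join(r["commands"])
        print(f'{r["who"]:12} host={r["host"]:10} runas={r["runas"]:5} {scope}')
```

Run against a copy of a sudoers file, the names returned by full_root_grants are the ones to review first, since those accounts are root in all but name.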


