LinuxQuestions.org
Old 05-14-2014, 06:43 AM   #1
battles
Member
 
Registered: Apr 2014
Distribution: Debian GNU/Linux 7.5 (wheezy)
Posts: 231

Rep: Reputation: 5
Understanding sudo


I told someone specifically to not execute a program while in a user other than /root. So he does it anyway, which led to an ownership problem. My understanding of sudo is that when you do a sudo to anything outside of /root, that the command is actually executed as if you were actually in /root and not executed as though you were in the current non-root user. Is that correct?
 
Old 05-14-2014, 07:01 AM   #2
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian i686 (solaris)
Posts: 8,104

Rep: Reputation: 2267
You mixed two things: /root is a directory, the home directory of the user root. The user root has special privileges, but it is not related to any directory (home or not home).
The command sudo will allow you to act as another user (see man page: http://linux.die.net/man/8/sudo) - it can be configured, and usually it is used to execute commands which require root privileges. It is not relevant whether you are currently in the /root directory or not.

It would be nice to describe your ownership problem better...
 
Old 05-14-2014, 07:08 AM   #3
battles
Member
 
Registered: Apr 2014
Distribution: Debian GNU/Linux 7.5 (wheezy)
Posts: 231

Original Poster
Rep: Reputation: 5
What happened is: he was in user bill. User bill has root privileges (visudo entry). He was told not to start a program that was installed in user bill with sudo prepended. He couldn't get the program to start by just using its name (he wasn't in the correct directory), so he used 'sudo programname'. The program again didn't start, but /root took ownership of the path to the program. That is what I think happened, anyway.
 
Old 05-14-2014, 07:22 AM   #4
jamison20000e
Senior Member
 
Registered: Nov 2005
Location: ...uncanny valley... infinity\1975; (randomly born:) Milwaukee, WI, US, Earth, end border$! ◣◢┌∩┐ Fe26-E,e...
Distribution: any GPL that works well on my cheapest, has been KDE or CLI but open... http://goo.gl/NqgqJx &c ;-)
Posts: 3,084
Blog Entries: 2

Rep: Reputation: 840
su ("super" - "user") to stay root user in a terminal or sudo -s ("su" - "do"); could have a look at chown

Last edited by jamison20000e; 05-14-2014 at 07:26 AM.
 
Old 05-14-2014, 07:31 AM   #5
battles
Member
 
Registered: Apr 2014
Distribution: Debian GNU/Linux 7.5 (wheezy)
Posts: 231

Original Poster
Rep: Reputation: 5
This definition:
Definition: sudo: Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root...

seems to imply that if a user is given root privileges, when he executes a 'sudo whatever', that it is as if he were actually in the /root user's account executing the 'sudo whatever' command, although he is actually in user bill. Am I understanding this correctly? That is the way it was explained to me.

Last edited by battles; 05-14-2014 at 07:33 AM.
 
Old 05-14-2014, 07:41 AM   #6
jamison20000e
Senior Member
 
Registered: Nov 2005
Location: ...uncanny valley... infinity\1975; (randomly born:) Milwaukee, WI, US, Earth, end border$! ◣◢┌∩┐ Fe26-E,e...
Distribution: any GPL that works well on my cheapest, has been KDE or CLI but open... http://goo.gl/NqgqJx &c ;-)
Posts: 3,084
Blog Entries: 2

Rep: Reputation: 840
Like pan64 said /root means a directory (usually not much in root's home folder i.e: /root) and root as a user owns, for the most part, all of / (the root (like a tree) or bottom directory (jargon pun intended) but yes sudo can do as much damage as the user root...

:Edits.

Last edited by jamison20000e; 05-14-2014 at 07:47 AM.
 
Old 05-14-2014, 07:45 AM   #7
battles
Member
 
Registered: Apr 2014
Distribution: Debian GNU/Linux 7.5 (wheezy)
Posts: 231

Original Poster
Rep: Reputation: 5
Can a user be allowed sudo privileges to install a program, but prevented privileges to executing any programs with the sudo command?
 
Old 05-14-2014, 07:53 AM   #8
jamison20000e
Senior Member
 
Registered: Nov 2005
Location: ...uncanny valley... infinity\1975; (randomly born:) Milwaukee, WI, US, Earth, end border$! ◣◢┌∩┐ Fe26-E,e...
Distribution: any GPL that works well on my cheapest, has been KDE or CLI but open... http://goo.gl/NqgqJx &c ;-)
Posts: 3,084
Blog Entries: 2

Rep: Reputation: 840
Probably, I'm no guru on that there may be better users or groups suited?
http://www.sudo.ws/pipermail/sudo-us...ry/004312.html
http://answers.oreilly.com/topic/432...ons-with-sudo/
http://ubuntuforums.org/showthread.php?t=1132821
http://www.techrepublic.com/article/...h-sudo-part-1/
 
Old 05-14-2014, 07:55 AM   #9
battles
Member
 
Registered: Apr 2014
Distribution: Debian GNU/Linux 7.5 (wheezy)
Posts: 231

Original Poster
Rep: Reputation: 5
Thanks all. I'll get my head around this sudo thing eventually.
 
Old 05-14-2014, 08:05 AM   #10
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian i686 (solaris)
Posts: 8,104

Rep: Reputation: 2267
please read the DESCRIPTION part of the man page of sudo:
Quote:
sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The real
and effective uid and gid are set to match those of the target user, as specified in the password database, and the group vector is
initialized based on the group database (unless the -P option was specified).

sudo supports a plugin architecture for security policies and input/output logging. Third parties can develop and distribute their
own policy and I/O logging modules to work seamlessly with the sudo front end. The default security policy is sudoers, which is
configured via the file /etc/sudoers, or via LDAP. See the PLUGINS section for more information.

The security policy determines what privileges, if any, a user has to run sudo. The policy may require that users authenticate
themselves with a password or another authentication mechanism. If authentication is required, sudo will exit if the user's password
is not entered within a configurable time limit. This limit is policy-specific; the default password prompt timeout for the sudoers
security policy is unlimited.

Security policies may support credential caching to allow the user to run sudo again for a period of time without requiring
authentication. The sudoers policy caches credentials for 15 minutes, unless overridden in sudoers(5). By running sudo with the -v
option, a user can update the cached credentials without running a command.

When invoked as sudoedit, the -e option (described below), is implied.

Security policies may log successful and failed attempts to use sudo. If an I/O plugin is configured, the running command's input
and output may be logged as well.
Definition: sudo: Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root (or as anyone else).
This does not mean they can execute sudo whatever but what was allowed and nothing else.
 
1 members found this post helpful.
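An added example (not part of any post in this thread) of the point made in post #10, that a sudoers entry permits only what it lists: a fragment that limits bill to package installation as root. The file name, the alias name PKG_INSTALL, the commented-out broad rule and the Debian command paths are assumptions.

```sudoers
# /etc/sudoers.d/bill   (assumed file name; create it with: visudo -f /etc/sudoers.d/bill)

# Broad rule, shown commented out for comparison: bill may run any command as any user.
# This is the kind of entry under which "sudo programname" runs programname as root.
# bill ALL=(ALL:ALL) ALL

# Narrow rule: bill may run only the listed package commands, and only as root.
# Paths are the usual Debian locations (assumption); sudo matches the full path.
Cmnd_Alias PKG_INSTALL = /usr/bin/apt-get update, \
                         /usr/bin/apt-get install *, \
                         /usr/bin/dpkg -i *

bill ALL=(root) PKG_INSTALL

# Anything else, such as "sudo ./programname" from bill's home directory,
# is refused by the policy. bill can still run the program without sudo,
# in which case it runs as bill and any files it creates belong to bill.
```

Check the file with visudo -c -f /etc/sudoers.d/bill and list the effective rules with sudo -l -U bill. Package installation runs the package's own scripts as root, so this rule still depends on trusting what bill installs.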
Old 05-14-2014, 08:40 AM   #11
battles
Member
 
Registered: Apr 2014
Distribution: Debian GNU/Linux 7.5 (wheezy)
Posts: 231

Original Poster
Rep: Reputation: 5
I guess my final question is:
If bill is logged into user bill, and bill has been given root privileges, then when he executes a sudo programname, does the execution of sudo programname execute the program just as though he were doing so from the user root? Maybe that isn't making any sense.
 
Old 05-14-2014, 08:43 AM   #12
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian i686 (solaris)
Posts: 8,104

Rep: Reputation: 2267
that is the goal of sudo
the user bill entered: sudo programname and programname will be executed as root (instead of bill)
 
Old 05-14-2014, 08:51 AM   #13
battles
Member
 
Registered: Apr 2014
Distribution: Debian GNU/Linux 7.5 (wheezy)
Posts: 231

Original Poster
Rep: Reputation: 5
That is excellent, just what I need to know. That is why when the user executed the program using the prepended (prepended - not an actual word, but it should be) sudo caused him to not be able to execute the program from bill, because root took ownership of the program. It wasn't until after I did a chown that he was able to execute it. What I am trying to find now is if there is some way to give bill sudo privileges to install a sudo program from bill, but not execute a sudo program from bill. He should only be able to simply execute program from bill.

Thanks!!!

Last edited by battles; 05-14-2014 at 08:53 AM.
 
Old 05-14-2014, 09:02 AM   #14
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian i686 (solaris)
Posts: 8,104

Rep: Reputation: 2267
You still missed some points: root did not take ownership of the program but the execution of it. By default users do not own the programs, they just execute them (as themselves). So bill will execute all the programs (owned by anyone) he started as bill (himself).
For example: ls is a program, you can find it in /bin, and touch is another program.
Code:
pan@/tmp$ ls -l /bin/touch /bin/ls
-rwxr-xr-x 1 root root 105840 Nov 19  2012 /bin/ls
-rwxr-xr-x 1 root root  60112 Nov 19  2012 /bin/touch
Here you can see that the owner of both apps is root.
But anyone (bill, you and me) is allowed to use it as myself.
pan@/tmp$ touch /tmp/aaa
pan@/tmp$ sudo touch /tmp/bbb
pan@/tmp$ ls -l /tmp/aaa /tmp/bbb
-rw-r--r-- 1 pan     pan       0 May 14 14:59 /tmp/aaa
-rw-r--r-- 1 root    root      0 May 14 15:00 /tmp/bbb
as you see /tmp/aaa owned by me and /tmp/bbb is owned by root
 
1 members found this post helpful.
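An added example (not from the thread) that follows on from the /tmp/aaa and /tmp/bbb demonstration in post #14: a shell check that lists everything under a directory not owned by the expected user, which is what a program run once with sudo leaves behind. The function names are hypothetical, and the chown lines are printed for review, not executed.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# not_owned_by USER DIR
# Print every entry under DIR whose owner is not USER (name or numeric uid).
not_owned_by() {
    user=$1
    dir=$2
    # -xdev keeps find on one filesystem; "! -user" selects a different owner.
    find "$dir" -xdev ! -user "$user" -print
}

# suggest_chown USER DIR
# Print (do not run) one chown command per entry found above, so the
# administrator can review the list before changing ownership.
# Assumes file names without embedded newlines or single quotes.
suggest_chown() {
    user=$1
    dir=$2
    not_owned_by "$user" "$dir" | while IFS= read -r path; do
        printf "chown %s -- '%s'\n" "$user" "$path"
    done
}

# Stand-alone use: ./audit.sh bill /home/bill
if [ "$#" -eq 2 ]; then
    suggest_chown "$1" "$2"
fi
```

Run it as root, or as the user in question, so that find can read every subdirectory.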
Old 05-14-2014, 09:12 AM   #15
battles
Member
 
Registered: Apr 2014
Distribution: Debian GNU/Linux 7.5 (wheezy)
Posts: 231

Original Poster
Rep: Reputation: 5
"You still missed some points" – I resent (actually resemble) that remark!

Thanks.
 
  

