LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 06-02-2006, 08:21 AM   #1
konstantinmiller
LQ Newbie
 
Registered: Apr 2006
Distribution: Slackware
Posts: 7

Rep: Reputation: 0
chmod u-x doesn't work?


Hi!

I would like to prevent some programs being run as root, for example vmware.

/usr/bin/vmware is owned by root and the group vmware, with me as the only member. I did "chmod 050 /usr/bin/vmware", but even after that, root can execute it!

Why?

Thanx for help

Konstantin
 
Old 06-02-2006, 12:34 PM   #2
joelkeeble
Member
 
Registered: Mar 2005
Posts: 50

Rep: Reputation: 15
when you say "me" as the only member who are you? root or a normal user?
are you sure root is not a member of the vmware group? typing "groups" when logged in as root will tell you.

In the long run you cannot prevent root from running the file. just dont run it as root! unless there are other users with root access. You cannot stop these users running anything if they have full root privileges.

why do you want to prevent root running vmware?
 
Old 06-02-2006, 03:20 PM   #3
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Rep: Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910
As long as ANY of ugo has x root will be able to run it,
whether root is group member or not.


Cheers,
Tink
 
Old 06-05-2006, 06:41 AM   #4
konstantinmiller
LQ Newbie
 
Registered: Apr 2006
Distribution: Slackware
Posts: 7

Original Poster
Rep: Reputation: 0
joelkeeble: Sorry for confusing. When I said "me" I meant "me as normal user". I'm sure that root is not a member of vmware group. I know that everyone who has root access can do anything and one can't prevent it. All I wanted is to prevent me to run a command as root without being aware of it! VMware was just an example :-)

Thnkster: That would explain that behavior! It seems that I have no possibility to achieve what I want to!
 
Old 06-05-2006, 06:52 AM   #5
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 671Reputation: 671Reputation: 671Reputation: 671Reputation: 671Reputation: 671
You could get in the habit of using the "sudo" command to perform things as root.
It is setup using the "visudo" program. If you read the examples in the /etc/sudoers file and read the sudoers man page, you can learn how to prohibit certain commands from being executed.
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
This will prevent arron and shanty from running "sudo /usr/bin/more" and "sudo /usr/bin/vi"
 
Old 06-05-2006, 07:24 AM   #6
konstantinmiller
LQ Newbie
 
Registered: Apr 2006
Distribution: Slackware
Posts: 7

Original Poster
Rep: Reputation: 0
Already using it lot, but with sudo I have the problem, that I still have the non-root environment. The /root/.bashrc configuration doesn't get loaded!
 
Old 06-05-2006, 12:34 PM   #7
joelkeeble
Member
 
Registered: Mar 2005
Posts: 50

Rep: Reputation: 15
Why not put some funky stuff in your ~/.bashrc file so that you know when you are root e.g change the colour of the prompt put root in bold read letters.

If you have specific programs you don't want to run as root you could alias the command to warn you. you could write a script or just alias the command to "ls" either way you then know you are root.

I can think of lots of different approaches.

remove the path in your .bashrc to any commands you dont want to be able to run, then to run them you will have to type the whole path.

Being the root user you are supposed to know what you are doing this is one of the reasons root has such control e.g. you can delete the entire root partition using "rm -r /" and you will be given no warning. Yes this is dangerous but only if you are not aware of what you are doing!

You can add a time out line to your .profile file that will log you out of root after 30 sec (or however long you like).

if its just the environment you worry about then you can source roots environment as a normal user.

". /root/.profile"
". /root/.bashrc"
"sudo vmware"

Create a wrapper for sudo that loads your environment first and warns you that you are about to run a command.

Personally I just dont log on as root unless I have a specific command to run. I check the command first then "su -" , run the command and "ctrl + d" to logout. Just be careful, but if you dont trust yourself try some of the above ideas.
 
Old 06-05-2006, 06:53 PM   #8
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 671Reputation: 671Reputation: 671Reputation: 671Reputation: 671Reputation: 671
When you use sudo, you need to include the full path to the command. This is by design. Either the sudoers man page or the comments in the sudoers command itself explain the security issues.
 
Old 06-05-2006, 06:58 PM   #9
joelkeeble
Member
 
Registered: Mar 2005
Posts: 50

Rep: Reputation: 15
Guess that makes sense. I don't personally use sudo. I have not yet managed to damage any of my production servers using the root account(fingers crossed).
 
Old 06-05-2006, 10:26 PM   #10
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 671Reputation: 671Reputation: 671Reputation: 671Reputation: 671Reputation: 671
I think that the best use of sudo is to allow a group to perform admistrative functions without having to share the root password. Also, sudo commands are logged.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
chmod & now files don't work? moschi Linux - General 8 01-31-2006 10:59 PM
Will this command work? chmod -R 644 *.php abefroman Programming 3 10-22-2005 08:26 AM
did chmod 666 on a directory but it doesn't work r3dhatter Linux - Newbie 6 06-10-2005 10:06 AM
chmod doesn't work stonecrest Linux - Newbie 4 02-27-2005 04:43 AM
mount doesn't work as non su even after chmod 777 dokterneo Slackware 5 08-08-2003 10:48 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 05:36 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration