LinuxQuestions.org
Old 03-11-2017, 01:29 AM   #16
fanoflq
Member
 
Registered: Nov 2015
Posts: 397

Original Poster
Rep: Reputation: Disabled

Quote:
Originally Posted by Turbocapitalist View Post
Can you give some examples of what you are really trying to do? There probably is a safe and reasonable way to get it done, but we'll need more information.

The configuration posted above looks like the exact kind of abuse of sudo that I have blogged about since it is so common. A small amount of the fault lies with sudo being very flexible, but I think nearly all of the problem is the awful defaults provided by most sudo-using distros and worse examples provided out on the net.

Most people using sudo could benefit greatly from reading the manual page for sudoers at least once because if you're doing all-or-nothing permissions, you're doing it wrong. See also the slides from his other presentation of the same name, sudo: You're Doing It Wrong. I highly recommend going through the slides or the presentation.

I was looking at enabling sudo without password.
Then I thought what if we escalate a regular user
to using commands without using sudo.
How can I do this?

Sorry, as you can see, there is no use case for my case study!
But it would be nice (but not recommended) if I can do that on
my VMs in KVM, but not for production servers.

Thanks for the links.

Last edited by fanoflq; 03-11-2017 at 02:02 AM.
 
Old 03-11-2017, 01:32 AM   #17
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 4,444
Blog Entries: 3

Rep: Reputation: 2211
Quote:
Originally Posted by fanoflq View Post
I was looking at enabling sudo without password.
Yes, but sudo for what in particular? It does not stand on its own, it is there to change the user temporarily when running specific utilities. Which utilities do you want to run?
 
Old 03-11-2017, 01:43 AM   #18
fanoflq
Member
 
Registered: Nov 2015
Posts: 397

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist View Post
Yes, but sudo for what in particular? It does not stand on its own, it is there to change the user temporarily when running specific utilities. Which utilities do you want to run?
I was doing it for any utility using this directive in /etc/sudoers:
user1 ALL= NOPASSWD: ALL

I am doing this as a part of my Linux learning experience.
Nothing specific or special.

Again, I am aware this is not recommended.
But since I am using a VM in KVM,
I am less worried about crashing
and burning due to a fatal command.
Thanks to the ease of cloning a VM.
 
Old 03-11-2017, 07:10 AM   #19
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 3,194

Rep: Reputation: 1384
I think you are doing thought experiments with doing the things that good Sysadms and security people have worked for decades to avoid allowing. But I could be wrong.
Re:
Quote:
# Q1: Is there a way to display prompt string as user1@... instead of root@... when user's id has been changed to 0 (root)?
If you become another user and check the output of two commands:
Code:
whoami
who am i
you will see that one reports your current ID, and the other reports your logon name. If you put the logon name into the PS1 variable then it is the one that will appear in the prompt. More information can be found in online documents and your shell man page section on environment variables.
 
Old 03-11-2017, 12:24 PM   #20
fanoflq
Member
 
Registered: Nov 2015
Posts: 397

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by fanoflq View Post
Here is my solution:

I login as root.
Then delete line containing user1 from :
/etc/passwd
/etc/group
/etc/shadow

And then reboot to see if I caused any problem.
Then I recreate user1 again via useradd command.

Since I did not delete user1's home directory,
those account will become this "new" user1's account.
All is good.
After doing above, I was not able to login.
I found out it was related to root being the user owner of /home/user1.

Code:
#Able to login since user1 is owner of /home/user1.
[root@Centos7-1024ram-minimal home]# ls -ld /home/user1
drwx------. 2 user1 user1 94 Sep 21 18:54 /home/user1
[root@Centos7-1024ram-minimal home]# su - user1
Last login: Sat Mar 11 10:08:36 MST 2017 on pts/0
[user1@Centos7-1024ram-minimal ~]$ exit
logout

#change /home/user1 owner to root.
[root@Centos7-1024ram-minimal home]# chown root:user1 user1
[root@Centos7-1024ram-minimal home]# ls -ld /home/user1
drwx------. 2 root user1 94 Sep 21 18:54 /home/user1
[root@Centos7-1024ram-minimal home]# su - user1
Last login: Sat Mar 11 10:09:34 MST 2017 on pts/0
su: warning: cannot change directory to /home/user1: Permission denied
-bash: /home/user1/.bash_profile: Permission denied
-bash-4.2$ exit
logout
-bash: /home/user1/.bash_logout: Permission denied
Why am I not able to login as root since I am now also
the owner of /home/user1?
 
Old 03-11-2017, 12:34 PM   #21
fanoflq
Member
 
Registered: Nov 2015
Posts: 397

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by wpeckham View Post
I think you are doing thought experiments with doing the things that good Sysadms and security people have worked for decades to avoid allowing. But I could be wrong.
Re:

If you become another user and check the output of two commands:
Code:
whoami
who am i
you will see that one reports your current ID, and the other reports your logon name. If you put the logon name into the PS1 variable then it is the one that will appear in the prompt. More information can be found in online documents and your shell man page section on environment variables.
There is no option for logon name as far as I could see in man bash.
Quote:
In man bash:
...
PROMPTING
...
\u the username of the current user
...


Code:
#Change user1's id to root.
host@server1 ~ $ ssh root@192.168.122.167                                                                                    
root@192.168.122.167's password: 
Last login: Sat Mar 11 10:37:55 2017
[root@Centos7-1024ram-minimal ~]# usermod -ou 0 user1
usermod: warning: /var/spool/mail/user1 not owned by user1
[root@Centos7-1024ram-minimal ~]# su - user1
Last login: Sat Mar 11 10:39:00 MST 2017 from 192.168.122.1 on pts/0
[root@Centos7-1024ram-minimal ~]# pwd
/home/user1
[root@Centos7-1024ram-minimal ~]# ls -ld /home/user1
drwx------. 2 root user1 94 Sep 21 18:54 /home/user1

#Exit to host.  ....

#Login as user1
host@server1 ~ $ ssh user1@192.168.122.167
user1@192.168.122.167's password: 
Last login: Sat Mar 11 10:40:31 2017
[root@Centos7-1024ram-minimal ~]# export PS1='\u@$(hostname):\w\$ '
root@Centos7-1024ram-minimal:~# pwd
/home/user1
root@Centos7-1024ram-minimal:~# who
user1    pts/0        2017-03-11 10:41 (192.168.122.1)
root@Centos7-1024ram-minimal:~# ls -l /home/user1
total 0
root@Centos7-1024ram-minimal:~# ls -ld /home/user1
drwx------. 2 root user1 94 Sep 21 18:54 /home/user1
root@Centos7-1024ram-minimal:~# id user1
uid=0(root) gid=0(root) groups=0(root)

Last edited by fanoflq; 03-11-2017 at 12:51 PM.
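
The session above leaves two account names on UID 0, which is why the prompt and id both report root for user1. A check for that state, as an added example that is not part of the original posts; the sample file contents and the function names are constructed for illustration:

```bash
#!/bin/bash
# Added example: audit a passwd-format file for extra UID 0 accounts and
# for any UID shared by several account names.

# Constructed sample modelled on the state after "usermod -ou 0 user1".
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
user1:x:0:1000::/home/user1:/bin/bash
user2:x:1001:1001::/home/user2:/bin/bash
EOF
}

# Print every account other than "root" whose UID field (field 3) is 0.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# Print "uid:name1,name2" for every UID that more than one account uses.
duplicate_uids() {
    awk -F: '
        { if ($3 in names) names[$3] = names[$3] "," $1; else names[$3] = $1 }
        END { for (u in names) if (names[u] ~ /,/) print u ":" names[u] }
    ' "${1:-/etc/passwd}" | sort -n
}

# Run both checks against the constructed sample.
tmp=$(mktemp) && sample_passwd > "$tmp"
echo "accounts with UID 0 besides root: $(extra_uid0 "$tmp")"
echo "shared UIDs: $(duplicate_uids "$tmp")"
rm -f "$tmp"
```

Called without an argument, both functions read /etc/passwd.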
 
Old 03-11-2017, 12:45 PM   #22
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,522

Rep: Reputation: 2319
Quote:
Originally Posted by fanoflq View Post
# Q0 : Is there a better way to allow root privilege WITHOUT using sudo for any user?
No.
The system is not designed like that.
There is nothing to be gained by playing with turning a user into root. It serves no purpose in the real world and as a thought experiment it's like trying to imagine whether it's just about possible to build a car out of chocolate that randomly explodes and kills all passengers.
I don't even see any way this kind of thing could be used for gaining unauthorised access as it's almost the opposite scenario of being root and trying to make a user root without the user knowing.
 
Old 03-11-2017, 01:17 PM   #23
TxLonghorn
Member
 
Registered: Feb 2004
Location: Austin Texas
Distribution: Mandrake 9.2
Posts: 702

Rep: Reputation: 231
Quote:
Originally Posted by fanoflq View Post
Is this question unsolvable?


# Q2: How do I change user1's user id from 0 back to the original user ID?
Create a new user, (user2), and give that new user administrative (sudo) authority. Log in as that user.
Run the command
Code:
id
to make sure that user2 is not uid=1000
Enter the usermod commands:
Code:
sudo usermod -u 1000 user1
Code:
sudo groupmod -g 1000 user1
Code:
sudo usermod -g 1000 user1
 
Old 03-11-2017, 02:38 PM   #24
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 3,194

Rep: Reputation: 1384
Quote:
Originally Posted by fanoflq View Post
There is no option for logon name as far as i could see in man bash.
I did not say that there was. I meant that you could find more about the use and setting of the PS1 variable, options, and effects on the man page for your shell. The commands I provided will provide the name string you need, and that may be embedded in the prompt to the prompt effect you desired. In fact you can use almost any arbitrary string or command result in the prompt if you can only delimit it properly. That can result in great fun, or confusion, or both.

Confusion seems pertinent to this conversation.
 
Old 03-11-2017, 02:51 PM   #25
fanoflq
Member
 
Registered: Nov 2015
Posts: 397

Original Poster
Rep: Reputation: Disabled
TxLonghorn:

Your post is not making sense if you follow my posts
on my I was unable to change user id for user1 from 0 to 1000.
 
Old 03-11-2017, 05:24 PM   #26
BW-userx
LQ Guru
 
Registered: Sep 2013
Location: Somewhere in my head.
Distribution: Slackware FreeBSD Win10 MX
Posts: 9,609

Rep: Reputation: 2071
enabling user with ROOT privileges WITHOUT using sudo

the easiest way to do it without a lot of fiddling around, just give him or her the root user password.
Code:
su 
password
 
Old 03-11-2017, 06:24 PM   #27
GazL
LQ Guru
 
Registered: May 2008
Posts: 5,386
Blog Entries: 18

Rep: Reputation: 3196
Like others I'm still very unclear about what the OP is trying to achieve, but one approach I use with my scripts is to get them to reinvoke themselves with sudo like this:
Code:
#!/bin/bash -p
########################################################################
# Sanitise the environment:

PATH="/bin:/sbin:/usr/bin:/usr/sbin"
unset IFS TAR_OPTIONS GREP_OPTIONS
umask 0022

########################################################################
# Reinvoke this script as root:

#   Note:
#     checking for $SUDO_UID will mean that the script will reinvoke
#     itself even when run by the superuser directly.  This is both
#     intentional and necessary as we use $SUDO_UID later.

if [ "$EUID" != '0' ] || [ -z "$SUDO_UID" ]; then
   exec sudo -u root -- "$(readlink -e "$0")" "$@"
   exit 1
fi

########################################################################
Which means I don't have to remember to run it via sudo.

This example is from a wrapper script I've written around Slackware's makepkg command so that I can build packages from a non-root user. It goes with a sudoers rule:
Code:
# Allow member of group 'build' a.k.a. "Software packagers"
# to run buildpkg
%build ALL=(root) NOPASSWD: /usr/local/bin/buildpkg
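
The thread contrasts a blanket rule (user1 ALL= NOPASSWD: ALL) with a rule scoped to one command (the %build rule above). One way to find the blanket kind in a sudoers file, as an added example that is not from any poster in this thread; the parser is simplified (no aliases, line continuations or include files), and the root and admin1 lines and the function names are hypothetical:

```bash
#!/bin/bash
# Added example: flag sudoers user specs that grant NOPASSWD on every command.
# Simplified parser: no aliases, line continuations or include files.

# Constructed sample. The user1 and %build rules are the two quoted in the
# thread; the root and admin1 lines are hypothetical additions.
sample_sudoers() {
cat <<'EOF'
# constructed sample, not a real system's file
Defaults env_reset
root    ALL=(ALL) ALL
user1 ALL= NOPASSWD: ALL
%build ALL=(root) NOPASSWD: /usr/local/bin/buildpkg
admin1 ALL=(ALL) PASSWD: /usr/bin/less, NOPASSWD: ALL
EOF
}

# Print the user or group of each rule whose command list contains ALL
# while the NOPASSWD tag is in effect.
blanket_nopasswd() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]*Defaults/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            spec = substr($0, eq + 1)
            gsub(/\([^)]*\)/, "", spec)     # drop the (runas) part
            gsub(/[ \t]/, "", spec)
            n = split(spec, cmds, ",")
            nopass = 0
            for (i = 1; i <= n; i++) {
                c = cmds[i]
                # a tag stays in effect for the rest of the list
                while (match(c, /^[A-Z_]+:/)) {
                    tag = substr(c, 1, RLENGTH)
                    if (tag == "NOPASSWD:") nopass = 1
                    if (tag == "PASSWD:") nopass = 0
                    c = substr(c, RLENGTH + 1)
                }
                if (nopass && c == "ALL") { print $1; break }
            }
        }
    ' "$1"
}

tmp=$(mktemp) && sample_sudoers > "$tmp"
echo "blanket NOPASSWD rules: $(blanket_nopasswd "$tmp" | tr '\n' ' ')"
rm -f "$tmp"
```

For a real system, visudo -c checks the file's syntax and sudo -l -U user1 lists what sudo itself resolves for an account, including aliases and included files that this sketch ignores.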
 
  

