|
|
|
03-11-2017, 01:29 AM
|
#16
|
Member
Registered: Nov 2015
Posts: 397
Original Poster
Rep:
|
Quote:
Originally Posted by Turbocapitalist
Can you give some examples of what you are really trying to do? There probably is a safe and reasonable way to get it done, but we'll need more information.
The configuration posted above looks like the exact kind of abuse of sudo that I have blogged about since it is so common. A small amount of the fault lies with sudo being very flexible, but I think nearly all of the problem is the awful defaults provided by most sudo-using distros and worse examples provided out on the net.
Most people using sudo could benefit greatly from reading the manual page for sudoers at least once because if you're doing all-or-nothing permissions, you're doing it wrong. See also the slides from his other presentation of the same name, sudo: You're Doing It Wrong. I highly recommend going through the slides or the presentation.
|
I was looking at enabling sudo without password.
Then I thought what if we escalate a regular user
to using commands without using sudo.
How can I do this?
Sorry, as you can see, there is no use case for my case study!
But it would be nice (but not recommended) if I can do that on
my VMs in KVM, but not for production servers.
Thanks for the links.
Last edited by fanoflq; 03-11-2017 at 02:02 AM.
|
|
|
03-11-2017, 01:32 AM
|
#17
|
LQ Guru
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,582
|
Quote:
Originally Posted by fanoflq
I was looking at enabling sudo without password.
|
Yes, but sudo for what in particular? It does not stand on its own, it is there to change the user temporarily when running specific utilities. Which utilities do you want to run?
|
|
|
03-11-2017, 01:43 AM
|
#18
|
Member
Registered: Nov 2015
Posts: 397
Original Poster
Rep:
|
Quote:
Originally Posted by Turbocapitalist
Yes, but sudo for what in particular? It does not stand on its own, it is there to change the user temporarily when running specific utilities. Which utilities do you want to run?
|
I was doing it for any utility using this directive in /etc/sudoers:
user1 ALL= NOPASSWD: ALL
I am doing this as a part of my Linux learning experience.
Nothing specific or special.
Again, I am aware this is not recommended.
But since I am using a VM in KVM,
I am less worried about crashing
and burning due to a fatal command.
Thanks to the ease of cloning a VM.
|
|
|
03-11-2017, 07:10 AM
|
#19
|
LQ Guru
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS, Manjaro
Posts: 5,960
|
I think you are doing thought experiments with doing the things that good Sysadms and security people have worked for decades to avoid allowing. But I could be wrong.
Re:
Quote:
# Q1: Is there a way to display prompt string as user1@... instead of root@... when user's id has been changed to 0 (root)?
|
If you become another user and check the output of two commands: you will see that one reports your current ID, and the other reports your logon name. If you put the logon name into the PS1 variable then it is the one that will appear in the prompt. More information can be found in online documents and your shell man page section on environment variables.
|
|
|
03-11-2017, 12:24 PM
|
#20
|
Member
Registered: Nov 2015
Posts: 397
Original Poster
Rep:
|
Quote:
Originally Posted by fanoflq
Here is my solution:
I login as root.
Then delete line containing user1 from :
/etc/passwd
/etc/group
/etc/shadow
And then reboot to see if I caused any problem.
Then I recreate user1 again via useradd command.
Since I did not delete user1's home directory,
those account will become this "new" user1's account.
All is good.
|
After doing above, I was not able to login.
I found out it was related to root being the user owner of /home/user1.
Code:
#Able to login since user1 is owner of /home/user1.
[root@Centos7-1024ram-minimal home]# ls -ld /home/user1
drwx------. 2 user1 user1 94 Sep 21 18:54 /home/user1
[root@Centos7-1024ram-minimal home]# su - user1
Last login: Sat Mar 11 10:08:36 MST 2017 on pts/0
[user1@Centos7-1024ram-minimal ~]$ exit
logout
#change /home/user1 owner to root.
[root@Centos7-1024ram-minimal home]# chown root:user1 user1
[root@Centos7-1024ram-minimal home]# ls -ld /home/user1
drwx------. 2 root user1 94 Sep 21 18:54 /home/user1
[root@Centos7-1024ram-minimal home]# su - user1
Last login: Sat Mar 11 10:09:34 MST 2017 on pts/0
su: warning: cannot change directory to /home/user1: Permission denied
-bash: /home/user1/.bash_profile: Permission denied
-bash-4.2$ exit
logout
-bash: /home/user1/.bash_logout: Permission denied
Why am I not able to login as root since I am now also
the owner of /home/user1?
|
|
|
03-11-2017, 12:34 PM
|
#21
|
Member
Registered: Nov 2015
Posts: 397
Original Poster
Rep:
|
Quote:
Originally Posted by wpeckham
I think you are doing thought experiments with doing the things that good Sysadms and security people have worked for decades to avoid allowing. But I could be wrong.
Re:
If you become another user and check the output of two commands: you will see that one reports your current ID, and the other reports your logon name. If you put the logon name into the PS1 variable then it is the one that will appear in the prompt. More information can be found in online documents and your shell man page section on environment variables.
|
There is no option for logon name as far as I could see in man bash.
Quote:
In man bash:
...
PROMPTING
...
\u the username of the current user
...
|
Code:
#Change user1's id to root.
host@server1 ~ $ ssh root@192.168.122.167
root@192.168.122.167's password:
Last login: Sat Mar 11 10:37:55 2017
[root@Centos7-1024ram-minimal ~]# usermod -ou 0 user1
usermod: warning: /var/spool/mail/user1 not owned by user1
[root@Centos7-1024ram-minimal ~]# su - user1
Last login: Sat Mar 11 10:39:00 MST 2017 from 192.168.122.1 on pts/0
[root@Centos7-1024ram-minimal ~]# pwd
/home/user1
[root@Centos7-1024ram-minimal ~]# ls -ld /home/user1
drwx------. 2 root user1 94 Sep 21 18:54 /home/user1
#Exit to host. ....
#Login as user1
host@server1 ~ $ ssh user1@192.168.122.167
user1@192.168.122.167's password:
Last login: Sat Mar 11 10:40:31 2017
[root@Centos7-1024ram-minimal ~]# export PS1='\u@$(hostname):\w\$ '
root@Centos7-1024ram-minimal:~# pwd
/home/user1
root@Centos7-1024ram-minimal:~# who
user1 pts/0 2017-03-11 10:41 (192.168.122.1)
root@Centos7-1024ram-minimal:~# ls -l /home/user1
total 0
root@Centos7-1024ram-minimal:~# ls -ld /home/user1
drwx------. 2 root user1 94 Sep 21 18:54 /home/user1
root@Centos7-1024ram-minimal:~# id user1
uid=0(root) gid=0(root) groups=0(root)
Last edited by fanoflq; 03-11-2017 at 12:51 PM.
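An added example, not part of the post above: a small audit that finds the state `usermod -ou 0 user1` leaves behind (a second account with UID 0) and shows why the prompt and `id user1` report "root". The passwd entries are constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of /etc/passwd after `usermod -ou 0 user1`
# (illustrative entries, not copied from the poster's VM).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
user1:x:0:0::/home/user1:/bin/bash
user2:x:1001:1001::/home/user2:/bin/bash'

# Print every account other than "root" whose UID field is 0.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print "uid:name1,name2,..." for every UID shared by several accounts.
duplicate_uids() {
    awk -F: '
        {
            if ($3 in names) names[$3] = names[$3] "," $1
            else names[$3] = $1
            count[$3]++
        }
        END { for (u in count) if (count[u] > 1) print u ":" names[u] }
    ' | sort -n
}

# Name that a UID is displayed as: with the plain files backend, a
# UID-to-name lookup returns the first matching line in file order.
# Tools that print a name for UID 0 (the \u prompt escape, `id`)
# therefore show "root" even when the session was opened as user1.
name_for_uid() {
    awk -F: -v uid="$1" '$3 == uid { print $1; exit }'
}

# Feed /etc/passwd instead of the sample to audit a live system.
echo "extra UID 0 accounts: $(printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0_accounts)"
echo "shared UIDs:          $(printf '%s\n' "$SAMPLE_PASSWD" | duplicate_uids)"
echo "UID 0 displays as:    $(printf '%s\n' "$SAMPLE_PASSWD" | name_for_uid 0)"
```

Any output from the first check means an account other than root carries full root privilege, and file ownership and logs will attribute its actions to root.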
|
|
|
03-11-2017, 12:45 PM
|
#22
|
LQ Addict
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680
|
Quote:
Originally Posted by fanoflq
# Q0 : Is there a better way to allow root privilege WITHOUT using sudo for any user?
|
No.
The system is not designed like that.
There is nothing to be gained by playing with turning a user into root. It serves no purpose in the real world and as a thought experiment it's like trying to imagine whether it's just about possible to build a car out of chocolate that randomly explodes and kills all passengers.
I don't even see any way this kind of thing could be used for gaining unauthorised access as it's almost the opposite scenario of being root and trying to make a user root without the user knowing.
|
|
|
03-11-2017, 01:17 PM
|
#23
|
Member
Registered: Feb 2004
Location: Austin Texas
Distribution: Mandrake 9.2
Posts: 702
|
Quote:
Originally Posted by fanoflq
Is this question unsolvable?
# Q2: How do I change user1's user id from 0 back to the original user ID?
|
Create a new user, (user2), and give that new user administrative (sudo) authority. Log in as that user.
Run the command to make sure that user2 is not uid=1000
Enter the usermod commands:
Code:
sudo usermod -u 1000 user1
Code:
sudo groupmod -g 1000 user1
Code:
sudo usermod -g 1000 user1
|
|
|
03-11-2017, 02:38 PM
|
#24
|
LQ Guru
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS, Manjaro
Posts: 5,960
|
Quote:
Originally Posted by fanoflq
There is no option for logon name as far as i could see in man bash.
|
I did not say that there was. I meant that you could find more about the use and setting of the PS1 variable, options, and effects on the man page for your shell. The commands I provided will provide the name string you need, and that may be embedded in the prompt to the prompt effect you desired. In fact you can use almost any arbitrary string or command result in the prompt if you can only delimit it properly. That can result in great fun, or confusion, or both.
Confusion seems pertinent to this conversation.
|
|
|
03-11-2017, 02:51 PM
|
#25
|
Member
Registered: Nov 2015
Posts: 397
Original Poster
Rep:
|
TxLonghorn:
Your post is not making sense if you follow my posts
on why I was unable to change user id for user1 from 0 to 1000.
|
|
|
03-11-2017, 05:24 PM
|
#26
|
LQ Guru
Registered: Sep 2013
Location: Somewhere in my head.
Distribution: Slackware (15 current), Slack15, Ubuntu studio, MX Linux, FreeBSD 13.1, WIn10
Posts: 10,342
|
enabling user with ROOT privileges WITHOUT using sudo
the easiest way to do it without a lot of fiddling around, just give him or her the root user password.
|
|
|
03-11-2017, 06:24 PM
|
#27
|
LQ Veteran
Registered: May 2008
Posts: 7,053
|
Like others I'm still very unclear about what the OP is trying to achieve, but one approach I use with my scripts is to get them to reinvoke themselves with sudo like this:
Code:
#!/bin/bash -p
########################################################################
# Sanitise the environment:
PATH="/bin:/sbin:/usr/bin:/usr/sbin"
unset IFS TAR_OPTIONS GREP_OPTIONS
umask 0022
########################################################################
# Reinvoke this script as root:
# Note:
# checking for $SUDO_UID will mean that the script will reinvoke
# itself even when run by the superuser directly. This is both
# intentional and necessary as we use $SUDO_UID later.
if [ "$EUID" != '0' ] || [ -z "$SUDO_UID" ]; then
    exec sudo -u root -- "$(readlink -e "$0")" "$@"
    exit 1
fi
########################################################################
Which means I don't have to remember to run it via sudo.
This example is from a wrapper script I've written around Slackware's makepkg command so that I can build packages from a non-root user. It goes with a sudoers rule:
Code:
# Allow member of group 'build' a.k.a. "Software packagers"
# to run buildpkg
%build ALL=(root) NOPASSWD: /usr/local/bin/buildpkg
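An added example, not part of the post above: a sudoers audit that separates the all-or-nothing rule quoted earlier in the thread (`user1 ALL= NOPASSWD: ALL`) from a command-scoped rule like the buildpkg one. The fragment is constructed, the function name and verdict labels are hypothetical, and the parser assumes single-line rules without aliases, continuations or includes.

```shell
#!/bin/sh
# Constructed sudoers fragment: the two rules quoted in the thread plus
# a typical root entry for comparison.
SAMPLE_SUDOERS='# sample
Defaults env_reset
root ALL=(ALL) ALL
user1 ALL= NOPASSWD: ALL
%build ALL=(root) NOPASSWD: /usr/local/bin/buildpkg'

# Classify each single-line user specification read from stdin.
# Output: "<who> <verdict>" where verdict is one of
#   unrestricted-nopasswd  any command, no password
#   unrestricted           any command, password required
#   scoped-nopasswd        listed commands only, no password
#   scoped                 listed commands only, password required
# Simplification: aliases, line continuations and includes are skipped.
classify_sudoers() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]*Defaults/ || /_Alias/ { next }
        {
            who = $1
            spec = $0
            sub(/^[^=]*=[ \t]*/, "", spec)     # drop "who host="
            sub(/^\([^)]*\)[ \t]*/, "", spec)  # drop "(runas)"
            nopass = (spec ~ /NOPASSWD:/)
            gsub(/[A-Z_]+:[ \t]*/, "", spec)   # drop tags such as NOPASSWD:
            sub(/[ \t]+$/, "", spec)           # drop trailing blanks
            n = split(spec, cmds, /[ \t]*,[ \t]*/)
            any = 0
            for (i = 1; i <= n; i++) if (cmds[i] == "ALL") any = 1
            verdict = any ? "unrestricted" : "scoped"
            if (nopass) verdict = verdict "-nopasswd"
            print who, verdict
        }'
}

printf '%s\n' "$SAMPLE_SUDOERS" | classify_sudoers
```

Rules reported as unrestricted-nopasswd are the ones to replace with a scoped entry naming the exact command path.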
|
|
|
All times are GMT -5. The time now is 02:19 AM.