[SOLVED] Understanding sudo

battles · 05-14-2014, 05:43 AM

I told someone specifically to not execute a program while in a user other than /root. So he does it anyway,

which led to an ownership problem. My understanding of sudo is that when you do a sudo to anything outside of /root, that the command is actually executed as if you were actually in /root and not executed as though you were in the current non-root user. Is that correct?

pan64 · 05-14-2014, 06:01 AM

you mixed two things: /root is a directory, the home directory of the user root. The user root has special privileges, but it is not related to any directory (home or not home).
the command sudo will allow you to act as another user (see man page: http://linux.die.net/man/8/sudo) - can be configured, usually it is used to execute commands which require root privileges. It is not relevant if you were currently in the /root directory or not.

would be nice to describe your ownership problem better...

battles · 05-14-2014, 06:08 AM

What happened is: he was in user bill. User bill has root privileges (visudo entry). He was told not to start a program that was installed in user bill with sudo prepended. He couldn't get the program to start by just using its name (he wasn't in the correct directory), so he used 'sudo progeamname'. Ther program again didn't start, but /root took ownership of the path to the program. That is what I think happened, anyway.

jamison20000e · 05-14-2014, 06:22 AM

su ("super" - "user") to stay root user in a terminal or sudo -s ("su" - "do"

) [QUOTE=battles;5170606] could have looks at chown

battles · 05-14-2014, 06:31 AM

This definition:
Definition: sudo: Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root...

seems to imply that if a user is given root privileges, when he executes a 'sudo whatever', that it is as if he were actually in the /root user's account executing the 'sudo whatever' command, although he is actually in user bill. Am I understanding this correctly? That is the way if was explained to me.

jamison20000e · 05-14-2014, 06:41 AM

Like pan64 said /root means a directory (usually not much in root's home folder i.e: /root) and root as a user owns, for the most part, all of / (the root (like a tree) or bottom directory (jargon

pun intended) but yes sudo can do as much damage as the user root...

:Edits.

battles · 05-14-2014, 06:45 AM

Can a user be allowed sudo privileges to install a program, but prevented privileges to executing any programs with the sudo command?

jamison20000e · 05-14-2014, 06:53 AM

Probably, I'm no guru on that there may be better users or groups suited?
http://www.sudo.ws/pipermail/sudo-us...ry/004312.html
http://answers.oreilly.com/topic/432...ons-with-sudo/
http://ubuntuforums.org/showthread.php?t=1132821
http://www.techrepublic.com/article/...h-sudo-part-1/

battles · 05-14-2014, 06:55 AM

Thanks all. I'll get my head around this sudo thing eventually.

pan64 · 05-14-2014, 07:05 AM

please read the DESCRIPTION part of the man page of sudo:

Quote:

sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The real
and effective uid and gid are set to match those of the target user, as specified in the password database, and the group vector is
initialized based on the group database (unless the -P option was specified).

sudo supports a plugin architecture for security policies and input/output logging. Third parties can develop and distribute their
own policy and I/O logging modules to work seemlessly with the sudo front end. The default security policy is sudoers, which is
configured via the file /etc/sudoers, or via LDAP. See the PLUGINS section for more information.

The security policy determines what privileges, if any, a user has to run sudo. The policy may require that users authenticate
themselves with a password or another authentication mechanism. If authentication is required, sudo will exit if the user's password
is not entered within a configurable time limit. This limit is policy-specific; the default password prompt timeout for the sudoers
security policy is unlimited.

Security policies may support credential caching to allow the user to run sudo again for a period of time without requiring
authentication. The sudoers policy caches credentials for 15 minutes, unless overridden in sudoers(5). By running sudo with the -v
option, a user can update the cached credentials without running a command.

When invoked as sudoedit, the -e option (described below), is implied.

Security policies may log successful and failed attempts to use sudo. If an I/O plugin is configured, the running command's input
and output may be logged as well.

Definition: sudo: Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root (or as anyone else).
This does not mean they can execute sudo whatever but what was allowed and nothing else.

battles · 05-14-2014, 07:40 AM

I guess my final question is:
If bill is logged into user bill, and bill has been give root privileges, then when he executes a sudo progranname, does the execution of sudo progranname execute the program just as though he were doing so from the user root? Maybe that isn't making any sense.

pan64 · 05-14-2014, 07:43 AM

that is the goal of sudo
the user bill entered: sudo programname and programname will be executed as root (instead of bill)

battles · 05-14-2014, 07:51 AM

That is excellent, just what I need to know. That is why when the user executed the program using the prepended (prepended - not an actual word, but it should be) sudo caused him to not be able to execute the program from bill, because root took ownership of the program. It wasn't until after I did a chown that he was able to execute it. What I am trying to find now is if there is some way to give bill sudo privileges to install a sudo program from bill, but not execute a sudo program from bill. He should only be able to dimply execute program from bill.

Thanks!!!

pan64 · 05-14-2014, 08:02 AM

You still missed some points: root did not take ownership of the program but the execution of it. By default users do not own the programs just execute them (as themselves). So bill will execute all the programs (owned by anyone) he started as bill (himself).
for example: ls is a program, you can find it in /bin and touch is another program/

Code:

pan@/tmp$ ls -l /bin/touch /bin/ls
-rwxr-xr-x 1 root root 105840 Nov 19  2012 /bin/ls
-rwxr-xr-x 1 root root  60112 Nov 19  2012 /bin/touch
here you can see that the owner of both apps is root.
But anyone (bill, you and me) allowed to use it as myself.
pan@/tmp$ touch /tmp/aaa
pan@/tmp$ sudo touch /tmp/bbb
pan@/tmp$ ls -l /tmp/aaa /tmp/bbb
-rw-r--r-- 1 pan     pan       0 May 14 14:59 /tmp/aaa
-rw-r--r-- 1 root    root      0 May 14 15:00 /tmp/bbb
as you see /tmp/aaa owned by me and /tmp/bbb is owned by root

battles · 05-14-2014, 08:12 AM

"You still missed some points" – I resent (actually resemble) that remark!

Thanks.