LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 11-15-2010, 02:56 PM   #1
oalette
LQ Newbie
 
Registered: Nov 2010
Posts: 11

Rep: Reputation: 0
User permissions problem


At my work, we have mini EeePc Laptops running xubuntu which are given out to students which allow them to do work in class, and recently i got back one which a user had put a password on, restricting access. =[

Of course i just re-imaged it and it worked perfectly, but thinking about it i didn't want more of these showing up, so i disabled the passwd command by typing 'chmod go-rx /usr/bin/passwd' which worked to my liking. =]

Doing this doesn't really limit the user, as they can go 'sudo passwd' and change my root password, which they could then go 'chmod go+rw /usr/bin/passwd' and mess with the computer, which isn't difficult to find online instructions to do so.

My problem is, i disabled sudo the same way (chmod go-rx) but being the user, i can't manage wireless connections and i can't shutdown, which can be a huge problem. doing (chmod go+rx) fixes this, but then they have sudo again!

does anyone know anyways around this, i would be very grateful if there is a way!

oalette
 
Old 11-15-2010, 03:07 PM   #2
AlucardZero
Senior Member
 
Registered: May 2006
Location: USA
Distribution: Debian
Posts: 4,824

Rep: Reputation: 613Reputation: 613Reputation: 613Reputation: 613Reputation: 613Reputation: 613
Take away their sudo access? Enter "visudo" and remove their lines.
 
Old 11-15-2010, 03:17 PM   #3
Dark_Helmet
Senior Member
 
Registered: Jan 2003
Posts: 2,786

Rep: Reputation: 373Reputation: 373Reputation: 373Reputation: 373
You should remove the ability to run sudo passwd from the user that the students operate under.

You do this by modifying the sudoers file. You edit the file by invoking sudo visudo. You can read about the contents of the file with man sudoers. You can use an exclamation mark to deny permission to execute specific commands.

Understand that if you are letting the users run as an administrative user (i.e. the user you created during initial install), they can just sudo visudo and change it back. If they are running as an administrative account, there is nothing you can do that they can't undo if they know what you did.

You need to configure the machines to run as a non-root, non-administrative user. Once this is done, give the students the password to the "guest" or "student" account. Then, for maintenance, log in under the account you created on the install.

EDIT: Beaten to the punch by AlucardZero...
 
Old 11-15-2010, 03:35 PM   #4
oalette
LQ Newbie
 
Registered: Nov 2010
Posts: 11

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by AlucardZero View Post
Take away their sudo access? Enter "visudo" and remove their lines.
i can do that and it restricts their access fully, but i am unable to even open up the wireless connections page which also means that the connection will not automatically start. =[

is there anyway to use groups to get round this?

oalette
 
Old 11-15-2010, 03:40 PM   #5
oalette
LQ Newbie
 
Registered: Nov 2010
Posts: 11

Original Poster
Rep: Reputation: 0
Thanks for the answer Dark Helmet, ill have to look into doing a full reinstall. if the install works with a new user which isn't the one i set it up with, then i'll have to deploy across 100 notebooks :S if all else fails i can just block passwd and hope they're not linux geeks ^^

cheers

oalette
 
Old 11-15-2010, 04:06 PM   #6
Dark_Helmet
Senior Member
 
Registered: Jan 2003
Posts: 2,786

Rep: Reputation: 373Reputation: 373Reputation: 373Reputation: 373
Keep in mind that if you set up your system to be a multi-user system (e.g. "admin" for you, and "student" for the students), that a mischievous student can still cause grief: they can change the "student" password.

In that case though, you simply log in as admin, and change the password back (rather than re-imaging the entire system).

There are ways around that problem though. Cron jobs, logoff scripts, making the password files read-only, etc.
 
Old 11-16-2010, 09:02 AM   #7
oalette
LQ Newbie
 
Registered: Nov 2010
Posts: 11

Original Poster
Rep: Reputation: 0
I solved it all by just going chmod a-rx /usr(or etc)/bin/passwd which is what stopped them from changing their own password, and it stops them from changing the root password with sudo (sudo passwd), which is what i needed in the first place

Now, im going to just block things like chmod, firefox, dpkg, and most of the fucntions becuase they only need Rm Connect

cheers for the help from both of you

Oalette.
 
Old 11-16-2010, 02:33 PM   #8
devnull10
Member
 
Registered: Jan 2010
Location: Lancashire
Distribution: Slackware Stable
Posts: 553

Rep: Reputation: 116Reputation: 116
^^ I'd really suggest not doing it this way - chmod'ing key system utils really isn't the way to go. The correct way though is of course to restrict their sudo access. If you have given them full access (and it sounds like you have) then they can do pretty much as much damage as they want on the machine.
Lock it down - set yourself/admins up as being able to sudo and nobody else.

Last edited by devnull10; 11-16-2010 at 02:34 PM.
 
Old 11-16-2010, 02:50 PM   #9
oalette
LQ Newbie
 
Registered: Nov 2010
Posts: 11

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by devnull10 View Post
Lock it down - set yourself/admins up as being able to sudo and nobody else.
if i may ask, how would i be able to do this? making a group and assinging sudo to this group?

if so how?


Oalette.
 
Old 11-16-2010, 03:57 PM   #10
Dark_Helmet
Senior Member
 
Registered: Jan 2003
Posts: 2,786

Rep: Reputation: 373Reputation: 373Reputation: 373Reputation: 373
@devnull10:
If I understand what the OP has said, the problem comes from the fact that there are only two user accounts on the system:
1. root (which is not used)
2. the user created during the install process (which is used by everyone)

I say that because:
Quote:
Originally Posted by oalette
My problem is, i disabled sudo the same way (chmod go-rx) but being the user, i can't manage wireless connections and i can't shutdown, which can be a huge problem. doing (chmod go+rx) fixes this, but then they have sudo again!
That quote, combined with the knowledge that *buntu systems assign the install-user to the admin group--which gives unrestricted sudo access--leads me to the two-user conclusion. If the students were not using an account in the admin group, they would not have privileges to execute sudo. And if the OP added that user to the sudoers file, then the OP should be familiar with how to lock them down.



@oalette:
That is why I suggested creating a new user. A user created after the initial install will not be added to the admin group. A user that is not in the admin group cannot execute sudo unless you explicitly give them permission.

You can configure sudo to give a user permission to execute a specific set of commands with sudo. For instance, you could allow a user to execute "sudo mount" or "sudo shutdown" or both. You would do that only if there was a need for it.

You need to read the man page for the sudoers file: man sudoers. To modify the sudoers file, you need to run sudo visudo. Once things are configured the way you want, then have the students login with the non-admin account.

As it is now, if they are using an admin account, there is nothing you can do that they cannot undo. Making the passwd file read-only? They can sudo chmod it back. Until you split the system so that the students use a non-admin account, you will be chasing your tail security-wise.

Last edited by Dark_Helmet; 11-16-2010 at 04:52 PM.
 
Old 11-16-2010, 06:21 PM   #11
devnull10
Member
 
Registered: Jan 2010
Location: Lancashire
Distribution: Slackware Stable
Posts: 553

Rep: Reputation: 116Reputation: 116
Ah sorry, I wasn't aware that there were only two accounts. One idea then may be to re-enable the root account and use that for configuration (I know people will argue against this but if the OP is forced to only have two accounts then you can't really have that account having sudo access). Ideally you would create yourself as a user as well with sudo rights and the original "student" account with no sudo rights.

Can you confirm your setup and what you can and cannot do (in terms of adding new users etc).


Remember that someone with sudo access could easily execute "sudo rm -rf /"...
 
Old 11-17-2010, 06:35 AM   #12
impert
Member
 
Registered: Feb 2009
Posts: 282

Rep: Reputation: 54
In fact, what's to stop one of the kids from putting a bootable USB or live CD into one of these machines, installing whatever OS he/she wants, with or without a new password, and getting it to run naughty videos (for instance) on booting up? That's what I'd do if I were thirteen.
But perhaps the BIOS is locked?
 
Old 11-17-2010, 07:23 AM   #13
devnull10
Member
 
Registered: Jan 2010
Location: Lancashire
Distribution: Slackware Stable
Posts: 553

Rep: Reputation: 116Reputation: 116
Any system which is supposed to be locked-down should always have the bios locked.
 
Old 11-19-2010, 02:37 PM   #14
oalette
LQ Newbie
 
Registered: Nov 2010
Posts: 11

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by impert View Post
In fact, what's to stop one of the kids from putting a bootable USB or live CD into one of these machines, installing whatever OS he/she wants, with or without a new password, and getting it to run naughty videos (for instance) on booting up? That's what I'd do if I were thirteen.
But perhaps the BIOS is locked?
Sorry for the slow reply, but ive been busy with server work recently :P
They would only be able to boot from usb, as these laptops do not have dvd drives.

Bios wasn't locked as the other technician who set up the laptops before me didn't do this.
i've managed to do the majority of the laptops, but seeing as i support the school single handed my time is valuable.

I might go by just doing a full re-install and creating a seperate user from the one installing, which people have recommended here.

If i can't get it to work the way i want it, it's not the end of the world, it's just that it would save me the time for re-imaging.

Thanks for all the help you have all given me!

Oalette.
 
Old 11-19-2010, 02:48 PM   #15
impert
Member
 
Registered: Feb 2009
Posts: 282

Rep: Reputation: 54
Quote:
i've managed to do the majority of the laptops, but seeing as i support the school single handed my time is valuable.

I might go by just doing a full re-install and creating a seperate user from the one installing, which people have recommended here.
It sounds as though you're doing them one-by-one. It should be possible to take one of them, get it right, and then clone the installation to all the others. I'm no expert on this -or anything else - but someone here can tell you, I'm sure.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] filesystem permissions question - making so user can't change permissions? c0pe Linux - Security 4 07-12-2010 10:06 AM
mounting cifs as user - permissions problem with SUID bit dh4 Linux - Networking 1 01-11-2010 03:31 PM
how to automount usb drives with user owner and user r/w permissions mike11 Linux - Newbie 1 11-19-2009 03:59 PM
Giving user 'www-data' same permissions as normal user MikeOfAustin Linux - Software 5 06-08-2007 03:50 AM
sound as user permissions problem farpoint Debian 5 07-03-2005 07:53 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 02:55 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration