Linux' administrative control

Where Penguins and Daemons chill together in the warmth of the Sun.

Moderators: SecretSquirrel, notfred

Linux' administrative control

Posted on Tue Oct 23, 2007 2:39 am

So a lot of people are complaining about UAC in Vista, so I thought I'd give my 2 cents about Linux' implementation of administrative security (at least via Ubuntu).

It is really annoying not to be able to do things as non-root that I should be able to. For example, when I log into my server via ssh/WinSCP, I log in as the user I created. However, via that method, there is no way to get root access to files in the graphical file shell (or whatever you want to call it). I was trying to restore some files from the backup but I couldn't since I wasn't root. There was nothing I could do about it, except to log off, and then ssh in as root. That's rather annoying.

Also, once you open a program, there is no way to upgrade its status. For example, if I go to edit a config file, and spend a good amount of time changing stuff, once I go to save I find out that I had forgotten to 'sudo pico' and well all my stuff is lost. Quite annoying.

Having to put in a password is annoying too. Especially if you consider that one should have a password that isn't something simple for security reasons. When I log in and immediately go to run my update script, why should I have to put my password in again? I just used it to log in 2 seconds ago.

So yeah, just some thoughts.

PS, GNOME still doesn't work right with buttons. You have to mouse-off then mouse-over before they become activated. Not very clever.
Usacomp2k3
Gerbil God
 
Posts: 21323
Joined: Thu Apr 01, 2004 4:53 pm
Location: Orlando, FL

Re: Linux' administrative control

Posted on Tue Oct 23, 2007 2:45 am

Usacomp2k3 wrote: Also, once you open a program, there is no way to upgrade its status. For example, if I go to edit a config file, and spend a good amount of time changing stuff, once I go to save I find out that I had forgotten to 'sudo pico' and well all my stuff is lost. Quite annoying.

Having to put in a password is annoying too. Especially if you consider that one should have a password that isn't something simple for security reasons. When I log in and immediately go to run my update script, why should I have to put my password in again? I just used it to log in 2 seconds ago.


x2

But I do imagine, if Ubuntu had a less secure system, it might be more open to be infected and so forth. Can you think of a good alternative to the password issue that would prevent improper programs or intruders (as unlikely as it is) from being able to do root functions?
Looking for Knowledge wrote:When drunk.....
I want to have sex, but find I am more likely to be shot down than when I am sober.
Heiwashin
Grand Gerbil Poohbah
 
Posts: 3027
Joined: Wed Dec 13, 2006 1:21 pm
Location: Denham Springs, LA

Posted on Tue Oct 23, 2007 5:33 am

I actually think it is smart of Ubuntu to do that.

If you are editing a file as non-root in ANY Linux distro then you run into the problems of permissions when saving. Just save it to somewhere in your home directory and then sudo copy it over. If you really want root control, then just activate the root account and run as root. Or set your username to a UID of 0.

Or you can read and learn here

http://64.233.169.104/search?q=cache:nU ... =firefox-a

Also, I don't think you can actually change the UID of a current process in Windows, am I right? There are ways to do it in Linux, just read above.
The world is indeed full of peril. But there is much that is fair. And though in all lands love is mingled with grief, it grows the greater. J. R. R. Tolkien
tesmar
Graphmaster Gerbil
 
Posts: 1075
Joined: Thu Oct 13, 2005 10:18 pm

Re: Linux' administrative control

Posted on Tue Oct 23, 2007 6:13 am

First, note that you CAN get graphical root access to files as a regular user by opening a terminal and running "sudo nautilus".

The thing about Linux is it is designed to be a multi-user operating system by default. There is a clear separation between the things a regular user is allowed to do and the things the administrator is allowed to do. I understand it can be annoying in the single-user case, but if you are concerned about using a strong password, you should be pleased to have a strong user model.

The thing is, with Ubuntu, if I want to add some packages I enter my password once to allow synaptic to run. Then it can do whatever I want. Under Vista, UAC would prompt me to "Cancel or Allow" once for every package I wanted to install. That's what's annoying about it -- not that it prompts you, but that it prompts inappropriately even after you've "allowed" the app already. If you're already frustrated from troubleshooting a problem, this behaviour is maddening. In Linux you can switch to root and the computer will do exactly what you damn well tell it to do. :wink:

Usacomp2k3 wrote: PS, GNOME still doesn't work right with buttons. You have to mouse-off then mouse-over before they become activated. Not very clever.

This is a GTK bug (I believe) which has been around for years. It's ridiculous that it hasn't been fixed.
Swampangel
Gerbil Team Leader
 
Posts: 287
Joined: Sun Aug 31, 2003 10:54 am
Location: Nova Scotia, Canada

Re: Linux' administrative control

Posted on Tue Oct 23, 2007 7:14 am

Usacomp2k3 wrote:It is really annoying not to be able to do things as non-root that I should be able to. For example, when I log into my server via ssh/WinSCP, I log in as the user I created. However, via that method, there is no way to get root access to files in the graphical file shell (or whatever you want to call it). I was trying to restore some files from the backup but I couldn't since I wasn't root. There was nothing I could do about it, except to log off, and then ssh in as root. That's rather annoying.


Sure you can. You can either use sudo to execute the graphical window as someone above mentioned, or you could research X11 forwarding. Maybe it's called X11 forwarding over SSH. Either way, I've done this many times.

A lot of people make the mistake, when su-ing to root, of forgetting the '-'. So don't do this:

sudo su


instead, do this:

sudo su -


Usacomp2k3 wrote: Also, once you open a program, there is no way to upgrade its status. For example, if I go to edit a config file, and spend a good amount of time changing stuff, once I go to save I find out that I had forgotten to 'sudo pico' and well all my stuff is lost. Quite annoying.


You're right, you can't update a running process. I get around this by saving a copy of the file to my home directory and then doing a sudo cp or sudo mv of my copy to the config location. But this is a whole lot better than allowing your dumb <insert> to edit your /etc/passwd file so it's unreadable.

Usacomp2k3 wrote: Having to put in a password is annoying too. Especially if you consider that one should have a password that isn't something simple for security reasons. When I log in and immediately go to run my update script, why should I have to put my password in again? I just used it to log in 2 seconds ago.


sudo does have a timeout that maybe Ubuntu has set really low? Now it won't fix your "I just logged in" issue, but after running one sudo command, you should have a couple minutes (I believe the default is 2) where you can run another sudo command without entering your password.

Usacomp2k3 wrote:So yeah, just some thoughts.


They're really good thoughts too. I've pointed out some of the work-arounds, but it would have been much better if the way to go about these were so intuitive that you didn't have to post them to a message board in order to get answers. For some of the issues there aren't workarounds. That is mainly because there is a slight difference in architecture between Windows and Unix, such that some issues are really a matter of culture and the culture is not willing to sacrifice itself for ease of use.
Corith
Gerbil
 
Posts: 69
Joined: Fri Feb 09, 2007 11:32 am

Re: Linux' administrative control

Posted on Tue Oct 23, 2007 9:18 am

Corith wrote:
You're right, you can't update a running process. I get around this by saving a copy of the file to my home directory and then doing a sudo cp or sudo mv of my copy to the config location. But this is a whole lot better than allowing your dumb <insert> to edit your /etc/passwd file so it's unreadable.




You can update a running process, just note my above post.
tesmar
Graphmaster Gerbil
 
Posts: 1075
Joined: Thu Oct 13, 2005 10:18 pm

Posted on Tue Oct 23, 2007 12:21 pm

Wouldn't saving the file to your home directory then change the file's user/group?
Usacomp2k3
Gerbil God
 
Posts: 21323
Joined: Thu Apr 01, 2004 4:53 pm
Location: Orlando, FL

Posted on Tue Oct 23, 2007 12:24 pm

Usacomp2k3 wrote: Wouldn't saving the file to your home directory then change the file's user/group?
No. Location doesn't change user/group - that's controlled by who saves it.

Creating a new file in your home directory based on a config file will obviously be owned by you and not root, but that has little to do with where you save it (as long as you have permission to write there of course).
...
mattsteg
Gerbil God
 
Posts: 15761
Joined: Thu Dec 27, 2001 7:00 pm
Location: Applauding the new/old variable width forums

Posted on Tue Oct 23, 2007 12:31 pm

mattsteg wrote:
Usacomp2k3 wrote: Wouldn't saving the file to your home directory then change the file's user/group?
No. Location doesn't change user/group - that's controlled by who saves it.

Creating a new file in your home directory based on a config file will obviously be owned by you and not root, but that has little to do with where you save it (as long as you have permission to write there of course).

I understand about location not meaning so let me rephrase the question:
"Wouldn't saving the file after forgetting to sudo it then reset the user/group?"
Usacomp2k3
Gerbil God
 
Posts: 21323
Joined: Thu Apr 01, 2004 4:53 pm
Location: Orlando, FL

Posted on Tue Oct 23, 2007 12:53 pm

You are going to end up with the config file saved in your home directory with your user,group,permissions on it. You will need to make sure those are set properly when you copy it over.

Most editors report when the file you are opening is read-only, that's how I notice that I forgot to sudo.
notfred
Grand Gerbil Poohbah
 
Posts: 3775
Joined: Tue Aug 10, 2004 10:10 am
Location: Ottawa, Canada
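
The save-a-copy-then-copy-over workaround from Corith's and notfred's posts, as an added example that is not part of the original thread: it replaces the config file's contents while taking owner, group and mode from the existing target instead of from the copy in the home directory. The function name `install_edited` is hypothetical, and GNU coreutils (`chown --reference`, `chmod --reference`, `mktemp`) is assumed.

```shell
#!/bin/sh
# Added example (not from the thread); install_edited is a hypothetical helper.
# Usage: install_edited EDITED_COPY EXISTING_TARGET
# Assumes GNU coreutils for --reference and mktemp templates.
install_edited() {
    edited=$1
    target=$2
    if [ ! -f "$edited" ] || [ ! -f "$target" ]; then
        echo "usage: install_edited EDITED_COPY EXISTING_TARGET" >&2
        return 2
    fi
    dir=$(dirname -- "$target")
    # mktemp creates the file with mode 0600 inside the target's directory,
    # so the new contents are not readable by other users while in transit
    # and the final mv is a rename on the same filesystem.
    tmp=$(mktemp "$dir/.install_edited.XXXXXX") || return 1
    # Copy only the contents, then take owner, group and mode from the
    # existing target rather than from the copy made in the home directory.
    # chown runs before chmod because chown can clear setuid/setgid bits.
    if cat -- "$edited" > "$tmp" &&
       chown --reference="$target" -- "$tmp" &&
       chmod --reference="$target" -- "$tmp" &&
       mv -f -- "$tmp" "$target"
    then
        return 0
    fi
    # Any failed step leaves the original target untouched.
    rm -f -- "$tmp"
    return 1
}
```

For a root-owned file the function has to be defined and called in a shell that is already running as root, since sudo cannot invoke a shell function directly.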

Posted on Tue Oct 23, 2007 12:59 pm

notfred wrote:You are going to end up with the config file saved in your home directory with your user,group,permissions on it. You will need to make sure those are set properly when you copy it over.

Most editors report when the file you are opening is read-only, that's how I notice that I forgot to sudo.

It's still not very elegant.

I guess it's mostly a brain-shifty. I'm used to Windows graying out things when it's read-only or just not letting you edit.

Having to save somewhere else and then do a chmod is kind of a pain. Tesmar's link, while effective, isn't exactly simple or something I'm probably going to spend time trying to figure out.
Usacomp2k3
Gerbil God
 
Posts: 21323
Joined: Thu Apr 01, 2004 4:53 pm
Location: Orlando, FL

Posted on Tue Oct 23, 2007 1:18 pm

Usacomp2k3 wrote:
notfred wrote:You are going to end up with the config file saved in your home directory with your user,group,permissions on it. You will need to make sure those are set properly when you copy it over.

Most editors report when the file you are opening is read-only, that's how I notice that I forgot to sudo.

It's still not very elegant.

I guess it's mostly a brain-shifty. I'm used to Windows graying out things when it's read-only or just not letting you edit.

Having to save somewhere else and then do a chmod is kind of a pain. Tesmar's link, while effective, isn't exactly simple or something I'm probably going to spend time trying to figure out.



If I have time I can work on a little prog that will let you put in the current process and then enter the UID you want to switch it to. Are you running X86 or X64?
tesmar
Graphmaster Gerbil
 
Posts: 1075
Joined: Thu Oct 13, 2005 10:18 pm

Posted on Tue Oct 23, 2007 1:31 pm

Usacomp2k3 wrote:Tesmar's link, while effective, isn't exactly simple or something I'm probably going to spend time trying to figure out.

That's really not going to help you... that link shows how a process can change its own uid/euid using very standard syscalls. You can't externally change the UID of a running process in Linux without adding special kernel support. The (probably unmaintained) kchuid kernel module attempts to add this functionality.

The editor itself could support changing the uid, but that's about it in most Unix-like OSs.
bitvector
Grand Gerbil Poohbah
 
Posts: 3234
Joined: Wed Jun 22, 2005 4:39 pm
Location: Mountain View, CA

Posted on Tue Oct 23, 2007 1:32 pm

tesmar wrote:
Usacomp2k3 wrote:
notfred wrote:You are going to end up with the config file saved in your home directory with your user,group,permissions on it. You will need to make sure those are set properly when you copy it over.

Most editors report when the file you are opening is read-only, that's how I notice that I forgot to sudo.

It's still not very elegant.

I guess it's mostly a brain-shifty. I'm used to Windows graying out things when it's read-only or just not letting you edit.

Having to save somewhere else and then do a chmod is kind of a pain. Tesmar's link, while effective, isn't exactly simple or something I'm probably going to spend time trying to figure out.



If I have time I can work on a little prog that will let you put in the current process and then enter the UID you want to switch it to. Are you running X86 or X64?

Don't do something like that just for my sake. Since I don't really do anything but admin stuff on the machine, 'sudo nautilus' is easy enough to remember. If it were my full-time OS, then maybe, but I'm not anywhere close to that. It is on my Athlon XP 2400, so x86.
Usacomp2k3
Gerbil God
 
Posts: 21323
Joined: Thu Apr 01, 2004 4:53 pm
Location: Orlando, FL

Posted on Tue Oct 23, 2007 2:15 pm

bitvector wrote:
Usacomp2k3 wrote:Tesmar's link, while effective, isn't exactly simple or something I'm probably going to spend time trying to figure out.

That's really not going to help you... that link shows how a process can change its own uid/euid using very standard syscalls. You can't externally change the UID of a running process in Linux without adding special kernel support. The (probably unmaintained) kchuid kernel module attempts to add this functionality.

The editor itself could support changing the uid, but that's about it in most Unix-like OSs.


You will need to make a new kernel module to do that. The program you listed is def out of date, and prob needs a 2.6 refresh. This is what I would do, if I had time.
tesmar
Graphmaster Gerbil
 
Posts: 1075
Joined: Thu Oct 13, 2005 10:18 pm

