Showing posts with label sudo. Show all posts

kdesu, su and sudo

Recently I upgraded to SUSE 10.2. The first thing I did after the install was configure sudo. I find it handy when doing operations requiring root privileges. But I always faced problems running GUI applications which need to connect back to the X server. For example, sudo /sbin/yast2 would always revert to the text-based yast in SUSE, and others would give up with an error. After I had done my installation I tried running yast (this time clicking on a link in the launch bar). It showed me the routine pop-up asking for the root password. And to my surprise, the root password wouldn't work. So I typed in my password and Bingo! It worked! Now I was puzzled why it would not accept the root password (despite asking me for the root password) and would succeed using my password.

So I looked up the link launching yast. I found out that the application which asked for the root password in GUI mode was kdesu, and the command looked like kdesu /sbin/yast2. After reading the brief documentation of kdesu, I learned that kdesu is the KDE equivalent of su. But then why would it not take my root password and still accept my password? Then I realized that I had configured my sudo with the targetpw attribute disabled. This will ask me for my password instead of the root password to get root privileges. So out of curiosity I ran the command kdesu /sbin/yast2 again, and did pstree. The tree showed that kdesu spawned sudo (and not su). This clarified why my password was accepted and not the root password.

kdesu is very handy for running KDE / GUI applications. You can also run applications as some other user (as in sudo) with the -u switch. Say you want to run konqueror as user bozzo: you can run kdesu -u bozzo konqueror from the Run Command dialog (pressing Alt + F2).

Super User Do! (sudo)

sudo (Super User do) is an excellent and yet extremely simple utility.
sudo lets an ordinary user execute commands as the super user (root).
Any user can execute a privileged program using the sudo command.
sudo will ask for that user's password before executing any command.
(Note that it doesn't ask you for the root password.) sudo can be configured
to gain finer control over who can execute what. People can be restricted
from executing certain commands such as halt, reboot etc. Yet they can
execute other commands without providing the root password.

sudo configuration can also be stored in LDAP. This allows finer control
over a distributed set of machines. All machines can read the configuration
from an LDAP server, which centralizes the configuration and management of
sudo for multiple machines.

Ubuntu comes with sudo preconfigured. Ubuntu has a null root password,
that is, no one can log into the root account directly. The first user who
registers on the Ubuntu box is given all privileges through sudo on that
machine. If the privileged person wants to log in as root he can do so using
the command

sudo su

The most important feature of sudo is that it enables logging. sudo logs
the commands you execute along with the user name. And this is what many
people use it for.

This sounds like a very good approach in terms of security, but I don't totally
agree with it. Say there are 3 users who have got full privileges with sudo.
All of them can execute any command by providing their own password
to sudo. This means that we now have nearly 3 root equivalent accounts
and 3 root equivalent passwords to protect! Also the configuration is
rather trickier. When I configured sudo I started with the exclusion principle.
Users were disallowed from executing certain programs; the rest of the programs
could be executed by users. This is really dangerous, as the programs which
you are allowing are a virtually infinite set, so it's always better to use the
inclusion principle here. Only allow certain programs to be executed as root.
Maybe the rest of the programs can be allowed to run as some less privileged
user or the same user (as pointed out by Milan :D).
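
The exclusion and inclusion principles described above, as an added example that is not part of the original post: a small Python check that classifies simplified one-line sudoers rules by style and reports whose password sudo will ask for (the targetpw setting from the kdesu post). The sample rules, user names and function names are constructed for illustration, and the parser assumes plain single-line rules without aliases or line continuations.

```python
import re

# Constructed sample sudoers content (illustrative, not from the post).
SAMPLE = """\
Defaults !targetpw
# exclusion principle: everything except a few commands
alice ALL = (root) ALL, !/bin/su, !/usr/bin/passwd root
# inclusion principle: only the listed commands
bob   ALL = (root) NOPASSWD: /sbin/halt, /sbin/reboot
carol ALL = (ALL) ALL
"""

NON_RULE = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")
RULE = re.compile(r"(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")

def classify(line):
    """Return (user, style) for a simple one-line user rule, else None."""
    line = line.split("#", 1)[0].strip()   # assumption: '#' only starts comments
    m = RULE.match(line)
    if not m or line.startswith(NON_RULE):
        return None
    # Drop tags such as NOPASSWD: so only the command specs remain.
    cmds = [re.sub(r"^(?:[A-Z]+:\s*)+", "", c.strip()) for c in m.group(2).split(",")]
    denied = [c for c in cmds if c.startswith("!")]
    if "ALL" not in cmds:
        return m.group(1), "inclusion"     # explicit allow list
    # ALL with negations is the exclusion principle; bare ALL is full root.
    return m.group(1), "exclusion" if denied else "unrestricted"

def audit(text):
    """Map each user to the style of rule that grants them commands."""
    found = (classify(line) for line in text.splitlines())
    return dict(f for f in found if f)

def password_asked(text):
    """Whose password sudo asks for; targetpw is off unless a Defaults line sets it."""
    who = "invoking user"
    for line in text.splitlines():
        m = re.match(r"\s*Defaults\b.*?(!?)targetpw\b", line)
        if m:  # the last matching Defaults line wins
            who = "invoking user" if m.group(1) else "target user"
    return who

if __name__ == "__main__":
    print(audit(SAMPLE), password_asked(SAMPLE))
```

Rules reported as "exclusion" or "unrestricted" are the ones that create the root equivalent accounts discussed above; only "inclusion" rules bound what a user can run as root.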

All I can say is that it's something very useful for people using it for
personal desktops or in an environment where there are limited users.

links:
Sudoers Manual