Announcement

Collapse
No announcement yet.

sudo permissions for a user

Collapse
This topic is closed.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    sudo permissions for a user

    I am trying to better understand sudo permissions under kubuntu.

    From what I have read, in kubuntu there is no "root" user, but if you have admin privileges you are able to run sudo commands. If there is only one user (in my case that is true), you will automatically be set with admin account. I have checked in system settings - users and this is the case for me, so I am able to run sudo in a terminal when asked.

    My question is, is it possible to be setup in a way that I don't need to run sudo at all, and there are no permission restrictions?

    I am writing a python script to build some file structures and am getting the following.

    os.mkdir(root_asset_path)
    PermissionError: [Errno 13] Permission denied:






    #2
    Anything is possible. Most of those possibilities are unwise. Permissions are a fundamental security method setup during a standard Linux installation, and they are intended to prevent unwanted/unintended/undesired system level changes.

    The use of sudo is a simple measure to allow the system owner (you) to effect normal views and updates.

    You can do what you want to your own system, but you can also introduce a lot of risk.

    You can also run sudo such that it doesn't time out. That's also risky, but it is useful in some cases. When you do that, you can simply type the word
    Code:
    exit
    to back to your normal shell.

    Perusing
    Code:
    man sudo
    is interesting.
    The next brick house on the left
    Intel i7 11th Gen | 16GB | 1TB | KDE Plasma 5.27.11​| Kubuntu 24.04 | 6.8.0-31-generic



    Comment


      #3
      Sure.
      One could enable the root account, though this can have some oddball, random side effects, though rare.
      sudo su will get you a persistent root status for admin purposes running scripts and multiple tasks to perform.

      With some research into sudo configuration, and more probably Policykit's config, I am sure you can do this.

      Comment


        #4
        "sudo su" or "su -" both require a root account password. "sudo -i" puts you in a root shell without having a password assigned to root.

        There's nothing wrong with creating a root account password and using it. Most distros other than *buntus default that way. Just don't ever do "non-root" stuff with the root account, like run graphical applications. This is what causes problems. Using sudo or sudo -i is considered "safer" (still not for GUI apps).

        An easy read: https://www.maketecheasier.com/diffe...%20root%20user.

        Please Read Me

        Comment


          #5
          Originally posted by jim204 View Post
          From what I have read, in kubuntu there is no "root" user
          There is, with home directory /root; the thing is, you can't log in as root. root still owns most of the OS files.
          My question is, is it possible to be setup in a way that I don't need to run sudo at all, and there are no permission restrictions?
          Of course, but it is not a good idea IMO.
          I am writing a python script to build some file structures and am getting the following ... error
          IMO you should know where in the file system the error is occurring, and adjust the permissions there. Using group permissions fits a lot of cases, and some Linux root-owned directories have groups set up already; f.ex. /var/local has the group set to "staff" and you can add yourself to the "staff" group to be able to write there. (System settings doesn't handle groups any more, use f.ex. sudo adduser jim staff).

          As others have said, sudo -i gets you a root shell. IMO, use of this should be minimized, as it's quite dangerous. And running GUI apps is usually bad and can be very bad.

          Another approach is to tell sudo that some commands are ok. F.ex. , I have /etc/sudoers.d/ethtool that has this line
          Code:
          john     ALL=(ALL) NOPASSWD:/sbin/ethtool
          so I can run sudo ethtool in scripts.
          Last edited by jlittle; Feb 02, 2022, 03:26 PM.
          Regards, John Little

          Comment


            #6
            Thanks for the replies. Ok, so the general consensus is running sudo all the time is a bad idea. I assume its failing because it needs permissions to create a directory. So you are saying there is a way to set permissions up on directories so making directories is possible without sudo access? Is that what you mean by group access

            I realized I could just run, sudo /path/to//python/file/py although I haven't tried that yet.

            Comment


              #7
              Originally posted by jim204 View Post
              So you are saying there is a way to set permissions up on directories so making directories is possible without sudo access? Is that what you mean by group access.
              Yes.

              To give definite advice, you'd have to tell us which directories, and their present owners and groups, and an idea of what your script wants to do. Some familiarity with the output of ls -l would be good, don't hesitate to ask to have something explained.

              Regards, John Little

              Comment


                #8
                ls -l returns the following, this is the directory the script is trying to create a sub dir in.The script simply, runs a mkdir command.
                drwxr-xr-x 2 root root 4096


                ps. I ran the same python file including sudo in the command line and it successfully ran, creating the directory.It would be good to change the permissions on this root folder/drive to enable write permissions though.



                Comment


                  #9
                  Originally posted by jim204 View Post
                  drwxr-xr-x 2 root root 4096
                  The parts in order

                  d = directory
                  rwx = owners permissions (read, write, execute)
                  r-x = groups permissions (read, execute)
                  r-x = others permissions (read, execute)
                  root root = owner and group
                  4096 = inode allocation (you can ignore this)

                  The "execute" bit when set on a directory means "permission to enter the directory." When set on a file, it means "this file is executable." In the above example, you are not the owner or a member of the group, so you are an "other." the "r-w" set for others means you can read (list) the directory contents and "cd" into it, but not save (write) anything into it.

                  You can either give yourself full ownership of the directory, or create a group and give the group permission to write to it. Which you choose will depend on your needs. Since root can do anything, it does not need permission to access the directory so if you are the only user needing to access this folder (other than root), just change it to your owner and group:
                  Code:
                  sudo chown 1000:1000 /directory
                  This chown (change owner) command will modify the ownership and group to you assuming you're the primary user on this system. You can use your username:groupname instead, like if you log in as "jim" and your primary group is "jim" then the command is
                  Code:
                  sudo chown jim:jim /directory
                  Obviously, use the full path to the directory in place of /directory
                  This is the simplest way.

                  If you want other users on the system to also have access to this directory, then IMO the best way is to create a group and give it permission, then add any users you want to give access to group membership - including yourself. For example, on my systems I make a directory called "/shared" for all user to access so we can share files. I also have a group of the same name "shared". I then set the group of the directory to "shared", give the group permissions, and add members to the group. Using this directory and users bob and ted it goes like this:

                  First we make the group:
                  Code:
                  sudo groupadd shared
                  Then we make the directory and modify it as described above:
                  Code:
                  sudo mkdir /shared
                  sudo chown :shared /shared
                  sudo chmod g+w /shared
                  Now we have this:
                  Code:
                  drwxrwxr-x 0 root shared 0
                  To add users to the group:
                  sudo usermod -G -a shared bob
                  sudo usermod -G -a shared ted

                  Now bob and ted can access the directory.
                  Note: If you add yourself to a group while you're logged in, you have to log out and back in again for the group change to take effect.

                  There's one more thing: Files have ownership just like directories. How does this work? If you stop here, then any files created in the folder will still have the owner:group of it's creator. So if you wanted to modify or edit a file created by root or any other user, you'd still have to use sudo.

                  To "fix" this we use a "sticky bit" for group permissions. This will make any file created in this directory assume group and group permissions and thus any member of the group can edit, execute, or delete any file in the folder. To do this we change the above chmod command to this:
                  Code:
                  sudo chmod g+ws /shared
                  This changes the directory to this:
                  Code:
                  drwxrwsr-x 0 root shared 0
                  Note the "s" instead of the "x". Now any file created in this folder will have the group "shared" automatically assigned so both bob and ted can save, edit, and delete files in /shared. You will retain your individual ownership of your files, just share them.

                  There are more complicated and controlled ways to do this, but this is the easiest to set up and should work for your purposes.
                  Last edited by Snowhog; Feb 03, 2022, 08:09 AM.

                  Please Read Me

                  Comment


                    #10
                    Originally posted by jim204 View Post
                    ls -l returns the following, this is the directory the script is trying to create a sub dir in.The script simply, runs a mkdir command.
                    drwxr-xr-x 2 root root 4096
                    but what is the name of the directory?

                    I ask to be able to form an idea as to whether changing its permissions or group is a good idea.
                    Last edited by Snowhog; Feb 03, 2022, 04:53 PM.
                    Regards, John Little

                    Comment


                      #11
                      @oshunluvr thanks for the in depth explanation. As it is just me working in this directory, I think the simplest way would just be to give full ownership to myself. I can look into creating groups later down the line, if needed.

                      Comment


                        #12
                        that's a good question

                        Comment

                        Working...
                        X