Linux.com


Community Blogs



Using sudo

Now that we have seen how to configure sudo, how do you use it? Sudo is very easy to use, as you will see. To determine what commands you have available to you via sudo, you can execute:

[ankit@black]$ sudo -l
Password:
User ankit may run the following commands on this host:
     (root) /etc/rc.d/init.d/httpd, /etc/rc.d/init.d/mysql
     (root) /bin/rpm, /bin/rm, /sbin/linuxconf
     (root) /usr/bin/swatch, /bin/touch
     (root) NOPASSWD: /bin/su
     (Jason) /home/Jason/bin/eggdrop, /home/Jason/bin/irc/ircd

This will show you exactly what commands you can run, and as what user. To use sudo to restart Apache, for example, you would use:

[ankit@black]$ sudo /etc/rc.d/init.d/httpd restart
Password:

After Ankit supplies his password, Apache will restart. If he wanted to start eggdrop as Jason, however, he would have to approach it somewhat differently:

[ankit@black]$ sudo -u Jason /home/Jason/bin/eggdrop&
Password:

This will launch eggdrop in the background running as Jason's uid. Because sudo will, by default, try to run something as root, you must supply the user's username if it is a non-root user, as is the case here. Observe what happens if Ankit neglects to specify Jason's username:

[ankit@black]$ sudo /home/Jason/bin/eggdrop
Sorry, user ankit is not allowed to execute '/home/Jason/bin/eggdrop' as root
on black.somehost.com.

As you can see, sudo is very flexible, and very willing to replace su. In fact, I would even go so far as to make su only available through sudo. In order for su to work for non-root users (i.e. allow non-root users to become root or any other user), /bin/su must have the setuid bit enabled, so it can run as root. If you remove the setuid bit from /bin/su, then even if a user knows the root password, they cannot su to root or any other user. Stripping setuid from /bin/su and restricting root logins from the console and via SSH is a very effective means of locking down unauthorized root access on your system. To do this, simply give yourself sudo access to run su (as illustrated with Ankit previously), and strip the setuid bit from /bin/su by executing (as root):

[root@black]# chmod u-s /bin/su
[root@black]# ls -l /bin/su
-rwxr-xr-x      1 root     root      18172 June 4 05:29 /bin/su*

Now if you try to run the command su - as a non-root user, even if you type in the right password for root, you will not change to root. In order for someone to use su, they must exist in sudoers with the appropriate permissions, and must run su through sudo like this:

[ankit@black]$ sudo su -
[root@black]#

I find this a much better approach to restricting access to root. By having su as a setuid application, any user on the system can attempt to execute su; if they have the root password or can guess it, they can become root. By having su access restricted through sudo, and with the setuid bit removed, the chances of breaking into root are much more limited. Think of it this way. If someone can compromise your box and obtain shell access as the user "apache" or "nobody", with su setuid, they can attempt to log in as root, and if they find the password, there's no stopping them. With su being stripped of the setuid bit, even if someone obtains shell access as the user "apache", they are limited only to being able to do what the user "apache" has rights to. Even if they know your root password, they cannot su to root. They would need to guess Ankit's password in order to become Ankit, who could then become root via sudo. But even then, they could not use su to become Ankit; they would have to log into the system as Ankit.

To take the illustration further, this would mean they would need local console access to log in as Ankit (if they had his password), or via SSH (since Ankit knows better than to run telnet). But Ankit's smart. He hasn't gone through the trouble of setting up sudo to let something like this stop him. He's also configured SSH to reject all password logins and only allow key-based authentication. Without Ankit's private key, no one is logging into his account via SSH. So even if your Apache server, or sendmail server, or DNS server, allowed someone to obtain shell access to your system with an unprivileged account, the damage they could do would be minimal. Without su being available to them as an unprivileged user, without having local console access, and without being able to log in to a user's account via SSH without having his private key, an attacker must resort to more difficult means of attacking your server to obtain root access. You can rest assured that you haven't made his job any easier by taking a few simple steps to protect yourself.
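
The lockdown described in this post (no setuid bit on su, no SSH password logins, no root logins over SSH) can be checked mechanically. The script below is an added example, not part of the original post; the function names are hypothetical, and it assumes whitespace-separated "Keyword value" lines in sshd_config and inspects only the global section.

```shell
#!/bin/sh
# Added example, not from the original post: audit the su/SSH lockdown.

# True if the file still carries the setuid bit.
has_setuid() { [ -u "$1" ]; }

# Print the effective global value of an sshd_config keyword, lowercased.
# sshd uses the first occurrence of a keyword. Simplification: Match blocks
# and Include files are not evaluated.
sshd_value() {  # $1 = config file, $2 = keyword
    awk -v key="$2" '
        $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Print one FAIL line per deviation from the lockdown the post describes.
audit_lockdown() {  # $1 = path to su, $2 = path to sshd_config
    if has_setuid "$1"; then
        echo "FAIL: $1 is setuid; any local account can try the root password"
    fi
    # OpenSSH allows password logins unless the config says otherwise.
    pw=$(sshd_value "$2" PasswordAuthentication)
    if [ "${pw:-yes}" != "no" ]; then
        echo "FAIL: PasswordAuthentication is '${pw:-unset}'; key-only login not enforced"
    fi
    # The PermitRootLogin default differs between OpenSSH versions,
    # so only an explicit "no" passes.
    root=$(sshd_value "$2" PermitRootLogin)
    if [ "$root" != "no" ]; then
        echo "FAIL: PermitRootLogin is '${root:-unset}'; expected an explicit 'no'"
    fi
    return 0
}

# Demo on constructed files: a stand-in for /bin/su and a sample sshd_config.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/su" && chmod 4755 "$d/su"
    # The later "no" is ignored: the first PasswordAuthentication line wins.
    printf '%s\n' '#PermitRootLogin no' 'passwordauthentication yes' \
        'PasswordAuthentication no' > "$d/sshd_config"
    echo "Before hardening:"; audit_lockdown "$d/su" "$d/sshd_config"
    chmod u-s "$d/su"
    printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' > "$d/sshd_config"
    echo "After hardening:"; audit_lockdown "$d/su" "$d/sshd_config"
    rm -rf "$d"
}
demo
```

On a real host, call audit_lockdown /bin/su /etc/ssh/sshd_config, and re-run it after package updates, since reinstalling the package that ships su can restore the setuid bit.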

 

Compiling Boxee 0.9.11.5777 on openSUSE 11.*

Having used Miro before, I liked the ability to play videos from different sources in a single program without having to visit every site. Miro was recently updated to version 2.0 and I could not find an RPM for openSUSE 11.0. The Packman repository had an RPM for 11.1 and not 11.0 :-(. Attempts at compiling from source failed.

News about Boxee everywhere. I decided to give it a try. Took a while to get it right.  Posting my experience here.

Download

Download boxee source rev 0.9.11.5777 from boxee.tv. Requires registration. Usage requires registration anyway!

Build Requirements

glew and glew-devel
libmad-devel
libtre-devel
SDL_image_devel
SDL_mixer_devel
libbz2-devel
fribidi-devel
lzo-devel
sqlite3-devel
libmysqlclient-devel
libjasper-devel
libcurl-devel
libhal-devel
cmake
nasm

and maybe more (autoconf, etc.). Install missing ones using YaST. Running rpm -q with the package name will tell you whether it is installed or not.

Compile

Move to the downloaded folder. Uncompress and untar using

#in my case

cd /home/vimal/Software

tar -jxvf boxee-0.9.11.5777-src.tar.bz2

cd boxee-0.9.11.5777-src

#since there was no configure script present, I did an autoconf to generate it

autoconf

#i could only compile and run Boxee from the current folder. I could not get it installed in the final step. Hence, did not specify --prefix to configure

#run configure now
./configure

#followed by make
make

#and make again!
make

#for  reasons unknown, Boxee was not compiled in the first make. There were no errors either.  Issuing make again fixed the problem. This was an accidental find!

At this point the Boxee binary should exist in the directory and it can be launched by

./Boxee

Notes/Tips

  1. It takes a really long time to compile. If you have a dual core cpu, make -j2 really speeds up the compilation. This tip was from the README. 
  2. I disabled vertical sync. Otherwise, the response was very slow. This can be set from within the program under
    Settings ->Appearance->Screen
    or by editing ~/.boxee/UserData/guisettings.xml
    change  value under to 0
    0
  3. Fullscreen and windowed mode can be toggled using \ 
  4. If you have a Wii, and bluetooth on your PC, you can use the wii remote with Boxee. Check out http://antrix.net/journal/techtalk/boxee_wiimote.html

 Boxee in Action

 

No Gaming on Linux.com?

I've noticed a distinct lack of gaming sections on this site.  Sure, the Linux gaming scene isn't exactly thriving, but then those who do use Linux for gaming haven't got an appropriate section.

The areas I'm referring to are the Software Directory and the Answers section, particularly the latter as there are so many other categories.  In fact it's almost notable by its absence.  The only place which does have a place for games is the Forum, where it appears to be one of the busier topics.

The Software Directory really could do with it so we can build a list of what games are actually out there that are natively compatible with Linux.  And while we're on the subject of the Software Directory, it could really do with subcategories.  I've added PostgreSQL to the Applications section, but someone may be looking for a disk partitioner.  They aren't really related, yet they are in the same section.  Plus, Applications is very generic, and probably needs replacing with several other sections.

Unfortunately I have no experience of Joomla (which is what this site appears to be based on), so I'm not sure how configurable it is.

 

Checking out Linux.com for the first time.

All I can say is, great job with the new site.  Linux.com is finally the portal to Linux that it should have been over a decade ago. 

Thanks!

 

How to Install Flock on Ubuntu

This is the quick-and-dirty way to install Flock on Ubuntu and it involves installation to the /home folder.  This will allow the browser to update using regular user permissions; i.e. the user will not have to run this browser as root (sudo) to update the program.  It will update similarly to the way it updates in Windows.

  1. Download the browser from here.
  2. Copy the downloaded tar file to your /home directory.
  3. Right-click on the archive, and choose "extract here".
  4. A folder will be created in the /home directory.
  5. To create an entry in your menu, (I'm assuming the user is using Gnome), right click on the application menu, navigate to the "internet" menu, and click "new item".  In this "item", name it.  Then click on "browse" to create a command for it.  Go to /home/flock and click on "flock-browser".  Click "open" and the command box will be populated.  To create an icon for this menu item, click on the launchpad looking thing-o button.  This opens a window that shows you the available icons.  The proper icon won't be there, so click on "browse".  Go to /home/flock again, and this time, click on the folder labeled "icons".  Click "open" and now you'll be able to pick which icon you want.  You can further customize this by adding a saying like "Browse the social web" or something.
  6. You're pretty much done.  All that needs to be done is to grab all the plugins from Firefox and copy them to Flock.  To do this, type this command: "sudo ln -s /usr/lib/firefox/plugins /home/flock/plugins".
  7. You're done! Now you should be able to use Flock just like Firefox.  Don't forget to sign in to your blog, twitter, flickr, facebook, etc so you can use it to its fullest.  I also recommend going to the Mozilla Addons page to get adblock, flashblock and other addons you can't live without.  Also, you can go here and get flock-only extensions.
And there you have it.  Please see this post for some more information on installation.  If you do it this way, however, you won't be able to update via the automatic updater unless you run it as root.
 

Netbooks and Linux

I managed to get an Acer Aspire One a couple months back for £150 brand new.  I was interested to see what Acer's Linpus Lite was like and what I found was shocking.

Acer's edition of Linpus Lite is a horrifically simplified interface, almost as if it were designed for children.  A few big icons in 4 categories, and that's it.  I never did find out if I could actually install anything else.  I was also astonished to find that Firefox was only version 2, and so was OpenOffice.  Overall, it was a very disappointing experience, and naturally I wiped the whole thing off and installed the awesome Ubuntu Netbook Remix.

Now I can begin to understand why so many consumers have returned their Linux netbooks and asked for Windows instead: because the version of Linux they were given was awful!  I cringe at the thought of the number of people who finally decided to give Linux a try, and their first and only experience of using it was Linpus.  Linux's reputation must have taken a beating.  I'm quite sure that the returns would have been dramatically reduced if UNR had been installed instead.  It's far more user-friendly, looks better, performs better, comes with a lot more software, is more configurable and has a huge repository of software to install at the user's will.

 I really hope Acer will ditch the monstrosity they currently use and help restore Linux's reputation to that of a fast, stable, agile and capable platform.

On a related point, I'm also disappointed with many manufacturers who offer Linux netbooks with a lower spec than their Windows counterparts.  They halve the memory, or offer 8Gb SSD harddrive instead of 120Gb, or exclude Bluetooth.  Why?  Linux may not be as resource-hungry as Windows, but the public's impression will be that they won't be getting a good machine if they buy a Linux version.  No wonder Windows has won the netbook market: the industry has failed to deliver the right spec and the right OS.

 

Windows 7

A few boring hours today so I decided to give the Windows 7 RC a shot. I've never really used Vista and while I use Win XP at work, this was all a rather new experience to me. Since it is currently free-as-in-beer until March or so (which is a looong time in the beer world) I didn't feel that bad about embracing the monopolists for a short while.

So after roughly an hour of installation including partitioning and updating I booted into Windows 7. Frankly, my first impression was that it seems pretty good. I know there's been a lot of flaming over this, but the interface reminds me a great deal of KDE4 and that's entirely a good thing in my book. Still haven't figured out how to disable that annoying double-click-to-do-anything feature though.

First problem: No sound. Woo, 

I've heard a lot about it looking and feeling similar to KDE4, and since I've been following that project for quite some time 

 

Product Test: HP F4283 MFP (Multi-Function Printer)

Here is a quick test and first impressions of the HP F4283 printer on Ubuntu.

 Set-up

The set-up process takes less than 10 minutes - most of which is spent getting rid of all the sticky stuff :-)

Before plugging it into your computer, turn on the power and install the cartridges. The supplied cartridges are (apparently) 1/3 of the normal capacity - according to the sales person. I'll just take their word for it for now.

After the cartridges are installed, an alignment page is printed automatically. You take this page and put it in the scanner. Press the scan button on the printer and the printer does the alignment (it makes weird noises - I think this is normal).

Now plug it into your computer.

Configuration

In Ubuntu (9.04 64-Bit) a window will pop up. Everything was detected automatically. You can just hit the appropriate button to produce the standard Ubuntu print test page.

This whole process took the greater part of like 10 seconds!

Scanning

On the Gnome menu, go to "Applications -> Graphics" and you should find the XSane option near the bottom of the list. Click on it and wait about 15 to 20 seconds to detect the scanner.

The first scan was a no brainer - can it get any easier than this?

 

 


Quality

The print quality is acceptable for me for documents, but I wouldn't print photos on this printer just yet. The Ubuntu test page showed slight imperfections in the various colour boxes but it's acceptable for day to day use in office document production.

The scanner is acceptable as well. I mostly use it to prep hard documents for faxing anyway, so my expectations are rather low. Yet, the scanned image was surprisingly high quality.

Conclusion

The price I paid (ZAR499 - just over US$60) was money well spent for me. I am very happy so far.

HP F4283 Product Page

 

Won't be good

With the new Linux.Com we got many opportunities to share our experiences: blogs, groups, submitting articles. All of these are good. But one thing about the site will be a problem: "Guru Wars", because some people want the rewards so badly that they will simply take every unnecessary step to be number one. This kind of ranking system can be a huge problem for our community.

Make c/p and post unlimited blog entries

Join all groups

Be everyones friend

Send some sort answers to all topics at the forums(yeah, gg^^, yow yow)

and be number one! Linux.Com can continue this race, but they must make some changes for the safety of our minds :D First of all, they should close the ranking system to members; with this, people won't know what their status is. Second, they should remove guru status from the main page. I really don't care whose ranking is better. If they are good, I can read their work by myself.

Your Fan

Ceyhun Alyesil

 

10 days till Fedora 11

Fedora 11 Leonidas has many new features:
  • 20-second startup
  • New versions of desktop environments: Gnome 2.26, KDE 4.2, XFCE 4.6
  • New versions of desktop applications: Firefox 3.5, OpenOffice.org 3.1
  • New package format: rpm 4.7

    Keyboard shortcut for Gwibber

    I've recently joined Twitter and it's great! I installed Gwibber and it's a nifty client. Being the rodent averse person I am, I had to find a way to have a keyboard shortcut for this trivial task. So, what did I do? I wrote this:

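    #!/bin/bash

    ppath=/usr/bin/gwibber   # path matched against the process list
    prg=Gwibber              # window title matched by wmctrl
    prgstr=gwibber           # command used to launch the client
    # Start Gwibber in the background if no matching process is running
    if [ -z "$(ps -eaf | grep -i "$ppath" | grep -v grep)" ] ; then
        nohup "$prgstr" &
        sleep 1
    fi
    # No window listed (e.g. iconified to the panel): run it again so the single instance shows itself
    [ -z "$(wmctrl -l | grep -i "$prg" | grep -v grep)" ] && "$prgstr"
    # Bring the Gwibber window to the foreground
    wmctrl -a "${prg}"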

    This launches Gwibber if it's not already running. Otherwise, it just brings the window to the foreground. Best part of Gwibber is, it ensures you only have one instance running so this works even when Gwibber is iconified on gnome-panel. Bless you, wmctrl.

    My HP Laptop had an "Information" key which was lying idle. So, I fired up "xev", got the keycode, assigned it to a virtual key (F21 in this case) and attached the above script to it in Compiz! So now, I just need to press one key to check my Twitter feeds :)

     Next step, modify it to work as a toggle key...

     