linux - How to do admin tasks without becoming root on Debian?

07
2014-07
  • Al Berger

    How can one perform some administrative tasks from non-root account without becoming root on Debian 7? For example, my iptables block all network access for all users including root except one user - 'webuser'. The webuser is admin account, it is in admin and adm groups, it is in sudoers file and can use sudo. When I try as 'webuser' to use apt-get or synaptic via sudo, then after entering the root password the program apparently starts under the root account, not under webuser, and cannot get access to network.

    Is there some configuration settings that can be set for synaptic or apt-get so that these programs could run under non-root account?

    • Answers
  • Bruno9779

    Running package managers under non root account is an horrible idea. It is not possible by default, but you could probably hotwire it somehow, maybe with some chroot magic. And likely bork your system.

    Think of a scenario where you install a library with webuser, the applications that use that library, if installed by root would not have access to it.

    Some applications, like apache, let you configure what user and group the program should be run as (in /etc/httpd/conf/httpd.conf on centos), other do not give you any choice about it. Many applications need to run as a separate user.

    I think you could achieve what you want by creating a group called webuser, with access to the network, adding to it the users of the programs that have access to the network and allowing members of the group to access the network in iptables.

    Note that root will need to be part of webuser group for you package manager to work


    • Related Question

    osx - How to execute a command with admin privileges and access to files of the logged in user?
  • robertj

    I have some problems understanding sudo. I am logged in on a terminal as an non-admin/non-root user. This "normal" user is not in the sudoers file (and shouldnt be, in my opinion).

    Now I try to execute a command that needs admin/root privileges and also access to directories of my normal user – therefore I am not able to simply su into an admin or root user.

    In my understanding sudo -u root should do the trick – however it doesn't accept the password for root (or admin if I try with my normal admin user). It only accepts the password of the "normal" user which seems to indicate that the -u username option doesn't work the way I expect it to work.

    My expectation is that sudo -u root some_command executes some_command with the privileges of root and therefore it asks also for the password of root. Obviously not.

    TL;DR: How do I execute any command that requires admin privileges AND has access to the files of the "logged in (normal) user" without adding the normal user to the sudoers file?

    I have enabled the root user under Mac OS X 10.7.


    • Related Answers
  • Daniel Beck

    sudo always requires the executing user's password (and requires that you have specific permissions to do this, i.e. are one of the sudoers).

    su requires the password of the target account (root by default, but root account has no password on OS X by default). If you use su instead, you can enter the destination account's password and execute a command using that user's privileges.

    su -c some_cmd # as root
su username -c some_cmd # as username

    This works by passing all arguments after the user name to the destination account's login shell. Shells usually support -c <commands> arguments. In GNU coreutils su, there's an actual -c command argument to su that can be placed before the user name.

    You can su to another user account (using the other user account's password), and sudo from there, provided that other account is a sudoer.

    If you want neither to enter another account's password, nor give your regular account sudoers permissions, you're pretty much out of options unless you consider SSH with key authentication or something like that.

  • bmike

    Unless you really "need" to maintain a separate root user on Mac OS X, it's often much easier to just get a root shell using sudo -s

    In your case, non-admin users are not included in /etc/sudoers - so you would have to add by hand the users/groups you intend to have sudo accept.

    # User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL

    Once that's done, sudo will inherits almost all of the nice things from your shell like PATH and other variables, but elevates your non-admin user instantly to root. The downside of enabling root is time and the security risk of someone actually logging in locally or remotely as root.

    Keep in mind, sudo is asking for the password of the user that logged in to the loginwindow screen. su - wants the password of the root account, sudo -s uses privilege escalation to use the current user's password to become root without needing any (or in your case, the actual) root password.

  • Erik Neves

    If you are using a standard account (usually for security reasons) and you know an administrator username and password, you can do su -l admin_user. After entering the password, you are now, for all effects, acting as that administrator. Then you can sudo to your heart's content. Now, just logout to go back to your original plain account.