Restrict Ubuntu user permissions - linux

I am using Ubuntu 20.04 to host my application. The device that hosts the application will deliver to the client, meaning I would like to strip the regular desktop user from every permission.
After a research, I added to the user .bashrc file false aliases something like:
alias ls="printf ''"
The problem is that the user can still write every command under a specific path:
bin/su
bin/cd
This way he has complete power over the system. I would love to get some help with this issue.
Thank you all!

solution for restrict the terminal
Create a group for terminal users
addgroup terminalusers
usermod -a -G terminalusers <user>
chown root:terminalusers /usr/bin/mate-terminal
chmod 750 /usr/bin/mate-terminal
After this process, the terminal would be blocked
Buenos - you can block every application you want with the command which

This should do
addgroup <group-username>
usermod -a -G <group-username> <user>
chown root:<group-username> /usr/bin/<terminal-name>
chmod 750 /usr/bin/bash #permissions can be as per requirement like 760 etc
Ubuntu uses bash. On other distros we may have to see which shell and terminal they use e.g. gnome version of ubuntu has gnome terminal and bash. Kali has zsh (which I think is better).

Related

Bash script switch user on the same scritp

I created bash script on Linux Redhat with vim
My script is working well on an user.
I need to esxute on the same script this command
su - root with password
VGDISPLAY -v |grep "LV Status"
the probem is when I execute my script the part of the normal user is done
and the other part with root not done
my question how can I do to execute this
I need to switch in the same script to root
Best regards
I'd recommend not switching to the root user in the script for specific tasks/commands but assigning SUDO privileges to your user (by which you are running the script), and using sudo command in the script for the tasks/commands that need elevations.
Hint: By sudo command you may run a process on behalf of another user (root probably).
If you are not familiar with sudo command or how to assign SUDO privileges to a user, please see the following link or google it.
https://phoenixnap.com/kb/linux-sudo-command
PS. Providing SUDO privileges to a user is configurable whether to be used for all commands or limited commands. For testing purposes, you may configure the user to be able to run all commands with sudo to gain the privileges, but for production use it is strongly recommended to limit the user to be able to use only necessary commands with sudo and nothing more.

How to give a directory back its sudo admissions/permissions?

I recently installed LAMP on my Ubuntu 14.04 laptop. But I didn't have full/root access to the files var/www and etc/apache2/sites-enabled/000-default.conf so I did some research to change permissions and admissions to the directory, using this command in the terminal:
sudo chown -R username:group directory
It worked perfectly. But now I can't do any sudo commands in the terminal. I wanted to restart the apache server but here is what it showed me:
sudo: /etc/sudoers is owned by uid 1000, should be 0
sudo: no valid sudoers sources found, quitting
sudo: impossible d'initialiser le greffon de règles
(my computer is in french btw).
What I want to know is how to set it back to sudo. I hope I explained myself good enough. If you need additional info that I didn't state please tell me. I will add it. Thnx.
Seems like you chown'd /etc/sudoers.
Try:
sudo chown root:root /etc/sudoers
Then if you want read/write privileges, see which group the folder /var/www belongs to (probably www-data)
To add yourself to the www-data group, try:
sudo useradd -a -G www-data yourUserName
Also, as a side note; be careful of recursive commands!!! If you're not sure what a command does, test it on a single file before making it recursive. For example:
DO NOT RUN THIS CODE, I DON'T INCLUDE SUDO ON PURPOSE SO YOU DONT HOSE EVERYTHING
rm -r /
Will delete everything inside / (a lot of stuff!)

How to supply sudo with password from script?

Please note: this is a guest VM (VBox) running on my local machine, and I'm not worried about security.
I am writing a script that will be executed on a Linux (Ubuntu) VM as the myuser user. This script will create a very large directory tree under /etc/myapp. Currently I have to do all this manually, and it starts with me giving myuser recrusive rwx permissions under /etc like so:
sudo chmod -R 777 /etc
[sudo] password for myuser: <now I enter the password and hit ENTER>
My question: how do I write a bash script that supplies the sudo command with my password so that I can just execute bash myscript.sh and it will make the necessary permission changes for me?
(BASH)
OK, if you've gotta do it, (keeping security warnings in mind):
$ sudo -S < <(echo "<your password>") <your sudo command>
If, as you say, you completely don't care about security...
Run visudo to edit /etc/sudoers with validation in place. Add the following line:
ALL ALL=(ALL) NOPASSWD: ALL
This will prevent sudo from ever asking for a password, for any user, for any command.
You can use expect or autoexpect. It's a bad idea, though.
Never put system passwords into writing. At least, not on a file on said system. Much less on an install script known to require root access. You're making yourself an easy target.
What you do instead, is configure sudo via /etc/sudoers/ to allow exactly that user to execute exactly that script without a password:
myuser ALL=(ALL) NOPASSWD : /path/to/script
Note:
If you remove the /path/to/script part, myuser will be able to sudo anything with no password.
If you change myuser for ALL, everyone will be able to run that script with no password.

Cannot access the shared folder in Virtual Box

I have problem with accessing the shared folder.
My host OS is Windows 7 Enterprise Edition SP1, and the guest OS is Ubuntu Linux 10.04 Desktop Version. I'm using Virtual Box 4.2.10, and I have installed VBox guest add-on and Oracle VM VirtualBox Extension Pack.
When I put commend:
mat#mat-desktop:~$ cd /media/sf_MAT/
bash: cd: /media/sf_MAT/: Permission denied
again with sudo:
sudo cd /media/sf_MAT/
sudo: cd: command not found
What could be the solution?
The issue is that your user "mat" is not in the same group as "vboxsf". This group "vboxsf" is the group which has read/write permissions to that folder. Also the root has permission to that folder because its in the group "vboxsf".
What you need is to add your user "mat" to the same group. Start your terminal and write the following line:
sudo usermod -aG vboxsf mat
sudo - because you need root permission
usermod - the command to change the user properties
-a means append to the group
-G means you will supply the group name now
vboxsf is the group name that you want your user to be in
mat is your username
A reboot, or a logout, may be required for changes to take affect.
After this operation you can verify that your user is indeed in the vboxsf group by doing this:
cat /etc/group | grep "vboxsf"
you will see your username there.
Now you shall be able to access that folder. If any issue, just comment here and I will tell you alternative methods.
Also, if all of this sounds too geeky, you can do the same thing using the graphical tools. One guide is here http://www.howtogeek.com/75705/access-shared-folders-in-a-virtualbox-ubuntu-11.04-virtual-machine/
Also, in new virtual box - 4.3.20 I guess, they have this new feature of drag and drop where you can just drag files and folders to your virtual machine just by dragging. Isn't that nice. :)
Open your Virtual Machine's Terminal. Type sudo su then enter your password.
Write the following commands
sudo usermod -a -G vboxsf your_account_name
sudo chown -R your_account_name:users /media/your_share_folder_name/
Example sudo usermod -a -G vboxsf mat
Example sudo chown -R mat:users /media/sf_MAT/
Now reboot your Virtual Machine and check the shared folder again
I have this problem to. The problem seems to be with your user account not having permission to use the folders. The only solution I have is to enter root using the su command. You can then read, write, and navigate freely. You might have to set a root password first using sudo passwd root.
Reason : sudo cd will not work as sudo works on program and not command. cd is an inbuilt command.
Soluiton: try sudo -i ..this will elevate you to super user.
Now you will be logged in as root and use any command you wish
eg.
sudo -i
cd folder/path
use exit to return back to normal user.
You only need to follow these steps:
in the terminal execute:
sudo adduser yourUserName vboxsf
enter your root password, expect the following message:
Adding user `yourUserName' to group `vboxsf' ...
Adding user yourUserName group vboxsf
Done.
Log out and back in.
You now can access your shared folders (with the limitations you set for them via VirtualBox)
For all other just add new optical drive in storage(Via setting) and add ISO manually(It is inside installed directory) in Host OS. Now click on mounted drive and install in Guest OS.
Reboot enjoy

How do I run a command as a different user from a root cronjob?

I seem to be stuck between an NFS limitation and a Cron limitation.
So I've got root cron (on RHEL5) running a shell script that, among other things, needs to rsync some files over an NFS mount. And the files on the NFS mount are owned by the apache user with mode 700, so only the apache user can run the rsync command -- running as root yields a permission error (NFS being a rare case, apparently, where the root user is not all-powerful?)
When I just want to run the rsync by hand, I can use "sudo -u apache rsync ..." But sudo no workie in cron -- it says "sudo: sorry, you must have a tty to run sudo".
I don't want to run the whole script as apache (i.e. from apache's crontab) because other parts of the script do require root -- it's just that one command that needs to run as apache. And I would really prefer not to change the mode on the files, as that will involve significant changes to other applications.
There's gotta be a way to accomplish "sudo -u apache" from cron??
thanks!
rob
su --shell=/bin/bash --session-command="/path/to/command -argument=something" username &
Works for me (CentOS)
Use su instead of sudo:
su -c "rsync ..." apache
By default on RHEL, sudo isn't allowed for processes without a terminal (tty). That's set in /etc/sudoers.
You can allow tty-less sudo for particular users with these instructions:
https://serverfault.com/questions/111064/sudoers-how-to-disable-requiretty-per-user
If you want to permanently enable you to fiddle around as apache:
chsh apache
this allows you to change the shell for the user
place it in /etc/crontab and specify apache instead of root in the user field

Resources