I am using Ubuntu 20.04 to host my application. The device that hosts the application will deliver to the client, meaning I would like to strip the regular desktop user from every permission.
After a research, I added to the user .bashrc file false aliases something like:
alias ls="printf ''"
The problem is that the user can still write every command under a specific path:
bin/su
bin/cd
This way he has complete power over the system. I would love to get some help with this issue.
Thank you all!
solution for restrict the terminal
Create a group for terminal users
addgroup terminalusers
usermod -a -G terminalusers <user>
chown root:terminalusers /usr/bin/mate-terminal
chmod 750 /usr/bin/mate-terminal
After this process, the terminal would be blocked
Buenos - you can block every application you want with the command which
This should do
addgroup <group-username>
usermod -a -G <group-username> <user>
chown root:<group-username> /usr/bin/<terminal-name>
chmod 750 /usr/bin/bash #permissions can be as per requirement like 760 etc
Ubuntu uses bash. On other distros we may have to see which shell and terminal they use e.g. gnome version of ubuntu has gnome terminal and bash. Kali has zsh (which I think is better).
When I try to run simple docker commands like:
$ docker ps -a
I get an error message:
Got permission denied ... /var/run/docker.sock: connect: permission denied
When I check permissions with
$ ls -al /var/run/
I see this line:
srw-rw---- root docker docker.sock
So, I follow an advice from many forums and add local user to docker group:
$ sudo usermod -aG docker $USER
But it does not help. I still get the very same error message. How can I fix it?
For those new to the shell, the command:
$ sudo usermod -aG docker $USER
needs to have $USER defined in your shell. This is often there by default, but you may need to set the value to your login id in some shells.
Changing the groups of a user does not change existing logins, terminals, and shells that a user has open. To avoid performing a login again, you can simply run:
$ newgrp docker
to get access to that group in your current shell.
Once you have done this, the user effectively has root access on the server, so only do this for users that are trusted with unrestricted sudo access.
Reason: The error message means that the current user can’t access the docker engine, because the user hasn't enough permissions to access the UNIX socket to communicate with the engine.
Quick Fix:
Run the command as root using sudo.
sudo docker ps
Change the permissions of /var/run/docker.sock for the current user.
sudo chown $USER /var/run/docker.sock
Caution: Running sudo chmod 777 /var/run/docker.sock will solve your problem but it will open the docker socket for everyone which is a security vulnerability as pointed out by #AaylaSecura. Hence it shouldn't be used, except for testing purposes on the local system.
Permanent Solution:
Add the current user to the docker group.
sudo usermod -a -G docker $USER
Note: You have to log out and log in again for the changes to take effect.
Refer to this blog to know more about managing Docker as a non-root user.
Make sure your $USER variable is set
$ echo $USER
$ sudo usermod -aG docker $USER
logout
Upon login, restart the docker service
$ sudo systemctl restart docker
$ docker ps
enter the command and explore docker without sudo command
sudo chmod 666 /var/run/docker.sock
As mentioned earlier in the comment the changes won't apply until your re-login. If you were doing a SSH and opening a new terminal, it would have worked in new terminal
But since you were using GUI and opening the new terminal the changes were not applied. That is the reason the error didn't go away
So below command did do its job, its just a re-login was missed
sudo usermod -aG docker $USER
You need to manage docker as a non-root user.
To create the docker group and add your user:
Create the docker group.
$ sudo groupadd docker
Add your user to the docker group.
$ sudo usermod -aG docker $USER
Log out and log back in so that your group membership is re-evaluated.
If testing on a virtual machine, it may be necessary to restart the virtual machine for changes to take effect.
On a desktop Linux environment such as X Windows, log out of your session completely and then log back in.
On Linux, you can also run the following command to activate the changes to groups:
$ newgrp docker
Verify that you can run docker commands without sudo.
$ docker run hello-world
As my user is and AD user, I have to add the AD user to the local group by manually editing /etc/group file. Unforrtunately the adduser commands do not seem to be nsswitch aware and do not recognize a user not locally defined when adding someone to a group.
Then reboot or refresh /etc/group. Now, you can use docker without sudo.
Regards.
***Important Note on these answers: the docker group is not always "docker" sometimes it is "dockerroot", for example the case of Centos 7 installation by
sudo yum install -y docker
The first thing you should do, after installing Docker, is
sudo tail /etc/group
it should say something like
......
sshd:x:74:
postdrop:x:90:
postfix:x:89:
yourusername:x:1000:yourusername
cgred:x:996:
dockerroot:x:995:
In this case, it is "dockerroot" not "docker". So,
sudo usermod -aG dockerroot yourusername
logout
When I try to run simple docker commands like: $ docker ps -a
I get an error message: Got permission denied ... /var/run/docker.sock: connect: permission denied.
[…] How can I fix it?
TL;DR: There are two ways (the first one, also mentioned in the question itself, was extensively addressed by other answers, but comes with security concerns; so I'll elaborate on this issue, and develop the second solution that can also be applicable for this fairly sensible use case).
Just to recall the context, the Docker daemon socket is owned by root:docker:
$ ls -l /var/run/docker.sock
srw-rw---- 1 root docker 0 janv. 28 14:23 /var/run/docker.sock
so with this default setup, one needs to prepend all docker CLI commands by sudo.
To avoid this, one can either:
add one's user account ($USER) to the docker group − but that's quite risky to do this on one's personal workstation, as this would amount to provide all programs run by the user with root permissions without any sudo password prompt nor auditing.
See also:
this page in the official Docker documentation:
https://docs.docker.com/engine/security/#docker-daemon-attack-surface
this page that documents the related exploit:
https://fosterelli.co/privilege-escalation-via-docker.html
one can otherwise prepend sudo automatically without typing sudo docker manually: to this aim, a solution consists in adding the following alias in the ~/.bashrc (see e.g. this thread for details):
__docker() {
if [[ "${BASH_SOURCE[*]}" =~ "bash-completion" ]]; then
docker "$#"
else
sudo docker "$#"
fi
}
alias docker=__docker
Then one can test this by opening a new terminal and typing:
docker run --pul〈TAB〉 # → docker run --pull
# autocompletion works
docker run --pull always --rm -it debian:11 # ask one's password
\docker run --help # bypass the alias (thanks to the \) and ask no password
With the help of the below command I was able to execute the docker command without sudo
sudo setfacl -m user:$USER:rw /var/run/docker.sock
bash into container as root user
docker exec -it --user root <dc5> bash
create docker group if it's not already created
groupadd -g 999 docker
add user to docker group
usermod -aG docker jenkins
change permissions
chmod 777 /var/run/docker.sock
You have to use pns executer instead of docker.
run the following patch which modifies the configmap and you are all set.
kubectl -n argo patch cm workflow-controller-configmap -p '{"data": {"containerRuntimeExecutor": "pns"}}' ;
ref: https://www.youtube.com/watch?v=XySJb-WmL3Q&list=PLGHfqDpnXFXLHfeapfvtt9URtUF1geuBo&index=2&t=3996s
I was a happy guy until when, accidentally, I did this command in my Mac Os X (Yosemite 10.10.5) a few moments a go:
$ sudo chown -R my.user:staff usr/
Then, terribly, when I try to use sudo a horrible error occurs:
$ sudo su -
sudo: effective uid is not 0, is sudo installed setuid root?
Any one have any idea about how to solve these and save my life, please?
Obs: I can't open new terminals but I still have two terminals opened, one logged with my.user and other with root.
Maybe if you changed the owner to actually used by you user, you can change without sudo the ownership to root by chown -R root:root /usr?
I found this tutorial and it saved me from ruin:
Open Disk Utility, which is in the Utilities folder of your Applications folder.
Select the startup disk from the list of volumes.
Click the First Aid tab.
To check permissions, click Verify Disk Permissions. To repair permissions, click Repair Disk Permissions.
https://support.apple.com/en-us/HT201560
OS: CentOS 7. When I (root) execute the command below, it says that "sudo" group cannot be found.
[root#localhost etc]# usermod -G sudo chauncey
usermod:“sudo” group doesn't exits
I also check file in /etc/group, and "sudo" doesn't exists in it. So, how can I create a "sudo" group correctly?
In centos, you adduser to wheel group instead of sudo.
usermod - aG wheel username
Sudo is not directly a group. The groups/users having sudoer rights are defined in a configuration file that you can access using sudo visudo. Check out this file to find out how it is configured on your system. Here is a good introduction https://www.garron.me/en/linux/visudo-command-sudoers-file-sudo-default-editor.html.
In your case, you have different ways to give sudo rights to chauncey.
find the group(s) having sudo rights in the sudoers file and add chauncey to one of these groups. For example, say you have this line in sudoers:
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
then, add chauncey to admin with sudo usermod -a -G admin chauncey.
create a new sudo group (sudo groupadd sudo) and add this lines (sudo visudo). Then once again add chauncey to the group
# the 'sudo' group has all the sudo privileges
%sudo ALL=(ALL:ALL) ALL
set a special rule for this user in the sudoers file using the following (note that there is no %, which is used to denote a group):
chauncey ALL=(ALL:ALL) ALL
Note that for all the rules I mentioned, I used the default ALL everywhere. The first one is the user(s) allowed, the second one is the host, the third one is the user as you are running the command and the last one is the commands allowed. You can tune your rules if ALL is too broad for your usecase.
I recently installed LAMP on my Ubuntu 14.04 laptop. But I didn't have full/root access to the files var/www and etc/apache2/sites-enabled/000-default.conf so I did some research to change permissions and admissions to the directory, using this command in the terminal:
sudo chown -R username:group directory
It worked perfectly. But now I can't do any sudo commands in the terminal. I wanted to restart the apache server but here is what it showed me:
sudo: /etc/sudoers is owned by uid 1000, should be 0
sudo: no valid sudoers sources found, quitting
sudo: impossible d'initialiser le greffon de règles
(my computer is in french btw).
What I want to know is how to set it back to sudo. I hope I explained myself good enough. If you need additional info that I didn't state please tell me. I will add it. Thnx.
Seems like you chown'd /etc/sudoers.
Try:
sudo chown root:root /etc/sudoers
Then if you want read/write privileges, see which group the folder /var/www belongs to (probably www-data)
To add yourself to the www-data group, try:
sudo useradd -a -G www-data yourUserName
Also, as a side note; be careful of recursive commands!!! If you're not sure what a command does, test it on a single file before making it recursive. For example:
DO NOT RUN THIS CODE, I DON'T INCLUDE SUDO ON PURPOSE SO YOU DONT HOSE EVERYTHING
rm -r /
Will delete everything inside / (a lot of stuff!)