R creates a group called staff and I want to be able to update packages without starting R as sudo. So I added myself to staff using:
sudo usermod -G adm,dialout,cdrom,plugdev,lpadmin,admin,sambashare,staff matt
(side question is there a way to add yourself to a group without listing every other group you're a member of?)
If i check /etc/groups i see
staff:x:50:matt
and the same for /etc/shadow
staff:*::matt
however if i run groups or id i'm not a member of staff. Also, I can't make changes to anything in /usr/local/lib/R.
Did you log the "matt" account out and back in after running the sudo usermod command? Changes to the groups a user is in under unix only take affect at login time.
https://superuser.com/questions/272061/reload-a-linux-users-group-assignments-without-logging-out
check that out ~
both
newgrp groupname
OR
su - username
will do the trick well ~
In answer to your side question, yes you can add a user to a group without listing them all. If you run a Debian based system, you can do it with
sudo adduser matt staff
The adduser utility is just a friendly wrapper around useradd/usermod etc.
If you don't have the adduser utility, you can still do it with usermod:
sudo usermod -a -G staff matt
The -a flag means append (as opposed to overwrite).
I know the original question is for Linux but OSX users can do the same with this command:
sudo dseditgroup -o edit -a newusertoadd -t user grouptobeaddedto
Explanation: The operation succeeded - that's why your name appears in the right linux files on /etc/passwd & /etc/group but as soon as you open a new terminal process the bash will be updated with this setting and you can perform id matt as well.
Clarification: You added yourself to additional group so you should have used append option -a (and not editing the all bunch of groups names to your user).
sudo usermod -aG staff matt
Related
How can I check if the current user has all privileges to use useradd and groupadd for creation of users and groups?
I don't want to request root privileges (e.g. requireing to be root or calling sudo) for my bash script unnecessarily. Instead I just want to ensure that the privileges are there to just use those commands.
The commands:
$ ls -l $(which useradd) $(which groupadd)
-rwxr-xr-x 1 root root 93136 Mai 28 2020 /usr/sbin/groupadd
-rwxr-xr-x 1 root root 147160 Mai 28 2020 /usr/sbin/useradd
As useradd and groupadd commands need some extra priviledges to run, you can setup access to sudo for specific commands like useradd and groupadd like below :-
Please go through it once, it will make most of the things clear to you
Controlling Access To sudo
The /etc/sudoers file configures the programs that users can access using sudo, along with whether or not a password will be needed.
The system administrator adds users to this file using the /usr/sbin/visudo command. Each non-comment line in the file has two parts:
A username ("<USER_NAME>"), or a group name ("%<GROUP_NAME>").
A list of machine names where a program may be run, or the keyword ALL. Following an equal sign (=), a list of user identities the command may be run as, enclosed in round brackets (parenthesis); the wildcard ALL may also appear. Finally, a list of applications that may be run as the named users; the keyword ALL is a wildcard.
The following examples should help make this clear:
<USER_NAME> ALL=(ALL) ALL
# User <USER_NAME> can execute any command as any user, but must know the password to the <USER_NAME> account.
<USER_NAME> ALL=(root) shutdown
# User <USER_NAME> can execute only command shutdown, but must know the password to the <USER_NAME> account.
<USER_NAME> ALL=(root) NOPASSWD: /usr/bin/id
# User <USER_NAME> can execute only the application /usr/bin/id; no password will be needed.
<USER_NAME> ALL=() NOPASSWD: /usr/bin/id
# User <USER_NAME> can execute only the application /usr/bin/id; no password will be needed.
Once the system administrator has entered the necessary setup into the /etc/sudoers file, users can safely access privileged system resources and activities like this:
$ sudo useradd username
No awkward quoting on the command line, just prefix the command you want with the word sudo. If you want to run the command as a user other than root, just add the -u username switch:
$ sudo -u <USER_NAME> useradd username
There will be a log entry written to the /var/log/secure file to show who did the deed.
Of course, the sysadmin can configure sudo not to request a password. In this case, the command is immediately executed although the audit trail entry will still be written.
Reference :- Sudo Tutorial
Please reach in the comments section for any help
Will be glad to help !!!
Assuming that you need root or sudo to add new users (same for group), you can check if the user has sudo rights, by checking if he is in the corresponding groups.
getent group sudo // shows all users in groupd sudo
Dont know what system/distro you are on - but on arch for example sudoers are in group wheel...
On Linux debian-linux 5.10.0-6-amd64 #1 SMP Debian 5.10.28-1 (2021-04-09) x86_64 GNU/Linux,
you can try this way in your script.
groupadd 2>/dev/null ; if test $? -eq 2 ; then echo ok ; else echo bad ; fi
If you can access groupadd or useradd, the return value is 2 because there is missings arguments.
If you can't acess groupadd or useradd, the return value is 127.
In my project i have to create a group on my centos server and add two users; i do:
sudo groupadd editorial
then i try to add my two users to group like this:
sudo usermod -a -G editorial nginx
sudo usermod -a -G editorial ec2-user
ok, no errors, but when i check my group:
sudo groups editorial
in output i get:
groups: editorial: no such user
why i cannot add my user to group?
Thanks in advance
Your form of the command is wrong. You separate the supplemental groups with commas not whitepsace, man usermod:
-G A list of supplementary groups which the user is also a member of. Each
group is separated from the next by a comma, with no intervening whitespace.
Example:
sudo usermod -a -G editorial,nginx nameofuser
And this questions is somewhat a close call, if you are writing a script to do this, then that is probably OK on StackOverflow, but if this is just a general "How do I use usermod", that should probably go to Super User or Unix & Linux
silly question.. but have you done "$sudo useradd nameofuser" before trying usermod?
OS: CentOS 7. When I (root) execute the command below, it says that "sudo" group cannot be found.
[root#localhost etc]# usermod -G sudo chauncey
usermod:“sudo” group doesn't exits
I also check file in /etc/group, and "sudo" doesn't exists in it. So, how can I create a "sudo" group correctly?
In centos, you adduser to wheel group instead of sudo.
usermod - aG wheel username
Sudo is not directly a group. The groups/users having sudoer rights are defined in a configuration file that you can access using sudo visudo. Check out this file to find out how it is configured on your system. Here is a good introduction https://www.garron.me/en/linux/visudo-command-sudoers-file-sudo-default-editor.html.
In your case, you have different ways to give sudo rights to chauncey.
find the group(s) having sudo rights in the sudoers file and add chauncey to one of these groups. For example, say you have this line in sudoers:
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
then, add chauncey to admin with sudo usermod -a -G admin chauncey.
create a new sudo group (sudo groupadd sudo) and add this lines (sudo visudo). Then once again add chauncey to the group
# the 'sudo' group has all the sudo privileges
%sudo ALL=(ALL:ALL) ALL
set a special rule for this user in the sudoers file using the following (note that there is no %, which is used to denote a group):
chauncey ALL=(ALL:ALL) ALL
Note that for all the rules I mentioned, I used the default ALL everywhere. The first one is the user(s) allowed, the second one is the host, the third one is the user as you are running the command and the last one is the commands allowed. You can tune your rules if ALL is too broad for your usecase.
Is it possible avoid sudo word while executing the higher privileged commands to a non-root user via a sudo policy such non-root users should not be able to know that he is executing higher privileged commands and also the usage of sudo might be complex.
Example:
Normal Execution of Sudo Command.
$ sudo -u root /usr/bin/tcpdump
non-root users should execute tcpdump like below.
$ tcpdump
Thanks in advance.
Note: I have defined a Sudo Policy for non-root users. So, when a non-root user executes tcpdump, in the backend it should execute as
sudo -u root tcpdump.
Yes. It is possible.
You should:
1- Create a new specific new group where some users would belong:
groupadd nonroot
2- Add your privileged users to that group:
2.1- Edit /etc/group:
vim /etc/group
2.2- Find the line of new created group. It should look like that:
nonroot:x:127:
2.3- At the end, add your privilaged users:
nonroot:x:127:user1,user2
3- Change the group of your binary:
chgrp nonroot /usr/bin/tcpdump
4- Give group execution permissions to the binary:
chmod g+x /usr/bin/tcpdump
You have to have in count that if the binary reads, writes or executes files which user1 has no permissions, you'll have modify them in the same way.
If you cannot change the group of the binary, check the right answer of post bellow, which is a similar way:
Allow users of a certain group to run a command without sudo
Hope it helps.
NOTE: Commands may differ between different linux/unix distros.
I can see at least two possibilities:
Wrap it in a script (an alias is also possible, but if users can use different shells or just start them manually, it can turn into a maintenence hell)
Set the suid bit on tcpdump, but that means everyone who can invoke tcpdump always does so as the owner.
You might want to explore using sudoers file.
Using CentOS as an example (should be similar for Debian), create a file within sudoers.d with the relevant name, e.g. tcpdump and include the following:
user ALL=NOPASSWD: /usr/bin/tcpdump command
Replace the user and command to suit your purpose. You can find out more here.
This coupled with a alias tcpdump='sudo tcpdump for the user should fit your use case.
im really new to Linux permissions so I would appreciate help with this simple query.
Ubuntu 14.04.1
I have 2 users root and user1
I have a directory /var/www/html/gallery
The directory is empty
I would like to create a new group add root and user1 to that group and make that group have read, write and delete permissions(FULL PERMISSIONS), to the directory, /var/www/html/gallery
Can someone please help me ?
Thank you.
Root is usually not added to any group because root is allowed to do everything he or she wants.
So you have multiple options now:
1) you don't create a group and give the permissons to user1 (simplest solution)
chown -R user1:user1 /var/www/html/gallery
chmod -R 700 /var/www/html/gallery
2) you create the group anyways and just add one user. that just makes sense when you want to add some more users to the group later
you can use acl for permissions,
sudo apt-get install acl
sudo groupadd connoisseurs
sudo usermod -a -G connoisseurs Teddy
sudo setfacl -m g:connoisseurs:rwx /var/www/html/gallery
you can vary permissions with r,w,x combinations.