Hentzenwerke Whitepaper Series

Root, SU and SUDO

By Whil Hentzen

The Linux "root" user has what many system admins refer to as 'god' powers – complete control over the machine and environment. In the next breath, any competent sysadmin will admonish you to avoid logging in as root unless absolutely necessary, and then they'll add for effect, "and it's almost never necessary." But the new Linux admin or user will find that root access seems to be necessary a lot more than their admin friend lets on. The reason the experienced admin doesn't need to log on as root is that they've got a couple of root access tricks up their sleeve, namely, the 'su' and 'sudo' commands. In this article, I'll explain how to use 'su' and 'sudo' to avoid a lot of root logins.

Hentzenwerke Publishing, Inc.
articles@hentzenwerke.com
www.hentzenwerke.com

1. Preface

1.1 Copyright

Copyright 2006 and beyond Whil Hentzen. Some rights reserved. This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs License, which basically means that you can copy, distribute, and display only unaltered copies of this work, but in return, you must give the original author credit, you may not distribute the work for commercial gain, nor create derivative works based on it without first licensing those rights from the author. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/.

1.2 Revisions

1.2.1 History

    Version   Date         Synopsis   Author
    1.0.0     2006/11/04   Original   WH

1.2.2 New version

The newest version of this document will be found at www.hentzenwerke.com.

1.2.3 Feedback and corrections

If you have questions, comments, or corrections about this document, please feel free to email me at 'articles@hentzenwerke.com'. I also welcome suggestions for passages you find unclear.

1.3 References and acknowledgments

Thanks to many MLUG members for various tips and tricks, and for not laughing when I asked dumb questions.

1.4 Disclaimer

No warranty! This material is provided as is, with no warranty of fitness for any particular purpose. Use the concepts, examples and other content at your own risk. There may be errors and inaccuracies that in some configurations may be damaging to your system. The author(s) disavows all liability for the contents of this document.

Before making any changes to your system, ensure that you have backups and other resources to restore the system to its state before making those changes.

All copyrights are held by their respective owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

1.5 Prerequisites and assumptions

This document was written using Fedora Core 6, and assumes a beginner's familiarity with use of Linux via the GUI and the Command Window. I also assume that you, as a regular user, have root access to your machine. The rest of this article uses the Command Window for its examples and exercises.

2. Command prompts for the root user vs. regular users

The command window prompt ends either in a dollar sign ($) or a pound sign (#). The $ means that you are logged on as a regular user. The # means you are logged on as root.

How do you remember the difference? Some people refer to the pound sign as a 'splat', which is exactly what you'll do as a root user if you aren't sure about a command and you're not careful.

3. Changing to root inside the command window

You can change to root after opening a command window in one of two ways: via "su" and via "su -".

3.1 The "su" command

The first is by using the 'su' command:

    [bob@mymachine ~]$ su
    Password:
    [root@mymachine bob]#

The password is for the root user, not the regular user who was originally logged in. Note that you're still in the user's home directory, but now you're root, which means that you have godlike powers. You'll also notice that the title bar of the command window has changed.

You can make any change you want to the system, such as install software, delete files, get into anyone else's home directory, and generally cause all sorts of havoc if you're not careful. For example, "rm -rf /" will destroy every file on the machine in about five blimptsoseconds.

3.2 The "su -" command

The second way is using the "su -" command:

    [bob@mymachine ~]$ su -
    Password:
    [root@mymachine ~]#

If you use this method, you'll note that both the prompt string and the title bar have changed. Also note that you're now in the root user's home directory ("/root") instead of the original user's home directory ("/home/bob"). The reason is that the "-" after the "su" command brings root's environment along with it.

What's an environment? It's a group of settings, such as the prompt, system variables, and so on, that belong to a specific user. The home directory, for example, is one such setting, and the command prompt string is another. These can be different (and often are) for different users.

When you use the "su" command, you're just gaining root privileges, but you're still working in the original user's environment, with the original user's path, prompt, home directory, and system variables. When you use the "su -" command, you switch your environment to that of root, and that's why you're suddenly launched into root's home directory.

"su -" is short for "su -l" or "su --login", by the way.

4. Using SUDO for a single "su" command

Often times you'll find yourself switching to the root user via 'su' in order to run just one command. It can be a nuisance if you're doing this over and over. You might want to keep a spare terminal window open and set up as root, but on the other hand, you might find that to be too much of a temptation, or just too dangerous.

The "sudo" command allows you to get around this. Specifically, "sudo" ("Super User DO"), after being set up by a system administrator, gives a user the ability to run a command as another user. When set up to allow a user to run a command as root, "sudo" obviates the need for the regular user to "su" to root before running that command.

As an aside, the commands and arguments that the regular user executes via "sudo" are logged.
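
What those logged entries look like, and one way to review them, as an added example that is not part of the original whitepaper. The log lines are constructed samples in the format sudo writes through syslog (on Fedora the real entries are assumed to land in /var/log/secure), and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: turn sudo's syslog entries into one tab-separated record each.

# Constructed sample lines in the format sudo writes via syslog (not real logs).
sample_log() {
cat <<'EOF'
Nov  4 10:15:01 mymachine sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ls /root
Nov  4 10:15:01 mymachine sudo: pam_unix(sudo:session): session opened for user root by bob(uid=0)
Nov  4 10:16:40 mymachine sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Nov  4 10:20:12 mymachine sudo:    alice : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/kill 1
Nov  4 10:21:03 mymachine sshd[2211]: Accepted password for bob from 192.0.2.10 port 40022 ssh2
Nov  4 10:25:55 mymachine sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/kill 4242
EOF
}

# Reads log lines on stdin; prints: status <TAB> user <TAB> run-as user <TAB> command
sudo_events() {
    awk '
    match($0, / sudo(\[[0-9]+\])?: +/) {
        rest = substr($0, RSTART + RLENGTH)      # text after the "sudo:" tag
        if (rest !~ /^[^ ]+ : /) next            # PAM and other non-command lines
        n = split(rest, part, / ; /)
        user = part[1];   sub(/ : .*$/, "", user)
        reason = part[1]; sub(/^[^:]* : /, "", reason)
        # A permitted command goes straight to TTY=; a refusal states its reason first.
        status = (reason ~ /^TTY=/) ? "ALLOWED" : "DENIED(" reason ")"
        runas = ""
        for (i = 1; i <= n; i++)
            if (runas == "" && part[i] ~ /^USER=/) runas = substr(part[i], 6)
        # COMMAND= is the last field and may itself contain " ; ", so cut by position.
        c = index(rest, "COMMAND=")
        cmd = c ? substr(rest, c + 8) : ""
        printf "%s\t%s\t%s\t%s\n", status, user, runas, cmd
    }'
}

# Only the refused attempts: usually the first thing worth reading.
denied_sudo() { sudo_events | grep '^DENIED'; }

# Stand-alone run: show the refused attempts in the constructed sample.
sample_log | denied_sudo
```

To review a real log instead of the sample, feed the file to the same function as root, for example: sudo_events < /var/log/secure.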

4.1 Set up "sudoers"

In order to use "sudo" as a regular user, the root user has to make an entry in a special file, "/etc/sudoers", that provides permission for the user to run a specifically designated command as another designated user on a designated host. This is done with a special program called "visudo".

While "sudoers" is just a plain text file, editing it with the 'visudo' program, instead of just opening "/etc/sudoers" with your favorite text editor, is recommended for a couple of reasons. First, "visudo" will do syntax checking to make sure that the entry or entries you've made are correct, and second, conveniently, "visudo" knows where "sudoers" is located. Some folks will claim that they edit "sudoers" with their own editor and have never had problems, but this isn't for the inexperienced or the faint of heart.

In order to give the user "bob" the ability to run the "kill" command on host 'mymachine', run "visudo" as root. You'll see that the "/etc/sudoers" file is opened with the vi text editor, so you've got access to standard vi commands in command mode and vi editing in insert mode.

The manual for "sudo" (see Section 5 for more info) provides a wealth of information on how to construct entries in "sudoers", as they can be robust and extremely flexible, providing the ability to create aliases for users, hosts and commands. The manual can thus also be overwhelming, so here are a couple of simple examples.

To allow "bob" to run the script "/etc/somescript":

    bob mymachine=/etc/somescript

To allow "bob" to run the /usr/bin/kill command:

    bob mymachine=/usr/bin/kill

and to allow "bob" to run the /bin/ls command:

    bob mymachine=/bin/ls

4.2 Run "sudo"

Once the "sudoers" file has been modified, it's time for "bob" to use sudo to snoop around. Normally, bob can't access the contents of the root user's home directory:

    [bob@mymachine ~]$ ls /root
    ls: /root: Permission denied

as expected. But using "sudo" and entering root's password, bob can be nosy:

    [bob@mymachine ~]$ sudo ls /root
    Password:
    anaconda-ks.cfg  Desktop  install.log  scsrun.log  something_secret
    [bob@mymachine ~]$

After the command executes, the user is returned to their original permissions; sudo allowed 'bob' to run just one command as root, as desired.
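
An entry like the one for "/etc/somescript" in Section 4.1 is only as safe as the file it names: if anyone other than root can modify that file, or replace it in its directory, the entry effectively lets them run anything as root. The following added example (not from the original whitepaper) checks that for entries in the simple form shown in 4.1; the function names, the sample file and the temporary paths are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag sudoers commands that someone other than root could modify.
# Handles only the simple "user host = /path/cmd [args], ..." form from Section 4.1.

audit_sudoers_cmds() (
    set -f; file=$1; owner=${2:-root}   # owner: account that must own each command
    sed 's/#.*//' "$file" | grep '=' |
    grep -Ev '^[[:space:]]*(Defaults|[A-Za-z]+_Alias)' |
    while IFS='=' read -r who cmds; do
        set -- $who; user=$1                    # first word is the sudo user
        printf '%s\n' "$cmds" | tr ',' '\n' |
        while read -r path args; do             # arguments are not inspected
            [ -n "$path" ] || continue
            case $path in
                /*) ;;
                *)  echo "REVIEW $user $path not-an-absolute-path"; continue ;;
            esac
            [ -e "$path" ] || { echo "RISK $user $path missing"; continue; }
            for t in "$path" "$(dirname "$path")"; do
                # -H: judge what a symlink points to, not the link itself
                bad=$(find -H "$t" -prune \
                      \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print)
                [ -z "$bad" ] || echo "RISK $user $path modifiable: $t"
            done
        done
    done
)

# Constructed fixture: a sudoers-style sample file plus three command files.
make_fixture() {
    d=$(mktemp -d) && mkdir "$d/open" || return 1
    for f in good loose open/tool; do
        printf '#!/bin/sh\n' > "$d/$f"; chmod 755 "$d/$f"
    done
    chmod 777 "$d/loose" "$d/open"      # writable by everyone: the weak cases
    printf '%s\n' "# constructed entries" "bob mymachine = $d/good" \
        "bob mymachine = $d/loose, $d/open/tool -v" \
        "alice mymachine = ALL" > "$d/sudoers.sample"
    echo "$d"
}

# Stand-alone run: the fixture files belong to the current user, so pass that uid.
d=$(make_fixture) && audit_sudoers_cmds "$d/sudoers.sample" "$(id -u)"; rm -rf "$d"
```

Against the real file, run it as root on /etc/sudoers and leave the owner argument at its default of root.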

5. Where to go for more information

Naturally, "man sudo" will provide detailed reference information, but there's a great manual with examples galore at sudo's home page, www.sudo.ws.

6. About the author

Whil Hentzen started out life in the early '80's as a custom software developer using dBASE II (he still has the original 8 1/2 x 11 grey binder of documentation, much to the chagrin of his wife), and switched to FoxPro in 1990. Besides billing 15,000 hours in the 90's, he presented more than 70 papers at conferences throughout North America and Europe, edited FoxTalk, Pinnacle Publishing's high end technical journal, for 7 years, and hosted the Great Lakes Great Database Workshop since 1994. He's written 7 books and published 30 more on a variety of software development topics. He was a Microsoft Most Valuable Professional from 1995 through 2003 for his contributions to the FoxPro development community, and received the first Microsoft Lifetime Achievement Award for Visual FoxPro in 2001.

Whil began using Linux on the desktop when OpenOffice.org became a standard in the mainstream distributions, as it spelled potential for custom application development in the future, and has been a Linux user, developer, and evangelist ever since. His first book on Linux, Linux Transfer for Windows Power Users, was published in early 2004. He is available for new and legacy Visual FoxPro application development as well as Web and desktop development on Linux.

7. A word from our sponsor

This free whitepaper is published and distributed by Hentzenwerke Publishing, Inc. We have the largest lists of "Moving to Linux", OpenOffice.org, and Visual FoxPro books on the planet.

We also have oodles of free whitepapers on our website and more are being added regularly. Our Preferred Customer mailing list gets bi-monthly announcements of new whitepapers (and gets discounts on our books, first crack at special deals, and other stuff as we think of it.)

Click on "Your Account" at www.hentzenwerke.com to get on our Preferred Customer list.

If you found this whitepaper helpful, check out these Hentzenwerke Publishing books as well:

Linux Transfer for Windows Network Admins: A roadmap for building a Linux file and print server
Michael Jang

Linux Transfer for Windows Power Users: Getting started with Linux for the desktop
Whil Hentzen