working as a normal user?

Spanik · l33t Joined: 12 Dec 2003 Posts: 953 Location: Belgium

I have the habit of working as root. I know it isn't right so with the new install I made a normal user and added it to the following groups: wheel, audio, cdrom, video, usb, users and portage. So at least I should be able to do the normal things I do dailly.

It starts already to go wrong when starting the desktop. As I'm apt do break the setup I have it set to start in runlevel 3 at boot and then go manually to runlevel 5 by starting kdm.

If I log in as normal user I cannot start kdm. Ok, I run "su kdm" and give the root password. This fails because not allowed as user. So I log into runlevel 3 as root, then start kdm. This works.

I log into kdm as my normal user and start an xterm. First I try is to emerge kate. This fails because I have to be a superuser...

So why can a user that is part of the portage group not run "emerge"? I tought that was the whole idea of being to that group? If I have to be part of all those groups and then again have to use su to start emerge, jack, xine or any other applications I use every day then what is the use of a normal user?
_________________
Expert in non-working solutions

The Doctor · Moderator Joined: 27 Jul 2010 Posts: 2678

non-root users can't install or uninstall through emerge because then they would be able to make arbitrary root level changes to the system. The portage group allows regular users to search and check the result of commands with the -p flag.

Your KDM setup is problematic since it was never meant to be used this way. KDM must be run with root privilege since allows any user to log in. You should simply start it by default and use its console log in if you need a non-GUI shell or abandon a login manager altogether and use startx.

The solution to your woe is sudo. You can give your user the power to run your daily applications either with or without a password. I would recommend using a command whitelist without a password and limiting to harmless commands otherwise an attacker could exploit it both locally or remotely.

The problem here is mostly between the keyboard and the chair. The reason is security. Running as root is basically equivalent to running windows. You allow any attacker unlimited access to your machine. You have no protection. If you examine your machines you will probably find some nasties running on them. A user has only limited power and therefore can't actually use most attack vectors. Orders of magnitude safer.

Xine has me confused. It should run without any issue. Unless you are trying to read media from a location where you don't have permission. Most likely you have been running as root and messed up your home directory. You can use ls -l to view the permissions. Everything should either be owned by <user> <user> or <user> users. Jack probably has the same problem.

I would recommend you read up on unix permissions. You don't understand them and it would take a too much to fully explain them here.
_________________
First things first, but not necessarily in that order.

Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.

szatox · Advocate Joined: 27 Aug 2013 Posts: 3151

Modifying and managing your system is a task for root, not for user.
If you want to install new software, you must be root. Why are you surprised about it? That's the purpose of this account!
Start services? As root. It's not a part of user's daily chores either. Switch runlevels? Root! Linux has evolved from initial desktop system to general purpose one, including support for multiple users. Why should one user be able to alter behaviour of the machine in a way that affects other users? That's something _only_ admins should be able to do.

Yes, you DO need root access to start services. You do need root access to install or remove software, and you do need root to switch runlevels.
You can launch xorg as user with startx (or something similar) - without init scripts and without switching runlevels.

And group "portage" is being used for user-mode downloads and builds. You still need root access to install the software build by portage user.
Also, a hint on runlevel: Typical setup only needs 2 levels. Regular (Default/3) and panic or recovery mode (single/1) which is quite often handled by initramfs itself. If you're traveling with a laptop a lot, you may consider powersave (nonetwork/2), but there is hardly ever a point in populating 4 or 5. Yes, 5 used to be graphic mode, it's still available, but not needed anymore.

Spanik · l33t Joined: 12 Dec 2003 Posts: 953 Location: Belgium

This is a new install following the handbook, just finished kde and kdm. So /root is "empty"

The reason for running kdm after booting into a console is that most kde updates bork the system so that you need a console to get it going again. Just self-defence.

I agree with your argument about safety, that's why I want to put order in it. But if I have to run each and every command/application as superuser (aka root) then what is the use of being a normal user? I really miss something there. To me this looks just the same as if I run as superuser from the start.
_________________
Expert in non-working solutions

NeddySeagoon · Posted: Tue Nov 15, 2016 9:24 pm Post subject:

Spanik,

You use your normal unprivileged user to err, use your system.
You become root to administer the system.

You can configure your normal user, to have the startx command start KDE.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

asturm · Developer Joined: 05 Apr 2007 Posts: 8938

I'm confused, does that mean all you do with Gentoo is administrating it? :lol:

ct85711 · Veteran Joined: 27 Sep 2005 Posts: 1791

It's the same thing you do on any other linux system is that the root user is to administer the system. The normal user is what you usage for normal every day usage. Like for me, I have 1 linux box that I only login as root once every 6-12 months to update the system (no it is not a Gentoo system, as I don't have time to administer that system too much), every other time I use a regular user to surf the web, file management, print and that stuff. My main linux system, I login as root once a week to update the system. Since the system is setup, I don't need root access anymore as all the necessary services is already started.

In the end, there's a reason why linux is designed around this key piece; security... In my case, I moved my mom (classical id10t user) onto a linux box, even though it caused me more issues right away. My reasoning was because on windows, she was downloading numerous viruses weekly ( or more frequently) and it got tiring on removing all of them on a constant basis. In the end, she only needed to be able to do 4 main things; use the web, print, file management (including to flash drive), and use her embroidery program (an old windows app, that should have been put out of it's misery a while ago, but keeps limping around due to costs). Beyond that, she doesn't ever do anything else on her computer, so she won't ever have access to the root account.

Tony0945 · Posted: Wed Nov 16, 2016 3:18 am Post subject:

If you are running OpenRC, all you have to do is run "rc-update add kdm" once as root and it will start automatically every boot. You then can login in as your user and surf the web, check and write e-mail, compose and print letters, watch videos and more as a regular user. If kdm barfs, you can (even as a normal user) press CTL-ALT-F1 or CTL-ALT-F2 thru CTRL-ALT-F6 to get a console in the normal installation. (the kdm logon screen will be running on console CTL-ALT-F7) If your home directory has it's permissions screwed up, run (as root) "chown -R tony:tony /home/tony" as an example for user "tony". At least half the time I'm playing with my system, so I've screwed up permissions a few times.

If the GUI screen is screwed up, CTL-ALT-F1, login as root and run "/etc/init.d/kdm stop" and it will kill kdm.
Opinions differ on whether you should update your GUI and/or X11 from a GUI screen. I also do, but that doesn't mean it's safe. After all, I've never broken my arm, but I don't assume my arm is unbreakable.

Spanik · l33t Joined: 12 Dec 2003 Posts: 953 Location: Belgium

Ok, I tried it a bit more. I wanted to mount the USB backup disks to get my datafiles on the pc. "Fdisk -l"... need to be root, "mount": need to be root. I need these almost daily when transfering SD cards from the camera to the pc and then back them up to the usb HD's. Same with usb memory sticks for updating systems, or using dd to make SD boot cards. All data is normally on mounted disks but none of these are auto-mounted. I do not want them to be either because of previous bad experiences where for one reason or another the enumeration changed and thus the auto-mounts as well, leading to confusoin and lost files.

So yes, I can edit a photo but I cannot get it from where it is right now and I cannot save it where I need it. (I know, can su or sudo for each and every thing but then what is gained?) Haven't tried jack and audio recording/editing yet. I'll try that when they are installed.
_________________
Expert in non-working solutions

Tony0945 · Posted: Wed Nov 16, 2016 5:13 pm Post subject:

You can make your disks mountable by user in fstab. I'm not sure of the exact syntax.

NeddySeagoon · Posted: Wed Nov 16, 2016 5:19 pm Post subject:

Spanik,

You need the option user or users in /etc/fstab

user only permits the user performing the mount, to use umount.
This prevents another user stealing optical media out of the drive.

users lets any user perform umount.

One tiny gotcha - users must use the lazy form of mount or fstab will not be consulted.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

Tony0945 · Posted: Wed Nov 16, 2016 5:47 pm Post subject:

Based on my experiments, the following applies if the partition is NTFS:

1. emerge sys-fs/ntfs with flags suid and -external-fuse

2. add user to disk group and make sure the group can access the mount point

Spanik · l33t Joined: 12 Dec 2003 Posts: 953 Location: Belgium

NeddySeagoon · Posted: Wed Nov 16, 2016 9:24 pm Post subject:

Tony0945,

You never need to add a normal user to the disk group.
That gives them block level access to all your disks.

Its trivial for such a user to run hexedit on say /etc/shadow, insert a new root password hash, do anything they want as root, then revert the root password hash.
There is no valid reason to have any users is the disk group, ever root.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

The Doctor · Moderator Joined: 27 Jul 2010 Posts: 2678

Look into identifying your external media by label or UUID. These ids are independent of the sd* designations.
_________________
First things first, but not necessarily in that order.

Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.

Tony0945 · Posted: Thu Nov 17, 2016 12:03 am Post subject:

The Doctor · Moderator Joined: 27 Jul 2010 Posts: 2678

Tony0945 · Posted: Thu Nov 17, 2016 3:06 am Post subject:

NeddySeagoon · Posted: Thu Nov 17, 2016 1:07 pm Post subject:

Tony0945,

With the fstab entry option user or users users can mount that filesystem.
However, they cannot use the full