Administrative tasks do not require you to log in anew;
instead you just type
su
at a (virtual) shell prompt and supply the root password.
Now you are 'root' and can run any program as 'root', even graphical ones.
You can return to your user account by hitting <CTRL d>.
A convenient way to save yourself many 'su's is to open a
virtual terminal, run su once and use it for all the 'root'
tasks during your session.
Of course you have to be sure that no one has physical access to your computer
during this session. Furthermore it is advisable to close this terminal or
to log out of the 'root' account while you are online.
One important thing to keep in mind is the difference between the
$PATH settings for users and root:
- user: /usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/user/bin:
- root: /sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin
So, if there is an executable in '/usr/local/bin', 'root'
will have to supply the full path to run this application, otherwise
the shell will just return 'not found'. The same goes for users and
executables in the 'sbin' directories.
If you want to preserve environment variables like $PATH,
use
su -p
Now root's $PATH is the same as the user's who su'd.
Note that this command will show the user's home directory as root's home
directory (since $HOME is preserved)!
The disadvantage of this switch is that directories which usually contain
administrative commands, like '/sbin' and '/usr/sbin', are no longer part
of 'root's' $PATH. You now have to supply the full path if you want to run
executables from these directories, or adjust the $PATH setting.
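The effect of su -p on command lookup, worked out from the two $PATH values listed above (an added example, not part of the original page; path_entries, has_entry and su_p_effect are hypothetical helper names). An empty entry, such as the one left by the trailing colon in the user's value, is shown as '.' because the shell searches the current directory for it.

```shell
#!/bin/sh
# path_entries PATHSTRING: print one entry per line. An empty entry is
# printed as "." because the shell treats it as the current directory.
path_entries() {
    rest="$1:"                      # sentinel keeps a trailing empty entry
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        [ -n "$entry" ] || entry="."
        printf '%s\n' "$entry"
    done
}

# has_entry PATHSTRING DIR: succeed if DIR is one of the entries.
has_entry() {
    path_entries "$1" | grep -xF -- "$2" >/dev/null
}

# su_p_effect ROOT_PATH USER_PATH: what root loses and gains when su -p
# keeps USER_PATH instead of switching to ROOT_PATH.
su_p_effect() {
    path_entries "$1" | while IFS= read -r dir; do
        has_entry "$2" "$dir" || echo "LOST $dir"
    done
    path_entries "$2" | while IFS= read -r dir; do
        has_entry "$1" "$dir" || echo "GAINED $dir"
    done
}

# The two values exactly as listed on this page.
ROOT_PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin
USER_PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/user/bin:

su_p_effect "$ROOT_PATH" "$USER_PATH"
```

Each GAINED line is a directory root will search for commands after su -p; the LOST lines are the ones that now need a full path.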
Another convenient option for 'su' is '-c':
su -c "command"
will execute command as 'root' and then immediately
return to the user account. One drawback is that command line completion
doesn't work with su -c, so if you want to install an RPM, you had
better type rpm -i rpm<TAB> first and then put
su -c in front of it. Do not forget to add the
quotes around the command to be executed.
Another drawback is that you can't start graphical programs this way.
You can shorten this somewhat arduous procedure
by adding this line to '/etc/inputrc':
"\C-xs": "\C-e\"\C-asu -c \""
and from the next session on you just hit <CTRL x>
on any given command line to turn it into su -c "command"!
'kdesu' is KDE's way to run applications with 'root'
privileges on a user's desktop. The syntax is like that of 'su':
kdesu -c "command"
This will pop up a small window asking for the root
password and then execute the program as 'root'.
You can run any program as 'root' via a graphical login
window; you just have to create an entry in the menu for it and wrap the
command which invokes that program in 'kdesu -c ""'.
Notice that all other desktops and window managers will
use 'kdesu', too, as long as the 'kdebase' package is installed. I haven't
found out yet what Mandrake Linux provides in case kdebase isn't installed.
Maybe some KDE hater can help me out here ;-).
'sudo' is a highly sophisticated yet quite easy
to use tool that lets users do some tasks as root, even in a large network.
'sudo' supports extensive logging in connection with '/etc/syslog.conf' and
the internal mailing system.
You can either get the source from 'sudo's home page or install it
from your Mandrake Linux CD. Control freaks and network administrators should
get the source since there are a lot of important options to choose from
at compile time; for everyone else (me included :)) the RPM will do.
'sudo's configuration file is '/etc/sudoers'. You configure
it with the command visudo (man visudo). For those
of you not familiar with the 'vi' editor, here are some basic commands:
- <i> puts you into 'insert' mode
- <ESC> <Z> <Z> exits and saves
- <ESC> <:> <q> <!> exits without saving
However, you can use another editor by setting the environment
variable $EDITOR appropriately (e.g. export EDITOR=/usr/bin/emacs).
You'll find the main documentation in man sudoers.
It is very concise and exhaustive; in most cases, however, reading the
EXAMPLES section will do.
A very simple example of '/etc/sudoers' for a single-user machine would be:
# Host alias specification
# User alias specification
# Cmnd alias specification
Cmnd_Alias RPM = /bin/rpm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
# User privilege specification
root ALL = (ALL) ALL
jim ALL = NOPASSWD: RPM, SHUTDOWN
The three aliases sections are used to define internal
variables which can then be used in the last section.
The first 'ALL' refers to machines in the network, which
you can define with Host_Alias. Since this is a stand-alone
machine, it doesn't matter.
This sudoers file allows user 'jim' to install and remove RPMs and tarballs,
and to shut down the machine. The syntax is
sudo command (e.g. sudo rpm -i blah.rpm, no quotes!)
'NOPASSWD' means just that: 'jim' won't have to provide
a password. You have to specify this option explicitly because by default
'sudo' asks for the account password before executing the command. You should
use this option only if no other Linux-literate person has physical access to your
machine. Furthermore you can set the option passwd_timeout min
to specify how long the password will be kept in memory. A funny option is
insults which will insult everyone who provides
a wrong password :-).
There are lots of security related options you should consider carefully
if working in an untrusted environment.
To list the sudo rights of the current user, type sudo -l:
User jim may run the following commands on this host:
(root) NOPASSWD: /bin/rpm
(root) NOPASSWD: /usr/sbin/shutdown
This will allow you to do the two most common administrative
tasks on your machine more conveniently without compromising your security
that much.
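How the aliases in the sudoers file above expand into the per-command listing that sudo -l prints, as an added example (not part of the original page and not sudo's own parser). The names sample_sudoers and list_sudo_rights are hypothetical, and only the simple syntax used on this page is handled.

```shell
#!/bin/sh
# The sudoers file shown on this page, one statement per line.
sample_sudoers() {
    cat <<'EOF'
# Cmnd alias specification
Cmnd_Alias RPM = /bin/rpm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
# User privilege specification
root ALL = (ALL) ALL
jim ALL = NOPASSWD: RPM, SHUTDOWN
EOF
}

# list_sudo_rights USER  (sudoers text on stdin)
# Hypothetical helper: handles only the subset used here, i.e. one-line
# Cmnd_Alias definitions and "user host = [(runas)] [NOPASSWD:] list".
list_sudo_rights() {
    awk -v user="$1" '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        $1 == "Cmnd_Alias" {                    # remember NAME -> command list
            name = $2
            sub(/^[^=]*=[ \t]*/, "")
            cmdalias[name] = $0
            next
        }
        $1 == user {
            sub(/^[^=]*=[ \t]*/, "")            # drop "user host ="
            runas = "root"                      # sudo default when no (runas)
            if (match($0, /^\([^)]*\)[ \t]*/)) {
                runas = substr($0, 2, index($0, ")") - 2)
                $0 = substr($0, RLENGTH + 1)
            }
            tag = ""
            if (sub(/^NOPASSWD:[ \t]*/, "")) tag = "NOPASSWD: "
            n = split($0, item, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {          # expand aliases to real paths
                cmds = (item[i] in cmdalias) ? cmdalias[item[i]] : item[i]
                m = split(cmds, c, /[ \t]*,[ \t]*/)
                for (j = 1; j <= m; j++)
                    printf "(%s) %s%s\n", runas, tag, c[j]
            }
        }
    '
}

sample_sudoers | list_sudo_rights jim
```

Reading the expanded paths rather than the alias names makes it easy to see exactly which binaries a NOPASSWD rule covers.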