Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

0 votes
2 answers
4253 views
Account locked after adding line on /etc/passwd file
I have installed this version of Ubuntu on my laptop.

```
└─ $ ▶ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.3 LTS
Release:        16.04
Codename:       xenial
```

Because of my limited knowledge regarding Linux, I have added a line manually to `/etc/passwd`. The user I log in to the laptop with is `gofoboso`, with a password. This user has sudo rights. After adding the second line to the contents below, I no longer have sudo rights.

```
root:x:0:0:root:/root:/usr/bin/zsh
gofoboso:x:0:0:gofoboso:/gofoboso:/usr/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
```

I understand that the passwords are encrypted in the `/etc/shadow` file, and now this has the exact attributes as the root user has (??)

```
─ $ ▶ sudo cat /etc/shadow
[sudo] password for gofoboso:
Sorry, try again.
[sudo] password for gofoboso:
sudo: account validation failure, is your account locked
```

This is the company's laptop and I do not have the root password. I've tried some commands I found online but all of them required sudo. Does anyone know how I can revert this? Most importantly, I cannot restart the laptop or shut it down, because it will ask for the password of the user `gofoboso`, which is probably the same as root's now?? If it cannot be fixed without becoming root: if someone who knows the root password deletes that line, will the `gofoboso` user be enabled again? Thanks.
g0f0b0s0 (11 rep)
Feb 2, 2018, 10:18 PM • Last activity: Aug 3, 2025, 02:04 AM
3 votes
0 answers
81 views
Hibernation does not work under normal user
I have a problem with hibernating my computer. Everything was working before an update. The update installed Plasma 6.3.5. Hibernating from the start menu doesn't work either. After the update, the following command reports an error under a normal user:

```
$ loginctl hibernate
Error registering authentication agent: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Cannot determine user of subject (polkit-error-quark, 0)
```

However, under root, the

```
$ loginctl hibernate
```

works as expected. A normal user is a member of these groups:

```
$ id
uid=1000(ibarina) gid=1000(ibarina) groups=1000(ibarina),6(disk),7(lp),10(wheel),18(audio),27(video),85(usb),100(users),106(lpadmin),250(portage),272(plugdev),377(pcap)
```

Moreover,

```
grep loginctl /var/log/everything/current
```

gives

```
Jul 17 17:22:49 [loginctl] Failed to hibernate system via elogind: Interactive authentication required.
```

Installed versions: `sys-auth/polkit-126-r1`, `sys-auth/elogind-255.5-r2`
DaBler (101 rep)
Jul 23, 2025, 10:16 AM • Last activity: Jul 28, 2025, 10:10 AM
11 votes
4 answers
10606 views
How to run linux perf without root
I want to benchmark an application of mine. Up to now I used GNU time, but perf yields much better stats. As a matter of principle I would like to go the route of a dedicated perf user instead of allowing all users some security-related things, not because I am aware of a specific danger but because I don't understand the security implications. Therefore I'd like to avoid lowering the paranoid setting for perf as discussed in this question. Reading kernel.org on perf-security (note that the document seems to imply that this should work with Linux 5.9 or later), I did this:

```
# addgroup perf_users
# adduser perfer
# addgroup perfer perf_users
# cd /usr/bin
# chgrp perf_users perf
# chmod o-rwx perf
# setcap "cap_perfmon,cap_sys_ptrace,cap_syslog=ep" perf
# setcap -v "cap_perfmon,cap_sys_ptrace,cap_syslog=ep" perf
```

which returns `perf: ok`.

```
# getcap perf
```

returns `perf cap_sys_ptrace,cap_syslog,cap_perfmon=ep`, which is different from the link, where they got `perf = cap_sys_ptrace,cap_syslog,cap_perfmon+ep`. My Linux is `5.10.0-5-amd64 #1 SMP Debian 5.10.24-1`. If I now run perf as user perfer I still get the error message

```
Error:
Access to performance monitoring and observability operations is limited.
Consider adjusting /proc/sys/kernel/perf_event_paranoid setting to open
access to performance monitoring and observability operations for processes
without CAP_PERFMON, CAP_SYS_PTRACE or CAP_SYS_ADMIN Linux capability.
More information can be found at 'Perf events and tool security' document:
https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html
perf_event_paranoid setting is 3:
  -1: Allow use of (almost) all events by all users
      Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK
>= 0: Disallow raw and ftrace function tracepoint access
>= 1: Disallow CPU event access
>= 2: Disallow kernel profiling
To make the adjusted perf_event_paranoid setting permanent preserve it
in /etc/sysctl.conf (e.g. kernel.perf_event_paranoid = )
```

which I tried to circumvent with all of the above. Do any of you know how to get perfer to run perf without lowering the paranoid setting?
Eike (221 rep)
Mar 27, 2021, 02:23 PM • Last activity: Jul 27, 2025, 05:07 PM
4 votes
2 answers
4041 views
Startx as non-root user via SSH
I have a remote VM running Ubuntu 1804 and would like to run VNC. I am using x11vnc, which requires an X server to be running. Currently, I'm connected through SSH. The VM has an Nvidia card, and after generating the xorg.conf with nvidia-xconfig, I can start an X session using startx, but only as root. Any subsequent connection via VNC is then as root, which I want to avoid. The Device section in the xorg.conf file looks like this:

```
Section "Device"
    Identifier     "Device0"
    Driver         "nvidia"
    VendorName     "NVIDIA Corporation"
    BoardName      "Tesla K80"
    BusID          "0:30:0"
EndSection
```

When trying to launch startx as a non-root user, I get the following:

```
/usr/lib/xorg/Xorg.wrap: Only console users are allowed to run the X server
```

If I change `/etc/X11/Xwrapper.config` to allow anybody to startx, I get the following:

```
Couldn't get a file descriptor referring to the console
```

I've been reading that connecting via SSH doesn't mean that you're connected to a text console, which you need to run startx. Trying to change to a text console with chvt fails and doesn't change anything. Is there any way that I can launch X via SSH?
Markus Schlafli (141 rep)
Nov 26, 2019, 05:02 PM • Last activity: Jul 17, 2025, 03:02 AM
3 votes
1 answers
6004 views
How to make a loopback device writable for normal user?
I set up a loopback device following [this guide](https://www.thegeekdiary.com/how-to-create-virtual-block-device-loop-device-filesystem-in-linux/). The device is OK, but only writable for root. I searched for solutions and found some answers such as using `fusermount`, `fstab` etc., e.g. [this one](https://unix.stackexchange.com/questions/46423/mounting-and-modifying-a-loopback-file-without-sudo-root-is-it-possible). I would like to know specifically:

1. Requiring root to _create_ the device is **not** a problem, but it must be writable for normal users after it is mounted.
2. I hope to **avoid** using `/etc/fstab`, because all I need is to do it spontaneously, or in a shell script, where I have neither a fixed loopback image nor a fixed mount point.
xrfang (245 rep)
Nov 15, 2021, 07:55 AM • Last activity: Jul 11, 2025, 10:02 AM
4 votes
1 answers
2091 views
How to change user on SWAT page (or how to control Samba by nonprivileged user)
I logged into SWAT with my nonprivileged user, since the root account is usually disabled on modern Linux systems. I cannot control any Samba parameters with this user. Once I enable the root account, how should I log out from SWAT and re-login into SWAT as root? Or how should I make my nonprivileged user able to control Samba parameters? Put the user into a certain group? Specify the user in some SWAT config as a privileged one?
mbaitoff (5221 rep)
Jun 22, 2011, 05:45 AM • Last activity: Jul 6, 2025, 01:04 PM
1 votes
1 answers
1025 views
how to add PID inside cgroup.procs with non-root privileges in cgroup-v2 in Ubuntu
I created a cgroup in `/sys/fs/cgroup` called `testGrp`. I need this cgroup to be controlled by a non-root user, so I changed the ownership of the whole directory.

```shellsession
/sys/fs/cgroup$ sudo chown -R normUser testGrp/
```

I made sure that all files inside `testGrp` are owned by the new user `normUser`. This user can change the interface files like `io.max` normally, but is not permitted to add any PID to `cgroup.procs`.

```shellsession
/sys/fs/cgroup/testGrp$ ll cgroup.procs
-rw-r--r-- 1 normUser root 0 Aug 21 14:13 cgroup.procs
/sys/fs/cgroup/testGrp$ whoami
normUser
/sys/fs/cgroup/testGrp$ echo $$ > cgroup.procs
bash: echo: write error: Permission denied
```

I thought that changing the ownership of the cgroup would solve the issue of needing root privileges, but apparently it doesn't. So how can I control the cgroup without using the root user?
Belal Elkady (13 rep)
Aug 21, 2023, 07:19 PM • Last activity: Jul 5, 2025, 07:39 AM
3 votes
2 answers
2331 views
Install userspace programs on server without root access
I would like to install some programs on my work development server because it is missing some programs I need for my day-to-day job. I don't have root access. What I did up to now is compile the software I need with the option `--prefix=/path/to/local/root`. I then created a script that looks like this:

```sh
#!/bin/sh
export LOCAL_PATH="/path/to/local/root"
export LD_LIBRARY_PATH="$LOCAL_PATH/lib:$LOCAL_PATH/lib64:$LOCAL_PATH/lib64:$LD_LIBRARY_PATH"
binary=$(basename "$0")
"$LOCAL_PATH/bin/$binary" "$@"
```

Then, if I create a symlink to this program with the right name, it will run the local version. However, I have some issues:

- The install folder might move from time to time. It happened recently and I had to reinstall everything.
- Some programs use libtool, which ignores `LD_LIBRARY_PATH` when it finds a library in `/usr/lib` (which in my case was outdated).
- The programs are hard to maintain or update.

For the first two problems, it seems that creating a chroot would solve the problem. Would fakechroot help in that case? Will my script still work? Also, the last issue makes me think about switching to a package manager. I was thinking about portage (from Gentoo, which I use at home), but maybe there are some more suited to my needs. Any suggestion? Maybe a lightweight Linux distribution? Finally, do I need to symlink `/local/lib` and `/local/lib64` together?
Nicop (231 rep)
Aug 20, 2015, 11:23 PM • Last activity: Jul 4, 2025, 06:07 PM
0 votes
0 answers
20 views
Accessing USB Gadgetfs driver without sudo
I am working with an embedded machine (Rock Pi S) which can act as a USB device, communicating with a host device using the USB OTG port on the machine. I use the gadgetfs functionality of Linux for this, specifically the driver `/dev/gadget/ff400000.usb`. It works, but only if I run the software with sudo, because the device files are access protected. This causes headaches because I often need to debug various problems, but my remote debugging tools don't run the program as root, so basically I cannot use a debugger as it is now, slowing down development a lot. So how can I enable access to my USB gadgetfs driver without root?

- I have tried simply temporarily chmod'ing the file, but it doesn't work because it also dynamically creates a bunch of secondary files for each USB endpoint, which also need sudo to access.
- I have also attempted to use udev rules, but if I run `udevadm info -a -n /dev/gadget/ff400000.usb`, it just says "Unknown device", which AFAIK means that udev cannot be used on this driver?
GrixM (101 rep)
Jun 8, 2025, 05:41 AM
11 votes
1 answers
1159 views
Why doesn't visudo, like sudoedit, spawn a text editor as a regular user?
As far as I know, `sudoedit` gives a user permission to edit a file that is owned and writable by root. It makes a copy of that file, the copy is owned by the user, and then it spawns a text editor with the privileges of the user. In this way, it avoids the dangers of running a text editor as root (shell escapes). On the other hand, `visudo` also makes a copy of the sudoers file. However, that copy is owned by root and it spawns a text editor with root privileges. Also, on a Debian 12 system I tried, you can get a root shell from within `visudo`: it spawns an instance of nano and via the _Execute_ option in nano you can get a shell escape. For example, if you type `cat /etc/shadow` into _Execute_, it works. Why does `visudo` spawn a text editor as root? Why can't it do what `sudoedit` does (make a copy owned by the user, spawn a text editor as the user)? Wouldn't that be more secure? At least, shouldn't it block shell escapes from within the text editor that it spawns as root? Why doesn't it do that?
codeandfire (215 rep)
May 20, 2025, 02:35 PM • Last activity: May 22, 2025, 09:38 AM
6 votes
1 answers
11028 views
Install using yum without root permissions
So I don't have root permissions, but I've been installing packages to a local directory on my (CentOS) system and it works fine. But I was wondering if I can do the same using `yum`. The reason I want to use `yum` is because I don't want to worry about dependencies and want `yum` to take care of that for me. Is there a way to do this?
Chenna V (159 rep)
Mar 8, 2012, 06:22 PM • Last activity: May 14, 2025, 01:03 PM
2 votes
1 answers
4219 views
Docker: Sending log files as non-root user to /dev/stdout
I'm trying to start a docker container, which has 2 services. One of those services needs to be run as a non-root user, otherwise it won't start. The other must run as root. Now I want to link the `non_root_service.log` file to either `/dev/tty` or `/dev/stdout`, so that the logs can be caught by docker (check with `docker logs $CONTAINER`):

```
ln -s /dev/stdout non_root_service.log
```

The problem with doing so is that the non-root user has no rights to write to either `/dev/tty` or `/dev/stdout`, resulting in the following error on startup of the non-root service:

```
cannot open "non_root_service.log": Permission denied
```

But if I don't create the link, I cannot catch the logs with `docker logs $CONTAINER`. Does anyone have an idea how that could be fixed, so that I can run the user as non-root AND link the log files to `/dev/{tty,stdout}`?

P.S.: It does not matter if I use a shell script `CMD ["starter.sh"]` or supervisor `CMD ["supervisord", "-n", "-c", "/app/supervisord.conf"]` to start the 2 services; I get the same error with both.
manifestor (2563 rep)
Dec 10, 2017, 06:17 PM • Last activity: May 1, 2025, 01:03 PM
0 votes
1 answers
63 views
RUNUSER && SU: pass env and run app, permissions trouble
I'm new to working with OSes and Unix. I'm trying to create separate users for an application, nginx, etc., in order to run the processes on their behalf. I'm currently debugging the following ways to run the command, and I can't figure out exactly what's really going on when using the `runuser -u username` and `su username` commands.

**UPDATE** (thanks to @Kusalananda) Okay, what's wrong with permissions?

```
root@someuser:/somehome# runuser -u app "source /etc/app/secrets/env; /somehome/way/app &" &
479621
root@someuser:/somehome# runuser: failed to execute source /etc/app/secrets/env; /somehome/way/app &: Permission denied
^C
Exit 1 runuser -u app "source /etc/app/secrets/env; /somehome/way/app &"
root@someuser:/somehome#
root@someuser:/somehome# ls -ld /etc/app/secrets/env
-r-------- 1 app nogroup 1126 Apr 1 15:15 /etc/app/secrets/env
root@someuser:/somehome# ls -ld /etc/app/secrets
drwx------ 2 app nogroup 4096 Apr 1 15:15 /etc/app/secrets
root@someuser:/somehome# ls -ld /somehome/way/app
-rwxrw-r-- 1 app someuser 348528086 Mar 31 22:23 /somehome/way/app
root@someuser:/somehome# ls -ld /somehome/way/
drwxr-xr-x 3 someuser someuser 4096 Apr 1 09:30 /somehome/way/
```

Or I am now trying to run it like this:

```
runuser --pty -u app -- bash "source /etc/app/secrets/env && /somehome/way/app &"
bash: source /etc/app/secrets/env && /somehome/way/app &: Permission denied
```

**The first (original question): the problem was `$()`, thanks to @Kusalananda**

I want to point out that I consciously run, for example, a web application as a background process. To get to the point: I run applications/commands like this:

```
runuser -u someapp $(source /etc/someapp/secrets/env; /someapp)
su nginx source /etc/someapp/secrets/env && sleep 90s &
```

**Eventually, I check `ps aux` or `ps -A` and see: app or the "sleep" commands are running as root!? What am I doing wrong? Or what don't I understand?**

**P.S. But running this command I get what I expected:**

```
runuser -u testappuser2 sleep 30s &
#ps output
root     462265  0.0  0.4   9376  4224 pts/1    S    18:20   0:00 runuser -u testappuser2 sleep 30s
testapp+ 462270  0.0  0.1   5684  1920 pts/1    S    18:20   0:00 sleep 30s
```
aiswe (3 rep)
Apr 3, 2025, 03:24 PM • Last activity: Apr 3, 2025, 05:16 PM
6 votes
2 answers
2119 views
How to create rootfs for user mode Linux on Fedora 18?
I want to create a rootfs to be used with a UML kernel and be able to use the internet. I was using `febootstrap` with packages: `bash`, `coreutils`, `net-tools`, `iputils`. After using `febootstrap-supermin-helper` I got my `rootfs`, but when trying to boot it with UML I get these errors:

```
[    4.340000] systemd: systemd-logind.service holdoff time over, scheduling restart.
[    4.340000] systemd: dbus.service start request repeated too quickly, refusing to start.
[    4.340000] systemd-logind: Failed to get system D-Bus connection: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
[    4.340000] systemd-logind: Failed to fully start up daemon: Connection refused
```

I am wondering which packages are necessary for the rootfs and if there is any other way besides febootstrap.
Peter
Apr 21, 2013, 01:23 PM • Last activity: Mar 30, 2025, 03:03 PM
0 votes
1 answers
38 views
Starting a systemd user service for a docker rootlesskit user
I run my docker stuff with a dedicated user, and installed the docker rootlesskit. I start docker with `systemctl --user start docker.service`. Everything related to docker, executed with that user, works. I am now installing a nostr relay. I followed the instructions and the thing actually works. But. I have to run it via tmux and then `scripts/start_local`. This script basically runs `docker compose -f $DOCKER_FILE up -d`. I tried setting up a systemd script for that. First, I tried the `/etc/systemd/system/` location, with the correct `USER` variable and working directory. However, it would fail to start with the famous `Cannot connect to the Docker daemon at unix:///home/me/.docker/run/docker.sock. Is the docker daemon running?` error message. So I thought maybe it's because I should run the systemd script as the user. So I installed the script into `$HOME/.config/systemd/user` with a symlink to `$HOME/.config/systemd/user/default.target.wants`. Basically, the same way my docker service runs. To my surprise, I get the same error. Going back to running it in tmux, it just works. What is different here? For clarity, here is the service file I am using:

```
[Unit]
Description=Nostr TS Relay

[Service]
Type=simple
Restart=always
RestartSec=5
WorkingDirectory=/home/me/nostream
ExecStart=/home/me/nostream/scripts/start_local
ExecStop=/home/me/nostream/scripts/stop

[Install]
WantedBy=default.target
```

Note: it's not a big deal, I can have it running with a tmux, but I'd prefer the systemd variant.
unsafe_where_true (333 rep)
Mar 27, 2025, 05:33 PM • Last activity: Mar 27, 2025, 05:44 PM
0 votes
0 answers
2158 views
Different user other than "USER root" in Dockerfile while executing crucial "RUN apt-get..." commands
I recently experienced a mass email attack where someone "sniffed" my email and was using it as `From:myemail@email.com` in the mass attack. I believe my email info got sniffed because I enabled IMAP, used SSL instead of TLS, among other things. But I also got lazy with the root user in my Dockerfile. I'm a data engineer and not a Linux pro. I'm sharing a Dockerfile that I'm extending from apache-airflow after running a build command. **Can you please help me do something other than `USER root` below? How can I make everything just `myuser`?**

```
FROM apache/airflow:latest
COPY --chown=myuser:root requirements.txt /
USER root
RUN apt-get update
RUN apt-get install -y --no-install-recommends vim
RUN apt-get install libmysqlclient-dev
RUN apt-get autoremove -yqq --purge
RUN apt-get clean
RUN rm -rf /var/lib/apt/lists/*

USER myuser
ENV PYTHONPATH=/usr/local/bin/python:...
RUN export PATH=$PATH:$PYTHONPATH
RUN pip install --upgrade pip
RUN pip install --no-cache-dir -r /requirements.txt
```

I tried removing `chown` and starting with `USER myuser` instead of root, but I got a permission denied error when running the first `RUN apt-get...` commands.
python_mainly (9 rep)
Apr 17, 2023, 04:35 PM • Last activity: Mar 18, 2025, 09:22 AM
0 votes
0 answers
46 views
Can a non-zero (not 0, not root) user run a process with capabilities `[pid]: =ep`?
I am learning about capabilities for the first time: https://man7.org/linux/man-pages/man7/capabilities.7.html

As a frontend web developer, learning about this type of Linux material feels like I jumped into the middle of a story and am making a lot of incorrect assumptions...and I don't know what I don't know. At the moment, I'm trying to understand how to set file capabilities such that when a non-zero/non-root user runs the process, it has capabilities as if it were run by root. For example, here is a recent exercise I made for myself:

```
bob@bob:~$ ps auxf
...
bob    1286  0.0  0.0   9000  5852 pts/0    Ss   23:01   0:00          \_ -bash
bob@bob:~$ getpcaps $$
1286: =
bob@bob:~$ sudo su
root@bob:/home/bob# getpcaps $$
1311: =ep
root@bob:/home/bob# exit
exit
bob@bob:~$ sudo cp /bin/bash /usr/local/bin/testing_bash
bob@bob:~$ sudo setcap cap_sys_admin=eip /usr/local/bin/testing_bash
bob@bob:~$ /usr/local/bin/testing_bash
bob@bob:~$ getpcaps $$
1358: cap_sys_admin=ep
bob@bob:~$
```

I can see that bob is running process 1286, which has no capabilities. If I run `/bin/bash` as the root user, I can see `1311: =ep`, which means it has all capabilities. Out of curiosity, I was wondering if bob could achieve the same result of `[pid]: =ep`. I read there is something called setcap. So I made a copy of `/bin/bash` as `/usr/local/bin/testing_bash`. Then I used setcap to try to assign `cap_sys_admin` to `/usr/local/bin/testing_bash`...`cap_sys_admin` is my best guess at giving the highest possible privileges. But when bob runs `/usr/local/bin/testing_bash`, the terminal doesn't show `1358: =ep`; instead the terminal shows `1358: cap_sys_admin=ep`. Is there a way to let bob run `/usr/local/bin/testing_bash` and have `[pid]: =ep`?

---

Note 1: It's possible I completely misunderstood how capabilities work. Just this morning, I was still operating under the assumption that capabilities are associated with USERs; I lost a lot of time before I understood capabilities are associated with files and processes, and have zero relevance to users.

---

Note 2: I thought `setcap all=eip` might allow bob to run testing_bash with the same capabilities as the root user. But I think I may have been wrong about this, and posted a follow-up question here showing my investigation: https://unix.stackexchange.com/questions/792603/how-come-setcap-all-eip-has-fewer-capabilities-than-setcap-cap-sys-admin-eip
learningtech (631 rep)
Mar 16, 2025, 11:25 PM • Last activity: Mar 17, 2025, 02:10 PM
6 votes
2 answers
7759 views
systemd start as unprivileged user in a group
I'd like users in group `foogroup` to be able to:

- `systemctl start foo.service`,
- `systemctl stop foo.service`,
- `systemctl status foo.service`, and
- `journalctl -u foo.service`

without using elevated privileges. Is that possible?

---

I have a systemd service which looks like:

```
[Unit]
Description=foo service

[Service]
Type=simple
ExecStart=/bin/sleep infinity
User=foobot
Group=foogroup
```

Where `foobot` is a system user. I know we can install the unit file to `~/.config/systemd/user/` to allow an unprivileged user to use systemd, but this doesn't really help a group.

Note: I plan on using the [sd-bus](https://manpages.debian.org/experimental/libsystemd-dev/sd_bus_default_user.3.en.html) API from [libsystem-dev](http://0pointer.net/blog/the-new-sd-bus-api-of-systemd.html) and [cockpit](https://cockpit-project.org/), so adding `systemctl` to `/etc/sudoers` isn't going to help. I don't care as much about `systemctl enable`; it's fine if I need elevated privileges for that.
Stewart (15631 rep)
Mar 6, 2019, 09:19 PM • Last activity: Mar 6, 2025, 11:01 AM
1 votes
0 answers
37 views
Raspberry Pi 5: alsamixer displaying different controls on boot
I have a Raspberry Pi 5 4GB. I am trying to run a Python script on boot which will allow me to control the volume of my default amixer device (Master) through a slider switch. The script works perfectly fine when I run it manually. However, I am unable to access the "Master" device via amixer when running the script on boot.

* When I run the `amixer controls` command via SSH while logged in as user pi (or running the Python script), I get this output:

```
numid=4,iface=MIXER,name='Master Playback Switch'
numid=3,iface=MIXER,name='Master Playback Volume'
numid=2,iface=MIXER,name='Capture Switch'
numid=1,iface=MIXER,name='Capture Volume'
```

* However, when I run the same script on reboot, I get this output instead:

```
numid=1,iface=CARD,name='HDMI Jack'
numid=5,iface=PCM,name='ELD'
numid=4,iface=PCM,name='IEC958 Playback Default'
numid=3,iface=PCM,name='IEC958 Playback Mask'
numid=2,iface=PCM,name='Playback Channel Map'
```

Note that I get this same second output if I run the command `sudo amixer controls`.

* I've tried running the script via `crontab -e` and I've also tried putting this line into my `rc.local` file:

```sh
su -u pi -c "python /home/pi/scripts/volume.py > /home/pi/scripts/volume.log 2>&1" &
```

However, both of these result in the same second output. I believe getting the first output has something to do with running the script under the correct user or setting my environment variables correctly, but I have no idea how to do it. Would someone be able to help me here?
Thimis (11 rep)
Jan 11, 2025, 10:31 AM • Last activity: Jan 21, 2025, 12:37 PM
1 votes
1 answers
2168 views
create a linux user with create files and write permissions without sudo access
I want to create a user in such a way that it can create a file and update the contents of the file.

```
useradd username
```

For `sudo`, we can create a username and link it to `sudo` as shown below:

```
useradd username sudo
```

But I don't want to give `sudo` access, and without `sudo` access I am unable to create or update files.
kasinos (33 rep)
May 6, 2015, 12:17 PM • Last activity: Dec 18, 2024, 01:22 PM