Really only SSH and sudo broke. sudo would still work but you'd have to re-enter your password every time. It was a painful experience and I'm glad I know better now.
As a one time noob I may have done this once or more.
To get one thing working I borked everything.
Understanding permissions is pretty basic. But understanding permission requirements for system and user apps and their config and dirs can be a bit overwhelming at first.
Thinking a little change to make your life simpler will break something else doesn't always register immediately.
Shit, even recently, wondering why my SSH keys were being refused and realising that somehow i set my private keys world readable.
Nah, there's something broken, I think it's because group render under the container has a different GID than the container so the acl fails and you either sudo or chmod.
I use podman and since it runs as my user it has exactly same same permissions as me. I just add my user to the proper group and it works.
Anyway for LXC you could just passthough a folder and then create a file. From there you can look at the file on the host to see who owns it. That will give you the needed information to set permissions correctly
Ahh, I'm running priveleged containers, I wrote my own scripted framework for containers around lxc in mostly python.
Basically I fell head over heels in love with freebsd jails and wanted them on Linux, then started running x11 apps in them, it's my heroin.
Haven't used podman outside proper k8s for work, did proxmox for a bit, but it was just a webgui for the same thing.
There were a bunch of online bug reports about the /dev/dri issue, maybe there's a better solution now, but since this is my workstation I wasn't as worried about security.
Possibly but my role was such Im really only supposed to be working on my project and not monkey with the server which is used by other projects. I don't think it was a restriction I think it was just laziness by whoever set it up.
And this is why I never get bonuses. I just can't be bothered with kissing upper management ass... tried it once... I walked out of the meeting with me telling them "less talking, more doing"... no one from upper management called me ever again. Even if they did have a computer problem, they just told the secretary to call me.
Sometimes your package manager asks you for root password every minute while doing few hours long update and cancelling process if you don't enter anything for few minutes, "yay" aur manager looking at you, and you got to do other things than sit and look in the monitor all day long, things like cleaning house or touching grass for example
That's the supported configuration. There support will not support anything else. It is total BS which makes sense because they want to silo you to the cloud
Our crappy vendor software will only function if IPv6 is disabled network wide. Even if one machine has it enabled, the whole thing breaks
Lol our former crappy vendor solution required to be run directly from AD Administrator. Pure luck the entire business didn't collapse before we replaced it.
Ubuntu uses Snaps for a lot of the software, thus, when you write sudo apt install firefox that is actually an alias for "install firefox from snap". Snaps get installed locally, not on the system (globally, for all users), but as a user, so you really can't do much damage when you actually didn't do anything to the system in the first place.
Do sudo shit on any other distro that doesn't have a company behind it, see what happens.
Because if you have sudo, you have root. Side effect of being a server system, too. During install, if you specify a root password, sudo is not installed. If you don't, it is. Ubuntu just defaulted to the latter.
So that is why I always have to install sudo manually 🤦.
And I think older versions also left you at root, you had to define a user account manually. I think that's not the case now as I recall (I haven't installed Debian in a while).
Credentials are inherited by every child process that the parent process invokes. Thus, if you give root credentials to a command, every subsequent command that the original one invokes will have root credentials.
There are some exceptions, but these are special case scenarios and are literally only a few.
Sorry (again 😂, this happens quite a lot with you, lol), it's early in the morning here, didn't have my coffee yet.
If the question is can privileges be escalate later on while a command or a script is executing, the answer is yes. You can also deescalate them once the root creds stuff is done executing. You just have to make it clear in the script or the command that "you do this with root creds, but then you continue with user creds".
The point I was trying to make with my previous comment was that, if a process (command, script, whatever) is ran with root privileges, every program, command, script it invokes later on is ran with root privileges, unless it's specifically noted to run this or that part with some other privileges.
Real pros shuffle across the carpet to build a static charge and do their system administration by electrical fault injection.
REAL pros use butterflies!
https://xkcd.com/378/
Dammit, emacs.
Still not as bad as
chmod -R 777.Once had a friend run
sudo chmod -R 777 /on a (public) Minecraft server we were running back in highschool. It made me die a bit on the inside.Doesn't it break a lot of things? Half the stuff refuses to work when some specific files have too permissive chmod.
Really only SSH and sudo broke. sudo would still work but you'd have to re-enter your password every time. It was a painful experience and I'm glad I know better now.
Goodbye ssh access
As a one time noob I may have done this once or more.
To get one thing working I borked everything.
Understanding permissions is pretty basic. But understanding permission requirements for system and user apps and their config and dirs can be a bit overwhelming at first.
Thinking a little change to make your life simpler will break something else doesn't always register immediately.
Shit, even recently, wondering why my SSH keys were being refused and realising that somehow i set my private keys world readable.
Thank god SSH checks file and dir permission.
Jesus, every time I have to run glx or vaapi under a container I end up having to do this then cringe.
You don't need to
Nah, there's something broken, I think it's because group render under the container has a different GID than the container so the acl fails and you either sudo or chmod.
Lxc is still a little wobbly in places.
I use podman and since it runs as my user it has exactly same same permissions as me. I just add my user to the proper group and it works.
Anyway for LXC you could just passthough a folder and then create a file. From there you can look at the file on the host to see who owns it. That will give you the needed information to set permissions correctly
Ahh, I'm running priveleged containers, I wrote my own scripted framework for containers around lxc in mostly python.
Basically I fell head over heels in love with freebsd jails and wanted them on Linux, then started running x11 apps in them, it's my heroin.
Haven't used podman outside proper k8s for work, did proxmox for a bit, but it was just a webgui for the same thing.
There were a bunch of online bug reports about the /dev/dri issue, maybe there's a better solution now, but since this is my workstation I wasn't as worried about security.
from the chmod or from the containers?
From the chmod, I love running games and shit under containers.
Come on! I've stopped logging on as root, can't we just leave it at that?
Stopped being fun after you destroyed the system a few times... am I right 😏.
just worked a job where I did not have privlages to sudo commands. except su. had to sudo su so I could run a script.
Could you not just use root to give your user sudo? Seems like a pretty dumb restriction
Possibly but my role was such Im really only supposed to be working on my project and not monkey with the server which is used by other projects. I don't think it was a restriction I think it was just laziness by whoever set it up.
Fair enough. Got a colleague who sudo nanos everything then wonders why he keeps getting permission denied errors later lol
...file in
~/.config...-
sudo nano /path/to/file... yeah, I wanna fucking save changes... OK, let's see if it works... damn it, this distro fucking sucks man!Worst part is he's the sysadmin
Jesus 🤦...
And this is why I never get bonuses. I just can't be bothered with kissing upper management ass... tried it once... I walked out of the meeting with me telling them "less talking, more doing"... no one from upper management called me ever again. Even if they did have a computer problem, they just told the secretary to call me.
Oh god no not upper management lol we're just in a small company
then at first day of work:
"You're absolutely right, we wouldn't want to take too long to break the network or open god rights vulnerabilities"
And you give them the look and they shut up.
sudo steam
I'm in jail because I was not in the sudoer file
This incident was, in fact, reported.
Well, you were warned 🤷.
Sometimes your package manager asks you for root password every minute while doing few hours long update and cancelling process if you don't enter anything for few minutes, "yay" aur manager looking at you, and you got to do other things than sit and look in the monitor all day long, things like cleaning house or touching grass for example
sudo visudoAt the end:
Defaults:USER timestamp_timeout=30USER is obviously changed to your username.
Thank you
If I remember correctly the default sudo timeout is set to 5 minutes on Yay, you should be able to increase it to something more reasonable
Thank you
See, this is why I love xbps. Does everything in one blow, no bullshit.
Man if only there was an option like --sudoloop to ensure that doesn't happen
Reminds me of all of those vendors that require Windows Admin for no reason.
Looking at you quickbooks network shares...
Its not like QuickBooks are sensitive data or anything
More like I come in to fix someone's aging infrastructure and find a QuickBooks share with read/write everyone because people are too lazy to RTFM.
Ahem...
That's the supported configuration. There support will not support anything else. It is total BS which makes sense because they want to silo you to the cloud
Then encrypt it…
Tell that to Intuit
sudo -sfor auditabilityWasn't it 2017 where they had the race condition in
sudo suas the command elevates up to root and drops back down?Every other year,
sudo suwas not unsafe but merely ghetto. 'sudo su' is the dutch-rudder of 'sudo'.A thread I read a long time ago on r/sysadmin
That's at least once a week
Reminds me of software saying to put your docker socket into the docker container you are starting for convenience.
Oh yeah, I'm docking the shit ot of that container!
run0is the newsudo suYou're going to start a fight with the
doaspeople.And the people that don't use systemd.
All five of them.
There are a few of us, but our 2nd gen i3s will eat the shit out of your 5th gen i5s 😁.
there are dozens of us
OpenRC represent!
🥹 🙏
helenslunch doesn't know about
sudo !!Not even arrow keys
Why does
sudo suexist?sudo -idoes exactly what you want.It's much easier to type sudo su 😅
chmod 777 /directory go brrrrrrrrrrrr
You mean sudo chmod -R 777 /that/path/I'm/trying/to/share ?
Ya probably. I’m dumb enough to type that in and just see what happens 😎
Guilty as charged, officer.
I bet you distro hop a lot.
:p
sudo viYeah. After that everything can be done with
!sh.(Edit: This is a joke. There's a lot of reasons not to do this.)
sudoedit is what you're looking for. Don't elevate the text editor.
sudo -s vi &Tell me you use Ubuntu without telling me you use Ubuntu.
Wait till you try this on Debian or non Ubuntu variants.
I ask out of ignorance - why would it be different?
Debian doesn't have sudo by default, you have to install it manually
Not sure what they mean by "non Ubuntu variants" though since most other distros add it even when they aren't Ubuntu based
Ubuntu uses Snaps for a lot of the software, thus, when you write
sudo apt install firefoxthat is actually an alias for "install firefox from snap". Snaps get installed locally, not on the system (globally, for all users), but as a user, so you really can't do much damage when you actually didn't do anything to the system in the first place.Do
sudoshit on any other distro that doesn't have a company behind it, see what happens.True, but not actually the reason, it's because Debian doesn't discourage the use of the root account, and
suis used instead ofsudo.Really? But why?
Because if you have sudo, you have root. Side effect of being a server system, too. During install, if you specify a root password, sudo is not installed. If you don't, it is. Ubuntu just defaulted to the latter.
So that is why I always have to install sudo manually 🤦.
And I think older versions also left you at root, you had to define a user account manually. I think that's not the case now as I recall (I haven't installed Debian in a while).
Yea I switched from Ubuntu on my past few installs to avoid snaps. Glad I did, basically the same experience.
sudo -i ?
sudo -u root bashftwMissing the
-i.The
-iis not required.It's silent.
Or sudo bash
sudo su -c "man man"
Can't programs steal sudo access if the timeout isn't 0?
If on a brand new rig, it's allowed.
What?
Oh, sorry, I misread programs as programmers 😁.
And no, I don't think so. Credentials need to be cleared before exectution.
Okay. So you must invoke sudo fr on the exact same shell? It cant be taken from a subsequent script?
Credentials are inherited by every child process that the parent process invokes. Thus, if you give root credentials to a command, every subsequent command that the original one invokes will have root credentials.
There are some exceptions, but these are special case scenarios and are literally only a few.
That doesnt at all answer my concern but I'll interpret the answer as no it doesn't do that.
Sorry (again 😂, this happens quite a lot with you, lol), it's early in the morning here, didn't have my coffee yet.
If the question is can privileges be escalate later on while a command or a script is executing, the answer is yes. You can also deescalate them once the root creds stuff is done executing. You just have to make it clear in the script or the command that "you do this with root creds, but then you continue with user creds".
The point I was trying to make with my previous comment was that, if a process (command, script, whatever) is ran with root privileges, every program, command, script it invokes later on is ran with root privileges, unless it's specifically noted to run this or that part with some other privileges.
Use Sudo -i instead. Sudo su is like cat file | grep pattern vs grep pattern file. You're wasting resources.
I'm partial to sudo bash myself 👌
sudo chmod +x * can solve it sometimes
sudo rm -rf /* what could go wrong? (don't try it)
sudo su - ?