this post was submitted on 29 Jan 2024
413 points (93.7% liked)

Technology

59123 readers
2310 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 5 points 9 months ago (2 children)

I moved to Fedora (KDE Plasma) about a year ago. I had researched alternatives for all I needed.

I installed it on a new machine and kept an old windows machine running.

It took a month or so to get things how I liked.

I miss some things in Windows but found some real time saving features in linux, on the whole I am better off.

And I feel a whole lot safer.

[–] [email protected] 2 points 9 months ago

When Linux spoons me in bed and whispers in my ear that it loves me, that's when I feel really safe.

[–] [email protected] 2 points 9 months ago (1 children)

Side question:

Know a good place I can learn linux user/group/permission management?

I don't understand it well enough so I do a stupid amount of things as root...

[–] [email protected] 1 points 9 months ago (1 children)

A good start is using something like sudo rather than logging in as root.

sudo gives your command root permission when it runs. That way you can delete the password from the root account and it can’t be logged in with. sudo will ask for YOUR password and then check if you have permissions to elevate your command to root level.

In a simple setup, you can just use for anything you would normally do as root.

This can protect you from mistakes too, when running commands that you’ve mistyped. For example, if you want to do “rm -rf ./*” to delete all files in the current directory, but you forget the dot (period); if you’re at a root prompt, you just deleted your entire filesystem. If you’re not, then you get a permission error.

[–] [email protected] 1 points 9 months ago (2 children)

How do I manage what users can use sudo?

One issue is trying to create a user to run services under, but not knowing how to give it permission to access what it needs (while also not entirely sure what it should/shouldn't have permissions for).

Or just generally managing file permissions. I understand using chmod in a very basic capacity with a few letter arguments like +r, but then you toss in numbers (chmod 777, wut?) and I get lost.

[–] [email protected] 1 points 9 months ago* (last edited 9 months ago) (1 children)

The /etc/sudoers file is what you'd need to edit, and you'd use the visudo command to edit it.

chmod is indeed used for file permissions, but you can also use SELinux or AppArmor for more access/role/action based permissions (aka Mandatory Access Controls) instead of just limiting yourself to file permissions (aka Discretionary Access Control). There's also udev rules (for device/sysfs access) and PAM (Pluggable Authentication Modules). Then there's cgroups and namespaces for process limits and sandboxing. Really depends on what you're trying to achieve.

But is there any reason why you're looking into micromanaging service permissions? Most users, or even power users wouldn't need to touch that stuff at all.

If it's in a corporate environment, you'd already be running something like SELinux or similar and you'd apply a baseline security profile that meets various compliance specs. Very rarely would you have to mess with permissions of a service.

If this is for personal stuff, you'd just make use of multiple user accounts (if it's a multi-user system), or just sandboxing (containers, flatpak etc) to run untrustworthy stuff like web browsers. None of this stuff would require you to touch chmod.

[–] [email protected] 1 points 9 months ago (1 children)

But is there any reason why you're looking into micromanaging service permissions?

Because I don't know any better, having very little base knowledge of linux.

The thought process here was that services like nginx should be running under a separate user from root and your main daily user account, only having access to the files it actually needs, but not really knowing how to achieve that. I know genuinely nothing about linux user management and feel a bit overwhelmed trying to figure out where to start :/ (especially comming from the all graphical UI experience of Windows)

Chmod is/was the only tool I've known about for managing permissions. I end up running stuff as root in my experimentations because I randomly run into permissions errors, but don't know how to solve them, particularly without creating more problems for other processes.

I'm using Debian as a first Linux desktop experience; previously I've done some experimenting with rpis managed via ssh, mostly to run pihole, that's about it. The rest has been windows where I was familiar.

[–] [email protected] 4 points 9 months ago* (last edited 9 months ago) (1 children)

Okay so that's different.

nginx only runs the master process as root, but the actual worker processes already run under a low-privileged account called http. If you want to run the master process as well as non-root, you can follow the instructions here: https://wiki.archlinux.org/title/nginx#Running_unprivileged_using_systemd

To restrict access to files, you'd be editing the nginx config file, you can read on how to do that in the nginx documentation, or check ServerFault etc.

But the modern Linux world revolves around containers. There's an official Docker image for nginx that you could use if you'd like, and that'd make it a much more secure - and portable option.

Also, I'd recommend checking the Arch Wiki first for anything Linux related - the wealth of knowledge and documentation there is unmatched, and is useful even if you're not running Arch.

[–] [email protected] 2 points 9 months ago

Thanks for your help m8, I appreciate it.

I'll have to do some more reading once I've got some time.

[–] [email protected] 0 points 9 months ago

In addition to what other posters said, some distros allow you to add a user to the “sudo” group (as a secondary group assignment; don’t make it their primary) to allow them sudo access.

Edit your /ect/sudoers file using visudo