Q: easy su

Abdullah Ramazanoglu ar018 at yahoo.com
Mon Aug 28 19:27:14 UTC 2006 

D. R. Evans dedi ki:

> How does one get "su" to work the way it has historically done in *NIX
> (and does work in Mdv and other distros I've tinkered with over the
> years)?

As some of the security features in Kubuntu are "hacked" for no-root policy
(e.g. kdesu internally uses sudo instead of su), it's not possible to get
100% exact same behavior with other GNU/Linux distros. However the
scenario below provides a very close approximation:

1. Designate one of the sudo users as "owner" of the machine (in case you
have more than one sudo users).
2. Define the same password for root and the "owner".
3. sudo visudo
Append "targetpw" to the Defaults line. E.g.
Before:
Defaults   !lecture,tty_tickets,always_set_home,!fqdn
After:
Defaults   !lecture,tty_tickets,always_set_home,!fqdn,targetpw

Now sudo asks for root (as opposed to user) password. This way, you don't
need to worry whether an administrative utility is asking for root
password (e.g. cups - port 631) or user password (e.g. kdesu).

> I have a password assigned to root, and can easily get to be the
> super-user by typing "su" and the root password. But once I am root I
> can't edit anything, because when I try to run emacs, here's what
> happens:

1. Normally "sudo -i" unsets $DISPLAY env var. To prevent this,
sudo visudo
Append ",env_keep+=DISPLAY" parameter to "Defaults"
        E.g. before:
Defaults   !lecture,tty_tickets,always_set_home,!fqdn
        After:
Defaults   !lecture,tty_tickets,always_set_home,!fqdn,env_keep+=DISPLAY

2. Normally, another user (including root) is not allowed to connect to X.
To circumvent this,
sudo {vi|nano|kate} /etc/kde3/kdm/kdmrc
Add (or change) the line below to the section tagged "[X-*-Core]"
        Authorize=false
IIRC in default Kubuntu this line exists but commented out (defaults
to "true")
Note that when you do this, there will be a warning message on KDM greeter
stating that this is an unsecured session. As long as you're in a small
LAN behind a NAT gateway, this shouldn't be a problem.

A cooler approach would be both specifying "Authorize=true" and then
setting up X auth so that root will be able to connect to X.

-- 
Abdullah Ramazanoglu
aramazan ÄT myrealbox D0T cöm

More information about the kubuntu-users mailing list