user(s) question

[rikona]

First, thanks for the VERY informative post. I've not used sudo
before, and am getting used to it. I rearranged the order of your
email because of what I did - it answered a few questions for me. I'll
put the info below in case it helps others.

Friday, September 24, 2010, 4:48:10 AM, Nils wrote:

NK> I would create a second user and add that user to the admin group.

Tried that. When I first ran that account, it suggested looking at man
sudo_root for more info. A good man page that answered some questions
I had.

NK> [1] <https://help.ubuntu.com/community/RootSudo>

That was also very good. Thanks. Interestingly, it is not the first
thing that comes up in a search of ub help. They're right about their
comment 'Ubuntu is a big place'. :-)

NK> After that, check if you can use sudo from that new account.

You can, and sudo is still the only way admin can do things, if you
follow their recommendations.

NK> If it works, remove the initial user from the admin group.

Still need to learn more to feel confident...

>> When I set up Ub, it asked for a user name. It seems that that user
>> has su privileges.

NK> More precisely sudo privileges because the root account is locked
NK> and only sudo works.

True for all added accounts, even admin. I learned it is possible to
set a password for root and then log in as root, but it is not
recommended. I'll defer that and see how I like sudo...

NK> The initial user created during the installation is member of the
NK> admin group and can use sudo to gain root privilege.

That seems to be the result of having 'administer the system' checked
for that user, but I wonder if it could also be done by putting that
user in the admin group? He seems to have 'custom' and not full
'admin' privileges.

NK> All users created later don't have that privilege as default.

I'm wondering if user 1000 might have special hard-coded privileges
that any other user can not have. If so, I might not want to remove
it.

>> I'd like to use that name as a non-su user for normal logins. If it
>> was RRR, can I change it to RRRadmin, for example, keeping the same
>> UserID and privileges, and add another non-su user named RRR? Or -
>> is it better to just add RRRadmin as administrator, and set RRR as
>> a normal user?

>> I assume RRR is not root, but it didn't ask for a root pw. [Also, I
>> have a rtkit group - I hope it's not what it sounds like... :-) ]

NK> I suppose the rtkit group is used by the package with the same
NK> name …

It sounded like rootkit - a bit worrisome. :-) Apparently to many
others too - there were LOTS of folks asking about it on the net. It's
a realtimekit, a kernel hack apparently for pulse. Might be good to
find a less worrisome name, though... :-)

>> RRR would have a modest, but pretty good password, and RRRadmin would
>> have a very good pw - but - not one I'd like to have to keep entering
>> with lots of sudo's. Is there a way, while logged on as RRR, to fire
>> up a terminal as RRRadmin, become su, do the tasks as needed, and
>> exit terminal?

NK> You can use the command "sudo su" in a terminal to get a root shell.

True, and there was also a way suggested to get it from the menu,
which I implemented. Neither is recommended.

NK> But didn't you get the password strength wrong? IMHO my personal
NK> files are much more worth than the system files.

Agree totally!

NK> A theoretical virus could do nearly as many bad things if it runs
NK> as a normal user - it could wipe my personal files even without
NK> root privilege. It is no big deal to reinstall the system if is
NK> compromised but it is much more work to restore the personal data.

Agreed. I use frequent backups as an alternate, and the user pw is not
that bad. [and, no, I often don't do it as much as I should... :-) ]

NK> Therefore I think, the password for the normal user should be as
NK> strong as the password for the account with root access.

My worry re root is a rootkit, etc, that requires that privilege,
although with a user able to sudo, it's likely to be just as bad. I'd
probably run as a non-sudo user for security. My root usually has a
long, complex pw. If my regular account can use sudo, I agree it would
also need a very good pw.

>> I copied about 200+G of files to the new Ub, and added an old 1T data
>> disk, but they had the old UserID from Mandriva [but the same RRR
>> name]. In trying to reset them[with sudo], I got a 'can't do it' msg
>> for some files. Is there a way to ID which files have a 'strange' ID
>> that I can't change in a mass-change operation, or something that
>> would force the change anyway?

NK> I suppose you used a command like

Actually, I didn't. I used sudo konq/dolph, and tried to set it from
there.

NK> sudo chown -R $USER: /path/to/the/data/

Tried that instead, and didn't get an error [which, I presume, it
would show if it happened]. Looks like it was something the file
browser didn't like.

NK> Well, you could search for files not belonging to any known
NK> account with the command

NK> find /path/to/the/data/ -nouser -exec ls -l {} \;

Might try this to be sure.

Thanks VERY much!        

-- 

 rikona