How to deal with permissions?

floridamanuseslinux
Posts: 3
Joined: 2022-05-23 16:48
Has thanked: 5 times

How to deal with permissions?

#1 Post by floridamanuseslinux »

I am running Debian at home on a secure network and spending too much time dealing with permissions - which tells me I'm doing something wrong. Once I log in I don't want to have to deal with passwords, except very rarely. I keep my data on a separate partition which has been a big pain, but it's never been an issue before. Also, apparently Dolphin won't run as "su". I honestly don't know what you do with a file manager that won't run as admin. :?

I added "adm" to my user groups.
I changed the permissions on my data partition.
I added these entries to /etc/sudoers:

%sudo ALL=(ALL:ALL) ALL
myusername ALL=(ALL) NOPASSWD:ALL

This solved a lot, but I'm still having problems. I would like to use Dolphin. Should I add myself in /etc/sudoers as myusername ALL=(ALL:ALL) ALL, or include myself as "wheel", or just add "root" to my groups? There are a lot of settings:

file-directory-device permissions
/etc/sudoers
/etc/password
/etc/group
/usr/share/polkit-1
...

If there is a good resource that directly addresses how these settings relate to one another (especially what has precedence) that would be great. It would be useful to understand everything better without getting completely lost in the weeds. I am NOT concerned with my system blowing up or getting hacked. If I do something stupid that's on me.

Thanks!



Debian 5.10.0-14-amd64
KDE Plasma 5.20.5
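
As an added illustration (not part of the original post), the shell function below scans sudoers-style text for rules of the kind shown above: it reports a NOPASSWD tag applied to ALL commands and any tag name that sudoers(5) does not define. The function names and sample lines are constructed for this example; `visudo -c` remains the authoritative syntax check.

```sh
#!/bin/sh
# Constructed sample; the first two rules mirror the ones in the post above.
sample_sudoers() {
cat <<'EOF'
%sudo ALL=(ALL:ALL) ALL
myusername ALL=(ALL) NOPASSWD:ALL
backup ALL=(root) NOPASSWORD: ALL
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
EOF
}

# audit_sudoers [FILE]: print "LINE: finding" for risky or malformed rules.
# Heuristic only: aliases, line continuations and CWD=/CHROOT= options are
# not parsed.
audit_sudoers() {
    awk '
    BEGIN {
        n = split("NOPASSWD PASSWD NOEXEC EXEC SETENV NOSETENV MAIL NOMAIL FOLLOW NOFOLLOW LOG_INPUT NOLOG_INPUT LOG_OUTPUT NOLOG_OUTPUT INTERCEPT NOINTERCEPT", t, " ")
        for (i = 1; i <= n; i++) known[t[i]] = 1
    }
    # Skip blank lines, comments/includes, Defaults and alias definitions.
    /^[ \t]*$/ || /^[ \t]*[#@]/ || /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }
    {
        spec = $0
        sub(/^[^=]*=[ \t]*/, "", spec)       # drop "who host ="
        sub(/^\([^)]*\)[ \t]*/, "", spec)    # drop optional (runas) list
        # Peel leading "TAG:" tokens off the command spec one at a time.
        while (match(spec, /^[A-Z_]+[ \t]*:[ \t]*/)) {
            len = RLENGTH
            tag = substr(spec, 1, len)
            spec = substr(spec, len + 1)
            sub(/[ \t]*:[ \t]*$/, "", tag)
            if (!(tag in known))
                printf "%d: unknown tag %s\n", NR, tag
            else if (tag == "NOPASSWD" && spec ~ /^ALL[ \t]*$/)
                printf "%d: NOPASSWD on ALL commands for %s\n", NR, $1
        }
    }' "$@"
}

sample_sudoers | audit_sudoers
```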

steve_v
df -h | grep > 20TiB
Posts: 1400
Joined: 2012-10-06 05:31
Location: /dev/chair
Has thanked: 79 times
Been thanked: 175 times

#2 Post by steve_v »

Username checks out...
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.

Hallvor
Global Moderator
Posts: 2029
Joined: 2009-04-16 18:35
Location: Kristiansand, Norway
Has thanked: 139 times
Been thanked: 206 times

#3 Post by Hallvor »

Code: Select all

$ su -

Code: Select all

# apt install krusader
Launch the application Krusader from the menu

Look in Krusader's Tools menu --> Start Root Mode Krusader

Have fun.
[HowTo] Install and configure Debian bookworm
Debian 12 | KDE Plasma | ThinkPad T440s | 4 × Intel® Core™ i7-4600U CPU @ 2.10GHz | 12 GiB RAM | Mesa Intel® HD Graphics 4400 | 1 TB SSD

CwF
Global Moderator
Posts: 2638
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 41 times
Been thanked: 192 times

#4 Post by CwF »

I think the sheep herder is making fun of you...

Anyway, to the linux user down in the land of the free, unfortunately there is more than one way to do it and more than one way to screw it up. There is not enough info as to this (your) problem but it sounds like a permission battle between user and root, and not user and another user. Personally, 'administrator' is not strictly linux, at all. I don't use dolphin, but imho the user file manager should have context options to 'something "as root"', routed through polkit.

It depends on how you mount things. CLI mounts, udisk2, systemd, pmount, and their options, etc.

Optionally you can base things on group guid, or user uid. Wheel is more common in other distros, debian could use staff, or piecemeal with odd groups like plugdev or libvirt.

I use 'all of the above' so don't have a single answer except work within a user file manager and extend it however that DE likes to do so. Don't use elevated privilege within the user file space, don't change permissions outside of it. As a simple last resort for a shared data partition use a FS that doesn't respect permissions, like vfat, if appropriate. You can with most methods 'unmask', or 'allow others'

Windowized thinking seems more common now. I think linux permissions are silly, when there is a work around that means it's not about 'security', it means the method is an organic ad-hoc mix of the moment...

dilberts_left_nut
Administrator
Posts: 5346
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

#5 Post by dilberts_left_nut »

You're doing it wrong.

Put your data (and 'themes' and 'tweaks' and such-like crap) in your home directory.
You can still keep it on another filesystem, just mount it in your home directory.
AdrianTM wrote:There's no hacker in my grandma...

#6 Post by floridamanuseslinux »

dilberts_left_nut wrote: 2022-05-23 20:55 You're doing it wrong.

Put your data (and 'themes' and 'tweaks' and such-like crap) in your home directory.
You can still keep it on another filesystem, just mount it in your home directory.
What's the difference between mounting it in /home and /media? Does it change ownership, etc?

My data partition is a "legacy implementation". I tried using a /home partition, but then I managed to wreck my desktop. I reinstalled and found everything re-disasterized. :shock: I didn't want to have to figure out what was located in /home and elsewhere. Maybe it's worth taking the time.

4D696B65
Site admin
Posts: 2696
Joined: 2009-06-28 06:09
Been thanked: 85 times

#7 Post by 4D696B65 »

floridamanuseslinux wrote: 2022-05-23 22:16 What's the difference between mounting it in /home and /media? Does it change ownership, etc?
Yes, you own /home/you/

#8 Post by CwF »

4D696B65 wrote: 2022-05-23 23:04 Yes, you own /home/you/
not necessarily, root created mounts will still be owned by root. So within ~/user is no guarantee.

/mnt/$user/label is the best spot, seen as a device in a user file manager. DE depending I suppose, but a udisk2 with a user pkla permissions for polkit or a user in group plugdev using pmount are two ways to create password-less access to any drive connected in any way and without any fstab entry. No su- or sudo needed, and still assuming this is a root/user issue.

#9 Post by steve_v »

floridamanuseslinux wrote: 2022-05-23 18:25 Dolphin won't run as "su". I honestly don't know what you do with a file manager that won't run as admin. :?
Dolphin will refuse to run as root by design, likewise several other GUI applications. It's still a fine file manager, myself and thousands of others use it daily.
"Run as admin" as the solution to every problem is a Windows thing, and you'd do well to unlearn it. The Unix way is to put things that need to be writeable for unprivileged users in /home/<username>, use user groups, and set permissions on mountpoints/directories appropriately.
Logging in as root or using su and/or sudo should be reserved for (usually infrequent) system administration tasks.
floridamanuseslinux wrote: 2022-05-23 18:25 Should I add myself in /etc/sudoers as myusername ALL=(ALL:ALL) ALL, or include myself as "wheel", or just add "root" to my groups?
I think you should read the relevant manuals before making (any more) random changes to security related settings...
floridamanuseslinux wrote: 2022-05-23 18:25 /etc/sudoers
man sudoers
floridamanuseslinux wrote: 2022-05-23 18:25 /etc/password
man 5 passwd
floridamanuseslinux wrote: 2022-05-23 18:25 /etc/group
man 5 group
floridamanuseslinux wrote: 2022-05-23 18:25 /usr/share/polkit-1
man polkit

Also try apropos <thing you want to know about>

Now as to your actual problem... What was your problem again? Accessing a mounted volume as a normal user, right?
Is it a permanent mount that can go in /etc/fstab, or do you need to dynamically mount/unmount it (e.g. removable storage)?
What are the permissions on the mountpoint and the files/directories you need to access?
What filesystem is it using?
floridamanuseslinux wrote: 2022-05-23 22:16 What's the difference between mounting it in /home and /media?
(almost) nothing. A mountpoint is a mountpoint, and it can be attached to the filesystem tree anywhere you like. The usual permissions (for both the mounted filesystem and the mountpoint directory) apply regardless.

/mnt is traditionally used for things mounted from /etc/fstab that don't have any better home, and /media (or /var/(run)/media, /var/(run)/user etc. depending on distro) is typically used by GUI filemanagers and the like for removable storage.
Those are only conventions though, it's really just permission bits and ownership that matter.

/home/<username> is special only in that (by default at any rate) newly created files and directories there are owned by <username>. That's your personal space, and you can do whatever you want there... The worst that can happen is you hose your user settings, rather than the whole system.
That said, if your "data partition" needs to be accessible for multiple users, mounting it in somebody's home directory would be kinda silly... By default on Debian any user can read files in any other user's home directory, but that's not something to be relied on (and a rather questionable default IMO).
floridamanuseslinux wrote: 2022-05-23 22:16 My data partition is a "legacy implementation".
Elaborate. I suspect this is the real crux of the matter.
Last edited by steve_v on 2022-05-24 06:05, edited 1 time in total.
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.
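
Added example (not part of steve_v's post or the thread): a small shell helper applying the rule described above, that permission bits and ownership decide access on every directory along a path, mountpoint included. It assumes GNU `stat`; the function names are made up for this illustration, and ACLs and root's bypass of these bits are not modelled.

```sh
#!/bin/sh
# class_allows MODE OWNER_UID OWNER_GID UID "GIDS" WANT
# WANT: 4 = read, 2 = write, 1 = execute/search.
# Exactly one class is consulted: owner if UID owns the object, else group
# if any of GIDS matches, else other. The owner class wins even when it is
# the most restrictive one. uid 0 is not modelled (root bypasses the bits).
class_allows() {
    m=$((0$1))                       # stat prints the mode in octal, e.g. 750
    if [ "$4" -eq "$2" ]; then
        bits=$(( (m >> 6) & 7 ))
    else
        bits=$(( m & 7 ))
        for g in $5; do
            if [ "$g" -eq "$3" ]; then bits=$(( (m >> 3) & 7 )); break; fi
        done
    fi
    [ $(( bits & $6 )) -ne 0 ]
}

# first_blocker PATH UID "GIDS"
# Print the first directory on absolute PATH that UID cannot search (enter)
# and return 1; return 0 if every directory on the way can be traversed.
first_blocker() {
    cur=""
    rest=${1#/}
    while [ -n "$rest" ]; do
        cur="$cur/${rest%%/*}"
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        [ -d "$cur" ] || continue    # a final regular file has no search bit
        st=$(stat -c '%a %u %g' "$cur") || { echo "$cur"; return 1; }
        class_allows $st "$2" "$3" 1 || { echo "$cur"; return 1; }
    done
    return 0
}

# Demo: check the path given as $1 (default: $HOME) for the current user.
first_blocker "${1:-$HOME}" "$(id -u)" "$(id -G)" && echo "all directories searchable"
```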

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

#10 Post by Head_on_a_Stick »

floridamanuseslinux wrote: 2022-05-23 18:25 apparently Dolphin won't run as "su". I honestly don't know what you do with a file manager that won't run as admin
GVFS has an admin:// backend that allows running as root, for example:

Code: Select all

thunar admin:///full/path/to/directory
Or enter the "admin://" bit in the path selector.

GNOME's file manager uses GVFS so it can also be run as root using the same method :)
deadbang

#11 Post by steve_v »

Head_on_a_Stick wrote: 2022-05-24 06:03 GNOME's file manager uses GVFS so it can also be run as root using the same method :)
But, but, GNOME(3+) is braindamage...
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.

#12 Post by floridamanuseslinux »

CwF wrote: 2022-05-23 23:58
4D696B65 wrote: 2022-05-23 23:04 Yes, you own /home/you/
not necessarily, root created mounts will still be owned by root. So within ~/user is no guarantee.

/mnt/$user/label is the best spot, seen as a device in a user file manager. DE depending I suppose, but a udisk2 with a user pkla permissions for polkit or a user in group plugdev using pmount are two ways to create password-less access to any drive connected in any way and without any fstab entry. No su- or sudo needed, and still assuming this is a root/user issue.
Ok, now I think I know what's going on. At first I installed Debian with an su password, so sudo was not installed. As a result I got mixed up. When I got that all straightened out I kept using "su". I didn't realize that doing something as "root" with "su" was different from doing the same thing as "user" with "sudo". (It didn't make any sense to me why you had both.)

When I list my data partition with "lsblk" I get:

Code: Select all

MODE OWNER GROUP
brw-rw---- root disk
All of my disks and partitions are listed this way.


But when I list the mounted filesystem with "ls" I get:

Code: Select all

MODE OWNER GROUP
drwxrwxrwx myusername myusername


I can add myself to the "disk" group, and change the filesystem permissions.



What would the permissions for the disks and filesystems usually be set at?

#13 Post by Hallvor »

[HowTo] Install and configure Debian bookworm
Debian 12 | KDE Plasma | ThinkPad T440s | 4 × Intel® Core™ i7-4600U CPU @ 2.10GHz | 12 GiB RAM | Mesa Intel® HD Graphics 4400 | 1 TB SSD

#14 Post by CwF »

floridamanuseslinux wrote: 2022-05-24 06:32 I can add myself to the "disk" group, and change the filesystem permissions.
No, you need to stop grasping at straws and back up a few steps. Realize not all methods are compatible, pick one and stick to it. Perhaps state the details, what are you mounting and how. It is highly likely that a future correct method will still be borked by your prior actions.
CwF wrote: 2022-05-23 23:58 two ways to create password-less access to any drive connected in any way and without any fstab entry. No su- or sudo needed
Let that sink in, if you then use one of these ways and it still doesn't work, back up further and undo prior mistakes I can't name. Check your Dolphin's right click context menu, any 'as root' or 'as administrator' entries? should be...
Head_on_a_Stick wrote: 2022-05-24 06:03 GVFS has an admin:// backend that allows running as root, for example:

Code: Select all

thunar admin:///full/path/to/directory
On a system without a full or absent gvfs subsystem this will break Thunar for the session. I had this conversation recently with no solution to prevent someone typing that in and causing the fracture.

Code: Select all

$ pkexec thunar
works fine, and needs some config

#15 Post by Head_on_a_Stick »

CwF wrote: 2022-05-24 15:22
Head_on_a_Stick wrote: 2022-05-24 06:03

Code: Select all

thunar admin:///full/path/to/directory
On a system without a full or absent gvfs subsystem this will break Thunar for the session.
If people install packages with --no-install-recommends then they should expect some breakage of desktop functionality.
deadbang

#16 Post by steve_v »

floridamanuseslinux wrote: 2022-05-24 06:32 When I list my data partition with "lsblk" I get:

Code: Select all

MODE OWNER GROUP
brw-rw---- root disk
All of my disks and partitions are listed this way.


But when I list the mounted filesystem with "ls" I get:

Code: Select all

MODE OWNER GROUP
drwxrwxrwx myusername myusername


I can add myself to the "disk" group, and change the filesystem permissions.
Permissions on the raw block device are irrelevant (again, like most of the other things you're poking at) unless you are trying to do raw block device access (e.g. manipulating partition tables or nuking a drive with dd).
The same goes for the 'disk' group, all you will achieve adding your user to that one is giving yourself the ability to trash your filesystems without a password.

If you prefer to just change random things without reading the manuals or providing the information asked for to help you, that's fine too though. Good luck.
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.
