Naturally, you jump on your computer, open up a terminal window, and start throwing out sudo apt-get install commands left and right to play with new applications. But wait: Error messages start flying back saying that you profile is not included as a sudoer.

Well, not exactly. If the first time you attempt to operate as root on a recently installed system and the system spouts back something about your profile not having sufficient privileges to carry out the task, it means that you properly installed the distro.

The fact is that you (probably) do not want to be operating as supervisor all the time. It can be dangerous, and far too often it leads to system meltdowns at the worst possible times. While not having to insert a password before any administrative task can be helpful a lot of the time, using root as a primary account leaves your computer exposed to user stupidity – and plain dumb mistakes happen to the best of us.

Ok, so you don’t want to be root all the time, but you obviously need to be able to carry out administrative tasks from time to time – like when you want to do something as simple as installing a new program. So how do you add your profile to the sudoer file?

It’s actually very easy. First, open up a terminal window (probably the one that yelled at you for having insufficient privileges in the first place). For this tutorial let’s pretend your username is alpha, so every time you see alpha substitute in your general user profile. Go ahead and type is “su” on the first line and hit enter. You will be prompted for your password – go ahead and supply it.

Next, you need to give yourself permission to edit the sudoers file. Type

Then click enter again. Now you can go in and add yourself to the list. Type

And then go ahead and click enter again. Congratulations, you’re now on the list. Before we leave, we want to reset the permissions of the sudoer file by typing

chmod -w /etc/sudoers

Click enter again, type “exit”, press enter again, and then type “exit” one more time to leave the terminal window. And that’s it! Your profile has now been added to the list of those with administrative privileges.

While it is not a difficult procedure, it is one that is easily forgotten. Once you have given yourself sudo privileges you can give them to other Linux users as well, whether you have multiple profiles set up for other users on your computer or even different profiles for different tasks.

Update:

Edit: A number of people have responded to this post raising very justified concerns about configuring sudo in this manner. While it is perfectly safe if you are careful about every change you make, a mistake in configuring sudo can lead to bad problems down the line. As a safeguard, many people prefer editing the sudo file through the visudo command, which, if sudo has not yet been configured, must be accessed when logged in as root. To do so, login as root, open a terminal and type:

visudo

At the bottom of the new series of characters is a line that reads:

#includedir /etc/sudoers.d

To enable a user full access to sudo, simply type:

Press Ctrl+X to exit the program and click Y to save a backup buffer file on your way out just in case things go wrong.

Two ways to address the same problem – This method simply provides a failsafe.

I want to show you how this is done in two different ways: Using a typical firewall GUI and the ufw command line. For the GUI I am going to illustrate this with GUFW (GNOME frontend for UFW). Naturally, each GUI firewall tool will deal with this process differently, but understanding the fundamentals of what you’re looking for should give you enough information about how exactly to manage the task with the firewall tool you use.

ufw

Figure 1

Let’s start with the more challenging task first. I will assume you know some of the basics. What we will be doing is allowing the necessary Samba ports through with the help of the UFW command line. Let’s first check to make sure your firewall is enabled. To do this issue the command:

sudo iptables -L

When you issue the above command you should see output similar to what you see in Figure 1. If you see nothing, that means your firewall isn’t enabled.

Now, let’s add the rules to allow Samba to pass through your firewall. I am going to illustrate this using the 192.168.1.0 IP address scheme. You can adjust this to fit your needs. The commands you need to run, to open up the necessary ports are:

sudo ufw allow proto udp to any port 137 from 192.168.1.0/24
sudo ufw allow proto udp to any port 138 from 192.168.1.0/24
sudo ufw allow proto tcp to any port 139 from 192.168.1.0/24
sudo ufw allow proto tcp to any port 445 from 192.168.1.0/24

You will issue the above commands one at a time.

GUFW

Figure 2

Now let’s take a look at allowing Samba through your firewall using the UFW front-end, GUFW.  You can start the GUFW tool by clicking System > Administration > Firewall Configuration. When the GUFW window opens (see Figure 2). If the firewall is not enabled, check the Enabled check box to start it up. Once it is started up you can then add rules to the configuration.

Figure 3

When you click the Add button a new window will appear (see Figure 3). From this window select the Preconfigured tab. In this window select the following:

• Allow
• In
• Service
• Samba

When you have the above selected, click Add. Now go back and add another rule to use the same configuration as above with the exception of selecting Out instead of In. Once you have done that, close the Add Rule window and then quit the GUFW window. Your firewall should now allow Samba through.

But there are times when that trust old application needs to have a bit of a tweaking and when that time comes, you’re going to need to know exactly what to tweak and what to do post-tweak. In this Ghacks article I am going to introduce you to some of the fundamentals of the Grub2 bootloader.

What the bootloader does

In a nutshell, the bootloader instructs the kernel how it is supposed to boot. Without the bootloader the kernel wouldn’t get it’s initialization instructions (which kernel is default, any switches that are passed at startup, etc). Of course this is a vast over-simplification of what the boot loader does, but for the newer user, it’s explanation enough.

Handy Grub switches

There are plenty of Grub command line switches that you can use upon boot. But first you have to get to the Grub command prompt. To do this hit the “e” key when you see the kernel listing at boot followed by <Ctrl>x. This will land you in the Grub command prompt, at which point you can run any of the following:

• grub> CTRL + X: Boots any arguments you enter into the commandline.
• grub> halt: Shuts down the computer
• grub> reboot: Reboot the computer
• grub> help: :ists all available commands (which is quite a few)
• grub> help a: Lists all available commands that start with the letter a
• grub> ls: Lists all available partitions on your disk(s)
• grub>ls (hdx,x): Lists all files on that partition
• grub>cat (hdx,x)file: Outputs the contents of “file”

Configuring Grub

I am going to demonstrate how to make a change to Grub and then make that change take effect. There are a few files that might seem like the one you want to edit. The real file you should edit is /etc/default/grub. When you open this file take notice of the following entry:
GRUB_DEFAULT=0

That line instructs which kernel is the default to boot. You may find any number of entries in your Grub configuration file. For each kernel version you will find a standard entry and a recovery mode entry. The are numbered 0,1,2,3,4, etc. Look through your Grub configuration file for the kernel line you want to be the default entry. Remember, numbering starts at 0 not 1. So the third entry will actually be 2. Change that GRUB_DEFAULT= line to reflect the entry you want to serve as the default, save and close the file, and then run the following command update Grub:

sudo update-grub

Now when you reboot your machine, it will default to the kernel you have chosen as default. This is always helpful when you are experimenting with kernels or you get an upgraded kernel that breaks a feature.

Final thoughts

The boot loader for your machine is crucial. Take good care of this tool and it will do the same for you. But do use caution when undertaking any task that involves the boot loader, else you render your machine unbootable. Of course Grub is much more than what you have been shown here. We’ll get into more about this powerful boot loader later.

One of those ways is with the help of bash aliases. A bash alias is a way to create shortcuts to commands that would normally take a lot of typing or are a challenge to remember. So instead of ssh -v -l jlwallen 192.168.1.10 I could enter just desktop or whatever I want that shortcut to be. In that vein, I am going to offer up some very handy shortcuts for you to add to make your command line usage more efficient.

Where they go

If you open up a terminal and issue the command ls -a |less you should come across a file called ~/.bashrc. This file is very powerful and handles a LOT of tasks. One such task is that of aliases. Within that file you will find the section:

# Alias definintions

This is where you put your user-created aliases…and where we will place the aliases listed below. Once you create the aliases, you will notice they don’t work within the same terminal you used to add them with your text editor. You have to fire up a new terminal to make sure they work. Because of this, always leave your original terminal open to make sure the new terminal will still work. I have witnessed a user fubar their bash such that the terminal would no longer open. So use caution when randomly closing your terminals. Now, on the aliases.

Ask before you remove

Admit it, you’ve accidentally deleted a file that could have been prevented if you had used the -i switch with the rm command. To avoid this common mistake, let’s add an alias such that any time the rm command is issued, it is done with the -i switch. This alias would look like:

alias rm=”rm -i”

Secure shell

As I mentioned earlier, secure shell’ing to a machine can be a real pain when you do it over and over. Create an alias like so:

alias server1=”ssh -v -l USER ADDRESS”

Where USER is the user name you would log in with and ADDRESS is the address of the machine you are remoting into.

Bookmark alias

Here’s a fun one. You can open up your browser to a specific bookmark, from the command line with an alias like so:

alias ghacks=”chromium-browser http://www.ghacks.net”

Of course you would replace chromium-browser with your default browser and the URL with the address you want the browser to open up to.

RPM batch installation

Say you do a lot of batch installations of RPMS. And say you always save your RPM files to ~/RPMS. You can add an alias to quickly install those RPMS like so:

alias brpm=”rpm -ivh ~/RPMS/*rpm”

Update/upgrade with apt

Instead of having to issue both command for updating apt and upgrading your installation, combine them into one easy to use alias like so:

alias update=”sudo apt-get update ; sudo apt-get upgrade”

You will have to enter your sudo password once and the update/upgrade will take place.

Final thoughts

Bash aliases are only limited to your imagination. After you spend enough time with the command line you will see that these aliases can really make your day to day Linux life much easier.

In this article I will walk you through the installation of Google Earth for your Linux machine. Once complete, you’ll be zooming around the globe with ease.

Minimum requirements

As always, you should check to make sure your machine meets (or exceeds preferably) the minimum requirements for installation. The minimum requirements are:

• Kernel: 2.4 or later
• glibc: 2.3.2 w/ NPTL or later
• XFree86-4.0 or x.org R6.7 or later
• CPU: Pentium 3, 500Mhz
• System Memory (RAM): 256MB
• Hard Disk: 400MB free space
• Network Speed: 128 Kbits/sec
• Graphics Card: 3D-capable with 16MB of VRAM – Screen: 1024×768, “16-bit High Color” screen

The recommended requirements are:

• Kernel 2.6 or later
• glibc 2.3.5 w/ NPTL or later
• x.org R6.7 or later
• System Memory (RAM): 512MB
• Hard Disk: 2GB free space
• Network Speed: 768 Kbits/sec
• Graphics Card: 3D-capable with 32MB of VRAM
• Screen: 1280×1024, 32 bit color

If your machine meets these, let’s move on.

Installation

You will need to download the binary installation file from the Google Earth download page. Once you have that on your hard drive (let’s assume it was downloaded to ~/Downloads) it’s time to get to work. The first steps are:

1. Open a terminal window.
2. Change to the ~/Downloads directory.
3. Issue the command chmod u+x GoogleEarthLinux.bin to give the file executable permissions.
4. Issue the command sudo ./GoogleEarthLinux.bin to start the installation process.

NOTE: If you are not on a machine that uses sudo then remove sudo from the command in line four above and, instead, su to the root user for installation.

Figure 1

After you issue the command for installation the GUI install window will appear (see Figure 1). In this window you need to configure the

Install path: This is where you want the package to be installed.

Symbolic link: Do you want to create a global executable in /usr/local/bin (You want to do this, otherwise the executable for the application will not be global).

Binary path: Where do you want the symbolic link to be placed.

The defaults, in most cases, should work fine, so click the Begin Install button which will start the installation. The installation should only take a few seconds and you will be ready to go. Upon completion of installation the installer will allow you to start the program by clicking the Start button. If you don’t want to run it then you can always use the command googleearth to start Google Earth.

Final thoughts

In my experience Google Earth on Linux runs as well as it does on any other platform. And, as you can see, the installation is nearly as simple. Do enjoy your Google Earth experience.

Oh sure you can use Samba to take this task on, but you better be prepared for some serious configuration and work. With Likewise-Open5 that job is made significantly easier. Now I understand that with the upcoming major release of Samba, joining a domain should be much simpler. But with the tools we have now, Likewise-Open5 is your best bet. In this article I will show you how to join a Windows domain using a Ubuntu box.

Installation

Installing Likewise-Open5 is simple. Although there is a GUI that comes along with Likewise-Open5, we are going to install and use the CLI tool. Why? It’s more reliable. So for installation open up a terminal window and issue the  following command:

sudo apt-get install likewise-open5

That command should pick up all the necessary dependencies and have you ready to join i no time.

What you need

In order to connect to your domain, you will need the following information:

• Domain name: This is the domain name (FQDN) of the domain you want to join.
• DNS: Although you may be tempted to use something like OpenDNS, you will want to use the DNS used on your domain.
• Access: You will need to have an account that is able to join your domain.

You will also need some more information for configuring Sudo later.

Joining

To join the domain, the command you want to use looks like this:

sudo domainjoin-cli join DOMAIN USER

Where DOMAIN is the domain you want to join and USER is the username that has rights to join said domain.

You will be prompted for your password. Once you have authenticated, you have officially joined that domain.

Now, let’s set Likewise-Open to use this domain as the default domain. This will mean you can actually log into your domain from your Ubuntu login screen. In other words, you will automatically be joined upon boot. To do this open up the file /etc/samba/lwiauthd.conf and add the following line:

windbind use default domain = yes

Now, restart the daemon with the command /etc/init.d/likewise-open restart and all is well.

Leaving

If you want to leave the domain, just issue the following command:

sudo domainjoin-cli leave

Sudo

One thing you will notice is that, when you have logged in under the domain, your user has no sudo rights. In order to get around this you need to log into your machine as your standard user and edit your /etc/sudoers file. But at this point you need one more bit of information. You need to know the Group your user is a member of in Active Directory. Most likely this is Users. If that doesn’t work, contact your IT department and they should be able to tell you.

In the /etc/sudoers file, look for this line:

#Members of the Admin group may gain root privileges and do the following:

and append the following under it:

%DOMAIN\\GROUP ALL=(ALL) ALL

Where DOMAIN is the actual domain and GROUP is the group your user belongs to. Now if you log out and log back in your domain user should have sudo rights.

Final thoughts

Linux has come a long, long way. And I have confidence this process will soon become a part of either the installation or be included as an easy to use wizard. But for now, it’s no longer a harrowing experience to join a Windows domain.

But what if, as a system administrator, you add a new user and want to give them similar sudo rights? How do you go about doing this? Could you just open the /etc/sudoers file in your favorite text editor and make some changes? No. There is another tool that you must use called visudo. The reason for this is that the visudo command ensures that only one person can edit the /etc/sudoers file at a time (in order to avoid any possible security or user-induced overwriting issues). As the name might imply, visudoers will default to the vi editor. But if you have set up your installation to use a different editor (such as nano), visudoers will default to that. With that in mind, let’s make some changes!

As you might expect, you can’t just issue the visudo command without using sudo itself. So to actually open your /etc/sudoers file with visudo you must issue the command (from within a terminal window):

sudo visudo

NOTE: If you have Phil Collin’s song Susudio playing in the background, you will still have to use sudo when using the visudo command.

When you open visudo you will immediately notice it is not an overly huge file (approximately 25 lines long).  You will also notice near the end a section that looks like:

# %sudo ALL=NOPASSWD: ALL

You might be tempted to uncomment this out so you no longer have to type that sudo password. DO NOT DO THIS or you will compromise the security of your system.

There is a line a few lines above this that looks like:

root ALL=(ALL) ALL

What you need to do is mimic this line just below it with the new line to include your new user. This new line will look like:

username ALL=(ALL) ALL

Where username is the actual username you have added.

Isn’t there a GUI?

Figure 1

Yes, there is. If you go to the Administration sub-menu of the System menu and select Users and Groups you can unlock this tool (click the “Keys” button and enter your password). Now select the user you want to modify and click the Properties button. Figure 1 shows a new user without Administrative (sudo) rights. Click the check box next to Administer the system and then click OK.  This user should now have the same rights as they would have by using the visudo command.

Me? I prefer doing things the command-line way, simply because I feel there is more control. But if you prefer the GUI path, you can have that as well.

Final thoughts

As always, use caution when giving users administrative rights. If you don’t trust their skills or their motivations, don’t give them the ability to bring down your system.

Now as an administrator of a Linux system, the sudo utility is a great way to manage user permissions with regards to access (especially with regard to applications). Say, for example, you have a specific executable file placed in /usr/sbin that you want your standard users to be able to use along with the ability to use the tools in the whole /usr/bin. Or say you have one specific user on your system that you want to give full administrative access to. This can all be done with the help of sudo. Let’s see how.

A quick intro

If you’re not familiar with sudo, let me give you a quick synopsis. The sudo tool allows you to effectively execute a command as a user with the security pirvileges of another user. Most often, as in Ubuntu, this allows a standard user to issue commands with administrative privileges. The basic command is issued like this:

sudo COMMAND

Where COMMAND is the command you want to run. You will then be prompted for your user password. Of course you don’t need to use sudo if you are running standard commands that do not require administrative privileges.

Sudo configuration

Sudo is configured with the help of a single file: /etc/sudoers. When you look at this file you will most likely be a bit tentative to make any changes. Fortunately the changes we are going to make are fairly basic. You do have to use sudo to make changes to the sudoers file. So to open this file with the nano editor you would issue the command:

sudo nano /etc/sudoers

and then give your user password.

Add a user for all administrative privileges

To add an already existing user to this file you would add a line in the main section. This “main” section can be found by searching for the root entry which looks like:

root ALL=(ALL)     ALL

Not only is that the line you are looking for, it is also the structure of the line you will add. Let’s say you want to add the user onichan to give her administrative rights with sudo. To do this the line would look like:

onichan     ALL=(ALL)     ALL

Now, there is one problem with adding a user like this. What a user can do is, effectively, gain access to the real, permanent root user and avoid all logging handle by sudo. So instead of the above, let’s give onichan permission to execute commands in specific directories. We’ll give her pemission to run commands in the following:

• /usr/sbin/
• /sbin

This entry will look like:

onichan ALL=/usr/sbin, /sbin

Now user onichan can execute commands in both /usr/sbin and /sbin using sudo and giving her user password.

Final thoughts

This only skims the surface of the power of sudo. We’ll cover many more aspects of this outstanding administrative tool in later articles. But at least now you can see how sudo works and how to add users. There are other aspects of sudo that I do not recommend employing (such as the NOPASSWD feature), but every system has unique needs.

Relax. Ubuntu was created so that “su” access wasn’t necessary. Instead Ubuntu employes the “sudo” utility which adds the standard user to the administrative group. Why did they do this? Simple. Ubuntu’s goal is to make their distribution the most user-friendly available. To that end the developers felt it necessary to “remove” the root user because the average user had little to no experience with such a beast. The average user certainly didn’t have to have “root” privileges to get around in the Windows operating system. Ubuntu figured this was the way to go. There were two ways around this – make the standard user a root user or just emply sudo and create an administrative group the standard user would belong to. Now the standard user could undertake admin tasks without having to understand the concept of a standard user versus a root user.

When you install Ubuntu you created a user and that user has a password. To handle most any “administrative” task all they have to do is use the “sudo” command so they can run commands as a different (in this case the administrative) user.

So if you want to issue a command that requires administrative access you would issue it by way of the sudo command like so:

sudo ADMIN_TASK

Where ADMIN_TASK is the actual administrative task you want to run. When you hit enter you will be asked for your password, at which point you will enter your standard user password.

But What About “su”?

I have run into instances where I have wanted to have actual root access. Although I don’t really recommend this (It is actually best to stick with the setup Ubuntu has created), you can create a root password by issuing the command:

sudo passwd root

When you press enter you will be prompted (twice) for a new password. Once you enter the password the second time your root password will be ready to use.

/etc/sudoers

The /etc/sudoers file is where you configure sudo. This file shouldn’t really be monkied with as the default should work perfectly for you. There is one particular line you should definitely avoid (of course I have to point it out so you will know which one to avoid.) Take a look at this line:

# %sudo ALL=NOPASSWD: ALL

You probably have a good guess as to what that line would do if it were uncommented. Allow the sudo user access to root privileges without having to use a password. This should remain commented out so this option isn’t available.

Final Thoughts

The Ubuntu distribution has created one of the most user-friendly setups in Linux land. Taking advantage of sudo is one of the many ways Ubuntu achieves such a state. Understanding the sudo system will keep new Ubuntu users from pulling out their hair as they attempt to gain root privileges. New users? Nothing to see here…just go about your business. ;-)

An owner of a computer surely wants to install software on it even if he is running as a limited user. This is where the problem starts. The Run As command can be used to run applications as a different user. The major problem is that you have to provide the username and password for that user to be able to run the selected application. This data can be easily logged by a keylogger.

Surun uses its own Windows service that adds the user to the group of administrators during program start and removes him automatically from that group again. The user, not the administrator, will be asked on a secure desktop that only services may access if he wants to run the program and if he confirms that the application will be started. Programs are started with a right-click and the selection of Run as Administrator.

Surun comes with lots of settings and a huge configuration. Each application that was once started with Surun can be added to a list of applications that are started without the prompt from then on.