• bitchkat@lemmy.world · 3 upvotes · 4 days ago

    Had an idiot “fix” a permission problem by running “sudo chmod -R 777 /”

    And that is why sudo privileges were removed for the vast majority of people.

    • MTK@lemmy.world · 1 upvote · 3 days ago

      seems reasonable to me, root is just a made up concept and the human owns the machine.

    • bigbuckalex@lemmy.zip · 1 upvote · 4 days ago

      Oh… That sounds like a nightmare. How do you even fix that? There’s no “revert the entire filesystem’s permissions to default” button that I’m aware of

      • bitchkat@lemmy.world · 1 upvote · 3 days ago

        I think they had to reinstall. It was part of a Hadoop cluster and that was extra finicky.

      • justme@lemmy.dbzer0.com · 0 upvotes · 4 days ago

        If you are lucky your system is atomic or has other roll back feature. Otherwise it’s reinstall time.

        I guess you could set up a fresh system, run a script that goes through each folder checking the permission and setting it on the target system.
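
The approach sketched in the comment above, written out as an added example that is not part of the thread: record mode and owner for every entry on a known-good install, then replay that manifest onto the damaged tree. The function names `capture_modes` and `apply_modes` are hypothetical, GNU coreutils `stat -c` is assumed, and ownership is only restored when run as root.

```sh
#!/bin/sh
# Added example: record modes/owners from a known-good tree, replay onto a damaged one.
# Assumes GNU coreutils `stat -c`; file names containing newlines are not supported.

# capture_modes REF_ROOT -> prints "mode/uid/gid/./relative/path", one entry per line
capture_modes() {
    ( cd "$1" && find . -xdev ! -type l -exec stat -c '%a/%u/%g/%n' {} + )
}

# apply_modes MANIFEST TARGET_ROOT -> sets FIXED to the number of entries changed
apply_modes() {
    FIXED=0
    # IFS=/ splits off the three numeric fields; the rest of the line is the path.
    while IFS=/ read -r mode uid gid path; do
        f="$2/$path"
        # Skip entries missing on the target and never chmod through a symlink.
        if [ ! -e "$f" ] || [ -L "$f" ]; then continue; fi
        # Ownership first (root only): chown can clear setuid/setgid bits.
        if [ "$(id -u)" -eq 0 ]; then chown "$uid:$gid" "$f"; fi
        if [ "$(stat -c %a "$f")" != "$mode" ]; then
            chmod "$mode" "$f" && FIXED=$((FIXED + 1))
        fi
    done < "$1"
}
```

Files that exist only on the damaged system are left untouched, so anything created after install still needs a manual review.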

  • xia@lemmy.sdf.org · 3 upvotes · 4 days ago

    Getting flashbacks of me trying to explain to a mac user why using sudo “to make it work” is why he had a growing problem of needing to use sudo… (more and more files owned by root in his home folder).

  • Sixty@sh.itjust.works · 1 upvote · 4 days ago

    sudo dolphin

    Then I act like a Windows user and go there via the GUI because I didn’t feel like learning how to use nano.

  • GreenKnight23@lemmy.world · 1 upvote · 4 days ago (edited)

    why tho?

    If it’s a file I have to modify once why would I run:

    sudo chmod 774 file.conf

    sudo chown myuser:myuser file.conf

    vi file.conf

    sudo chown root:root file.conf

    sudo chmod 644 file.conf

    instead of:

    sudo vi file.conf

    • bitchkat@lemmy.world · 1 upvote · 4 days ago

      I’ll create directories via sudo in /var/log, /var/lib etc and then chown to the user that the systemd service will be running as.

  • SleepyPie@lemmy.world · 0 upvotes · 4 days ago

    If it’s all my system should I really care about chown and chmod? Is the point that automatic processes with user names like www-data have to make edits, and need permission to do so, and that’s it?

    Newish Linux user btw

    • corsicanguppy@lemmy.ca · 1 upvote · 4 days ago

      Short answer: yes.

      One of the tenets of security is that a user or process should have only enough access to do what it needs, and then no more. So your web server, your user account, your mail server, should have exactly what they need, and usually that’s been intricately planned by the distro.

      If you subvert it you could be writing files as root that www-data now can’t read or write. This kind of error is sometimes obvious and sometimes very subtle.

      Especially if you’re new to this different access model, tread carefully.

      Great news! If you mess it up, many distros are really great at allowing you to compare permissions and reset them. The bad news is that maybe you’re not on one of those. But you could be okay.

  • juipeltje@lemmy.world · 0 upvotes · 4 days ago

    I’m not sure if that’s the joke and it flew over my head but isn’t editing with sudo what you should be doing anyway if it’s a system level file? You shouldn’t change permissions unless the file is actually supposed to be owned by your user.

    • anton@lemmy.blahaj.zone · 1 upvote · 4 days ago

      You are supposed to run sudoedit.
      This command creates a temporary copy, opens it in your editor of choice and overwrites the protected file when the temp file changes.
      That way the editor doesn’t run as root.
      You can see the difference if you run a shell command, like whoami, in vim.

  • Korthrun@lemmy.sdf.org · 0 upvotes · 4 days ago (edited)

    You mean sudoedit right? Right?

    edit: While there’s a little bit of attention on this I also want to beg you to stop doing sudo su - and start doing sudo -i you know who you are <3

    • Albbi@lemmy.ca · 0 upvotes · 4 days ago

      Why memorize a different command? I assume sudoedit just looks up the system’s EDITOR environment variable and uses that. Is there any other benefit?

      • Arthur Besse@lemmy.ml · 0 upvotes · 4 days ago

        > Why memorize a different command? I assume sudoedit just looks up the system’s EDITOR environment variable and uses that. Is there any other benefit?

        I don’t use it, but, sudoedit is a little more complicated than that.

        from man sudo:

        When invoked as sudoedit, the -e option (described below), is implied.
        
               -e, --edit
                       Edit one or more files instead of running a command.   In  lieu
                       of  a  path name, the string "sudoedit" is used when consulting
                       the security policy.  If the user is authorized by the  policy,
                       the following steps are taken:
        
                       1.   Temporary  copies  are made of the files to be edited with
                            the owner set to the invoking user.
        
                       2.   The editor specified by the policy is run to edit the tem‐
                            porary files.  The sudoers policy  uses  the  SUDO_EDITOR,
                            VISUAL  and  EDITOR environment variables (in that order).
                            If none of SUDO_EDITOR, VISUAL  or  EDITOR  are  set,  the
                            first  program  listed  in the editor sudoers(5) option is
                            used.
        
                       3.   If they have been modified, the temporary files are copied
                            back to their original location and the temporary versions
                            are removed.
        
                       To help prevent the editing of unauthorized files, the  follow‐
                       ing  restrictions are enforced unless explicitly allowed by the
                       security policy:
        
                        •  Symbolic links  may  not  be  edited  (version  1.8.15  and
                           higher).
        
                        •  Symbolic links along the path to be edited are not followed
                           when  the parent directory is writable by the invoking user
                           unless that user is root (version 1.8.16 and higher).
        
                        •  Files located in a directory that is writable by the invok‐
                           ing user may not be edited unless that user is  root  (ver‐
                           sion 1.8.16 and higher).
        
                       Users are never allowed to edit device special files.
        
                       If  the specified file does not exist, it will be created.  Un‐
                       like most commands run by sudo, the editor is run with the  in‐
                       voking  user's  environment  unmodified.  If the temporary file
                       becomes empty after editing, the user will be  prompted  before
                       it is installed.  If, for some reason, sudo is unable to update
                       a file with its edited version, the user will receive a warning
                       and the edited copy will remain in a temporary file.
        

        tldr: it makes a copy of the file-to-be-edited in a temp directory, owned by you, and then runs your $EDITOR as your normal user (so, with your normal editor config)

        note that sudo also includes a similar command which is specifically for editing /etc/sudoers, called visudo 🤪
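
The three steps and the symlink and writable-directory restrictions from the man page excerpt above, walked through as an added illustration; this is not sudo's code and not part of the thread. The function names `pick_editor` and `edit_via_copy` are hypothetical, `vi` stands in for the sudoers `editor` default, and the privileged copy-in and copy-out that sudo performs is replaced by plain `cp`.

```sh
#!/bin/sh
# Added illustration of the sudoedit steps quoted above; it is not sudo's code.
# The privileged copy-in/copy-out that sudo performs is replaced by plain cp here.

# pick_editor: SUDO_EDITOR, then VISUAL, then EDITOR ("vi" is an assumed fallback)
pick_editor() {
    echo "${SUDO_EDITOR:-${VISUAL:-${EDITOR:-vi}}}"
}

# edit_via_copy FILE -> returns 0 installed, 1 unchanged, 2 refused
edit_via_copy() {
    target=$1
    dir=$(dirname "$target")
    # Restrictions from the man page: no symlinks, no user-writable parent (unless root).
    if [ -L "$target" ]; then echo "refused: symlink" >&2; return 2; fi
    if [ "$(id -u)" -ne 0 ] && [ -w "$dir" ]; then
        echo "refused: $dir is writable by you" >&2; return 2
    fi
    tmp=$(mktemp) || return 2
    cp "$target" "$tmp"             # step 1: temporary copy owned by the invoking user
    $(pick_editor) "$tmp"           # step 2: the editor runs unprivileged on the copy
    if cmp -s "$tmp" "$target"; then
        rm -f "$tmp"; return 1      # step 3: unchanged, nothing is written back
    fi
    cp "$tmp" "$target" && rm -f "$tmp"   # step 3: install the edited copy
}
```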