Understanding Ubuntu Users



#1 double.emms


Posted 08 May 2009 - 09:14 PM

I recently began having trouble with my primary user account on an Ubuntu 9.04 box. While working on the problem, I added another account of the type 'Desktop User' so I'd have a functional account to search from and try things. When I attempted to open the users-admin applet I was surprised to find that I couldn't. So I made another account and made sure that it included Administrative privileges. Again, no dice.

I tried running gksu/gksudo users-admin but each time I get the same results. So, I started reading and discovered that Ubuntu gives special privileges to the initial user account created. So, even running gksudo, and even when a user group has been granted admin privileges, you still can't get into the system configs unless you are issuing the gksu commands from the initial user account. Running gksudo will bring up the users-admin applet, but with no power--the option to unlock or change settings is disabled. Seems like I'm missing a few things.

What do you do when your initial user account is the one with the problems? How can you replace it?
What's the point in being able to grant admin rights or use gksudo if things have to be run from the initial account? Is there no way to grant privs to a 2nd account?
Why can I not recreate an account of the same name after it has been deleted?

If someone can point me in the right direction, I'm having trouble finding clear information on the subject. I have found a number of people getting similar error messages, but I have yet to find any explanation of the differences in user privileges. I'll be happy to rtfm, but as of now, I have yet to find the correct fm to r. Any help will be greatly appreciated.

#2 Ohm


Posted 08 May 2009 - 09:26 PM

Hit Ctrl-Alt F1, log in as your first user. It won't fail here (and if it does, you have a big problem). Now just add your second user to the admin group like sudo usermod -aG admin yourotherusername.

Alternatively, you can just clear all your configuration files.

cd
mkdir olddot
mv .* olddot

You can then move select things (like your firefox config, maybe pidgin config, etc) out from olddot back into your home directory.

Maybe you can elaborate on the problem you're having?

Edit: Oh, when you're done on the console, hit Ctrl-Alt F7 to get back to the GUI.

#3 double.emms


Posted 08 May 2009 - 09:56 PM

Thanks for the quick reply Ohm.

I tried both suggestions but to no avail. The usermod command seemed to work without a hitch but the 2nd account did not gain any privileges. When I tried to open the users panel I still got 'The configuration could not be loaded--You are not allowed to access the system configuration.'

So I tried to move all the configs to an olddot dir but I got the error that some files couldn't be moved because they were in use. So I tried making sure I was logged out of the 1st account and then doing a sudo mv but it said it couldn't because the directories weren't empty.

The initial problem with the primary account is that compositing quit working. I'm not sure exactly what I did to compiz (nothing as far as I could tell) but it quit compositing. Then as I was attempting to troubleshoot the problem I became aware of a lack of understanding regarding the user privileges on my system. If you need any more info I'll be happy to clarify as best I can.

#4 systems_glitch


Posted 08 May 2009 - 10:06 PM

I'm not sure if it's handled differently under Ubuntu, but under most other *nix systems, users must be members of the group "wheel" to use su, etc. To check, log in with your user account, and issue the "groups" command -- you'll get a list.

#5 double.emms


Posted 08 May 2009 - 10:27 PM

I don't see wheel but I can sudo. Usually if you don't have sudo privileges and you try it you get the 'not on sudoers....this will be reported' bit. Sudo works to launch the applet, it just comes up neutered.

#6 eth0s


Posted 08 May 2009 - 11:10 PM

Is the target directory empty? I wonder if it won't move * because it already placed some files from when the other user account was still logged in. Is there a mv -r option?

I would just cp * into the new directory and rm -r the old ones to avoid mv conflicts and make sure nothing gets lost on a hangup.

#7 double.emms


Posted 08 May 2009 - 11:33 PM

When I use cp instead of mv it omits the same directories that it wouldn't mv in the first place: ., .., .gconf, .gconfd, .mozilla. There's clearly something about this whole scenario that I'm missing.

As a user in the admin group, I can sudo but it's not unlocking the users-admin panel. I can sudo adduser or sudo deluser just fine.

#8 double.emms


Posted 09 May 2009 - 12:30 AM

Strike that. It refused to touch those aforementioned directories, but that didn't turn out to be a problem. The right configs were moved and new ones were generated solving the original problem. So, thank you very much Ohm.

I still don't understand what the system uses to determine the privs of the special initial user account. Is it maybe the user number? Any account in the admin group can sudo because the sudoers list says so, but what difference would it make to lock out the graphical admin panels if you can still effect the same changes by command line? Anyway, I had no idea that Ubuntu treated the initial account any differently until this happened, so I guess I learned something new.

#9 eth0s


Posted 09 May 2009 - 03:31 PM

That's a good question I'd like to know too.

I know that some things I cannot even sudo but if I sudo su, then do it as a super user it works. Strange behavior this Ubuntu.

#10 .solo


Posted 20 May 2009 - 12:16 AM

> Strike that. It refused to touch those aforementioned directories, but that didn't turn out to be a problem. The right configs were moved and new ones were generated solving the original problem. So, thank you very much Ohm.
>
> I still don't understand what the system uses to determine the privs of the special initial user account. Is it maybe the user number? Any account in the admin group can sudo because the sudoers list says so, but what difference would it make to lock out the graphical admin panels if you can still effect the same changes by command line? Anyway, I had no idea that Ubuntu treated the initial account any differently until this happened, so I guess I learned something new.



Everyone seems to be forgetting about the sudoers file. Try looking at the visudo command, which is essentially a specialized editor for the sudoers config file.
sudo visudo

Here is an excerpt that may clarify:

# User privilege specification
root ALL=(ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

As you can see, this is what governs a user's ability to sudo. If you want a user to have full sudo power like the initial user in Ubuntu, you can add a line such as 'username ALL=(ALL) ALL' or, if you want to customize what sudoing power a user has, the documentation should show you how.
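
The sudoers excerpt in post #10 turned into an audit, as an added example that is not part of any post in this thread: it lists every account that ends up with an unrestricted rule, expanding %group entries through a group file. The group file contents and the accounts emms and guest2 are constructed, and the parser assumes the simple rule form quoted above (no aliases or include files).

```shell
#!/bin/sh
# Added example, not from the thread: list the accounts that get an
# unrestricted "ALL=(ALL) ALL" rule, expanding %group rules through a
# group database. Simplified: no aliases, no #include files, no
# primary-group lookup in /etc/passwd.

# full_sudo_users SUDOERS_FILE GROUP_FILE  ->  one account per line, sorted
full_sudo_users() {
    awk '
        # First file read: group database, "name:passwd:gid:user,user"
        FILENAME == ARGV[1] { split($0, f, ":"); members[f[1]] = f[4]; next }
        # Sudoers file: skip blank lines and comments
        NF == 0 || $1 ~ /^#/ { next }
        # Unrestricted rules only: WHO ALL=(ALL) ALL
        $2 ~ /^ALL=\(ALL(:ALL)?\)$/ && $3 == "ALL" && NF == 3 {
            if (substr($1, 1, 1) == "%") {
                n = split(members[substr($1, 2)], m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
            } else {
                print $1
            }
        }
    ' "$2" "$1" | sort -u
}

# Constructed sample: the sudoers excerpt quoted above plus a made-up
# group file (emms and guest2 are hypothetical accounts).
demo_full_sudo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/sudoers" <<'EOF'
# User privilege specification
root ALL=(ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
EOF
    cat > "$dir/group" <<'EOF'
root:x:0:
adm:x:4:emms
admin:x:115:emms,guest2
www-data:x:33:
EOF
    full_sudo_users "$dir/sudoers" "$dir/group"
    rm -rf "$dir"
}

demo_full_sudo
```

On a real system the sudoers file is readable only by root, so the function has to be run with root privileges against /etc/sudoers and /etc/group.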

#11 Ohm


Posted 20 May 2009 - 02:56 AM

Right, we went over that. Rather than editing the sudoers file, simply add your user to the admin group. This wasn't what he was looking for though, it appears.

I've just thought of something. You inherit the group ownership of the process that spawned all your current processes. In other words, when you log in, you inherit the groups you belong to. If you then add another group to the groups you belong to, you have to log out and in again for this to be reflected. If you didn't do that, it's possible your admin GUI tools won't work.
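
An added example, not part of any post in this thread, for the login-session point in post #11: it compares the groups a running session holds with what the account database grants now. It goes one step further than the post by also reporting groups that were removed from the account but are still held by the open session. The function names and the sample account guest2 are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Compares the groups a running
# session holds with the groups the account database grants now.

# only_in "LIST A" "LIST B" -> words of A that do not appear in B
only_in() {
    out=""
    for g in $1; do
        case " $2 " in
            *" $g "*) ;;                    # present in both lists
            *) out="${out:+$out }$g" ;;
        esac
    done
    printf '%s' "$out"
}

# session_report "LIVE GROUPS" "DATABASE GROUPS"
session_report() {
    pending=$(only_in "$2" "$1")    # granted, but not in this session yet
    lingering=$(only_in "$1" "$2")  # revoked, but this session still has it
    [ -n "$pending" ] && echo "pending until next login: $pending"
    [ -n "$lingering" ] && echo "still held until logout: $lingering"
    [ -z "$pending$lingering" ] && echo "session matches the database"
    return 0
}

# Constructed sample: a session opened before "usermod -aG admin" was run.
session_report "guest2 cdrom plugdev" "guest2 cdrom plugdev admin"

# On a live system, feed it the real values:
#   session_report "$(id -Gn)" "$(id -Gn "$(id -un)")"
```

Here `id -Gn` with no argument reports the groups of the current process, while `id -Gn NAME` reads them from the account database.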

#12 friendless


Posted 21 May 2009 - 02:10 PM

> I'm not sure if it's handled differently under Ubuntu, but under most other *nix systems, users must be members of the group "wheel" to use su, etc. To check, log in with your user account, and issue the "groups" command -- you'll get a list.


I think the wheel group is existent on most distributions (some not); however, only certain ones grant it access to SUDO (aka configured). I want to say for security reasons, but I am not sure. I know all BSDs I have used make use of the wheel group.

#13 Ohm


Posted 21 May 2009 - 04:48 PM

We already went over this as well :P

It's called the admin group on Ubuntu. The only difference is the name is not cryptic. Wheel? What is that supposed to mean? And the reason for this group is obvious: so you can place users who should have full sudo access in it. Otherwise, if all users had sudo access, your apache user could have an easy route to become root. Not good.



