Sign in to follow this  
Followers 0
cidViscous

Understanding Ubuntu Users

13 posts in this topic

I recently began having trouble with my primary user account on an Ubuntu 9.04 box. While working on the problem, I added another account of the type 'Desktop User' so I'd have a functional account to search from and try things. When I attempted to open the users-admin applet I was surprised to find that I couldn't. So I made another account and made sure that it included Administrative privileges. Again, no dice.

I tried running gksu/gksudo users-admin but each time I get the same results. So, I started reading and discovered that Ubuntu gives special privileges to the initial user account created. So, even running gksudo, and even when a user group has been granted admin privileges, you still can't get into the system configs unless you are issuing the gksu commands from the initial user account. Running gksudo will bring up the users-admin applet, but with no power--the option to unlock or change settings is disabled. Seems like I'm missing a few things.

What do you do when your initial user account is the one with the problems? How can you replace it?

What's the point in being able to grant admin rights or use gksudo if things have to be run from the initial account? Is there no way to grant privs to a 2nd account?

Why can I not recreate an account of the same name after it has been deleted?

If someone can point me in the right direction, I'm having trouble finding clear information on the subject. I have found a number of people getting similar error messages, but I have yet to find any explanation of the differences in user privileges. I'll be happy to rtfm, but as of now, I have yet to find the correct fm to r. Any help will be greatly appreciated.

0

Share this post


Link to post
Share on other sites

Hit Ctrl-Alt F1, log in as your first user. It won't fail here (and if it does, you have a big problem). Now just add your second user to the admin group like sudo usermod -aG admin yourotherusername.

Alternatively, you can just clear all your configuration files.

cd
mkdir olddot
mv .* olddot

You can then move select things (like your firefox config, maybe pidgin config, etc) out from olddot back into your home directory.

Maybe you can elaborate on the problem you're having?

Edit: Oh, when you're done on the console, hit Ctrl-Alt F7 to get back to the GUI.

0

Share this post


Link to post
Share on other sites

Thanks for the quick reply Ohm.

I tried both suggestions but to no avail. The usermod command seemed to work without a hitch but the 2nd account did not gain any privileges. When I tried to open the users panel I still got 'The configuration could not be loaded--You are not allowed to access the system configuration.'

So I tried to move all the configs to an olddot dir but I got the error that some files couldn't be moved because they were in use. So I tried making sure I was logged out of the 1st account and then doing a sudo mv but it said it couldn't because the directories weren't empty.

The initial problem with the primary account is that compositing quit working. I'm not sure exactly what I did to compiz (nothing as far as I could tell) but it quit compositing. Then as I was attempting to troubleshoot the problem I became aware of a lack of understanding regarding the user privileges on my system. If you need any more info I'll be happy to clarify as best I can.

0

Share this post


Link to post
Share on other sites

I'm not sure if it's handled differently under Ubuntu, but under most other *nix systems, users must be members of the group "wheel" to use su, et c. To check, log in with your user account, and issue the "groups" command -- you'll get a list.

0

Share this post


Link to post
Share on other sites

I don't see wheel but I can sudo. Usually if you don't have sudo privileges and you try it you get the 'not on sudoers....this will be reported' bit. Sudo works to launch the applet, it just comes up neutered.

0

Share this post


Link to post
Share on other sites

Is the target directory empty? I wonder if it won't move * because it already placed some files from when the other user account was still logged in. Is there a mv -r option?

I would just cp * into the new directory and rm -r the old ones to avoid mv conflicts and make sure nothing gets lost on a hangup.

0

Share this post


Link to post
Share on other sites

When I use cp instead of mv it omits the same directories that it wouldn't mv in the first place. . , .. , .gconf , .gconfd , .mozilla. There's clearly something about this whole scenario that I'm missing.

As a user in the admin group, I can sudo but it's not unlocking the users-admin panel. I can sudo adduser or sudo deluser just fine.

0

Share this post


Link to post
Share on other sites

Strike that. It refused to touch those aforementioned directories, but that didn't turn out to be a problem. The right configs were moved and new ones were generated solving the original problem. So, thank you very much Ohm.

I still don't understand what the system uses to determine the privs of the special initial user account. Is it maybe the user number? Any account in the admin group can sudo because the sudoers list says so, but what difference would it make to lock out the graphical admin panels if you can still effect the same changes by command line? Anyway, I had no idea that Ubuntu treated the initial account any differently until this happened, so I guess I learned something new.

0

Share this post


Link to post
Share on other sites

That's a good question I'd like to know too.

I know that some things I cannot even sudo but if I sudo su, then do it as a super user it works. Strange behavior this Ubuntu.

0

Share this post


Link to post
Share on other sites
Strike that. It refused to touch those aforementioned directories, but that didn't turn out to be a problem. The right configs were moved and new ones were generated solving the original problem. So, thank you very much Ohm.

I still don't understand what the system uses to determine the privs of the special initial user account. Is it maybe the user number? Any account in the admin group can sudo because the sudoers list says so, but what difference would it make to lock out the graphical admin panels if you can still effect the same changes by command line? Anyway, I had no idea that Ubuntu treated the initial account any differently until this happened, so I guess I learned something new.

Everyone seems to be forgetting about the sudoers file. Try looking at the visudo command, which is essential a specialized editor for the sudoers config file.

sudo visudo

Here is an excerpt that may clarify:

# User privilege specification

root ALL=(ALL) ALL

# Members of the admin group may gain root privileges

%admin ALL=(ALL) ALL

As you can see this is what governs a users ability to sudo, if you want a user to have full sudo power like the initial user in Ubuntu you can add a line such as 'username ALL=(ALL) ALL' or, if you want to customize what sudoing power a user has, the documentation should be show you how.

1

Share this post


Link to post
Share on other sites

Right, we went over that. Rather than editing the sudoers file, simply add your user to the admin group. This wasn't what he was looking for though, it appears.

I've just thought of something. You inherit the group ownership of the process that spawned all your current processes. In other words, when you log in, you inherit the groups you belong to. If you then add another group to the groups you belong to, you have to log out and in again for this to be reflected. If you didn't do that, it's possible your admin GUI tools won't work.

0

Share this post


Link to post
Share on other sites
I'm not sure if it's handled differently under Ubuntu, but under most other *nix systems, users must be members of the group "wheel" to use su, et c. To check, log in with your user account, and issue the "groups" command -- you'll get a list.

I think the wheel group is existent on most distributions (some not) however only certain ones grant it access to SUDO (aka configured), I want to say for security reasons but I am not sure. I know all BSDs I have used make use of the wheel group.

0

Share this post


Link to post
Share on other sites

We already went over this as well :P

It's called the admin group on Ubuntu. The only difference is the name is not cryptic. Wheel? What is that supposed to mean? And the reason for this group is obvious: so you can place users who should have full sudo access in it. Otherwise, if all users had sudo access, your apache user could have an easy route to become root. Not good.

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0