Linux Format - UK (2020-03)

http://www.techradar.com/pro/linux March 2020 LXF260 13

ANSWERS

Q

Restricted root

For complicated reasons I need a

user to be able to install packages, but

not have write access to the host’s file.

One method would be to install software

without root, but that looks beyond

my abilities or is likely to cause some

additional glitchiness.

I had another idea involving

permissions but I am not terribly clear

on how permissions work. Would I be

able to assign write permissions for

/etc/hosts to a user that is not root and

then restrict root (and by extension the

system) to only being able to read the

file and not write to it? Is it even possible

to restrict root’s access to things? I am

using Ubuntu 19.10.

Luna

A

You cannot restrict root with

permissions, that’s why they are

called the superuser. Even if a file has no

permissions set, root can still read and

write it. The program you need is the one

you already use to administer the system

yourself, sudo. This gives root access to

users to carry out certain tasks. Ubuntu

gives full sudo rights to the first user

created so they can administer the system.

However, sudo gives far more fine-grained

control than that and can allow specific

users to only run certain programs as root.

The file that controls this behaviour is

/etc/sudoers. This can only be edited as

root, but you should not edit it directly. The

reason for that is that if you make a

mistake when editing it, you could lock

yourself out of sudo, leaving you with no

way to correct the situation except to

reboot from a live CD. You should use the

visudo command in a terminal:

$ sudo visudo

This makes a copy of sudoers and passes

that to your preferred editor. When you exit

the editor it checks that the syntax of the

file is correct before replacing the original

/etc/sudoers file with the edited copy.

You need to add

user2 ALL = /usr/sbin/synaptic, /usr/bin/

apt

This allows user2 to run Synaptic or apt,

but nothing else. Commands are listed,

separated by commas. Sudo requires the

full path to be specified in /etc/sudoers.

This is a security feature, otherwise you

could put anything you want in a script

called apt in your user’s path and run it

with root privileges. If that script contained

/bin/bash you’d have full root access.

You can restrict things further if you

wish by specifying more than just the

command name. For example

user2 ALL = /usr/sbin/synaptic, /usr/bin/

apt install

would only allow apt to be run with the

install option. You cannot add this sort of

restriction to Synaptic, so if you wanted to

limit things to this extent, you would need

to exclude the use of Synaptic.

All of this applies to installing software

from the package manager, but you can

also use it to allow software to be installed

from source; using the standard

$ ./configure && make && sudo make

install

by using this line in /etc/sudoers:

user2 ALL = /usr/bin/apt install, /usr/bin/

make install

However, this would allow the user to

install anything they want, including

something to circumvent your controls, so

use with care unless you completely trust

the user – and if that was the case why

would you be restricting them from /etc/

hosts in the first place?

Q

Missing modem

I bought a second-hand ADSL

modem/router. I connected my

computer to it but I cannot connect to

the router’s web interface. I have tried

a variety of IP addresses, all the usual

ones, but none of them work. I did hear

that some of these modems are locked

to a specific ISP, would that be the cause

of my problem?

Dale

A

Some ISPs do supply hardware that

is locked to their system, so that

they can remote manage it when you call

support with a problem. That may be the

case here, but it has nothing to do with

being unable to connect to the LAN side of

the router.

The first thing to do with a used device

like this is to do a full reset to get rid of the

previous settings. For routers, a 30-30-

reset it recommended. To do this you hold

down the reset button for 30 seconds,

then unplug the power source for another

30 seconds. You then power it back on,

with the reset button held in for a further

30 seconds.

Now connect your computer to it using

a wired connection, as wireless won’t be

set up after a reset. In many cases, the IP

address to use is printed on the bottom of

the router, otherwise search the web for a

manual for the device and check that. If all

else fails, your computer will usually have

connected using DHCP – if you are

currently using static settings, switch to

DHCP for the time being. When the

computer sends out a DHCP query, the

response includes more than an address

for it to use. Among other things it includes

the gateway address, the address through

which to send all traffic destined for

outside of the network. This will be the

address of the modem, so run

$ sudo route -n

in a terminal and look for the gateway

address in the line starting 0.0.0.0. This

A QUICK REFERENCE TO RANDOM CRASHES

Nothing’s more infuriating than random

computer crashes. If it is reproducible,

you have somewhere to start looking,

but if it happens at any time and using

any software, where do you begin?

If it happens regardless of the

software you are using, it may be a

hardware problem. If you have a spare

PSU, try swapping that. Desktop PSUs

can vary greatly in quality, and the

cheaper ones can cause the sort of

power glitches that will crash a

computer. They can also damage

components that cost several times

more than a new PSU. If it’s a laptop, the

battery may be on the way out. If the

computer doesn’t run reliably on

battery power alone, look for a

replacement battery.

The other common culprit is faulty

memory – not all of it, just a few bytes.

Most of the time things work fine, until

something uses those bytes and boom!

Testing memory on a running system is

unreliable as you cannot test anything

the system needs, so use Memtest86+.

This is a bootable system that uses the

absolute minimum of RAM for itself,

leaving the rest available for testing.

Memtest86+ runs a comprehensive

series of tests and takes a while to run,

but even that is not enough. Because

such problems can be transient, there is

a chance of faulty memory passing on a

single run, so let it run for at least two

passes and preferably overnight.

If neither of these show anything,

you may have a problem with some core

software. If you use a popular distro,

that is unlikely without others also being

affected. One other possibility is a dirty

mains supply – voltage spikes or drops

can trigger a reboot. Some sort of

power smoothing, like a UPS

(uninterruptible power supply) can

eradicate such issues. A UPS is a wise

investment if you use your computer for

any sort of work, as such crashes seem

to always happen just before you were

about to save or back up!

1112March 0 h2rGotbhGtunigq March 2020 LXF260 13

ANSWERS

Q

Restricted root
For complicated reasons I need a
user to be able to install packages, but
not have write access to the host’s file.
One method would be to install software
without root, but that looks beyond
my abilities or is likely to cause some
additional glitchiness.
I had another idea involving
permissions but I am not terribly clear
on how permissions work. Would I be
able to assign write permissions for
/etc/hosts to a user that is not root and
then restrict root (and by extension the
system) to only being able to read the
file and not write to it? Is it even possible
to restrict root’s access to things? I am
using Ubuntu 19.10.
Luna

A

You cannot restrict root with
permissions, that’s why they are
called the superuser. Even if a file has no
permissions set, root can still read and
write it. The program you need is the one
you already use to administer the system
yourself, sudo. This gives root access to
users to carry out certain tasks. Ubuntu
gives full sudo rights to the first user
created so they can administer the system.
However, sudo gives far more fine-grained
control than that and can allow specific
users to only run certain programs as root.
The file that controls this behaviour is
/etc/sudoers. This can only be edited as

root, but you should not edit it directly. The

reason for that is that if you make a

mistake when editing it, you could lock

yourself out of sudo, leaving you with no

way to correct the situation except to

reboot from a live CD. You should use the

visudo command in a terminal:

$ sudo visudo

This makes a copy of sudoers and passes

that to your preferred editor. When you exit

the editor it checks that the syntax of the

file is correct before replacing the original

/etc/sudoers file with the edited copy.

You need to add

user2 ALL = /usr/sbin/synaptic, /usr/bin/

apt

This allows user2 to run Synaptic or apt,

but nothing else. Commands are listed,

separated by commas. Sudo requires the

full path to be specified in /etc/sudoers.

This is a security feature, otherwise you

could put anything you want in a script

called apt in your user’s path and run it

with root privileges. If that script contained

/bin/bash you’d have full root access.

You can restrict things further if you

wish by specifying more than just the

command name. For example

user2 ALL = /usr/sbin/synaptic, /usr/bin/

apt install

would only allow apt to be run with the

install option. You cannot add this sort of

restriction to Synaptic, so if you wanted to

limit things to this extent, you would need

to exclude the use of Synaptic.

All of this applies to installing software

from the package manager, but you can

also use it to allow software to be installed

from source; using the standard

$ ./configure && make && sudo make

install

by using this line in /etc/sudoers:

user2 ALL = /usr/bin/apt install, /usr/bin/

make install

However, this would allow the user to

install anything they want, including

something to circumvent your controls, so

use with care unless you completely trust

the user – and if that was the case why

would you be restricting them from /etc/

hostsinthefirstplace?

Q

Missing modem

I bought a second-hand ADSL

modem/router. I connected my

computer to it but I cannot connect to

the router’s web interface. I have tried

a variety of IP addresses, all the usual

ones, but none of them work. I did hear

that some of these modems are locked

to a specific ISP, would that be the cause

of my problem?

Dale

A

Some ISPs do supply hardware that

is locked to their system, so that

they can remote manage it when you call

support with a problem. That may be the

case here, but it has nothing to do with

being unable to connect to the LAN side of

the router.

The first thing to do with a used device

like this is to do a full reset to get rid of the

previous settings. For routers, a 30-30-

reset it recommended. To do this you hold

down the reset button for 30 seconds,

then unplug the power source for another

30 seconds. You then power it back on,

with the reset button held in for a further

30 seconds.

Now connect your computer to it using

a wired connection, as wireless won’t be

set up after a reset. In many cases, the IP

address to use is printed on the bottom of

the router, otherwise search the web for a

manual for the device and check that. If all

else fails, your computer will usually have

connected using DHCP – if you are

currently using static settings, switch to

DHCP for the time being. When the

computer sends out a DHCP query, the

response includes more than an address

for it to use. Among other things it includes

the gateway address, the address through

which to send all traffic destined for

outside of the network. This will be the

address of the modem, so run

$ sudo route -n

in a terminal and look for the gateway

address in the line starting 0.0.0.0. This

AQUICKREFERENCETORANDOMCRASHES

Nothing’smoreinfuriatingthanrandom

computercrashes.Ifitisreproducible,

youhavesomewheretostartlooking,

butifithappensatanytimeandusing

anysoftware,wheredoyoubegin?

Ifithappensregardlessofthe

softwareyouareusing,itmaybea

hardwareproblem.Ifyouhaveaspare

PSU,tryswappingthat.DesktopPSUs

canvarygreatlyinquality,andthe

cheaperonescancausethesortof

powerglitchesthatwillcrasha

computer.Theycanalsodamage

componentsthatcostseveraltimes

morethananewPSU.Ifit’salaptop,the

batterymaybeonthewayout.Ifthe

computerdoesn’trunreliablyon

batterypoweralone,lookfora

replacementbattery.

Theothercommonculpritisfaulty

memory–notallofit,justafewbytes.

Mostofthetimethingsworkfine,until

somethingusesthosebytesandboom!

Testingmemoryonarunningsystemis

unreliableasyoucannottestanything

thesystemneeds,souseMemtest86+.

Thisisabootablesystemthatusesthe

absoluteminimumofRAMforitself,

leavingtherestavailablefortesting.

Memtest86+runsacomprehensive

seriesoftestsandtakesawhiletorun,

buteventhatisnotenough.Because

suchproblemscanbetransient,thereis

achanceoffaultymemorypassingona

singlerun,soletitrunforatleasttwo

passesandpreferablyovernight.

Ifneitheroftheseshowanything,

youmayhaveaproblemwithsomecore

software.Ifyouuseapopulardistro,

thatisunlikelywithoutothersalsobeing

affected.Oneotherpossibilityisadirty

mainssupply–voltagespikesordrops

cantriggerareboot.Somesortof

powersmoothing,likeaUPS

(uninterruptiblepowersupply)can

eradicatesuchissues.AUPSisawise

investmentifyouuseyourcomputerfor

anysortofwork,assuchcrashesseem

toalwayshappenjustbeforeyouwere

abouttosaveorbackup!