Page 1 of 1

Get rid of permissions

Posted: Tue Oct 17, 2017 12:40 pm
by kaksi
One reason why I still did not move from Windows XP to Linux are permissions. When I hope it will work, bing!!! Now, I have problems with WPA2, I hoped to find help here and I want to post the wpa_supplicant.conf. In my naivety, I connected with WinSCP (BTW, it is a great program and I am not ashamed to make it hidden publicity) to RPI3 and tried to open the file. Not that easy:

Permission denied.
Error code: 3
Error message from server: Permission denied

Sure, there are solutions. Mount a stick, copy to USB. Copy the file somewhere else and change permissions. My adrenaline level raises dangerously.

BTW, on RPI2, I messed the /etc/rc/local - RPI booted and freezed, but I could connect and repair the file. On RPI3, I am not able to repair the file, question of permissions.

Where can I post "SUDO CONSIDERED HARMFUL"?

I suppose Linux gurus do not agree and beginners will hesitate to post "I have the same problem".

OK, resuming: how to minimize the permissions problem?

Re: Get rid of permissions

Posted: Tue Oct 17, 2017 12:53 pm
by jamesh
Really not sure what you are requesting.

I've found, in general, that Linux permission and setting are much easier to get on with than Windows. That said, permission are a PITA when they get in the way, but you really do need them. Computer security is important.

I have no idea what you mean when you say you need to mount a USB stick etc. Setting up Wifi permissions (WPA2) is pretty simple when running the Raspbian desktop. Click on the Wifi icon, connect to network, type in password.

If you are on the command line, you need to edit files appropriately. There is documentation on our website that tells you how to do that, or use Google.

"Sudo considered harmful" Use it with care (ie when you need it, not all the time), all will be fine.

Re: Get rid of permissions

Posted: Tue Oct 17, 2017 4:15 pm
by DougieLawson
jamesh wrote:
Tue Oct 17, 2017 12:53 pm
I have no idea what you mean when you say you need to mount a USB stick etc.
If the GUI is running USB sticks with FAT, VFAT will auto mount for user pi (read/write). NTFS things need an extra driver.

Re: Get rid of permissions

Posted: Tue Oct 17, 2017 5:23 pm
by W. H. Heydt
kaksi wrote:
Tue Oct 17, 2017 12:40 pm
Where can I post "SUDO CONSIDERED HARMFUL"?
Sudo is considered to be much less harmful that getting into a root shell...which is how it used to have to be done to run a program with root privileges. The "harmful" issue is that any time you use root privileges, you can do a lot of damage to the system if you aren't careful. IF you got rid of permissions, *everything* would carry those risks. Permissions are there for security and to protect you from yourself. Take a Pi and set up a system. Then use it while always logged in as root. Sooner or later you will do something that will seriously damage or destroy the system. The classic example being "rm -rf *" when run in the root directory (/). that gives rise to the classic..."On a clear disk, you can seek forever."

Re: Get rid of permissions

Posted: Tue Oct 17, 2017 5:32 pm
by gkaiseril
Many administrators limit the users that can use sudo by editing the sudo configuration file.

Overall Unix/Linux systems have a far more reasonable directory file control system since users can set permissions by the world of users, groups of users, and individual users by various actions like read, write, and execute.

One does not see this in the Raspberry Pi since the OS assumes the installer is an administrator. Just add a new user and login as that user and see what you can do.

Re: Get rid of permissions

Posted: Tue Oct 17, 2017 5:39 pm
by jahboater
One problem with sudo is that the more you use it, the more likely you are to end up with important files owned by root instead of being owned by user pi. Then you need sudo even more to continue working. It always ends in tears.

Re: Get rid of permissions

Posted: Tue Oct 17, 2017 5:46 pm
by gkaiseril
And that is why its use should be limited to just a few knowledgeable users and Unix/Linux provides the tools to do so, if the system is setup correctly.

Re: Get rid of permissions

Posted: Tue Oct 17, 2017 5:57 pm
by bensimmo
W. H. Heydt wrote:
Tue Oct 17, 2017 5:23 pm
kaksi wrote:
Tue Oct 17, 2017 12:40 pm
Where can I post "SUDO CONSIDERED HARMFUL"?
Sudo is considered to be much less harmful that getting into a root shell...which is how it used to have to be done to run a program with root privileges. The "harmful" issue is that any time you use root privileges, you can do a lot of damage to the system if you aren't careful. IF you got rid of permissions, *everything* would carry those risks. Permissions are there for security and to protect you from yourself. Take a Pi and set up a system. Then use it while always logged in as root. Sooner or later you will do something that will seriously damage or destroy the system. The classic example being "rm -rf *" when run in the root directory (/). that gives rise to the classic..."On a clear disk, you can seek forever."
It's just the same in Windows, to do anything you need to elevate the permissions to the Administrator (sudo as such). Which will need a password etc.

And that's for a default user, not the standard simple user who needs it for even more things.

Files, folders and users can all be given read write execute of files folders etc and added to groups and whatnot.

There is little difference bar the way it's presented as far as I can see.

Re: Get rid of permissions

Posted: Tue Oct 17, 2017 6:17 pm
by kaksi
DougieLawson wrote:
Tue Oct 17, 2017 4:15 pm
jamesh wrote:
Tue Oct 17, 2017 12:53 pm
I have no idea what you mean when you say you need to mount a USB stick etc.
If the GUI is running USB sticks with FAT, VFAT will auto mount for user pi (read/write). NTFS things need an extra driver.
Ehm.... Yes... I seldom use the GUI, so I did not think of that. (Still, copying it over network is much preferable.)

Re: Get rid of permissions

Posted: Tue Oct 17, 2017 7:18 pm
by kaksi
I quite expected the stuff about security. Some counter-arguments:

1) I am using DOS and command line under XP for 35 years. I do not say I never deleted a file by mistake - just much less that users clicking on "Are you sure?" Why? Because I learned (maybe the hard way) to think before.

2) If I except the commands ls and hostname, 80% of commands I type must be prefixed with sudo. The concept of security is gone, remains the annoyance.

i.e. the y/Enter after the DOS command del *.* is a reflex and the confirmation would never prevent me from an unwanted delete.

The same way: "You do not have the permission" results in a reflex: arrow up, prefix with sudo. (Unfortunately, it does not work over network.(Just got an idea: putty))

3) On a campus with 300 terminals and 2,000 users, I would hesitate to give the shutdown permission to everyone. The situation is a little bit different in a company with 10 employees. And you will need to draw a very detailed picture to make me understand why I need to be superuser to shutdown my RPI.

Hand on the heart: how often permissions prevented you from a disaster? And how often annoy them, especially the beginners? Make the balance sheet.

The system was not so bad under DOS: you set hidden, read-only, system COMMAND.COM, CONFIG.SYS and AUTOEXEC.BAT and you were free to delete your wedding photos. (You do not have a backup of your wedding photos? Now you learned you should backup the photos from your next wedding.)

IMHO, to be useful, the restrictions should be set VERY, VERY scarcely. Not for 80% of commands.

Re: Get rid of permissions

Posted: Tue Oct 17, 2017 8:02 pm
by Heater
kaksi,
1) I am using DOS and command line under XP for 35 years.
That is not a counter argument. It does however tell us why you think the way you do.
2) If I except the commands ls and hostname, 80% of commands I type must be prefixed with sudo. The concept of security is gone, remains the annoyance.
How is that different from Windows 10 popping up dialogs all the time asking me to give permission to do this and that?
The same way: "You do not have the permission" results in a reflex: arrow up, prefix with sudo. (Unfortunately, it does not work over network.
No. Of course sudo works over the network.
3) On a campus with 300 terminals and 2,000 users, I would hesitate to give the shutdown permission to everyone. The situation is a little bit different in a company with 10 employees. And you will need to draw a very detailed picture to make me understand why I need to be superuser to shutdown my RPI.
Here is the detailed picture. My computers have thousands of potential users. Most of them I do not know. I like that the permission system keeps my web server out of my system when it is compromised by some hacker out there. Even if I restrict connectivity to my local LAN those permissions make me feel better.
IMHO, to be useful, the restrictions should be set VERY, VERY scarcely. Not for 80% of commands.
What on Earth are you doing that 80% of your commands are requiring root privilages?

The good news for you is that you can "get rid of permissions" and give yourself access to anything and everything all the time with one simple command:

Code: Select all

$ sudo chmod -R 777 /
Good luck.

Re: Get rid of permissions

Posted: Tue Oct 17, 2017 8:08 pm
by jamesh
If you are comparing Linux with DOS, there are a few things to think about.

DOS is a single user, originally non-networked system. Linux is and always has been a multiuser networked system. They have VERY different demands.

If you are using sudo on 80% of command you are doing something very very wrong . Probably 5% in my case, and I use linux all the time.

Linux is used for the majority of webservers worldwide (many 10's of millions of devices). If there was a problem with its security system that would have been noticed by now. It's also effectively based on Unix, which has been around longer than Microsoft, DOS and Windows have been in existence.

No idea how many times permission have prevented me from a disaster. I haven't had a disaster. Read in to that what you will.

Re: Get rid of permissions

Posted: Tue Oct 17, 2017 9:23 pm
by HawaiianPi
jamesh wrote:
Tue Oct 17, 2017 8:08 pm
If you are using sudo on 80% of command you are doing something very very wrong...
This ^

What are you doing that requires sudo so much? If I had to guess, I'd say using sudo too often (like when you didn't need it) and screwing up your permissions, so now you really have to use it. Learn how to use it properly and stop messing up your system.

And I use sudo "over network" via SSH with my headless PiZero, so again, you are doing something wrong.

You really need to take the time you use ranting and use it for something more practical, like reading a Linux tutorial or two, so that you can learn how to do things properly.

Re: Get rid of permissions

Posted: Tue Oct 17, 2017 10:51 pm
by jahboater
kaksi wrote:
Tue Oct 17, 2017 7:18 pm
2) If I except the commands ls and hostname, 80% of commands I type must be prefixed with sudo. The concept of security is gone, remains the annoyance.
Thats ridiculous. You have probably screwed up the system by running sudo (created lots of files owned by root - so you cant then access them without sudo).

I flash an SD card, boot the Pi, edit a few config files which of course need administrator privilege - sudo, then use the Pi for all sorts of things. Once a week I use sudo to install updates and occasionally to install new software. For normal use - sudo is never required.

Most people use Android (Linux) phones for years without "rooting" them, so why do you need root access 80% of the time??

Take some time to learn about multi-user operating systems, flash a new SD card, and stop using root.

Re: Get rid of permissions

Posted: Wed Oct 18, 2017 10:16 am
by jbudd
It's true that many Windows users quickly learn to click Yes without thinking when Windows pops up "Do you really want to do that?"
Many linux command line users too quickly learn to use the up arrow and insert sudo.

You can always dispense with sudo by enabling and logging in as root.
Then you will learn to think about your command before pressing Enter, surely a good thing. There is a big difference in the effect of the commands

Code: Select all

rm -rf ./junkfiles
and

Code: Select all

rm -rf . /junkfiles
The problems really start when someone else logs in to your computer as root.

Re: Get rid of permissions

Posted: Wed Oct 18, 2017 11:13 am
by RaTTuS
to run the previous command as sudo do

Code: Select all

sudo !!
mostly you should not be using sudo
if you have to do a few things then
sudo bash -l
if using putty and you find that up / down arrow do not give you the previous command then you may be logging into sh instead of bash
or you have a badly configured puttly session

Re: Get rid of permissions

Posted: Wed Oct 18, 2017 3:46 pm
by kaksi
Heater wrote:
Tue Oct 17, 2017 8:02 pm
How is that different from Windows 10 popping up dialogs all the time asking me to give permission to do this and that?
That is not a counter argument. :D
It does not cheer me up when things are worse elsewhere. I try to get inspired by where it is better.
Heater wrote:
Tue Oct 17, 2017 8:02 pm
My computers have thousands of potential users. Most of them I do not know. I like that the permission system keeps my web server out of my system when it is compromised by some hacker out there. Even if I restrict connectivity to my local LAN those permissions make me feel better.
I see about 3 categories of users:
- curious beginner
- experienced user who made an error
- top level pirate

Neither of those will be prevented to make damage.
Heater wrote:
Tue Oct 17, 2017 8:02 pm
What on Earth are you doing that 80% of your commands are requiring root privilages?
jamesh wrote:
Tue Oct 17, 2017 8:08 pm
If you are using sudo on 80% of command you are doing something very very wrong . Probably 5% in my case, and I use linux all the time.

I feel a little uncomfortable here, what I am doing is a bunch of hacks I picked here and there. But I post it anyway, thanks in advance for hints how to do it better.

Code: Select all

AUTOMOUNT USB STICK
===================
Step 1: Identify the devices ID:
	ls -l /dev/disk/by-uuid/
	The line will usually refer to sda, in this case AAAA-BBBB.

Step 2: Create a mount point:
	sudo mkdir /media/usb_1
	sudo chown -R pi:pi /media/usb_1

Step 3: Mount the drive (optional)
	sudo mount /dev/sda1 /media/usb_1 -o uid=pi,gid=pi

Step 4: Auto mount
	sudo nano /etc/fstab, add the line:
	UUID=AAAA-BBBB /media/usb_1 vfat auto,users,rw,uid=pi,gid=pi 0 0
--------------------------------------------------------------------------
MINIMIZE LOGS
=============
sudo nano /etc/systemd/journald.conf
change: #Storage=auto
to:     Storage=volatile
--------------------------------------------------------------------------
RUN A SCRIPT AFTER LOGIN (can be stopped with Ctrl-C)
=====================================================
mkdir /home/pi/cam
mkdir /home/pi/cam/jpg
sudo nano /etc/profile
Add to the end of the file:
	sudo python /home/pi/cam/PI_CAM.PY
--------------------------------------------------------------------------
RUN A SCRIPT AFTER LOGIN (can be stopped with killall WATCHDOG.PY)
==================================================================
sudo nano /etc/rc.local
Add before exit 0
	sudo python /home/pi/cam/WATCHDOG.PY &
CAUTION: there MUST be "&" at the end of the line
--------------------------------------------------------------------------
CAMERA LED
==========
sudo nano /boot/config.txt
disable_camera_led=1
--------------------------------------------------------------------------
That's what works so far. The next step is something like mv /home/pi/cam/jpg/*.JPG to_my_desktop when there is a connection. Once more sudo for arp-scan --localnet. It will probably need to edit configuration files: sudo cp, sudo nano.
Heater wrote:
Tue Oct 17, 2017 8:02 pm
The good news for you is that you can "get rid of permissions" and give yourself access to anything and everything all the time with one simple command:

Code: Select all

$ sudo chmod -R 777 /
Thanks, I will try it once before reinstalling pixel. (I am a little bit nervous doing such a big change.)
RaTTuS wrote:
Wed Oct 18, 2017 11:13 am
to run the previous command as sudo do

Code: Select all

sudo !!
I will do extensive use of that! BTW, I believe many a beginner would be thankful if someone found the time to compile such a list and place it as STICKY:. (Maybe it exists, but where?)

Re: Get rid of permissions

Posted: Wed Oct 18, 2017 5:20 pm
by W. H. Heydt
kaksi wrote:
Wed Oct 18, 2017 3:46 pm
I will do extensive use of that! BTW, I believe many a beginner would be thankful if someone found the time to compile such a list and place it as STICKY:. (Maybe it exists, but where?)
What I am concerned about in all this, and my guess is that I'm not alone, is that we will then get an endless flood of questions about why said beginners systems no longer work. In addition, as soon as they try to use a normally configured Linux system, they won't know what they are doing, despite the experiences they have had. Better to learn how the system is *supposed* to work when properly configured than to seek to dismantle all the normal protections and restrictions that were put there for good reasons. Trying to alter the world to conform to your own idiosyncracies rather that learning why it is the way it is and adjusting yourself to the world is a poor tactic....and not just with computer systems.

Re: Get rid of permissions

Posted: Thu Oct 19, 2017 7:10 am
by RaTTuS
RUN A SCRIPT AFTER LOGIN (can be stopped with Ctrl-C)
=====================================================
mkdir /home/pi/cam
mkdir /home/pi/cam/jpg
sudo nano /etc/profile
Add to the end of the file:
sudo python /home/pi/cam/PI_CAM.PY
--------------------------------------------------------------------------
RUN A SCRIPT AFTER LOGIN (can be stopped with killall WATCHDOG.PY)
==================================================================
sudo nano /etc/rc.local
Add before exit 0
sudo python /home/pi/cam/WATCHDOG.PY &
CAUTION: there MUST be "&" at the end of the line
--------------------------------------------------------------------------
this is a horrible way of doing things
you can get the system to auto log you in ,
you dont need to edit the global profile -
use the .bashrc file
running the WATCHGDOG script should only be needed as a normal user
this will make filers in the cam directory as by the user pi , so no need to use sudo to manipulate them

Re: Get rid of permissions

Posted: Thu Oct 19, 2017 11:36 am
by kaksi
RaTTuS wrote:
Thu Oct 19, 2017 7:10 am
this is a horrible way of doing things
I feared that and I see I was right to fear it. At least it works... The idea is:

PI_CAM.PY pilots the camera, on start, it reads in PI_CAM.INI when it should take photos, sleep, in which frequency and for which brightness it should delete the picture. If I modify this INI over network (which happens quite often: low frequency to focus it, high or very, very low frequency then), I restart the RPI (I could read the INI file periodically, but I still need a way to shutdown somehow the RPI). When I connect the keyboard/monitor for debuging, it is nice to operate it easily.

WATCHDOG (basicly):
if os.path.isfile (shut.h): sudo shutdown -h now
if os.path.isfile (shut.r): sudo shutdown -r now

The main (but not only) reason why these tasks are separated: if PY_CAM.PY hangs for some reason, I can correct it and still restart the RPI. I am quite annoyed it runs as root (in RPI2, it did not). Both write to the same LOG. Once, I turned the LOG on and RPI crashed. Because of permissions. One afternoon to figure out why.

There are uncountable posts asking how to run a command on power-on and I did not find one that lists and compares all the possibilities.

How would you call these programs?