Computer Laboratory

Gaining privilege: sudo, xsudo, cl-asuser

Users cannot login as root to install software, and hence will not have write access to the directories into which a package typically wants to put the files. There are various ways in which a user can temporarily be given the right to run certain commands, including those used to install software.

The main way in general to gain privilege is to use the sudo command. This allows a permitted user to execute a few or ALL commands as the superuser or another user, as specified in the file /etc/sudoers. Typically, there will be a small number of commands that you can run on a given machine without giving a password — you can find out which with the "sudo -l" command:

User ab123 may run the following commands on this host:
    (ALL) ALL
    (root) NOPASSWD: /usr/bin/cl-asuser
    (root) NOPASSWD: /usr/bin/cl-mkscratchdir
    (root) NOPASSWD: /usr/bin/mkscratchdir

Any application which tries to open a window under X which is run as root cannot ordinarily connect to the X server because access to the users .Xauthority file is denied to root over NFS. In this case, use xsudo, which is a wrapper to sudo which ensures that the X window can be opened.

The output of "sudo -l" above shows that a user can typically run a number of commands without having to give a password (those shown with "NOPASSWD"). Among these commands for the registered user of a machine (the owner of the file /etc/user-config/bundles) will be the command cl-asuser — this allows the registered user to run a number of other "safe" commands with raised privileges. If a command is available under cl-user, it's generally better to use it rather than sudo, as it avoids having to type your password, and it may perform certain sanity checks. Type "cl-asuser --list" to see the available commands, for example

/usr/bin/cl-asuser: valid commands are:
 apt-get         aptitude        aticonfig       blkid           cdrecord
 cfdisk          chkconfig       chmod           chown           chroot
 cl-add-rpms     cl-hostid-fix   cl-isidle       cl-make-ownfiles
 cl-mkscratchdir cl-patch-file   cl-update-authorized-keys
 cl-update-system                cl-writedvdimage                dd
 debuginfo-install               dellmgr         dhclient
 dpkg-reconfigure                eject           envyng          ethtool
 ext2online      fdisk           fix.files       fsck            gdmsetup
 gparted         hdparm          ifconfig        invoke-rc.d     ip6tables
 ipmitool        ipt_recent      iptables        iwconfig        k3b
 list            lvm             mdadm           mdadm-E         mkdir
 mkfs            mknod           mkswap          modprobe        mount
 nspluginwrapper ntpdate         nvidia-xconfig  parted          partprobe
 passwd          pirut           pm-hibernate    pm-suspend
 pm-suspend-hybrid               pup             reiserfsck      repo-able
 resize2fs       restorecon      rm              rpm             semanage
 semodule        sensors         sensors-detect  service         setenforce
 setup-rc.d      sfdisk          shutdown        smartctl        ssh-wrong-host
 swapoff         swapon          system-config-display
 system-config-keyboard          system-config-language
 system-config-lvm               system-config-securitylevel
 system-config-soundcard         tune2fs         tw_cli          ufw
 umount          usermod         virsh           virt-install    virt-manager
 wifi-radar      xenguest-install                xenmon.py       xm
 yum             yum-complete-transaction        yumex

Note in particular the presence of the yum and apt-get commands in that list. cl-asuser imposes some restrictions on the arguments which can be passed to certain commands, protecting users from doing too much damage in some instances.