How to run specific program with root privileges (Ubuntu OS) when no sudo user log into system?

How to run specific program with root privileges (Ubuntu OS) when no sudo user log into system?

How do I run a specific program with root privileges (Ubuntu OS) when no sudo user is logged into the system? The program needs root privileges to function correctly. A normal user shouldn't be able to shutdown this process. 
For example, I have two users, Admin and Client;
The program should start only when the client logs into the system. It needs root privileges and the Client shouldn't be able to shut this process down.

Solutions/Answers:

Answer 1:

There are a few ways to do this. Ubuntu’s graphical login is provided by GDM (or KDM if you’re using Kubuntu). GDM is started by the Upstart subsystem.

The startup process follows these steps:

  1. System boots. Upstart starts services, including GDM (/etc/init/gdm).
  2. GDM starts, initializes the X-server (/etc/gdm/Init/*), and presents the GUI login window.
  3. A user logs in.
    1. PAM authorization happens (/etc/pam.d/gdm)
    2. GDM runs PostLogin script (/etc/gdm/PostLogin/*).
    3. GDM runs PreSession script (/etc/gdm/PreSession/*).
    4. GDM runs Xsession and xinit scripts
      (/etc/gdm/Xsession, /etc/X11/xinit/xinitrc.d/*, /etc/X11/Xsession, /etc/X11/Xsession.d/*)
  4. The user’s desktop appears.

Where to run your script

Everything prior to XSession runs as root. /etc/gdm/Xsession and everything after runs as the user. This leaves you with three real options for where to run your script.

  1. Modify GDM/KDM’s PostLogin or PreSession scripts to run your program. The username is available in the USER or USERNAME environment variables.

  2. Use PAM to execute your script. PAM will set the authorizing user in the PAM_USER environment variable. Add this to /etc/pam.d/gdm to kick off your script:

    auth  required  pam_exec.so   /path/to/your/script
    
    • You might be able to use PAM to match a particular user (as in this answer), so the script would only run for that user and wouldn’t need to match users itself. I don’t have the PAM expertise to explain how to do that.
  3. Write an Upstart script to run your program. Your script would start at user login, so we look for the desktop-session-start signal emitted by GDM’s PreSession script.

    So an Upstart script would detect that signal as the run trigger:

    # start when GDM's PreSession script runs
    start on desktop-session-start
    

    The signal from PreSession doesn’t pass along the username, so you’d need to tweak the signal. In /etc/gdm/PreSession/Default, find the initctl line and change it to this. You could also use USERNAME in place of USER.

    # add USER variable so Upstart script can find it
    initctl -q emit desktop-session-start DISPLAY_MANAGER=gdm USER=$USER
    

    See the manpages for Upstart and its starting event for more details.


How to avoid the Admin user

Your script will need to examine the user/username in the environment variables it gets from one of these methods and use that to determine whether to abort or continue. Standard shell-scripting methods will work. Depending on which starting location you chose from the above list, the username may be available in the USER, USERNAME, or PAM_USER environment variables.

Answer 2:

You could use setuid, to always run the program as root. From a security point of view, this is probably a very, very bad idea. If one of your users managed to exploit the setuid program it will give them root access to the whole server

Our Awesome Tools

References

How do I save a “restore point” in Linux?

How do I save a “restore point” in Linux?

I have some program that I want to run but I am not sure if it is going to do anything malicious. I have an old ubuntu pc which I am using to run it. 
I know in Windows you have save a restore point where the registry and some other stuff (it's all mysterious to me) gets backed up and can be restored to later. 
Is there a similar concept in Linux? Can I bring my filesystem to where it was before I ran this program?

Solutions/Answers:

Answer 1:

If you have used LVM, and you have unallocated space then yes, you can do this. See the section in the HOWTO about Snapshots.

As an alternative you could also simply setup a Virtual machine and experiment in a virtual environment.

Answer 2:

First: If you are unsure about this program, don’t use it. It’s that simple.

Then: The concept you are looking for is called a “backup”. It’s the same with Windows: Restore points are not designed to prevent malicious activity and it’s normally not possible to recover from such an incident with a restore point.

(Edit: Yes, indeed, as Zoredache pointed out, an LVM install would work. Didn’t thought about that).

If you would run the Ubuntu instance in a virtual machine, you could make snapshots of the system. These would indeed bring your system back to a known state.

Answer 3:

One thing that comes into my mind is dd – But make sure you understand the topic by reading about it, BEFORE you use it.

On the other hand it might be helpfull to install VirtualBox. You can create a Virtual Machine and run the unknown program there. It’s unlikly, that a program is able to break out of the VM to do any harm to the host system.
If you plan to do this, then make sure that you do not mount any folders of the host system inside the virtual machine!

Answer 4:

Others have said it already, but I’ll say it again: if you suspect a program is malware, taking a Windows restore point won’t help much.

If you suspect the program may write to places where you don’t want it to write, what you need to back up is the places where it may write. A restore point would only back up the system configuration, but the malware could hide things in other places. The bare minimum you need to do to protect against such malware is to run it as a different user that does not have the permission to write anywhere except to some scratch space.

If you suspect the program may read your private data, you need to run it in such a way that it won’t be able to read your private data. A back up won’t help. Again, running the program as its own user will provide a little protection.

But if you want reasonable protection, you need a lot more isolation that this. Run the program inside a virtual machine that doesn’t have any network connection (and on which you aren’t storing any data, obviously). You can take a snapshot of the VM before you run the program, so you can later restore that snapshot and use the VM for other purposes.

Our Awesome Tools

References

How to keep a remote task running after running it in an SSH console? [duplicate]

How to keep a remote task running after running it in an SSH console? [duplicate]


Possible Duplicates:
How to keep program running after ssh disconnection.
How can I use ssh to run a command on a remote Unix machine and exit before the command completes? 

I am running a mongo server on a production machine. I access it via an ssh console. If I run the mongo server, it runs in the foreground. If I close the SSH window on my client, the mongo process dies on the server.
Even if I run it as "mongod &" in the background, it still dies if the connection is lost.
How do I run this daemon correctly so that it does not depend on an active SSH session?
edit: using ubuntu 10 console as the server

Solutions/Answers:

Answer 1:

When you close a shell out, it sends SIGHUP signal to all jobs that it’s spawned. By default, SIGHUP will terminate any process.

If you know you need to ‘keep it running’ when you spawn the process, you can use nohup to spawn your process. As a side effect, it will redirect stdout and stderr to a file nohup.out if these streams were pointing to the terminal. You may want to redirect these yourself if you don’t want this file.

You can also run it using setsid, which creates a new process group. Your shell will no longer send SIGHUP to it since it’s not in the shell’s process group.

If you’ve already started your program, and you happen to be running bash or zsh (very likely on Linux), you can use disown.

Either run the command with & to force background, or run it normally type Ctrl-Z to suspend it, then bg %1 (assuming it’s job #1) to take it out of suspension and run it as a background process. Then you type disown %1 to make bash/zsh forget about it.

disown is my usual method, I don’t need to remember to mess with output streams like nohup requires.

Answer 2:

Try using nohup mongod &. This will prevent the program from receiving SIGHUP signals which are sent when the shell exits (after the connection is lost). This is a standard shell builtin in all shells.

You could also use setsid mongod & which would disassociate the program from the terminal, so when the shell exits, a SIGHUP signal is not sent. (Other things happen as well, but this is the primary side-effect.) Setsid is not standard in all shells, but it is in bash on Ubuntu 10.

You could also start gnu-screen, which will keep the session running after the connection is lost, allowing you to reconnect and interact with the shell again. The state of the program will not change, it will continue running while disconnected.

Our Awesome Tools

References

How can I Install Linux on flash disk with NTFS filesystem?

How can I Install Linux on flash disk with NTFS filesystem?

I would like to install Linux (Ubuntu) on a Flash disk with NTFS partition and boot from flash disk, is it possible? 
If yes, how could I do this?

Solutions/Answers:

Answer 1:

I think unetbootin does the job (installing ubuntu live cd on flash disk). You will probably have to install Grub on it too.

NTFS doesn’t work very well with linux’s file permission, you need a filesystem container (usually squashfs correct me if I’m wrong) that has a linux fs inside of your NTFS partition.

Answer 2:

To install linux on a flash disk, I assume you want either How-To-Geek’s Create a Bootable Linux Flash Drive or Create a Persistent One. From experience I know linux doesn’t play very nice with NTFS, though it is possible. If memory serves, permissions on linux don’t apply right on NTFS yet. Hope that helps!

Answer 3:

Just download the iso, then, if you have a vm app, you can boot the iso. Otherwise just burn it to a cd or dvd, then boot to it. Click on try ubuntu, then click on dash home*. lookup start, then click on startup disk creater. Insert a flash drive to your computer, and give the flash drive control to the vm, if using one. Then hoose how much space you want to give to the flash drive for storing your files and settings. Or you can mae it so they will be deleted once you shut down. Then click create. Wait for it to finish. Once finished, shut down your computer/vm and once you boot up your flash drive, it will go to ubuntu. Then you can click try ubuntu again.

*This is for version 12.04 LTS Desktop.

Answer 4:

You should be able to use the Ubuntu Windows Installer to install Ubuntu to a filesystem in a file on top of NTFS, however you will likely have to install grub manually and configure it to use the filesystem file. UWI uses Wubi, so there is probably more informaiton out there.

Our Awesome Tools

References

How do I grep help output in linux?

How do I grep help output in linux?

When I use a switch that doesn't exist in commands such as lsof and ps there is a lengthy help menu that is returned. Instead of reading the whole thing I'd like to be able to grep it for the switch I'm looking for. I would rather not use two commands.
This is what I get when I try to grep:
ubuntu@ubuntu:~$ lsof -h | grep "\-U"
lsof 4.81
 latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
 latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
 latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
 usage: [-?abhlnNoOPRtUvVX] [+|-c c] [+|-d s] [+D D] [+|-f[gG]]
 [-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+m [m]] [+|-M] [-o [o]] [-p s]
[+|-r [t]] [-s [p:s]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names]
Defaults in parentheses; comma-separated set (s) items; dash-separated ranges.
  -?|-h list help          -a AND selections (OR)     -b avoid kernel blocks
  -c c  cmd c ^c /c/[bix]  +c w  COMMAND width (9)     
  +d s  dir s files        -d s  select by FD set     +D D  dir D tree *SLOW?*
                           -i select IPv[46] files    -l list UID numbers
  -n no host names         -N select NFS files        -o list file offset
  -O avoid overhead *RISK  -P no port names           -R list paRent PID
  -s list file size        -t terse listing           -T disable TCP/TPI info
  -U select Unix socket    -v list version info       -V verbose search
  +|-w  Warnings (+)       -X skip TCP&UDP* files     -- end option scan
  +f|-f  +filesystem or -file names     +|-f[gG] flaGs 
  -F [f] select fields; -F? for help  
  +|-L [l] list (+) suppress (-) link counts < l (0 = all; default = 0)
                                        +m [m] use|create mount supplement
  +|-M   portMap registration (-)       -o o   o 0t offset digits (8)
  -p s   exclude(^)|select PIDs         -S [t] t second stat timeout (15)
  -T qs TCP/TPI Q,St (s) info
  -g [s] exclude(^)|select and print process group IDs
  -i i   select by IPv[46] address: [46][proto][@host|addr][:svc_list|port_list]
  +|-r [t[m]] repeat every t seconds (15);  + until no files, - forever.
       An optional suffix to t is m; m must separate t from  and
       is an strftime(3) format for the marker line.
  -s p:s  exclude(^)|select protocol (p = TCP|UDP) states by name(s).
  -u s   exclude(^)|select login|UID set s
  -x [fl] cross over +d|+D File systems or symbolic Links
  names  select named files or files on named file systems
Anyone can list all files; /dev warnings disabled; kernel ID check disabled.

Solutions/Answers:

Answer 1:

Your grep does not work because the help output is, most of the time, flushed on the standard error output (stderr).

This stream has the file descriptor 2 instead of 1, and the pipe command redirects the file descriptor 1. A way to solve this is to redirect error output to standard output:

lsof -h 2>&1 | grep "\-U"

Our Awesome Tools

References

Music organization into folders for Linux(Ubuntu/Debian)? [closed]

Music organization into folders for Linux(Ubuntu/Debian)? [closed]

I have a few folders with randomly assorted music files.  I'm looking for a tool or utility that can read the ID3 tags, and then build and populate a folder structure in the format:
some dir/Artist/songs*
I've used MediaMonkey on Windows, but not sure what to use for Linux.

Solutions/Answers:

Answer 1:

Picard Musicbrainz is a good program for what you need.
You can use it on Linux as well as Windows.

Answer 2:

check out SortTv, its designed for sorting downloaded TV shows, but it also works for music

I use it in Ubuntu.

Our Awesome Tools

References

Surfing remote from another computer

Surfing remote from another computer

My University doesn't let me browse their article database if I am not behind their firewall. But I want to read some papers while not at home. So I want to find some way of remote browsing.
My laptop is a Mac and I plan to have this with me when I am on holidays. My ordinary computer which is stationed in my apartment, and from which I can access the database of my University, is running Ubuntu.
Suggestions?

Solutions/Answers:

Answer 1:

Now since your desktop is also behind a firewall you won’t be able to ssh or rdp into it from the outside (since they propably won’t setup the nat for you)…

what you can try is using a free vpn service like LogMeIn-hamachi
This service is free and works in a way that both your desktop and laptop would connect to a logmein server and the server would then link you up.

This way you can connect to your desktop by entering the ip that logmein gave to you.

Now what you want to do to get connected to it might require you to also run ubuntu on your laptop since I don’t know if mac supports this.

You need to setup an ssh server on your desktop by installing openssh-server

In console: [aptitude install openssh-server]

Then on your laptop you can connect to your desktop’s ssh server and use it as a proxy…

In console: [ssh -D 8080 logmeinip] (replace logmeinip with the ip that your desktop has on logmein)

Then you need to set your browser proxy to localhost or 127.0.0.1 on port 8080 (also do this for local ip’s)

Ans now you should be able to browse the database without limitation.

Answer 2:

Can you ssh into the university server? If so, then you should be able to set up an ssh tunnel:

ssh -N -p 22 will@fakename.org -L 2025/localhost/25

Here’s a breakdown of the command:

  • ssh – the actual SSH command

  • -N tells SSH we don’t want to execute a remote command. Not terribly
    necessary, but makes it safer.

  • will@fakemachine.org – account and SSH host info. user name will at server fakemachine.org

  • -L 2110/localhost/110 This one creates the tunnel. It tells SSH to forward traffic from port 2110 on the local machine to port 110 on the remote machine.

After running the command, you can set your web browser’s proxy settings with (in this case):

  • host: localhost
  • port: 2025

Our Awesome Tools

References

Small font all ‘new’ messages suddenly in Gmail on Ubuntu in Opera, why?

Small font all ‘new’ messages suddenly in Gmail on Ubuntu in Opera, why?

This seemed to happen out of the blue.
I have been using Opera for years.
I can't find anywhere in Gmail to change the default font that is used in Opera.
Ubuntu is Version 11
Opera is version 11.6
In Firefox the font is normal size.
I have tried playing around with both all the browser setting I can find plus Ubuntu system settings (I had seen some mentions of Opera using the system default font sometimes) but no success so far.
Really bumming as I have been using Opera for two years and if I can't resolve it I will not be able to use it.
I can switch to Firefox but I don't want to.

Solutions/Answers:

Answer 1:

It looks like it’s a bug in Opera 11.6+: http://my.opera.com/community/forums/topic.dml?id=1157352&t=1323469056&page=1#comment10836852

I’m zooming the web page when writing emails now (and zooming out when done). Works quite nice (and you get the editor ~fullscreen 🙂

[Note from michael: Accepted this as it “answers” the question, but also see workaround below!]

Answer 2:

This comment provides a style-sheet fix:

  1. Create a file containing this: .LW-avf {font-size: small !important;}

  2. Save this file as gmail.user.css into the Opera folder /usr/share/opera/styles/

  3. Log in to your Gmail account. RIGHT click on any empty space and select “Edit Site Preferences”. Select the “Display” tab. Go to “My
    style sheet” textbox and browse for the gmail.user.css file.

Then reload the page.

Answer 3:

According to this Gmail support discussion the cause of this problem is that Opera used to have the font too large in gmail, for which Google created an Opera-specific fix.

In 11.60, Opera fixed their bug, but Google has yet to remove their fix, so that the now too small text returns back to its normal size.

Our Awesome Tools

References

How do I create a superuser from the command line in Ubuntu? [duplicate]

How do I create a superuser from the command line in Ubuntu? [duplicate]


Possible Duplicate:
How to create a admin user on ubuntu 

How can I create a superuser in Ubuntu 11.10? I need to create it using the command line.
Either we could change a normal user to become a superuser, or we could create a superuser right away.

Solutions/Answers:

Answer 1:

You can create a new user simply using the adduser(8) command.

To make it a user capable of performing sudo, add him to the sudo group using either of the following commands:

sudo usermod -a -G sudo <username>
sudo adduser <username> sudo

This works because the sudo group is predefined in /etc/sudoers. Note though that older versions of Ubuntu will use admin as group instead:

Until Ubuntu 11.10, the Unix group for administrators with root privileges through sudo had been admin. Starting with Ubuntu 12.04 LTS, it is now sudo, for compatibility with Debian and sudo itself. However, for backwards compatibility, admin group members are still recognized as administrators

For any other customization, refer to the Sudoers documentation.

Our Awesome Tools

References

Forgot passphrase for encrypted USB drive

Forgot passphrase for encrypted USB drive

I accidentally set a passphrase on my USB drive using Ubuntu Disk Utility and I don't remember it. I tried formatting the USB drive, but it doesn't allow it.
I've tried to do it in both Ubuntu and Windows. What should I do?

Solutions/Answers:

Answer 1:

Try to call up the Disk Utility again on the same computer which you used to encrypt the external disk. If you have used the “Remember forever” option the passphrase will still be there:

image1

If this doesn’t work and you absolutely don’t remember the passphrase, the contents of the disk are lost since they were encrypted using this passphrase. Your only remaining option is then to use the Disk Utility to format the volume again to remove the encryption, therefore losing all data (but at least regaining an empty and usable disk).

image2

Answer 2:

Assuming your data is gone and lost, I would format the drive using dd

sudo dd if=/dev/zero of=/dev/USB_DEVICE

changing USB_DEVICE to the correct one (on my ubuntu, the only pen drive plugged is said to be /dev/sdb)

mind not to type numbers after the device, because that will only erase the single partition, while you probably want to have at out-of-factory status

Answer 3:

You should be able to completly format the USB drive with GNU parted from the Ubuntu system. If you are not sure which /dev the drive gets assigned just keep an eye on /var/log/messages when plugging it using sudo tail -f /var/log/messages. A message will appear there when you plug the drive so you can identify it in order to format it with parted.

Then format the partition with /sbin/mkfs -t ext3 /dev/sdc1 (if you want ext3 of course) . Perhaps this step is the only real necessary.

Our Awesome Tools

References