Thursday, November 26, 2009

sudo without password

"Sudo" is a great security enhancement: Instead of having an active root account that could possibly be exploited, even remotely, and another password that could be forgotten, sudo lets you run specific commands with root privileges. There's a lot more to it, so I highly recommend you read the man pages for sudo, sudo_root and sudoers.

On some systems, under certain circumstances, a tradeoff between security and convenience can be made by lowering security a little to raise convenience a bit - by allowing sudo usage for specific users without requiring a password. For example, on a secure server without passwords (accessed only through SSH with pubkey authentication), sudo without password is an interesting option.

The normal way to set it up would be to edit the sudo configuration file /etc/sudoers using the visudo command (which would be run with sudo: sudo visudo). There's already an uncommented section which would allow members of the group "sudo" to not need a password, but it's overridden by the later entry which lets members of the "admin" group gain root privileges, so it needs to be added at the very end of this file.

Using visudo to edit /etc/sudoers is recommended because it properly locks the file to prevent simultaneous edits and does basic sanity checking (a corrupt sudoers file could prevent you from gaining root privileges and lock you out of your system if the root account is locked - as it should be). However, I prefer to enable sudo without password by running a one-liner command:

sudo sed -i~ '$a\\n%sudo ALL=NOPASSWD: ALL' /etc/sudoers

This command appends "%sudo ALL=NOPASSWD: ALL" to the end of /etc/sudoers - which you would otherwise have to do manually.

Now all members of the group "sudo" will be able to use sudo without a password. By default, the "sudo" group is empty, so you'll want to at least add yourself to this group:

sudo adduser "$USER" sudo

Another possibility would be to use the "admin" group instead of the group "sudo" - then the one-liner would look like this:

sudo sed -i~ 's/%admin ALL=(ALL) ALL/%admin ALL=NOPASSWD: ALL/' /etc/sudoers

Since you're already part of the "admin" group, that's the only command you'd need to run.
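
A more cautious form of the append one-liner, as an added example that is not part of the original post: it stages the change in a copy, runs visudo's syntax check on the copy, and only then replaces the file. The function name and the SUDOERS_CHECK variable are hypothetical.

```shell
# Added example: append a rule to a sudoers file only if the edited copy
# passes a syntax check. SUDOERS_CHECK is a hypothetical override for the
# validator command (default: the real "visudo -cf").
append_sudoers_rule() {
    target=$1
    rule=$2
    check=${SUDOERS_CHECK:-visudo -cf}

    # Later entries override earlier ones, so the rule only counts as
    # "already set" when it is the last non-blank line of the file.
    last=$(grep -v '^[[:space:]]*$' "$target" | tail -n 1)
    if [ "$last" = "$rule" ]; then
        return 0
    fi

    # Stage the edit in a temp file in the same directory (mv stays atomic).
    tmp=$(mktemp "$target.XXXXXX") || return 1
    { cat "$target"; printf '\n%s\n' "$rule"; } > "$tmp" \
        && chmod 0440 "$tmp" \
        || { rm -f "$tmp"; return 1; }

    # Refuse to install a file that sudo would fail to parse.
    if ! $check "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"
        return 2
    fi

    # Keep a backup like sed -i~ does, then swap the new file into place.
    cp -pf "$target" "$target~" && mv -f "$tmp" "$target"
}

# Usage (as root): append_sudoers_rule /etc/sudoers '%sudo ALL=NOPASSWD: ALL'
```

A return code of 2 means the syntax check rejected the staged copy and the original file was left untouched.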

Thursday, November 19, 2009

Remove Old Kernels

When Ubuntu upgrades the kernel, a new version is installed alongside the old one. At the grub boot prompt, you can select which kernel to use.

That's great if for some reason a new kernel doesn't work as well as an old one, but there's not much use for keeping old kernels around forever. Since Ubuntu doesn't yet automatically offer obsolete kernels for uninstallation, I wrote a one-liner to remove old kernels:

sudo apt-get remove --purge `dpkg --get-selections 'linux-*.*' | awk '$2 == "install" { print $1 }' | grep -v "$(uname -r | sed 's/\(.*\)-.*/\1/')"`

Since Linux kernels can take up a lot of disk space, you should regularly clean up your system to free space by manually running the one-liner after upgrading your kernel and rebooting. Make sure that you have rebooted into your new kernel once a kernel upgrade has been installed; otherwise you'd remove the new kernel instead of the old one, which most likely isn't what you want.
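
The reboot caveat can be built into the filter. The following added example (not the author's one-liner) keeps the newest installed kernel as well as the running one, so running it before rebooting no longer selects the new kernel. The function name is hypothetical and GNU sort -V is assumed.

```shell
# Added example: list kernel packages that are safe to remove, keeping both
# the running kernel and the newest installed one.
# Reads package names on stdin; $1 is the output of `uname -r`.
# Assumes GNU sort (-V, version sort).
removable_kernel_pkgs() {
    # Same transformation as the one-liner: 2.6.31-15-generic -> 2.6.31-15
    running=$(printf '%s\n' "$1" | sed 's/\(.*\)-.*/\1/')
    pkgs=$(cat)

    # Extract the version from each name, e.g.
    # linux-image-2.6.31-14-generic -> 2.6.31-14, and pick the highest.
    newest=$(printf '%s\n' "$pkgs" \
        | sed -n 's/^linux-[a-z-]*-\([0-9][0-9.]*-[0-9][0-9]*\).*/\1/p' \
        | sort -V | tail -n 1)

    # -F: treat the versions as fixed strings, not regexes.
    # If no version could be parsed, $newest is empty, matches every line
    # and nothing is listed.
    printf '%s\n' "$pkgs" | grep -vF -e "$running" -e "$newest" || true
}

# Usage:
#   dpkg --get-selections 'linux-*.*' | awk '$2 == "install" { print $1 }' \
#       | removable_kernel_pkgs "$(uname -r)"
```

Review the printed list before passing it to apt-get remove --purge.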

Wednesday, November 18, 2009

Ubuntu Shell Tweaks

I already told you that my favorite operating system is Ubuntu. I run it on my laptop, I run it on my desktop, and I run it on most of the servers I administer.

Since I spend most of my working hours in a terminal, staring at the shell, I need a comfortable environment. Thankfully, Ubuntu ships with bash-completion enabled, which makes Tab completion truly awesome. (If it's not enabled for you, make sure that the package bash-completion is installed and /etc/bash_completion is sourced in your ~/.bashrc.)


Here's a couple of other highly recommended tweaks to improve your shell usage:

Colored Shell Prompt:

Unfortunately a colored prompt isn't turned on by default, but fortunately it's easily activated by uncommenting force_color_prompt=yes in ~/.bashrc. Although it's claimed that "the focus in a terminal window should be on the output of commands, not on the prompt", with which I generally agree, I think the best way to focus on the output is by clearly differentiating it from the prompt.

Here's a one-liner which enables the color prompt:

sed -ri~ '/#(force_color_prompt|if|    |fi|alias .?grep)/s/#//' ~/.bashrc

Custom Bash Aliases:

When working within a shell, the most common commands tend to be changing directories and listing directory contents. And when operating on files or directories with potentially dangerous commands, you normally don't get asked "Are you sure?" by default.

That's why I always add some custom aliases to make working with the shell easier and safer. The above command which enabled a color prompt also ensures that an existing alias definition file will be used (since previous versions of Ubuntu sadly had the source command commented out).

You can simply create such a file and save it as ~/.bash_aliases. Here's what mine contains as a minimum:

# some more ls aliases
alias l='ls -CF'
alias la='ls -Al'
alias ll='ls -l'
alias c='clear'
alias cla='c;la'
alias cll='c;ll'
alias cls='c;ls'

# Some more aliases to avoid making mistakes:
alias cp='cp -i'
alias ln='ln -i'
alias mv='mv -i'
alias rm='rm -i'

As you can see, aliases are a great way to create shortcuts for common commands (and command combinations) or to set new default options.

I like to create aliases for ssh connections, e.g. alias servername='ssh servername', so I only have to type a server's name to securely connect to it. (You could also add server-specific options, for instance which username or port to use, but that is better specified in ~/.ssh/config.)

Tuesday, November 17, 2009

My current workplace

As a professional system and network administrator, I spend most of my working hours in front of a computer screen, or three:


So that's where I work. And this is where I live:

Boring, huh? Not a bit! All I see now is blondes, brunettes, redheads... ;-)

Seriously, though, I only use three or four (GUI) programs most of the time: Firefox (my favorite web browser), Kate (my favorite text editor), Konsole (my favorite terminal emulator), and Pidgin (my messenger).

And if you didn't guess it already, my favorite operating system is Ubuntu!

Sunday, November 15, 2009

About my blog

This is my new blog. It's a personal blog, first and foremost, but it may also contain information that's at least of some interest to a certain audience. Well, hopefully.

So the first question is, what am I going to write about? Since that will determine who the audience might be. Other than me, of course.

Yes, I'm going to use the blog for notes and reminders for myself, too. I'll also document my research and progress regarding the varied interests that I have. Topics will probably change regularly, just like my focus changes among my various interests.

Another important factor influencing the possible audience is the choice of language. As a German, blogging in German would be obvious, but it would likely limit my audience to a national one. Choosing English instead, I can address an international audience, so that's why I'll (mainly) post in English.

Right now I don't have a fixed schedule for this blog, so I'll just post whenever I have something I consider worth sharing. I strive to keep quality above quantity. This also applies to comments, so I won't tolerate any kind of nonsense that could distract from the actual topics.

That said, I certainly value constructive criticism and am looking forward to getting new and interesting input from anyone who cares to comment. If and when I post something of use to you, let me know, and I'll see if there's more like it I can share. And if you have something interesting to share, let me know as well, and I'll mention it here.

Well, enough for now, that's my introduction to this new blog. We'll see how and where it goes. Thanks for reading, now stay tuned, more is soon to come.

See ya!
-- Stefan Daniel Schwarz

Friday, November 13, 2009

Hello World!

Welcome to my new weblog. This is my first post. Merry Meet!