May 16, 2010

Allow Normal User to su Without Password

Every Unix and Linux system ships with its own default policies. Usually these do not match the local policies, such as which users are allowed what kind of access to which resources and when. In addition, security policies may require non-default authentication and/or logging.

A system administrator must examine the system’s configuration files and update them if necessary to enforce local policies. On modern systems PAM (Pluggable Authentication Modules) can be used to configure a wide range of security policies, including which databases to use to authenticate users, minimum password length, max login attempts, special permissions for console users (to various commands and devices), and many other policies.

wheel group policy

The wheel group lets us define several system administrators, none of whom needs the root password. The group wheel was first used this way in Unix systems, but with PAM any system can enable this handy feature. With the proper PAM configuration, any member of the wheel group can become root with the su command without supplying a password.

Step by step:
1) Create a user who will act as a trusted user and assign a password to that user.

# useradd master
# passwd master

2) Add this user to the wheel group's member list.

# usermod -a -G wheel master
or
# usermod -G wheel master

The -a flag appends wheel to the user's existing supplementary groups; without it, -G replaces the user's supplementary group list with wheel alone.

3) Edit the PAM configuration file for su, /etc/pam.d/su, and uncomment the line

auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid

This marks members of the wheel group as trusted users.

4) Now log in as user master and run the command

$ su -

The master user can now su to root without supplying a password.
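An audit check for the policy configured above, added here as an example and not part of the original post: it reads a PAM su configuration file and reports whether wheel members can su without a password. The function name and the sample configuration are constructed for this example.

```shell
# Added example (not from the original post): audit a /etc/pam.d/su file and
# report the wheel policy it enforces. Prints one of:
#   trust     active pam_wheel line with 'trust' (wheel members su without password)
#   restrict  active pam_wheel line without 'trust' (only wheel may su, password asked)
#   none      no active pam_wheel line at all
pam_wheel_policy() {
    file="$1"
    # Only uncommented 'auth' lines that load pam_wheel.so count; '#auth' is skipped.
    active=$(grep -E '^[[:space:]]*auth[[:space:]]' "$file" | grep 'pam_wheel\.so' || true)
    if [ -z "$active" ]; then
        echo none
    elif printf '%s\n' "$active" | grep -qw trust; then
        echo trust
    else
        echo restrict
    fi
}

# Constructed sample mirroring the post's configuration (not a real system file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
auth            sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            include         system-auth
EOF
pam_wheel_policy "$sample"   # prints: trust
rm -f "$sample"
```

Run it against the real /etc/pam.d/su on each host to confirm that the trust line is present only where the local policy allows it.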

Auto Logout In Linux

Almost everyone is forgetful and tends to leave a Linux/Unix login session open without logging out. So, how do we make sure all Linux systems automatically log out users after they have been idle for a certain number of minutes?

In fact, the simplest way is to configure the TMOUT shell variable!
i.e
export TMOUT=60

This export command immediately makes the login shell log the user out automatically once the session has been idle for 60 seconds (1 minute).

Note: The TMOUT environment variable applies to command-line console login sessions only. For X Window or GUI logins, we can simply turn on an auto-lock screen saver, which works much like the one in Windows.

To apply TMOUT to all Linux login accounts, put that export command in the login script or login profile (.bash_profile or .profile) in each user's home directory. The easiest way, however, is to write the export command in the system profile instead of each user's profile: that is, append export TMOUT=60 to /etc/profile (the system profile).

To disable the Linux auto-logout feature, just set TMOUT to zero,
i.e.
export TMOUT=0

Sulogin for Single User Mode

By default on Red Hat Linux, a user can enter single-user mode simply by typing “linux single” at the GRUB boot-editing menu. Some believe this is left in to ease support of users with lost root passwords.

In any case, it represents a clear security risk: authentication should always be required for root-level access. It should be noted that it is extremely difficult to prevent compromise by any attacker who has knowledge, tools, and full physical access to a system. This kind of measure simply increases the difficulty of compromise by requiring more of each of these factors. These last two items have attempted to address concerns of physical/boot security.

To make these preparations more complete, one should consider setting the BIOS to boot only from the main hard disk and locking this setting with a BIOS password.

To require authentication for single-user mode, edit /etc/inittab and add the following line below the initdefault entry (inittab entries take the form id:runlevels:action:process, so the initdefault line ends with a colon).

id:3:initdefault:
~~:S:wait:/sbin/sulogin

This prevents entering single-user mode without authenticating as root.

Set up proxy settings on a text-based Linux machine

In the typical small-office scenario, internet access goes through a proxy, and then the Linux command-line utilities that need internet access, such as wget, curl, yum and apt-get, do not work. The questions that come up are:

How to install packages through a proxy with yum?
How to install packages through a proxy with apt-get?
How to download a file from the command line with wget?

All these utilities depend on the shell variables http_proxy and ftp_proxy to work through a proxy.

So, to use a proxy server to access http/https from a Linux machine on the CLI, set the environment variable http_proxy. wget, Python's urllib module, and other applications (yum, apt-get, etc.) read this variable and access http/https using the settings it holds.

The ideal way to assign a value to the http_proxy variable is:

$ export http_proxy="http://ipaddress:port"

In the same way, use the ftp_proxy variable for ftp access:

$ export ftp_proxy="http://ipaddress:port"

Add these two lines to ~/.bashrc so that the variables are exported every time the user logs in to the machine.

Argument list too long

Suppose there are 1,30,000 files to move from one directory to another. What will happen?

# mv *.txt test

Oh!! There is an error:

mv: Argument list too long.

What to do? The simple answer is to use the find command:

# find . -maxdepth 1 -name '*.txt' -exec mv '{}' test \;

Here,

. : defines the search directory
-maxdepth : controls how deep into subdirectories find will recurse. With -maxdepth 1 it disables recursive search and looks only in the current directory.
-name : pattern to search for
-exec : applies a command to the set of files that has been found
{} : inserts each found file into the command given after -exec
\; : marks the end of the -exec command line

The above example searches for *.txt files in the current directory and moves them to the test directory.
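The same move done with find, as an added example that is not part of the original post. It goes one step beyond the text: the -exec ... {} + form hands find's results to mv in batches sized below the kernel's ARG_MAX, which is far faster than spawning one mv per file, and the sh -c wrapper keeps it working without GNU's mv -t. Function names and the 2000-file demo directory are constructed for this example.

```shell
# Added example (not from the original post). Moves *.txt files from one
# directory into another via find, so the shell never expands the glob into
# one oversized argument list. '-exec ... {} +' batches the file names instead
# of running mv once per file as the post's '\;' form does.
move_txt() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    # $0 receives "$dst" and "$@" the batch of files, so mv sees: mv f1 f2 ... dst
    find "$src" -maxdepth 1 -name '*.txt' -type f \
        -exec sh -c 'mv "$@" "$0"' "$dst" {} +
}

# Count regular files directly inside a directory (used to verify the move).
count_files() {
    find "$1" -maxdepth 1 -type f | wc -l | tr -d ' '
}

# The limit that 'mv *.txt test' ran into: total bytes allowed for argv+envp.
arg_max() {
    getconf ARG_MAX
}

# Constructed demo: 2000 small files (well under ARG_MAX, same mechanics).
demo() {
    work=$(mktemp -d)
    mkdir "$work/src"
    i=0
    while [ "$i" -lt 2000 ]; do
        : > "$work/src/file$i.txt"
        i=$((i + 1))
    done
    : > "$work/src/keep.log"          # not a .txt file; must stay behind
    move_txt "$work/src" "$work/test"
    moved=$(count_files "$work/test")
    left=$(count_files "$work/src")
    rm -rf "$work"
    echo "$moved $left"               # prints: 2000 1
}
```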

bad interpreter no such file

Sometimes a shell script in Linux gives an error like:

bash: ./t1.sh: /bin/sh^M: bad interpreter: No such file or directory

This happens whenever files are transferred from a Windows machine to a Linux machine over the network. The reason is that different operating systems use different line-ending characters. Have a look at the table below.

OS                    Line end   Character(s)
UNIX/Linux            LF         '\n'
DOS                   CRLF       '\r' and '\n'
MAC (classic Mac OS)  CR only    '\r'

CR (Carriage Return): return cursor to left margin, (Ctrl-M(^M) or hex 0D) 
LF (Linefeed): move cursor down, (Ctrl-J(^J) or hex 0A)

A combination of the cat and sed commands can easily solve this issue.

Example:

1. Create a simple shell script with a (Ctrl+M) character at the end of each line. Download the example code from here and save it as bad_int.sh.

#!/bin/sh^M$
^M$
ls -l^M$

2. Make the script bad_int.sh executable and run it from the shell.

$ chmod +x bad_int.sh
$ ./bad_int.sh
bash: ./bad_int.sh: /bin/sh^M: bad interpreter: No such file or directory
$

3. Use the cat and cat -A commands to see the difference in the file contents.

$ cat bad_int.sh
#!/bin/sh

ls -l
$ cat -A bad_int.sh
#!/bin/sh^M$
^M$
ls -l^M$
$

Note: the -A argument of the cat command displays non-printable characters.

4. Finally, remove every occurrence of the (^M) character from the script using the combination of cat and sed, redirect the output to bad_int_solved.sh, make bad_int_solved.sh executable and run it from the shell.

$ cat -A bad_int.sh | sed -e 's/\^M\$//g' > bad_int_solved.sh 
$ chmod +x bad_int_solved.sh 
$ ./bad_int_solved.sh 
total 12
-rwxr-xr-x 1 jaymin jaymin 20 Sep 11 14:00 bad_int.sh
-rwxr-xr-x 1 jaymin jaymin 17 Sep 11 14:35 bad_int_solved.sh
-rw-r--r-- 1 jaymin jaymin 19 Sep 11 13:37 so.sh
$

Don't be confused by the $ character in the cat -A output: it marks the end of each line, i.e. the Unix/Linux LF.
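A detection-and-repair routine for the same problem, added here as an example and not part of the original post. It avoids piping through cat -A, which also rewrites tabs (^I) and any other non-printable byte into visible text and leaves a literal $ on any line that had no ^M, and instead deletes the CR byte itself with tr. Function names and the constructed CRLF script are assumptions of this example.

```shell
# Added example (not from the original post). Detects CRLF line endings in a
# script and writes an LF-only copy, using only tr/grep/head/sed so it works
# where dos2unix is not installed.
has_crlf() {
    # Exit 0 if the file contains any carriage-return byte (0x0D).
    grep -q "$(printf '\r')" "$1"
}

strip_cr() {
    # Write an LF-only copy of $1 to $2 and keep it executable.
    tr -d '\r' < "$1" > "$2"
    chmod +x "$2"
}

shebang_of() {
    # The interpreter named on line 1, exactly as the kernel will look it up;
    # a trailing CR is kept, which is why "/bin/sh^M" cannot be found.
    head -n 1 "$1" | sed 's/^#!//'
}

demo() {
    bad=$(mktemp); fixed=$(mktemp)
    # Constructed CRLF script, equivalent to the post's bad_int.sh.
    printf '#!/bin/sh\r\n\r\nls -l\r\n' > "$bad"
    has_crlf "$bad" && echo "before: CRLF present"
    strip_cr "$bad" "$fixed"
    has_crlf "$fixed" || echo "after: LF only"
    shebang_of "$fixed"       # prints: /bin/sh
    rm -f "$bad" "$fixed"
}
```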