Re: How to gain control over the system?

[tomas]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Sun, Jul 16, 2017 at 09:42:46AM -0400, RavenLX wrote:

[...]

> I use a laptop but I've never needed to ssh into a laptop computer.
> Also, if you want to set up ssh, add ssh client and set up your user
> (sudo enabled) account and random obscure port in sshd config. Be
> sure to set it up so that it uses a key pair. Then you still won't
> need root over ssh.

I must have been unclear. I think I explicitly discouraged from
allowing root login via SSH (this is the general recommendation
out there anyway).

The *only* case a root account (with password) may help is a
busted boot (e.g. by a root FS file system check dropping into
an interactive root session, among other things). There, you
need a root password (or alternatively, a rescue medium, if
you have one handy). And in this case (root login with password
restricted to physical presence) there is no security downside,
in the "normal" case (i.e. laptop or workstation). A kiosk
or (physically remote) server is a different story, though.

Cheers
- -- tomás
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAllrer8ACgkQBcgs9XrR2kY5ZACfbrpofJQNLQP86QgM7AVRyXgL
qgIAnimLiZVrAverAnPcJYp1JYOCniLF
=C82S
-END PGP SIGNATURE-

Re: How to gain control over the system?

[RavenLX]

On 07/12/2017 09:21 AM, to...@tuxteam.de wrote:

[snip]


I've been following this back-and-forth for a while. Yes, I think it's
a good idea to use the root account as little as possible. Myself, I
use sudo in the overwhelming majority of cases.

But I learnt the hard way that sometimes it's a good idea to keep a
root account (with a corresponding password!) around.

When the system boots and the root file system is corrupt (or a
similar early-boot problem happens), you find yourself staring at
a message more or less looking like that:

  Please enter your root password to start a rescue shell:

(message is from memory, but you get the -uh- message).

This was shortly after Debian convinced me that having a root password
is The Evil Itself.

Duh.

I'm wiser now.

(Yah, there is a workaround for that: a rescue disk, and that's how
I got myself out of that, but hey).


I have only used a rescue disk once many years ago. That was because of 
a failing hard drive. Got the data from it OK, thankfully.



Of course: no remote login as root (sshd_config). Use sudo in normal
life (it's more comfortable, anyway). All that. Use a hard-to-guess
root password (pwgen -n 16, for me).

But. A root password doesn't make your system more insecure (unless
it opens up one more remote access). And sometimes, just sometimes
you wish you had one :-)


I use a laptop but I've never needed to ssh into a laptop computer. 
Also, if you want to set up ssh, add ssh client and set up your user 
(sudo enabled) account and random obscure port in sshd config. Be sure 
to set it up so that it uses a key pair. Then you still won't need root 
over ssh.


I'm not totally convinced that having a root account accessible 24/7 is 
a good idea, especially on portable systems that can also be accessed 
via internet.

Re: How to gain control over the system?

[David Wright]

On Thu 13 Jul 2017 at 15:11:59 (+0200), to...@tuxteam.de wrote:
> On Thu, Jul 13, 2017 at 01:34:39PM +0200, Kaj Persson wrote:
> 
> [...]
> 
> [added cc debian-user]
> 
> > Can you have this defined from /etc/fstab too? I have had no success
> > in that.
> 
> This line in the fstab works for me (note: no systemd here; systemd
> is known to do things with mounting, so results may vary):
> 
>   #  
>   
>   /dev/sdb1   /media/usb0 autorw,user,noauto,uid=tomas,gid=tomas  
> 0   0
> 
> Season to taste :-)
> 
> Fixed entries in fstab are of limited use for removable media, though:
> you never know which device your stick appears as (you might use label
> or UUID, depending on your use case).

Another way that works for me is lines like:

UUID=2017-0401 /media/esxplore4g vfat 
rw,errors=remount-ro,utf8,shortname=lower,user,noauto,fmask=137,dmask=027

With this, whoever mounts it owns it and gets rw-r- (files) and
drwxr-x--- (directories). All our sticks/cards etc have individual
mount points, and mount by UUID (fat) or LABEL (ext/fat).
The mount points are all created  drwx-- root root
with identical timestamps, so any with devices mounted on them can
easily be spotted.

Cheers,
David.

Re: How to gain control over the system?

[tomas]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Thu, Jul 13, 2017 at 08:12:46AM -0400, Fungi4All wrote:
> > UTC Time: July 13, 2017 11:13 AM
> > From: to...@tuxteam.de
> > To: debian-user@lists.debian.org
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA1
> > On Thu, Jul 13, 2017 at 12:08:27PM +0200, Kaj Persson wrote:
> > [...]
> >> As always only root can mount a file system. In the case vfat, which
> >> does not have an access system by its own, the owner of the mounted
> >> system will be root.
> > As a hint (I"m not a purist, mind you): I always mount vfat (well,
> > at least when I plan to access them as regular user):
> > sudo mount -ouid=tomas,gid=tomas /dev/sdb1 /mnt
> > This makes my life easier (yes, you can put the user name in there,
> > and separating uid=foo,gid=bar with a comma (no space!) should
> > work for you.
> > As to your original problem... sorry.
> > Cheers
> 
> Minor note and question:
> If he or anyone else is using other than MSwin more than one linux/unix
> system with a common /home partition and wants access to the
> same /home/user if "user" corresponds to 1001 in Debian and 1003 in
> LinuxX then the name user will not allow access to the other system as
> on is user 1001 and the other 1003, two different users with the same
> label. The other way around seems to work with my experience, if
> 1002 is Deb on one system and 1002 is Ian on another then it shows
> as the same user. The true owner is described by the id not the label,
> I think!

I couldn't really follow your thoughts. It is simple: the command
"mount" translates the user and group names to some IDs according
to whatever mapping is defined in the current /etc/passwd.

Windows... is another story completely.

Cheers
- -- t
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAllncpkACgkQBcgs9XrR2kZDsgCfX5QhwauiGu4Hk1hw5cKDzl+6
jZcAn1lo3C8WaUrRoJCDxp0ZOavAVudQ
=S/Z9
-END PGP SIGNATURE-

Re: How to gain control over the system?

[tomas]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Thu, Jul 13, 2017 at 01:34:39PM +0200, Kaj Persson wrote:

[...]

[added cc debian-user]

> Can you have this defined from /etc/fstab too? I have had no success
> in that.

This line in the fstab works for me (note: no systemd here; systemd
is known to do things with mounting, so results may vary):

  #  
  
  /dev/sdb1   /media/usb0 autorw,user,noauto,uid=tomas,gid=tomas  0 
  0

Season to taste :-)

Fixed entries in fstab are of limited use for removable media, though:
you never know which device your stick appears as (you might use label
or UUID, depending on your use case).

Cheers
- -- tomás
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAllncZ8ACgkQBcgs9XrR2kb5MQCfRgJDrdom249bF3L+0R7bLTtM
miwAnjWQ6TXWUN3NO/5Ckbi7sKcpSgKv
=+B/y
-END PGP SIGNATURE-

Re: How to gain control over the system?

[Fungi4All]

> UTC Time: July 13, 2017 11:13 AM
> From: to...@tuxteam.de
> To: debian-user@lists.debian.org
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> On Thu, Jul 13, 2017 at 12:08:27PM +0200, Kaj Persson wrote:
> [...]
>> As always only root can mount a file system. In the case vfat, which
>> does not have an access system by its own, the owner of the mounted
>> system will be root.
> As a hint (I"m not a purist, mind you): I always mount vfat (well,
> at least when I plan to access them as regular user):
> sudo mount -ouid=tomas,gid=tomas /dev/sdb1 /mnt
> This makes my life easier (yes, you can put the user name in there,
> and separating uid=foo,gid=bar with a comma (no space!) should
> work for you.
> As to your original problem... sorry.
> Cheers

Minor note and question:
If he or anyone else is using other than MSwin more than one linux/unix
system with a common /home partition and wants access to the
same /home/user if "user" corresponds to 1001 in Debian and 1003 in
LinuxX then the name user will not allow access to the other system as
on is user 1001 and the other 1003, two different users with the same
label. The other way around seems to work with my experience, if
1002 is Deb on one system and 1002 is Ian on another then it shows
as the same user. The true owner is described by the id not the label,
I think!

Re: How to gain control over the system?

[tomas]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Thu, Jul 13, 2017 at 12:08:27PM +0200, Kaj Persson wrote:

[...]

> As always only root can mount a file system. In the case vfat, which
> does not have an access system by its own, the owner of the mounted
> system will be root.

As a hint (I'm not a purist, mind you): I always mount vfat (well,
at least when I plan to access them as regular user):

  sudo mount -ouid=tomas,gid=tomas /dev/sdb1 /mnt

This makes my life easier (yes, you can put the user name in there,
and separating uid=foo,gid=bar with a comma (no space!) should
work for you.

As to your original problem... sorry.

Cheers
- -- t
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAllnVdIACgkQBcgs9XrR2kYtnwCfTqIpa9KgpccLP9pC31xEas7v
9TYAn1z/3Zwcv+lNQvGS4Y33btjsptE6
=IyrH
-END PGP SIGNATURE-

Re: How to gain control over the system?

[Kaj Persson]

On 2017-07-12 at 03:49, Felix Miata wrote:

Kaj Persson composed on 2017-07-11 22:29 (UTC+0200):
...

ls -Al /home:
drwxr-xr-x 39 kaj  kaj  16384 jul 11 17:23 kaj

OK...


and from the command
tree -qpadxugL 2 /home:
/home

...

│   ├── [drwxrwx--- root kaj ]  DATA

...

│   ├── [drwxrwx--- root kaj ]  Hämtningar

...

│   ├── [drwxrwx--- root kaj ]  Musik
│   ├── [drwxrwx--- root kaj ]  Nedladd

...
Definitely not OK, making one wonder what lurks deeper or elsewhere.


and from
tree -qpadxugL 3 /home/kaj/.config:

OK only as deep as you went.

...

I see nothing which gives me an idea of what is wrong. Are there any
more files or directories to look at? In /etc perhaps?

You're not done looking. Until you get all the way to the bottom, you can't know
what else is wrong. You apparently need depth of at least 3 in the other hidden
directories, at least 4 in .config, and probabliy 4 or more in all.

Again:

chown -R 1000:1000 /home/kaj/

as root should fix them all. If it doesn't, chown would seem to be broken.

Maybe this in addition?

chown -R 1000:1000 /home/kaj/.*


Try MC in fullscreen mode. That way every listing you can see will display
ownership.
Some of you did react strongly on the ownership on some of the 
directories. They are owned by root and have group access by group kaj 
(1000). I tried to shortly explain why. They are mounted vfat 
partitions, and as far as I have succeeded to mount them, this is the 
result. I suppose that those people are purists with not too big 
experience of mixed environments. If I go solely with ext4 partitions, 
all this is much easier, but I have reasons to have at least half a 
window open towards the Microsoft world with common data, so that's it. 
Maybe ntfs is a better choice, and simpler to manage, but at that time, 
many years ago when I had to chose, the support for that file system was 
not sufficiently good, so my choice became vfat.


As always only root can mount a file system. In the case vfat, which 
does not have an access system by its own, the owner of the mounted 
system will be root. According to "man mount" you could put the option 
uid=1000 (or any), and I do so in my fstab, but at least I have not got 
this to work. However gid=1000 works fine, and that way I get full 
access to the vfat partitions. I use umask=007. Possibly you could use 
707, but this has not caused me any problems during all these years I 
have used this method. And these vfat partitions are used purely for 
user data: photos, documents, downloads etc. Unpacking the downloads are 
normally performed in an ext4 partition and run from there. Moreover 
chown has no impact on these mounts. The only way to change the 
ownership (which does not work) or group, is by umount and a new mount. 
Not even the option remount has any effect, at least according to my 
experience. Also, all files and all subdirectories inherit the owner and 
group properties from its parents all way up, so strictly it is 
sufficient to look at the top level of all mounts. In my case all mounts 
except /usr/local are mounted at subdirectories of /mnt. Then some of 
them have got an extra entry via mount --bind in $HOME, and it is those 
you see in the list with root as the owner. I have looked at all files 
down to the bottom of the tree, but this list is not suitable to present 
in this forum, much too long. Already the previous lists were too big, 
but I wanted you to see the principle. Nowhere in this huge list I can 
see an incorrect root influence.


BUT! What I lack is power to arrange my desktop and panels. Isn't there 
some file somewhere in which I should be set access to these facilities, 
something like sudo access? Maybe a group I should belong to, or 
something like this? I do not have enough knowledge of all this, but I 
hope someone in the forum will have.


/Kaj

Re: How to gain control over the system?

[tomas]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Wed, Jul 12, 2017 at 08:30:12AM -0400, RavenLX wrote:

[...]

> To remove the root password so root can't log in again:
> 
> sudo passwd -l root

I've been following this back-and-forth for a while. Yes, I think it's
a good idea to use the root account as little as possible. Myself, I
use sudo in the overwhelming majority of cases.

But I learnt the hard way that sometimes it's a good idea to keep a
root account (with a corresponding password!) around.

When the system boots and the root file system is corrupt (or a
similar early-boot problem happens), you find yourself staring at
a message more or less looking like that:

  Please enter your root password to start a rescue shell:

(message is from memory, but you get the -uh- message).

This was shortly after Debian convinced me that having a root password
is The Evil Itself.

Duh.

I'm wiser now.

(Yah, there is a workaround for that: a rescue disk, and that's how
I got myself out of that, but hey).

Of course: no remote login as root (sshd_config). Use sudo in normal
life (it's more comfortable, anyway). All that. Use a hard-to-guess
root password (pwgen -n 16, for me).

But. A root password doesn't make your system more insecure (unless
it opens up one more remote access). And sometimes, just sometimes
you wish you had one :-)

Cheers
- -- t
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAllmIlkACgkQBcgs9XrR2kbbrQCeMEk2yo4l//4fQ6EmfVKZdCI8
NO8An3h/C2QqwlJU77AjzwDo0y5eRQYe
=dq9G
-END PGP SIGNATURE-

Re: How to gain control over the system?

[RavenLX]

On 07/09/2017 06:11 PM, Kaj Persson wrote:

Hi Jimmy,
Well, I did not follow your suggestion exactly, but as people has said,
the root account is already and always  there, even it has not been
assigned a password. So, against my real whish, not to activate the root
account, I gave the command sudo passwd root, and entered a password.
And now I suppose I have burned my ships and have no way back...


[Snip]

To remove the root password so root can't log in again:

sudo passwd -l root

It'll report that the root password expiry has changed:

from man passwd:

  -l, --lock
Lock the password of the named account. This option disables a password 
by changing it to a value which matches no possible encrypted value (it 
adds a ´!´ at the beginning of the password).


Note that this does not disable the account. The user may still be able 
to login using another authentication token (e.g. an SSH key). To 
disable the account, administrators should use usermod --expiredate 1 
(this set the account's expire date to Jan 2, 1970).


Users with a locked password are not allowed to change their password.

[end of man entry]

Now, nobody can log in as root. But, root account is still there if you 
need it. To get it back and give it a password:


sudo passwd -u root
sudo passwd root

(Then type in a secure password for root.)

Re: How to gain control over the system?

[Greg Wooledge]

On Tue, Jul 11, 2017 at 09:49:15PM -0400, Felix Miata wrote:
> Again:
> 
>   chown -R 1000:1000 /home/kaj/
> 
> as root should fix them all. If it doesn't, chown would seem to be broken.

Looks correct.

> Maybe this in addition?
> 
>   chown -R 1000:1000 /home/kaj/.*

No, NOT correct.  Do not do this.  .* will expand to .. which will mean
you end up chowning all of /home.

The chown -R rooted in /home/kaj will include all of the dot files,
so you don't need a second step at all.  Especially not this one.

Re: How to gain control over the system?

[Felix Miata]

Kaj Persson composed on 2017-07-11 22:29 (UTC+0200):
...
> ls -Al /home:

> drwxr-xr-x 39 kaj  kaj  16384 jul 11 17:23 kaj

OK...

> and from the command
> tree -qpadxugL 2 /home:

> /home
...
> │   ├── [drwxrwx--- root kaj ]  DATA
...
> │   ├── [drwxrwx--- root kaj ]  Hämtningar
...
> │   ├── [drwxrwx--- root kaj ]  Musik
> │   ├── [drwxrwx--- root kaj ]  Nedladd
...
Definitely not OK, making one wonder what lurks deeper or elsewhere.

> and from
> tree -qpadxugL 3 /home/kaj/.config:

OK only as deep as you went.

...
> I see nothing which gives me an idea of what is wrong. Are there any 
> more files or directories to look at? In /etc perhaps?

You're not done looking. Until you get all the way to the bottom, you can't know
what else is wrong. You apparently need depth of at least 3 in the other hidden
directories, at least 4 in .config, and probabliy 4 or more in all.

Again:

chown -R 1000:1000 /home/kaj/

as root should fix them all. If it doesn't, chown would seem to be broken.

Maybe this in addition?

chown -R 1000:1000 /home/kaj/.*


Try MC in fullscreen mode. That way every listing you can see will display
ownership.
-- 
"The wise are known for their understanding, and pleasant
words are persuasive." Proverbs 16:21 (New Living Translation)

 Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!

Felix Miata  ***  http://fm.no-ip.com/

Re: How to gain control over the system?

[Greg Wooledge]

On Tue, Jul 11, 2017 at 03:54:21PM -0500, David Wright wrote:
> $ find ~ -mount -not -group 1000 -exec ls -ld {} \; -o -not -user 1000 -exec 
> ls -ld {} \;

find ~ -mount \( ! -group 1000 -o ! -user 1000 \) -ls

(You could also use DeMorgan's laws to factor out the "!", but this
way seems a little clearer.)

Re: How to gain control over the system?

[David Wright]

On Tue 11 Jul 2017 at 22:29:45 (+0200), Kaj Persson wrote:
[...]
> I see nothing which gives me an idea of what is wrong. Are there any
> more files or directories to look at? In /etc perhaps?

I don't know whether this would be useful, but

# find / -mount -not -group 0 -exec ls -ld {} \; -o -not -user 0 -exec ls -ld 
{} \; | less

or

$ find ~ -mount -not -group 1000 -exec ls -ld {} \; -o -not -user 1000 -exec ls 
-ld {} \;

might be useful (where 1000 is the typical UID of the First User).
The latter would usually be expected to produce no output, the former
will produce some, depending on where /var, /tmp etc are mounted.

Cheers,
David.

Re: How to gain control over the system?

[Kaj Persson]

On 2017-07-10 at 01:36, Felix Miata wrote:

Kaj Persson composed on 2017-07-09 14:54 (UTC+0200):


* Regarding access to my user directory: During my search I did in fact
find some files and directories owned by user root or group root. These
are changed to be owned by my user id and group id, but this did not
help. By the way, On this computer I have always had just one user,
mine, and hence got the user id 1000 and group id 1000. This is the case
now too.

Are you 100% sure you found and corrected 100% of bad ones? Does 1000:1000 own
$HOME? X session settings not saved is virtually always bad file permissions or
errant ownership. Anything that got stolen by root:root via errant sudo or su
will almost certainly have to be fixed as root, exception being via a
superwizard who would unlikely ever have gotten into this trouble in the first
place.

You really don't need to hunt for any that are bad unless you care to know which
are causing the trouble. Simply do as root:

chown -R 1000:1000 /home/kaj/

using whatever your actual username is rather than kaj.


Yes, I think so. Shouldn't I?

All the commands in the following are given as user root.
This is the output from the command
ls -Al /home:

drwxr-xr-x 39 kaj  kaj  16384 jul 11 17:23 kaj
drwx--  2 root root 16384 sep 28  2016 lost+found
drwx--  4 root root  4096 okt 26  2016 .Trash-0

and from the command
tree -qpadxugL 2 /home:

/home
├── [drwxr-xr-x kaj  kaj ]  kaj
│   ├── [drwx-- kaj  kaj ]  .alsaplayer
│   ├── [drwxr-xr-x kaj  kaj ]  Bilder
│   ├── [drwxr-xr-x kaj  kaj ]  bin
│   ├── [drwx-- kaj  kaj ]  .cache
│   ├── [drwxr-xr-x kaj  kaj ]  .config
│   ├── [drwxrwx--- root kaj ]  DATA
│   ├── [drwxr-xr-x kaj  kaj ]  Dokument
│   ├── [drwxr-xr-x kaj  kaj ]  dwhelper
│   ├── [drwx-- kaj  kaj ]  .gconf
│   ├── [drwx-- kaj  kaj ]  .gnome2
│   ├── [drwx-- kaj  kaj ]  .gnome2_private
│   ├── [drwx-- kaj  kaj ]  .gnupg
│   ├── [drwxrwx--- root kaj ]  Hämtningar
│   ├── [drwx-- kaj  kaj ]  .local
│   ├── [drwx-- kaj  kaj ]  Mail
│   ├── [drwxr-xr-x kaj  kaj ]  Mallar
│   ├── [drwx-- kaj  kaj ]  .mozc
│   ├── [drwx-- kaj  kaj ]  .mozilla
│   ├── [drwxrwx--- root kaj ]  Musik
│   ├── [drwxrwx--- root kaj ]  Nedladd
│   ├── [drwxr-xr-x kaj  kaj ]  Publikt
│   ├── [drwxr-xr-x kaj  kaj ]  Skrivbord
│   ├── [drwx-- kaj  kaj ]  .thunderbird
│   ├── [drwxr-xr-x kaj  kaj ]  Video
├── [drwx-- root root]  lost+found
└── [drwx-- root root]  .Trash-0
├── [drwx-- root root]  files
└── [drwx-- root root]  info


and from
tree -qpadxugL 3 /home/kaj/.config:

/home/kaj/.config
├── [drwxr-xr-x kaj  kaj ]  caja
│   └── [drwxr-xr-x kaj  kaj ]  scripts
├── [drwx-- kaj  kaj ]  enchant
├── [drwx-- kaj  kaj ]  gtk-2.0
├── [drwx-- kaj  kaj ]  gtk-3.0
├── [drwx-- kaj  kaj ]  ibus
│   └── [drwx-- kaj  kaj ]  bus
├── [drwxr-xr-x kaj  kaj ]  libreoffice
│   └── [drwx-- kaj  kaj ]  4
│   ├── [drwxr-xr-x kaj  kaj ]  cache
│   └── [drwxr-xr-x kaj  kaj ]  user
├── [drwx-- kaj  kaj ]  mate
│   ├── [drwx-- kaj  kaj ]  eom
│   └── [drwx-- kaj  kaj ]  panel2.d
│   └── [drwx-- kaj  kaj ]  default
├── [drwxr-xr-x kaj  kaj ]  mate-session
│   └── [drwxr-xr-x kaj  kaj ]  saved-session
├── [drwx-- kaj  kaj ]  mc
├── [drwxr-xr-x kaj  kaj ]  pluma
└── [drwxr-xr-x kaj  kaj ]  rncbc.org


A few explanations:
The names are partly in Swedish, but you might never the less understand 
them, I think. "Hämtningar" and "Nedladd" is Swedish for "Downloads". 
Those few directories owned by user root and group kaj are mounted file 
systems (FAT32) containing only user data. I have removed a few lines 
regarding installed programmes.


I see nothing which gives me an idea of what is wrong. Are there any 
more files or directories to look at? In /etc perhaps?


/Kaj

Re: How to gain control over the system?

[Dejan Jocic]

On 10-07-17, Kaj Persson wrote:
> Hi Jimmy,
> Well, I did not follow your suggestion exactly, but as people has said, the
> root account is already and always  there, even it has not been assigned a
> password. So, against my real whish, not to activate the root account, I
> gave the command sudo passwd root, and entered a password. And now I suppose
> I have burned my ships and have no way back...
> 
> But! Nothing has changed. I can still not enter program icons to the panel,
> and not define keyboard shortcuts. If I sort the icons on the desktop they
> still, after a cold start, come back in a completely other order, dispite I
> had marked "Keep ajusted" (right click on desktop).
> 
> So...?
> /Kaj
> 

What are you talking about, there are several ways to lock your root
account? Not sure why you would like to though. You can lock it with
sudo, like this:

sudo passwd -l root

But that is not really necessary. Better would be to learn how to
strengthen your root account. Depending on what you really want to
achieve, you can set it up so only way to access it would be to use su,
or sudo from trusted accounts. If you are interested in that, further
reading you can find here:

https://www.centos.org/docs/5/html/5.1/Deployment_Guide/s2-wstation-privileges-noroot.html

Re: How to gain control over the system?

[Joel Rees]

On Mon, Jul 10, 2017 at 7:11 AM, Kaj Persson  wrote:
> Hi Jimmy,
> Well, I did not follow your suggestion exactly, but as people has said, the
> root account is already and always  there, even it has not been assigned a
> password. So, against my real whish, not to activate the root account, I
> gave the command sudo passwd root, and entered a password. And now I suppose
> I have burned my ships and have no way back...

Of course you have a way back.

   man vipw

   man 5 passwd

   man 5 shadow

and note the -s option.

   man nologin

   man false

Then

   sudo vipw

and change the line for root (should be the very first line) to give it
either /bin/false or /sbin/nologin as the default shell for root.

(That's the last field.)

   cat /etc/passwd

after you're done, to make sure you saved it. Then,

   sudo vipw -s

and replace the encrypted password (second ffield) there with '*'.

 > But! Nothing has changed. I can still not enter program icons to the panel,
> and not define keyboard shortcuts. If I sort the icons on the desktop they
> still, after a cold start, come back in a completely other order, dispite I
> had marked "Keep ajusted" (right click on desktop).
>
> So...?
> /Kaj

Have you checked group ownership and  permissions?

Also, have you checked your mount parameters?

And have you checked whether you have established SELinux or acl
permissions or anything of that ilk?

(BTW, do you keep a backup of your /home partition? I usually find
myself using cp -p or tar to copy the files from the old /home to the
new one, instead of keeping an old /home around.)

-- 
Joel Rees

One of these days I'll get someone to pay me
to design a language that combines the best of Forth and C.
Then I'll be able to leap wide instruction sets with a single #ifdef,
run faster than a speeding infinite loop with a #define,
and stop all integer size bugs with my bare cast.
http://defining-computers.blogspot.com/2017/06/reinventing-computers.html

More of my delusions:
http://reiisi.blogspot.com/2017/05/do-not-pay-modern-danegeld-ransomware.html
http://reiisi.blogspot.jp/p/novels-i-am-writing.html

Re: How to gain control over the system?

[Felix Miata]

Kaj Persson composed on 2017-07-09 14:54 (UTC+0200):

> * Regarding access to my user directory: During my search I did in fact 
> find some files and directories owned by user root or group root. These 
> are changed to be owned by my user id and group id, but this did not 
> help. By the way, On this computer I have always had just one user, 
> mine, and hence got the user id 1000 and group id 1000. This is the case 
> now too.
Are you 100% sure you found and corrected 100% of bad ones? Does 1000:1000 own
$HOME? X session settings not saved is virtually always bad file permissions or
errant ownership. Anything that got stolen by root:root via errant sudo or su
will almost certainly have to be fixed as root, exception being via a
superwizard who would unlikely ever have gotten into this trouble in the first
place.

You really don't need to hunt for any that are bad unless you care to know which
are causing the trouble. Simply do as root:

chown -R 1000:1000 /home/kaj/

using whatever your actual username is rather than kaj.
-- 
"The wise are known for their understanding, and pleasant
words are persuasive." Proverbs 16:21 (New Living Translation)

 Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!

Felix Miata  ***  http://fm.no-ip.com/

Re: How to gain control over the system?

[Jimmy Johnson]

On 07/09/2017 03:11 PM, Kaj Persson wrote:

Hi Jimmy,
Well, I did not follow your suggestion exactly, but as people has said,
the root account is already and always  there, even it has not been
assigned a password. So, against my real whish, not to activate the root
account, I gave the command sudo passwd root, and entered a password.
And now I suppose I have burned my ships and have no way back...

But! Nothing has changed. I can still not enter program icons to the
panel, and not define keyboard shortcuts. If I sort the icons on the
desktop they still, after a cold start, come back in a completely other
order, dispite I had marked "Keep ajusted" (right click on desktop).

So...?
/Kaj


I don't do sudo nor do I top post.  Maybe you should start over and this 
time use the net install, you will be given the option to install task mate.


Good luck.
--
Jimmy Johnson

Debian Buster - KDE Plasma 5.8.7 - Intel G3220 - EXT4 at sda14
Registered Linux User #380263

Re: How to gain control over the system?

[Kaj Persson]

Hi Jimmy,
Well, I did not follow your suggestion exactly, but as people has said, 
the root account is already and always  there, even it has not been 
assigned a password. So, against my real whish, not to activate the root 
account, I gave the command sudo passwd root, and entered a password. 
And now I suppose I have burned my ships and have no way back...


But! Nothing has changed. I can still not enter program icons to the 
panel, and not define keyboard shortcuts. If I sort the icons on the 
desktop they still, after a cold start, come back in a completely other 
order, dispite I had marked "Keep ajusted" (right click on desktop).


So...?
/Kaj

Den 2017-07-09 kl. 22:28, skrev Jimmy Johnson:

On 07/08/2017 02:57 PM, Kaj Persson wrote:

Hi all,

So can someone help me get the command back, or do I have to make a new
reinstall, hoping for better luck. Possibly setting a password on the
Admin, hence activating that account, which I would prefer not having 
to.


Thank you in advance
Kaj


Hi,

Start the Stretch install cd/dvd in repair mode and when you get to 
where you can start a shell in the install at the prompt type:# passwd 
root and then enter the new root passwd and then reboot.

Re: How to gain control over the system?

[Kaj Persson]

Yes, a good try, but ...
Owner and group for /home is root resp. root,
and for /home/cookoo (to use your example) is the correct user name 
resp. group.
I have also looked one level further, hence /home/cookoo/subdir/, and 
all directories on this level have the same ownership (=user name - group).


Thank you for your efforts to help.
/Kaj


On 2017-07-09 at 19:21, Fungi4All wrote:

I am interested in the owner of the file structure of /home/user
Let's say your username is cookoo  Is the owner of
and its subdirectories and contents also cookoo?
With your filemanager r-click properties and permissions to see owner
and file access rights.  If you see a number like 1008 instead of the
username that is the problem.


From: 70147pers...@telia.com
To: debian-user@lists.debian.org


Well, as I wrote my /home is an own partition, and so it has been for 
a long time. So it is not a new copy but a new mount. Certainly it 
therefore contains old config files that maybe ought to be removed. 
But on the other hand almost all of them are reused, since many  of 
them belong to applications which I want to install also in the new 
system.


Also, as I wrote, I did a test by moving all these config files into 
a new directory "hidden", itself not hidden despite the name, inside 
the home directory (and partition).

/Kaj


On 2017-07-09 at 15:38, Fungi4All wrote:

Again, did you copy your /home from a previous system or is it a new
configuration that locked your panels?


UTC Time: July 9, 2017 12:54 PM
From: 70147pers...@telia.com
To: debian-user@lists.debian.org

Thank you all for thoughts and viewpoints on what can be wrong in my
installation of Debian 9. I have looked through places I might expect
can contain some explanation, but so far I have not been able to 
exclaim

an "Ah, that"s it!". Here are some of my observations:

* First source of install: Well, I do know I wrote that used the live
image, but to be honest, for now I am not sure, I do not remember. 
I had

downloaded the live image as well as the install image, and most
probable choice would be the later. But I do not know. Anyway the
install process itself went without any problems.

* At the install I made it fully new from the bottom. The only 
directory

I kept unchanged was my home directory. This is situated on an own
partition. All the others were reformatted: /, /boot, /usr, /var and
/tmp. All these are on individual partitions while e.g. /etc is
contained in the root partition. At earlier installations I have 
noticed

that the home directory can contain wrong configuration files, so as a
test I moved all hidden files i.e. files starting with a dot to a new
created directory "hidden". This was however after the install. So 
at a

subsequent cold start the system had no configuration files there but
created new ones with default values. This however had no positive
impact on my problem.

* Configuring sudo? No I have not done that explicitly, not more than
what the install program did itself. I have looked at /etc/sudoers and
what I think the important lines are:

# User privilege specification
root ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

#includedir /etc/sudoers.d

In /etc/sudoers.d there are no more files than README.

There is no /etc/sudo.conf file.

* Regarding access to my user directory: During my search I did in 
fact
find some files and directories owned by user root or group root. 
These

are changed to be owned by my user id and group id, but this did not
help. By the way, On this computer I have always had just one user,
mine, and hence got the user id 1000 and group id 1000. This is the 
case

now too.

uid 1000 is a member of the sudo group.

* As I wrote I have always used this method of not setting any 
password
to the root account, and this is for quite many years now. My Linux 
path

has gone via Ubuntu, well to be honest a couple of years after the
Microsoft era I ran in Suse, but was not fully satisfied. And when
Ubuntu and Canonical introduced Unity, I left that ship for Linux Mint
Debian edition (LMDE) until I took the last(?) step into Debian a 
couple

of years ago where the entrance point was jessie. The empty root
password has always worked fine until now. Possibly Ubuntu has patched
the sudologin but should LMDE? And jessie? I do not think so.


Hope someone can find something significant in this and give a hint on
what to do.

Kaj

Re: How to gain control over the system?

[Jimmy Johnson]

On 07/08/2017 02:57 PM, Kaj Persson wrote:

Hi all,

So can someone help me get the command back, or do I have to make a new
reinstall, hoping for better luck. Possibly setting a password on the
Admin, hence activating that account, which I would prefer not having to.

Thank you in advance
Kaj


Hi,

Start the Stretch install cd/dvd in repair mode and when you get to 
where you can start a shell in the install at the prompt type:# passwd 
root and then enter the new root passwd and then reboot.

--
Jimmy Johnson

Debian Buster - KDE Plasma 5.8.7 - Intel G3220 - EXT4 at sda14
Registered Linux User #380263

Re: How to gain control over the system?

[Kaj Persson]

Well, as I wrote my /home is an own partition, and so it has been for a 
long time. So it is not a new copy but a new mount. Certainly it 
therefore contains old config files that maybe ought to be removed. But 
on the other hand almost all of them are reused, since many  of them 
belong to applications which I want to install also in the new system.


Also, as I wrote, I did a test by moving all these config files into a 
new directory "hidden", itself not hidden despite the name, inside the 
home directory (and partition).

/Kaj


On 2017-07-09 at 15:38, Fungi4All wrote:

Again, did you copy your /home from a previous system or is it a new
configuration that locked your panels?


UTC Time: July 9, 2017 12:54 PM
From: 70147pers...@telia.com
To: debian-user@lists.debian.org

Thank you all for thoughts and viewpoints on what can be wrong in my
installation of Debian 9. I have looked through places I might expect
can contain some explanation, but so far I have not been able to exclaim
an "Ah, that"s it!". Here are some of my observations:

* First source of install: Well, I do know I wrote that used the live
image, but to be honest, for now I am not sure, I do not remember. I had
downloaded the live image as well as the install image, and most
probable choice would be the later. But I do not know. Anyway the
install process itself went without any problems.

* At the install I made it fully new from the bottom. The only directory
I kept unchanged was my home directory. This is situated on an own
partition. All the others were reformatted: /, /boot, /usr, /var and
/tmp. All these are on individual partitions while e.g. /etc is
contained in the root partition. At earlier installations I have noticed
that the home directory can contain wrong configuration files, so as a
test I moved all hidden files i.e. files starting with a dot to a new
created directory "hidden". This was however after the install. So at a
subsequent cold start the system had no configuration files there but
created new ones with default values. This however had no positive
impact on my problem.

* Configuring sudo? No I have not done that explicitly, not more than
what the install program did itself. I have looked at /etc/sudoers and
what I think the important lines are:

# User privilege specification
root ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

#includedir /etc/sudoers.d

In /etc/sudoers.d there are no more files than README.

There is no /etc/sudo.conf file.

* Regarding access to my user directory: During my search I did in fact
find some files and directories owned by user root or group root. These
are changed to be owned by my user id and group id, but this did not
help. By the way, On this computer I have always had just one user,
mine, and hence got the user id 1000 and group id 1000. This is the case
now too.

uid 1000 is a member of the sudo group.

* As I wrote I have always used this method of not setting any password
to the root account, and this is for quite many years now. My Linux path
has gone via Ubuntu, well to be honest a couple of years after the
Microsoft era I ran in Suse, but was not fully satisfied. And when
Ubuntu and Canonical introduced Unity, I left that ship for Linux Mint
Debian edition (LMDE) until I took the last(?) step into Debian a couple
of years ago where the entrance point was jessie. The empty root
password has always worked fine until now. Possibly Ubuntu has patched
the sudologin but should LMDE? And jessie? I do not think so.


Hope someone can find something significant in this and give a hint on
what to do.

Kaj

Re: How to gain control over the system?

[Fungi4All]

Again, did you copy your /home from a previous system or is it a new
configuration that locked your panels?

> UTC Time: July 9, 2017 12:54 PM
> From: 70147pers...@telia.com
> To: debian-user@lists.debian.org
> Thank you all for thoughts and viewpoints on what can be wrong in my
> installation of Debian 9. I have looked through places I might expect
> can contain some explanation, but so far I have not been able to exclaim
> an "Ah, that"s it!". Here are some of my observations:
> * First source of install: Well, I do know I wrote that used the live
> image, but to be honest, for now I am not sure, I do not remember. I had
> downloaded the live image as well as the install image, and most
> probable choice would be the later. But I do not know. Anyway the
> install process itself went without any problems.
> * At the install I made it fully new from the bottom. The only directory
> I kept unchanged was my home directory. This is situated on an own
> partition. All the others were reformatted: /, /boot, /usr, /var and
> /tmp. All these are on individual partitions while e.g. /etc is
> contained in the root partition. At earlier installations I have noticed
> that the home directory can contain wrong configuration files, so as a
> test I moved all hidden files i.e. files starting with a dot to a new
> created directory "hidden". This was however after the install. So at a
> subsequent cold start the system had no configuration files there but
> created new ones with default values. This however had no positive
> impact on my problem.
> * Configuring sudo? No I have not done that explicitly, not more than
> what the install program did itself. I have looked at /etc/sudoers and
> what I think the important lines are:
> # User privilege specification
> root ALL=(ALL:ALL) ALL
> # Allow members of group sudo to execute any command
> %sudo ALL=(ALL:ALL) ALL
> #includedir /etc/sudoers.d
> In /etc/sudoers.d there are no more files than README.
> There is no /etc/sudo.conf file.
> * Regarding access to my user directory: During my search I did in fact
> find some files and directories owned by user root or group root. These
> are changed to be owned by my user id and group id, but this did not
> help. By the way, On this computer I have always had just one user,
> mine, and hence got the user id 1000 and group id 1000. This is the case
> now too.
> uid 1000 is a member of the sudo group.
> * As I wrote I have always used this method of not setting any password
> to the root account, and this is for quite many years now. My Linux path
> has gone via Ubuntu, well to be honest a couple of years after the
> Microsoft era I ran in Suse, but was not fully satisfied. And when
> Ubuntu and Canonical introduced Unity, I left that ship for Linux Mint
> Debian edition (LMDE) until I took the last(?) step into Debian a couple
> of years ago where the entrance point was jessie. The empty root
> password has always worked fine until now. Possibly Ubuntu has patched
> the sudologin but should LMDE? And jessie? I do not think so.
> Hope someone can find something significant in this and give a hint on
> what to do.
> Kaj

Re: How to gain control over the system? [a security-side-note]

[Dejan Jocic]

On 09-07-17, Eike Lantzsch wrote:
> On Sunday, 9 July 2017 14:54:02 -04 Kaj Persson wrote:
> > 
> > * Configuring sudo? No I have not done that explicitly, not more than
> > what the install program did itself. I have looked at /etc/sudoers and
> > what I think the important lines are:
> > 
> >  # User privilege specification
> >  rootALL=(ALL:ALL) ALL
> > 
> >  # Allow members of group sudo to execute any command
> >  %sudo   ALL=(ALL:ALL) ALL
> There the "security" went out of the building ...
> Please have a look here:
> https://blather.michaelwlucas.com/archives/2266

It does not matter really ( though it is really nice lecture about sudo
), because it is personal machine. Settings like that on personal
machine are really fine. 

> > 
> >  #includedir /etc/sudoers.d
> > 
> > In /etc/sudoers.d there are no more files than README.
> > 

Re: How to gain control over the system? [a security-side-note]

[Eike Lantzsch]

On Sunday, 9 July 2017 14:54:02 -04 Kaj Persson wrote:
> Thank you all for thoughts and viewpoints on what can be wrong in my
> installation of Debian 9. I have looked through places I might expect
> can contain some explanation, but so far I have not been able to exclaim
> an "Ah, that's it!". Here are some of my observations:
> 
> * First source of install: Well, I do know I wrote that used the live
> image, but to be honest, for now I am not sure, I do not remember. I had
> downloaded the live image as well as the install image, and most
> probable choice would be the later. But I do not know. Anyway the
> install process itself went without any problems.
> 
> * At the install I made it fully new from the bottom. The only directory
> I kept unchanged was my home directory. This is situated on an own
> partition. All the others were reformatted: /, /boot, /usr, /var and
> /tmp. All these are on individual partitions while e.g. /etc is
> contained in the root partition. At earlier installations I have noticed
> that the home directory can contain wrong configuration files, so as a
> test I moved all hidden files i.e. files starting with a dot to a new
> created directory "hidden". This was however after the install. So at a
> subsequent cold start the system had no configuration files there but
> created new ones with default values. This however had no positive
> impact on my problem.
> 
> * Configuring sudo? No I have not done that explicitly, not more than
> what the install program did itself. I have looked at /etc/sudoers and
> what I think the important lines are:
> 
>  # User privilege specification
>  rootALL=(ALL:ALL) ALL
> 
>  # Allow members of group sudo to execute any command
>  %sudo   ALL=(ALL:ALL) ALL
There the "security" went out of the building ...
Please have a look here:
https://blather.michaelwlucas.com/archives/2266
> 
>  #includedir /etc/sudoers.d
> 
> In /etc/sudoers.d there are no more files than README.
> 
> There is no /etc/sudo.conf file.
> 
> * Regarding access to my user directory: During my search I did in fact
> find some files and directories owned by user root or group root. These
> are changed to be owned by my user id and group id, but this did not
> help. By the way, On this computer I have always had just one user,
> mine, and hence got the user id 1000 and group id 1000. This is the case
> now too.
> 
> uid 1000 is a member of the sudo group.
> 
> * As I wrote I have always used this method of not setting any password
> to the root account, and this is for quite many years now. My Linux path
> has gone via Ubuntu, well to be honest a couple of years after the
> Microsoft era I ran in Suse, but was not fully satisfied. And when
> Ubuntu and Canonical introduced Unity, I left that ship for Linux Mint
> Debian edition (LMDE) until I took the last(?) step into Debian a couple
> of years ago where the entrance point was jessie. The empty root
> password has always worked fine until now. Possibly Ubuntu has patched
> the sudologin but should LMDE? And jessie? I do not think so.
> 
I didn't try this myself (didn't ever have to) but this might help for now:
https://unix.stackexchange.com/questions/205799/how-to-create-root-user-account-in-debian
> 
> Hope someone can find something significant in this and give a hint on
> what to do.
I'd first try to go through the installation with the netinstall and without 
reusing any home partition in a virtual machine. See if the problem is there 
too.
If yes: place a bug-report.
If not: take a snapshot for later
put back the home partition, see if the problem is there or not.
If yes: restore the snapshot. And start putting back the config files for LMDE.
...
gradually testing out what can be reused and what not.
...
on second thought: I wouldn't invest the time ...
If the install in the virtual machine is doing allright, I'd just do the exact 
same install on the real hardware and be happy.
Have a nice day
Eike

Re: How to gain control over the system?

[Kaj Persson]

Thank you all for thoughts and viewpoints on what can be wrong in my 
installation of Debian 9. I have looked through places I might expect 
can contain some explanation, but so far I have not been able to exclaim 
an "Ah, that's it!". Here are some of my observations:


* First source of install: Well, I do know I wrote that used the live 
image, but to be honest, for now I am not sure, I do not remember. I had 
downloaded the live image as well as the install image, and most 
probable choice would be the later. But I do not know. Anyway the 
install process itself went without any problems.


* At the install I made it fully new from the bottom. The only directory 
I kept unchanged was my home directory. This is situated on an own 
partition. All the others were reformatted: /, /boot, /usr, /var and 
/tmp. All these are on individual partitions while e.g. /etc is 
contained in the root partition. At earlier installations I have noticed 
that the home directory can contain wrong configuration files, so as a 
test I moved all hidden files i.e. files starting with a dot to a new 
created directory "hidden". This was however after the install. So at a 
subsequent cold start the system had no configuration files there but 
created new ones with default values. This however had no positive 
impact on my problem.


* Configuring sudo? No I have not done that explicitly, not more than 
what the install program did itself. I have looked at /etc/sudoers and 
what I think the important lines are:


# User privilege specification
rootALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

#includedir /etc/sudoers.d

In /etc/sudoers.d there are no more files than README.

There is no /etc/sudo.conf file.

* Regarding access to my user directory: During my search I did in fact 
find some files and directories owned by user root or group root. These 
are changed to be owned by my user id and group id, but this did not 
help. By the way, On this computer I have always had just one user, 
mine, and hence got the user id 1000 and group id 1000. This is the case 
now too.


uid 1000 is a member of the sudo group.

* As I wrote I have always used this method of not setting any password 
to the root account, and this is for quite many years now. My Linux path 
has gone via Ubuntu, well to be honest a couple of years after the 
Microsoft era I ran in Suse, but was not fully satisfied. And when 
Ubuntu and Canonical introduced Unity, I left that ship for Linux Mint 
Debian edition (LMDE) until I took the last(?) step into Debian a couple 
of years ago where the entrance point was jessie. The empty root 
password has always worked fine until now. Possibly Ubuntu has patched 
the sudologin but should LMDE? And jessie? I do not think so.



Hope someone can find something significant in this and give a hint on 
what to do.


Kaj

Re: How to gain control over the system?

[Richard Owlett]

On 07/09/2017 05:08 AM, Fungi4All wrote:

From: david...@freevolt.org
To: debian-user@lists.debian.org
As they say[1],[2],[3], do not use a live image for installs.
1. https://lists.debian.org/debian-user/2017/06/msg00723.html
2. https://lists.debian.org/debian-user/2017/06/msg00740.html
3. https://lists.debian.org/debian-user/2017/06/msg00755.html


My experience with live images is that they include the installer and
a live image. The gui within the live system most usually runs into
errors, while the installer from the initial grub-like menu works just like the
netinstall system. I suspect the installer without booting the live
system has maximum resources available, while the live system
even as idle requires 15-20% of resources to run the installation
gui.



I see you can't be bothered reading relevant info before posting.
There *WAS* a bug in the live version of 9.0.
It was fixed in a 9.01 release of the live edition.

Re: How to gain control over the system?

[Fungi4All]

> From: david...@freevolt.org
> To: debian-user@lists.debian.org
> As they say[1],[2],[3], do not use a live image for installs.
> 1. https://lists.debian.org/debian-user/2017/06/msg00723.html
> 2. https://lists.debian.org/debian-user/2017/06/msg00740.html
> 3. https://lists.debian.org/debian-user/2017/06/msg00755.html

My experience with live images is that they include the installer and
a live image. The gui within the live system most usually runs into
errors, while the installer from the initial grub-like menu works just like the
netinstall system. I suspect the installer without booting the live
system has maximum resources available, while the live system
even as idle requires 15-20% of resources to run the installation
gui.

Re: How to gain control over the system?

[Dejan Jocic]

On 09-07-17, Anders Andersson wrote:
> On Sun, Jul 9, 2017 at 12:51 AM, Fungi4All  wrote:
> 
> > On Sat, 2017-07-08 at 23:57 +0200, Kaj Persson wrote:
> >
> > > But now I discovered an issue, I cannot manage my desktop. I have
> > > always at the previous installations, and they are quite many now, been
> > > advised to, for security reason, leave the root password unset, which
> > causes
> > > the root account go passive, and for all tasks where I need root
> > > authority I  go via su/sudo.
> >
> >
> > It is a bad idea despite of what security gurus may advise.  You may lose
> > your system
> > and never get it back.
> >
> 
> 
> It's an even worse idea to listen to people on the internet who ignore
> "security gurus" based on rumours. You can easily restore or change the
> root password if it's lost or unset.

Leaving root password unassigned for "security" reasons is silly.
Heaving, or not heaving root account assigned does not make your system
any more secure. For some things you do need root account. Those systems
that use sudo only approach ( read Ubuntu and derivates ) have sulogin
patched to allow single user mode, for example. And it is made so on
Ubuntu out of fear that new users attracted to Linux will mess up things
more if they have access to root account. Not that it stopped people to
be people and to mess things up equally successful with sudo account. As
for those "security gurus", who are they? Real gurus? Or just people
repeating what they've read somewhere with little to no understanding
what they've read?

Re: How to gain control over the system?

[Anders Andersson]

On Sun, Jul 9, 2017 at 12:51 AM, Fungi4All  wrote:

> On Sat, 2017-07-08 at 23:57 +0200, Kaj Persson wrote:
>
> > But now I discovered an issue, I cannot manage my desktop. I have
> > always at the previous installations, and they are quite many now, been
> > advised to, for security reason, leave the root password unset, which
> causes
> > the root account go passive, and for all tasks where I need root
> > authority I  go via su/sudo.
>
>
> It is a bad idea despite of what security gurus may advise.  You may lose
> your system
> and never get it back.
>


It's an even worse idea to listen to people on the internet who ignore
"security gurus" based on rumours. You can easily restore or change the
root password if it's lost or unset.

Re: How to gain control over the system?

[davidson]

On Sat, 8 Jul 2017, Kaj Persson wrote:


Hi all,

Anyone having an idea how to get back the command over my desktop,
including the panels? Until two weeks ago I ran Debian 8 ("jessie"),
but after a unsuccessful clean-up operation the whole system became
totally corrupted, and I decided to to a complete new install of the
new Debian 9 ("stretch") and Mate (which I was using in jessie
too). I was using the live DVD put on a memory stick.


As they say[1],[2],[3], do not use a live image for installs.

1. https://lists.debian.org/debian-user/2017/06/msg00723.html
2. https://lists.debian.org/debian-user/2017/06/msg00740.html
3. https://lists.debian.org/debian-user/2017/06/msg00755.html

--
"Jesus! Where will it end? How low do you have to stoop in this country to be 
President?"
Hunter S Thompson, 1972

Re: How to gain control over the system?

[Fungi4All]

> From: oflam...@gmail.com
> To: Kaj Persson <70147pers...@telia.com>, debian-user@lists.debian.org
> Did you remember to reconfigure sudo? What Desktop Environment are you
> using?

He said Mate

> On Sat, 2017-07-08 at 23:57 +0200, Kaj Persson wrote:
>> But now I discovered an issue, I cannot manage my desktop. I have
>> always at the previous installations, and they are quite many now, been
>> advised to, for security reason, leave the root password unset, which causes
>> the root account go passive, and for all tasks where I need root
>> authority I go via su/sudo.

It is a bad idea despite of what security gurus may advise. You may lose your 
system
and never get it back.

>> But I cannot control the panels, I have two of them, one on
>> top
>>

A user should not need sudo rights to edit the conf files in the desktop.
It is all stored in the /home/*user* subdirectory, while as root your home
is /root. Chances are the access rights in your home directory have been
restricted, so you need to give yourself as a user the rights back.
As a su you should not be able to alter the /home/user directories.
What I suspect you've done is copy the /home from an old system
which transfered the rights of that system and from a different user.
Let's say in that system your username was mate99 and so it is in the
new system. But the user id in that system was user 1003 and now
you are user 1001. 1001 will not be able to adjust conf. files for user
1003. If you open the filemanager and your desktop folder is owned
by a user 1003 (or some number) then you need to switch the rights
of all your home/user stuff to be owned by mate99

Re: How to gain control over the system?

[Oflameo]

Did you remember to reconfigure sudo? What Desktop Environment are you
using?

On Sat, 2017-07-08 at 23:57 +0200, Kaj Persson wrote:
> Hi all,
> 
> Anyone having an idea how to get back the command over my desktop, 
> including the panels? Until two weeks ago I ran Debian 8 ("jessie"),
> but 
> after a unsuccessful clean-up operation the whole system became
> totally 
> corrupted, and I decided to to a complete new install of the new
> Debian 
> 9 ("stretch") and Mate (which I was using in jessie too). I was
> using 
> the live DVD put on a memory stick. All went fine, and the system 
> started without problems. I was happy to notice that I could now use
> the 
> Nouveau driver for the screen. Until now I have had to use the
> nVidia 
> driver certainly without problems, but it is good being able to use
> free 
> software.
> 
> But now I discovered an issue, I cannot manage my desktop. I have
> always 
> at the previous installations, and they are quite many now, been
> advised 
> to, for security reason, leave the root password unset, which causes
> the 
> root account go passive, and for all tasks where I need root
> authority I 
> go via su/sudo. It has always worked fine, and this using su/sudo
> still 
> does. But I cannot control the panels, I have two of them, one on
> top 
> intended for icons of my most used programs, as a kind of favourite 
> menu, and one at bottom where the active programmes appear as
> buttons. 
> The bottom panel is working mostly as I want, but I cannot add new
> apps 
> to it, e.g. the window switch, I used to have. And I cannot add the 
> program icons to top panel. Via a right click on a program menu item
> I 
> have the option "Put this to the panel" (well, possibly not the
> correct 
> words, this is a home made translation from my Swedish version),
> but, 
> when trying to select that, nothing happens.
> 
> However the related options to save icon to the desktop works fine,
> and 
> I can also sort the icons to what I find useful, but it does not
> survive 
> a cold start. All the icons come back in some kind of default order, 
> which I have not been able found out. It is at least not alphabetic.
> 
> So can someone help me get the command back, or do I have to make a
> new 
> reinstall, hoping for better luck. Possibly setting a password on
> the 
> Admin, hence activating that account, which I would prefer not having
> to.
> 
> Thank you in advance
> Kaj
> 

How to gain control over the system?

[Kaj Persson]

Hi all,

Anyone having an idea how to get back the command over my desktop, 
including the panels? Until two weeks ago I ran Debian 8 ("jessie"), but 
after a unsuccessful clean-up operation the whole system became totally 
corrupted, and I decided to to a complete new install of the new Debian 
9 ("stretch") and Mate (which I was using in jessie too). I was using 
the live DVD put on a memory stick. All went fine, and the system 
started without problems. I was happy to notice that I could now use the 
Nouveau driver for the screen. Until now I have had to use the nVidia 
driver certainly without problems, but it is good being able to use free 
software.


But now I discovered an issue, I cannot manage my desktop. I have always 
at the previous installations, and they are quite many now, been advised 
to, for security reason, leave the root password unset, which causes the 
root account go passive, and for all tasks where I need root authority I 
go via su/sudo. It has always worked fine, and this using su/sudo still 
does. But I cannot control the panels, I have two of them, one on top 
intended for icons of my most used programs, as a kind of favourite 
menu, and one at bottom where the active programmes appear as buttons. 
The bottom panel is working mostly as I want, but I cannot add new apps 
to it, e.g. the window switch, I used to have. And I cannot add the 
program icons to top panel. Via a right click on a program menu item I 
have the option "Put this to the panel" (well, possibly not the correct 
words, this is a home made translation from my Swedish version), but, 
when trying to select that, nothing happens.


However the related options to save icon to the desktop works fine, and 
I can also sort the icons to what I find useful, but it does not survive 
a cold start. All the icons come back in some kind of default order, 
which I have not been able found out. It is at least not alphabetic.


So can someone help me get the command back, or do I have to make a new 
reinstall, hoping for better luck. Possibly setting a password on the 
Admin, hence activating that account, which I would prefer not having to.


Thank you in advance
Kaj