# What type of account should I create if I'm the only user

## kbzium

Hello,

I know that being root all the time may cause problems (you can do something terribly wrong by mistake). But not having any rights makes me mad, as I must su - whenever I need something. So what's the best configuration for you? What privileges should I add to my normal account? Wheel only? And that for sound? What about groups?

Thanks!

----------

## NeddySeagoon

kbzium,

Use root only when you need to.  Use a normal user whenever you can.

You do not need to use su - to get root when you only need it for a few commands.

```
emerge sudo
```

Now you can prefix root commands with sudo, as in

```
sudo fdisk -l /dev/sda
```

It's up to you if you make it ask for a password or not.  If you do, it has a timeout so you don't have to enter the password for every command.

If you use passwords, it wants your normal user password, not root's.

----------

## cwr

I really wouldn't run as root if I were you - it's far too easy to blow stuff away.  Use sudo, as Neddy suggests, and give yourself wheel privileges.

(There are a couple of other groups you might want to belong to, but I can't recall them - they will become apparent in normal use.)

Will

----------

## cach0rr0

add a normal user, then put yourself into these groups once you get to the point where you've installed X

```
wheel audio cdrom video games cdrw users plugdev meat
```

this should be more than sufficient. My install is a few years old now and I have not needed to add my main account to any more groups.

if I really want to do a ton of administrative stuff?

```
sudo su -
```

----------

## grunch

 *cwr wrote:*   

> I really wouldn't run as root if I were you - it's far too easy to blow stuff away.  Use sudo, as Neddy suggests, and give yourself wheel privileges.
> 
> (There are a couple of other groups you might want to belong to, but I
> ...

I'll be the third to suggest using sudo(8). I use it so much that I sometimes (though rarely) find myself using it when I don't need escalated privileges (bad habit).

Here's the list of groups for which my user ID is a member:

```
0(root), 4(adm), 7(lp), 9(kmem), 14(uucp), 18(audio), 19(cdrom), 27(video), 35(games), 60(mysql), 80(cdrw), 81(apache), 85(usb), 100(users), 103(crontab), 106(lpadmin), 250(portage), 980(vboxusers), 981(rtkit), 983(pulse-access), 985(tcpdump), 987(kvm), 988(qemu), 989(kismet), 994(wireshark), 995(realtime), 996(scanner), 997(plugdev)
```

I'm certain I don't need to be in all these groups ...

Obviously, your group numbers may be different, so use the names not the group numbers if you choose to add your user ID to any of these on your system.

----------

## 1clue

I used to put myself on as wheel first thing after every install.

Seriously, that's bad.  Anything you do, you're running it with escalated privileges and that means if you get some sort of malware that's what the malware gets too.  Ask me how I know.

Right now my sole tool of convenience is sudo, and even that requires my insanely complicated password when I use it.  It's easy enough to become root if you have to, but frankly there's not even a real reason to run a service as root most of the time.

What could you possibly be doing every day that needs special access?  If your normal user needs special access, then IMO that means you're doing something wrong.  You should be able to run your system with unmodified permissions most of the time and do whatever you need to do without more authority than a default user gets.

----------

## Odward

 *1clue wrote:*   

> I used to put myself on as wheel first thing after every install.
> 
> Seriously, that's bad.  Anything you do, you're running it with escalated privileges and that means if you get some sort of malware that's what the malware gets too.  Ask me how I know.

 

Am I misunderstanding your statement, or am I misunderstanding wheel?  I thought the wheel group only gave you the ability to su on that account.  Not 'anything you do is escalated.'

Unless you meant that you normally would su first and then proceed to daily use of your system.

After installing Gentoo I ended up adding myself to the groups that cach0rr0 listed, with the exception of 'meat' as I'm not sure what that's about.  I am in the habit of using su on the command line when something requires permissions, although perhaps sudo is better suited to the task.  I have given myself the ability to use sudo for a few commands, but pretty minimal so far.

To the OP I can agree with cach0rr0's suggestions for groups as it's been sufficient for me, although I understand your needs may differ significantly.  I su mostly for emerges and some config edits, but neither of those are daily tasks.  If you can't stand to utilize su or sudo 'ever' I don't know what to suggest =)  But besides all the wrong you can do with a single mistake as root, the same is true for what 1clue mentioned: if you're surfing the web as root and some malware runs on Linux, you just gave it root access to your box.

----------

## 1clue

Not sure what to say here.  Back when I learned it, it seemed that almost anything in /sbin or /usr/sbin was in the 'wheel' group.  Can't remember what distro, maybe redhat or slackware?  That was about 15 years ago I think.  Just did a quick google on it and current usage shows just the su command.

If wheel is just used on the su command it doesn't seem so bad, but still sudo gives a much finer control over special authority.

----------

## grunch

My understanding of group implementations on \*nix, and specifically Gentoo's use of them, is that group membership gives one the ability to perform certain tasks without other privilege escalation requirements. It has historically been applied to file access controls, and more recently to process permissions and somewhat to SELinux access controls.

I just ran the following

```
find /usr/bin /bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin -group wheel -ls
424010   48 -rwxr-x---   1 root     wheel       48264 Jan 20  2012 /usr/sbin/cron
423974   40 -rws--x---   1 root     wheel       39656 Jan 21  2012 /usr/sbin/tcptraceroute
```

and

```
sudo fgrep wheel /etc/sudoers
%wheel ALL=(ALL) ALL
```

From this, I believe that being in group 'wheel' gives a user the rights to run two commands (cron and tcptraceroute), and (in this case) run any command with root (or any other user's) privileges. Further, users in group 'wheel' will run tcptraceroute with root privileges. So if tcptraceroute has bugs that allow a user to break out of the normal execution path they may be able to do nasty things on my system. That's where SELinux would kick in and further restrict the user's actions.

And running this to find all set-group-id executables that are either owned by 'root' or in group 'root'

```
find /usr/bin /bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin -perm -g=s -ls | fgrep root
```

shows

```
822846  112 -r-xr-s--x   1 root     games      113288 Jan  9  2012 /usr/bin/gnotravex
822597  132 -r-xr-s--x   1 root     games      131584 Jan  9  2012 /usr/bin/mahjongg
792144  128 -r-xr-s--x   1 root     games      128128 Jan  9  2012 /usr/bin/glines
791929  176 -r-xr-s--x   1 root     games      177992 Jan  9  2012 /usr/bin/gnobots2
792324   20 -rwxr-s--x   1 root     mail        18720 Jan  9  2012 /usr/bin/dotlockfile
792140  160 -r-xr-s--x   1 root     games      161200 Jan  9  2012 /usr/bin/gnibbles
794000   16 -rwxr-s--x   1 root     tty         14592 Jul  9 20:30 /usr/bin/write
792139  124 -r-xr-s--x   1 root     games      124280 Jan  9  2012 /usr/bin/gnotski
786616   52 -r-xr-s--x   1 root     man         52936 Jan  9  2012 /usr/bin/man
791654  124 -r-xr-s--x   1 root     games      124728 Jan  9  2012 /usr/bin/gtali
786911   40 -rwx--s--x   1 root     locate      39352 Mar  3 20:59 /usr/bin/locate
792199   40 -rwxr-s--x   1 root     crontab     39992 Jan 20  2012 /usr/bin/crontab
792138  136 -r-xr-s--x   1 root     games      136320 Jan  9  2012 /usr/bin/gnomine
791925  152 -r-xr-s--x   1 root     games      155576 Jan  9  2012 /usr/bin/quadrapassel
396883   40 -rwx--s--x   1 root     ssmtp       39576 Jan  9  2012 /usr/sbin/ssmtp
```

From this I learned that none of my SGID executables will actually give a user root permissions.

There's much more to it than this, but I feel comfortable in reiterating that one's user ID should be in the groups for which one wants to run commands, and one should use sudo only as needed to perform tasks that require escalated privileges.

----------

## cwr

 *grunch wrote:*   

> My understanding of group implementations on \*nix, and specifically Gentoo's use of them, is that group membership gives one the ability to perform certain tasks without other privilege escalation requirements. It has historically been applied to file access controls, and more recently to process permissions and somewhat to SELinux access controls.
> 
> I just ran the following
> 
> ```
> ...

 

No, cron isn't suid root, and tcptraceroute is, so cron will be run with the privileges of whoever starts it, and tcptraceroute will be run with root privileges whoever starts it.

wheel=ALL looks dodgy to me; I'd prefer not to give wheel effectively root privileges.

Will

----------
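
The distinction cwr draws above between the two wheel-group binaries, as an added example that is not part of any post in the thread: the function reads `find ... -ls` lines and reports, per file, which identity a set-user-ID or set-group-ID bit confers and who is allowed to execute it. The sample lines are copied from grunch's listings; the function name `classify_ls` is hypothetical, and paths containing spaces are not handled.

```shell
#!/bin/sh
# Added example: classify `find ... -ls` lines by the privilege each file confers.
# Sample lines are copied from the listings quoted in the thread.
SAMPLE_LS='424010   48 -rwxr-x---   1 root     wheel       48264 Jan 20  2012 /usr/sbin/cron
423974   40 -rws--x---   1 root     wheel       39656 Jan 21  2012 /usr/sbin/tcptraceroute
786911   40 -rwx--s--x   1 root     locate      39352 Mar  3 20:59 /usr/bin/locate'

# classify_ls: read `find -ls` lines on stdin and print one line per file:
#   path|identity gained on exec|who may execute
classify_ls() {
    awk '
    NF >= 11 {
        mode = $3; owner = $5; group = $6; path = $NF
        ux = substr(mode, 4, 1)    # owner execute slot: x, s (setuid+x), S (setuid, no x)
        gx = substr(mode, 7, 1)    # group execute slot: x, s (setgid+x), S (setgid, no x)
        ox = substr(mode, 10, 1)   # other execute slot: x, t (sticky+x)

        # Without s/S the process keeps the caller identity, whatever the file owner is.
        gain = ""
        if (tolower(ux) == "s") gain = "uid=" owner
        if (tolower(gx) == "s") gain = gain (gain != "" ? "," : "") "gid=" group
        if (gain == "") gain = "none (runs as caller)"

        # The execute bits decide who can start the file at all.
        who = ""
        if (ux == "x" || ux == "s") who = "owner"
        if (gx == "x" || gx == "s") who = who (who != "" ? "+" : "") "group:" group
        if (ox == "x" || ox == "t") who = who (who != "" ? "+" : "") "others"
        if (who == "") who = "nobody"

        print path "|" gain "|" who
    }'
}

printf '%s\n' "$SAMPLE_LS" | classify_ls
```

On a live system the same function can be fed directly, for example `find /usr/bin /usr/sbin -perm /6000 -ls | classify_ls`.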

## cach0rr0

 *Odward wrote:*   

> After installing Gentoo I ended up adding myself to the groups that cach0rr0 listed, with the exception of 'meat' as I'm not sure what that's about.  I am in the habit of using su 

 

Laughing at this way harder than I probably should. The downside of me posting late at night, I suppose. I meant to remove that to avoid confusion.

'meat' is my username  :Laughing: 

```
$ id
uid=1000(meat) gid=1000(meat) groups=1000(meat),10(wheel),18(audio),19(cdrom),27(video),35(games),80(cdrw),100(users),105(plugdev)
```

----------

## PaulBredbury

 *kbzium wrote:*   

> I must su - whenever I need something.

 

In ~/.bashrc

```
alias s='su -l'
```

And include in /etc/pam.d/su

```
# Uncomment the following line to implicitly trust users in the "wheel" group.
auth        sufficient  pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth        required    pam_wheel.so use_uid
```

Then just use s, without needing to enter a password.

----------
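
What wheel membership grants depends on the local sudoers and PAM configuration, which is the point several posts above circle around. The following added example (not part of any post in the thread) reads a sudoers file and an `su` PAM stack and reports, for one group, whether sudo is limited to specific commands and whether a password is still required. The function name `group_grants`, the temporary sample files and the `%portage` rule are constructed for illustration; the `%wheel` and `pam_wheel.so` lines are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: report what membership of a group grants via sudo and su.
# Sample files below are constructed; only simple one-line "%group" rules are parsed.

# group_grants GROUP SUDOERS_FILE PAM_SU_FILE
group_grants() {
    # Active sudoers rules for %GROUP: command scope and password requirement.
    awk -v g="%$1" '
        /^[ \t]*#/ { next }
        $1 == g {
            spec = $0; sub(/^[^=]*=[ \t]*/, "", spec)   # keep the text after "HOST="
            scope = (spec ~ /(^|[ \t:,])ALL[ \t]*$/) ? "any-command" : "restricted"
            print "sudo:" scope ":" ((spec ~ /NOPASSWD:/) ? "no-password" : "password")
        }' "$2"
    # Active pam_wheel lines in the su stack that apply to GROUP.
    awk -v g="$1" '
        /^[ \t]*#/ { next }
        $1 == "auth" && /pam_wheel\.so/ {
            grp = "wheel"; trust = 0     # pam_wheel checks "wheel" unless group= is given
            for (i = 4; i <= NF; i++) {
                if ($i ~ /^group=/) grp = substr($i, 7)
                if ($i == "trust") trust = 1
            }
            if (grp == g) print "su:" $2 ":" (trust ? "no-password" : "membership-required")
        }' "$3"
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '%s\n' '# constructed sample' '%wheel ALL=(ALL) ALL' \
    '%portage ALL=(root) NOPASSWD: /usr/bin/emerge --sync' > "$SAMPLE_DIR/sudoers"
printf '%s\n' 'auth        sufficient  pam_wheel.so trust use_uid' \
    'auth        required    pam_wheel.so use_uid' \
    'auth        include     system-auth' > "$SAMPLE_DIR/su"

group_grants wheel "$SAMPLE_DIR/sudoers" "$SAMPLE_DIR/su"
```

A `su:sufficient:no-password` line means any process running as a member of that group can become root through `su` without authenticating, so the group is equivalent to root for anything that compromises the account.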

