bambuntu's questions

iptables seems to not want to block a user.

I'm using a remastered 10.04 live and Firestarter as a firewall. I've made no fundamental changes to the distro, except to update, upgrade and added this iptable line for my admin user dev:

sudo iptables -A OUTPUT -p all -m owner --uid-owner dev -j DROP

I've allowed dev, my admin, to use Firefox as another user:

gksudo -u browserUser /usr/bin/firefox

Note: The purpose of this is stop opening up browser scripts to the admin account, and instead use a clean account with no privs as a proxy.

Now, I test to see if iptables is blocking in case admin accidentally tried to connect without using another user. So I try Midori browser directly:

/usr/bin/midori

Midori launches, and connects to the internet. I'm puzzled. My iptables entry doesn't seem to work.

I added the same line I remastered with:

sudo iptables -A OUTPUT -p all -m owner --uid-owner dev -j DROP

I still am not blocked. So, I try reseting the tables:

sudo /etc/init.d/networking restart

I get output:

 * Reconfiguring network interfaces...
Ignoring unknown interface wlan0=wlan0.

I try connecting again with Midori browser, and my iptable rule is still ignored.

What's happening?

I've created some disabled accounts for the sole purpose of customizing Docky in those accounts. Each account has a set of Docky Items that represents a tool set. This should give you an idea of what I mean by a Docky Tool Set:

• Admin app tool set
• Online user app tool set
• Offline user app tool set
• Office app tool set
• Gamer app tool set, etc.

From these disabled accounts, I want the actual user to enable or disable tool sets through gksudo calls:

xhost + local:dockyAdminUser
gksudo -u dockyAdminUser /usr/bin/docky

I've already set up the accounts, but when I launch Docky this way it complains that it needs DBus and can't find it. How can I make DBus available so Docky can fire up this way?

Note: This same thing happens for Tomboy, it's won't run and complains of a dbus problem.

Note: I'm not looking for a solution that suggests I don't launch Docky as another user. There is more than one reason that I must launch Docky as another user. But I kept those reasons out in order to keep the question clearer.*

How do you send the output of an upstart script to a terminal so to find tracebacks in python code? It's taking me for ever to do things without trace-backs that used to take just a second. I'm having to place several file write calls to track down errors. What took second to find before with a traceback is turning in to several minutes minutes. This is miserable. This has been going on for a few weeks now and I'm sick of it. would some speak up on this please. I feel like I'm using assembly without a debugger again.

I want to create a boot up potential which allows a different upstart/runlevel configurations to load based upon specific key downs at boot (or combos). How do I detect a key down event with an upstart script?

I'm on 10.04 if that helps.

Alternative methods to achieve the same result are acceptable, i.e., How can I use grub to do this?

To help provide more clarity, I am creating a step by step instruction based upon both answers given by Tuminoid and Lumbric. (Please help me improve this, my interpretation of Tuminoid's answer does not work.)

Note: Everyone must have a reason for doing this. To give meaning to the following two Step-by-Step Solutions, I'll describe my purpose for wanting to have upstart scripts decided at boot.

I am creating a Live DVD for surfing the Internet called Surfer. For security, I want to disable the admin account and leave a non-privileged account for surfing the web. I also want to give myself and users the ability to remaster Surfer so they can add more online apps and customise their Surfer account, then burn their own live custom Surfer iso. So I will need two boot profiles: Surfer and Remaster. One for secure online surfing, the other for remastering and development.

Lumbric's Solution

Create a Custom grub File

1. To add custom entries to grub, open this file with gedit for editing:

gksudo gedit /etc/grub.d/40_custom

You will have the right file if you see this text in it:

#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.

2. In another gedit tab, open:

/boot/grub/grub.cfg

3. In grub.cfg, look for sections that begin with:

menuentry

Choose the default entry you use for booting. If you do not know the default entry by looking at this file, then reboot and take a note of the one you pick at boot. Do not save any changes if you have to reboot to find your default entry. When you are positive of your default entry, keep note that this is the entry to use for your custom profiles.

Each menuentry section will have some corresponding set of brackets:

menuentry ...text left out... {
  ...text left out...

}

that encapsulate a few lines of text. Copy the your default entry section. Copy from the word menuentry to the closing bracket. I will need two entries, so I will paste my default entry twice.

It should look something like the following for two custom boot profile entries. (Keep in mind I took out text to make this easier to read):

#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.

menuentry ...text left out... {
    ...text left out...

}

menuentry ...text left out... {
    ...text left out...

}

4. Find your boot line by pressing ctrl + f. Type in the search field:

linux /boot

Each boot line will should be highlighted.

5. Cut and paste this text at the end of the highlighted boot line, but change the number for each entry.

boot-profile=1

After pasting, the menu entry should look similar to this:

menuentry ...text left out... {
    ...text left out...
    linux /boot/vmlinuz-2.6.35-22-generic root=UUID=66cdrfwec91-0070-32f-b666-c9f2232j23232j ro quiet splash boot-profile=1
}

menuentry ...text left out... {
    ...text left out...
    linux /boot/vmlinuz-2.6.35-22-generic root=UUID=66cdrfwec91-0070-32f-b666-c9f2232j23232j ro quiet splash boot-profile=2
}

6. Now, we will edit the line we see at boot. For the menu entry identified above, edit the text that is between the word menuentry and the first bracket. Replace with the text Surfer:

menuentry "Surfer" {
    ...text left out...
    linux /boot/vmlinuz-2.6.35-22-generic root=UUID=66cdrfwec91-0070-32f-b666-c9f2232j23232j ro quiet splash boot-profile=1
}

Do the same for Remaster entry:

menuentry "Remaster" {
    ...text left out...
    linux /boot/vmlinuz-2.6.35-22-generic root=UUID=66cdrfwec91-0070-32f-b666-c9f2232j23232j ro quiet splash boot-profile=2
}

7. Save the file 40_custom.

8. Now, update grub with this command:

sudo update-grub

Note: If you do any upgrading or installation of programs that modify your kernel, be aware of lumbric's point made in his link. How can we know if our kernel is going to be upgraded? Help me clarify how we can prevent upgrading our kernel without knowing it.

9. Reboot. When at the boot menu, look for your new entries. If you see them, things are going great so far. Choose one of your custom entries and hit enter.

10. When logged in, open up Terminal. Enter this command.

cat /proc/cmdline

Grub writes the boot line to this file. The boot line is where you added boot-profile=1 at the end. So, if you chose surfer, then it should read boot-profile=1 at the end or boot-profile=2 if you chose Remaster. If not, reread from step one and correct any logical errors.

11. Now, the script must be written that will handle the boot entry chosen from grub menu. I'm choosing to use an upstart script, because I know how to do that. The upstart will start as soon as possible, check the contents of /proc/cmdline and use that to determine our choice at the boot menu. Here is the upstart start script:

/etc/bootChoice.conf

12. Past the following text in:

task
start on startup or bootChoice

script

profile=$(cat /proc/cmdline |sed 's/.*boot-profile=\([0-9]\).*/\1/g')

case $profile in
   1)
      # Run script for Surfer Profile
      initctl emit surferboot
      ;;
   2)
      # Run script for Remaster Profile
      initctl emit remasterboot
      ;;

   *)
      echo Error
      echo "Error" > /error
      ;;
esac

end script

13. Now, a signal will be emitted based on our choice. In order to handle each signal, two files must be created. One called: surfer.conf and another called remaster.conf. Place them in /etc/init/. Their contents will be similar to this:

# surfer user boot

task
start on surferboot

script
    echo "surfer test-data" > /home/surfer/surfer
end script

We can see that when the surferboot signal is emitted, that the script above is started determined by this line: start on surferboot Place all custom boot script code between script and end script. Same thing will be done for Remaster.

I tried this, it works. Thanks Lumbric.

Tuminoid's Solution

First, we must let grub know we want to call a script. We will place the path of the script inside /etc/default/grub.

1. Open the file: /etc/default/grub.

gksudo gedit /etc/default/grub

2. Add this line at the end of the file:

init=/sbin/preinit

3. Save and exit. Then, run this command:

update-grub

Now we will create the file that we made grub aware of.

4. Create the file with gedit:

gksudo gedit /sbin/preinit

5. Paste the following text inside:

#!/bin/sh 
EVENT="startup" 
while [ /bin/true ]; do   
  echo "Select boot:"   
  echo " 1) Surfer"   
  echo " 2) Remaster"   
  echo ""   
  read selection   
  case "$selection" in 
1)   
  EVENT="surfer"   
  ;; 
2)   
  EVENT="remaster"   
  ;;
*)   
  ;;   
  esac 
done

exec /sbin/init --startup-event=$EVENT

6. Make the script executable:

chmod +x /sbin/preinit

WIP NOTE: I've tried this up to this point and it does not work. Please help improve this interpretation of the answer by pointing out where I am going wrong.

Last Section: This section unfinished. Waiting for clarity on first steps to finish.

The events above are upstart signals. If you haven't used upstart signals, they will call a script in the directory: /etc/init. So, I will make two files in /etc/init called:

/etc/init/surfer.conf

/etc/init/remaster.conf

In these files I will use bash scripts to configure each boot.

I will create at upstart /etc/gdm/custom.conf to force an auto-login if Surfer is chosen. I will also open /etc/shadow and disable remasters password.

Alternatively, I will create /etc/gdm/custom.conf for a forced auto-login to the user remaster for remastering and development.

I need to run a script as root called root.py. I need to create notifications within the script. I made a separate script specifically for the notifications called notify.py.

Here is notify.py:

import pynotify
import sys

def notify(title, message):
    n = pynotify.Notification (title,
        message,
        "notification-message-im")
    n.show()

if __name__ == '__main__':
    notify(sys.argv[1], sys.argv[2])

notify.py script works well with a user not as root:

python notify.py Title Message

But I need to call this script inside root.py, which is ran as root. It fails if I run it as root. So, I tried to for lack of better words, sign out as root by launching it as another user (I also replaced sudo with gksudo in the following):

xhost local:user
gksudo -u user notify.py Title Message

Won't work.

Any ideas?

btw: I had a similar problem with running gtk from root ran upstart scripts. Also, gvfs won't change attributes as root when as other user as sudo.

I would like to run scripts that will allow me to interact with the gui by sending windows events such as:

• button presses
• text insertion
• window closing, minimizing
• utilize an apps quick key combinations
• etc.

Is there something out there for Ubuntu that does this?

I'm using this to set passwords in a script:

usermod -p `mkpasswd -H md5 passwordText` user

I need to create an exception in my script, just in case this command fails. What file contains the encrypted password and how do I reverse the encryption so I can verify it was written to the file correctly?

Edit: I finally found the problem with the line above. The password was allowing symbols that were being interpreted as wildcards on the command line making it appear as if the command itself failed. Nonetheless, it's lead me to new things I'm glad I know now.

Before I ask the question, would someone please help stipulate the Ubuntu definition for these two seemingly identical but different terms (I've given drafts.):

Autologin - When you power up the computer, you sign directly into your account.

Passwordless Login - When you pick a user at the greeter and you are logged in without a prompt for a password.

Now, for the question. How do we change each via the command line? Is the solution the same for all currently supported releases?

And for those who would rather use the gui method, how is that done?

At the bottom of this pic is the checkbox for a passwordless login. It says:

Don't ask for password on login

How do I do this with the command line?

I need to monitor a process to find out what file it is saving it's configuration data in. I can't find the config file, but I know the process. Is there a way to log the files that a process is accessing (including spawned processes also)?

I'm writing an upstart script that has to issue several utilities to manipulate files, ls, rm, etc. Some of these commands are not being executed. If I put a timer and make the script wait, they work.

Is there a upstart variable that I can use to ensures command line utilities are fully loaded and available when my script executes?

I'm trying to increase the security of a remaster distro meant to be ran live and used online. To avoid tempting the user into:

• not changing their password
• not creating a new password, or
• using an auto login user

I'm changing the password at the gdm and creating a popup window that gives the passwords to the user to sign in.

At this point in time, this is what is what is going on:

• passwords sometimes successfully changed.
• some user passwords are changed, others not
• old passwords are never left, so if the passwords are not changed successfully, then there is a lock out, reboot needed

What can I do to the start up script to ensure the passwords are definitely changed?

password python code call, for the user manager:

os.system("usermod -p `mkpasswd -H md5 " + managerPassword + "` manager")

startup script:

# create new passwords at login

task
# the following "start on" from gdm.conf, has helped, but not solved
start on (filesystem
          and started dbus
          and (drm-device-added card0 PRIMARY_DEVICE_FOR_DISPLAY=1
               or stopped udevtrigger)) or initpasswd

script
    python /initpasswd/initpasswd-sleep.py # a little sleep has helped, not solved
    python /initpasswd/initpasswd.py # password reset script
    echo "" > /initpasswd/initpasswd.py # so it resets only once at gdm per boot
end script

I have a script that starts on desktop-session-start. The first person who logs in graphically after a boot will have this script called. I want it called once, not every time a person logs in. How do I make a script perform just once?

# one time script

start on desktop-session-start
stop on somebodystopme

script
...
end script

Is the deb installation process protected against Man In The Middle Attacks that would alter the install script?

It seems if not, then it would be possible for a Man In The Middle Attack to place code that fundamentally alters the system in the deb install script. Because all installations require root privileges, the invitation is wide open for exploits.

Would we be better off not using custom deb installing scripts as root? I know that links, shortcuts, and app directories need to be copied as root. This could be done by a script already residing on Ubuntu and shipping with Ubuntu. The deb should fit it's expected protocol. It would simply hand it places to move files from the package and appropriate shortcut creation locations, etc. It would have restrictions to never delete, rename, without explicit approval (for updating apps).

If the deb file never asked to be run as root, then an installation could never compromise fundamental parts of the system.

I would like to use ssh to access the shell of another Ubuntu computer and issue a few commands. I'm interested in how to form the shh command in the following scenarios. To keep it simple, I will not be using password protected accounts. I would like to focus primarily on command formations that establish the connection.

• Two local Ubuntu computers directly connected with an Ethernet cable:

• Two remote Ubuntu computers where each is connected via cable modem (each has it's own ip):

• Same as previous, but one is using NAT:

• Two remote Ubuntu computers, where one is connected via a cable modem and the other is connected via a wireless router:

• Two local boxes connected to the same wireless router:

Ubuntu, out of the box, has the live user signed into all tty's.

What is the purpose of this?

Why can't I sign the user out of these tty's?

In a freshly installed Ubuntu environment, my user is not signed into all the tty's. Why?

If I do sign into a tty in the installed environment, I can sign out. How is this possible compared to the live situation?

Is it possible to disable tty's? If so, how?

I want to hook the two Ubuntu computers together vie an Ethernet cable. I would like to access both via one monitor and keyboard. Is there a quick and easy way to do this?

What are my Ubuntu options?

A script that requires root privileges needs to be executed when a non-root privileged user signs in/out. How do I handle this?

I'm working on Ubuntu/Mint distro meant to be ran Live. There are multiple accounts that fall into three general groups: Admin, Internet and Security.

• Admin is obviously has the authority to do whatever.
• Internet account is for using the Internet.

The other accounts are Security accounts. Under no circumstances is any networking Internet, printer, Bluetooth, WiFi devices, etc, allowed.

What I'd like to do is remove the network drivers from the kernel, but that would disable the accounts that need Internet.

What are the lowest level way(s) to disable Internet for these security accounts? I'm looking for impossible to connect solutions.

I'm trying to create a kids account.

I'd like to create a User Account that restricts all apps by default, except a specific list of apps, i.e. firefox, Yo Frankie, Numpty Physics, etc.. Additionally, I'd like to make their entire account non-writable, with the exception that they may write if the app allows them to create a document. Of course if the app they are allowed to run needs to write logs for example, this will need to be enabled too. The intended result is they wouldn't be able to right click on the desktop and create a directory or document. They might be able to download an executable, but not execute it.

How can I do this?

I want to make it impossible for any root commands to be issued during a Live Boot session. I don't want anyone being able to sign in as root. Period!

So, is it possible to stop the sudo service? If so, would this accomplish what I'm trying to do?

I tried the three possible stop service commands below but chkconfig --list show sudo still working:

(1)

sudo stop sudo

(2)

sudo /etc/init.d/sudo stop

(3)

sudo service sudo stop