Ubuntu Precise System Administration
Users and Groups
- Note: The Unity user interface does not currently have a GUI method to modify user and group settings. For an introduction to managing users and groups from the CLI (command-line interface) see the Ubuntu Server Guide and this brief tutorial.
Manage Users and Groups with the Gnome2 GUI
- Gnome2 (the user interface for older versions of Ubuntu) included a GUI for managing users and groups. That Users and Group Management Tool from Gnome2 can be installed as part of Gnome System Tools:
sudo apt-get install gnome-system-tools
You can then launch it from Unity Dash, by pressing ALT+F2, or by creating a menu item with the command:
- Change user and group settings
- Menu -> System -> Administration -> Users and Groups
- Add New Users
- Menu -> System -> Administration -> Users and Groups -> Add
- Remove Users
- Menu -> System -> Administration -> Users and Groups -> user -> Delete
- Modify Users
- Menu -> System -> Administration -> Users and Groups -> user -> Advanced Settings
- Menu -> System -> Administration -> Users and Groups -> user -> Manage Groups
It is quite often necessary to have extra privileges to do certain tasks. These privileges are assigned to your user by belonging to certain groups. The tasks are allowed to be performed by any user belonging to the group associated with that task.
- Example: a "sudoer" is a user who can perform certain administrative tasks, such as updating the system. To become a "sudoer" a user must belong to the "sudo" group.
- Menu -> System -> Administration -> Users and Groups -> user -> Manage Groups --> sudo -> Properties -> Group Members -> user (ticked)
To become an administrator, you must belong to the adm, admin, and sudo groups. To be a virtualbox user, you must belong to the virtualbox group. To change printer settings you must belong to lpadmin. To use the cdrom, you must belong to cdrom. To use hot-pluggable devices, you must belong to plugdev. To share Samba folders (on a Windows-based network), you must belong to sambashare. To access NTFS files using the virtual filesystem fuse, you must belong to the fuse group. To use many games, you must belong to the games group. The list is long, and not always obvious.
Unfortunately, while this is the feature that gives Linux such a high-level of security, it can also take diligence to remember to add your user to certain groups. It is not uncommon for programs and functions on your system not to work merely because you don't have privileges to do so because you forgot to add your user to the appropriate group(s).
Of most importance, you must already be an administrator in order to change membership in groups. Therefore, if you create a new user and intend to give that user administrative privileges (by assigning the user to the administrative groups), you must do so from your original administrator account (the one you set up at installation) or from another administrative user account.
Timekpr (Parental controls)
- If updating, remove any prior versions:
sudo dpkg --purge timekpr
- Add the timekpr third-party repositories:
deb deb http://ppa.launchpad.net/timekpr-maintainers/ppa/ubuntu oneiric main deb-src deb http://ppa.launchpad.net/timekpr-maintainers/ppa/ubuntu oneiric main
sudo apt-get install timekpr
- When prompted which default display manager to use, select "kdm"
- K menu -> System -> Timekpr Control Panel
Web content filtering
DansGuardian provides web filtering capability, similar to NetNanny. It is useful for limiting objectionable content in publicly accessible workstations, or for filtering objectionable content for younger users. It integrates with ClamAV, and uses several criteria for filtering websites (which is difficult to modify). It is used with Tinyproxy (best for individual users) or the Squid proxy (best for a network server). Install:
sudo apt-get install dansguardian tinyproxy
sudo apt-get install dansguardian squid
See these installation instructions for setup details. In brief,
- Edit the dansguardian configuration file:
sudo nano /etc/dansguardian/dansguardian.conf
- comment out the UNCONFIGURED line:
- If using tinyproxy instead of Squid, change the proxyport to 8888:
- Reinstall dansguardian:
sudo apt-get install --reinstall dansguardian
- Set your browser to use the localhost:8080 proxy. For example, in Firefox:
- Firefox -> Edit -> Preferences -> Advanced -> Network -> Settings
- Manual proxy configuration -> HTTP proxy: localhost -> Port: 8080
- A Webmin module is available to administer settings. Also, a GUI to change Dansguardian settings called Webstrict is in development.
- A GUI for use with IPCop (based on the webmin module) is also available.
- Cron is a system daemon that runs tasks in the background according to instructions found in a crontab file. To edit the crontab file for the current user:
Tasks that normally require administrative (sudo) privileges should be added to the root user's crontab:
sudo crontab -e
- Scheduled/automated tasks (cron events) can also be edited using the GNOME schedule GUI interface.
- Menu -> System -> Administration -> Task Scheduler
- If the GNOME Schedule task scheduler is not installed, install it:
sudo apt-get install gnome-schedule
Login Menu settings
You can change the Login menu settings from the GUI interface:
- Menu -> System -> Administration -> Login Manager
You can choose an integrated theme or select individual components of the login screen/process.
Automating bootup options
StartupManager is a GUI to manage settings for Grub (Grub Legacy), Grub 2, Usplash, and Splashy.
GRUB boot manager settings
Precise comes with Grub2, a difficult boot manager to customize. (Grub2 is also known as grub-pc.) See the evolving instructions at the Ubuntu wiki or Ubuntu forums. In brief, some settings can be edited:
sudo nano /etc/default/grub sudo grub-mkconfig --output=/boot/grub/grub.cfg
Alternatively, use the command:
Grub2 background image, colors, fonts
- See this Ubuntu Forums thread.
- Any background image can be used for Grub2 by placing the image in the /boot/grub folder and then reconfiguring Grub2:
The image ought to be the same size as the Grub2 startup resolution specified in /etc/default/grub (e.g. 1024x768).
- A selection of splashimages can be installed into the /usr/share/images/grub folder:
sudo apt-get install grub2-splashimages
- One of the images can be linked to the /boot/grub folder and used as the splash image. For example:
sudo ln -s /usr/share/images/grub/Plasma-lamp.tga /boot/grub sudo update-grub
Change the default menu item
- There are several ways to change the default Grub2 menu item, but only one is reliable. The menu items in Grub2 change name and position in the list with every kernel upgrade. However, if you choose the default menu item by name, you can reliably set it as the default. For example, if you wish to boot a Windows OS as the default and the Grub 2 menu lists it as Microsoft Windows 98SE Ancient Edition (on /dev/sda1) then edit /etc/default/grub:
sudo kate /etc/default/grub
and change the entry to resemble:
GRUB_DEFAULT="Microsoft Windows 98SE Ancient Edition (on /dev/sda1)"
then regenerate the Grub2 config file:
To find out the names of the menu items, use:
sudo grep menuentry /boot/grub/grub.cfg
- Note: There is a bug in Grub2 v.1.99 such that if the GRUB_DEFAULT option is used, the Grub2 menu can not be entered (for manually selecting a menu item). If the default option is a non-Linux OS, there will then be no way start a Linux OS (and therefore no way to subsequently change the /etc/default/grub configuration file). Use this option with great care.
Protecting Grub2 from cracking
- See this section of the Grub Manual for important information on securing Grub2.
- To add password protection, in the /etc/grub.d/40_custom configuration file, add the lines:
set superusers="user1" #password_pbkdf2 user1 grub.pbkdf2.sha512.10000.biglongstring password user1 insecurecleartextpassword
and change your password to something other than insecurecleartextpassword, or use the pbkdf2-encrypted method described here. You can then password-lock menu items as well. For detailed info see this blog.
The older version of GRUB ("Grub Legacy") is available, for use with a boot partition, for example. Install:
sudo apt-get install grub
- If you have multiple operating systems (OS) on your computer, you may be using the GRUB Legacy boot manager (in a boot partition, for example). You can edit the options for GRUB Legacy in the menu.lst configuration file. (See this detailed info.)
sudo nano /boot/grub/menu.lst
- (gedit can also be used instead of nano as the text editor.)
Chainloading Grub2 from Grub Legacy
- To chainload Grub2 (installed in this example with the OS in the /dev/sda7 partition) from Grub Legacy (stored in a boot partition, for example), use an entry of this format in the Grub Legacy /boot/grub/menu.lst configuration file:
title (K)Ubuntu Precise OS (chainloader) rootnoverify (hd0,6) chainloader +1
- Grub2 is erratic, however. In many situations I don't bother to chainload it at all. Instead, it is possible to bypass Grub2 entirely and load the OS directly using Grub Legacy (stored in a boot partition, for example) using an entry in /boot/grub/menu.lst of the format:
title (K)Ubuntu Oneiric OS (chainloader) rootnoverify (hd0,6) kernel /vmlinuz root=/dev/sda7 ro initrd /initrd.img
- My old method for chainloading Grub2 (installed in this example in the /dev/sda7 partition) from Grub Legacy used an entry in the Grub Legacy configuration file (/boot/grub/menu.lst) with this format:
title (K)Ubuntu Maverick OS (chainloader) rootnoverify (hd0,6) kernel /boot/grub/core.img
- This method, however, requires a current core.img to have been created with grub-mkimg (part of the grub-install process). When there are substantial changes to the partition or the kernel, the core.img must be re-created by re-installing Grub2 into the OS partition (in this example /dev/sda7 corresponds to (hd0,6) ):
sudo grub-install /dev/sda7
Protecting Grub Legacy from cracking
- See this section of the Grub Manual for important information on securing Grub Legacy.
- To add password protection, in the /boot/grub/menu.lst configuration file, uncomment (remove the hashmark) from the line:
and change your password to something other than topsecret, or use the md5-encrypted method described here. You can then password-lock menu items by adding the descriptor lock below the title of any item menu.
In previous version of ubuntu, you could choose which program to use as your default program for a specific task.
- Menu -> System -> Administration -> Default Applications
or by right-clicking on any file and choosing the "Open with Other Application..." option.
The Default Applications menu has now been removed from Ubuntu, however. For a GUI that will allow this and multiple similar Ubuntu system tweaks, install Ubuntu Tweak:
wget http://launchpad.net/ubuntu-tweak/0.5.x/0.5.8/+download/ubuntu-tweak_0.5.8-1_all.deb sudo dpkg -i ubuntu-tweak_0.5.8-1_all.deb
Kill a process
Sometimes a program (or "process") just freezes. To "kill" (or end) the program/process:
- Menu -> System -> Administration -> System Monitor -> highlight the errant process -> Kill process
From the command line:
sudo killall process
- where process is the name of the frozen program, such as firefox.
Enabling NUM LOCK On Startup
- Menu -> System -> Administration -> Keyboard & Mouse -> Keyboard ->"turn on Numlock on Startup"
Working with Menus
Create an encrypted folder
You can create a folder whose contents are encrypted. See these instructions.
Create a symlink from a file to another location
A symbolic link (also known as a symlink) is a method in Linux of referring to a file (or directory) in one location from another location. Usage:
ln -s /path/to/source /path/to/destination
If /path/to/destination requires superuser rights, then use:
sudo ln -s /path/to/source /path/to/destination
This is similar to, but more powerful than, creating Shortcuts, with which former Windows users may be familiar.
Assign a root password
To be able to log in as root directly, you must assign a root password. This can be done with:
sudo passwd root
Afterwards, you can use
to get a root prompt. You would then use the root password.
Get a root prompt without using a root password
If you have not set a root password (or don't know it), you can obtain root user privileges anyway. From the command-line Terminal:
You will use your own user password instead of a root password.
You could also get a prompt to become any other user on the computer by typing:
sudo su <username>
Use the File Manager as root
Manually Mount and Unmount a device
To manually mount a device:
replace /dev/hda with the location of the device.
To manually unmount a device:
replace /dev/hda with the location of the device.
Mounting NTFS Partitions (with read/write privileges)
Find out the name of your ntfs partition:
sudo fdisk -l
Method 1: In this example, the NTFS drive is listed by fdisk as /dev/sda2, but yours may differ.
Make a mount point for the drive:
sudo mkdir /media/WindowsNTFS
sudo nano /etc/fstab
Comment out the automatically added lines by Ubuntu installation:
#/dev/sda2 auto nouser,atime,noauto,rw,nodev,noexec,nosuid 0 0 #/dev/sda2 /mnt auto user,atime,noauto,rw,nodev,noexec,nosuid 0 0
and instead add the line:
/dev/sda2 /media/WindowsNTFS ntfs-3g quiet,defaults,rw 0 0
In this example, I indicated that the file system was an ntfs-3g filesystem, so did not use the auto option (which detects the filesystem automatically). I used rw to specify read/write privileges for all users, but umask=0 and umask=000 are accepted by some kernels.
Method 2: Edit fstab:
sudo nano /etc/fstab
When Ubuntu installation finishes, it mounts all ntfs partitions automatically with ntfsprogs, adding a line similar to the following to fstab:
UUID=8466268666267956 /media/sda1 ntfs defaults,gid=46 0 1
Change this line to:
UUID=8466268666267956 /media/sda1 ntfs-3g defaults,nls=utf8,locale=zh_CN.UTF-8,rw,gid=46 0 1
In this example, I have a Chinese-language Windows installation on my first partition, so I set the locale parameter (locale=zh_CN.UTF-8) so that my Chinese documents can display correctly. Setting rw (same as umask=0 or umask=000) lets me read/write the partition without sudo. gid=46 specifies that the drive will belong to the group of hot-pluggable devices (plugdev) and is not necessary unless your ntfs drive is a hot-pluggable one (such as an external USB drive). nls=utf8 is the default and is optional for most ntfs users, but there are other options for Chinese (and other specialized character-set users).
Mounting FAT32 Partitions
Follow the above instructions, but use vfat instead of ntfs-3g.
In other words, if you have made a mount point directory /mnt/WindowsFAT32 and your FAT32 drive is /dev/sda3, then edit the /etc/fstab file to include the line:
/dev/sda3 /mnt/WindowsFAT32 vfat quiet,defaults,rw 0 0
Synchronize clock to network time server
The Network Time Protocol (NTP) allows time synchronization of your computer to time servers on the Internet.To enable it:
- Applications menu -> System Settings -> Date & Time
- Check the "Set date and time automatically" option
- Choose an ntp time server near you.