understanding what happens when i install software on linux


I am trying to install some software (mysql) on linux and it says I don't have permission to do so. I can run the installation command under sudo and install the software but I would like to understand what's going on.

question 1
Why can't i install the software for use by *my* account only? Why do i need to be root. I assume i need to be root due to where the software install writes files to. Can i install mysql so that it is available only to me and that the executable files are in my directories. I ask this out of interest - not because i intend to do it

question 2
If i install it as root (as i have done in the past) then how do i know what permissions different users have with mysql. I have a basic knowledge that files have read/write/execute permissions for the owner/group/all users but i'm not sure how this applies to software? I am guessing that is the executable has permissions 777 then anyone can execute it but you can also set up the software so that only users that belong to the software group can execute it. Is this correct?

quesiton 3
How do i know what groups my user account belongs to?

question 4
When mysql is installed i presume it creates a group called mysql. How do I know what users belong to that group

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Ans 1:  You got it.  You need permissions to certain folders where it is trying to write by default.  Sure root user has the permissions and not you.  You can certainly use --prefix with your install to install at non-standard locations.  I install software like that when I am making RPMs, just to check it first.  Then I destroy all files.

Ans 2:  So the binaries will be installed in standard locations where most people will have access.  If for certain commands they don't, they will have to use SUDO to use them.  Again permissions are preset during installation.  You don't need to change them.  It is also based on the user and group info of the users.  Users may be added to certain priviledged groups to buy them access without sudo.

Ans 3:
On most Linux systems you can check your info by issuing the following command

Open in new window

Ans 4:
Issue the following command:
grep mysql /etc/group

Open in new window

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Normally, the only person who can install on a system has to have administrative rights, on linux it is limited to root with the allowance for users configured/authorized to use sudo.

To install any software on linux that is outside your home directory, you have to have elevated rights.  This is where sudo comes in.Super User Do "command options".

The only users that belong to the mysql group is the mysql user.
grep mysql /etc/group will provide you with the answer:
/etc/group has the following format
groupname:x:groupID:list of members comma separated if multiple entries exist and is different from the username.

id username
Will return all the information about the username, uid, primary group, additional groups, etc.
Hugh FraserConsultantCommented:
To expand on the answers to question 2, versions of Linux that support selinux have additional finer-grained security features that provide much more control over what a user and application can/cannot do. In most cases, these features are already defined for you as part of an install using packaging tools like yum, apt, etc.. But if you chose to install manually, or to different locations, you may have to make changes in selinux rights as well.
Your Guide to Achieving IT Business Success

The IT Service Excellence Tool Kit has best practices to keep your clients happy and business booming. Inside, you’ll find everything you need to increase client satisfaction and retention, become more competitive, and increase your overall success.

andiejeAuthor Commented:
if i use --prefix to install software in my home directory does that mean only i can run it? I don't intend to do this (there is only me on my system!) i am just trying to understand

@arnold you said 'The only users that belong to the mysql group is the mysql user.' you have user as both plural and singular there so I'm not sure what you mean. What is the mysql user?
Is there one user called mysql user?

this command didn't help me on my system:

_bio@Linux-VBox:~$ grep mysql /etc/group
why are there no users in the group. SHouldn't i at least be in it?

andrea_bio@Linux-VBox:~$ id andrea_bio
uid=1000(andrea_bio) gid=1000(andrea_bio) groups=1000(andrea_bio),4(adm),20(dialout),24(cdrom),46(plugdev),111(lpadmin),119(admin),122(sambashare)

shouldn't i be in the mysql group?
andiejeAuthor Commented:
looking on the mysql website it says

If your system does not already have a user and group for mysqld to run as, you may need to create one. The following commands add the mysql group and the mysql user.

this suggests that the mysqld command runs as a particular user. I'm not familiar with that concept. I thought a user could execute a command but i did not know that commands ran as particular users. Is this just the case for mysql or for all commands
mysqld runs with mysql user and mysql group.

Typo for the plural/singular.  Must have considered providing an example where there are multiple users as members of a group versus what is displayed when the username/group are the same.

Note that your username is both the name of the user and the name of the group,
it will be redundant to have

note that your username is a member of the adm, dialout,cdrom,plugdev, etc group
if you run grep andrea_bio /etc/group you will see all the groups of which you are a member.
you do not need to be a member of a mysql group to be able to use the mysql client to access the mysql server (mysqld) since the access to the mysql data is granted via an internal username/password mechanism.

To your prior question, if you use --prefix=$HOME only you will be able to run this application.
Linux/unix have most services started by root, but they drop their privileges/rights and run with restricted user rights limited to the direct functionality of the service.
i.e. mysql user is limited to /var/lib/mysql /var/log/mysqld.log etc. such that if mysql server is compromised the scope of the access is limited to those few things.
The web server (apache/httpd) runs with rights level of nobody i.e. it can only access /var/www/html and it can only read data as long as the permissions on the file are world readable.

Selinux is another security layer.

The more exposed something is to direct attack the less rights you want that process by way of the user credentials it uses to run, to have.  the web server is on a direct attack path, such that it is running with effectively no rights on the system.
andiejeAuthor Commented:
sorry, i think i have some prior misconceptions that are confusing me:

1) are you saying there is one user in the mysql group which i mysql user?

2) do all commands run as a particular user? i think i am getting confused by the difference between commands which i might issue at the command prompt and services which are already running and all users can access. But regardless of that distinction for now do all commands run with the privileges of a particular user.

I might i have one or two quick follow up questions when i am clear on those points

andiejeAuthor Commented:
3) re this command
_bio@Linux-VBox:~$ grep mysql /etc/group

if the output has this format, groupname:x:groupID:list of members , why isn;t the mysql user in the list?
Yes, usually if the user and the group have the same name, there will not be an explicit listing of the user as a member of the group. Often in these scenarios the UID and the GID are likely the same.

Most commands run with the privileges of the user executing them.  There are commands that run with privileges of the owner (ls -l file will return -rwsr-xr-x root root this means the permission have a setUID and the command when executed will run with the file owner's privileges in the example will be root.  A similar option for setGID group permission -rwxr-sr-x root root and in this example will be root.)

Question 3, refer to response to question one.
andiejeAuthor Commented:
ok, things make a bit more sense now.

so i presume then services, like you say, are started as root, but 'drop down' and run with the privileges of a group the service has been assigned to.

Perhaps its warrants a separate question to understand how services are assigned to a group ( I imagine that occurs in the service creation process) and how services started by root drop to run with lower privileges (i imagine this is a mechanism built into the OS)

If these questions make sense and my understanding is correct i will open another question. I don't want to take advantage of your help without awarding sufficient points for your time/effort
Yes, some services continue to run as root (system authentication types), but often other service drops down:
httpd - apache or nobody depending on the system
mysql - mysql:mysql
postfix - postfix
ssh  -sshd

The common use of vendors is to use the same username as their product or comapnay name i.e. oracle database uses oracle as the user.

It is the program vendor's decision. You can modify either within the service's configuation file /etc/my.inf for mysql as an example to change what user it will use to run under.

i.e. mysql uses mysql:mysql as the group.  You can change it if you want.

The release/downgrade of privileges is part of the service code.
The process that starts as root, triggers a copy of itself to run with predefined user/group.
The parent process exits and the child with restricted rights continues to run.

I.e. each application runs with their "own" restricted user i.e. this way if one service is compromised/hacked, the exposure will be "limited" to that service.
andiejeAuthor Commented:
brilliant - one more quick thing. How do i find out about the mysql client command as
grep mysql /etc/group
tells me about the daemon and not the client command
I do not understand what you are asking?
The client is merely a means by which you connect to the server.  Other than the options the mysql client has i.e.-u --user= for username -p --password= for password -h --host= to specify a host to which you want to connect with the database which you want at the end of the line.
The database is a requirement for a user who is only setup with access to a specific database
database1 user1 with password1 is setup in the mysql.user,mysql.db  table.
user1 running mysql -u user1 -ppassword1 will be rejected because the database is missing. The login for this user requires that the username, password and database match or access will be denied by the server.
For user1, mysql -u user1 -ppassword1 database1 is the only way a connection will be established. and all the user can see are the tables and data within this database.
andiejeAuthor Commented:
i have no idea what i was trying to say there and i wrote it. Wasn't concentrating and now i can't remember!
andiejeAuthor Commented:
thanks - extremely helpful - much appreciated
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.