function f-tutorial.7 ()
{
bold ; cyan
clear
echo ; echo
echo "In Which We Become Powerful and Dangerous."
white

cat << EOPOWERSTART


This tutorial gets a bit schoolmasterly - only because I've seen people get burnt.
We have briefly met the "sudo" command already. A bit of background is in order...

There is a certain amount of controversy about this command - most of it ill informed.
Traditionally, GNU/Linux has by default used "su" as the command to gain administrative
rights. The administrative user is known as "root", since that user has control over 
all files in the system from "/" down. Originally "/" was the root user's "home"
by default - the whole filesystem was effectively "home" for the Godlike "root" user. 

The waters have been muddied, because most systems now have a dedicated
/root directory, which is a sensible idea, since even root needs some privacy and
somewhere to put files without spraying them all over the system ;-)

Actually, the "su" command does not, contrary to what some people believe, stand for
"Super User" ;-)

"su" actually means "switch user". It simply defaults to switching to the root user, unless
another user is specified.

Now, "sudo" can do similar things, but it was originally used to give fine-grained
control over which users were authorised to run what commands, or access which parts
of the system.

As you have probably guessed by now, we are about to tell you how to become a sorcerer's
apprentice. Do, please, remember what happened to the apprentice in the story...

The lecture is not quite over. We do move on to some useful information eventually ;-)

EOPOWERSTART


f-tutescape

echo
echo ; bold ; cyan
echo "Using sudo without tears."
white ; echo
cat << EOSUDOINTRO


INX is based on Ubuntu, which has removed the scary lectures that were standard fare 
for new users. One of the traditional ones popped up when "sudo" was first invoked:

"We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these two things:
   
      #1) Respect the privacy of others.
      #2) Think before you type."
      
... seemingly irrelevant for users on home systems, or single-user systems - but the point is
still worth making.


EOSUDOINTRO

bold ; cyan ; echo
echo "\"Thou Art Mortal.\""
white
cat << EOLECTURE


In Rome, a slave was assigned to stand behind the hero of conquest in his chariot, as he
passed through the streets in triumphal parade, acknowledging the plaudits of the crowd.

The slave was told to whisper in the conqueror's ear: "Thou art mortal."

I suggest that you whisper the same thing to yourself each time you become a sudo (pseudo?)
deity on your system. ;-)

If you don't, your mortality will become only too clear soon enough!

EOLECTURE

f-tutescape
echo
echo ; cyan ; bold
echo "\"Permission denied...\""
white
cat << EOPERMISSION

This sort of thing is unfamiliar to users of certain operating systems that shall remain
nameless.

"It's my system! What do you mean, 'permission denied'? I'll do as I like!" 

...and so on.

Get used to it. Permissions are your friends. There are excellent reasons for them, and changing
them should be done only with careful thought.

There are several commands used for permission setting. The common ones are:
EOPERMISSION
echo ; bold ; yellow
echo "chmod"
echo
echo "chown"
white ; echo
echo "The first one changes the \"mode\" of files and directories. The \"mode\" is a set"
echo "of symbols or numbers. For example if we type"
echo ; yellow
echo "ls -l /usr/bin/mplayer"
echo ; white
echo "we see"
echo 
ls -l /usr/bin/mplayer
cat <<EORWX

This is not too difficult to decode. For the moment we are only looking at the left.

"r" means "read"
"w" means "write"
"x" means "execute

Since mplayer is an "executable" (a program), we see some "x" symbols here.
EORWX
f-tutescape
echo
echo ; bold ; cyan
echo "Shooting Yourself in the Foot."
white ; echo
cat <<EODEMO

OK, lets see why changing permissions is to be approached carefully.
At the prompt below, type the following:

EODEMO
yellow ; bold
echo "sudo chmod -x /usr/bin/mplayer"
echo ; white
echo "Straight after that, type"
echo ; yellow
echo "mplayer"
echo ; white ; unbold
/bin/bash
echo ; bold
echo "Oops! Reverse it with"
echo ; yellow
echo "sudo chmod +x /usr/bin/mplayer"
white ; unbold ; echo
/bin/bash
bold ; echo
echo "That is a fairly unlikely error, but it illustrates the point. You can do much worse."
echo "If you find that it's awkward not having access to write in /usr/ you might"
echo "decide to just open it right up, for example. You read somewhere that mode 777 gives"
echo "all rights to everyone, and -R is recursive for sub-directories and files, so you type:"
echo ; yellow
echo "sudo chmod -R 777 /usr/"
echo ; white ; bred
echo "You just blasted a large hole in your foot ;-) In fact it would be very difficult to heal."
bblack ; echo
echo "I've seen this done on the / directory. That isn't just removing a foot - it's murdering"
echo "the system. As I said, permissions are there for excellent reasons, worked out over more"
echo "than thirty-five years of UNIX... and people wonder why chmod -R 777 breaks things?"

f-tutescape
echo
echo ; bold ; cyan
echo "So when do we get some positive stuff?"
echo ; white
echo "Patience, Grasshopper ;-)"

cat <<EOEXPLAIN

Obviously, changing permissions is extremely useful at times.

The most common use of the chmod command is to make a script executable. If we have the script
in our home directory, no "sudo" is required - "chmod +x script-name" will do fine, assuming
we don't mind the script being executable by other users.

There are three ( actually more but we are keeping it simple for now) possible positions for 
permissions - user, group, and others. The easy way to manipulate this stuff is to use
letters. If we want only the owner (user) to have, say, execution permission ( sounds horrible,
doesn't it?), we can do this:
EOEXPLAIN
echo ; bold ; yellow
echo "chmod u+x script-name"
echo ; white
cat << EOMNEMONIC

The letters are mnemonic: - u=user, g=group, o=others
Now let's look at the output of our ls -l /usr/bin/mplayer command again.

EOMNEMONIC
ls -l /usr/bin/mplayer
echo
echo "What we see is that all three positions have an \"x\" - user, group and others, left to right"
echo
echo "The owner/user and group are often the same on Ubuntu, Debian and thus INX."
echo
echo "You will have noticed that the file size and creation time are also in the output."

f-tutescape
echo ; cyan ; bold
echo
echo "Groups and Owners."
white ; echo
cat << EOG

In general, you can't write (save) to another user's directory or file. It's fairly obvious
why. After all, on a multi-user system you don't want people clobbering or altering your files.

On some systems (Ubuntu and Debian for example), permissions for users are set so that they can 
read each other's files by default, but not change them. Other "distributions" may be more strict,
allowing no read permissions either.

You can see your groups by typing the command "groups" - amazing, a command that makes sense!
As user "inx" you are by default in group "inx". Normally you would be the only user in that 
group. Have a look at the groups you are in:

EOG
unbold
groups
echo ; bold
cat << EODISCUSS

Notice how the system assigns you to groups like "video", "audio" and "fuse"...
This gives the administrator (you in this case) power to stop or allow others using various
programs. For example, if you were nasty you could exclude a user from the audio group,
and that user would not be able to hear sound. ;-) More sensibly, you might want to restrict
who is allowed to use the sshfs remote file sharing protocol - if so you would exclude users
from the "fuse" group, because sshfs uses fuse to do its magic.

A more significant group is the "admin" group - on Ubuntu and INX, only users in the "admin"
group are authorised to use sudo to gain root powers. 

To add a user to a group, you can type

EODISCUSS
bold ; yellow
echo "sudo adduser frida audio"
white ; echo
echo "...for example."

f-tutescape
echo ; echo
echo "The adduser command is also used to add new users like this:"
echo ; yellow
echo "sudo adduser frida"
echo ; white
echo "Which adds an account for \"frida\", including a home directory."
echo
echo "The reverse is"
echo ; yellow
echo "sudo deluser frida"
echo ; white
echo "which removes the user frida from the system, of course. It does not delete the home directory"
echo "though. That's up to you as administrator!"
echo 
echo "As with "adduser", deluser can also be used with group membership - for instance"
echo ; yellow
echo "sudo deluser frida audio"
echo ; white
echo "removes frida's audio rights. (Poor Frida!)"
echo 
echo "As you can see, all this can become quite complicated - but it also gives GNU/Linux"
echo "systems potential for great security. If some unpleasant person invaded the system,"
echo "that person would not be able to do a great deal of harm without admin permissions,"
echo "and even a \"local\" user with an account would only be able to do what the system"
echo "administrator allowed. That's the theory, anyway. People always find loopholes, but"
echo "on GNU/Linux the loopholes are usually hard to find."

f-tutescape
printf "\n\n\n"
echo "There are nicer uses for all this of course! Let's say a user wants to make a copy of a file"
echo "available to another user to alter at will." 
echo
echo "This particular file is read-write for the user, no-one else - exclusive - permissions 600 " 
echo "(rw-------). The user, however, owns the file, so he can temporarily do, say:"
echo ; yellow

echo "chmod o+r coolfile-for-frida"
echo ; white
echo "Frida can read from his home directory, so from /home/frida she can now do:"
echo ; yellow
echo "cp /home/niceguy/coolfile-for-frida . "
echo
echo "(notice the dot)"

echo ; white
echo "Frida now has a copy she can edit herself - on copying it, she gains ownership of the copy."
echo
echo "By combining group and individual permissions, various \"work groups\" can be set up."
echo "You could have an \"elite\" group that shared Truly Important Marketing Buzzwords!"
echo ; unbold
echo
echo "(Yes, I seem to have forgotten the <sarcasm> tags.)"

f-tutescape
echo ; bold ; cyan
echo "By the Numbers."
echo ; white
echo "You'll recall I ranted about \"777\" permissions. In simplified form, the numbers"
echo "look like this:"
echo ; cyan
echo "		User		Group		Others"
echo
echo "Read		 4		 4		 4		"
echo 
echo "Write		 2		 2		 2		"
echo
echo "Execute	 	 1		 1		 1		"
echo "	________________________________________________________		"
echo 
echo "		 7		 7		 7		"
echo ; white
echo
echo "Thus, adding or subtracting numbers, we see for instance that \"644\""
echo "means \"User/Owner can read and write, Group can read, Others can read\""
echo
echo "755 means Owner/User can do anything, group can read and execute, and so can others."
echo
echo "And so on... So you can see how 777 permissions undermine security - in fact, a lot"
echo "of things will simply stop working, completely, if such permissions are applied."
echo
echo "So, suppose we add the smart user \"Roid\" to the \"elite\" group..."
echo
echo "Read on..."

f-tutescape
echo ; cyan ; bold
echo "User Roid's Rise and Fall."
echo ; white

echo "Roid has been admitted to the Holy of Holies - the \"elite\" group!"
echo "/home/inx/elite has permissions 070 and ownership inx:elite. That looks like this:"
echo ; yellow ; bold
echo "$ ls -ld elite"
echo "d---rwx--- 2 inx elite 60 2007-10-31 07:14 elite"
echo ; white
echo "Remember this is an example... Hey, the elite directory is EXCLUSIVE!"
echo "Let's see what happens to Roid..."

echo ; unbold
echo "tty6:roid@inx:/home/inx$ cd elite"
echo "tty6:roid@inx:/home/inx/elite$ "

echo ; green ; bold
printf "Woohoo!" ; magenta ; printf " Roid is so..." ; green ; printf " IN!"
echo ; white
echo
echo "Sadly though, it turns out Roid doesn't quite measure up to the Elite profile..."
echo ; yellow ; bold
echo "tty1:inx@inx:~$ sudo deluser roid elite"
echo "Removing user 'roid' from group 'elite' ..."
echo "Done."
echo
echo ; white ; unbold
echo "tty6:roid@inx:/home/inx$ cd elite"
echo "bash: cd: elite: Permission denied"
echo "tty6:roid@inx:/home/inx$"
echo ; magenta ; bold
echo " :'("
echo ; white
echo "So long, Roid. Thanks for your interest... Have a nice day..." 
echo
echo "Don't slam the door on the way out."
echo ; cyan
echo "On that note, we end tutorial 7... :-) "

f-tutescape
f-tutorial
}