
Rexter
Libertas, Aequitas, Veritas
join:2002-11-17
cloud 9

Rexter

Member

Ubuntu 14.04. I did a stupid!

In the process of adding my only sudo user to another group, I removed this user from all other groups, including sudo. So now I have no users in the sudo group.

I can use recovery mode to drop into root shell, but it won't let me add a user to the sudo group. It also won't let me enable the root user from there. I'd be happy to explain the errors, but it appears to be by design. I figure I'm just barking up the wrong tree.

What is the best way to get sudo access again?

jimkyle
Btrieve Guy
Premium Member
join:2002-10-20
Oklahoma City, OK

1 recommendation

jimkyle

Premium Member

said by Rexter:

I can use recovery mode to drop into root shell, but it won't let me add a user to the sudo group. It also won't let me enable the root user from there. I'd be happy to explain the errors, but it appears to be by design. I figure I'm just barking up the wrong tree.

How are you trying to add your user to the "sudo" group? Once you are in the root shell, you should be able to open /etc/group in a text editor (either nano or vi at your preference), find the line that begins with "sudo" and then add your user name to the end of that line. Finally save the file back. That ought to be all there is to it; while you're at it you might want to put your user back into the other groups that control use of the networks, and so on. There's a reason the initial user gets added to so many groups, and it's not just for bloat...

Rexter
Libertas, Aequitas, Veritas
join:2002-11-17
cloud 9

1 edit

Rexter

Member

I was just using:

adduser {username} sudo

I was thinking back to single user mode on the Mac, and realized that Ubuntu probably mounts the file system read only when you use recovery mode to drop to root shell. That's why I was getting the errors.

mount -rw -o remount /

Then, the adduser command worked. Now I just need to figure out what other groups I used to belong to.

dumb, dumb, dumb... I hope someone else finds all this useful.

Thanks for the reply!

rchandra
Stargate Universe fan
Premium Member
join:2000-11-09
14225-2105
ARRIS ONT1000GJ4
EnGenius EAP1250

rchandra to Rexter

Premium Member

to Rexter
Worst case, you have to boot a live CD, mount the partition containing /etc, and edit the group file. Virtually any live CD either gives you a root shell or also lets you sudo, often without entering any password.

Personally, I rename sulogin to sulogin.bin, and make a new sulogin file:

#!/bin/sh
HOME=/root
export HOME
exec /bin/bash --login

That way, there's no messy root password to forget or set. Yes, it's more insecure, but by-and-large it can be defeated by simply booting from a live CD or USB anyway, so I kind of figure, what's the point? If the system upgrades the package which provides sulogin, it may obliterate my hack, but it's so simple to reproduce if I don't remember to keep a copy of it around somewhere.

If you're working with encrypted filesystems or SELinux, that may be even tougher, but I haven't used either extensively, so I can't much advise you if you do.

Bill_MI
Bill In Michigan
MVM
join:2001-01-03
Royal Oak, MI
TP-Link Archer C7
Linksys WRT54GS
Linksys WRT54G v4

Bill_MI to Rexter

MVM

to Rexter
I'm not sure if you're going to run into problems but all indications are there's more to sudo than just 1 group. I always took note of the notes (maybe someone has more details?). Maybe this is strictly the group itself?

/etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 
# Host alias specification
 
# User alias specification
 
# Cmnd alias specification
 
# User privilege specification
root ALL=(ALL:ALL) ALL
 
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
 
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
 
# See sudoers(5) for more information on "#include" directives:
 
#includedir /etc/sudoers.d
 

EDIT: BTW, this is right from Ubuntu Server 14.04.
Bill_MI

Bill_MI to Rexter

MVM

to Rexter
said by Rexter:

Now I just need to figure out what other groups I used to belong to.

I have the next best thing... A fresh install of Ubuntu-Mate 14.04 and here's my sudo user groups list. Should be a good start and nothing Mate specific.

$ sudo groups bill
bill : bill adm cdrom sudo dip plugdev lpadmin sambashare
 

Selenia
Gentoo Convert
Premium Member
join:2006-09-22
Fort Smith, AR

Selenia to Rexter

Premium Member

to Rexter
I always edited the sudoers file before I knew better than using Ubuntu and sudo. Of course, disabling sudo in Ubuntu or any distro is pretty trivial, just make sure root logins via su are allowed in Ubuntu's case (default on other distros). I firmly believe no account should have root privileges except root. Just make sure to disable direct root logins via ssh (just change sshd.conf directive for it from yes to no; su will still be possible when logged in as a user). If you must use sudo, an explanation of the proper way to configure /etc/sudoers is here: »www.digitalocean.com/com ··· d-centos If you mess up, you can always fix it via live CD despite the stern warnings in the guide.

jimkyle
Btrieve Guy
Premium Member
join:2002-10-20
Oklahoma City, OK

1 recommendation

jimkyle to Bill_MI

Premium Member

to Bill_MI
Just to explain what some of those groups listed by Bill_MI are:

cdrom = members can use the cd/dvd drive's write functions

plugdev = members can use USB ports

lpadmin = members can use printers

sambashare = members can use samba

In *buntu, once you're a member of the sudo group, you can use the GUI system menus to add groups to any user.

Selenia
Gentoo Convert
Premium Member
join:2006-09-22
Fort Smith, AR

Selenia

Premium Member

Seems like a very insecure arrangement to me.

jimkyle
Btrieve Guy
Premium Member
join:2002-10-20
Oklahoma City, OK

jimkyle

Premium Member

In the GUI under Xubuntu, few of these are joined by default. There's a list of actions with checkboxes for each action, and only the superuser (whether working as root or under sudo) is allowed to modify that list. Other *buntu flavors may deal with them differently, but in all cases group membership is controlled only by the superuser.

Of course, anyone who logs into "recovery mode" can launch a root shell, and that's totally insecure -- but physical access means no security anyway! All security measures protect against the outside world, primarily.

Enabling a direct login as root is equally insecure, depending as it does entirely on keeping the password controlled. Using sudo provides a bit finer-grained approach since some actions can be delegated without opening up everything. A "perfectly secure system" is impossible to achieve, anyway; we can only approach it and so far we're not really very close...

Rexter
Libertas, Aequitas, Veritas
join:2002-11-17
cloud 9

Rexter to Bill_MI

Member

to Bill_MI
I see what you're say'n. I didn't uninstall sudo, nor did I mess up the sudoers file. I just removed my only "admin" user from all groups, including the sudo group. Since root is disabled, this left me with an Android style OS where no one has root. All I needed was to put the "admin" user back in the proper groups. I needed to drop into root shell to do this, because adding someone to the sudo group requires root privileges, and no users on the machine had it. That's what I tried to do before my OP. From root shell, I did:

# adduser {username} sudo

But I would get an error that the passwd file could not be unlocked.

This is where I was when I posted. Then I remembered that on a Mac, when you boot into single user mode, it tells you that the file system has been mounted in read only mode, and it gives you the command to remount it, if you plan to make changes. It occurred to me that perhaps Ubuntu does the same thing:

# mount -rw -o remount /

Yes, now it works:

# adduser {username} sudo

Now I have a user that has root permissions in the sudoers file you mentioned. Then I booted normally, and added the user to each of the other groups it should be part of:

$ sudo adduser {username} {group}

All better now. Unstupified!
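The checks behind the recovery described above, as an added example that is not part of the original post: it reports whether `/` is mounted read-only (the cause of the lock error), whether any account is left in the `sudo` or `admin` group, and which of the default groups from Bill_MI's listing a user is missing. The account name `rexter`, the group `newgroup` and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Both samples are constructed.
# /proc/mounts format: device mountpoint fstype options dump pass
MOUNTS_SAMPLE='rootfs / rootfs rw 0 0
/dev/sda1 / ext4 ro,relatime,errors=remount-ro 0 0'
# /etc/group format: name:password:GID:comma-separated members
GROUP_SAMPLE='adm:x:4:syslog
cdrom:x:24:
sudo:x:27:
dip:x:30:
plugdev:x:46:
lpadmin:x:108:
sambashare:x:124:
newgroup:x:1001:rexter'
# Supplementary groups of the fresh 14.04 install quoted in the thread
DEFAULT_GROUPS='adm cdrom sudo dip plugdev lpadmin sambashare'

# root_mount_state FILE -> "ro" or "rw" for the last entry mounted on /.
# Options are compared whole, so errors=remount-ro is not mistaken for ro.
root_mount_state() {
    awk '$2 == "/" { s = "rw"; n = split($4, o, ",")
                     for (i = 1; i <= n; i++) if (o[i] == "ro") s = "ro" }
         END { print s }' "$1"
}

# admin_users FILE -> sorted members of sudo and admin, the two groups the
# quoted sudoers file grants ALL to. Empty output means nobody can sudo.
admin_users() {
    awk -F: '$1 == "sudo" || $1 == "admin" { n = split($4, m, ",")
                 for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1 }
             END { for (u in seen) print u }' "$1" | sort
}

# missing_groups USER FILE -> default groups USER is not a member of
missing_groups() {
    for g in $DEFAULT_GROUPS; do
        awk -F: -v g="$g" -v u="$1" '$1 == g { n = split($4, m, ",")
                 for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
             END { exit !found }' "$2" || echo "$g"
    done
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf '%s\n' "$MOUNTS_SAMPLE" > "$tmp/mounts"
printf '%s\n' "$GROUP_SAMPLE" > "$tmp/group"
echo "root filesystem: $(root_mount_state "$tmp/mounts")"
echo "sudo-capable users: $(admin_users "$tmp/group" | xargs)"
echo "rexter is missing: $(missing_groups rexter "$tmp/group" | xargs)"
```

On a live system the same functions can be pointed at `/proc/mounts` and `/etc/group`; an empty `admin_users` result before logging out is the lockout condition this thread started with.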
Rexter

1 edit

Rexter to Selenia

Member

to Selenia
I think this is a very fair representation:
Advantages and Disadvantages

Benefits of using sudo

Some benefits of leaving Root logins disabled by default include the following:

The Ubuntu installer has fewer questions to ask.
Users don't have to remember an extra password (i.e. the root password), which they are likely to forget (or write down so anyone can crack into their account easily).

It avoids the "I can do anything" interactive login by default (e.g. the tendency by users to login as an "Administrator" user in Microsoft Windows systems), you will be prompted for a password before major changes can happen, which should make you think about the consequences of what you are doing.

sudo adds a log entry of the command(s) run (in /var/log/auth.log). If you mess up, you can always go back and see what commands were run. It is also nice for auditing.

Every cracker trying to brute-force their way into your box will know it has an account named Root and will try that first. What they don't know is what the usernames of your other users are. Since the Root account password is locked, this attack becomes essentially meaningless, since there is no password to crack or guess in the first place.

Allows easy transfer for admin rights, in a short term or long term period, by adding and removing users from groups, while not compromising the Root account.
sudo can be setup with a much more fine-grained security policy.
The Root account password does not need to be shared with everybody who needs to perform some type of administrative task(s) on the system (see the previous bullet).
The authentication automatically expires after a short time (which can be set to as little as desired or 0); so if you walk away from the terminal after running commands as Root using sudo, you will not be leaving a Root terminal open indefinitely.

Downsides of using sudo

Although for desktops the benefits of using sudo are great, there are possible issues which need to be noted:

Redirecting the output of commands run with sudo requires a different approach. For instance consider sudo ls > /root/somefile will not work since it is the shell that tries to write to that file. You can use ls | sudo tee -a /root/somefile to append, or ls | sudo tee /root/somefile to overwrite contents. You could also pass the whole command to a shell process run under sudo to have the file written to with root permissions, such as sudo sh -c "ls > /root/somefile".
In a lot of office environments the ONLY local user on a system is Root. All other users are imported using NSS techniques such as nss-ldap. To setup a workstation, or fix it, in the case of a network failure where nss-ldap is broken, Root is required. This tends to leave the system unusable unless cracked. An extra local user, or an enabled Root password is needed here. The local user account should have its $HOME on a local disk, _not_ on NFS (or any other networked filesystem), and a .profile/.bashrc that doesn't reference any files on NFS mounts. This is usually the case for Root, but if adding a non-Root rescue account, you will have to take these precautions manually.
Alternatively, a sysadmin type account can be implemented as a local user on all systems, and granted proper sudo privileges. As explained in the benefits section above, commands can be easily tracked and audited.
help.ubuntu.com/communit ··· RootSudo

Two big ones for me are the ability to assign permissions for specific users, and the logging capabilities. I want to be able to track who did what. If my admins just su to root, I lose that capability. Secondly, how many times have you seen someone get up from the terminal, just to grab something? Be back in 30 seconds. During that 30 seconds an emergency arises, and now they've left the terminal for an extended amount of time with root shell left open. Of course there are other ways of dealing with that, but you get the point. That article above acknowledged that there are disadvantages that someone in your situation may not be able to tolerate. As you mentioned, to enable root and disable sudo, is quite trivial. For my situation, I prefer sudo. I installed it on my Fedora box, and my Debian 7 server, both of which didn't have it by default.
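The audit trail discussed above (sudo's entries in /var/log/auth.log and the loss of per-command tracking once someone opens a root shell), as an added example that is not part of the original post: it parses sudo log lines into status, user and command, then lists who opened a root shell and whose attempts were refused. The log lines, host name and user names are constructed, and the shell list `sh|bash|dash|zsh|su` is an assumption to adjust per site.

```shell
#!/bin/sh
# Added example, not from the thread. AUTH_SAMPLE is constructed, modelled on
# the lines sudo writes to /var/log/auth.log through syslog.
AUTH_SAMPLE='Mar  3 10:14:02 box sudo:   rexter : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/rexter ; USER=root ; COMMAND=/usr/sbin/adduser rexter sudo
Mar  3 10:15:01 box sudo:     bill : TTY=pts/1 ; PWD=/home/bill ; USER=root ; COMMAND=/usr/bin/groups bill
Mar  3 10:16:40 box sudo:    alice : TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/sh
Mar  3 10:17:02 box sudo:      bob : TTY=pts/3 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
Mar  3 10:18:30 box sudo:    carol : 3 incorrect password attempts ; TTY=pts/4 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Mar  3 10:19:00 box sshd[1234]: Accepted password for alice from 192.0.2.10 port 50022 ssh2'

# sudo_events FILE -> one "status<TAB>user<TAB>command" line per sudo entry.
# status: ok (command ran), denied (not in sudoers), badpass (auth failed).
sudo_events() {
    awk '/ sudo: / && /COMMAND=/ {
        rest = $0; sub(/^.* sudo: +/, "", rest)   # drop timestamp and host
        user = rest; sub(/ : .*$/, "", user)      # text before the first " : "
        cmd = substr(rest, index(rest, "COMMAND=") + 8)
        status = "ok"
        if (rest ~ /NOT in sudoers/) status = "denied"
        else if (rest ~ /incorrect password attempt/) status = "badpass"
        print status "\t" user "\t" cmd
    }' "$1"
}

# root_shells FILE -> users whose successful sudo command was a shell or su.
# Everything typed inside that shell is absent from the sudo log.
root_shells() {
    sudo_events "$1" | awk -F'\t' '$1 == "ok" {
        split($3, w, " "); n = split(w[1], p, "/")
        if (p[n] ~ /^(sh|bash|dash|zsh|su)$/) print $2 }' | sort -u
}

# refused FILE -> users with a denied or failed sudo attempt
refused() {
    sudo_events "$1" | awk -F'\t' '$1 != "ok" { print $2 }' | sort -u
}

log=$(mktemp) && trap 'rm -f "$log"' EXIT
printf '%s\n' "$AUTH_SAMPLE" > "$log"
sudo_events "$log"
echo "root shells opened by: $(root_shells "$log" | xargs)"
echo "refused: $(refused "$log" | xargs)"
```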
Rexter

Rexter to jimkyle

Member

to jimkyle
There is a way to disable the recovery root shell, but that wouldn't prevent you from doing a chroot into the system. I suppose that if you fully encrypted the entire file system, one could prevent that as well. But I agree, physical security is still key. I do virus removals on Windows boxes. People ask things like "Well how did this happen? Who did this to me, and why don't the police go after them?" When I explain, people often say, "Well if they are so smart, how are you going to fix it? Are you saying you are smarter than the bad guys?" I say "No, I'm not smarter than the bad guys, but I hold the trump card... physical access."

nwrickert
Mod
join:2004-09-04
Geneva, IL

nwrickert to Rexter

Mod

to Rexter
When using "ubuntu" (which is rare), I use "sudo" only for:

sudo sh

to get a root shell. That reduces the extent of ubuntu madness.

jimkyle
Btrieve Guy
Premium Member
join:2002-10-20
Oklahoma City, OK

1 recommendation

jimkyle

Premium Member

No need to launch an additional sub-shell. "sudo -i" does the same thing!

Sudo, itself, launches a sub-shell. Using it to launch another one simply puts you two layers down.

rolfp
no-shill zone
Premium Member
join:2011-03-27
Oakland, CA

rolfp

Premium Member

said by jimkyle:

"sudo -i" does the same thing!

For one case, in an ssh session, at least, not so much. Just trying this way, I could not run a remote instance of synaptic, whereas `sudo bash` worked for this.

rolf@hp-mint:~ > sudo -i
X11 connection rejected because of wrong authentication.
hp-mint ~ # synaptic
X11 connection rejected because of wrong authentication.
 
** (synaptic:3726): WARNING **: Could not open X display
X11 connection rejected because of wrong authentication.
X11 connection rejected because of wrong authentication.
error: XDG_RUNTIME_DIR not set in the environment.
 
(synaptic:3726): Gtk-WARNING **: cannot open display: localhost:10.0
hp-mint ~ # exit
logout
rolf@hp-mint:~ > sudo bash
hp-mint ~ # synaptic
 
** (synaptic:3762): WARNING **: Error retrieving accessibility bus address: 
org.freedesktop.DBus.Error.ServiceUnknown: 
The name org.a11y.Bus was not provided by any .service files
 
(synaptic:3762): Gtk-CRITICAL **: gtk_widget_hide: assertion 'GTK_IS_WIDGET (widget)' failed 
 



Pjr
Don't Panic
join:2005-12-11
UK

1 edit

1 recommendation

Pjr to Rexter

Member

to Rexter
IMO using sudo instils the idea that if something doesn't work as a normal user, prefixing the command with "sudo" is the proper way to go. XKCD summed it up nicely:



Alt Txt:

Proper User Policy apparently means Simon Says.


rodjames
Premium Member
join:2010-06-19

1 recommendation

rodjames to Rexter

Premium Member

to Rexter
su -
Password: ********

root@locl#

problem solved. always know your root password.

rchandra
Stargate Universe fan
Premium Member
join:2000-11-09
14225-2105
ARRIS ONT1000GJ4
EnGenius EAP1250

rchandra

Premium Member

...except for default Ubuntu installations, which disable the root user by not assigning it a password. But I like being able to log in as root, so I don't follow their default advice, and "su" will work for me at least.

And for others following along, the "-" is optional. It means that the shell is invoked with a leading "-", which is a convention for shells to indicate it's a login shell (therefore .profile, .login, or whatever login initialization file is supposed to be sourced).

rodjames
Premium Member
join:2010-06-19

rodjames

Premium Member

so what you do is the first thing you do is sudo su and passwd before anything else. stop being terse.