[juneau-lug] Re: How to repair sudo?

  • From: Henrik Hudson <rhavenn@xxxxxxxxxxx>
  • To: juneau-lug@xxxxxxxxxxxxx
  • Date: Tue, 7 Apr 2015 21:09:48 -0800

On Tue, 07 Apr 2015, Nels Tomlinson wrote:

> Mark, user think is in the adm and sudo groups:
> ==================
> think@Penguin-Korora:~$ groups think
> think : think adm cdrom sudo dip plugdev lpadmin sambashare
> ======================
> 
> I tried to use sudo, then immediately looked in auth.log.  Here is the
> output from tail /var/log/auth.log:
> 
> ================
> think@Penguin-Korora:~$ sudo visudo /etc/sudoers
> [sudo] password for think:
> think is not in the sudoers file.  This incident will be reported.
> think@Penguin-Korora:~$ tail /var/log/auth.log
> Apr  7 17:24:27 Penguin-Korora lightdm: pam_unix(lightdm:session): session
> opened for user think by (uid=0)
> Apr  7 17:24:27 Penguin-Korora systemd-logind[695]: Removed session c3.
> Apr  7 17:24:27 Penguin-Korora systemd-logind[695]: New session c4 of user
> think.
> Apr  7 17:24:27 Penguin-Korora systemd-logind[695]: Linked
> /tmp/.X11-unix/X1 to /run/user/1000/X11-display.
> Apr  7 17:24:27 Penguin-Korora lightdm: pam_ck_connector(lightdm:session):
> nox11 mode, ignoring PAM_TTY :1
> Apr  7 17:24:27 Penguin-Korora lightdm: pam_kwallet(lightdm:session):
> pam_sm_open_session
> Apr  7 17:24:27 Penguin-Korora lightdm: pam_kwallet(lightdm:session):
> pam-kwallet: final socket path: /tmp//think.socket
> Apr  7 17:24:27 Penguin-Korora gnome-keyring-daemon[5504]: couldn't set
> environment variable in session: The name org.gnome.SessionManager was not
> provided by any .service files
> Apr  7 17:24:44 Penguin-Korora polkitd(authority=local): Registered
> Authentication Agent for unix-session:c4 (system bus name :1.104
> [/usr/lib/kde4/libexec/polkit-kde-authentication-agent-1], object path
> /org/kde/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
> Apr  7 17:29:50 Penguin-Korora sudo:    think : user NOT in sudoers ;
> TTY=pts/0 ; PWD=/home/think ; USER=root ; COMMAND=/usr/sbin/visudo
> /etc/sudoers
> 
> ========================
> 
> So, I'm in the adm (there is no admin group) and sudo groups, sudo group
> is in the sudoers file, but I'm not in sudoers.
> 
> Henrik, I don't seem to have a /var/log/messages.  grep -R sudo /var/log/*
> didn't get me anything I could recognize as useful.  There were a bunch of
> messages from dpkg.log, but little else.

Nels,

If you don't have / aren't in %admin, then the %sudo is the only
other group.

Since sudo isn't throwing an error it thinks the
sudoers file is, technically, correct.

I don't know if it's a bug or something, but boot to single-user and
change this:
%sudo   ALL=(ALL:ALL) ALL

to this:
%sudo   ALL=(ALL) ALL

That :ALL should let you specify a group to runas, but it should
be optional. It's a hail mary :)

Also, when using visudo don't supply the sudoers file to make sure
that you're actually editing the right file. If possible, make a
copy of the sudoers file and change the permissions so that your
regular account can read it and pastebin it or email it. Assuming
it's got nothing super secret in there.


henrik


> 
> Nels Tomlinson
> (907) 500-4802
> 
> On Tue, Apr 7, 2015 at 10:14 AM, Mark Neyhart <Mark.Neyhart@xxxxxxxxx>
> wrote:
> 
> > On 04/07/2015 09:56 AM, Nels Tomlinson wrote:
> > > Somehow I messed up sudo on a new computer preloaded with Kubuntu 14.04.
> > > It was a few weeks ago, and I didn't keep any notes on what I did, but I
> > > was trying to add my daughter's account to the sudoers list, and somehow no
> > > accounts are on the sudoers list any more.
> > > Both accounts are in the adm and sudo groups.  I have tried following the
> > > instructions at
> > > https://sites.google.com/site/installationubuntu/security/fix-sudo-ers-file
> > > but my sudoers file looks like the one there.
> > >
> > > I would attach the sudoers file, but I don't have access to it unless I
> > > boot to single user mode.
> > >
> > > I have the lines
> > > root    ALL=(ALL:ALL) ALL
> > >
> > > %admin ALL=(ALL) ALL
> > >
> > > %sudo   ALL=(ALL:ALL) ALL
> > > exactly as they appear in the link I mentioned above.
> > >
> >
> > I see nothing obviously wrong with these lines.
> >
> > While logged in with your daughter's account does the output of the
> > groups command show her as member of sudo and admin?
> >
> > Have you checked the permissions of the /etc/sudoers file?  My debian
> > machine shows
> > # ls -l sudoers
> > -r--r----- 1 root root 787 2015-02-05 11:53 sudoers
> >
> > Is there anything of interest in the /var/log/auth.log?
> > ------------------------------------
> > The Juneau Linux Users Group -- http://www.juneau-lug.org
> > This is the Juneau-LUG mailing list.
> > To unsubscribe, send an e-mail to juneau-lug-request@xxxxxxxxxxxxx with
> > the word unsubscribe in the subject header.
> >
> 
> 
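
The check the thread does by eye, as an added example that is not part of the original messages: given a readable copy of sudoers (as suggested above), list the active rules that match a user's name or groups, and the include directives that pull in further files. The function names and the sample file are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Run it on a readable copy of sudoers.
# Limits: ignores User_Alias expansion, #uid and +netgroup entries.

# matching_rules FILE USER GROUP...
# Print "LINENO: rule" for each active rule whose first field is USER, ALL,
# or %GROUP for one of the groups given (as listed by `groups USER`).
matching_rules() {
    local file=$1 user=$2; shift 2
    local grps=" $* "
    awk -v user="$user" -v grps="$grps" '
        /^[[:space:]]*(#|$)/ { next }                       # comment, directive or blank
        /^[[:space:]]*@include/ { next }
        /^[[:space:]]*(Defaults|[A-Za-z]+_Alias)/ { next }  # settings, not rules
        {
            who = $1
            if (who == user || who == "ALL" ||
                (substr(who, 1, 1) == "%" && index(grps, " " substr(who, 2) " ")))
                print NR ": " $0
        }' "$file"
}

# include_directives FILE
# "#include" and "#includedir" look like comments but pull in more files
# (sudo 1.9.1+ also accepts "@include"); those files need the same check.
include_directives() {
    grep -nE '^[[:space:]]*[#@]include(dir)?[[:space:]]' "$1" || true
}

# Constructed sample: the %sudo rule is present but commented out.
write_sample() {
    cat > "$1" <<'EOF'
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
#%sudo   ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d
EOF
}

sample=$(mktemp)
write_sample "$sample"
echo "rules matching think:"; matching_rules "$sample" think think adm cdrom sudo
echo "included from:";        include_directives "$sample"
rm -f "$sample"
```

When several rules match, sudo applies the last one, so the final line printed is the one that decides; `visudo -c -f <copy>` checks the syntax of the same copy.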
