[juneau-lug] Re: How to repair sudo?

  • From: Nels Tomlinson <nels.tomlinson@xxxxxxxxx>
  • To: juneau-lug@xxxxxxxxxxxxx
  • Date: Wed, 8 Apr 2015 06:45:29 -0800

Here, between the equals signs, are the contents of the file.  Henrik, I
have attached the actual file again, also.  This is the old file, from
before I changed the sudo line to read sudo=(ALL) ALL.
Do I need a % in front of sudo?  It seems odd that visudo didn't complain,
if that's a problem.

=============
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults    env_reset
Defaults    mail_badpass
Defaults    secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
sudo    ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
===================

Nels Tomlinson
(907) 500-4802

On Tue, Apr 7, 2015 at 11:04 PM, Henrik Hudson <rhavenn@xxxxxxxxxxx> wrote:

> Seems the mailing list strips attachments. You can send it directly
> to me if you want.
>
> henrik
>
>
> --
> Henrik Hudson
> rhavenn@xxxxxxxxxxx
> -------------------------------------------------
> "There are 10 kinds of people in the world: Those
> who understand binary and those who don't..."
>
>
> On Tue, 07 Apr 2015, Nels Tomlinson wrote:
>
> > I tried the Hail Mary, but Mary didn't hail back.  It was a good thought,
> > but changing the %sudo line didn't change anything.
> > Visudo saved the edited file as sudoers.tmp without any complaints.  I then
> > did mv /etc/sudoers /etc/sudoers.old and mv /etc/sudoers.tmp /etc/sudoers.
> >
> > I have attached sudo.old.
> >
> > Nels Tomlinson
> > (907) 500-4802
> >
> > On Tue, Apr 7, 2015 at 9:09 PM, Henrik Hudson <rhavenn@xxxxxxxxxxx> wrote:
> >
> > > On Tue, 07 Apr 2015, Nels Tomlinson wrote:
> > >
> > > > Mark, user think is in the adm and sudo groups:
> > > > ==================
> > > > think@Penguin-Korora:~$ groups think
> > > > think : think adm cdrom sudo dip plugdev lpadmin sambashare
> > > > ======================
> > > >
> > > > > I tried to use sudo, then immediately looked in auth.log.  Here is the
> > > > > output from tail /var/log/auth.log:
> > > >
> > > > ================
> > > > think@Penguin-Korora:~$ sudo visudo /etc/sudoers
> > > > [sudo] password for think:
> > > > think is not in the sudoers file.  This incident will be reported.
> > > > think@Penguin-Korora:~$ tail /var/log/auth.log
> > > > > Apr  7 17:24:27 Penguin-Korora lightdm: pam_unix(lightdm:session): session opened for user think by (uid=0)
> > > > > Apr  7 17:24:27 Penguin-Korora systemd-logind[695]: Removed session c3.
> > > > > Apr  7 17:24:27 Penguin-Korora systemd-logind[695]: New session c4 of user think.
> > > > > Apr  7 17:24:27 Penguin-Korora systemd-logind[695]: Linked /tmp/.X11-unix/X1 to /run/user/1000/X11-display.
> > > > > Apr  7 17:24:27 Penguin-Korora lightdm: pam_ck_connector(lightdm:session): nox11 mode, ignoring PAM_TTY :1
> > > > > Apr  7 17:24:27 Penguin-Korora lightdm: pam_kwallet(lightdm:session): pam_sm_open_session
> > > > > Apr  7 17:24:27 Penguin-Korora lightdm: pam_kwallet(lightdm:session): pam-kwallet: final socket path: /tmp//think.socket
> > > > > Apr  7 17:24:27 Penguin-Korora gnome-keyring-daemon[5504]: couldn't set environment variable in session: The name org.gnome.SessionManager was not provided by any .service files
> > > > > Apr  7 17:24:44 Penguin-Korora polkitd(authority=local): Registered Authentication Agent for unix-session:c4 (system bus name :1.104 [/usr/lib/kde4/libexec/polkit-kde-authentication-agent-1], object path /org/kde/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
> > > > > Apr  7 17:29:50 Penguin-Korora sudo:    think : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/think ; USER=root ; COMMAND=/usr/sbin/visudo /etc/sudoers
> > > >
> > > > ========================
> > > >
> > > > > So, I'm in the adm (there is no admin group) and sudo groups, sudo group
> > > > > is in the sudoers file, but I'm not in sudoers.
> > > > >
> > > > > Henrik, I don't seem to have a /var/log/messages.  grep -R sudo /var/log/*
> > > > > didn't get me anything I could recognize as useful.  There were a bunch of
> > > > > messages from dpkg.log, but little else.
> > >
> > > Nels,
> > >
> > > If you don't have / aren't in %admin, then the %sudo is the only
> > > other group.
> > >
> > > Since sudo isn't throwing an error it thinks the
> > > sudoers file is, technically, correct.
> > >
> > > I don't know if it's a bug or something, but boot to single-user and
> > > change this:
> > > %sudo   ALL=(ALL:ALL) ALL
> > >
> > > to this:
> > > %sudo   ALL=(ALL) ALL
> > >
> > > That :ALL should let you specify a group to runas, but it should
> > > be optional. It's a hail mary :)
> > >
> > > Also, when using visudo don't supply the sudoers file to make sure
> > > that you're actually editing the right file. If possible, make a
> > > copy of the sudoers file and change the permissions so that your
> > > regular account can read it and pastebin it or email it. Assuming
> > > it's got nothing super secret in there.
> > >
> > >
> > > henrik
> > >
> > >
> > > >
> > > > Nels Tomlinson
> > > > (907) 500-4802
> > > >
> > > > > On Tue, Apr 7, 2015 at 10:14 AM, Mark Neyhart <Mark.Neyhart@xxxxxxxxx> wrote:
> > > >
> > > > > On 04/07/2015 09:56 AM, Nels Tomlinson wrote:
> > > > > > > Somehow I messed up sudo on a new computer preloaded with Kubuntu 14.04.
> > > > > > > It was a few weeks ago, and I didn't keep any notes on what I did, but I
> > > > > > > was trying to add my daughter's account to the sudoers list, and somehow no
> > > > > > > accounts are on the sudoers list any more.
> > > > > > > Both accounts are in the adm and sudo groups.  I have tried following the
> > > > > > > instructions at
> > > > > > > https://sites.google.com/site/installationubuntu/security/fix-sudo-ers-file
> > > > > > > but my sudoers file looks like the one there.
> > > > > > >
> > > > > > > I would attach the sudoers file, but I don't have access to it unless I
> > > > > > > boot to single user mode.
> > > > > >
> > > > > > I have the lines
> > > > > > root    ALL=(ALL:ALL) ALL
> > > > > >
> > > > > > %admin ALL=(ALL) ALL
> > > > > >
> > > > > > %sudo   ALL=(ALL:ALL) ALL
> > > > > > exactly as they appear in the link I mentioned above.
> > > > > >
> > > > >
> > > > > I see nothing obviously wrong with these lines.
> > > > >
> > > > > > While logged in with your daughter's account does the output of the
> > > > > > groups command show her as member of sudo and admin?
> > > > > >
> > > > > > Have you checked the permissions of the /etc/sudoers file?  My debian
> > > > > > machine shows
> > > > > # ls -l sudoers
> > > > > -r--r----- 1 root root 787 2015-02-05 11:53 sudoers
> > > > >
> > > > > Is there anything of interest in the /var/log/auth.log?
> > > > > ------------------------------------
> > > > > The Juneau Linux Users Group -- http://www.juneau-lug.org
> > > > > This is the Juneau-LUG mailing list.
> > > > > > To unsubscribe, send an e-mail to juneau-lug-request@xxxxxxxxxxxxx with
> > > > > > the word unsubscribe in the subject header.
> > > > >
> > > >
> > > >
> > > > ------------------------------------
> > > > The Juneau Linux Users Group -- http://www.juneau-lug.org
> > > > This is the Juneau-LUG mailing list.
> > > > To unsubscribe, send an e-mail to juneau-lug-request@xxxxxxxxxxxxx
> with
> > > the word unsubscribe in the subject header.
> > > ------------------------------------
> > > The Juneau Linux Users Group -- http://www.juneau-lug.org
> > > This is the Juneau-LUG mailing list.
> > > To unsubscribe, send an e-mail to juneau-lug-request@xxxxxxxxxxxxx
> with
> > > the word unsubscribe in the subject header.
> > >
> >
> >
> >
>



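
An added example, not part of the original thread: sudoers reads a first field without a leading `%` as a user name, so a line such as `sudo ALL=(ALL:ALL) ALL` is syntactically valid and is not rejected by visudo's syntax check, yet never matches members of the sudo group. The check below flags such lines; the function names, temporary file paths and the passwd/group entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. sudoers reads a first field without '%'
# as a user name, so a group written bare never matches its members.
# find_bare_groups SUDOERS PASSWD GROUP -> prints "lineno:name" for each hit.
find_bare_groups() {
    awk -F: '
        FILENAME == ARGV[1] { users[$1] = 1; next }     # passwd file
        FILENAME == ARGV[2] { groups[$1] = 1; next }    # group file
        {                                               # sudoers file
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next         # blank, comment, #include
            if (line ~ /^(Defaults|(Host|User|Runas|Cmnd)_Alias)/) next
            split(line, f, /[ \t]+/)
            n = split(f[1], names, ",")                 # user list may be a,b,c
            for (i = 1; i <= n; i++) {
                name = names[i]
                if (name ~ /^[%+#!]/) continue          # group, netgroup, id, negation
                if (name ~ /^[A-Z][A-Z0-9_]*$/) continue  # ALL or a User_Alias
                if ((name in groups) && !(name in users))
                    printf "%d:%s\n", FNR, name
            }
        }
    ' "$2" "$3" "$1"
}

# Constructed sample data: rule lines shaped like the posted file, with the
# sudo-group rule passed in as $1, plus minimal passwd/group entries that
# mirror the `groups think` output quoted in the thread.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'Defaults    env_reset' 'root    ALL=(ALL:ALL) ALL' \
        '%admin ALL=(ALL) ALL' "$1" \
        '#includedir /etc/sudoers.d' > "$d/sudoers"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'think:x:1000:1000::/home/think:/bin/bash' > "$d/passwd"
    printf '%s\n' 'root:x:0:' 'adm:x:4:think' 'sudo:x:27:think' > "$d/group"
    find_bare_groups "$d/sudoers" "$d/passwd" "$d/group"
    rm -rf "$d"
}

demo 'sudo    ALL=(ALL:ALL) ALL'
```

Run against a real system, the arguments would be a readable copy of the sudoers file plus `/etc/passwd` and `/etc/group`; a name that is both a user and a group is not flagged.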
