LinuxQuestions.org
Old 12-23-2015, 01:17 PM   #1
lucky27
LQ Newbie
 
Registered: Dec 2015
Posts: 1

Rep: Reputation: Disabled
How to fix a broken sudoers file in Redhat server..without root password?


Hi,

I tried to make a small change to the sudoers file and I messed it up. Now sudo is not working; I am getting the error below. I don't have the root password. Is there a way to fix the sudoers file without the root password? Also, this is a virtual machine. Please let me know how to fix this.

sudo: >>> /etc/sudoers: syntax error near line 103 <<<
sudo: parse error in /etc/sudoers near line 103
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin
 
Old 12-23-2015, 01:34 PM   #2
joe_2000
Member
 
Registered: Jul 2012
Location: Aachen, Germany
Distribution: Void, Debian
Posts: 823

Rep: Reputation: 237
Quote:
Originally Posted by lucky27 View Post
Hi,

I tried to make a small change to the sudoers file and I messed it up. Now sudo is not working; I am getting the error below. I don't have the root password. Is there a way to fix the sudoers file without the root password? Also, this is a virtual machine. Please let me know how to fix this.

sudo: >>> /etc/sudoers: syntax error near line 103 <<<
sudo: parse error in /etc/sudoers near line 103
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin
First off: You could avoid this type of error by only editing sudoers through the visudo command.

The easiest way to fix this is from within a live system. Boot the machine from a live usb stick and fix the sudoers file. Then boot normally and you should be able to use sudo again.
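
The advice in the post above (change sudoers only after a syntax check, and repair a broken file from live media), as an added shell example that is not part of the original post. The function names, the `.bak` backup name and the `/mnt` mount point in the comments are assumptions; `visudo -c -f FILE` is the real check-only mode of visudo.

```bash
#!/usr/bin/env bash
# Added example: never let an unparsed file become the live sudoers.
# Function names and paths are illustrative, not taken from the thread.

# check_sudoers FILE -> 0 if visudo parses FILE cleanly, non-zero otherwise.
check_sudoers() {
    local file
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # -c: check only, no editor is opened; -f: check this file instead of /etc/sudoers
    visudo -c -f "$file" >/dev/null
}

# install_sudoers CANDIDATE TARGET
# Replaces TARGET with CANDIDATE only if CANDIDATE validates.
# On any failure TARGET is left exactly as it was.
install_sudoers() {
    local candidate target staged
    candidate=$1
    target=$2
    if ! check_sudoers "$candidate"; then
        echo "refusing to install: $candidate does not parse" >&2
        return 1
    fi
    # Stage next to the target so the final rename stays on one filesystem.
    staged=$(mktemp "$(dirname "$target")/.sudoers.XXXXXX") || return 1
    if cp "$candidate" "$staged" && chmod 0440 "$staged" && check_sudoers "$staged"; then
        # Keep the previous file so a bad policy change can be rolled back.
        if [ -e "$target" ]; then
            cp -pf "$target" "$target.bak"
        fi
        mv -f "$staged" "$target"
    else
        rm -f "$staged"
        return 1
    fi
}

# On the running system (as root):
#   install_sudoers /root/sudoers.new /etc/sudoers
# From live or rescue media, with the installed system mounted at /mnt (assumed):
#   check_sudoers /mnt/etc/sudoers      # non-zero while the file is still broken
#   install_sudoers /tmp/sudoers.fixed /mnt/etc/sudoers
```

Run as root, the staged copy is created root-owned and ends up with mode 0440, which is what sudo expects of its policy file.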
 
Old 12-23-2015, 01:41 PM   #3
learnin2cocatinate
Member
 
Registered: Nov 2015
Posts: 41

Rep: Reputation: Disabled
Yeah, you need to boot in single user mode. This is why it's advisable to set a root password and use visudo to edit.
 
Old 12-23-2015, 05:08 PM   #4
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 5,802

Rep: Reputation: 1379
If the drive isn't encrypted, you can also access it by booting up some live medium.
 
Old 12-23-2015, 06:40 PM   #5
yancek
LQ Guru
 
Registered: Apr 2008
Distribution: PCLinux, Slackware
Posts: 7,225

Rep: Reputation: 1350
Could you post line 103 and about ten lines prior to it from the sudoers file?
 
Old 12-23-2015, 06:57 PM   #6
Steven_G
Member
 
Registered: Dec 2015
Location: Western US
Distribution: Home spun
Posts: 142

Rep: Reputation: 67
Code:
pkexec visudo
It will let you launch the process through policy kit as your <user> and not touch sudo in the process; which means that the user password *should* still work. (I've used this trick when I fried sudo once.)

If not then w/ 103+ lines in sudoers I'm *assuming* there'd be another user on the system w/ privileges that would let them run visudo whose password you do know? If so then just use pkexec to launch the process as them.

And why don't you know your root password?
 
Old 12-23-2015, 07:12 PM   #7
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=14, FreeBSD_10{.0|.1|.2}
Posts: 4,270
Blog Entries: 1

Rep: Reputation: 2304
Quote:
Originally Posted by Steven_G View Post
Code:
pkexec visudo
It will let you launch the process through policy kit as your <user> and not touch sudo in the process; which means that the user password *should* still work. (I've used this trick when I fried sudo once.)

If not then w/ 103+ lines in sudoers I'm *assuming* there'd be another user on the system w/ privileges that would let them run visudo whose password you do know? If so then just use pkexec to launch the process as them.

And why don't you know your root password?
I don't think so. pkexec will ask for the root password, which the OP says they do not have.

Further, in general, use of pkexec depends upon polkit itself having been properly configured which is probably not the case on many (most) home or small business installs. Pkexec is not a suitable substitute for sudo.

The OP does have their own user password which would be requested by sudo, but that is the problem - sudo will not process the broken sudoers file. This also precludes use of another user account via sudo.

So the way out is to fall back to single user mode which would likely still require the root password, or boot to a live media and fix the sudoers file.
 
Old 12-23-2015, 07:26 PM   #8
Steven_G
Member
 
Registered: Dec 2015
Location: Western US
Distribution: Home spun
Posts: 142

Rep: Reputation: 67
Quote:
Originally Posted by astrogeek View Post
I don't think so. pkexec will ask for the root password, which the OP says they do not have.

Further, in general, use of pkexec depends upon polkit itself having been properly configured which is probably not the case on many (most) home or small business installs. Pkexec is not a suitable substitute for sudo.

The OP does have their own user password which would be requested by sudo, but that is the problem - sudo will not process the broken sudoers file. This also precludes use of another user account via sudo.

So the way out is to fall back to single user mode which would likely still require the root password, or boot to a live media and fix the sudoers file.
Well, I build most everything out custom from the kernel. But I don't make a ton of changes to policy kit or system permissions, and most of what I do is hardening. But, I've used the pkexec trick on a single user system where I had fried sudo to fix it. It won't auto-default to root on the ubuntu branch unless you pass it no flags.

Now, I've never touched a RHEL install in my life (and maybe that's where the dif is). But in raspbian 8 pkexec auto-defaults to a list of every user on the system and you pick one by number to launch as that user and then enter their password.
 
Old 12-23-2015, 07:33 PM   #9
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=14, FreeBSD_10{.0|.1|.2}
Posts: 4,270
Blog Entries: 1

Rep: Reputation: 2304
Quote:
Originally Posted by Steven_G View Post
Well, I build most everything out custom from the kernel. But I don't make a ton of changes to policy kit or system permissions, and most of what I do is hardening. But, I've used the pkexec trick on a single user system where I had fried sudo to fix it. It won't auto-default to root on the ubuntu branch unless you pass it no flags.

Now, I've never touched a RHEL install in my life (and maybe that's where the dif is). But in raspbian 8 pkexec auto-defaults to a list of every user on the system and you pick one by number to launch as that user and then enter their password.
pkexec visudo would seem to pass it no flags, so it might be expected to default to root - no?

But for the sake of argument let's say that is all so... how does becoming another non-root user help this situation?
 
Old 12-23-2015, 07:51 PM   #10
Steven_G
Member
 
Registered: Dec 2015
Location: Western US
Distribution: Home spun
Posts: 142

Rep: Reputation: 67
Quote:
Originally Posted by astrogeek View Post
pkexec visudo would seem to pass it no flags, so it might be expected to default to root - no?
Not necessarily. It won't on a raspbian 8 install, and I've done almost nothing to it. On that OS it will pull up a list of every user on the system on a numbered list, you enter the number, it asks for that user's password.

I have no idea how RHEL works. But I think it would be worth 5 minutes to look at the man page for the flags (if it needs the flags in RHEL) to see if there is an easy way to fix this w/o having to take the system down.

Quote:
Originally Posted by astrogeek View Post
But for the sake of argument let's say that is all so... how does becoming another non-root user help this situation?
Um, I said *assuming* there is a user on the system who has permissions to run visudo whose password you know. If neither one of those criteria is met then there's no point in trying that method. But I figure it's worth a look see. It may be a prod server that they can't take down to fix. Maybe this suggestion will save their bacon. Maybe it will waste 5 minutes of their time.

Doesn't hurt to consider alternatives. There is often more than one way to skin a cat.

--------

EDIT:

Of course running visudo is just a suggestion to add a little safety. They can always do it manually (possibly as another user). But I shied away from that b/c I'm assuming that's what got them in this pickle to begin with. But if they can't take the system down they may have no choice but to do it again.

Last edited by Steven_G; 12-23-2015 at 08:01 PM.
 
Old 12-23-2015, 09:30 PM   #11
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.9, Centos 7.3
Posts: 17,357

Rep: Reputation: 2367
You should be able to select Rescue mode by booting from the install media, then it will offer to mount the hdd in qn and you can fix that file.
 
Old 12-24-2015, 12:46 AM   #12
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=14, FreeBSD_10{.0|.1|.2}
Posts: 4,270
Blog Entries: 1

Rep: Reputation: 2304
Quote:
Originally Posted by Steven_G View Post
Not necessarily...

Um, I said *assuming* there is a user on the system who has permissions to run visudo whose password you know...

Doesn't hurt to consider alternatives. There is often more than one way to skin a cat...

Yes, necessarily. That assumption is a pretty far stretch!

First, the /etc/sudoers file would have to be writeable by non-root users and the visudo binary would have to be executable by non-root users. Additionally, /etc/ would have to be world writeable to create the required sudoers.tmp file! But even if all that were the case on a given very broken system, visudo itself would still refuse to write the file! It is a critical security application, it was designed to prevent mis-use as much as possible... try it!

And from man visudo:

Code:
DIAGNOSTICS
     ...
     /etc/sudoers.tmp: Permission denied
           You didn't run visudo as root.
     ...
You can't just say, "I want user Fred to be able to edit {xyz system config}." You have to give Fred root permission such as via sudo or root password - that is at the foundation of the Unix/Linux security model!

I would think that someone overtly obsessed with security would see even the possibility as a very big problem!

The OP got into this pickle by editing the file as root, using sudo, but not using visudo. Once the root-writeable-only file /etc/sudoers had been saved with errors they could no longer use sudo to again obtain root access to correct it.

So again, without a root password this leaves only single user mode or booting to another media as possible solutions.

I do not intend to seem argumentative, but it is important to point out incorrect or misleading posts to keep the information on LQ valid for current and future visitors. Thanks.

Last edited by astrogeek; 12-24-2015 at 01:51 AM.
 
Old 12-24-2015, 07:58 AM   #13
Steven_G
Member
 
Registered: Dec 2015
Location: Western US
Distribution: Home spun
Posts: 142

Rep: Reputation: 67
Quote:
Originally Posted by astrogeek View Post
Yes, necessarily. That assumption is a pretty far stretch!

First, the /etc/sudoers file would have to be writeable by non-root users and the visudo binary would have to be executable by non-root users. Additionally, /etc/ would have to be world writeable to create the required sudoers.tmp file! But even if all that were the case on a given very broken system, visudo itself would still refuse to write the file! It is a critical security application, it was designed to prevent mis-use as much as possible... try it!

And from man visudo:

Code:
DIAGNOSTICS
     ...
     /etc/sudoers.tmp: Permission denied
           You didn't run visudo as root.
     ...
You can't just say, "I want user Fred to be able to edit {xyz system config}." You have to give Fred root permission such as via sudo or root password - that is at the foundation of the Unix/Linux security model!

I would think that someone overtly obsessed with security would see even the possibility as a very big problem!

The OP got into this pickle by editing the file as root, using sudo, but not using visudo. Once the root-writeable-only file /etc/sudoers had been saved with errors they could no longer use sudo to again obtain root access to correct it.

So again, without a root password this leaves only single user mode or booting to another media as possible solutions.

I do not intend to seem argumentative, but it is important to point out incorrect or misleading posts to keep the information on LQ valid for current and future visitors. Thanks.
How to modify a invalid /etc/sudoers file? It throws out an error and not allowing me to edit again
 
Old 12-24-2015, 03:33 PM   #14
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=14, FreeBSD_10{.0|.1|.2}
Posts: 4,270
Blog Entries: 1

Rep: Reputation: 2304
Ignoring that this is for Ubu which has a much different root/sudo setup than the OP's Redhat distro, I suggest that you just read the page you linked - it repeats exactly the points I and others have already made here.

Quote:
...log in to the machine and run the command pkexec visudo...

Assuming you (or some other user) are authorized to run programs as root with PolicyKit, you can enter your password, and then it will run visudo as root, and you can fix your /etc/sudoers.

...

If that doesn't work--for example, if there are no users authorized to run programs as root via PolicyKit--then boot from an Ubuntu live CD (like the CD you probably used to install Ubuntu) and mount the filesystem for the installed system.
Perhaps we each think we mean the same thing but speak different languages, мой друг, and I agree it would only take a few seconds for the OP to discover if it applies to their system. Unfortunately the OP is beginning to look like just another drive-by...

Researching this afresh has had one beneficial result for myself at least - it has reminded me of all the reasons I avoid polkit and PAM (sometimes known as SCAM, Swiss Cheese Authentication Module) - ambiguity!
 
Old 12-24-2015, 03:45 PM   #15
Steven_G
Member
 
Registered: Dec 2015
Location: Western US
Distribution: Home spun
Posts: 142

Rep: Reputation: 67
My ONLY POINT is that it is valid on a lot of systems, is easy to try and if it works will save time and achieve the desired results. It will not blow up their system. It is not horrible advice. It will take almost no time to try and could even be helpful and save time.
 
  

