Old 06-10-2013, 07:05 PM   #1
nsp
Member
 
Registered: Jul 2006
Location: China
Distribution: Slackware
Posts: 68

Rep: Reputation: 15
I told someone to "chmod sudoers", then she couldn't change it back. Is this a bug?


The story is simple. Someone asked me how to let another user use "sudo". I told her to edit /etc/sudoers. Since I am an "Emacs" guy and not familiar with vi and visudo, the fatal step was that I told her to:
Code:
sudo chmod 0666 /etc/sudoers
Then she couldn't change it back, because nobody could use "sudo" anymore. She is not the root user and didn't have the password of root. I googled, and learned that the solution is to reboot the system into "recovery mode" and change it back. She couldn't reboot it because some important code is running in the background.

I never thought that Linux was so fragile: a little mistake by a normal user could cause such a big problem! I think this is a bug!

Feel free to give your comments, thanks!
 
Old 06-10-2013, 07:24 PM   #2
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,148
Blog Entries: 2

Rep: Reputation: 4886
No, this is not a bug, and no, this wasn't done as a normal user. When using sudo you effectively are root, so you have to be as careful as you would be if you had logged in directly as root.
By the way, to use a different editor with visudo you have nothing more to do than set your EDITOR environment variable. You can do that temporarily by using a construct like
Code:
EDITOR=emacs visudo
Also, there is a reason why visudo exists, namely because it checks the file for errors before it writes it to the disk. So it is never a good idea to use an editor to edit that file instead of visudo.
The real question that remains is why didn't you simply use
Code:
sudo emacs /etc/sudoers
instead of chmoding the file?

Anyways, unless the person you advised to do that has a root shell open, gets the root password or is able to reboot the machine there is no way to fix that.
 
2 members found this post helpful.
Old 06-10-2013, 09:21 PM   #3
nsp
Member
 
Registered: Jul 2006
Location: China
Distribution: Slackware
Posts: 68

Original Poster
Rep: Reputation: 15
Thank you for your reply, Tobi.

I admit that what I instructed her was a mistake. But the stupid thing is that:
1. sudo can do a change.
2. sudo can't change it back.
So I consider it as a bug.

And by the way, in my Slackware,
Code:
sudo emacs /etc/sudoers
will open it in read-only mode. I can't edit it. I am not sure about Ubuntu.

Your tip about "EDITOR=emacs" might be useful. And these sentences of yours really make sense:
Quote:
Also, there is a reason why visudo exists, namely because it checks the file for errors before it writes it to the disk. So it is never a good idea to use an editor to edit that file instead of visudo.
 
Old 06-10-2013, 10:11 PM   #4
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,780

Rep: Reputation: 2081
You can edit files as root from within a running emacs with
Code:
C-x C-f /sudo::/path/to/file RET
Quote:
Anyways, unless the person you advised to do that has a root shell open, gets the root password or is able to reboot the machine there is no way to fix that.
According to this askubuntu thread, pkexec can also work (if it's installed).
 
Old 06-11-2013, 04:39 AM   #5
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,148
Blog Entries: 2

Rep: Reputation: 4886
Quote:
Originally Posted by nsp View Post
Thank you for your reply, Tobi.

I admit that what I instructed her was a mistake. But the stupid thing is that:
1. sudo can do a change.
2. sudo can't change it back.
So I consider it as a bug.
It is not. It is a security feature. sudo is programmed in a way that the sudoers file has to have 0440 for access rights. If this is changed, the sudo program considers the sudoers file as being compromised and refuses to give anyone root access. This is a good thing, as long as sudo is used in the way it is intended.
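
The ownership and mode condition described in the post above, as an added shell example that is not part of the original thread or of sudo itself. The function names and the `want_uid` parameter are assumptions made for illustration, and the demonstration runs on a constructed scratch file rather than on /etc/sudoers:

```shell
#!/bin/sh
# Added example (not from the thread): audit a sudoers file against the rule
# described above: owned by root (uid 0) and mode 0440.
# The want_uid argument is an assumption added so the function can be tried on
# a scratch file; for the real /etc/sudoers leave it at the default of 0.
# Uses GNU stat (coreutils), as found on Ubuntu and Slackware.

audit_sudoers() {
    file=$1
    want_uid=${2:-0}
    [ -f "$file" ] || { echo "$file: not a regular file"; return 2; }
    mode=$(stat -c '%a' "$file")   # octal mode, e.g. 440 or 666
    uid=$(stat -c '%u' "$file")    # numeric owner
    status=0
    if [ "$uid" != "$want_uid" ]; then
        echo "$file: owned by uid $uid, expected $want_uid"
        status=1
    fi
    case $mode in
        440) ;;
        *[2367]) echo "$file: mode $mode is world-writable, expected 440"; status=1 ;;
        *) echo "$file: mode $mode, expected 440"; status=1 ;;
    esac
    return $status
}

# Restore the expected mode and re-check. On the real file this has to be run
# from a shell that is already root (recovery mode, single user mode, chroot).
repair_sudoers() {
    chmod 0440 "$1" && audit_sudoers "$1" "${2:-0}"
}

# Constructed demonstration on a scratch file, reproducing the chmod 0666 from
# the first post without touching /etc/sudoers.
scratch=$(mktemp)
chmod 0666 "$scratch"
audit_sudoers "$scratch" "$(id -u)" || echo "audit failed as expected"
repair_sudoers "$scratch" "$(id -u)" && echo "repaired: mode is 440 again"
rm -f "$scratch"
```

Once the mode is restored on the real file, `visudo -c` additionally checks its syntax.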
 
Old 06-11-2013, 09:05 PM   #6
nsp
Member
 
Registered: Jul 2006
Location: China
Distribution: Slackware
Posts: 68

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by ntubski View Post
You can edit files as root from within a running emacs with
Code:
C-x C-f /sudo::/path/to/file RET
This method works for a root-owned file, but not for a 0440 file.

Thank you, anyway.
 
Old 06-11-2013, 09:11 PM   #7
nsp
Member
 
Registered: Jul 2006
Location: China
Distribution: Slackware
Posts: 68

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by TobiSGD View Post
It is not. It is a security feature. sudo is programmed in a way that the sudoers file has to have 0440 for access rights. If this is changed, the sudo program considers the sudoers file as being compromised and refuses to give anyone root access. This is a good thing, as long as sudo is used in the way it is intended.
I think Linux should be very tough.
It should forbid non-root users from touching the file /etc/sudoers.
 
Old 06-11-2013, 09:41 PM   #8
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,148
Blog Entries: 2

Rep: Reputation: 4886
Quote:
Originally Posted by nsp View Post
I think linux should be very tough.
It should forbid non-root users to touch the file /etc/sudoers.
It does. But you have told that user to use sudo, which makes her root. So the file was not altered by a non-root user.
 
Old 06-12-2013, 02:29 PM   #9
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,780

Rep: Reputation: 2081
Quote:
Originally Posted by nsp View Post
This method works for a root-owned file, but not for a 0440 file.
Emacs opens the file in read-only mode but you can make the buffer editable with C-x C-q
 
1 members found this post helpful.
Old 06-13-2013, 09:34 PM   #10
tommcd
Senior Member
 
Registered: Jun 2006
Location: Philadelphia PA USA
Distribution: Lubuntu, Slackware
Posts: 2,230

Rep: Reputation: 293
Quote:
Originally Posted by nsp View Post
... I googled, and learned that the solution is to reboot the system to "recovery mode" and change it back. ...
She is not the root user and didn't have the password of root. ...
Just in case this may help, here is the method to fix the sudoers file from recovery mode:
http://psychocats.net/ubuntu/fixsudo
Note that in my experience from reading threads here on LQ, one of the best ways to break an Ubuntu system is to enable the root account, and/or to mess with the /etc/sudoers file.
I have used every version of Ubuntu since the inaugural 4.10. I have never enabled the root account on Ubuntu because I have never found any valid reason for doing it.
I also never mess with the /etc/sudoers file.
I also never have these problems.

You can elevate users to use sudo from the user accounts GUI on Ubuntu.

Last edited by tommcd; 06-13-2013 at 09:39 PM.
 
Old 06-15-2013, 06:33 AM   #11
nsp
Member
 
Registered: Jul 2006
Location: China
Distribution: Slackware
Posts: 68

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by ntubski View Post
Emacs opens the file in read-only mode but you can make the buffer editable with C-x C-q
Thank you, ntubski!

Quote:
Originally Posted by tommcd View Post
Just in case this may help, here is the method to fix the sudoers file from recovery mode:
http://psychocats.net/ubuntu/fixsudo
Note that in my experience from reading threads here on LQ, one of the best ways to break an Ubuntu system is to enable the root account, and/or to mess with the /etc/sudoers file.
I have used every version of Ubuntu since the inaugural 4.10. I have never enabled the root account on Ubuntu because I have never found any valid reason for doing it.
I also never mess with the /etc/sudoers file.
I also never have these problems.
You can elevate users to use sudo from the user accounts GUI on Ubuntu.
Thank you, tommcd!
You are right, one should not mess with the /etc/sudoers file.
 
Old 06-15-2013, 06:45 AM   #12
nsp
Member
 
Registered: Jul 2006
Location: China
Distribution: Slackware
Posts: 68

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by TobiSGD View Post
It does. But you have told that user to use sudo, which makes her root. So the file was not altered by a non-root user.
She can "sudo", but can't "su", which makes her a half-root user. A mistake in my instructions to her made a huge problem: no one can use sudo anymore. Maybe she is not a non-root user, but she isn't a root user either.

By the way, today I rebooted the system, and got into "recovery mode". Without the root password I can log in as root! Is this safe? It's convenient though.

New question: What should I do if I made the same mistake on a system without a "Recovery Mode"? (If I didn't have the root password either.) By now all I can think of is to boot the machine with another Linux system (using a live CD or a thumb-drive). Will it work? Or are there any better ways?
 
Old 06-15-2013, 08:28 AM   #13
frieza
Senior Member
 
Registered: Feb 2002
Location: harvard, il
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,233

Rep: Reputation: 406
Quote:
Originally Posted by nsp View Post
By the way, today I rebooted the system, and got into "recovery mode". Without the root password I can log in as root! Is this safe? It's convenient though.
It's only unsafe if the attacker is sitting in front of the machine; physical access trumps any and all security you place on a machine anyway, so don't sweat it. Yes, you can set a grub password, but that is only a relatively minor deterrent to a determined attacker who has stolen your machine.

Quote:
Originally Posted by nsp View Post
New question: What should I do if I made the same mistake on a system without a "Recovery Mode"? (If I didn't have the root password either.) By now all I can think of is to boot the machine with another Linux system (using a live CD or a thumb-drive). Will it work? Or are there any better ways?
ALL Linux machines have a recovery mode; whether or not it was conveniently placed in the grub menu is the only difference.
It's called single user mode and can be accessed by manually (temporarily) appending the word 'Single' to the end of the kernel line of the grub entry at boot, or, if worst comes to worst, adding
Code:
 init=/bin/bash
instead of single then at the prompt typing
Code:
# with init=/bin/bash the root filesystem is mounted read-only; remount it read-write
mount -o remount,rw /
or if that doesn't even work, boot to live media
Code:
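# run as root from the live media
mkdir /rescue
# mount the installed system's root volume on /rescue
mount /dev/sda1 /rescue
# make the kernel filesystems visible inside the chroot
for dir in proc sys dev
do
    mount --bind /$dir /rescue/$dir
done
chroot /rescue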
replacing sda1 with your root volume.
This creates an environment in which you have root control over your installed system, and if it works, can fix a non-bootable system as a last resort to having to re-install.

The above methods are exactly why physical access trumps any security.
So again, in answer to your query, there is always a recovery mode of some nature available on any Linux system, even if it isn't conveniently stuck in the boot menu for you.

Even modern Macs, which are a BSD userspace on a Mach microkernel, have single user mode; not sure if they have chroot, but that's off topic.

Last edited by frieza; 06-15-2013 at 08:30 AM.
 
1 members found this post helpful.
Old 06-16-2013, 05:49 AM   #14
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,148
Blog Entries: 2

Rep: Reputation: 4886
Quote:
Originally Posted by nsp View Post
She can "sudo", but can't "su", which makes her a half-root user. A mistake in my instructions to her made a huge problem: no one can use sudo anymore. Maybe she is not a non-root user, but she isn't a root user either.
If sudo is set up the way it is on Ubuntu systems (without restrictions on which programs a user in the sudo group can run) then the user is in fact a full root user, only without access to the root account. There is no difference at all if you run a program with sudo or from a root account.
 
Old 06-16-2013, 09:34 AM   #15
frieza
Senior Member
 
Registered: Feb 2002
Location: harvard, il
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,233

Rep: Reputation: 406
Quote:
Originally Posted by nsp View Post
She can "sudo", but can't "su", which makes her a half-root user. A mistake in my instructions to her made a huge problem: no one can use sudo anymore. Maybe she is not a non-root user, but she isn't a root user either.
sudo elevates privileges and uses the person's own password; su switches users and uses the root account, if enabled, unlike Ubuntu and Mac OS X. But I second Tobi: with sudo set the way the 'buntu systems configure it by default, she IS a full root user since sudo was configured to allow all access.
 
  

