Enabling user with ROOT privileges WITHOUT using sudo

fanoflq · 03-11-2017, 01:29 AM

Quote:

Originally Posted by Turbocapitalist

Can you give some examples of what you are really trying to do? There probably is a safe and reasonable way to get it done, but we'll need more information.

The configuration posted above looks like the exact kind of abuse of sudo that I have blogged about since it is so common. A small amount of the fault lies with sudo being very flexible, but I think nearly all of the problem are the awful defaults provided by most sudo-using distros and worse examples provided out on the net.

Most people using sudo could benefit greatly from reading the manual page for sudoers at least once because if you're doing all-or-nothing permissions, you're doing it wrong See also the slides from his other presentation of the same name, sudo: You're Doing It Wrong. I highly recommend going through the slides or the presentation.

I was looking at enabling sudo without password.
Then I thought what if we escalate a regular user
to using commands without using sudo.
How can I do this?

Sorry, as you can see, there is no use case for my case study!
But it would be nice (but not recommended) if I can do that on
my VMs in KVM, but not for production servers.

Thanks for the links.

Turbocapitalist · 03-11-2017, 01:32 AM

Quote:

Originally Posted by fanoflq

I was looking at enabling sudo without password.

Yes, but sudo for what in particular? It does not stand on its own, it is there to change the user temporarily when running specific utilities. Which utilities do you want to run?

fanoflq · 03-11-2017, 01:43 AM

Quote:

Originally Posted by Turbocapitalist

Yes, but sudo for what in particular? It does not stand on its own, it is there to change the user temporarily when running specific utilities. Which utilities do you want to run?

I was doing it for any utility using this directive in /etc/sudoers:
user1 ALL= NOPASSWD: ALL

I am doing this as a part of my Linux learning experience.
Nothing specific or special.

Again, I am aware this is not recommended.
But since I am using a VM in KVM,
I am less worried about crashing
and burning due a fatal command.
Thanks to the ease of cloning a VM.

wpeckham · 03-11-2017, 07:10 AM

I think you are doing thought experiments with doing the things that good Sysadms and security people have worked for decades to avoid allowing. But I could be wrong.
Re:

Quote:

# Q1: Is there away to display prompt string as user1@... instead of root@... when user's id has been changed to 0 (root)?

If you become another user and check the output of two commands:

Code:

whoami
who am i

yoou will see that one reports your current ID, and the other reports your logon name. If you put the logon name into the PS1 variable then it is the one that will appear in the prompt. More information can be found in online documents and your shell man page section on environment variables.

fanoflq · 03-11-2017, 12:24 PM

Quote:

Originally Posted by fanoflq

Here is my solution:

I login as root.
Then delete line containing user1 from :
/etc/passwd
/etc/group
/etc/shadow

And then reboot to see it I caused any problem.
Then I recreate user1 again via useradd command.

Since I did not delete user1's home directory,
those account will become this "new" user1's account.
All is good.

After doing above, I was not able to login.
I found out it was related to root being the user owner of /home/user1.

Code:

#Able to login since user1 is owner of /home/user1.
[root@Centos7-1024ram-minimal home]# ls -ld /home/user1
drwx------. 2 user1 user1 94 Sep 21 18:54 /home/user1
[root@Centos7-1024ram-minimal home]# su - user1
Last login: Sat Mar 11 10:08:36 MST 2017 on pts/0
[user1@Centos7-1024ram-minimal ~]$ exit
logout

#change /home/user1 owner to root.
[root@Centos7-1024ram-minimal home]# chown root:user1 user1
[root@Centos7-1024ram-minimal home]# ls -ld /home/user1
drwx------. 2 root user1 94 Sep 21 18:54 /home/user1
[root@Centos7-1024ram-minimal home]# su - user1
Last login: Sat Mar 11 10:09:34 MST 2017 on pts/0
su: warning: cannot change directory to /home/user1: Permission denied
-bash: /home/user1/.bash_profile: Permission denied
-bash-4.2$ exit
logout
-bash: /home/user1/.bash_logout: Permission denied

Why am I not able to login as root since I am now also
the owner of /home/user1?

fanoflq · 03-11-2017, 12:34 PM

Quote:

Originally Posted by wpeckham

I think you are doing thought experiments with doing the things that good Sysadms and security people have worked for decades to avoid allowing. But I could be wrong.
Re:

If you become another user and check the output of two commands:

Code:

whoami
who am i

yoou will see that one reports your current ID, and the other reports your logon name. If you put the logon name into the PS1 variable then it is the one that will appear in the prompt. More information can be found in online documents and your shell man page section on environment variables.

There is no option for logon name as far as i could see in man bash.

Quote:

In man bash:
...
PROMPTING
...
\u the username of the current user
...

Code:

#Change user1's id to root.
host@server1 ~ $ ssh root@192.168.122.167                                                                                    
root@192.168.122.167's password: 
Last login: Sat Mar 11 10:37:55 2017
[root@Centos7-1024ram-minimal ~]# usermod -ou 0 user1
usermod: warning: /var/spool/mail/user1 not owned by user1
[root@Centos7-1024ram-minimal ~]# su - user1
Last login: Sat Mar 11 10:39:00 MST 2017 from 192.168.122.1 on pts/0
[root@Centos7-1024ram-minimal ~]# pwd
/home/user1
[root@Centos7-1024ram-minimal ~]# ls -ld /home/user1
drwx------. 2 root user1 94 Sep 21 18:54 /home/user1

#Exit to host.  ....

#Login as user1
host@server1 ~ $ ssh user1@192.168.122.167
user1@192.168.122.167's password: 
Last login: Sat Mar 11 10:40:31 2017
[root@Centos7-1024ram-minimal ~]# export PS1='\u@$(hostname):\w\$ 
root@Centos7-1024ram-minimal:~# pwd
/home/user1
root@Centos7-1024ram-minimal:~# who
user1    pts/0        2017-03-11 10:41 (192.168.122.1)
root@Centos7-1024ram-minimal:~# ls -l /home/user1
total 0
root@Centos7-1024ram-minimal:~# ls -ld /home/user1
drwx------. 2 root user1 94 Sep 21 18:54 /home/user1
root@Centos7-1024ram-minimal:~# id user1
uid=0(root) gid=0(root) groups=0(root)

273 · 03-11-2017, 12:45 PM

Quote:

Originally Posted by fanoflq

# Q0 : Is there a better way to allow root privilege WITHOUT using sudo for any user?

No.
The system is not designed like that.
There is nothing to be gained by playing with turning a user into root. It server no purpose in the real world and as a thought experiment it's like trying to imagine whether it's just about possible to build a car out of chocolate that randomly explodes and kills all passengers.
I don't even see any way this kind of thing could be used for gaining unauthorised access as it's almost the opposite scenario of being root nad trying to make a user root without the user knowing.

TxLonghorn · 03-11-2017, 01:17 PM

Quote:

Originally Posted by fanoflq

Is this question unsolvable?

# Q2: How do I change user1's user id from 0 back to the original user ID?

Create a new user, (user2), and give that new user administrative (sudo) authority. Log in as that user.
Run the command

Code:

id

to make sure that user2 is not uid=1000
Enter the usermod commands:

Code:

sudo usermod -u 1000 user1

Code:

sudo groupmod -g 1000 user1

Code:

sudo usermod -g 1000 user1

wpeckham · 03-11-2017, 02:38 PM

Quote:

Originally Posted by fanoflq

There is no option for logon name as far as i could see in man bash.

I did not say that there was. I meant that you could find more about the use and setting of the PS1 variable, options, and effects on the man page for your shell. The commands I provided will provide the name string you need, and that may be embedded in the prompt to the prompt effect you desired. In fact you can use almost any arbitrary string or command result in the prompt if you can only delimit it properly. That can result in great fun, or confusion, or both.

Confusion seems pertinent to this conversation.

fanoflq · 03-11-2017, 02:51 PM

TxLonghorn:

Your post is not making sense if you follow my posts
on my I was unable to change user id for user1 from 0 to 1000.

BW-userx · 03-11-2017, 05:24 PM

enabling user with ROOT privileges WITHOUT using sudo

the easiest way to do it without a lot of fiddling around, just give him or her the root user password.

Code:

su 
password

GazL · 03-11-2017, 06:24 PM

Like others I'm still very unclear about what the OP is trying to achieve, but one approach I use with my scripts is to get them to reinvoke themselves with sudo like this:

Code:

#!/bin/bash -p
########################################################################
# Sanitise the environment:

PATH="/bin:/sbin:/usr/bin:/usr/sbin"
unset IFS TAR_OPTIONS GREP_OPTIONS
umask 0022

########################################################################
# Reinvoke this script as root:

#   Note:
#     checking for $SUDO_UID will mean that the script will reinvoke
#     itself even when run by the superuser directly.  This is both
#     intentional and necessary as we use $SUDO_UID later.

if [ "$EUID" != '0' ] || [ -z "$SUDO_UID" ]; then
   exec sudo -u root -- "$(readlink -e "$0")" "$@"
   exit 1
fi

########################################################################

Which means I don't have to remember to run it via sudo.

This example is from a wrapper script I've written around Slackware's makepkg command so that I can build packages from a non-root user. It goes with a sudoers rule:

Code:

# Allow member of group 'build' a.k.a. "Software packagers"
# to run buildpkg
%build ALL=(root) NOPASSWD: /usr/local/bin/buildpkg