LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 08-09-2016, 10:27 AM   #1
abefroman
Senior Member
 
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,430

Rep: Reputation: 55
How is this user able to sudo su to root?


How is this user able to sudo su to root?

Code:
[terry@CentOS7 ~]$ whoami
terry
[terry@CentOS7 ~]$ sudo su
[root@centos7 terry]# whoami
root
[root@centos7 terry]# cat /etc/group |grep wheel
wheel:x:10:
[root@centos7 terry]# cat /etc/passwd |grep terry
terry:x:1000:1000::/home/terry:/bin/bash
[root@centos7 terry]# cat /etc/sudoers |grep terry
[root@centos7 terry]# cat /etc/group |grep terry
terry:x:1000:
[root@centos7 terry]#
 
Old 08-09-2016, 11:54 AM   #2
Emerson
LQ Guru
 
Registered: Nov 2004
Location: Saint Amant, Acadiana
Distribution: Gentoo ~arch
Posts: 6,317

Rep: Reputation: Disabled
The answer is in groups and sudoers.
 
Old 08-09-2016, 11:57 AM   #3
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,244
Blog Entries: 3

Rep: Reputation: 194Reputation: 194
Look into the sudoers file.
 
Old 08-09-2016, 12:54 PM   #4
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
instead of all that "cat'iness", try
Code:
id terry
command instead.
 
Old 08-09-2016, 01:04 PM   #5
abefroman
Senior Member
 
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,430

Original Poster
Rep: Reputation: 55
Code:
# cat /etc/sudoers |grep -v \#
Defaults    requiretty
Defaults   !visiblepw
Defaults    always_set_home
Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
root	ALL=(ALL) 	ALL
%wheel	ALL=(ALL)	ALL
[root@centos7 terry]# id terry
uid=1000(terry) gid=1000(terry) groups=1000(terry)
If the user isn't in the wheel group, and not uid 0, it shouldn't be able to su to root, correct?
 
Old 08-09-2016, 01:09 PM   #6
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,244
Blog Entries: 3

Rep: Reputation: 194Reputation: 194
Again look at your sudoers file. Wheel group doesn't permit or deny anyone anything.
 
Old 08-09-2016, 01:17 PM   #7
abefroman
Senior Member
 
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,430

Original Poster
Rep: Reputation: 55
You're right, the wheel group doesn't matter when sudo is used.

But /etc/sudoers doesn't seem to have anything specific for the terry user, and if I add a user called test, that is not able to sudo su:
Code:
[root@centos7terry]# su test
[test@centos7 terry]$ whoami
test
[test@centos7 terry]$ sudo su
[sudo] password for test: 
sudo: pam_authenticate: Conversation error

Last edited by abefroman; 08-09-2016 at 01:22 PM.
 
Old 08-09-2016, 02:20 PM   #8
HMW
Member
 
Registered: Aug 2013
Location: Sweden
Distribution: Debian, Arch, Red Hat, CentOS
Posts: 773
Blog Entries: 3

Rep: Reputation: 369Reputation: 369Reputation: 369Reputation: 369
I have no idea what is up with your system and your permissions, but here's a tip; save yourself some pipes and ditch the cat in:
Code:
cat /etc/group |grep terry
and
Code:
cat /etc/sudoers |grep -v \#
etc...

You can (and should!) issue those commands like this:
Code:
grep terry /etc/group
and
Code:
grep -v '^#' /etc/sudoers
More here: http://catb.org/jargon/html/U/UUOC.html

Best regards,
HMW
 
Old 08-09-2016, 02:31 PM   #9
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,244
Blog Entries: 3

Rep: Reputation: 194Reputation: 194
What is the output of the following command:

Code:
sudo -l -U terry
 
2 members found this post helpful.
Old 08-09-2016, 02:33 PM   #10
abefroman
Senior Member
 
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,430

Original Poster
Rep: Reputation: 55
Well here's my answer.

Where is this set though? Like if I want to disable it, or reenable it later?
Code:
$ sudo -l -U terry
Matching Defaults entries for terry on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME
    LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User terry may run the following commands on this host:
    (ALL) NOPASSWD: ALL
 
Old 08-09-2016, 02:39 PM   #11
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,244
Blog Entries: 3

Rep: Reputation: 194Reputation: 194
That in itself shows that terry has full rights to run ALL commands without using a password.

Did terry at one time have sudo rights?

Last edited by lazydog; 08-09-2016 at 02:41 PM.
 
Old 08-09-2016, 02:41 PM   #12
abefroman
Senior Member
 
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,430

Original Poster
Rep: Reputation: 55
Quote:
Originally Posted by lazydog View Post
That in itself shows that terry has full rights to run ALL commands without using a password.

Has terry at one time had sudo rights?
It has the default settings, its a new VM.
 
Old 08-09-2016, 02:48 PM   #13
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,244
Blog Entries: 3

Rep: Reputation: 194Reputation: 194
I'm at the end of my knowledge with this one. Some how he has the elevated rights but nothing shows that he should.

If you reboot the VM does terry still have sudo rights?
 
Old 08-09-2016, 02:50 PM   #14
abefroman
Senior Member
 
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,430

Original Poster
Rep: Reputation: 55
Quote:
Originally Posted by lazydog View Post
I'm at the end of my knowledge with this one. Some how he has the elevated rights but nothing shows that he should.
Glad its just not me That was the default user when the VM was created, if that makes a difference.

Quote:
Originally Posted by lazydog View Post
If you reboot the VM does terry still have sudo rights?
Yes, I have rebooted it a couple times.
 
Old 08-09-2016, 02:56 PM   #15
michaelk
Moderator
 
Registered: Aug 2002
Posts: 20,472

Rep: Reputation: 3569Reputation: 3569Reputation: 3569Reputation: 3569Reputation: 3569Reputation: 3569Reputation: 3569Reputation: 3569Reputation: 3569Reputation: 3569Reputation: 3569
What type of virtual machine?

Typically sudo is not configured on Red Hat/CentOS systems. My CentOS 7 is basically an as is min install.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] sudo to user other than root but do not allow sudo to root Westmoreland Linux - Security 3 02-03-2015 11:48 AM
Question about the sudo command, specifically how to have sudo act as if user is root slacker_ Linux - Newbie 17 09-22-2013 03:48 PM
User is Not Able to sudo su -l root devUnix Linux - Server 22 08-14-2013 06:52 AM
startx from root user is working while from sudo user not unkn(0)wn Linux - Newbie 2 08-17-2012 09:31 PM
Gconf-editor settings not sticking for root, sudo user, or user when run sandaili Fedora 1 07-19-2008 08:31 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 05:22 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration