[SOLVED] Ubuntu 18.04 Changing account password in GUI broke sudo

coldbeer · 06-27-2018, 11:52 AM

The account name here is "tv".

Set up the account:
# adduser tv
# usermod -a -G sudo tv

Then log into account GUI.
Then upper right screen power icon->tv->account settings-> change password.

Go to terminal:

Code:

$ sudo su
[sudo] password for tv: *******
tv is not in the sudoers file.  This incident will be reported.
tv@c3:~$ su root
Password: ******
root@c3:/home/tv# cat /etc/group | grep sudo
sudo:x:27:tv

And it doesn't matter if I use passwd or usermod again. Says tv is not in sudoers file but it is.

auth.log

Code:

Jun 27 12:44:20 c3 gdm-password]: pam_unix(gdm-password:session): session opened for user tv by (uid=0)
Jun 27 12:44:20 c3 systemd-logind[783]: New session 9 of user tv.
Jun 27 12:44:21 c3 gnome-keyring-daemon[3799]: failed to unlock login keyring on startup
Jun 27 12:44:22 c3 polkitd(authority=local): Registered Authentication Agent for unix-session:9 (system bus name :1.223 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jun 27 12:44:36 c3 sudo:       tv : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/tv ; USER=root ; COMMAND=/bin/su
Jun 27 12:44:43 c3 su[4289]: Successful su for root by tv
Jun 27 12:44:43 c3 su[4289]: + /dev/pts/0 tv:root
Jun 27 12:44:43 c3 su[4289]: pam_unix(su:session): session opened for user root by (uid=1003)

michaelk · 06-27-2018, 02:39 PM

Quote:

tv is not in the sudoers file.

Just like the warning message states the username tv is not in the sudoers file i.e /etc/sudoers which is not the same thing as being in the sudo group.

To add your user to the sudoers file use the visudo command as root.

https://www.digitalocean.com/communi...ntu-and-centos

hazel · 06-27-2018, 02:56 PM

Everything depends on whether the sudo group has already been given full sudo access in /etc/sudoers. If so, adding a new user to that group will give him full sudo access by virtue of his group membership. But if not, then sudo will check the individual user's sudo access and reject him if he is not personally listed in sudoers.

coldbeer · 06-27-2018, 03:06 PM

In /etc/sudoers I have this which works for every account until I change the password as the user in the user's GUI

Code:

# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) NOPASSWD: ALL

Again in the group file:

Code:

sudo:x:27:tv

And it does work with $ sudo su before I change the password in the GUI. Afterwards it stops working.

For giggles I added this to the sudoers file

Code:

tv      ALL=(ALL:ALL) ALL

Which then when I $ sudo su asks for the password and then is successful. But is not a normal thing. Why would changing my password in the GUI make $ sudo su ignore the sudo group settings?

michaelk · 06-27-2018, 04:23 PM

I'm not sure except that you might have to logout then log back in once you change the password.

coldbeer · 06-27-2018, 08:15 PM

I have rebooted the system many times.

Another odd symptom was when I would entered the command $ groups the sudo wasn't there when it was there in the /etc/group file.

Anyways I got it working again.

I remember that while I was trying to change my file with the GUI, I also edited the /etc/pam.d/common-password file to remove the obscure modifier. That when this started.

So I ran

Code:

# pam-auth-update

Disabled all the pam modules, then rebooted, then ran the comand again and reenabled the previous pam modules and rebooted again. It re-wrote the /etc/pam.d /common-password file and now its working again.

And $ groups returns the sudo group and sudo works.

michaelk · 06-27-2018, 08:17 PM

If desired you can mark the thread as solved using the Thread Tools pull down menu at the top.