[sudo-users] repairing corrupted sudoers

JR Aquino JR.Aquino at citrix.com
Fri Jan 14 11:48:11 EST 2011


Well...
The disappointing answer is, you will need console root level access to
your machine. Either sitting in front of it or via some sort of IP-based
KVM.

You will not be able to solve your current problem without having root on
the device.

That is why Todd suggested ssh as a normal user then: su - root

Inline I will further explain the suggestions Todd and I gave...

On 1/14/11 8:38 AM, "Mahmood Naderan" <nt_mahmood at yahoo.com> wrote:

>Actually when this file is corrupted for any reason, no one can run
>privileged commands. Also the root login is disabled by default.
>
>>If you use visudo to edit /etc/sudoers you won't have these types
>>of problems.
>
>How without sudo, one can use visudo?
>
>mahmood at localhost:~$ visudo
>visudo: /etc/sudoers: Permission denied
>visudo: /etc/sudoers: Permission denied

What Todd meant is that, in the future, using visudo will take care of the
permissions so that this doesn't happen again.
>
>
>>If you can login as root via ssh or su to root via a normal user
>>you can fix the permissions, either directly via "chmod 0440
>>/etc/sudoers" or by running visudo.
>
>mahmood at localhost:~$ sudo su
>sudo: /etc/sudoers is mode 0640, should be 0440
>sudo: no valid sudoers sources found, quitting
>mahmood at localhost:~$ sudo -s
>sudo: /etc/sudoers is mode 0640, should be 0440
>sudo: no valid sudoers sources found, quitting

You will not be able to use sudo to su... because of the problem with sudo.

>mahmood at localhost:~$ su
>Password:
>su: Authentication failure

This indicates that you are typing the 'root' password in wrong.  Sudo
allows users to use their OWN password to elevate to root privileges.

The 'su' command strictly requires that you know and use the ROOT password
to elevate to the root user.


>
>The last one shows that the root login is disabled. Before this problem
>"sudo su" worked well.
>
>>Aside from suggesting using ldap...
>>I would suggest implementing puppet and enforcing the permissions /
>>content that way.
>
>I am not familiar with those, especially I have never heard about puppet.
>Can you explain more about how they can be used to solve my problem?

Like Todd's suggestion for visudo... My suggestion cannot solve your
immediate problem, but rather can help you see to it that this problem
doesn't happen in the future.

If you visit the puppet website, it will give a better description of its
features. But I will list a few here for educational purposes.

Puppet is a client -> server solution where you can store configuration
files on your server, and push them out to all of your client servers.

This way, if you wanted 1 /etc/sudoers file to be present on all of your
servers, you could utilize puppet to do this for you instead of having to
scp the file around manually.

Puppet also has a method to 'enforce' configurations, so that if someone
makes a mistake or changes something in the client /etc/cfgs, the client
will check in with the server, see that the changes don't match, and
revert back to whatever is authoritative from the server.

LDAP is a centralized directory which can store sudo information without
having to rely on the /etc/sudoers file.

(http://www.gratisoft.us/sudo/sudoers.ldap.man.html)

Hope this info helps.

>
> 
>// Naderan *Mahmood;
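A small recovery script, added here as an illustration and not part of the original thread, that does what Todd's chmod suggestion describes once you have a root shell: it sets the 0440 mode sudo demands and then runs visudo's syntax check so a file sudo would still reject gets reported. The path argument is an assumption so the logic can be tried on a copy first; the real target is /etc/sudoers.

```shell
#!/bin/sh
# Repair the permissions on a sudoers file and confirm sudo will accept it.
# Must be run as root (console or "su - root") against the real /etc/sudoers;
# the path argument is there so the logic can be exercised on a copy first.

# Print the octal mode of a file (GNU stat first, BSD stat as a fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only when the mode is exactly 0440, which is what sudo insists on
# (the "is mode 0640, should be 0440" message in the thread comes from this).
sudoers_mode_ok() {
    [ "$(file_mode "$1")" = "440" ]
}

# Set mode 0440 (and root:root ownership when running as root), then run the
# same syntax check visudo performs, since sudo also refuses a file with a
# syntax error. Returns 0 only when the mode is right and, if visudo is
# installed, the syntax check passes.
repair_sudoers() {
    f="$1"
    chmod 0440 "$f" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$f" || return 1
    fi
    sudoers_mode_ok "$f" || return 1
    if command -v visudo >/dev/null 2>&1; then
        # -c = check only, -f = check this file instead of /etc/sudoers
        visudo -c -f "$f" >/dev/null 2>&1 || return 1
    fi
    return 0
}
```

Run it as `repair_sudoers /etc/sudoers` from the root shell; if it fails after the chmod, the remaining problem is a syntax error and visudo -c will show the offending line.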