[sudo-users] repairing corrupted sudoers

Edward Capriolo edlinuxguru at gmail.com
Fri Jan 14 15:16:06 EST 2011


On Fri, Jan 14, 2011 at 2:59 PM, Mahmood Naderan <nt_mahmood at yahoo.com> wrote:
>>Inline I will further explain the suggestions Todd and I gave...
> Really thanks for your answer. In the future I will try to use Puppet but this
> time I have to sit in front of the server
>
> Thanks again,
> // Naderan *Mahmood;
>
>
>
>
> ________________________________
> From: JR Aquino <JR.Aquino at citrix.com>
> To: Mahmood Naderan <nt_mahmood at yahoo.com>; sudo <sudo-users at sudo.ws>
> Sent: Fri, January 14, 2011 8:18:11 PM
> Subject: Re: [sudo-users] repairing corrupted sudoers
>
> Well...
> The disappointing answer is, you will need console root level access to
> your machine. Either sitting in front of it or via some sort of ip based
> kvm.
>
> You will not be able to solve your current problem without having root on
> the device.
>
> That is why Todd suggested ssh as a normal user then: su - root
>
> Inline I will further explain the suggestions Todd and I gave...
>
> On 1/14/11 8:38 AM, "Mahmood Naderan" <nt_mahmood at yahoo.com> wrote:
>
>>Actually when this file is corrupted for any reason, no one can run
>>privileged commands. Also the root login is disabled by default.
>>
>>>If you use visudo to edit /etc/sudoers you won't have these types
>>>of problems.
>>
>>How, without sudo, can one use visudo?
>>mahmood at localhost:~$ visudo
>>visudo: /etc/sudoers: Permission denied
>>visudo: /etc/sudoers: Permission denied
>
> What Todd meant is, in the future, using visudo will care for the
> permissions so that this doesn't happen again.
>>
>>
>>>If you can login as root via ssh or su to root via a normal user
>>>you can fix the permissions, either directly via "chmod 0440
>>>/etc/sudoers" or by running visudo.
>>
>>mahmood at localhost:~$ sudo su
>>sudo: /etc/sudoers is mode 0640, should be 0440
>>sudo: no valid sudoers sources found, quitting
>>mahmood at localhost:~$ sudo -s
>>sudo: /etc/sudoers is mode 0640, should be 0440
>>sudo: no valid sudoers sources found, quitting
>
> You will not be able to use sudo to su... Because of the problem with sudo
>
>>mahmood at localhost:~$ su
>>Password:
>>su: Authentication failure
>
> This indicates that you are typing the 'root' password in wrong.  Sudo
> allows users to use their OWN password to elevate to root privileges.
>
> The 'su' command strictly requires that you know and use the ROOT password
> to elevate to the root user.
>
>
>>
>>The last one shows that the root login is disabled. Before this problem
>>"sudo su" worked well.
>>
>>>Aside from suggesting using ldap...
>>>I would suggest implementing puppet and enforcing the permissions /
>>>content that way.
>>
>>I am not familiar with those, especially I have never heard about puppet.
>>Can you explain more about how they can be used to solve my problem?
>
> Like Todd's suggestion for visudo... My suggestion cannot solve your
> immediate problem, but rather can help you see to it that this problem
> doesn't happen in the future.
>
> If you visit the puppet website, it will give a better description of its
> features. But I will list a few here for educational purposes.
>
> Puppet is a client -> server solution where you can store configuration
> files on your server, and push them out to all of your client servers.
>
> This way, if you wanted 1 /etc/sudoers file to be present on all of your
> servers, you could utilize puppet to do this for you instead of having to
> scp the file around manually.
>
> Puppet also has a method to 'enforce' configurations, so that if someone
> makes a mistake or changes something in the client /etc/cfgs, the client
> will check in with the server, see that the changes don't match, and
> revert back to whatever is authoritative from the server.
>
> LDAP is a centralized directory which can store sudo information without
> having to rely on the /etc/sudoers file.
>
> (http://www.gratisoft.us/sudo/sudoers.ldap.man.html)
>
> Hope this info helps.
>
>>
>>
>>// Naderan *Mahmood;
>
>
>
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
>

Leave yourself some reasonable alternative. It is easy to break a sudo
file, and then it stops working. If it is your ONLY way to get to root,
you are in trouble. At least make sure you always keep a root shell
open, so that in case you break your sudo you have some way to repair it.

Puppet does this pretty well as someone suggested.
Edward
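The checks JR and Todd describe above (sudo refuses a sudoers file whose mode is not 0440, and a root shell can repair it with chmod 0440 or with visudo) can be scripted so you spot the drift before sudo locks you out. The following is an added example, not code from the thread or from the sudo project; it assumes a Linux host with GNU stat, and it only runs visudo's syntax check (visudo -cf) when visudo is installed. The "wrong mode" message deliberately mirrors the wording sudo printed in Mahmood's session:

```shell
#!/bin/sh
# Added example: verify a sudoers file the way sudo does before loading it.
# Assumptions: GNU stat (-c), optional visudo on PATH.

# sudoers_mode_ok PATH [OWNER]
# Returns 0 when PATH is mode 0440 and owned by OWNER (default root),
# otherwise prints what is wrong and returns 1.
sudoers_mode_ok() {
    path=$1
    want_owner=${2:-root}
    rc=0
    [ -f "$path" ] || { echo "$path: no such file"; return 1; }
    mode=$(stat -c '%a' "$path") || return 1
    owner=$(stat -c '%U' "$path") || return 1
    if [ "$mode" != "440" ]; then
        echo "$path is mode 0$mode, should be 0440"
        rc=1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "$path is owned by $owner, should be $want_owner"
        rc=1
    fi
    return $rc
}

# sudoers_syntax_ok PATH
# visudo -c parses without installing; -f points it at a file other than /etc/sudoers.
# Returns 0 when the syntax is valid or visudo is absent (nothing to check with).
sudoers_syntax_ok() {
    if ! command -v visudo >/dev/null 2>&1; then
        echo "visudo not installed; skipping syntax check"
        return 0
    fi
    visudo -cf "$1"
}

# sudoers_fix_mode PATH
# The repair from the thread: must be run from a root shell (su - root, or a
# root shell you kept open), since sudo itself will not work until it is done.
sudoers_fix_mode() {
    chmod 0440 "$1" && chown root:root "$1"
}

# Stand-alone run against the real file; exits non-zero on any problem.
if [ "${0##*/}" = "check_sudoers.sh" ]; then
    sudoers_mode_ok /etc/sudoers && sudoers_syntax_ok /etc/sudoers
fi
```

Saved as check_sudoers.sh and run from cron or a login script, it prints the same "is mode 0640, should be 0440" line Mahmood saw, but while a root shell is still available to fix it. A Puppet file resource with mode, owner and group set does the same enforcement continuously, which is what JR's suggestion amounts to.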
