sudo loop locked system root access

IPTRACE

Hi, any idea how to resolve the issue instead of run in single user mode?
I've set file permissions to 666 for /usr/local/etc/sudoers and I cannot change it back again...

Code:
user@serv:~ % sudo chmod 660 /usr/local/etc/sudoers
sudo: /usr/local/etc/sudoers is world writable
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin

user@serv:~ % chmod 660 /usr/local/etc/sudoers
chmod: /usr/local/etc/sudoers: Operation not permitted

Zirias

Log in as root? You DO have a console, do you?

Or, if you can login as a user who is a member of wheel, just use su(1) to become root.

IPTRACE

Log in as root is restricted to single-user mode.
No one is in wheel group.

Zirias

Log in as root is restricted to single-user mode.
Is this some hardening setting? I wasn't aware this is possible. So you're probably out of luck. Do you have at least a way to issue a clean shutdown? Maybe the power button?

How does locking down the system in such a way go with experimenting with a world-writable sudoers file? :eek:

Anyways, IMHO, you should *always* have a local console that accepts a root login any time, to have a chance to fix things. This is normally just a vt using screen and keyboard. On a headless server, you want a serial console (RS-232) instead.

IPTRACE

The one way I know is to run the system in single-user mode but I'd like to avoid that or even postpone that remedy in the next system changes or upgrades.

It was a WARNING from the Lynis software. I got:
Wrong permissions on /usr/local/etc/sudoers and /usr/local/etc/sudoers.d.
I had 440 before, so I was trying to set 400, 444, 660 and finally 666...
And basically it didn't help, so I suspect Lynis does not work properly in this case.

I disabled several things for security reasons.

SirDice

If this issue was easily remedied then it would defeat the whole purpose of its security. So, either login on the console with root, or if you really disabled that, boot to single user mode. But to be honest I find it hard to believe you disabled root console logins while leaving the single user mode option open.

IPTRACE

Yes, root login disabled but still available via single-user mode.

Zirias

"As you can see" ... this particular security measure (I didn't even know it existed) has its downsides. Maybe reassess ... preventing remote root login (via ssh) could make quite some sense, but preventing root login on a local console MIGHT be a bit too much ;)

IPTRACE

Yeap. Anyway, it's just good to know that something like that exists. The old rule says "more secure, less functionality".

SirDice

Just a tip, when you modify the sudoers, keep your current "sudo'd" session open and test with a new connection. That way, if you screw up, you still have enough privileges on the original connection to fix it.
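A pre-flight check for the failure at the top of this thread, written as an added example (not code from the thread, from sudo or from Lynis): it tests a sudoers file's mode the same way sudo does before loading it, so it can be run from the still-open privileged shell SirDice recommends before a new connection is tried. The function name, the use of ls(1) instead of stat(1), and the optional visudo syntax check are this example's own choices.

```shell
#!/bin/sh
# sudo refuses any sudoers file that is writable by group or others
# ("is world writable" / "no valid sudoers sources found"), and the stock
# install mode is 0440. This check reports that condition *before* the
# privileged session that could still fix it is closed.

# sudoers_mode_ok FILE
#   Returns 0 when sudo would accept the mode, 1 when the file is
#   group- or world-writable, 2 when the file does not exist.
sudoers_mode_ok() {
    f=$1
    [ -e "$f" ] || { echo "$f: no such file" >&2; return 2; }
    # ls -l is used rather than stat(1) because stat's option syntax
    # differs between FreeBSD (-f) and GNU coreutils (-c); the 10-char
    # mode string is identical on both.
    perm=$(ls -ld "$f" | cut -c1-10)
    case $perm in
        ?????w*)    echo "$f: $perm is group writable; sudo will refuse it" >&2; return 1 ;;
        ????????w?) echo "$f: $perm is world writable; sudo will refuse it" >&2; return 1 ;;
    esac
    echo "$f: $perm ok"
    return 0
}

# sudoers_check FILE
#   Mode check first; if visudo(8) is installed, also parse the file
#   without installing it (visudo -c -f FILE) to catch syntax errors.
sudoers_check() {
    sudoers_mode_ok "$1" || return $?
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    fi
}

# Usage while editing, from the shell that still has root:
#   sudoers_check /usr/local/etc/sudoers && echo "safe to test on a new connection"
```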