It’s time consuming to write a “real” blog post. They end up feeling rushed and I get discouraged from doing them because they’re daunting. Instead, I’m going to share my notes. This is something I write all the time anyway. I will prepend a summary and leave the madness if you’d like to see how I got there (or dig out any other hidden gems). Hopefully this leads to more, and more interesting, posts.

Summary

  • A user needs to be included in /etc/sudoers prior to using sudo.

  • Instead of adding to that file directly, add to /etc/sudoers.d/ with visudo -f /etc/sudoers.d/foo.

    • visudo helps validate your changes

    • sudoers.d doesn’t change with upgrades

  • Users can be added to the sudoers list by group name.

  • Groups

    • View all groups: cat /etc/group

    • View a user’s groups: groups someuser

    • Add a user to a group: usermod -aG newgroup someuser

    • Set all groups (remove through omission): usermod -G foo,bar,baz,quux someuser

    • Changing a user’s group membership does not take immediate effect.


Log

jeremy@debian ~/c/p/reergymerej.github.io> sudo bundle install
[sudo] password for jeremy:
jeremy is not in the sudoers file. This incident will be reported.

What is the sudoers file?

It’s a list of users allowed to sudo.

Where is it?

/etc/sudoers

You need root to edit it.

root@debian:/home/jeremy# ls -l /etc/sudoers
-r--r----- 1 root root 669 Jun 5 2017 /etc/sudoers

The sudoers file tells you to edit /etc/sudoers.d/ instead and to use visudo.

visudo is a tool that helps you to safely edit the sudoers file. By default, it edits /etc/sudoers, but we can point it to another file with the -f flag.

What is /etc/sudoers.d/?

That is a directory of additions to the sudoers file. The main sudoers file is under the control of the distribution, so it could potentially change during an upgrade, wiping out your changes. Using sudoers.d ensures your changes aren’t messed with.

At the end of the sudoers file, there is a directive that includes these local changes.

#includedir /etc/sudoers.d

You can read about this in /etc/sudoers.d/README

So we know we need to add our user to the sudoers list, we should use sudoers.d, and we should use visudo to do it.

The include directive will include anything in the sudoers.d dir, so we can name the file whatever we want. Let’s go with the user’s name to keep things clear.

Now what the hell do we actually put in there?

Will visudo tell us? Nope.

man sudoers might, though.

SUDOERS FILE FORMAT
    The sudoers file is composed of two types of entries: aliases (basically variables) and user specifications (which specify who may run what).

Holy hell. That gets deep quickly. Let’s check comments in the sudoers file.

That seems easier.

root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
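An added example, not from the original post: a small sh helper that builds a drop-in line in the same form as the root and %sudo entries above, checks the file name against the #includedir rules (sudo skips names that contain a “.” or end in “~”, which is why the README warns about editor backup files), and syntax-checks the staged file with visudo -c -f before it gets anywhere near /etc/sudoers.d. The function names and the staging-in-a-temp-file step are my own; nothing here touches the real sudoers directory.

```shell
#!/bin/sh
# Added example (not from the original post): build and validate a
# sudoers.d drop-in for one user before installing it.
# Assumes sudo's documented rules: #includedir ignores file names that
# contain '.' or end in '~', and drop-ins should be root-owned, mode 0440.

# Return 0 if NAME is a file name that #includedir will actually load.
dropin_name_ok() {
    case "$1" in
        ''|*.*|*~) return 1 ;;
        *)         return 0 ;;
    esac
}

# Print a one-line user specification granting USER full sudo rights,
# the same shape as the "root ALL=(ALL:ALL) ALL" line in the default file.
render_dropin() {
    printf '%s ALL=(ALL:ALL) ALL\n' "$1"
}

# Write the drop-in to a staging file and syntax-check it with
# "visudo -c -f" (with -f, visudo checks syntax only, not owner/mode)
# before it ever lands in /etc/sudoers.d. Prints the staging path.
stage_dropin() {
    user="$1"
    dropin_name_ok "$user" || { echo "bad drop-in name: $user" >&2; return 1; }
    stage=$(mktemp) || return 1
    render_dropin "$user" > "$stage"
    chmod 0440 "$stage"
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$stage" >/dev/null || { rm -f "$stage"; return 1; }
    fi
    printf '%s\n' "$stage"
}

# Usage (as root, hypothetical user name):
#   f=$(stage_dropin jeremy) && install -o root -g root -m 0440 "$f" /etc/sudoers.d/jeremy
```

The staging step is the point: visudo -f on the final path also validates, but checking a copy first means a typo never leaves a broken file in the include directory, and the install line sets the 0440 mode that sudo expects.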

Looking at this, though, it appears there is already a group named sudo that is set up to run. Do I need to use sudoers.d to add my user? Can’t I just add my user to this sudo group?

How do you add a user to a group?

usermod -aG thegroup theuser
usermod --append --groups thegroup theuser

I can set ALL the groups with JUST the -G option. -a appends to the list of groups, though.

Before I screw anything up, what groups is my user in?

groups - print the groups a user is in

root@debian:/etc/sudoers.d# groups jeremy
jeremy : jeremy cdrom floppy audio dip video plugdev netdev bluetooth lpadmin scanner

If I bone it, I can redo these.

root@debian:/etc/sudoers.d# usermod -aG bananas jeremy
usermod: group 'bananas' does not exist

So I need to use a real group. How do I see all the available groups? They’re in a text file, /etc/group

Hooray!

root@debian:/etc# usermod -aG staff jeremy
root@debian:/etc# groups jeremy
jeremy : jeremy cdrom floppy audio dip video plugdev staff netdev bluetooth lpadmin scanner

How can I remove a single group? There isn’t a command to remove from a group. Instead, you have to list all the groups, omitting the one you don’t want.

usermod -G jeremy,cdrom,floppy,audio,dip,video,plugdev,netdev,bluetooth,lpadmin,scanner jeremy

Now, for the moment we’ve been waiting. We know how to see the groups. We know how to add, remove, and append groups. Let’s add our user to the sudo group and see what happens.

usermod -aG sudo jeremy

It’s still sad, although I am now in that group.

In order to apply the changes you made to /etc/sudoers, you need to restart the SSHD server as follows:

What is the SSHD server?

SSHD - SSH Daemon
SSH - Secure SHell

That may be misleading. The problem seems to be that the user’s new group has not taken effect.

jeremy@debian ~> groups
jeremy cdrom floppy audio dip video plugdev netdev bluetooth lpadmin scanner
jeremy@debian ~> su
Password:
root@debian:/home/jeremy# groups jeremy
jeremy : jeremy cdrom floppy sudo audio dip video plugdev netdev bluetooth lpadmin scanner

When are user groups loaded into memory? Oh, man. I’m way far into the rabbit hole. Let’s just logout/in.

Well, log out/in did not change the groups.
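An added example, not from the original post, covering the two group chores above: building the comma-separated list that usermod -G expects with one group left out (instead of retyping the whole list by hand), and telling apart the membership recorded in the account database from the membership the current session actually holds, which is what the two differing groups outputs in the log were showing. Function names are mine; the user name jeremy in the usage comment is just the one from the log.

```shell
#!/bin/sh
# Added example (not from the original post): helpers around the
# usermod workflow, plus a check for "has my new group taken effect yet".

# Args: group-to-drop, then the space-separated group list (as printed by
# "id -nG USER" or "groups USER"). Prints the remaining groups joined by
# commas, ready for:  usermod -G "$(groups_without sudo $(id -nG USER))" USER
groups_without() {
    drop="$1"; shift
    out=""
    for g in "$@"; do
        [ "$g" = "$drop" ] && continue
        out="${out:+$out,}$g"
    done
    printf '%s\n' "$out"
}

# Membership as recorded in /etc/group and friends: this is what usermod
# changed, and what "groups USER" reports.
db_groups() {
    id -nG "$1"
}

# Membership held by this running session's credentials: what "groups"
# with no argument reports. A group added with usermod appears here only
# once the user logs in again and gets fresh credentials.
session_has_group() {
    for g in $(id -nG); do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# Usage (hypothetical): does the sudo group work in THIS shell yet?
#   session_has_group sudo && echo "sudo group active" || echo "re-login needed"
```

The split between db_groups and session_has_group is the whole story behind the confusing log output: usermod edits the database immediately, but a process keeps the group list it was given at login, so any shell that was already open (and anything it spawns) does not see the new group until a new login session is created.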

We will try the sshd restart then, though I don’t see it.

root@debian:~# systemctl restart ssh
Failed to restart ssh.service: Unit ssh.service not found.
root@debian:~# service ssh restart
Failed to restart ssh.service: Unit ssh.service not found.

OK, f it. Let’s just reboot.


That did it. I’d need to figure out a better way if this were an active server, but it’s not.

Now, what was I doing? Oh, yeah. Getting sudo to work, so I can install my ruby gems, so I can get my site working, so I can try a new theme. lol