Solving the problem of disappearance of rights to the Sudo team

June

2021

14:01

Solving the problem of disappearance of rights to the Sudo team

linux

24 June 2021 14:01

After updating the Linux nucleus, he suddenly discovered that the possibility of launching the Sudo command was gone.

Error: "sorry, user user is not allowed to execute '.....' as rOOT "

where instead of .... The full path let the team for example /bin /CP

Thus, along with Sudo, the simplest teams like sudo cp a b или sudo apt-get update.

1. Quick solution to the problem

In Debian и других классических ОС нужно добавить существующего пользователя vasya In the group wheel :

su
usermod -a -G wheel vasya

where vasya - имя пользователя.

In Ubuntu and Linux Mint - the same thing, but in the group Sudo :

su
usermod -a -G sudo vasya

Where vasya - имя пользователя, которого добавляем в группу wheel или sudo.

After that, we perform logout и входим снова. Доступ к запуску su и sudo должен появиться.

The difference between teams su от su - в окружении: su - использует окружение root, в отличие от su, где окружение текущего пользователя.

Exit from su при помощи команды exit.

2. Explanation of the cause of the problem

In my case, apparently, user user disappeared from the Sudo group.
The error consisted in the erroneous team I made
sudo usermod -G dialout user

without operand "-a", команда usermod затёрла группы пользователя user.

The second option - the error arose after updating the core of the system.

3. Storage of users and groups in Linux

User groups and their members are stored in the file /etc/group.
The file is responsible for the transfer of rights /etc/sudoers.

In most classic Linux operating systems, for example, in Debian or Centos,
users who can launch SU or SUDO should be added to group wheel.
(Historically, this group for systems that worked in shifts).

Thus, using the command usermod файл /etc/group будет изменен. (Прямое редактирование /etc/group запрещено).

In Ubuntu and Linux Mint instead wheel используется группа sudo.

To find out which groups of user user is a member, execute a command

groups user

It will be written like
User : user diaLout Sudo Wheel

Where in front of the colon user - имя пользователя, после двоеточия:
user dialout sudo wheel - названия групп, в которых он состоит.

To display the members of the group members wheel или sudo, execute commands

In Debian and Centos:

cat /etc/group | grEp Wheel

grep "wheel" /etc/grOUP

In Ubuntu and Linux Mint:

cat /etc/group | grEP Sudo

grep "sudo" /etc/grOUP

If the Ubuntu user is not included in the Sudo group, then he will not have the right to execute the Sudo command.

It is necessary to add the _ -part of the user to the group using the command:

usermod -a -G группа пользователь

Where is the group - Sudo, user is your user name.

After adding, we look at the user groups:

id пользователь

The command #2 - if you need to create a _NOW MARCH and immediately add to the group:

adduser новый_пользователь группа

In Linix Mint file Sudoers (/etc/sudoerS) It looks like this:

Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/SBIN: /usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/Bin "
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d

line root ALL=(ALL:ALL) ALL наделяет неограниченными правами пользователю root
(You can’t touch it in any case, otherwise the rights of the Root superpoler will disappear).
line %admin ALL=(ALL) ALL наделяет такими же неограниченными правами пользователей группы admin
line %sudo ALL=(ALL:ALL) ALL предоставляет неограниченные права пользователям группы sudo

What is the difference between groupsadmin and sudo?

groupadmIn used Ubuntu below version 11.10, i.e. left for compatibility
In modern Ubuntu as administrative, the SUDO group is used

How to edit the file /etc /sudoers:

With the help of a team

visudo

To insert the text, click 'Insert "

To be released - press ESC, colon and letters w Q
": WQ"

For output - press ESC, colon and Q "
": Q"

4. Дополнительно: понижение безопасности путем отключения запроса пароля пользователя

So that the SUDO password does not request every time:

In the file /etc /sudoers:

vasya ALL=(ALL:ALL) NOPASSWD:ALL

where vasya - имя пользователя. Пользователь сможет выполнять команды от имени rOOT without a password (not recommended!)

The team is option

vasya ALL=(ALL:ALL) NOPASSWD:ALL /usr/bin/soundmodem

The last option only concerns the start of Soundmodem из каталога /usr/bin/ !

The line with Nopasswd should stand after the SUDO line!

Or the problem of Nopasswd is solved without editing Visudo using the catalog /etc/sudoers.d

Settings in /etc/sudoers.d - There is a decrease in rights
For example, in the file mintupdate you can read the following
(added line transfers for better readability)

All all = nopasswd:/usr/bin/
mint-refresh-caChe
All all = nopasswd:/usr/lib/linuxmint/
mintUpdate/synaptic-workarOUND.PY
All all = nopasswd:/usr/lib/linuxmint/
mintUpdate/dpkg_lock_check.sh

That is, you can, following the example of /etc /sudoeers.d /mintupdate создать файл для себя, в котором прописать строку vasya ALL=(ALL:ALL) NOPASSWD:ALL .

visudo -f /etc/sudoers.d/custom

Starting user programs with SUDO without a password.

whereis soundmodem

Conclusion:
soundmodem: /usr/sbin/soundmodem

As you can see, the path /usr/sbin/ входит в настройки "Defaults secure_paTh ".
Thus, the launch of the command, say, from the command SH of the file after setting up Nopasswd will work:

Command file for launching xastir.sh :

#!/bin/bash
sudo /usr/sbin/soundmodem &
/usr/bin/xastir

Where & - to start the program in the background.

Sources:
Returning rights to the user to execute the SUDO command
Viewing user groups of Linux and group members - users
Explanation of the Sudoers file
Edit /etc /sudoers
The difference between groupsadmin and sudo
Differences between Debian и Ubuntu в файле sudoerS.
*Regarding the operation of the Nopasswd option

Blog about Radio and Linux