Author HELP! - I've screwed up and now can't access root.
fsjcp2

2003-06-25, 8:18 pm

I consider myself an intermediate user on Linux. I can do things very well,
others not well at all. At my workplace, I've converted a former PIII NT
machine into a smoking RH9.0 NetWorker client. One of the requests that my
lead IT asked me to do is to set up this Linux box to be SSH enabled to
transfer and store critical files. Although it was my first time doing so, I
was able to implement SSH, and then started looking for additional security.
So I downloaded the RH Linux Security Guide from RH's site.

I was walking through the guide, and started working on root access. I
wasn't reading ahead. Instead, I was just doing the commands that the guide
instructed.

First I changed the root shell in my /etc/passwd file from /bin/bash to
/sbin/nologin.

Second I disabled root access via any console device (tty) by creating an
empty /etc/securetty file.

Third I disabled root SSH logins by editing the /etc/ssh/sshd_config to set
the PermitRootLogin to no.

I didn't get as far as using PAM to limit root access services because at
this point I then rebooted to test a previous security implementation to the
grub.conf file to enforce pwords when logging in to the command line. I found out
that something went wrong. I believe it was a bad crypto copy from the
/sbin/grub-md5-crypt output, but that's not my problem. My problem is this.
Because of my root access step one, I'm no longer able to switch into root mode
with su. I then tried to implement my commands with sudo. However, I cannot
get it to accept my root password. FYI, because it was my first time running
sudo, I didn't do any config on it. I know that my root password still works
because when I execute any system setting programs, I can successfully start
it with my root pword. I really want to edit my root shell back to
/sbin/nologin. What is the correct implementation of sudo? I've been
entering the following below:

$ sudo vi /etc/passwd

I wish I were in front of my work workstation, but I'm currently at home and
can't recall the output from that statement. All I know is that I can't get
into it. Please can someone help me out here?
Boulware5

2003-06-25, 11:44 pm

Well, to set up sudo you do this... Add yourself to the "wheel" group and in /etc/sudoers, uncomment this:
# Uncomment to allow people in group wheel to run all commands
%wheel ALL=(ALL) ALL

Not sure why you want to disable the root account on your local system. I can see disabling root logons via SSH, but you kinda lost me.
fsjcp2

2003-06-26, 12:11 am

Thanks for responding. The machine that I'm prepping is a production machine that'll be sitting out in the open in a semi-high traffic area. I don't really have to do it, but I'd like to just for the experience. I was able to get my root access back when I booted up with the installation CD-ROM and linux rescue mode.

I'm still having problems with sudo though. I'd still like to have it set up to where root doesn't have access, and only certain users can administer it with sudo. The portion of the sudoers that you posted with the wheel, what exactly is that? Can you clarify what it is? I'm guessing that it is just another system group that I can have my desired accounts join. Once joined, then they shouldn't have any problems utilizing sudo, right?

I did add one of the users to the sudoers file using visudo. I had included them under the User Specification section with the following text:

sxops ALL=(ALL) ALL

However, when I followed that up with a test of sudo capabilities, I was unable to get the sxops profile to chmod a file that only root can change. I did use the following when trying that:

sudo -u sxops chmod 660 /etc/sudoers

When prompted for a password, I typed in sxops pword. The attempt had failed, and after several tries I got a broken pipe response. What is a broken pipe? What am I doing wrong here? Will adding sxops to the wheel group and editing that line that you've mentioned in sudoers file clear up my troubles?
Boulware5

2003-06-26, 12:24 am

You create a wheel group, add members to that wheel group (usermod -G or editing /etc/group). root does not have to be a member of this group - just the users you want to give sudo access to, then in /etc/sudoers (by running visudo) you uncomment the line I showed you. Now when you do something like:

sudo vi /etc/gshadow, it will ask you for the user's password, not root's password. So you don't need to know or have root's password, just your own. You'll obviously need root access and its pass to add people to the wheel group, etc... But after that, you don't. Now that statement I showed you will allow just the users in wheel to run anything root can; you can also configure it to allow those users to run certain things and not "all". Shouldn't be hard to find documentation on that. Understand it better now?
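
Added example, not part of the original thread or any poster's own code: a pre-reboot check for the situation discussed above, where root's shell has been set to /sbin/nologin before any sudo path exists. The function name check_admin_path and its ROOT argument are assumptions for illustration, and it only looks at the %wheel rule, not at per-user sudoers entries.

```shell
#!/bin/sh
# check_admin_path ROOT
#   ROOT is a directory prefix: "" for the live system, or the mount point
#   of a system mounted from rescue media.
#   Returns 0 if an administrative path remains, 1 if a lockout is likely.
check_admin_path() {
    root=$1
    # Field 7 of root's /etc/passwd entry is the login shell.
    root_shell=$(awk -F: '$1 == "root" { print $7 }' "$root/etc/passwd")
    # Field 4 of the wheel entry in /etc/group is the member list.
    wheel_members=$(awk -F: '$1 == "wheel" { print $4 }' "$root/etc/group")
    # The %wheel rule only counts when it is uncommented.
    if grep -Eq '^[[:space:]]*%wheel[[:space:]]+ALL[[:space:]]*=' "$root/etc/sudoers"; then
        wheel_rule=yes
    else
        wheel_rule=no
    fi
    echo "root shell:        $root_shell"
    echo "wheel rule active: $wheel_rule"
    echo "wheel members:     ${wheel_members:-<none>}"
    # An existing but empty securetty means no tty accepts a root login.
    if [ -e "$root/etc/securetty" ] && [ ! -s "$root/etc/securetty" ]; then
        echo "securetty:         empty (no console root login)"
    fi
    if grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+no' \
            "$root/etc/ssh/sshd_config" 2>/dev/null; then
        echo "sshd:              PermitRootLogin no"
    fi
    # su runs the target account's shell, so nologin/false breaks plain su.
    case $root_shell in
        */nologin|*/false) root_usable=no ;;
        *)                 root_usable=yes ;;
    esac
    if [ "$wheel_rule" = yes ] && [ -n "$wheel_members" ]; then
        echo "OK: sudo via group wheel is available"
        return 0
    fi
    if [ "$root_usable" = yes ]; then
        echo "OK: root still has a login shell, but there is no wheel sudo path"
        return 0
    fi
    echo "LOCKOUT RISK: root shell is $root_shell and no wheel member can sudo"
    return 1
}
# Usage (as root, since /etc/sudoers is not world-readable): check_admin_path ""
```

Run it after editing /etc/passwd and /etc/sudoers but before rebooting or logging out of the last root session.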
fsjcp2

2003-06-26, 12:28 am

Thanks for your prompt responses Boulware5. I'll try what you've told me and will post a follow-up to let you know how things have gone.
fsjcp2

2003-06-26, 12:53 am

It works! Thanks for your help.

I further tested out something else that popped into my head. From my machine I SSH'd to another machine, then SSH'd back as sxops. I then had a successful SSH connection where I attempted to do some of the sudo stuff that had me hunkered down a bit ago. I discovered that I was unable to do sudo over SSH. Is this because of my edit to the /etc/passwd file where the root's shell is changed from /bin/bash to /sbin/nologin? I see from the RH9 Security Guide that this change affects root login via SSH. What're your thoughts on this situation?
dlewis

2003-07-25, 2:34 am

Of course, if your root has lost its shell or you need a shell for your login, you could always log in as a regular user and type su -s /bin/bash. Don't know if this pertains at all to your situation, but I had a similar situation like this that I use the above for.

-Don
xonkers

2003-08-03, 3:06 am
