
Can't chmod on /etc/sudoers 2


AlbertAguirre

Programmer
Nov 21, 2001
273
US
File /etc/sudoers is at 0666.

I tried the following:
sudo chmod 0440 sudoers

and I get:

/etc/sudoers is mode 0666, should be 0440


Why?

 
For security reasons, sudo won't run if the file permissions on /etc/sudoers are not 0440.

So you can't use sudo to fix the problem. Someone with root privileges should review /etc/sudoers for changes, then set the appropriate permissions.



Rod Knowlton
IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+

 
The sudo binary (/usr/bin/sudo) wants /etc/sudoers to be 0440 and someone has changed it. I think root must change this back to 0440 and everything should be fine. Remember, sudoers should not be modified with vi, only with visudo.
 
Good point, hfaix.

Do you know if visudo does validation on both open and write? In other words, if I wreak havoc on it with vi, will visudo at least be nice enough to open it so I can see what it doesn't like about it?

I'm not willing to deliberately screw up my sudoers, nor do I want you to. Just wondering if you know.


Rod Knowlton
IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+

 
Man, that's the answer.
Thank you.

But I have another issue.

I cannot log in as root because remote root login is not allowed. Our actual physical system is located in another state.

How can I correct my sudoers file without root?
 
Okay, in the unlikely event that you're using telnet AND you still have ftp enabled for root:

ftp into the system as root
grab your /etc/default/login file and change the entry "CONSOLE=/dev/console" to "#CONSOLE=/dev/console".

You should then be able to telnet in as root and make your changes. Don't forget to change the CONSOLE entry back when you're finished.
 
Yeah, if I had read that this post was in the AIX forum and not the Sun forum, I don't think that I would have posted that reply.

I wonder if you could perform similar steps using the /etc/security/user file by changing "rlogin = false" to "rlogin = true"? Anyone know?
 
I hope you're connecting securely, perhaps with SSH.

Connect as yourself, then use "su" to take on root privileges.



Rod Knowlton
IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+

 

Exactly like Rod put it... log in as yourself, then su to the root user.

Rod... I tried it (I've got one sudoers file for several machines). I hacked up the sudoers file with vi, then opened it with visudo. It opened the sudoers file fine (with the errors I created), but it wouldn't let me wq!. It forced me to make the corrections. That was kind of fun.



 
Hmm. man visudo would have answered your question, Rod.
 
kHz,

Not with version 1.6.6, it wouldn't have.

The man page has nothing to say about opening an already invalid file.



Rod Knowlton
IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+
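The review-then-fix sequence from this thread (check the mode, review a file that non-owners could write, validate it, then restore 0440), as an added shell sketch that is not part of any post above. The function names, the `reviewed` argument and the `VISUDO` override are hypothetical; it assumes it is run as root and that the installed visudo supports `-c` (check only) and `-f` (file to check).

```shell
#!/bin/sh
# Added example, not from the thread. Names below are hypothetical.
VISUDO=${VISUDO:-visudo}   # validator command; overridable for testing

# Succeeds only if FILE is a regular file with permission bits exactly 0440.
mode_is_0440() {
    [ -n "$(find "$1" -prune -type f -perm 0440 -print 2>/dev/null)" ]
}

# Succeeds if group or other has write access, meaning users other than
# the owner could have edited FILE while its mode was wrong.
writable_by_non_owner() {
    [ -n "$(find "$1" -prune -type f \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null)" ]
}

# restore_sudoers_mode FILE [reviewed]
# Returns 0 if FILE ends up 0440, 1 on syntax errors, 2 if FILE is missing,
# 3 if FILE was writable by non-owners and has not been marked as reviewed.
restore_sudoers_mode() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 2; }
    if mode_is_0440 "$f"; then
        echo "ok: $f is already mode 0440"
        return 0
    fi
    if writable_by_non_owner "$f" && [ "${2:-}" != "reviewed" ]; then
        echo "review: $f was writable by non-owners; check its rules, then rerun with 'reviewed'" >&2
        return 3
    fi
    # Do not restore the mode on a file sudo would fail to parse.
    if ! "$VISUDO" -c -f "$f" >/dev/null 2>&1; then
        echo "refusing: $f fails the syntax check; correct it with visudo first" >&2
        return 1
    fi
    chmod 0440 "$f" && echo "fixed: $f set to mode 0440"
}

# Usage, as root, after reading the file:
#   restore_sudoers_mode /etc/sudoers reviewed
```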

 