Hardware: VPS bought online (OVH)
YunoHost version: 11.0.10.2
I have access to my server: Through SSH | through the webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: no (fresh install)
Description of my issue
Hi!
If I execute a "sudo" command with the "admin" account I get an error.
I have access to the "root" account with the "su" command, but I don't know what modifications to make to be able to execute a command with "sudo" directly from the "admin" account (it works without problem on other YunoHost servers that I own).
Thanks for your help
admin is not in the sudoers file. this incident will be reported
root@tmp:/home/admin# dpkg --list | grep sudo
rc sudo 1.9.5p2-3 amd64 Provide limited super user privileges to specific users
ii sudo-ldap 1.9.5p2-3 amd64 Provide limited super user privileges to specific users
● sudo-ldap.service - LSB: Provide limited super user privileges to specific users
Loaded: loaded (/etc/init.d/sudo-ldap; generated)
Active: active (exited) since Wed 2022-11-30 14:18:43 UTC; 3h 7min ago
Docs: man:systemd-sysv-generator(8)
Process: 2680 ExecStart=/etc/init.d/sudo-ldap start (code=exited, status=0/SUCCESS)
CPU: 11ms
Nov 30 14:18:43 xxxx systemd[1]: Starting LSB: Provide limited super user privileges to specific users...
Nov 30 14:18:43 xxxx systemd[1]: Started LSB: Provide limited super user privileges to specific users.
I just realized your admin is not in the sudoers group, not root:
"admin is not in the sudoers file. this incident will be reported"
So add admin to the sudoers group and see what happens:
su
usermod -aG sudo admin
reboot
That should be fine,
because admin is also not in the sudoers file on my server. I don't think you should add it, because there might be other configurations on YunoHost which I might not be aware of,
but generally in Debian an ordinary user should also be in the sudoers file, the same as root,
so for the meantime you can add admin to the sudoers file if adding it to the group does not help you:
admin ALL=(ALL:ALL) ALL
I don't know why it's like that on your server, till someone returns with any other solution that can solve it.
Thanks for your help.
I haven't tried it but I'm pretty sure it will work. That said, @Aleks said "nononononoonono" for this modification (on this post: What to do if admin cannot sudo).
He explains that it must be managed via LDAP. I don't know what to do now.
He is right, because another system is implemented inside Debian, which is YunoHost, and there might be some other things we are not aware of, because we don't know the full structure of the system, but I don't see any danger when admin is a sudoer through the sudoers file.
That is what happens when you install Debian: if you want to use an ordinary user as a sudoer you should add it to the sudoers file.
I have many Debian systems installed without any relation to YunoHost, for example my OpenVPN server, and I did add my user to sudoers,
but in YunoHost it is a little bit different,
because admin in YunoHost's case is a front-line user; it's the user that controls everything through a web API, so it's a little bit dangerous.
If someone succeeds in manipulating the admin user with remote Python code somehow, he will be able to control the whole system,
so the admin user probably has its own inner control through LDAP to be able to execute things internally only.
But that's in theory, it's not so simple. So what I am saying is, for the meantime, if it's really urgent; if not, better that you wait for Aleks to provide a solution. I don't recommend using your admin (YunoHost system user) as a fully privileged root, for security reasons.
In another situation we don't have such control over the web or anything that can put the system at risk behind an open port as in YunoHost.
… Except the admin user was never in that group? Because the sudo group admin is supposed to be in is supposed to be the LDAP group, not the regular "unix" group … On a regular YunoHost system, grep sudo /etc/group shows that the group is empty and this is expected.
Don't do that, it's extremely dangerous. I didn't know that. I am sorry I told you that in the first place. Don't add admin to sudoers that way.
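Added example, not part of any post in this thread: a small audit that checks the two things the thread looks at, the `dpkg --list | grep sudo` package states and whether the local "sudo" group in /etc/group has members (described above as expected to be empty on YunoHost). The function names, the sample group files and the assumption that `ii sudo-ldap` is the intended package state are mine, not YunoHost's.

```shell
#!/bin/sh
# Added example (not from the thread). Sample inputs below are constructed.

# Read `dpkg --list` text on stdin; print "<state> <package>" for sudo packages.
sudo_pkg_states() {
    awk '$2 == "sudo" || $2 == "sudo-ldap" { print $1, $2 }'
}

# Print the member list of the local "sudo" group from a group(5) file.
local_sudo_members() {
    awk -F: '$1 == "sudo" { print $4 }' "${1:-/etc/group}"
}

# Return 0 if the inputs match the state assumed to be intended here:
# sudo-ldap installed ("ii") and the local sudo group empty. Otherwise 1.
audit_sudo() {   # $1 = file with dpkg --list output, $2 = group file
    audit_rc=0
    if ! sudo_pkg_states < "$1" | grep -qx 'ii sudo-ldap'; then
        echo "WARN: sudo-ldap is not in state ii"; audit_rc=1
    fi
    members=$(local_sudo_members "$2")
    if [ -n "$members" ]; then
        echo "WARN: local sudo group has members: $members"; audit_rc=1
    fi
    return "$audit_rc"
}

# Constructed sample data: package lines as in the thread, plus two group files.
tmp=$(mktemp -d)
cat > "$tmp/dpkg.txt" <<'EOF'
rc  sudo       1.9.5p2-3 amd64 Provide limited super user privileges to specific users
ii  sudo-ldap  1.9.5p2-3 amd64 Provide limited super user privileges to specific users
EOF
printf 'root:x:0:\nsudo:x:27:\n' > "$tmp/group.expected"
printf 'root:x:0:\nsudo:x:27:admin\n' > "$tmp/group.drifted"  # after usermod -aG sudo admin

audit_sudo "$tmp/dpkg.txt" "$tmp/group.expected" && echo "expected state"
audit_sudo "$tmp/dpkg.txt" "$tmp/group.drifted"  || echo "drift detected"
```

On a real host, pass a file holding `dpkg --list` output and `/etc/group` to `audit_sudo` instead of the constructed samples.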