Admin is not in the sudoers file. this incident will be reported

:uk:/:us: My YunoHost server

Hardware: VPS bought online (OVH)
YunoHost version: 11.0.10.2
I have access to my server : Through SSH | through the webadmin |
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no (fresh install)

Description of my issue

Hi!
If I execute a “sudo” command with the “admin” account, I get an error.
I have access to the “root” account with the “su” command, but I don’t know what modifications to make to be able to execute a command with “sudo” directly from the “admin” account (it works without problem on other YunoHost servers that I own).

Thanks for your help

admin is not in the sudoers file. this incident will be reported

:fr: My YunoHost server

Hardware: VPS bought online (OVH)
YunoHost version: x.x.x
I have access to my server: Through SSH | Through the webadmin | Directly with a keyboard/screen | …
Are you in a special context or did you perform some particular tweaking on your YunoHost instance? : no / yes
If yes, explain:

Description of my issue

Hello
If I execute a “sudo” command with the admin account, I get an error.
I do have access to the “root” account with the “su” command, but I don’t know what modifications to make to be able to execute a command with “sudo” directly from the “admin” account (it works without problem on other YunoHost servers that I own).

Thanks in advance for your help

admin is not in the sudoers file. this incident will be reported

Hmf some people reported similar issues recently

Could you share the output of (as root)

slapcat | grep "admin\|sudo"
root@xxx:/home/admin# /usr/sbin/slapcat | grep "admin\|sudo"
dn: ou=sudo,dc=yunohost,dc=org
ou: sudo
dn: cn=admin,ou=sudo,dc=yunohost,dc=org
cn: admin
objectClass: sudoRole
sudoCommand: ALL
sudoUser: admin
sudoOption: !authenticate
sudoHost: ALL
structuralObjectClass: sudoRole
dn: cn=admin,dc=yunohost,dc=org
cn: admin
uid: admin
homeDirectory: /home/admin
dn: cn=admins,ou=groups,dc=yunohost,dc=org
memberUid: admin
cn: admins
mail: admin@xxxxxxx

And what about dpkg --list | grep sudo ?

root@tmp:/home/admin# dpkg --list | grep sudo
rc  sudo                                  1.9.5p2-3                                          amd64        Provide limited super user privileges to specific users
ii  sudo-ldap                             1.9.5p2-3                                          amd64        Provide limited super user privileges to specific users

Annnd let’s also check if ‘sudo-ldap’ is reported “active (exited)” in green with

systemctl status sudo-ldap

Possibly maybe systemctl restart sudo-ldap can fix the situation, but doesn’t really explain why it happens in the first place

● sudo-ldap.service - LSB: Provide limited super user privileges to specific users
     Loaded: loaded (/etc/init.d/sudo-ldap; generated)
     Active: active (exited) since Wed 2022-11-30 14:18:43 UTC; 3h 7min ago
       Docs: man:systemd-sysv-generator(8)
    Process: 2680 ExecStart=/etc/init.d/sudo-ldap start (code=exited, status=0/SUCCESS)
        CPU: 11ms

Nov 30 14:18:43 xxxx systemd[1]: Starting LSB: Provide limited super user privileges to specific users...
Nov 30 14:18:43 xxxx systemd[1]: Started LSB: Provide limited super user privileges to specific users.

Unfortunately, systemctl restart sudo-ldap doesn’t fix anything.
I tried rebooting my server; that doesn’t fix anything either.

Hi!
I tried restarting again but that still doesn’t fix the error. Do you have another idea?

Thanks

Just check your sudoers file to see if everything is properly configured there:

cd /
nano /etc/sudoers

If it doesn’t look like my file, just write the same line, save the file, then reboot.

Thanks for your help, it seems to be the same…

What happens if you try to add root to the sudoers group manually?

su
usermod -aG sudo root
reboot

I just realized your admin is not in the sudoers group, not root:
“admin is not in the sudoers file. this incident will be reported”

So add admin to the sudoers group and see what happens:

su
usermod -aG sudo admin
reboot

That should be fine,
because admin is not in the sudoers file on my server either. I don’t think you should add it, because there might be other configurations in YunoHost which I might not be aware of,
but generally in Debian an ordinary user should also be in the sudoers file, the same as root.

So for the meantime you can add admin to the sudoers file if adding it to the group doesn’t help you:
admin ALL=(ALL:ALL) ALL

I don’t know why it’s like that on your server, until someone returns with another solution that can solve it.

Hi!

Thanks for your help.
I haven’t tried it, but I’m pretty sure it will work. That said, @Aleks said “nononononoonono” about this modification (in this post: What to do if admin cannot sudo).
He explains that it must be managed via LDAP. I don’t know what to do now.

He is right, because another system is implemented inside Debian, which is YunoHost, and there might be some other things we are not aware of, because we don’t know the full structure of the system, but I don’t see any danger when admin is in sudoers through the sudoers file.
That is what happens when you install Debian: if you want to use an ordinary user as a sudoer, you should add it to the sudoers file.
I have many Debians installed without any relation to YunoHost, for example my OpenVPN server, and I did add my user to sudoers.

But in YunoHost it is a little bit different,
because admin in YunoHost’s case is a front-line user; it’s the user that controls everything through a web API, so it’s a little bit dangerous.
If someone manages to manipulate the admin user with remote Python code somehow, he will be able to control the whole system.

So the admin user probably has its own inner control through LDAP to be able to execute things internally only.

But that’s in theory; it’s not so simple. So what I am saying for the meantime is: if it’s really urgent, do it; if not, you had better wait for Aleks to provide a solution. I don’t recommend using your admin (YunoHost system user) as a fully root-privileged user, for security reasons.

In other situations we don’t have such control over the web or anything that can risk the system behind an open port, as in YunoHost.

Oh, I just read what Aleks said to the other user:

… Except the admin user was never in that group ? Because the sudo group admin is supposed to be in is supposed to be the LDAP group, not the regular “unix” group … On a regular Yunohost system, grep sudo /etc/group shows that the group is empty and this is expected.

Don’t do that, it’s extremely dangerous. I didn’t know that; I am sorry I told you that in the first place. Don’t add admin to sudoers that way.

It’s as I thought.

I have no idea what I’m doing, but investigating what /etc/init.d/sudo-ldap does, let’s double check that:

namei -l /run/sudo/ts/admin

returns:

f: /run/sudo/ts/admin
drwxr-xr-x root root /
drwxr-xr-x root root run
drwx--x--x root root sudo
drwx------ root root ts
-rw------- root 1007 admin

(or similar stuff with just /run/sudo/ts/ if /run/sudo/ts/admin doesn’t exist)

Ah also you really want to make sure that:

grep sudo /etc/nsswitch.conf

displays:

sudoers:	files ldap

And also:

ls -l /etc/sudo-ldap.conf

should return:

lrwxrwxrwx 1 root root 14 Whatever /etc/sudo-ldap.conf -> ldap/ldap.conf
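The three checks this thread asks for (the admin sudoRole in the slapcat output earlier in the thread, the sudoers: files ldap line in nsswitch.conf, and the /etc/sudo-ldap.conf -> ldap/ldap.conf symlink) can be scripted so that a healthy and a broken state can be compared side by side. The script below is an added example and is not YunoHost’s own tooling; the function names, the root-directory argument and the two constructed sample trees it builds are all assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: checks for a sudo-ldap setup like the one discussed in this thread.
# Every check takes a root directory, so it can run against constructed sample trees
# as well as against "/" on a live system. Not part of YunoHost.

# check_nsswitch ROOT: succeed if ROOT/etc/nsswitch.conf consults ldap for sudoers
check_nsswitch() {
    grep -Eq '^[[:space:]]*sudoers:.*[[:space:]]ldap([[:space:]]|$)' "$1/etc/nsswitch.conf" 2>/dev/null
}

# check_symlink ROOT: succeed if ROOT/etc/sudo-ldap.conf is a symlink to ldap/ldap.conf
check_symlink() {
    [ -L "$1/etc/sudo-ldap.conf" ] && [ "$(readlink "$1/etc/sudo-ldap.conf")" = "ldap/ldap.conf" ]
}

# check_sudo_role LDIF USER: succeed if the slapcat LDIF holds a sudoRole for USER
# (dn cn=USER,ou=sudo,dc=yunohost,dc=org) with objectClass sudoRole and sudoCommand ALL.
check_sudo_role() {
    awk -v dn="dn: cn=$2,ou=sudo,dc=yunohost,dc=org" -v user="$2" '
        $0 == dn { inrole = 1; next }                 # enter the role entry
        inrole && (/^dn: / || /^$/) { inrole = 0 }    # next entry ends it
        inrole && $0 == "objectClass: sudoRole" { oc = 1 }
        inrole && $0 == "sudoCommand: ALL" { cmd = 1 }
        inrole && $0 == ("sudoUser: " user) { usr = 1 }
        END { exit !(oc && cmd && usr) }
    ' "$1"
}

# audit ROOT LDIF: run all checks, print one line each, succeed only if all pass
audit() {
    rc=0
    if check_nsswitch "$1"; then echo "ok   nsswitch.conf sudoers: ... ldap"; else echo "FAIL nsswitch.conf sudoers line"; rc=1; fi
    if check_symlink "$1"; then echo "ok   /etc/sudo-ldap.conf symlink"; else echo "FAIL /etc/sudo-ldap.conf symlink"; rc=1; fi
    if check_sudo_role "$2" admin; then echo "ok   LDAP sudoRole for admin"; else echo "FAIL LDAP sudoRole for admin"; rc=1; fi
    return $rc
}

# make_sample healthy|broken: build a constructed sample tree and print its path.
# The LDIF lines are constructed to mirror the slapcat output posted in this thread.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/ldap"
    : > "$root/etc/ldap/ldap.conf"
    if [ "$1" = "healthy" ]; then
        printf 'passwd:\tfiles ldap\nsudoers:\tfiles ldap\n' > "$root/etc/nsswitch.conf"
        ln -s ldap/ldap.conf "$root/etc/sudo-ldap.conf"
        printf '%s\n' \
            'dn: cn=admin,ou=sudo,dc=yunohost,dc=org' 'cn: admin' \
            'objectClass: sudoRole' 'sudoCommand: ALL' 'sudoUser: admin' \
            'sudoOption: !authenticate' 'sudoHost: ALL' \
            'dn: cn=admin,dc=yunohost,dc=org' 'cn: admin' 'uid: admin' > "$root/slapcat.ldif"
    else
        # sudoers only consults files, symlink missing, and no sudoRole entry at all
        printf 'passwd:\tfiles ldap\nsudoers:\tfiles\n' > "$root/etc/nsswitch.conf"
        printf '%s\n' 'dn: cn=admin,dc=yunohost,dc=org' 'cn: admin' 'uid: admin' > "$root/slapcat.ldif"
    fi
    echo "$root"
}

# Usage: sh sudo_ldap_check.sh demo          audits the two constructed trees
#        slapcat > /tmp/slapcat.ldif; sh sudo_ldap_check.sh / /tmp/slapcat.ldif
case "${1:-}" in
    demo)
        for state in healthy broken; do
            sample=$(make_sample "$state")
            echo "== $state sample"
            audit "$sample" "$sample/slapcat.ldif"
            rm -rf "$sample"
        done ;;
    "") ;;
    *) audit "$1" "$2" ;;
esac
```

On a live system, audit / /tmp/slapcat.ldif reports which of the three conditions is missing; on the thread’s server the symlink check is the one that fails, since ls reports that /etc/sudo-ldap.conf does not exist.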

OK, here is the first lead since the start of my tests

root@tmp:/home/admin# ls -l /etc/sudo-ldap.conf
ls: cannot access '/etc/sudo-ldap.conf': No such file or directory

I tried this on another YunoHost server and it returns the same as yours.