What to do if admin cannot sudo

sssammm · September 6, 2022, 5:58pm

I everyone

I recently encoutered the same issue as described here, namely after restoring a backup on a different device (Raspberry Pi) when trying to use sudo with the admin user, I got the following error message:

user is not allowed to run sudo on mydomain. This incident will be reported.

It turned out I could not switch to the root account using su and the root password either. So what I ended up doing was the following:

Turning-off the server, taking out the sd-card and mounting it on my Linux laptop
Then, I added my ssh public key to the root account by manually editing the /root/.ssh/authorized_keys file. I followed this tutorial to this aim (beware to edit the file on the SD card and not the one of the host computer).
The next step was to activate root logging by ssh by setting PermitRootLogin yes to /etc/ssh/sshd_config, following the instructions here. This may have been unnecessary according to the doc, as I was on the same local network.
Then, I unmounted the card, put it back to the Pi, started it again and logged in as root directly, not admin.
From the root account, I added the admin user back to the sudo group with usermod -a -G sudo admin.
Then, I deactivated the ssh root login again (do not forget to restart the sshd service).

After this, I could use sudo with the admin user again. Maybe there would have been a better way, though.

Aleks · September 6, 2022, 6:30pm

tumblr_b20a26a19cd5fdbadb552035b435d6f2_73d60c57_500

nononononoonono …

If you can’t sudo yet you still need to become root to debug stuff, then run su instead, enter root’s password (= the admin password on a regular yunohost setup), and you’ll be root … No need to unplug the SD card and edit it on another system ogod

activate root logging by ssh by setting PermitRootLogin yes

… If you have Yunohost’s default SSH config, then root login on SSH is permitted if you’re on the same local network (read the file entirely to get convinced of this) … so if you’re able to grab the SD card, pretty sure you are on the same local network as the server ?

added the admin user back to the sudo group with usermod -a -G sudo admin.

… Except the admin user was never in that group ? Because the sudo group admin is supposed to be in is supposed to be the LDAP group, not the regular “unix” group … On a regular Yunohost system, grep sudo /etc/group shows that the group is empty and this is expected.

Maybe this works for you, but admin doesn’t randomly vanish from the LDAP group and I wouldn’t be surprised that there are bigger issues on your setup … So the real questions are :

what happened before this issue started to show up …
what does slapcat | grep sudo returns …

sssammm · September 7, 2022, 8:22pm

Thanks a lot for your answer @Aleks. I appreciate people taking time for these kind of situation despite the potential dummy mistakes

Regarding your points above:

run su instead, enter root’s password (= the admin password on a regular yunohost setup)

This is what I was trying to do. Actually, I was facing the same issue as described in the issue I linked above (at least that’s my guess). I wanted to run a yunohost command with sudo and got the error message after entering the admin password. I tried to run su and to enter the admin password and got an error as well (su: Authentication failure if I am not mistaken).

If you have Yunohost’s default SSH config, then root login on SSH is permitted if you’re on the same local network

Indeed, my bad.

what happened before this issue started to show up …

Some background may help at this stage. The system where I perfomed this is actually a Raspberry Pi where I tried to restore a backup of my prod instance (located in a data center) for test purposes. I basically started from Raspbian, then used the bash script installer and restored the backup before the post-installation (I wasn’t aware that there were images for the Pi itself). In order to do this, I activated the root account before running the script. So my assumption was that somehting went wrong during the restoration. I therefore tried to use the old root password instead of the admin password when running su, which was not useful. Then, I assumed (wrongly) that the restoration process had locked the root accound and kicked the admin user out of the sudo unix group. Hence my attempts.

what does slapcat | grep sudo returns …

I get the following output:

ou: sudo
dn: cn=admin,ou=sudo,dc=yunohost,dc=org
objectClass: sudoRole
sudoCommand: ALL
sudoUser: admin
sudoOption: !authenticate
sudoHost: ALL
structuralObjectClass: sudoRole

Surprinsingly enough, I just set the root password to the same value as the admin password and removed admin from the sudo group. Now, it seems that I can run sudo yunohost commands with the admin user again. So at least the problem seems to be solved properly for me. Could it be that the fact that the original root password and the admin password did not coincide caused this? Or am I overseeing something trivial?

Thanks again for your time.

petesim · September 10, 2022, 8:11pm

Sorry, encountered the same message admin is not in the sudoers file. This incident will be reported. And following your discussion I still wonder what is recommended way to remediate? In contrast to @sssammm I didn’t do anything to the system yet, and my state came from plain recover of backup to another VPS instance and setting SSH port since the new hosting prohibit 22 in spite of another port.

As in my case su doesn’t work as well, looks like I will need to redo the migration. But I still need to know what to do to empower admin user again. Should note, that previously there was no such problem after restoring on new instance.

petesim · September 11, 2022, 12:48am

tried to upgrade the system to latest versions before migration
but no luck

neither sudo, neither sudo su, neither su – nothing works
=((

Strabisme · April 9, 2023, 2:58pm

Hi, I’m encountering the same issue, I’m trying to export my backups on an external HDD but I can’t even access the file yunohost.archives because of my permissions.

I tried the su and su -l numerous times with no success, I get only su: Authentication failure by putting my usual password. I even tried with another password I use for admin stuff and it doesn’t work anyway.

Strabisme · April 9, 2023, 3:05pm

Okay so I found out by doing grep sudo /etc/group that it was another username for my admin stuff than the usual one and the su "that user" worked with my passwords.

Sorry I’m not very competent T_T

Si des personnes francophones rencontrent ce problème je peux traduire en français le topic au besoin, j’ai répondu en anglais car c’était déjà en anglais.

Strabisme · April 9, 2023, 3:07pm

AH, so I could login to that other user, but the usual “authentication failure” is going on again ;-; so no I had false hopes