loosing and regaining sudo on ubuntu 13.10

February 9, 2014

For reasons which I’m not even going to try to explain (even if I could give you a rational explanation), I managed, all on my own, to loose sudo capability on my Ubuntu notebook. How? In a fit of paranoia I started to lock down my notebook, removing any unneeded software and capabilities, operating under the principle of least privilege. I do that for software as well as my system accounts, stepping up to a higher privilege only when absolutely necessary. Unfortunately, on every consumer OS I’ve used, just about everything non-trivial you really need to do to the system requires administrator/root privileges.

In trying to do the “right thing”, I changed my Account Type on the User Account GUI (see above) from Administrator to Standard (going to the lesser privilege) and in the process lost sudo privileges.

I found out what I’d done to myself when I went to start working on my Raspberry Pi and needed to flash one of my SDHC cards with one of my Arch Linux images. You need sudo to run dd in order to copy the image to the card. Except, this time, when I tried to use sudo, I got the ominous error message that I wasn’t in the sudoers file.

And, of course, I only have one account on my Ubuntu notebook. At that time, not even root.

Shit.

This is where having a copy of the ISO you initially set up your Ubuntu system within easy reach is so vital. Mine is on a 2GB thumb drive. I plugged the thumb drive back in and booted into the live Ubuntu image on the thumb drive. Fortunately for me, Ubuntu Live can be used to rescue (or break into, depending) an existing system. The problem wasn’t in the sudoers file, it was in the group file.

/etc/group is an ASCII file which defines the groups to which users belong, one group per line in the file. Each line is formatted as

group_name:passwd:GID:user_list

where group_name is, in this instance, sudo, and the user_list should have the account you operate. For example, on my system, I operate from the ubuntu account. The /etc/group entry should look like

sudo:x:27:ubuntu

Instead, when I opened it up on repair mode, it looked like

sudo:x:27:

Uh-huh. I put the account name back in the group file, rebooted into Ubuntu, and had sudo privileges back. The last thing I did was to enable root on Ubuntu. You do this with ‘sudo passwd root’, enter a root password, and then have a root account. You can’t login as root from the graphical page (you can from the console command line), but you can still log in as a regular account and ‘su -‘ to root. There are all sorts of warnings about enabling root, but when you can just blow your sudo rights at the drop of a hat, you really do need a backup account to restore yourself besides booting into rescue mode. I still work from least privilege whenever possible, but I need this alternative as a developer, properly locked down until needed.