
I've got 3 Ubuntu 14.04 VMs on a remote hosting for code repository and testing purposes. I've had them for more than 1 year now. Two of them are working properly, but on one of them I can't run root commands anymore. I disabled root access and I log in as "user1", using sudo to run commands. But now it says that the user is no longer in the sudoers (the last time I logged in, 2 days ago, I didn't change anything).

I've seen that the sudoers file has not been changed for months. I tried to log in as root by running su, but it says that the authentication is wrong.

I'm writing here just as a last chance before running a reinstall command (I can't enter recovery mode because it is a remote hosting VM...). Did it happen to someone else? Because I don't know what to think: 1) server hacked; 2) file corruption (but it says that the user is not in, not that there is an error reading it, and the root password should work); 3) no idea...

Thanks

[Update] this is the output from `stat /etc/sudoers`:

      File: "/etc/sudoers"
      Dim.: 745             Blocchi: 8          Blocco di IO: 4096   file regolare
    Device: 801h/2049d      Inode: 653038      Coll.: 1
    Accesso: (0440/-r--r-----)  Uid: (    0/    root)   Gid: (    0/    root)
    Accesso  : 2014-11-13 12:56:19.622105032 +0100
    Modifica : 2014-02-10 20:16:26.000000000 +0100
    Cambio   : 2014-06-22 09:50:38.421005615 +0200
    Creazione: -
Nadavdan
  • possible duplicate of [How do I deal with a compromised server?](http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – Hrvoje Špoljar Nov 13 '14 at 15:53
  • Interesting answer, but unfortunately I'm unable to make operations like that. And I don't know if it has been hacked or not (everything is working, just can't run root commands). – Nadavdan Nov 13 '14 at 16:08
  • Question is simple; either you forgot the password or someone took over your machine – Hrvoje Špoljar Nov 13 '14 at 16:10
  • Thank you for your answer, but there's no way I forgot the password. I've used it for months now and I can log in to the system, I just cannot run root commands (and with sudo I use the same login password...). About hacking, it was what I thought, but it's weird that someone didn't use it, just locking me out of root. – Nadavdan Nov 13 '14 at 17:01
  • can you update answer with output of `stat /etc/sudoers` please – Hrvoje Špoljar Nov 13 '14 at 17:12
  • Your user must belong to the sudo group that has elevated privileges in sudoers. Did you happen to make changes to your user's group membership recently? Perhaps you accidentally removed yourself from the sudo group. I've done this before too. It's easy to do. – hookenz Nov 13 '14 at 19:32
  • The way I messed up was, as I recall, "usermod -G groupname username" instead of "usermod -aG groupname username". Rather than add my user to another group, I did that but in the process removed myself from all other groups. – hookenz Nov 13 '14 at 19:34
  • @Matt I think you perfectly got what I did. I realized it now that I read your comment. And I locked root account, that's why I can't login as superuser. If you make the answer I'll check it. Sometimes trying to secure a server can have its drawbacks.... – Nadavdan Nov 14 '14 at 06:50
  • so based on your `stat` output `/etc/sudoers` was last changed on ` Cambio : 2014-06-22 09:50:38.421005615 +0200` so it was not changed any time recently, you can rule that one out... – Hrvoje Špoljar Nov 16 '14 at 00:20

1 Answer


Not that long ago I accidentally removed myself from the sudoers file by attempting to add my user to another group.

Instead of typing the intended:

    usermod -aG groupname username

I instead typed, I believe, the following:

    usermod -G groupname username

What happened? Well, it did add me to one group, but removed me from all the others, including sudo.

Net result? I can't sudo anymore.

To fix it, I had to reboot the server, start in recovery mode and go straight to a shell. I think I fixed my group permissions and rebooted.

hookenz
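The lockout described in this answer (and in the comments above) comes from `usermod -G` replacing the supplementary group list instead of appending to it. The following shell functions, an added example that is not part of the original answer, simulate both behaviours on a constructed `id -Gn` group list and refuse a change that would drop the sudo group, so the check can be run before touching a real account; `resulting_groups`, `keeps_admin_group` and the sample group list are assumptions of this example, not anything from the post.

```shell
#!/bin/sh
# Added example (not from the original post): model what `usermod -G`
# (replace) and `usermod -aG` (append) do to a user's group list, and
# refuse a change that would drop the admin group. Pure string handling,
# so it runs without root and never touches /etc/group.

# Print the group list after the change, in `id -Gn` form: the first
# word is the primary group, which usermod -G does not change.
#   $1 = "replace" (usermod -G) or "append" (usermod -aG)
#   $2 = current `id -Gn user` output, space-separated
#   $3 = comma-separated groups given on the usermod command line
resulting_groups() {
    mode=$1; current=$2; new=$(printf '%s' "$3" | tr ',' ' ')
    primary=${current%% *}
    case $mode in
        replace)
            # -G without -a: supplementary groups become exactly $new
            printf '%s %s\n' "$primary" "$new" ;;
        append)
            # -aG: keep everything, add only groups not already present
            merged=$current
            for g in $new; do
                case " $merged " in
                    *" $g "*) ;;
                    *) merged="$merged $g" ;;
                esac
            done
            printf '%s\n' "$merged" ;;
        *) return 2 ;;
    esac
}

# Return 0 if the admin group ($4, default "sudo") survives the change,
# 1 if it would be lost, 2 on an unknown mode.
keeps_admin_group() {
    after=$(resulting_groups "$1" "$2" "$3") || return 2
    case " $after " in
        *" ${4:-sudo} "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed group list for user1 (what `id -Gn user1` might print on
# an Ubuntu box where user1 is an administrator).
SAMPLE_GROUPS="user1 adm cdrom sudo dip plugdev"

# Preview the two commands from the answer against the sample list.
echo "usermod -G  docker -> $(resulting_groups replace "$SAMPLE_GROUPS" docker)"
echo "usermod -aG docker -> $(resulting_groups append "$SAMPLE_GROUPS" docker)"
```

Run with the real `id -Gn "$user"` output as the second argument to preview a change on a live system before executing it.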