Cannot "sudo su root"

Home Forums Conduit: AEP Model Cannot "sudo su root"

Viewing 13 posts - 1 through 13 (of 13 total)
  • Author
    Posts
  • #26435
    William Laing
    Participant

    Good day –

    We’re trying to install software on one of our MultiConnect Conduits:

    > MTCDT-LVW2-246A, AEP Firmware 1.6.2

    The installation requires changing to root. However, “sudo su” o “sudo su root” does nothing. User remains admin.

    Any help appreciated!

    Thank you.

    #26436
    Jeff Hatch
    Keymaster

    William,

    Is your software checking for user ID 0 (zero) or is it actually checking the username? On AEP the admin user doesn’t have sudo privilege, however, it’s user ID is 0, the same as root.

    Jeff

    #26445
    William Laing
    Participant

    Thanks for the response, Jeff.

    It’s a third-party software package, so I emailed them about it.

    But we were able to install their software on a couple Conduits several times in the past with an earlier AEP firmware (1.4.16).

    Did the ability to sudo go away with AEP 1.6.2?

    Thanks,
    William

    #26448
    Jeff Hatch
    Keymaster

    William,

    The sudo program did get updated in the Yocto update. Another interesting piece is that the “admin” user is not in the sudoers file, and I’m assuming not in the sudo group:

    admin@mtcdt:~# sudo -s
    admin is not in the sudoers file. This incident will be reported.

    The sudo program didn’t go away, but something appears to have changed to prevent the admin user from successfully using sudo.

    Jeff

    #26449
    Jeff Hatch
    Keymaster

    William,

    I added the following under the “User privilege specification” in /etc/sudoers:

    admin ALL=(ALL) ALL

    And then as admin user I was able to do a “sudo -s”.

    Jeff

    #26450
    William Laing
    Participant

    Thanks for looking into this, Jeff.

    I’m not a Linux admin expert. Is this something I can change with visudo?

    Or should I roll our Conduits back to AEP 1.4.16?

    Thanks,
    William

    #26456
    Jeff Hatch
    Keymaster

    William,

    Yes, this is a change you can make with visudo. You should be able to work around this limitation using visudo and adding the line from my previous comment.

    Jeff

    #26476
    William Laing
    Participant

    Hi Jeff,

    I used visudo to make the change, but I’m still getting an error with the third-party vendor’s installation script even if I execute with sudo -s <install_script_name.sh>:

    Error: Software must be installed as root.
    Execute ‘sudo su root’ and retry the install

    Is there any way to make ‘sudo su root’ work on the new version of firmware like it used to?

    Thanks,
    William

    #26477
    Jeff Hatch
    Keymaster

    William,

    That software must be doing a “whoami” and looking for root instead of doing an “id -u $USER” or something like that. The uid of admin is the same as root on the AEP device: 0 (zero). The behavior of the “sudo su root” on the Conduit appears to be different than it is on systems like Ubuntu. I do not get an error when doing a “sudo su root” on AEP-1.6.2 with the changes made to the sudoers file, but “whoami” still says that I am “admin” and not “root”. If I have time today I will see if I can figure out why. It may have to do with the sudoers config file again.

    Jeff

    #26481
    William Laing
    Participant

    Thanks again for looking into this, Jeff.

    I’m not getting an error when I do “sudo su root”. Nothing happens when I execute that command. I remain as user admin.

    The third-party vendor’s installation script returns the error I mentioned previously.

    We look forward to hearing what you discover.

    Thanks,
    William

    #26482
    Jeff Hatch
    Keymaster

    William,

    I figured out what is probably going on with the sudo command. I was able to successfully switch to the root user (prompt says “root@mtcdt:/run#” and whoami says root) after I did the following:

    1) I moved the root user to the top of the /etc/passwd and /etc/shadow files.
    2) executed “sudo -u root su” at the command line.

    I think that even sudo is only going through the passwd and/or shadow files and looking for the first user with id=0. Other than the sudo command being updated I don’t know what else is influencing this change in behavior with the root user vs. any other user with id=0.

    Jeff

    #26483
    William Laing
    Participant

    That procedure worked, Jeff, thanks!

    I’m not a Linux admin guru, but it’s interesting that the changes to those two files are undone after a Conduit restart. In any case, we’re up and running.

    Thanks, and have a great weekend!

    William

    #26485
    Jeff Hatch
    Keymaster

    Hello William,

    The explanation for why the changes to those file get undone is: On AEP Conduit, the API code starts up on boot and rewrites the passwd and shadow files so that the users in the database are present. This is legacy from our MTR product (which no longer behaves that way anymore), and is currently being addressed in development. There will be multiple user support (same as MTR) and no rewrites of those files in the future. In addition, I think that sudo will work the way it does on other Linux variants. These updates will be released late Q1 next year or early Q2 (at least that’s what the schedule says).

    Jeff

Viewing 13 posts - 1 through 13 (of 13 total)
  • You must be logged in to reply to this topic.