Cannot "sudo su root"
Tagged: AEP conduit superuser su sudo
- This topic has 12 replies, 2 voices, and was last updated 6 years, 3 months ago by Jeff Hatch.
October 2, 2018 at 10:41 am #26435 William Laing (Participant)
Good day –
We’re trying to install software on one of our MultiConnect Conduits:
> MTCDT-LVW2-246A, AEP Firmware 1.6.2
The installation requires changing to root. However, “sudo su” or “sudo su root” does nothing. User remains admin.
Any help appreciated!
Thank you.
October 2, 2018 at 12:53 pm #26436 Jeff Hatch (Keymaster)
William,
Is your software checking for user ID 0 (zero) or is it actually checking the username? On AEP the admin user doesn’t have sudo privilege; however, its user ID is 0, the same as root.
Jeff
October 3, 2018 at 9:09 am #26445 William Laing (Participant)
Thanks for the response, Jeff.
It’s a third-party software package, so I emailed them about it.
But we were able to install their software on a couple Conduits several times in the past with an earlier AEP firmware (1.4.16).
Did the ability to sudo go away with AEP 1.6.2?
Thanks,
William
October 3, 2018 at 10:18 am #26448 Jeff Hatch (Keymaster)
William,
The sudo program did get updated in the Yocto update. Another interesting piece is that the “admin” user is not in the sudoers file, and I’m assuming not in the sudo group:
admin@mtcdt:~# sudo -s
admin is not in the sudoers file. This incident will be reported.
The sudo program didn’t go away, but something appears to have changed to prevent the admin user from successfully using sudo.
Jeff
October 3, 2018 at 10:24 am #26449 Jeff Hatch (Keymaster)
William,
I added the following under the “User privilege specification” in /etc/sudoers:
admin ALL=(ALL) ALL
And then as admin user I was able to do a “sudo -s”.
Jeff
October 3, 2018 at 10:26 am #26450 William Laing (Participant)
Thanks for looking into this, Jeff.
I’m not a Linux admin expert. Is this something I can change with visudo?
Or should I roll our Conduits back to AEP 1.4.16?
Thanks,
William
October 3, 2018 at 11:02 am #26456 Jeff Hatch (Keymaster)
William,
Yes, this is a change you can make with visudo. You should be able to work around this limitation using visudo and adding the line from my previous comment.
Jeff
October 4, 2018 at 9:20 am #26476 William Laing (Participant)
Hi Jeff,
I used visudo to make the change, but I’m still getting an error with the third-party vendor’s installation script even if I execute with sudo -s <install_script_name.sh>:
Error: Software must be installed as root.
Execute ‘sudo su root’ and retry the install
Is there any way to make ‘sudo su root’ work on the new version of firmware like it used to?
Thanks,
William
October 4, 2018 at 10:58 am #26477 Jeff Hatch (Keymaster)
William,
That software must be doing a “whoami” and looking for root instead of doing an “id -u $USER” or something like that. The uid of admin is the same as root on the AEP device: 0 (zero). The behavior of the “sudo su root” on the Conduit appears to be different than it is on systems like Ubuntu. I do not get an error when doing a “sudo su root” on AEP-1.6.2 with the changes made to the sudoers file, but “whoami” still says that I am “admin” and not “root”. If I have time today I will see if I can figure out why. It may have to do with the sudoers config file again.
Jeff
October 4, 2018 at 12:21 pm #26481 William Laing (Participant)
Thanks again for looking into this, Jeff.
I’m not getting an error when I do “sudo su root”. Nothing happens when I execute that command. I remain as user admin.
The third-party vendor’s installation script returns the error I mentioned previously.
We look forward to hearing what you discover.
Thanks,
William
October 4, 2018 at 3:15 pm #26482 Jeff Hatch (Keymaster)
William,
I figured out what is probably going on with the sudo command. I was able to successfully switch to the root user (prompt says “root@mtcdt:/run#” and whoami says root) after I did the following:
1) I moved the root user to the top of the /etc/passwd and /etc/shadow files.
2) executed “sudo -u root su” at the command line.
I think that even sudo is only going through the passwd and/or shadow files and looking for the first user with id=0. Other than the sudo command being updated I don’t know what else is influencing this change in behavior with the root user vs. any other user with id=0.
Jeff
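An added example (not part of the original posts, and not MultiTech or vendor code) of the two points in the replies above: a root check by name versus by UID, and an audit for several accounts sharing UID 0. The passwd contents are constructed, the function names are hypothetical, and first-match-in-file-order lookup is an assumption that mirrors the behavior Jeff describes.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Print every account name whose UID field (3rd) is 0, in file order.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Print the first name mapped to UID $2 in passwd-format file $1.
# Assumption: the lookup scans top to bottom and stops at the first match.
first_name_for_uid() {
    awk -F: -v uid="$2" '$3 == uid { print $1; exit }' "$1"
}

# Name-based check, like an installer comparing `whoami` output to "root".
is_root_by_name() {
    [ "$(first_name_for_uid "$1" 0)" = "root" ]
}

# UID-based check, like comparing `id -u` to 0; true for any UID 0 account.
is_root_by_uid() {
    [ "$1" -eq 0 ]
}

# Audit: succeed only when exactly one account holds UID 0.
single_uid0() {
    [ "$(uid0_accounts "$1" | wc -l)" -eq 1 ]
}

# Constructed passwd contents with admin listed before root, both UID 0.
sample_passwd() {
    printf '%s\n' \
        'admin:x:0:0:admin:/home/admin:/bin/sh' \
        'root:x:0:0:root:/home/root:/bin/sh' \
        'daemon:x:1:1:daemon:/usr/sbin:/bin/sh'
}

demo() {
    f=$(mktemp) || return 1
    sample_passwd > "$f"
    echo "UID 0 accounts: $(uid0_accounts "$f" | tr '\n' ' ')"
    echo "UID 0 resolves to: $(first_name_for_uid "$f" 0)"
    is_root_by_name "$f" || echo "name check: fails (first UID 0 name is not root)"
    is_root_by_uid 0 && echo "uid check: passes"
    single_uid0 "$f" || echo "audit: more than one UID 0 account"
    rm -f "$f"
}
demo
```

Pointing `uid0_accounts` and `single_uid0` at a device's real passwd file turns the same functions into a quick check for shared UID 0 accounts.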
October 5, 2018 at 12:42 pm #26483 William Laing (Participant)
That procedure worked, Jeff, thanks!
I’m not a Linux admin guru, but it’s interesting that the changes to those two files are undone after a Conduit restart. In any case, we’re up and running.
Thanks, and have a great weekend!
William
October 5, 2018 at 2:36 pm #26485 Jeff Hatch (Keymaster)
Hello William,
The explanation for why the changes to those files get undone is: On AEP Conduit, the API code starts up on boot and rewrites the passwd and shadow files so that the users in the database are present. This is legacy from our MTR product (which no longer behaves that way anymore), and is currently being addressed in development. There will be multiple user support (same as MTR) and no rewrites of those files in the future. In addition, I think that sudo will work the way it does on other Linux variants. These updates will be released late Q1 next year or early Q2 (at least that’s what the schedule says).
Jeff