linux - Why does a double sudo modify permissions?
2014-07
Context:
ssh
ed into an AWS t1.micro instance running Amazon Linux 2013.09, using the default ec2-user
. I'm trying to list the contents of the default postgresql directory:
What's in there?
$ ls /var/lib/pgsql9/
ls: cannot open directory /var/lib/pgsql9/: Permission denied
Ok. Who owns this?
$ ls -l /var/lib | grep pgsql
drwx------ 4 postgres postgres 4096 Jun 22 16:06 pgsql9
Ah. Silly me.
$ sudo -u postgres ls /var/lib/pgsql9/
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for ec2-user:
... What? ec2-user
has a password? Time for a bigger gun.
$ sudo sudo -u postgres ls /var/lib/pgsql9/
backups data
Success! Now, off to superuser.com to figure out what happened.
Why does sudo sudo
behave differently than sudo
?
Amazon EC2 is built like Ubuntu: no root
access and everything is done with sudo
instead.
What your sudo
command did was try to impersonate postgres
, requiring permission to do so. ec2-user
does not have this permission, so sudo
will ask for a password (which will fail because it doesn't have one).
When you did sudo sudo
, you are invoking the second sudo
as root which has the permissions to impersonate other users, so the command works. Because of the way sudo
is configured (the NOPASSWD line in sudoers) it doesn't need a password to execute as root.
I have an Amazon EC2 instance. I can login just fine, but neither "su" nor "sudo" work now (they worked fine previously):
"su" requests a password, but I login using ssh keys, and I don't think the root user even has a password.
"sudo
<anything>
" does this:
sudo: /etc/sudoers is owned by uid 222, should be 0
sudo: no valid sudoers sources found, quitting
I probably did "chown ec2-user /etc/sudoers" (or, more likely "chown -R ec2-user /etc" because I was sick of rsync failing), so this is my fault.
How do I recover? I stopped the instance and tried the "View/Change User Data" option on the AWS EC2 console, but this didn't help.
EDIT: I realize I could kill this instance and create a new one, but was hoping to avoid something that extreme.
In that kind of situation I think you should be able to use a second instance to fix the problem:
- Detach the EBS disk containing the broken system
- Create another EC2 instance
- Attach & mount the disk to the new instance
- Fix the permissions
- Umount, detach & reattach to the original instance
Looks like you've answered this yourself...
I probably did "chown ec2-user /etc/sudoers" (or, more likely "chown -R ec2-user /etc" because I was sick of rsync failing), so this is my fault.
Either way, I don't think you can resolve this without gaining a root shell. (I'm unsure what recovery methods are possible on ec2?)
If you did indeed recursively chown /etc then I think rebuilding the server is the best way to go.