linux - Why does a double sudo modify permissions?

07
2014-07
  • kdbanman

    Context:

    sshed into an AWS t1.micro instance running Amazon Linux 2013.09, using the default ec2-user. I'm trying to list the contents of the default postgresql directory:

    What's in there?

    $ ls /var/lib/pgsql9/
    
    ls: cannot open directory /var/lib/pgsql9/: Permission denied
    

    Ok. Who owns this?

    $ ls -l /var/lib | grep pgsql
    drwx------ 4 postgres postgres 4096 Jun 22 16:06 pgsql9
    

    Ah. Silly me.

    $ sudo -u postgres ls /var/lib/pgsql9/
    
    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:
    
        #1) Respect the privacy of others.
        #2) Think before you type.
        #3) With great power comes great responsibility.
    
    [sudo] password for ec2-user:
    

    ... What? ec2-user has a password? Time for a bigger gun.

    $ sudo sudo -u postgres ls /var/lib/pgsql9/
    backups  data
    

    Success! Now, off to superuser.com to figure out what happened.

    Why does sudo sudo behave differently than sudo?

  • Answers
  • Nathan C

    Amazon EC2 is built like Ubuntu: no root access and everything is done with sudo instead.

    What your sudo command did was try to impersonate postgres, requiring permission to do so. ec2-user does not have this permission, so sudo will ask for a password (which will fail because it doesn't have one).

    When you did sudo sudo, you are invoking the second sudo as root which has the permissions to impersonate other users, so the command works. Because of the way sudo is configured (the NOPASSWD line in sudoers) it doesn't need a password to execute as root.
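The three invocations from the question, worked through with a simplified sudoers evaluator. This is example code added for this page, not sudo's own logic and not anything posted in the thread: it models only the `USER HOST=(RUNAS) [NOPASSWD:] CMD` form, sudo's last-match-wins rule, the fact that a rule without a Runas_Spec only permits running as root, and root's default exemption from authentication. `DEFAULT_POLICY` mirrors the `ec2-user ... NOPASSWD: ALL` rule the answer refers to; `SCOPED_POLICY` is a constructed least-privilege alternative that grants the one command as postgres instead of relying on `sudo sudo`:

```shell
#!/bin/sh
# Added example: a toy sudoers evaluator (constructed, not sudo's real parser).
# Rule form modelled: USER HOST=(RUNAS) [NOPASSWD:|PASSWD:] CMD ; last match wins.
# Host matching, globs, command arguments and Defaults lines are not modelled.

# sudo_decision INVOKING_USER TARGET_USER COMMAND POLICY
#   prints "denied", "allowed (no password)" or "allowed (password required)"
sudo_decision() {
    invoking=$1 target=$2 command=$3 policy=$4
    verdict=denied
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        ruser=${line%%' '*}          # "ec2-user"
        rest=${line#*' '}            # "ALL=(postgres) NOPASSWD: /bin/ls"
        rest=${rest#*=}              # drop "HOST="
        runas=root                   # no Runas_Spec: root only (runas_default)
        case $rest in
            \(*) runas=${rest%%\)*}; runas=${runas#\(}
                 rest=${rest#*\)}; rest=${rest#' '} ;;
        esac
        nopasswd=no
        case $rest in
            NOPASSWD:*) nopasswd=yes; rest=${rest#NOPASSWD:}; rest=${rest#' '} ;;
            PASSWD:*)   rest=${rest#PASSWD:}; rest=${rest#' '} ;;
        esac
        cmd=$rest
        # user, runas and command must all match for the rule to apply
        [ "$ruser" = "$invoking" ] || [ "$ruser" = ALL ] || continue
        [ "$runas" = "$target" ]   || [ "$runas" = ALL ] || continue
        [ "$cmd" = ALL ] || [ "$cmd" = "$command" ] || continue
        # root is never asked for a password by default (no rootpw/targetpw)
        if [ "$invoking" = root ] || [ "$nopasswd" = yes ]; then
            verdict='allowed (no password)'
        else
            verdict='allowed (password required)'
        fi
    done <<EOF
$policy
EOF
    printf '%s\n' "$verdict"
}

# Constructed policy resembling the Amazon Linux default the answer describes.
DEFAULT_POLICY='root ALL=(ALL) ALL
ec2-user ALL=NOPASSWD: ALL'

# Constructed least-privilege alternative: one command, one target user.
SCOPED_POLICY='root ALL=(ALL) ALL
ec2-user ALL=(postgres) NOPASSWD: /bin/ls'

# The question's three cases under the default policy:
printf 'sudo -u postgres ls       (as ec2-user): %s\n' \
    "$(sudo_decision ec2-user postgres /bin/ls "$DEFAULT_POLICY")"
printf 'sudo sudo ...   first hop (as ec2-user): %s\n' \
    "$(sudo_decision ec2-user root /usr/bin/sudo "$DEFAULT_POLICY")"
printf 'sudo -u postgres ls      second hop (root): %s\n' \
    "$(sudo_decision root postgres /bin/ls "$DEFAULT_POLICY")"
# The same request under the scoped policy, with no root hop at all:
printf 'sudo -u postgres ls (scoped, as ec2-user): %s\n' \
    "$(sudo_decision ec2-user postgres /bin/ls "$SCOPED_POLICY")"
```

The first case comes out `denied` because the `ec2-user` rule carries no `(RUNAS)` part, so it only permits running as root; sudo still prompts for a password before it reports that the command is not permitted, which is the prompt the question shows. The scoped policy reaches postgres in one hop and never grants a root shell on the way.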


  • Related Question

    Lost sudo/su on Amazon EC2 instance
  • barrycarter

    I have an Amazon EC2 instance. I can login just fine, but neither "su" nor "sudo" work now (they worked fine previously):

    • "su" requests a password, but I login using ssh keys, and I don't think the root user even has a password.

    • "sudo <anything>" does this:

    sudo: /etc/sudoers is owned by uid 222, should be 0
    sudo: no valid sudoers sources found, quitting


    I probably did "chown ec2-user /etc/sudoers" (or, more likely "chown -R ec2-user /etc" because I was sick of rsync failing), so this is my fault.

    How do I recover? I stopped the instance and tried the "View/Change User Data" option on the AWS EC2 console, but this didn't help.

    EDIT: I realize I could kill this instance and create a new one, but was hoping to avoid something that extreme.


  • Related Answers
  • varesa

    In that kind of situation I think you should be able to use a second instance to fix the problem:

    • Detach the EBS disk containing the broken system
    • Create another EC2 instance
    • Attach & mount the disk to the new instance
    • Fix the permissions
    • Umount, detach & reattach to the original instance
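The "fix the permissions" step of the procedure above, as a shell script added for this page (not code from the thread, from Amazon, or from sudo). It runs as root on the rescue instance after the broken volume has been attached and mounted; the mount point is passed as the first argument, and the attach, mount, umount and detach steps are done in the AWS console or CLI rather than scripted here. It assumes GNU `stat` and `find` (present on Amazon Linux) and the standard `0440` mode for `/etc/sudoers`:

```shell
#!/bin/sh
# Added example: repair /etc/sudoers on a volume mounted under $1 (e.g. /mnt/broken).
# Assumes GNU coreutils/findutils and that the script itself runs as root.

# Report sudoers ownership/mode problems under ROOT; return 1 if any were found.
check_sudoers_perms() {
    root=$1 status=0
    f=$root/etc/sudoers
    if [ ! -f "$f" ]; then
        echo "missing: $f"; return 1
    fi
    owner=$(stat -c '%u:%g' "$f")
    mode=$(stat -c '%a' "$f")
    # sudo refuses to start unless sudoers is owned by uid 0 and not group/world
    # writable; 0440 root:root is what every distribution ships.
    [ "$owner" = 0:0 ] || { echo "owner $owner, should be 0:0: $f"; status=1; }
    [ "$mode" = 440 ]  || { echo "mode $mode, should be 440: $f"; status=1; }
    return $status
}

# List everything under ROOT/etc not owned by root.  After "chown -R ec2-user /etc"
# this list is long (shadow, passwd, ssh host keys, ...), which is the case where
# rebuilding the instance is the safer option.
list_nonroot_etc() {
    find "$1/etc" ! -uid 0 -print
}

# Restore ownership and mode, then validate the file with visudo if available.
fix_sudoers_perms() {
    root=$1
    chown 0:0 "$root/etc/sudoers"
    chmod 0440 "$root/etc/sudoers"
    if [ -d "$root/etc/sudoers.d" ]; then
        chown -R 0:0 "$root/etc/sudoers.d"
        chmod 0750 "$root/etc/sudoers.d"
        find "$root/etc/sudoers.d" -type f -exec chmod 0440 {} +
    fi
    # -c checks syntax only; -f points it at the mounted copy, not the rescue host's file
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$root/etc/sudoers"
    fi
}

# usage: sh fix_sudoers.sh /mnt/broken
if [ -n "$1" ]; then
    check_sudoers_perms "$1" || fix_sudoers_perms "$1"
    check_sudoers_perms "$1" && echo "sudoers OK under $1"
    echo "files under $1/etc not owned by root:"
    list_nonroot_etc "$1"
fi
```

Run the check before and after the fix: if `list_nonroot_etc` prints much more than `/etc/sudoers`, the recursive chown from the question is the likely cause and ownership of the rest of `/etc` needs attention too, not just sudoers.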
  • PriceChild

    Looks like you've answered this yourself...

    I probably did "chown ec2-user /etc/sudoers" (or, more likely "chown -R ec2-user /etc" because I was sick of rsync failing), so this is my fault.

    Either way, I don't think you can resolve this without gaining a root shell. (I'm unsure what recovery methods are possible on ec2?)

    If you did indeed recursively chown /etc then I think rebuilding the server is the best way to go.