March 14, 2016

Fixing sudo errors from the command line on OSX

The first symptom that I had made a terrible mistake showed up in an Ansible playbook:

GATHERING FACTS
***************************************************************
fatal: [...] => ssh connection closed waiting for a privilege escalation password prompt
fatal: [...] => ssh connection closed waiting for a privilege escalation password prompt
fatal: [...] => ssh connection closed waiting for sudo password prompt
fatal: [...] => ssh connection closed waiting for sudo password prompt

That looks like the sudo binary might be broken. To rule out Ansible problems, remote into the machine and try to use sudo:

administrators-Mac-mini:~ administrator$ sudo ls
sudo: effective uid is not 0, is sudo installed setuid root?

This meant that there was a file permissions problem:

working-host administrator$ ls -al /usr/bin/sudo
-r-s--x--x  1 root  wheel  164560 Sep  9  2014 /usr/bin/sudo

broken-host administrator$ ls -al /usr/bin/sudo
-rwxrwxr-x  1 root  wheel  164560 Sep  9  2014 /usr/bin/sudo

Now the problem is reduced to fixing the permissions. One does not simply sudo to root, because there’s no working sudo. However, Apple provides a utility which allows you to enable root login using only the administrator account’s permissions:

broken-host administrator$ dsenableroot
username = administrator
user password:
root password:
verify root password:

dsenableroot:: ***Successfully enabled root user.

The first password is the current one for the administrator account, and the other two should be the same string and will become the root account’s password.

After enabling root login, disconnect then SSH into the host as root:

broken-host root# chmod 4411 /usr/bin/sudo

And test that the fix fixed it:

broken-host root# su administrator
broken-host administrator$ sudo ls

Finally, clean up after yourself to inconvenience any future attackers:

broken-host administrator$ dsenableroot -d

Moral of the story: Errant chowns of /usr/bin are just as bad when they come from automation as when they come from humans.

Posted by E. Dunham

Tags: osx, ansible

• « Reducing SaltStack log verbosity for TravisCI
• Ansible, Vagrant, and changed host keys »

Recent Posts

• Collaboration
• Assorted Git & Unix Tips
• DIY Shoe Chains
• Making Dice
• Retroreflectors & Storing Ground Glass
• DIY Thimble
• Lumenator
• Playing Dress-Up With Starlink
• tree-style tab setup
• top/htop in windows is ctrl+shift+esc

Search

Blog Archive

Tags

advice (1), ansible (6), arandr (1), arch (11), arduino (1), audio (1), aws (5), bash (2), blackarch (1), buildbot (5), career (2), cargo (1), cfengine (1), chef (1), cloudfront (1), conferences (5), coverage (1), crafts (2), cs480 (2), cups (1), design (1), devops (2), digitalocean (1), diy (1), dmarc (1), dns (1), docker (1), ec2 (1), email (3), EXAMPLE (1), example (1), extundelete (1), ferris (2), forth (1), foss (4), freenode (1), games (1), git (3), github (1), github pages (1), gitstat (1), habitrpg (2), hardware (1), hieroglyph (2), i3 (2), internships (1), interviews (1), irc (7), irssi (4), jekyll (1), kangaroos (1), LaTeX (3), let's code (1), linode (1), mailman (1), mentor (1), minecraft (1), monte (1), mozilla (5), mplayer (1), multirust (1), newbie (1), notty (1), opinion (1), orglog (1), osx (1), packaging (1), pandoc (1), playpen (1), printers (1), programming (1), psychology (1), puppet (1), python (2), recordmydesktop (1), resume (4), rst (1), ruby (1), rust (6), rustinfra (9), rustlang (4), s3 (2), saltstack (3), school (6), screen (1), security (1), shameless self-promotion (1), shell (1), slack (1), solved (5), speaking (3), sphinx (2), ssh (1), sshfs (1), talks (1), terminator (1), TEST (1), testing (1), thinkpad (2), TIL (1), tinkerer (5), trackpoint (1), travisci (5), troubleshooting (6), ubuntu (1), vagrant (1), vidyo (1), vim (3), wifi (1), Windows (1), work (1), workflow (1), x240 (1), xrandr (1)