Debian User Forums

Posted: **2023-03-25 22:03**

When I try to sudo from a user (non-root) to run an updateroot it does not work. If I su to root it works. Using Debian 11 kernel 5.10.0-20-686-pae

example
sudo apt-get update

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for mac20
Sorry, try again.
[sudo] password for mac:
Sorry, try again.
[sudo] password for mac:
sudo: 3 incorrect password attempts

But If I do a su root same password it works.

why does the sudo not work ?

Posted: **2023-03-25 22:29**

sudo needs your user password, not root password.

Posted: **2023-03-26 05:45**

Neither works. root or user. If i usee the user password I get the message " "username" is not in the sudoers file. This incident will be reported."

Posted: **2023-03-26 06:12**

then su root and then visudo

Posted: **2023-03-26 08:11**

compis3 wrote: ↑2023-03-26 05:45 Neither works. root or user. If i usee the user password I get the message " "username" is not in the sudoers file. This incident will be reported."

You have to add the user to the sudoers file:

Code: Select all

su -
<give root password>
usermod -a -G sudo <username>

Posted: **2023-03-26 19:44**

When I do I su it works which I alreay know. But what is the meaning of the following? why can I not enter a Root or user password to authenticate the request?

sudo apt-get update
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for mac20
Sorry, try again.
[sudo] password for mac:

Posted: **2023-03-26 19:56**

compis3 wrote: ↑2023-03-26 19:44 When I do I su it works which I alreay know. But what is the meaning of the following? why can I not enter a Root or user password to authenticate the request?

https://wiki.debian.org/sudo/

Posted: **2023-03-27 00:05**

compis3 wrote: ↑2023-03-26 19:44 When I do I su it works which I alreay know. But what is the meaning of the following? why can I not enter a Root or user password to authenticate the request?

sudo apt-get update
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for mac20
Sorry, try again.
[sudo] password for mac:

Becuase as you've alereayd been told, mac20 is NOT in the sudoers file. You need ot become root and add that user to soduers using a mechnism given to you above. Read what people are tellign you and dont make assumptions.

Posted: **2023-03-27 02:53**

kent_dorfman766 wrote: ↑2023-03-27 00:05
compis3 wrote: ↑2023-03-26 19:44...
[sudo] password for mac20
Sorry, try again.
[sudo] password for mac:
Becuase as you've alereayd been told, mac20 is NOT in the sudoers file.

I don't think that's correct. If user is not in sudoers, the message would be "user ** is not in the sudoers file...". This message looks more like incorrect password has been entered.
And why are there 2 different usernames? "mac20" and "mac"? It's hard to help if you post conflicting info.

To help diagnose, post the output of this command, run as user:

Code: Select all

groups

"sudo" should be one of the listed groups.
and run as root:

Code: Select all

cat /etc/sudoers | grep -A2 Allow

The sudo group entry should look like this in sudoers file:

Code: Select all

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

so as soon as user is added to sudo group, they have permissions after doing a full logout and login again, or reboot.

BTW, this command is easier to remember to add user to sudo:

Code: Select all

adduser <username> sudo

Posted: **2023-03-27 06:24**

sunrat wrote: ↑2023-03-27 02:53 This message looks more like incorrect password has been entered.

The sudo lecture (#1 Respect the privacy of others etc) only appears the first time sudo is used (successfully), so the fact that it keeps appearing suggests, yes, password is incorrect.

https://superuser.com/questions/500119/ ... ng-forever

Edit: or as wiki says, no reboot since user added.

Posted: **2023-03-28 00:10**

sudo is not a standard a debian way of working.

when you installed the system you were asked for a root password. debian expects as a default that root actions are completed by the root user. you can login to the root user using su -.

you can then run all root related commands without the sudo prefix.

if you want to be able to run the sudo command as a normal user, you then have to edit /etc/sudoers to tell it that there are some users that can use the sudo command. the way i have set up sudo on my desktop and laptop is that it only accepts the root password. and it never remembers it.

Code: Select all

Defaults        rootpw
Defaults        timestamp_timeout=0

this sets root password only and never remembers the root password.

then you can get to be very specific about how users other than root get to use sudo

Code: Select all

# User privilege specification
root    ALL=(ALL:ALL) ALL
<user> ALL=(ALL:ALL) ALL

the user you specify in this setup would be effectively root. if they know the root password that was setup on install.

i actually noticed on the laptop that i have not setup a user for sudo. so i just su - and do all the root things i need to do.

Posted: **2023-03-28 04:11**

sudo is not a standard a debian way of working.

yeah...30+ years of managing UNIX and Linux servers and I'm gonna dissagree on this point. sudo has been the defacto standard way to allow non-SA users to execute privileged functions when they must do so, for many years. Old SVR4 UNIX had this thing called csu (controlled super-user) but I haven't seen it since leaving Bell Labs back in the 90s.

Posted: **2023-03-28 14:17**

kent_dorfman766 wrote: ↑2023-03-28 04:11...30+ years of managing UNIX and Linux servers... sudo has been the defacto standard way to allow non-SA users to execute privileged functions when they must do so...

Starting out with GNU/Linux I had a root account and an user account. But I have moved to just an user account with administrative privileges.

My use case is single user with desktop environment (Gnome) installing software and updating software. So as a single user of a workstation, it provides simpler function.

If I recall correctly, Debian installer strongly recommends creating root account. I leave root password blank, forcing first user to be (sudo) admin privileged. I am curious how many Debian users are like me, simple workstation with focus on gui application use, such as browsers or photo editing and so on. Would disabling root account be a better recommendation for users like me?

Posted: **2023-03-28 22:17**

If I recall correctly, Debian installer strongly recommends creating root account. I leave root password blank, forcing first user to be (sudo) admin privileged. I am curious how many Debian users are like me, simple workstation with focus on gui application use, such as browsers or photo editing and so on. Would disabling root account be a better recommendation for users like me?

I would NEVER endorse disabling root. Make sure root has a password, lock that password away somewhere, and whenever possible use privilege escallation like sudo to accomplish needed admin functions. I undertand rumors of privilege policy classes built into the gnome fiasco, but I don't/wont use gnome so I cannot speak to them, and generally feel that such functions are a bad idea because they overcomplicate operation for a huge subset of the user base.

Posted: **2023-03-28 23:30**

I've never used sudo If I want such features I use doas

https://packages.debian.org/bullseye/doas

Posted: **2023-03-29 02:46**

kent_dorfman766 wrote: ↑2023-03-28 22:17I would NEVER endorse disabling root. Make sure root has a password, lock that password away somewhere, and whenever possible use privilege escallation like sudo to accomplish needed admin functions.

I'll research more, but I'm not sure why I would need root access for my user case. As a single user on a workstation, I accomplish everything with sudo.

Posted: **2023-03-29 05:03**

As a single user on a workstation, I accomplish everything with sudo.

There are some tasks that you cannot do thru sudo. If something breaks in your system and you need to boot into single user mode the system will expect you to enter the root password to access a maintenance shell.

Posted: **2023-03-29 07:06**

kent_dorfman766 wrote: ↑2023-03-29 05:03
As a single user on a workstation, I accomplish everything with sudo.
There are some tasks that you cannot do thru sudo. If something breaks in your system and you need to boot into single user mode the system will expect you to enter the root password to access a maintenance shell.

Usually its trivial to get a root maintenance shell without a password in default configuration (makes recovering when you forget your password easy!), sudo will not change that. root is not disabled! sudo really does switch to root, see passwd manual for the '-l' flag.

If you use sudo not having a root password closes an 'attack vector', of course how many are attacking your desktop computer by trying to log in as root, not really a problem! It also just makes your user account the attack vector instead, but now they have to find out your name

.

I have largely come to the conclusion that privilege management for non-remote access desktop computers is really just down to personal preference, basically all configurations are sane.

Posted: **2023-03-29 07:23**

BBQdave wrote: ↑2023-03-29 02:46
kent_dorfman766 wrote: ↑2023-03-28 22:17I would NEVER endorse disabling root. Make sure root has a password, lock that password away somewhere, and whenever possible use privilege escallation like sudo to accomplish needed admin functions.
I'll research more, but I'm not sure why I would need root access for my user case. As a single user on a workstation, I accomplish everything with sudo.

I am not an IT/ICT specialist but have been on duty maintenance man here for about a decade now of the family members' laptops running under Linux .
Each family member has their own Linux laptop where they have full access as both superuser ( root ) and user .
Each family member also has full access to everyone's Linux laptop both as superuser ( root ) and user .
So each family member knows the name of the superuser , user and passwords of the respective laptops .
No secrets here ... and if you've got one , don't keep it on your laptop , is my advice .

Code: Select all

****@****-gl753vd:~$ sudo -s
[sudo] wachtwoord voor ****: 
root@****-gl753vd:/home/****# whoami
root
root@****-gl753vd:/home/****# apt upgrade
Pakketlijsten worden ingelezen... Klaar
Boom van vereisten wordt opgebouwd... Klaar
De statusinformatie wordt gelezen... Klaar 
Opwaardering wordt doorgerekend... Klaar
0 opgewaardeerd, 0 nieuw geïnstalleerd, 0 te verwijderen en 0 niet opgewaardeerd.
root@****-gl753vd:/home/****# exit
exit

****@****-gl753vd:~$ sudo apt upgrade
Pakketlijsten worden ingelezen... Klaar
Boom van vereisten wordt opgebouwd... Klaar
De statusinformatie wordt gelezen... Klaar 
Opwaardering wordt doorgerekend... Klaar
0 opgewaardeerd, 0 nieuw geïnstalleerd, 0 te verwijderen en 0 niet opgewaardeerd.
****@****-gl753vd:~$

That being said , during this period , have never had to call on "root" to keep these laptops up to date , let alone troubleshoot problems .

am I one of the better students in the class then ?

Posted: **2023-03-29 14:39**

I appreciate the information all. My experience, not setting root password, I am able to administer with sudo. So far no problems.
Now of course, I just jinxed myself and something will not work with sudo

Hopefully I'm not missing a vulnerability, but I am confident in my security. So not setting root password is more of a convenience, one user account which can also administer the system.

Most of my data is shared as well, with family and friends. Photos, organizing data for school events and family events, and so on. Sensitive data, such as medical data, or credit cards is not shared.

Which could probably bring up a whole other discussion of how secure your medical data is, when you log in to your Medical Dashboard to communicate with your doctor. But I'm optimistic, and cautious

Again all, I appreciate your thoughts and experiences

Debian User Forums

Sudo to root

Sudo to root

Re: Sudo to root

Re: Sudo to root

Re: Sudo to root

Re: Sudo to root

Re: Sudo to root

Re: Sudo to root

Re: Sudo to root

Re: Sudo to root

Re: Sudo to root

Re: Sudo to root

Re: Sudo to root

Re: Sudo to root

Re: Sudo to root

Re: Sudo to root

Re: Sudo to root

Re: Sudo to root

Re: Sudo to root

Re: Sudo to root

Re: Sudo to root