Sudo broken after latest update

MaxT · November 5, 2022, 2:31am

After today’s updates, which included sudo update, I am now getting this error message for my main user:

username is not in the sudoers file.
This incident has been reported to the administrator.

This happened on both my laptop and my desktop PCs.

Anyone else running into this?
What’s the fix?

Thank you.

MaxT · November 5, 2022, 3:00am

Looks like I had to add

username    ALL = (ALL:ALL) ALL

to the sudoers.tmp file using

EDITOR=kate kdesu visudo

Is this the correct fix? Should the wheel group approach be used instead (what are the best practices for OpenSUSE)?

nrickert · November 5, 2022, 3:28am

You might want to check this thread in the factory mailing list:

sudo changed behaviour since upgrade to snapshot 20221103

arvidjaar · November 5, 2022, 8:35am

This is entirely up to whoever maintains your system.

what are the best practices for OpenSUSE?

Historically (open)SUSE used targetpw. This will likely change in upcoming releases. We will see how exactly it will change when it is there.

Oceanwaves · November 5, 2022, 9:15am

I found the best way to fix it is to create the file /etc/sudoers.d/user:

# su -
# vi /etc/sudoers.d/user
Defaults targetpw  # Ask for the password of the target user 
ALL ALL=(ALL:ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'

This way you switch back to the previous behavior. For single user systems this should be ok.

hcvv · November 5, 2022, 9:26am

I don’t think there is one special for openSUSE. It is used Unix/Linux wide for running processes as another user (often root) then the present.

Personally I do never use sudo. I only use

su -

For me that is the best practice that I used already before sudo even existed. Never had any problems introduced by changes/updates/whatever done on sudo.

karlmistelberger · November 5, 2022, 10:21am

hcvv:

Personally I do never use sudo. I only use
su -
For me that is the best practice that I used already before sudo even existed. Never had any problems introduced by changes/updates/whatever done on sudo.

The same here. Use of sudo adds complexity, but benefits are nonexistent on most systems. Some distributions don’t allow “su -”. I run “sudo passwd” which enables “su -” on these systems.

suse_rasputin · November 5, 2022, 4:51pm

What a mess…

I read this

https://linux.die.net/man/5/sudoers

but I still have no idea: what is the difference between

Defaults targetpw

and

Defaults rootpw

in sudoers?

suse_rasputin · November 5, 2022, 5:15pm

To answer my own question: rootpw requires root password even when changing to another user than root…

For the su - hardcore fraction:

with su - you get access to each and everything on the machine. With sudo you can define for which commands sudo will work, much more fine graduated…

hui · November 5, 2022, 5:21pm

…this is the burden of a system administrator…and part of its job description…

hcvv · November 5, 2022, 5:36pm

When you indeed have a user community of which several should be allowed certain tasks only and have sudo configured to that need, you will not have any questions here and, if I am correct, you are not even hurt by the change because you have your own overriding configuration.

MaxT · November 5, 2022, 6:24pm

Oceanwaves:

I found the best way to fix it is to create the file /etc/sudoers.d/user:
# su -
# vi /etc/sudoers.d/user
Defaults targetpw  # Ask for the password of the target user 
ALL ALL=(ALL:ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'
This way you switch back to the previous behavior. For single user systems this should be ok.

This seems like the most reasonable approach to get the original behavior back.
Thank you!

I’ll have to think how I want to handle this going forward.

larryr · November 5, 2022, 7:54pm

I just replace it with the one from 15.4 - this is what it was before the update that removed it.

# cat /etc/sudoers
## sudoers file.
##
## This file MUST be edited with the 'visudo' command as root.
## Failure to use 'visudo' may result in syntax or file permission errors
## that prevent sudo from running.
##
## See the sudoers man page for the details on how to write a sudoers file.
##

##
## Host alias specification
##
## Groups of machines. These may include host names (optionally with wildcards),
## IP addresses, network numbers or netgroups.
# Host_Alias    WEBSERVERS = www1, www2, www3

##
## User alias specification
##
## Groups of users.  These may consist of user names, uids, Unix groups,
## or netgroups.
# User_Alias    ADMINS = millert, dowdy, mikef

##
## Cmnd alias specification
##
## Groups of commands.  Often used to group related commands together.
# Cmnd_Alias    PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
#                 /usr/bin/pkill, /usr/bin/top
# Cmnd_Alias    REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff

##
## Defaults specification
##
## Prevent environment variables from influencing programs in an
## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
Defaults always_set_home
## Use this PATH instead of the user's to find commands.
Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bin:/usr/local/sbin"
Defaults env_reset
## Change env_reset to !env_reset in previous line to keep all environment variables
## Following list will no longer be necessary after this change
Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
## Comment out the preceding line and uncomment the following one if you need
## to use special input methods. This may allow users to compromise the root
## account if they are allowed to run commands without authentication.
#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"

## Do not insult users when they enter an incorrect password.
Defaults !insults

## Uncomment to send mail if the user does not enter the correct password.
# Defaults mail_badpass
##
## Uncomment to enable logging of a command's output, except for
## sudoreplay and reboot.  Use sudoreplay to play back logged sessions.
# Defaults log_output
# Defaults!/usr/bin/sudoreplay !log_output
# Defaults!REBOOT !log_output

## In the default (unconfigured) configuration, sudo asks for the root password.
## This allows use of an ordinary user account for administration of a freshly
## installed system. When configuring sudo, delete the two
## following lines:
Defaults targetpw   # ask for the password of the target user i.e. root
ALL   ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!

##
## Runas alias specification
##

##
## User privilege specification
##
root ALL=(ALL:ALL) ALL

## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL:ALL) ALL

## Same thing without a password
# %wheel ALL=(ALL:ALL) NOPASSWD: ALL

## Read drop-in files from /etc/sudoers.d
@includedir /etc/sudoers.d

brucecadieux · November 6, 2022, 2:25pm

I just ran yast package manager, and there are updates to sudo in the latest updates on ( Tumbleweed ) that fix this problem

Vernius · November 6, 2022, 4:02pm

I just upgraded and it has not yet solved the problem.

disisdadrum · November 8, 2022, 4:17am

Good news, the latest Tumbleweed update (20221106) has restored sudo. Enjoy!!