# sudo loop locked system root access



## IPTRACE (May 30, 2019)

Hi, any idea how to resolve the issue instead of running in single-user mode?
I've set file permissions to 666 for /usr/local/etc/sudoers and I cannot change it back again...


```
user@serv:~ % sudo chmod 660 /usr/local/etc/sudoers
sudo: /usr/local/etc/sudoers is world writable
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin

user@serv:~ % chmod 660 /usr/local/etc/sudoers
chmod: /usr/local/etc/sudoers: Operation not permitted
```


----------



## zirias@ (May 30, 2019)

Log in as root? You DO have a console, do you?

Or, if you can login as a user who is a member of `wheel`, just use su(1) to become root.


----------



## IPTRACE (May 30, 2019)

Logging in as root is restricted to single-user mode.
No one is in wheel group.


----------



## zirias@ (May 30, 2019)

IPTRACE said:


> Logging in as root is restricted to single-user mode.


Is this some hardening setting? I wasn't aware this is possible. So you're probably out of luck, do you have at least a way to issue a clean shutdown? Maybe the power button?

How does locking down the system in such a way go with experimenting with a world-writable sudoers file?

Anyways, IMHO, you should *always* have a local console that accepts a root login any time, to have a chance to fix things. This is normally just a vt using screen and keyboard. On a headless server, you want a serial console (RS-232) instead.


----------



## IPTRACE (May 30, 2019)

The one way I know is to run the system in single-user mode but I'd like to avoid that or even postpone that remedy in the next system changes or upgrades.

It was a WARNING from the Lynis software. I got:
Wrong permissions on /usr/local/etc/sudoers and /usr/local/etc/sudoers.d .
I had 440 before, so I was trying to set 400, 444, 660 and finally 666...
And basically it didn't help, so I suspect Lynis does not work properly in this case.

I disabled several things for security reasons.
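A check for the situation in this thread, added here as an example (it is not code from the thread or from sudo/Lynis): it inspects a sudoers file the way sudo does before loading it and reports the same class of problems, so each of the modes tried above (400, 444, 660, 666) can be tested on a copy before it is applied to the real file. The expected state is assumed to be the FreeBSD sudo port's default, mode 0440 owned by uid 0 (root); both are parameters so an unprivileged user can run the check on a temporary copy. It uses GNU `stat -c` when available and falls back to BSD `stat -f` on FreeBSD.

```shell
#!/bin/sh
# Added example, not from the thread: report why sudo (or Lynis) would reject
# a sudoers file's permissions. Assumed expected state: mode 0440, uid 0.

file_mode() {
    # Octal permission bits of "$1": GNU stat first, then BSD stat (FreeBSD).
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

file_uid() {
    # Numeric owner of "$1", same GNU/BSD fallback as file_mode.
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1" 2>/dev/null
}

# check_sudoers PATH [WANT_MODE] [WANT_UID]
# Prints one line per problem found. Returns 0 when PATH has exactly
# WANT_MODE (octal, leading 0 optional; default 440) and is owned by
# WANT_UID (default 0), 1 when something is wrong, 2 when PATH cannot be stat'ed.
check_sudoers() {
    path=$1
    want_mode=${2:-440}
    want_mode=${want_mode#0}
    want_uid=${3:-0}
    mode=$(file_mode "$path")
    [ -n "$mode" ] || { echo "$path: cannot stat"; return 2; }
    uid=$(file_uid "$path")
    rc=0
    # Other-write bit set (last octal digit 2,3,6,7): sudo refuses the file
    # outright, which is the "world writable" message in the first post.
    case "$mode" in
        *[2367]) echo "$path: world writable (mode $mode)"; rc=1 ;;
    esac
    # Group-write bit set (second-to-last digit 2,3,6,7), e.g. mode 660.
    case "$mode" in
        *[2367]?) echo "$path: group writable (mode $mode)"; rc=1 ;;
    esac
    # Anything other than the expected mode (e.g. 400 or 444) is what the
    # "wrong permissions" audit finding is about, even if sudo still loads it.
    if [ "$mode" != "$want_mode" ]; then
        echo "$path: mode $mode, should be $want_mode"
        rc=1
    fi
    if [ "$uid" != "$want_uid" ]; then
        echo "$path: owned by uid $uid, should be uid $want_uid"
        rc=1
    fi
    return $rc
}

# Run against the path(s) given on the command line, e.g.
#   sh check_sudoers.sh /usr/local/etc/sudoers
[ $# -eq 0 ] || check_sudoers "$@"
```

Once the permission check passes, `visudo -c -f FILE` is the right tool for the syntax side; the check above only covers the ownership and mode that make sudo give up before it even parses the file.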


----------



## SirDice (May 31, 2019)

If this issue was easily remedied then it would defeat the whole purpose of its security. So, either log in on the console with root, or if you really disabled that, boot to single-user mode. But to be honest I find it hard to believe you disabled root console logins while leaving the single-user mode option open.


----------



## IPTRACE (Jun 1, 2019)

Yes, root login disabled but still available via single-user mode.


----------



## zirias@ (Jun 1, 2019)

"As you can see" ... this particular security measure (I didn't even know it existed) has its downsides. Maybe reassess ... preventing remote root login (via ssh) could make quite some sense, but preventing root login on a local console MIGHT be a bit too much.


----------



## IPTRACE (Jun 3, 2019)

Yeap. Anyway, it's just good to know that something like that exists. Old rule says "more secure, less functionality".


----------



## SirDice (Jun 3, 2019)

Just a tip, when you modify the sudoers, keep your current "sudo'd" session open and test with a _new_ connection. That way, if you screw up, you still have enough privileges on the original connection to fix it.


----------



## IPTRACE (Jun 14, 2019)

Ok, thanks.


----------

