Sudo doesn't work

What is the password when using sudo? I tried welc0me but that doesn’t work.

I am logged in as a normal user and trying to run commands as root.

You don’t need to use sudo.  Once you log in via SSH you are already root.

When you log in

cd /

No, I am logging in as a normal user trying to use sudo.

amrogers3 wrote:

No, I am logging in as a normal user trying to use sudo.

You CAN’T log in using a normal user unless you’ve modified the configurations … and if you have done that, then we probably would need to know what changes you’ve made…

You can create a user in GUI and then enable SSH, so that is what I did to log in as a different user.

Well, then you’ve come across a new bug – none of my users can SSH in.  Only root.  It’d be incredibly dangerous otherwise.   So I am now very interested in this.

… and that’s how it’s documented; only root.

So when you log in and type “whoami” you get something other than “root” as the answer?

That is correct.

Actually, it is more dangerous if root logs in. You should never have root access unless you absolutely need it.

amrogers3 wrote:

That is correct.

Actually, it is more dangerous if root logs in. You should never have root access unless you absolutely need it.

Not in the case of most NASes I’ve seen.

Assume I have User A with access to Share A only.

and I have User B with access to Share B only.

According to what you’re seeing, I can ssh in as User A and delete User B’s data.   Not good at all.

All Share permissions are 770.   That means they all have Group RWX permissions.

All users are members of the group SHARE.

All Shares are owned by group SHARE.

That means any user, through the shell, can delete any data in any share.   BAD NEWS.

But, I cannot log in to mine via SSH, so I don’t know what’s up with yours…  

/home/tony> ssh 10.0.0.32
tony@10.0.0.32's password:
Permission denied, please try again.

 tony is one of the users on the Cloud…  Can’t log in via SSH.

I’d love to see a screen scrape of you doing that, because you’ve got me really worried.

More info, sshd explicitly denies logins to anyone but root:

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
AllowUsers root

As seen in the sshd_config file, “AllowUsers” only allows root.

Oh. OK – forget all this.

I went back through your posting history and see you’ve made substantial changes to the configuration, so all bets are off.

amrogers3 wrote:

That is correct.

Actually, it is more dangerous if root logs in. You should never have root access unless you absolutely need it.

Yes, but that’s the whole point of enabling SSH, to have root level access.

SSH is meant only for troubleshooting and not for normal use.

As TonyPH12345 has stated, only root should have access and I have not seen any instance where any other user is able to log in.  But since it appears you have made changes to your system, you are pretty much on your own.

Tinwarble wrote:

Yes, but that’s the whole point of enabling SSH, to have root level access.

SSH is meant only for troubleshooting and not for normal use.

As TonyPH12345 has stated, only root should have access and I have not seen any instance where any other user is able to log in.  But since it appears you have made changes to your system, you are pretty much on your own.

I disagree and I think most of the security community would disagree that it is a good idea to have root level SSH access. What you want is normal user access and then utilizing sudo or su to do any configuration changes necessary. But how you config your system is totally up to you. Just my .02. 

TonyPh12345 wrote:

More info, sshd explicitly denies logins to anyone but root:

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
AllowUsers root

As seen in the sshd_config file, “AllowUsers” only allows root.

Everything is configurable. You can add a user to “AllowUsers” to allow users other than root to access your device via SSH. Matter of fact to tighten security, you could take out root completely. Something like this:

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
AllowUsers user1 user2

And you are correct I have made considerable changes to my NAS. I am able to rsync over SSH from a normal user using keys so I do not have to utilize a password. The main reason for this is to be able to create a script to automatically run the job via crontab. I have a backup script that syncs all my files and folders to the NAS at a set time of day.

The problem with using root is that your files and folders will be saved with different ownership and permissions and you will not be able to modify or delete any files on the NAS. Thus, that is the reason I had to utilize a local user to perform this task. This was ideal for my setup, however, this may not be ideal for all cases. 
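The two Authentication blocks quoted in this thread decide who sshd will consider at all. The sketch below is an added example, not code from any poster or from the device firmware; it reads only the global section of the file and does not handle DenyUsers, Match blocks or USER@HOST patterns.

```python
import fnmatch

# The two Authentication blocks quoted in this thread.
STOCK = """# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
AllowUsers root
"""
MODIFIED = """# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
AllowUsers user1 user2
"""

def parse_sshd_config(text):
    """Return (settings, allow_users) for the global section of an sshd_config."""
    settings, allow_users = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key, args = parts[0].lower(), parts[1:]   # keywords are case-insensitive
        if key == "match":
            break                                 # Match blocks are out of scope here
        if key == "allowusers":
            allow_users.extend(args)              # collect patterns from every AllowUsers line
        elif key not in settings:
            settings[key] = " ".join(args)        # sshd uses the first value it reads
    return settings, allow_users

def can_log_in(user, text):
    """True if sshd would consider `user` at all under this configuration."""
    settings, allow_users = parse_sshd_config(text)
    # If AllowUsers is present, only names matching one of its patterns get in.
    if allow_users and not any(fnmatch.fnmatchcase(user, p) for p in allow_users):
        return False
    # PermitRootLogin no shuts root out even when AllowUsers would admit it.
    if user == "root" and settings.get("permitrootlogin") == "no":
        return False
    return True

if __name__ == "__main__":
    for name, cfg in (("stock", STOCK), ("modified", MODIFIED)):
        for user in ("root", "tony", "user1"):
            print(f"{name:9} {user:6} {'allowed' if can_log_in(user, cfg) else 'denied'}")
```

Passing this check only means sshd will go on to authenticate the user; what that user can then touch still depends on file ownership, group membership and sudoers.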

  

amrogers3 wrote:


I disagree and I think most of the security community would disagree that it is a good idea to have root level SSH access. What you want is normal user access and then utilizing sudo or su to do any configuration changes necessary. But how you config your system is totally up to you. Just my .02. 

Yes, I would agree, if you were talking about a PC or some other comparable system.  But you're not; this is a NAS and SSH is not meant for the normal user, it is ONLY meant for the administrator as it states here:

http://wdc.custhelp.com/app/answers/detail/a_id/10435/p/247,487/session/L3RpbWUvMTM4OTE2MjQ5Ny9zaWQva19rMU5RSmw%3D

The UI is provided for normal access and is what is supposed to be used, SSH is only provided in the case that the Dashboard can’t be accessed or an issue arises that can’t be resolved under normal means.

If you want to use sudo for users other than root, you need to update the /etc/sudoers file:

WDMyCloud:/etc/ssh# cat /etc/sudoers

# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.

Defaults secure_path = /bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin
www-data ALL=(ALL) NOPASSWD: ALL

# add root to allow php scripts to run from command line
root ALL=(ALL) NOPASSWD: ALL

Add an entry at the end:

username ALL=(ALL) NOPASSWD: ALL
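A rule of the form `NOPASSWD: ALL` gives the named account every command with no password prompt, and the file shown above already does this for www-data. The audit below is an added example, not part of the original post or the device firmware; the `backup` and `admin` rules are constructed for comparison, and line continuations, includes and per-command runas lists are not handled.

```python
import re

# Rules from the /etc/sudoers shown in the thread, plus two constructed
# entries (backup, admin) for comparison.
SAMPLE = """\
Defaults secure_path = /bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin
www-data ALL=(ALL) NOPASSWD: ALL
# add root to allow php scripts to run from command line
root ALL=(ALL) NOPASSWD: ALL
username ALL=(ALL) NOPASSWD: ALL
backup ALL=(root) NOPASSWD: /usr/bin/rsync
admin ALL=(ALL) ALL
"""

# who  hosts = (runas) [TAG:] command[, command...]
RULE = re.compile(r"^(\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")

def passwordless_all(sudoers_text):
    """Names whose rule grants the command ALL under a NOPASSWD tag."""
    hits = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE.match(line)
        if not m or m.group(1).endswith("_Alias"):
            continue
        who, commands = m.groups()
        nopasswd = False
        for cmd in commands.split(","):
            cmd = cmd.strip()
            # A tag stays in force for later commands until PASSWD: reverses it.
            while (tag := TAG.match(cmd)):
                if tag.group(1) == "NOPASSWD":
                    nopasswd = True
                elif tag.group(1) == "PASSWD":
                    nopasswd = False
                cmd = cmd[tag.end():]
            if cmd == "ALL" and nopasswd:
                hits.append(who)
                break
    return hits

if __name__ == "__main__":
    for who in passwordless_all(SAMPLE):
        print(f"{who}: any command, no password prompt")
```

The constructed `backup` rule shows the narrower alternative: passwordless only for one named binary, which is enough for an unattended cron job.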

amrogers:   The point is, you wasted folks’ time.

In post 5, I asked if you’d made modifications.  Your response said you had made NO changes (You said all you did was create a user and enable SSH on the GUI), when in fact you had made substantial changes to the backend to do what I was questioning.

Through my own fault, I assumed you had uncovered a catastrophic security flaw, and I spent a lot of my time trying to figure out if I needed to remove My Cloud from my network.

We could have gotten an answer to you much faster if you’d have simply answered that question.

And your subject is that “sudo doesn’t work” – which makes no sense in a non-modified configuration, further compounding the confusion.

So, now that we know a little more about what you’ve done, as JRman points out, you must edit the sudoers configuration via visudo which allows username to run things as root WITHOUT ANY PASSWORD.

But if you don’t want it that wide, then you must also assign a password to the user that you’re logging in as.