3

I have an ubuntu instance on AWS.
After getting ssh login, I was able to change to root with the sudo su command.
For security reasons, I wanted to change the root password. So I tried the following :

root@email:/home/ubuntu# sudo passwd root
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
root@email:/home/ubuntu# 

After changing the password, when I try to sudo su, it doesn't ask for a password:

ubuntu@email:~$ sudo su
root@email:/home/ubuntu# 

Whereas, when I try only su, it prompts for one:

ubuntu@email:~$ su
Password: 

How to implement security or set a password for sudo su?

Following are the details of sudoers (visudo)

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
  • sudo -k also doesn't prompt for a password. Adding the content of the sudoers file to the question.
    – kadamb
    Commented Apr 5, 2018 at 11:09
  • 1
    Yup. Even after sudo -k, sudo su isn't prompting for a password.
    – kadamb
    Commented Apr 5, 2018 at 11:15
  • Nope, sudo ls is also not asking for a password :(
    – kadamb
    Commented Apr 5, 2018 at 11:48
  • It'll be nice if whoever you're replying to could leave the asked questions here so others can see your progress.
    Commented Apr 5, 2018 at 12:37
  • PEBKAC error: su never asks for a password when it is run by root. Since you are running sudo first, su is run as root. Never run sudo su. If you want a root shell, run sudo -s.
    – psusi
    Commented Apr 5, 2018 at 15:57

1 Answer

8

This line in your sudoers file

#includedir /etc/sudoers.d

makes it include other files from the /etc/sudoers.d/ directory. It may seem the line is commented out, but it's not; the directive is #includedir with a leading #. One of these included files probably sets a rule with NOPASSWD that causes the issue.

Before you change something, make sure your regular user has a valid nonempty password. From this answer:

sudo will ask for a password even when you don't have one, and won't accept an empty password.

When in doubt, invoke passwd and set a brand new password for your regular user.

This command should tell you which file(s) you need to inspect:

sudo grep -r NOPASSWD /etc/sudoers.d/

The line you seek may look like this:

ubuntu ALL=(ALL) NOPASSWD:ALL

Comment it out (# ubuntu ALL=...). Compare this answer.
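A small audit script that does what the answer describes (find active NOPASSWD rules under a drop-in directory, then comment one out), added here as an illustration and not part of the answer above. It builds its own throwaway sudoers.d directory with constructed file names and contents, so it runs anywhere without touching /etc; the helper names find_nopasswd_rules, count_nopasswd_rules, make_demo_sudoers_d and disable_nopasswd_rule are my own. It goes slightly beyond the answer's grep in that it ignores lines that are already commented out and flags rules scoped to a single command as well as NOPASSWD:ALL.

```shell
#!/bin/sh
# Added example (not from the original answer): audit a sudoers drop-in
# directory for active NOPASSWD rules and disable one by commenting it out.
# Directory, file names and rule contents are constructed for the demo.

# Print "file:line:rule" for every line that grants NOPASSWD and is not a
# comment. '^[^#]*NOPASSWD' only matches when no '#' precedes the keyword, so
# "# ubuntu ALL=(ALL) NOPASSWD:ALL" is skipped while a trailing comment on a
# live rule is still reported. Exit 0 even with no match so callers running
# under 'set -e' are not aborted by grep's "nothing found" status.
find_nopasswd_rules() {
    dir="$1"
    grep -rnE '^[^#]*NOPASSWD' "$dir" 2>/dev/null || true
}

# Number of active NOPASSWD rules (awk prints 0 for empty input).
count_nopasswd_rules() {
    find_nopasswd_rules "$1" | awk 'END { print NR }'
}

# Build a temporary stand-in for /etc/sudoers.d with three constructed files.
make_demo_sudoers_d() {
    d=$(mktemp -d)
    # active passwordless rule for the login user (the case in the question)
    printf 'ubuntu ALL=(ALL) NOPASSWD:ALL\n' > "$d/90-demo-users"
    # a rule someone already commented out; must not be reported
    printf '# deploy ALL=(ALL) NOPASSWD:ALL\n' > "$d/50-deploy"
    # a narrower rule, still passwordless, still worth reviewing
    printf 'backup ALL=(root) NOPASSWD: /usr/bin/rsync\n' > "$d/60-backup"
    echo "$d"
}

# Comment out every active NOPASSWD rule in one file. A temp file plus mv is
# used instead of 'sed -i' because the -i flag differs between GNU and BSD sed.
disable_nopasswd_rule() {
    file="$1"
    tmp="$file.tmp"
    sed -E 's/^([^#]*NOPASSWD)/# \1/' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Demo run: audit, apply the fix to the file from the question, audit again.
demo_dir=$(make_demo_sudoers_d)
echo "active NOPASSWD rules before:"; find_nopasswd_rules "$demo_dir"
disable_nopasswd_rule "$demo_dir/90-demo-users"
echo "active NOPASSWD rules after:";  find_nopasswd_rules "$demo_dir"
rm -rf "$demo_dir"
```

On a real system, point find_nopasswd_rules at /etc/sudoers.d (and check /etc/sudoers itself) with sudo, but make the edit with visudo -f on the offending file rather than with disable_nopasswd_rule: visudo validates the syntax before saving, and a syntax error in a sudoers file can lock you out of sudo entirely. Also note that sudo ignores drop-in files whose names contain a dot, so a stray .tmp file left in /etc/sudoers.d is harmless but should be cleaned up.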
