6

I know the threads How do I add myself back as a sudo user?, Mounting encrypted LUKS partition from Live CD, ... This thread is about how to add a sudo user back without root and other strict security policies in place in encrypted environment: whole-media encryption, home-folder encryption and empty-space overwrite, but you know the password of the encryption. Still, the mounting of such an encrypted device is not that straight-forward. This is not duplicate!

My whole disk is encrypted. It contains Ubuntu 16.04. I know the thread How do I add myself back as a sudo user? but it is not for whole disk encryption. I did sudo usermod -G staff masi by accident (missed option -a there) and logged out. It removed me from all other groups than staff. To get back to defaults, I should run 

sudo usermod -a -G  adm cdrom sudo dip plugdev lpadmin sambashare masi

However, I am not anymore a part of sudo group, so I cannot run it. You cannot go Ubuntu's Grub > Rescue Mode in Grub > Advanced options because encryption in whole disc; no root is enabled; shift unsuccessful before/after encryption steps; unsuccessful entry to Recovery mode as described here; no Grub start after successful password entry in the encryption step; you cannot change the read-only /etc/default/grub so you cannot add there GRUB_CMDLINE_LINUX_DEFAULT="quiet splash single" for letting Grub work. So you have to have live Ubuntu with ecryptfs-utils schroot.

Persistent Live Ubuntu 16.04 Attempt

Create a persistent Live Ubuntu USB here. I do the following motivated by the sources here and here where no ready solution exists

> sudo apt-get update
...
> sudo apt-get install lvm2 cryptsetup
...
> sudo modprobe dm-crypt
> sudo fdisk -l % find the appropriate disc
sudo: unable to resolve host masi-CM6340: Connection refused
...
> sudo cryptsetup luksOpen /dev/sda5 myvolume % my case sda5 i.e. linux, not extended
sudo: unable to resolve host masi-CM6340: Connection refused
Enter passphrase for /dev/sda5: % which I enter successfully
>
> sudo mkdir /media/test
> 
% sudo vgscan not needed to activate the sockets
> sudo vgchange -ay % will make volumes active 
sudo: unable to resolve host masi-CM6340: Connection refused
2 logical volume(s) in volume group "ubuntu-vg" now active
% created also /dev/mapper/myvolume which can be mounted
>
> sudo mount /dev/sda5/home /media/test
mount: special device /dev/sda5/home does not exist (a path prefix is not a directory) 
> 
> % JayEye's 2nd proposal
> sudo mount /dev/mapper/myvolume /media/test
mount: unknown filesystem type 'LVM2_member'  
%
% chroot to the mounted device, add masi back to sudoers and work done

Output of sudo parted -l /dev/mapper/myvolume [JayEye]

Model: ATA WDC WD64000AAKS-7 (scsi)
Disk /dev/sda: 640 GB
Sector size (logical/physical): 512B/512B
Partition table: msdos
Disk Flags: 

Number Start End Size Type File system Flags
1 1049kB 512MB primary ext2 boot
2 513MB 640GB extended
5 513MB 640GB logical

Model: Kingston HyperX Fury 3.0 (scsi)
Disk /dev/sdb: 31.5GB
Sector size (logical/physical): 512B/512B
Partition table: msdos
Disk Flags

Number Start End Size Type File system Flags
1 27.3MB 30.4GB 30.4GB primary ext4 boot
2 30.4GB 31.5GB 1049MB primary linux-swap(v1)

Model: Linux device-mapper (linear) (dm)
Disk /dev/mapper/ubuntu--vg-swap_1: 34.3GB
Sector size (logical/physical): 512B/512B
Partition table: loop
Disk Flags: 

Number Start End Size Type File system Flags
1 0.00B 34.3GB 34.3GB linux-swap(v1)

Model: Linux device-mapper (linear) (dm)
Disk /dev/mapper/ubuntu--vg-root: 605GB
Sector size (logical/physical): 512B/512B
Partition table: loop
Disk Flags: 

Number Start End Size Type File system Flags
1 0.00B 605GB 605GB ex4

Error: /dev/mappper/myvolume: unrecognized disk label
Model: Linux device-mapper (crypt) (dm)
Disk /dev/mapper/myvolume: 640GB
Sector size (logical/physical): 512B/512B
Partition Table: unknown
Disk Flags:

I run sudo mount /dev/mapper/myvolume--vg-root /mnt [JayEye] and get

mount: special device /dev/mapper/myvolume--vg-root does not exist

I run sudo mount /dev/mapper/ubuntu--vg-root /mnt [DavidFoester] and get the following output which may still indicate successful mounting

sudo: unable to resolve host masi-CM6340: Connection refused

which is a warning that I get three times before in the script above. I access successfully the first step of the encrypted device by vi /mnt/home/masi/README.txt

THIS DIRECTORY HAS BEEN UNMOUNTED TO PROTECT YOUR DATA. 

From the graphical desktop, click on: 
 "Access Your Private Data"

From the command line, run: 
 ecryptfs-mount-private

where Access Your Private Data file is in /mnt/home/masi/Access-Your-Private-Data.desktop, but clicking on it does not lead to any GUI ouput (icon starts but closes automatically). I can find also ecryptfs-mount-private in Terminal, but there is no manpage/help-page of it. I run it in the folder, and I get

ERROR: Encrypted private directory is not setup properly

How to run ecryptfs-mount-private successfully?

Boot to the System - DavidFoerster's proposal (3) without Live System

My system has no root enabled. I boot to Grub > Advanced Options > Recovery Mode. I run sudo adduser masi sudo but get error code 1

Adding user 'masi' to group 'sudo' ...
Adding user masi to group sudo
gpasswd: cannot lock /etc/group; try again later
adduser: '/usr/bin/gpasswd -a masi sudo' returned error code 1. Exiting.

Rebooting, logging back again in the system, I do sudo echo "masi" and I get masi is not in the sudoers file. ....

I think problem here is that no mount and chroot.

Ubuntu 16.04 Live System Attempt

I cannot open the encryption in the normal Live system. I run unsuccessfully 

> sudo modprobe dm-crypt
> sudo fdisk -l % find the appropriate disc
...
Device Boot Start End Sectors Size Id Type
/dev/sdf1 ... 449.9G ... Linux 
/dev/sdf2 ... 15.9G ... Extended
/dev/sdf5 ... 15.9G ... Linux swap / Solaris
> sudo cryptsetup luksOpen /dev/sdf1 myvolume 
Device /dev/sdf1 is not a valid LUKS device
> sudo cryptsetup luksOpen /dev/sdf2 myvolume  
Device /dev/sdf2 is not a valid LUKS device

I still do the following but notice that the above step has to be completed successfully before proceeding 

sudo fdisk -l % find the correct sector
ubuntu@ubuntu:~$ sudo mount /dev/sdf1 /mnt
ubuntu@ubuntu:~$ sudo chroot /mnt
sudo adduser masi sudo

Output

sudo: unable to resolve host ubuntu: Connection refused
The user `masi' is already a member of `sudo'.

TODO I think you need to enter the passphrase for the encryption before doing this. However, it did not ask me it in any stage.

How can you add yourself back in sudo group in Encrypted HDD of 16.04 with Strict Security Policies?

Community
  • 1
Léo Léopold Hertz 준영
  • 4,647
  • 1
    So is your question really about Mounting encrypted LUKS partition from Live CD or Mount encrypted volumes from command line?? – steeldriver May 07 '16 at 14:23
  • You have ecryptfs inside a LUKS container? Why the double encryption? O_o Anyway the recovery of ecryptfs containers is described in https://askubuntu.com/questions/38336/how-do-i-recover-my-data-from-an-encrypted-home-directory – David Foerster May 10 '16 at 16:52
  • By the way you don't even need to decrypt the home directory to edit the group membership of a user. – David Foerster May 10 '16 at 16:59
  • 1
    Ok, I think I understand the issue now. Can you please include the (relevant part of the) /etc/sudoers* file(s) then? You'll need to access them from the live system since they're not world-readable. I still believe that this should be a separate question since it refers to a non-standard sudoers configuration and is not directly related to the LUKS/LVM issues. – David Foerster May 10 '16 at 19:42
  • 1
    Someone must have been capable of running apt-get install, cryptsetup, mount, and parted, didn't they? Otherwise, if you cannot become super-user even through a live system or other forms of physical access you cannot re-add your user to the administrator group. Furthermore you cannot re-install another OS and the machine remains permanently unusable. – David Foerster May 11 '16 at 08:08
  • Yet I'm not sure that's actually the case. Hence the if in my previous comment. If you boot from a live DVD/USB there should be only the default policies in place and you should be able to become root with no issue. Is there a reason why you cannot boot a live system? How did you run the other commands with sudo in your question? – David Foerster May 11 '16 at 11:29
  • Let us continue this discussion in chat. – David Foerster May 11 '16 at 12:38
  • 1
    Did you ever find a solution? Boot into recovery again and run mount. Find your partition in the output. Is it mount ro, or rw? (for example mine looks like /dev/sda7 on / type ext4 (rw,relatime,errors=remount-ro,data=ordered) (note the rw). Then check out this question: https://askubuntu.com/questions/84277/cannot-lock-etc-group-in-recovery-mode – Seth May 25 '16 at 17:19
  • @Masi I don't see any misformatting.. It looks a little weird because I have some terminal output in there but it is formatted as code to be readable. What part are you not getting? – Seth May 25 '16 at 19:09
  • @Masi how about you come to [chat]? I don't want to write out a full answer when it's really just the same stuff being said in the other question (the one linked in my original comment) and I'm not sure if it will work. – Seth May 25 '16 at 19:25
  • @LéoLéopoldHertz준영 Maybe I'm missing something, but about that comment where you say "I am stuck at sudo vgscan and I get failures": what's the full message? After cryptsetup succeeds you show % sudo vgscan not needed to activate the sockets, which looks like (part?) of a command and part(?) of the output. I have an LVM in a LUKS container on /dev/sda5 of an MBR disk; cryptsetup and vgscan work perfectly from a live environment, and I can mount and chroot in just fine. – Eliah Kagan Jan 06 '17 at 10:13
  • @LéoLéopoldHertz준영 Sorry, I don't know what you mean. Are you saying I should post a question? I have no problem. I have a setup similar to yours that works fine for something you say is impossible. Of course you're under no obligation to continue working on this -- but if you still happen to have the affected system (or one like it) and want to take another go at it, I suspect we could figure it out. It's totally up to you. – Eliah Kagan Jan 06 '17 at 10:58
  • @LéoLéopoldHertz준영 I'm afraid I don't understand what you've just asked me. What do you mean by the phrase "such a comment which you point"? Are you saying that one of the links in the comments I've recently posted here did not work? The body of what? – Eliah Kagan Jan 06 '17 at 11:12
  • @EliahKagan OK! Found it. The case is resolved already. – Léo Léopold Hertz 준영 Jan 06 '17 at 12:04

4 Answers4

2

To edit the group membership status and re-add yourself to the sudo group you must first access the encrypted, volume-managed file systems. The latter part is the same as for file recovery in such a situation.

To summarize the sequence of necessary steps and link each one to more detailed instructions:

  1. Boot from a live DVD/USB an choose "Try Ubuntu".

  2. Mount encrypted volumes from command line? to decrypt the LUKS container.

  3. Mounting encrypted LUKS partition from Live CD to expose the volumes managed by LVM inside the LUKS container.

    According to the output of Parted the volume for the root partition of your Ubuntu installation would be /dev/mapper/ubuntu--vg-root which you can mount with

    sudo mount /dev/mapper/ubuntu--vg-root <MOUNTPOINT>

    or

    udisks --mount /dev/mapper/ubuntu--vg-root

  4. How do I add myself back as a sudo user? to fix the group membership on the previously mounted volume. (You don't need to access the home directory for this so no need to decrypt it.)

Bonus:

David Foerster
  • 36,264
  • 56
  • 94
  • 147
  • I don't see anything related to the user root or even assuming that it exists or is enabled in (3). Anyway can you please open a new question if you have issues at that point since this one is getting a bit out of hand. ;-P – David Foerster May 10 '16 at 19:35
1

Boot from installation media and select "Try ubuntu".
Open/decrypt with cryptsetup, Mount the local disk, chroot to it, and re-add yourself!

Xen2050
  • 8,705
JayEye
  • 1,033
0

You are trying to mount /dev/sda5/home. Given how you have run cryptsetup, you should be trying to mount /dev/mapper/myvolume

JayEye
  • 1,033
  • Probably because the (now decrypted) /dev/sda5 does not contain a file system, but yet another layer of LVM. What is the output of sudo parted -l /dev/mapper/myvolume? – JayEye May 08 '16 at 06:43
  • try mount /dev/mapper/myvolume--vg-root /mnt – JayEye May 08 '16 at 07:24
  • Say, this should probably have been edited into your other answer – Xen2050 May 08 '16 at 16:11
  • @masi let's move this to chat so we can debug it interactively? http://chat.stackexchange.com/rooms/201/ask-ubuntu-general-room (if there is a way to move it to a private room, I lack the privileges to do so) – JayEye May 08 '16 at 22:07
  • 1
    Please only give (up to) one answer per question listing multiple possible solutions unless you have a specific reason not to. – David Foerster May 10 '16 at 10:32
0

Impossible. You cannot add yourself back to the disk because of the strict security policies. Answers here have not made the testing environment for them. They have not managed to test their own answers. Much reproduction what I I have already tested there.

Léo Léopold Hertz 준영
  • 4,647