Scott Hanselman

Getting admin by adding a new user to sudoers when you're locked out of an Azure Linux VM

March 18, 2015 Posted in Azure | Open Source

So I got locked out of an Ubuntu VM that's running in Azure. Long story, but an employee left and somehow the "admin" user I had access to no longer had "sudo" powers. I needed to run apt-get update && apt-get upgrade but literally had no user available with admin on the box.

If the machine were local, I could perhaps boot into recovery mode, but this is a VM in the cloud.

I do, however, have access to the Azure portal because I do own the VM. While the operating system doesn't think I'm powerful inside, I am powerful outside. ;)

Corey Sanders, the head of the IAAS team, was kind enough to remind me of the CustomScriptForLinux "VM Extension." VM Extensions can inject/install software like Chef and Puppet into VMs. I talked to Kundana Palagiri about this on Azure Friday (http://friday.azure.com).

He pointed me to his "AddUser.sh" script on GitHub. It's pretty straightforward, but how do I run it?

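#!/bin/bash
# Script to add a user to Linux system
# Usage: AddUser.sh <username> <password>   (must run as root)
if [ "$(id -u)" -eq 0 ]; then
        username="$1"
        password="$2"
        echo "Creating $username"
        # Match the whole login-name field, so "bob" is not mistaken for "bobby"
        grep -q "^${username}:" /etc/passwd
        if [ $? -eq 0 ]; then
                echo "$username exists!"
                exit 1
        else
                # Hash the password with crypt(3), using the literal string "password" as the salt
                pass=$(perl -e 'print crypt($ARGV[0], "password")' "$password")
                # Create the account with a home directory (-m), the hashed password (-p) and sudo among its groups
                useradd -G adm,dialout,cdrom,floppy,sudo,audio,dip,video,plugdev,netdev -m -p "$pass" "$username"
                [ $? -eq 0 ] && echo "User $username has been added to system!" || echo "Failed to add a $username!"
        fi
else
        echo "Only root may add a user to the system"
        exit 2
fi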

I don't have root, but Azure has root. Azure has all the power, in fact. I need to run this script with parameters (my new username and password) then SSH in and put things right. I can return my original user to sudoers:

sudo adduser <username> sudo

And there's other administration I may want to do, including deleting this user I just added. Doing this dance is how I'm going to regain access to my VM, though.
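
A hardened variant of the same idea, added here as an example and not part of Corey's script or the original post: it validates the username, matches existing accounts exactly, lets chpasswd hash the password with the system's configured scheme instead of crypt() with a fixed salt, grants only the sudo group, and expires the password so the first login must replace the value that was passed as a script argument. PASSWD_FILE and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: hardened variant of the AddUser.sh idea, not the original script.
LC_ALL=C; export LC_ALL                     # keep [a-z] ranges ASCII-only
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"   # assumption: overridable for dry runs

# Accept only conservative login names: a lowercase letter or underscore first,
# then lowercase letters, digits, underscore or hyphen, 32 characters at most.
valid_username() {
    case "$1" in
        ''|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Exact match on the login-name field (first colon-separated column),
# so "bob" is not reported as existing just because "bobby" does.
user_exists() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$PASSWD_FILE"
}

add_admin_user() {
    username="$1"
    password="$2"
    [ "$(id -u)" -eq 0 ] || { echo "Only root may add a user" >&2; return 2; }
    valid_username "$username" || { echo "Invalid username" >&2; return 3; }
    if user_exists "$username"; then
        echo "$username exists!" >&2
        return 1
    fi
    # Only the sudo group: enough to repair the box, nothing else.
    useradd -m -G sudo "$username" || return 4
    # chpasswd reads name:password on stdin and hashes it itself,
    # so no hash (or fixed salt) is built on a command line.
    printf '%s:%s\n' "$username" "$password" | chpasswd || return 5
    # The password arrived as a script argument; force a change at first login.
    chage -d 0 "$username"
}

# Act only when called with <username> <password>, as the extension would.
if [ "$#" -ge 2 ]; then
    add_admin_user "$1" "$2"
fi
```
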

NOTE: There are other ways to regain access to a Linux VM if you've lost an SSH key or forgotten your password, like the VMAccess Extension in PowerShell. However, not everyone has a Windows machine, and I wanted in fast without any local setup. I'm going to use the Custom Script extension.

First, I'll log into the Azure Portal at http://portal.azure.com and select the VM, then under All Settings, select Extensions. Click ADD and pick Custom Script for Linux.

Adding Custom Script for Linux

Note that my bash script has two parameters, so I'll put my preferred USERNAME and PASSWORD in the Arguments box there and hit done.

Successfully added a VM Extension

After it's done, I click to look at the detailed results. Do note that the Azure Portal is calling into the backend REST services that manage all of Azure, so you can certainly script all of this if you need to.

Script Success

Now I can SSH into the machine (I use Bitvise) and then add my original user back into sudoers.

Adding user to group sudo

At this point I can generally tidy up this machine and put it as it was. I've regained control of a Linux VM that I no longer had root on.

Please check out http://friday.azure.com, subscribe on iTunes, and tweet and tell your friends! There are over 150 episodes of Azure Friday, each just around 15 min long!

March 18, 2015 20:56
So much hassle just to gain a sudo access?
Is there no such thing like root console access directly to the VM from Azure portal site?
March 18, 2015 22:58
In Ubuntu root user login is disabled by default.
March 22, 2015 1:27

scott@localhost~$ sudo su

March 23, 2015 3:39
Steve - Weird. I only use Chrome. Never had a problem with either Azure or Office. I'm not familiar with any "known issues" about this. Care to give me more details?
March 23, 2015 14:13
Very neat and worth knowing.

What I'd like is the ability to detach the root disk from the machine when it was shut down, so I can attach it to another machine and then run fsck on it occasionally.

I needed to do this once as the root partition was misbehaving.

Currently I think you have to make an image of your VM, delete the VM keeping the disk, then attach that to another VM to fsck and then create a VM from the image and configure that to use the original disk (after disconnecting it from the original VM).

Very messy and quite scary!
March 23, 2015 17:44
I think it also can starting with just access to see the screenshot of the running VM, whether Linux or Windows/
March 24, 2015 0:54
I should add that you can do what I described in AWS very quickly.
March 24, 2015 4:58
Keep trying this, but keep getting the following, any ideas? Would appreciate it.

{
"name": "Microsoft.OSTCExtensions.CustomScriptForLinux",
"status": "Error",
"message": "Lanch script failed:[Errno 2] No such file or directory",
"code": 1,
"operation": "Enable"
}

And yes, the error says "Lanch".
AV
March 26, 2015 1:00
Hi Scott,

Any chance you'd update the mixed ASP.net webforms and mvc blog posts for adding a few MVC pages to an existing webforms project?

Here are your two earlier blog posts.

http://www.hanselman.com/blog/IntegratingASPNETMVC3IntoExistingUpgradedASPNET4WebFormsApplications.aspx
http://www.hanselman.com/blog/PlugInHybridsASPNETWebFormsAndASPMVCAndASPNETDynamicDataSideBySide.aspx
Ted
March 27, 2015 5:34
Nice trick.

I have done that before with VM's but not yet in the cloud, will happen eventually!!

Thanks :)
