Troubleshooting addendum: Account expired or PAM config lacks an "account" section for sudo
egberts opened this issue · 4 comments
In your website link, you can expand the following segment:
sudo: Account expired or PAM config lacks an "account" section for sudo, contact your system administrator
to include another checklist to try:
Check the /etc/shadow
Even weirder, check the first line of /etc/shadow to ensure that it has the following:
root:!*:::::
Mine had root:!*::::0:1: and that is what was causing the exact error.
Tried root:!*::::0:0:, no dice.
Tried root:!*::::::, Eureka!
(Please don't ask me how it got there, I am running someone else's ArchLinux).
The root:!*::::0:1: entry means that the account inactivity period was set to 0 and the account expiration date is set to one day after the Unix epoch. So the root account really was marked as being expired. This could be caused by someone running:
usermod -e 1 -f 0 -L root
Though I'm not sure why someone would want to disable access to the root account completely.
I've updated the troubleshooting info to talk more explicitly about how an account can be marked as expired in /etc/shadow.
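A checker for the condition described above, added here as an example; it is not part of the issue thread or of sudo's own code. It assumes the nine-field entry layout documented in shadow(5); the function name audit_shadow and the sample entries are constructed for illustration.

```python
import datetime

# Field order from shadow(5); an entry has exactly nine colon-separated fields.
FIELDS = ("name", "password", "last_change", "min_age", "max_age",
          "warn", "inactive", "expire", "reserved")
EPOCH = datetime.date(1970, 1, 1)


def audit_shadow(lines, today=None):
    """Return {account: finding} for entries that are expired or malformed."""
    today_days = ((today or datetime.date.today()) - EPOCH).days
    findings = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            findings[parts[0]] = f"malformed: {len(parts)} fields, expected 9"
            continue
        entry = dict(zip(FIELDS, parts))
        expire = entry["expire"]
        if expire == "":
            continue  # empty field: the account never expires
        if not expire.isdigit():
            findings[entry["name"]] = f"malformed: expire field {expire!r}"
        elif int(expire) == 0:
            # shadow(5) advises against 0 because its meaning is ambiguous.
            findings[entry["name"]] = "ambiguous: expire field is 0"
        elif today_days >= int(expire):
            # The expire field counts days since 1970-01-01.
            when = EPOCH + datetime.timedelta(days=int(expire))
            findings[entry["name"]] = f"expired on {when.isoformat()}"
    return findings


# Constructed sample entries (not taken from a real system).
SAMPLE = [
    "root:!*:::::0:1:",                  # inactive=0, expire=1
    "daemon:!*:::::::",                  # no expiry set
    "alice:!*:19000:0:99999:7::99999:",  # expiry far in the future
    "bob:!*::::0:1:",                    # one field short of nine
]

if __name__ == "__main__":
    for account, finding in audit_shadow(SAMPLE).items():
        print(f"{account}: {finding}")
```

To audit a live system, pass the open file instead of SAMPLE, for example audit_shadow(open("/etc/shadow")); reading that file requires root.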
It is common to disable the root completely for a remote host. Even CISecurity recommends this.
There's a difference between disabling direct root login and disabling all access to root via sudo or su.
Believe it or not.
Having expired root and sudo can still let group or users do sudo.
I just cannot perform sudo while already as root user.
Isn't that funky? It's useful when having a crippled (restricted) shell for sudo'd users. Prevents full root via sudo.