What Could Have Happened to My User Account on My VPS?

Asked By CuriousTechie92 On

I recently logged into my VPS and found that my user had been removed from the sudo group, which really baffled me. Here are the details:

1. I'm the only one with access to this VPS.
2. I only allow SSH access for myself, and root login is disabled.
3. Other users and system accounts have their shells set to nologin, except for root and sync. I didn't think it was necessary to change the shell for root since I disabled root SSH access.
4. My bash history shows I used sudo correctly just before logging off last night.
5. I recently set up caddy using podman, which is on the host network. It feels unlikely that someone could have hacked into the VPS through a newly set up Caddy docker image in just 24 hours.

I'm trying to figure out how my user account got removed from the sudo group and what steps I can take to diagnose the situation.

5 Answers

Answered By SystemSleuth On

You should definitely check the logs to see if anyone accessed your hosting account, which could lead them to your VPS.

Answered By SecurityGuy On

Do you have auditd enabled to log all sudo activity? It could help catch the changes if someone else accessed your VPS. Also, check your auth logs for any logins from unknown IPs.

Answered By WatcherOfLogs On

It sounds more like a self-inflicted issue rather than a hack. Out of curiosity, what else are you running with caddy? Also, which distro are you using and who’s your hosting provider?

CuriousTechie92 -

Great point! I think I made that mistake too; my bash history doesn’t show me removing myself though. I'm running Debian Trixie, and I'm using podman to run caddy rootless attached to the host network. The only services I plan to run are all in containers, which haven't been set up yet. My VPS provider is Racknerd.

Answered By CommandLineHero On

Did you by any chance use `usermod -G` instead of `usermod -aG`? That's a common mistake that would explain your user being removed from the sudo group.

Answered By MysterySolver On

I figured it out! I mistakenly used `usermod -G` instead of `-aG`. I kept using sudo for a while without realizing the permissions had changed. Apparently, Debian takes a moment to apply the new user permissions after using usermod. I guess I shot myself in the foot there!

TechExplainator -

That's a common misunderstanding! Just keep in mind that changes to group membership require a new login session to take effect. Always good to check your existing permissions before making changes.

PermissionMaster -

True, that’s how Linux works. Always verify changes by creating a new session!
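Added example, not code from the thread: a POSIX shell check for the stale-session state these answers describe, comparing the groups a login session still carries (output of `id -nG`, assumed to list the primary group first) against the current group database. Inputs are constructed files so it runs offline.

```shell
#!/bin/sh
# A login session keeps the group list it was given at login, so after
# `usermod -G` rewrote the membership, `id` in the OLD session still shows
# sudo while the group database no longer lists the user. Both inputs are
# files so the check runs against a constructed snapshot; on a live host
# generate them with:  id -nG > session.txt ; getent group > groups.txt

# groups_in_file USER FILE: print every group in FILE (/etc/group format,
# name:x:gid:member,member) whose member list names USER.
groups_in_file() {
    awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print $1
    }' "$2"
}

# stale_groups USER SESSION_FILE GROUP_FILE: print groups the session still
# holds that the group file no longer grants. The first word of `id -nG` is
# the primary group, which comes from /etc/passwd rather than a member list,
# so it is skipped. Empty output means session and database agree.
stale_groups() {
    user="$1"; session="$2"; groups="$3"
    have=$(groups_in_file "$user" "$groups")
    set -- $(cat "$session"); shift   # drop the primary group
    for g in "$@"; do
        printf '%s\n' "$have" | grep -qxF "$g" || echo "$g"
    done
}

# Constructed snapshot: alice logged in while in sudo and adm, then ran
# `usermod -G docker alice`, which replaced her supplementary groups.
demo() {
    d=$(mktemp -d)
    echo "alice sudo adm" > "$d/session.txt"
    printf 'sudo:x:27:\nadm:x:4:alice\ndocker:x:999:alice\n' > "$d/groups.txt"
    stale_groups alice "$d/session.txt" "$d/groups.txt"
    rm -rf "$d"
}
demo   # prints: sudo
```

The hypothetical `adm` line is intentionally kept so the check reports only the membership that was lost, not every group.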
