[opensuse-factory] sudo issues
Hello,

On two of my Factory systems, sudo does not work (but does on others). They have the same trivial /etc/sudoers.d/af file granting my user unrestricted rights, and the authentication/authorization part does seem to work okay. However when running "sudo reboot" or "sudo echo foo", simply nothing happens beyond the password request if not cached, i.e. it seems as if the argument does not get executed. su with interactive commands works just fine though.

I've already tried to forcefully reinstall "sudo" and "permissions" packages, and removing and reinstalling "sudo" package with no luck.

Using yast2-sudo to write back the settings did not help either.

The file permissions look identical on both config files and on the executable, including the sticky bit.

The nosuid option is _not_ set on the ext4 root filesystem.

If I try to run "strace sudo echo foo", then it complains about the effective UID not being 0, both on working and non-working systems.

Could this be due to some kernel config option? Most of my armv7hl Factory systems are running the latest linux-next.git next-20150220, but it happened also with earlier kernels on those systems.

Any ideas what else to check?

Thanks,
Andreas

--
SUSE Linux GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Felix Imendörffer, Jane Smithard, Jennifer Guild, Dilip Upmanyu, Graham Norton; HRB 21284 (AG Nürnberg)

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

On Sat, 21 Feb 2015 02:41:35 +0100, Andreas Färber wrote:
> Hello,
>
> On two of my Factory systems, sudo does not work (but does on others). They have the same trivial /etc/sudoers.d/af file granting my user unrestricted rights, and the authentication/authorization part does seem to work okay. However when running "sudo reboot" or "sudo echo foo", simply nothing happens beyond the password request if not cached, i.e. it seems as if the argument does not get executed. su with interactive commands works just fine though.
>
> I've already tried to forcefully reinstall "sudo" and "permissions" packages, and removing and reinstalling "sudo" package with no luck.
>
> Using yast2-sudo to write back the settings did not help either.
>
> The file permissions look identical on both config files and on the executable, including the sticky bit.
>
> The nosuid option is _not_ set on the ext4 root filesystem.
>
> If I try to run "strace sudo echo foo", then it complains about the effective UID not being 0, both on working and non-working systems.
>
> Could this be due to some kernel config option? Most of my armv7hl Factory systems are running the latest linux-next.git next-20150220, but it happened also with earlier kernels on those systems.
>
> Any ideas what else to check?

strace output would be interesting for a start.

On 21.02.2015 Andrei Borzenkov wrote:
> On Sat, 21 Feb 2015 02:41:35 +0100, Andreas Färber wrote:
> > If I try to run "strace sudo echo foo", then it complains about the effective UID not being 0, both on working and non-working systems.
>
> strace output would be interesting for a start.

You did read his mail?

Regards,
Johannes

--
`Voldemort himself created his worst enemy, just as tyrants everywhere do! Have you any idea how much tyrants fear the people they oppress? All of them realise that, one day [...]there is sure to be one who rises against them and strikes back.´ (Harry Potter 6)

On 21.02.2015 at 06:39, Andrei Borzenkov wrote:
> On Sat, 21 Feb 2015 02:41:35 +0100, Andreas Färber wrote:
> > The nosuid option is _not_ set on the ext4 root filesystem.
> > If I try to run "strace sudo echo foo", then it complains about the effective UID not being 0, both on working and non-working systems.
>
> strace output would be interesting for a start.

"LANG=C LC_ALL=C strace sudo echo foo" output (after having entered the password once) seems to mainly differ in memory addresses afaict.

[...]
access("/usr/bin/sudo", X_OK) = 0
stat64("/usr/bin/sudo", {st_mode=S_IFREG|S_ISUID|0755, st_size=124112, ...}) = 0
write(2, "sudo: effective uid is not 0, is"..., 140sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
) = 140
exit_group(1) = ?
+++ exited with 1 +++

I assume this error is because /usr/bin/sudo is sticky, but strace somehow runs it under my user's uid 1000 rather than root's uid 0.

The diff -u between logs from two Factory systems is attached: parallella is working, arnd isn't.

If more is needed, I should probably rather open a bug - was assuming there's probably something trivial I overlooked...

Cheers,
Andreas

On Sat, Feb 21, 2015 at 03:51:13PM +0100, Andreas Färber wrote:
> On 21.02.2015 at 06:39, Andrei Borzenkov wrote:
> > On Sat, 21 Feb 2015 02:41:35 +0100, Andreas Färber wrote:
> > > The nosuid option is _not_ set on the ext4 root filesystem.
> > > If I try to run "strace sudo echo foo", then it complains about the effective UID not being 0, both on working and non-working systems.
> >
> > strace output would be interesting for a start.
>
> "LANG=C LC_ALL=C strace sudo echo foo" output (after having entered the password once) seems to mainly differ in memory addresses afaict.
>
> [...]
> access("/usr/bin/sudo", X_OK) = 0
> stat64("/usr/bin/sudo", {st_mode=S_IFREG|S_ISUID|0755, st_size=124112, ...}) = 0
> write(2, "sudo: effective uid is not 0, is"..., 140sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
> ) = 140
> exit_group(1) = ?
> +++ exited with 1 +++
>
> I assume this error is because /usr/bin/sudo is sticky, but strace somehow runs it under my user's uid 1000 rather than root's uid 0.
>
> The diff -u between logs from two Factory systems is attached: parallella is working, arnd isn't.
>
> If more is needed, I should probably rather open a bug - was assuming there's probably something trivial I overlooked...

If you strace setuid binaries, setuid will be inactivated by the kernel.

Are there entries in other logfiles? Like /var/log/messages /var/log/audit/audit.log ?

Ciao, Marcus

On 21.02.2015 Andreas Färber wrote:
> Any ideas what else to check?

I have some sudo related stuff in /var/log/audit/audit.log, might be necessary to install auditd to get that. And that is mostly apparmor stating that someone executed sudo.

I'm trying to get the sudo logs out of journalctl right now, because I wanted to tell you where to look for the logs, but could not find them myself... ;-)

Regards,
Johannes

--
`Oh, you may not think I'm pretty, But don't judge on what you see, I'll eat myself if you can find a smarter hat than me.´ (The Sorting Hat in Harry Potter I)

* Johannes Kastl
> On 21.02.2015 Andreas Färber wrote:
> > Any ideas what else to check?
>
> I have some sudo related stuff in /var/log/audit/audit.log, might be necessary to install auditd to get that. And that is mostly apparmor stating that someone executed sudo.
>
> I'm trying to get the sudo logs out of journalctl right now, because I wanted to tell you where to look for the logs, but could not find them myself... ;-)

journalctl |grep sudo
or
journalctl |grep -C3 sudo

--
(paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri
http://en.opensuse.org openSUSE Community Member facebook/ptilopteri
http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2
Registered Linux User #207535 @ http://linuxcounter.net

On 21/02/15 at 10:09, Patrick Shanahan wrote:
> journalctl |grep sudo
> or
> journalctl |grep -C3 sudo

No. You want to use journalctl /usr/bin/sudo, no piping or grep needed.

Hi,

On 21.02.2015 at 19:06, Vitezslav Cizek wrote:
> * On Saturday, 21 February 2015, 02:41:35 [CET] Andreas Färber wrote:
> > If I try to run "strace sudo echo foo", then it complains about the effective UID not being 0, both on working and non-working systems.
>
> Run this as root:
> # strace -u your_username sudo echo foo

Thanks, that worked! It turned out that Factory needs CONFIG_AUDIT, whereas 13.2 did not.

I've filed a bug to report the silent failure: https://bugzilla.opensuse.org/show_bug.cgi?id=918953

Regards,
Andreas

On 21/02/15 at 19:36, Andreas Färber wrote:
> Hi,
>
> On 21.02.2015 at 19:06, Vitezslav Cizek wrote:
> > * On Saturday, 21 February 2015, 02:41:35 [CET] Andreas Färber wrote:
> > > If I try to run "strace sudo echo foo", then it complains about the effective UID not being 0, both on working and non-working systems.
> >
> > Run this as root:
> > # strace -u your_username sudo echo foo
>
> Thanks, that worked! It turned out that Factory needs CONFIG_AUDIT, whereas 13.2 did not.
>
> I've filed a bug to report the silent failure: https://bugzilla.opensuse.org/show_bug.cgi?id=918953

Hrmm.. while enabling audit in the kernel is indeed a requirement for other things..sudo shouldn't fail without it..

* On Sunday, 22 February 2015, 07:20:58 [CET] Cristian Rodríguez wrote:
> On 21/02/15 at 19:36, Andreas Färber wrote:
> > Hi,
> >
> > On 21.02.2015 at 19:06, Vitezslav Cizek wrote:
> > > * On Saturday, 21 February 2015, 02:41:35 [CET] Andreas Färber wrote:
> > > > If I try to run "strace sudo echo foo", then it complains about the effective UID not being 0, both on working and non-working systems.
> > >
> > > Run this as root:
> > > # strace -u your_username sudo echo foo
> >
> > Thanks, that worked! It turned out that Factory needs CONFIG_AUDIT, whereas 13.2 did not.
> >
> > I've filed a bug to report the silent failure: https://bugzilla.opensuse.org/show_bug.cgi?id=918953
>
> Hrmm.. while enabling audit in the kernel is indeed a requirement for other things..sudo shouldn't fail without it..

Agreed. This is a bug in sudo: http://bugzilla.sudo.ws/show_bug.cgi?id=671

I submitted sudo 1.8.12 including the fix to Factory.

--
Vita Cizek

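The conditions this thread checked one by one (the setuid bit on /usr/bin/sudo, the nosuid mount option, and CONFIG_AUDIT in the running kernel), collected into one script as an added example that is not part of any post above. The function names are illustrative, and reading the kernel config from /proc/config.gz or /boot/config-$(uname -r) is an assumption about the system.

```shell
#!/bin/sh
# Added example. The three predicates take their input as an argument or on
# stdin, so they can be checked against constructed samples.

# has_setuid MODE: MODE is the octal mode from `stat -c %a`, e.g. 4755.
# The setuid bit is 04000 (strace shows it as S_ISUID).
has_setuid() {
    [ $(( 0$1 >> 9 & 4 )) -ne 0 ]
}

# has_nosuid OPTS: OPTS is a comma-separated mount option string.
has_nosuid() {
    case ",$1," in
        *,nosuid,*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_enabled: kernel config on stdin; true only for CONFIG_AUDIT=y itself,
# not for "# CONFIG_AUDIT is not set" or CONFIG_AUDITSYSCALL=y.
audit_enabled() {
    grep -q '^CONFIG_AUDIT=y$'
}

# kernel_config: print the running kernel's config (locations are assumptions).
kernel_config() {
    if [ -r /proc/config.gz ]; then zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then cat "/boot/config-$(uname -r)"
    else return 1
    fi
}

# diagnose [PATH]: run the checks against the live system.
diagnose() {
    bin=${1:-/usr/bin/sudo}
    if has_setuid "$(stat -c %a "$bin")"; then echo "setuid bit: set"
    else echo "setuid bit: missing on $bin"; fi
    if has_nosuid "$(findmnt -n -o OPTIONS -T "$bin")"; then
        echo "mount: nosuid set, kernel ignores the setuid bit"
    else echo "mount: nosuid not set"; fi
    if ! cfg=$(kernel_config); then echo "CONFIG_AUDIT: kernel config unreadable"
    elif printf '%s\n' "$cfg" | audit_enabled; then echo "CONFIG_AUDIT: enabled"
    else echo "CONFIG_AUDIT: not enabled"; fi
}

# Run with: sh sudo-checks.sh --run [/path/to/sudo]
if [ "${1:-}" = "--run" ]; then diagnose "${2:-}"; fi
```

Run it untraced: as noted in the thread, a setuid binary started under strace by an ordinary user does not get its effective uid changed.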
participants (7)
- Andreas Färber
- Andrei Borzenkov
- Cristian Rodríguez
- Johannes Kastl
- Marcus Meissner
- Patrick Shanahan
- Vitezslav Cizek