-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 21.02.2015 Andrei Borzenkov wrote:

В Sat, 21 Feb 2015 02:41:35 +0100 Andreas Färber пишет:

...

If I try to run "strace sudo echo foo", then it complains about the effective UID not being 0, both on working and non-working systems.

strace output would be interesting for a start.

You did read his mail? Regards, Johannes - -- `Voldemort himself created his worst enemy, just as tyrants everywhere do! Have you any idea how much tyrants fear the people they oppress? All of them realise that, one day [...]there is sure to be one who rises against them and strikes back.´ (Harry Potter 6) -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with SeaMonkey - http://www.enigmail.net/ iEYEARECAAYFAlToMoMACgkQzi3gQ/xETbIilgCfVUWTfJeBwcH7nmFqsQmyzZx4 YPMAnjyrJxGQilUYVATiLqyZcHGq9bP1 =Dkv0 -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

On Sat, Feb 21, 2015 at 03:51:13PM +0100, Andreas Färber wrote:

Am 21.02.2015 um 06:39 schrieb Andrei Borzenkov:

...

В Sat, 21 Feb 2015 02:41:35 +0100 Andreas Färber пишет:

...

The nosuid option is _not_ set on the ext4 root filesystem.

If I try to run "strace sudo echo foo", then it complains about the effective UID not being 0, both on working and non-working systems.

strace output would be interesting for a start.

"LANG=C LC_ALL=C strace sudo echo foo" output (after having entered the password once) seems to mainly differ in memory addresses afaict.

[...] access("/usr/bin/sudo", X_OK) = 0 stat64("/usr/bin/sudo", {st_mode=S_IFREG|S_ISUID|0755, st_size=124112, ...}) = 0 write(2, "sudo: effective uid is not 0, is"..., 140sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges? ) = 140 exit_group(1) = ? +++ exited with 1 +++

I assume this error is because /usr/bin/sudo is sticky, but strace somehow runs it under my user's uid 1000 rather than root's uid 0.

The diff -u between logs from two Factory systems is attached: parallella is working, arnd isn't.

If more is needed, I should probably rather open a bug - was assuming there's probably something trivial I overlooked...

If you strace setuid binaries, setuid will be inactivated by the kernel. Are there entries in other logfiles? Like /var/log/messages /var/log/audit/audit.log ? Ciao, Marcus -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

* Johannes Kastl [02-21-15 02:31]:

On 21.02.2015 Andreas Färber wrote:

...

Any ideas what else to check?

I have some sudo related stuff in /var/log/audit/audit.log, might be necessary to install auditd to get that. And that is mostly apparmor stating that someone executed sudo.

I'm trying to get the sudo logs out of journalctl right now, because I wanted to tell you where to look for the logs, but could not find them myself... ;-)

journalctl |grep sudo or journalctl |grep -C3 sudo -- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 Registered Linux User #207535 @ http://linuxcounter.net -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

El 21/02/15 a las 19:36, Andreas Färber escribió:

Hi,

Am 21.02.2015 um 19:06 schrieb Vitezslav Cizek:

...

* Dne Sobota 21. únor 2015, 02:41:35 [CET] Andreas Färber napsal:

...

If I try to run "strace sudo echo foo", then it complains about the effective UID not being 0, both on working and non-working systems.

Run this as root: # strace -u your_username sudo echo foo

Thanks, that worked! It turned out that Factory needs CONFIG_AUDIT, whereas 13.2 did not.

I've filed a bug to report the silent failure: https://bugzilla.opensuse.org/show_bug.cgi?id=918953

Hrmm.. while enabling audit in the kernel is indeed a requirement for other things..sudo shouldn't fail without it.. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org