LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (http://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   sudo: effective uid is not 0, is sudo installed setuid root? (http://www.linuxquestions.org/questions/linux-newbie-8/sudo-effective-uid-is-not-0-is-sudo-installed-setuid-root-4175438614/)

awladnas 11-25-2012 05:30 AM

sudo: effective uid is not 0, is sudo installed setuid root?
 
I'm new in linux ubuntu 12.04. i was installing jdk7. now when i run any command with sudo like :


sudo chown -R awlad /usr/

<b> sudo: effective uid is not 0, is sudo installed setuid root? </b>
i've googling for this about 2 hours.how can i solve this
more info:
ls -l $(which sudo)
give me:
-rwxr-xr-x 1 awlad root 112888 Jul 16 18:14 /usr/bin/sudo

TobiSGD 11-25-2012 05:55 AM

Quote:

Originally Posted by awladnas (Post 4836470)
I'm new in linux ubuntu 12.04. i was installing jdk7. now when i run any command with sudo like :


sudo chown -R awlad /usr/

<b> sudo: effective uid is not 0, is sudo installed setuid root? </b>
i've googling for this about 2 hours.how can i solve this
more info:
ls -l $(which sudo)
give me:
-rwxr-xr-x 1 awlad root 112888 Jul 16 18:14 /usr/bin/sudo

Have you run a command like that successfully before? If yes then you have borked your machine. Changing the owner of all files in /usr to your own unpriviledged user is exactly what would cause such issues and is a good way to break your system.

awladnas 11-25-2012 05:58 AM

Quote:

Originally Posted by TobiSGD (Post 4836479)
Have you run a command like that successfully before? If yes then you have borked your machine. Changing the owner of all files in /usr to your own unpriviledged user is exactly what would cause such issues and is a good way to break your system.

thanks for your reply. Yes may be i'm not sure. is there any way to overcome it?

shivaa 11-25-2012 06:49 AM

Executable file /usr/bin/sudo must have root as owner, not any other user. And that is why it is saying that effective UID isn't 0 (since root has EUID equal to 0). Also note that changing owner of /usr/ may cause other problems to your system. So better try to change owner of /usr/bin/sudo, and then try installing jdk.
Code:

sudo su - root
chown -R root:root /usr/bin/sudo

Then try to install jdk.
If you get permission denied type of error while using sudo cmd then, check whether you've permissions to invoke it or not, using:
Code:

sudo -l

TobiSGD 11-25-2012 08:32 AM

Quote:

Originally Posted by awladnas (Post 4836481)
thanks for your reply. Yes may be i'm not sure. is there any way to overcome it?

Something like that will normally cause a whole bunch of weird effects, the one with sudo you now can see is one of the harmless ones because it gives you a clear error message. If other issues occur I would recommend a clean re-install.

shivaa 11-25-2012 08:38 AM

I would add, the executable /usr/bin/sudo has SUID set on it (-rwsr-xr-x), which means, when you will execute /usr/bin/sudo, you will get same authorization what it's owner i.e. root has. This concept is used for many other executables utilities such /usr/bin/passwd. So simple solution is to change it's owner to root again as suggested above.

chrism01 11-26-2012 12:58 AM

@shivaa: As TobiSGD has pointed out, if the OP has run a cmd to change multiple file ownerships/perms, trying to fix them manually would be almost impossible and in the meantime could be open to exploits.
A re-install would be best.
There is a way to fix rpm based systems (http://www.cyberciti.biz/tips/reset-...ermission.html) but it looks like .deb systems like Ubuntu can't do that.

clunkpt 03-15-2013 10:20 AM

Just open terminal and do "su"
then just type chmod 4755 /usr/bin/sudo

earthling297 05-19-2013 06:49 AM

you could try reinstalling it
it worked for me

whatsupdeepak 09-20-2013 03:24 PM

Just came across this thread as I ran into same issue "effective uid is not 0, is sudo installed setuid root" message, when trying to use 'sudo su -' command.
Here are my 2 cents. After you have checked /usr/bin/sudo and /usr for proper permissions and ownerships etc etc, check your /etc/fstab file, and take out the option 'nosuid' for /usr, if it is there.
Good luck.

d4rkstorm 08-30-2014 06:03 PM

Just a note... tried eveything then...
 
Tried evrything.. debian7 x86 box,.... then, i tried something on my own, and seem to have fixed...

root@sudoer:~# ls -l /usr/bin/sudo
-rwsr-xr-x 2 hax hax 119172 Mar 1 2013 /usr/bin/sudo
root@sudoer:~# chown -R root:root /usr/bin/sudo
root@sudoer:~# sudo ls
sudo: parse error in /etc/sudoers near line 25
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin
root@sudoer:~# chown -R root:root /usr/bin/sudo
root@sudoer:~# sudo ls
sudo: parse error in /etc/sudoers near line 25
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin
root@sudoer:~# nano /etc/sudoers
root@sudoer:~# sudo ls
sudo: parse error in /etc/sudoers near line 24
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin
root@sudoer:~# nano /etc/sudoers
root@sudoer:~# sudo ls
sudo: parse error in /etc/sudoers.d/sudoers near line 29
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin
root@sudoer:~# nano /etc/sudoers.d/sudoers
root@sudoer:~# sudo ls
sudo: parse error in /etc/sudoers.d/sudoers near line 28
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin
root@sudoer:~# sudo -l
sudo: parse error in /etc/sudoers.d/sudoers near line 28
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin
root@sudoer:~# cd /etc/sudoers.d
root@sudoer:/etc/sudoers.d# ls
README sudoers sudoers.so
root@sudoer:/etc/sudoers.d# rm sudoers sudoers.so
root@sudoer:/etc/sudoers.d# sudo ls
README

so, i got my sudo back... then i did chmod settings wich i asked for from a vps hoster
of mine, they simply gave me a very good start, so il post it here

chmod o= /usr/bin/last
chmod o= /usr/bin/lastlog
chmod o= /usr/bin/w
chmod o= /usr/bin/who
chmod o= /usr/bin/chsh
chmod o= /usr/bin/chfn ##added in as it is abused with some methods
chmod o= /usr/bin/sudoedit
chmod o= /usr/bin/smbmnt
chmod o= /usr/bin/traceroute6
chmod o= /bin/umount
chmod o= /bin/ping6
chmod o= /bin/ping
chmod o= /usr/bin/finger
chmod o= /usr/bin/write
chmod o= /usr/bin/nmap
chmod o= /usr/bin/ncat
chmod o= /usr/bin/nping
chmod o= /usr/sbin/hping3
chmod o= /usr/bin/oping
#chmod o= /usr/bin/
chmod o= /usr/bin/nc
chmod o= /usr/bin/cc
chmod o= /usr/bin/netcat
chmod o= /usr/bin/netcat6
chmod o= /bin/mount
chmod o= /usr/bin/top
chmod o= /sbin/umount.cifs
chmod o= /sbin/mount.cifs
chmod og-rwx /etc/rc*
chmod og-rwx /usr/bin/last
chmod og-rwx /usr/sbin/lastlogin
chmod og-rwx /var/log/messages
chmod og-rwx /var/log/maillog
chmod og-rwx /log/maillog
chmod og-rwx /bin/lastlogin
chmod go= /usr/bin/telnet
chmod go= /bin/netstat
chmod go= /bin/telnet
chmod go= /usr/bin/locate
#chmod go-r /bin
#chmod go-r /etc ## we will be making this much better now,readon
chmod go-r /home ## NOTE: I have used for ages simply chmod -r /home ,seems to work fine with debian/ubuntu based,and possibly centOS v5,not v6
#chmod -r /home
#chmod go-r /sbin
#chmod go-r /usr
#chmod go-r /usr/bin
chmod go-r /usr/local
chmod go-r /usr/local/bin/
chmod go-r /usr/local/sbin
chmod go-r /usr/sbin
chmod go-r /usr/src
chmod go-r /usr/src/sys
chmod go-r /usr/src/sys/i386/conf
chmod go-r /var
chmod go-r /var/log
chmod go-r /src/sys/i386/conf
chmod go-r /src/sys
chmod 700 /boot
chmod 700 /dist
chmod 700 /rescue
chmod 700 /root
chmod o+x-r /mnt
chmod 0 /proc/net/netlink

## for tmp dirs, we can also add tmpwatch app on most Linux ..wich then is easily started once, on restart of box.. so need universal-starter.sh made also (todo's)
chmod 660 /var/log/tmp
chmod 660 /var/log/wtmp
chmod 660 /var/run/utmp
chmod 660 /var/log/btmp

## Small read-on section, explaining wqhat is todo,has been done and, ofc, still it is in TESTING on CentOS-6
## ok some simple addins wich are essential (this will both kill most auditd bugs and mainly the udev.d 0days),but really need a perl-pipe-upload blocker,and a FWall tht GOOD!
## wich can add ips as it is being attackd, wich can have own sigs added, or, even script to generate those rules for the ips, and how the rule should be structered.Simply
## using methods like --hash-limit ,will almost kill your use of TCp,so, i have made eth0 based ipv4/6; */network/interface/eth0/* ipv4 or ipv6/ then, modified EACH rule
## THEn there is KNOWN blocks of IPS like, ones we do NOT need, nor will ever use for anything BUT these are also many of boxes wich are pwnable,so must kill them thru iptables
## mixed with (BSD: sysctl.conf and Linux is thru interfaces/ to achieve same thing),BSD has a few different places,and handles tmp dirrently,and will be added to universal
## script for setup of boxes,and for adding of users, after the actual setup scripts,and ip6tables* ipfw6/pf ,must also be accounted for,but on BSD,it use many things.
## Also dont be scred to use some anti-* scripts,nor ddos_deflate, IF you set it right, it works gr8,aswith an upto-date A/V,one wich will find shelling,bindshells,rkits.
## WILL be added/done for Linux/BSD and, will have 2-3 scripts wich you basically then get info for on howto use, plz,dont beg me for shit, if your luicky, and ask, i will ask
## you maybe for some minor helps like, login.sh wich, i would LOVE to be able to make asciigenerator for the motd,and, basically GUI for setting motd,banner.
## MAIN todo, i thik is to check some methods out on restricting /sbin/nologin accounts,passwd/shadow,and blocking even root user echoing to those files,MUST use editor as root
## that, then, i gues, adding as we find new problems, ie; XML,TYP03 ,and other Java/Pdf/Browser exploit stuff wich MAY be used on linux websites hacked,and need to kill these.

## Udev.D and other stuffs we need and have added
chmod 700 /sbin/udevd
chmod 660 /var/log/faillog
chmod 660 /var/log/lastlog
chmod 660 /var/log/lastlogin

## not many people think about 'dash' or 'ash' but theyre BOTH used BUT permissions are VERY different
chmod 511 /bin/dash
chmod 511 /bin/ash
chmod 511 /bin/sh

## this can maybe JUSt be the config wich need to have 100% chmod,but dont know if /ssh/ is useful to blockout. i dont see any harm,so this would be better,or add more to chmod.
chmod 700 /etc/ssh/sshd_config
chmod 700 /etc/ssh/*
chmod 700 /etc/hosts.allow
chmod 700 /etc/hosts.deny
chmod 700 /etc/hosts.equiv

## MAKESURE you do chmod the '/etc/sudoers' file, or it will NOT work right! MUST be,always 0440 .
chmod +x `which sudo`
chmod 440 /etc/sudoers

## Other GOOD ways to chmod what we need ONLY in /etc ,not the WHOLE dir.Pretty easy way to get out of doing a 'good' script/job,so,do BY FILE you NEED ONLY.
## Now we add syslog-ng and use this BUT remmeber rsyslogd ,is STILL active..so must edit syslogging conf, for this and other 'notifiers' of abusive stuff,ie; root-use eMech,etc
chmod 700 /etc/sysctl.conf
chmod 700 /etc/syslog.conf
chmod 700 /etc/syslog-ng.conf
chmod 700 /etc/pam.conf
chmod 700 /etc/profile
chmod 700 /etc/bashrc
chmod 700 /etc/cshrc
chmod 700 /etc/tcshrc
chmod 700 /etc/fstab
chmod 700 /etc/php.ini
chmod 700 /etc/php.conf

## Directory /libs
chmod g+w /usr/lib
chmod 755 /usr/lib

## anti-AUDIT-xploit stuff ie; common pathways used to attack,and the EXACT libs,we can restrict
chmod 711 /sbin/auditd
chmod 711 /dev/shm/*
chmod 755 /proc/fd3/map/*
chmod g+r /proc/fd3/map/*
chmod 755 /proc/*
chmod g+r proc/*
chmod 700 /libs/pcprofile.so
chmod 700 /libs/pcprofile.so.*
chmod 700 /libs/liblftp.so
chmod 700 /libs/liblftp.so.3
chmod 700 /libs/liblftp.so.4
chmod 700 /libs/liblftp.so.*

## apps we add (MOST COMMDON)
chmod 660 /usr/sbin/pure-ftpd
chmod go-r /usr/sbin/pure-ftpd
chmod 700 /usr/etc/pure-ftpd.conf
chmod g+r /usr/sbin/oidentd
chmod 755 /usr/sbin/oidentd
chmod go-r /etc/oidentd.conf
chmod go-r /usr/etc/oidentd.conf
chmod go-r /etc/oidentd_masq.conf
chmod go-r /usr/etc/oidentd.conf
touch ~/.oidentd.conf
chmod 644 ~/.oidentd.conf

## we better CHECk these and also makesure the pure-ftpd stuff done right in /opt/ftpusers/* coz this is user ftp-dir; setup when you add the user (bash-script-addon).
chmod 700 /etc/php-zts.d
chmod 700 /etc/php.d
chmod 700 /etc/php.ini.rpmnew
chmod 700 /etc/httpd/conf.d/php.conf
chmod 700 /etc/php-zts.d/*
chmod 700 /etc/php.d/*
chmod 700 /lib/modules/*

## sometimes this could be anything your using for easy setup and backup, but, to chmod etc/ alone is NOT a great idea,is better to restrict by filenames.
chmod 700 /root/vhosts.php
chmod 700 /root/vhoststest.php
chmod 700 /root/llvm
chmod 700 /root/ftpd-up.sh
chmod 700 /root/webminstart.sh
chmod 700 /root/oidentd.sh
chmod 700 /root/webminstart.sh
chmod 700 /root/ipv6.sh
chmod 700 /root/ipv6-he.sh
chmod 700 /root/vhosts.sh
chmod a+x /etc/motd

## IRC/IRCD and/or anything USER necessary, and some blocks against PHP (.ini) attacks
chmod a+x /usr/bin/irssi
chmod 700 /etc/irssi.conf
chmod a+x /usr/bin/znc
chmod a+x /usr/bin/BitchX
cp /usr/lib64/bx/script/example-.bitchxr ~/.bitchxrc
chmod 711 .bitchxrc
cp /usr/bin/BitchX /usr/bin/bx
chmod a+x /usr/bin/bx
chmod a+x /usr/bin/scr-bx

## added for php,apache,lynx and var/www/ and anything else wich does not fit in other areas.
chmod 700 /usr/bin/php
chmod 700 /usr/bin/php-cgi
chmod 700 /usr/bin/phpize
chmod 700 /usr/lib64/php
chmod 700 /usr/lib64/php-zts
chmod 700 /usr/lib64/php/modules/
chmod 700 /usr/share/php
chmod 700 /var/lib/php
chmod 700 /var/lib/php/session
chmod a+x /usr/bin/lynx
chmod 644 /etc/lynx.cfg
cp /etc/lynx.cfg ~/lynx.cfg
chmod 644 ~/lynx.cfg

## now for httpd and /var/www/
chmod 700 /usr/lib64/httpd/modules/
chmod 660 /var/www/icons/*
chmod 660 /var/www/*

## added for 'syslog-ng' on LINUX,and for -> (CentOS.v6.3 x64-Minimal 2012 Kernel)
## NOTE: THis is currently the box Im using to make this script
## TODO: need x86 pathways for centOS and more better setup chmods ,still need to test some but sofar it is OK for sudo/root,user base being tested/debugged
chmod 700 /etc/syslog-ng
chmod 700 /etc/rc.d/init.d/syslog-ng
chmod 700 /etc/sysconfig/syslog-ng
chmod 700 /etc/syslog-ng/modules.conf
chmod 700 /etc/syslog-ng/patterndb.d
chmod 700 /etc/syslog-ng/scl.conf
chmod 660 /etc/syslog-ng/syslog-ng.conf
chmod 660 /lib64/libsyslog-ng.so.0
chmod 700 /lib64/libsyslog-ng.so.0.0.0
chmod 660 /lib64/syslog-ng
chmod 660 /lib64/syslog-ng/libaffile.so
chmod 660 /lib64/syslog-ng/libafprog.so
chmod 660 /lib64/syslog-ng/libafsocket-notls.so
chmod 700 /lib64/syslog-ng/libafsocket.so
chmod 700 /lib64/syslog-ng/libafuser.so
chmod 700 /lib64/syslog-ng/libbasicfuncs.so
chmod 700 /lib64/syslog-ng/libconfgen.so
chmod 700 /lib64/syslog-ng/libconvertfuncs.so
chmod 700 /lib64/syslog-ng/libcsvparser.so
chmod 700 /lib64/syslog-ng/libdbparser.so
chmod 700 /lib64/syslog-ng/libdummy.so
chmod 700 /lib64/syslog-ng/libsyslogformat.so
chmod 700 /sbin/syslog-ng
chmod 700 /sbin/syslog-ng-ctl
chmod 700 /usr/share/syslog-ng
chmod 700 /usr/share/syslog-ng/include/scl/*
chmod 700 /usr/share/syslog-ng/include/scl/pacct/plugin.conf
chmod 700 /usr/share/syslog-ng/include/scl/syslogconf/plugin.conf
chmod 700 /usr/share/syslog-ng/include/scl/system/generate-system-source.sh
chmod 700 /usr/share/syslog-ng/include/scl/system/plugin.conf
chmod 660 /usr/share/syslog-ng/xsd/*
chmod 660 /var/lib/syslog-ng
chmod 644 /usr/share/doc/*
chmod 644 /usr/share/doc/*/rsyslog_php_syslog_ng.html

## yum manager/repos on centOS/RHEL based distros wich use yum.
chmod 700 /var/lib/yum/yumdb/
chmod 700 /var/lib/yum/yumdb/s/
chmod 700 /etc/yum.repos.d/

## rc.d directorys (centOS6.3-x64) based paths.
#chmod 700 /etc/rc.d/*
chmod 700 /etc/rc.d/rc0.d/*
chmod 700 /etc/rc.d/rc1.d/*
chmod 700 /etc/rc.d/rc2.d/*
chmod 700 /etc/rc.d/rc3.d/*
chmod 700 /etc/rc.d/rc4.d/*
chmod 700 /etc/rc.d/rc5.d/*
chmod 700 /etc/rc.d/rc6.d/*


along with the o/s , might help... oh, i had to run dpkg-reconfigure vsftpd for vsftpd users,thats only way to reset your configs then just reset that up.. theres alot still untouched, but this atleast gives you a chance... and heym , now my vps loaded all init scripts etc fine no erors...so i have somewhat reccovered from this on debian ** (remember deb was apprently not possible,..and frankly i tried everything..until the above when i removed the sudoers file from sudoers.d it seeemed to work as there is a sudoers.tmp file wich seems visudo will create, thats the problem in debian.. you have to reset your sudoers file in /etc/ chmod it as root, then go hard :)
xd


All times are GMT -5. The time now is 03:35 PM.