Unable to Run sudo due to getresuid() Not Working on CentOS 3.1

Xyrael · 02-19-2006, 03:39 AM

Hi,

I'm currently running a CentOS 3.1 VPS and want to give someone else root access without allowing them to change the root password and lock me out, and I want to apply the same property to my standard user account so that I don't have to logon as root so often. The server is running the latest stable version of cPanel. To this end I have placed the following in the sudoers file:

Code:

# Xyrael's SysOp Definitions (2006-02-18)
Cmnd_Alias      SHELLS = /usr/bin/sh,   /usr/bin/csh,           \
                         /usr/bin/ksh,  /usr/local/bin/tcsh,    \
                         /usr/bin/rsh,  /usr/local/bin/zsh

User_Alias      SYSOPS = sean, tom

SYSOPS          ALL    = !/usr/bin/su, !SHELLS

Unfortunately, I then have problems when attempting to test this on one of the users with the authentication:

Code:

root@server [/home/tom]# su tom
tom@piratefiles.com [~]# cd /root
bash: cd: /root: Permission denied
tom@piratefiles.com [~]# sudo cd /root
setresuid(0, 0, 0) failed, your operating system may have a broken setresuid() function
Try running configure with --disable-setresuid
tom@piratefiles.com [~]#

Additionally, here is the sudo version information:

Code:

Sudo version 1.6.7p5

Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Ignore '.' in $PATH
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5 minutes
Password prompt timeout: 5 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/run/sudo
Default password prompt: Password:
Default user to run commands as: root
Path to the editor for use by visudo: /bin/vi
Environment variables to check for sanity:
        LANGUAGE
        LANG
        LC_*
Environment variables to remove:
        BASH_ENV
        ENV
        TERMCAP
        TERMPATH
        TERMINFO_DIRS
        TERMINFO
        _RLD*
        LD_*
        PATH_LOCALE
        NLSPATH
        HOSTALIASES
        RES_OPTIONS
        LOCALDOMAIN
        IFS
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
Local IP address and netmask pairs:
        127.0.0.1 / 0xffffffff
        65.254.53.143 / 0xffffffff

I'm reluctant to start reinstalling sudo to get this feature to work, because I don't want to fry anything important because this is a production server, with several hosted websites. Is there anyway to fix this problem, and has it been documented before?

Thanks,
Xyrael

unSpawn · 02-21-2006, 06:49 AM

I'm reluctant to start reinstalling sudo to get this feature to work, because I don't want to fry anything important because this is a production server, with several hosted websites.
You could build a custom RPM package with sudo under a different path with a slightly different binary name (see configure options). If you need help tell me the exact location of the source RPM. I'll check/build for CentOS 3.3 though.

Is there anyway to fix this problem, and has it been documented before?
If testing a custom RPM isn't your cup of tea you should take it up with the Sudo maintainers.

Xyrael · 02-22-2006, 11:01 AM

Thanks for the reply.

Changing the name sounds fine as long as the command can be aliased so that it isn't complicated. I don't mind it being built with 3.3 as long as it'll work! I'd be very grateful if you were able to do that for me.

Thankyou again.

unSpawn · 02-22-2006, 11:45 AM

You didn't read my post completely or didn't act on it.
//Hint: three major conditions when pricing realty.

Xyrael · 02-22-2006, 02:02 PM

Apologies for not reading properly; thanks for being patient.

I'm not sure where the RPM came from, because I think it was installed by default with the OS. It doesn't appear that they have an RPM, and instead offer the source and easy to use build instructions. However, the upgrade instructions are meant for real pros, and I'm not that yet - would you be able to decipher them for me so that I can attempt to do it? Thanks! I think they can be found on this page:
http://sudo.ws/sudo/download.html

I'm very grateful for your help

unSpawn · 02-23-2006, 07:25 AM

I'm not sure where the RPM came from, because I think it was installed by default with the OS.
Which means it's on the CDR's or mirrors. So the only thing you had to do was use a searchengine to point me to the location of sudo-1.6.7p5-1.1.src.rpm ...

OK. here's diff for building sudo. This RPM will have a custom suffix "1.6.7p5.CUSTOM.SETRESUID-0.1", compile sudo with --disable-setresuid, *only* install the sudo binary and install that binary in /opt/sudo/bin which means you must have it in your global PATH or call with a full path to test. I hope you have a box to build RPM's on and know how to apply the diff and build the RPM.

Please note that by now this ain't a Linux - Security question anymore, more something like Linux - Software or alike. This thread should be moved there.

Code:

--- sudo.spec	2005-06-21 09:44:12.000000000 +0200
+++ sudo.spec	2006-06-21 09:44:13.000000000 +0200
@@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users.
 Name: sudo
-Version: 1.6.7p5
-Release: 1.1
+Version: 1.6.7p5.CUSTOM.SETRESUID
+Release: 0.1
 License: BSD
 Group: Applications/System
 Source: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz
@@ -30,7 +30,7 @@
 
 %build
 %configure \
-	--prefix=%{_prefix} \
+	--prefix=/opt/sudo \
 	--sbindir=%{_sbindir} \
 	--with-logging=syslog \
 	--with-logfac=authpriv \
@@ -38,7 +38,8 @@
 	--with-editor=/bin/vi \
 	--with-env-editor \
 	--with-ignore-dot \
-	--with-tty-tickets
+	--with-tty-tickets \
+	--disable-setresuid
 make
 
 %install
@@ -46,32 +47,38 @@
 
 mkdir $RPM_BUILD_ROOT
 %{makeinstall} install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g`
-chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/* 
-install -d -m 700 $RPM_BUILD_ROOT/var/run/sudo
-
-mkdir -p $RPM_BUILD_ROOT/etc/pam.d
-cat > $RPM_BUILD_ROOT/etc/pam.d/sudo << EOF
-#%PAM-1.0
-auth       required	pam_stack.so service=system-auth
-account    required	pam_stack.so service=system-auth
-password   required	pam_stack.so service=system-auth
-session    required	pam_stack.so service=system-auth
-EOF
+rm -rf $RPM_BUILD_ROOT/etc
+mkdir -p $RPM_BUILD_ROOT/opt/sudo/bin
+chmod 755 $RPM_BUILD_ROOT/opt $RPM_BUILD_ROOT/opt/sudo $RPM_BUILD_ROOT/opt/sudo/bin
+mv -f $RPM_BUILD_ROOT/usr/bin/sudo $RPM_BUILD_ROOT/opt/sudo/bin/
+rm -rf $RPM_BUILD_ROOT/usr
+#chmod 755 $RPM_BUILD_ROOT%{_bindir}/* # $RPM_BUILD_ROOT%{_sbindir}/* 
+#install -d -m 700 $RPM_BUILD_ROOT/var/run/sudo
+
+
+#mkdir -p $RPM_BUILD_ROOT/etc/pam.d
+#cat > $RPM_BUILD_ROOT/etc/pam.d/sudo << EOF
+##%PAM-1.0
+#auth       required	pam_stack.so service=system-auth
+#account    required	pam_stack.so service=system-auth
+#password   required	pam_stack.so service=system-auth
+#session    required	pam_stack.so service=system-auth
+#EOF
 
 %clean 
 rm -rf $RPM_BUILD_ROOT
 
 %files
 %defattr(-,root,root)
-%doc BUGS CHANGES HISTORY LICENSE README RUNSON TODO TROUBLESHOOTING UPGRADE *.pod
-%attr(0440,root,root) %config(noreplace) /etc/sudoers
-%config(noreplace) /etc/pam.d/sudo
-%dir /var/run/sudo
-%attr(4111,root,root) %{_bindir}/sudo
-%attr(0755,root,root) %{_sbindir}/visudo
-%{_mandir}/man5/sudoers.5*
-%{_mandir}/man8/sudo.8*
-%{_mandir}/man8/visudo.8*
+#%doc BUGS CHANGES HISTORY LICENSE README RUNSON TODO TROUBLESHOOTING UPGRADE *.pod
+#%attr(0440,root,root) %config(noreplace) /etc/sudoers
+#%config(noreplace) /etc/pam.d/sudo
+#%dir /var/run/sudo
+%attr(4111,root,root) /opt/sudo/bin/sudo
+#%attr(0755,root,root) %{_sbindir}/visudo
+#%{_mandir}/man5/sudoers.5*
+#%{_mandir}/man8/sudo.8*
+#%{_mandir}/man8/visudo.8*
 
 # Make sure permissions are ok even if we're updating
 %post

Alternatively you may temporarily download a tarball containing
redhat/SPECS/sudo.diff
redhat/SPECS/sudo.spec
redhat/RPMS/i686/sudo-1.6.7p5.CUSTOM.SETRESUID-0.1.i686.rpm
here (use "save as" just to be sure).
I'd appreciate it if you let me know (here, or by email whatever is faster) ASAP you got.

Xyrael · 02-23-2006, 01:20 PM

Unfortunately, this doesn't appear to work. I installed the rpm successfully that you suggested, and the file was installed well. Then I tried to run it, and got this:

Code:

root@server [/opt/sudo/bin]# su sean
sean@silentflame.com [/opt/sudo/bin]# ./sudo ls /root
Sorry, ./sudo must be setuid root.
sean@silentflame.com [/opt/sudo/bin]# ./sudo -u root ls /root
Sorry, ./sudo must be setuid root.
sean@silentflame.com [/opt/sudo/bin]# ./sudo --help
Sorry, ./sudo must be setuid root.

Thanks very much for all your help so far.

unSpawn · 02-23-2006, 02:46 PM

Sorry, ./sudo must be setuid root.
Make sure it's root-owned:
chown root.root /opt/sudo/bin/sudo
then make it setuid-root:
chmod 4755 /opt/sudo/bin/sudo"

//Moderator.note: I'll move this thread to Linux - General: this isn't a security issue AFAIK.

unSpawn · 02-23-2006, 03:05 PM

* For anyone reading this who didn't have doubts about the practice of installing custom RPM's w/o checksum, w/o .src.rpm: trivialities like "reputation" should not be mistaken as a basis for reassurance. Always ask for the Source, Luke!

Xyrael · 02-25-2006, 09:13 AM

Code:

sean@silentflame.com [~/www/portal]# /opt/sudo/bin/sudo cd /root
setreuid(0, user_uid): Resource temporarily unavailable

Waddaya think? Thanks.

unSpawn · 02-25-2006, 10:23 AM

Waddaya think?
Might be something VPS catches. Please take it up with the Sudo maintainers.
If they have any fix, workaround or whatever else I'd appreciate a reply from you here.
Sorry we couldnt be of more help.

Xyrael · 02-25-2006, 10:33 AM

Don't worry, you've already given more than I expected and I will certainly visit this site again, perhaps as a helper rather than a helped next time.

I'll drop the sudo team a line.

Thanks, Xy

Xyrael · 03-30-2006, 11:00 AM

I'd like to reopen this topic.

For other reasons unrelated to this, I have moved to another vps provider. Sudo appears to work.

Unfortunately, my sudo config file as shown above does not - here is what I get:

Code:

root@server [~/newt]# su sean
bash: /home/sean/.dns: Permission denied
sean@silentflame.com [/root/newt]# sudo
usage: sudo -V | -h | -L | -l | -v | -k | -K | [-H] [-P] [-S] [-b] [-p prompt]
            [-u username/#uid] -s | <command>
sean@silentflame.com [/root/newt]# sudo cat ls /root

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these two things:

        #1) Respect the privacy of others.
        #2) Think before you type.

Password:
Sorry, try again.
Password:
Sorry, user sean is not allowed to execute '/bin/cat ls /root' as root on server.silentflame.com.
sean@silentflame.com [/root/newt]# sudo cat ls /root
Sorry, user sean is not allowed to execute '/bin/cat ls /root' as root on server.silentflame.com.
sean@silentflame.com [/root/newt]# sudo
usage: sudo -V | -h | -L | -l | -v | -k | -K | [-H] [-P] [-S] [-b] [-p prompt]
            [-u username/#uid] -s | <command>
sean@silentflame.com [/root/newt]#

I'd be grateful if you could offer some advice on the situation. Thanks.

unSpawn · 03-30-2006, 02:05 PM

I'd like to reopen this topic.
On LQ it's kinda customary to open a new thread for a new topic. Keeps the place clean y'know.

Sorry, user sean is not allowed to execute '/bin/cat ls /root' as root on server.silentflame.com
...and syslog says?

Rollo69 · 02-06-2008, 08:29 PM

Quote:

unSpawn
Sorry, ./sudo must be setuid root.
Make sure it's root-owned:
chown root.root /opt/sudo/bin/sudo
then make it setuid-root:
chmod 4755 /opt/sudo/bin/sudo"

I just wanted to say thanks for this very useful info even though sudo is in different directory (of course). It allowed me to start using sudo for user in Slackware. Thank you!!