LinuxQuestions.org
Old 02-19-2006, 03:39 AM   #1
Xyrael
LQ Newbie
 
Registered: Sep 2005
Location: Sheffield, UK
Distribution: Debian for servers, Ubuntu for desktops
Posts: 12

Rep: Reputation: 0
Unable to Run sudo due to getresuid() Not Working on CentOS 3.1


Hi,

I'm currently running a CentOS 3.1 VPS and want to give someone else root access without allowing them to change the root password and lock me out, and I want to apply the same property to my standard user account so that I don't have to log on as root so often. The server is running the latest stable version of cPanel. To this end I have placed the following in the sudoers file:
Code:
# Xyrael's SysOp Definitions (2006-02-18)
Cmnd_Alias      SHELLS = /usr/bin/sh,   /usr/bin/csh,           \
                         /usr/bin/ksh,  /usr/local/bin/tcsh,    \
                         /usr/bin/rsh,  /usr/local/bin/zsh

User_Alias      SYSOPS = sean, tom

SYSOPS          ALL    = !/usr/bin/su, !SHELLS
Unfortunately, I then have problems when attempting to test this on one of the users with the authentication:
Code:
root@server [/home/tom]# su tom
tom@piratefiles.com [~]# cd /root
bash: cd: /root: Permission denied
tom@piratefiles.com [~]# sudo cd /root
setresuid(0, 0, 0) failed, your operating system may have a broken setresuid() function
Try running configure with --disable-setresuid
tom@piratefiles.com [~]#
Additionally, here is the sudo version information:
Code:
Sudo version 1.6.7p5

Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Ignore '.' in $PATH
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5 minutes
Password prompt timeout: 5 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/run/sudo
Default password prompt: Password:
Default user to run commands as: root
Path to the editor for use by visudo: /bin/vi
Environment variables to check for sanity:
        LANGUAGE
        LANG
        LC_*
Environment variables to remove:
        BASH_ENV
        ENV
        TERMCAP
        TERMPATH
        TERMINFO_DIRS
        TERMINFO
        _RLD*
        LD_*
        PATH_LOCALE
        NLSPATH
        HOSTALIASES
        RES_OPTIONS
        LOCALDOMAIN
        IFS
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
Local IP address and netmask pairs:
        127.0.0.1 / 0xffffffff
        65.254.53.143 / 0xffffffff
I'm reluctant to start reinstalling sudo to get this feature to work, because I don't want to fry anything important, since this is a production server with several hosted websites. Is there any way to fix this problem, and has it been documented before?

Thanks,
Xyrael
 
Old 02-21-2006, 06:49 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,374
Blog Entries: 54

Rep: Reputation: 2870
Quote:
I'm reluctant to start reinstalling sudo to get this feature to work, because I don't want to fry anything important because this is a production server, with several hosted websites.
You could build a custom RPM package with sudo under a different path with a slightly different binary name (see configure options). If you need help tell me the exact location of the source RPM. I'll check/build for CentOS 3.3 though.


Quote:
Is there any way to fix this problem, and has it been documented before?
If testing a custom RPM isn't your cup of tea you should take it up with the Sudo maintainers.
 
Old 02-22-2006, 11:01 AM   #3
Xyrael
LQ Newbie
 
Registered: Sep 2005
Location: Sheffield, UK
Distribution: Debian for servers, Ubuntu for desktops
Posts: 12

Original Poster
Rep: Reputation: 0
Thanks for the reply.

Changing the name sounds fine as long as the command can be aliased so that it isn't complicated. I don't mind it being built with 3.3 as long as it'll work! I'd be very grateful if you were able to do that for me.

Thank you again.
 
Old 02-22-2006, 11:45 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,374
Blog Entries: 54

Rep: Reputation: 2870
You didn't read my post completely or didn't act on it.
//Hint: three major conditions when pricing realty.
 
Old 02-22-2006, 02:02 PM   #5
Xyrael
LQ Newbie
 
Registered: Sep 2005
Location: Sheffield, UK
Distribution: Debian for servers, Ubuntu for desktops
Posts: 12

Original Poster
Rep: Reputation: 0
Apologies for not reading properly; thanks for being patient.

I'm not sure where the RPM came from, because I think it was installed by default with the OS. It doesn't appear that they have an RPM, and instead offer the source and easy to use build instructions. However, the upgrade instructions are meant for real pros, and I'm not that yet - would you be able to decipher them for me so that I can attempt to do it? Thanks! I think they can be found on this page:
http://sudo.ws/sudo/download.html

I'm very grateful for your help
 
Old 02-23-2006, 07:25 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,374
Blog Entries: 54

Rep: Reputation: 2870
Quote:
I'm not sure where the RPM came from, because I think it was installed by default with the OS.
Which means it's on the CDRs or mirrors. So the only thing you had to do was use a search engine to point me to the location of sudo-1.6.7p5-1.1.src.rpm ...

OK, here's a diff for building sudo. This RPM will have a custom suffix "1.6.7p5.CUSTOM.SETRESUID-0.1", compile sudo with --disable-setresuid, *only* install the sudo binary and install that binary in /opt/sudo/bin, which means you must have it in your global PATH or call it with a full path to test. I hope you have a box to build RPMs on and know how to apply the diff and build the RPM.

Please note that by now this ain't a Linux - Security question anymore, more something like Linux - Software or alike. This thread should be moved there.

Code:
--- sudo.spec	2005-06-21 09:44:12.000000000 +0200
+++ sudo.spec	2006-06-21 09:44:13.000000000 +0200
@@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users.
 Name: sudo
-Version: 1.6.7p5
-Release: 1.1
+Version: 1.6.7p5.CUSTOM.SETRESUID
+Release: 0.1
 License: BSD
 Group: Applications/System
 Source: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz
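Review bot: the custom tag belongs in Release, not Version. With `Version: 1.6.7p5.CUSTOM.SETRESUID` the unchanged `Source: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz` now names a tarball that does not exist upstream, so the build can no longer fetch or verify the pristine source. Keep `Version: 1.6.7p5` and move the marker into the release, e.g. `Release: 0.1.CUSTOM.SETRESUID`, which also keeps the package sorting correctly against the stock 1.6.7p5-1.1.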
@@ -30,7 +30,7 @@
 
 %build
 %configure \
-	--prefix=%{_prefix} \
+	--prefix=/opt/sudo \
 	--sbindir=%{_sbindir} \
 	--with-logging=syslog \
 	--with-logfac=authpriv \
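Review bot: overriding only `--prefix=/opt/sudo` does not relocate the binary, because the `%configure` macro also passes `--bindir=%{_bindir}` (and this hunk still passes `--sbindir=%{_sbindir}`), so sudo is still installed under /usr/bin and has to be moved by hand in %install later in this patch. Passing `--bindir=/opt/sudo/bin` here would make that `mv -f` and the `rm -rf $RPM_BUILD_ROOT/usr` unnecessary and less fragile.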
@@ -38,7 +38,8 @@
 	--with-editor=/bin/vi \
 	--with-env-editor \
 	--with-ignore-dot \
-	--with-tty-tickets
+	--with-tty-tickets \
+	--disable-setresuid
 make
 
 %install
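Review bot: `--disable-setresuid` only switches sudo to its setreuid() fallback; it does not help a kernel (or VPS container) that refuses uid changes in general, which is what the later `setreuid(0, user_uid): Resource temporarily unavailable` report in this thread shows. Before spending the rebuild, it is worth confirming with a small setuid-root test program that setreuid() actually succeeds on the target box.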
@@ -46,32 +47,38 @@
 
 mkdir $RPM_BUILD_ROOT
 %{makeinstall} install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g`
-chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/* 
-install -d -m 700 $RPM_BUILD_ROOT/var/run/sudo
-
-mkdir -p $RPM_BUILD_ROOT/etc/pam.d
-cat > $RPM_BUILD_ROOT/etc/pam.d/sudo << EOF
-#%PAM-1.0
-auth       required	pam_stack.so service=system-auth
-account    required	pam_stack.so service=system-auth
-password   required	pam_stack.so service=system-auth
-session    required	pam_stack.so service=system-auth
-EOF
+rm -rf $RPM_BUILD_ROOT/etc
+mkdir -p $RPM_BUILD_ROOT/opt/sudo/bin
+chmod 755 $RPM_BUILD_ROOT/opt $RPM_BUILD_ROOT/opt/sudo $RPM_BUILD_ROOT/opt/sudo/bin
+mv -f $RPM_BUILD_ROOT/usr/bin/sudo $RPM_BUILD_ROOT/opt/sudo/bin/
+rm -rf $RPM_BUILD_ROOT/usr
+#chmod 755 $RPM_BUILD_ROOT%{_bindir}/* # $RPM_BUILD_ROOT%{_sbindir}/* 
+#install -d -m 700 $RPM_BUILD_ROOT/var/run/sudo
+
+
+#mkdir -p $RPM_BUILD_ROOT/etc/pam.d
+#cat > $RPM_BUILD_ROOT/etc/pam.d/sudo << EOF
+##%PAM-1.0
+#auth       required	pam_stack.so service=system-auth
+#account    required	pam_stack.so service=system-auth
+#password   required	pam_stack.so service=system-auth
+#session    required	pam_stack.so service=system-auth
+#EOF
 
 %clean 
 rm -rf $RPM_BUILD_ROOT
 
 %files
 %defattr(-,root,root)
-%doc BUGS CHANGES HISTORY LICENSE README RUNSON TODO TROUBLESHOOTING UPGRADE *.pod
-%attr(0440,root,root) %config(noreplace) /etc/sudoers
-%config(noreplace) /etc/pam.d/sudo
-%dir /var/run/sudo
-%attr(4111,root,root) %{_bindir}/sudo
-%attr(0755,root,root) %{_sbindir}/visudo
-%{_mandir}/man5/sudoers.5*
-%{_mandir}/man8/sudo.8*
-%{_mandir}/man8/visudo.8*
+#%doc BUGS CHANGES HISTORY LICENSE README RUNSON TODO TROUBLESHOOTING UPGRADE *.pod
+#%attr(0440,root,root) %config(noreplace) /etc/sudoers
+#%config(noreplace) /etc/pam.d/sudo
+#%dir /var/run/sudo
+%attr(4111,root,root) /opt/sudo/bin/sudo
+#%attr(0755,root,root) %{_sbindir}/visudo
+#%{_mandir}/man5/sudoers.5*
+#%{_mandir}/man8/sudo.8*
+#%{_mandir}/man8/visudo.8*
 
 # Make sure permissions are ok even if we're updating
 %post
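Review bot: `rm -rf $RPM_BUILD_ROOT/etc` together with the commented-out `%config(noreplace) /etc/sudoers`, `%config(noreplace) /etc/pam.d/sudo` and `%dir /var/run/sudo` entries leaves this package silently depending on the stock sudo RPM for its policy file, PAM service and timestamp directory (the binary still uses /var/run/sudo, per the `sudo -V` output earlier in the thread), yet no `Requires: sudo` is declared. Either add that dependency or keep those %files entries so the package stands alone; the leftover `# $RPM_BUILD_ROOT%{_sbindir}/*` fragment in the commented chmod line can go.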
Alternatively you may temporarily download a tarball containing
redhat/SPECS/sudo.diff
redhat/SPECS/sudo.spec
redhat/RPMS/i686/sudo-1.6.7p5.CUSTOM.SETRESUID-0.1.i686.rpm

here (use "save as" just to be sure).
I'd appreciate it if you let me know (here, or by email, whatever is faster) ASAP once you've got it.
 
Old 02-23-2006, 01:20 PM   #7
Xyrael
LQ Newbie
 
Registered: Sep 2005
Location: Sheffield, UK
Distribution: Debian for servers, Ubuntu for desktops
Posts: 12

Original Poster
Rep: Reputation: 0
Unfortunately, this doesn't appear to work. I successfully installed the rpm you suggested, and the file was installed fine. Then I tried to run it, and got this:
Code:
root@server [/opt/sudo/bin]# su sean
sean@silentflame.com [/opt/sudo/bin]# ./sudo ls /root
Sorry, ./sudo must be setuid root.
sean@silentflame.com [/opt/sudo/bin]# ./sudo -u root ls /root
Sorry, ./sudo must be setuid root.
sean@silentflame.com [/opt/sudo/bin]# ./sudo --help
Sorry, ./sudo must be setuid root.
Thanks very much for all your help so far.
 
Old 02-23-2006, 02:46 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,374
Blog Entries: 54

Rep: Reputation: 2870
Quote:
Sorry, ./sudo must be setuid root.
Make sure it's root-owned:
chown root.root /opt/sudo/bin/sudo
then make it setuid-root:
chmod 4755 /opt/sudo/bin/sudo

//Moderator.note: I'll move this thread to Linux - General: this isn't a security issue AFAIK.
 
Old 02-23-2006, 03:05 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,374
Blog Entries: 54

Rep: Reputation: 2870
me, not evil being...

* For anyone reading this who didn't have doubts about the practice of installing custom RPMs w/o checksum, w/o .src.rpm: trivialities like "reputation" should not be mistaken as a basis for reassurance. Always ask for the Source, Luke!
 
Old 02-25-2006, 09:13 AM   #10
Xyrael
LQ Newbie
 
Registered: Sep 2005
Location: Sheffield, UK
Distribution: Debian for servers, Ubuntu for desktops
Posts: 12

Original Poster
Rep: Reputation: 0
Code:
sean@silentflame.com [~/www/portal]# /opt/sudo/bin/sudo cd /root
setreuid(0, user_uid): Resource temporarily unavailable
Waddaya think? Thanks.
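Added example (mine, not sudo's configure script and not anything posted in this thread): a small probe that tries the two uid-switching calls sudo relies on, the `setresuid(0, 0, 0) failed` of post #1 and the `setreuid(0, user_uid): Resource temporarily unavailable` of post #10, and maps the errno to a likely cause. Run it as root to test uid 0; unprivileged it can only show the EPERM case, and the diagnosis strings are my own wording.

```python
"""Probe whether setresuid() and setreuid() to a target uid succeed and map
the errno to a diagnosis. Added example for this thread, not sudo's own
configure test, though it exercises the same two calls. Linux only."""
import errno
import os

# Diagnosis texts are my own wording; EAGAIN is the errno behind the
# 'Resource temporarily unavailable' message seen from the VPS in post #10.
DIAGNOSIS = {
    "ok": "uid change works",
    "EPERM": "caller is not privileged: the sudo binary must be root-owned "
             "with the setuid bit set (mode 4111 or 4755)",
    "EAGAIN": "kernel refused the change: the target uid is at its process "
              "limit (RLIMIT_NPROC or a container/VPS per-user limit)",
    "ENOSYS": "setresuid() not provided by this kernel; a sudo built with "
              "--disable-setresuid uses setreuid() instead",
}

def try_uid_calls(target_uid):
    """Try both calls in a forked child (a uid change cannot be undone) and
    return {'setresuid': 'ok' or errno name, 'setreuid': same}."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:                                           # child
        os.close(rfd)
        calls = (("setresuid", lambda: os.setresuid(target_uid, target_uid, target_uid)),
                 ("setreuid", lambda: os.setreuid(target_uid, target_uid)))
        report = []
        for name, call in calls:
            try:
                call()
                report.append(f"{name}=ok")
            except OSError as exc:
                report.append(f"{name}={errno.errorcode.get(exc.errno, exc.errno)}")
        os.write(wfd, " ".join(report).encode())
        os._exit(0)
    os.close(wfd)                                          # parent
    data = os.read(rfd, 4096)
    os.close(rfd)
    os.waitpid(pid, 0)
    return dict(item.split("=") for item in data.decode().split())

def probe_uid_change(target_uid):
    """Return (results, diagnosis). sudo prefers setresuid(); setreuid() is
    the fallback a --disable-setresuid build relies on."""
    results = try_uid_calls(target_uid)
    code = results["setresuid"]
    if code != "ok" and results["setreuid"] == "ok":
        return results, (f"setresuid() failed with {code} but setreuid() works: "
                         "a --disable-setresuid rebuild would help here")
    return results, DIAGNOSIS.get(code, f"unexpected errno {code}")

def probe_self():
    """Switching to the uid you already hold must succeed even unprivileged."""
    return probe_uid_change(os.getuid())
```

`probe_uid_change(0)` run from a setuid-root copy on the VPS would have separated "sudo not setuid" (post #7) from "kernel refuses the switch" (post #10) before any rebuild.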
 
Old 02-25-2006, 10:23 AM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,374
Blog Entries: 54

Rep: Reputation: 2870
Quote:
Waddaya think?
Might be something VPS catches. Please take it up with the Sudo maintainers.
If they have any fix, workaround or whatever else I'd appreciate a reply from you here.
Sorry we couldn't be of more help.

Last edited by unSpawn; 02-25-2006 at 11:06 AM. Reason: --repeat=off
 
Old 02-25-2006, 10:33 AM   #12
Xyrael
LQ Newbie
 
Registered: Sep 2005
Location: Sheffield, UK
Distribution: Debian for servers, Ubuntu for desktops
Posts: 12

Original Poster
Rep: Reputation: 0
Don't worry, you've already given more than I expected and I will certainly visit this site again, perhaps as a helper rather than a helped next time.

I'll drop the sudo team a line.

Thanks, Xy
 
Old 03-30-2006, 11:00 AM   #13
Xyrael
LQ Newbie
 
Registered: Sep 2005
Location: Sheffield, UK
Distribution: Debian for servers, Ubuntu for desktops
Posts: 12

Original Poster
Rep: Reputation: 0
I'd like to reopen this topic.

For other reasons unrelated to this, I have moved to another VPS provider. Sudo appears to work.

Unfortunately, my sudo config file as shown above does not - here is what I get:
Code:
root@server [~/newt]# su sean
bash: /home/sean/.dns: Permission denied
sean@silentflame.com [/root/newt]# sudo
usage: sudo -V | -h | -L | -l | -v | -k | -K | [-H] [-P] [-S] [-b] [-p prompt]
            [-u username/#uid] -s | <command>
sean@silentflame.com [/root/newt]# sudo cat ls /root

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these two things:

        #1) Respect the privacy of others.
        #2) Think before you type.

Password:
Sorry, try again.
Password:
Sorry, user sean is not allowed to execute '/bin/cat ls /root' as root on server.silentflame.com.
sean@silentflame.com [/root/newt]# sudo cat ls /root
Sorry, user sean is not allowed to execute '/bin/cat ls /root' as root on server.silentflame.com.
sean@silentflame.com [/root/newt]# sudo
usage: sudo -V | -h | -L | -l | -v | -k | -K | [-H] [-P] [-S] [-b] [-p prompt]
            [-u username/#uid] -s | <command>
sean@silentflame.com [/root/newt]#
I'd be grateful if you could offer some advice on the situation. Thanks.
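Added example (mine, not from the thread or from sudo): a toy model of sudoers command matching that shows why the rule from post #1 produces the "not allowed to execute" result in post #13. A Cmnd_Spec list made only of `!` entries never grants anything, so `SYSOPS ALL = !/usr/bin/su, !SHELLS` denies every command, while `ALL, !/usr/bin/su, !SHELLS` grants everything except the listed commands. The sample rules are constructed from post #1 and the parser handles only this simplified grammar.

```python
"""Toy model of sudoers command matching for the rule shape in this thread.
Added example, not from the thread or from sudo: it ignores hosts, runas
lists, tags and wildcards, which the real sudoers(5) grammar supports."""
import re

def split_list(body):
    return [item.strip() for item in body.split(",") if item.strip()]

def parse_sudoers(text):
    """Return (user_aliases, cmnd_aliases, rules); backslash-continued lines
    are joined and '#' comments dropped first, as visudo does."""
    users, cmnds, rules = {}, {}, []
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.split("#", 1)[0].strip()
        alias = re.match(r"(User_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.+)", line)
        if alias:
            kind, name, body = alias.groups()
            (users if kind == "User_Alias" else cmnds)[name] = split_list(body)
            continue
        rule = re.match(r"(\S+)\s+(\S+)\s*=\s*(.+)", line)
        if rule:
            who, host, spec = rule.groups()
            rules.append((who, host, split_list(spec)))
    return users, cmnds, rules

def expand(spec, cmnds):
    """Replace Cmnd_Alias names by their members, keeping any '!' prefix."""
    out = []
    for item in spec:
        neg, name = item.startswith("!"), item.lstrip("!")
        out.extend(("!" if neg else "") + m for m in cmnds.get(name, [name]))
    return out

def allowed(sudoers_text, user, command):
    """sudo's decision rule: entries are scanned in order, the last matching
    Cmnd_Spec wins, and a command that matches no entry is denied."""
    users, cmnds, rules = parse_sudoers(sudoers_text)
    verdict = None
    for who, _host, spec in rules:
        if who != "ALL" and user not in users.get(who, [who]):
            continue
        for item in expand(spec, cmnds):
            neg, path = item.startswith("!"), item.lstrip("!")
            if path in ("ALL", command):
                verdict = not neg
    return bool(verdict)

# Constructed inputs: the rule from post #1, and the form that grants ALL first.
POSTED = """\
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, \\
                    /usr/bin/ksh, /usr/local/bin/tcsh
User_Alias SYSOPS = sean, tom
SYSOPS ALL = !/usr/bin/su, !SHELLS   # only negations: grants nothing
"""
CORRECTED = POSTED.replace("ALL = !", "ALL = ALL, !")
```

Two caveats the model makes visible: `sudo cd /root` from post #1 can never work because `cd` is a shell builtin rather than a program sudo can execute, and sudoers(5) itself warns that `ALL` minus a negated list only prevents accidents, since a user granted ALL can run the excluded programs under another name.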
 
Old 03-30-2006, 02:05 PM   #14
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,374
Blog Entries: 54

Rep: Reputation: 2870
Quote:
I'd like to reopen this topic.
On LQ it's kinda customary to open a new thread for a new topic. Keeps the place clean y'know.


Quote:
Sorry, user sean is not allowed to execute '/bin/cat ls /root' as root on server.silentflame.com
...and syslog says?
 
Old 02-06-2008, 08:29 PM   #15
Rollo69
Member
 
Registered: Sep 2005
Location: Charlotte, NC
Distribution: Slack 12.0
Posts: 190

Rep: Reputation: 30
Quote:
unSpawn
Sorry, ./sudo must be setuid root.
Make sure it's root-owned:
chown root.root /opt/sudo/bin/sudo
then make it setuid-root:
chmod 4755 /opt/sudo/bin/sudo
I just wanted to say thanks for this very useful info even though sudo is in different directory (of course). It allowed me to start using sudo for user in Slackware. Thank you!!

Last edited by Rollo69; 02-06-2008 at 08:30 PM.
 
  

