Unable to Run sudo due to getresuid() Not Working on CentOS 3.1
Distribution: Debian for servers, Ubuntu for desktops
Posts: 12
Hi,
I'm currently running a CentOS 3.1 VPS and want to give someone else root access without allowing them to change the root password and lock me out, and I want to apply the same property to my standard user account so that I don't have to log on as root so often. The server is running the latest stable version of cPanel. To this end I have placed the following in the sudoers file:
Unfortunately, I then have problems when attempting to test this on one of the users with the authentication:
Code:
root@server [/home/tom]# su tom
tom@piratefiles.com [~]# cd /root
bash: cd: /root: Permission denied
tom@piratefiles.com [~]# sudo cd /root
setresuid(0, 0, 0) failed, your operating system may have a broken setresuid() function
Try running configure with --disable-setresuid
tom@piratefiles.com [~]#
Additionally, here is the sudo version information:
Code:
Sudo version 1.6.7p5
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Ignore '.' in $PATH
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5 minutes
Password prompt timeout: 5 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/run/sudo
Default password prompt: Password:
Default user to run commands as: root
Path to the editor for use by visudo: /bin/vi
Environment variables to check for sanity:
LANGUAGE
LANG
LC_*
Environment variables to remove:
BASH_ENV
ENV
TERMCAP
TERMPATH
TERMINFO_DIRS
TERMINFO
_RLD*
LD_*
PATH_LOCALE
NLSPATH
HOSTALIASES
RES_OPTIONS
LOCALDOMAIN
IFS
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
Local IP address and netmask pairs:
127.0.0.1 / 0xffffffff
65.254.53.143 / 0xffffffff
I'm reluctant to start reinstalling sudo to get this feature to work, because I don't want to fry anything important because this is a production server, with several hosted websites. Is there any way to fix this problem, and has it been documented before?
I'm reluctant to start reinstalling sudo to get this feature to work, because I don't want to fry anything important because this is a production server, with several hosted websites.
You could build a custom RPM package with sudo under a different path with a slightly different binary name (see configure options). If you need help tell me the exact location of the source RPM. I'll check/build for CentOS 3.3 though.
Is there any way to fix this problem, and has it been documented before?
If testing a custom RPM isn't your cup of tea you should take it up with the Sudo maintainers.
Distribution: Debian for servers, Ubuntu for desktops
Posts: 12
Original Poster
Thanks for the reply.
Changing the name sounds fine as long as the command can be aliased so that it isn't complicated. I don't mind it being built with 3.3 as long as it'll work! I'd be very grateful if you were able to do that for me.
Distribution: Debian for servers, Ubuntu for desktops
Posts: 12
Original Poster
Apologies for not reading properly; thanks for being patient.
I'm not sure where the RPM came from, because I think it was installed by default with the OS. It doesn't appear that they have an RPM, and instead offer the source and easy to use build instructions. However, the upgrade instructions are meant for real pros, and I'm not that yet - would you be able to decipher them for me so that I can attempt to do it? Thanks! I think they can be found on this page: http://sudo.ws/sudo/download.html
I'm not sure where the RPM came from, because I think it was installed by default with the OS.
Which means it's on the CDRs or mirrors. So the only thing you had to do was use a search engine to point me to the location of sudo-1.6.7p5-1.1.src.rpm ...
OK. Here's a diff for building sudo. This RPM will have a custom suffix "1.6.7p5.CUSTOM.SETRESUID-0.1", compile sudo with --disable-setresuid, *only* install the sudo binary and install that binary in /opt/sudo/bin which means you must have it in your global PATH or call with a full path to test. I hope you have a box to build RPMs on and know how to apply the diff and build the RPM.
Please note that by now this ain't a Linux - Security question anymore, more something like Linux - Software or alike. This thread should be moved there.
Alternatively you may temporarily download a tarball containing redhat/SPECS/sudo.diff, redhat/SPECS/sudo.spec and redhat/RPMS/i686/sudo-1.6.7p5.CUSTOM.SETRESUID-0.1.i686.rpm here (use "save as" just to be sure).
I'd appreciate it if you let me know (here, or by email whatever is faster) ASAP you got.
Distribution: Debian for servers, Ubuntu for desktops
Posts: 12
Original Poster
Unfortunately, this doesn't appear to work. I installed the rpm successfully that you suggested, and the file was installed well. Then I tried to run it, and got this:
Code:
root@server [/opt/sudo/bin]# su sean
sean@silentflame.com [/opt/sudo/bin]# ./sudo ls /root
Sorry, ./sudo must be setuid root.
sean@silentflame.com [/opt/sudo/bin]# ./sudo -u root ls /root
Sorry, ./sudo must be setuid root.
sean@silentflame.com [/opt/sudo/bin]# ./sudo --help
Sorry, ./sudo must be setuid root.
Sorry, ./sudo must be setuid root.
Make sure it's root-owned:
chown root.root /opt/sudo/bin/sudo
then make it setuid-root:
chmod 4755 /opt/sudo/bin/sudo
//Moderator.note: I'll move this thread to Linux - General: this isn't a security issue AFAIK.
* For anyone reading this who didn't have doubts about the practice of installing custom RPM's w/o checksum, w/o .src.rpm: trivialities like "reputation" should not be mistaken as a basis for reassurance. Always ask for the Source, Luke!
Waddaya think?
Might be something VPS catches. Please take it up with the Sudo maintainers.
If they have any fix, workaround or whatever else I'd appreciate a reply from you here.
Sorry we couldn't be of more help.
Last edited by unSpawn; 02-25-2006 at 11:06 AM.
Reason: --repeat=off
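A check for the two preconditions the reply above names (root ownership and the setuid bit), as an added example that is not part of the original thread. The function name `check_setuid_root` is hypothetical, and the group/other-writable test goes one step beyond what the post lists.

```shell
#!/bin/sh
# Added example (not from the thread): audit the preconditions behind
# "Sorry, ./sudo must be setuid root." Function name is hypothetical.
# Prints one line per finding; returns 0 only when the path is a regular
# file, owned by uid 0, setuid with owner-execute, and not writable by
# group or other.
check_setuid_root() {
    f=$1
    rc=0
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "FAIL $f: missing, a symlink, or not a regular file"
        return 2
    fi
    # ls -ldn: field 1 is the mode string, field 3 the numeric owner.
    set -- $(ls -ldn -- "$f")
    mode=$1
    uid=$3
    if [ "$uid" != 0 ]; then
        echo "FAIL $f: not owned by uid 0 (owner uid $uid)"
        rc=1
    fi
    case $mode in
        ???s*) ;;  # setuid and owner-execute both set
        ???S*) echo "FAIL $f: setuid set but owner execute bit missing"; rc=1 ;;
        *)     echo "FAIL $f: setuid bit is not set (mode $mode)"; rc=1 ;;
    esac
    case $mode in
        ?????w*|????????w*)
            echo "FAIL $f: writable by group or other (mode $mode)"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK   $f: root-owned, setuid, mode $mode"
    return "$rc"
}

# Usage: sh check.sh /opt/sudo/bin/sudo
[ $# -eq 0 ] || check_setuid_root "$1"
```

Run it against the custom binary before and after the `chown`/`chmod` step; a non-zero exit status means at least one precondition is still unmet.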
Distribution: Debian for servers, Ubuntu for desktops
Posts: 12
Original Poster
I'd like to reopen this topic.
For other reasons unrelated to this, I have moved to another vps provider. Sudo appears to work.
Unfortunately, my sudo config file as shown above does not - here is what I get:
Code:
root@server [~/newt]# su sean
bash: /home/sean/.dns: Permission denied
sean@silentflame.com [/root/newt]# sudo
usage: sudo -V | -h | -L | -l | -v | -k | -K | [-H] [-P] [-S] [-b] [-p prompt]
[-u username/#uid] -s | <command>
sean@silentflame.com [/root/newt]# sudo cat ls /root
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these two things:
#1) Respect the privacy of others.
#2) Think before you type.
Password:
Sorry, try again.
Password:
Sorry, user sean is not allowed to execute '/bin/cat ls /root' as root on server.silentflame.com.
sean@silentflame.com [/root/newt]# sudo cat ls /root
Sorry, user sean is not allowed to execute '/bin/cat ls /root' as root on server.silentflame.com.
sean@silentflame.com [/root/newt]# sudo
usage: sudo -V | -h | -L | -l | -v | -k | -K | [-H] [-P] [-S] [-b] [-p prompt]
[-u username/#uid] -s | <command>
sean@silentflame.com [/root/newt]#
I'd be grateful if you could offer some advice on the situation. Thanks.
unSpawn
Sorry, ./sudo must be setuid root.
Make sure it's root-owned:
chown root.root /opt/sudo/bin/sudo
then make it setuid-root:
chmod 4755 /opt/sudo/bin/sudo
I just wanted to say thanks for this very useful info even though sudo is in a different directory (of course). It allowed me to start using sudo for a user in Slackware. Thank you!!