LinuxQuestions.org


Xyrael 02-19-2006 03:39 AM

Unable to Run sudo due to getresuid() Not Working on CentOS 3.1
 
Hi,

I'm currently running a CentOS 3.1 VPS and want to give someone else root access without allowing them to change the root password and lock me out, and I want to apply the same property to my standard user account so that I don't have to log on as root so often. The server is running the latest stable version of cPanel. To this end I have placed the following in the sudoers file:
Code:

# Xyrael's SysOp Definitions (2006-02-18)
Cmnd_Alias      SHELLS = /usr/bin/sh,  /usr/bin/csh,          \
                        /usr/bin/ksh,  /usr/local/bin/tcsh,    \
                        /usr/bin/rsh,  /usr/local/bin/zsh

User_Alias      SYSOPS = sean, tom

SYSOPS          ALL    = !/usr/bin/su, !SHELLS

Unfortunately, I then have problems when attempting to test this on one of the users with the authentication:
Code:

root@server [/home/tom]# su tom
tom@piratefiles.com [~]# cd /root
bash: cd: /root: Permission denied
tom@piratefiles.com [~]# sudo cd /root
setresuid(0, 0, 0) failed, your operating system may have a broken setresuid() function
Try running configure with --disable-setresuid
tom@piratefiles.com [~]#

Additionally, here is the sudo version information:
Code:

Sudo version 1.6.7p5

Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Ignore '.' in $PATH
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5 minutes
Password prompt timeout: 5 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/run/sudo
Default password prompt: Password:
Default user to run commands as: root
Path to the editor for use by visudo: /bin/vi
Environment variables to check for sanity:
        LANGUAGE
        LANG
        LC_*
Environment variables to remove:
        BASH_ENV
        ENV
        TERMCAP
        TERMPATH
        TERMINFO_DIRS
        TERMINFO
        _RLD*
        LD_*
        PATH_LOCALE
        NLSPATH
        HOSTALIASES
        RES_OPTIONS
        LOCALDOMAIN
        IFS
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
Local IP address and netmask pairs:
        127.0.0.1 / 0xffffffff
        65.254.53.143 / 0xffffffff

I'm reluctant to start reinstalling sudo to get this feature to work, because I don't want to fry anything important because this is a production server, with several hosted websites. Is there any way to fix this problem, and has it been documented before?

Thanks,
Xyrael :)

unSpawn 02-21-2006 06:49 AM

Quote:

Xyrael
I'm reluctant to start reinstalling sudo to get this feature to work, because I don't want to fry anything important because this is a production server, with several hosted websites.
You could build a custom RPM package with sudo under a different path with a slightly different binary name (see configure options). If you need help tell me the exact location of the source RPM. I'll check/build for CentOS 3.3 though.


Quote:

Xyrael
Is there any way to fix this problem, and has it been documented before?
If testing a custom RPM isn't your cup of tea you should take it up with the Sudo maintainers.

Xyrael 02-22-2006 11:01 AM

Thanks for the reply.

Changing the name sounds fine as long as the command can be aliased so that it isn't complicated. I don't mind it being built with 3.3 as long as it'll work! I'd be very grateful if you were able to do that for me.

Thank you again.

unSpawn 02-22-2006 11:45 AM

You didn't read my post completely or didn't act on it.
//Hint: three major conditions when pricing realty.

Xyrael 02-22-2006 02:02 PM

Apologies for not reading properly; thanks for being patient.

I'm not sure where the RPM came from, because I think it was installed by default with the OS. It doesn't appear that they have an RPM, and instead offer the source and easy-to-use build instructions. However, the upgrade instructions are meant for real pros, and I'm not that yet - would you be able to decipher them for me so that I can attempt to do it? Thanks! I think they can be found on this page:
http://sudo.ws/sudo/download.html

I'm very grateful for your help :)

unSpawn 02-23-2006 07:25 AM

Quote:

Xyrael
I'm not sure where the RPM came from, because I think it was installed by default with the OS.
Which means it's on the CDRs or mirrors. So the only thing you had to do was use a search engine to point me to the location of sudo-1.6.7p5-1.1.src.rpm ...

OK, here's the diff for building sudo. This RPM will have a custom suffix "1.6.7p5.CUSTOM.SETRESUID-0.1", compile sudo with --disable-setresuid, *only* install the sudo binary and install that binary in /opt/sudo/bin, which means you must have it in your global PATH or call it with a full path to test. I hope you have a box to build RPMs on and know how to apply the diff and build the RPM.

Please note that by now this ain't a Linux - Security question anymore, more something like Linux - Software or alike. This thread should be moved there.

Code:

--- sudo.spec        2005-06-21 09:44:12.000000000 +0200
+++ sudo.spec        2006-06-21 09:44:13.000000000 +0200
@@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users.
 Name: sudo
-Version: 1.6.7p5
-Release: 1.1
+Version: 1.6.7p5.CUSTOM.SETRESUID
+Release: 0.1
 License: BSD
 Group: Applications/System
 Source: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz
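Review bot: keeping `Name: sudo` and only changing `Version`/`Release` makes rpm treat this as a newer build of the stock sudo package rather than a separate one, so an `rpm -U` on the production box would remove the stock package's files that this spec no longer lists (`/usr/sbin/visudo`, `/etc/pam.d/sudo`, `/var/run/sudo`; a modified `/etc/sudoers` would normally be kept as `.rpmsave`). Since the earlier reply proposed installing alongside the stock binary, give the package its own name (for example `Name: sudo-setresuid`) and keep `Version: 1.6.7p5`, or at least document that it must be installed with `rpm -i`, never `-U`.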
@@ -30,7 +30,7 @@
 
 %build
 %configure \
-        --prefix=%{_prefix} \
+        --prefix=/opt/sudo \
        --sbindir=%{_sbindir} \
        --with-logging=syslog \
        --with-logfac=authpriv \
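Review bot: `--prefix=/opt/sudo` does not move the installed binary, because `%{makeinstall}` in `%install` passes `prefix`, `bindir` and `sbindir` on the make command line (which is why the `%install` hunk below still has to `mv` sudo out of `$RPM_BUILD_ROOT/usr/bin`), and `--sbindir=%{_sbindir}` is left pointing at `/usr/sbin` anyway. Either drop this line as a no-op or pass the same `/opt/sudo` paths to the install step so configure and install agree.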
@@ -38,7 +38,8 @@
        --with-editor=/bin/vi \
        --with-env-editor \
        --with-ignore-dot \
-        --with-tty-tickets
+        --with-tty-tickets \
+        --disable-setresuid
 make
 
 %install
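Review bot: `--disable-setresuid` is the whole point of this rebuild, but nothing in the spec records why; add a `%changelog` entry (the section is not in this diff) stating that the VPS kernel fails `setresuid(0, 0, 0)` and that sudo therefore falls back to `setreuid()`, so the flag is not silently dropped on the next rebase of the spec.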
@@ -46,32 +47,38 @@
 
 mkdir $RPM_BUILD_ROOT
 %{makeinstall} install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g`
-chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/*
-install -d -m 700 $RPM_BUILD_ROOT/var/run/sudo
-
-mkdir -p $RPM_BUILD_ROOT/etc/pam.d
-cat > $RPM_BUILD_ROOT/etc/pam.d/sudo << EOF
-#%PAM-1.0
-auth      required        pam_stack.so service=system-auth
-account    required        pam_stack.so service=system-auth
-password  required        pam_stack.so service=system-auth
-session    required        pam_stack.so service=system-auth
-EOF
+rm -rf $RPM_BUILD_ROOT/etc
+mkdir -p $RPM_BUILD_ROOT/opt/sudo/bin
+chmod 755 $RPM_BUILD_ROOT/opt $RPM_BUILD_ROOT/opt/sudo $RPM_BUILD_ROOT/opt/sudo/bin
+mv -f $RPM_BUILD_ROOT/usr/bin/sudo $RPM_BUILD_ROOT/opt/sudo/bin/
+rm -rf $RPM_BUILD_ROOT/usr
+#chmod 755 $RPM_BUILD_ROOT%{_bindir}/* # $RPM_BUILD_ROOT%{_sbindir}/*
+#install -d -m 700 $RPM_BUILD_ROOT/var/run/sudo
+
+
+#mkdir -p $RPM_BUILD_ROOT/etc/pam.d
+#cat > $RPM_BUILD_ROOT/etc/pam.d/sudo << EOF
+##%PAM-1.0
+#auth      required        pam_stack.so service=system-auth
+#account    required        pam_stack.so service=system-auth
+#password  required        pam_stack.so service=system-auth
+#session    required        pam_stack.so service=system-auth
+#EOF
 
 %clean
 rm -rf $RPM_BUILD_ROOT
 
 %files
 %defattr(-,root,root)
-%doc BUGS CHANGES HISTORY LICENSE README RUNSON TODO TROUBLESHOOTING UPGRADE *.pod
-%attr(0440,root,root) %config(noreplace) /etc/sudoers
-%config(noreplace) /etc/pam.d/sudo
-%dir /var/run/sudo
-%attr(4111,root,root) %{_bindir}/sudo
-%attr(0755,root,root) %{_sbindir}/visudo
-%{_mandir}/man5/sudoers.5*
-%{_mandir}/man8/sudo.8*
-%{_mandir}/man8/visudo.8*
+#%doc BUGS CHANGES HISTORY LICENSE README RUNSON TODO TROUBLESHOOTING UPGRADE *.pod
+#%attr(0440,root,root) %config(noreplace) /etc/sudoers
+#%config(noreplace) /etc/pam.d/sudo
+#%dir /var/run/sudo
+%attr(4111,root,root) /opt/sudo/bin/sudo
+#%attr(0755,root,root) %{_sbindir}/visudo
+#%{_mandir}/man5/sudoers.5*
+#%{_mandir}/man8/sudo.8*
+#%{_mandir}/man8/visudo.8*
 
 # Make sure permissions are ok even if we're updating
 %post
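Review bot: removing `/etc/pam.d/sudo`, `/etc/sudoers` and `%dir /var/run/sudo` from `%files` while the binary is still built with PAM, `--with-tty-tickets` and the default sudoers path means the relocated `/opt/sudo/bin/sudo` silently depends on the stock sudo package staying installed for its PAM service, policy file and timestamp directory; add `Requires: sudo` (or keep the `%config(noreplace)` entries) so rpm enforces that. Also check that the `%post` section following this hunk ("Make sure permissions are ok even if we're updating") refers to `/opt/sudo/bin/sudo` rather than `%{_bindir}/sudo`, since the `%attr(4111,root,root)` entry is now the only thing setting the setuid bit.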

Alternatively you may temporarily download a tarball containing
redhat/SPECS/sudo.diff
redhat/SPECS/sudo.spec
redhat/RPMS/i686/sudo-1.6.7p5.CUSTOM.SETRESUID-0.1.i686.rpm

here (use "save as" just to be sure).
I'd appreciate it if you let me know (here, or by email, whatever is faster) ASAP once you've got it.

Xyrael 02-23-2006 01:20 PM

Unfortunately, this doesn't appear to work. I installed the RPM you suggested successfully, and the file was installed well. Then I tried to run it, and got this:
Code:

root@server [/opt/sudo/bin]# su sean
sean@silentflame.com [/opt/sudo/bin]# ./sudo ls /root
Sorry, ./sudo must be setuid root.
sean@silentflame.com [/opt/sudo/bin]# ./sudo -u root ls /root
Sorry, ./sudo must be setuid root.
sean@silentflame.com [/opt/sudo/bin]# ./sudo --help
Sorry, ./sudo must be setuid root.

Thanks very much for all your help so far.

unSpawn 02-23-2006 02:46 PM

Quote:

Xyrael
Sorry, ./sudo must be setuid root.
Make sure it's root-owned:
chown root.root /opt/sudo/bin/sudo
then make it setuid-root:
chmod 4755 /opt/sudo/bin/sudo

//Moderator.note: I'll move this thread to Linux - General: this isn't a security issue AFAIK.

unSpawn 02-23-2006 03:05 PM

me, not evil being...
 
* For anyone reading this who didn't have doubts about the practice of installing custom RPMs w/o checksum, w/o .src.rpm: trivialities like "reputation" should not be mistaken as a basis for reassurance. Always ask for the Source, Luke!

Xyrael 02-25-2006 09:13 AM

Code:

sean@silentflame.com [~/www/portal]# /opt/sudo/bin/sudo cd /root
setreuid(0, user_uid): Resource temporarily unavailable

:cry: Waddaya think? Thanks.
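To tell a kernel or VPS restriction apart from a bad sudo build, here is an added diagnostic (not from the thread and not sudo's own code) that repeats the uid switch sudo makes, with both the setresuid() path of the stock build and the setreuid() fallback of the --disable-setresuid build, and reports the errno. The names probe_uid_switch, explain and self_check are chosen here; the RLIMIT_NPROC reading is a triage hint, and the container process-limit explanation for EAGAIN is an assumption.

```python
import errno
import os
import resource

def probe_uid_switch(uid, use_setresuid=True):
    """Make the uid switch sudo makes and return errno (0 on success).

    sudo 1.6.7p5 calls setresuid(uid, uid, uid) by default; a build with
    --disable-setresuid falls back to setreuid(uid, uid). The same fallback
    is used here when the platform's libc lacks setresuid().
    """
    try:
        if use_setresuid and hasattr(os, "setresuid"):
            os.setresuid(uid, uid, uid)
        else:
            os.setreuid(uid, uid)
        return 0
    except OSError as exc:
        return exc.errno

def explain(err):
    """Map the errno from the switch to its likely cause (triage hints only)."""
    if err == 0:
        return "ok"
    if err == errno.ENOSYS:
        return "kernel/libc has no working setresuid(): build sudo with --disable-setresuid"
    if err == errno.EPERM:
        return "no privilege to switch: not root, or the binary is not setuid root"
    if err == errno.EAGAIN:
        soft, _hard = resource.getrlimit(resource.RLIMIT_NPROC)
        return ("switch refused by a resource limit (RLIMIT_NPROC soft=%s); on a VPS "
                "a container-wide process limit is the usual suspect (assumption)" % soft)
    return "errno %d (%s)" % (err, os.strerror(err))

def self_check(use_setresuid=True):
    """Switch to our own uid, which is always permitted: 0 means the syscall itself works."""
    return probe_uid_switch(os.getuid(), use_setresuid)

if __name__ == "__main__":
    me = os.getuid()
    for label, flag in (("setresuid", True), ("setreuid ", False)):
        print("%s -> uid %d: %s" % (label, me, explain(probe_uid_switch(me, flag))))
        print("%s -> root  : %s" % (label, explain(probe_uid_switch(0, flag))))
```

Run it once as the unprivileged user and once as root on the VPS: if even the root run fails under setreuid() as well, the problem sits in the kernel or container limits, not in the package.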

unSpawn 02-25-2006 10:23 AM

Quote:

Xyrael
Waddaya think?
Might be something VPS catches. Please take it up with the Sudo maintainers.
If they have any fix, workaround or whatever else I'd appreciate a reply from you here.
Sorry we couldn't be of more help.

Xyrael 02-25-2006 10:33 AM

Don't worry, you've already given more than I expected and I will certainly visit this site again, perhaps as a helper rather than a helped next time.

I'll drop the sudo team a line.

Thanks, Xy

Xyrael 03-30-2006 11:00 AM

I'd like to reopen this topic.

For other reasons unrelated to this, I have moved to another vps provider. Sudo appears to work.

Unfortunately, my sudo config file as shown above does not - here is what I get:
Code:

root@server [~/newt]# su sean
bash: /home/sean/.dns: Permission denied
sean@silentflame.com [/root/newt]# sudo
usage: sudo -V | -h | -L | -l | -v | -k | -K | [-H] [-P] [-S] [-b] [-p prompt]
            [-u username/#uid] -s | <command>
sean@silentflame.com [/root/newt]# sudo cat ls /root

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these two things:

        #1) Respect the privacy of others.
        #2) Think before you type.

Password:
Sorry, try again.
Password:
Sorry, user sean is not allowed to execute '/bin/cat ls /root' as root on server.silentflame.com.
sean@silentflame.com [/root/newt]# sudo cat ls /root
Sorry, user sean is not allowed to execute '/bin/cat ls /root' as root on server.silentflame.com.
sean@silentflame.com [/root/newt]# sudo
usage: sudo -V | -h | -L | -l | -v | -k | -K | [-H] [-P] [-S] [-b] [-p prompt]
            [-u username/#uid] -s | <command>
sean@silentflame.com [/root/newt]#

I'd be grateful if you could offer some advice on the situation. Thanks.
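Why the entry from the first post yields "not allowed to execute" for every command: an added example (not from the thread) that emulates sudo's matching for this sudoers subset over the posted entry and over a variant that grants ALL before subtracting; parse_sudoers, allowed, ORIGINAL and CORRECTED are names chosen here. It shows only the matching rule; sudoers(5) itself warns that '!' exclusions are easily circumvented and should not be relied on to restrict a user who has been given ALL.

```python
# Emulates sudo's rule matching for the sudoers subset used in this thread (aliases,
# '\' continuation, "USER HOST = cmd, cmd"); RunAs, tags and wildcards are left out.
ORIGINAL = r"""
# Xyrael's SysOp Definitions (2006-02-18)
Cmnd_Alias      SHELLS = /usr/bin/sh,  /usr/bin/csh,          \
                        /usr/bin/ksh,  /usr/local/bin/tcsh,    \
                        /usr/bin/rsh,  /usr/local/bin/zsh
User_Alias      SYSOPS = sean, tom
SYSOPS          ALL    = !/usr/bin/su, !SHELLS
"""
# Suggested variant (not from the thread): grant ALL first, then subtract.
CORRECTED = ORIGINAL.replace("= !/usr/bin/su", "= ALL, !/usr/bin/su")

def parse_sudoers(text):
    """Return (cmnd_aliases, user_aliases, rules) for the subset above."""
    cmnd, users, rules = {}, {}, []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        head, rest = line.split(None, 1)
        lhs, rhs = (p.strip() for p in rest.split("=", 1))
        members = [m.strip() for m in rhs.split(",")]
        if head == "Cmnd_Alias":
            cmnd[lhs] = members
        elif head == "User_Alias":
            users[lhs] = members
        else:                     # "USER HOST = cmds": head is the user spec
            rules.append((head, lhs, members))
    return cmnd, users, rules

def allowed(text, user, command, host="ALL"):
    """sudo's decision: scan every entry, the last match wins, no match means
    deny. A '!' entry can only take away what an earlier entry granted."""
    cmnd, users, rules = parse_sudoers(text)
    verdict = False
    for who, rule_host, cmds in rules:
        if user not in users.get(who, [who]) or rule_host not in ("ALL", host):
            continue
        for item in cmds:
            negated, name = item.startswith("!"), item.lstrip("!")
            for path in cmnd.get(name, [name]):   # expand Cmnd_Alias names
                if path in ("ALL", command):
                    verdict = not negated
    return verdict

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("corrected", CORRECTED)):
        for cmd in ("/bin/cat", "/usr/bin/sh", "/usr/bin/su"):
            print(f"{label:9} sean {cmd:12} allowed={allowed(text, 'sean', cmd)}")
```

On the real box, `sudo -l` run as the user reports the effective grants the same way and is the check to trust over this emulator.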

unSpawn 03-30-2006 02:05 PM

Quote:

Xyrael
I'd like to reopen this topic.
On LQ it's kinda customary to open a new thread for a new topic. Keeps the place clean y'know.


Quote:

Xyrael
Sorry, user sean is not allowed to execute '/bin/cat ls /root' as root on server.silentflame.com
...and syslog says?

Rollo69 02-06-2008 08:29 PM

Quote:

unSpawn
Sorry, ./sudo must be setuid root.
Make sure it's root-owned:
chown root.root /opt/sudo/bin/sudo
then make it setuid-root:
chmod 4755 /opt/sudo/bin/sudo
I just wanted to say thanks for this very useful info even though sudo is in a different directory (of course). It allowed me to start using sudo for a user in Slackware. Thank you!!

