From: Todd C. Miller Date: Fri, 30 Mar 2012 16:58:54 +0000 (-0400) Subject: If we are not running with an effective uid of 0, try to give the X-Git-Tag: SUDO_1_7_9p1~20 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=03e4750e91869cd75e0e78ff42884a8de7b67413;p=sudo If we are not running with an effective uid of 0, try to give the user enough information to debug the problem. --HG-- branch : 1.7 --- diff --git a/TROUBLESHOOTING b/TROUBLESHOOTING index d1cd7289f..a4c440e3a 100644 --- a/TROUBLESHOOTING +++ b/TROUBLESHOOTING @@ -16,9 +16,27 @@ A) As part of the build process, sudo creates a temporary library containing you may need to install the SUNWbtool package. On other systems "ar" may be included in the GNU binutils package. -Q) Sudo compiles but when I run it I get "Sorry, sudo must be setuid root." - and sudo quits. -A) Sudo must be setuid root to do its work. You need to do something like +Q) Sudo compiles and installs OK but when I try to run it I get: + /usr/local/bin/sudo must be owned by uid 0 and have the setuid bit set +A) Sudo must be setuid root to do its work. Either /usr/local/bin/sudo + is not owned by uid 0 or the setuid bit is not set. This should have + been done for you by "make install" but you can fix it manually by + running the following as root: + # chown root /usr/local/bin/sudo; chmod 4111 /usr/local/bin/sudo + +Q) Sudo compiles and installs OK but when I try to run it I get: + effective uid is not 0, is /usr/local/bin/sudo on a file system with the + 'nosuid' option set or an NFS file system without root privileges? +A) The owner and permissions on the sudo binary appear to be OK but when + sudo ran, the setuid bit did not have an effect. There are two common + causes for this. The first is that the file system the sudo binary + is located on is mounted with the 'nosuid' mount option, which disables + setuid binaries. The other is that sudo is installed on an NFS-mounted + file system that is exported without root privileges. By default, NFS + file systems are exported with uid 0 mapped to a non-privileged uid + (usually -2). + +You need to do something like `chmod 4111 /usr/local/bin/sudo'. Also, the file system sudo resides on must *not* be mounted (or exported) with the nosuid option or sudo will not be able to work. Another possibility is you may have '.' in diff --git a/sudo.c b/sudo.c index 5e3691504..a384743e7 100644 --- a/sudo.c +++ b/sudo.c @@ -115,6 +115,12 @@ # define CMND_WAIT FALSE #endif +#ifdef __TANDEM +# define ROOT_UID 65535 +#else +# define ROOT_UID 0 +#endif + /* * Prototypes */ @@ -129,6 +135,7 @@ static void show_version __P((void)); static void create_admin_success_flag __P((void)); extern int sudo_edit __P((int, char **, char **)); int run_command __P((const char *path, char *argv[], char *envp[], uid_t uid, int dowait)); /* XXX should be in sudo.h */ +static void sudo_check_suid __P((const char *path)); /* * Globals @@ -197,8 +204,8 @@ main(argc, argv, envp) # endif #endif /* HAVE_GETPRPWNAM && HAVE_SET_AUTH_PARAMETERS */ - if (geteuid() != 0) - errorx(1, "must be setuid root"); + /* Make sure we are setuid root. */ + sudo_check_suid(argv[0]); /* * Signal setup: @@ -402,7 +409,7 @@ main(argc, argv, envp) } else { log_error(NO_EXIT, "timestamp owner (%s): No such user", def_timestampowner); - timestamp_uid = 0; + timestamp_uid = ROOT_UID; } } @@ -1071,6 +1078,29 @@ open_sudoers(sudoers, doedit, keepopen) return fp; } +static void +sudo_check_suid(path) + const char *path; +{ + struct stat sb; + + if (geteuid() != 0) { + if (strchr(path, '/') != NULL && stat(path, &sb) == 0) { + /* Try to determine why sudo was not running as root. */ + if (sb.st_uid != ROOT_UID || !ISSET(sb.st_mode, S_ISUID)) { + errorx(1, + "%s must be owned by uid %d and have the setuid bit set", + path, ROOT_UID); + } else { + errorx(1, "effective uid is not %d, is %s on a file system with the 'nosuid' option set or an NFS file system without root privileges?", ROOT_UID, path); + } + } else { + errorx(1, "effective uid is not %d, is sudo installed setuid root?", + ROOT_UID); + } + } +} + /* * Close all open files (except std*) and turn off core dumps. * Also sets the set_perms() pointer to the correct function.