Opened 11 years ago

Closed 9 years ago

#40644 closed defect (fixed)

sudo: fails to switch to other user than root

Reported by: petrrr Owned by: youvegotmoxie@…
Priority: Normal Milestone:
Component: ports Version:
Keywords: haspatch Cc: raimue (Rainer Müller), cooljeanius (Eric Gallager), evandrix (Lee Wei Yeong), ryandesign (Ryan Carsten Schmidt), petrrr
Port: sudo

Description

I have macport's version of sudo installed on my 10.8 system. When I use it to run as root it works fine, when I try to run as a different user (macports), it would fail. I use the default configuration as provided by the port and see no obvious configuration issue.

petr% which sudo
/opt/local/bin/sudo

petr% sudo whoami
Password:
root

petr% sudo -u macports whoami
sudo: unable to change to runas uid (503, 503): Operation not permitted
sudo: unable to execute /usr/bin/whoami: Operation not permitted

petr% sudo -u petr whoami
sudo: unable to change to runas uid (502, 502): Operation not permitted
sudo: unable to execute /usr/bin/whoami: Operation not permitted

petr% whoami
petr

petr% /usr/bin/sudo -u macports whoami
macports

Attachments (4)

sudo-apple-1.7.4p6.txt (68.2 KB) - added by raimue (Rainer Müller) 11 years ago.
sudo-macports-1.7.7_0.txt (80.8 KB) - added by raimue (Rainer Müller) 11 years ago.
sudo-macports-1.8.8_0.txt (71.5 KB) - added by raimue (Rainer Müller) 11 years ago.
update-sudo.diff (713 bytes) - added by youvegotmoxie@… 9 years ago.
Remove --disable-setreuid

Download all attachments as: .zip

Change History (19)

comment:1 Changed 11 years ago by ryandesign (Ryan Carsten Schmidt)

Cc: raimue@… added; Rainer Müller <raimue@…> removed

The Cc field takes email addresses only.

I have updated sudo to 1.8.8 in r111814. Did that help by any chance?

comment:2 in reply to:  1 Changed 11 years ago by petrrr

Replying to ryandesign@…:

The Cc field takes email addresses only.

Sorry for this, I probably was not careful while copy-pasting.

I have updated sudo to 1.8.8 in r111814. Did that help by any chance?

Unfortunately not. The port now installs ${prefix}/etc/sudoers.dist instead directly sudoers. So I copied it but it still has the same behaviour. I also tried to with the systems version, which works with /usr/bin/sudo. But still the same behaviour.

comment:3 Changed 11 years ago by raimue (Rainer Müller)

I did some testing and the older version 1.7.7 did still work using the Portfile version before r103948. I guess upstream sudo 1.8 changed anything that causes this to stop working now:

Here is an excerpt from an analysis on sudo @1.8.8_1 using sudo dtruss -f /opt/local/bin/sudo -u macports id showing the failing setuid syscall:

57598/0x12e774:  fork()		 = 0 0
57598/0x12e774:  thread_selfid(0x7FFF75C73180, 0x0, 0x1)		 = 1238900 0
57598/0x12e774:  getpid(0x320000003303, 0x330000003300, 0x7FFF75C62888)		 = 57598 0
57598/0x12e774:  close(0x3)		 = 0 0
57598/0x12e774:  close(0x4)		 = 0 0
57598/0x12e774:  close(0x5)		 = 0 0
57598/0x12e774:  fcntl(0x6, 0x2, 0x1)		 = 0 0
57598/0x12e774:  setgroups(0x3, 0x7FFBF0C21E80, 0x0)		 = 0 0
57598/0x12e774:  setgid(0x1F5, 0x0, 0x0)		 = 0 0
57598/0x12e774:  umask(0x3F, 0x0, 0x0)		 = 63 0
57598/0x12e774:  seteuid(0x1F6, 0x0, 0x0)		 = 0 0
57598/0x12e774:  setuid(0x1F6, 0x0, 0x0)		 = -1 Err#1
57598/0x12e774:  open("/opt/local/share/locale/en_US.UTF-8/LC_MESSAGES/sudo.mo\0", 0x0, 0x10D2AB3D0)		 = -1 Err#2
57598/0x12e774:  open("/opt/local/share/locale/en_US.utf8/LC_MESSAGES/sudo.mo\0", 0x0, 0x10D2AB3D0)		 = -1 Err#2
57598/0x12e774:  open("/opt/local/share/locale/en_US/LC_MESSAGES/sudo.mo\0", 0x0, 0x10D2AB3D0)		 = -1 Err#2
57598/0x12e774:  open("/opt/local/share/locale/en.UTF-8/LC_MESSAGES/sudo.mo\0", 0x0, 0x10D2AB3D0)		 = -1 Err#2
57598/0x12e774:  open("/opt/local/share/locale/en.utf8/LC_MESSAGES/sudo.mo\0", 0x0, 0x10D2AB3D0)		 = -1 Err#2
57598/0x12e774:  open("/opt/local/share/locale/en/LC_MESSAGES/sudo.mo\0", 0x0, 0x10D2AB3D0)		 = -1 Err#2
57598/0x12e774:  write_nocancel(0x2, "sudo: unable to change to runas uid (502, 502): Operation not permitted\n\0", 0x48)		 = 72 0
...

In sudo @1.7.7_0, only setuid(502) is called at this point without any seteuid(502) before. The full log files from my system are attached.

Changed 11 years ago by raimue (Rainer Müller)

Attachment: sudo-apple-1.7.4p6.txt added

Changed 11 years ago by raimue (Rainer Müller)

Attachment: sudo-macports-1.7.7_0.txt added

Changed 11 years ago by raimue (Rainer Müller)

Attachment: sudo-macports-1.8.8_0.txt added

comment:4 Changed 10 years ago by cooljeanius (Eric Gallager)

Cc: egall@… added

Cc Me!

comment:5 Changed 10 years ago by evandrix (Lee Wei Yeong)

Cc: evandrix@… added

Cc Me!

comment:6 Changed 9 years ago by raimue (Rainer Müller)

Owner: changed from macports-tickets@… to youvegotmoxie@…

Assigning to maintainer.

comment:7 Changed 9 years ago by youvegotmoxie@…

Can recreate, looking into it now.

comment:8 Changed 9 years ago by youvegotmoxie@…

Fixed: #48816

Last edited 9 years ago by ryandesign (Ryan Carsten Schmidt) (previous) (diff)

comment:9 Changed 9 years ago by ryandesign (Ryan Carsten Schmidt)

Cc: ryandesign@… added
Keywords: haspatch added

Could you elaborate on the fix you proposed in #48816? Was this problem reported to the developers of sudo? If so, what is the bug report URL? Did they agree that this is the correct solution?

comment:10 Changed 9 years ago by raimue (Rainer Müller)

Your patch attached to #48816 removes setuid(), which means the real uid of the target will not be set, only the effective uid will be changed. This is not the desired behavior. The seteuid() should be removed, as in this upstream change.

Upstream report: http://bugzilla.sudo.ws/show_bug.cgi?id=713

Which leaves a question, why are we using --disable-setreuid? Apparently, this bug was only exposed due to this configuration.

Last edited 9 years ago by ryandesign (Ryan Carsten Schmidt) (previous) (diff)

comment:11 in reply to:  9 Changed 9 years ago by youvegotmoxie@…

Replying to ryandesign@…:

Could you elaborate on the fix you proposed in #48816? Was this problem reported to the developers of sudo? If so, what is the bug report URL? Did they agree that this is the correct solution?

That is the bug report I opened on the sudo bug tracker as posted by raimue@….

Upstream report: ​http://bugzilla.sudo.ws/show_bug.cgi?id=713

I am not sure why the Portfile is using --disable-setreuid, without the patched sudo.c and not using --disable-setreuid the aforementioned bug is not present.

comment:12 Changed 9 years ago by petrrr

Cc: petr@… added

Cc Me!

comment:13 Changed 9 years ago by raimue (Rainer Müller)

I propose to remove --disable-setreuid. According to a quick check with svn blame it has always been there. If it was not implemented in some older version of OS X, a workaround can be applied in the appropriate platform block.

comment:14 Changed 9 years ago by youvegotmoxie@…

That works for me, although, I have only tested it on Yosemite.

Changed 9 years ago by youvegotmoxie@…

Attachment: update-sudo.diff added

Remove --disable-setreuid

comment:15 Changed 9 years ago by neverpanic (Clemens Lang)

Resolution: fixed
Status: newclosed

Committed in r143281.

Note: See TracTickets for help on using tickets.