public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] two identical /etc/sudoers -- only one works
@ 2007-05-24  1:14 maxim wexler
  2007-05-24 22:00 ` Walter Dnes
  0 siblings, 1 reply; 21+ messages in thread
From: maxim wexler @ 2007-05-24  1:14 UTC (permalink / raw
  To: gentoo-user

Hi group,

I connect to the web using

$sudo /usr/sbin/pon <isp> 

on one machine(2.6.20-gentoo-r6). On another
machine(2.6.19-gentoo-r5), I get

:sudo: can't open /etc/sudoers: Permission denied.

But both files have identical permissions:

heathen@localhost ~ $ ls -l /etc/sudoers
-r--r----- 1 root root 1875 Feb  3 21:14 /etc/sudoers

picky@localhost ~ $ ls -l /etc/sudoers
-r--r----- 1 root root 1717 May 23 16:38 /etc/sudoers

I used visudo on both machines and wrote identical
lines in each:

heathen localhost = (root) NOPASSWD: /usr/sbin/pon hd
heathen localhost = (root) NOPASSWD: /usr/sbin/poff hd

usernames of course are different. All other lines are
exact matches.

The non-compliant machine connects but only as root.

This is /etc/group from the machine that works. The
'wheel', 'dialout', 'users', 'root', 'bin', 'daemon',
'sys', 'adm'... lines are the same on both machines:


root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root,adm
lp:x:7:lp
mem:x:8:
kmem:x:9:
wheel:x:10:root,heathen
floppy:x:11:root
mail:x:12:mail
news:x:13:news
uucp:x:14:uucp
man:x:15:man
cron:x:16:cron
console:x:17:
audio:x:18:heathen
cdrom:x:19:heathen
dialout:x:20:root
ftp:x:21:
sshd:x:22:
at:x:25:at
tape:x:26:root
video:x:27:root,heathen
squid:x:31:squid
gdm:x:32:gdm
xfs:x:33:xfs
games:x:35:
named:x:40:named
mysql:x:60:
postgres:x:70:
cdrw:x:80:heathen
nut:x:84:
usb:x:85:heathen
vpopmail:x:89:
users:x:100:games,heathen
nofiles:x:200:
qmail:x:201:
postfix:x:207:
postdrop:x:208:
smmsp:x:209:smmsp
slocate:x:245:
portage:x:250:portage,heathen
utmp:x:406:
nogroup:x:65533:
nobody:x:65534:
rpc:x:111:
ldap:x:439:

Don't know what else to show the group :(

-Maxim



       
-- 
gentoo-user@gentoo.org mailing list




* Re: [gentoo-user] two identical /etc/sudoers -- only one works
  2007-05-24  1:14 [gentoo-user] two identical /etc/sudoers -- only one works maxim wexler
@ 2007-05-24 22:00 ` Walter Dnes
  2007-05-25  3:24   ` maxim wexler
  2007-05-25 18:16   ` [gentoo-user] " Christer Ekholm
  0 siblings, 2 replies; 21+ messages in thread
From: Walter Dnes @ 2007-05-24 22:00 UTC (permalink / raw
  To: gentoo-user

On Wed, May 23, 2007 at 06:14:53PM -0700, maxim wexler wrote
> Hi group,
> 
> I connect to the web using
> 
> $sudo /usr/sbin/pon <isp> 
> 
> on one machine(2.6.20-gentoo-r6). On another
> machine(2.6.19-gentoo-r5), I get
> 
> :sudo: can't open /etc/sudoers: Permission denied.

  Is "picky" a member of both "users" and "wheel"?  Does picky's machine
run PAM?  PAM has additional config files to control access.

-- 
Walter Dnes <waltdnes@waltdnes.org> In linux /sbin/init is Job #1
Q. Mr. Ghandi, what do you think of Microsoft security?
A. I think it would be a good idea.

* Re: [gentoo-user] two identical /etc/sudoers -- only one works
  2007-05-24 22:00 ` Walter Dnes
@ 2007-05-25  3:24   ` maxim wexler
  2007-05-25 18:16   ` [gentoo-user] " Christer Ekholm
  1 sibling, 0 replies; 21+ messages in thread
From: maxim wexler @ 2007-05-25  3:24 UTC (permalink / raw
  To: gentoo-user

>   Is "picky" a member of both "users" and "wheel"? 

Yes

> Does picky's machine
> run PAM?  PAM has additional config files to control

Yes, and /etc/pam.d/sudo is identical on both machines

Also permissions under /usr/bin/sudo are identical on
both machines: ---s--x--x. As are all other bin and
sbin permissions(generally): 755.




 

* [gentoo-user]  Re: two identical /etc/sudoers -- only one works
  2007-05-24 22:00 ` Walter Dnes
  2007-05-25  3:24   ` maxim wexler
@ 2007-05-25 18:16   ` Christer Ekholm
  2007-05-25 23:34     ` maxim wexler
  1 sibling, 1 reply; 21+ messages in thread
From: Christer Ekholm @ 2007-05-25 18:16 UTC (permalink / raw
  To: gentoo-user; +Cc: Walter Dnes

"Walter Dnes" <waltdnes@waltdnes.org> writes:

> On Wed, May 23, 2007 at 06:14:53PM -0700, maxim wexler wrote
>> Hi group,
>> 
>> I connect to the web using
>> 
>> $sudo /usr/sbin/pon <isp> 
>> 
>> on one machine(2.6.20-gentoo-r6). On another
>> machine(2.6.19-gentoo-r5), I get
>> 
>> :sudo: can't open /etc/sudoers: Permission denied.
>

The message suggests that the process of sudo actually doesn't have
permission to open the sudoers file.  Check that the sudo-program
(type sudo) is in fact owned by root, and has the setuid-bit set.

$ls -l `which sudo`
---s--x--x 1 root root 107240 2007-05-21 11:11 /usr/bin/sudo*
   ^         ^
   setuid    root

--
 Christer


* Re: [gentoo-user]  Re: two identical /etc/sudoers -- only one works
  2007-05-25 18:16   ` [gentoo-user] " Christer Ekholm
@ 2007-05-25 23:34     ` maxim wexler
  2007-05-26  0:19       ` Christer Ekholm
  0 siblings, 1 reply; 21+ messages in thread
From: maxim wexler @ 2007-05-25 23:34 UTC (permalink / raw
  To: gentoo-user

> $ls -l `which sudo`
> ---s--x--x 1 root root 107240 2007-05-21 11:11
> /usr/bin/sudo*
>    ^         ^
>    setuid    root
> 
> --
>  Christer

Thanks Christer, never saw that command before, but
like I told Walter, a listing for sudo is indeed:
---s--x--1 2 root root                                
              ^
                            Is this supposed to be a
one?
            
mw


 

* [gentoo-user]  Re: two identical /etc/sudoers -- only one works
  2007-05-25 23:34     ` maxim wexler
@ 2007-05-26  0:19       ` Christer Ekholm
  2007-05-26  3:14         ` maxim wexler
  0 siblings, 1 reply; 21+ messages in thread
From: Christer Ekholm @ 2007-05-26  0:19 UTC (permalink / raw
  To: gentoo-user


I was wrong. Sorry.

I realize now that this cannot be your problem, sudo tells you that it
is not setuid if it's not.

  $ sudo chmod -s sudo
  $ sudo ls
  sudo: must be setuid root

>
> Thanks Christer, never saw that command before, but
> like I told Walter, a listing for sudo is indeed:
> ---s--x--1 2 root root                                
>               ^
>                             Is this supposed to be a
> one?

Did you type that line instead of cut'n paste?  If not, I fail to
understand the 1 in ---s--x--1

If you ask about the first number directly after the permission
string, it is the number of hard links to that file. If it is other
than one it means that the file has another name also, you can find
that by using -i to ls to show the inode-number, and then find the
other with find -inum

Example:

  $ pwd
  /usr/bin
  $ ls -li sudo
  8803772 ---s--x--x 2 root root 107240 2007-05-21 11:11 sudo*
  $ find . -inum 8803772
  ./sudo
  ./foo
  $ ls -li foo
  8803772 ---s--x--x 2 root root 107240 2007-05-21 11:11 foo*


Unfortunately I do not know what's wrong, try to strace sudo to see
what it does, remember that you have to be root to strace a setuid
program. Look for

open("/etc/sudoers", O_RDONLY)          = 4

The 4 is what file descriptor open returned, and is -1 for a failed
open. 


--
 Christer


* Re: [gentoo-user]  Re: two identical /etc/sudoers -- only one works
  2007-05-26  0:19       ` Christer Ekholm
@ 2007-05-26  3:14         ` maxim wexler
  2007-05-26  5:40           ` Boyd Stephen Smith Jr.
                             ` (2 more replies)
  0 siblings, 3 replies; 21+ messages in thread
From: maxim wexler @ 2007-05-26  3:14 UTC (permalink / raw
  To: gentoo-user

> Example:
> 
>   $ pwd
>   /usr/bin
>   $ ls -li sudo
>   8803772 ---s--x--x 2 root root 107240 2007-05-21 11:11 sudo*
>   $ find . -inum 8803772
>   ./sudo
>   ./foo
>   $ ls -li foo
>   8803772 ---s--x--x 2 root root 107240 2007-05-21 11:11 foo*
> 
> 
> Unfortunately I do not know what's wrong, try to strace sudo to see
> what it does, remember that you have to be root to strace a setuid
> program. Look for
> 
> open("/etc/sudoers", O_RDONLY)          = 4
> 
> The 4 is what file descriptor open returned, and is -1 for a failed
> open. 
> 

strace:
<...>
open("/etc/sudoers", O_RDONLY)          = -1 EACCES (Permission denied)
geteuid32()                             = 1
setresuid32(0, 0, 0)                    = 0
write(2, "sudo: ", 6sudo: )                   = 6
write(2, "can\'t open /etc/sudoers", 23can't open
/etc/sudoers) = 23
write(2, ": ", 2: )                       = 2
write(2, "Permission denied\n", 18Permission denied
)     = 18
<...>

picky@localhost /usr/bin $ ls -li sudo
314108 ---s--x--x 2 root root 106160 Apr 11 09:26 sudo
picky@localhost /usr/bin $ find . -inum 314108
./sudo
./sudoedit
picky@localhost /usr/bin $ ls -li sudoedit
314108 ---s--x--x 2 root root 106160 Apr 11 09:26 sudoedit
picky@localhost /usr/bin $

Just noticed this:

picky@localhost ~ $ ls /
ls: cannot open directory /: Permission denied
picky@localhost ~ $

picky can't even mount a floppy or write to it!

But picky's fstab is identical to heathen's. 

Only thing I can think of: recently had to do emerge
--metadata on account of CacheCorruption error.




 

* Re: [gentoo-user]  Re: two identical /etc/sudoers -- only one works
  2007-05-26  3:14         ` maxim wexler
@ 2007-05-26  5:40           ` Boyd Stephen Smith Jr.
  2007-05-26 20:37             ` maxim wexler
  2007-05-26 21:31           ` Christer Ekholm
  2007-05-29 21:04           ` Paul Varner
  2 siblings, 1 reply; 21+ messages in thread
From: Boyd Stephen Smith Jr. @ 2007-05-26  5:40 UTC (permalink / raw
  To: gentoo-user


On Friday 25 May 2007, maxim wexler <blissfix@yahoo.com> wrote about 'Re: 
[gentoo-user]  Re: two identical /etc/sudoers -- only one works':
> strace:
> <...>
> open("/etc/sudoers", O_RDONLY)          = -1 EACCES
> (Permission denied)

FS corruption.  Check dmesg for any errors, but fsck the filesystem 
containing this file ASAP even if you don't see anything.

I'd seen the same behavior (albeit on a different file) on some of my 
reiserfs filesystems -- files that no one, including root, could access 
due to "Permission denied".

-- 
Boyd Stephen Smith Jr.                     ,= ,-_-. =. 
bss03@volumehost.net                      ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy           `-'(. .)`-' 
http://iguanasuicide.org/                      \_/     


* Re: [gentoo-user]  Re: two identical /etc/sudoers -- only one works
  2007-05-26  5:40           ` Boyd Stephen Smith Jr.
@ 2007-05-26 20:37             ` maxim wexler
  0 siblings, 0 replies; 21+ messages in thread
From: maxim wexler @ 2007-05-26 20:37 UTC (permalink / raw
  To: gentoo-user

> FS corruption.  Check dmesg for any errors, but fsck
> the filesystem 
> containing this file ASAP even if you don't see
> anything.

/dev/hda3 unmounted

#reiserfsck -l check.log /dev/hda3

"No corruptions found"

check.log empty.

No errors in dmesg for /dev/hda3

mw


 

* [gentoo-user]  Re: two identical /etc/sudoers -- only one works
  2007-05-26  3:14         ` maxim wexler
  2007-05-26  5:40           ` Boyd Stephen Smith Jr.
@ 2007-05-26 21:31           ` Christer Ekholm
  2007-05-26 23:29             ` maxim wexler
  2007-05-29 21:04           ` Paul Varner
  2 siblings, 1 reply; 21+ messages in thread
From: Christer Ekholm @ 2007-05-26 21:31 UTC (permalink / raw
  To: gentoo-user

maxim wexler <blissfix@yahoo.com> writes:

> strace:
> <...>
> open("/etc/sudoers", O_RDONLY)          = -1 EACCES
> (Permission denied)
> geteuid32()                             = 1

hmm, strange, geteuid should return euid which should be zero for
root.  Look for other occurrences of geteuid in strace output.

Check also that root actually has uid=0 on that machine.

$ getent passwd | grep ^root
root:x:0:0:root:/root:/bin/bash

--
 Christer


* Re: [gentoo-user]  Re: two identical /etc/sudoers -- only one works
  2007-05-26 21:31           ` Christer Ekholm
@ 2007-05-26 23:29             ` maxim wexler
  2007-05-27  0:05               ` Christer Ekholm
  2007-05-27  0:12               ` Christer Ekholm
  0 siblings, 2 replies; 21+ messages in thread
From: maxim wexler @ 2007-05-26 23:29 UTC (permalink / raw
  To: gentoo-user


> root.  Look for other occurrences of geteuid in
> strace output.

Most similar instance is following the line:
<...>
readlink("/proc/self/fd/0,  "/dev/tty2", 4095) = 9
getuid32()                               = 0
   ^
note: no 'e'

> 
> Check also that root actually has uid=0 on that
> machine.
> 
> $ getent passwd | grep ^root
> root:x:0:0:root:/root:/bin/bash

checks OK

FWIW, scrolling to the top of the output of strace --
how do I write strace to a file? -- there is the line:

close(393)             =-1 EBADF (Bad file descriptor)

followed by 630 similar lines ending in 'close(1023)
ditto' then the "body" of the output.

mw


       

* [gentoo-user]  Re: two identical /etc/sudoers -- only one works
  2007-05-26 23:29             ` maxim wexler
@ 2007-05-27  0:05               ` Christer Ekholm
  2007-05-27  0:14                 ` Arturo 'Buanzo' Busleiman
  2007-05-27  0:12               ` Christer Ekholm
  1 sibling, 1 reply; 21+ messages in thread
From: Christer Ekholm @ 2007-05-27  0:05 UTC (permalink / raw
  To: gentoo-user

maxim wexler <blissfix@yahoo.com> writes:

> Most similar instance is following the line:
> <...>
> readlink("/proc/self/fd/0,  "/dev/tty2", 4095) = 9
> getuid32()                               = 0
>    ^
> note: no 'e'

Yes that's also interesting, uid is zero, which it should be since you
are running strace as root. uid and euid are two different attribs of a
process, both should be zero.

>
>> 
>> Check also that root actually has uid=0 on that
>> machine.
>> 
>> $ getent passwd | grep ^root
>> root:x:0:0:root:/root:/bin/bash
>
> checks OK

Good, but unfortunate since I'm out of ideas now.

>
> FWIW, scrolling to the top of the output of strace --
> how do I write strace to a file?

strace -o file

> -- there is the line:
>
> close(393)             =-1 EBADF (Bad file descriptor)
>
> followed by 630 similar lines ending in 'close(1023)
> ditto' then the "body" of the output.

That is perfectly normal. sudo just closes every fd, even the ones not
opened.



* [gentoo-user]  Re: two identical /etc/sudoers -- only one works
  2007-05-26 23:29             ` maxim wexler
  2007-05-27  0:05               ` Christer Ekholm
@ 2007-05-27  0:12               ` Christer Ekholm
  2007-05-27  2:33                 ` maxim wexler
  1 sibling, 1 reply; 21+ messages in thread
From: Christer Ekholm @ 2007-05-27  0:12 UTC (permalink / raw
  To: gentoo-user

maxim wexler <blissfix@yahoo.com> writes:

>> root.  Look for other occurrences of geteuid in
>> strace output.
>
> Most similar instance is following the line:
> <...>
> readlink("/proc/self/fd/0,  "/dev/tty2", 4095) = 9
> getuid32()                               = 0

You should also check for any of setuid seteuid setreuid or
setresuid. Any call to any of those must be successful.

--
 Christer


* Re: [gentoo-user]  Re: two identical /etc/sudoers -- only one works
  2007-05-27  0:05               ` Christer Ekholm
@ 2007-05-27  0:14                 ` Arturo 'Buanzo' Busleiman
  0 siblings, 0 replies; 21+ messages in thread
From: Arturo 'Buanzo' Busleiman @ 2007-05-27  0:14 UTC (permalink / raw
  To: gentoo-user

Maybe you're running sudo from within a chrooted/restricted shell, or some kernel with security
options that is not allowing /etc/sudoers to be read?

-- 
Arturo "Buanzo" Busleiman - Independent Information Security Consultant
OpenPGP for HTTP: New Web-Auth Scheme: http://freshmeat.net/articles/view/2599
Consulting and Secure Mail Hosting: http://www.buanzo.com.ar/pro/

* Re: [gentoo-user]  Re: two identical /etc/sudoers -- only one works
  2007-05-27  0:12               ` Christer Ekholm
@ 2007-05-27  2:33                 ` maxim wexler
  2007-05-27 10:59                   ` Christer Ekholm
  0 siblings, 1 reply; 21+ messages in thread
From: maxim wexler @ 2007-05-27  2:33 UTC (permalink / raw
  To: gentoo-user

> You should also check for any of setuid seteuid
> setreuid or
> setresuid. any call to any of those must be
> successful.

If by "successful" you mean the call returns >= 0,
then they're successful.

There is this, however:
<...>
open("/etc/default/nss", 0_RDONLY) =-1 ENODENT (No
such file or directory)
<...>
connect(4,{sa_family=AF_FILE,
path="/var/run/nscd/socket"}, 110} =-1 ENODENT (No
such file or directory)
<...>
connect(4,{sa_family=AF_FILE, path="/dev/log"}, 110
=-1 EPROTOTYPE (Protocol wront type for socket)
<..>


mw



* [gentoo-user]  Re: two identical /etc/sudoers -- only one works
  2007-05-27  2:33                 ` maxim wexler
@ 2007-05-27 10:59                   ` Christer Ekholm
  2007-05-27 17:56                     ` maxim wexler
  0 siblings, 1 reply; 21+ messages in thread
From: Christer Ekholm @ 2007-05-27 10:59 UTC (permalink / raw
  To: gentoo-user

maxim wexler <blissfix@yahoo.com> writes:

>
> If by "successful" you mean the call returns >= 0,
> then they're successful.

Yes,

>
> There is this, however:
> <...>
> open("/etc/default/nss", 0_RDONLY) =-1 ENODENT (No
> such file or directory)
> <...>
> connect(4,{sa_family=AF_FILE,
> path="/var/run/nscd/socket"}, 110} =-1 ENODENT (No
> such file or directory)
> <...>
> connect(4,{sa_family=AF_FILE, path="/dev/log"}, 110
> =-1 EPROTOTYPE (Protocol wront type for socket)
> <..>

I don't think those are important. Just standard tries to open
system-files if they exist, and connect to syslog.

I'm totally out of ideas now. Sorry I couldn't help you. Try to see if
it is some security-related problem as proposed by Arturo.



* Re: [gentoo-user]  Re: two identical /etc/sudoers -- only one works
  2007-05-27 10:59                   ` Christer Ekholm
@ 2007-05-27 17:56                     ` maxim wexler
  0 siblings, 0 replies; 21+ messages in thread
From: maxim wexler @ 2007-05-27 17:56 UTC (permalink / raw
  To: gentoo-user

> you. Try to see if
> it is some security-related problem as proposed by
> Arturo.

There are two options under Security in the .config;
neither are set. Is there someplace else to check?

mw


       

* Re: [gentoo-user]  Re: two identical /etc/sudoers -- only one works
  2007-05-26  3:14         ` maxim wexler
  2007-05-26  5:40           ` Boyd Stephen Smith Jr.
  2007-05-26 21:31           ` Christer Ekholm
@ 2007-05-29 21:04           ` Paul Varner
  2007-05-29 22:05             ` Mick
  2 siblings, 1 reply; 21+ messages in thread
From: Paul Varner @ 2007-05-29 21:04 UTC (permalink / raw
  To: gentoo-user

On Fri, 2007-05-25 at 20:14 -0700, maxim wexler wrote:
> picky@localhost ~ $ ls /
> ls: cannot open directory /: Permission denied
> picky@localhost ~ $

What does 'ls -ld /' and 'ls -ld /etc' return?

Both of them should look like:
drwxr-xr-x 20 root root 4096 May 29 04:40 /
drwxr-xr-x 56 root root 4096 May 29 11:39 /etc

Regards,
Paul

* Re: [gentoo-user]  Re: two identical /etc/sudoers -- only one works
  2007-05-29 21:04           ` Paul Varner
@ 2007-05-29 22:05             ` Mick
  2007-05-29 23:11               ` Mike Edenfield
  0 siblings, 1 reply; 21+ messages in thread
From: Mick @ 2007-05-29 22:05 UTC (permalink / raw
  To: gentoo-user


On Tuesday 29 May 2007 22:04, Paul Varner wrote:
> On Fri, 2007-05-25 at 20:14 -0700, maxim wexler wrote:
> > picky@localhost ~ $ ls /
> > ls: cannot open directory /: Permission denied
> > picky@localhost ~ $
>
> What does 'ls -ld /' and 'ls -ld /etc' return?
>
> Both of them should look like:
> drwxr-xr-x 20 root root 4096 May 29 04:40 /
> drwxr-xr-x 56 root root 4096 May 29 11:39 /etc

Oops! mine looks like this:

# ls -ld /   
drwxrwxrwt 22 root root 648 Apr  6 18:44 /

What's wrong here?

PS. I do not suffer from Maxim's problem, but clearly something is wrong with 
my access rights on the root directory?
-- 
Regards,
Mick


* Re: [gentoo-user]  Re: two identical /etc/sudoers -- only one works
  2007-05-29 22:05             ` Mick
@ 2007-05-29 23:11               ` Mike Edenfield
  0 siblings, 0 replies; 21+ messages in thread
From: Mike Edenfield @ 2007-05-29 23:11 UTC (permalink / raw
  To: gentoo-user

Mick wrote:
> On Tuesday 29 May 2007 22:04, Paul Varner wrote:
>> On Fri, 2007-05-25 at 20:14 -0700, maxim wexler wrote:
>>> picky@localhost ~ $ ls /
>>> ls: cannot open directory /: Permission denied
>>> picky@localhost ~ $
>> What does 'ls -ld /' and 'ls -ld /etc' return?
>>
>> Both of them should look like:
>> drwxr-xr-x 20 root root 4096 May 29 04:40 /
>> drwxr-xr-x 56 root root 4096 May 29 11:39 /etc
> 
> Oops! mine looks like this:
> 
> # ls -ld /   
> drwxrwxrwt 22 root root 648 Apr  6 18:44 /
> 
> What's wrong here?
> 
> PS. I do not suffer from Maxim's problem, but clearly something is wrong with 
> my access rights on the root directory?

Having root world-writeable looks a bit suspicious, 
especially if you don't remember doing it yourself. :)

The 't' bit on a directory just means that deletes in that 
directory are restricted to the superuser or file owner (as 
opposed to anyone with +w permissions to the directory). 
I'm not sure why that would affect sudo, or ls for that 
matter, unless it's something funny with how opendir() works?

You could try turning off the odd permissions:

chmod o-wt /
chmod g-w /

and see if anything changes.

-- 
-- Mike

Still using IE? Get Firefox!
http://www.spreadfirefox.com/?q=affiliates&id=6492&t=1

* Re: [gentoo-user]  Re: two identical /etc/sudoers -- only one works
       [not found] <20070530001052.GA24190@waltdnes.org>
@ 2007-05-30  1:36 ` maxim wexler
  0 siblings, 0 replies; 21+ messages in thread
From: maxim wexler @ 2007-05-30  1:36 UTC (permalink / raw
  To: gentoo-user

> m450 backups # ls -al /
> total 72
> drwxr-xr-x 18 root root  4096 Apr 29 13:38 .
> drwxr-xr-x 18 root root  4096 Apr 29 13:38 ..
> drwxr-xr-x  2 root root  4096 May 19 10:36 bin
> drwxr-xr-x  2 root root  4096 May 17 18:07 boot
> drwxr-xr-x 16 root root 13460 May 25 14:39 dev
> drwxr-xr-x 57 root root  4096 May 22 01:51 etc
> drwxr-xr-x  7 root root  4096 May  1 00:08 home
> drwxr-xr-x  8 root root  4096 May 19 22:29 lib
> drwx------  2 root root 16384 Apr 26 15:35 lost+found
> drwxr-xr-x  5 root root  4096 May  6 23:46 mnt
> drwxr-xr-x  4 root root  4096 Apr 29 02:47 opt
> dr-xr-xr-x 72 root root     0 May 17 14:13 proc
> drwx------  6 root root  4096 May 27 13:13 root
> drwxr-xr-x  2 root root  4096 May 19 22:29 sbin
> drwxr-xr-x 11 root root     0 May 17 14:13 sys
> drwxrwxrwt 11 root root  4096 May 27 14:35 tmp
> drwxr-xr-x 15 root root  4096 May 19 13:42 usr
> drwxr-xr-x 14 root root  4096 Apr 28 20:36 var
> 
>   Note the permissions for /
> drwxr-xr-x 18 root root  4096 Apr 29 13:38 .
> 
>   Everybody needs to have "x" in order to even read
> any files in there.
> As root, try...
> 
> chmod 755 /

 My permissions are just like yours. Nevertheless I
did what you suggested and ... hey, presto! permission
is no longer denied. sudo works too. 

Thanks Walter!

mw
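
The thread ended with `chmod 755 /`, which points at a parent directory's search bit rather than at `/etc/sudoers` itself. As an added example (not code from any poster), the shell functions below walk a path from the root down and report the first component whose mode bits deny a given uid and group list. The strace earlier in the thread shows the failing open made with euid 1; the group list you pass in, the function names and the script name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Needs GNU stat; ignores ACLs,
# capabilities and LSM policy, and does not walk the parents of a symlink
# target. Function names and the script name are made up for this example.

# class_bits MODE OWNER GROUP UID "GID ..."
# Prints the rwx triplet (0-7) that applies to UID: owner, else group, else
# other. The classes are exclusive: an owner whose triplet is empty is
# denied even when "other" would be allowed.
class_bits() {
    mode=$((0$1))                       # stat prints octal, e.g. 755 or 1777
    if [ "$4" -eq "$2" ]; then
        echo $(( (mode >> 6) & 7 )); return 0
    fi
    for g in $5; do
        if [ "$g" -eq "$3" ]; then
            echo $(( (mode >> 3) & 7 )); return 0
        fi
    done
    echo $(( mode & 7 ))
}

# first_denied UID "GID ..." PATH [BASE]
# Checks BASE (default: the real /) and then each component of PATH under
# it. Directories need search (x); the final file needs read (r). Set BASE
# to a mount point to inspect a filesystem mounted from a rescue system.
# Prints "OK" or "DENIED <path> <octal mode> <missing bit>".
# Returns 0 (allowed), 1 (denied) or 2 (a component could not be stat'ed).
first_denied() {
    uid=$1 gids=$2 rest=${3#/} cur=${4:-}
    if [ "$uid" -eq 0 ]; then           # uid 0 bypasses r and x mode checks
        echo OK; return 0
    fi
    while :; do
        target=${cur:-/}
        st=$(stat -L -c '%a %u %g' "$target" 2>/dev/null) ||
            { echo "ERROR $target"; return 2; }
        set -- $st                      # $1=mode $2=owner uid $3=group gid
        bits=$(class_bits "$1" "$2" "$3" "$uid" "$gids")
        if [ -d "$target" ]; then need=1 name=x; else need=4 name=r; fi
        if [ $(( bits & need )) -eq 0 ]; then
            echo "DENIED $target $1 $name"; return 1
        fi
        [ -n "$rest" ] || break
        cur=$cur/${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
    done
    echo OK
}

# Stand-alone use: sh pathcheck.sh 1 "0" /etc/sudoers
if [ "$#" -ge 3 ]; then
    first_denied "$@"
fi
```

Run it as root so that `stat` itself is not blocked by the directory being diagnosed; the decision is computed from the mode bits, not by attempting the access.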




       