Can't strace sudo; reports that the effective uid is nonzero

Team:

 bigxu@bigxu-ThinkPad-T410 ~/work/lean $ sudo ls
 content_shell.pak  leanote  libgcrypt.so.11  libnotify.so.4  __MACOSX  resources
 icudtl.dat  leanote.png  libnode.so  locales  natives_blob.bin  snapshot_blob.bin

In most cases, this is correct. But sometimes it's very slow, so I hold it.

Team:

 bigxu@bigxu-ThinkPad-T410 ~/work/lean $ strace sudo ls
 execve("/usr/bin/sudo", ["sudo", "ls"], [/* 66 vars */]) = 0
 brk(0)                                  = 0x7f2b3c423000
 fcntl(0, F_GETFD)                       = 0
 fcntl(1, F_GETFD)                       = 0
 fcntl(2, F_GETFD)                       = 0
 ......
 write(2, "sudo: effective uid is not 0, is"..., 140sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
 ) = 140
 exit_group(1)                           = ?
 +++ exited with 1 +++

other information:

 bigxu-ThinkPad-T410 lean # ls /etc/sudoers -alht
 -r--r----- 1 root root 745 2月 11 2014 /etc/sudoers
 bigxu-ThinkPad-T410 lean # ls /usr/bin/sudo -alht
 -rwsr-xr-x 1 root root 152K 12月 14 21:13 /usr/bin/sudo
 bigxu-ThinkPad-T410 lean # df `which sudo`
 Filesystem     1K-blocks    Used Available Use% Mounted on
 /dev/sdb1       67153528 7502092  56217148  12%
+8
linux sudo
2 answers

For security reasons, the setuid bit and ptrace (used to run binaries under a debugger) cannot be in effect at the same time. Not enforcing this limitation in the past led to CVE-2001-1384.

Therefore, any operating system designed with security in mind will either stop ptrace on exec of a setuid binary, or it will not honour the setuid bit when ptrace is in use.

On Linux, consider Sysdig instead, which, being able to observe but not modify behaviour, does not carry the same risks.

+8

How to trace sudo

 $ sudo strace -u <username> sudo -k <command> 
  1. sudo runs strace as root.
  2. strace starts sudo as <username>, passed through the -u option.
  3. sudo drops the cached credentials of the previous sudo with the -k option (so the password is asked for again) and runs <command> .

The second sudo is the tracee (the monitored process).

To substitute the current user for <username> automatically, use $(id -u -n) .

Why sudo doesn't work with strace

In addition to Charles's answer, here is what the execve(2) man page says:

If the set-user-ID bit is set on the program file pointed to by pathname, then the effective user ID of the calling process is changed to that of the owner of the program file. Similarly, when the set-group-ID bit of the program file is set, the effective group ID of the calling process is set to the group of the program file.

The above transformations of the effective IDs are not performed (that is, the set-user-ID and set-group-ID bits are ignored) if any of the following is true:

  • the no_new_privs attribute is set for the calling thread (see prctl(2));
  • the underlying filesystem is mounted nosuid (the MS_NOSUID flag for mount(2)); or
  • the calling process is being ptraced.

The capabilities of the program file (see capabilities(7)) are also ignored if any of the above are true.

The permissions required to ptrace a process and to inspect or modify its memory are described under "Ptrace access mode checking" in the NOTES section of the ptrace(2) manual page. I commented on this in this answer .

+1
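The execve(2) conditions quoted in the answer above, turned into an added diagnostic script that is not part of either answer or of sudo/strace: it reports why the set-user-ID bit on a binary such as /usr/bin/sudo would be ignored (bit not set, no_new_privs, a nosuid mount, or a ptraced caller). The checks are pure functions over the text of /proc/self/status and /proc/self/mounts so they can be exercised on constructed samples; all function names are my own.

```python
"""Diagnose why execve(2) would ignore the set-user-ID bit on a binary (added example)."""
import os
import stat
import sys

def parse_status(text):
    """Parse /proc/<pid>/status text into a {field: value} dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def mount_options(path, mounts_text):
    """Option list of the longest mount point that is a prefix of path."""
    best, opts = "", []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mnt = parts[1].replace("\\040", " ")  # /proc/mounts escapes spaces as \040
        # '>=' so a later entry on the same mount point wins (later mounts overlay earlier ones)
        if (path == mnt or path.startswith(mnt.rstrip("/") + "/")) and len(mnt) >= len(best):
            best, opts = mnt, parts[3].split(",")
    return opts

def setuid_ignored_reasons(path, mode, status_text, mounts_text):
    """Reasons the set-user-ID bit on path is ignored; mode is st_mode, [] means honoured."""
    reasons = []
    if not mode & stat.S_ISUID:
        reasons.append("set-user-ID bit is not set on %s" % path)
    status = parse_status(status_text)
    if status.get("NoNewPrivs", "0") != "0":
        reasons.append("calling thread has no_new_privs set")
    if "nosuid" in mount_options(path, mounts_text):
        reasons.append("filesystem holding %s is mounted nosuid" % path)
    if status.get("TracerPid", "0") != "0":  # nonzero when run under strace/gdb
        reasons.append("calling process is being ptraced (TracerPid=%s)" % status["TracerPid"])
    return reasons

def diagnose(path):
    """Run the checks against the live system, reading this process's /proc entries."""
    with open("/proc/self/status") as f, open("/proc/self/mounts") as g:
        return setuid_ignored_reasons(path, os.stat(path).st_mode, f.read(), g.read())

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin/sudo"
    print("\n".join(diagnose(target) or ["no blocker found: set-user-ID should be honoured"]))
```

Run it once normally and once under strace (`strace -o /dev/null python3 diag.py`) to see the TracerPid reason appear, which is exactly what makes the traced sudo in the question fail.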
