12

command:

bigxu@bigxu-ThinkPad-T410 ~/work/lean $ sudo ls
content_shell.pak  leanote  libgcrypt.so.11  libnotify.so.4  __MACOSX      resources
icudtl.dat     leanote.png  libnode.so   locales     natives_blob.bin  snapshot_blob.bin

Most of the time it is right, but sometimes it is very slow, so I strace it.

command:

bigxu@bigxu-ThinkPad-T410 ~/work/lean $ strace sudo ls
execve("/usr/bin/sudo", ["sudo", "ls"], [/* 66 vars */]) = 0
brk(0)                                  = 0x7f2b3c423000
fcntl(0, F_GETFD)                       = 0
fcntl(1, F_GETFD)                       = 0
fcntl(2, F_GETFD)                       = 0
......
......
......
write(2, "sudo: effective uid is not 0, is"..., 140sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
) = 140
exit_group(1)                           = ?
+++ exited with 1 +++

other information:

bigxu-ThinkPad-T410 lean # ls /etc/sudoers -alht
-r--r----- 1 root root 745  2月 11  2014 /etc/sudoers
bigxu-ThinkPad-T410 lean # ls /usr/bin/sudo -alht
-rwsr-xr-x 1 root root 152K 12月 14 21:13 /usr/bin/sudo
bigxu-ThinkPad-T410 lean # df `which sudo`
Filesystem     1K-blocks    Used Available Use% Mounted on
/dev/sdb1       67153528 7502092  56217148  12% 
Charles Duffy
Xiu Hong
  • Welcome to stackoverflow. This is a fair question but a bit off-topic for this site because it is more about support for a specific tool (privilege elevation using sudo) than about programming. You may have better luck at serverfault.com or superuser.com. – Paulo Scardine Dec 15 '15 at 01:36
  • @PauloScardine, I think there's an argument to be made for topicality inasmuch as this is about a debugging tool (`strace`, here, but the same thing would happen with `gdb`) modifying the behavior of the program it's intended to observe. – Charles Duffy Dec 15 '15 at 01:50
  • @CharlesDuffy: fair enough, you are absolutely right. – Paulo Scardine Dec 15 '15 at 01:53

2 Answers

12

For security reasons, the setuid bit and ptrace (used to run binaries under a debugger) cannot both be honored at the same time. Failure to enforce this restriction in the past led to CVE-2001-1384.

Consequently, any operating system designed with an eye to security will either stop honoring ptrace on exec of a setuid binary, or fail to honor the setuid bit when ptrace is in use.

On Linux, consider using Sysdig instead -- which, being able to only view but not modify behavior, does not run the same risks.

Charles Duffy
  • Thank you @charles-duffy very much. Could you please expand on your answer a bit by linking to the official documentation or the source code where "the setuid bit is not honored for binaries under ptrace"? – Daniel Le Mar 26 '16 at 02:07
  • @DanielLe, hmm. R'ing TFS for the current (4.5-series) kernel, current codepaths go about it the other way -- honoring setuid but disabling ptrace. [By contrast, on MacOS, disabling setuid when ptrace is in use is explicitly documented in the man page]. Regardless of which direction any given OS goes about it, we have the end effect that gdb can't be effectively used in combination with the setuid bit -- and the risk of bugs like CVE-2001-1384 absent that restriction. – Charles Duffy Mar 26 '16 at 03:58
  • @DanielLe, ...I've modified my answer to make more cautious assertions, less tied to any specific kernel version or operating system's behavior. – Charles Duffy Mar 26 '16 at 04:03
8

How to trace sudo

$ sudo strace -u <username> sudo -k <command>
  1. sudo runs strace as root.
  2. strace runs sudo as <username> passed via the -u option.
  3. sudo drops cached credentials from the previous sudo with -k option (for asking the password again) and runs <command>.

The second sudo is the tracee (the process being traced).

For automatically putting the current user in the place of <username>, use $(id -u -n).

Why sudo does not work with strace

In addition to this answer by Charles, here is what the execve() manual page says:

If the set-user-ID bit is set on the program file referred to by pathname, then the effective user ID of the calling process is changed to that of the owner of the program file. Similarly, when the set-group-ID bit of the program file is set the effective group ID of the calling process is set to the group of the program file.

The aforementioned transformations of the effective IDs are not performed (i.e., the set-user-ID and set-group-ID bits are ignored) if any of the following is true:

  • the no_new_privs attribute is set for the calling thread (see prctl(2));
  • the underlying filesystem is mounted nosuid (the MS_NOSUID flag for mount(2)); or
  • the calling process is being ptraced.

The capabilities of the program file (see capabilities(7)) are also ignored if any of the above are true.

The permissions for tracing a process, inspecting or modifying its memory, are described in the subsection "Ptrace access mode checking" in the NOTES section of the ptrace(2) manual page. I've commented about this in this answer.

psqli