/usr/bin/sudo and setid missing #794

Closed
WolfganP opened this Issue Mar 4, 2017 · 11 comments

WolfganP commented Mar 4, 2017

I just burned the latest img for Raspberry Pi available on the site (it boots as v144) and noticed that on 1st boot sudo fails on "sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set".
The executable is actually owned by root:root, but setid flag is not set (solved via 'chmod 4755 /usr/bin/sudo')
I wonder if it's not a side effect of the recent reworking of the images?
Thx, Wolf

BTW: won't it be possible to include an unprivileged user preconfigured (ie 'pi' as in raspbian but with password 'dietpi' for easier onboarding on people migrating from raspbian). I know about the discussion at http://dietpi.com/phpbb/viewtopic.php?f=9&t=22 but that thread is locked (I support the enhancement BTW).

Fourdee commented Mar 5, 2017

@WolfganP

> The executable is actually owned by root:root, but setid flag is not set (solved via 'chmod 4755 /usr/bin/sudo')
> I wonder if it's not a side effect of the recent reworking of the images?

Strange, seems this isn't the 1st report:
#775 (comment)

We actually use the official RPi Jessie Lite image as a base, then prep it for DietPi. As far as I know, we make no changes to /usr/bin/sudo. So, this must have been default on the RPi lite image we used at the time.

> BTW: won't it be possible to include an unprivileged user preconfigured (ie 'pi' as in raspbian but with password 'dietpi' for easier onboarding on people migrating from raspbian). I know about the discussion at http://dietpi.com/phpbb/viewtopic.php?f=9&t=22 but that thread is locked (I support the enhancement BTW).

I've been thinking of creating a user dietpi and dietpi, replacing the root user, however, it's a big change (code wise) and everything would need testing (all 131 software installations in dietpi-software). Would also require a new image, and us resetting the update system, possibly not something we could patch with certain success.

Fourdee commented Mar 5, 2017

@WolfganP

> (solved via 'chmod 4755 /usr/bin/sudo')

Great stuff 👍 I'll get this patched for v146

@Fourdee Fourdee added this to the v146 milestone Mar 5, 2017

@Fourdee Fourdee added the Bug 🐞 label Mar 5, 2017

Fourdee added a commit that referenced this issue Mar 5, 2017

v146
+ General | RPi: Resolved an issue with sudo not having setuid bit set.
Many thanks to @WolfganP for the fix:
#794

Fourdee commented Mar 5, 2017

Let's apply it to all devices, as Pine seems to be affected also: #775 (comment)

Fourdee added a commit that referenced this issue Mar 5, 2017

v146
+ All sudo setuid: #794

Fourdee commented Mar 5, 2017

Completed.

I'll create another ticket for dietpi user and link it here.

@Fourdee Fourdee closed this Mar 5, 2017


Fourdee commented Mar 5, 2017

Fourdee added a commit that referenced this issue Mar 14, 2017

Merge pull request #807 from Fourdee/testing
v146
(14/03/17)

**New Device:**

RPi Zero W | Now fully supported (including onboard WiFi/BT): #787

**Changes / Improvements / Optimizations:**

General | Wlan: 'disable power save' on boot, is now a service, installed when WiFi is enabled in 'dietpi-config' or via 'dietpi-set_hardware'.

General | DietPi RPi Kernel: Updated to latest.

DietPi-Drive_Manager | Added support for F2FS filesystem: #802

DietPi-Drive_Manager | Transfer RootFS now allows for selection of filesystem types on target partition (eg: f2fs), RPi only: #802

DietPi-Software | If NTPD is used (default on DietPi) for time sync, and, NTPD fails to sync, DietPi-Software will now exit, to prevent further issues with incorrect time during software installations: #786

DietPi-Software | Syncthing-inotify: Installation updated to 0.8.5 (thanks John!)

**Bug fixes:**

General | RPi: Resolved an issue with sudo not having setuid bit set. Many thanks to @WolfganP for the fix: #794

General | NanoPi M3: USB DACs are now functional with our latest kernel update: #763

DietPi-Software | PiHole: Resolved issues with enable/disable adblocking and DHCP server having no effect: #775

DietPi-Software | Gogs: Resolved issues with URL failing connection test due to them being renamed: #793

Fourdee added a commit that referenced this issue Apr 21, 2017

v149
+ Set sudo UID bit again (was missing from finalize):
#794

+ Sudo up login script: #796

FWeissenb commented May 27, 2018

I installed Dietpi V6.8 on odroid XU4 and this bug still exists. :/

I used auto-install to create the system.

```
dietpi@Terminus:~$ ls -la /usr/bin/ | grep sudo
-rwxr-xr-x 1 root root 102612 Mai 4 15:40 sudo
lrwxrwxrwx 1 root root 4 Mai 4 16:14 sudoedit -> sudo
-rwxr-xr-x 1 root root 34588 Mai 4 15:40 sudoreplay
```


Fourdee commented May 27, 2018

@FWeissenb

Thanks for the report 👍

This 'should' be applied to our images by default, however, please try running the following command:

```
chmod 4755 $(which sudo)
# then verify with
ls -lha $(which sudo)
```

Should result in:

```
root@DietPi:~# ls -lha $(which sudo)
-rwsr-xr-x 1 root root 134K Jun  5  2017 /usr/bin/sudo
```

If this resolves, we'll run this as a patch for v6.9.
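
As an added example (not part of the comment above and not DietPi's own code), the check below tests the two conditions named in sudo's error message, owner uid 0 and the setuid bit, against a given filesystem root, so it can run on a live system or as a finalize step on a mounted image. The function name, its return codes and the `OWNER_UID` parameter are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not DietPi code. Checks the two conditions from sudo's error:
# "/usr/bin/sudo must be owned by uid 0 and have the setuid bit set".
#
# check_sudo_perms ROOT [OWNER_UID]   (hypothetical helper)
#   ROOT       filesystem root to inspect: "/" or a mounted image (assumption)
#   OWNER_UID  expected owner, default 0; a parameter only so the check can be
#              exercised on scratch files without root
# Return codes: 0 ok, 1 wrong owner, 2 setuid bit missing, 3 not a regular file
check_sudo_perms() {
    root=${1:-/}
    want_uid=${2:-0}
    bin="${root%/}/usr/bin/sudo"

    # sudoedit is a symlink to sudo; sudo itself must be a real file.
    if [ -L "$bin" ] || [ ! -f "$bin" ]; then
        echo "FAIL: $bin is not a regular file" >&2
        return 3
    fi

    # ls -ldn prints numeric owner ids, e.g. "-rwxr-xr-x 1 0 0 ... sudo".
    listing=$(ls -ldn "$bin")
    perms=$(printf '%s\n' "$listing" | awk '{print $1}')
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')

    if [ "$owner" != "$want_uid" ]; then
        echo "FAIL: $bin owned by uid $owner, expected $want_uid" >&2
        return 1
    fi
    # test -u is true only when the setuid bit is set (-rwsr-xr-x, mode 4755).
    if [ ! -u "$bin" ]; then
        echo "FAIL: $bin is $perms, setuid bit missing (want -rwsr-xr-x)" >&2
        return 2
    fi
    echo "OK: $bin uid=$owner perms=$perms"
    return 0
}

# Example calls: check_sudo_perms /        (running system)
#                check_sudo_perms /mnt/img (mounted image root; path assumed)
```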

Fourdee pushed a commit that referenced this issue May 27, 2018

Daniel (Fourdee)
v6.9
+DietPi-Software | OctoPrint: libjpeg-dev now installed by default, this is required for additional plugin installations (eg: Astroprintcloud Plugin): #1800

+General | UID bit reapplied for Sudo. Reported not applied on current XU4 image: #794 (comment)

+ PlexPy renamed to Tautulli

FWeissenb commented Jun 4, 2018

Hi Fourdee,

Sorry for late response. It doesn't work. I get a "not allowed"

```
dietpi@Terminus:~$ sudo dietpi-update
sudo: /usr/bin/sudo muss dem Benutzer mit UID 0 gehören und das »setuid«-Bit gesetzt haben

dietpi@Terminus:~$ chmod 4755 $(which sudo)
chmod: Beim Setzen der Zugriffsrechte für '/usr/bin/sudo': Die Operation ist nicht erlaubt

dietpi@Terminus:~$ ls -lha $(which sudo)
-rwxr-xr-x 1 root root 101K Mai 4 15:40 /usr/bin/sudo

dietpi@Terminus:~$ sudo dietpi-software
sudo: /usr/bin/sudo muss dem Benutzer mit UID 0 gehören und das »setuid«-Bit gesetzt haben
```


WolfganP commented Jun 4, 2018

Make sure user dietpi is listed as sudoer

```
$ cat /etc/sudoers
```


Fourdee commented Jun 4, 2018

@WolfganP @FWeissenb

Sudoer should exist here:

```
root@DietPi:~# cat /etc/sudoers.d/dietpi
dietpi ALL=NOPASSWD: ALL
```

@FWeissenb
Try running the command as root login:

```
sudo su
chmod 4755 $(which sudo)
exit
```

FWeissenb commented Jun 4, 2018

I can't login as root :/

If I try, it asks for a password. And if I try "dietpi" it doesn't work.
I think there is something very broken.
I will try to reflash my SD tomorrow.

@Fourdee Fourdee referenced this issue Jun 7, 2018

Merged

v6.9 #1828

Fourdee added a commit that referenced this issue Jun 7, 2018

Merge pull request #1828 from Fourdee/testing
**v6.9**
(07/06/18)

**Changes / Improvements / Optimizations:**

General | During first run of DietPi (and during this patch), you will now be given the option to change the global password for 'root' + 'dietpi' accounts, and all future software to be installed that requires a password: #1782

General | Increased verbosity and logging of DietPi boot scripts to assist with debugging: #1772

General | G_ERROR_HANDLER: Retry mechanic added, allows you to re-run and retry the last command when an error occurs. Also included option to send DietPi a bug report when an issue occurs.

General | NTP removed from DietPi-Config time sync options and DietPi core packages. All time sync modes are now offered via systemd-timesyncd, which is part of every Debian based core system: #1628

General | DietPi-Set_Core_Environment was removed. DietPi service and system config files are now updated automatically via new update system, other environment setup steps are moved into DietPi-PREP: #1749

DietPi-BugReport | Has been revised and improved to remove end user security concerns.

DietPi-Drive_Manager | Swapfile: Added ability to move the swapfile and set size. This replaces the previous option in DietPi-Config.

DietPi-Process_Tool | NoMachine + Webmin: Processes can now be controlled.

DietPi-Services | Webmin: Added and now controlled.

DietPi-Software | Fail2Ban: Install now uses the systemD backend. No longer requires Rsyslog pre-req. For new installations only.

DietPi-Software | Search: Feature now available. Find the software you require for install, faster! https://twitter.com/DietPi_/status/1000858660682305536

DietPi-Software | InfluxDB and Grafana now available for installation. Many thanks to @marcobrianza for the install code and documentation guides: #1784

DietPi-Software | LXDE: Resolved missing icons with 'pcmanfm' under RPi devices: #1558 (comment)

DietPi-Software | Webmin: Resolved failed installation due to missing package pre-reqs. Upgraded to use a systemD service: #1741

DietPi-Software | Removed npm root access error during installs: #1340 (comment)

DietPi-Software | OpenJDK/JRE now installs Java version 8 across all DietPi system. This is for stability across all programs that require it: #1340 (comment)

DietPi-Software | Updated several non-APT software titles for fresh installs and reinstalls: #1774

DietPi-Software | Transmission: General clean up of install config file. G_CONFIG_INJECT is now used to replace/add our optimized entries. Also cleaned up the service, now runs as forking: #1754

DietPi-Software | sabnzbd: Updated to latest version 2.3.4 (for new installations only): #1340

DietPi-Software | CAVA: Updated to latest version 0.6.1. Enabled for x86_64: #1340

DietPi-Software | OctoPrint: libjpeg-dev now installed by default, this is required for additional plugin installations (eg: Astroprintcloud Plugin): #1800

DietPi-Software | Xserver: DPMS and all known screen blanking/saving is now disabled by default. To re-enable this feature, remove the following file '/etc/X11/xorg.conf.d/99-dietpi-dpms_off.conf': #1823

DietPi-Survey | Has been revised and improved to remove end user security concerns.

DietPi-Update | Implemented an automated update system for DietPi files, placed outside of /DietPi, e.g. system configurations and service files. This allows significant reduction of script code and assures consistency across all systems: #1802

**Bug Fixes:**

General | Login and globals moved to /etc/bashrc.d/*, due to issues with remote shell and desktop terms under /etc/profile.d/99-dietpi-login.sh: #1777 (comment)

General | Completely removed root permission requirements from login scripts and banner. Also users without sudo permissions will see the login banner and will be able to use dietpi-* and G_* functions: #1790

General | Sparky SBC + USB-DAC unmute fix (v2), now sets volume to max: #1779

General | UID bit reapplied for Sudo. Reported not applied on current XU4 image: #794 (comment)

DietPi-Config | WiFi HotSpot: Resolved inability to toggle state (enable/disable) and change channel: #1810 (comment)

DietPi-Drive_Manager | Format: Resolved an issue where formatting any drive, would reset the swapfile back to auto size and default location: https://dietpi.com/phpbb/viewtopic.php?f=11&t=3851&p=12864#p12864

DietPi-set_dphys-swapfile | Resolved issues with fallocate on vfat partitions which caused a failure.

DietPi-Software | SickRage: SystemD service updated to prevent timeouts, allowing the process to fully init. Experienced by some users installs: #1762

DietPi-Software | AirSonic: Resolved issues with incorrect memory limit being set during installation: #1764

DietPi-Software | AirSonic/SubSonic: Resolved 503 error when accessing web interface: #1764

DietPi-Software | CloudPrint: Resolved an issue where the CUPS web interface would fail to connect: #1797

DietPi-Software | VNC + LXDE: Resolved error message 'no session for PID x'.: