Filesystem permission error: sudo not working

[NewbieOrange]

The latest version (11.14 buster) seems to break some files permission, not sure if this is from upstream (armbian).

Older version works fine (11.06 buster).

sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set

[ophub]

What box and which firmware is installed? What is the specific performance? Take a screenshot and give feedback about the error.

[NewbieOrange]

Using a t95z plus box with S912 3/32, installed Armbian_21.11.0_Aml_s912_buster_5.10.79_2021.11.14.0059.img.gz.

Can be reproduced by simply typing sudo as a non-root user. The issue was not in the build from a week ago.

The issue can be mitigated by chmod 4755 /usr/lib/sudo/sudoers.so but there are other permission issues (systemctl exited with error instead of asking for password to run as root)

The error was the exact line about sudo must be owned by uid 0, no other error messages.

Note: armbian is on sd card, not installed to emmc.

[ophub]

cat /boot/uEnv.txt

cat /etc/armbian-aml-release

Check it out and send it to me, the first time I saw this box.

[NewbieOrange]

chengzi@armbian:~$ cat /boot/uEnv.txt
LINUX=/zImage
INITRD=/uInitrd
FDT=/dtb/amlogic/meson-gxm-octopus-planet.dtb
APPEND=root=LABEL=ROOTFS rootflags=data=writeback rw console=ttyAML0,115200n8 console=tty0 no_console_suspend consoleblank=0 fsck.fix=yes fsck.repair=yes net.ifnames=0 cgroup_enable=cpuset cgroup_memory=1 cgroup_enable=memory swapaccount=1
chengzi@armbian:~$ cat /etc/armbian-aml-release 
FDTFILE='meson-gxm-octopus-planet.dtb'
U_BOOT_EXT='1'
UBOOT_OVERLOAD='u-boot-zyxq.bin'
MAINLINE_UBOOT=''
ANDROID_UBOOT=''
KERNEL_VERSION=''
SOC='s912'
K510='1'

Note that I am using the s905-s912 uboot as uboot.ext (the default zyxq.bin cannot boot from sd card on this device), and it reads config from /boot/extlinux. The extlinux config has been modified to load the custom meson-gxm-t95z-plus.dtb.

Also I have reverted back armbian/build repo to commit from a week ago, and the issue still presents.

[ophub]

Run under root user:

chown root:root /usr/bin/sudo
chmod 4755 /usr/bin/sudo
chown 0 /usr/lib/sudo/sudoers.so
chmod 644 /usr/lib/sudo/sudoers.so

Try if it can solve the problem.

[ophub]

Example to create a new user abc:

groupadd abc
useradd -m abc -g abc -s /bin/bash -d /home/abc
passwd abc

vim /etc/sudoers

# User privilege specification
root ALL=(ALL) ALL
abc ALL=(ALL) ALL

[ophub]

Can you share your /boot/extlinux, meson-gxm-t95z-plus.dtb, s905-s912 uboot, and other modified files?

[NewbieOrange]

Run under root user:

chown root:root /usr/bin/sudo
chmod 4755 /usr/bin/sudo
chown 0 /usr/lib/sudo/sudoers.so
chmod 644 /usr/lib/sudo/sudoers.so

Try if it can solve the problem.

This indeed fixed sudo, however there seem to be a wider issue (systemctl not working without root or sudo, for example).

I compiled older commits and still no good, not sure what went wrong.

/boot/extlinux/extlinux.conf

LABEL Armbian
LINUX /zImage
INITRD /uInitrd
# aml s9xxx
FDT /dtb/amlogic/meson-gxm-t95z-plus.dtb
APPEND root=LABEL=ROOTFS rootflags=data=writeback rw console=ttyAML0,115200n8 console=tty0 no_console_suspend consoleblank=0 fsck.fix=yes fsck.repair=yes net.ifnames=0

The uboot is copied from the compiled image (u-boot-s905x-s912.bin).

Here is the custom dtb. USB port 1 is set to otg and not tested, other seems to be working fine (WiFi/1Gbe/etc.)
meson-gxm-t95z-plus.zip

[NewbieOrange]

There are multiple varients of t95z plus with different 1Gbe nic and wireless card, so this dtb file will not work for all devices.

[NewbieOrange]

I am still trying to figure out what has changed between today's image and a few days ago's. Even after I cloned the older commit (both this repo and armbian/build) the output image still cannot sudo properly, very confusing.

Also systemctl is not working as expected (after using chown and chmod to fix sudo),

chengzi@armbian:~$ systemctl enable armbian-resize-filesystem.service 
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-unit-files ===
Authentication is required to manage system service or unit files.
Authenticating as: chengzi,,, (chengzi)
polkit-agent-helper-1: needs to be setuid root
Error: Incorrect permissions on /usr/libexec/polkit-agent-helper-1 (needs to be setuid root)
==== AUTHENTICATION FAILED ===

Seems the filesystem permission is kinda broken to me.

[ophub]

According to user feedback from tx3mini, u-boot-s905x-s912.bin can be used to read /boot/uEnx.txt to start. Have you tested the boot file u-boot-p212.bin?

[ophub]

My packaging just changed the official img file of 1 partition into 2 partitions.
The changed file is /boot. And /usr/lib/modules these two directories.
The other files are basically official source files.

[ophub]

For non-root users, to use system services, you can add sudo

[NewbieOrange]

For non-root users, to use system services, you can add sudo

Yes, but systemctl should prompt for password without sudo if polkit-agent-helper-1 have setuid root.

[NewbieOrange]

According to user feedback from tx3mini, u-boot-s905x-s912.bin can be used to read /boot/uEnx.txt to start. Have you tested the boot file u-boot-p212.bin?

Without /boot/extlinux the bootloader tried to load stuff from eth and failed. u-boot-p212.bin is not booting.

[NewbieOrange]

I pulled 6593d77, which fixed sudo for me. systemctl need chmod 4755 /usr/libexec/polkit-agent-helper-1.

Still not sure why this is happening, and if there are any more permission fix needed.

[ophub]

Add your user to the root group: usermod -g root abc

[NewbieOrange]

Add your user to the root group: usermod -g root abc

This does not sound very safe to me. After fixing /usr/libexec/polkit-agent-helper-1 file permission, systemctl works without being root if you are sudoer.

[ophub]

This permission modification is safe. already added.

[NewbieOrange]

This permission modification is safe. already added.

Fixed all issues I have encountered so far! Thanks

[ophub]

@NewbieOrange

According to your introduction and shared dtb, I added support for s912-t95z-plus separately in the armbian default compilation e390b65. Please confirm whether the following is correct.

If so, please confirm whether it is used in openwrt and whether such modification is also required?

[NewbieOrange]

LGTM. The t95z image is working flawlessly.

I don't use this box for openwrt, but I would guess the modification is required for openwrt too.

[ophub]

You are the first friend to use this device. If you are free, I hope to help me test whether the current OpenWrt of s912 can be started in the usb on your device.

If it can't start, you can try to modify the boot file of OpenWrt according to the modification method of armbian, and test whether it can be booted in usb.

[NewbieOrange]

This seems have been broken again, and even more errors about sudo permissions.

[NewbieOrange]

This seems have been broken again, and even more errors about sudo permissions.

Nevermind, I downloaded the wrong file.

[ophub]

@NewbieOrange
Hello, do you have the dts source code of the file meson-gxm-t95z-plus.dtb?

[NewbieOrange]

@ophub No, but it is modified based on decompiled source from meson-gxm-octopus-planet.dtb. Decompile both and compare will show the changes I made.

[392377870]

@ophub不，但它是根据 meson-gxm-octopus-planet.dtb 的反编译源修改的。反编译两者并比较将显示我所做的更改。

大神的能写入emmc吗？我用了你的dtb网卡无线都正常，就是无法写入emmc我的是t95z max型号

[NewbieOrange]

@392377870 没试过emmc

[392377870]

@392377870 没试过emmc

从安卓中提取的dts有办法适配到armbian中不？