ctacke
Posts: 6
Joined: Wed Oct 14, 2020 10:05 pm

sudo after network boot

Wed Oct 21, 2020 6:33 pm

So I've successfully network booted my Pi device. I now would like to perform actions on the device that require `sudo`, but I'm getting the following error:

`sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set`

I assume it's because the network user is different than the user on the server that actually owns the OS files, but I've not been able to figure out the black magic that will allow this to work.

fbe
Posts: 648
Joined: Thu Aug 17, 2017 9:08 pm

Re: sudo after network boot

Wed Oct 21, 2020 7:03 pm

please post the output of:

Code:

ls -l /usr/bin/sudo
findmnt

trejan
Posts: 2949
Joined: Tue Jul 02, 2019 2:28 pm

Re: sudo after network boot

Wed Oct 21, 2020 7:10 pm

Did you set no_root_squash and no_all_squash for the mount options?

ctacke
Posts: 6
Joined: Wed Oct 14, 2020 10:05 pm

Re: sudo after network boot

Wed Oct 21, 2020 9:07 pm

fbe wrote:
Wed Oct 21, 2020 7:03 pm
please post the output of:

Code:

ls -l /usr/bin/sudo
findmnt

Code:

pi@raspberrypi:~ $ sudo ls
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
pi@raspberrypi:~ $ ls -l /usr/bin/sudo
-rwxr-xr-x 1 root root 147560 Oct 21  2020 /usr/bin/sudo
pi@raspberrypi:~ $ findmnt
TARGET                           SOURCE     FSTYPE     OPTIONS
/                                10.3.1.100:/opt/nfs/pi4
│                                           nfs4       rw,relatime,vers=4.1,rsize=4096,wsize=4096,namlen=255,hard,proto=
├─/sys                           sysfs      sysfs      rw,nosuid,nodev,noexec,relatime
│ ├─/sys/kernel/security         securityfs securityfs rw,nosuid,nodev,noexec,relatime
│ ├─/sys/fs/cgroup               tmpfs      tmpfs      ro,nosuid,nodev,noexec,mode=755
│ │ ├─/sys/fs/cgroup/unified     cgroup2    cgroup2    rw,nosuid,nodev,noexec,relatime,nsdelegate
│ │ ├─/sys/fs/cgroup/systemd     cgroup     cgroup     rw,nosuid,nodev,noexec,relatime,xattr,name=systemd
│ │ ├─/sys/fs/cgroup/memory      cgroup     cgroup     rw,nosuid,nodev,noexec,relatime,memory
│ │ ├─/sys/fs/cgroup/freezer     cgroup     cgroup     rw,nosuid,nodev,noexec,relatime,freezer
│ │ ├─/sys/fs/cgroup/cpu,cpuacct cgroup     cgroup     rw,nosuid,nodev,noexec,relatime,cpu,cpuacct
│ │ ├─/sys/fs/cgroup/pids        cgroup     cgroup     rw,nosuid,nodev,noexec,relatime,pids
│ │ ├─/sys/fs/cgroup/net_cls     cgroup     cgroup     rw,nosuid,nodev,noexec,relatime,net_cls
│ │ ├─/sys/fs/cgroup/devices     cgroup     cgroup     rw,nosuid,nodev,noexec,relatime,devices
│ │ ├─/sys/fs/cgroup/blkio       cgroup     cgroup     rw,nosuid,nodev,noexec,relatime,blkio
│ │ └─/sys/fs/cgroup/cpuset      cgroup     cgroup     rw,nosuid,nodev,noexec,relatime,cpuset
│ ├─/sys/fs/bpf                  bpf        bpf        rw,nosuid,nodev,noexec,relatime,mode=700
│ ├─/sys/kernel/debug            debugfs    debugfs    rw,relatime
│ └─/sys/kernel/config           configfs   configfs   rw,relatime
├─/proc                          proc       proc       rw,relatime
│ └─/proc/sys/fs/binfmt_misc     systemd-1  autofs     rw,relatime,fd=39,pgrp=1,timeout=0,minproto=5,maxproto=5,direct
├─/dev                           devtmpfs   devtmpfs   rw,relatime,size=1867780k,nr_inodes=117763,mode=755
│ ├─/dev/shm                     tmpfs      tmpfs      rw,nosuid,nodev
│ ├─/dev/pts                     devpts     devpts     rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000
│ └─/dev/mqueue                  mqueue     mqueue     rw,relatime
├─/run                           tmpfs      tmpfs      rw,nosuid,nodev,mode=755
│ ├─/run/lock                    tmpfs      tmpfs      rw,nosuid,nodev,noexec,relatime,size=5120k
│ ├─/run/rpc_pipefs              sunrpc     rpc_pipefs rw,relatime
│ ├─/run/user/1000               tmpfs      tmpfs      rw,nosuid,nodev,relatime,size=399972k,mode=700,uid=1000,gid=1000
│ └─/run/user/109                tmpfs      tmpfs      rw,nosuid,nodev,relatime,size=399972k,mode=700,uid=109,gid=114
└─/boot                          10.3.1.100:/opt/nfs/pi4/boot
                                            nfs4       rw,relatime,vers=4.1,rsize=131072,wsize=131072,namlen=255,hard,pr
pi@raspberrypi:~ $

ctacke
Posts: 6
Joined: Wed Oct 14, 2020 10:05 pm

Re: sudo after network boot

Wed Oct 21, 2020 9:07 pm

trejan wrote:
Wed Oct 21, 2020 7:10 pm
Did you set no_root_squash and no_all_squash for the mount options?
Yes, I did.

Code:

pi@pxe-server:/opt $ cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/opt/nfs/pi4 *(rw,sync,no_subtree_check,no_root_squash,no_all_squash)
/opt/tftp/pi4 *(rw,sync,no_subtree_check,no_root_squash,no_all_squash)
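
The export list above beside a tightened form, as an added example that is not part of the original post. `*` admits any host that can reach 10.3.1.100, and with `no_root_squash` such a host can write setuid-root binaries straight into the tree the Pi boots from; without `sec=krb5` the server trusts whatever uid the client claims (AUTH_SYS), so the client list is the only access control there is. The client address 10.3.1.50 is an assumption, not a value from the thread.

```text
# /etc/exports as posted: any host may mount the Pi's root read-write as
# unsquashed root.
/opt/nfs/pi4  *(rw,sync,no_subtree_check,no_root_squash,no_all_squash)
/opt/tftp/pi4 *(rw,sync,no_subtree_check,no_root_squash,no_all_squash)

# Tightened: only the Pi (10.3.1.50, assumed address) may mount.
# no_root_squash stays because the Pi's root must be able to write
# root-owned files; no_all_squash is the default and adds nothing.
/opt/nfs/pi4  10.3.1.50(rw,sync,no_subtree_check,no_root_squash)
/opt/tftp/pi4 10.3.1.50(rw,sync,no_subtree_check,no_root_squash)
```

Apply with `exportfs -ra` and confirm with `exportfs -v`; the client list can also name a subnet (`10.3.1.0/24`) when more than one Pi boots from the server.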

trejan
Posts: 2949
Joined: Tue Jul 02, 2019 2:28 pm

Re: sudo after network boot

Wed Oct 21, 2020 9:19 pm

You've lost the suid bit on sudo. Is it there on the server?

ctacke
Posts: 6
Joined: Wed Oct 14, 2020 10:05 pm

Re: sudo after network boot

Wed Oct 21, 2020 9:32 pm

trejan wrote:
Wed Oct 21, 2020 9:19 pm
You've lost the suid bit on sudo. Is it there on the server?
Yes. I can sudo just fine on the server.

fbe
Posts: 648
Joined: Thu Aug 17, 2017 9:08 pm

Re: sudo after network boot

Wed Oct 21, 2020 9:39 pm

Please post the output of:

Code:

ls -l /opt/nfs/pi4/usr/bin/sudo
on your server.

ctacke
Posts: 6
Joined: Wed Oct 14, 2020 10:05 pm

Re: sudo after network boot

Wed Oct 21, 2020 9:44 pm

I just ran this on the server and it *may* have fixed things:

Code:

$ sudo chmod +s /opt/nfs/pi4/usr/bin/sudo
If it did, it concerns me in two ways:
1) why did that bit get removed?
2) Where else did it get removed?

trejan
Posts: 2949
Joined: Tue Jul 02, 2019 2:28 pm

Re: sudo after network boot

Wed Oct 21, 2020 9:56 pm

ctacke wrote:
Wed Oct 21, 2020 9:44 pm
I just ran this on the server and it *may* have fixed things:

Code:

$ sudo chmod +s /opt/nfs/pi4/usr/bin/sudo
This is what I was asking above. Does the sudo that you're exporting have the suid bit? I assume no if this fixed it.
ctacke wrote:
Wed Oct 21, 2020 9:44 pm
If it did, it concerns me in two ways:
1) why did that bit get removed?
2) Where else did it get removed?
You probably lost it when you created the exported tree. How did you create/copy it? If you just did cp --recursive without --preserve then it won't have copied the SUID bit.
ctacke wrote:
Wed Oct 21, 2020 9:44 pm
2) Where else did it get removed?
Run "sudo find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;" on the source image and you'll find everything with SUID/SGID set.

You've probably broken ping as well as it won't have cap_net_raw.
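
An added example, not code from this thread: it reproduces the lost set-id bit that broke `sudo` above by copying a constructed miniature root image with and without `-p`, and wraps the `find` predicate trejan gave into an audit that compares the exported tree against its source so the other dropped bits (and ping's `cap_net_raw`) are listed rather than found one at a time. It assumes POSIX sh, `find` and `cp`; `getcap` from libcap is optional. The directory names and stand-in scripts are constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from this thread): reproduce the lost set-id bit that
# broke sudo above, and audit an exported root tree against its source image.
# Assumed tools: POSIX sh, find, cp; getcap from libcap is optional.
set -u

# is_setid FILE: true when FILE carries the setuid or setgid bit.
# POSIX test(1) has -u (setuid) and -g (setgid) for exactly this.
is_setid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# audit_setid SRC DST: for every setuid/setgid regular file under SRC (the same
# find predicate trejan gave), report it if the copy under DST lost the bit or
# does not exist. No output means nothing was lost.
audit_setid() {
    src=$1; dst=$2
    find "$src" -type f \( -perm -4000 -o -perm -2000 \) | while IFS= read -r f; do
        rel=${f#"$src"/}
        is_setid "$dst/$rel" || printf 'set-id bit lost: %s\n' "$rel"
    done
}

# audit_caps SRC DST: the same check for file capabilities (ping's cap_net_raw),
# which live in the security.capability xattr and are dropped just as easily.
# Best effort: does nothing when getcap is not installed.
audit_caps() {
    src=$1; dst=$2
    command -v getcap >/dev/null 2>&1 || return 0
    # getcap -r prints "path = caps" (older libcap) or "path caps" (newer); the
    # path is the first field either way for the space-free paths used here.
    getcap -r "$src" 2>/dev/null | while IFS= read -r line; do
        rel=${line%% *}; rel=${rel#"$src"/}
        [ -n "$(getcap "$dst/$rel" 2>/dev/null)" ] || printf 'capability lost: %s\n' "$rel"
    done
}

# setup_demo: build a constructed miniature root image (shell scripts standing
# in for /usr/bin/sudo and /bin/ping) and copy it three ways. Sets DEMO, SRC,
# DST_PLAIN, DST_PRESERVED and DST_STRIPPED. Setting setuid on a file you own
# needs no root, so this runs unprivileged.
setup_demo() {
    DEMO=$(mktemp -d)
    SRC=$DEMO/src
    mkdir -p "$SRC/usr/bin" "$SRC/bin"
    printf '#!/bin/sh\necho fake sudo\n' > "$SRC/usr/bin/sudo"
    printf '#!/bin/sh\necho fake ping\n' > "$SRC/bin/ping"
    chmod 4755 "$SRC/usr/bin/sudo"          # -rwsr-xr-x, as on a real image
    chmod 0755 "$SRC/bin/ping"
    DST_PLAIN=$DEMO/plain
    DST_PRESERVED=$DEMO/preserved
    DST_STRIPPED=$DEMO/stripped
    cp -R  "$SRC" "$DST_PLAIN"        # cp --recursive without --preserve
    cp -Rp "$SRC" "$DST_PRESERVED"    # -p (or -a) keeps the mode bits
    cp -Rp "$SRC" "$DST_STRIPPED"
    chmod -R u-s,g-s "$DST_STRIPPED"  # simulate a tool that cleared the bits
}

# run_demo: show ls -l and the audit for each copy, then clean up.
run_demo() {
    setup_demo
    for d in "$DST_PLAIN" "$DST_PRESERVED" "$DST_STRIPPED"; do
        printf '== %s ==\n' "${d#"$DEMO"/}"
        ls -l "$d/usr/bin/sudo"
        audit_setid "$SRC" "$d"
        audit_caps "$SRC" "$d"
    done
    rm -rf "$DEMO"
}

run_demo
```

Run `audit_setid /path/to/source/image /opt/nfs/pi4` on the server to get the full list instead of fixing `sudo` alone; `audit_caps` needs the source mounted with xattrs readable. When re-copying, `cp -a` or `rsync -aX` keeps both the mode bits and the capability xattr (plain `rsync -a` drops xattrs). The `findmnt` output earlier shows `/` mounted without `nosuid`, so once the bit is present on the server's copy the client honours it.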

dickon
Posts: 1804
Joined: Sun Dec 09, 2012 3:54 pm
Location: Home, just outside Reading

Re: sudo after network boot

Wed Oct 21, 2020 11:09 pm

Are you running some security software on the server that's keeping an eye out for suid binaries that aren't where it's expecting to find them?
