On 11.05.2017 12:33, Carsten Haitzler (The Rasterman) wrote:
> On Wed, 10 May 2017 09:48:19 +0200 PaulTT <[email protected]> said:
>
>> i just posted a message about this... (sorry, i've seen now this thread)
>>
>> as i said there, there's also a problem with unlocking (so, pam related, i
>> assume ?)
>> via console su and sudo worked like a charm (i've got error messages about
>> cpufreq and backlight too)
>
> pam would be executing a setuid root binary to do the password check... so
> it's the same issue. something has decided that e and app processes below it
> in the process tree "can't run setuid (root) binaries" and has disabled that
> feature. that feature seems to only kick in with 4.11 kernel. it certainly is
> not e doing this. it has relied on this working for many years. it's
> something new security-wise that is being enabled by a new kernel.
>
> maybe some parent process is using setpriv? CAP_SETUID disabled? man
> capabilities ... for info ... maybe run captest ?
>
> 12:20PM ~ > captest
> User credentials uid:1000 euid:1000 suid:1000
> Group credentials gid:1000 egid:1000 sgid:1000
> Current capabilities: none
> securebits flags: none
> Attempting direct access to shadow...FAILED (Permission denied)
> Attempting to access shadow by child process...FAILED
> Child User credentials uid:1000 euid:1000 suid:1000
> Child Group credentials gid:1000 egid:1000 sgid:1000
> Child capabilities: none
> Child securebits flags: none
>
> is what i get. which is normal.

I get the same as you on my system here:

florian@washu:~ # uname -a
Linux washu 4.11.0 #2 SMP PREEMPT Tue May 2 12:12:51 JST 2017 i686 GNU/Linux
florian@washu:~ # captest
User credentials uid:500 euid:500 suid:500
Group credentials gid:100 egid:100 sgid:100
Current capabilities: none
securebits flags: none
Attempting direct access to shadow...FAILED (Permission denied)
Attempting to access shadow by child process...FAILED
Child User credentials uid:500 euid:500 suid:500
Child Group credentials gid:100 egid:100 sgid:100
Child capabilities: none
Child securebits flags: none

Cheers,
Florian

>> could the problem be related to some new sh**y systemd operation????
>> i saw that also using wayland, i couldn't access halt/reboot/suspend menu
>> items too (this happens to me also with previous kernels)
>
> works for me with enlightenment + wl + arch (+systemd)... i can do all the
> power off etc. stuff...
>
>> On Thu, May 4, 2017 at 6:19 AM, Carsten Haitzler <[email protected]>
>> wrote:
>>
>>> On Thu, 04 May 2017 11:09:13 +0900 <[email protected]> said:
>>>
>>>> Hi,
>>>>
>>>> Carsten Haitzler (The Rasterman) <[email protected]> wrote:
>>>>
>>>>> On Wed, 3 May 2017 12:09:21 +0900 Florian Schaefer <[email protected]>
>>>>> said:
>>>>
>>>>>> Hi!
>>>>>>
>>>>>> On 03.05.2017 10:04, Carsten Haitzler (The Rasterman) wrote:
>>>>>>> On Tue, 02 May 2017 21:16:40 +0900 [email protected] said:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I got the source of kernel 4.11, then compiled, and check the
>>>>>>>> behaviour of enlightenment (efl 1.18.1, enlightenment 0.21.7).
>>>>>>>>
>>>>>>>> At the start up of enlightenment, I got an error message;
>>>>>>>>
>>>>>>>> There was an error trying to set the cpu power state setting via the
>>>>>>>> module's setfreq utility.
>>>>>>>>
>>>>>>>> On the kernel 4.10.x, I never see such a message.
>>>>>>>>
>>>>>>>> And, I tried to use su and sudo command in the terminal, I got a
>>>>>>>> strange message;
>>>>>>>>
>>>>>>>> fulwood@linux-uw5l:~> sudo
>>>>>>>> sudo: effective uid is not 0, is sudo installed setuid root
>>>>>>>>
>>>>>>>> fulwood@linux-uw5l:~> su
>>>>>>>> Password:
>>>>>>>> su: incorrect password
>>>>>>>>
>>>>>>>> This means, there is a problem concerning uid treatment in the
>>>>>>>> enlightenment, doesn't it.
>>>>>>>>
>>>>>>>> Moreover, VirtualBox indicate the problem of enlightenment directly;
>>>>>>>>
>>>>>>>> fulwood@linux-uw51:~> VirtualBox
>>>>>>>>
>>>>>>>> VirtualBox: Error -10 in SUPRHardenedMain!
>>>>>>>> VirtualBox: Effective UID is not root (euid=1000, egid=100, uid=1000,
>>>>>>>> gid=100)
>>>>>>>> VirtualBox: Tip! It may help to reintall VirtualBox.
>>>>>>>>
>>>>>>>> Why does uid=1000?
>>>>>>>
>>>>>>> that's a common uid to start with for users added to a system - first
>>>>>>> user added commonly is uid 1000... that's probably ... you.
>>>>>>>
>>>>>>>> So, we can't use enlightenment on the kernel 4.11.
>>>>>>>
>>>>>>> from the above it seems like since you compiled your own kernel it
>>>>>>> seemingly has disabled setuid root binaries. i assume this is some new
>>>>>>> feature of kernels since 4.11 that has been turned on. i suggest you
>>>>>>> turn it off to allow them again. your kernel broke far more than
>>>>>>> enlightenment. it broke sudo. probably even broke su. it broke
>>>>>>> virtualbox... it broke stuff. what that option is - i don't know. this
>>>>>>> is news to me.
>>>>>>
>>>>>> Just for the record I'd like to add that I observe the same behavior.
>>>>>>
>>>>>> Since switching from 4.9 to 4.11 yesterday I cannot do suid requiring
>>>>>> operations (like su or mount.cifs) from within E (using terminology or
>>>>>> xterm) any more. Interestingly, if I am right at the console (so no Xorg
>>>>>> and e in-between) all those commands work like a charm.
>>>>>>
>>>>>> I could not find any setuid related option in the kernel configuration
>>>>>> so I cannot really imagine where it is misconfigured.
>>>>
>>>>> it'll likely be some security option that ends up doing this for child
>>>>> processes ... whatever/however it is... but it's certainly a change in the
>>>>> kernel and "security options" of some sort.
>>>>
>>>> But, why the kernel's change has an impact on enlightenment only?
>>>> On e16 and kde-plasma, no impact.
>>>
>>> neither controls cpu frequency/governor or don't use setuid root binaries
>>> or they come from packages with specific selinux rules to allow setuid root
>>> binaries... or something. but it's a kernel change that creates the issue.
>>> what - i don't know. ask your friendly neighbourhood kernel developer. the
>>> setuid root binaries are specifically erroring out unable to assume root
>>> privs where they could before.
>>>
>>>
>>> --
>>> ------------- Codito, ergo sum - "I code, therefore I am" --------------
>>> The Rasterman (Carsten Haitzler) [email protected]
>>>
>>> ------------------------------------------------------------------------------
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>> _______________________________________________
>>> enlightenment-devel mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/enlightenment-devel
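
Added example, not part of the original e-mail or of Enlightenment's code: the thread asks whether some parent process (setpriv, a dropped CAP_SETUID) keeps setuid-root binaries from gaining root below it, and captest only reports the current process. This Python sketch walks the process tree through /proc/<pid>/status and flags the two per-process conditions execve(2) documents for ignoring setuid bits (no_new_privs, being ptraced) plus a bounding set without CAP_SETUID/CAP_SETGID. The function names and the sample status text are constructed here; the NoNewPrivs field needs Linux 4.10 or later.

```python
"""Report, for a process and each ancestor, the /proc status fields that
decide whether a setuid-root exec below it can still gain privileges."""
import os

CAP_SETGID, CAP_SETUID = 6, 7  # bit numbers from linux/capability.h

def parse_status(text):
    """Turn the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def setuid_blockers(fields):
    """Return the reasons a setuid-root exec from this process is restricted."""
    reasons = []
    # execve(2): setuid/setgid bits are ignored when no_new_privs is set ...
    if fields.get("NoNewPrivs", "0") == "1":
        reasons.append("no_new_privs set")
    # ... or when the calling process is being ptraced.
    if fields.get("TracerPid", "0") != "0":
        reasons.append("traced by pid " + fields["TracerPid"])
    # A bounding set without these bits limits what a setuid-root program gains.
    bnd = int(fields.get("CapBnd", "f" * 16), 16)
    for name, bit in (("CAP_SETUID", CAP_SETUID), ("CAP_SETGID", CAP_SETGID)):
        if not bnd & (1 << bit):
            reasons.append(name + " missing from bounding set")
    return reasons

def ancestry(pid):
    """Yield (pid, name, blockers) from pid up to init, reading live /proc."""
    while pid > 0:
        with open(f"/proc/{pid}/status") as fh:
            fields = parse_status(fh.read())
        yield pid, fields.get("Name", "?"), setuid_blockers(fields)
        pid = int(fields.get("PPid", "0"))

# Constructed sample (not taken from the thread): a traced, no_new_privs child.
SAMPLE = (
    "Name:\txterm\nPPid:\t812\nTracerPid:\t790\nUid:\t1000\t1000\t1000\t1000\n"
    "CapBnd:\t0000003fffffff3f\nNoNewPrivs:\t1\n"
)

if __name__ == "__main__":
    for pid, name, why in ancestry(os.getpid()):
        print(pid, name, ", ".join(why) or "no restriction seen")
```

Run it from a terminal inside the desktop session and again from a plain console login; the first ancestor that reports a restriction is where the setting was applied. The third execve(2) condition, a nosuid mount, depends on the filesystem holding the binary and is not covered here.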
