On Thu, 11 May 2017 21:07:20 +0900 Florian Schaefer <[email protected]> said:
>
> On 11.05.2017 12:33, Carsten Haitzler (The Rasterman) wrote:
> > On Wed, 10 May 2017 09:48:19 +0200 PaulTT <[email protected]> said:
> >
> >> i just posted a message about this... (sorry, i've seen now this thread)
> >>
> >> as i said there, there's also a problem with unlocking (so, pam related, i
> >> assume ?)
> >> via console su and sudo worked like a charm (i've got error messages about
> >> cpufreq and backlight too)
> >
> > pam would be executing a setuid root binary to do the password check... so
> > it's the same issue. something has decided that e and app processes below
> > it in the process tree "can't run setuid (root) binaries" and has disabled
> > that feature. that feature seems to only kick in with 4.11 kernel. it
> > certainly is not e doing this. it has relied on this working for many
> > years. it's something new security-wise that is being enabled by a new
> > kernel.
> >
> > maybe some parent process is using setpriv? CAP_SETUID disabled? man
> > capabilities ... for info ... maybe run captest ?
> >e
> > 12:20PM ~ > captest
> > User credentials uid:1000 euid:1000 suid:1000
> > Group credentials gid:1000 egid:1000 sgid:1000
> > Current capabilities: none
> > securebits flags: none
> > Attempting direct access to shadow...FAILED (Permission denied)
> > Attempting to access shadow by child process...FAILED
> > Child User credentials uid:1000 euid:1000 suid:1000
> > Child Group credentials gid:1000 egid:1000 sgid:1000
> > Child capabilities: none
> > Child securebits flags: none
> >
> > is what i get. which is normal.
>
> I get the same as you on my system here:
>
> florian@washu:~ # uname -a
> Linux washu 4.11.0 #2 SMP PREEMPT Tue May 2 12:12:51 JST 2017 i686 GNU/Linux
> florian@washu:~ # captest
> User credentials uid:500 euid:500 suid:500
> Group credentials gid:100 egid:100 sgid:100
> Current capabilities: none
> securebits flags: none
> Attempting direct access to shadow...FAILED (Permission denied)
> Attempting to access shadow by child process...FAILED
> Child User credentials uid:500 euid:500 suid:500
> Child Group credentials gid:100 egid:100 sgid:100
> Child capabilities: none
> Child securebits flags: none

try capsh --print ?

Current: =
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=1000(raster)
gid=1000(raster)
groups=5(tty),6(disk),7(lp),10(wheel),50(games),78(kvm),90(network),91(video),92
(audio),93(optical),94(floppy),95(storage),96(scanner),98(power),100(users),492
(oprofile),1000(raster)

> Cheers,
> Florian
>
> >> could the problem be related to some new sh**y systemd operation????
> >> i saw that also using wayland, i couldn't access halt/reboot/suspend menu
> >> items too (this happens to me also with previous kernels)
> >
> > works for me with enlightenment + wl + arch (+systemd)... i can do all the
> > power off etc. stuff...
> >
> >> On Thu, May 4, 2017 at 6:19 AM, Carsten Haitzler <[email protected]> wrote:
> >>
> >>> On Thu, 04 May 2017 11:09:13 +0900 <[email protected]> said:
> >>>
> >>>> Hi,
> >>>>
> >>>> Carsten Haitzler (The Rasterman) <[email protected]> wrote:
> >>>>
> >>>>> On Wed, 3 May 2017 12:09:21 +0900 Florian Schaefer <[email protected]> said:
> >>>>
> >>>>>> Hi!
> >>>>>>
> >>>>>> On 03.05.2017 10:04, Carsten Haitzler (The Rasterman) wrote:
> >>>>>>> On Tue, 02 May 2017 21:16:40 +0900 [email protected] said:
> >>>>>>>
> >>>>>>>> Hi,
> >>>>>>>>
> >>>>>>>> I got the source of kernel 4.11, then compiled, and check the
> >>>>>>>> behaviour of enlightenment (efl 1.18.1, enlightenment 0.21.7).
> >>>>>>>>
> >>>>>>>> At the start up of enlightenment, I got an error message;
> >>>>>>>>
> >>>>>>>> There was an error trying to set the cpu power state setting via the
> >>>>>>>> module's setfreq utility.
> >>>>>>>>
> >>>>>>>> On the kernel 4.10.x, I never see such a message.
> >>>>>>>>
> >>>>>>>> And, I tried to use su and sudo command in the terminal, I got a
> >>>>>>>> strange message;
> >>>>>>>>
> >>>>>>>> fulwood@linux-uw5l:~> sudo
> >>>>>>>> sudo: effective uid is not 0, is sudo installed setuid root
> >>>>>>>>
> >>>>>>>> fulwood@linux-uw5l:~> su
> >>>>>>>> Password:
> >>>>>>>> su: incorrect password
> >>>>>>>>
> >>>>>>>> This means, there is a problem concerning uid treatment in the
> >>>>>>>> enlightenment, doesn't it.
> >>>>>>>>
> >>>>>>>> Moreover, VirtualBox indicate the problem of enlightenment directly;
> >>>>>>>>
> >>>>>>>> fulwood@linux-uw51:~> VirtualBox
> >>>>>>>>
> >>>>>>>> VirtualBox: Error -10 in SUPRHardenedMain!
> >>>>>>>> VirtualBox: Effective UID is not root (euid=1000, egid=100, uid=1000,
> >>>>>>>> gid=100)
> >>>>>>>> VirtualBox: Tip! It may help to reintall VirtualBox.
> >>>>>>>>
> >>>>>>>> Why does uid=1000?
> >>>>>>>
> >>>>>>> that's a common uid to start with for users added to a system - first
> >>>>>>> user added commonly is uid 1000... that's probably ... you.
> >>>>>>>
> >>>>>>>> So, we can't use enlightenment on the kernel 4.11.
> >>>>>>>
> >>>>>>> from the above it seems like since you compiled your own kernel it
> >>>>>>> seemingly has disabled setuid root binaries. i assume this is some new
> >>>>>>> feature of kernels since 4.11 that has been turned on. i suggest you
> >>>>>>> turn it off to allow them again. your kernel broke far more than
> >>>>>>> enlightenment. it broke sudo. probably even broke su. it broke
> >>>>>>> virtualbox... it broke stuff. what that option is - i don't know. this
> >>>>>>> is news to me.
> >>>>>>
> >>>>>> Just for the record I'd like to add that I observe the same behavior.
> >>>>>>
> >>>>>> Since switching from 4.9 to 4.11 yesterday I cannot do suid requiring
> >>>>>> operations (like su or mount.cifs) from within E (using terminology or
> >>>>>> xterm) any more. Interestingly, if I am right at the console (so no Xorg
> >>>>>> and e in-between) all those commands work like a charm.
> >>>>>>
> >>>>>> I could not find any setuid related option in the kernel configuration
> >>>>>> so I cannot really imagine where it is misconfigured.
> >>>>
> >>>>> it'll likely be some security option that ends up doing this for child
> >>>>> processes ... whatever/however it is... but it's certainly a change in the
> >>>>> kernel and "security options" of some sort.
> >>>>
> >>>> But, why the kernel's change has an impact on enlightenment only?
> >>>> On e16 and kde-plasma, no impact.
> >>>
> >>> neither controls cpu frequency/governor or don't use setuid root binaries or
> >>> they come from packages with specific selinux rules to allow setuid root
> >>> binaries... or something. but it's a kernel change that creates the issue. what
> >>> - i don't know.
> >>> ask your friendly neighbourhood kernel developer. the setuid root
> >>> binaries are specifically erroring out unable to assume root privs where
> >>> they could before.
> >>>
> >>> --
> >>> ------------- Codito, ergo sum - "I code, therefore I am" --------------
> >>> The Rasterman (Carsten Haitzler) [email protected]
> >>>
> >>> ------------------------------------------------------------------------------
> >>> Check out the vibrant tech community on one of the world's most
> >>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> >>> _______________________________________________
> >>> enlightenment-devel mailing list
> >>> [email protected]
> >>> https://lists.sourceforge.net/lists/listinfo/enlightenment-devel

--
------------- Codito, ergo sum - "I code, therefore I am" --------------
The Rasterman (Carsten Haitzler) [email protected]
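
Added example, not part of the thread and not code from any poster or project: one way to follow up on the captest/capsh suggestion is to compare the privilege-related fields of /proc/<pid>/status for a shell where su works (the console) and one where it fails (a terminal under E). The two status dumps and all function names are constructed for illustration; the NoNewPrivs field is reported by kernels 4.10 and later.

```python
# Compare privilege-related fields of two /proc/<pid>/status dumps.
CAP_BITS = {"cap_setgid": 6, "cap_setuid": 7}  # bit numbers from linux/capability.h
FIELDS = ("Uid", "Gid", "CapInh", "CapPrm", "CapEff", "CapBnd", "NoNewPrivs", "Seccomp")

# Constructed samples (not taken from the thread): the second shell has inherited
# no_new_privs and a bounding set with cap_setuid removed.
CONSOLE = "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nCapBnd:\t0000003fffffffff\nNoNewPrivs:\t0\n"
UNDER_E = "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nCapBnd:\t0000003fffffff7f\nNoNewPrivs:\t1\n"


def parse_status(text):
    """Map field name -> whitespace-normalised value for a status dump."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = " ".join(value.split())
    return fields


def blockers(text):
    """Per-process settings that keep a setuid-root exec from gaining privilege."""
    f = parse_status(text)
    found = []
    if f.get("NoNewPrivs") == "1":
        # Inherited across fork/exec and cannot be cleared once set.
        found.append("no_new_privs set: execve ignores setuid/setgid bits")
    if "CapBnd" in f:
        bnd = int(f["CapBnd"], 16)
        for name, bit in CAP_BITS.items():
            # A setuid-root program cannot acquire a capability outside this set.
            if not bnd >> bit & 1:
                found.append(f"{name} not in bounding set")
    return found


def diff_status(good, bad):
    """Privilege-related fields whose values differ between the two dumps."""
    g, b = parse_status(good), parse_status(bad)
    return {k: (g.get(k), b.get(k)) for k in FIELDS if g.get(k) != b.get(k)}


if __name__ == "__main__":
    import sys
    # Usage: script.py GOOD_PID BAD_PID (falls back to the constructed samples)
    texts = [open(f"/proc/{p}/status").read() for p in sys.argv[1:3]]
    good, bad = texts if len(texts) == 2 else (CONSOLE, UNDER_E)
    print(diff_status(good, bad))
    print(blockers(bad) or "no per-process blocker found")
```

If both shells report identical fields, the difference lies outside these per-process settings.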
