Re: [gentoo-user] Re: two identical /etc/sudoers -- only one works

2007-05-29 Thread Paul Varner
On Fri, 2007-05-25 at 20:14 -0700, maxim wexler wrote:
 [EMAIL PROTECTED] ~ $ ls /
 ls: cannot open directory /: Permission denied
 [EMAIL PROTECTED] ~ $

What does 'ls -ld /' and 'ls -ld /etc' return?

Both of them should look like:
drwxr-xr-x 20 root root 4096 May 29 04:40 /
drwxr-xr-x 56 root root 4096 May 29 11:39 /etc

Regards,
Paul
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] Re: two identical /etc/sudoers -- only one works

2007-05-29 Thread Mick
On Tuesday 29 May 2007 22:04, Paul Varner wrote:
 On Fri, 2007-05-25 at 20:14 -0700, maxim wexler wrote:
  [EMAIL PROTECTED] ~ $ ls /
  ls: cannot open directory /: Permission denied
  [EMAIL PROTECTED] ~ $

 What does 'ls -ld /' and 'ls -ld /etc' return?

 Both of them should look like:
 drwxr-xr-x 20 root root 4096 May 29 04:40 /
 drwxr-xr-x 56 root root 4096 May 29 11:39 /etc

Oops! mine looks like this:

# ls -ld /   
drwxrwxrwt 22 root root 648 Apr  6 18:44 /

What's wrong here?

PS. I do not suffer from Maxim's problem, but clearly something is wrong with 
my access rights on the root directory?
-- 
Regards,
Mick




Re: [gentoo-user] Re: two identical /etc/sudoers -- only one works

2007-05-29 Thread Mike Edenfield

Mick wrote:

On Tuesday 29 May 2007 22:04, Paul Varner wrote:

On Fri, 2007-05-25 at 20:14 -0700, maxim wexler wrote:

[EMAIL PROTECTED] ~ $ ls /
ls: cannot open directory /: Permission denied
[EMAIL PROTECTED] ~ $

What does 'ls -ld /' and 'ls -ld /etc' return?

Both of them should look like:
drwxr-xr-x 20 root root 4096 May 29 04:40 /
drwxr-xr-x 56 root root 4096 May 29 11:39 /etc


Oops! mine looks like this:

# ls -ld /   
drwxrwxrwt 22 root root 648 Apr  6 18:44 /


What's wrong here?

PS. I do not suffer from Maxim's problem, but clearly something is wrong with 
my access rights on the root directory?


Having root world-writeable looks a bit suspicious, 
especially if you don't remember doing it yourself. :)


The 't' bit on a directory just means that deletes in that 
directory are restricted to the superuser or file owner (as 
opposed to anyone with +w permissions to the directory). 
I'm not sure why that would affect sudo, or ls for that 
matter, unless it's something funny with how opendir() works?


You could try turning off the odd permissions:

chmod o-wt /
chmod g-w /

and see if anything changes.

--
-- Mike




Re: [gentoo-user] Re: two identical /etc/sudoers -- only one works

2007-05-29 Thread maxim wexler
 m450 backups # ls -al /
 total 72
 drwxr-xr-x 18 root root  4096 Apr 29 13:38 .
 drwxr-xr-x 18 root root  4096 Apr 29 13:38 ..
 drwxr-xr-x  2 root root  4096 May 19 10:36 bin
 drwxr-xr-x  2 root root  4096 May 17 18:07 boot
 drwxr-xr-x 16 root root 13460 May 25 14:39 dev
 drwxr-xr-x 57 root root  4096 May 22 01:51 etc
 drwxr-xr-x  7 root root  4096 May  1 00:08 home
 drwxr-xr-x  8 root root  4096 May 19 22:29 lib
 drwx------  2 root root 16384 Apr 26 15:35 lost+found
 drwxr-xr-x  5 root root  4096 May  6 23:46 mnt
 drwxr-xr-x  4 root root  4096 Apr 29 02:47 opt
 dr-xr-xr-x 72 root root 0 May 17 14:13 proc
 drwx------  6 root root  4096 May 27 13:13 root
 drwxr-xr-x  2 root root  4096 May 19 22:29 sbin
 drwxr-xr-x 11 root root 0 May 17 14:13 sys
 drwxrwxrwt 11 root root  4096 May 27 14:35 tmp
 drwxr-xr-x 15 root root  4096 May 19 13:42 usr
 drwxr-xr-x 14 root root  4096 Apr 28 20:36 var
 
   Note the permissions for /
 drwxr-xr-x 18 root root  4096 Apr 29 13:38 .
 
   Everybody needs to have x in order to even read
 any files in there.
 As root, try...
 
 chmod 755 /

 My permissions are just like yours. Nevertheless I
did what you suggested and ... hey, presto! permission
is no longer denied. sudo works too. 

Thanks Walter!

mw
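
The `chmod 755 /` fix reported above and the `drwxrwxrwt` root directory discussed earlier in the thread both come down to the mode bits of the directories on the way to a file. The shell function below is an added example, not part of any poster's message; the name `audit_path` and its output labels are made up for illustration, and it assumes GNU `stat`.

```shell
#!/bin/sh
# audit_path TARGET [START]: walk every directory from START (default /)
# down to TARGET and flag modes that explain the symptoms in this thread.
# Only mode bits are read, so the answer is the same when run as root.
audit_path() {
    target=$1
    cur=${2:-/}
    rest=${target#"$cur"}; rest=${rest#/}   # components below START
    rc=0
    while :; do
        if [ -d "$cur" ]; then
            mode=$(stat -c '%a' "$cur") || return 2   # octal, e.g. 755 or 1777
            m=$((0$mode))
            # No search (x) bit for "other": unprivileged users cannot
            # reach anything below this directory (open() fails, EACCES).
            [ $((m & 01)) -ne 0 ] || { echo "NOSEARCH $mode $cur"; rc=1; }
            # World-writable: anyone can create entries here; the sticky
            # bit (leading 1 in the mode) only restricts deletion.
            [ $((m & 02)) -eq 0 ] || { echo "WORLD-WRITABLE $mode $cur"; rc=1; }
        fi
        [ -n "$rest" ] || break
        part=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
        cur=${cur%/}/$part
    done
    return $rc
}

# Default check: the path sudo failed to open in the thread.
audit_path "${1:-/etc/sudoers}" || echo "review the directories listed above"
```

A directory such as /tmp is expected to show up as WORLD-WRITABLE 1777; the same line for / is the case questioned earlier in the thread.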




   



[gentoo-user] Re: two identical /etc/sudoers -- only one works

2007-05-27 Thread Christer Ekholm
maxim wexler [EMAIL PROTECTED] writes:


 If by successful you mean the call returns = 0,
 then they're successful.

Yes,


 There is this, however:
 ...
 open(/etc/default/nss, O_RDONLY) =-1 ENOENT (No
 such file or directory)
 ...
 connect(4,{sa_family=AF_FILE,
 path=/var/run/nscd/socket}, 110} =-1 ENOENT (No
 such file or directory)
 ...
 connect(4,{sa_family=AF_FILE, path=/dev/log}, 110
 =-1 EPROTOTYPE (Protocol wrong type for socket)
 ..

I don't think those are important. Just standard tries to open
system files if they exist, and connect to syslog.

I'm totally out of ideas now. Sorry I couldn't help you. Try to see if
it is some security-related problem as proposed by Arturo.





Re: [gentoo-user] Re: two identical /etc/sudoers -- only one works

2007-05-27 Thread maxim wexler
 you. Try to see if
 it is some security-related problem as proposed by
 Arturo.

There are two options under Security in the .config;
neither are set. Is there someplace else to check?

mw


   


Re: [gentoo-user] Re: two identical /etc/sudoers -- only one works

2007-05-26 Thread maxim wexler
 FS corruption.  Check dmesg for any errors, but fsck
 the filesystem 
 containing this file ASAP even if you don't see
 anything.

/dev/hda3 unmounted

#reiserfsck -l check.log /dev/hda3

No corruptions found

check.log empty.

No errors in dmesg for /dev/hda3

mw


 




[gentoo-user] Re: two identical /etc/sudoers -- only one works

2007-05-26 Thread Christer Ekholm
maxim wexler [EMAIL PROTECTED] writes:

 strace:
 ...
 open(/etc/sudoers, O_RDONLY)  = -1 EACCES
 (Permission denied)
 geteuid32() = 1

hmm, strange, geteuid should return euid which should be zero for
root.  Look for other occurrences of geteuid in strace output.

Check also that root actually has uid=0 on that machine.

$ getent passwd | grep ^root
root:x:0:0:root:/root:/bin/bash

--
 Christer




Re: [gentoo-user] Re: two identical /etc/sudoers -- only one works

2007-05-26 Thread maxim wexler

 root.  Look for other occurrences of geteuid in
 strace output.

Most similar instance is following the line:
...
readlink(/proc/self/fd/0,  /dev/tty2, 4095) = 9
getuid32()   = 0
   ^
note: no 'e'

 
 Check also that root actually has uid=0 on that
 machine.
 
 $ getent passwd | grep ^root
 root:x:0:0:root:/root:/bin/bash

checks OK

FWIW, scrolling to the top of the output of strace --
how do I write strace to a file? -- there is the line:

close(393) =-1 EBADF (Bad file descriptor)

followed by 630 similar lines ending in 'close(1023)
ditto' then the body of the output.

mw


   



[gentoo-user] Re: two identical /etc/sudoers -- only one works

2007-05-26 Thread Christer Ekholm
maxim wexler [EMAIL PROTECTED] writes:

 Most similar instance is following the line:
 ...
 readlink(/proc/self/fd/0,  /dev/tty2, 4095) = 9
 getuid32()   = 0
^
 note: no 'e'

Yes that's also interesting, uid is zero, which it should be since you
are running strace as root. uid and euid are two different attribs of a
process, both should be zero.


 
 Check also that root actually has uid=0 on that
 machine.
 
 $ getent passwd | grep ^root
 root:x:0:0:root:/root:/bin/bash

 checks OK

Good, but unfortunate since I'm out of ideas now.


 FWIW, scrolling to the top of the output of strace --
 how do I write strace to a file?

strace -o file

 -- there is the line:

 close(393) =-1 EBADF (Bad file descriptor)

 followed by 630 similar lines ending in 'close(1023)
 ditto' then the body of the output.

That is perfectly normal. sudo just closes every fd, even the ones not
opened.





[gentoo-user] Re: two identical /etc/sudoers -- only one works

2007-05-26 Thread Christer Ekholm
maxim wexler [EMAIL PROTECTED] writes:

 root.  Look for other occurrences of geteuid in
 strace output.

 Most similar instance is following the line:
 ...
 readlink(/proc/self/fd/0,  /dev/tty2, 4095) = 9
 getuid32()   = 0

You should also check for any of setuid seteuid setreuid or
setresuid. Any call to any of those must be successful.

--
 Christer




Re: [gentoo-user] Re: two identical /etc/sudoers -- only one works

2007-05-26 Thread Arturo 'Buanzo' Busleiman

Maybe you're running sudo from within a chrooted/restricted shell, or some
kernel with security options that is not allowing /etc/sudoers to be read?

--
Arturo Buanzo Busleiman - Independent Consultant in Information Security
OpenPGP for HTTP: New Web-Auth Scheme: http://freshmeat.net/articles/view/2599
Consulting and Secure Mail Hosting: http://www.buanzo.com.ar/pro/



Re: [gentoo-user] Re: two identical /etc/sudoers -- only one works

2007-05-26 Thread maxim wexler
 You should also check for any of setuid seteuid
 setreuid or
 setresuid. any call to any of those must be
 successful.

If by successful you mean the call returns = 0,
then they're successful.

There is this, however:
...
open(/etc/default/nss, O_RDONLY) =-1 ENOENT (No
such file or directory)
...
connect(4,{sa_family=AF_FILE,
path=/var/run/nscd/socket}, 110} =-1 ENOENT (No
such file or directory)
...
connect(4,{sa_family=AF_FILE, path=/dev/log}, 110
=-1 EPROTOTYPE (Protocol wrong type for socket)
..


mw


  



[gentoo-user] Re: two identical /etc/sudoers -- only one works

2007-05-25 Thread Christer Ekholm
Walter Dnes [EMAIL PROTECTED] writes:

 On Wed, May 23, 2007 at 06:14:53PM -0700, maxim wexler wrote
 Hi group,
 
 I connect to the web using
 
 $sudo /usr/sbin/pon isp 
 
 on one machine(2.6.20-gentoo-r6). On another
 machine(2.6.19-gentoo-r5), I get
 
 :sudo: can't open /etc/sudoers: Permission denied.


The message suggests that the process of sudo actually doesn't have
permission to open the sudoers file.  Check that the sudo-program
(type sudo) is in fact owned by root, and has the setuid-bit set.

$ls -l `which sudo`
---s--x--x 1 root root 107240 2007-05-21 11:11 /usr/bin/sudo*
   ^         ^
   setuid    root

--
 Christer




Re: [gentoo-user] Re: two identical /etc/sudoers -- only one works

2007-05-25 Thread maxim wexler
 $ls -l `which sudo`
 ---s--x--x 1 root root 107240 2007-05-21 11:11
 /usr/bin/sudo*
    ^         ^
    setuid    root
 
 --
  Christer

Thanks Christer, never saw that command before, but
like I told Walter, a listing for sudo is indeed:
---s--x--1 2 root root
  ^
Is this supposed to be a
one?

mw


 




[gentoo-user] Re: two identical /etc/sudoers -- only one works

2007-05-25 Thread Christer Ekholm

I was wrong. Sorry.

I realize now that this cannot be your problem, sudo tells you that it
is not setuid if it's not.

  $ sudo chmod -s sudo
  $ sudo ls
  sudo: must be setuid root


 Thanks Christer, never saw that command before, but
 like I told Walter, a listing for sudo is indeed:
 ---s--x--1 2 root root
   ^
 Is this supposed to be a
 one?

Did you type that line instead of cut'n paste?  If not, I fail to
understand the 1 in ---s--x--1

If you ask about the first number directly after the permission
string, it is the number of hard links to that file. If it is other
than one it means that the file has another name also, you can find
that by using -i to ls to show the inode-number, and then find the
other with find -inum

Example:

  $ pwd
  /usr/bin
  $ ls -li sudo
  8803772 ---s--x--x 2 root root 107240 2007-05-21 11:11 sudo*
  $ find . -inum 8803772
  ./sudo
  ./foo
  $ ls -li foo
  8803772 ---s--x--x 2 root root 107240 2007-05-21 11:11 foo*


Unfortunately I do not know what's wrong, try to strace sudo to see
what it does, remember that you have to be root to strace a setuid
program. Look for

open(/etc/sudoers, O_RDONLY)  = 4

The 4 is what file descriptor open returned, and is -1 for a failed
open. 


--
 Christer
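
The strace checks suggested in this thread (find the failing open, see which effective uid was in force, confirm that every set*uid call succeeded) can be run over a log saved with `strace -o`. This is an added example, not part of any poster's message; the names `strace_eacces` and `sample_log` and the sample log are constructed, and it assumes a log without `-f` PID prefixes.

```shell
#!/bin/sh
# strace_eacces [LOGFILE]: summarise a log written by "strace -o LOGFILE sudo ..."
strace_eacces() {
    awk '
    BEGIN { euid = "unknown" }   # effective uid, updated as the log is read
    {
        call = $0; sub(/\(.*/, "", call)                  # syscall name
        args = $0; sub(/^[^(]*\(/, "", args); sub(/\)[ \t]*=.*/, "", args)
        ret = $0;  sub(/.*\)[ \t]*=[ \t]*/, "", ret)      # "0" or "-1 EACCES (...)"
        split(args, a, /,[ \t]*/)
    }
    call ~ /^set(res|re|e)?uid(32)?$/ {
        # Every uid switch must succeed, or later calls run as the wrong user.
        if (ret ~ /^-1/) { print "FAILED " call "(" args ")"; next }
        # setuid/seteuid carry the euid in arg 1, setreuid/setresuid in arg 2.
        e = (call ~ /^sete?uid/) ? a[1] : a[2]
        if (e != "-1") euid = e
        next
    }
    call ~ /^geteuid(32)?$/ { euid = ret + 0; next }
    ret ~ /^-1 EACCES/ { print "EACCES euid=" euid " " call " " a[1] }
    ' "$@"
}

# Constructed sample in strace -o format (not the log from the thread).
sample_log() {
    cat <<'EOF'
getuid32()                              = 0
setresuid32(-1, 1, -1)                  = 0
open("/etc/sudoers", O_RDONLY)          = -1 EACCES (Permission denied)
geteuid32()                             = 1
setresuid32(0, 0, 0)                    = 0
open("/etc/default/nss", O_RDONLY)      = -1 ENOENT (No such file or directory)
EOF
}

sample_log | strace_eacces
```

Missing files (ENOENT) are ignored; only permission failures and failed uid switches are reported.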




Re: [gentoo-user] Re: two identical /etc/sudoers -- only one works

2007-05-25 Thread maxim wexler
 Example:
 
   $ pwd
   /usr/bin
   $ ls -li sudo
   8803772 ---s--x--x 2 root root 107240 2007-05-21
 11:11 sudo*
   $ find . -inum 8803772
   ./sudo
   ./foo
   $ ls -li foo
   8803772 ---s--x--x 2 root root 107240 2007-05-21
 11:11 foo*
 
 
 Unfortunately I do not know what's wrong, try to
 strace sudo to see
 what it does, remember that you have to be root to
 strace a setuid
 program. Look for
 
 open(/etc/sudoers, O_RDONLY)  = 4
 
 The 4 is what filedescriptor open returned, and is
 -1 for a failed
 open. 
 

strace:
...
open(/etc/sudoers, O_RDONLY)  = -1 EACCES
(Permission denied)
geteuid32() = 1
setresuid32(0, 0, 0)= 0
write(2, sudo: , 6sudo: )   = 6
write(2, can\'t open /etc/sudoers, 23can't open
/etc/sudoers) = 23
write(2, : , 2: )   = 2
write(2, Permission denied\n, 18Permission denied
) = 18
...

[EMAIL PROTECTED] /usr/bin $ ls -li sudo
314108 ---s--x--x 2 root root 106160 Apr 11 09:26 sudo
[EMAIL PROTECTED] /usr/bin $ find . -inum 314108
./sudo
./sudoedit
[EMAIL PROTECTED] /usr/bin $ ls -li sudoedit
314108 ---s--x--x 2 root root 106160 Apr 11 09:26
sudoedit
[EMAIL PROTECTED] /usr/bin $

Just noticed this:

[EMAIL PROTECTED] ~ $ ls /
ls: cannot open directory /: Permission denied
[EMAIL PROTECTED] ~ $

picky can't even mount a floppy or write to it!

But picky's fstab is identical to heathen's. 

Only thing I can think of: recently had to do emerge
--metadata on account of CacheCorruption error.




 



Re: [gentoo-user] Re: two identical /etc/sudoers -- only one works

2007-05-25 Thread Boyd Stephen Smith Jr.
On Friday 25 May 2007, maxim wexler [EMAIL PROTECTED] wrote about 'Re: 
[gentoo-user]  Re: two identical /etc/sudoers -- only one works':
 strace:
 ...
 open(/etc/sudoers, O_RDONLY)  = -1 EACCES
 (Permission denied)

FS corruption.  Check dmesg for any errors, but fsck the filesystem 
containing this file ASAP even if you don't see anything.

I'd seen the same behavior (albeit on a different file) on some of my 
reiserfs filesystems -- files that no one, including root, could access 
due to Permission denied.

-- 
Boyd Stephen Smith Jr. ,= ,-_-. =. 
[EMAIL PROTECTED]  ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy   `-'(. .)`-' 
http://iguanasuicide.org/  \_/ 

