Sudo issue with admin account

[ASupport]

Hi All,

When we try to sudo as admin we get the following error:

sudo
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set

All other accounts on the server work fine. Any idea how we fix this?

Thanks

 

[toml]

as root issue the following commands:
chown root:root /usr/bin/sudo
chmod 4755 /usr/bin/sudo

 

[ASupport]

as root issue the following commands:
chown root:root /usr/bin/sudo
chmod 4755 /usr/bin/sudo

Sorry that doesn't work. Its only the admin account. No other accounts are affected, @DirectAdmin Support is there a script to fix the admin permissions at admin level?

 

[toml]

Sorry that doesn't work. Its only the admin account. No other accounts are affected, @DirectAdmin Support is there a script to fix the admin permissions at admin level?

That doesn't sound right. The message from sudo literally tells you that /usr/bin/sudo is either not owned by root or doesn't have the setuid bit on. The commands I gave do exactly that. If you are saying that the admin user can't do sudo then that is another issue. I would expect a completely different error message.

 

[ASupport]

That doesn't sound right. The message from sudo literally tells you that /usr/bin/sudo is either not owned by root or doesn't have the setuid bit on. The commands I gave do exactly that. If you are saying that the admin user can't do sudo then that is another issue. I would expect a completely different error message.

I know, i am going mad. All other users can sudo only the admin account cannot.

 

[toml]

Show us the following:
* output from "ls -l /usr/bin/sudo"
* show the exact command you are trying to issue and the error

Depending on the error that is output, we might need the contents of your /etc/sudoers file or at least certain lines within it.

 

[toml]

That is a problem, it should be owned by root. Did you map the user/group nobody to uid/gid 0?

 

[ASupport]

Show us the following:
* output from "ls -l /usr/bin/sudo"
* show the exact command you are trying to issue and the error

Depending on the error that is output, we might need the contents of your /etc/sudoers file or at least certain lines within it.

-rwsr-xr-x. 1 nobody nobody 165656 Apr 24 2020 /usr/bin/sudo

I am just trying sudo wget for instance and it fails. If i try sudo anything it fails I get the following:

/usr/bin/sudo must be owned by uid 0 and have the setuid bit set

 

[ASupport]

That is a problem, it should be owned by root. Did you map the user/group nobody to uid/gid 0?

Not that I am aware of

 

[ASupport]

That is a problem, it should be owned by root. Did you map the user/group nobody to uid/gid 0?

As root user I get the following:

-rwsr-xr-x. 1 root root 165656 Apr 24 2020 /usr/bin/sudo

 

[toml]

Sudo will allow you to run applications in privileged mode. The way it is allowed to run something as root, is because the sudo binary is owned by the user root (uid 0) and the setuid bit enabled ( s instead of x in user part of the perms). The 's' bit says to run this as the owner which should be root.

It is possible that it is still owned by "root" and just displaying "nobody" due to the order of the entries in your /etc/passwd.

As the user what do you see when you do:
ls -ln /usr/bin/sudo

The "n" added to ls will display the user and group id numbers and not try to map it to a user.

Are you using something other than /etc/passwd for users? Like AD or LDAP?

 

[ASupport]

Sudo will allow you to run applications in privileged mode. The way it is allowed to run something as root, is because the sudo binary is owned by the user root (uid 0) and the setuid bit enabled ( s instead of x in user part of the perms). The 's' bit says to run this as the owner which should be root.

It is possible that it is still owned by "root" and just displaying "nobody" due to the order of the entries in your /etc/passwd.

As the user what do you see when you do:
ls -ln /usr/bin/sudo

The "n" added to ls will display the user and group id numbers and not try to map it to a user.

Are you using something other than /etc/passwd for users? Like AD or LDAP?

I get the following:

-rwsr-xr-x. 1 65534 65534 165656 Apr 24 2020 /usr/bin/sudo

And no we aren't using anything like LDAP or AD just the /etc/passwd

 

[ASupport]

Sudo will allow you to run applications in privileged mode. The way it is allowed to run something as root, is because the sudo binary is owned by the user root (uid 0) and the setuid bit enabled ( s instead of x in user part of the perms). The 's' bit says to run this as the owner which should be root.

It is possible that it is still owned by "root" and just displaying "nobody" due to the order of the entries in your /etc/passwd.

As the user what do you see when you do:
ls -ln /usr/bin/sudo

The "n" added to ls will display the user and group id numbers and not try to map it to a user.

Are you using something other than /etc/passwd for users? Like AD or LDAP?

I see this if I cat the /etc/passwd

admin:x:1002:1003::/home/admin:/usr/bin/jailshell
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin

 

[toml]

I have no idea how that shows as root when you run that as root, unless the uid/gid of root was changed to 65534 in /etc/passwd. Regardless, try doing this:
chown 0:0 /usr/bin/sudo
that eliminates the mapping and will just change the id's to the values required

 

[toml]

OK, I think I see your issue. Your admin user is going through a jailed shell therefore the /usr/bin/sudo may not be the same /usr/bin/sudo you are looking at as root (no jailed shell). Typically jailed shells will have their own environment/filesystem and may prevent running anything as root since you really want that user jailed.

 

[ASupport]

OK, I think I see your issue. Your admin user is going through a jailed shell therefore the /usr/bin/sudo may not be the same /usr/bin/sudo you are looking at as root (no jailed shell). Typically jailed shells will have their own environment/filesystem and may prevent running anything as root since you really want that user jailed.

Okay, how do i turn that off? We need the admin user to be able to execute sudo. I didn't turn this on so i'm sure as to what has happened?

 

[toml]

change the shell for admin from /usr/bin/jailshell to something like /bin/sh or /bin/bash or another shell you prefer. Just make sure that the shell exists (in some cases /bin/bash doesn't exist but /usr/bin/bash will). After that you would need to log back in as admin and try again.

 

[ASupport]

change the shell for admin from /usr/bin/jailshell to something like /bin/sh or /bin/bash or another shell you prefer. Just make sure that the shell exists (in some cases /bin/bash doesn't exist but /usr/bin/bash will). After that you would need to log back in as admin and try again.

Sorry I am very new to linux, how would i do that?

 

[toml]

Personally I open /etc/passwd with vi, modify that record, save it and exit. As a beginner vi is very daunting. You can do this:
vi /etc/passwd
use the arrow keys to move the cursor to the line that reads:
admin:x:1002:1003::/home/admin:/usr/bin/jailshell
when the cursor is over the slash in /usr/bin/jailshell you can type a capital 'D', it should erase from the cursor to the end of the line
type a lowercase 'a', this will all you to append to that line starting at the current position from there you can type the shell (i.e. /bin/sh)
when complete, hit the Esc key, this brings you out of edit mode. Now type ":x" without the quotes. The colon will display on the bottom left of the window and the x tells vi to save the edited file and exit.

Unfortunately DirectAdmin doesn't have an easy method for modifying /etc/passwd.

One more way to do this is if you do:
grep jailshell /etc/passwd
and there is ONLY one entry, and /usr/bin/bash exists, then you can do this:
perl -pi -e 's#/usr/bin/jailshell#/bin/bash#g' /etc/passwd

Just make sure that you change /bin/bash to a shell that already exists on your system.

 

[ASupport]

Personally I open /etc/passwd with vi, modify that record, save it and exit. As a beginner vi is very daunting. You can do this:
vi /etc/passwd
use the arrow keys to move the cursor to the line that reads:
admin:x:1002:1003::/home/admin:/usr/bin/jailshell
when the cursor is over the slash in /usr/bin/jailshell you can type a capital 'D', it should erase from the cursor to the end of the line
type a lowercase 'a', this will all you to append to that line starting at the current position from there you can type the shell (i.e. /bin/sh)
when complete, hit the Esc key, this brings you out of edit mode. Now type ":x" without the quotes. The colon will display on the bottom left of the window and the x tells vi to save the edited file and exit.

Unfortunately DirectAdmin doesn't have an easy method for modifying /etc/passwd.

One more way to do this is if you do:
grep jailshell /etc/passwd
and there is ONLY one entry, and /usr/bin/bash exists, then you can do this:
perl -pi -e 's#/usr/bin/jailshell#/bin/bash#g' /etc/passwd

Just make sure that you change /bin/bash to a shell that already exists on your system.

Thank you for this. I am still getting the same error