ZOSOpenTools / sudoport

Sudo
Apache License 2.0

sudo error running -V #4

Open gngrossi opened 1 year ago

gngrossi commented 1 year ago

    RC=(0) [SYSA] bash-5.2$ sudo -V
    Sudo version 1.9.13p3
    sudo: PERM_SUDOERS: setreuid(-1, 1): EDC5121I Invalid argument.
    sudo: no valid sudoers sources found, quitting
    sudo: error initializing audit plugin sudoers_audit

--

    /hewitt/zopentools/guild/sudo-1.9.13p3 RC=(0) [SYSA] bash-5.2$ ls -E bin
    bin:
    total 9072
    -rwsr-xr-x  --s-  1 BPXROOT  @ISZOST1  1552384 May 23 21:35 cvtsudoers
    -rwsr-xr-x  --s-  1 BPXROOT  @ISZOST1  2015232 May 23 21:35 sudo
    lrwxrwxrwx        1 @02858   @ISCICS1        4 May 24 15:47 sudoedit -> sudo
    -rwsr-xr-x  --s-  1 BPXROOT  @ISZOST1  1048576 May 23 21:35 sudoreplay

    sbin:
    total 7184
    -rwsr-xr-x  --s-  1 BPXROOT  @ISZOST1  1282048 May 23 21:34 sudo_logsrvd
    -rwsr-xr-x  --s-  1 BPXROOT  @ISZOST1  1105920 May 23 21:35 sudo_sendlog
    -rwsr-xr-x  --s-  1 BPXROOT  @ISZOST1  1257472 May 23 21:35 visudo

gngrossi commented 1 year ago

    sudo: error initializing audit plugin sudoers_audit

Missing the sudoers.so file?

    #
    # Default /etc/sudo.conf file
    #
    # Sudo plugins:
    #   Plugin plugin_name plugin_path plugin_options ...
    #
    # The plugin_path is relative to /hewitt/zopentools/guild/sudo-1.9.13p3/libexec/sudo unless
    # fully qualified.
    # The plugin_name corresponds to a global symbol in the plugin
    # that contains the plugin interface structure.
    # The plugin_options are optional.
    #
    # The sudoers plugin is used by default if no Plugin lines are present.
    #Plugin sudoers_policy sudoers.so
    #Plugin sudoers_io sudoers.so
    #Plugin sudoers_audit sudoers.so

--

    RC=(0) [SYSA] bash-5.2$ pwd
    /hewitt/zopentools/guild/sudo-1.9.13p3/libexec/sudo
    RC=(0) [SYSA] bash-5.2$ ls -l
    total 0

IgorTodorovskiIBM commented 1 year ago

Thanks @gngrossi, appreciate the feedback. At the moment, I'm working on upstreaming Bash. How high of a priority are these sudo issues to you?

gngrossi commented 1 year ago

sudo is a low priority...no rush. thanks

gngrossi commented 1 year ago

    bash-5.2$ sudo -V
    Sudo version 1.9.13p3
    sudo: PERM_SUDOERS: setreuid(-1, 1): EDC5121I Invalid argument.
    sudo: no valid sudoers sources found, quitting
    sudo: error initializing audit plugin sudoers_audit

    bash-5.2$ ls -l /etc/sudoers
    -r--r-----   1 BPXROOT  @ISZOST1      7149 Jun 21 11:27 /etc/sudoers

gngrossi commented 1 year ago

    bash-5.2$ sudo -V
    Sudo version 1.9.13p3
    sudo: PERM_SUDOERS: setreuid(-1, 1): EDC5121I Invalid argument.
    sudo: no valid sudoers sources found, quitting
    sudo: error initializing audit plugin sudoers_audit

gngrossi commented 11 months ago

We currently are running sudo using the older Ported Tools version.

    bash-5.2$ /usr/lpp/ported/bin/sudo -V
    Sudo version 1.7.2p2

--

    bash-5.2$ ls -l /SYSA/etc/sudoers
    -r--r-----   1 BPXROOT  @ISZOST1      7149 Jun 21 11:27 /SYSA/etc/sudoers

    bash-5.2$ which sudo
    /hewitt/zopentools/guild/sudo-1.9.13p3/bin/sudo

    bash-5.2$ sudo -V
    Sudo version 1.9.13p3
    sudo: PERM_SUDOERS: setreuid(-1, 1): EDC5121I Invalid argument.
    sudo: no valid sudoers sources found, quitting
    sudo: error initializing audit plugin sudoers_audit

gngrossi commented 11 months ago

Installed the latest pax file.

    bash-5.2$ sudo -V
    Sudo version 1.9.13p3
    sudo: PERM_SUDOERS: setreuid(-1, 1): EDC5121I Invalid argument.
    sudo: no valid sudoers sources found, quitting
    sudo: error initializing audit plugin sudoers_audit

gngrossi commented 11 months ago

Is there additional information I can provide? thanks

gngrossi commented 10 months ago

Installed the latest pax file. Followed the instructions regarding the chown and chmod commands. I did not copy to /usr/bin and /usr/sbin

    Setting up sudo...

    IMPORTANT NOTE: Installation of sudo is NOT COMPLETE.
    For details on sudo, see: https://www.sudo.ws/releases/stable/#1.9.13p3
    To finish installing sudo, run the following commands with elevated privileges:
      BIN_SUDO='cvtsudoers sudo sudoedit sudoreplay'
      SBIN_SUDO='sudo_logsrvd sudo_sendlog visudo'
      SUDO_INSTALL_LOCAL=/hewitt/zopentools/guild/sudo-1.9.13p3
      cd $SUDO_INSTALL_LOCAL/bin
      cp $BIN_SUDO /usr/bin/
      cd $SUDO_INSTALL_LOCAL/sbin
      cp $SBIN_SUDO /usr/sbin/
      cd /usr/bin
      chown 0:0 $BIN_SUDO
      cd /usr/sbin
      chmod u+s $SBIN_SUDO
    Review the $SUDO_INSTALL_LOCAL/etc/sudoers file.
    Use visudo to create your own /etc/sudoers file.

    Setup completed.

--

    bash-5.2$ sudo -V
    sudo: /hewitt/zopentools/guild/sudo-1.9.13p3/bin/sudo must be owned by uid 0 and have the setuid bit set

I used the previous instructions.

    $ chown 0:0 /hewitt/zopentools/guild/sudo-1.9.13p3/bin/
    $ chmod u+s /hewitt/zopentools/guild/sudo-1.9.13p3/bin/

    bash-5.2$ ls -l /hewitt/zopentools/guild/sudo-1.9.13p3/bin/
    -rwsr-xr-x   1 BPXROOT  @ISZOST1   1552384 Oct  5 10:54 /hewitt/zopentools/guild/sudo-1.9.13p3/bin/cvtsudoers
    -rwsr-xr-x   1 BPXROOT  @ISZOST1   2019328 Oct  5 10:54 /hewitt/zopentools/guild/sudo-1.9.13p3/bin/sudo
    lrwxrwxrwx   1 @02858   @ISCICS1         4 Oct 27 15:14 /hewitt/zopentools/guild/sudo-1.9.13p3/bin/sudoedit -> sudo
    -rwsr-xr-x   1 BPXROOT  @ISZOST1   1052672 Oct  5 10:54 /hewitt/zopentools/guild/sudo-1.9.13p3/bin/sudoreplay
    -rwsr-xr-x   1 BPXROOT  @ISZOST1   1282048 Oct  5 10:53 /hewitt/zopentools/guild/sudo-1.9.13p3/sbin/sudo_logsrvd
    -rwsr-xr-x   1 BPXROOT  @ISZOST1   1105920 Oct  5 10:53 /hewitt/zopentools/guild/sudo-1.9.13p3/sbin/sudo_sendlog
    -rwsr-xr-x   1 BPXROOT  @ISZOST1   1257472 Oct  5 10:54 /hewitt/zopentools/guild/sudo-1.9.13p3/sbin/visudo

--

    bash-5.2$ sudo -V
    Sudo version 1.9.13p3
    sudo: PERM_SUDOERS: setreuid(-1, 1): EDC5121I Invalid argument.
    sudo: no valid sudoers sources found, quitting
    sudo: error initializing audit plugin sudoers_audit

gngrossi commented 9 months ago

Is there any additional documentation I need to provide? thanks

gngrossi commented 6 months ago

Installed the latest pax file. Followed the post install instructions and ran the chown and chmod with elevated privileges.

Before...

    -rwxr-xr-x   1 @02858   @ISCICS1   1634304 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/cvtsudoers
    -rwxr-xr-x   1 @02858   @ISCICS1   2273280 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/sudo
    lrwxrwxrwx   1 @02858   @ISCICS1         4 Feb 13 15:40 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/sudoedit -> sudo
    -rwxr-xr-x   1 @02858   @ISCICS1   1146880 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/sudoreplay

    -rwxr-xr-x   1 @02858   @ISCICS1   1470464 Feb 13 11:58 /hewitt/zopentools/guild/sudo-1.9.15p5/sbin/sudo_logsrvd
    -rwxr-xr-x   1 @02858   @ISCICS1   1204224 Feb 13 11:58 /hewitt/zopentools/guild/sudo-1.9.15p5/sbin/sudo_sendlog
    -rwxr-xr-x   1 @02858   @ISCICS1   1306624 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/sbin/visudo

After...

    -rwxr-xr-x   1 BPXROOT  @ISZOST1   1634304 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/cvtsudoers
    -rwxr-xr-x   1 BPXROOT  @ISZOST1   2273280 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/sudo
    lrwxrwxrwx   1 @02858   @ISCICS1         4 Feb 13 15:40 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/sudoedit -> sudo
    -rwxr-xr-x   1 BPXROOT  @ISZOST1   1146880 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/sudoreplay

    -rwsr-xr-x   1 @02858   @ISCICS1   1470464 Feb 13 11:58 /hewitt/zopentools/guild/sudo-1.9.15p5/sbin/sudo_logsrvd
    -rwsr-xr-x   1 @02858   @ISCICS1   1204224 Feb 13 11:58 /hewitt/zopentools/guild/sudo-1.9.15p5/sbin/sudo_sendlog
    -rwsr-xr-x   1 @02858   @ISCICS1   1306624 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/sbin/visudo

    bash-5.2$ sudo -V
    sudo: /hewitt/zopentools/guild/sudo-1.9.15p5/bin/sudo must be owned by uid 0 and have the setuid bit set

--

Then ran the previous instructions with chown and chmod on both the bin and sbin directories. After...

    -rwsr-xr-x   1 BPXROOT  @ISZOST1   1634304 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/cvtsudoers
    -rwsr-xr-x   1 BPXROOT  @ISZOST1   2273280 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/sudo
    lrwxrwxrwx   1 @02858   @ISCICS1         4 Feb 13 15:40 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/sudoedit -> sudo
    -rwsr-xr-x   1 BPXROOT  @ISZOST1   1146880 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/sudoreplay

    -rwsr-xr-x   1 BPXROOT  @ISZOST1   1470464 Feb 13 11:58 /hewitt/zopentools/guild/sudo-1.9.15p5/sbin/sudo_logsrvd
    -rwsr-xr-x   1 BPXROOT  @ISZOST1   1204224 Feb 13 11:58 /hewitt/zopentools/guild/sudo-1.9.15p5/sbin/sudo_sendlog
    -rwsr-xr-x   1 BPXROOT  @ISZOST1   1306624 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/sbin/visudo

    bash-5.2$ sudo -V
    Sudo version 1.9.15p5
    sudo: PERM_SUDOERS: setreuid(-1, 700100): EDC5139I Operation not permitted. (errno2=0x0B7A0000)
    sudo: unable to open /etc/sudoers: EDC5139I Operation not permitted. (errno2=0x05DA0167)
    sudo: error initializing audit plugin sudoers_audit

gngrossi commented 3 months ago

Any additional documentation needed? thanks

    bash-5.2$ pwd
    /hewitt/zopentools/guild/sudo-1.9.15p5

    bash-5.2$ bin/sudo -l
    sudo: PERM_SUDOERS: setreuid(-1, 700100): EDC5139I Operation not permitted. (errno2=0x0B7A0000)
    sudo: unable to open /etc/sudoers: EDC5139I Operation not permitted. (errno2=0x05DA0167)
    sudo: error initializing audit plugin sudoers_audit

    16:17:12 RC=(8) [SYSA] bash-5.2$ bin/sudo -V
    Sudo version 1.9.15p5
    sudo: PERM_SUDOERS: setreuid(-1, 700100): EDC5139I Operation not permitted. (errno2=0x0B7A0000)
    sudo: unable to open /etc/sudoers: EDC5139I Operation not permitted. (errno2=0x05DA0167)
    sudo: error initializing audit plugin sudoers_audit

gngrossi commented 3 months ago

From the z/OS log image

USS syslog:

    May 10 16:16:57 L98MPSYSA sudo: @02858 : unable to open /etc/sudoers : EDC5139I Operation not permitted. (errno2=0x055501B0) ; TTY=ttyp0000 ; PWD=/hewitt/zopentools/guild/sudo-1.9.15p5 ; USER=BPXROOT ;

gngrossi commented 3 months ago

Updated the etc/sudo.conf file by uncommenting the Plugin entries, which shouldn't be needed since it's the default. It looks like the plugin_dir was set incorrectly after the pax install...that was corrected. But the sudoers.so file is missing.


IgorTodorovskiIBM commented 2 months ago

Hi @gngrossi , I've changed our builds to build the sudoers statically, so there shouldn't be a .so file anymore.

gngrossi commented 2 months ago

Hello @IgorTodorovskiIBM Installed sudo-1.9.15p5.20240611_202828 and seeing the same errors as before. Also, after sourcing .env, the chmod u+s $SUDO_HOME/bin/* is missing from the NOTE.

    Setting up sudo...

    IMPORTANT NOTE: Installation of sudo is NOT COMPLETE.
    For details on sudo, see: https://www.sudo.ws/releases/stable/#1.9.15p5
    To finish installing sudo, run the following commands with elevated privileges:
      SUDO_HOME=/hewitt/zopentools/guild/sudo-1.9.15p5
      chown 0:0 $SUDO_HOME/bin/*
    Review the $SUDO_HOME/etc/sudoers file.
    Use visudo to create your own /etc/sudoers file.

    Setup completed.

IgorTodorovskiIBM commented 2 months ago

Odd, I am seeing this: [screenshot]

A few questions:

  1. Does id@02858 have access granted in the sudoers file? I have this:

    root ALL=(ALL:ALL) ALL
    ITODORO ALL=(ALL:ALL) NOPASSWD: ALL
  2. What permissions do you have for /etc/sudoers?

    ls -l /etc/sudoers
    -rw-r-----   1 BPXROOT  SYS1        3392 Jun 12 14:01 /etc/sudoers
  3. Do you have a BPXROOT id?

    id BPXROOT
    uid=0(BPXROOT) gid=0(SYS1)
  4. Do you have a id with a uid of 1?

    tsocmd 'search class(user) uid(1)'

gngrossi commented 2 months ago

Using Rocket's tools: [screenshot]

Using IBM's Ported tools: [screenshot]

My RACF userid is uid=2858(@02858). All users, including me, do not have sudo ALL.

IgorTodorovskiIBM commented 2 months ago

Are you still getting this issue?

setreuid(-1, 1): EDC5121I Invalid argument.

1 is a uid here.

Curious if you have a uid of 1 present in your system:

tsocmd 'search class(user) uid(1)'

This is the relevant code:

    /*
     * If sudoers_uid == ROOT_UID and sudoers_mode is group readable
     * we use a non-zero uid in order to avoid NFS lossage.
     * Using uid 1 is a bit bogus but should work on all OS's.
     */
    if (sudoers_uid == ROOT_UID && (sudoers_mode & S_IRGRP))
        state->euid = 1;
    else
        state->euid = sudoers_uid;

IgorTodorovskiIBM commented 2 months ago

Actually, I updated that code to this:

-   if (sudoers_uid == ROOT_UID && (sudoers_mode & S_IRGRP))
+   if (sudoers_uid == ROOT_UID && (sudoers_mode & S_IRGRP)) {
+#ifdef __MVS__
+      /* uid 1 may not exist on z/OS, find the first non-zero uid */
+      struct passwd *pwd;
+      state->euid = -1;
+      setpwent();
+      while ((pwd = getpwent()) != NULL) {
+          if (pwd->pw_uid > 0) {
+              state->euid = pwd->pw_uid;
+              break;
+          }
+      }
+      endpwent();
+#else
        state->euid = 1;
+#endif
+  }
    else
        state->euid = sudoers_uid;
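Review bot: the `__MVS__` branch takes whichever non-zero uid getpwent() happens to return first, so the euid sudo drops to depends on user-database ordering rather than on any property of the account (the trace quoted below this hunk shows it landing on 700100, an ordinary user on the reporter's sysplex), and when the scan returns no non-zero entry `state->euid` is left at -1, which turns the later setreuid(-1, -1) into a no-op and silently skips the non-root switch the comment says this code exists for. Suggest either guarding the whole `sudoers_mode & S_IRGRP` branch out under `__MVS__` so `state->euid = sudoers_uid;` is used (the behaviour the reply below attributes to the older IBM and Rocket ports), or at minimum replacing the `state->euid = -1;` fallback with `state->euid = sudoers_uid;` and logging the uid actually chosen; the loop also walks the entire user database on every sudo invocation.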

Instead of choosing a uid of 1, it finds an existing id and grabs the name. Looking at your later error messages:

sudo: PERM_SUDOERS: setreuid(-1, 700100): EDC5139I Operation not permitted. (errno2=0x0B7A0000)

The euid of 700100 is chosen. Is that a valid uid on your system?
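The rule quoted two comments up, and the z/OS change proposed for it, come down to one question a practitioner wants answered before sudo tries the switch: given the owner and mode of sudoers, which euid will sudo adopt to read it, and does that uid exist in the user database? The following is an added example, not sudo's code and not the sudoport patch, that reproduces the upstream decision as a pure function, checks the candidate against a list of known uids (the portable equivalent of the tsocmd search suggested above), and falls back to sudoers_uid, i.e. no privilege change, when the candidate is missing, which is the effect of guarding the line out. ROOT_UID and the 0440 mode mirror sudo's defaults; the uid lists used for testing are constructed and stand in for the reporter's system, which has no uid 1.

```c
/* Added example, not code from sudo or ZOSOpenTools/sudoport: which euid does
 * sudo use to open sudoers, and is it a real uid on this system? */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 600
#endif
#include <pwd.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

#define ROOT_UID 0
#define UPSTREAM_FALLBACK_UID 1   /* upstream's hard-coded "bogus but portable" uid */

/* The upstream rule, as a pure function: when sudoers is root-owned and
 * group-readable, sudo lowers its euid to a non-root uid (to survive NFS
 * root squashing); otherwise it uses the file's owner. */
uid_t choose_sudoers_euid(uid_t sudoers_uid, mode_t sudoers_mode)
{
    if (sudoers_uid == ROOT_UID && (sudoers_mode & S_IRGRP))
        return UPSTREAM_FALLBACK_UID;
    return sudoers_uid;
}

/* Existence check against a list the caller has already established, for
 * instance from the RACF search or from load_system_uids() below. */
int uid_in_list(uid_t uid, const uid_t *known, size_t nknown)
{
    for (size_t i = 0; i < nknown; i++)
        if (known[i] == uid)
            return 1;
    return 0;
}

/* Upstream's candidate when it exists; otherwise keep sudoers_uid (no uid
 * change at all), which is what the thread reports the older IBM and Rocket
 * ports achieve by guarding the line out. *fell_back lets the caller log the
 * degraded case instead of failing later with EDC5121I. */
uid_t safe_sudoers_euid(uid_t sudoers_uid, mode_t sudoers_mode,
                        const uid_t *known, size_t nknown, int *fell_back)
{
    uid_t cand = choose_sudoers_euid(sudoers_uid, sudoers_mode);
    *fell_back = 0;
    if (cand != sudoers_uid && !uid_in_list(cand, known, nknown)) {
        *fell_back = 1;
        return sudoers_uid;
    }
    return cand;
}

/* Fill out[] from the passwd database (on z/OS, the RACF OMVS segments);
 * the portable equivalent of the tsocmd search. Returns the count. */
size_t load_system_uids(uid_t *out, size_t max)
{
    size_t n = 0;
    struct passwd *pw;
    setpwent();
    while (n < max && (pw = getpwent()) != NULL)
        out[n++] = pw->pw_uid;
    endpwent();
    return n;
}

int main(void)
{
    uid_t known[4096];
    size_t n = load_system_uids(known, sizeof known / sizeof known[0]);
    int fell_back;
    /* The thread's /etc/sudoers: -r--r----- owned by BPXROOT (uid 0), i.e. 0:0440. */
    uid_t e = safe_sudoers_euid(ROOT_UID, 0440, known, n, &fell_back);
    printf("%lu uids in passwd; sudoers 0:0440 -> euid %lu%s\n",
           (unsigned long)n, (unsigned long)e,
           fell_back ? " (uid 1 missing, staying at sudoers_uid)" : "");
    return 0;
}
```

On a system where uid 1 exists the program prints euid 1, the value sudo passes to setreuid(); on a RACF system without it, the fallback branch reports that sudo would have tried a non-existent uid, which is the condition behind the EDC5121I error in the first report. Making sudoers mode 0400 instead of 0440 also avoids the switch entirely, since the rule only fires on a group-readable file.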

gngrossi commented 2 months ago

@IgorTodorovskiIBM We do not have a UID of 1.

gngrossi commented 2 months ago

@IgorTodorovskiIBM Yes, UID 700100 is being used on our sysplex.

gngrossi commented 2 months ago

@IgorTodorovskiIBM Upgraded sudo...success. Well done...thanks. I will begin testing the rules. What did you need to fix? I'm curious about the UIDs.

    bash-5.2$ sudo -V
    Sudo version 1.9.15p5
    Sudoers policy plugin version 1.9.15p5
    Sudoers file grammar version 50
    Sudoers I/O plugin version 1.9.15p5
    Sudoers audit plugin version 1.9.15p5

gngrossi commented 2 months ago

@IgorTodorovskiIBM Do you know why this syslog message is issued?


IgorTodorovskiIBM commented 2 months ago

> @IgorTodorovskiIBM Do you know why this syslog message is issued?

Assuming you don't get that message with Rocket's port?

Regarding the setreuid issue, I was checking IBM's old port and that line was guarded out - sudo's comment indicates it's to prevent "NFS lossage", I looked at Rocket's code also and they guard it out as well - probably why it worked for you.

gngrossi commented 2 months ago

@IgorTodorovskiIBM The RACF ICH408I security error occurs with the Rocket port but not with the IBM Ported tools port.


Sharing...here are the file permissions for Ported Tools sudo: [screenshot]

gngrossi commented 2 months ago

@IgorTodorovskiIBM
