docker / for-linux

Docker Engine for Linux
https://docs.docker.com/engine/installation/

sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges? #1100

Open markfaine opened 4 years ago

markfaine commented 4 years ago

Expected behavior

Users with valid sudoers configuration should be able to use sudo

Actual behavior

sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?

Steps to reproduce the behavior

docker run --rm -it my-namespace/ansible sudo -l

Output of docker version:

Client: Docker Engine - Community
 Version:           19.03.12
 API version:       1.40
 Go version:        go1.13.10
 Git commit:        48a66213fe
 Built:             Mon Jun 22 15:46:54 2020
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.12
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.13.10
  Git commit:       48a66213fe
  Built:            Mon Jun 22 15:45:28 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.2.13
  GitCommit:        7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc:
  Version:          1.0.0-rc10
  GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

Output of docker info:

Client:
 Debug Mode: false

Server:
 Containers: 12
  Running: 12
  Paused: 0
  Stopped: 0
 Images: 45
 Server Version: 19.03.12
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: active
  NodeID: t89xq3b5gqmd14uusi0hl8m2t
  Is Manager: true
  ClusterID: ex4x1ect904in3srt12g9zrmn
  Managers: 1
  Nodes: 1
  Default Address Pool: 10.0.0.0/8  
  SubnetSize: 24
  Data Path Port: 4789
  Orchestration:
   Task History Retention Limit: 1
  Raft:
   Snapshot Interval: 10000
   Number of Old Snapshots to Retain: 0
   Heartbeat Tick: 1
   Election Tick: 10
  Dispatcher:
   Heartbeat Period: 5 seconds
  CA Configuration:
   Expiry Duration: 3 months
   Force Rotate: 0
  Autolock Managers: false
  Root Rotation In Progress: false
  Node Address: 192.112.230.238
  Manager Addresses:
   192.112.230.238:2377
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 3.10.0-1127.19.1.el7.x86_64
 Operating System: Red Hat Enterprise Linux
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 11.73GiB
 Name: p-msfc-enms-cm
 ID: AYJU:X7NE:XFRJ:QQVO:AVFD:J7R3:WYRG:X6O2:ACKE:X2M4:TV3L:BQDL
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Additional environment details (AWS, VirtualBox, physical, etc.)

Red Hat Enterprise Linux Server release 7.8 (Maipo) vm on ESX host.
/var/lib/docker in /etc/mtab:

/dev/mapper/vg01-varvol /var/log                ext4    defaults        1 2

The container is ubuntu:latest and this is not an issue on other containers. This is the first time I've seen it.

tdwyer commented 3 years ago

Well actually, that's how sudo works...

  1. Your user executes the binary /usr/bin/sudo
  2. /usr/bin/sudo has the Sticky Bit set for the User (aka SUID) and the file is owned by the root user, so the program will run as root even though you executed it as a non-root user.
  3. /usr/bin/sudo reads the configuration files in /etc and will execute other commands as allowed by the configuration files.

So, if the file system does not support the SUID bit, /usr/bin/sudo will not run as the root user with UID 0 but instead will run as your non-root user, which is not capable of elevating its privileges.

I've never tried it but maybe if you give the /usr/bin/sudo binary CAP_ADMIN it would work?