hmgle / graftcp

A flexible tool for redirecting a given program's TCP traffic to SOCKS5 or HTTP proxy.
GNU General Public License v3.0
2.1k stars 173 forks

graftcp sudo does not work #11

Closed hellobbn closed 3 months ago

hellobbn commented 5 years ago

Describe the bug: graftcp sudo does not work, so graftcp yay, which uses it, will cause an error.

To Reproduce: Try the command graftcp sudo or graftcp yay

sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?

Additional context: I found some notes here

For security reasons, the setuid bit and ptrace (used to run binaries under a debugger) cannot both be honored at the same time. Failure to enforce this restriction in the past led to CVE-2001-1384.

So maybe this will not be fixed? (I am not familiar with this)

hmgle commented 5 years ago

sudo graftcp sudo will work.

hmgle commented 5 years ago

By the way, if the graftcp-local is not started by the system, you should run sudo ./graftcp-local to use sudo graftcp sudo.

hellobbn commented 5 years ago

Thanks for your reply! But some programs will fail if executed by root, like makepkg in Arch Linux; instead it will request root later. Can programs of this kind be supported?

➜ yay
[sudo] password for xxx:

hmgle commented 5 years ago

You can try this:

$ sudo graftcp bash # or zsh, fish...
$ whoami
root
$ yay

As a root, do anything you wanna do :grin:

hellobbn commented 5 years ago

Hmmmm, yes, it could work for some programs. But some force you to run as non-root; if you run them as root, they give an error immediately.

hmgle commented 5 years ago

Do you mean that the root's environment does not match the non-root's environment, so that it causes the environmental dependency error? You can try sudo -E graftcp bash.

hellobbn commented 5 years ago

Sorry, but I don't understand. Let me take makepkg as an example: if run as root:

[root@hellobbn ~]# makepkg
==> ERROR: Running makepkg as root is not allowed as it can cause permanent,
catastrophic damage to your system.

hmgle commented 5 years ago

@hellobbn Thank you for your example. I think it can be solved like this: Do not run the following script; it will elevate the privileges of the tracked process to root, which is risky.

$ sudo chown root:root graftcp
$ sudo chmod a+s graftcp
# Then you can use graftcp to trace sudo...
$ graftcp bash
➜ makepkg

bookyue commented 5 years ago

Hi, hmgle. I think hellobbn's problem was about fakeroot. It gives a fake root environment, to remove the need to become root for a package build. And graftcp can't work with it. Like yay etc.

$ graftcp yay
sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?

ManiaciaChao commented 4 years ago

@hellobbn Thank you for your example. I think it can be solved like this:

$ sudo chown root:root graftcp
$ sudo chmod a+s graftcp
# Then you can use graftcp to trace sudo...
$ graftcp bash
➜ makepkg

However, this workaround works well in almost every case. To make it easier, you can write a shell script proxy-yay like below:

#!/bin/sh
# Pass the arguments through as positional parameters so quoting survives.
graftcp sh -c 'yay "$@"' proxy-yay "$@"

Then you just need to use proxy-yay instead of yay, or set it as an alias of yay.

kabehada5s commented 2 years ago

Can I use graftcp on Alpine?

fangzhen commented 1 year ago

Hi, Error message now reads:

$ graftcp yay
sudo: The "no new privileges" flag is set, which prevents sudo from running as root.
sudo: If sudo is running in a container, you may need to adjust the container configuration to disable the flag.
 -> error refreshing databases - exit status 1

In this commit, the PR_SET_NO_NEW_PRIVS flag is set, which I think causes the new error message.

A workaround:

    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
        perror("prctl(PR_SET_NO_NEW_PRIVS)");
        exit(errno);
    }

Remove these lines, and run the command like this, which runs graftcp as root and yay as a non-root user.

sudo ./graftcp sudo -u <your-username> yay

hmgle commented 1 year ago

Thank you for your feedback.

Introducing PR_SET_NO_NEW_PRIVS indeed brings new restrictions to gain superuser privileges. I'll look into a solution to this problem. If you have any new ideas, feedback is welcome.

hmgle commented 3 months ago

@fangzhen I saw the solution implemented in strace and copied the code over. Now the command can be executed perfectly. Thanks to strace.
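
The two sudo errors in this thread come from conditions the kernel records per process; the following diagnostic is an added example (not part of the thread and not graftcp's code) that reports which of them apply to the process it runs in. The function names and BLOCK_* constants are hypothetical, /usr/bin/sudo is taken from the error message above as the default target, and a tracer only blocks setuid when it lacks CAP_SYS_PTRACE, which is why running graftcp itself as root behaves differently.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/statvfs.h>

#define BLOCK_TRACED 1 /* tracer attached; setuid ignored if it lacks CAP_SYS_PTRACE */
#define BLOCK_NNP    2 /* PR_SET_NO_NEW_PRIVS is set; exec can never gain privileges */
#define BLOCK_NOSUID 4 /* target binary lives on a nosuid mount */

/* Return the integer after "key:" in /proc/<pid>/status text, or -1 if absent. */
long status_field(const char *text, const char *key)
{
    size_t klen = strlen(key);
    for (const char *line = text; line && *line; ) {
        if (strncmp(line, key, klen) == 0 && line[klen] == ':')
            return strtol(line + klen + 1, NULL, 10);
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;
}

/* Combine the conditions that stop a setuid binary from getting euid 0. */
int setuid_blockers(const char *status_text, int fs_nosuid)
{
    int mask = 0;
    if (status_field(status_text, "TracerPid") > 0)   mask |= BLOCK_TRACED;
    if (status_field(status_text, "NoNewPrivs") == 1) mask |= BLOCK_NNP;
    if (fs_nosuid)                                    mask |= BLOCK_NOSUID;
    return mask;
}

int main(int argc, char **argv)
{
    const char *target = argc > 1 ? argv[1] : "/usr/bin/sudo";
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) { perror("/proc/self/status"); return 1; }
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    buf[n] = '\0';
    fclose(f);
    struct statvfs vfs;
    int nosuid = statvfs(target, &vfs) == 0 && (vfs.f_flag & ST_NOSUID);
    int mask = setuid_blockers(buf, nosuid);
    printf("traced=%d no_new_privs=%d nosuid_mount=%d\n",
           !!(mask & BLOCK_TRACED), !!(mask & BLOCK_NNP), !!(mask & BLOCK_NOSUID));
    return mask ? 2 : 0;
}
```

Comparing the output of the compiled binary run directly and run under graftcp shows which restriction the wrapper introduces before sudo is ever involved.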