ophub / amlogic-s9xxx-armbian

Support for Armbian in Amlogic, Rockchip and Allwinner boxes. Support a311d, s922x, s905x3, s905x2, s912, s905d, s905x, s905w, s905, s905l, rk3588, rk3568, rk3399, rk3328, h6, etc.
GNU General Public License v2.0

Filesystem permission error: sudo not working #22

Closed NewbieOrange closed 2 years ago

NewbieOrange commented 2 years ago

The latest version (11.14 buster) seems to break some file permissions, not sure if this is from upstream (armbian).

Older version works fine (11.06 buster).

sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set

ophub commented 2 years ago

What box and which firmware is installed? What is the specific performance? Take a screenshot and give feedback about the error.

NewbieOrange commented 2 years ago

Using a t95z plus box with S912 3/32, installed Armbian_21.11.0_Aml_s912_buster_5.10.79_2021.11.14.0059.img.gz.

Can be reproduced by simply typing sudo as a non-root user. The issue was not in the build from a week ago.

The issue can be mitigated by chmod 4755 /usr/lib/sudo/sudoers.so but there are other permission issues (systemctl exited with error instead of asking for password to run as root)

The error was the exact line about sudo must be owned by uid 0, no other error messages.

Note: armbian is on sd card, not installed to emmc.

ophub commented 2 years ago

cat /boot/uEnv.txt

cat /etc/armbian-aml-release

Check it out and send it to me, the first time I saw this box.

NewbieOrange commented 2 years ago

chengzi@armbian:~$ cat /boot/uEnv.txt
LINUX=/zImage
INITRD=/uInitrd
FDT=/dtb/amlogic/meson-gxm-octopus-planet.dtb
APPEND=root=LABEL=ROOTFS rootflags=data=writeback rw console=ttyAML0,115200n8 console=tty0 no_console_suspend consoleblank=0 fsck.fix=yes fsck.repair=yes net.ifnames=0 cgroup_enable=cpuset cgroup_memory=1 cgroup_enable=memory swapaccount=1
chengzi@armbian:~$ cat /etc/armbian-aml-release 
FDTFILE='meson-gxm-octopus-planet.dtb'
U_BOOT_EXT='1'
UBOOT_OVERLOAD='u-boot-zyxq.bin'
MAINLINE_UBOOT=''
ANDROID_UBOOT=''
KERNEL_VERSION=''
SOC='s912'
K510='1'

Note that I am using the s905-s912 uboot as uboot.ext (the default zyxq.bin cannot boot from sd card on this device), and it reads config from /boot/extlinux. The extlinux config has been modified to load the custom meson-gxm-t95z-plus.dtb.

Also I have reverted the armbian/build repo back to a commit from a week ago, and the issue is still present.

ophub commented 2 years ago

Run under root user:

chown root:root /usr/bin/sudo
chmod 4755 /usr/bin/sudo
chown 0 /usr/lib/sudo/sudoers.so
chmod 644 /usr/lib/sudo/sudoers.so

Try if it can solve the problem.

ophub commented 2 years ago

Example to create a new user abc:

groupadd abc
useradd -m abc -g abc -s /bin/bash -d /home/abc
passwd abc

vim /etc/sudoers

# User privilege specification
root ALL=(ALL) ALL
abc ALL=(ALL) ALL

ophub commented 2 years ago

Can you share your /boot/extlinux, meson-gxm-t95z-plus.dtb, s905-s912 uboot, and other modified files?

NewbieOrange commented 2 years ago

Run under root user:

chown root:root /usr/bin/sudo
chmod 4755 /usr/bin/sudo
chown 0 /usr/lib/sudo/sudoers.so
chmod 644 /usr/lib/sudo/sudoers.so

Try if it can solve the problem.

This indeed fixed sudo, however there seems to be a wider issue (systemctl not working without root or sudo, for example).

I compiled older commits and still no good, not sure what went wrong.

/boot/extlinux/extlinux.conf

LABEL Armbian
LINUX /zImage
INITRD /uInitrd
# aml s9xxx
FDT /dtb/amlogic/meson-gxm-t95z-plus.dtb
APPEND root=LABEL=ROOTFS rootflags=data=writeback rw console=ttyAML0,115200n8 console=tty0 no_console_suspend consoleblank=0 fsck.fix=yes fsck.repair=yes net.ifnames=0

The uboot is copied from the compiled image (u-boot-s905x-s912.bin).

Here is the custom dtb. USB port 1 is set to otg and not tested, the others seem to be working fine (WiFi/1Gbe/etc.) meson-gxm-t95z-plus.zip

NewbieOrange commented 2 years ago

There are multiple variants of t95z plus with different 1Gbe nic and wireless card, so this dtb file will not work for all devices.

NewbieOrange commented 2 years ago

I am still trying to figure out what has changed between today's image and a few days ago's. Even after I cloned the older commit (both this repo and armbian/build) the output image still cannot sudo properly, very confusing.

Also systemctl is not working as expected (after using chown and chmod to fix sudo):

chengzi@armbian:~$ systemctl enable armbian-resize-filesystem.service 
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-unit-files ===
Authentication is required to manage system service or unit files.
Authenticating as: chengzi,,, (chengzi)
polkit-agent-helper-1: needs to be setuid root
Error: Incorrect permissions on /usr/libexec/polkit-agent-helper-1 (needs to be setuid root)
==== AUTHENTICATION FAILED ===

Seems the filesystem permission is kinda broken to me.

ophub commented 2 years ago

According to user feedback from tx3mini, u-boot-s905x-s912.bin can be used to read /boot/uEnv.txt to start. Have you tested the boot file u-boot-p212.bin?

ophub commented 2 years ago

My packaging just changed the official img file from 1 partition into 2 partitions. The changed files are in these two directories: /boot and /usr/lib/modules. The other files are basically official source files.

ophub commented 2 years ago

For non-root users, to use system services, you can add sudo

NewbieOrange commented 2 years ago

For non-root users, to use system services, you can add sudo

Yes, but systemctl should prompt for password without sudo if polkit-agent-helper-1 has setuid root.

NewbieOrange commented 2 years ago

According to user feedback from tx3mini, u-boot-s905x-s912.bin can be used to read /boot/uEnv.txt to start. Have you tested the boot file u-boot-p212.bin?

Without /boot/extlinux the bootloader tried to load stuff from eth and failed. u-boot-p212.bin is not booting.

NewbieOrange commented 2 years ago

I pulled 6593d77, which fixed sudo for me. systemctl needs chmod 4755 /usr/libexec/polkit-agent-helper-1.

Still not sure why this is happening, and if there are any more permission fixes needed.
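
The ownership and mode fixes applied one by one in this thread can be checked in a single pass, on the running system or on a mounted image before flashing. The script below is an added example, not part of the original discussion or the project's code; the paths and modes are those the thread's chown/chmod commands set, while the function names and the optional root-directory argument are assumptions. It needs GNU stat.

```shell
#!/bin/sh
# Added example (not from the thread). Paths and modes are the ones the thread's
# chown/chmod fixes set; function names and the ROOT argument are assumptions.
# Requires GNU stat (coreutils), as shipped on Armbian.

EXPECTED='/usr/bin/sudo 4755
/usr/lib/sudo/sudoers.so 644
/usr/libexec/polkit-agent-helper-1 4755'

# check_file ROOT PATH MODE UID: print a finding and return 1 on any mismatch.
check_file() {
    f="$1$2"
    if [ ! -e "$f" ]; then
        echo "MISSING $2"
        return 1
    fi
    mode=$(stat -c '%a' "$f")    # octal mode, e.g. 4755 when setuid is set
    owner=$(stat -c '%u' "$f")   # numeric uid, valid on a mounted image too
    rc=0
    [ "$owner" = "$4" ] || { echo "OWNER $2 uid=$owner want=$4"; rc=1; }
    [ "$mode" = "$3" ] || { echo "MODE $2 mode=$mode want=$3"; rc=1; }
    return "$rc"
}

# audit ROOT [UID]: check every EXPECTED entry; exit status = number of bad files.
audit() {
    bad=0
    while read -r p want; do
        check_file "$1" "$p" "$want" "${2:-0}" || bad=$((bad + 1))
    done <<EOF
$EXPECTED
EOF
    return "$bad"
}

# Live system: sh audit.sh --run      Mounted image: sh audit.sh --run /mnt/rootfs
if [ "${1:-}" = "--run" ]; then
    audit "${2:-}" 0
fi
```

A non-zero exit status is the number of entries that are missing, not owned by uid 0, or carrying the wrong mode.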

ophub commented 2 years ago

Add your user to the root group: usermod -g root abc

NewbieOrange commented 2 years ago

Add your user to the root group: usermod -g root abc

This does not sound very safe to me. After fixing /usr/libexec/polkit-agent-helper-1 file permission, systemctl works without being root if you are sudoer.

ophub commented 2 years ago

This permission modification is safe. Already added.

NewbieOrange commented 2 years ago

This permission modification is safe. already added.

Fixed all issues I have encountered so far! Thanks

ophub commented 2 years ago

@NewbieOrange

According to your introduction and shared dtb, I added support for s912-t95z-plus separately in the armbian default compilation e390b65. Please confirm whether the following is correct.

If so, please confirm whether it is used in openwrt and whether such modification is also required?

NewbieOrange commented 2 years ago

LGTM. The t95z image is working flawlessly.

I don't use this box for openwrt, but I would guess the modification is required for openwrt too.

ophub commented 2 years ago

You are the first friend to use this device. If you are free, I hope you can help me test whether the current OpenWrt of s912 can be started from usb on your device.

If it can't start, you can try to modify the boot file of OpenWrt according to the modification method of armbian, and test whether it can be booted in usb.

NewbieOrange commented 2 years ago

This seems to have been broken again, with even more errors about sudo permissions.

NewbieOrange commented 2 years ago

This seems to have been broken again, with even more errors about sudo permissions.

Nevermind, I downloaded the wrong file.

ophub commented 2 years ago

@NewbieOrange Hello, do you have the dts source code of the file meson-gxm-t95z-plus.dtb?

NewbieOrange commented 2 years ago

@ophub No, but it is modified based on decompiled source from meson-gxm-octopus-planet.dtb. Decompiling both and comparing them will show the changes I made.

392377870 commented 2 years ago

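@ophub No, but it is modified based on decompiled source from meson-gxm-octopus-planet.dtb. Decompiling both and comparing them will show the changes I made.

Can yours be written to emmc? I used your dtb and both the network card and wireless work fine, but I just cannot write to emmc. Mine is the t95z max model.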

NewbieOrange commented 2 years ago

@392377870 I have not tried emmc.

392377870 commented 2 years ago

@392377870 I have not tried emmc.

Is there a way to adapt a dts extracted from Android to armbian?