Open gngrossi opened 1 year ago
sudo: error initializing audit plugin sudoers_audit Missing the sudoers.so file?
--
RC=(0) [SYSA] bash-5.2$ pwd
/hewitt/zopentools/guild/sudo-1.9.13p3/libexec/sudo
RC=(0) [SYSA] bash-5.2$ ls -l
total 0
Thanks @gngrossi, appreciate the feedback. At the moment, I'm working on upstreaming Bash. How high of a priority are these sudo issues to you?
sudo is a low priority...no rush. thanks
bash-5.2$ sudo -V
Sudo version 1.9.13p3
sudo: PERM_SUDOERS: setreuid(-1, 1): EDC5121I Invalid argument.
sudo: no valid sudoers sources found, quitting
sudo: error initializing audit plugin sudoers_audit

bash-5.2$ ls -l /etc/sudoers
-r--r----- 1 BPXROOT @ISZOST1 7149 Jun 21 11:27 /etc/sudoers

bash-5.2$ sudo -V
Sudo version 1.9.13p3
sudo: PERM_SUDOERS: setreuid(-1, 1): EDC5121I Invalid argument.
sudo: no valid sudoers sources found, quitting
sudo: error initializing audit plugin sudoers_audit

We currently are running sudo using the older Ported Tools version.
bash-5.2$ /usr/lpp/ported/bin/sudo -V
Sudo version 1.7.2p2
--
bash-5.2$ ls -l /SYSA/etc/sudoers
-r--r----- 1 BPXROOT @ISZOST1 7149 Jun 21 11:27 /SYSA/etc/sudoers

bash-5.2$ which sudo
/hewitt/zopentools/guild/sudo-1.9.13p3/bin/sudo

bash-5.2$ sudo -V
Sudo version 1.9.13p3
sudo: PERM_SUDOERS: setreuid(-1, 1): EDC5121I Invalid argument.
sudo: no valid sudoers sources found, quitting
sudo: error initializing audit plugin sudoers_audit
Installed the latest pax file.
bash-5.2$ sudo -V
Sudo version 1.9.13p3
sudo: PERM_SUDOERS: setreuid(-1, 1): EDC5121I Invalid argument.
sudo: no valid sudoers sources found, quitting
sudo: error initializing audit plugin sudoers_audit
Is there additional information I can provide? thanks
Installed the latest pax file. Followed the instructions regarding the chown and chmod commands. I did not copy to /usr/bin and /usr/sbin
Setup completed.
I used the previous instructions.
$ chown 0:0 /hewitt/zopentools/guild/sudo-1.9.13p3/bin/
$ chmod u+s /hewitt/zopentools/guild/sudo-1.9.13p3/bin/

bash-5.2$ ls -l /hewitt/zopentools/guild/sudo-1.9.13p3/bin/
-rwsr-xr-x 1 BPXROOT @ISZOST1 1552384 Oct 5 10:54 /hewitt/zopentools/guild/sudo-1.9.13p3/bin/cvtsudoers
-rwsr-xr-x 1 BPXROOT @ISZOST1 2019328 Oct 5 10:54 /hewitt/zopentools/guild/sudo-1.9.13p3/bin/sudo
lrwxrwxrwx 1 @02858 @ISCICS1 4 Oct 27 15:14 /hewitt/zopentools/guild/sudo-1.9.13p3/bin/sudoedit -> sudo
-rwsr-xr-x 1 BPXROOT @ISZOST1 1052672 Oct 5 10:54 /hewitt/zopentools/guild/sudo-1.9.13p3/bin/sudoreplay
-rwsr-xr-x 1 BPXROOT @ISZOST1 1282048 Oct 5 10:53 /hewitt/zopentools/guild/sudo-1.9.13p3/sbin/sudo_logsrvd
-rwsr-xr-x 1 BPXROOT @ISZOST1 1105920 Oct 5 10:53 /hewitt/zopentools/guild/sudo-1.9.13p3/sbin/sudo_sendlog
-rwsr-xr-x 1 BPXROOT @ISZOST1 1257472 Oct 5 10:54 /hewitt/zopentools/guild/sudo-1.9.13p3/sbin/visudo
Is there any additional documentation I need to provide? thanks
Installed the latest pax file. Followed the post install instructions and ran the chown and chmod with elevated privileges.
Before...
-rwxr-xr-x 1 @02858 @ISCICS1 1634304 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/cvtsudoers
-rwxr-xr-x 1 @02858 @ISCICS1 2273280 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/sudo
lrwxrwxrwx 1 @02858 @ISCICS1 4 Feb 13 15:40 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/sudoedit -> sudo
-rwxr-xr-x 1 @02858 @ISCICS1 1146880 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/sudoreplay
-rwxr-xr-x 1 @02858 @ISCICS1 1470464 Feb 13 11:58 /hewitt/zopentools/guild/sudo-1.9.15p5/sbin/sudo_logsrvd
-rwxr-xr-x 1 @02858 @ISCICS1 1204224 Feb 13 11:58 /hewitt/zopentools/guild/sudo-1.9.15p5/sbin/sudo_sendlog
-rwxr-xr-x 1 @02858 @ISCICS1 1306624 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/sbin/visudo

After...
-rwxr-xr-x 1 BPXROOT @ISZOST1 1634304 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/cvtsudoers
-rwxr-xr-x 1 BPXROOT @ISZOST1 2273280 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/sudo
lrwxrwxrwx 1 @02858 @ISCICS1 4 Feb 13 15:40 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/sudoedit -> sudo
-rwxr-xr-x 1 BPXROOT @ISZOST1 1146880 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/sudoreplay
-rwsr-xr-x 1 @02858 @ISCICS1 1470464 Feb 13 11:58 /hewitt/zopentools/guild/sudo-1.9.15p5/sbin/sudo_logsrvd
-rwsr-xr-x 1 @02858 @ISCICS1 1204224 Feb 13 11:58 /hewitt/zopentools/guild/sudo-1.9.15p5/sbin/sudo_sendlog
-rwsr-xr-x 1 @02858 @ISCICS1 1306624 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/sbin/visudo

bash-5.2$ sudo -V
sudo: /hewitt/zopentools/guild/sudo-1.9.15p5/bin/sudo must be owned by uid 0 and have the setuid bit set
--
Then ran the previous instructions with chown and chmod on both the bin and sbin directories.

After...
-rwsr-xr-x 1 BPXROOT @ISZOST1 1634304 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/cvtsudoers
-rwsr-xr-x 1 BPXROOT @ISZOST1 2273280 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/sudo
lrwxrwxrwx 1 @02858 @ISCICS1 4 Feb 13 15:40 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/sudoedit -> sudo
-rwsr-xr-x 1 BPXROOT @ISZOST1 1146880 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/sudoreplay
-rwsr-xr-x 1 BPXROOT @ISZOST1 1470464 Feb 13 11:58 /hewitt/zopentools/guild/sudo-1.9.15p5/sbin/sudo_logsrvd
-rwsr-xr-x 1 BPXROOT @ISZOST1 1204224 Feb 13 11:58 /hewitt/zopentools/guild/sudo-1.9.15p5/sbin/sudo_sendlog
-rwsr-xr-x 1 BPXROOT @ISZOST1 1306624 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/sbin/visudo

bash-5.2$ sudo -V
Sudo version 1.9.15p5
sudo: PERM_SUDOERS: setreuid(-1, 700100): EDC5139I Operation not permitted. (errno2=0x0B7A0000)
sudo: unable to open /etc/sudoers: EDC5139I Operation not permitted. (errno2=0x05DA0167)
sudo: error initializing audit plugin sudoers_audit
Any additional documentation needed? thanks
bash-5.2$ pwd
/hewitt/zopentools/guild/sudo-1.9.15p5

bash-5.2$ bin/sudo -l
sudo: PERM_SUDOERS: setreuid(-1, 700100): EDC5139I Operation not permitted. (errno2=0x0B7A0000)
sudo: unable to open /etc/sudoers: EDC5139I Operation not permitted. (errno2=0x05DA0167)
sudo: error initializing audit plugin sudoers_audit

16:17:12 RC=(8) [SYSA] bash-5.2$ bin/sudo -V
Sudo version 1.9.15p5
sudo: PERM_SUDOERS: setreuid(-1, 700100): EDC5139I Operation not permitted. (errno2=0x0B7A0000)
sudo: unable to open /etc/sudoers: EDC5139I Operation not permitted. (errno2=0x05DA0167)
sudo: error initializing audit plugin sudoers_audit
From the z/OS log
USS syslog
May 10 16:16:57 L98MPSYSA sudo: @02858 : unable to open /etc/sudoers : EDC5139I Operation not permitted. (errno2=0x055501B0) ; TTY=ttyp0000 ; PWD=/hewitt/zopentools/guild/sudo-1.9.15p5 ; USER=BPXROOT ;
Updated the etc/sudo.conf file by uncommenting the Plugin entries which shouldn't be needed since it's the default. It looks like the plugin_dir was set incorrectly after the pax install...that was corrected. But the sudoers.so file is missing.
Hi @gngrossi, I've changed our builds to build the sudoers statically, so there shouldn't be a .so file anymore.
Hello @IgorTodorovskiIBM Installed sudo-1.9.15p5.20240611_202828 and seeing the same errors as before. Also, after sourcing .env, the chmod u+s $SUDO_HOME/bin/* is missing from the NOTE.
Setup completed.
Odd, I am seeing this:
A few questions:
Does id @02858 have access granted in the sudoers file?
I have this:
root ALL=(ALL:ALL) ALL
ITODORO ALL=(ALL:ALL) NOPASSWD: ALL
What permissions do you have for /etc/sudoers?
ls -l /etc/sudoers
-rw-r----- 1 BPXROOT SYS1 3392 Jun 12 14:01 /etc/sudoers
Do you have a BPXROOT id?
id BPXROOT
uid=0(BPXROOT) gid=0(SYS1)
Do you have an id with a uid of 1?
tsocmd 'search class(user) uid(1)'
Using Rocket's tools
Using IBM's Ported tools
My RACF userid is uid=2858(@02858). All users, including me, do not have sudo ALL.
Are you still getting this issue?
setreuid(-1, 1): EDC5121I Invalid argument.
1 is a uid here.
Curious if you have a uid of 1 present in your system:
tsocmd 'search class(user) uid(1)'
This is the relevant code:
    /*
     * If sudoers_uid == ROOT_UID and sudoers_mode is group readable
     * we use a non-zero uid in order to avoid NFS lossage.
     * Using uid 1 is a bit bogus but should work on all OS's.
     */
    if (sudoers_uid == ROOT_UID && (sudoers_mode & S_IRGRP))
        state->euid = 1;
    else
        state->euid = sudoers_uid;
Actually, I updated that code to this:
- if (sudoers_uid == ROOT_UID && (sudoers_mode & S_IRGRP))
+ if (sudoers_uid == ROOT_UID && (sudoers_mode & S_IRGRP)) {
+#ifdef __MVS__
+ /* uid 1 may not exist on z/OS, find the first non-zero uid */
+ struct passwd *pwd;
+ state->euid = -1;
+ setpwent();
+ while ((pwd = getpwent()) != NULL) {
+ if (pwd->pw_uid > 0) {
+ state->euid = pwd->pw_uid;
+ break;
+ }
+ }
+ endpwent();
+#else
state->euid = 1;
+#endif
+ }
else
state->euid = sudoers_uid;
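Review bot: In the `#ifdef __MVS__` branch, `state->euid` stays at -1 when `getpwent()` returns no entry with a non-zero uid, and nothing in the hunk handles that case after `endpwent()`; fall back to `sudoers_uid` or fail explicitly there. The first non-zero uid in enumeration order is also an arbitrary existing account, and the error quoted elsewhere in this thread (`setreuid(-1, 700100): EDC5139I Operation not permitted`) shows the switch to such a uid can still be refused, so consider guarding the uid-1 workaround out on z/OS and using `state->euid = sudoers_uid;` instead, which the discussion says the other ports do. As a smaller point, `pwd->pw_uid != ROOT_UID` states the intent more directly than `pwd->pw_uid > 0`.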
Instead of choosing uid of 1, it finds an existing id and grabs the name. Looking at your later error messages:
sudo: PERM_SUDOERS: setreuid(-1, 700100): EDC5139I Operation not permitted. (errno2=0x0B7A0000)
The euid of 700100 is chosen. Is that a valid uid on your system?
@IgorTodorovskiIBM We do not have a UID of 1.
@IgorTodorovskiIBM Yes, UID 700100 is being used on our sysplex.
@IgorTodorovskiIBM Upgraded sudo...success. Well done...thanks. I will begin testing the rules. What did you need to fix? I'm curious about the UIDs.
bash-5.2$ sudo -V
Sudo version 1.9.15p5
Sudoers policy plugin version 1.9.15p5
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.15p5
Sudoers audit plugin version 1.9.15p5
@IgorTodorovskiIBM Do you know why this syslog message is issued?
Assuming you don't get that message with Rocket's port?
Regarding the setreuid issue, I was checking IBM's old port and that line was guarded out - sudo's comment indicates it's to prevent "NFS lossage", I looked at Rocket's code also and they guard it out as well - probably why it worked for you.
@IgorTodorovskiIBM The RACF ICH408I security error occurs with the Rocket port but not with the IBM Ported tools port.
Sharing...here are the file permissions for Ported Tools sudo:
@IgorTodorovskiIBM
RC=(0) [SYSA] bash-5.2$ sudo -V
Sudo version 1.9.13p3
sudo: PERM_SUDOERS: setreuid(-1, 1): EDC5121I Invalid argument.
sudo: no valid sudoers sources found, quitting
sudo: error initializing audit plugin sudoers_audit
--
/hewitt/zopentools/guild/sudo-1.9.13p3
RC=(0) [SYSA] bash-5.2$ ls -E bin
bin:
total 9072
-rwsr-xr-x --s- 1 BPXROOT @ISZOST1 1552384 May 23 21:35 cvtsudoers
-rwsr-xr-x --s- 1 BPXROOT @ISZOST1 2015232 May 23 21:35 sudo
lrwxrwxrwx 1 @02858 @ISCICS1 4 May 24 15:47 sudoedit -> sudo
-rwsr-xr-x --s- 1 BPXROOT @ISZOST1 1048576 May 23 21:35 sudoreplay

sbin:
total 7184
-rwsr-xr-x --s- 1 BPXROOT @ISZOST1 1282048 May 23 21:34 sudo_logsrvd
-rwsr-xr-x --s- 1 BPXROOT @ISZOST1 1105920 May 23 21:35 sudo_sendlog
-rwsr-xr-x --s- 1 BPXROOT @ISZOST1 1257472 May 23 21:35 visudo
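
The uid selection discussed in this thread can be checked on a system before installing a build: the following is an added example, not code from sudo or from any participant, that applies the pre-patch condition quoted above to a sudoers file and reports whether the resulting euid has a user entry. The function names `sudoers_read_euid` and `sudoers_euid_problem` are hypothetical, and the file's owner and mode on disk are assumed to match the values sudo is configured to expect.

```c
#include <pwd.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

#define ROOT_UID 0

/* Same condition as the snippet quoted in the thread, before the patch. */
uid_t sudoers_read_euid(uid_t sudoers_uid, mode_t sudoers_mode)
{
    if (sudoers_uid == ROOT_UID && (sudoers_mode & S_IRGRP))
        return 1;
    return sudoers_uid;
}

/*
 * Returns 1 when the euid chosen above is non-root and has no user entry
 * (the uid 1 case reported in the thread), 0 otherwise. euid_known is the
 * result of a getpwuid() lookup, passed in so the decision is testable.
 */
int sudoers_euid_problem(uid_t sudoers_uid, mode_t sudoers_mode, int euid_known)
{
    uid_t euid = sudoers_read_euid(sudoers_uid, sudoers_mode);

    if (euid == ROOT_UID)
        return 0;
    return euid_known ? 0 : 1;
}

int main(int argc, char **argv)
{
    /* Hypothetical usage: pass the sudoers path, default /etc/sudoers. */
    const char *path = argc > 1 ? argv[1] : "/etc/sudoers";
    struct stat sb;

    if (stat(path, &sb) != 0) {
        perror(path);
        return 2;
    }
    /* Assumption: the file's owner and mode match sudo's configured values. */
    uid_t euid = sudoers_read_euid(sb.st_uid, sb.st_mode);
    int known = getpwuid(euid) != NULL;

    printf("%s: owner uid %lu, mode %04o\n", path,
           (unsigned long)sb.st_uid, (unsigned)(sb.st_mode & 07777));
    printf("euid used to read it: %lu (%s)\n", (unsigned long)euid,
           known ? "user entry found" : "no user entry");
    return sudoers_euid_problem(sb.st_uid, sb.st_mode, known);
}
```

An exit status of 1 corresponds to the situation in the first report: a root-owned, group-readable sudoers file on a system with no uid 1.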