If we are not running with an effective uid of 0, try to give the

user enough information to debug the problem.
2012-03-27 13:57:03 -04:00
parent 12422f928c
commit 2f30694b87
2 changed files with 51 additions and 5 deletions
--- a/doc/TROUBLESHOOTING
+++ b/doc/TROUBLESHOOTING
@@ -16,9 +16,27 @@ A) As part of the build process, sudo creates a temporary library containing
   you may need to install the SUNWbtool package.  On other systems
   "ar" may be included in the GNU binutils package.

-Q) Sudo compiles but when I run it I get "Sorry, sudo must be setuid root."
-   and sudo quits.
-A) Sudo must be setuid root to do its work.  You need to do something like
+Q) Sudo compiles and installs OK but when I try to run it I get:
+   /usr/local/bin/sudo must be owned by uid 0 and have the setuid bit set
+A) Sudo must be setuid root to do its work.  Either /usr/local/bin/sudo
+   is not owned by uid 0 or the setuid bit is not set.  This should have
+   been done for you by "make install" but you can fix it manually by
+   running the following as root:
+    # chown root /usr/local/bin/sudo; chmod 4111 /usr/local/bin/sudo
+
+Q) Sudo compiles and installs OK but when I try to run it I get:
+    effective uid is not 0, is /usr/local/bin/sudo on a file system with the
+    'nosuid' option set or an NFS file system without root privileges?
+A) The owner and permissions on the sudo binary appear to be OK but when
+   sudo ran, the setuid bit did not have an effect.  There are two common
+   causes for this.  The first is that the file system the sudo binary
+   is located on is mounted with the 'nosuid' mount option, which disables
+   setuid binaries.  The other is that sudo is installed on an NFS-mounted
+   file system that is exported without root privileges.  By default, NFS
+   file systems are exported with uid 0 mapped to a non-privileged uid
+   (usually -2).
+
+You need to do something like
   `chmod 4111 /usr/local/bin/sudo'.  Also, the file system sudo resides
   on must *not* be mounted (or exported) with the nosuid option or sudo
   will not be able to work.  Another possibility is you may have '.' in
--- a/src/sudo.c
+++ b/src/sudo.c
@@ -112,6 +112,7 @@ static int sudo_mode;
 */
 static void fix_fds(void);
 static void disable_coredumps(void);
+static void sudo_check_suid(const char *path);
 static char **get_user_info(struct user_details *);
 static void command_info_to_details(char * const info[],
    struct command_details *details);
@@ -185,8 +186,8 @@ main(int argc, char *argv[], char *envp[])
 # endif
 #endif /* HAVE_GETPRPWNAM && HAVE_SET_AUTH_PARAMETERS */

-    if (geteuid() != 0)
-	errorx(1, _("must be setuid root"));
+    /* Make sure we are setuid root. */
+    sudo_check_suid(argv[0]);

    /* Reset signal mask and make sure fds 0-2 are open. */
    (void) sigemptyset(&mask);
@@ -720,6 +721,33 @@ command_info_to_details(char * const info[], struct command_details *details)
    debug_return;
 }

+static void
+sudo_check_suid(const char *path)
+{
+    struct stat sb;
+    debug_decl(sudo_check_suid, SUDO_DEBUG_PCOMM)
+
+    if (geteuid() != 0) {
+	if (strchr(path, '/') != NULL && stat(path, &sb) == 0) {
+	    /* Try to determine why sudo was not running as root. */
+	    if (sb.st_uid != ROOT_UID || !ISSET(sb.st_mode, S_ISUID)) {
+		errorx(1,
+		    _("%s must be owned by uid %d and have the setuid bit set"),
+		    path, ROOT_UID);
+	    } else {
+		errorx(1, _("effective uid is not %d, is %s on a file system "
+		    "with the 'nosuid' option set or an NFS file system without"
+		    " root privileges?"), ROOT_UID, path);
+	    }
+	} else {
+	    errorx(1,
+		_("effective uid is not %d, is sudo installed setuid root?"),
+		ROOT_UID);
+	}
+    }
+    debug_return;
+}
+
 /*
 * Disable core dumps to avoid dropping a core with user password in it.
 * We will reset this limit before executing the command.