Bug 1778361

Summary:	rpm --restore is applying incorrect file capability attributes
Product:	Red Hat Enterprise Linux 8	Reporter:	ubertux <ryangbowen>
Component:	rpm	Assignee:	Packaging Maintenance Team <packaging-team-maint>
Status:	CLOSED DUPLICATE	QA Contact:	BaseOS QE Security Team <qe-baseos-security>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	8.0	CC:	pmatilai
Target Milestone:	rc
Target Release:	8.0
Hardware:	x86_64
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2019-12-03 15:36:37 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description ubertux 2019-11-30 09:28:56 UTC

Description of problem:
I am having issues with sudo failing as regular user on a RHEL 8.0 system after running 'rpm --restore sudo' to fix permissions on files within the sudo package.

Version-Release number of selected component (if applicable):
rpm-4.14.2-11.el8_0.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Run 'rpm --restore sudo'
2. Try to 'sudo su -' as a non-root user.

Actual results:
Running 'sudo su -' as a non-root user gives the following error:
$ sudo su -
sudo: unable to change to root gid: Operation not permitted
sudo: unable to initialize policy plugin

Expected results:
'sudo su -' should give a root shell.

Additional info:
It appears that the 'rpm --restore' has amended the file capabilities attributes on files within the sudo package and this is breaking sudo for non-root users.
Compare the output of 'getcap -r / 2>/dev/null' before and after applying the 'rpm --restore':

[root@centos8 ~]# getcap -r / 2>/dev/null    # before running 'rpm --restore sudo'
/usr/bin/newgidmap = cap_setgid+ep
/usr/bin/newuidmap = cap_setuid+ep
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p
/usr/sbin/mtr-packet = cap_net_raw+ep
/tmp/backup/ping = cap_net_admin,cap_net_raw+p
[root@centos8 ~]#

[root@centos8 ~]# getcap -r / 2>/dev/null   # after running 'rpm --restore sudo'
/etc/dnf/protected.d/sudo.conf =
/etc/pam.d/sudo =
/etc/pam.d/sudo-i =
/etc/sudo-ldap.conf =
/etc/sudo.conf =
/etc/sudoers =
/usr/bin/newgidmap = cap_setgid+ep
/usr/bin/newuidmap = cap_setuid+ep
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/bin/sudo =
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/usr/bin/cvtsudoers =
/usr/bin/sudoreplay =
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p
/usr/sbin/visudo =
/usr/sbin/mtr-packet = cap_net_raw+ep
/usr/lib/tmpfiles.d/sudo.conf =
/usr/share/licenses/sudo/LICENSE =
/usr/share/doc/sudo/CONTRIBUTORS =
/usr/share/doc/sudo/HISTORY =
/usr/share/doc/sudo/NEWS =
/usr/share/doc/sudo/README =
/usr/share/doc/sudo/README.LDAP =
/usr/share/doc/sudo/TROUBLESHOOTING =
/usr/share/doc/sudo/UPGRADE =
/usr/share/doc/sudo/examples/pam.conf =
/usr/share/doc/sudo/examples/sudo.conf =
/usr/share/doc/sudo/examples/sudoers =
/usr/share/doc/sudo/examples/syslog.conf =
/usr/share/doc/sudo/schema.ActiveDirectory =
/usr/share/doc/sudo/schema.OpenLDAP =
/usr/share/doc/sudo/schema.iPlanet =
/usr/share/locale/ca/LC_MESSAGES/sudo.mo =
/usr/share/locale/ca/LC_MESSAGES/sudoers.mo =
/usr/share/locale/cs/LC_MESSAGES/sudo.mo =
/usr/share/locale/cs/LC_MESSAGES/sudoers.mo =
/usr/share/locale/da/LC_MESSAGES/sudo.mo =
/usr/share/locale/da/LC_MESSAGES/sudoers.mo =
/usr/share/locale/de/LC_MESSAGES/sudo.mo =
/usr/share/locale/de/LC_MESSAGES/sudoers.mo =
/usr/share/locale/el/LC_MESSAGES/sudoers.mo =
/usr/share/locale/eo/LC_MESSAGES/sudo.mo =
/usr/share/locale/eo/LC_MESSAGES/sudoers.mo =
/usr/share/locale/es/LC_MESSAGES/sudo.mo =
/usr/share/locale/fi/LC_MESSAGES/sudo.mo =
/usr/share/locale/fi/LC_MESSAGES/sudoers.mo =
/usr/share/locale/fr/LC_MESSAGES/sudo.mo =
/usr/share/locale/fr/LC_MESSAGES/sudoers.mo =
/usr/share/locale/fur/LC_MESSAGES/sudo.mo =
/usr/share/locale/fur/LC_MESSAGES/sudoers.mo =
/usr/share/locale/gl/LC_MESSAGES/sudo.mo =
/usr/share/locale/hr/LC_MESSAGES/sudo.mo =
/usr/share/locale/hr/LC_MESSAGES/sudoers.mo =
/usr/share/locale/hu/LC_MESSAGES/sudo.mo =
/usr/share/locale/hu/LC_MESSAGES/sudoers.mo =
/usr/share/locale/it/LC_MESSAGES/sudo.mo =
/usr/share/locale/it/LC_MESSAGES/sudoers.mo =
/usr/share/locale/ja/LC_MESSAGES/sudo.mo =
/usr/share/locale/ja/LC_MESSAGES/sudoers.mo =
/usr/share/locale/ko/LC_MESSAGES/sudo.mo =
/usr/share/locale/ko/LC_MESSAGES/sudoers.mo =
/usr/share/locale/lt/LC_MESSAGES/sudoers.mo =
/usr/share/locale/nb/LC_MESSAGES/sudo.mo =
/usr/share/locale/nb/LC_MESSAGES/sudoers.mo =
/usr/share/locale/nl/LC_MESSAGES/sudo.mo =
/usr/share/locale/nl/LC_MESSAGES/sudoers.mo =
/usr/share/locale/pl/LC_MESSAGES/sudo.mo =
/usr/share/locale/pl/LC_MESSAGES/sudoers.mo =
/usr/share/locale/pt_BR/LC_MESSAGES/sudo.mo =
/usr/share/locale/pt_BR/LC_MESSAGES/sudoers.mo =
/usr/share/locale/ru/LC_MESSAGES/sudo.mo =
/usr/share/locale/ru/LC_MESSAGES/sudoers.mo =
/usr/share/locale/sk/LC_MESSAGES/sudo.mo =
/usr/share/locale/sk/LC_MESSAGES/sudoers.mo =
/usr/share/locale/sl/LC_MESSAGES/sudo.mo =
/usr/share/locale/sl/LC_MESSAGES/sudoers.mo =
/usr/share/locale/sr/LC_MESSAGES/sudo.mo =
/usr/share/locale/sr/LC_MESSAGES/sudoers.mo =
/usr/share/locale/sv/LC_MESSAGES/sudo.mo =
/usr/share/locale/sv/LC_MESSAGES/sudoers.mo =
/usr/share/locale/tr/LC_MESSAGES/sudo.mo =
/usr/share/locale/tr/LC_MESSAGES/sudoers.mo =
/usr/share/locale/uk/LC_MESSAGES/sudo.mo =
/usr/share/locale/uk/LC_MESSAGES/sudoers.mo =
/usr/share/locale/vi/LC_MESSAGES/sudo.mo =
/usr/share/locale/vi/LC_MESSAGES/sudoers.mo =
/usr/share/locale/zh_CN/LC_MESSAGES/sudo.mo =
/usr/share/locale/zh_CN/LC_MESSAGES/sudoers.mo =
/usr/share/locale/zh_TW/LC_MESSAGES/sudo.mo =
/usr/share/locale/eu/LC_MESSAGES/sudo.mo =
/usr/share/locale/eu/LC_MESSAGES/sudoers.mo =
/usr/share/locale/nn/LC_MESSAGES/sudo.mo =
/usr/share/man/man5/sudo.conf.5.gz =
/usr/share/man/man5/sudoers.5.gz =
/usr/share/man/man5/sudoers.ldap.5.gz =
/usr/share/man/man5/sudoers_timestamp.5.gz =
/usr/share/man/man1/cvtsudoers.1.gz =
/usr/share/man/man8/sudo.8.gz =
/usr/share/man/man8/sudoreplay.8.gz =
/usr/share/man/man8/visudo.8.gz =
/usr/libexec/sudo/group_file.so =
/usr/libexec/sudo/libsudo_util.so.0.0.0 =
/usr/libexec/sudo/sesh =
/usr/libexec/sudo/sudo_noexec.so =
/usr/libexec/sudo/sudoers.so =
/usr/libexec/sudo/system_group.so =
/tmp/backup/ping = cap_net_admin,cap_net_raw+p


The issue isn't limited to the sudo package; I get similar behaviour when running the 'rpm --restore' on other packages. I believe that this is a bug in rpm.

Permissions on the sudo binary are the same before and after running the restore command, so it looks like the capability attributes are the cause of sudo failing:

[root@centos8 ~]# ls -laZ /usr/bin/sudo    # before running 'rpm --restore sudo'
---s--x--x. 1 root root system_u:object_r:sudo_exec_t:s0 166056 May 11  2019 /usr/bin/sudo
[root@centos8 ~]# 

[root@centos8 ~]# ls -laZ /usr/bin/sudo   # after running 'rpm --restore sudo'
---s--x--x. 1 root root system_u:object_r:sudo_exec_t:s0 166056 May 11  2019 /usr/bin/sudo
[root@centos8 ~]# 

Versions of rpm and sudo are as follows:

[root@centos8 ~]# rpm -qa | egrep  '^rpm-|sudo'
rpm-build-libs-4.14.2-11.el8_0.x86_64
libsss_sudo-2.0.0-43.el8_0.3.x86_64
rpm-plugin-systemd-inhibit-4.14.2-11.el8_0.x86_64
rpm-libs-4.14.2-11.el8_0.x86_64
rpm-plugin-selinux-4.14.2-11.el8_0.x86_64
rpm-ostree-libs-2018.8-2.el8.0.1.x86_64
rpm-4.14.2-11.el8_0.x86_64
sudo-1.8.25p1-4.el8.x86_64


I originally reported this issue on a Centos 8 system (see https://www.centos.org/forums/viewtopic.php?f=54&t=72663).

Comment 1 ubertux 2019-11-30 13:03:07 UTC

Some additional information:

I've run 'rpm --setugids sudo' and this sets the correct capabilities on the files but it sets incorrect permissions (note the lack of suid on /usr/bin/sudo):

[root@rhel8 ~]# ls -laZ /usr/bin/sudo
---s--x--x. 1 root root system_u:object_r:sudo_exec_t:s0 166064 Aug 19 13:15 /usr/bin/sudo
[root@rhel8 ~]# rpm --setugids sudo
[root@rhel8 ~]# ls -laZ /usr/bin/sudo
---x--x--x. 1 root root system_u:object_r:sudo_exec_t:s0 166064 Aug 19 13:15 /usr/bin/sudo


Attempting to 'sudo su -' as a non-root user at this point gives the following error:

$ sudo su -
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
$ 


Running 'rpm --setperms sudo' at this point sets the right permissions and I am able to 'sudo su -' as a non-root user:

[root@rhel8 ~]# rpm --setperms sudo
[root@rhel8 ~]# ls -laZ /usr/bin/sudo
---s--x--x. 1 root root system_u:object_r:sudo_exec_t:s0 166064 Aug 19 13:15 /usr/bin/sudo

Order seems important. Running 'setperms' before 'setugids' fixes permissions but doesn't fix capabilities. 'setugids' then sets incorrect file permissions by not setting the suid bit.

Comment 2 Panu Matilainen 2019-12-03 15:36:37 UTC


*** This bug has been marked as a duplicate of bug 1700920 ***