
Thread: SOLVED: After upgrade from 15.0 sudo not working (su - and kdesu works)

  1. #1


    I have recently upgraded from Leap 15 to Leap 15.1.
    Since the upgrade, sudo no longer accepts the password (neither from root with targetpw enabled nor from the user when it isn't).
    su - and kdesu both work as expected.

    Example:

    Code:
    $ sudo -i
    [sudo] password for root:  
    Sorry, try again. 
    [sudo] password for root:  
    Sorry, try again. 
    [sudo] password for root:  
    sudo: unable to send audit message: Operation not permitted 
    sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted 
    sudo: 3 incorrect password attempts 
    $ su -    
    Password:  
    $

    What I have tried so far:


    1. Change password (with passwd) for both root and my user
    2. Reinstall sudo and completely reset the sudoers file (sudo does not take the root password), as above
    3. Edit sudoers to allow users in the wheel group to sudo with their password. It then fails with a permission error like below:
      Code:
      $ sudo -i
      [sudo] password for aaccioly: 
      sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
      sudo: unable to send audit message: Operation not permitted
      sudo: setuid(0): Operation not permitted
      sudo: unable to set supplementary group IDs: Operation not permitted
      sudo: unable to change to runas uid (0, 0): Operation not permitted
      sudo: unable to execute /usr/bin/zsh: Operation not permitted


    The error below is the constant, but I'm positively clueless about what is going on:

    Code:
    sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted

    Some relevant information that I can think of:

    Code:
    $ groups 
    users trusted docker input wheel samba plugdev

    sudoers - wheel group / user password

    Code:
    $ cat /etc/sudoers
    ## sudoers file.
    ##
    ## This file MUST be edited with the 'visudo' command as root.
    ## Failure to use 'visudo' may result in syntax or file permission errors
    ## that prevent sudo from running.
    ##
    ## See the sudoers man page for the details on how to write a sudoers file.
    ##
    
    ##
    ## Host alias specification
    ##
    ## Groups of machines. These may include host names (optionally with wildcards),
    ## IP addresses, network numbers or netgroups.
    # Host_Alias    WEBSERVERS = www1, www2, www3
    
    ##
    ## User alias specification
    ##
    ## Groups of users.  These may consist of user names, uids, Unix groups,
    ## or netgroups.
    # User_Alias    ADMINS = millert, dowdy, mikef
    
    ##
    ## Cmnd alias specification
    ##
    ## Groups of commands.  Often used to group related commands together.
    # Cmnd_Alias    PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
    #                           /usr/bin/pkill, /usr/bin/top
    # Cmnd_Alias    REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
    
    ##
    ## Defaults specification
    ##
    ## Prevent environment variables from influencing programs in an
    ## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
    Defaults always_set_home
    ## Path that will be used for every command run from sudo
    Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
    Defaults env_reset
    ## Change env_reset to !env_reset in previous line to keep all environment variables
    ## Following list will no longer be nevessary after this change
    Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
    ## Comment out the preceding line and uncomment the following one if you need
    ## to use special input methods. This may allow users to compromise the root
    ## account if they are allowed to run commands without authentication.
    #Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
    
    ## Do not insult users when they enter an incorrect password.
    Defaults !insults
    
    ## Uncomment to use a hard-coded PATH instead of the user's to find commands
    # Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    ##
    ## Uncomment to send mail if the user does not enter the correct password.
    # Defaults mail_badpass
    ##
    ## Uncomment to enable logging of a command's output, except for
    ## sudoreplay and reboot.  Use sudoreplay to play back logged sessions.
    # Defaults log_output
    # Defaults!/usr/bin/sudoreplay !log_output
    # Defaults!REBOOT !log_output
    
    ## In the default (unconfigured) configuration, sudo asks for the root password.
    ## This allows use of an ordinary user account for administration of a freshly
    ## installed system. When configuring sudo, delete the two
    ## following lines:
    #Defaults targetpw   # ask for the password of the target user i.e. root
    #ALL   ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!
    
    ##
    ## Runas alias specification
    ##
    
    ##
    ## User privilege specification
    ##
    root ALL=(ALL) ALL
    
    ## Uncomment to allow members of group wheel to execute any command
    %wheel ALL=(ALL) ALL
    
    ## Same thing without a password
    # %wheel ALL=(ALL) NOPASSWD: ALL
    
    ## Read drop-in files from /etc/sudoers.d
    ## (the '#' here does not indicate a comment)
    #includedir /etc/sudoers.d

    sudoers with targetpw (i.e., original sudoers):

    Code:
    ## In the default (unconfigured) configuration, sudo asks for the root password.
    ## This allows use of an ordinary user account for administration of a freshly
    ## installed system. When configuring sudo, delete the two
    ## following lines:
    Defaults targetpw   # ask for the password of the target user i.e. root
    ALL   ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!
    
    ##
    ## Runas alias specification
    ##
    
    ##
    ## User privilege specification
    ##
    root ALL=(ALL) ALL
    
    ## Uncomment to allow members of group wheel to execute any command
    # %wheel ALL=(ALL) ALL

    Interesting stuff from /var/log/messages:

    Code:
    2019-06-10T23:45:38.214735+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5(sudo-i:auth): (null): pam_sm_authenticate
    2019-06-10T23:45:38.214952+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5(sudo-i:auth): pam_kwallet5: Couldn't get password (it is empty)
    2019-06-10T23:45:42.778927+01:00 SAT-SUSE-X1C6G unix_chkpwd[23170]: check pass; user unknown
    2019-06-10T23:45:42.779290+01:00 SAT-SUSE-X1C6G unix_chkpwd[23170]: password check failed for user (root)
    2019-06-10T23:45:42.779351+01:00 SAT-SUSE-X1C6G sudo: pam_unix(sudo-i:auth): authentication failure; logname=aaccioly uid=1001 euid=1001 tty=/dev/pts/0 ruser=aaccioly rhost=  user=root
    2019-06-10T23:45:44.966170+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5(sudo-i:auth): pam_kwallet5: pam_sm_authenticate
    2019-06-10T23:45:44.966946+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5(sudo-i:auth): pam_kwallet5: Couldn't get password (it is empty)
    2019-06-10T23:45:49.788459+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5: could not set gid/uid/euid/egit for salt file creation
    2019-06-10T23:45:49.791930+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5(sudo-i:auth): pam_kwallet5: Couldn't create salt file
    2019-06-10T23:45:49.793283+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5: could not set gid/uid/euid/egit for salt file reading
    2019-06-10T23:45:49.797107+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5(sudo-i:auth): pam_kwallet5: Couldn't read salt file
    2019-06-10T23:45:49.799474+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5-kwalletd: Couldn't create or read the salt file
    2019-06-10T23:45:49.800229+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5(sudo-i:auth): pam_kwallet5: Fail into creating the hash
    2019-06-10T23:45:49.811375+01:00 SAT-SUSE-X1C6G unix_chkpwd[23173]: check pass; user unknown
    2019-06-10T23:45:49.812156+01:00 SAT-SUSE-X1C6G unix_chkpwd[23173]: password check failed for user (root)
    2019-06-10T23:45:51.823662+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5(sudo-i:auth): pam_kwallet5: pam_sm_authenticate
    2019-06-10T23:45:51.824461+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5(sudo-i:auth): pam_kwallet5: Couldn't get password (it is empty)
    2019-06-10T23:45:57.220247+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5: could not set gid/uid/euid/egit for salt file creation
    2019-06-10T23:45:57.223288+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5(sudo-i:auth): pam_kwallet5: Couldn't create salt file
    2019-06-10T23:45:57.224337+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5: could not set gid/uid/euid/egit for salt file reading
    2019-06-10T23:45:57.228049+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5(sudo-i:auth): pam_kwallet5: Couldn't read salt file
    2019-06-10T23:45:57.229339+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5-kwalletd: Couldn't create or read the salt file
    2019-06-10T23:45:57.230119+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5(sudo-i:auth): pam_kwallet5: Fail into creating the hash
    2019-06-10T23:45:57.236480+01:00 SAT-SUSE-X1C6G unix_chkpwd[23179]: check pass; user unknown
    2019-06-10T23:45:57.236748+01:00 SAT-SUSE-X1C6G unix_chkpwd[23179]: password check failed for user (root)
    2019-06-10T23:45:58.875869+01:00 SAT-SUSE-X1C6G sudo: aaccioly : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/aaccioly ; USER=root ; COMMAND=/usr/bin/zsh
    2019-06-10T23:46:10.821014+01:00 SAT-SUSE-X1C6G su: pam_kwallet5(su-l:auth): (null): pam_sm_authenticate
    2019-06-10T23:46:10.821299+01:00 SAT-SUSE-X1C6G su: pam_kwallet5(su-l:auth): (null): we were already executed
    2019-06-10T23:46:14.834649+01:00 SAT-SUSE-X1C6G su: (to root) aaccioly on pts/0

    Does anyone know what is happening?

  2. #2

    There are some recent bug reports on this. Apparently, there's a problem with a recent "libgcrypt" update and a problem with "pam_kwallet". And those might be related.

  3. #3


    Quote (originally posted by nrickert):
        There are some recent bug reports on this. Apparently, there's a problem with a recent "libgcrypt" update and a problem with "pam_kwallet". And those might be related.

    Thanks @nrickert.
    I found the mentioned bug and a temporary workaround.

    It is indeed a regression with pam_kwallet due to a change in libgcrypt20.
    https://bugzilla.opensuse.org/show_bug.cgi?id=1133808

    Downgrading to version 1.8.2-lp150.5.3.1 (Download Link) fixed it for me.
    I have also locked version 1.8.2-lp151.8.1 to be completely safe.

    Code:
    zypper install --old libgcrypt20-1.8.2-lp150.5.3.1.x86_64.rpm
    zypper addlock "libgcrypt20 == 1.8.2-lp151.8.1
    Uninstalling pam_kwallet also works if you don't need it.
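
A log-triage sketch for the symptom pattern in posts #1 and #3, added here and not part of the thread: it separates sudo failures that follow pam_kwallet5 ID-switching errors from ordinary wrong-password failures. The sample lines are constructed from the excerpt in post #1; the `triage` function, its verdict labels and the five-minute window are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modeled on the /var/log/messages excerpt in post #1;
# the host name HOST and the user bob are made up for the example.
SAMPLE_LOG = """\
2019-06-10T23:45:44.966946+01:00 HOST sudo: pam_kwallet5(sudo-i:auth): pam_kwallet5: Couldn't get password (it is empty)
2019-06-10T23:45:49.788459+01:00 HOST sudo: pam_kwallet5: could not set gid/uid/euid/egit for salt file creation
2019-06-10T23:45:49.811375+01:00 HOST unix_chkpwd[23173]: check pass; user unknown
2019-06-10T23:45:49.812156+01:00 HOST unix_chkpwd[23173]: password check failed for user (root)
2019-06-10T23:45:58.875869+01:00 HOST sudo: aaccioly : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/aaccioly ; USER=root ; COMMAND=/usr/bin/zsh
2019-06-10T23:46:14.834649+01:00 HOST su: (to root) aaccioly on pts/0
2019-06-11T09:00:01.000000+01:00 HOST unix_chkpwd[100]: password check failed for user (bob)
2019-06-11T09:00:03.000000+01:00 HOST sudo: bob : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/id
"""

# Signatures taken from the excerpt: the PAM module failing to switch IDs,
# sudo's failure summary, and a successful su to root.
PRIV_FAIL = re.compile(r"sudo: pam_kwallet5: could not set gid/uid/euid")
SUDO_FAIL = re.compile(r"sudo:\s+(\S+) : \d+ incorrect password attempts?")
SU_OK = re.compile(r"su: \(to \S+\) (\S+) on ")

def triage(log_text, su_window=timedelta(minutes=5)):
    """Classify each sudo failure summary in log_text (hypothetical helper)."""
    findings, priv_errors = [], 0
    for line in log_text.splitlines():
        stamp, _, rest = line.partition(" ")
        try:
            when = datetime.fromisoformat(stamp)
        except ValueError:
            continue  # not a timestamped syslog line
        fail, su_ok = SUDO_FAIL.search(rest), SU_OK.search(rest)
        if PRIV_FAIL.search(rest):
            priv_errors += 1
        elif fail:
            verdict = "pam-privilege-failure" if priv_errors else "bad-password"
            findings.append({"user": fail.group(1), "time": when,
                             "priv_errors": priv_errors, "verdict": verdict,
                             "su_ok_after": False})
            priv_errors = 0  # fresh window for the next sudo attempt
        elif su_ok:
            # The same user reaching root via su soon after supports the verdict.
            for f in findings:
                if f["user"] == su_ok.group(1) and when - f["time"] <= su_window:
                    f["su_ok_after"] = True
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["time"].isoformat(), f["user"], f["verdict"], f["su_ok_after"])
```

A `pam-privilege-failure` verdict with `su_ok_after` set matches the pattern reported in this thread, where the password is accepted by su but sudo fails after the PAM module runs.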

  4. #4


    I have previously missed a closing quotation mark in the addlock command.

    Fixed version:

    Code:
    zypper addlock "libgcrypt20 == 1.8.2-lp151.8.1"

  5. #5


    This also solved the same problem in Tumbleweed.
    Thanks.
    I did a 1-click install from download.opensuse.org, though.

  6. #6


    It does not necessarily need to be libgcrypt20 1.8.2.

    libgcrypt20 1.8.4-2.4 is still okay.
    Updating to 1.8.4-3.2 broke sudo for me.

  7. #7


    Sorry for resurrecting an old thread, I just want to point out that the problem has been fixed in
    libgcrypt20-1.8.2-lp151.9.4.1 and it is safe to delete the version lock.

    Cheers,

  8. #8

    Thanks for confirming that the problem is fixed. Yes, I did see that update come through.

    My workaround for this problem was to uninstall pam_kwallet, and then reconfigure kwallet to use gpg encryption. I will be leaving it that way.
