I have recently upgraded from Leap 15 to Leap 15.1.
Since the upgrade, sudo no longer accepts the password (neither for root with targetpw enabled nor for my user when it isn’t).
su - and kdesu both work as expected.
Example:
$ sudo -i
[sudo] password for root:
Sorry, try again.
[sudo] password for root:
Sorry, try again.
[sudo] password for root:
sudo: unable to send audit message: Operation not permitted
sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
sudo: 3 incorrect password attempts
$ su -
Password:
$
What I have tried so far:
- Changed the password (with passwd) for both root and my user
- Reinstalled sudo and completely reset the sudoers file (sudo does not take the root password, as above)
- Edited sudoers to allow users in the wheel group to sudo with their password. It then fails with a permission error like below:
$ sudo -i
[sudo] password for aaccioly:
sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
sudo: unable to send audit message: Operation not permitted
sudo: setuid(0): Operation not permitted
sudo: unable to set supplementary group IDs: Operation not permitted
sudo: unable to change to runas uid (0, 0): Operation not permitted
sudo: unable to execute /usr/bin/zsh: Operation not permitted
The error below is the constant, but I’m positively clueless about what is going on:
sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
Some relevant information that I can think of:
$ groups
users trusted docker input wheel samba plugdev
sudoers - wheel group / user password
$ cat /etc/sudoers
## sudoers file.
##
## This file MUST be edited with the 'visudo' command as root.
## Failure to use 'visudo' may result in syntax or file permission errors
## that prevent sudo from running.
##
## See the sudoers man page for the details on how to write a sudoers file.
##
##
## Host alias specification
##
## Groups of machines. These may include host names (optionally with wildcards),
## IP addresses, network numbers or netgroups.
# Host_Alias WEBSERVERS = www1, www2, www3
##
## User alias specification
##
## Groups of users. These may consist of user names, uids, Unix groups,
## or netgroups.
# User_Alias ADMINS = millert, dowdy, mikef
##
## Cmnd alias specification
##
## Groups of commands. Often used to group related commands together.
# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
# /usr/bin/pkill, /usr/bin/top
# Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
##
## Defaults specification
##
## Prevent environment variables from influencing programs in an
## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
Defaults always_set_home
## Path that will be used for every command run from sudo
Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
Defaults env_reset
## Change env_reset to !env_reset in previous line to keep all environment variables
## Following list will no longer be nevessary after this change
Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
## Comment out the preceding line and uncomment the following one if you need
## to use special input methods. This may allow users to compromise the root
## account if they are allowed to run commands without authentication.
#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
## Do not insult users when they enter an incorrect password.
Defaults !insults
## Uncomment to use a hard-coded PATH instead of the user's to find commands
# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
##
## Uncomment to send mail if the user does not enter the correct password.
# Defaults mail_badpass
##
## Uncomment to enable logging of a command's output, except for
## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
# Defaults log_output
# Defaults!/usr/bin/sudoreplay !log_output
# Defaults!REBOOT !log_output
## In the default (unconfigured) configuration, sudo asks for the root password.
## This allows use of an ordinary user account for administration of a freshly
## installed system. When configuring sudo, delete the two
## following lines:
#Defaults targetpw # ask for the password of the target user i.e. root
#ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
##
## Runas alias specification
##
##
## User privilege specification
##
root ALL=(ALL) ALL
## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
## Read drop-in files from /etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /etc/sudoers.d
sudoers with targetpw (i.e., original sudoers):
## In the default (unconfigured) configuration, sudo asks for the root password.
## This allows use of an ordinary user account for administration of a freshly
## installed system. When configuring sudo, delete the two
## following lines:
Defaults targetpw # ask for the password of the target user i.e. root
ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
##
## Runas alias specification
##
##
## User privilege specification
##
root ALL=(ALL) ALL
## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL) ALL
Interesting stuff from /var/log/messages:
2019-06-10T23:45:38.214735+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5(sudo-i:auth): (null): pam_sm_authenticate
2019-06-10T23:45:38.214952+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5(sudo-i:auth): pam_kwallet5: Couldn't get password (it is empty)
2019-06-10T23:45:42.778927+01:00 SAT-SUSE-X1C6G unix_chkpwd[23170]: check pass; user unknown
2019-06-10T23:45:42.779290+01:00 SAT-SUSE-X1C6G unix_chkpwd[23170]: password check failed for user (root)
2019-06-10T23:45:42.779351+01:00 SAT-SUSE-X1C6G sudo: pam_unix(sudo-i:auth): authentication failure; logname=aaccioly uid=1001 euid=1001 tty=/dev/pts/0 ruser=aaccioly rhost= user=root
2019-06-10T23:45:44.966170+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5(sudo-i:auth): pam_kwallet5: pam_sm_authenticate
2019-06-10T23:45:44.966946+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5(sudo-i:auth): pam_kwallet5: Couldn't get password (it is empty)
2019-06-10T23:45:49.788459+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5: could not set gid/uid/euid/egit for salt file creation
2019-06-10T23:45:49.791930+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5(sudo-i:auth): pam_kwallet5: Couldn't create salt file
2019-06-10T23:45:49.793283+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5: could not set gid/uid/euid/egit for salt file reading
2019-06-10T23:45:49.797107+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5(sudo-i:auth): pam_kwallet5: Couldn't read salt file
2019-06-10T23:45:49.799474+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5-kwalletd: Couldn't create or read the salt file
2019-06-10T23:45:49.800229+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5(sudo-i:auth): pam_kwallet5: Fail into creating the hash
2019-06-10T23:45:49.811375+01:00 SAT-SUSE-X1C6G unix_chkpwd[23173]: check pass; user unknown
2019-06-10T23:45:49.812156+01:00 SAT-SUSE-X1C6G unix_chkpwd[23173]: password check failed for user (root)
2019-06-10T23:45:51.823662+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5(sudo-i:auth): pam_kwallet5: pam_sm_authenticate
2019-06-10T23:45:51.824461+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5(sudo-i:auth): pam_kwallet5: Couldn't get password (it is empty)
2019-06-10T23:45:57.220247+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5: could not set gid/uid/euid/egit for salt file creation
2019-06-10T23:45:57.223288+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5(sudo-i:auth): pam_kwallet5: Couldn't create salt file
2019-06-10T23:45:57.224337+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5: could not set gid/uid/euid/egit for salt file reading
2019-06-10T23:45:57.228049+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5(sudo-i:auth): pam_kwallet5: Couldn't read salt file
2019-06-10T23:45:57.229339+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5-kwalletd: Couldn't create or read the salt file
2019-06-10T23:45:57.230119+01:00 SAT-SUSE-X1C6G sudo: pam_kwallet5(sudo-i:auth): pam_kwallet5: Fail into creating the hash
2019-06-10T23:45:57.236480+01:00 SAT-SUSE-X1C6G unix_chkpwd[23179]: check pass; user unknown
2019-06-10T23:45:57.236748+01:00 SAT-SUSE-X1C6G unix_chkpwd[23179]: password check failed for user (root)
2019-06-10T23:45:58.875869+01:00 SAT-SUSE-X1C6G sudo: aaccioly : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/aaccioly ; USER=root ; COMMAND=/usr/bin/zsh
2019-06-10T23:46:10.821014+01:00 SAT-SUSE-X1C6G su: pam_kwallet5(su-l:auth): (null): pam_sm_authenticate
2019-06-10T23:46:10.821299+01:00 SAT-SUSE-X1C6G su: pam_kwallet5(su-l:auth): (null): we were already executed
2019-06-10T23:46:14.834649+01:00 SAT-SUSE-X1C6G su: (to root) aaccioly on pts/0
Does anyone know what is happening?