rpm --restore is applying incorrect file capability attributes

ubertux
Posts: 5
Joined: 2019/11/29 13:44:32

Post by ubertux » 2019/11/29 14:04:47

I am having some issues with running sudo as regular user on a CentOS 8 system after running 'rpm --restore sudo' to fix permissions on files within the sudo package.

Steps to reproduce:
1. Run 'rpm --restore sudo'

Code:

# rpm --restore sudo
2. Try to 'sudo su -' as a non-root user:

Code:

$ sudo su -
sudo: unable to change to root gid: Operation not permitted
sudo: unable to initialize policy plugin
It appears that the 'rpm --restore' has amended the file capabilities attributes on files within the sudo package and this is breaking sudo for non-root users.
Compare the output of 'getcap -r / 2>/dev/null' before and after applying the 'rpm --restore':

Code:

[root@centos8 ~]# getcap -r / 2>/dev/null    # before running 'rpm --restore sudo'
/usr/bin/newgidmap = cap_setgid+ep
/usr/bin/newuidmap = cap_setuid+ep
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p
/usr/sbin/mtr-packet = cap_net_raw+ep
/tmp/backup/ping = cap_net_admin,cap_net_raw+p
[root@centos8 ~]#

[root@centos8 ~]# getcap -r / 2>/dev/null   # after running 'rpm --restore sudo'
/etc/dnf/protected.d/sudo.conf =
/etc/pam.d/sudo =
/etc/pam.d/sudo-i =
/etc/sudo-ldap.conf =
/etc/sudo.conf =
/etc/sudoers =
/usr/bin/newgidmap = cap_setgid+ep
/usr/bin/newuidmap = cap_setuid+ep
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/bin/sudo =
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/usr/bin/cvtsudoers =
/usr/bin/sudoreplay =
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p
/usr/sbin/visudo =
/usr/sbin/mtr-packet = cap_net_raw+ep
/usr/lib/tmpfiles.d/sudo.conf =
/usr/share/licenses/sudo/LICENSE =
/usr/share/doc/sudo/CONTRIBUTORS =
/usr/share/doc/sudo/HISTORY =
/usr/share/doc/sudo/NEWS =
/usr/share/doc/sudo/README =
/usr/share/doc/sudo/README.LDAP =
/usr/share/doc/sudo/TROUBLESHOOTING =
/usr/share/doc/sudo/UPGRADE =
/usr/share/doc/sudo/examples/pam.conf =
/usr/share/doc/sudo/examples/sudo.conf =
/usr/share/doc/sudo/examples/sudoers =
/usr/share/doc/sudo/examples/syslog.conf =
/usr/share/doc/sudo/schema.ActiveDirectory =
/usr/share/doc/sudo/schema.OpenLDAP =
/usr/share/doc/sudo/schema.iPlanet =
/usr/share/locale/ca/LC_MESSAGES/sudo.mo =
/usr/share/locale/ca/LC_MESSAGES/sudoers.mo =
/usr/share/locale/cs/LC_MESSAGES/sudo.mo =
/usr/share/locale/cs/LC_MESSAGES/sudoers.mo =
/usr/share/locale/da/LC_MESSAGES/sudo.mo =
/usr/share/locale/da/LC_MESSAGES/sudoers.mo =
/usr/share/locale/de/LC_MESSAGES/sudo.mo =
/usr/share/locale/de/LC_MESSAGES/sudoers.mo =
/usr/share/locale/el/LC_MESSAGES/sudoers.mo =
/usr/share/locale/eo/LC_MESSAGES/sudo.mo =
/usr/share/locale/eo/LC_MESSAGES/sudoers.mo =
/usr/share/locale/es/LC_MESSAGES/sudo.mo =
/usr/share/locale/fi/LC_MESSAGES/sudo.mo =
/usr/share/locale/fi/LC_MESSAGES/sudoers.mo =
/usr/share/locale/fr/LC_MESSAGES/sudo.mo =
/usr/share/locale/fr/LC_MESSAGES/sudoers.mo =
/usr/share/locale/fur/LC_MESSAGES/sudo.mo =
/usr/share/locale/fur/LC_MESSAGES/sudoers.mo =
/usr/share/locale/gl/LC_MESSAGES/sudo.mo =
/usr/share/locale/hr/LC_MESSAGES/sudo.mo =
/usr/share/locale/hr/LC_MESSAGES/sudoers.mo =
/usr/share/locale/hu/LC_MESSAGES/sudo.mo =
/usr/share/locale/hu/LC_MESSAGES/sudoers.mo =
/usr/share/locale/it/LC_MESSAGES/sudo.mo =
/usr/share/locale/it/LC_MESSAGES/sudoers.mo =
/usr/share/locale/ja/LC_MESSAGES/sudo.mo =
/usr/share/locale/ja/LC_MESSAGES/sudoers.mo =
/usr/share/locale/ko/LC_MESSAGES/sudo.mo =
/usr/share/locale/ko/LC_MESSAGES/sudoers.mo =
/usr/share/locale/lt/LC_MESSAGES/sudoers.mo =
/usr/share/locale/nb/LC_MESSAGES/sudo.mo =
/usr/share/locale/nb/LC_MESSAGES/sudoers.mo =
/usr/share/locale/nl/LC_MESSAGES/sudo.mo =
/usr/share/locale/nl/LC_MESSAGES/sudoers.mo =
/usr/share/locale/pl/LC_MESSAGES/sudo.mo =
/usr/share/locale/pl/LC_MESSAGES/sudoers.mo =
/usr/share/locale/pt_BR/LC_MESSAGES/sudo.mo =
/usr/share/locale/pt_BR/LC_MESSAGES/sudoers.mo =
/usr/share/locale/ru/LC_MESSAGES/sudo.mo =
/usr/share/locale/ru/LC_MESSAGES/sudoers.mo =
/usr/share/locale/sk/LC_MESSAGES/sudo.mo =
/usr/share/locale/sk/LC_MESSAGES/sudoers.mo =
/usr/share/locale/sl/LC_MESSAGES/sudo.mo =
/usr/share/locale/sl/LC_MESSAGES/sudoers.mo =
/usr/share/locale/sr/LC_MESSAGES/sudo.mo =
/usr/share/locale/sr/LC_MESSAGES/sudoers.mo =
/usr/share/locale/sv/LC_MESSAGES/sudo.mo =
/usr/share/locale/sv/LC_MESSAGES/sudoers.mo =
/usr/share/locale/tr/LC_MESSAGES/sudo.mo =
/usr/share/locale/tr/LC_MESSAGES/sudoers.mo =
/usr/share/locale/uk/LC_MESSAGES/sudo.mo =
/usr/share/locale/uk/LC_MESSAGES/sudoers.mo =
/usr/share/locale/vi/LC_MESSAGES/sudo.mo =
/usr/share/locale/vi/LC_MESSAGES/sudoers.mo =
/usr/share/locale/zh_CN/LC_MESSAGES/sudo.mo =
/usr/share/locale/zh_CN/LC_MESSAGES/sudoers.mo =
/usr/share/locale/zh_TW/LC_MESSAGES/sudo.mo =
/usr/share/locale/eu/LC_MESSAGES/sudo.mo =
/usr/share/locale/eu/LC_MESSAGES/sudoers.mo =
/usr/share/locale/nn/LC_MESSAGES/sudo.mo =
/usr/share/man/man5/sudo.conf.5.gz =
/usr/share/man/man5/sudoers.5.gz =
/usr/share/man/man5/sudoers.ldap.5.gz =
/usr/share/man/man5/sudoers_timestamp.5.gz =
/usr/share/man/man1/cvtsudoers.1.gz =
/usr/share/man/man8/sudo.8.gz =
/usr/share/man/man8/sudoreplay.8.gz =
/usr/share/man/man8/visudo.8.gz =
/usr/libexec/sudo/group_file.so =
/usr/libexec/sudo/libsudo_util.so.0.0.0 =
/usr/libexec/sudo/sesh =
/usr/libexec/sudo/sudo_noexec.so =
/usr/libexec/sudo/sudoers.so =
/usr/libexec/sudo/system_group.so =
/tmp/backup/ping = cap_net_admin,cap_net_raw+p
The issue isn't limited to the sudo package; I get similar behaviour when running the 'rpm --restore' on other packages. I believe that this is a bug in rpm.

Permissions on the sudo binary are the same before and after running the restore command, so it looks like the capability attributes are the cause of sudo failing:

Code:

[root@centos8 ~]# ls -laZ /usr/bin/sudo    # before running 'rpm --restore sudo'
---s--x--x. 1 root root system_u:object_r:sudo_exec_t:s0 166056 May 11  2019 /usr/bin/sudo
[root@centos8 ~]# 

[root@centos8 ~]# ls -laZ /usr/bin/sudo   # after running 'rpm --restore sudo'
---s--x--x. 1 root root system_u:object_r:sudo_exec_t:s0 166056 May 11  2019 /usr/bin/sudo
[root@centos8 ~]# 
Versions of rpm and sudo are as follows:

Code:

[root@centos8 ~]# rpm -qa | egrep  '^rpm-|sudo'
rpm-build-libs-4.14.2-11.el8_0.x86_64
libsss_sudo-2.0.0-43.el8_0.3.x86_64
rpm-plugin-systemd-inhibit-4.14.2-11.el8_0.x86_64
rpm-libs-4.14.2-11.el8_0.x86_64
rpm-plugin-selinux-4.14.2-11.el8_0.x86_64
rpm-ostree-libs-2018.8-2.el8.0.1.x86_64
rpm-4.14.2-11.el8_0.x86_64
sudo-1.8.25p1-4.el8.x86_64
Thanks in advance for any help,
Best regards,
ubertux

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: rpm --restore is applying incorrect file capability attributes

Post by TrevorH » 2019/11/29 15:40:53

Something that needs reporting to Red Hat via bugzilla.redhat.com
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

ubertux
Posts: 5
Joined: 2019/11/29 13:44:32

Re: rpm --restore is applying incorrect file capability attributes

Post by ubertux » 2019/11/30 09:32:36

I have created a bug report for this on Red Hat Bugzilla - https://bugzilla.redhat.com/show_bug.cgi?id=1778361.

I also have some additional information:

I've run 'rpm --setugids sudo' and this sets the correct capabilities on the files but it sets incorrect permissions (note the lack of suid on /usr/bin/sudo):

Code:

[root@rhel8 ~]# ls -laZ /usr/bin/sudo
---s--x--x. 1 root root system_u:object_r:sudo_exec_t:s0 166064 Aug 19 13:15 /usr/bin/sudo
[root@rhel8 ~]# rpm --setugids sudo
[root@rhel8 ~]# ls -laZ /usr/bin/sudo
---x--x--x. 1 root root system_u:object_r:sudo_exec_t:s0 166064 Aug 19 13:15 /usr/bin/sudo

Attempting to 'sudo su -' as a non-root user at this point gives the following error:

Code:

$ sudo su -
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
$ 

Running 'rpm --setperms sudo' at this point sets the right permissions and I am able to 'sudo su -' as a non-root user:

Code:

[root@rhel8 ~]# rpm --setperms sudo
[root@rhel8 ~]# ls -laZ /usr/bin/sudo
---s--x--x. 1 root root system_u:object_r:sudo_exec_t:s0 166064 Aug 19 13:15 /usr/bin/sudo
Order seems important. Running 'setperms' before 'setugids' fixes permissions but doesn't fix capabilities. 'setugids' then sets incorrect file permissions by not setting the suid bit.
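
As an added example that is not part of the thread, the following bash audit snapshots getcap output for a package's files around an rpm maintenance command (--restore, --setugids, --setperms) and reports every capability set that changed, so the cleared capabilities described above are caught right away. It assumes the 'path = caps' getcap output format shown in the posts, GNU xargs, and that rpm and getcap exist on the host; the function names are mine.

```bash
#!/bin/bash
# Added example (not code from the thread): snapshot file capabilities before and
# after an rpm maintenance command and report what changed, so a cleared or
# emptied capability set is caught immediately instead of when sudo stops working.

# cap_diff BEFORE AFTER
# BEFORE and AFTER are getcap-style listings, one "path = caps" entry per line
# (the format shown in the posts). Prints "path: old -> new" for every path whose
# capability set differs. "(absent)" means getcap listed nothing for the file;
# "(none)" means it printed "path =", i.e. a security.capability xattr with an
# empty set. An (absent) -> (none) transition on a setuid-root binary is the
# signature seen in the thread: the kernel then treats the binary as having
# (empty) file capabilities instead of granting the full set to setuid root.
cap_diff() {
  {
    printf '%s\n' "$1"
    printf '@@SPLIT@@\n'
    printf '%s\n' "$2"
  } | awk -F' = ?' '
    function fmt(c) { return (c == "") ? "(none)" : c }
    /^@@SPLIT@@$/ { phase = 1; next }
    NF == 0       { next }                       # skip blank lines
    phase == 0    { old[$1] = $2; seen[$1] = 1; next }
                  { new[$1] = $2; seen[$1] = 1 }
    END {
      for (p in seen) {
        o = (p in old) ? fmt(old[p]) : "(absent)"
        n = (p in new) ? fmt(new[p]) : "(absent)"
        if (o != n) printf "%s: %s -> %s\n", p, o, n
      }
    }' | sort
}

# audit_rpm_fixup PKG RPM_ARGS...
# Runs "rpm RPM_ARGS... PKG" (e.g. --restore, --setugids, --setperms) between two
# getcap snapshots of the package's files and prints the resulting cap_diff.
# Needs rpm, getcap and GNU xargs, and must run as root; returns rpm's status.
audit_rpm_fixup() {
  local pkg="$1" files before after rc; shift
  files=$(rpm -ql "$pkg") || return 1
  before=$(printf '%s\n' "$files" | xargs -d '\n' getcap 2>/dev/null)
  rpm "$@" "$pkg"; rc=$?
  after=$(printf '%s\n' "$files" | xargs -d '\n' getcap 2>/dev/null)
  cap_diff "$before" "$after"
  return "$rc"
}

# Usage on an affected host (not run here):  audit_rpm_fixup sudo --restore
# Compare the output with what the package header records for each file:
#   rpm -q --qf '[%{FILENAMES} %{FILECAPS}\n]' sudo
```

Run the audit once per rpm command to see the order dependence the second post describes; any line ending in "(none)" on a setuid binary is the case to investigate.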
