Why I can not drop sudo root privileges

permissionsrootsetuidsudosystem-calls

I am debugging a program and not quite sure why I can not drop privileges.

I have root permissions via sudo and I can call setgid/setuid, but the operation [is] is not supported.

Basic code to reproduce (golang):

package main

import (
    "fmt"
    "os"
    "strconv"
    "syscall"
)

func main() {
    if os.Getuid() != 0 {
        fmt.Println("run as root")
        os.Exit(1)
    }

    uid, err := strconv.Atoi(os.Getenv("SUDO_UID"))
    check("", err)

    gid, err := strconv.Atoi(os.Getenv("SUDO_GID"))
    check("", err)

    fmt.Printf("uid: %d, gid: %d\n", uid, gid)

    check("gid", syscall.Setgid(gid))
    check("uid", syscall.Setuid(uid))
}

func check(message string, err error) {
    if err != nil {
        fmt.Printf("%s: %s\n", message, err)
        os.Exit(1)
    }
}

Example output:

$ sudo ./drop-sudo 
uid: 1000, gid: 1000
gid: operation not supported

System info:

$ uname -a
Linux user2460234 4.15.0-34-generic #37-Ubuntu SMP Mon Aug 27 15:21:48 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Best Answer

Your programming language simply does not support such things.

It's complex to do this stuff on Linux, because of the architecture of Linux. The C libraries (e.g. GNU and musl) hide this complexity. It continues to be one of the known problems with threads on Linux.

The Go language does not replicate the mechanism of the C libraries. The current implementation of those functions is not a system call, and has not been since 2014.

sudo ppa-purge ppa:gnome3-team/gnome3 (in order to revert back to supported gnome packages like nautilus, ...etc)
creating directory: /var/lib/samba and adding myself to samba passwords databse (sudo mkdir -p /var/lib/samba && sudo smbpasswd -a myusername
sudo pam-auth-update (all the authentication modules were already selected, so I just cliked okay).

Troubleshooting here: http://ubuntuforums.org/showthread.php?t=2115288

Can edit file as root, but not using sudo

I just discovered the reason, and it was a collection of circumstances:

First of all, I don't know exactly why, but sudo was not grabbing the HOME environment variable properly and used the one of the regular user, so it read the .vimrc from /home/user/.vimrc.

In order to see this, I issued:

user@hostname:~$ sudo bash
[sudo] password for user: 
root@hostname:/home/user# echo $HOME
/home/user

Second, I have folding persistence enabled in my user's vimrc file in order to store cursor position:

au BufWinLeave * mkview
au BufWinEnter * silent loadview

This makes that every time a file is edited, a properties file is created inside $HOME/.vim/view folder. In my case, it looks like I tried to edit the file without sudo the first time, so the folding file was created as regular user's:

user@hostname:~$ ll .vim/view/ | grep thunderbird.sh
-rw-rw-r-- 1 user user  2650 Aug 20 15:56 =+usr=+lib=+thunderbird=+thunderbird.sh=

Since the root took /home/user as $HOME, the same folding file was (wrongly) used when I issued sudo vim, and for some reason that I ignore, probable related to vim internals, if the folding file is not owned by the editing user, the edited file is opened in ReadOnly mode.

So, I realized that if I removed the file /home/user/.vim/view/=+usr=+lib=+thunderbird=+thunderbird.sh= and then tried to edit using sudo vim, I had no problems at all.

So, at the end of the story, in order to fix this situation I just edited /etc/sudoers and added this line:

Defaults always_set_home

Now everything works as expected and I can use sudo reliably again.

Why I can not drop sudo root privileges

Best Answer

Further reading

Related Question

Best Answer

Further reading

Related Solutions

Ubuntu – Suddenly, I Can’t login with correct password (greeter & tty)

Can edit file as root, but not using sudo

Related Question