sudo: must be setuid root

xtknight

Elite Member
Oct 15, 2004
12,974
0
71
OK, I told my friend to do a bad bad thing (thankfully it's a brand new install). That is, set the whole usr directory so everyone could access it because he was getting really frustrated. chmod -R 777 /usr/* thinking it would make it so he had no problems accessing the directory under any account. Turns out that was a bad idea. Now he can't sudo.

sudo: must be setuid root

Any clue how to fix this? He is running Ubuntu. Also he can make it into Linux just fine, but he can't get root access from sudo. I'm not sure if he can login as root or not from the consoles. Can he reinstall sudo somehow? It looks like sudo just needs "setuid root" on it but I'm not sure how to do that.

Thanks in advance.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Maybe he can gain root access by booting into single user mode. I'm not sure how to do this with grub off hand though.

Then just chmod it back to correctness.
 

xtknight

OK, I simply told him to login as root in the big consoles and type:

chmod 4111 /usr/bin/sudo

All is well now. Thanks. Well I don't know about the other files in /usr, but he said his programs work fine.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Tell him to reinstall his system, nothing should ever have its rights set to 777 and he'll most likely have more problems in the future.
 

xtknight

Don't worry, he has a practically impenetrable NAT router he's not allowed access to the configuration of, so I don't think anybody will be omgh4x0ring him any time soon. We had to do a passworded Hamachi VPN just to get any servers on his side to work. ;) So far things have been fine. Nothing we have done since the "chmod 4111 /usr/bin/sudo" command has caused any unexpected errors. The gnome control panels all work fine as far as I can tell. I think the only thing that got screwed up are things that need "set uid root" and sudo was one of the few? I would tell him to reinstall but (before the incident) we had just got done configuring ATI drivers and I don't think he wants to do that again.
 

Nothinman

It doesn't matter, the rights should be fixed. All of the directories and executable files should be 555 and regular files should be 444, then you can re-add the setuid bit back to the few executables that need it. No regular users should have write access to anything under /usr.

If the X config is that big of a deal copy the file somewhere before the reinstall, the installation portion of the drivers can't be that big of a hassle.
 

xtknight

On my machine here is what my /usr looks like (I haven't done anything to my /usr):

drwxr-xr-x 14 root root 4096 2006-04-18 23:36 .
drwxr-xr-x 21 root root 4096 2006-04-19 17:25 ..
drwxr-xr-x 2 root root 36864 2006-04-19 23:45 bin
drwxr-xr-x 2 root root 4096 2006-04-19 21:27 doc
drwxr-xr-x 2 root root 4096 2006-01-29 20:19 games
drwxr-xr-x 4 root root 4096 2006-04-18 19:57 gtkradiant
drwxr-xr-x 37 root root 4096 2006-04-19 13:06 include
lrwxrwxrwx 1 root root 10 2006-01-29 06:39 info -> share/info
drwxr-xr-x 119 root root 40960 2006-04-20 01:56 lib
drwxrwsr-x 10 root staff 4096 2006-04-17 00:51 local
drwxr-xr-x 3 root root 4096 2006-04-18 23:36 man
drwxr-xr-x 2 root root 4096 2006-04-19 00:14 sbin
drwxr-xr-x 208 root root 4096 2006-04-19 14:15 share
drwxrwsr-x 6 root src 4096 2006-04-19 13:37 src
drwxr-xr-x 6 root root 4096 2006-01-29 14:04 X11R6

According to nautilus the permissions for most are 755 and for local and src it is 2775. So should I make his directories 555 or 755? Most files in my /usr/bin are also 755. And what about subdirectories, like /usr/share/alsa? I wonder if there's some way to copy all the permissions for the files we have in common and apply the permissions to his PC again. I do have access to his computer via ssh now. I promise I won't do anything this stupid again. ;)

To setuid root, is this the right command?: chmod 4111 /usr/folder/program

And does Linux have a 'sfc' (System File Checker) like Windows where it just fixes your system files? Yeah, copying the X config would be easy and installing the driver wouldn't be too bad. Previously I had to tell him every command to do but with ssh I wouldn't mind doing it again.

Thanks.
 

kamper

Diamond Member
Mar 18, 2003
5,513
0
0
755, I would think. Otherwise you're going to have a bit of trouble installing any new software :p

Edit: but I also vote for a reinstall.
 

Nothinman

I just made a quick guess at the permissions, less permissive is better than more. =) And since they're mostly all owned by root the 7 on 755 is mostly just for show, root can still write to them. But yea, to be correct they should be owner right, group and other read+execute. Since you didn't change the ownership or groups it shouldn't be too bad to fix, but I don't know of a way to copy just the permissions without writing a custom script.

And there's probably nothing in /usr/local or /usr/src unless you installed something by hand or installed any kernel or module source packages.

Originally posted by: xtknight
And does Linux have a 'sfc' (System File Checker) like Windows where it just fixes your system files?

AFAIK SFC just checks the files themselves to see if they're correct (md5sum or something) so that wouldn't help you anyway.

You might be able to fix them and retain any local configuration changes by reinstalling all packages by running:

COLUMNS=200 dpkg -l | awk '/^ii/ {print $2}' | xargs apt-get --reinstall install
 
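The post above says copying just the permissions from a healthy machine would need a custom script. One such script follows as an added example; it is not code from anyone in the thread. It assumes a reference machine with the same release and packages and a `stat` that supports `-c` (GNU coreutils or busybox), and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: record modes on a known-good tree, replay them on a damaged one.
# The manifest is line-based, so paths containing newlines are not supported.

# save_modes ROOT MANIFEST: write "<octal-mode> <relative-path>" for every
# non-symlink under ROOT. Symlinks are skipped because chmod follows them.
save_modes() {
    ( cd "$1" && find . -xdev ! -type l -exec stat -c '%a %n' {} + ) > "$2"
}

# restore_modes ROOT MANIFEST: apply the recorded modes to paths that also
# exist under ROOT. Prints how many paths had their mode changed.
# Special bits (setuid 4xxx, setgid 2xxx) are part of the recorded mode.
restore_modes() {
    (
        cd "$1" || exit 1
        changed=0
        while read -r mode path; do
            [ -e "$path" ] || continue      # not installed on this machine
            [ -L "$path" ] && continue      # never chmod through a symlink
            [ "$(stat -c '%a' "$path")" = "$mode" ] && continue
            chmod "$mode" "$path" && changed=$((changed + 1))
        done
        echo "$changed"
    ) < "$2"                                # manifest opened before the cd
}

# count_world_writable ROOT: number of non-symlink entries that "other" can
# write to. On a healthy /usr this should be 0.
count_world_writable() {
    find "$1" -xdev ! -type l -perm -0002 | wc -l | tr -d ' '
}
```

Run `save_modes /usr modes.txt` on the reference machine, copy `modes.txt` over, then run `restore_modes /usr modes.txt` as root on the damaged one. Ownership is not touched, which matches the thread's case where only modes were changed.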

xtknight

OK, I had to add a -y to apt-get to force yes on all of them. Did that reinstall everything or just download it? Seemed awful fast (~30min). ;)

What do I have to do now? pkg-config them all? I tried doing xargs pkg-config in that command, didn't really work, I don't think. Like this?

COLUMNS=200 dpkg -l | awk '/^ii/ {print $2}' | xargs pkg-config

Well this worked:

COLUMNS=200 dpkg -l | awk '/^ii/ {print $2}' | xargs dpkg-reconfigure

It's asking me lots of questions though. Alright it finished. I'll have to wait until he logs back on to see the results.

I forgot to mention, his network-admin doesn't work, and it still won't. I guess it's time for a reinstall. Forget Ubuntu I'm just going to have him install Debian Sarge like I have.
 

Nothinman

Originally posted by: xtknight
OK, I had to add a -y to apt-get to force yes on all of them. Did that reinstall everything or just download it? Seemed awful fast (~30min).

If they were still in /var/cache/apt/archives it shouldn't have redownloaded them.

Originally posted by: xtknight
What do I have to do now? pkg-config them all? I tried doing xargs pkg-config in that command, didn't really work, I don't think. Like this?

pkg-config is just a tool to tell scripts like ./configure where to find libraries, dpkg would have invoked debconf for all of the packages automatically.

Originally posted by: xtknight
It's asking me lots of questions though. Alright it finished. I'll have to wait until he logs back on to see the results.

Yea, you probably shouldn't have done that. Well it probably won't hurt anything, but you caused yourself a lot more work.

Originally posted by: xtknight
I forgot to mention, his network-admin doesn't work, and it still won't. I guess it's time for a reinstall. Forget Ubuntu I'm just going to have him install Debian Sarge like I have.

You mean NetworkManager?
 

xtknight

Originally posted by: Nothinman
You mean NetworkManager?

Nah, network-admin. Some program in the system tools/administration gnome menu. None of the other admin tools worked either. They would just say something like "error 1 child terminated". In any case he has Debian Sarge up and running at the moment and all the administration tools are working fine and everything.
 

Nothinman

Ah, I've never used network-admin before. It probably had something to do with gksu being broken after the permission changes.
 

xtknight

I did setuid on gksu and chmod 777 on it, chmod 755, 644, 2775, everything. Never did work...