sudo --login not working on Arch Linux
#832
Comments
|
Thanks. I don't think we have focused on WSL being 'supported' yet, so I've added the "enhancement" label as well. Firing up a Windows machine to see if I can reproduce.
|
|
I managed to reproduce by upgrading my
|
|
Managed to reproduce! Very closely tied to the |
|
Tried it in a docker container, same thing happens, so does not seem tied to WSL. |
|
I have the same issue on my PC installation of Arch Linux. I installed sudo-rs 0.2.2 from the AUR. |
|
@JoelleJS Just to make sure: Did you fix the missing setuid/setgid on the sudo-rs binary? |
|
@Svintooo Yes, I added the |
|
Note: I've also noticed that in a fresh Arch-linux docker container, there is no PAM config for sudo, since there is no sudo in that docker. We should probably check with downstream packagers that they've thought of this. For Arch this would mean that the AUR sudo-rs package has a dependency on sudo unless the appropriate PAM files in |
|
I am not sure if missing PAM config for |
|
I've located the issue to this line: Since "sudo --login" starts a new login shell, a different PAM service name is used. This is done on purpose -- the system might have to do different session management for login sessions. ArchLinux doesn't provide this "sudo-i" service so authentication fails. Easy fix for Arch users: sudo cp /etc/pam.d/sudo /etc/pam.d/sudo-iAfter that, I guess this is not a problem with original sudo because that is likely compiled by the package maintainer with the To make sudo-rs the same, the AUR package maintainer can patch the above line in sudo-rs source code so the service_name is always Of course in the precompiled binaries we provide, we had to pick one and I think we went with |
squell
added
portability
and removed
enhancement
squell
changed the title
sudo --login not working on Arch Linux
|
Suggestion: Would it be possible to print a more descriptive error message when this issue happens? As an example, sudo-rs has a great error message (IMO) when setuid/setgid is not set for the binary. |
|
Good suggestion, let's create another issue for that. During my investigation here, I've also noticed original sudo sometimes printing uninformative error messages. Whether it is possible, I don't know -- this also requires the cooperation of PAM to give us helpful feedback. I think |
|
I just want to say thank you for a great experience in reporting this issue. The response this got has been wonderful. |
|
The biggest issue I see is that a missing service configuration could be a valid configuration, as PAM automatically falls back to the global PAM configuration in I think the best thing we could do is provide an example PAM configuration with our packages and include instructions for setting them up. Then leave it up to packagers of sudo to provide a configuration suitable for their specific distribution. One more thing we could do is to add build time configuration to allow changing the PAM service names for both login sessions and normal sessions at compile time, to give downstream maintainers a little more freedom (i.e. change the names of the services to |
|
Thanks to your help, I am adding the changes here in PKGBUILD. ❯ sudo-rs -i
arch# whoami
root
arch# exit
❯ sudo-rs --login
arch# whoami
root
arch#
|
Describe the bug
Whenever I try to use the
--loginoption I instantly get an AuthError. No password prompt is shown.This is on Arch Linux on Windows Subsystem for Linux on Windows 11.
To Reproduce
pacman -S --needed wget # Install wget wget https://github.com/memorysafety/sudo-rs/releases/download/v0.2.2/sudo-0.2.2.tar.gz tar xf sudo-0.2.2.tar.gz --strip-components=1 bin/sudoExpected behavior
Either receive a password prompt, OR execute
echo hello.Environment:
sudo-rscommit hash:f317145(Version 0.2.2)(I also tried with a manual compile of master (
ebd3e60) and got the same error.Additional context
No additional context.
The text was updated successfully, but these errors were encountered: