sudo error running -V #4

Open
gngrossi opened this issue May 25, 2023 · 28 comments
Comments

@gngrossi

RC=(0) [SYSA] bash-5.2$ sudo -V
Sudo version 1.9.13p3
sudo: PERM_SUDOERS: setreuid(-1, 1): EDC5121I Invalid argument.
sudo: no valid sudoers sources found, quitting
sudo: error initializing audit plugin sudoers_audit

--

/hewitt/zopentools/guild/sudo-1.9.13p3
RC=(0) [SYSA] bash-5.2$ ls -E bin
bin:
total 9072
-rwsr-xr-x --s- 1 BPXROOT @ISZOST1 1552384 May 23 21:35 cvtsudoers
-rwsr-xr-x --s- 1 BPXROOT @ISZOST1 2015232 May 23 21:35 sudo
lrwxrwxrwx 1 @02858 @ISCICS1 4 May 24 15:47 sudoedit -> sudo
-rwsr-xr-x --s- 1 BPXROOT @ISZOST1 1048576 May 23 21:35 sudoreplay

sbin:
total 7184
-rwsr-xr-x --s- 1 BPXROOT @ISZOST1 1282048 May 23 21:34 sudo_logsrvd
-rwsr-xr-x --s- 1 BPXROOT @ISZOST1 1105920 May 23 21:35 sudo_sendlog
-rwsr-xr-x --s- 1 BPXROOT @ISZOST1 1257472 May 23 21:35 visudo

@gngrossi
Author

sudo: error initializing audit plugin sudoers_audit
Missing the sudoers.so file?

Default /etc/sudo.conf file

Sudo plugins:

Plugin plugin_name plugin_path plugin_options ...

The plugin_path is relative to /hewitt/zopentools/guild/sudo-1.9.13p3/libexec/sudo unless

fully qualified.

The plugin_name corresponds to a global symbol in the plugin

that contains the plugin interface structure.

The plugin_options are optional.

The sudoers plugin is used by default if no Plugin lines are present.

#Plugin sudoers_policy sudoers.so
#Plugin sudoers_io sudoers.so
#Plugin sudoers_audit sudoers.so

--

RC=(0) [SYSA] bash-5.2$ pwd
/hewitt/zopentools/guild/sudo-1.9.13p3/libexec/sudo
RC=(0) [SYSA] bash-5.2$ ls -l
total 0

@IgorTodorovskiIBM
Contributor

Thanks @gngrossi, appreciate the feedback. At the moment, I'm working on upstreaming Bash. How high of a priority are these sudo issues to you?

@gngrossi
Author

sudo is a low priority...no rush.
thanks

@gngrossi
Author

bash-5.2$ sudo -V
Sudo version 1.9.13p3
sudo: PERM_SUDOERS: setreuid(-1, 1): EDC5121I Invalid argument.
sudo: no valid sudoers sources found, quitting
sudo: error initializing audit plugin sudoers_audit

bash-5.2$ ls -l /etc/sudoers
-r--r----- 1 BPXROOT @ISZOST1 7149 Jun 21 11:27 /etc/sudoers

@gngrossi
Author

gngrossi commented Sep 5, 2023

bash-5.2$ sudo -V
Sudo version 1.9.13p3
sudo: PERM_SUDOERS: setreuid(-1, 1): EDC5121I Invalid argument.
sudo: no valid sudoers sources found, quitting
sudo: error initializing audit plugin sudoers_audit

@gngrossi
Author

We currently are running sudo using the older Ported Tools version.
bash-5.2$ /usr/lpp/ported/bin/sudo -V
Sudo version 1.7.2p2

--

bash-5.2$ ls -l /SYSA/etc/sudoers
-r--r----- 1 BPXROOT @ISZOST1 7149 Jun 21 11:27 /SYSA/etc/sudoers

bash-5.2$ which sudo
/hewitt/zopentools/guild/sudo-1.9.13p3/bin/sudo

bash-5.2$ sudo -V
Sudo version 1.9.13p3
sudo: PERM_SUDOERS: setreuid(-1, 1): EDC5121I Invalid argument.
sudo: no valid sudoers sources found, quitting
sudo: error initializing audit plugin sudoers_audit

@gngrossi
Author

gngrossi commented Oct 5, 2023

Installed the latest pax file.

bash-5.2$ sudo -V
Sudo version 1.9.13p3
sudo: PERM_SUDOERS: setreuid(-1, 1): EDC5121I Invalid argument.
sudo: no valid sudoers sources found, quitting
sudo: error initializing audit plugin sudoers_audit

@gngrossi
Author

Is there additional information I can provide?
thanks

@gngrossi
Author

Installed the latest pax file.
Followed the instructions regarding the chown and chmod commands. I did not copy to /usr/bin and /usr/sbin

Setting up sudo...

IMPORTANT NOTE: Installation of sudo is NOT COMPLETE.
For details on sudo, see: https://www.sudo.ws/releases/stable/#1.9.13p3
To finish installing sudo, run the following commands with elevated privileges:
BIN_SUDO='cvtsudoers sudo sudoedit sudoreplay'
SBIN_SUDO='sudo_logsrvd sudo_sendlog visudo'
SUDO_INSTALL_LOCAL=/hewitt/zopentools/guild/sudo-1.9.13p3
cd $SUDO_INSTALL_LOCAL/bin
cp $BIN_SUDO /usr/bin/
cd $SUDO_INSTALL_LOCAL/sbin
cp $SBIN_SUDO /usr/sbin/
cd /usr/bin
chown 0:0 $BIN_SUDO
cd /usr/sbin
chmod u+s $SBIN_SUDO
Review the $SUDO_INSTALL_LOCAL/etc/sudoers file.
Use visudo to create your own /etc/sudoers file.

Setup completed.

--
bash-5.2$ sudo -V
sudo: /hewitt/zopentools/guild/sudo-1.9.13p3/bin/sudo must be owned by uid 0 and have the setuid bit set

I used the previous instructions.
$ chown 0:0 /hewitt/zopentools/guild/sudo-1.9.13p3/bin/
$ chmod u+s /hewitt/zopentools/guild/sudo-1.9.13p3/bin/

bash-5.2$ ls -l /hewitt/zopentools/guild/sudo-1.9.13p3/bin/
-rwsr-xr-x 1 BPXROOT @ISZOST1 1552384 Oct 5 10:54 /hewitt/zopentools/guild/sudo-1.9.13p3/bin/cvtsudoers
-rwsr-xr-x 1 BPXROOT @ISZOST1 2019328 Oct 5 10:54 /hewitt/zopentools/guild/sudo-1.9.13p3/bin/sudo
lrwxrwxrwx 1 @02858 @ISCICS1 4 Oct 27 15:14 /hewitt/zopentools/guild/sudo-1.9.13p3/bin/sudoedit -> sudo
-rwsr-xr-x 1 BPXROOT @ISZOST1 1052672 Oct 5 10:54 /hewitt/zopentools/guild/sudo-1.9.13p3/bin/sudoreplay
-rwsr-xr-x 1 BPXROOT @ISZOST1 1282048 Oct 5 10:53 /hewitt/zopentools/guild/sudo-1.9.13p3/sbin/sudo_logsrvd
-rwsr-xr-x 1 BPXROOT @ISZOST1 1105920 Oct 5 10:53 /hewitt/zopentools/guild/sudo-1.9.13p3/sbin/sudo_sendlog
-rwsr-xr-x 1 BPXROOT @ISZOST1 1257472 Oct 5 10:54 /hewitt/zopentools/guild/sudo-1.9.13p3/sbin/visudo

--
bash-5.2$ sudo -V
Sudo version 1.9.13p3
sudo: PERM_SUDOERS: setreuid(-1, 1): EDC5121I Invalid argument.
sudo: no valid sudoers sources found, quitting
sudo: error initializing audit plugin sudoers_audit

@gngrossi
Author

gngrossi commented Dec 4, 2023

Is there any additional documentation I need to provide?
thanks

@gngrossi
Author

Installed the latest pax file.
Followed the post install instructions and ran the chown and chmod with elevated privileges.

Before...
-rwxr-xr-x 1 @02858 @ISCICS1 1634304 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/cvtsudoers
-rwxr-xr-x 1 @02858 @ISCICS1 2273280 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/sudo
lrwxrwxrwx 1 @02858 @ISCICS1 4 Feb 13 15:40 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/sudoedit -> sudo
-rwxr-xr-x 1 @02858 @ISCICS1 1146880 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/sudoreplay

-rwxr-xr-x 1 @02858 @ISCICS1 1470464 Feb 13 11:58 /hewitt/zopentools/guild/sudo-1.9.15p5/sbin/sudo_logsrvd
-rwxr-xr-x 1 @02858 @ISCICS1 1204224 Feb 13 11:58 /hewitt/zopentools/guild/sudo-1.9.15p5/sbin/sudo_sendlog
-rwxr-xr-x 1 @02858 @ISCICS1 1306624 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/sbin/visudo

After...
-rwxr-xr-x 1 BPXROOT @ISZOST1 1634304 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/cvtsudoers
-rwxr-xr-x 1 BPXROOT @ISZOST1 2273280 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/sudo
lrwxrwxrwx 1 @02858 @ISCICS1 4 Feb 13 15:40 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/sudoedit -> sudo
-rwxr-xr-x 1 BPXROOT @ISZOST1 1146880 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/sudoreplay

-rwsr-xr-x 1 @02858 @ISCICS1 1470464 Feb 13 11:58 /hewitt/zopentools/guild/sudo-1.9.15p5/sbin/sudo_logsrvd
-rwsr-xr-x 1 @02858 @ISCICS1 1204224 Feb 13 11:58 /hewitt/zopentools/guild/sudo-1.9.15p5/sbin/sudo_sendlog
-rwsr-xr-x 1 @02858 @ISCICS1 1306624 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/sbin/visudo

bash-5.2$ sudo -V
sudo: /hewitt/zopentools/guild/sudo-1.9.15p5/bin/sudo must be owned by uid 0 and have the setuid bit set

--

Then ran the previous instructions with chown and chmod on both the bin and sbin directories.
After...
-rwsr-xr-x 1 BPXROOT @ISZOST1 1634304 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/cvtsudoers
-rwsr-xr-x 1 BPXROOT @ISZOST1 2273280 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/sudo
lrwxrwxrwx 1 @02858 @ISCICS1 4 Feb 13 15:40 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/sudoedit -> sudo
-rwsr-xr-x 1 BPXROOT @ISZOST1 1146880 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/bin/sudoreplay

-rwsr-xr-x 1 BPXROOT @ISZOST1 1470464 Feb 13 11:58 /hewitt/zopentools/guild/sudo-1.9.15p5/sbin/sudo_logsrvd
-rwsr-xr-x 1 BPXROOT @ISZOST1 1204224 Feb 13 11:58 /hewitt/zopentools/guild/sudo-1.9.15p5/sbin/sudo_sendlog
-rwsr-xr-x 1 BPXROOT @ISZOST1 1306624 Feb 13 11:59 /hewitt/zopentools/guild/sudo-1.9.15p5/sbin/visudo

bash-5.2$ sudo -V
Sudo version 1.9.15p5
sudo: PERM_SUDOERS: setreuid(-1, 700100): EDC5139I Operation not permitted. (errno2=0x0B7A0000)
sudo: unable to open /etc/sudoers: EDC5139I Operation not permitted. (errno2=0x05DA0167)
sudo: error initializing audit plugin sudoers_audit

@gngrossi
Author

Any additional documentation needed?
thanks

bash-5.2$ pwd
/hewitt/zopentools/guild/sudo-1.9.15p5

bash-5.2$ bin/sudo -l
sudo: PERM_SUDOERS: setreuid(-1, 700100): EDC5139I Operation not permitted. (errno2=0x0B7A0000)
sudo: unable to open /etc/sudoers: EDC5139I Operation not permitted. (errno2=0x05DA0167)
sudo: error initializing audit plugin sudoers_audit

16:17:12 RC=(8) [SYSA] bash-5.2$ bin/sudo -V
Sudo version 1.9.15p5
sudo: PERM_SUDOERS: setreuid(-1, 700100): EDC5139I Operation not permitted. (errno2=0x0B7A0000)
sudo: unable to open /etc/sudoers: EDC5139I Operation not permitted. (errno2=0x05DA0167)
sudo: error initializing audit plugin sudoers_audit

@gngrossi
Author

From the z/OS log
[screenshot]

USS syslog
May 10 16:16:57 L98MPSYSA sudo: @02858 : unable to open /etc/sudoers : EDC5139I Operation not permitted. (errno2=0x055501B0) ; TTY=ttyp0000 ; PWD=/hewitt/zopentools/guild/sudo-1.9.15p5 ; USER=BPXROOT ;

@gngrossi
Author

Updated the etc/sudo.conf file by uncommenting the Plugin entries which shouldn't be needed since it's the default.
It looks like the plugin_dir was set incorrectly after the pax install...that was corrected.
But the sudoers.so file is missing.

[screenshot]

@IgorTodorovskiIBM
Contributor

Hi @gngrossi , I've changed our builds to build the sudoers statically, so there shouldn't be a .so file anymore.

@gngrossi
Author

Hello @IgorTodorovskiIBM
Installed sudo-1.9.15p5.20240611_202828 and seeing the same errors as before.
Also, after sourcing .env, the chmod u+s $SUDO_HOME/bin/* is missing from the NOTE.

Setting up sudo...

IMPORTANT NOTE: Installation of sudo is NOT COMPLETE.
For details on sudo, see: https://www.sudo.ws/releases/stable/#1.9.15p5
To finish installing sudo, run the following commands with elevated privileges:
SUDO_HOME=/hewitt/zopentools/guild/sudo-1.9.15p5
chown 0:0 $SUDO_HOME/bin/*
Review the $SUDO_HOME/etc/sudoers file.
Use visudo to create your own /etc/sudoers file.

Setup completed.

@IgorTodorovskiIBM
Contributor

Odd, I am seeing this:
[screenshot, 2024-06-12]

A few questions:

  1. Does id @02858 have access granted in the sudoers file?
     I have this:
root ALL=(ALL:ALL) ALL
ITODORO ALL=(ALL:ALL) NOPASSWD: ALL
  2. What permissions do you have for /etc/sudoers?
ls -l /etc/sudoers
-rw-r-----   1 BPXROOT  SYS1        3392 Jun 12 14:01 /etc/sudoers
  3. Do you have a BPXROOT id?
id BPXROOT
uid=0(BPXROOT) gid=0(SYS1)
  4. Do you have an id with a uid of 1?
tsocmd 'search class(user) uid(1)'

@gngrossi
Author

Using Rocket's tools
[screenshot]

Using IBM's Ported tools
[screenshot]

My RACF userid is uid=2858(@02858). All users, including me, do not have sudo ALL.

@IgorTodorovskiIBM
Contributor

Are you still getting this issue?

setreuid(-1, 1): EDC5121I Invalid argument.

1 is a uid here.

Curious if you have a uid of 1 present in your system:

tsocmd 'search class(user) uid(1)'

This is the relevant code:

  /*
   * If sudoers_uid == ROOT_UID and sudoers_mode is group readable
   * we use a non-zero uid in order to avoid NFS lossage.
   * Using uid 1 is a bit bogus but should work on all OS's.
   */
  if (sudoers_uid == ROOT_UID && (sudoers_mode & S_IRGRP))
      state->euid = 1;
  else
      state->euid = sudoers_uid;

@IgorTodorovskiIBM
Contributor

Actually, I updated that code to this:

-	if (sudoers_uid == ROOT_UID && (sudoers_mode & S_IRGRP))
+	if (sudoers_uid == ROOT_UID && (sudoers_mode & S_IRGRP)) {
+#ifdef __MVS__
+      /* uid 1 may not exist on z/OS, find the first non-zero uid */
+      struct passwd *pwd;
+      state->euid = -1;
+      setpwent();
+      while ((pwd = getpwent()) != NULL) {
+          if (pwd->pw_uid > 0) {
+              state->euid = pwd->pw_uid;
+              break;
+          }
+      }
+      endpwent();
+#else
 	    state->euid = 1;
+#endif
+  }
 	else
 	    state->euid = sudoers_uid;
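Review bot: in the `#ifdef __MVS__` branch, `state->euid` is initialised to -1 and only assigned inside the `getpwent()` loop, so when no entry with `pw_uid > 0` is found the code continues with `euid == (uid_t)-1`, and the later `setreuid(-1, euid)` then leaves the effective uid unchanged instead of dropping to a non-root uid, silently losing the protection the original comment describes; add an explicit fallback after `endpwent()`, for example `if (state->euid == (uid_t)-1) state->euid = sudoers_uid;` together with a warning. Taking the first `pw_uid > 0` that `getpwent()` happens to return also makes the chosen uid depend on enumeration order and can land on an arbitrary real account (the 700100 in the reporter's output), and the loop walks the whole user database on every sudoers read; a single dedicated or configured non-root uid, validated once with `getpwuid()`, would be more predictable and cheaper. Minor: the added `}` on its own line before `else` does not match the brace style of the surrounding code.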

Instead of choosing a uid of 1, it finds an existing id and grabs the name. Looking at your later error messages:

sudo: PERM_SUDOERS: setreuid(-1, 700100): EDC5139I Operation not permitted. (errno2=0x0B7A0000)

The euid of 700100 is chosen. Is that a valid uid on your system?
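The decision discussed above, as an added diagnostic (not sudo's code and not the z/OS port's): it reproduces the PERM_SUDOERS euid choice from the quoted sudo source so an administrator can check, before running sudo, whether the uid it will switch to actually exists. `uid_in_zos_like_db` is a constructed user database modelled on the uids mentioned in this thread, and `diagnose_sudoers` is a hypothetical helper name.

```c
#include <pwd.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

#define ROOT_UID 0
/* Lookup callback so the decision can run against a constructed user database too. */
typedef int (*uid_exists_fn)(uid_t uid);

/* Real lookup: is the uid present in this system's user database? */
int uid_in_passwd(uid_t uid) { return getpwuid(uid) != NULL; }

/* Constructed stand-in for the reporter's z/OS system: no uid 1, only uids named in the thread. */
int uid_in_zos_like_db(uid_t uid) { return uid == 0 || uid == 2858 || uid == 700100; }

/* The euid PERM_SUDOERS switches to, as in the quoted sudo code: a root-owned,
 * group-readable sudoers file is read as uid 1, anything else as its owner. */
uid_t sudo_sudoers_euid(uid_t sudoers_uid, mode_t sudoers_mode)
{
    if (sudoers_uid == ROOT_UID && (sudoers_mode & S_IRGRP))
        return 1;
    return sudoers_uid;
}

/* 1 if the euid sudo would pick exists, 0 if not (the setreuid(-1, 1) EINVAL
 * case from the issue). *euid_out receives the uid that would be tried. */
int sudoers_euid_resolvable(uid_t sudoers_uid, mode_t sudoers_mode,
                            uid_exists_fn uid_exists, uid_t *euid_out)
{
    uid_t euid = sudo_sudoers_euid(sudoers_uid, sudoers_mode);
    if (euid_out != NULL)
        *euid_out = euid;
    return uid_exists(euid) ? 1 : 0;
}

/* Stat a sudoers file and report what sudo will try, using the real user database. */
int diagnose_sudoers(const char *path)
{
    struct stat sb;
    uid_t euid;
    if (stat(path, &sb) != 0) {
        perror(path);
        return -1;
    }
    int ok = sudoers_euid_resolvable(sb.st_uid, sb.st_mode, uid_in_passwd, &euid);
    printf("%s: owner uid %ld, mode %04o: sudo will setreuid(-1, %ld); that uid %s\n",
           path, (long)sb.st_uid, (unsigned)(sb.st_mode & 07777), (long)euid,
           ok ? "exists" : "is NOT in the user database");
    return ok;
}
int main(int argc, char **argv) { return diagnose_sudoers(argc > 1 ? argv[1] : "/etc/sudoers") == 1 ? 0 : 1; }
```

Run it against the file sudo actually reads (the thread shows 0440 BPXROOT-owned sudoers, which takes the uid 1 branch) to see the mismatch before sudo reports it.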

@gngrossi
Author

@IgorTodorovskiIBM We do not have a UID of 1.

@gngrossi
Author

@IgorTodorovskiIBM Yes, UID 700100 is being used on our sysplex.

@gngrossi
Author

@IgorTodorovskiIBM Upgraded sudo...success. Well done...thanks.
I will begin testing the rules. What did you need to fix? I'm curious about the UIDs.

bash-5.2$ sudo -V
Sudo version 1.9.15p5
Sudoers policy plugin version 1.9.15p5
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.15p5
Sudoers audit plugin version 1.9.15p5

@gngrossi
Author

@IgorTodorovskiIBM
Do you know why this syslog message is issued?

[screenshot]

@IgorTodorovskiIBM
Contributor

@IgorTodorovskiIBM Do you know why this syslog message is issued?

Assuming you don't get that message with Rocket's port?

Regarding the setreuid issue, I was checking IBM's old port and that line was guarded out; sudo's comment indicates it's to prevent "NFS lossage". I looked at Rocket's code also and they guard it out as well, which is probably why it worked for you.

@gngrossi
Author

@IgorTodorovskiIBM
The RACF ICH408I security error occurs with the Rocket port but not with the IBM Ported tools port.

[screenshot]

Sharing...here are the file permissions for Ported Tools sudo:
[screenshot]

@gngrossi
Author

@IgorTodorovskiIBM

[screenshot]

@gngrossi
Author

gngrossi commented Oct 4, 2024

Upgraded sudo...same results as 6/14
