sudo in av_scanner script: effective uid is not 0

Andreas Büthe abuethe at novomind.com
Fri Jul 13 14:47:44 CEST 2018


Hi everyone,

I want to implement a commercial av scanner into amavis scanning. For this purpose, a wrapper script has been written that contains a sudo call.
When I run the script as user 'amavis' from the commandline everything works fine. When it's run as a result of the av_scanners call, it fails with the following error message though:
    run_av (Test Antivirus) FAILED - unexpected exit 1, output="sudo: unable to change to root gid: Operation not permitted\nsudo: unable to initialize policy plugin"

With an 'strace' on the sudo command itself, the error message is:
    effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges
Confusingly, a 'Permission denied' occurs in this 'strace' on '/etc/sudo.conf' although the process should be root at this point.

The version used is 'amavisd-new 2.11.0-2el7' (CentOS 7 from epel) without chroot. I checked basics like the suid bit on /usr/bin/sudo; the filesystem / on which /usr resides is not mounted 'nosuid'; SELinux is currently disabled for testing purposes, etc.
I somehow assume that my problem has to do with the read-only filesystem remounts in the amavis worker.

You'll find the necessary problem description below, I hope. Do you have an idea or need further information?

Best regards,
Andreas

---- configuration details ----

 /etc/amavisd/amavisd.conf
[...]
@av_scanners = (

  ['Test Antivirus',
   '/opt/antivirus/test.sh',
   '-s {}',
   qr/\bThreats found:\s+0\b/m,
   qr/\bThreats found:\s+[1-9]\d*\b/m,
   /./
  ],

);
[...]

---- positive result from shell ----

$ su - amavis -s /bin/bash
-bash-4.2$ /usr/bin/id
uid=508(amavis) gid=508(amavis) groups=508(amavis) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-bash-4.2$ sudo /usr/bin/id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

---- my test script ----

$ vi /opt/antivirus/test.sh
#! /bin/bash

/usr/bin/id > ~/id.txt
sudo /usr/bin/id >> ~/id.txt

ls -l /usr/bin/sudo /etc/sudoers /etc/sudo.conf > ~/sudo_perms.txt

findmnt -lo source,target,fstype,label,options,used > ~/findmnt.txt

strace -s 512 sudo id > ~/strace_id.txt 2>&1

---- results of the test script when run via run_av ----

$ cat ~/id.txt # second line missing, sudo not successful
uid=508(amavis) gid=508(amavis) groups=508(amavis) context=system_u:system_r:antivirus_t:s0

$ cat ~/sudo_perms.txt # suid bit is set, rest of permissions is centos-default as well
-rw-r-----. 1 root root   1786 Jun 26 20:07 /etc/sudo.conf
-r--r-----. 1 root root   4667 Jul 13 13:18 /etc/sudoers
---s--x--x. 1 root root 143248 Jun 27 20:03 /usr/bin/sudo

$ grep -E "SOURCE|^/dev" findmnt.txt # file is attached if you need further details
SOURCE                                                                                                      TARGET                          FSTYPE      LABEL OPTIONS                                                                                                   USED
/dev/mapper/vg01-root                                                                                       /                               xfs               rw,relatime,seclabel,attr2,inode64,noquota                                                                  6G
/dev/sda1                                                                                                   /boot                           xfs               ro,relatime,seclabel,attr2,inode64,noquota                                                              309.1M
/dev/mapper/vg02-srv                                                                                        /srv                            xfs               rw,relatime,seclabel,attr2,inode64,noquota                                                              650.6M
/dev/mapper/vg01-root[/tmp/systemd-private-d12bc474211b4beb8ef887951c75f901-amavisd.service-9PDyaf/tmp]     /tmp                            xfs               rw,relatime,seclabel,attr2,inode64,noquota                                                                  6G
/dev/mapper/vg01-root[/var/tmp/systemd-private-d12bc474211b4beb8ef887951c75f901-amavisd.service-IAPlVY/tmp] /var/tmp                        xfs               rw,relatime,seclabel,attr2,inode64,noquota                                                                  6G
/dev/mapper/vg01-root[/etc]                                                                                 /etc                            xfs               ro,relatime,seclabel,attr2,inode64,noquota                                                                  6G

$ grep -E "execve|EACCES|/usr/bin/sudo|write" strace_id.txt # file is attached if you need further details
execve("/usr/bin/sudo", ["sudo", "id"], [/* 13 vars */]) = 0
open("/etc/sudo.conf", O_RDONLY)        = -1 EACCES (Permission denied)
access("/usr/bin/sudo", X_OK)           = 0
stat("/usr/bin/sudo", {st_mode=S_IFREG|S_ISUID|0111, st_size=143248, ...}) = 0
write(2, "sudo", 4sudo)                     = 4
write(2, ": ", 2: )                       = 2
write(2, "effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?", 133effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?) = 133
write(2, "\n", 1

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: findmnt.txt
URL: <http://lists.amavis.org/pipermail/amavis-users/attachments/20180713/3c1085da/attachment.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: strace_id.txt
URL: <http://lists.amavis.org/pipermail/amavis-users/attachments/20180713/3c1085da/attachment-0001.txt>
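
Added example, not part of the original post: a small shell helper that repeats the checks described above (is the mount holding a path 'nosuid' or read-only, and which SELinux type does each 'id' run report) over data taken from the post. The function names and the two-column "TARGET OPTIONS" input form are assumptions made for this illustration.

```bash
# Mounts from the post's findmnt output, reduced to "TARGET OPTIONS"
# (the form printed by: findmnt -rno TARGET,OPTIONS). Constructed sample.
SAMPLE_MOUNTS='/ rw,relatime,seclabel,attr2,inode64,noquota
/boot ro,relatime,seclabel,attr2,inode64,noquota
/srv rw,relatime,seclabel,attr2,inode64,noquota
/etc ro,relatime,seclabel,attr2,inode64,noquota'
# id(1) lines copied from the post: interactive shell vs. run via run_av.
ID_SHELL='uid=508(amavis) gid=508(amavis) groups=508(amavis) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
ID_RUN_AV='uid=508(amavis) gid=508(amavis) groups=508(amavis) context=system_u:system_r:antivirus_t:s0'

# Print the options of the mount that holds path $1; the longest matching
# mount target wins. Reads "TARGET OPTIONS" lines on stdin.
mount_opts_for() {
    awk -v p="$1" '
        {
            t = $1
            pre = (t == "/") ? "/" : t "/"
            if ((p == t || index(p, pre) == 1) && length(t) > best) {
                best = length(t); opts = $2
            }
        }
        END { print opts }'
}

# Succeed if the comma-separated option list $1 contains option $2.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# Extract the SELinux type (third context field) from a line of id(1) output.
selinux_type() {
    printf '%s\n' "$1" | sed -n 's/.*context=[^:]*:[^:]*:\([^:]*\).*/\1/p'
}

# Report whether path $1 sits on a nosuid and/or read-only mount.
check_path() {
    opts=$(printf '%s\n' "$SAMPLE_MOUNTS" | mount_opts_for "$1")
    has_opt "$opts" nosuid && s=nosuid || s=suid-ok
    has_opt "$opts" ro && r=ro || r=rw
    echo "$1: $s $r"
}

check_path /usr/bin/sudo     # /usr/bin/sudo: suid-ok rw
check_path /etc/sudo.conf    # /etc/sudo.conf: suid-ok ro
echo "shell: $(selinux_type "$ID_SHELL")  run_av: $(selinux_type "$ID_RUN_AV")"
```

On a live system, replace the sample with the output of 'findmnt -rno TARGET,OPTIONS' captured from inside the wrapper script, so that the mount namespace seen by the amavis worker is the one being checked.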

