graftcp sudo does not work #11

Closed
hellobbn opened this issue Dec 27, 2018 · 14 comments

@hellobbn

Describe the bug
graftcp sudo does not work, so graftcp yay, which uses it, will cause an error.

To Reproduce
Try command graftcp sudo or graftcp yay

sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?

Additional context
I found some notes here

For security reasons, the setuid bit and ptrace (used to run binaries under a debugger) cannot both be honored at the same time. Failure to enforce this restriction in the past led to CVE-2001-1384.

So maybe this will not be fixed? (I am not familiar with this)

@hmgle
Owner

hmgle commented Dec 27, 2018

sudo graftcp sudo will work.

@hmgle
Owner

hmgle commented Dec 27, 2018

By the way, if the graftcp-local is not started by the system, you should run sudo ./graftcp-local to use sudo graftcp sudo.

@hellobbn
Author

hellobbn commented Dec 27, 2018

Thanks for your reply!
But some programs, like makepkg in Arch Linux, will fail if executed by root; instead, they will request root later.
Can programs of this kind be supported?

➜ yay               
[sudo] password for xxx: 

@hmgle
Owner

hmgle commented Dec 27, 2018

You can try this:

$ sudo graftcp bash # or zsh, fish...
$ whoami
root
$ yay

As a root, do anything you wanna do 😁

@hellobbn
Author

Hmmmm, yes, it could work on some programs. But some force you to run as non-root; if you run them as root, they give an error immediately.

@hmgle
Owner

hmgle commented Dec 30, 2018

Do you mean that root's environment does not match the non-root user's environment, so that it causes an environment dependency error? You can try sudo -E graftcp bash.

@hellobbn
Author

Sorry, but I don't understand.
Let me take makepkg as an example:
if run as root:

[root@hellobbn ~]# makepkg
==> ERROR: Running makepkg as root is not allowed as it can cause permanent,
catastrophic damage to your system.

@hmgle
Owner

hmgle commented Dec 31, 2018

@hellobbn Thank you for your example.
I think it can be solved like this:
Do not run the following script: it will elevate the privileges of the tracked process to root, which is risky.

$ sudo chown root:root graftcp
$ sudo chmod a+s graftcp
# Then you can use graftcp to trace sudo...
$ graftcp bash
➜ makepkg

@hmgle hmgle closed this as completed Jan 3, 2019
@bookyue

bookyue commented Sep 2, 2019

Hi, hmgle.
I think hellobbn's problem was about fakeroot.
It gives a fake root environment, to remove the need to become root for a package build.
And graftcp can't work with it. Like yay etc. graftcp yay

sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?

@hmgle hmgle reopened this Sep 3, 2019
@ManiaciaChao

@hellobbn Thank you for your example.
I think it can be solved like this:

$ sudo chown root:root graftcp
$ sudo chmod a+s graftcp
# Then you can use graftcp to trace sudo...
$ graftcp bash
➜ makepkg

However, this workaround works well in almost every case. To make it easier, you can write a shell script proxy-yay like below:

#!/bin/sh
# Forward every argument as its own word; "yay $@" would pass only the first one to yay.
graftcp sh -c 'yay "$@"' sh "$@"

Then you just need to use proxy-yay instead of yay, or set it as an alias of yay.

@kabehada5s

Can I use graftcp on Alpine?

@fangzhen
Contributor

fangzhen commented Jul 6, 2023

Hi,
Error message now reads:

$ graftcp yay
sudo: The "no new privileges" flag is set, which prevents sudo from running as root.
sudo: If sudo is running in a container, you may need to adjust the container configuration to disable the flag.
 -> error refreshing databases - exit status 1

In this commit, the PR_SET_NO_NEW_PRIVS flag is set, which I think causes the new error message.

A workaround:

	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
		perror("prctl(PR_SET_NO_NEW_PRIVS)");
		exit(errno);
	}

Remove these lines, and run the command like this, which runs graftcp as root and yay as a non-root user.

sudo ./graftcp sudo -u <your-username> yay
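
Added example, not part of the thread and not graftcp's code: a small C program showing why the flag named in the comment above stops sudo. Once a launcher sets no_new_privs, every process it forks inherits the bit and cannot clear it, so a later exec of a setuid binary gains nothing. The function names are chosen for this illustration.

```c
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* no_new_privs bit of the calling process: 0 or 1, -1 on error. */
static int current_nnp(void)
{
	return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/*
 * Fork a "launcher" that optionally sets no_new_privs (as the lines quoted
 * above do), then fork a "tracee" from it and report the bit the tracee sees.
 * Everything happens in children, so the caller's own bit is untouched.
 * Returns 0 or 1, or -1 on failure.
 */
static int nnp_seen_by_child(int set_flag)
{
	int st;
	pid_t launcher = fork();
	if (launcher < 0)
		return -1;
	if (launcher == 0) {
		if (set_flag && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
			_exit(2);
		pid_t tracee = fork();
		if (tracee < 0)
			_exit(2);
		if (tracee == 0) {
			/* The bit is one-way: asking for 0 fails with EINVAL. */
			prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0);
			_exit(current_nnp() == 1 ? 1 : 0);
		}
		if (waitpid(tracee, &st, 0) < 0 || !WIFEXITED(st))
			_exit(2);
		_exit(WEXITSTATUS(st));
	}
	if (waitpid(launcher, &st, 0) < 0 || !WIFEXITED(st))
		return -1;
	return WEXITSTATUS(st) == 2 ? -1 : WEXITSTATUS(st);
}

int main(void)
{
	printf("this process:             %d\n", current_nnp());
	printf("tracee, flag not set:     %d\n", nnp_seen_by_child(0));
	printf("tracee, flag set by parent: %d\n", nnp_seen_by_child(1));
	return 0;
}
```

The same bit is visible from outside the process as the NoNewPrivs field in /proc/<pid>/status.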

@hmgle
Owner

hmgle commented Jul 6, 2023

Thank you for your feedback.

Introducing PR_SET_NO_NEW_PRIVS indeed brings new restrictions to gain superuser privileges. I'll look into a solution to this problem. If you have any new ideas, feedback is welcome.

hmgle added a commit that referenced this issue May 31, 2024
When tracing a process that needs to execute setuid(2) or similar
operations that require privilege escalation (e.g., sudo), it is necessary
to avoid calling prctl(PR_SET_NO_NEW_PRIVS, 1). This call would prevent the
tracee process from gaining the required privileges, leading to failures.

Related issue #11 #11 (comment)
@hmgle
Owner

hmgle commented May 31, 2024

@fangzhen I saw the solution implemented in strace and copied the code over. Now the command can be executed perfectly. Thanks to strace.

@hmgle hmgle closed this as completed in a0ed0cd Jun 1, 2024