[sudo-users] sudo in chroot with chmod 750 /

Steve Brueckner steve at atc-nycorp.com
Thu Feb 24 09:24:16 EST 2005


Steve Brueckner wrote:
> I'm trying to use sudo in an unusual situation:
>  - inside a chrooted directory
>  - to decrease privilege from root to a regular user
>  - with the chrooted directory at chmod 750 instead of 755
> 
> I can use sudo in such a way when the chrooted directory is chmod
> 755, but when I chmod it to 750 I get the following error: 
> 
> (This command is run inside chroot)
> # sudo /home/steve/eclipse/eclipse
> sudo: can't open /etc/sudoers: Permission denied
> can not chdir (/var/spool/clientmqueue/): Permission denied
> Program mode requires special privileges, e.g., root or TrustedUser.
> 
> Same thing happens when I try this:
> # sudo -u steve /home/steve/eclipse/eclipse
> But I'm trying to tell root to run eclipse as steve in sudoers
> instead of on the command line. 
> 
> I need the chrooted directory at chmod 750, since I'm using it not so
> much as a jail but as a separate protection domain. 
> 
> I've Googled around, and all the problems people have with sudo and
> /var/spool/clientmqueue are related to sendmail.  But I'm trying to
> run Eclipse, not sendmail, so I've got to wonder why sudo even tries
> to go into the clientmqueue directory.   
> 
> I also don't understand why permission is denied to /etc/sudoers.  I
> assume this is the sudoers file inside the chrooted directory.  I
> would think that since I'm starting sudo as root, it would let me
> read the file.  Only after I read the sudoers file would I expect to
> lose my root privilege.    
> 
> I find that I can simply do this once inside chroot:
> # su steve -c /home/steve/eclipse/eclipse
> But I don't want su inside of my chrooted directory; that's why I'm
> trying to get sudo to work in there. 
> 
> I use sudo to get into the chroot jail in the first place.
> Here's my "real" sudoers (outside the jail):
> root ALL=(ALL) ALL
> steve ALL=(root) NOPASSWD: /usr/sbin/chroot
> 
> Here's my sudoers inside the jail:
> Defaults: path_info, !authenticate
> Defaults: root runas_default=steve
> root ALL=(ALL) ALL
> root ALL=(steve) NOPASSWD: /home/steve/eclipse/eclipse
> 
> I've got nearly my entire filesystem replicated in the chroot
> directory, including passwd, shadow, and sudoers.  These three files
> also have the same permissions as the "real" ones.  
> 
> Any ideas on what is going on are appreciated!
> 
> Thanks,
> 
> Steve Brueckner, ATC-NY

Well, it looks like the problem had to do with group IDs not getting set.  I
added group steve to root's list of groups in /etc/group and
/chroot-dir/etc/group (probably only needed to do this in one or the other)
and sudo now works to drop privilege from root to steve with the chroot
directory at chmod 750.

I'm still confused as to why root couldn't open /etc/sudoers, though.  

And why sudo tries to access the sendmail directory.

Steve Brueckner, ATC-NY
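The fix reported above (adding group steve to root's group list) is consistent with an ordinary discretionary-access check on the chroot directory. The following Python model is an added illustration, not code from the thread or from sudo: it walks a path the way the kernel does (search permission on every directory, then the requested permission on the leaf) and reports the first component that denies. It assumes, as sudo 1.6-era releases do when opening a root-owned, group-readable sudoers, that the open happens under a non-root effective uid, so root's DAC bypass does not apply and the 750 jail root is only traversable through its group bits. The uid/gid values and the root:steve ownership of the jail directory are constructed for the example; the thread does not state them.

```python
"""Model of the POSIX DAC path walk, applied to the sudo-in-chroot scenario.
Constructed example; ids and ownership below are assumptions, not thread data."""
from dataclasses import dataclass

READ, WRITE, EXEC = 4, 2, 1   # permission bits, same encoding as chmod

# Constructed ids: the thread does not give the real values.
ROOT_UID, ROOT_GID = 0, 0
STEVE_UID, STEVE_GID = 1000, 1000
SUDOERS_EUID = 1   # assumed non-root euid sudo switches to while opening sudoers


@dataclass(frozen=True)
class Creds:
    """Credentials the kernel consults for a DAC check."""
    uid: int
    gid: int
    groups: frozenset = frozenset()   # supplementary groups (from /etc/group)


@dataclass(frozen=True)
class Inode:
    owner: int
    group: int
    mode: int                          # permission bits only, e.g. 0o750


def dac_allows(creds, inode, want):
    """Owner/group/other selection exactly as POSIX specifies. uid 0 bypasses
    the check (CAP_DAC_OVERRIDE); executing a regular file as root is not
    modelled, only read/write/search."""
    if creds.uid == 0:
        return True
    if creds.uid == inode.owner:
        bits = (inode.mode >> 6) & 7
    elif creds.gid == inode.group or inode.group in creds.groups:
        bits = (inode.mode >> 3) & 7
    else:
        bits = inode.mode & 7
    return bits & want == want


def first_denied_component(creds, fs, path, leaf_want=READ):
    """Walk `path`: each directory on the way needs search (x), the leaf needs
    `leaf_want`. Returns the first path that refuses, or None when allowed."""
    cur = "/"
    for comp in [p for p in path.split("/") if p]:
        if not dac_allows(creds, fs[cur], EXEC):
            return cur
        cur = cur.rstrip("/") + "/" + comp
    return None if dac_allows(creds, fs[cur], leaf_want) else cur


def jail(root_mode):
    """The view from inside the chroot: '/' is the chroot directory itself.
    Ownership root:steve for the jail root is a constructed assumption."""
    return {
        "/":            Inode(ROOT_UID, STEVE_GID, root_mode),
        "/etc":         Inode(ROOT_UID, ROOT_GID, 0o755),
        "/etc/sudoers": Inode(ROOT_UID, ROOT_GID, 0o440),
    }


def sudo_open_creds(root_groups=frozenset()):
    """Credentials in effect while sudo opens sudoers: non-root euid, root's
    gid, and whatever supplementary groups root had when sudo started."""
    return Creds(SUDOERS_EUID, ROOT_GID, frozenset(root_groups))


def explain(root_mode, creds):
    denied = first_denied_component(creds, jail(root_mode), "/etc/sudoers")
    return "ok" if denied is None else f"EACCES at {denied}"


if __name__ == "__main__":
    cases = (
        ("real uid 0, no euid switch", Creds(ROOT_UID, ROOT_GID)),
        ("euid 1, root not in group steve", sudo_open_creds()),
        ("euid 1, root added to group steve", sudo_open_creds({STEVE_GID})),
    )
    for mode in (0o755, 0o750):
        for label, creds in cases:
            print(f"chroot dir {mode:o}, {label}: {explain(mode, creds)}")
```

With the jail root at 755 every credential set reaches /etc/sudoers through the "other" bits; at 750 the non-root euid is stopped at the jail root unless group steve is among its supplementary groups, which is the behaviour the list post describes. The second message in the quoted error is sendmail's, produced when sudo invokes the mailer to report the failure to root; that path is outside this model.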
