setresuid() Operation not permitted when performing a sudo -iu #1415

Closed
crozone opened this issue Nov 24, 2016 · 6 comments

@crozone
crozone commented Nov 24, 2016

On Ubuntu, it's fairly common to switch users using the `sudo -iu <username>` command.

Issue: On BoUoW, `sudo -iu <username>` from a non-root user account returns the error `sudo: setresuid() [1000, 1001, 1000] -> [-1, 0, -1]: Operation not permitted`.

Workaround: Become root before executing `sudo -iu <username>`. The easiest method is to run `sudo sudo -iu <username>`, which runs the second sudo as root.

The workaround is acceptable for the time being; however, it requires a user to have root access via sudo, whilst `sudo -iu <username>` can allow non-root users to switch to other non-root users directly based on user-specific permissions.

@fpqc
fpqc commented Nov 24, 2016

Can't you `sudo su username`? That works here, and it is one fewer character.

@crozone
Author

crozone commented Feb 1, 2017

`sudo su <username>` is subtly different to `sudo -iu <username>`.

`sudo su <username>` effectively says "use sudo privileges to become root, and then from root use that privilege to become `<username>`". It's pretty much the same thing as `sudo sudo -u <username>`: the current user requires privileges to become root first, and then nothing else matters.

On the other hand, `sudo -iu <username>` says "use sudo privileges to become `<username>` directly"; the user doesn't actually need root access, only permissions to become `<username>`. It also logs in using an interactive session which runs `.profile` etc. (like doing a `sudo su -l <username>`).

None of this matters much for BoUoW scenarios since root access is pretty standard, but it's a bug regardless.

@valeryan
valeryan commented Apr 18, 2017

Several programs I use in Linux perform actions such as `sudo -u username ln -s $target $link` and they fail in WSL. So pretty much any script or program that wants to do an action on the part of the current user would grab the user and do a `sudo -u username` command to accomplish the action on behalf of the user. This is a pretty common thing in Linux scripts.

Error Output:

```
sudo: setresuid() [1000, 1000, 1000] -> [-1, 0, -1]: Operation not permitted
sudo: unable to set runas group vector: Operation not permitted
sudo: PERM_ROOT: setresuid(0, -1, 0): Operation not permitted
username is not in the sudoers file.  This incident will be reported.
```

@stehufntdev
Collaborator

Marking this as a bug for tracking.

@SheepReaper

Encountered this while building ALFS from Linux From Scratch through Bash on Windows.

```
bryan@DESKTOP-EA4JA04:/mnt/c/lfs/build_dir/jhalfs$ make
--------------------------------------------------------------------------------
mk_LUSER
You are going to log into the user account lfs
sudo requires a password
sudo: setresuid() [1000, 1001, 1000] -> [-1, 0, -1]: Operation not permitted
sudo: unable to set runas group vector: Operation not permitted
sudo: unable to mkdir /var/run/sudo: Permission denied
[sudo] password for bryan:
sudo: PERM_ROOT: setresuid(0, -1, 0): Operation not permitted
bryan is not in the sudoers file.  This incident will be reported.
Makefile:77: recipe for target 'mk_LUSER' failed
make: *** [mk_LUSER] Error 1
```

@benhillis
Member

I have drafted a fix for this - marking as a duplicate of #962.
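
Added example, not part of the original thread or of any project's code: a small C checker that parses sudo's `setresuid() [real, effective, saved] -> [requested]` diagnostic, as quoted in the error output above, and applies the Linux setresuid(2) rule for callers without CAP_SETUID. The function names and the third sample line are constructed for illustration, and user-namespace UID mapping is ignored.

```c
#include <stdbool.h>
#include <stdio.h>

/* Real, effective and saved UID; -1 in a request means "leave unchanged". */
struct ids { long r, e, s; };

/* True if `want` is -1 or equals one of the caller's current three UIDs. */
static bool allowed_id(long want, const struct ids *cur)
{
    return want == -1 || want == cur->r || want == cur->e || want == cur->s;
}

/* setresuid(2) permission rule on Linux (user-namespace mapping ignored):
 * with CAP_SETUID any IDs may be set; without it each requested ID must
 * pass allowed_id(). */
static bool setresuid_permitted(const struct ids *cur, const struct ids *req,
                                bool cap_setuid)
{
    return cap_setuid || (allowed_id(req->r, cur) && allowed_id(req->e, cur) &&
                          allowed_id(req->s, cur));
}

/* Parse sudo's "setresuid() [cur] -> [req]" diagnostic and evaluate it.
 * Returns 1 if permitted, 0 if the kernel would answer EPERM, -1 if the
 * line is not in that format. */
static int check_line(const char *line, bool cap_setuid)
{
    struct ids cur, req;
    int n = sscanf(line, "sudo: setresuid() [%ld, %ld, %ld] -> [%ld, %ld, %ld]",
                   &cur.r, &cur.e, &cur.s, &req.r, &req.e, &req.s);
    if (n != 6)
        return -1;
    return setresuid_permitted(&cur, &req, cap_setuid) ? 1 : 0;
}

int main(void)
{
    const char *lines[] = {
        /* The two lines below are copied from the error output in this thread. */
        "sudo: setresuid() [1000, 1001, 1000] -> [-1, 0, -1]: Operation not permitted",
        "sudo: setresuid() [1000, 1000, 1000] -> [-1, 0, -1]: Operation not permitted",
        /* Constructed for contrast: same request, but the saved UID is 0. */
        "sudo: setresuid() [1000, 1001, 0] -> [-1, 0, -1]",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-80s => %d\n", lines[i], check_line(lines[i], false));
    return 0;
}
```

Both lines from the thread evaluate to 0 (EPERM): none of the three current UIDs is 0, so the request for effective UID 0 can only succeed for a caller holding CAP_SETUID.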
