Is sudo working for others?

[fraternl]

sudo doesn't work on my Freetz-NG box.
I'm not sure, but I suspect it's not working for anyone.
If I know it's working for others I can see if I can do a clean install with only this package selected.
It's a 7590 International box.

sudo ping 127.0.0.1
sudo: error in /mod/etc/sudo.conf, line 0 while loading plugin "sudoers_policy"
sudo: unable to load /usr/lib/sudo/sudoers.so: File not found
sudo: fatal error, unable to load plugins

I'm expecting it to do this:

sudo ping -c2 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: seq=0 ttl=64 time=0.947 ms
64 bytes from 127.0.0.1: seq=1 ttl=64 time=0.301 ms

--- 127.0.0.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.301/0.624/0.947 ms

Anyone knows how to fix this?

BTW: /mod/etc/sudo.conf doesn't exist in either boxes (not on the working box nor on the non-working one). The working one is an old Freetz box compiled years ago.

Working box:

find / -name \*.so 2>/dev/null | grep sud
/usr/lib/freetz/libsudo_noexec.so

Non-working box:

find / -name \*.so 2>/dev/null | grep sud
/usr/lib/freetz/libsudo_util.so

In make/pkgs/sudo/sudo.mk there's this line
grep ".so" make/pkgs/sudo/sudo.mk
$(PKG)_LIBS:=lib$(pkg)_util.so

In the old Freetz the line is this:
grep ".so" make/sudo/sudo.mk
$(PKG)_LIBS:=lib$(pkg)_noexec.so

[fda77]

Maybe you need to set the lib path in the conf additional? Compile time looks good:

readelf -a packages/target-mips_gcc-13.2.0_uClibc-1.0.44-nptl_kernel-4.9/sudo-1.9.14p3/root/usr/bin/sudo|grep -E "ATH|EED"
 0x00000001 (NEEDED)                     Shared library: [libsudo_util.so.0]
 0x00000001 (NEEDED)                     Shared library: [libc.so.0]
 0x00000001 (NEEDED)                     Shared library: [ld-uClibc.so.1]
 0x0000001d (RUNPATH)                    Library runpath: [/usr/lib/freetz]

There are example files:

source/target-mips_gcc-13.2.0_uClibc-1.0.44-nptl_kernel-4.9/sudo-1.9.14p3/etc/init.d/sudo.conf
source/target-mips_gcc-13.2.0_uClibc-1.0.44-nptl_kernel-4.9/sudo-1.9.14p3/examples/sudo.conf

/mod/etc/sudoers is linked to /tmp/flash/sudo/sudoers which could be configured by webif. Changed this filename?

[fda77]

Interesting configure options

--disable-shared-libutil  Disable use of the libsudo_util shared library.
--with-libpath            additional places to look for libraries

[fraternl]

--disable-shared-libutil Disable use of the libsudo_util shared library.

This option isn't in the old pre-fork, but maybe that was then done by default. It will be one of the first I will be trying.

[fraternl]

configure: error: --disable-shared-libutil may only be specified with --enable-static-sudoers or when dynamic linking is disabled.

I am compiling now with --enable-static-sudoers, but I guess no sudoers will be read from /etc/sudoers.d/ nor from /mod/etc/sudoers

compile failed...

[fraternl]

/mod/etc/sudoers is linked to /tmp/flash/sudo/sudoers which could be configured by webif. Changed this filename?
No, that one exists.

ls -l /mod/etc/sudoers
lrwxrwxrwx    1 root     root            23 Jan  1  1970 /mod/etc/sudoers -> /tmp/flash/sudo/sudoers

It's the /mod/etc/sudo.conf that's missing. It is also missing on the old working pre-fork one.

I will now start to experiment with a completely new clone of freetz-ng

mv freetz-ng freetz-ng.old
git clone https://github.com/Freetz-NG/freetz-ng.git
cd freetz-ng
make menuconfig    (change nothing)
cp -p .config .config.virgin
make menuconfig   (enable International, sudo, su, avm-portfw)
cp -p .config .config.int.with-sudo-su-portfw
diff .config .config.int.with-sudo-su-portfw
make
make

It's now compiling. I will edit this post later.

[fraternl]

diff .config .config.virgin
18,19c18,19
< # FREETZ_USER_LEVEL_BEGINNER is not set
< FREETZ_USER_LEVEL_EXPERT=y
---
> FREETZ_USER_LEVEL_BEGINNER=y
> # FREETZ_USER_LEVEL_EXPERT is not set
21d20
< FREETZ_SHOW_EXPERT=y
90,91c89,90
< # FREETZ_TYPE_LANG_DE is not set
< FREETZ_TYPE_LANG_EN=y
---
> FREETZ_TYPE_LANG_DE=y
> # FREETZ_TYPE_LANG_EN is not set
93a93
> # FREETZ_TYPE_FIRMWARE_06_9X is not set
98d97
< # FREETZ_TYPE_FIRMWARE_07_5X_INHAUS is not set
104d102
< # FREETZ_TYPE_FIRMWARE_DETECT_LATEST is not set
115d112
< # FREETZ_SELECT_HARDENING is not set
155,156d151
< # FREETZ_REMOVE_PUBKEY is not set
< # FREETZ_REMOVE_TR069 is not set
213d207
< # FREETZ_REPLACE_ONLINECHANGED is not set
536c530
< FREETZ_PACKAGE_SUDO=y
---
> # FREETZ_PACKAGE_SUDO is not set
635d628
< # FREETZ_PACKAGE_VIRTUALIP_CGI is not set
647c640
< FREETZ_PACKAGE_AVM_PORTFW=y
---
> # FREETZ_PACKAGE_AVM_PORTFW is not set
662,665d654
< # Shared libraries
< #
<
< #
1051,1055d1039
< # end of Shared libraries
<
< #
< # Kernel modules
< #
1175d1158
< # end of Kernel modules
1177,1179d1159
< #
< # Busybox applets
< #
2136,2139c2116
< FREETZ_BUSYBOX___V136_SU=y
< # FREETZ_BUSYBOX___V136_FEATURE_SU_SYSLOG is not set
< # FREETZ_BUSYBOX___V136_FEATURE_SU_CHECKS_SHELLS is not set
< # FREETZ_BUSYBOX___V136_FEATURE_SU_BLANK_PW_NEEDS_SECURE_TTY is not set
---
> # FREETZ_BUSYBOX___V136_SU is not set
2624d2600
< # end of Busybox applets
2670,2672d2645
< #
< # Additional informations
< #
2680d2652
< # FREETZ_DOT_CONFIG_DONOTADD is not set
2683,2691d2654
< # end of Additional informations
<
< #
< # Build system ---------------------------------------------
< #
<
< #
< # Toolchain options
< #
2764,2768d2726
< # end of Toolchain options
<
< #
< # Build system options
< #
2779,2783d2736
< # end of Build system options
<
< #
< # Firmware packaging (fwmod) options
< #
2790,2794d2742
< # end of Firmware packaging (fwmod) options
<
< #
< # SquashFS options
< #
2798,2802d2745
< # end of SquashFS options
<
< #
< # Strip options
< #
2808,2812d2750
< # end of Strip options
<
< #
< # Download options
< #
2822d2759
< # FREETZ_DL_KERNEL_OVERRIDE is not set
2829,2830c2766
< # FREETZ_DL_OVERRIDE is not set
< FREETZ_DL_SITE="@AVM/fritzbox-7590/{other,italy,belgium}/fritz.os"
---
> FREETZ_DL_SITE="@AVM/{fritzbox-7590/deutschland/fritz.os,fritzbox.7590/firmware/deutsch},@1&1/7590"
2832,2833d2767
< # end of Download options
<
2834a2769
> FREETZ_AVM_HAS_FIRMWARE_06_9X=y

[fda77]

The version in freetz-ng is much newer, as there was security problems like CVE-2021-3156
So some comparisations with 10 year old versions dont make sense. Its a new version which maybe needs other oder renamed files to config. And what changed needed to found and applie to freetz..

[fraternl]

Do you know if it has worked before in Freetz-ng?
It seems work was done to make it working for Freetz-ng, so I assume that's a yes.

I don't think I'm able to get it working. Do you think someone who does, can find the time to get it working?

[fda77]

Someone needs to read the manual and place the files where they are needed.
i would start with the 2 sudo.conf mentioned above1
Type araw /etc on your device and change/create files temporary

[fraternl]

I didn't know about araw /etc being able to mount the read-only fs.
I created /etc/sudo.conf and gave it chmod 0440

The system is however not complaining about /etc/sudo.conf, but about /mod/etc/sudo.conf
I was able to create both of them, but the result is the same.

ls -altr /mod/etc | grep sudo
lrwxrwxrwx 1 root root 17 Jan 1 01:00 default.sudo -> /etc/default.sudo
lrwxrwxrwx 1 root root 23 Jan 1 01:00 sudoers -> /tmp/flash/sudo/sudoers
-r--r----- 1 root root 0 Jan 1 01:02 sudo.conf

ls -altr /etc | grep sudo
drwxr-xr-x 2 root root 34 Oct 17 2023 default.sudo

araw /etc
cd /etc/
touch sudo.conf
chmod 0440 sudo.conf
ls -altr /etc | grep sudo

drwxr-xr-x 2 root root 60 Jan 1 01:08 default.sudo
-r--r----- 1 root root 0 Jan 1 01:08 sudo.conf
root@fritz:/mod/etc# su -s /bin/sh test

BusyBox v1.36.1 (2023-10-17 12:15:25 CEST) built-in shell (ash)

test@fritz:/mod/etc$ sudo ping -c 127.0.0.1
sudo: error in /mod/etc/sudo.conf, line 0 while loading plugin "sudoers_policy"
sudo: unable to load /usr/lib/sudo/sudoers.so: File not found
sudo: fatal error, unable to load plugins

I may have misunderstood what you were asking.
Shouldn't I get /usr/lib/sudo/sudoers.so in the filesystem?

[fda77]

Freetz hides all its libs in /usr/lib/freetz, avm bins dont know it and work like before. So avm could use a heavy patched or outdated lib and freetz its own. -> the dir where the .so is should be okay! But all freetz bins need to know where it is (RPATH above). sudo may need an additional line in its conf file for the path.
If sudo.conf is in /mod/etc ist even better. Take the 2 example sudo.conf above and try to adjust until it works :)

[fraternl]

The example file is however effectively empty (after removing comments and empty lines)

freetz@debian11:~/freetz-ng$ egrep -v "^($|#)" ./source/target-mips_gcc-13.2.0_uClibc-1.0.44-nptl_kernel-4.9/sudo-1.9.14p3/examples/sudo.conf
freetz@debian11:~/freetz-ng$

I do not know enough about the building system, but isn't this an indication that sudoers.so is missing and is only on the development system?

find -name sudoers.so
./source/target-mips_gcc-13.2.0_uClibc-1.0.44-nptl_kernel-4.9/sudo-1.9.14p3/plugins/sudoers/.libs/sudoers.so

The file libsudo_util.so is in build
The file sudoers.so is not.

find build -name \*sudo\*.so
build/modified/filesystem/usr/lib/freetz/libsudo_util.so

[fda77]

Oh, there are 2 libs needed now?
The whole makefile for freetz is https://github.com/Freetz-NG/freetz-ng/blob/master/make/pkgs/sudo/sudo.mk or
make/pkgs/sudo/sudo.mk . The simplest to get the 2nd ist to copy the _LIBS with another name...
Whats about these other .so ?

./source/target-mips_gcc-13.2.0_uClibc-1.0.44-nptl_kernel-4.9/sudo-1.9.14p3/lib/util/.libs/libsudo_util.so.0.0.0
./source/target-mips_gcc-13.2.0_uClibc-1.0.44-nptl_kernel-4.9/sudo-1.9.14p3/plugins/sudoers/.libs/sudoers.so
./source/target-mips_gcc-13.2.0_uClibc-1.0.44-nptl_kernel-4.9/sudo-1.9.14p3/src/.libs/sudo_intercept.so
./source/target-mips_gcc-13.2.0_uClibc-1.0.44-nptl_kernel-4.9/sudo-1.9.14p3/src/.libs/sudo_noexec.so

Does it not make more sense to use

 --enable-static-sudoers Build the sudoers policy module as part of the sudo

for configure? Does this not prevent the 2nd .so?

[fraternl]

I have confirmed it is listening to /mod/etc/sudo.conf
Originally that file does not exist.
Without /mod/etc/sudo.conf it tries to load plugins from /usr/lib/sudo
In the error message there's a missing /

root@fritz:/usr/lib/freetz# su -s /bin/sh test


BusyBox v1.36.1 (2023-10-17 13:11:11 CEST) built-in shell (ash)

test@fritz:/usr/lib/freetz$ sudo ping -c1 127.0.0.1
sudo: error in /mod/etc/sudo.conf, line 0 while loading plugin "sudoers_policy"
sudo: unable to load /usr/lib/sudosudoers.so: File not found
sudo: fatal error, unable to load plugins

I then added Path plugin_dir /usr/lib/sudo/ to /mod/etc/sudo.conf

test@fritz:/usr/lib/freetz$ sudo ping -c1 127.0.0.1
sudo: error in /mod/etc/sudo.conf, line 0 while loading plugin "sudoers_policy"
sudo: unable to load /usr/lib/sudo/sudoers.so: File not found
sudo: fatal error, unable to load plugins

It merely corrected the error message

I then changed that line to Path plugin_dir /usr/lib/freetz/ to /mod/etc/sudo.conf

test@fritz:/usr/lib/freetz$ sudo ping -c1 127.0.0.1
sudo: error in /mod/etc/sudo.conf, line 0 while loading plugin "sudoers_policy"
sudo: unable to load /usr/lib/freetz/sudoers.so: File not found
sudo: fatal error, unable to load plugins

I think the files sudoers.so should be in /usr/lib/freetz or in /usr/lib/sudo
I do not know how to change the files in make/pkgs/sudo to get that done.
I think you do.

[fda77]

add
$(PKG)_CONFIGURE_OPTIONS += --enable-static-sudoers
to 
make/pkgs/sudo/sudo.mk
then
make sudo-recompile
now
ls `find . -name *sudo*.so* -type f`

Does not show anymore "sudoers.so"

Can you test an image with such a binary. Or just copy the binary to the box:

araw /usr/bin/sudo
# NO CP!!!1
cat MYFILE >  /usr/bin/sudo

[fda77]

Sry, just copy the binary is not enought, libsudo_util.so should alsop be replaced as it also needs the sudoers lib

[fda77]

In case it works, please list the file sizes of
the 1bin + 2libs
and
the 1bin + 1libs (with enable-static-sudoers)

The see which is smaller

[fraternl]

ls find . -name *sudo*.so* -type f
./build/modified/filesystem/usr/lib/freetz/libsudo_util.so.0.0.0
./packages/target-mips_gcc-13.2.0_uClibc-1.0.44-nptl_kernel-4.9/sudo-1.9.14p3/root/usr/lib/freetz/libsudo_util.so.0.0.0
./source/target-mips_gcc-13.2.0_uClibc-1.0.44-nptl_kernel-4.9/sudo-1.9.14p3/lib/util/.libs/libsudo_util.so.0.0.0
./source/target-mips_gcc-13.2.0_uClibc-1.0.44-nptl_kernel-4.9/sudo-1.9.14p3/src/.libs/sudo_intercept.so
./source/target-mips_gcc-13.2.0_uClibc-1.0.44-nptl_kernel-4.9/sudo-1.9.14p3/src/.libs/sudo_noexec.so

[fraternl]

Was the above output of find expected?
There was no sudoers.so and I still get a missing sudoers.so (with or without /mod/etc/sudo.conf

su -s /bin/sh test


BusyBox v1.36.1 (2023-10-17 13:11:11 CEST) built-in shell (ash)

test@fritz:/var/mod/root$ sudo ping
sudo: error in /mod/etc/sudo.conf, line 0 while loading plugin "sudoers_policy"
sudo: unable to load /usr/lib/sudosudoers.so: File not found
sudo: fatal error, unable to load plugins

su -s /bin/sh test


BusyBox v1.36.1 (2023-10-17 13:11:11 CEST) built-in shell (ash)

test@fritz:/var/mod/root$ sudo ping
sudo: error in /mod/etc/sudo.conf, line 0 while loading plugin "sudoers_policy"
sudo: unable to load /usr/lib/freetz/sudoers.so: File not found
sudo: fatal error, unable to load plugins

[fraternl]

I didn't have a new full compile and so there's no new firmware on my box!!!

[fraternl]

Yes!!
It's working!

test@fritz:/var/mod/root$ sudo ping -c1 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: seq=0 ttl=64 time=1.188 ms

--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 1.188/1.188/1.188 ms

[fraternl]

$(PKG)_CONFIGURE_OPTIONS += --enable-static-sudoers

freetz@debian11:~/freetz-ng$ ls -l `find build -type f -name sudo`
-rwsr-sr-x 1 freetz freetz 798012 Oct 17 15:40 build/modified/filesystem/usr/bin/sudo
freetz@debian11:~/freetz-ng$ ls -l `find build -type f -name libsudo\*`
-rwxr-xr-x 1 freetz freetz 199220 Oct 17 15:40 build/modified/filesystem/usr/lib/freetz/libsudo_util.so.0.0.0

[fraternl]

With that line commented
#$(PKG)_CONFIGURE_OPTIONS += --enable-static-sudoers

freetz@debian11:~/freetz-ng$ ls -l `find build -type f -name sudo`
-rwsr-sr-x 1 freetz freetz 331588 Oct 17 16:05 build/modified/filesystem/usr/bin/sudo
freetz@debian11:~/freetz-ng$ ls -l `find build -type f -name libsudo\*`
-rwxr-xr-x 1 freetz freetz 199220 Oct 17 16:05 build/modified/filesystem/usr/lib/freetz/libsudo_util.so.0.0.0

[fda77]

Build sudo static and without sudoers.so
Is your binary updated? seems not

[fraternl]

The one with static is 798012 bytes, the "old one" was smaller and 331588 bytes.

In case you're looking at the dates.
I needed to do a recompile with the original options to give you these filesizes.

[fda77]

And does it work on the device? (before you check which option is smaller)

[fraternl]

yes... Sorry, I thought you got it.

It's the post that started with

"Yes!!
It's working!"

[fraternl]

Thanks, I will be testing it some more and will also revert to the building environment that had all the other packages set.
Hopefully it also works with a file in /etc/sudoers.d/ that I had on my old boxes.

[fda77]

Great! It seems i missed some posts, or the browser didnt updated.
The "libsudo_util.so.0.0.0" file size seems to be independent from "enable-static-sudoers " option

But i still down know if there is much difference betwen the size of

• sudoers.so+sudo, both are needed, you used the "find" with "libsudo*" :-/
• or only sudo with enable-static-sudoers

Maybe you could scroll up in the terminal...

[fda77]

If you like you could send a PR by browser with the new line in https://github.com/Freetz-NG/freetz-ng/blob/master/make/pkgs/sudo/sudo.mk
There is an edit button on the top-right

[fraternl]

[fda77]

Was it https://github.com/Freetz-NG/freetz-ng/blob/master/make/pkgs/sudo/sudo.mk ? Then there should be an push-request option

[fraternl]

I'm sorry, I have no idea how it works with the website and barely with cli
I think it's best that you just make the change.

[fda77]

You dont need cli, only the website if only 1 file is changed!

• e25863a sudo: no sudoers.so, static sudo

Dont forget to reset your local changes, see the main README.md