exec.Command using sudo from a rootless process

I am currently trying to exec a new process using sudo, from a rootless one. However, I keep being told that:

sudo: /etc/sudo.conf is owned by uid 65534, should be 0
sudo: error in /etc/sudo.conf, line 0 while loading plugin "sudoers_policy"
sudo: /usr/libexec/sudo/sudoers.so must be owned by uid 0
sudo: fatal error, unable to load plugins

and I am using this snippet to exec:

	// Re-run this program under sudo with the requested arguments.
	cmd := exec.Command("sudo", os.Args[0], "--cgroup-manager=cgroupfs", "save", "--output", scpOpts.Save.Output)
	cmd.Env = os.Environ()
	outp, err := cmd.CombinedOutput()
	if err != nil {
		// Surface sudo's own diagnostics (such as the ownership errors above) before failing.
		os.Stderr.Write(outp)
		return err
	}

I feel like this is a common use case. Mapping UIDs and GIDs also did not work. Any tips?

Hi @cdoern,

The error message says that two sudo-related files must be owned by root (uid 0) but aren’t.

Are you able to run a sudo command at the shell prompt manually?

If this also fails, I’d guess you’ll need to check file ownership for at least the two files listed in the error message.

The specific UID in your error message (65534) indicates that you might have a specific Red Hat-related problem, otherwise you might want to review this thread in Ask Ubuntu.

Let me know if this helps.

@christophberger thanks for the feedback, the commands work as expected when running them myself. The issue seems to be eerily similar to the Red Hat problem, but no one seems to have found a solution to that.

Rather than using sudo to run the command, it is easier to use Linux’s suid feature. You make the file owned by root and set a flag on the file so it executes as the owner.

Google “linux suid privilege escalation”


@precisionpete has a good point, using SUID instead of sudo might be a feasible workaround.

Of course, the usual caveats for SUID apply. Setting the SUID bit means that the file always runs with the file owner’s permissions. Unprivileged users could misuse a SUID binary for gaining elevated privileges. So ensure no one can misuse your binary for spawning a root shell or the like.

Back to the original error: the error message mentions uid 65534, which belongs to user nobody. I wonder how sudo.conf or sudoers.so can ever be owned by nobody? Are you working in a special environment? (a VM, a container, or some other sandboxed environment)
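A check for the two conditions discussed in this thread, as an added example that is not part of the original posts: it reports the owner of the two files named in the error, and it reads /proc/self/uid_map to tell whether the process runs inside a user namespace (a rootless container or similar), where files owned by uids that are not mapped into the namespace are shown as the overflow uid, 65534 by default. The two sudo paths are taken from the question; the uid_map parsing assumes Linux.

```go
package main

import (
	"fmt"
	"os"
	"strings"
	"syscall"
)

// ownerUID returns the numeric owner of path as this process sees it.
func ownerUID(path string) (uint32, error) {
	var st syscall.Stat_t
	if err := syscall.Stat(path, &st); err != nil {
		return 0, fmt.Errorf("stat %s: %w", path, err)
	}
	return st.Uid, nil
}

// inUserNamespace parses the text of /proc/self/uid_map. Only the initial namespace
// has the single identity line "0 0 4294967295"; any other mapping means a user
// namespace, where unmapped owners appear as the overflow uid (65534 by default).
func inUserNamespace(uidMap string) (bool, error) {
	f := strings.Fields(uidMap)
	if len(f)%3 != 0 {
		return false, fmt.Errorf("malformed uid_map: %q", uidMap)
	}
	for i := 0; i < len(f); i += 3 {
		if f[i] != "0" || f[i+1] != "0" || f[i+2] != "4294967295" {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	m, _ := os.ReadFile("/proc/self/uid_map")
	ns, _ := inUserNamespace(string(m))
	fmt.Println("in user namespace:", ns)
	// The two files named in the error message (the libexec path is from the question).
	for _, p := range []string{"/etc/sudo.conf", "/usr/libexec/sudo/sudoers.so"} {
		if uid, err := ownerUID(p); err != nil {
			fmt.Println(err)
		} else if uid != 0 {
			fmt.Printf("%s is owned by uid %d, should be 0\n", p, uid)
		}
	}
}
```

If the program prints "in user namespace: true", the 65534 owner is the namespace's view of an unmapped root, not a genuinely mis-owned file on the host.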