sudo-rs

Authentication failure on Arch Linux with base sudo removed

Open gittoasted opened this issue 7 months ago • 5 comments

Describe the bug

Whenever a user tries to use sudo-rs on an Arch Linux machine with sudo removed, /etc/pam.d/sudo and /etc/sudoers are moved to their .pacsave counterparts (due to the pacman package manager) but not copied, rendering sudo-rs unusable at first.

To Reproduce

Steps to reproduce the behavior:

  1. Install sudo-rs
     # pacman -S sudo-rs
  2. Remove sudo without removing dependent packages
     # pacman -Rdd sudo # Removes sudo
  3. Test sudo-rs
     $ sudo-rs -ll
     sudo-rs: invalid configuration: No such file or directory (os error 2)
  4. Correctly copy the .pacsave files from uninstalling sudo
     # cp /etc/sudoers.pacsave /etc/sudoers
     # cp /etc/pam.d/sudo.pacsave /etc/pam.d/sudo
  5. Test sudo-rs
     $ sudo-rs -ll
     sudo: Authentication failed, try again.
     sudo: Authentication failed, try again.
     sudo-rs: Maximum 3 incorrect authentication attempts

Expected behavior

sudo-rs should ship with the necessary files to be a proper "drop-in" replacement of sudo.

Environment (please complete the following information):

  • Linux distribution: Arch Linux
  • sudo-rs commit hash: b57be94 (Version 0.2.7)

Additional context

While removing sudo after installing sudo-rs which depends on some of sudo's files, sudo-rs does not ship with the required files for it to work out-of-the-box. The GitHub README does state how to remediate the issues here: https://github.com/trifectatechfoundation/sudo-rs/#installing-our-pre-compiled-x86-64-binaries

gittoasted Jul 07 '25 16:07

> Expected behavior
>
> sudo-rs should ship with the necessary files to be a proper "drop-in" replacement of sudo.

Thanks for illustrating this problem clearly. 👍

We are in full agreement with you. You also don't really get any security benefits if you have to keep ogsudo around (I hope that this is obvious).

The problem here is packaging. In every distribution, for instance, /etc/sudoers and the /etc/pam.d/ files will (right now) be owned by the sudo package. Which in essence means that the package for sudo-rs has a hidden dependency on ogsudo. One solution (which I will credit to our Fedora packager @decathorpe) is to split those files off into a sudo-config package (which has /etc/sudoers and /etc/pam.d/... files), and then have the ogsudo and sudo-rs packages depend on the sudo-config package. That would also solve the problem you are illustrating.

This requires the packagers of the ogsudo and sudo-rs packages to collaborate.

In fact, we believe that the executable should be sudo, not sudo-rs. It's the job of the distribution to make this happen in a way that is easy for users to configure. For example, something like oxidizr (even though that isn't necessarily meant as a 100% foolproof tool).

However, the sudo-rs development team can't directly do anything about the situation, as we are "upstream" and don't have control over the various Linux distributions. And I can imagine some distributions would be only willing to take these steps if enough users are demanding better packaging for sudo-rs. But we support this, and are encouraging packagers to take further steps.

I would ask you to open an issue on an appropriate Arch Linux issue tracker. In the meantime I will tag @bertptrs for you here.

squell Jul 07 '25 17:07

FYI, we will be working on making it possible to properly replace OG sudo with sudo-rs in Fedora (implementing the things outlined in the previous comment) as part of and/or as preparation for this Change: https://fedoraproject.org/wiki/Changes/SudoRsDefault

decathorpe Jul 07 '25 17:07

Thanks for the tag. Currently, we want to make it possible for sudo and sudo-rs to be installable at the same time, as we are not fully confident the latter actually covers all the use cases and hidden assumptions present in the distribution. sudo-rs is currently packaged for user evaluation but not supported as a sudo replacement.

I'll discuss a move of the config files with our maintainer for sudo. I'm somewhat hesitant to do it, as all my current ideas on how to do it would involve system breakage for anyone who's modified the default sudoers file.

Our original issue for this was this: https://gitlab.archlinux.org/archlinux/packaging/packages/sudo-rs/-/issues/1

> In fact, we believe that the executable should be sudo, not sudo-rs. It's the job of the distribution to make this happen in a way that is easy for users to configure. For example, something like oxidizr (even though that isn't necessarily meant as a 100% foolproof tool).

While I agree, at the moment pacman does not provide an alternatives system, like Debian/Ubuntu has, which would allow both to be installed concurrently. oxidizr could do it, but it breaks some assumptions in pacman that you really don't want to break by modifying system files.

N.B. the following is not an official recommendation and may break your system.

There exists an AUR package which adds symlinks for sudo, sudoedit, and su that allows you to remove the original sudo entirely. It has minor issues in practice, but you can use it should you want to at your own risk.

bertptrs Jul 07 '25 19:07

> Currently, we want to make it possible for sudo and sudo-rs to be installable at the same time, as we are not fully confident the latter actually covers all the use cases and hidden assumptions present in the distribution. sudo-rs is currently packaged for user evaluation but not supported as a sudo replacement.

I understood that but didn't convey it in the issue since it was posted to the project itself and not to the Arch package.

I am not too familiar with creating issues as this is my first time but I wanted to first and foremost inform about the issue I encountered as it is still an official package.

So far, I have a few symlinks and aliases to make everything work with sudo-rs like others have been doing with the doas package.

Having briefly looked at what oxidizr can do it seems like it is on the right track.

While thinking about how to swap packages like Fedora does, I think making sudo-config conflict with sudo and not sudo-rs itself can maybe work if somehow sudo-config can provide a way to move back the required files of sudo or copy them to their desired location. I do not know how pacman runs exactly under the hood but I believe it could be viably implemented by someone with more knowledge than I on the matter.

As for the matter of reporting the issue on gitlab for Arch, I may create an account but it is not a priority for me right now. The issue mentioned by bertptrs seems to be a duplicate so perhaps it is unnecessary? Let me know.

gittoasted Jul 08 '25 21:07

Just ran into this problem right now. Uninstalling sudo on a fresh Arch Linux install actually removes several files needed:

  • /etc/sudoers (most obvious missing file) triggers sudo-rs: invalid configuration: No such file or directory (os error 2) when it's missing.
  • /etc/pam.d/sudo is also deleted, adding it back manually seems to be enough to make sudo-rs work (it seems to me like /etc/pam.d/sudo-i is not needed by sudo-rs nor needed or installed by sudo on Arch Linux). If missing, these errors will appear when using sudo-rs:

    sudo: Authentication failed, try again.
    sudo: Authentication failed, try again.
    sudo-rs: Maximum 3 incorrect authentication attempts

    with nowhere to enter your password.

Warning: this is bad advice and only a temporary hacky fix. For those who want a quick fix, ensure /etc/sudoers is valid and /etc/pam.d/sudo contains:

#%PAM-1.0
auth            include         system-auth
account         include         system-auth
session         include         system-auth

Which is the content of the original file installed by sudo.

I may have missed other necessary files but this got sudo-rs to work for me.

I think the best thing to do for now is to disclose these issues in the README.md and I see two ways of doing it:

  • We could advise to uninstall sudo before installing sudo-rs so that sudo-rs can install back the files needed (but with a potential conflict if sudo is reinstalled later) temporarily for Arch. I tested it, it only produces a warning if you install back sudo while sudo-rs has created its own /etc/pam.d/sudo:

    warning: /etc/pam.d/sudo installed as /etc/pam.d/sudo.pacnew

    Admittedly this is a bad practice, could induce package level conflicts & confuse users. We would have to check on install if /etc/pam.d/sudo is present and if /etc/sudoers and /etc/sudoers-rs are valid and correct. We could then create /etc/pam.d/sudo if needed and issue a warning if /etc/sudoers and /etc/sudoers-rs are incorrect and/or missing upon install.

  • Or we could have a better error message (sudo-rs: invalid configuration: No such file or directory (os error 2) seems like an awfully pointless message if we don't tell the user explicitly what file is missing), and /etc/sudoers & /etc/sudoers-rs should also be checked for their validity and existence upon package install regardless of the distro (imo). A warning should be issued if they are both missing or if one is misconfigured; we should not be throwing these kinds of errors into users' faces, especially as a Rust project. Also, if /etc/pam.d/sudo is needed for all distros then we can either install it ourselves if not present or warn the user at the very least, as a backup mechanism kept until we fix these kinds of bugs at least.

Pingasmaster Oct 12 '25 21:10
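
Added example (not part of the thread, and not sudo-rs or Arch packaging code): a preflight check for the files this thread identifies as required, naming each missing file and pointing at a .pacsave backup when pacman left one. The function names and the ROOT prefix argument are hypothetical, and treating either /etc/sudoers-rs or /etc/sudoers as sufficient is an assumption.

```shell
#!/bin/sh
# Added example: check the files this thread says sudo-rs needs.
# ROOT is a hypothetical prefix argument (default /) so the check can be
# tried against a scratch directory instead of the live system.

# Report one required file: present, restorable from .pacsave, or missing.
# Returns 0 only when the file itself is present.
check_file() {
    path=$1
    if [ -f "$path" ]; then
        echo "ok:       $path"
        return 0
    elif [ -f "$path.pacsave" ]; then
        echo "MISSING:  $path (pacman backup found: $path.pacsave)"
    else
        echo "MISSING:  $path (no .pacsave backup found)"
    fi
    return 1
}

# Check the policy file and the PAM service file under ROOT.
# The exit status is the number of problems found (0 means all good).
check_sudo_rs_config() {
    root=${1:-/}
    root=${root%/}
    problems=0

    # Assumption: either sudoers-rs or sudoers satisfies the policy requirement.
    if [ -f "$root/etc/sudoers-rs" ]; then
        echo "ok:       $root/etc/sudoers-rs"
    else
        check_file "$root/etc/sudoers" || problems=$((problems + 1))
    fi

    pam="$root/etc/pam.d/sudo"
    if check_file "$pam"; then
        # The file quoted in the thread has auth, account and session lines;
        # flag a service file with no auth line as suspect.
        if ! grep -Eq '^[[:space:]]*auth[[:space:]]' "$pam"; then
            echo "INVALID:  $pam has no 'auth' line"
            problems=$((problems + 1))
        fi
    else
        problems=$((problems + 1))
    fi

    return "$problems"
}
```

Calling `check_sudo_rs_config /` after removing sudo lists each file by name, which is the information the bare "No such file or directory (os error 2)" message leaves out.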