Cannot strace sudo; reports that effective uid is nonzero

How to trace sudo

$ sudo  strace -u <username>  sudo -k <command>
  1. sudo runs strace as root.
  2. strace runs sudo as <username> passed via the -u option.
  3. sudo drops cached credentials from the previous sudo with -k option (for asking the password again) and runs <command>.

The second sudo is the tracee (the process being traced).

For automatically putting the current user in the place of <username>, use $(id -u -n).

Why sudo does not work with strace

In addition to this answer by Charles, here is what execve() manual page says:

If the set-user-ID bit is set on the program file referred to by pathname, then the effective user ID of the calling process is changed to that of the owner of the program file. Similarly, when the set-group-ID bit of the program file is set the effective group ID of the calling process is set to the group of the program file.

The aforementioned transformations of the effective IDs are not performed (i.e., the set-user-ID and set-group-ID bits are ignored) if any of the following is true:

  • the no_new_privs attribute is set for the calling thread (see prctl(2));
  • the underlying filesystem is mounted nosuid (the MS_NOSUID flag for mount(2)); or
  • the calling process is being ptraced.

The capabilities of the program file (see capabilities(7)) are also ignored if any of the above are true.

The permissions for tracing a process, inspecting or modifying its memory, are described in subsection Ptrace access mode checking in section NOTES of ptrace(2) manual page. I've commented about this in this answer.


For security reasons, the setuid bit and ptrace (used to run binaries under a debugger) cannot both be honored at the same time. Failure to enforce this restriction in the past led to CVE-2001-1384.

Consequently, any operating system designed with an eye to security will either stop honoring ptrace on exec of a setuid binary, or fail to honor the setuid bit when ptrace is in use.

On Linux, consider using Sysdig instead -- which, being able to only view but not modify behavior, does not run the same risks.

Tags:

Linux

Sudo

Recent Posts