linuxdeploy
linuxdeploy copied to clipboard
meefik
Galaxy S6: Can't sudo
I get this instead when I try:
android@Solarium:~$ sudo -s sudo: PERM_ROOT: setresuid(0, -1, -1): Permission denied sudo: unable to initialize policy plugin android@Solarium:~$
This is after selecting Debian unstable as my environment to install.
Same problem here with s6 i tried ubuntu and fedora. I receive the same error message.. Yes i used arm64. it seems to be a selinux problem. I used a start script to change the root password. It works. But if i try to become root with su - it tells me "setgid: permission denied."
i have enforced. but i tried another kernel yesterday with passive mode and then it works without problems.
Well you could change selinux's behaviour using an app called selinux mode changer. So you dont need to flash a new kernel.
SELinuxModeChanger v3.2 has no effect on Galaxy S6 / SM-G920F but thx for the tip
What do you have? Enforcing or Permssive? Usually it could be found on about phone.
You can set "Properties -> Username" as root and run "Properties -> Reconfigure".
I'm running into this as well with a Samsung Galaxy Note 4 (SM-N910H) running stock 4.4.4.
I've tried the steps in this comment, setting a root password, as well as making sure android is in sudoers.
SELinuxModeChanger 3.2 has no effect as well - getenforce keeps saying Enforcing. Maybe it's possible to create a SELinux rule instead?
Here is what I get in my audit log (/data/misc/audit/audit.log):
Start Linux Deploy
audit.log:
type=1400 msg=audit(1438953319.249:191): avc: denied { execute } for pid=11559 comm="bash" name="su" dev="loop30" ino=131342 scontext=u:r:init:s0 tcontext=u:object_r:unlabeled:s0 tclass=file SEPF_SM-N910H_4.4.4_A031
type=1300 msg=audit(1438953319.249:191): arch=40000028 syscall=33 per=800000 success=yes exit=0 a0=40d908 a1=1 a2=beab7270 a3=8000 items=1 ppid=9694 pid=11559 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts2 comm="bash" exe="/bin/bash" subj=u:r:init:s0 key=(null)
type=1307 msg=audit(1438953319.249:191): cwd="/"
type=1302 msg=audit(1438953319.249:191): item=0 name="/bin/su" inode=131342 dev=07:1e mode=0104755 ouid=0 ogid=0 rdev=00:00 obj=u:object_r:unlabeled:s0
type=1320 msg=audit(1438953319.249:191):
type=1400 msg=audit(1438953319.259:192): avc: denied { execute_no_trans } for pid=11770 comm="bash" path="/bin/su" dev="loop30" ino=131342 scontext=u:r:init:s0 tcontext=u:object_r:unlabeled:s0 tclass=file SEPF_SM-N910H_4.4.4_A031
type=1300 msg=audit(1438953319.259:192): arch=40000028 syscall=11 per=800000 success=yes exit=0 a0=40d908 a1=40f5a8 a2=40ca08 a3=8a467500 items=2 ppid=11559 pid=11770 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts2 comm="su" exe="/bin/su" subj=u:r:init:s0 key=(null)
type=1309 msg=audit(1438953319.259:192): argc=2 a0="su" a1="android"
type=1307 msg=audit(1438953319.259:192): cwd="/"
type=1302 msg=audit(1438953319.259:192): item=0 name="/bin/su" inode=131342 dev=07:1e mode=0104755 ouid=0 ogid=0 rdev=00:00 obj=u:object_r:unlabeled:s0
type=1302 msg=audit(1438953319.259:192): item=1 name=(null) inode=132067 dev=07:1e mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=u:object_r:unlabeled:s0
type=1320 msg=audit(1438953319.259:192):
type=1400 msg=audit(1438953319.314:193): avc: denied { audit_write } for pid=11770 comm="su" capability=29 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=capability SEPF_SM-N910H_4.4.4_A031
type=1100 msg=audit(1438953319.314:194): pid=11770 uid=0 auid=4294967295 ses=4294967295
subj=u:r:init:s0 msg='op=PAM:authentication acct="android" exe="/bin/su" hostname=? addr=? terminal=/dev/pts/2 res=success'
type=1300 msg=audit(1438953319.314:193): arch=40000028 syscall=290 per=800000 success=yes exit=120 a0=3 a1=bef3b604 a2=78 a3=0 items=0 ppid=11559 pid=11770 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts2 comm="su" exe="/bin/su" subj=u:r:init:s0 key=(null)
type=1306 msg=audit(1438953319.314:193): saddr=100000000000000000000000
type=1320 msg=audit(1438953319.314:193):
type=1101 msg=audit(1438953319.319:195): pid=11770 uid=0 auid=4294967295 ses=4294967295
subj=u:r:init:s0 msg='op=PAM:accounting acct="android" exe="/bin/su" hostname=? addr=? terminal=/dev/pts/2 res=success'
type=1103 msg=audit(1438953319.319:196): pid=11770 uid=0 auid=4294967295 ses=4294967295
subj=u:r:init:s0 msg='op=PAM:setcred acct="android" exe="/bin/su" hostname=? addr=? terminal=/dev/pts/2 res=success'
type=1105 msg=audit(1438953319.324:197): pid=11770 uid=0 auid=4294967295 ses=4294967295
subj=u:r:init:s0 msg='op=PAM:session_open acct="android" exe="/bin/su" hostname=? addr=? terminal=/dev/pts/2 res=success'
Run sudo
Terminal:
android@localhost:/$ sudo
sudo: PERM_ROOT: setresuid(0, -1, -1): Permission denied
(nothing in audit.log)
Run su
Terminal:
android@localhost:/$ su
Password:
setgid: Permission denied
audit.log:
type=1400 msg=audit(1438953374.604:198): avc: denied { audit_write } for pid=11997 comm="su" capability=29 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=capability SEPF_SM-N910H_4.4.4_A031
type=1100 msg=audit(1438953374.604:199): pid=11997 uid=5000 auid=4294967295 ses=4294967295
subj=u:r:init:s0 msg='op=PAM:authentication acct="root" exe="/bin/su" hostname=? addr=? terminal=/dev/pts/2 res=success'
type=1300 msg=audit(1438953374.604:198): arch=40000028 syscall=290 per=800000 success=yes exit=116 a0=3 a1=bef415f4 a2=74 a3=0 items=0 ppid=11771 pid=11997 auid=4294967295 uid=5000 gid=5000 euid=0 suid=0 fsuid=0 egid=5000 sgid=5000 fsgid=5000 ses=4294967295 tty=pts2 comm="su" exe="/bin/su" subj=u:r:init:s0 key=(null)
type=1306 msg=audit(1438953374.604:198): saddr=100000000000000000000000
type=1320 msg=audit(1438953374.604:198):
type=1101 msg=audit(1438953374.604:200): pid=11997 uid=5000 auid=4294967295 ses=4294967295
subj=u:r:init:s0 msg='op=PAM:accounting acct="root" exe="/bin/su" hostname=? addr=? terminal=/dev/pts/2 res=success'
I'll try running this through audit2allow.
Edit: Noticed that setenforce generates an audit.log entry. It's probably prevented by a SELinux rule. Maybe that rule has to first be disabled?
I've managed A root terminal through A comment I saw on the issue elsewhere. The problem appears to be because of Samsungs' Knox protection on setuid, so you have to start the actual using of Linux form Androids terminal (su). All that was needed was to connect to Linux directly from Android Terminal Emulator ( or any Android Terminal, like Airterm floating terminal) as root. Linux Deploy has it's own shell commands.
Start your linux after install and open Terminal Emulator then type: su (important!) cd /data/data/ru.meefik.linuxdeploy/linux/bin ( or Env Directory in LinuxDeploy settings) ./linuxdeploy shell ( there are other options for configuing linuxdeploy)
You will now be in root@localhost! Of course any root commands work now. This does not use SSH to local device at all so it may also have some benefits (maybe sound, if device is set) as it's built in to your phones data folder, but also not safe due to root login.
I haven't gotten sudo through ssh yet. Still trying to figure that out. This may only work for specific devices. I'm using sprint Samsung Galaxy S6 Edge (SM-G925P).
CrazyJ36, after following your thing you get root access on the device. After that run passwd root and set a new password for root. Than you should be able to gain root access through ssh too.
You would actually have to ssh root@localhost instead of the user. After ssh as root use the password that you previously set and it should work.
@SariNusier @CrazyJ36 This issue about sudo not working. The goal is to be able to ssh as a non-root user, and elevate to root only as needed (e.g. to run apt-get).
I'm on a Samsung note pro and I'm facing the same issue. I followed some ideas for solving this but with no luck:
- Tried to disable knox (following this)
- Starting knox to disable it failed, knox doesn't start because I tripped knox when installing TWRP
- Froze knox with Titanium Backup and rebooted -> didn't help
- Tried to execute
su pm disable com.sec.knox.seandroidbut it says there is no commanddisable
- Researched SELinux/seandroid and tried to create a policy for allowing sudo
- Recorded the audit log in the adb shell and tried to play it back into the
audit2allowbinary that is available in deploy linux:
- Recorded the audit log in the adb shell and tried to play it back into the
$ adb shell
shell@device:/ $ su
root@device:/ # cp /sepolicy /sdcard/sepolicy
root@device:/ # cat /proc/kmsg | grep sudo --line-buffered | tee /sdcard/denial.txt
<3>[ 752.935297] [L0: sudo: 10286] Restricted changing UID. PID = 10286(sudo) PPID = 9978(bash)
$ ssh [email protected]
android@localhost:~$ sudo -i
sudo: PERM_ROOT: setresuid(0, -1, -1): Permission denied
sudo: unable to initialize policy plugin
root@localhost:~# cat /mnt/0/denial.txt
<3>[ 752.935297] [L0: sudo: 10286] Restricted changing UID. PID = 10286(sudo) PPID = 9978(bash)
android@localhost:~$ audit2allow -p /mnt/0/sepolicy -i /mnt/0/denial.txt -M sudopolicy
Nothing to do
I don't know if I'm on the right track here, any other ideas?
I'm not sure, but last time I looked into this I think what I found was that modifying the SELinux policy was disallowed by a SELinux policy... so it has to be done during boot, before SELinux is initialized.
Also maybe it's a good idea to try that outside of linuxdeploy's chroot.
@hvoecking
Tried to execute
su pm disable com.sec.knox.seandroidbut it says there is no command disable
If your'e already root you should leave off the su or you get this message, so as root, just do: pm disable com.sec.knox.seandroid.
That said, I have the same issue, and disabling knox with this route seems to have successfully disabled knox but didn't change anything WRT being able to use sudo.
[android@localhost ~]$ sudo echo 'foo'
sudo: PERM_ROOT: setresuid(0, -1, -1): Permission denied
sudo: unable to initialize policy plugin
Luckily the instructions above about using the local terminal to execute linuxdeploy shell as root got it so I can at least use the root user now. Unfortunately, I'd much rather just use sudo as needed than have to jump into a root shell for everything...
@n8henrie you're right
I ended up downloading a "deknoxed" version of the stock rom for my note pro. After flashing it, everything works like it should.
I had the same problem on samsung tab4. Thanks to "CrazyJ36 commented on 21 Aug" : it works !! This morning I managed to connect as root using ssh, without deknox...
1- install a ssh server on the android 2- connect from my computer in ssh (putty) as root to the android (android is rooted : user root mdp admin) 3- as described above by Crazy.j36 : cd /data/data/ru.meefik.linuxdeploy/linux/bin ( or Env Directory in LinuxDeploy settings) ./linuxdeploy shell ( there are other options for configuing linuxdeploy) 4- It works !! I am know root@localhost in the linux VM from my pc computer
Thank you for your help :)
Correct, this seems to be a workaround to get root, but have you been able to get sudo working? I still have not, and I'd prefer to work as a standard user and only elevate my privileges as needed...
sudo no.... The aim for me was to be able to work from my personnal computer as a root (keyboard, screen..) when possible, instead of the terminal emulator of the samsung.. Better confort tu run complicated commands..
I can have 2 putty opened, first one with root and the other one with the default android user, the one than cannot sudo....
I found the solution to the
sudo sudo: PERM_ROOT: setresuid(0, -1, -1): Permission denied
problem.
You need to enable root login through ssh and then you will be able to ssh in as root and wont have any weird permission problems.
Follow crazy's instructions from above: -->Start your linux after install and open Terminal Emulator then type: su (important!) cd /data/data/ru.meefik.linuxdeploy/files/bin [this line could be different. find your bin and use its path.] ./linuxdeploy shell ( there are other options for configuing linuxdeploy)
install nano if necessary with apt-get install nano
------------start of guide for ssh changes-----------
Enable root login over SSH: As root, edit the sshd_config file in /etc/ssh/sshd_config: nano /etc/ssh/sshd_config
Add a line in the Authentication section of the file that says PermitRootLogin yes.
This line may already exist and be commented out with a "#". In this case, remove the "#"
Authentication:
#LoginGraceTime 2m PermitRootLogin yes #StrictModes yes #MaxAuthTries 6 #MaxSessions 10
Save the updated /etc/ssh/sshd_config file. Restart the SSH server: service sshd restart You can now connect to the conversion server as root over SSH.
NOTE: I NOTICED THAT ON ANDROID LINUX THE RESTART SERVICE SSHD COMMAND DOES NOT WORK. JUST STOP LINUX IN LINUX DEPLOY APP AND RESTART INSTEAD. NOW I AM SSHed FROM WINDOWS 10 INTO MY OLD NOTE 3. THINKING ABOUT ADDING IT TO A BEOWULF CLUSTER. XD !!!
guide for adding root to ssh credit: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/V2V_Guide/Preperation_Before_the_P2V_Migration-Enable_Root_Login_over_SSH.html
https://github.com/meefik/linuxdeploy/issues/224
ssh as root doesn't fix sudo, it only avoids the need to use it. Everything you do will run as root, with all the consequences (such as making it easier to wipe or brick your phone), same as on a desktop Linux system.
Also I can actually ssh in now and actually do stuff. Before I had to do everything in the terminal emulator after launching the shell. was very frustrating. also not useful for a cluster in that state.
I had the same issue with my S7. And I must note that connecting as root solved the problems only to a certain extent. For example, "apt install hugs" failed during installation because some security context could not be set. I can no longer reproduce it, but it seemed as if shells spawned from a root shell didn't inherit their permissiveness. (SuperSU makes root shells permissive, assuming that doesn't add rights root couldn't obtain anyway).
The solution was to install a kernel with SELinux set to permissive like the one below. http://forum.xda-developers.com/galaxy-s7/development/kernel-superkernel-v1-0-t3389247
Yea. You have to make serious changes to the root system structure if you are going to use it. It took me a day and a half to get IDLE2 and IDLE3 running properly under root. There are some display files and other configuration folders that are not installed in roots directory like they are for other users. But if you take your time you can make it work. I cant wait to see how it handles its place in my cluster computing chain.
Since we're posting workarounds - put the following in your /home/android/.bashrc (in your Linux chroot):
function sudo { ssh -qt root@localhost "cd '$PWD' ; \"\$@\"" "$@" ; }
This is a "sudo replacement" which runs the specified command via ssh (but still in the current directory).
If you don't want the password prompt, run ssh-keygen followed by ssh-copy-id root@localhost.
Yet another workaround, add /system in custom mounts options and create a file at /usr/local/bin/sudo with the following content:
#!/bin/sh
/system/xbin/su -c "/data/data/ru.meefik.linuxdeploy/files/bin/linuxdeploy shell $@"
@CyberShadow Your method sounds promising, but I'm stuck at figuring out what root password I should enter. I tried the one I supply in linuxdeploy for my user, which obviously doesn't work, and I also tried setting a password for the root user by starting a root shell in a terminal emulator (su; /data/data/ru.meefik.linuxdeploy/files/bin/linuxdeploy shell; passwd), but that password doesn't seem to do the trick either. Any pointer?
@gfkpth I think the default password for the root user depends on your choice of distribution. It's possible that the default is that no password would work. The password would be set in /etc/shadow in the distro's filesystem (not Andriod's), so one could either su then chroot to the Linux filesystem then use the passwd command, or edit that file directly. Another option is to create /root/.ssh/authorized_keys, which would make this sudo replacement passwordless (unless you password-protect the key from the android user - /home/android/.ssh/id_whatever). This is what I did.
... Well... slowly im getting pretty angry. Since 4 days i tried so many things, but it wont work as expected on my galaxy tab s2. Somehow nothing works correctly. GNOME -> VNC ->Something went wrong. LXDE seems to be the only thing that works without any graphic bugs.
Sudo -> permission denied. (0, -1, -1) su -> password needed.
I chrooted to root bash and tried to get somehow access with ssh keys and modified sshd_config. All settings are so contradictory. In sudoers, my user has all rights, but at the same time it has no rights. Changing roots passwd is not working because of no rights to change roots password as root. -.- Trying ssh as root (with ssh key) still asks me for password. (sshd_config -> permitrootlogin without-password) ssh service is already restarted. uncommented authorized_keys in sshd_config, cat id_rsa.pub >> authorized_keys in /root/.ssh/ ..
sudo apt-get install kali-linux-full or apt-get upgrade-> cant install cause of missing packages. Those packages cant be installed due to serveral errors i cant understand.
what is that thing with selinux enforcing/passive or whatever? i dont understand what this should do, or where i see what status i got. When i look in linux-deploy -> status ... (selinux = yes) ?
Changing the User to "root" in the installation config, doesn't let me even login, cause of wrong password.
@g4njawizard
-
Make sure
/root/.ssh/authorized_keysis owned byrootand has mode600.sshdwill ignoreauthorized_keysif it is readable by other users. -
To change root's password you will need to either chroot into the install as root (perhaps via Linux Deploy's terminal feature), or edit
/etc/shadowwith an Android app manually. Perhaps it's also possible to set the password via Linux Deploy, but I don't know how it does that. -
You will not be able to use real
sudoorsuas long as SELinux is in enforcing mode. To disable it, you will probably need to flash a modded kernel (however note that this weakens your device's security generally). -
I don't think you need to edit
sshd_config. Editingsudoerswill probably not help because with any PAM configuration, thesetuidflag on executables will be ignored due to SELinux. -
For most distros, you can check the reason for SSH login failures in
/var/log/auth.log. -
I think Linux Deploy or something else messes up the
aptconfiguration. It's missing theupdatesmirror. For example, my/etc/apt/sources.listcontains:deb http://ports.ubuntu.com/ xenial main universe multiverse deb-src http://ports.ubuntu.com/ xenial main universe multiverse deb http://ports.ubuntu.com/ xenial-updates main restricted universe multiverseThe third line wasn't there, and was preventing updates and installing applications. I had to add it myself.
HTH!
Just would like to say thanks. @Pelphobos
- Start your linux after install and open Terminal Emulator then type:
- su *(this gives root privilege, BUT not to the system u installed!!!) *
- cd /data/data/ru.meefik.linuxdeploy/files/bin
- ./linuxdeploy shell (this gives root access to the system u installed in linuxdeploy)
- passwd root (set a password to root account)
- vi /etc/ssh/sshd_config find this PermitRootLogin under Authentication section. By default, it is set as PermitRootLogin without-password (this means you cant root login over SSH)
- i (Change it to yes)
- vol up D (this is to ESC, using Terminal Emulator. And save the change and quit vi.)
- :x
- service ssh restart
Now, login to the system u installed via ssh, you can use sudo
@CyberShadow
Hi Friend,
thx for the fast response. I still cant login via ssh. (file owned by root and mod 600 + restartet service ssh) Still asks me after password. I Tried to switch to permissive mode (setenforce 1). gives me no output, but no error. added your 3rd source to list, but updates still wont download.
half output from install full kali:
Depends: wfuzz but it is not going to be installed Depends: whatweb but it is not going to be installed Depends: wifi-honey but it is not going to be installed Depends: wifitap but it is not going to be installed Depends: wifite but it is not going to be installed Depends: windows-binaries but it is not going to be installed Depends: wireshark but it is not going to be installed Depends: wol-e but it is not going to be installed Depends: wordlists but it is not going to be installed Depends: wpscan but it is not going to be installed Depends: wvdial but it is not going to be installed Depends: xpdf but it is not going to be installed Depends: xprobe but it is not going to be installed Depends: xspy but it is not going to be installed Depends: xsser but it is not going to be installed Depends: xtightvncviewer but it is not going to be installed Depends: yersinia but it is not going to be installed Depends: zaproxy but it is not going to be installed Depends: zenmap but it is not going to be installed Depends: zim but it is not going to be installed libsasl2-2 : Depends: libsasl2-modules-db (>= 2.1.26.dfsg1-13) but it is not going to be installed samba-libs : Depends: libldb1 (> 2:1.1.24~) but 2:1.1.20-0+deb8u1 is to be installed Depends: libgnutls30 (>= 3.4.2) but it is not going to be installed Depends: libwbclient0 (= 2:4.3.9+dfsg-0ubuntu0.16.04.2) but 2:4.2.10+dfsg-0+deb8u3 is to be installed E: Unmet dependencies. Try 'apt-get -f install' with no packages (or specify a solution). root@localhost:/# apt-get install -f Reading package lists... Done Building dependency tree Reading state information... Done Correcting dependencies... Done The following packages were automatically installed and are no longer required: libldb1 libntdb1 libpython2.7 libtalloc2 libtdb1 libtevent0 libwbclient0 python-talloc Use 'apt-get autoremove' to remove them. The following extra packages will be installed: libsasl2-modules-db samba-libs The following NEW packages will be installed: libsasl2-modules-db 0 upgraded, 1 newly installed, 0 to remove and 82 not upgraded. 13 not fully installed or removed. E: Can't find a source to download version '2:4.2.10+dfsg-0+deb8u3' of 'samba-libs:armhf
I found a solution! All you have to do is change the username to root before installing your distribution. You are now root user and su and all other commands will work If this does not work please tell me and I can try and help you. Note: This will work on all Samsung devices
I could change root password and enable root to login by ssh with talked posts. The method is chrooted and then change root password by # passwd command.
Am I the only one that cant vim or nano over an adb shell? All I see is a bunch of garbage characters.
I also have the sudo issue (though not with an s6); I do not want to have to flash a custom kernel to fix this, and allowing root access through ssh is a really bad idea.
You can set "Properties -> Username" as root and run "Properties -> Reconfigure".
Thank you so much, this is the only thing that worked! 💖
