
Cannot strace sudo; reports that effective uid is nonzero

Tags:

linux

sudo

command:

bigxu@bigxu-ThinkPad-T410 ~/work/lean $ sudo ls
content_shell.pak  leanote  libgcrypt.so.11  libnotify.so.4  __MACOSX      resources
icudtl.dat     leanote.png  libnode.so   locales     natives_blob.bin  snapshot_blob.bin

Most of the time it is right, but sometimes it is very slow, so I straced it.

command:

bigxu@bigxu-ThinkPad-T410 ~/work/lean $ strace sudo ls
execve("/usr/bin/sudo", ["sudo", "ls"], [/* 66 vars */]) = 0
brk(0)                                  = 0x7f2b3c423000
fcntl(0, F_GETFD)                       = 0
fcntl(1, F_GETFD)                       = 0
fcntl(2, F_GETFD)                       = 0
......
......
......
write(2, "sudo: effective uid is not 0, is"..., 140sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
) = 140
exit_group(1)                           = ?
+++ exited with 1 +++

other information:

bigxu-ThinkPad-T410 lean # ls /etc/sudoers -alht
-r--r----- 1 root root 745  2月 11  2014 /etc/sudoers
bigxu-ThinkPad-T410 lean # ls /usr/bin/sudo -alht
-rwsr-xr-x 1 root root 152K 12月 14 21:13 /usr/bin/sudo
bigxu-ThinkPad-T410 lean # df `which sudo`
Filesystem     1K-blocks    Used Available Use% Mounted on
/dev/sdb1       67153528 7502092  56217148  12% 
Xiu Hong asked Dec 15 '15 01:12


2 Answers

For security reasons, the setuid bit and ptrace (used to run binaries under a debugger) cannot both be honored at the same time. Failure to enforce this restriction in the past led to CVE-2001-1384.

Consequently, any operating system designed with an eye to security will either stop honoring ptrace on exec of a setuid binary, or fail to honor the setuid bit when ptrace is in use.

On Linux, consider using Sysdig instead -- which, being able to only view but not modify behavior, does not run the same risks.

Charles Duffy answered Oct 07 '22 00:10


How to trace sudo

$ sudo  strace -u <username>  sudo -k <command>
  1. sudo runs strace as root.
  2. strace runs sudo as <username> passed via the -u option.
  3. sudo drops cached credentials from the previous sudo with the -k option (so that the password is asked for again) and runs <command>.

The second sudo is the tracee (the process being traced).

To automatically put the current user in place of <username>, use $(id -u -n).

Why sudo does not work with strace

In addition to this answer by Charles, here is what the execve() manual page says:

If the set-user-ID bit is set on the program file referred to by pathname, then the effective user ID of the calling process is changed to that of the owner of the program file. Similarly, when the set-group-ID bit of the program file is set the effective group ID of the calling process is set to the group of the program file.

The aforementioned transformations of the effective IDs are not performed (i.e., the set-user-ID and set-group-ID bits are ignored) if any of the following is true:

  • the no_new_privs attribute is set for the calling thread (see prctl(2));
  • the underlying filesystem is mounted nosuid (the MS_NOSUID flag for mount(2)); or
  • the calling process is being ptraced.

The capabilities of the program file (see capabilities(7)) are also ignored if any of the above are true.

The permissions for tracing a process, or inspecting or modifying its memory, are described in the subsection "Ptrace access mode checking" in the NOTES section of the ptrace(2) manual page. I've commented about this in this answer.

Ricardo Biehl Pasquali answered Oct 07 '22 00:10
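
Added example, not part of either answer above: a small diagnostic that checks the three execve(2) conditions quoted in the second answer (ptraced, no_new_privs, nosuid mount) plus the set-user-ID bit itself. The function names and sample inputs are constructed for illustration; it assumes a Linux /proc layout and mount points without escaped characters.

```python
import os
import stat

# Constructed sample inputs (not taken from the question's machine).
SAMPLE_STATUS = "Name:\tsudo\nTracerPid:\t4242\nNoNewPrivs:\t0\n"
SAMPLE_MOUNTINFO = (
    "25 1 8:17 / / rw,relatime shared:1 - ext4 /dev/sdb1 rw\n"
    "40 25 0:35 / /tmp rw,nosuid,nodev shared:5 - tmpfs tmpfs rw\n"
)

def status_field(status_text, name):
    """Return one field of /proc/<pid>/status, or None if absent."""
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key == name:
            return value.strip()
    return None

def mount_options_for(path, mountinfo_text):
    """Per-mount options of the deepest mount point containing path."""
    best, options = "", set()
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        mount_point = fields[4]  # field 5 of mountinfo; field 6 holds options
        prefix = mount_point.rstrip("/") + "/"
        if (path == mount_point or path.startswith(prefix)) and len(mount_point) >= len(best):
            best, options = mount_point, set(fields[5].split(","))
    return options

def setuid_blockers(status_text, mountinfo_text, path, mode):
    """List the execve(2) conditions that would stop set-user-ID taking effect."""
    reasons = []
    if not mode & stat.S_ISUID:
        reasons.append("set-user-ID bit is not set on the file")
    if status_field(status_text, "TracerPid") not in (None, "0"):
        reasons.append("calling process is being ptraced")
    # NoNewPrivs is missing from status on older kernels; then it is not reported.
    if status_field(status_text, "NoNewPrivs") == "1":
        reasons.append("no_new_privs is set")
    if "nosuid" in mount_options_for(path, mountinfo_text):
        reasons.append("filesystem is mounted nosuid")
    return reasons

if __name__ == "__main__":
    target = os.path.realpath("/usr/bin/sudo")  # path from the question
    with open("/proc/self/status") as s, open("/proc/self/mountinfo") as m:
        found = setuid_blockers(s.read(), m.read(), target, os.stat(target).st_mode)
    print("\n".join(found) or "no blocker found")
```

Run directly, it inspects the current process; run under strace, it reports the ptrace condition, which is the case in the question.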