For some reason I keep getting this error when trying to run a sudo command, e.g.:
sudo -u someuser somecommand
sudo: Error dropping capabilities, aborting
My version of sudo is: sudo-1.6.9p17-3.el5_3.1
and I've heard that version 1.7 fixes everything. The only thing is yum does not think sudo has any update. I guess the new version has not been committed to the RPM repository yet.
This is really a huge and annoying bug; imagine if you have a backup script or something else that depends on sudo. I should add that this is an OpenVZ container it's happening on; I am not sure if that is part of the issue.
This is obviously a bug with sudo and hopefully the error will be fixed soon with a new version/update of sudo by the CentOS team.
(It seems that some have said this is because the OpenVZ host does not have auditing in the kernel; it still seems that the sudo maintainers should be able to avoid this bug if it detects no audit capabilities, though.)
wget http://mirror.centos.org/centos/5.3/os/SRPMS/sudo-1.6.9p17-3.el5.src.rpm
rpm -ivh sudo-1.6.9p17-3.el5.src.rpm
error: cannot create %sourcedir /usr/src/redhat/SOURCES
mkdir -p /usr/src/redhat/SOURCES
rpm -ivh sudo-1.6.9p17-3.el5.src.rpm
vi /usr/src/redhat/SPECS/sudo.spec
Replace:
BuildRequires: audit-libs-devel libcap-devel
with
BuildRequires: libcap-devel
Change "--with-ldap" to "--with-ldap \" and add below it:
--without-audit
For these steps you need the "rpm-build" package. Install it if you don't have the binary "rpmbuild" already.
rpmbuild -bb /usr/src/redhat/SPECS/sudo.spec
You'll get these errors unless you have the other required packages:
error: Failed build dependencies:
pam-devel is needed by sudo-1.6.9p17-3.i386
openldap-devel is needed by sudo-1.6.9p17-3.i386
flex is needed by sudo-1.6.9p17-3.i386
bison is needed by sudo-1.6.9p17-3.i386
automake is needed by sudo-1.6.9p17-3.i386
autoconf is needed by sudo-1.6.9p17-3.i386
libtool is needed by sudo-1.6.9p17-3.i386
libcap-devel is needed by sudo-1.6.9p17-3.i386
yum install pam-devel openldap-devel flex bison automake autoconf libtool libcap-devel
Try again:
rpmbuild -bb /usr/src/redhat/SPECS/sudo.spec
Install new/updated sudo package:
rpm -Uvh --force /usr/src/redhat/RPMS/i386/sudo-1.6.9p17-3.i386.rpm
Now sudo away :)
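The two sudo.spec edits from the vi step above can also be scripted, so the rebuild is repeatable on other containers. This is an added example, not part of the original post; the function names and the sample fragment are made up for illustration, and it assumes --with-ldap is the last configure option on its own line, as the edit instructions imply.

```shell
#!/bin/sh
# Added example (not from the original post): make the two sudo.spec edits
# with awk instead of vi. Assumes --with-ldap ends its own line, as described.

# Constructed fragment for trying the function; not the real sudo.spec.
make_sample_spec() {
    cat > "$1" <<'EOF'
BuildRequires: audit-libs-devel libcap-devel
%configure \
        --with-pam \
        --with-ldap
EOF
}

# patch_spec FILE: edit FILE in place; running it twice changes nothing more.
patch_spec() {
    spec=$1
    if grep -q -- '--without-audit' "$spec"; then
        return 0                      # already patched
    fi
    tmp=$(mktemp) || return 1
    awk '
        # Drop audit-libs-devel from BuildRequires, keep the other packages.
        /^BuildRequires:/ && /audit-libs-devel/ {
            gsub(/audit-libs-devel[ \t]*/, "")
            sub(/[ \t]+$/, "")
        }
        # Add a continuation to --with-ldap and put the new flag below it,
        # reusing the same indentation.
        /--with-ldap[ \t]*$/ {
            match($0, /^[ \t]*/)
            indent = substr($0, 1, RLENGTH)
            sub(/[ \t]*$/, "")
            print $0 " \\"
            print indent "--without-audit"
            next
        }
        { print }
    ' "$spec" > "$tmp" && cat "$tmp" > "$spec"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: sh patch-spec.sh /usr/src/redhat/SPECS/sudo.spec
if [ $# -gt 0 ]; then
    patch_spec "$1"
fi
```

Run it after the second rpm -ivh and before rpmbuild -bb, and look over the patched spec before building.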