[solved] 'sudo' can't start anymore

Topic: [solved] 'sudo' can't start anymore (Read 2214 times) previous topic - next topic

0 Members and 1 Guest are viewing this topic.

[solved] 'sudo' can't start anymore

06 November 2022, 16:55:55

Hi,
after the last update i can't sudo anymore. using the sudo shows:

Quote

sudo: error in /etc/sudo.conf, line 0 while loading plugin "sudoers_policy"
sudo: unable to load /usr/lib/sudo/sudoers.so: libssl.so.1.1: cannot open shared object file: No such file or directory
sudo: fatal error, unable to load plugins

I suppose that it has to do something with the openssl update to version 3, because: ls /usr/lib/libssl* gives:

Quote

/usr/lib/libssl3.so /usr/lib/libssl.so /usr/lib/libssl.so.3

Re: 'sudo' can't start anymore

Reply #1 – 06 November 2022, 17:08:30

Reinstall latest openssl 3.0.7-2 and reboot it will more likely work

Re: 'sudo' can't start anymore

Reply #2 – 06 November 2022, 17:25:42

Sorry. This didn't worked.

By the way: System is up to date.

just in case:

Code: [Select]

#/etc/pacman.d/mirrorlist 

#fastest first
Server = https://mirror.netcologne.de/artix-linux/$repo/os/$arch
Server = http://artist.artixlinux.org/repos/$repo/os/$arch
Server = https://quantum-mirror.hu/mirrors/pub/artix-linux/$repo/os/$arch
Server = http://mirrors.redcorelinux.org/artixlinux/$repo/os/$arch
Server = https://mirror.linux.pizza/artix-linux/$repo/os/$arch
Server = https://mirror.theanonymouse.xyz/artix-linux/$repo/os/$arch

Server = https://mirrors.dotsrc.org/artix-linux/repos/$repo/os/$arch
Server = http://ftp.ntua.gr/pub/linux/artix-linux/$repo/os/$arch
Server = https://ftp.sh.cvut.cz/artix-linux/$repo/os/$arch
Server = https://mirrors.dotsrc.org/artix-linux/repos/$repo/os/$arch
Server = https://mirror.one.com/artix/$repo/os/$arch
Server = https://artix.cccp.io/$repo/os/$arch
Server = https://quantum-mirror.hu/mirrors/pub/artix-linux/$repo/os/$arch
Server = https://mirror.netcologne.de/artix-linux/$repo/os/$arch
Server = http://mirrors.redcorelinux.org/artixlinux/$repo/os/$arch
Server = https://mirror.pascalpuffke.de/artix-linux/$repo/os/$arch
Server = https://ftp.uni-bayreuth.de/linux/artix-linux/$repo/os/$arch
Server = https://mirror.linux.pizza/artix-linux/$repo/os/$arch
Server = https://artix.unixpeople.org/repos/$repo/os/$arch
Server = https://mirror.theanonymouse.xyz/artix-linux/$repo/os/$arch
Server = https://mirror1.artixlinux.org/repos/$repo/os/$arch
Server = https://eu-mirror.artixlinux.org/repos/$repo/os/$arch
Server = https://ftp.cc.uoc.gr/mirrors/linux/artixlinux/$repo/os/$arch
Server = http://ftp.ntua.gr/pub/linux/artix-linux/$repo/os/$arch
Server = https://artixlinux.qontinuum.space/artixlinux/$repo/os/$arch
Server = https://ftp.ludd.ltu.se/mirrors/artix/$repo/os/$arch
Server = http://artist.artixlinux.org/repos/$repo/os/$arch
Server = https://artix.wheaton.edu/repos/$repo/os/$arch
Server = https://mirror.clarkson.edu/artix-linux/repos/$repo/os/$arch
Server = https://mirrors.rit.edu/artixlinux/$repo/os/$arch
Server = https://mirrors.ocf.berkeley.edu/artix-linux/$repo/os/$arch
Server = http://www.nylxs.com/mirror/repos/$repo/os/$arch
Server = https://mirrors.nettek.us/artix-linux/$repo/os/$arch
Server = https://us-mirror.artixlinux.org/$repo/os/$arch
Server = https://mirror.csclub.uwaterloo.ca/artixlinux/$repo/os/$arch
Server = https://mirror1.cl.netactuate.com/artix/repos/$repo/os/$arch
Server = https://mirrors.tuna.tsinghua.edu.cn/artixlinux/$repo/os/$arch
Server = https://mirrors.aliyun.com/artixlinux/$repo/os/$arch
Server = https://mirror.nju.edu.cn/artixlinux/$repo/os/$arch
Server = https://mobintestserver.ir/artix-linux/$repo/os/$arch
Server = https://mirror.funami.tech/artix/$repo/os/$arch
Server = https://mirror.freedif.org/Artix/$repo/os/$arch
Server = https://mirrors.cloud.tencent.com/artixlinux/$repo/os/$arch
Server = https://mirror.aarnet.edu.au/pub/artix/$repo/os/$arch

Code: [Select]

#/etc/pacman.conf 

[options]
HoldPkg     = pacman glibc
Architecture = auto
CheckSpace
SigLevel    = Required DatabaseOptional
LocalFileSigLevel = Optional

[system]
Include = /etc/pacman.d/mirrorlist

[world]
Include = /etc/pacman.d/mirrorlist

[galaxy]
Include = /etc/pacman.d/mirrorlist

[universe]
Server = https://universe.artixlinux.org/$arch
Server = https://mirror1.artixlinux.org/universe/$arch
Server = https://mirror.pascalpuffke.de/artix-universe/$arch
Server = https://artixlinux.qontinuum.space:4443/universe/os/$arch
Server = https://mirror.alphvino.com/artix-universe/$arch
Server = https://universe.artixlinux.org/$arch

[extra]
Include = /etc/pacman.d/mirrorlist-arch

Code: [Select]

#/etc/pacman.d/mirrorlist-arch

Server = https://mirror.f4st.host/archlinux/$repo/os/$arch
Server = https://mirror.selfnet.de/archlinux/$repo/os/$arch

Re: 'sudo' can't start anymore

Reply #3 – 06 November 2022, 18:03:02

Sorry.

Remove sudo completely by using su.

Code: [Select]

$ su

then

Code: [Select]

# pacman -R sudo

Code: [Select]

# pacman -Syu

Code: [Select]

# pacman -S sudo

That will remove everything bricked in sudo package including those broken/missing so-names.Then reinstall latest sudo version available. But first upgrade everything and only after reinstall sudo

If still problem persist you might have to clean pkg cache. So when reinstall sudo it will fetch the working package and not the one that failed

Code: [Select]

# pacman -R sudo
# pacman -Scc                 #( answer y to both prompts)
# pacman -Syu
# pacman -S sudo

Re: 'sudo' can't start anymore

Reply #4 – 06 November 2022, 18:23:31

Thnaks for your help.
But unfortunatly none of both ways worked.

The last one still gives me the sudo error:

Code: [Select]

[Blob]:~% su
Password: 

[root]:# pacman -R sudo
checking dependencies...
:: inxi optionally requires sudo: inxi -Dx hddtemp-user;-o file-user
:: pacman-contrib optionally requires sudo: privilege elevation for several scripts
:: veracrypt optionally requires sudo: mounting encrypted volumes as nonroot users

Packages (1) sudo-1.9.12-5

Total Removed Size:  7,10 MiB

:: Do you want to remove these packages? [Y/n] 
:: Processing package changes...
(1/1) removing sudo                                                                                [##########################################################] 100%
[root]:# pacman -Scc

Cache directory: /var/cache/pacman/pkg/
:: Do you want to remove ALL files from cache? [y/N] y
removing all files from cache...

Database directory: /var/lib/pacman/
:: Do you want to remove unused repositories? [Y/n] y
removing unused sync repositories...
[root]:# pacman -Syu
:: Synchronizing package databases...
 system is up to date
 world is up to date
 galaxy is up to date
 universe is up to date
 extra is up to date
:: Starting full system upgrade...  
 there is nothing to do
[root]:# pacman -S sudo
resolving dependencies...
looking for conflicting packages...

Packages (1) sudo-1.9.12-5

Total Download Size:   1,72 MiB
Total Installed Size:  7,10 MiB

:: Proceed with installation? [Y/n] Y
:: Retrieving packages...
 sudo-1.9.12-5-x86_64                                                 1762,4 KiB  4,34 MiB/s 00:00 [##########################################################] 100%
(1/1) checking keys in keyring                                                                     [##########################################################] 100%
(1/1) checking package integrity                                                                   [##########################################################] 100%
(1/1) loading package files                                                                        [##########################################################] 100%
(1/1) checking for file conflicts                                                                  [##########################################################] 100%
(1/1) checking available disk space                                                                [##########################################################] 100%
:: Processing package changes...
(1/1) installing sudo                                                                              [##########################################################] 100%
:: Running post-transaction hooks...
(1/1) Creating temporary files...
[root]:# exit
exit
[Blob]:~% sudo
sudo: error in /etc/sudo.conf, line 0 while loading plugin "sudoers_policy"
sudo: unable to load /usr/lib/sudo/sudoers.so: libssl.so.1.1: cannot open shared object file: No such file or directory
sudo: fatal error, unable to load plugins

Re: 'sudo' can't start anymore

Reply #5 – 06 November 2022, 19:40:25

Do you have anything different inside your /etc/sudo.conf file? You could have some commented out lines that trigger that error

My working /etc/sudo.conf file looks like this. But first look at these 4 lines if you have anything different.

Code: [Select]

# The sudoers plugin is used by default if no Plugin lines are present.
#Plugin sudoers_policy sudoers.so
#Plugin sudoers_io sudoers.so
#Plugin sudoers_audit sudoers.so

It's weird your version of sudo complains about libssl.so.1.1 because there's no more of that but libssl.so.3 since we upgraded recently on openssl 3.x. do you still happen to have openssl version 1.x?

And the whole file looks like this

Code: [Select]

#
# Default /etc/sudo.conf file
#
# Sudo plugins:
#   Plugin plugin_name plugin_path plugin_options ...
#
# The plugin_path is relative to /usr/lib/sudo unless
#   fully qualified.
# The plugin_name corresponds to a global symbol in the plugin
#   that contains the plugin interface structure.
# The plugin_options are optional.
#
# The sudoers plugin is used by default if no Plugin lines are present.
#Plugin sudoers_policy sudoers.so
#Plugin sudoers_io sudoers.so
#Plugin sudoers_audit sudoers.so

#
# Sudo askpass:
#   Path askpass /path/to/askpass
#
# An askpass helper program may be specified to provide a graphical
# password prompt for "sudo -A" support.  Sudo does not ship with its
# own askpass program but can use the OpenSSH askpass.
#
# Use the OpenSSH askpass
#Path askpass /usr/X11R6/bin/ssh-askpass
#
# Use the Gnome OpenSSH askpass
#Path askpass /usr/libexec/openssh/gnome-ssh-askpass

#
# Sudo device search path:
#   Path devsearch /dev/path1:/dev/path2:/dev
#
# A colon-separated list of paths to check when searching for a user's
# terminal device.
#
#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev

#
# Sudo command interception:
#   Path intercept /path/to/sudo_intercept.so
#
# Path to a shared library containing replacements for the execv(),
# execve() and fexecve() library functions that perform a policy check
# to verify the command is allowed and simply return an error if not.
# This is used to implement the "intercept" functionality on systems that
# support LD_PRELOAD or its equivalent.
#
# The compiled-in value is usually sufficient and should only be changed
# if you rename or move the sudo_intercept.so file.
#
#Path intercept /usr/lib/sudo/sudo_intercept.so

#
# Sudo noexec:
#   Path noexec /path/to/sudo_noexec.so
#
# Path to a shared library containing replacements for the execv(),
# execve() and fexecve() library functions that just return an error.
# This is used to implement the "noexec" functionality on systems that
# support LD_PRELOAD or its equivalent.
#
# The compiled-in value is usually sufficient and should only be changed
# if you rename or move the sudo_noexec.so file.
#
#Path noexec /usr/lib/sudo/sudo_noexec.so

#
# Sudo plugin directory:
#   Path plugin_dir /path/to/plugins
#
# The default directory to use when searching for plugins that are
# specified without a fully qualified path name.
#
#Path plugin_dir /usr/lib/sudo

#
# Sudo developer mode:
#   Set developer_mode true|false
#
# Allow loading of plugins that are owned by non-root or are writable
# by "group" or "other".  Should only be used during plugin development.
#Set developer_mode true

#
# Core dumps:
#   Set disable_coredump true|false
#
# By default, sudo disables core dumps while it is executing (they
# are re-enabled for the command that is run).
# To aid in debugging sudo problems, you may wish to enable core
# dumps by setting "disable_coredump" to false.
#
#Set disable_coredump false

#
# User groups:
#   Set group_source static|dynamic|adaptive
#
# Sudo passes the user's group list to the policy plugin.
# If the user is a member of the maximum number of groups (usually 16),
# sudo will query the group database directly to be sure to include
# the full list of groups.
#
# On some systems, this can be expensive so the behavior is configurable.
# The "group_source" setting has three possible values:
#   static   - use the user's list of groups returned by the kernel.
#   dynamic  - query the group database to find the list of groups.
#   adaptive - if user is in less than the maximum number of groups.
#	       use the kernel list, else query the group database.
#
#Set group_source static

#
# Sudo interface probing:
#   Set probe_interfaces true|false
#
# By default, sudo will probe the system's network interfaces and
# pass the IP address of each enabled interface to the policy plugin.
# On systems with a large number of virtual interfaces this may take
# a noticeable amount of time.
#
#Set probe_interfaces false

#
# Sudo debug files:
#   Debug program /path/to/debug_log subsystem@priority[,subsyste@priority]
#
# Sudo and related programs support logging debug information to a file.
# The program is typically sudo, sudoers.so, sudoreplay, or visudo.
#
# Subsystems vary based on the program; "all" matches all subsystems.
# Priority may be crit, err, warn, notice, diag, info, trace, or debug.
# Multiple subsystem@priority may be specified, separated by a comma.
#
#Debug sudo /var/log/sudo_debug all@debug
#Debug sudoers.so /var/log/sudoers_debug all@debug

Re: 'sudo' can't start anymore

Reply #6 – 06 November 2022, 19:59:46

Also i've noticed you use veracrypt that optional requires sudo and it might still rely on libssl.so.1.1 that vercrypt knows of.

My guess is openssl will be moved into staging repo since I already saw it generated others many issues specially with encrypted volumes.

Openssl moved forward but many packages that rely on it did nor receive upgrades

Re: 'sudo' can't start anymore

Reply #7 – 06 November 2022, 20:32:08

Quote from: Surf3r – on 06 November 2022, 19:40:25

Do you have anything different inside your /etc/sudo.conf file?

No, mine is exactly like yours. Everything is commented out ( Has a # at the beginning of the line)

Quote

It's weird your version of sudo complains about libssl.so.1.1 because there's no more of that but libssl.so.3 since we upgraded recently on openssl 3.x. do you still happen to have openssl version 1.x?

As far as i understand it complains about missing libssl.so.1.1 ? The libssl.so.3 is installed

Code: [Select]

[Blob]: ~% openssl version
OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)

I don't understand why just my sudo wants to use libssl.so.1.1 and everybody elses seem to be happy with libssl.so.3 !!

After talking about Veracrypt, its true, this is also not working, also claws-mail (from arch repo) isn't working and complains about libssl.so.1.1 . I suppose that will get fixed in the next days. But sudo should just work , i guess.

Re: 'sudo' can't start anymore

Reply #8 – 06 November 2022, 21:54:21

I figured that sudo (for unknown reasons) and several other programs still want to use the libssl.so.1.1
Seems that some packages are not up to date in their dependencies.

This is a "quick and dirty" workaround.

I downloaded the old openssl package from the repo ,because my package-cache got cleaned up in the process of trying to fix this.

Then i unpacked the package and copied the old lib's to the /usr/lib folder. I hope that someday all programs got updated and use the new ones.

Code: [Select]

mkdir temphack

cd temphack

wget http://ftp.sh.cvut.cz/artix-linux/system/os/x86_64/openssl-1.1-1.1.1.s-2-x86_64.pkg.tar.zst

tar --use-compress-program=unzstd -xvf openssl-1.1-1.1.1.s-2-x86_64.pkg.tar.zst

su

cp usr/lib/libssl.so.1.1 /usr/lib/

cp usr/lib/libcrypto.so.1.1 /usr/lib

exit

cd ..

rm -r temphack

I just need to remember to delete the libs in a month or so.

Re: [solved] 'sudo' can't start anymore

Reply #9 – 06 November 2022, 23:18:49

Quote from: Blob – on 06 November 2022, 20:32:08

I don't understand why just my sudo wants to use libssl.so.1.1 and everybody elses seem to be happy with libssl.so.3 !!

This is highly suspect that your mirror isn't up to date. sudo should be at 1.9.12-5 as of Nov 04.

Consider changing your mirrors and a -Syyu

Re: [solved] 'sudo' can't start anymore

Reply #10 – 06 November 2022, 23:31:21

The reason is that those dependencies know about libssl.so.1.1 and not the newer version libssl.so.3 so because they find libssl.so.3 they will complain about that saying they need the good old libssl.so.1.1.

I would better wait cos downgrading the way you did think it will not go well with the newer openssl 3.x.y. You can just use su for few days till packages catch openssl from behind.

Re: [solved] 'sudo' can't start anymore

Reply #11 – 07 November 2022, 20:25:58

Quote from: AndBenn – on 06 November 2022, 23:18:49

This is highly suspect that your mirror isn't up to date. sudo should be at 1.9.12-5 as of Nov 04.

This is even more highly suspect, because my system was allready on sudo 1.9.12-5 when the error occured !! (See Posting No. 4)

Quote from: Surf3r – on 06 November 2022, 23:31:21

I would better wait cos downgrading the way you did think it will not go well with the newer openssl 3.x.y. You can just use su for few days till packages catch openssl from behind.

I understand it a little different: this in not a real downgrade, just a kind of parallel installation, because openssl 3.x.y ist still installed.
But yes, it could cause a weird behavior of the system , as every "quick 'n dirty"-hack. But I couldn't use the Mail (clwas-mail) & Veracrypt. That was unbearable to me. And as far as i can tell everything runs in normal conditions.

But still i have no clue why just "my" sudo (sudo-1.9.12-5) wants to use libssl.so.1.1 and everybody elses seem to be happy with libssl.so.3 !!