Re-Enable sudo from crosh on R117+ Chrome OS without recompiling

chromeos-117-sudo-howto.md

Short guide on how to bypass this:

If you haven't disabled rootfs verification, switch to vt-2 and run /usr/libexec/debugd/helpers/dev_features_rootfs_verification. Then reboot.

Inside crostini, download minioverride.c and compile it with gcc minioverride.c -o minioverride.so -shared (make sure gcc is installed)

In the files app, move minioverride.so into your downloads folder.

Switch to vt2, and in the root terminal, not crostini, run these commands

mkdir -p /usr/local/bin
mv /home/chronos/user/Downloads/minioverride.so /usr/local/bin/
chmod +x /usr/local/bin/minioverride.so
sed -i '1s/^/env LD_PRELOAD=\/usr\/local\/bin\/minioverride.so\n/' /etc/init/ui.conf 
reboot

After rebooting you should be able to use sudo inside crosh as you would normally before updating to 117. It will display the warning, but sudo should work regardless.

NOTE: When you update chrome os versions, this will stop working. You don't need to redo the whole thing, just run /usr/libexec/debugd/helpers/dev_features_rootfs_verification, reboot and run sed -i '1s/^/env LD_PRELOAD=\/usr\/local\/bin\/minioverride.so\n/' /etc/init/ui.conf and reboot again.

1/29 - added fix for landlock policy (fixes permission denied writing to disk) restart the entire process with the updated c code if you want to fix it

minioverride.c

int minijail_no_new_privs(){
    return 0;
}
int minijail_add_fs_restriction_rx(){
    return 0;
}
int minijail_add_fs_restriction_advanced_rw(){
    return 0;
}
int minijail_set_enable_profile_fs_restrictions(){
    return 0;
}
int minijail_enable_default_fs_restrictions(){
    return 0;
}

@eritain i am talking about crostini, but if you know how to move around the files you can do the compile step in crouton or another linux pc. the instructions are just written for crostini to make it simpler

Thanks very much!

I'll probably end up switching to Crostini regardless, but it'll be nice to prepare for the transition from a competent crosh window.

After using a sudo in crosh command following these steps, sudo asks for a password, but it doesn't seem to be the root pass or the user pass?

Anyone know what to do?

After using a sudo in crosh command following these steps, sudo asks for a password, but it doesn't seem to be the root pass or the user pass?

Anyone know what to do?

I powerwashed my machine and relogged as root without debug tools. Works like a charm!

in vt-2, yes

In crostinni it says cc1: fatal error: minioverride.c: No such file or directory
compilation terminated. but i downloaded minioverride.c

you have to put the minioverride.c file you made in the same directory where you're running the gcc command, the home directory of crostini

How do you copy the sed module over to vt2, my chromebook doesn't have a backwards slash and just comes up with a question mark, then the command doesn't run properly.

I think this workaround breaks on the latest 120 update. The desktop interface doesn't get loaded and the screen hangs on the startup logo. Commenting out the override in /etc/init/ui.conf does make the desktop interface work again. I'll do some more testing by rolling back to 119, but I think we've come to the end of the road.

@marcsadler these same steps still work on version 120.0.6099.203 for me. perhaps you typed in the last command wrong?

@marcsadler these same steps still work on version 120.0.6099.203 for me. perhaps you typed in the last command wrong?

Thank you for your reply. I'm on 120.0.6099.235, although like you said I must have done one of the steps wrong because it works again now after reinstalling ChromeOS from recovery. Sorry to have wasted your time.

1/29 - added fix for landlock policy (fixes permission denied writing to disk)
restart the entire process with the updated c code if you want to fix it

You are a lifesaver. Thank you so much

Interesting approach using the LD_PRELOAD hack, it is way smarter than my current workaround on this (disable Landlock LSM with kernel parameter + redirect sudo calls to VT2)

It's interesting that I'm no longer getting the 'Sudo commands will not succeed by default.' message on beta channel 15753.36.0 / 122.0.6261.98 when entering 'shell' now. 🤔

yeah saw this too, change was made here
wonder why that wasn't there from the beginning

@CoolElectronics,

I don't understand the code enough to know but is the 'no-new-privs warning' still shown on those without the 'minioverride' bypass?

@DennisLfromGA yes

Ah, got it, makes sense now.
I guess that's one way to know if the minioverride bypass is working or not.

It could be help.
https://shivankaul.com/blog/editing-read-only-files-chromebook

@Arfonium,

That's the first step listed in the instructions above.

DennyL

you can also do chromebrew and uninstall crew-sudo!

@YeesterPlus,

I think you mean you can also use chromebrew and install crew-sudo!
However with crew-sudo v1.1 you don't need chromebrew.

~DennyL

of you can't compile minioverride.so, you can just download it from here. Tested and works on my Dell Chromebook 5190.

1/29 - added fix for landlock policy (fixes permission denied writing to disk) restart the entire process with the updated c code if you want to fix

Thank you very much for this, I have been pulling my hair out (what's left) trying to get use to VT2.
If a future update stops this from working, is there a way to stop VT2 scrolling or pause when using certain commands.
Once again, thank you so much

no, no crew-sudo, it has issues, instead use this allower

You are a lifesaver. Thank you so much!

of you can't compile minioverride.so, you can just download it from here. Tested and works on my Dell Chromebook 5190.

I don't think i've ever had minioverride.so on my download site, now I might add it just because 🤷‍♀️

of you can't compile minioverride.so, you can just download it from here. Tested and works on my Dell Chromebook 5190.

I don't think i've ever had minioverride.so on my download site, now I might add it just because 🤷‍♀️

Is this up? I can't find that file on the link?

I never had the minioverride.so on my download server, i'll probably put it on in ~1 day

…

On Thu, Oct 17, 2024 at 11:36 PM hattmall1 ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ of you can't compile minioverride.so, you can just download it from here <https://dl.kxtz.dev/>. Tested and works on my Dell Chromebook 5190. I don't think i've ever had minioverride.so on my download site, now I might add it just because 🤷‍♀️ Is this up? I can't find that file on the link? — Reply to this email directly, view it on GitHub <https://gist.github.com/velzie/a5088c9ade6ec4d35435b9826b45d7a3#gistcomment-5241260> or unsubscribe <https://github.com/notifications/unsubscribe-auth/A3X4LQPVFH6SDJT3LFLK3GTZ4B62XBFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVEYTENJZGAYDCMZWU52HE2LHM5SXFJTDOJSWC5DF> . You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> .