Re-Enable sudo from crosh on R117+ Chrome OS without recompiling

chromeos-117-sudo-howto.md

Short guide on how to bypass this:

If you haven't disabled rootfs verification, switch to vt-2 and run /usr/libexec/debugd/helpers/dev_features_rootfs_verification. Then reboot.

Inside crostini, download minioverride.c and compile it with gcc minioverride.c -o minioverride.so -shared (make sure gcc is installed)

In the files app, move minioverride.so into your downloads folder.

Switch to vt2, and in the root terminal, not crostini, run these commands

mkdir -p /usr/local/bin
mv /home/chronos/user/Downloads/minioverride.so /usr/local/bin/
chmod +x /usr/local/bin/minioverride.so
sed -i '1s/^/env LD_PRELOAD=\/usr\/local\/bin\/minioverride.so\n/' /etc/init/ui.conf 
reboot

After rebooting you should be able to use sudo inside crosh as you would normally before updating to 117. It will display the warning, but sudo should work regardless.

NOTE: When you update chrome os versions, this will stop working. You don't need to redo the whole thing, just run /usr/libexec/debugd/helpers/dev_features_rootfs_verification, reboot and run sed -i '1s/^/env LD_PRELOAD=\/usr\/local\/bin\/minioverride.so\n/' /etc/init/ui.conf and reboot again.

1/29 - added fix for landlock policy (fixes permission denied writing to disk) restart the entire process with the updated c code if you want to fix it

minioverride.c

int minijail_no_new_privs(){
    return 0;
}
int minijail_add_fs_restriction_rx(){
    return 0;
}
int minijail_add_fs_restriction_advanced_rw(){
    return 0;
}
int minijail_set_enable_profile_fs_restrictions(){
    return 0;
}
int minijail_enable_default_fs_restrictions(){
    return 0;
}

You are a lifesaver. Thank you so much

Interesting approach using the LD_PRELOAD hack, it is way smarter than my current workaround on this (disable Landlock LSM with kernel parameter + redirect sudo calls to VT2)

It's interesting that I'm no longer getting the 'Sudo commands will not succeed by default.' message on beta channel 15753.36.0 / 122.0.6261.98 when entering 'shell' now. 🤔

yeah saw this too, change was made here
wonder why that wasn't there from the beginning

@CoolElectronics,

I don't understand the code enough to know but is the 'no-new-privs warning' still shown on those without the 'minioverride' bypass?

@DennisLfromGA yes

Ah, got it, makes sense now.
I guess that's one way to know if the minioverride bypass is working or not.

It could be help.
https://shivankaul.com/blog/editing-read-only-files-chromebook

@Arfonium,

That's the first step listed in the instructions above.

DennyL

you can also do chromebrew and uninstall crew-sudo!

@YeesterPlus,

I think you mean you can also use chromebrew and install crew-sudo!
However with crew-sudo v1.1 you don't need chromebrew.

~DennyL

of you can't compile minioverride.so, you can just download it from here. Tested and works on my Dell Chromebook 5190.

1/29 - added fix for landlock policy (fixes permission denied writing to disk) restart the entire process with the updated c code if you want to fix

Thank you very much for this, I have been pulling my hair out (what's left) trying to get use to VT2.
If a future update stops this from working, is there a way to stop VT2 scrolling or pause when using certain commands.
Once again, thank you so much

no, no crew-sudo, it has issues, instead use this allower

You are a lifesaver. Thank you so much!