Bug 204

Summary: Sudo support for Solaris "project"s used for resource_controls in Solaris 10
Product: Sudo
Reporter: Michael Brantley <Michael.Brantley>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED    
Severity: enhancement    
Priority: normal    
Version: 1.6.8   
Hardware: Sun   
OS: Solaris 2.x   
Attachments: Patch to provide solaris project support in sudo-1.6.8p12
Patch to provide solaris project support in sudo-1.6.8p12 (revised)
Further patch to configure.in and aclocal.m4 to allow the use of autoconf without errors

Description Michael Brantley 2006-01-19 11:34:45 MST
Todd,

When upgrading to Solaris 10 we soon discovered that privileged processes 
obtained via sudo did not possess the necessary privileges as controlled by 
the facility documented in the resource_controls(5) and as implemented in the 
project file/NIS map.  The only workaround available was to use the newtask(1) 
command from within sudo-invoked processes to launch subprocesses with the 
correct resource assignments, but this proved to be a problematic solution 
given the huge number of shell scripts that needed to be updated to work 
around the problem.

Rather than take on the task of updating all scripts that made use of sudo, I 
instead made use of the source code available at opensolaris.org to fashion a 
patch so that sudo itself could perform the resource assignments inherent in 
the newtask(1) command.  As such this bug report really is more of a feature 
request in that we would like to submit this patch for inclusion in future 
releases of sudo.  I have done my best to ensure that this patch is 
sympathetic to the existing code and build environment, so hopefully it will 
not require too much effort on your part to perform the necessary code review 
in order to add it to the default build.

As I don't see a way of attaching a file to this interface I will email the 
patch directly to Todd.Miller@courtesan.com.  My apologies in advance if I 
should be submitting this patch in some other manner.

Many thanks for your efforts to develop this excellent software!

Regards,


Michael Brantley
Comment 1 Michael Brantley 2006-01-19 11:36:32 MST
Created attachment 42
Patch to provide solaris project support in sudo-1.6.8p12

I guess I won't be emailing it to you after all!  :-)
Comment 2 Michael Brantley 2006-01-19 11:41:01 MST
Created attachment 43
Patch to provide solaris project support in sudo-1.6.8p12 (revised)

My apologies - I noticed that a small part of another local modification had
accidentally slipped through with my patch.  This is the same patch file with
those lines omitted.  Please regard this one as my submission.

Many thanks,
--
- Michael
Comment 3 Todd C. Miller 2006-01-19 11:45:01 MST
Thanks, I'll merge some version of this into the sudo 1.7 cvs tree.
Comment 4 Michael Brantley 2006-01-19 12:30:03 MST
One note that I'm sure is obvious to you, Todd, but perhaps not to others 
reading the bug report - before running configure with the new --with-project 
option you will need to use autoconf to generate a new version of "configure" 
from the "configure.in" file.  In other words I did not bother submitting a 
new "configure" script with this patch.
--
- Michael
Comment 5 Michael Brantley 2006-01-20 12:43:53 MST
Created attachment 44
Further patch to configure.in and aclocal.m4 to allow the use of autoconf without errors

I found that with my changes autoconf generated a buggy configure script.  Upon
investigation I found the article
http://lists.gnu.org/archive/html/autoconf/2002-05/msg00116.html which implied
that the problem was with quoting in the source files, not with autoconf
itself.

Through painful iteration I arrived upon this patch (as computed against the
version created by the previous patch submitted in this bug report) which makes
minor changes to the bracketing usage and enables autoconf-2.59 to create an
error-free configure script.
--
- Michael
Comment 6 Todd C. Miller 2007-06-19 19:28:29 MDT
Support for this is present in the sudo 1.6.9 beta release.  I did not use gettext() at this time because I intend to convert the rest of sudo to use gettext() in the future.  You can download the latest beta release from http://www.sudo.ws/sudo/beta.html