Bugzilla – Bug 204
Sudo support for Solaris "project"s used for resource_controls in Solaris 10
Last modified: 2007-06-19 19:28:29 MDT
Todd,

When upgrading to Solaris 10 we soon discovered that privileged processes obtained via sudo did not possess the necessary privileges as controlled by the facility documented in the resource_controls(5) and as implemented in the project file/NIS map. The only workaround available was to use the newtask(1) command from within sudo-invoked processes to launch subprocesses with the correct resource assignments, but this proved to be a problematic solution given the huge number of shell scripts that needed to be updated to work around the problem.

Rather than take on the task of updating all scripts that made use of sudo, I instead made use of the source code available at opensolaris.org to fashion a patch so that sudo itself could perform the resource assignments inherent in the newtask(1) command. As such this bug report really is more of a feature request in that we would like to submit this patch for inclusion in future releases of sudo.

I have done my best to ensure that this patch is sympathetic to the existing code and build environment, so hopefully it will not require too much effort on your part to perform the necessary code review in order to add it to the default build.

As I don't see a way of attaching a file to this interface I will email the patch directly to Todd.Miller@courtesan.com. My apologies in advance if I should be submitting this patch in some other manner.

Many thanks for your efforts to develop this excellent software!

Regards,
Michael Brantley
Created attachment 42
Patch to provide solaris project support in sudo-1.6.8p12

I guess I won't be emailing it to you after all! :-)
Created attachment 43
Patch to provide solaris project support in sudo-1.6.8p12 (revised)

My apologies - I noticed that a small part of another local modification had accidentally slipped through with my patch. This is the same patch file with those lines omitted. Please regard this one as my submission.

Many thanks,
--
- Michael
Thanks, I'll merge some version of this into the sudo 1.7 cvs tree.
One note that I'm sure is obvious to you Todd but perhaps not to others reading the bug report - before running configure with the new --with-project option you will need to use autoconf to generate a new version of "configure" from the "configure.in" file. In other words I did not bother submitting a new "configure" script with this patch.

--
- Michael
Created attachment 44
Further patch to configure.in and aclocal.m4 to allow the use of autoconf without errors

I found that with my changes autoconf generated a buggy configure script. Upon investigation I found the article http://lists.gnu.org/archive/html/autoconf/2002-05/msg00116.html which implied that the problem was with quoting in the source files, not with autoconf itself. Through painful iteration I arrived upon this patch (as computed against the version created by the previous patch submitted in this bug report) which makes minor changes to the bracketing usage and enables autoconf-2.59 to create an error-free configure script.

--
- Michael
Support for this is present in the sudo 1.6.9 beta release. I did not use gettext() at this time because I intend to convert the rest of sudo to use gettext() in the future. You can download the latest beta release from http://www.sudo.ws/sudo/beta.html