# HG changeset patch # User Jan Parcel # Date 1489617438 25200 # Node ID 1bc3a3aa31784c23a896fb4b14527bac2097cf84 # Parent 6d1b867a5d19ad0b23c76934d33beb35202a4beb 25427193 sudo with LDAP and "use_sasl on" broken using LDAP_SASL_QUIET diff -r 6d1b867a5d19 -r 1bc3a3aa3178 components/sudo/Makefile --- a/components/sudo/Makefile Tue Mar 14 09:01:51 2017 -0700 +++ b/components/sudo/Makefile Wed Mar 15 15:37:18 2017 -0700 @@ -59,6 +59,9 @@ CONFIGURE_ENV += "MAKE=$(GMAKE)" CONFIGURE_ENV += "LDFLAGS=$(LDFLAGS)" +# Compile with OpenLDAP headers +CONFIGURE_ENV += "CPPFLAGS=-I/usr/include/openldap" + CONFIGURE_OPTIONS += --with-ldap CONFIGURE_OPTIONS += --with-project CONFIGURE_OPTIONS += --with-rundir=/system/volatile/sudo @@ -112,6 +115,7 @@ +REQUIRED_PACKAGES += library/openldap REQUIRED_PACKAGES += library/zlib REQUIRED_PACKAGES += system/library REQUIRED_PACKAGES += system/library/security/crypto diff -r 6d1b867a5d19 -r 1bc3a3aa3178 components/sudo/TESTING --- a/components/sudo/TESTING Tue Mar 14 09:01:51 2017 -0700 +++ b/components/sudo/TESTING Wed Mar 15 15:37:18 2017 -0700 @@ -17,9 +17,9 @@ openssl dgst -sha224 /usr/bin/ls # make note of the hash -# Add this line to sudoers (replace UID by your user ID and HASH by the ls -# hash): - ALL = sha224: /usr/bin/ls +# Add this line to sudoers (replace LOGIN by your user login name and +# HASH by the ls hash): + ALL = sha224: /usr/bin/ls # This should work (asking you a password first) sudo /usr/bin/ls / 
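Review bot: The new `CONFIGURE_ENV += "CPPFLAGS=-I/usr/include/openldap"` line in the first Makefile hunk assigns CPPFLAGS outright rather than extending it, so any CPPFLAGS the build framework already exports (not visible in this hunk) would be dropped from the configure run; the LDFLAGS line just above follows the `$(LDFLAGS)` pattern, and `CONFIGURE_ENV += "CPPFLAGS=$(CPPFLAGS) -I/usr/include/openldap"` would keep that consistent if the framework defines CPPFLAGS. The comment should also record why the headers are forced, since the matching link choice lives in a separate file: `# Compile against OpenLDAP headers: on Solaris 11 plain -lldap resolves to Mozilla LDAP, so the link is forced to -lldap-2.4 in patches/001_configure.ac.patch; both must stay in step`. The REQUIRED_PACKAGES hunk below adds library/openldap without any version constraint, whereas the patch hard-codes the 2.4 library name, so an OpenLDAP package upgrade would surface only as a link failure; a one-line comment next to that dependency pointing at the patch would make the coupling visible.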
@@ -54,19 +54,19 @@ sudo rm * sudo /usr/sbin/audit -s sudo auditreduce * | praudit -s -> file,1970-01-01 00:00:00.000 +00:00, -> file,2014-03-27 10:34:23.000 +00:00, + file,1970-01-01 00:00:00.000 +00:00, + file,2014-03-27 10:34:23.000 +00:00, # Make sure that since the first run we can see new auditing record sudo auditreduce * | praudit -s -> file,2014-03-27 10:34:23.000 +00:00, -> header,158,2,AUE_sudo,,10.0.2.15,2014-03-27 10:34:23.735 +00:00 -> subject,vmarek,root,staff,vmarek,staff,2295,3108723863,5096 202240 10.0.2.2 -> path,/var/share/audit -> path,/usr/sbin/auditreduce -> cmd,argcnt,1,20140327103420.not_terminated.S12-43,envcnt,0, -> return,success,0 -> file,2014-03-27 10:34:23.000 +00:00, + file,2014-03-27 10:34:23.000 +00:00, + header,158,2,AUE_sudo,,10.0.2.15,2014-03-27 10:34:23.735 +00:00 + subject,vmarek,root,staff,vmarek,staff,2295,3108723863,5096 202240 10.0.2.2 + path,/var/share/audit + path,/usr/sbin/auditreduce + cmd,argcnt,1,20140327103420.not_terminated.S12-43,envcnt,0, + return,success,0 + file,2014-03-27 10:34:23.000 +00:00, %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
@@ -95,32 +95,32 @@ # Solaris privileges # Add this to the end sudoers keeping the 'ALL ALL=(ALL:ALL) NOPASSWD: ALL' above - ALL = () PRIVS="basic,dtrace_kernel,dtrace_proc,dtrace_user" NOPASSWD: /usr/sbin/dtrace, /usr/bin/bash + ALL = () PRIVS="basic,dtrace_kernel,dtrace_proc,dtrace_user" NOPASSWD: /usr/sbin/dtrace, /usr/bin/bash # Just your regular id id -> uid=157888(vmarek) gid=10(staff) + uid=157888(vmarek) gid=10(staff) # Sudo normally turning you into root via the 'ALL ALL=(ALL:ALL) NOPASSWD: ALL' line sudo id -> uid=0(root) gid=0(root) + uid=0(root) gid=0(root) # For bash it should leave your ID and just grant dtrace privileges sudo bash -c 'id; ppriv $$' uid=157888(vmarek) gid=10(staff) -> 2296: bash -c id; ppriv $$ -> flags = -> E: basic,dtrace_kernel,dtrace_proc,dtrace_user -> I: basic,dtrace_kernel,dtrace_proc,dtrace_user -> P: basic,dtrace_kernel,dtrace_proc,dtrace_user -> L: basic,dtrace_kernel,dtrace_proc,dtrace_user + 2296: bash -c id; ppriv $$ + flags = + E: basic,dtrace_kernel,dtrace_proc,dtrace_user + I: basic,dtrace_kernel,dtrace_proc,dtrace_user + P: basic,dtrace_kernel,dtrace_proc,dtrace_user + L: basic,dtrace_kernel,dtrace_proc,dtrace_user # dtrace functionality sudo dtrace -l -n 'syscall::b*:entry' -> ID PROVIDER MODULE FUNCTION NAME -> 11282 syscall brk entry -> 11550 syscall brandsys entry -> 11642 syscall bind entry + ID PROVIDER MODULE FUNCTION NAME + 11282 syscall brk entry + 11550 syscall brandsys entry + 11642 syscall bind entry %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% diff -r 6d1b867a5d19 -r 1bc3a3aa3178 components/sudo/patches/001_configure.ac.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/sudo/patches/001_configure.ac.patch Wed Mar 15 15:37:18 2017 -0700 
@@ -0,0 +1,21 @@
+This is a Solaris 11 specific patch, which will not go upstream and may
+not be needed in Solaris.next
+
+Sudo needs to be compiled and linked with OpenLDAP in order to have full
+functionality. The name of the OpenLDAP library is usually lldap but in
+Solaris 11 that refers to Mozilla ldap.
+
+diff -rupN old/configure.ac new/configure.ac
+--- old/configure.ac 2017-03-01 18:29:39.533375940 -0800
++++ new/configure.ac 2017-03-01 18:31:58.413934900 -0800
+@@ -3663,8 +3663,9 @@ if test ${with_ldap-'no'} != "no"; then
+ ])
+ # If nothing linked, try -lldap and hope for the best
+ if test "$found" = "no"; then
+- LDAP_LIBS="-lldap"
++ LDAP_LIBS="-lldap-2.4"
+ fi
++ LDAP_LIBS="-lldap-2.4"
+ LIBS="${_LIBS} ${LDAP_LIBS}"
+ dnl check if we need to link with -llber for ber_set_option
+ OLIBS="$LIBS"
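Review bot: The inner configure.ac hunk sets `LDAP_LIBS="-lldap-2.4"` twice: once inside the `if test "$found" = "no"` block and again unconditionally right after `fi`, so the conditional change is dead and whatever the preceding detection loop found is overridden in every case. If forcing the OpenLDAP library is the intent (which the commit message and the "lldap refers to Mozilla ldap" note support), drop the change inside the `if` and keep only the unconditional line, with a comment such as `# Solaris 11: always link the OpenLDAP library; -lldap is Mozilla LDAP here`; if detection is meant to be respected, keep only the conditional change instead. Either way the embedded "2.4" pins the build to a specific OpenLDAP soname, while the Makefile's `REQUIRED_PACKAGES += library/openldap` carries no version, so the patch header should state that the suffix must be revisited when the OpenLDAP package changes. The enclosing `if test ${with_ldap-'no'} != "no"` block starts and ends outside this hunk.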