25427193 sudo with LDAP and "use_sasl on" broken using LDAP_SASL_QUIET s11u3-sru
authorJan Parcel <jan.parcel@oracle.com>
Wed, 15 Mar 2017 15:37:18 -0700
branchs11u3-sru
changeset 7762 1bc3a3aa3178
parent 7761 6d1b867a5d19
child 7764 be0c0ee57436
25427193 sudo with LDAP and "use_sasl on" broken using LDAP_SASL_QUIET
components/sudo/Makefile
components/sudo/TESTING
components/sudo/patches/001_configure.ac.patch
--- a/components/sudo/Makefile	Tue Mar 14 09:01:51 2017 -0700
+++ b/components/sudo/Makefile	Wed Mar 15 15:37:18 2017 -0700
@@ -59,6 +59,9 @@
 CONFIGURE_ENV +=	"MAKE=$(GMAKE)"
 CONFIGURE_ENV +=	"LDFLAGS=$(LDFLAGS)"
 
+# Compile with OpenLDAP headers
+CONFIGURE_ENV +=	"CPPFLAGS=-I/usr/include/openldap"
+
 CONFIGURE_OPTIONS +=	--with-ldap
 CONFIGURE_OPTIONS +=	--with-project
 CONFIGURE_OPTIONS +=	--with-rundir=/system/volatile/sudo
@@ -112,6 +115,7 @@
 
 
 
+REQUIRED_PACKAGES += library/openldap
 REQUIRED_PACKAGES += library/zlib
 REQUIRED_PACKAGES += system/library
 REQUIRED_PACKAGES += system/library/security/crypto
--- a/components/sudo/TESTING	Tue Mar 14 09:01:51 2017 -0700
+++ b/components/sudo/TESTING	Wed Mar 15 15:37:18 2017 -0700
@@ -17,9 +17,9 @@
 
 openssl dgst -sha224 /usr/bin/ls # make note of the hash
 
-# Add this line to sudoers (replace UID by your user ID and HASH by the ls
-# hash):
-<UID> ALL = sha224:<HASH> /usr/bin/ls
+# Add this line to sudoers (replace LOGIN by your user login name and
+# HASH by the ls hash):
+<LOGIN> ALL = sha224:<HASH> /usr/bin/ls
 
 # This should work (asking you a password first)
 sudo /usr/bin/ls /
@@ -54,19 +54,19 @@
 sudo rm *
 sudo /usr/sbin/audit -s
 sudo auditreduce * | praudit -s
-> file,1970-01-01 00:00:00.000 +00:00,
-> file,2014-03-27 10:34:23.000 +00:00,
+  file,1970-01-01 00:00:00.000 +00:00,
+  file,2014-03-27 10:34:23.000 +00:00,
 
 # Make sure that since the first run we can see new auditing record
 sudo auditreduce * | praudit -s
-> file,2014-03-27 10:34:23.000 +00:00,
-> header,158,2,AUE_sudo,,10.0.2.15,2014-03-27 10:34:23.735 +00:00
-> subject,vmarek,root,staff,vmarek,staff,2295,3108723863,5096 202240 10.0.2.2
-> path,/var/share/audit
-> path,/usr/sbin/auditreduce
-> cmd,argcnt,1,20140327103420.not_terminated.S12-43,envcnt,0,
-> return,success,0
-> file,2014-03-27 10:34:23.000 +00:00,
+  file,2014-03-27 10:34:23.000 +00:00,
+  header,158,2,AUE_sudo,,10.0.2.15,2014-03-27 10:34:23.735 +00:00
+  subject,vmarek,root,staff,vmarek,staff,2295,3108723863,5096 202240 10.0.2.2
+  path,/var/share/audit
+  path,/usr/sbin/auditreduce
+  cmd,argcnt,1,20140327103420.not_terminated.S12-43,envcnt,0,
+  return,success,0
+  file,2014-03-27 10:34:23.000 +00:00,
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 
@@ -95,32 +95,32 @@
 # Solaris privileges
 
 # Add this to the end sudoers keeping the 'ALL ALL=(ALL:ALL) NOPASSWD: ALL' above
-<UID> ALL = () PRIVS="basic,dtrace_kernel,dtrace_proc,dtrace_user" NOPASSWD: /usr/sbin/dtrace, /usr/bin/bash
+<LOGIN> ALL = () PRIVS="basic,dtrace_kernel,dtrace_proc,dtrace_user" NOPASSWD: /usr/sbin/dtrace, /usr/bin/bash
 
 # Just your regular id
 id
-> uid=157888(vmarek) gid=10(staff)
+  uid=157888(vmarek) gid=10(staff)
 
 # Sudo normally turning you into root via the 'ALL ALL=(ALL:ALL) NOPASSWD: ALL' line
 sudo id
-> uid=0(root) gid=0(root)
+  uid=0(root) gid=0(root)
 
 # For bash it should leave your ID and just grant dtrace privileges
 sudo bash -c 'id; ppriv $$'
 uid=157888(vmarek) gid=10(staff)
-> 2296:   bash -c id; ppriv $$
-> flags = <none>
->         E: basic,dtrace_kernel,dtrace_proc,dtrace_user
->         I: basic,dtrace_kernel,dtrace_proc,dtrace_user
->         P: basic,dtrace_kernel,dtrace_proc,dtrace_user
->         L: basic,dtrace_kernel,dtrace_proc,dtrace_user
+  2296:   bash -c id; ppriv $$
+  flags = <none>
+          E: basic,dtrace_kernel,dtrace_proc,dtrace_user
+          I: basic,dtrace_kernel,dtrace_proc,dtrace_user
+          P: basic,dtrace_kernel,dtrace_proc,dtrace_user
+          L: basic,dtrace_kernel,dtrace_proc,dtrace_user
 
 # dtrace functionality
 sudo dtrace -l -n 'syscall::b*:entry'
->    ID   PROVIDER            MODULE                          FUNCTION NAME
-> 11282    syscall                                                 brk entry
-> 11550    syscall                                            brandsys entry
-> 11642    syscall                                                bind entry
+     ID   PROVIDER            MODULE                          FUNCTION NAME
+  11282    syscall                                                 brk entry
+  11550    syscall                                            brandsys entry
+  11642    syscall                                                bind entry
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/sudo/patches/001_configure.ac.patch	Wed Mar 15 15:37:18 2017 -0700
@@ -0,0 +1,21 @@
+This is a Solaris 11 specific patch, which will not go upstream and may
+not be needed in Solaris.next
+
+Sudo needs to be compiled and linked with OpenLDAP in order to have full
+functionality.  The name of the OpenLDAP library is usually lldap but in
+Solaris 11 that refers to Mozilla ldap.
+
+diff -rupN old/configure.ac new/configure.ac
+--- old/configure.ac	2017-03-01 18:29:39.533375940 -0800
++++ new/configure.ac	2017-03-01 18:31:58.413934900 -0800
[email protected]@ -3663,8 +3663,9 @@ if test ${with_ldap-'no'} != "no"; then
+     ])
+     # If nothing linked, try -lldap and hope for the best
+     if test "$found" = "no"; then
+-	LDAP_LIBS="-lldap"
++	LDAP_LIBS="-lldap-2.4"
+     fi
++    LDAP_LIBS="-lldap-2.4"
+     LIBS="${_LIBS} ${LDAP_LIBS}"
+     dnl check if we need to link with -llber for ber_set_option
+     OLIBS="$LIBS"