I've got a Solaris 10 host with two zones. When I'm working with sudo on the host, everything is great. Within the zones I had to edit the .profile to include the /usr/local/whatever directory the sudo executable is in. Then, it all worked fine. Sudo grants permissions and the command is performed. But, there's a nasty error message that appears after every use of sudo. See the code below.
-bash-3.2$ sudo -V
Sudo version 1.8.5p2
Sudoers policy plugin version 1.8.5p2
Sudoers file grammar version 41
Sudoers I/O plugin version 1.8.5p2
-bash-3.2$ sudo cp /etc/skel/.profile /export/home/whatever
Password:
sudo: unable to open /usr/local/var/lib/sudo/<user-id>/4: Read-only file system
-bash-3.2$
Also, and this maybe unrelated, on the host using sudo asks for the password once every few minutes. On the zones, sudo requires the password every time.
DustinT,
Is your zone a full root are spare root? I build mostly build full root zones. To get sudo to work there is a extra step that need to be done. For some reason the linked files that sudo needs become broken, when you build a zone. Do the below command in the zone.
# ldd /usr/local/bin/sudo
If there are any broken links then you have to fix them. Also make sure you add your user to the the sysadmin group. Below I have a link to a blog post with a how-to on what I mentioned above.
---------- Post updated at 11:15 AM ---------- Previous update was at 11:14 AM ----------
I'm not sure I understand the context of how this all fits together. What would be the ramifications of making this change?
---------- Post updated at 11:38 AM ---------- Previous update was at 11:15 AM ----------
Ok, I took another stab at the documentation and figured out what you meant. I think this is the right aproach but when I tried it I had some problems.
-bash-3.2$ sudo zonecfg -z myzone
Password:
zonecfg:myzone> add fs
zonecfg:myzone:fs> set dir=/usr/local/var
zonecfg:myzone:fs> set special=/zones/myzone/usr/local/var
zonecfg:myzone:fs> set type=lofs
zonecfg:myzone:fs> end
zonecfg:myzone> verify
zonecfg:myzone> commit
zonecfg:myzone> exit
-bash-3.2$ zoneadm -z myzone boot
zoneadm: zone 'myzone': only a privileged user may boot a zone.
-bash-3.2$ sudo zoneadm -z myzone boot
could not verify fs /usr/local/var: could not access /zones/myzone/usr/local/var: No such file or directory
zoneadm: zone myzone failed to verify
-bash-3.2$
DustinT,
Sorry that my fix didn't work. Every time I make a zone I have to do that step. What hergp is trying tohave you do is a loop back, which is done in sparse zones a lot. I don't use these.
What I would like you to do now is compare your sudo setting on your global zone which works to the zone which doesn't work.
ls -l /usr/local/sbin/visudo
---x--x--x 1 root root 249604 Nov 18 01:09 visudo
ls - /usr/local/bin/sudo
---s--x--x 1 root root 249604 Nov 18 01:09 /usr/local/bin/sudo
id
uid=2708(bitlord) gid=2001(users) groups=14(sysadmin)