Sudo and Solaris zones, unable to open errors

I've got a Solaris 10 host with two zones. When I'm working with sudo on the host, everything is great. Within the zones I had to edit the .profile to include the /usr/local/whatever directory the sudo executable is in. Then, it all worked fine. Sudo grants permissions and the command is performed. But, there's a nasty error message that appears after every use of sudo. See the code below.

-bash-3.2$ sudo -V
Sudo version 1.8.5p2
Sudoers policy plugin version 1.8.5p2
Sudoers file grammar version 41
Sudoers I/O plugin version 1.8.5p2
-bash-3.2$ sudo cp /etc/skel/.profile /export/home/whatever
Password:
sudo: unable to open /usr/local/var/lib/sudo/<user-id>/4: Read-only file system
-bash-3.2$

Also, and this may be unrelated, on the host using sudo asks for the password once every few minutes. On the zones, sudo requires the password every time.

What do I need to do to address these two issues?

In a sparse zone, /usr is usually mounted read-only.

To have a writable /usr/local/var, you can define a loopback mount in the zone configuration:

zonecfg -z myzone
   add fs
      set dir=/usr/local/var
      set special=/zones/myzone/usr/local/var
      set type=lofs
   end
   verify
   commit
   exit

You have to create /zones/myzone/usr/local/var in the global zone first, of course.
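The procedure above, carried through end to end as an added example (this is not hergp's code or anything from the thread): the backing directory is created in the global zone first, the lofs entry is added only if it is not already there, and the zone is verified before it is booted or rebooted so a bad entry fails here instead of leaving the zone unbootable. The zone name `myzone` and both paths are the ones used in the thread; the `--apply` flag and the function names are my own. It runs as root in the global zone; without `--apply` it only defines the functions.

```shell
#!/bin/sh
# Added example: give a sparse-root Solaris 10 zone a writable /usr/local/var
# through a lofs mount backed by a directory in the global zone.
ZONE="${ZONE:-myzone}"                      # assumption: zone name from the thread
ZONE_DIR="/usr/local/var"                   # mount point as seen inside the zone
GLOBAL_DIR="/zones/${ZONE}/usr/local/var"   # backing directory in the global zone

# Emit the zonecfg command sequence for one lofs entry (printed, not executed,
# so it can be reviewed before being fed to zonecfg -f).
zonecfg_lofs_commands() {
    dir=$1; special=$2
    printf '%s\n' "add fs" "set dir=${dir}" "set special=${special}" \
        "set type=lofs" "end" "verify" "commit" "exit"
}

# zoneadm verify needs the backing path to exist as a directory; the thread's
# "could not access ... No such file or directory" failure is exactly this check.
backing_dir_ok() {
    [ -d "$1" ]
}

# Does the zone already have an fs entry for this mount point?
# `zonecfg -z ZONE info fs` prints one "dir: /path" line per entry.
has_fs_entry() {
    zonecfg -z "$1" info fs 2>/dev/null | grep -q "^[[:space:]]*dir: $2\$"
}

apply() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root in the global zone" >&2; return 1; }

    # Create the backing tree before touching the zone config. sudo creates its
    # own root-owned 0700 timestamp directory under lib/sudo on first use, so
    # only the parent directories are needed here.
    mkdir -p "$GLOBAL_DIR/lib" || return 1
    chown root:root "$GLOBAL_DIR" && chmod 0755 "$GLOBAL_DIR" || return 1
    backing_dir_ok "$GLOBAL_DIR" || return 1

    if ! has_fs_entry "$ZONE" "$ZONE_DIR"; then
        cmds=$(mktemp /tmp/zonecfg.XXXXXX) || return 1
        zonecfg_lofs_commands "$ZONE_DIR" "$GLOBAL_DIR" > "$cmds"
        zonecfg -z "$ZONE" -f "$cmds"
        rc=$?
        rm -f "$cmds"
        [ "$rc" -eq 0 ] || return "$rc"
    fi

    # A new fs entry only takes effect at the next boot.
    zoneadm -z "$ZONE" verify || return 1
    state=$(zoneadm -z "$ZONE" list -p | cut -d: -f3)
    case $state in
        running)   zoneadm -z "$ZONE" reboot ;;
        installed) zoneadm -z "$ZONE" boot ;;
        *) echo "zone '$ZONE' is in state '$state'; not booting" >&2; return 1 ;;
    esac
}

if [ "${1-}" = "--apply" ]; then
    apply
fi
```

Once the zone is back up, `df -k /usr/local/var` inside it should show the lofs mount rather than the read-only /usr, and the next sudo run creates its timestamp directory there. That also addresses the second symptom in the question: sudo caches the password by writing a timestamp file, so while that directory is unwritable it has to ask every time. If a writable /usr/local/var is not wanted, sudo 1.8 can instead be pointed at another directory with `Defaults timestampdir=/var/lib/sudo` in sudoers.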

DustinT,
Is your zone a full root or sparse root? I mostly build full root zones. To get sudo to work there is an extra step that needs to be done. For some reason the linked files that sudo needs become broken when you build a zone. Run the command below in the zone.

# ldd /usr/local/bin/sudo

If there are any broken links then you have to fix them. Also make sure you add your user to the sysadmin group. Below I have a link to a blog post with a how-to on what I mentioned above.

My Notes: Creating Zones in Solaris 10

I hope this helps you.

There doesn't seem to be any broken links.

-bash-3.2$ sudo ldd /usr/local/bin/sudo
Password:
sudo: unable to open /usr/local/var/lib/sudo/trapanid/3: Read-only file system
        libintl.so.8 =>  /usr/local/lib/libintl.so.8
        libiconv.so.2 =>         /usr/local/lib/libiconv.so.2
        libsec.so.1 =>   /usr/lib/libsec.so.1
        libc.so.1 =>     /usr/lib/libc.so.1
        libsocket.so.1 =>        /usr/lib/libsocket.so.1
        libgcc_s.so.1 =>         /usr/local/lib/libgcc_s.so.1
        libnsl.so.1 =>   /usr/lib/libnsl.so.1
        libavl.so.1 =>   /lib/libavl.so.1
        libmp.so.2 =>    /lib/libmp.so.2
        libmd.so.1 =>    /lib/libmd.so.1
        libscf.so.1 =>   /lib/libscf.so.1
        libdoor.so.1 =>  /lib/libdoor.so.1
        libuutil.so.1 =>         /lib/libuutil.so.1
        libgen.so.1 =>   /lib/libgen.so.1
        libm.so.2 =>     /lib/libm.so.2
        /lib/libm/libm_hwcap1.so.2
        /platform/SUNW,SPARC-Enterprise/lib/libc_psr.so.1

---------- Post updated at 11:15 AM ---------- Previous update was at 11:14 AM ----------

I'm not sure I understand the context of how this all fits together. What would be the ramifications of making this change?

---------- Post updated at 11:38 AM ---------- Previous update was at 11:15 AM ----------

OK, I took another stab at the documentation and figured out what you meant. I think this is the right approach, but when I tried it I had some problems.

  -bash-3.2$ sudo zonecfg -z myzone
  Password:
  zonecfg:myzone> add fs
  zonecfg:myzone:fs> set dir=/usr/local/var
  zonecfg:myzone:fs> set special=/zones/myzone/usr/local/var
  zonecfg:myzone:fs> set type=lofs
  zonecfg:myzone:fs> end
  zonecfg:myzone> verify
  zonecfg:myzone> commit
  zonecfg:myzone> exit
  -bash-3.2$ zoneadm -z myzone boot
  zoneadm: zone 'myzone': only a privileged user may boot a zone.
  -bash-3.2$ sudo zoneadm -z myzone boot
  could not verify fs /usr/local/var: could not access /zones/myzone/usr/local/var: No such file or directory
  zoneadm: zone myzone failed to verify
  -bash-3.2$
  

DustinT,
Sorry that my fix didn't work. Every time I make a zone I have to do that step. What hergp is trying to have you do is a loopback mount, which is done in sparse zones a lot. I don't use these.

What I would like you to do now is compare your sudo setting on your global zone which works to the zone which doesn't work.

ls -l /usr/local/sbin/visudo
---x--x--x  1 root  root   249604 Nov 18  01:09 visudo
ls -l /usr/local/bin/sudo
---s--x--x   1 root  root   249604 Nov 18  01:09 /usr/local/bin/sudo
id
uid=2708(bitlord) gid=2001(users) groups=14(sysadmin)

are you in the sysadmin group?

This is what my sudoers file looks like.

visudo
%sysadmin ALL=(ALL) NOPASSWD: ALL

Do the files look the same?
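The comparison bitlord asks for, written as checks, as an added example rather than anything posted in the thread: it confirms that the sudo binary is setuid and owned by root (the `---s--x--x` mode in the listing above), pulls the `%group` names out of the sudoers file, and reports whether the current user is in each of them. The sudo path is the one from the thread; the sudoers location `/usr/local/etc/sudoers` is an assumption for a sudo built with a /usr/local prefix, and the `--check` flag and function names are mine. Run it once in the global zone and once inside the zone and compare the output.

```shell
#!/bin/sh
# Added example: checks for the sudo binary and sudoers group membership.
SUDO_BIN="/usr/local/bin/sudo"
SUDOERS="${SUDOERS:-/usr/local/etc/sudoers}"   # assumption: /usr/local-prefixed sudo

# Given one line of `ls -l` output, return 0 only if the file is setuid
# (fourth character of the mode string is 's') and owned by root.
sudo_perms_ok() {
    mode=$(printf '%s\n' "$1" | awk '{print $1}')
    owner=$(printf '%s\n' "$1" | awk '{print $3}')
    case $mode in
        ???s*) ;;
        *) return 1 ;;
    esac
    [ "$owner" = root ] || [ "$owner" = 0 ]
}

# Print the group names that have rules in a sudoers text (lines starting
# with %group), one per line.
sudoers_groups() {
    printf '%s\n' "$1" | sed -n 's/^%\([^ 	]*\)[ 	].*/\1/p'
}

# Is the user a member of the group (primary or supplementary), per `id -Gn`?
in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

check() {
    line=$(ls -l "$SUDO_BIN") || return 1
    if sudo_perms_ok "$line"; then
        echo "ok:  $line"
    else
        echo "BAD: $line (must be setuid and owned by root)"
    fi

    [ -r "$SUDOERS" ] || { echo "cannot read $SUDOERS" >&2; return 1; }
    me=$(id -un)
    for g in $(sudoers_groups "$(cat "$SUDOERS")"); do
        if in_group "$me" "$g"; then
            echo "ok:  $me is in %$g"
        else
            echo "BAD: $me is not in %$g"
        fi
    done
}

if [ "${1-}" = "--check" ]; then
    check
fi
```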