Sudo and Solaris zones, unable to open errors
# 1  
Old 04-10-2013
Sudo and Solaris zones, unable to open errors

I've got a Solaris 10 host with two zones. When I'm working with sudo on the host, everything is great. Within the zones I had to edit the .profile to include the /usr/local/whatever directory the sudo executable is in. Then, it all worked fine. Sudo grants permissions and the command is performed. But, there's a nasty error message that appears after every use of sudo. See the code below.
Code:
-bash-3.2$ sudo -V
Sudo version 1.8.5p2
Sudoers policy plugin version 1.8.5p2
Sudoers file grammar version 41
Sudoers I/O plugin version 1.8.5p2
-bash-3.2$ sudo cp /etc/skel/.profile /export/home/whatever
Password:
sudo: unable to open /usr/local/var/lib/sudo/<user-id>/4: Read-only file system
-bash-3.2$

Also, and this may be unrelated, on the host using sudo asks for the password once every few minutes. On the zones, sudo requires the password every time.

What do I need to do to address these two issues?
# 2  
Old 04-10-2013
In a sparse zone, /usr is usually mounted read-only.

To have a writeable /usr/local/var, you can define a loopback mount in the zone configuration

Code:
zonecfg -z myzone
   add fs
      set dir=/usr/local/var
      set special=/zones/myzone/usr/local/var
      set type=lofs
    end
    verify
    commit
    exit

You have to create /zones/myzone/usr/local/var in the global zone first, of course.
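A scripted version of hergp's procedure, added here as an example rather than code from the thread: it refuses to emit the zonecfg commands until the backing directory exists in the global zone, because the verify step that `zoneadm ... boot` runs rejects the zone with "could not access ...: No such file or directory" when it does not. The zone name, mount point and backing path are the ones used in the thread; `apply_lofs` assumes it runs as root in the global zone, and the new mount appears inside the zone at its next boot.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the zonecfg command
# script for a writable lofs mount over /usr/local/var in a sparse-root zone,
# but only after confirming the backing directory exists in the global zone.

# lofs_zonecfg DIR SPECIAL
#   DIR     mount point as seen inside the zone, e.g. /usr/local/var
#   SPECIAL backing directory in the global zone, e.g. /zones/myzone/usr/local/var
# Prints the zonecfg commands on stdout. If SPECIAL is missing it prints the
# fix on stderr, prints nothing on stdout and returns 1, because zoneadm's
# verify step would otherwise reject the zone at boot time.
lofs_zonecfg() {
    dir=$1 special=$2
    if [ ! -d "$special" ]; then
        echo "lofs_zonecfg: $special does not exist in the global zone" >&2
        echo "create it first:  mkdir -p $special && chmod 755 $special" >&2
        return 1
    fi
    cat <<EOF
add fs
set dir=$dir
set special=$special
set type=lofs
end
verify
commit
exit
EOF
}

# apply_lofs ZONE DIR SPECIAL
# Writes the generated script to a temporary file and feeds it to
# "zonecfg -z ZONE -f FILE" (assumed: run as root in the global zone).
# The mount shows up inside the zone at its next boot:  zoneadm -z ZONE boot
apply_lofs() {
    tmp=${TMPDIR:-/tmp}/zonecfg.$1.$$
    lofs_zonecfg "$2" "$3" > "$tmp" || { rm -f "$tmp"; return 1; }
    zonecfg -z "$1" -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage (global zone, as root):
#   apply_lofs myzone /usr/local/var /zones/myzone/usr/local/var
```

Once the zone has been rebooted, /usr/local/var is writable and sudo creates its lib/sudo subtree there by itself. An alternative the thread does not mention is to leave the zone configuration alone and point sudo at a directory that is already writable inside the zone, with `Defaults timestampdir=/var/run/sudo` in sudoers.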
# 3  
Old 04-11-2013
DustinT,
Is your zone a full root or sparse root? I mostly build full root zones. To get sudo to work there is an extra step that needs to be done. For some reason the linked files that sudo needs become broken when you build a zone. Do the below command in the zone.
Code:
# ldd /usr/local/bin/sudo

If there are any broken links then you have to fix them. Also make sure you add your user to the sysadmin group. Below I have a link to a blog post with a how-to on what I mentioned above.

My Notes: Creating Zones in Solaris 10

I hope this helps you.
# 4  
Old 04-12-2013
There doesn't seem to be any broken links.

Code:
-bash-3.2$ sudo ldd /usr/local/bin/sudo
Password:
sudo: unable to open /usr/local/var/lib/sudo/trapanid/3: Read-only file system
        libintl.so.8 =>  /usr/local/lib/libintl.so.8
        libiconv.so.2 =>         /usr/local/lib/libiconv.so.2
        libsec.so.1 =>   /usr/lib/libsec.so.1
        libc.so.1 =>     /usr/lib/libc.so.1
        libsocket.so.1 =>        /usr/lib/libsocket.so.1
        libgcc_s.so.1 =>         /usr/local/lib/libgcc_s.so.1
        libnsl.so.1 =>   /usr/lib/libnsl.so.1
        libavl.so.1 =>   /lib/libavl.so.1
        libmp.so.2 =>    /lib/libmp.so.2
        libmd.so.1 =>    /lib/libmd.so.1
        libscf.so.1 =>   /lib/libscf.so.1
        libdoor.so.1 =>  /lib/libdoor.so.1
        libuutil.so.1 =>         /lib/libuutil.so.1
        libgen.so.1 =>   /lib/libgen.so.1
        libm.so.2 =>     /lib/libm.so.2
        /lib/libm/libm_hwcap1.so.2
        /platform/SUNW,SPARC-Enterprise/lib/libc_psr.so.1

Quote:
Originally Posted by bitlord
---------- Post updated at 11:15 AM ---------- Previous update was at 11:14 AM ----------

Quote:
Originally Posted by hergp
I'm not sure I understand the context of how this all fits together. What would be the ramifications of making this change?

---------- Post updated at 11:38 AM ---------- Previous update was at 11:15 AM ----------

Ok, I took another stab at the documentation and figured out what you meant. I think this is the right approach but when I tried it I had some problems.
Code:
-bash-3.2$ sudo zonecfg -z myzone
Password:
zonecfg:myzone> add fs
zonecfg:myzone:fs> set dir=/usr/local/var
zonecfg:myzone:fs> set special=/zones/myzone/usr/local/var
zonecfg:myzone:fs> set type=lofs
zonecfg:myzone:fs> end
zonecfg:myzone> verify
zonecfg:myzone> commit
zonecfg:myzone> exit
-bash-3.2$ zoneadm -z myzone boot
zoneadm: zone 'myzone': only a privileged user may boot a zone.
-bash-3.2$ sudo zoneadm -z myzone boot
could not verify fs /usr/local/var: could not access /zones/myzone/usr/local/var: No such file or directory
zoneadm: zone myzone failed to verify
-bash-3.2$

# 5  
Old 04-12-2013
DustinT,
Sorry that my fix didn't work. Every time I make a zone I have to do that step. What hergp is trying to have you do is a loopback mount, which is done in sparse zones a lot. I don't use these.

What I would like you to do now is compare your sudo settings on your global zone, which works, to the zone which doesn't work.

Code:
ls -l /usr/local/sbin/visudo
---x--x--x  1 root  root   249604 Nov 18  01:09 visudo
ls -l /usr/local/bin/sudo
---s--x--x   1 root  root   249604 Nov 18  01:09 /usr/local/bin/sudo
id
uid=2708(bitlord) gid=2001(users) groups=14(sysadmin)

are you in the sysadmin group?

This is what my sudo file looks like.
Code:
visudo
%sysadmin ALL=(ALL) NOPASSWD: ALL

Do the files look the same?
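The comparison bitlord asks for, scripted as an added example (not code from the thread) that can be run first in the global zone and then inside the zone. It puts the timestamp-directory check first because sudo stores its authentication timestamp under that directory, so a directory it cannot write explains both the "unable to open" warning and the password prompt on every invocation. Paths and the sysadmin group name are the thread's; `in_group` assumes an id(1) that accepts `-G -n`, which on Solaris 10 is /usr/xpg4/bin/id rather than /usr/bin/id.

```shell
#!/bin/sh
# Added example, not code from the thread: sanity checks for a /usr/local
# sudo inside a zone, to compare against the global zone where it works.

# first_existing_ancestor PATH: nearest existing directory on the way up
# from PATH. For /usr/local/var/lib/sudo in a sparse zone this lands on
# something under the read-only /usr.
first_existing_ancestor() {
    p=$1
    while [ ! -d "$p" ] && [ "$p" != / ]; do
        p=$(dirname "$p")
    done
    printf '%s\n' "$p"
}

# ts_dir_writable TIMESTAMPDIR: succeed if sudo could create and write its
# timestamp directory. test -w uses access(2), which fails with EROFS on a
# read-only file system even for root, so this reproduces the thread's
# "Read-only file system" error without running sudo.
ts_dir_writable() {
    [ -w "$(first_existing_ancestor "$1")" ]
}

# is_setuid FILE: sudo must carry the setuid bit (---s--x--x in the thread).
is_setuid() { [ -u "$1" ]; }

# owner_uid FILE: numeric owner; ls -n is POSIX, so no passwd lookup needed.
owner_uid() { ls -ldn "$1" | awk '{print $3}'; }

# in_group USER GROUP: assumed id(1) with -G -n (Solaris 10: /usr/xpg4/bin/id).
in_group() {
    for g in $(id -Gn "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# sudoers_group_rule_ok LINE: cheap shape check for a group rule such as
#   %sysadmin ALL=(ALL) NOPASSWD: ALL
# The host list and runas spec are joined by '='; a '-' there is a typo
# that visudo rejects.
sudoers_group_rule_ok() {
    printf '%s\n' "$1" | grep -Eq \
      '^%[A-Za-z0-9_.-]+[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL\)[[:space:]]+(NOPASSWD:[[:space:]]*)?ALL[[:space:]]*$'
}

# check_sudo SUDO_BIN TIMESTAMPDIR GROUP: run all checks, report, return 1 on any failure.
check_sudo() {
    rc=0
    is_setuid "$1" && [ "$(owner_uid "$1")" = 0 ] \
        && echo "ok:   $1 is setuid root" \
        || { echo "FAIL: $1 is not setuid root"; rc=1; }
    ts_dir_writable "$2" \
        && echo "ok:   $2 can be created and written" \
        || { echo "FAIL: $(first_existing_ancestor "$2") is not writable (read-only /usr?)"; rc=1; }
    in_group "$(id -un)" "$3" \
        && echo "ok:   $(id -un) is in group $3" \
        || { echo "FAIL: $(id -un) is not in group $3"; rc=1; }
    return $rc
}

# Usage inside the zone (same paths as the thread):
#   check_sudo /usr/local/bin/sudo /usr/local/var/lib/sudo sysadmin
```

Run it in both zones and diff the output: a FAIL on the timestamp directory in the non-global zone but not in the global zone is the read-only /usr problem; a FAIL on the setuid bit or group membership is the per-zone file or account difference bitlord is asking about.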