Template Version: @(#)sac_nextcase 1.66 04/17/08 SMI
This information is Copyright 2008 Sun Microsystems
1. Introduction
1.1. Project/Component Working Name:
sudo
1.2. Name of Document Author/Supplier:
Author: Joep Vesseur
1.3 Date of This Document:
10 June, 2008
4. Technical Description
Release binding: minor
Target Consolidation: SFW
1. Summary
sudo(1) is a popular, cross-platform administrative
utility that allows an organization to define
administrative tasks and assign them to specific users
or groups of users, while defining the context in which
those tasks will run. The purpose of sudo(1) is much
like the purpose of RBAC.
This case proposes to integrate the current stable
version of sudo(1) into Solaris (at the time of
writing, this is 1.6.9p16).
2. Details
While, from a Solaris perspective, there are a number
of features that sudo(1) lacks, this case proposes to
integrate it anyway. The main reason to provide sudo(1)
on Solaris is to enable administrators to adopt Solaris
more easily and bring it under the control of the
heterogeneous environment they already maintain using
sudo(1) on other platforms.
For this case, we propose to integrate the current
version of sudo as is. We acknowledge that
Solaris-specific additions to sudo(1) would make it a
better Solaris citizen, but we defer those additions to
future projects, based on the willingness of the
community to invest in Solaris-specific features.
2.1. Auditing
sudo(1) currently does not use any of the Solaris
Auditing functionality. For this case, we do not
propose to add this functionality, based on our belief
that the current demand for sudo(1) comes from users
without any auditing infrastructure (in the Solaris
Auditing sense).
sudo(1) will be explicitly left out of the CC
evaluation target.
We will engage with the community to see if they are
willing to develop/accept Solaris-specific auditing
changes in the future, but we believe the current
project is complete without these additions. We
therefore defer any auditing enhancements to a possible
future project.
2.2. Extending sudoers with privilege specifications
Another Solaris-specific extension to sudo(1) would be
to allow it to use privilege specifications inside its
sudoers file. This would allow one to specify the
additional privileges an administrative task needs,
instead of assigning it the full root privilege set,
much like exec_attr(4) allows.
Again, we will engage with the community to see if they
are willing to accept this kind of Solaris-specific
change upstream, but for now we believe this case is
complete without this additional Solaris-ism.
2.3. Merging sudo/RBAC
In the long run, based on a "runs best on Solaris"
principle, we would like to merge the benefits of
sudo(1) and RBAC, allowing sudo(1) users to benefit
from the RBAC framework and RBAC users to benefit from
sudo-specific features. That is not this case, however.
3. Compilation options
sudo(1) will be configured with the following options:
    --with-CC=cc --prefix=/usr --with-ldap --with-project
    --with-privileges --with-pam
These options allow administrators to make use of
Solaris-specific project features (part of standard
sudo) and to store the sudoers(4) configuration in an
LDAP directory if they wish to do so. Since the LDAP
schema to use differs from one LDAP server to another,
we intend to deliver example schema files for
OpenLDAP-based servers and SunONE-based servers in
/usr/share/doc, together with a conversion utility that
creates LDIF files. These extra files are part of the
normal sudo package, but are normally only available in
the source distribution.
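As an added illustration of the sudoers-to-LDIF conversion step described above (this is not the project's own sudoers2ldif utility), the following Python turns plain sudoers user specifications into sudoRole entries using the sudo 1.6.x LDAP schema attribute names (sudoUser, sudoHost, sudoRunAs, sudoCommand, sudoOption). The sample sudoers lines and the base DN ou=SUDOers,dc=example,dc=com are constructed assumptions; aliases, Defaults and #include lines are deliberately rejected rather than silently dropped.

```python
import re
# Constructed sudoers fragment (not from the page): plain user specs only;
# aliases, Defaults and #include lines are out of scope here.
SAMPLE_SUDOERS = """\
# admins may run anything as root
alice   ALL = (root) ALL
%wheel  ALL = (ALL) NOPASSWD: /usr/sbin/svcadm, /usr/sbin/zoneadm
bob     host1 = NOEXEC: /usr/bin/id
"""
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
# sudoers command tags and the sudoOption value each one maps to
TAG_OPTIONS = {"NOPASSWD:": "!authenticate", "PASSWD:": "authenticate",
               "NOEXEC:": "noexec", "EXEC:": "!noexec"}

def parse_sudoers(text):
    """Return one dict per user specification; reject lines it cannot map."""
    roles = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError("unsupported sudoers line: " + line)
        user, host, runas, cmds = m.groups()
        options, words = [], cmds.split()
        while words and words[0] in TAG_OPTIONS:   # leading tags -> sudoOption
            options.append(TAG_OPTIONS[words.pop(0)])
        commands = [c.strip() for c in " ".join(words).split(",") if c.strip()]
        roles.append({"user": user, "host": host, "runas": runas,
                      "commands": commands, "options": options})
    return roles

def to_ldif(roles, base_dn):
    """Emit one sudoRole entry per role (sudoRunAs is the 1.6.x attribute)."""
    entries, seen = [], {}
    for r in roles:
        cn = r["user"].lstrip("%")                 # "%wheel" -> cn=wheel
        seen[cn] = seen.get(cn, 0) + 1
        if seen[cn] > 1:                           # keep every DN unique
            cn = "%s_%d" % (cn, seen[cn])
        lines = ["dn: cn=%s,%s" % (cn, base_dn), "objectClass: top",
                 "objectClass: sudoRole", "cn: " + cn,
                 "sudoUser: " + r["user"], "sudoHost: " + r["host"]]
        if r["runas"]:                 # omitted -> server-side runas_default
            lines.append("sudoRunAs: " + r["runas"])
        lines += ["sudoCommand: " + c for c in r["commands"]]
        lines += ["sudoOption: " + o for o in r["options"]]
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"
```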
4. Interface table
This case delivers the following files:
+--------------------------------------------------+-----------------+
| Exported Interfaces                              | Classification  |
+--------------------------------------------------+-----------------+
| SUNWsudo                                         | Committed       |
| /etc/sudoers                                     | Uncommitted     |
| /usr/bin/sudo                                    | Uncommitted     |
| /usr/bin/sudoedit                                | Uncommitted     |
| /usr/lib/sudo_noexec.so                          | Project Private |
| /usr/lib/sparcv9/sudo_noexec.so                  | Project Private |
| /usr/lib/amd64/sudo_noexec.so                    | Project Private |
| /usr/sbin/visudo                                 | Uncommitted     |
| /usr/share/doc/sudo-<version>/                   | Uncommitted     |
| /usr/share/doc/sudo-<version>/BUGS               | Uncommitted     |
| /usr/share/doc/sudo-<version>/CHANGES            | Uncommitted     |
| /usr/share/doc/sudo-<version>/HISTORY            | Uncommitted     |
| /usr/share/doc/sudo-<version>/LICENSE            | Uncommitted     |
| /usr/share/doc/sudo-<version>/README             | Uncommitted     |
| /usr/share/doc/sudo-<version>/README.LDAP        | Uncommitted     |
| /usr/share/doc/sudo-<version>/TROUBLESHOOTING    | Uncommitted     |
| /usr/share/doc/sudo-<version>/UPGRADE            | Uncommitted     |
| /usr/share/doc/sudo-<version>/sample.sudoers     | Uncommitted     |
| /usr/share/doc/sudo-<version>/sample.syslog.conf | Uncommitted     |
| /usr/share/lib/ldif/sudo-schema.OpenLDAP         | Uncommitted     |
| /usr/share/lib/ldif/sudo-schema.iPlanet          | Uncommitted     |
| /usr/share/lib/ldif/sudoers2ldif                 | Uncommitted     |
| /usr/share/man/man1m/sudo.1m                     | Uncommitted     |
| /usr/share/man/man1m/sudoedit.1m                 | Uncommitted     |
| /usr/share/man/man1m/visudo.1m                   | Uncommitted     |
| /usr/share/man/man4/sudoers.4                    | Uncommitted     |
+--------------------------------------------------+-----------------+
6. Resources and Schedule
6.4. Steering Committee requested information
6.4.1. Consolidation C-team Name:
SFW
6.5. ARC review type: FastTrack
6.6. ARC Exposure: open