Sudo problems for Solaris get workarounds

Sudo is a bedrock, foundation-level command set for Solaris users. The module is inside all Unix instances. Oracle’s support website contains two recent reports of the trouble that third-party Pluggable Authentication Module (PAM) framework users are experiencing. Logging problems are at hand, too.

Sudo is an everyday tool for Unix administrators. Oracle appears to be responding quickly with workarounds for these issues.

A report from July 1 says that an Oracle workaround is now available for a sudo hang. “A third party PAM module for sudo (RSA pam_securid) appears hung when it runs on a system with sudo 1.8.30 or later (i.e. Solaris 11.4.20.4.0 or later).”

The problem has an IDR workaround available through regular support channels. Without the workaround, the console session appears to hang when issuing sudo.

Solaris 10 doesn’t suffer from this issue, or another that concerns sudo. A mid-June report details a problem with sudo filling up the filesystem.

Oracle reports on a condition when a mediator is set to openssh and IO logging is enabled. “The timing log file may grow at a rapid pace (tens of MB in minutes), potentially filling up the filesystem. Leftover sudo processes consume a significant portion of CPU time.”

SPARC-based Solaris releases 11.3.36.18.0 through 11.4.23.69.0 can experience the filesystem overload.

Oracle notes that the issue only occurs when sudo is configured to log IO (log_input or log_output is specified in /etc/sudoers) and the ssh mediator is set to openssh.

Oracle advises administrators to use the following command to determine if a system is vulnerable:

# ggrep '^Defaults.*log_\(output\|input\)' /etc/sudoers && echo

Solaris administrators can avoid the filesystem-filling bug if they disable IO logging in /etc/sudoers.
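The check above, as an added example that is not Oracle's code and goes beyond the one-line grep: it ignores negated flags such as `!log_output`, skips commented-out lines, and also reports the per-command `LOG_INPUT:`/`LOG_OUTPUT:` tags from the sudoers manual. The function names, the sample file and reading the mediator with `pkg mediator ssh` are assumptions.

```shell
#!/bin/sh
# Added example, not Oracle's check. Prints "file:lineno:text" for every
# sudoers line that turns sudo I/O logging on.
sudo_iolog_lines() {
    awk '
        /^[ \t]*#([^0-9]|$)/ { next }   # comment or #include, not a "#uid" rule
        /^[ \t]*Defaults/ {
            # Defaults[:user|@host|...] flag[, flag...]; "!flag" turns a flag off
            n = split($0, tok, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (tok[i] == "log_input" || tok[i] == "log_output") {
                    print FILENAME ":" FNR ":" $0; next
                }
            next
        }
        # Per-command tags; NOLOG_INPUT: and NOLOG_OUTPUT: must not match
        /(^|[^A-Z_])LOG_(INPUT|OUTPUT)[ \t]*:/ { print FILENAME ":" FNR ":" $0 }
    ' "$@"
}

# Both conditions from the article: ssh mediator is openssh AND I/O logging on.
# $1 = ssh mediator implementation (assumption: read it on Solaris 11 with
#      `pkg mediator ssh`); remaining arguments = sudoers files to inspect,
#      e.g. /etc/sudoers /etc/sudoers.d/*
sudo_iolog_exposed() {
    impl=$1; shift
    [ "$impl" = "openssh" ] || return 1
    [ "$#" -gt 0 ] || return 1
    [ -n "$(sudo_iolog_lines "$@")" ]
}

# Constructed sample sudoers, not taken from a real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Defaults env_reset
Defaults !log_output
Defaults:alice log_input
# Defaults log_output
bob ALL = (root) NOLOG_OUTPUT: /usr/bin/ls
carol ALL = (root) LOG_OUTPUT: /usr/bin/bash
EOF
sudo_iolog_lines "$sample"      # reports lines 3 and 6 only
sudo_iolog_exposed openssh "$sample" && echo "exposed: I/O logging is on"
rm -f "$sample"
```

Line continuations (a trailing backslash) are not joined, so a flag placed on a continuation line is not reported.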
