[sudo-workers] sudoers.so in an AIX archive rather than as a file
Michael Felt
michael at felt.demon.nl
Mon Apr 24 06:07:12 MDT 2017
On 3/22/2017 6:16 PM, Todd C. Miller wrote:
My apologies for being so slow to reply. Been busy.
> Sudo does not support the "archive.a(member.so)" syntax.
>
> Currently, sudo creates SVR4-style shared objects on AIX by using
> the -brtl loader flag. This makes it possible to install shared
> objects as .so files on all platforms, including AIX. Having the
> plugins use a common file name across platforms is a good thing
> since it makes it easier to distribute a single set of sudo
> configuration files in a heterogeneous environment. This is
> especially important for the group provider plugin, since the path
> for it is directly specified in sudoers.
>
> As far as I know, libtool (which sudo uses to create shared objects)
> does not have support for building both 32-bit and 64-bit object
> files.
You are correct that libtool does not build both in a single pass. My
"solution", rather resolution, is to build a project twice - and then
merge (using a script) all the archives in the two locations. So, for me
it is "enough" that sudo call dlopen.
As an example: I just packaged the latest curl:
root at x064:[/data/prj/aixtools/curl-7.54.0]ls -l X*/opt/lib
X32/opt/lib:
total 1656
-rwxr-xr-x 1 bin bin 837462 Apr 23 10:27 libcurl.a
-rwxr-xr-x 1 bin bin 910 Apr 23 10:27 libcurl.la
drwxr-xr-x 2 bin bin 4096 Apr 23 10:27 pkgconfig
Xany/opt/lib:
total 1792
-rwxr-xr-x 1 bin bin 905579 Apr 23 10:33 libcurl.a
-rwxr-xr-x 1 bin bin 910 Apr 23 10:33 libcurl.la
drwxr-xr-x 2 bin bin 4096 Apr 23 10:33 pkgconfig
root at x064:[/data/prj/aixtools/curl-7.54.0]ar -X32 tv X32/opt/lib/libcurl.a
rwxr-xr-x 0/1954 804924 Apr 23 10:27 2017 libcurl.so.4
root at x064:[/data/prj/aixtools/curl-7.54.0]ar -X64 tv X32/opt/lib/libcurl.a
# Xany is the directory I use to combine info from X64 (the extracted
64-bit build) and X32 (the 32-bit build)
root at x064:[/data/prj/aixtools/curl-7.54.0]ar -X32 tv Xany/opt/lib/libcurl.a
root at x064:[/data/prj/aixtools/curl-7.54.0]ar -X64 tv Xany/opt/lib/libcurl.a
rwxr-xr-x 0/1954 873126 Apr 23 10:33 2017 libcurl.so.4
root at x064:[/data/prj/aixtools/curl-7.54.0/Xany/opt/lib]ksh -x /opt/bin/archive_cp.ksh
+ rm -f libcurl.la
+ print
+ [[ -L libcurl.a ]]
+ ar -X32 t ../../../X32/opt/lib/libcurl.a
+ read member
+ ar -X32 x ../../../X32/opt/lib/libcurl.a libcurl.so.4
+ ar -X32 r libcurl.a libcurl.so.4
+ rm libcurl.so.4
+ read member
+ print archive: libcurl.a contents
archive: libcurl.a contents
+ ar -X32_64 tv libcurl.a
rwxr-xr-x 0/1954 873126 Apr 23 10:33 2017 libcurl.so.4
rwxr-xr-x 0/0 804924 Apr 24 11:53 2017 libcurl.so.4
+ print
+ print all archives are:
all archives are:
+ /usr/bin/date
+ print date: Mon Apr 24 11:53:05 UTC 2017
At this point there is/are libraries that contain both sizes and they
would need to be, in the case of curl here as: "object" ==
libsudo.a(libcurl.so.4), dlflags| RTLD_MEMBER
> In the case of sudo_noexec it is probably not too difficult
> to do so but will require changes to configure and the Makefiles.
> It will no longer be possible to use libtool to build the shared
> object.
>
> It probably makes the most sense to always explicitly build sudo
> as a 32-bit executable on AIX
I am doing this for now, with cost - sudo cannot be used to start 64-bit
applications (as there are still more 32-bit applications used than 64-bit).
> and then build a 64-bit version of
> sudo_noexec.c in addition to the 32-bit version if supported by the
> compiler.
This makes me think, read - realize - that sudo is not using dlopen but
is calling an executable.
So, if sudo can examine start one of two sudo_noexec programs (and fork
from that?) - then the need for "fat" libraries may not be needed.
I'll look into this.
> As far as I know, AIX doesn't support 32-bit and 64-bit
> object files in the same executable, please correct me if I'm wrong.
You are correct that 32-bit and 64-bit objects are not permitted in the
same executable.
>
> - todd
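
Added example (not part of the original message and not sudo's code): a loader that accepted the "archive.a(member.so)" syntax discussed above would have to recognise such a path before passing RTLD_MEMBER to dlopen on AIX. The names classify_spec and spec_kind are hypothetical, and the sample paths are constructed from the archive listing in the message.

```c
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

enum spec_kind { SPEC_BAD = -1, SPEC_PLAIN = 0, SPEC_MEMBER = 1 };

/*
 * Classify a shared-object path (hypothetical helper, not from sudo).
 *   "/opt/lib/sudoers.so"              -> SPEC_PLAIN
 *   "/opt/lib/libcurl.a(libcurl.so.4)" -> SPEC_MEMBER
 * Empty names, stray or nested parentheses, text after ')' and a '/'
 * inside the member name are rejected as SPEC_BAD.
 */
enum spec_kind classify_spec(const char *spec)
{
    const char *base = strrchr(spec, '/');
    const char *open, *close;

    base = base ? base + 1 : spec;      /* last path component */
    if (*base == '\0')
        return SPEC_BAD;                /* empty, or ends in '/' */
    open = strchr(base, '(');
    close = strchr(base, ')');
    if (open == NULL && close == NULL)
        return SPEC_PLAIN;
    if (open == NULL || close == NULL || open == base ||
        close <= open + 1 || close[1] != '\0' ||
        strchr(open + 1, '(') != NULL)
        return SPEC_BAD;
    return SPEC_MEMBER;
}

int main(void)
{
    /* Constructed sample paths, modelled on the listing in the message. */
    const char *samples[] = { "/opt/lib/libcurl.a(libcurl.so.4)",
                              "/opt/lib/sudoers.so", "/opt/lib/libcurl.a()" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        enum spec_kind k = classify_spec(samples[i]);
        printf("%-36s kind=%d\n", samples[i], (int)k);
#ifdef _AIX
        if (k != SPEC_BAD) {  /* RTLD_MEMBER: path names an archive member */
            void *h = dlopen(samples[i],
                             RTLD_NOW | (k == SPEC_MEMBER ? RTLD_MEMBER : 0));
            printf("  dlopen: %s\n", h ? "ok" : dlerror());
            if (h) dlclose(h);
        }
#endif
    }
    return 0;
}
```

The dlopen call is compiled only on AIX, since RTLD_MEMBER does not exist elsewhere; on other platforms the program prints only the classification.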