[sudo-workers] sudoers.so in an AIX archive rather than as a file

Michael Felt michael at felt.demon.nl
Mon Apr 24 06:07:12 MDT 2017 


On 3/22/2017 6:16 PM, Todd C. Miller wrote:
My apologies for being so slow to reply. been busy.
> Sudo does not support the "archive.a(member.so)" syntax.
>
> Currently, sudo creates SVR4-style shared objects on AIX by using
> the -brtl loader flag.  This makes it possible to install shared
> objects as .so files on all platforms, including AIX.  Having the
> plugins use a common file name across platforms is a good thing
> since it makes it easier to distribute a single set of sudo
> configuration files in a heterogenerous environment.  This is
> especially important for the group provider plugin, since the path
> for it is directly specified in sudoers.
>
> As far as I know, libtool (which sudo uses to create shared objects)
> does not have support for building both 32-bit and 64-bit object
> files.
You are correct that libtool does not build both in a single pass. My 
"solution", rather resolution, is to build a project twice - and then 
merge (using a script) all the archives in the two locations. So, for me 
it is "enough" that sudo call dlopen.

As an example: I just packaged the latest curl:

root at x064:[/data/prj/aixtools/curl-7.54.0]ls -l X*/opt/lib
X32/opt/lib:
total 1656
-rwxr-xr-x   1 bin      bin          837462 Apr 23 10:27 libcurl.a
-rwxr-xr-x   1 bin      bin             910 Apr 23 10:27 libcurl.la
drwxr-xr-x   2 bin      bin            4096 Apr 23 10:27 pkgconfig

Xany/opt/lib:
total 1792
-rwxr-xr-x   1 bin      bin          905579 Apr 23 10:33 libcurl.a
-rwxr-xr-x   1 bin      bin             910 Apr 23 10:33 libcurl.la
drwxr-xr-x   2 bin      bin            4096 Apr 23 10:33 pkgconfig

root at x064:[/data/prj/aixtools/curl-7.54.0]ar -X32 tv X32/opt/lib/libcurl.a
rwxr-xr-x     0/1954  804924 Apr 23 10:27 2017 libcurl.so.4

root at x064:[/data/prj/aixtools/curl-7.54.0]ar -X64 tv X32/opt/lib/libcurl.a
# Xany is the directory I use to combine info from X64 (the extracted 
64-bit build) and X32 (the 32-bit build)

root at x064:[/data/prj/aixtools/curl-7.54.0]ar -X32 tv Xany/opt/lib/libcurl.a
root at x064:[/data/prj/aixtools/curl-7.54.0]ar -X64 tv Xany/opt/lib/libcurl.a
rwxr-xr-x     0/1954  873126 Apr 23 10:33 2017 libcurl.so.4

root at x064:[/data/prj/aixtools/curl-7.54.0/Xany/opt/lib]ksh -x 
/opt/bin/archive_cp.ksh
+ rm -f libcurl.la
+ print

+ [[ -L libcurl.a ]]
+ ar -X32 t ../../../X32/opt/lib/libcurl.a
+ read member
+ ar -X32 x ../../../X32/opt/lib/libcurl.a libcurl.so.4
+ ar -X32 r libcurl.a libcurl.so.4
+ rm libcurl.so.4
+ read member
+ print archive: libcurl.a contents
archive: libcurl.a contents
+ ar -X32_64 tv libcurl.a
rwxr-xr-x     0/1954  873126 Apr 23 10:33 2017 libcurl.so.4
rwxr-xr-x     0/0     804924 Apr 24 11:53 2017 libcurl.so.4
+ print

+ print all archives are:
all archives are:
+ /usr/bin/date
+ print date: Mon Apr 24 11:53:05 UTC 2017

At this point there is/are libraries that contain both sizes and they 
would need to be, in the case of curl here as: "object" == 
libsudo.a(libcurl.so.4), dlflags| RTLD_MEMBER

> In the case of sudo_noexec it is probably not too difficult
> to do so but will require changes to configure and the Makefiles.
> It will no longer be possible to use libtool to build the shared
> object.
>
> It probably makes the most sense to always explicitly build sudo
> as a 32-bit executable on AIX
I am doing this for now, with cost - sudo cannot be used to start 64-bit 
applications (as there are still more 32-bit applications used than 64-bit).
> and then build a 64-bit version of
> sudo_noexec.c in addition to the 32-bit version if supported by the
> compiler.
This makes me think, read - realize - that sudo is not using dlopen but 
is calling an executable.

So, if sudo can examine start one of two sudo_noexec programs (and fork 
from that?) - then the need for "fat" libraries may not be needed.

I'll look into this.
> As far as I know, AIX doesn't support 32-bit and 64-bit
> object files in the same executable, please correct me if I'm wrong.
You are correct that 32-bit and 64-bit objects are not permitted in the 
same executable.
>
>   - todd
> ____________________________________________________________
> sudo-workers mailing list <sudo-workers at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> https://www.sudo.ws/mailman/listinfo/sudo-workers

More information about the sudo-workers mailing list