AIX Open Source

Share your experiences and connect with fellow developers to discover how to build and manage open source software for the AIX operating system

  • 1.  sudo run slow

    Posted Wed November 03, 2021 04:59 AM
    Edited by Abderahim ABBAS Wed November 03, 2021 05:10 AM
    Hello AIX Opensource community

    The sudo -i (or sudo su -) command runs slowly on our AIX (~ 20 sec).
    Do you have any idea about this? The truss command shows a lot of /etc/passwd checks, ... Is there any other debug mode for the sudo command?

    I checked the skulker command and found it disabled in crontab.
    Is there any relation with the sudo slowness? Is there any relation with a lot of files in /tmp?

    Local resolution of the hostname is good, and /etc/netsvc.conf is good:
    # cat /etc/netsvc.conf
    hosts=local4,bind4

    # oslevel -s
    7200-04-02-2016

    # sudo -V
    Sudo version 1.8.19p2
    Configure options: --prefix=/opt/freeware --bindir=/usr/bin --sbindir=/usr/sbin --libexecdir=/opt/freeware/libexec --mandir=/opt/freeware/man --sharedstatedir=/opt/freeware/share --sysconfdir=/etc --with-noexec=/opt/freeware/libexec/sudo_noexec.so
    Sudoers policy plugin version 1.8.19p2
    Sudoers file grammar version 45

    Sudoers path: /etc/sudoers
    Authentication methods: 'aixauth' 'pam'
    Syslog facility if syslog is being used for logging: auth
    Syslog priority to use when user authenticates successfully: notice
    Syslog priority to use when user authenticates unsuccessfully: alert
    Send mail if the user is not in sudoers
    Use a separate timestamp for each user/tty combo
    Lecture user the first time they run sudo
    Root may run sudo
    Log the hostname in the (non-syslog) log file
    Log the year in the (non-syslog) log file
    Allow some information gathering to give useful error messages
    Set the LOGNAME and USER environment variables
    Length at which to wrap log file lines (0 for no wrap): 80
    Authentication timestamp timeout: 5.0 minutes
    Password prompt timeout: 5.0 minutes
    Number of tries to enter a password: 3
    Umask to use or 0777 to use user's: 022
    Path to log file: /var/adm/sudo.log
    Path to mail program: /usr/sbin/sendmail
    Flags for mail program: -t
    Address to send mail to: root
    Subject line for mail messages: *** SECURITY information for %h ***
    Incorrect password message: Sorry, try again.
    Path to lecture status dir: /var/lib/sudo/lectured
    Path to authentication timestamp dir: /var/run/sudo/ts
    Default password prompt: Password:
    Default user to run commands as: root
    Path to the editor for use by visudo: /usr/bin/vi
    When to require a password for 'list' pseudocommand: any
    When to require a password for 'verify' pseudocommand: all
    File descriptors >= 3 will be closed before executing a command
    Reset the environment to a default set of variables
    Environment variables to check for sanity:
    TZ
    TERM
    LINGUAS
    LC_*
    LANGUAGE
    LANG
    COLORTERM
    Environment variables to remove:
    __BASH_FUNC<*
    BASH_FUNC_*
    RUBYOPT
    RUBYLIB
    PYTHONUSERBASE
    PYTHONINSPECT
    PYTHONPATH
    PYTHONHOME
    TMPPREFIX
    ZDOTDIR
    READNULLCMD
    NULLCMD
    FPATH
    PERL5DB
    PERL5OPT
    PERL5LIB
    PERLLIB
    PERLIO_DEBUG
    JAVA_TOOL_OPTIONS
    SHELLOPTS
    BASHOPTS
    GLOBIGNORE
    PS4
    BASH_ENV
    ENV
    TERMCAP
    TERMPATH
    TERMINFO_DIRS
    TERMINFO
    AUTHSTATE
    LIBPATH
    LDR_*
    _RLD*
    LD_*
    PATH_LOCALE
    NLSPATH
    HOSTALIASES
    RES_OPTIONS
    LOCALDOMAIN
    CDPATH
    IFS
    Environment variables to preserve:
    XAUTHORIZATION
    XAUTHORITY
    PS2
    PS1
    PATH
    LS_COLORS
    KRB5CCNAME
    HOSTNAME
    DISPLAY
    COLORS
    Locale to use while parsing sudoers: C
    Compress I/O logs using zlib
    Directory in which to store input/output logs: /var/log/sudo-io
    File in which to store the input/output log: %{seq}
    Add an entry to the utmp/utmpx file when allocating a pty
    PAM service name to use
    PAM service name to use for login shells
    Attempt to establish PAM credentials for the target user
    Create a new PAM session for the command to run in
    Maximum I/O log sequence number: 0
    Enable sudoers netgroup support
    Check parent directories for writability when editing files with sudoedit
    Allow commands to be run even if sudo cannot write to the audit log
    Allow commands to be run even if sudo cannot write to the log file
    Log entries larger than this value will be split into multiple syslog messages
    File mode to use for the I/O log files: 0600

    Local IP address and netmask pairs:
    192.85.76.132/255.255.255.128
    192.85.76.4/255.255.255.192

    Sudoers I/O plugin version 1.8.19p2



    Thanks for your help

    ------------------------------
    Abderahim ABBAS
    ------------------------------


  • 2.  RE: sudo run slow

    Posted Wed November 03, 2021 10:07 AM
    Hi Abderahim,

    I see that you are using an older version of sudo, and this version also doesn't seem to be from the AIX Toolbox.

    One way to get debug output from sudo is to create an /etc/sudo.conf file with entries like the ones below.

    Debug sudo /var/log/sudo_debug.log all@debug
    Debug sudoers.so /var/log/sudo_debug.log all@debug

    Please check if this can give some hints on the possible problem.

    ------------------------------
    SANGAMESH
    ------------------------------
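
Once the debug log suggested in the reply above exists, the stall can be located by looking for large time gaps between consecutive log lines. The following is an added example, not part of the original thread or of sudo itself; the function names `sudo_debug_gaps` and `sample_log` are hypothetical, the sample log lines are constructed, and it assumes each debug line starts with a syslog-style `Mon DD HH:MM:SS` timestamp.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: every sudo debug line
# starts with "Mon DD HH:MM:SS program[pid] message" (1-second resolution).

# sudo_debug_gaps [FILE|-] [MIN_SECONDS]
# For each pair of consecutive lines at least MIN_SECONDS apart (default 2),
# print: "<gap>s  <last line before the stall>  =>  <first line after it>".
sudo_debug_gaps() {
    awk -v min="${2:-2}" '
    {
        # Field 3 is HH:MM:SS; skip lines that do not carry a timestamp.
        if (split($3, t, ":") != 3) next
        now = t[1] * 3600 + t[2] * 60 + t[3]   # seconds since midnight
        if (seen) {
            gap = now - prev
            if (gap < 0) gap += 86400          # the log crossed midnight
            if (gap >= min)
                printf "%ds  %s  =>  %s\n", gap, prevline, $0
        }
        prev = now; prevline = $0; seen = 1
    }' "${1:--}"
}

# Constructed sample input: four debug lines with a 20-second stall.
sample_log() {
    cat <<'EOF'
Nov  3 04:59:01 sudo[4242] constructed: policy plugin opened
Nov  3 04:59:01 sudo[4242] constructed: looking up invoking user
Nov  3 04:59:21 sudo[4242] constructed: user lookup finished
Nov  3 04:59:22 sudo[4242] constructed: running command
EOF
}

# Demo on the constructed sample; reports the single 20-second gap.
sample_log | sudo_debug_gaps - 5
```

On a real system, reproduce the slow `sudo -i` and then run `sudo_debug_gaps /var/log/sudo_debug.log 5`; the line printed before `=>` is the last thing sudo logged before it stalled.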