Solaris Zones and visudo problems: visudo: /usr/local/etc/sudoers: Read-only file system

A few weeks ago I ran into some problems working on a Solaris system. I knew there were zones on it, but the error that Solaris kicked to me really wasn't particularly helpful, since I certainly knew that the filesystem was writable. Anyhow, for our current setup, sudoers modifications must be made from the global zone. I'm fairly sure I could institute a local sudoers, but since I'm new in my position, I didn't really want to go causing waves.

ERROR:

# /usr/local/sbin/visudo
visudo: /usr/local/etc/sudoers: Read-only file system
# hostname
appserver.sierraleone.appserver-devapp1

SITUATION:

I'm in a Solaris zone (the hostname above shows the sierraleone zone). Modifications must be made in the global zone. Listing the zones from the global zone:

# /usr/sbin/zoneadm list
global
apache
macau
ireland
rhodesia
uruguay
sierraleone
kenya
testing
westernsahara
algeria
canada
newguinea
oman
haiti
vietnam
antarctica
liberia
# /bin/grep benicio /etc/passwd
# /bin/hostname
appserver-devapp1

visudo works just fine in the global zone. I just had to log out of the individual container.
There are security ramifications to how I did this. I happened to be adding a developer to a box where he already had access to many of the systems.
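The checks described above, as an added example that is not part of the original post: a pre-flight script for editing sudoers on a host with zones. It assumes, as on Solaris 10, that `zonename` prints the current zone's name and that `/etc/mnttab` lists mounts as "special mountpoint fstype options time"; it also assumes (the post does not say) that the zone inherits /usr read-only from the global zone via a lofs mount, which is the usual reason a path under /usr/local is read-only inside a sparse-root zone. The Solaris command output is passed in as text rather than run, so the checks can be exercised offline with the constructed sample data at the bottom.

```shell
#!/bin/sh
# Added example, not the post author's code. Pre-flight checks before running
# visudo on a Solaris host with zones. Real commands (zonename, /etc/mnttab,
# /etc/passwd) are not executed here; their output is passed in as strings so
# the logic can be tested offline. Run on a real host as, for example:
#   visudo_preflight "$(zonename)" "$(cat /etc/mnttab)" /usr/local/etc/sudoers

# Return 0 if the zonename output names the global zone.
is_global_zone() {
    [ "$1" = "global" ]
}

# Return 0 if the filesystem holding path $2 is mounted read-only according
# to the mnttab text in $1 (format: special mountpoint fstype options time).
# The longest mountpoint that is a prefix of the path wins.
mount_is_readonly() {
    mnttab=$1
    path=$2
    printf '%s\n' "$mnttab" | awk -v p="$path" '
        {
            mp = $2
            if (p == mp || index(p, (mp == "/" ? "/" : mp "/")) == 1) {
                if (length(mp) > best_len) { best_len = length(mp); best_opts = $4 }
            }
        }
        END {
            n = split(best_opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "ro") exit 0
            exit 1
        }'
}

# Return 0 if user $2 has an entry in the passwd text $1. Each zone keeps its
# own /etc/passwd, so a user granted sudo in a shared sudoers file may exist
# in some zones and not in others; check the zone you are granting access to.
user_in_passwd() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u { found = 1 } END { exit found ? 0 : 1 }'
}

# Combine the checks. Prints a diagnosis and returns 0 only when the sudoers
# file is editable from the current zone.
visudo_preflight() {
    zone=$1; mnttab=$2; sudoers=$3
    if ! is_global_zone "$zone"; then
        echo "in non-global zone '$zone': edit $sudoers from the global zone"
        return 1
    fi
    if mount_is_readonly "$mnttab" "$sudoers"; then
        echo "$sudoers is on a read-only mount even in zone '$zone'"
        return 1
    fi
    echo "ok: $sudoers is editable in zone '$zone'"
    return 0
}

# Constructed sample data (not captured from a real host): a sparse-root zone
# that inherits /usr and /lib read-only via lofs, and the global zone where
# /usr is an ordinary read-write ufs filesystem.
ZONE_MNTTAB='/dev/dsk/c0t0d0s0 / ufs rw,intr,largefiles,logging,xattr,onerror=panic,dev=800000 1211123456
/usr /usr lofs ro,nodevices,nosub,dev=800000 1211123457
/lib /lib lofs ro,nodevices,nosub,dev=800000 1211123457
proc /proc proc dev=4f00000 1211123458'
GLOBAL_MNTTAB='/dev/dsk/c0t0d0s0 / ufs rw,intr,largefiles,logging,xattr,onerror=panic,dev=800000 1211123400
/dev/dsk/c0t0d0s6 /usr ufs rw,intr,largefiles,logging,xattr,onerror=panic,dev=800006 1211123401'
ZONE_PASSWD='root:x:0:0:Super-User:/:/sbin/sh
benicio:x:1001:10::/export/home/benicio:/bin/bash'

# Demonstration: the zone case fails the check, the global zone passes it.
visudo_preflight sierraleone "$ZONE_MNTTAB" /usr/local/etc/sudoers || :
visudo_preflight global "$GLOBAL_MNTTAB" /usr/local/etc/sudoers
```

The mount check matters beyond the zone-name check: a path under an inherited /usr is read-only in the zone, while a path such as /etc/sudoers on the zone's own root filesystem is not, which is what makes a per-zone sudoers possible. The passwd check is the defender's counterpart to the "security ramifications" above: if the sudoers file lives on a filesystem shared into every zone, an entry added from the global zone is honoured in each zone where that username exists.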

I think there could be two ways to handle this. I could set up individualized local sudoers in each container, but that does get a bit cumbersome. The only other thing I can think of is to come up with some sort of username/usergroup security hierarchy so that the end users would use different users in different zones. That is equally cumbersome and, worse, it puts pressure on the end users to modify their behaviour due to a design problem.

I’ll do some research and try to see if Sun has an idea on how best to manage this or if a smarter admin has already posted a tutorial about this.
