Changeset a5b9f1e

Timestamp:

11/24/2018 08:21:05 PM (6 years ago)

Author:

DJ Lucas <dj@…>

Branches:

10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 8.4, 9.0, 9.1, bdubbs/svn, elogind, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, lazarus, lxqt, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal

Children:

2a9e001

Parents:

9939292

Message:

Use wheel group for sample configuration of sudo.
Added pam_wheel.so configuration to /etc/pam.d/su.
update-usbids.service and upadate-pciids.service depend on network-online.target. Fixes #11249.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@20738 af4574ff-66df-0310-9fd7-8a98e5e911e0

Files:

• general.ent (modified) (2 diffs)
• general/sysutils/pciutils.xml (modified) (1 diff)
• general/sysutils/usbutils.xml (modified) (1 diff)
• introduction/welcome/changelog.xml (modified) (1 diff)
• postlfs/security/make-ca.xml (modified) (1 diff)
• postlfs/security/shadow.xml (modified) (6 diffs)
• postlfs/security/sudo.xml (modified) (1 diff)

general.ent

@@ -1 +1 @@
 <!-- $LastChangedBy$ $Date$ -->
 
-<!ENTITY day          "22">                   <!-- Always 2 digits -->
+<!ENTITY day          "24">                   <!-- Always 2 digits -->
 <!ENTITY month        "11">                   <!-- Always 2 digits -->
 <!ENTITY year         "2018">
@@ -7 +7 @@
 <!ENTITY copyholder   "The BLFS Development Team">
 <!ENTITY version      "&year;-&month;-&day;">
-<!ENTITY releasedate  "November 22nd, &year;">
+<!ENTITY releasedate  "November 24th, &year;">
 <!ENTITY pubdate      "&year;-&month;-&day;"> <!-- metadata req. by TLDP -->
 <!ENTITY blfs-version "svn">                  <!-- svn|[release #] -->

general/sysutils/pciutils.xml

@@ -155 +155 @@
 Documentation=man:update-pciids(8)
 DefaultDependencies=no
-After=local-fs.target
+After=local-fs.target network-online.target
 Before=shutdown.target
 

general/sysutils/usbutils.xml

@@ -170 +170 @@
 Documentation=man:lusub(8)
 DefaultDependencies=no
-After=local-fs.target
+After=local-fs.target network-online.target
 Before=shutdown.target
 

introduction/welcome/changelog.xml

@@ -44 +44 @@
 
     <listitem>
+      <para>November 24th, 2018</para>
+      <itemizedlist>
+        <listitem>
+          <para>[dj] - Use wheel group for sample configuration of sudo.</para>
+        </listitem>
+        <listitem>
+          <para>[dj] - Added pam_wheel.so configuration to
+          <filename>/etc/pam.d/su</filename>.</para>
+        </listitem>
+        <listitem revision="systemd">
+          <para>[dj] - update-usbids.service and upadate-pciids.service
+          depend on network-online.target. Fixes
+          <ulink url="&blfs-ticket-root;11249">#11249</ulink>.</para>
+        </listitem>
+      </itemizedlist>
+    </listitem>
+
+    <listitem>
       <para>November 22nd, 2018</para>
       <itemizedlist>

postlfs/security/make-ca.xml

@@ -116 +116 @@
     trust both for all three roles, the following commands will create
     appropriate OpenSSL trusted certificates (run as the <systemitem
-    class="username">root</systemitem> user):</para>
+    class="username">root</systemitem> user after
+    <xref linkend="wget"/> is installed):</para>
 
 <screen role="nodump"><userinput>install -vdm755 /etc/ssl/local &amp;&amp;

postlfs/security/shadow.xml

@@ -359 +359 @@
 #auth      optional    pam_group.so
 
-# include the default auth settings
+# include system auth settings
 auth      include     system-auth
 
@@ -365 +365 @@
 account   required    pam_access.so
 
-# include the default account settings
+# include system account settings
 account   include     system-account
 
@@ -383 +383 @@
 #session   optional    pam_mail.so      standard quiet
 
-# include the default session and password settings
+# include system session and password settings
 session   include     system-session
 password  include     system-password
@@ -411 +411 @@
 # always allow root
 auth      sufficient  pam_rootok.so
+
+# Allow users in the wheel group to execute su without a password
+# disabled by default
+#auth      sufficient  pam_wheel.so trust use_uid
+
+# include system auth settings
 auth      include     system-auth
 
-# include the default account settings
+# limit su to users in the wheel group
+auth      required    pam_wheel.so use_uid
+
+# include system account settings
 account   include     system-account
 
@@ -419 +428 @@
 session   required    pam_env.so
 
-# include system session defaults
+# include system session settings
 session   include     system-session
 
@@ -435 +444 @@
 auth      sufficient  pam_rootok.so
 
-# include system defaults for auth account and session
+# include system auth, account, and session settings
 auth      include     system-auth
 account   include     system-account

postlfs/security/sudo.xml

@@ -223 +223 @@
 ADMIN       ALL = NOPASSWD: ALL</screen>
 
+      <para>
+        Another common configuration is to allow members of the wheel group to
+        execute all commands after providing their own credientials. Use the
+        following command to edit default <filename>/etc/sudoers</filename>
+        file as the <systemitem class="username">root</systemitem> user:
+      </para>
+
+<screen role="nodump"><userinput>sed '/wheel.*) ALL/s/^# //' -i.bak /etc/sudoers</userinput></screen>
+      
       <para>
         For details, see <command>man sudoers</command>.