Context Navigation

source: postlfs/security/sudo.xml@ 36a32ef

Visit:

11.0 11.1 11.2 11.3 12.0 12.1 kea ken/TL2024 ken/inkscape-core-mods ken/tuningfonts lazarus lxqt plabs/newcss plabs/python-mods python3.11 qt5new rahul/power-profiles-daemon renodr/vulkan-addition trunk upgradedb xry111/intltool xry111/llvm18 xry111/soup3 xry111/test-20220226 xry111/xf86-video-removal

Last change on this file since 36a32ef was 36a32ef, checked in by Bruce Dubbs <bdubbs@…>, 3 years ago
Package updates. Update to sudo-1.9.7p1. Update to libreoffice-7.1.4.2.
Property mode set to `100644`
File size: 12.4 KB

Rev	Line
[cf341b4]	1	<?xml version="1.0" encoding="ISO-8859-1"?>
[6732c094]	2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
	3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
[cf341b4]	4	<!ENTITY % general-entities SYSTEM "../../general.ent">
	5	%general-entities;
	6
[c6b192c]	7	<!ENTITY sudo-download-http "https://www.sudo.ws/dist/sudo-&sudo-version;.tar.gz">
[926d146d]	8	<!ENTITY sudo-download-ftp "ftp://ftp.sudo.ws/pub/sudo/sudo-&sudo-version;.tar.gz">
[36a32ef]	9	<!ENTITY sudo-md5sum "0ea3649ef66df80e6ecd04d45ea0f762">
[ff14636]	10	<!ENTITY sudo-size "4.0 MB">
[36a32ef]	11	<!ENTITY sudo-buildsize "43 MB (add 13 MB for tests)">
[a82b5f44]	12	<!ENTITY sudo-time "0.4 SBU (add 0.1 SBU for tests)">
[cf341b4]	13	]>
	14
[bcd2922]	15	<sect1 id="sudo" xreflabel="Sudo-&sudo-version;">
[cf341b4]	16	<?dbhtml filename="sudo.html"?>
	17
	18	<sect1info>
[e19ad480]	19	<date>$Date$</date>
[cf341b4]	20	</sect1info>
	21
	22	<title>Sudo-&sudo-version;</title>
	23
	24	<indexterm zone="sudo">
[bcd2922]	25	<primary sortas="a-Sudo">Sudo</primary>
[cf341b4]	26	</indexterm>
	27
	28	<sect2 role="package">
	29	<title>Introduction to Sudo</title>
	30
[bcd2922]	31	<para>
	32	The <application>Sudo</application> package allows a system administrator
	33	to give certain users (or groups of users) the ability to run
	34	some (or all) commands as
	35	<systemitem class="username">root</systemitem> or another user while
	36	logging the commands and arguments.
	37	</para>
[cf341b4]	38
[cac276e]	39	&lfs101_checked;
[a8d3d55a]	40
[cf341b4]	41	<bridgehead renderas="sect3">Package Information</bridgehead>
	42	<itemizedlist spacing="compact">
	43	<listitem>
[bcd2922]	44	<para>
	45	Download (HTTP): <ulink url="&sudo-download-http;"/>
	46	</para>
[cf341b4]	47	</listitem>
	48	<listitem>
[bcd2922]	49	<para>
	50	Download (FTP): <ulink url="&sudo-download-ftp;"/>
	51	</para>
[cf341b4]	52	</listitem>
	53	<listitem>
[bcd2922]	54	<para>
	55	Download MD5 sum: &sudo-md5sum;
	56	</para>
[cf341b4]	57	</listitem>
	58	<listitem>
[bcd2922]	59	<para>
	60	Download size: &sudo-size;
	61	</para>
[cf341b4]	62	</listitem>
	63	<listitem>
[bcd2922]	64	<para>
	65	Estimated disk space required: &sudo-buildsize;
	66	</para>
[cf341b4]	67	</listitem>
	68	<listitem>
[bcd2922]	69	<para>
	70	Estimated build time: &sudo-time;
	71	</para>
[cf341b4]	72	</listitem>
	73	</itemizedlist>
	74
	75	<bridgehead renderas="sect3">Sudo Dependencies</bridgehead>
	76
	77	<bridgehead renderas="sect4">Optional</bridgehead>
[bcd2922]	78	<para role="optional">
	79	<xref linkend="linux-pam"/>,
	80	<xref linkend="mitkrb"/>,
	81	<xref linkend="openldap"/>,
[6b4f8529]	82	<xref linkend="server-mail"/> (that provides a
	83	<command>sendmail</command> command),
	84	<ulink url="http://www.openafs.org/">AFS</ulink>,
[06915b3]	85	<ulink url="http://www.fwtk.org/">FWTK</ulink>, and
[8dfc5c3]	86	<ulink url="&sourceforge-dl;/opie/">Opie</ulink>
[bcd2922]	87	</para>
[b35e86b2]	88
[3597eb6]	89	<para condition="html" role="usernotes">User Notes:
[bcd2922]	90	<ulink url="&blfs-wiki;/sudo"/>
	91	</para>
[cf341b4]	92	</sect2>
	93
	94	<sect2 role="installation">
	95	<title>Installation of Sudo</title>
	96
[bcd2922]	97	<para>
[6e5d584]	98	Install <application>Sudo</application> by running the following commands:
[bcd2922]	99	</para>
[cf341b4]	100
[b9d56ad4]	101	<screen><userinput>./configure --prefix=/usr \
[edaee95]	102	--libexecdir=/usr/lib \
[1a657ca]	103	--with-secure-path \
[b9d56ad4]	104	--with-all-insults \
	105	--with-env-editor \
	106	--docdir=/usr/share/doc/sudo-&sudo-version; \
[9dabcf3]	107	--with-passprompt="[sudo] password for %p: " &&
[cf341b4]	108	make</userinput></screen>
	109
[bcd2922]	110	<para>
[6b4f8529]	111	To test the results, issue: <command>env LC_ALL=C make check 2>&1
[36a32ef]	112	\| tee make-check.log</command>. Check the results with <command>grep
	113	failed make-check.log</command>.
[bcd2922]	114	</para>
[21755bc]	115
[bcd2922]	116	<para>
	117	Now, as the <systemitem class="username">root</systemitem> user:
	118	</para>
[cf341b4]	119
[2809c8c]	120	<screen role="root"><userinput>make install &&
	121	ln -sfv libsudo_util.so.0.0.0 /usr/lib/sudo/libsudo_util.so.0</userinput></screen>
[cf341b4]	122
	123	</sect2>
	124
	125	<sect2 role="commands">
	126	<title>Command Explanations</title>
	127
[663b79c2]	128	<para>
[edaee95]	129	<parameter>--libexecdir=/usr/lib</parameter>: This switch controls where
[663b79c2]	130	private programs are installed. Everything in that directory is a library, so
	131	they belong under <filename class="directory">/usr/lib</filename> instead of
	132	<filename class="directory">/usr/libexec</filename>.
[8466229]	133	</para>
	134
	135	<para>
	136	<parameter>--with-secure-path</parameter>: This switch transparently adds
	137	<filename class="directory">/sbin</filename> and <filename
	138	class="directory">/usr/sbin</filename> directories to the
	139	<envar>PATH</envar> environment variable.
[663b79c2]	140	</para>
	141
[bcd2922]	142	<para>
[f3d174f]	143	<parameter>--with-all-insults</parameter>: This switch includes all the
[bcd2922]	144	<application>sudo</application> insult sets.
	145	</para>
[cf341b4]	146
[bcd2922]	147	<para>
[f3d174f]	148	<parameter>--with-env-editor</parameter>: This switch enables use of the
[bcd2922]	149	environment variable EDITOR for <command>visudo</command>.
	150	</para>
[8890b85f]	151
[f3d174f]	152	<para>
[ecea644]	153	<parameter>--with-passprompt</parameter>: This switch sets the password prompt.
[7f99ddf]	154	The <parameter>%p</parameter> will be expanded to the name of the user whose password is being requested.
[f3d174f]	155	</para>
	156
[14c71e0]	157	<para>
[f586237]	158	<option>--without-pam</option>: This switch avoids building
	159	<application>Linux-PAM</application> support when
	160	<application>Linux-PAM</application> is installed on the system.
[14c71e0]	161	</para>
[17b685f1]	162	<!-- See the developer note above before the configure command
[b9d56ad4]	163	<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
[f1d7196]	164	href="../../xincludes/static-libraries.xml"/>-->
[b9d56ad4]	165
[33d90fe]	166	<note>
[bcd2922]	167	<para>
	168	There are many options to <application>sudo</application>'s
	169	<command>configure</command> command. Check the
	170	<command>configure --help</command> output for a complete list.
	171	</para>
[33d90fe]	172	</note>
[cf341b4]	173
[2809c8c]	174	<para>
[f586237]	175	<command>ln -sfv libsudo_util...</command>: Works around a bug in the
[2809c8c]	176	installation process, which links to the previously installed
	177	version (if there is one) instead of the new one.
	178	</para>
	179
[cf341b4]	180	</sect2>
	181
	182	<sect2 role="configuration">
	183	<title>Configuring Sudo</title>
	184
	185	<sect3 id="sudo-config">
	186	<title>Config File</title>
	187
[7a47afc]	188	<para>
	189	<filename>/etc/sudoers</filename>
	190	</para>
[cf341b4]	191
	192	<indexterm zone="sudo sudo-config">
	193	<primary sortas="e-etc-sudoers">/etc/sudoers</primary>
	194	</indexterm>
	195
	196	</sect3>
	197
	198	<sect3>
	199	<title>Configuration Information</title>
	200
[bcd2922]	201	<para>
	202	The <filename>sudoers</filename> file can be quite complicated. It
	203	is composed of two types of entries: aliases (basically variables) and
	204	user specifications (which specify who may run what). The installation
[b4c31a6]	205	installs a default configuration that has no privileges installed for
	206	any user.
[bcd2922]	207	</para>
[bccbdaea]	208
[a5b9f1e]	209	<para>
[c513d6e6]	210	A couple of common configuration changes are to set the path for the
[77b64bd]	211	super user and to allow members of the wheel group to execute all
	212	commands after providing their own credientials. Use the following
	213	commands to create the <filename>/etc/sudoers.d/sudo</filename>
	214	configuration file as the
	215	<systemitem class="username">root</systemitem> user:
[a5b9f1e]	216	</para>
	217
[77b64bd]	218	<screen role="root"><userinput>cat > /etc/sudoers.d/sudo << "EOF"
	219	<literal>Defaults secure_path="/usr/bin:/bin:/usr/sbin:/sbin"
	220	%wheel ALL=(ALL) ALL</literal>
	221	EOF</userinput></screen>
[a5b9f1e]	222
[bcd2922]	223	<para>
	224	For details, see <command>man sudoers</command>.
	225	</para>
[cf341b4]	226
[3c0f868f]	227	<note>
[bcd2922]	228	<para>
	229	The <application>Sudo</application> developers highly recommend
	230	using the <command>visudo</command> program to edit the
	231	<filename>sudoers</filename> file. This will provide basic sanity
[b4c31a6]	232	checking like syntax parsing and file permission to avoid some
	233	possible mistakes that could lead to a vulnerable configuration.
[bcd2922]	234	</para>
[3c0f868f]	235	</note>
	236
[bcd2922]	237	<para>
[14c71e0]	238	If <application>PAM</application> is installed on the system,
	239	<application>Sudo</application> is built with
[b4c31a6]	240	<application>PAM</application> support. In that case, issue the
	241	following command as the <systemitem class="username">root</systemitem>
	242	user to create the <application>PAM</application> configuration file:
[bcd2922]	243	</para>
[8890b85f]	244
[add8d4f]	245	<screen role="root"><userinput>cat > /etc/pam.d/sudo << "EOF"
	246	<literal># Begin /etc/pam.d/sudo
[b3a4f60]	247
	248	# include the default auth settings
	249	auth include system-auth
	250
	251	# include the default account settings
	252	account include system-account
	253
	254	# Set default environment variables for the service user
	255	session required pam_env.so
	256
	257	# include system session defaults
	258	session include system-session
	259
[add8d4f]	260	# End /etc/pam.d/sudo</literal>
[b3a4f60]	261	EOF
	262	chmod 644 /etc/pam.d/sudo</userinput></screen>
[fd7e0ed6]	263
[cf341b4]	264	</sect3>
	265
	266	</sect2>
	267
	268	<sect2 role="content">
	269	<title>Contents</title>
	270
	271	<segmentedlist>
	272	<segtitle>Installed Programs</segtitle>
[9d53187]	273	<segtitle>Installed Libraries</segtitle>
[cf341b4]	274	<segtitle>Installed Directories</segtitle>
	275
	276	<seglistitem>
[bcd2922]	277	<seg>
[a82b5f44]	278	cvtsudoers, sudo, sudo_logsrvd, sudo_sendlog,
	279	sudoedit (symlink), sudoreplay, and visudo
[bcd2922]	280	</seg>
	281	<seg>
[a82b5f44]	282	<!-- [pierre, September 25, 2020] except libsudo_util, the other
	283	shared objects in /usr/lib/sudo look more like modules than
	284	libraries. Leaving them now, and updating the list, but I think
	285	they should not be listed. -->
	286	audit_json.so, group_file.so, libsudo_util.so, sample_approval.so,
[6b4f8529]	287	sudoers.so, sudo_noexec.so, and system_group.so
[bcd2922]	288	</seg>
	289	<seg>
[7a47afc]	290	/etc/sudoers.d,
[b378aa0]	291	/usr/lib/sudo,
[06915b3]	292	/usr/share/doc/sudo-&sudo-version;, and
[a82b5f44]	293	/var/lib/sudo
[bcd2922]	294	</seg>
[cf341b4]	295	</seglistitem>
	296	</segmentedlist>
	297
	298	<variablelist>
	299	<bridgehead renderas="sect3">Short Descriptions</bridgehead>
	300	<?dbfo list-presentation="list"?>
	301	<?dbhtml list-presentation="table"?>
	302
[d7bbb40]	303	<varlistentry id="cvtsudoers">
	304	<term><command>cvtsudoers</command></term>
	305	<listitem>
	306	<para>
[4c24eb0a]	307	converts between sudoers file formats
[d7bbb40]	308	</para>
	309	<indexterm zone="sudo cvtsudoers">
	310	<primary sortas="b-cvtsudoers">cvtsudoers</primary>
	311	</indexterm>
	312	</listitem>
	313	</varlistentry>
	314
[cf341b4]	315	<varlistentry id="sudo_prog">
	316	<term><command>sudo</command></term>
	317	<listitem>
[bcd2922]	318	<para>
	319	executes a command as another user as permitted by
[4c24eb0a]	320	the <filename>/etc/sudoers</filename> configuration file
[cf341b4]	321	</para>
	322	<indexterm zone="sudo sudo">
	323	<primary sortas="b-sudo">sudo</primary>
	324	</indexterm>
	325	</listitem>
	326	</varlistentry>
	327
[a82b5f44]	328	<varlistentry id="sudo_logsrvd">
	329	<term><command>sudo_logsrvd</command></term>
	330	<listitem>
	331	<para>
[4c24eb0a]	332	is a sudo event and I/O log server
[a82b5f44]	333	</para>
	334	<indexterm zone="sudo sudo_logsrvd">
	335	<primary sortas="b-sudo_logsrvd">sudo_logsrvd</primary>
	336	</indexterm>
	337	</listitem>
	338	</varlistentry>
	339
	340	<varlistentry id="sudo_sendlog">
	341	<term><command>sudo_sendlog</command></term>
	342	<listitem>
	343	<para>
[4c24eb0a]	344	sends sudo I/O logs to the log server
[a82b5f44]	345	</para>
	346	<indexterm zone="sudo sudo_sendlog">
	347	<primary sortas="b-sudo_sendlog">sudo_sendlog</primary>
	348	</indexterm>
	349	</listitem>
	350	</varlistentry>
	351
[cf341b4]	352	<varlistentry id="sudoedit">
	353	<term><command>sudoedit</command></term>
	354	<listitem>
[bcd2922]	355	<para>
[a1e0f76]	356	is a symlink to <command>sudo</command> that implies the
[4c24eb0a]	357	<option>-e</option> option to invoke an editor as another user
[bcd2922]	358	</para>
[cf341b4]	359	<indexterm zone="sudo sudoedit">
	360	<primary sortas="b-sudoedit">sudoedit</primary>
	361	</indexterm>
	362	</listitem>
	363	</varlistentry>
	364
[72d90b67]	365	<varlistentry id="sudoreplay">
	366	<term><command>sudoreplay</command></term>
[3c0f868f]	367	<listitem>
[bcd2922]	368	<para>
[72d90b67]	369	is used to play back or list the output
[4c24eb0a]	370	logs created by <command>sudo</command>
[bcd2922]	371	</para>
[72d90b67]	372	<indexterm zone="sudo sudoreplay">
	373	<primary sortas="b-sudoreplay">sudoreplay</primary>
[3c0f868f]	374	</indexterm>
	375	</listitem>
	376	</varlistentry>
	377
[72d90b67]	378	<varlistentry id="visudo">
	379	<term><command>visudo</command></term>
[61b8305]	380	<listitem>
[bcd2922]	381	<para>
[72d90b67]	382	allows for safer editing of the <filename>sudoers</filename>
[4c24eb0a]	383	file
[bcd2922]	384	</para>
[72d90b67]	385	<indexterm zone="sudo visudo">
	386	<primary sortas="b-visudo">visudo</primary>
[61b8305]	387	</indexterm>
	388	</listitem>
	389	</varlistentry>
[3c0f868f]	390
[cf341b4]	391	</variablelist>
	392
	393	</sect2>
	394
	395	</sect1>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: