Context Navigation

sudo.xml@ 510d254

Visit:

10.0 10.1 11.0 11.1 11.2 11.3 12.0 12.1 7.10 7.4 7.5 7.6 7.6-blfs 7.6-systemd 7.7 7.8 7.9 8.0 8.1 8.2 8.3 8.4 9.0 9.1 basic bdubbs/svn elogind gnome kde5-13430 kde5-14269 kde5-14686 kea ken/TL2024 ken/inkscape-core-mods ken/tuningfonts krejzi/svn lazarus lxqt nosym perl-modules plabs/newcss plabs/python-mods python3.11 qt5new rahul/power-profiles-daemon renodr/vulkan-addition systemd-11177 systemd-13485 trunk upgradedb xry111/intltool xry111/llvm18 xry111/soup3 xry111/test-20220226 xry111/xf86-video-removal

Last change on this file since 510d254 was 88647e80, checked in by Igor Živković <igor@…>, 11 years ago

Openbox: formatting, mention autostart used by openbox-session

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@11254 af4574ff-66df-0310-9fd7-8a98e5e911e0

Property mode set to 100644

File size: 10.3 KB

Rev	Line
[cf341b4]	1	<?xml version="1.0" encoding="ISO-8859-1"?>
[6732c094]	2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
	3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
[cf341b4]	4	<!ENTITY % general-entities SYSTEM "../../general.ent">
	5	%general-entities;
	6
[fc87618]	7	<!ENTITY sudo-download-http "http://www.sudo.ws/sudo/dist/sudo-&sudo-version;.tar.gz">
[cfe8b07]	8	<!ENTITY sudo-download-ftp "ftp://ftp.twaren.net/Unix/Security/Sudo/sudo-&sudo-version;.tar.gz">
[1e497c6]	9	<!ENTITY sudo-md5sum "6dac48c73c8e0932980efcddafa569af">
[983b6a6]	10	<!ENTITY sudo-size "1.8 MB">
[1e497c6]	11	<!ENTITY sudo-buildsize "23 MB">
	12	<!ENTITY sudo-time "0.3 SBU">
[cf341b4]	13	]>
	14
[bcd2922]	15	<sect1 id="sudo" xreflabel="Sudo-&sudo-version;">
[cf341b4]	16	<?dbhtml filename="sudo.html"?>
	17
	18	<sect1info>
[e19ad480]	19	<othername>$LastChangedBy$</othername>
	20	<date>$Date$</date>
[cf341b4]	21	</sect1info>
	22
	23	<title>Sudo-&sudo-version;</title>
	24
	25	<indexterm zone="sudo">
[bcd2922]	26	<primary sortas="a-Sudo">Sudo</primary>
[cf341b4]	27	</indexterm>
	28
	29	<sect2 role="package">
	30	<title>Introduction to Sudo</title>
	31
[bcd2922]	32	<para>
	33	The <application>Sudo</application> package allows a system administrator
	34	to give certain users (or groups of users) the ability to run
	35	some (or all) commands as
	36	<systemitem class="username">root</systemitem> or another user while
	37	logging the commands and arguments.
	38	</para>
[cf341b4]	39
[3ecfea9]	40	&lfs73_checked;
[a8d3d55a]	41
[cf341b4]	42	<bridgehead renderas="sect3">Package Information</bridgehead>
	43	<itemizedlist spacing="compact">
	44	<listitem>
[bcd2922]	45	<para>
	46	Download (HTTP): <ulink url="&sudo-download-http;"/>
	47	</para>
[cf341b4]	48	</listitem>
	49	<listitem>
[bcd2922]	50	<para>
	51	Download (FTP): <ulink url="&sudo-download-ftp;"/>
	52	</para>
[cf341b4]	53	</listitem>
	54	<listitem>
[bcd2922]	55	<para>
	56	Download MD5 sum: &sudo-md5sum;
	57	</para>
[cf341b4]	58	</listitem>
	59	<listitem>
[bcd2922]	60	<para>
	61	Download size: &sudo-size;
	62	</para>
[cf341b4]	63	</listitem>
	64	<listitem>
[bcd2922]	65	<para>
	66	Estimated disk space required: &sudo-buildsize;
	67	</para>
[cf341b4]	68	</listitem>
	69	<listitem>
[bcd2922]	70	<para>
	71	Estimated build time: &sudo-time;
	72	</para>
[cf341b4]	73	</listitem>
	74	</itemizedlist>
	75
	76	<bridgehead renderas="sect3">Sudo Dependencies</bridgehead>
	77
	78	<bridgehead renderas="sect4">Optional</bridgehead>
[bcd2922]	79	<para role="optional">
	80	<ulink url="http://www.openafs.org/">AFS</ulink>,
	81	<ulink url="http://www.fwtk.org/">FWTK</ulink>,
	82	<xref linkend="linux-pam"/>,
	83	<xref linkend="mitkrb"/>,
	84	an <xref linkend="server-mail"/> (that provides a
	85	<command>sendmail</command> command),
	86	<xref linkend="openldap"/>,
	87	<ulink url="ftp://ftp.nrl.navy.mil/pub/security/opie">Opie</ulink> and
	88	<ulink url="http://www.rsa.com/node.aspx?id=1156">SecurID</ulink>
	89	</para>
[b35e86b2]	90
[3597eb6]	91	<para condition="html" role="usernotes">User Notes:
[bcd2922]	92	<ulink url="&blfs-wiki;/sudo"/>
	93	</para>
[cf341b4]	94	</sect2>
	95
	96	<sect2 role="installation">
	97	<title>Installation of Sudo</title>
	98
[bcd2922]	99	<para>
	100	Install <application>Sudo</application> by running
	101	the following commands:
	102	</para>
[cf341b4]	103
[1e497c6]	104	<screen><userinput>./configure --prefix=/usr \
	105	--libexecdir=/usr/lib/sudo \
[24f2d4b]	106	--docdir=/usr/share/doc/sudo-&sudo-version; \
[1e497c6]	107	--with-all-insults \
	108	--with-env-editor &&
[cf341b4]	109	make</userinput></screen>
	110
[bcd2922]	111	<para>
	112	This package does not come with a test suite.
	113	</para>
[21755bc]	114
[bcd2922]	115	<para>
	116	Now, as the <systemitem class="username">root</systemitem> user:
	117	</para>
[cf341b4]	118
	119	<screen role="root"><userinput>make install</userinput></screen>
	120
	121	</sect2>
	122
	123	<sect2 role="commands">
	124	<title>Command Explanations</title>
	125
[bcd2922]	126	<para>
	127	<option>--with-all-insults</option>: This switch includes all the
	128	<application>sudo</application> insult sets.
	129	</para>
[cf341b4]	130
[bcd2922]	131	<para>
[0d7900a]	132	<option>--with-env-editor</option>: This switch enables use of the
[bcd2922]	133	environment variable EDITOR for <command>visudo</command>.
	134	</para>
[8890b85f]	135
[1e497c6]	136	<!--
[bcd2922]	137	<para>
[88647e80]	138	<option>--without-pam</option>: This switch disables the use of
[bcd2922]	139	<application>PAM</application> authentication. Omit if you have
	140	<application>Linux PAM</application> installed.
	141	</para>
[8890b85f]	142
[bcd2922]	143	<para>
[88647e80]	144	<option>--without-sendmail</option>: This switch disables the use of
[bcd2922]	145	sendmail. Remove if you have a sendmail compatible MTA.
	146	</para>
[8890b85f]	147
[1e497c6]	148	-->
[33d90fe]	149	<note>
[bcd2922]	150	<para>
	151	There are many options to <application>sudo</application>'s
	152	<command>configure</command> command. Check the
	153	<command>configure --help</command> output for a complete list.
	154	</para>
[33d90fe]	155	</note>
[cf341b4]	156
	157	</sect2>
	158
	159	<sect2 role="configuration">
	160	<title>Configuring Sudo</title>
	161
	162	<sect3 id="sudo-config">
	163	<title>Config File</title>
	164
	165	<para><filename>/etc/sudoers</filename></para>
	166
	167	<indexterm zone="sudo sudo-config">
	168	<primary sortas="e-etc-sudoers">/etc/sudoers</primary>
	169	</indexterm>
	170
	171	</sect3>
	172
	173	<sect3>
	174	<title>Configuration Information</title>
	175
[bcd2922]	176	<para>
	177	The <filename>sudoers</filename> file can be quite complicated. It
	178	is composed of two types of entries: aliases (basically variables) and
	179	user specifications (which specify who may run what). The installation
	180	installs a default configuration that has no privileges installed for any
	181	user.
	182	</para>
[cf341b4]	183
[bcd2922]	184	<para>
	185	One example usage is to allow the system administrator to execute
	186	any program without typing a password each time root privileges are
	187	needed. This can be configured as:
	188	</para>
[bccbdaea]	189
[ed025d6]	190	<screen># User alias specification
[cf341b4]	191	User_Alias ADMIN = YourLoginId
	192
	193	# Allow people in group ADMIN to run all commands without a password
	194	ADMIN ALL = NOPASSWD: ALL</screen>
	195
[bcd2922]	196	<para>
	197	For details, see <command>man sudoers</command>.
	198	</para>
[cf341b4]	199
[3c0f868f]	200	<note>
[bcd2922]	201	<para>
	202	The <application>Sudo</application> developers highly recommend
	203	using the <command>visudo</command> program to edit the
	204	<filename>sudoers</filename> file. This will provide basic sanity
	205	checking like syntax parsing and file permission to avoid some possible
	206	mistakes that could lead to a vulnerable configuration.
	207	</para>
[3c0f868f]	208	</note>
	209
[bcd2922]	210	<para>
	211	If you've built <application>Sudo</application> with
	212	<application>PAM</application> support, issue the following
	213	command as the <systemitem class="username">root</systemitem> user
	214	to create the <application>PAM</application> configuration file:
	215	</para>
[8890b85f]	216
[b3a4f60]	217	<screen role="root"><userinput>cat > /etc/pam.d/sudo << "EOF" &&
	218	# Begin /etc/pam.d/sudo
	219
	220	# include the default auth settings
	221	auth include system-auth
	222
	223	# include the default account settings
	224	account include system-account
	225
	226	# Set default environment variables for the service user
	227	session required pam_env.so
	228
	229	# include system session defaults
	230	session include system-session
	231
	232	# End /etc/pam.d/sudo
	233	EOF
	234	chmod 644 /etc/pam.d/sudo</userinput></screen>
[fd7e0ed6]	235
[cf341b4]	236	</sect3>
	237
	238	</sect2>
	239
	240	<sect2 role="content">
	241	<title>Contents</title>
	242
	243	<segmentedlist>
	244	<segtitle>Installed Programs</segtitle>
[c3c56b2]	245	<segtitle>Installed Libraries</segtitle>
[cf341b4]	246	<segtitle>Installed Directories</segtitle>
	247
	248	<seglistitem>
[bcd2922]	249	<seg>
	250	sudo, sudoedit, sudoreplay and visudo
	251	</seg>
	252	<seg>
	253	sudoers.so and sudo_noexec.so
	254	</seg>
	255	<seg>
	256	/usr/lib/sudo and
	257	/usr/share/doc/sudo-&sudo-version;
	258	</seg>
[cf341b4]	259	</seglistitem>
	260	</segmentedlist>
	261
	262	<variablelist>
	263	<bridgehead renderas="sect3">Short Descriptions</bridgehead>
	264	<?dbfo list-presentation="list"?>
	265	<?dbhtml list-presentation="table"?>
	266
	267	<varlistentry id="sudo_prog">
	268	<term><command>sudo</command></term>
	269	<listitem>
[bcd2922]	270	<para>
	271	executes a command as another user as permitted by
	272	the <filename>/etc/sudoers</filename> configuration file.
[cf341b4]	273	</para>
	274	<indexterm zone="sudo sudo">
	275	<primary sortas="b-sudo">sudo</primary>
	276	</indexterm>
	277	</listitem>
	278	</varlistentry>
	279
	280	<varlistentry id="sudoedit">
	281	<term><command>sudoedit</command></term>
	282	<listitem>
[bcd2922]	283	<para>
	284	is a hard link to <command>sudo</command> that implies the
	285	<option>-e</option> option to invoke an editor as another user.
	286	</para>
[cf341b4]	287	<indexterm zone="sudo sudoedit">
	288	<primary sortas="b-sudoedit">sudoedit</primary>
	289	</indexterm>
	290	</listitem>
	291	</varlistentry>
	292
[3c0f868f]	293	<varlistentry id="visudo">
	294	<term><command>visudo</command></term>
	295	<listitem>
[bcd2922]	296	<para>
	297	allows for safer editing of the <filename>sudoers</filename>
	298	file.
	299	</para>
[3c0f868f]	300	<indexterm zone="sudo visudo">
	301	<primary sortas="b-visudo">visudo</primary>
	302	</indexterm>
	303	</listitem>
	304	</varlistentry>
	305
[61b8305]	306	<varlistentry id="sudoreplay">
	307	<term><command>sudoreplay</command></term>
	308	<listitem>
[bcd2922]	309	<para>
[0d7900a]	310	is used to play back or list the output
[bcd2922]	311	logs created by <command>sudo</command>.
	312	</para>
[61b8305]	313	<indexterm zone="sudo sudoreplay">
	314	<primary sortas="b-sudoreplay">sudoreplay</primary>
	315	</indexterm>
	316	</listitem>
	317	</varlistentry>
	318
	319	<varlistentry id="sudoers">
	320	<term><filename class='libraryfile'>sudoers.so</filename></term>
	321	<listitem>
[bcd2922]	322	<para>
	323	is default sudo security policy module.
	324	</para>
[61b8305]	325	<indexterm zone="sudo sudoers">
	326	<primary sortas="c-sudoers">sudoers.so</primary>
	327	</indexterm>
	328	</listitem>
	329	</varlistentry>
[3c0f868f]	330
[cf341b4]	331	<varlistentry id="sudo_noexec">
	332	<term><filename class='libraryfile'>sudo_noexec.so</filename></term>
	333	<listitem>
[bcd2922]	334	<para>
	335	enables support for the "noexec" functionality which prevents
	336	a dynamically-linked program being run by sudo from executing
	337	another program (think shell escapes).
	338	</para>
[cf341b4]	339	<indexterm zone="sudo sudo_noexec">
	340	<primary sortas="c-sudo_noexec">sudo_noexec.so</primary>
	341	</indexterm>
	342	</listitem>
	343	</varlistentry>
	344
	345	</variablelist>
	346
	347	</sect2>
	348
	349	</sect1>

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: postlfs/security/sudo.xml@ 510d254

Download in other formats: