source: postlfs/security/sudo.xml@ a3394a71

systemd-13485
Last change on this file since a3394a71 was a3394a71, checked in by Douglas R. Reno <renodr@…>, 9 years ago

First round of tags for the day.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/branches/systemd@16502 af4574ff-66df-0310-9fd7-8a98e5e911e0
  • Property mode set to 100644
File size: 10.9 KB
RevLine 
[cf341b4]1<?xml version="1.0" encoding="ISO-8859-1"?>
[6732c094]2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
[cf341b4]4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
[fc87618]7 <!ENTITY sudo-download-http "http://www.sudo.ws/sudo/dist/sudo-&sudo-version;.tar.gz">
[926d146d]8 <!ENTITY sudo-download-ftp "ftp://ftp.sudo.ws/pub/sudo/sudo-&sudo-version;.tar.gz">
[0870572]9 <!ENTITY sudo-md5sum "93dbd1e47c136179ff1b01494c1c0e75">
10 <!ENTITY sudo-size "2.5 MB">
11 <!ENTITY sudo-buildsize "28 MB">
12 <!ENTITY sudo-time "0.5 SBU">
[cf341b4]13]>
14
[bcd2922]15<sect1 id="sudo" xreflabel="Sudo-&sudo-version;">
[cf341b4]16 <?dbhtml filename="sudo.html"?>
17
18 <sect1info>
[e19ad480]19 <othername>$LastChangedBy$</othername>
20 <date>$Date$</date>
[cf341b4]21 </sect1info>
22
23 <title>Sudo-&sudo-version;</title>
24
25 <indexterm zone="sudo">
[bcd2922]26 <primary sortas="a-Sudo">Sudo</primary>
[cf341b4]27 </indexterm>
28
29 <sect2 role="package">
30 <title>Introduction to Sudo</title>
31
[bcd2922]32 <para>
33 The <application>Sudo</application> package allows a system administrator
34 to give certain users (or groups of users) the ability to run
35 some (or all) commands as
36 <systemitem class="username">root</systemitem> or another user while
37 logging the commands and arguments.
38 </para>
[cf341b4]39
[a3394a71]40 &lfs78_checked;
[a8d3d55a]41
[cf341b4]42 <bridgehead renderas="sect3">Package Information</bridgehead>
43 <itemizedlist spacing="compact">
44 <listitem>
[bcd2922]45 <para>
46 Download (HTTP): <ulink url="&sudo-download-http;"/>
47 </para>
[cf341b4]48 </listitem>
49 <listitem>
[bcd2922]50 <para>
51 Download (FTP): <ulink url="&sudo-download-ftp;"/>
52 </para>
[cf341b4]53 </listitem>
54 <listitem>
[bcd2922]55 <para>
56 Download MD5 sum: &sudo-md5sum;
57 </para>
[cf341b4]58 </listitem>
59 <listitem>
[bcd2922]60 <para>
61 Download size: &sudo-size;
62 </para>
[cf341b4]63 </listitem>
64 <listitem>
[bcd2922]65 <para>
66 Estimated disk space required: &sudo-buildsize;
67 </para>
[cf341b4]68 </listitem>
69 <listitem>
[bcd2922]70 <para>
71 Estimated build time: &sudo-time;
72 </para>
[cf341b4]73 </listitem>
74 </itemizedlist>
75
76 <bridgehead renderas="sect3">Sudo Dependencies</bridgehead>
77
78 <bridgehead renderas="sect4">Optional</bridgehead>
[bcd2922]79 <para role="optional">
80 <xref linkend="linux-pam"/>,
81 <xref linkend="mitkrb"/>,
82 <xref linkend="openldap"/>,
[22275b6b]83 <xref linkend="server-mail"/> (that provides a
84 <command>sendmail</command> command),
85 <ulink url="http://www.openafs.org/">AFS</ulink>,
86 <ulink url="http://www.fwtk.org/">FWTK</ulink>,
87 <ulink url="http://sourceforge.net/projects/opie/files/">Opie</ulink>, and
[bcd2922]88 <ulink url="http://www.rsa.com/node.aspx?id=1156">SecurID</ulink>
89 </para>
[b35e86b2]90
[3597eb6]91 <para condition="html" role="usernotes">User Notes:
[bcd2922]92 <ulink url="&blfs-wiki;/sudo"/>
93 </para>
[cf341b4]94 </sect2>
95
96 <sect2 role="installation">
97 <title>Installation of Sudo</title>
98
[bcd2922]99 <para>
[6e5d584]100 Install <application>Sudo</application> by running the following commands:
[bcd2922]101 </para>
[cf341b4]102
[1c69133]103<!-- Developer: apparently it is disabled by default, although in configure it
104is written otherwise -disable-static \-->
[b9d56ad4]105<screen><userinput>./configure --prefix=/usr \
[edaee95]106 --libexecdir=/usr/lib \
[ac38e9dc]107 --with-secure-path \
[b9d56ad4]108 --with-all-insults \
109 --with-env-editor \
110 --docdir=/usr/share/doc/sudo-&sudo-version; \
[439ebd01]111 --with-passprompt="[sudo] password for %p" &amp;&amp;
[cf341b4]112make</userinput></screen>
113
[bcd2922]114 <para>
[22275b6b]115 To test the results, issue: <command>env LC_ALL=C make check 2&gt;&amp;1
116 | tee ../make-check.log</command>. Check the results with <command>grep
117 failed ../make-check.log</command>.
[bcd2922]118 </para>
[21755bc]119
[bcd2922]120 <para>
121 Now, as the <systemitem class="username">root</systemitem> user:
122 </para>
[cf341b4]123
[ac38e9dc]124<screen role="root"><userinput>make install &amp;&amp;
125ln -sfv libsudo_util.so.0.0.0 /usr/lib/sudo/libsudo_util.so.0</userinput></screen>
[cf341b4]126
127 </sect2>
128
129 <sect2 role="commands">
130 <title>Command Explanations</title>
131
[663b79c2]132 <para>
[edaee95]133 <parameter>--libexecdir=/usr/lib</parameter>: This switch controls where
[663b79c2]134 private programs are installed. Everything in that directory is a library, so
135 they belong under <filename class="directory">/usr/lib</filename> instead of
136 <filename class="directory">/usr/libexec</filename>.
137 </para>
138
[ac38e9dc]139 <para>
140 <parameter>--with-secure-path</parameter>: This switch transparently adds
141 <filename class="directory">/sbin</filename> and <filename
142 class="directory">/usr/sbin</filename> directories to the
143 <envar>PATH</envar> environment variable.
144 </para>
145
[bcd2922]146 <para>
[f3d174f]147 <parameter>--with-all-insults</parameter>: This switch includes all the
[bcd2922]148 <application>sudo</application> insult sets.
149 </para>
[cf341b4]150
[bcd2922]151 <para>
[f3d174f]152 <parameter>--with-env-editor</parameter>: This switch enables use of the
[bcd2922]153 environment variable EDITOR for <command>visudo</command>.
154 </para>
[8890b85f]155
[f3d174f]156 <para>
[0870572]157 <parameter>--with-passprompt</parameter>: This switch sets the password prompt.
[f3d174f]158 </para>
159
[14c71e0]160 <para>
[0870572]161 <option>--without-pam</option>: This switch avoids building
162 <application>PAM</application> support when <application>PAM</application> is installed on the system.
[14c71e0]163 </para>
164
[b9d56ad4]165 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
166 href="../../xincludes/static-libraries.xml"/>
167
[33d90fe]168 <note>
[bcd2922]169 <para>
170 There are many options to <application>sudo</application>'s
171 <command>configure</command> command. Check the
172 <command>configure --help</command> output for a complete list.
173 </para>
[33d90fe]174 </note>
[cf341b4]175
[ac38e9dc]176 <para>
177 <command>ln -sfv libsudo_util...</command>: Works around a bug in the
178 installation process, which links the versioned library to the
179 previously installed version (when present) instead of the new one.
180 </para>
181
[cf341b4]182 </sect2>
183
184 <sect2 role="configuration">
185 <title>Configuring Sudo</title>
186
187 <sect3 id="sudo-config">
188 <title>Config File</title>
189
[7a47afc]190 <para>
191 <filename>/etc/sudoers</filename>
192 </para>
[cf341b4]193
194 <indexterm zone="sudo sudo-config">
195 <primary sortas="e-etc-sudoers">/etc/sudoers</primary>
196 </indexterm>
197
198 </sect3>
199
200 <sect3>
201 <title>Configuration Information</title>
202
[bcd2922]203 <para>
204 The <filename>sudoers</filename> file can be quite complicated. It
205 is composed of two types of entries: aliases (basically variables) and
206 user specifications (which specify who may run what). The installation
207 installs a default configuration that has no privileges installed for any
208 user.
209 </para>
[cf341b4]210
[bcd2922]211 <para>
212 One example usage is to allow the system administrator to execute
213 any program without typing a password each time root privileges are
214 needed. This can be configured as:
215 </para>
[bccbdaea]216
[ed025d6]217<screen># User alias specification
[cf341b4]218User_Alias ADMIN = YourLoginId
219
220# Allow people in group ADMIN to run all commands without a password
221ADMIN ALL = NOPASSWD: ALL</screen>
222
[bcd2922]223 <para>
224 For details, see <command>man sudoers</command>.
225 </para>
[cf341b4]226
[3c0f868f]227 <note>
[bcd2922]228 <para>
229 The <application>Sudo</application> developers highly recommend
230 using the <command>visudo</command> program to edit the
231 <filename>sudoers</filename> file. This will provide basic sanity
232 checking like syntax parsing and file permission to avoid some possible
233 mistakes that could lead to a vulnerable configuration.
234 </para>
[3c0f868f]235 </note>
236
[bcd2922]237 <para>
[14c71e0]238 If <application>PAM</application> is installed on the system,
239 <application>Sudo</application> is built with
240 <application>PAM</application> support. In that case, issue the following
[bcd2922]241 command as the <systemitem class="username">root</systemitem> user
242 to create the <application>PAM</application> configuration file:
243 </para>
[8890b85f]244
[add8d4f]245<screen role="root"><userinput>cat &gt; /etc/pam.d/sudo &lt;&lt; "EOF"
246<literal># Begin /etc/pam.d/sudo
[b3a4f60]247
248# include the default auth settings
249auth include system-auth
250
251# include the default account settings
252account include system-account
253
254# Set default environment variables for the service user
255session required pam_env.so
256
257# include system session defaults
258session include system-session
259
[add8d4f]260# End /etc/pam.d/sudo</literal>
[b3a4f60]261EOF
262chmod 644 /etc/pam.d/sudo</userinput></screen>
[fd7e0ed6]263
[cf341b4]264 </sect3>
265
266 </sect2>
267
268 <sect2 role="content">
269 <title>Contents</title>
270
271 <segmentedlist>
272 <segtitle>Installed Programs</segtitle>
[7a47afc]273 <segtitle>Installed Libraries</segtitle>
[cf341b4]274 <segtitle>Installed Directories</segtitle>
275
276 <seglistitem>
[bcd2922]277 <seg>
[a1e0f76]278 sudo, sudoedit (symlink), sudoreplay, and visudo
[bcd2922]279 </seg>
280 <seg>
[22275b6b]281 group_file.so, libsudo_util.so,
282 sudoers.so, sudo_noexec.so, and system_group.so
[bcd2922]283 </seg>
284 <seg>
[7a47afc]285 /etc/sudoers.d,
[b378aa0]286 /usr/lib/sudo,
[ac38e9dc]287 /usr/share/doc/sudo-&sudo-version;,
288 /var/lib/sudo, and
289 /var/run/sudo
[bcd2922]290 </seg>
[cf341b4]291 </seglistitem>
292 </segmentedlist>
293
294 <variablelist>
295 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
296 <?dbfo list-presentation="list"?>
297 <?dbhtml list-presentation="table"?>
298
299 <varlistentry id="sudo_prog">
300 <term><command>sudo</command></term>
301 <listitem>
[bcd2922]302 <para>
303 executes a command as another user as permitted by
304 the <filename>/etc/sudoers</filename> configuration file.
[cf341b4]305 </para>
306 <indexterm zone="sudo sudo">
307 <primary sortas="b-sudo">sudo</primary>
308 </indexterm>
309 </listitem>
310 </varlistentry>
311
312 <varlistentry id="sudoedit">
313 <term><command>sudoedit</command></term>
314 <listitem>
[bcd2922]315 <para>
[a1e0f76]316 is a symlink to <command>sudo</command> that implies the
[bcd2922]317 <option>-e</option> option to invoke an editor as another user.
318 </para>
[cf341b4]319 <indexterm zone="sudo sudoedit">
320 <primary sortas="b-sudoedit">sudoedit</primary>
321 </indexterm>
322 </listitem>
323 </varlistentry>
324
[cb0bbd2]325 <varlistentry id="sudoreplay">
326 <term><command>sudoreplay</command></term>
[3c0f868f]327 <listitem>
[bcd2922]328 <para>
[cb0bbd2]329 is used to play back or list the output
330 logs created by <command>sudo</command>.
[bcd2922]331 </para>
[cb0bbd2]332 <indexterm zone="sudo sudoreplay">
333 <primary sortas="b-sudoreplay">sudoreplay</primary>
[3c0f868f]334 </indexterm>
335 </listitem>
336 </varlistentry>
337
[cb0bbd2]338 <varlistentry id="visudo">
339 <term><command>visudo</command></term>
[61b8305]340 <listitem>
[bcd2922]341 <para>
[cb0bbd2]342 allows for safer editing of the <filename>sudoers</filename>
343 file.
[bcd2922]344 </para>
[cb0bbd2]345 <indexterm zone="sudo visudo">
346 <primary sortas="b-visudo">visudo</primary>
[61b8305]347 </indexterm>
348 </listitem>
349 </varlistentry>
[3c0f868f]350
[cf341b4]351 </variablelist>
352
353 </sect2>
354
355</sect1>
Note: See TracBrowser for help on using the repository browser.