source: postlfs/security/sudo.xml@ bb5e583

10.1 11.0 11.1 11.2 11.3 12.0 12.1 kea ken/TL2024 ken/inkscape-core-mods ken/tuningfonts lazarus lxqt plabs/newcss plabs/python-mods python3.11 qt5new rahul/power-profiles-daemon renodr/vulkan-addition trunk upgradedb xry111/intltool xry111/llvm18 xry111/soup3 xry111/test-20220226 xry111/xf86-video-removal
Last change on this file since bb5e583 was bb5e583, checked in by Tim Tassonis <stuff@…>, 3 years ago

Update to sudo-1.9.5p2 (Critical security release)

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@24144 af4574ff-66df-0310-9fd7-8a98e5e911e0
  • Property mode set to 100644
File size: 12.5 KB
RevLine 
[cf341b4]1<?xml version="1.0" encoding="ISO-8859-1"?>
[6732c094]2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
[cf341b4]4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
[06915b3]7 <!ENTITY sudo-download-http "http://www.sudo.ws/dist/sudo-&sudo-version;.tar.gz">
[926d146d]8 <!ENTITY sudo-download-ftp "ftp://ftp.sudo.ws/pub/sudo/sudo-&sudo-version;.tar.gz">
[bb5e583]9 <!ENTITY sudo-md5sum "e6bc4c18c06346e6b3431637a2b5f3d5">
10 <!ENTITY sudo-size "3.9 MB">
[c513d6e6]11 <!ENTITY sudo-buildsize "60 MB (add 9 MB for tests)">
[a82b5f44]12 <!ENTITY sudo-time "0.4 SBU (add 0.1 SBU for tests)">
[cf341b4]13]>
14
[bcd2922]15<sect1 id="sudo" xreflabel="Sudo-&sudo-version;">
[cf341b4]16 <?dbhtml filename="sudo.html"?>
17
18 <sect1info>
[e19ad480]19 <othername>$LastChangedBy$</othername>
20 <date>$Date$</date>
[cf341b4]21 </sect1info>
22
23 <title>Sudo-&sudo-version;</title>
24
25 <indexterm zone="sudo">
[bcd2922]26 <primary sortas="a-Sudo">Sudo</primary>
[cf341b4]27 </indexterm>
28
29 <sect2 role="package">
30 <title>Introduction to Sudo</title>
31
[bcd2922]32 <para>
33 The <application>Sudo</application> package allows a system administrator
34 to give certain users (or groups of users) the ability to run
35 some (or all) commands as
36 <systemitem class="username">root</systemitem> or another user while
37 logging the commands and arguments.
38 </para>
[cf341b4]39
[b3caf56]40 &lfs10_checked;
[a8d3d55a]41
[cf341b4]42 <bridgehead renderas="sect3">Package Information</bridgehead>
43 <itemizedlist spacing="compact">
44 <listitem>
[bcd2922]45 <para>
46 Download (HTTP): <ulink url="&sudo-download-http;"/>
47 </para>
[cf341b4]48 </listitem>
49 <listitem>
[bcd2922]50 <para>
51 Download (FTP): <ulink url="&sudo-download-ftp;"/>
52 </para>
[cf341b4]53 </listitem>
54 <listitem>
[bcd2922]55 <para>
56 Download MD5 sum: &sudo-md5sum;
57 </para>
[cf341b4]58 </listitem>
59 <listitem>
[bcd2922]60 <para>
61 Download size: &sudo-size;
62 </para>
[cf341b4]63 </listitem>
64 <listitem>
[bcd2922]65 <para>
66 Estimated disk space required: &sudo-buildsize;
67 </para>
[cf341b4]68 </listitem>
69 <listitem>
[bcd2922]70 <para>
71 Estimated build time: &sudo-time;
72 </para>
[cf341b4]73 </listitem>
74 </itemizedlist>
75
76 <bridgehead renderas="sect3">Sudo Dependencies</bridgehead>
77
78 <bridgehead renderas="sect4">Optional</bridgehead>
[bcd2922]79 <para role="optional">
80 <xref linkend="linux-pam"/>,
81 <xref linkend="mitkrb"/>,
82 <xref linkend="openldap"/>,
[6b4f8529]83 <xref linkend="server-mail"/> (that provides a
84 <command>sendmail</command> command),
85 <ulink url="http://www.openafs.org/">AFS</ulink>,
[06915b3]86 <ulink url="http://www.fwtk.org/">FWTK</ulink>, and
[8dfc5c3]87 <ulink url="&sourceforge-dl;/opie/">Opie</ulink>
[bcd2922]88 </para>
[b35e86b2]89
[3597eb6]90 <para condition="html" role="usernotes">User Notes:
[bcd2922]91 <ulink url="&blfs-wiki;/sudo"/>
92 </para>
[cf341b4]93 </sect2>
94
95 <sect2 role="installation">
96 <title>Installation of Sudo</title>
97
[bcd2922]98 <para>
[6e5d584]99 Install <application>Sudo</application> by running the following commands:
[bcd2922]100 </para>
[cf341b4]101
[b9d56ad4]102<screen><userinput>./configure --prefix=/usr \
[edaee95]103 --libexecdir=/usr/lib \
[1a657ca]104 --with-secure-path \
[b9d56ad4]105 --with-all-insults \
106 --with-env-editor \
107 --docdir=/usr/share/doc/sudo-&sudo-version; \
[9dabcf3]108 --with-passprompt="[sudo] password for %p: " &amp;&amp;
[cf341b4]109make</userinput></screen>
110
[bcd2922]111 <para>
[6b4f8529]112 To test the results, issue: <command>env LC_ALL=C make check 2&gt;&amp;1
113 | tee ../make-check.log</command>. Check the results with <command>grep
[4676c15d]114 failed ../make-check.log</command>.
[bcd2922]115 </para>
[21755bc]116
[bcd2922]117 <para>
118 Now, as the <systemitem class="username">root</systemitem> user:
119 </para>
[cf341b4]120
[2809c8c]121<screen role="root"><userinput>make install &amp;&amp;
122ln -sfv libsudo_util.so.0.0.0 /usr/lib/sudo/libsudo_util.so.0</userinput></screen>
[cf341b4]123
124 </sect2>
125
126 <sect2 role="commands">
127 <title>Command Explanations</title>
128
[663b79c2]129 <para>
[edaee95]130 <parameter>--libexecdir=/usr/lib</parameter>: This switch controls where
[663b79c2]131 private programs are installed. Everything in that directory is a library, so
132 they belong under <filename class="directory">/usr/lib</filename> instead of
133 <filename class="directory">/usr/libexec</filename>.
[8466229]134 </para>
135
136 <para>
137 <parameter>--with-secure-path</parameter>: This switch transparently adds
138 <filename class="directory">/sbin</filename> and <filename
139 class="directory">/usr/sbin</filename> directories to the
140 <envar>PATH</envar> environment variable.
[663b79c2]141 </para>
142
[bcd2922]143 <para>
[f3d174f]144 <parameter>--with-all-insults</parameter>: This switch includes all the
[bcd2922]145 <application>sudo</application> insult sets.
146 </para>
[cf341b4]147
[bcd2922]148 <para>
[f3d174f]149 <parameter>--with-env-editor</parameter>: This switch enables use of the
[bcd2922]150 environment variable EDITOR for <command>visudo</command>.
151 </para>
[8890b85f]152
[f3d174f]153 <para>
[ecea644]154 <parameter>--with-passprompt</parameter>: This switch sets the password prompt.
[7f99ddf]155 The <parameter>%p</parameter> will be expanded to the name of the user whose password is being requested.
[f3d174f]156 </para>
157
[14c71e0]158 <para>
[f586237]159 <option>--without-pam</option>: This switch avoids building
160 <application>Linux-PAM</application> support when
161 <application>Linux-PAM</application> is installed on the system.
[14c71e0]162 </para>
[17b685f1]163<!-- See the developer note above before the configure command
[b9d56ad4]164 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
[f1d7196]165 href="../../xincludes/static-libraries.xml"/>-->
[b9d56ad4]166
[33d90fe]167 <note>
[bcd2922]168 <para>
169 There are many options to <application>sudo</application>'s
170 <command>configure</command> command. Check the
171 <command>configure --help</command> output for a complete list.
172 </para>
[33d90fe]173 </note>
[cf341b4]174
[2809c8c]175 <para>
[f586237]176 <command>ln -sfv libsudo_util...</command>: Works around a bug in the
[2809c8c]177 installation process, which links to the previously installed
178 version (if there is one) instead of the new one.
179 </para>
180
[cf341b4]181 </sect2>
182
183 <sect2 role="configuration">
184 <title>Configuring Sudo</title>
185
186 <sect3 id="sudo-config">
187 <title>Config File</title>
188
[7a47afc]189 <para>
190 <filename>/etc/sudoers</filename>
191 </para>
[cf341b4]192
193 <indexterm zone="sudo sudo-config">
194 <primary sortas="e-etc-sudoers">/etc/sudoers</primary>
195 </indexterm>
196
197 </sect3>
198
199 <sect3>
200 <title>Configuration Information</title>
201
[bcd2922]202 <para>
203 The <filename>sudoers</filename> file can be quite complicated. It
204 is composed of two types of entries: aliases (basically variables) and
205 user specifications (which specify who may run what). The installation
[b4c31a6]206 installs a default configuration that has no privileges installed for
207 any user.
[bcd2922]208 </para>
[bccbdaea]209
[a5b9f1e]210 <para>
[c513d6e6]211 A couple of common configuration changes are to set the path for the
[77b64bd]212 super user and to allow members of the wheel group to execute all
213 commands after providing their own credientials. Use the following
214 commands to create the <filename>/etc/sudoers.d/sudo</filename>
215 configuration file as the
216 <systemitem class="username">root</systemitem> user:
[a5b9f1e]217 </para>
218
[77b64bd]219<screen role="root"><userinput>cat &gt; /etc/sudoers.d/sudo &lt;&lt; "EOF"
220<literal>Defaults secure_path="/usr/bin:/bin:/usr/sbin:/sbin"
221%wheel ALL=(ALL) ALL</literal>
222EOF</userinput></screen>
[a5b9f1e]223
[bcd2922]224 <para>
225 For details, see <command>man sudoers</command>.
226 </para>
[cf341b4]227
[3c0f868f]228 <note>
[bcd2922]229 <para>
230 The <application>Sudo</application> developers highly recommend
231 using the <command>visudo</command> program to edit the
232 <filename>sudoers</filename> file. This will provide basic sanity
[b4c31a6]233 checking like syntax parsing and file permission to avoid some
234 possible mistakes that could lead to a vulnerable configuration.
[bcd2922]235 </para>
[3c0f868f]236 </note>
237
[bcd2922]238 <para>
[14c71e0]239 If <application>PAM</application> is installed on the system,
240 <application>Sudo</application> is built with
[b4c31a6]241 <application>PAM</application> support. In that case, issue the
242 following command as the <systemitem class="username">root</systemitem>
243 user to create the <application>PAM</application> configuration file:
[bcd2922]244 </para>
[8890b85f]245
[add8d4f]246<screen role="root"><userinput>cat &gt; /etc/pam.d/sudo &lt;&lt; "EOF"
247<literal># Begin /etc/pam.d/sudo
[b3a4f60]248
249# include the default auth settings
250auth include system-auth
251
252# include the default account settings
253account include system-account
254
255# Set default environment variables for the service user
256session required pam_env.so
257
258# include system session defaults
259session include system-session
260
[add8d4f]261# End /etc/pam.d/sudo</literal>
[b3a4f60]262EOF
263chmod 644 /etc/pam.d/sudo</userinput></screen>
[fd7e0ed6]264
[cf341b4]265 </sect3>
266
267 </sect2>
268
269 <sect2 role="content">
270 <title>Contents</title>
271
272 <segmentedlist>
273 <segtitle>Installed Programs</segtitle>
[9d53187]274 <segtitle>Installed Libraries</segtitle>
[cf341b4]275 <segtitle>Installed Directories</segtitle>
276
277 <seglistitem>
[bcd2922]278 <seg>
[a82b5f44]279 cvtsudoers, sudo, sudo_logsrvd, sudo_sendlog,
280 sudoedit (symlink), sudoreplay, and visudo
[bcd2922]281 </seg>
282 <seg>
[a82b5f44]283 <!-- [pierre, September 25, 2020] except libsudo_util, the other
284 shared objects in /usr/lib/sudo look more like modules than
285 libraries. Leaving them now, and updating the list, but I think
286 they should not be listed. -->
287 audit_json.so, group_file.so, libsudo_util.so, sample_approval.so,
[6b4f8529]288 sudoers.so, sudo_noexec.so, and system_group.so
[bcd2922]289 </seg>
290 <seg>
[7a47afc]291 /etc/sudoers.d,
[b378aa0]292 /usr/lib/sudo,
[06915b3]293 /usr/share/doc/sudo-&sudo-version;, and
[a82b5f44]294 /var/lib/sudo
[bcd2922]295 </seg>
[cf341b4]296 </seglistitem>
297 </segmentedlist>
298
299 <variablelist>
300 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
301 <?dbfo list-presentation="list"?>
302 <?dbhtml list-presentation="table"?>
303
[d7bbb40]304 <varlistentry id="cvtsudoers">
305 <term><command>cvtsudoers</command></term>
306 <listitem>
307 <para>
308 converts between sudoers file formats.
309 </para>
310 <indexterm zone="sudo cvtsudoers">
311 <primary sortas="b-cvtsudoers">cvtsudoers</primary>
312 </indexterm>
313 </listitem>
314 </varlistentry>
315
[cf341b4]316 <varlistentry id="sudo_prog">
317 <term><command>sudo</command></term>
318 <listitem>
[bcd2922]319 <para>
320 executes a command as another user as permitted by
321 the <filename>/etc/sudoers</filename> configuration file.
[cf341b4]322 </para>
323 <indexterm zone="sudo sudo">
324 <primary sortas="b-sudo">sudo</primary>
325 </indexterm>
326 </listitem>
327 </varlistentry>
328
[a82b5f44]329 <varlistentry id="sudo_logsrvd">
330 <term><command>sudo_logsrvd</command></term>
331 <listitem>
332 <para>
333 is a sudo event and I/O log server.
334 </para>
335 <indexterm zone="sudo sudo_logsrvd">
336 <primary sortas="b-sudo_logsrvd">sudo_logsrvd</primary>
337 </indexterm>
338 </listitem>
339 </varlistentry>
340
341 <varlistentry id="sudo_sendlog">
342 <term><command>sudo_sendlog</command></term>
343 <listitem>
344 <para>
[c513d6e6]345 sends sudo I/O logs to the log server.
[a82b5f44]346 </para>
347 <indexterm zone="sudo sudo_sendlog">
348 <primary sortas="b-sudo_sendlog">sudo_sendlog</primary>
349 </indexterm>
350 </listitem>
351 </varlistentry>
352
[cf341b4]353 <varlistentry id="sudoedit">
354 <term><command>sudoedit</command></term>
355 <listitem>
[bcd2922]356 <para>
[a1e0f76]357 is a symlink to <command>sudo</command> that implies the
[bcd2922]358 <option>-e</option> option to invoke an editor as another user.
359 </para>
[cf341b4]360 <indexterm zone="sudo sudoedit">
361 <primary sortas="b-sudoedit">sudoedit</primary>
362 </indexterm>
363 </listitem>
364 </varlistentry>
365
[72d90b67]366 <varlistentry id="sudoreplay">
367 <term><command>sudoreplay</command></term>
[3c0f868f]368 <listitem>
[bcd2922]369 <para>
[72d90b67]370 is used to play back or list the output
371 logs created by <command>sudo</command>.
[bcd2922]372 </para>
[72d90b67]373 <indexterm zone="sudo sudoreplay">
374 <primary sortas="b-sudoreplay">sudoreplay</primary>
[3c0f868f]375 </indexterm>
376 </listitem>
377 </varlistentry>
378
[72d90b67]379 <varlistentry id="visudo">
380 <term><command>visudo</command></term>
[61b8305]381 <listitem>
[bcd2922]382 <para>
[72d90b67]383 allows for safer editing of the <filename>sudoers</filename>
384 file.
[bcd2922]385 </para>
[72d90b67]386 <indexterm zone="sudo visudo">
387 <primary sortas="b-visudo">visudo</primary>
[61b8305]388 </indexterm>
389 </listitem>
390 </varlistentry>
[3c0f868f]391
[cf341b4]392 </variablelist>
393
394 </sect2>
395
396</sect1>
Note: See TracBrowser for help on using the repository browser.