source: postlfs/security/sudo.xml@ ce5616c

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY sudo-download-http "http://www.sudo.ws/dist/sudo-&sudo-version;.tar.gz">
  <!ENTITY sudo-download-ftp  "ftp://ftp.sudo.ws/pub/sudo/sudo-&sudo-version;.tar.gz">
  <!ENTITY sudo-md5sum        "b654699baebedd095fa525108ea12cbe">
  <!ENTITY sudo-size          "3.8 MB">
  <!ENTITY sudo-buildsize     "41 MB (add 9 MB for tests)">
  <!ENTITY sudo-time          "0.4 SBU (add 0.1 SBU for tests)">
]>

<sect1 id="sudo" xreflabel="Sudo-&sudo-version;">
  <?dbhtml filename="sudo.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>Sudo-&sudo-version;</title>

  <indexterm zone="sudo">
    <primary sortas="a-Sudo">Sudo</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to Sudo</title>

    <para>
      The <application>Sudo</application> package allows a system administrator
      to give certain users (or groups of users) the ability to run
      some (or all) commands as
      <systemitem class="username">root</systemitem> or another user while
      logging the commands and arguments.
    </para>

    &lfs10_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&sudo-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&sudo-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &sudo-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &sudo-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &sudo-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &sudo-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Additional Downloads</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Required patch to fix issues when not using sendmail:
          <ulink url="&patch-root;/sudo-&sudo-version;-upstream_fix-1.patch"/>
        </para>
      </listitem>
    </itemizedlist>



    <bridgehead renderas="sect3">Sudo Dependencies</bridgehead>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      <xref linkend="linux-pam"/>,
      <xref linkend="mitkrb"/>,
      <xref linkend="openldap"/>,
      <xref linkend="server-mail"/> (that provides a
      <command>sendmail</command> command),
      <ulink url="http://www.openafs.org/">AFS</ulink>,
      <ulink url="http://www.fwtk.org/">FWTK</ulink>, and
      <ulink url="&sourceforge-dl;/opie/">Opie</ulink>
<!--  <ulink url="http://www.rsa.com/node.aspx?id=1156">SecurID</ulink>-->
    </para>

    <para condition="html" role="usernotes">User Notes:
      <ulink url="&blfs-wiki;/sudo"/>
    </para>
  </sect2>

  <sect2 role="installation">
    <title>Installation of Sudo</title>

<!-- To my understanding, the Makefile.in does test on readable
     $(sudoersdir)/sudoers anyhow. This sed seems to be redundant.

    <para>
      First, fix a problem that prevents installation from completion:
    </para>

<screen><userinput>sed -e '/^pre-install:/{N;s@;@ -a -r $(sudoersdir)/sudoers;@}' \
    -i plugins/sudoers/Makefile.in</userinput></screen>
-->

    <para>First, fix a bug identified upstream:</para>

<screen><userinput>patch -Np1 -i ../sudo-&sudo-version;-upstream_fix-1.patch</userinput></screen>

    <para>
      Install <application>Sudo</application> by running the following commands:
    </para>

<!-- Developer: apparently it is disabled by default, although in configure it
is written otherwise           -disable-static           \-->
<screen><userinput>./configure --prefix=/usr              \
            --libexecdir=/usr/lib      \
            --with-secure-path         \
            --with-all-insults         \
            --with-env-editor          \
            --docdir=/usr/share/doc/sudo-&sudo-version; \
            --with-passprompt="[sudo] password for %p: " &amp;&amp;
make</userinput></screen>

    <para>
      To test the results, issue: <command>env LC_ALL=C make check 2&gt;&amp;1
      | tee ../make-check.log</command>. Check the results with <command>grep
      failed ../make-check.log</command>. <!--One test, test3, is known to fail
      if the tests are run as the root user.-->
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make install &amp;&amp;
ln -sfv libsudo_util.so.0.0.0 /usr/lib/sudo/libsudo_util.so.0</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
     <parameter>--libexecdir=/usr/lib</parameter>: This switch controls where
     private programs are installed.  Everything in that directory is a library, so
     they belong under <filename class="directory">/usr/lib</filename> instead of
     <filename class="directory">/usr/libexec</filename>.
    </para>

    <para>
      <parameter>--with-secure-path</parameter>: This switch transparently adds
      <filename class="directory">/sbin</filename> and <filename
      class="directory">/usr/sbin</filename> directories to the
      <envar>PATH</envar> environment variable.
    </para>

    <para>
      <parameter>--with-all-insults</parameter>: This switch includes all the
      <application>sudo</application> insult sets.
    </para>

    <para>
      <parameter>--with-env-editor</parameter>: This switch enables use of the
      environment variable EDITOR for <command>visudo</command>.
    </para>

    <para>
      <parameter>--with-passprompt</parameter>: This switch sets the password prompt.
      The <parameter>%p</parameter> will be expanded to the name of the user whose password is being requested.
    </para>

    <para>
      <option>--without-pam</option>: This switch avoids building
      <application>Linux-PAM</application> support when
      <application>Linux-PAM</application> is installed on the system.
    </para>
<!-- See the developer note above before the configure command
    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
      href="../../xincludes/static-libraries.xml"/>-->

    <note>
      <para>
        There are many options to <application>sudo</application>'s
        <command>configure</command> command. Check the
        <command>configure --help</command> output for a complete list.
      </para>
    </note>

    <para>
      <command>ln -sfv libsudo_util...</command>: Works around a bug in the
      installation process, which links to the previously installed
      version (if there is one) instead of the new one.
    </para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring Sudo</title>

    <sect3 id="sudo-config">
      <title>Config File</title>

      <para>
        <filename>/etc/sudoers</filename>
      </para>

      <indexterm zone="sudo sudo-config">
        <primary sortas="e-etc-sudoers">/etc/sudoers</primary>
      </indexterm>

    </sect3>

    <sect3>
      <title>Configuration Information</title>

      <para>
        The <filename>sudoers</filename> file can be quite complicated.  It
        is composed of two types of entries: aliases (basically variables) and
        user specifications (which specify who may run what).  The installation
        installs a default configuration that has no privileges installed for
        any user.
      </para>

      <para>
        A couple of common configuration chanes are to set the path for the
        super user and to allow members of the wheel group to execute all
        commands after providing their own credientials. Use the following
        commands to create the <filename>/etc/sudoers.d/sudo</filename>
        configuration file as the
        <systemitem class="username">root</systemitem> user:
      </para>

<screen role="root"><userinput>cat &gt; /etc/sudoers.d/sudo &lt;&lt; "EOF"
<literal>Defaults secure_path="/usr/bin:/bin:/usr/sbin:/sbin"
%wheel ALL=(ALL) ALL</literal>
EOF</userinput></screen>
      
      <para>
        For details, see <command>man sudoers</command>.
      </para>

      <note>
        <para>
          The <application>Sudo</application> developers highly recommend
          using the <command>visudo</command> program to edit the
          <filename>sudoers</filename> file. This will provide basic sanity
          checking like syntax parsing and file permission to avoid some
          possible mistakes that could lead to a vulnerable configuration.
        </para>
      </note>

      <para>
        If <application>PAM</application> is installed on the system,
        <application>Sudo</application> is built with
        <application>PAM</application> support. In that case, issue the
        following command as the <systemitem class="username">root</systemitem>
        user to create the <application>PAM</application> configuration file:
      </para>

<screen role="root"><userinput>cat &gt; /etc/pam.d/sudo &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/sudo

# include the default auth settings
auth      include     system-auth

# include the default account settings
account   include     system-account

# Set default environment variables for the service user
session   required    pam_env.so

# include system session defaults
session   include     system-session

# End /etc/pam.d/sudo</literal>
EOF
chmod 644 /etc/pam.d/sudo</userinput></screen>

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>
          cvtsudoers, sudo, sudo_logsrvd, sudo_sendlog,
          sudoedit (symlink), sudoreplay, and visudo
        </seg>
        <seg>
          <!-- [pierre, September 25, 2020] except libsudo_util, the other
          shared objects in /usr/lib/sudo look more like modules than
          libraries. Leaving them now, and updating the list, but I think
          they should not be listed. -->
          audit_json.so, group_file.so, libsudo_util.so, sample_approval.so,
          sudoers.so, sudo_noexec.so, and system_group.so
        </seg>
        <seg>
          /etc/sudoers.d,
          /usr/lib/sudo,
          /usr/share/doc/sudo-&sudo-version;, and
          /var/lib/sudo
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="cvtsudoers">
        <term><command>cvtsudoers</command></term>
        <listitem>
          <para>
            converts between sudoers file formats.
          </para>
          <indexterm zone="sudo cvtsudoers">
            <primary sortas="b-cvtsudoers">cvtsudoers</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sudo_prog">
        <term><command>sudo</command></term>
        <listitem>
          <para>
            executes a command as another user as permitted by
            the <filename>/etc/sudoers</filename> configuration file.
          </para>
          <indexterm zone="sudo sudo">
            <primary sortas="b-sudo">sudo</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sudo_logsrvd">
        <term><command>sudo_logsrvd</command></term>
        <listitem>
          <para>
            is a sudo event and I/O log server.
          </para>
          <indexterm zone="sudo sudo_logsrvd">
            <primary sortas="b-sudo_logsrvd">sudo_logsrvd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sudo_sendlog">
        <term><command>sudo_sendlog</command></term>
        <listitem>
          <para>
            sends sudo I/O log to the log server.
          </para>
          <indexterm zone="sudo sudo_sendlog">
            <primary sortas="b-sudo_sendlog">sudo_sendlog</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sudoedit">
        <term><command>sudoedit</command></term>
        <listitem>
          <para>
            is a symlink to <command>sudo</command> that implies the
            <option>-e</option> option to invoke an editor as another user.
          </para>
          <indexterm zone="sudo sudoedit">
            <primary sortas="b-sudoedit">sudoedit</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sudoreplay">
        <term><command>sudoreplay</command></term>
        <listitem>
          <para>
            is used to play back or list the output
            logs created by <command>sudo</command>.
          </para>
          <indexterm zone="sudo sudoreplay">
            <primary sortas="b-sudoreplay">sudoreplay</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="visudo">
        <term><command>visudo</command></term>
        <listitem>
          <para>
            allows for safer editing of the <filename>sudoers</filename>
            file.
          </para>
          <indexterm zone="sudo visudo">
            <primary sortas="b-visudo">visudo</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>