Sudo-&sudo-version;

Introduction to Sudo

The Sudo package allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while logging the commands and arguments.

&lfs10_checked;

Package Information

  Download (HTTP):
  Download (FTP):
  Download MD5 sum: &sudo-md5sum;
  Download size: &sudo-size;
  Estimated disk space required: &sudo-buildsize;
  Estimated build time: &sudo-time;

Additional Downloads

  Required patch to fix issues when not using sendmail:

Sudo Dependencies

Optional

  , , , (that provides a sendmail command), AFS, FWTK, and Opie

User Notes:

Installation of Sudo

First, fix a bug identified upstream:

    patch -Np1 -i ../sudo-&sudo-version;-upstream_fix-1.patch

Install Sudo by running the following commands:

    ./configure --prefix=/usr              \
                --libexecdir=/usr/lib      \
                --with-secure-path         \
                --with-all-insults         \
                --with-env-editor          \
                --docdir=/usr/share/doc/sudo-&sudo-version; \
                --with-passprompt="[sudo] password for %p: " &&
    make

To test the results, issue:

    env LC_ALL=C make check 2>&1 | tee ../make-check.log

Check the results with:

    grep failed ../make-check.log

Now, as the root user:

    make install &&
    ln -sfv libsudo_util.so.0.0.0 /usr/lib/sudo/libsudo_util.so.0

Command Explanations

--libexecdir=/usr/lib: This switch controls where private programs are installed. Everything in that directory is a library, so they belong under /usr/lib instead of /usr/libexec.

--with-secure-path: This switch transparently adds /sbin and /usr/sbin directories to the PATH environment variable.

--with-all-insults: This switch includes all the sudo insult sets.

--with-env-editor: This switch enables use of the environment variable EDITOR for visudo.

--with-passprompt: This switch sets the password prompt. The %p will be expanded to the name of the user whose password is being requested.

: This switch avoids building Linux-PAM support when Linux-PAM is installed on the system.
There are many options to sudo's configure command. Check the configure --help output for a complete list.

ln -sfv libsudo_util...: Works around a bug in the installation process, which links to the previously installed version (if there is one) instead of the new one.

Configuring Sudo

Config File

  /etc/sudoers

Configuration Information

The sudoers file can be quite complicated. It is composed of two types of entries: aliases (basically variables) and user specifications (which specify who may run what). The installation installs a default configuration that has no privileges installed for any user.

A couple of common configuration changes are to set the path for the super user and to allow members of the wheel group to execute all commands after providing their own credentials. Use the following commands to create the /etc/sudoers.d/sudo configuration file as the root user:

    cat > /etc/sudoers.d/sudo << "EOF"
    Defaults secure_path="/usr/bin:/bin:/usr/sbin:/sbin"
    %wheel ALL=(ALL) ALL
    EOF

For details, see man sudoers.

The Sudo developers highly recommend using the visudo program to edit the sudoers file. This provides basic sanity checking, such as syntax parsing and file permission checks, to avoid some possible mistakes that could lead to a vulnerable configuration.

If PAM is installed on the system, Sudo is built with PAM support.
In that case, issue the following command as the root user to create the PAM configuration file:

    cat > /etc/pam.d/sudo << "EOF"
    # Begin /etc/pam.d/sudo

    # include the default auth settings
    auth      include     system-auth

    # include the default account settings
    account   include     system-account

    # Set default environment variables for the service user
    session   required    pam_env.so

    # include system session defaults
    session   include     system-session

    # End /etc/pam.d/sudo
    EOF
    chmod 644 /etc/pam.d/sudo

Contents

  Installed Programs: cvtsudoers, sudo, sudo_logsrvd, sudo_sendlog, sudoedit (symlink), sudoreplay, and visudo
  Installed Libraries: audit_json.so, group_file.so, libsudo_util.so, sample_approval.so, sudoers.so, sudo_noexec.so, and system_group.so
  Installed Directories: /etc/sudoers.d, /usr/lib/sudo, /usr/share/doc/sudo-&sudo-version;, and /var/lib/sudo

Short Descriptions

  cvtsudoers converts between sudoers file formats.
  sudo executes a command as another user as permitted by the /etc/sudoers configuration file.
  sudo_logsrvd is a sudo event and I/O log server.
  sudo_sendlog sends sudo I/O log to the log server.
  sudoedit is a symlink to sudo that implies the option to invoke an editor as another user.
  sudoreplay is used to play back or list the output logs created by sudo.
  visudo allows for safer editing of the sudoers file.
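
The Configuring Sudo section recommends visudo so that a syntax error is caught before a sudoers change takes effect. The shell helper below is an added example, not part of the BLFS instructions: it runs that check on a staged copy of a drop-in and only then moves it into /etc/sudoers.d with mode 0440. The function names and exit codes are hypothetical; the file-name rule (sudo skips include-directory files whose names contain '.' or end in '~') is from the sudoers manual.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not part of the BLFS instructions.

# sudo silently skips files in an include directory whose names contain
# '.' or end in '~', so a drop-in with such a name would never be read.
dropin_name_ok() {
    case "$1" in
        ''|*.*|*~|*/*) return 1 ;;
        *) return 0 ;;
    esac
}

# install_dropin DIR NAME   (the sudoers rules are read from stdin)
# Exit status: 0 installed, 2 bad name, 3 visudo missing,
#              4 visudo rejected the syntax, 1 any other failure.
install_dropin() (
    dir=$1 name=$2
    dropin_name_ok "$name" || { echo "bad drop-in name: $name" >&2; exit 2; }
    # Fail closed: never install rules that could not be checked.
    command -v visudo >/dev/null 2>&1 || { echo "visudo not found" >&2; exit 3; }
    umask 077
    # The staging name contains '.', so sudo ignores it while it exists.
    tmp=$(mktemp "$dir/.stage.XXXXXX") || exit 1
    trap 'rm -f "$tmp"' EXIT
    cat > "$tmp" || exit 1
    # -c: check only, -f: check this file instead of /etc/sudoers.
    visudo -cf "$tmp" >/dev/null || { echo "syntax check failed" >&2; exit 4; }
    chmod 0440 "$tmp" || exit 1
    # rename() within one directory is atomic: sudo sees the old file or
    # the new one, never a partially written one.
    mv -f "$tmp" "$dir/$name"
)
```

As root, the page's own drop-in could be installed with: install_dropin /etc/sudoers.d sudo, feeding the two rule lines on stdin.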