Last change on this file since 193bdf3 was 193bdf3, checked in by Bruce Dubbs <bdubbs@…>, 9 months ago

Expand sudo configuration comments

1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY sudo-download-http "https://www.sudo.ws/dist/sudo-&sudo-version;.tar.gz">
8 <!ENTITY sudo-download-ftp "ftp://ftp.sudo.ws/pub/sudo/sudo-&sudo-version;.tar.gz">
9 <!ENTITY sudo-md5sum "f831c1d62835cde89c261465d9c781e4">
10 <!ENTITY sudo-size "4.1 MB">
11 <!ENTITY sudo-buildsize "45 MB (add 14 MB for tests)">
12 <!ENTITY sudo-time "0.5 SBU (add 0.1 SBU for tests)">
13]>
14
15<sect1 id="sudo" xreflabel="Sudo-&sudo-version;">
16 <?dbhtml filename="sudo.html"?>
17
18 <sect1info>
19 <date>$Date$</date>
20 </sect1info>
21
22 <title>Sudo-&sudo-version;</title>
23
24 <indexterm zone="sudo">
25 <primary sortas="a-Sudo">Sudo</primary>
26 </indexterm>
27
28 <sect2 role="package">
29 <title>Introduction to Sudo</title>
30
31 <para>
32 The <application>Sudo</application> package allows a system administrator
33 to give certain users (or groups of users) the ability to run
34 some (or all) commands as
35 <systemitem class="username">root</systemitem> or another user while
36 logging the commands and arguments.
37 </para>
38
39 &lfs110a_checked;
40
41 <bridgehead renderas="sect3">Package Information</bridgehead>
42 <itemizedlist spacing="compact">
43 <listitem>
44 <para>
45 Download (HTTP): <ulink url="&sudo-download-http;"/>
46 </para>
47 </listitem>
48 <listitem>
49 <para>
50 Download (FTP): <ulink url="&sudo-download-ftp;"/>
51 </para>
52 </listitem>
      <listitem>
        <para>
          Download MD5 sum: &sudo-md5sum; (an MD5 sum only detects a
          corrupted download, not a substituted one; for a program that
          runs with root privileges, also verify the PGP signature the
          sudo project publishes alongside each release tarball)
        </para>
      </listitem>
58 <listitem>
59 <para>
60 Download size: &sudo-size;
61 </para>
62 </listitem>
63 <listitem>
64 <para>
65 Estimated disk space required: &sudo-buildsize;
66 </para>
67 </listitem>
68 <listitem>
69 <para>
70 Estimated build time: &sudo-time;
71 </para>
72 </listitem>
73 </itemizedlist>
74
75 <bridgehead renderas="sect3">Sudo Dependencies</bridgehead>
76
77 <bridgehead renderas="sect4">Optional</bridgehead>
78 <para role="optional">
79 <xref linkend="linux-pam"/>,
80 <xref linkend="mitkrb"/>,
81 <xref linkend="openldap"/>,
82 <xref linkend="server-mail"/> (that provides a
83 <command>sendmail</command> command),
84 <ulink url="http://www.openafs.org/">AFS</ulink>,
85 <ulink url="http://www.fwtk.org/">FWTK</ulink>, and
86 <ulink url="&sourceforge-dl;/opie/">Opie</ulink>
87 </para>
88
89 <para condition="html" role="usernotes">User Notes:
90 <ulink url="&blfs-wiki;/sudo"/>
91 </para>
92 </sect2>
93
94 <sect2 role="installation">
95 <title>Installation of Sudo</title>
96
97 <para>
98 Install <application>Sudo</application> by running the following commands:
99 </para>
100
101<screen><userinput>./configure --prefix=/usr \
102 --libexecdir=/usr/lib \
103 --with-secure-path \
104 --with-all-insults \
105 --with-env-editor \
106 --docdir=/usr/share/doc/sudo-&sudo-version; \
107 --with-passprompt="[sudo] password for %p: " &amp;&amp;
108make</userinput></screen>
109
110 <para>
111 To test the results, issue: <command>env LC_ALL=C make check 2&gt;&amp;1
112 | tee make-check.log</command>. Check the results with <command>grep
113 failed make-check.log</command>.
114 </para>
115
116 <para>
117 Now, as the <systemitem class="username">root</systemitem> user:
118 </para>
119
120<screen role="root"><userinput>make install &amp;&amp;
121ln -sfv libsudo_util.so.0.0.0 /usr/lib/sudo/libsudo_util.so.0</userinput></screen>
122
123 </sect2>
124
125 <sect2 role="commands">
126 <title>Command Explanations</title>
127
128 <para>
129 <parameter>--libexecdir=/usr/lib</parameter>: This switch controls where
130 private programs are installed. Everything in that directory is a library, so
131 they belong under <filename class="directory">/usr/lib</filename> instead of
132 <filename class="directory">/usr/libexec</filename>.
133 </para>
134
    <para>
      <parameter>--with-secure-path</parameter>: This switch compiles in a
      default <varname>secure_path</varname>. When a secure path is in
      effect, <command>sudo</command> replaces the invoking user's
      <envar>PATH</envar> with that fixed list of system directories
      (including the <filename class="directory">sbin</filename>
      directories) for the command it runs, so a directory the user controls
      cannot be searched ahead of the system ones. The sudoers configuration
      below sets the value explicitly.
    </para>
141
142 <para>
143 <parameter>--with-all-insults</parameter>: This switch includes all the
144 <application>sudo</application> insult sets.
145 </para>
146
147 <para>
148 <parameter>--with-env-editor</parameter>: This switch enables use of the
149 environment variable EDITOR for <command>visudo</command>.
150 </para>
151
152 <para>
153 <parameter>--with-passprompt</parameter>: This switch sets the password prompt.
154 The <parameter>%p</parameter> will be expanded to the name of the user whose password is being requested.
155 </para>
156
157 <para>
158 <option>--without-pam</option>: This switch avoids building
159 <application>Linux-PAM</application> support when
160 <application>Linux-PAM</application> is installed on the system.
161 </para>
162<!-- See the developer note above before the configure command
163 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
164 href="../../xincludes/static-libraries.xml"/>-->
165
166 <note>
167 <para>
168 There are many options to <application>sudo</application>'s
169 <command>configure</command> command. Check the
170 <command>configure --help</command> output for a complete list.
171 </para>
172 </note>
173
174 <para>
175 <command>ln -sfv libsudo_util...</command>: Works around a bug in the
176 installation process, which links to the previously installed
177 version (if there is one) instead of the new one.
178 </para>
179
180 </sect2>
181
182 <sect2 role="configuration">
183 <title>Configuring Sudo</title>
184
185 <sect3 id="sudo-config">
186 <title>Config File</title>
187
188 <para>
189 <filename>/etc/sudoers</filename>
190 </para>
191
192 <indexterm zone="sudo sudo-config">
193 <primary sortas="e-etc-sudoers">/etc/sudoers</primary>
194 </indexterm>
195
196 </sect3>
197
198 <sect3>
199 <title>Configuration Information</title>
200
      <para>
        The <filename>sudoers</filename> file can be quite complicated. It
        is composed of two types of entries: aliases (basically variables) and
        user specifications (which specify who may run what). The installation
        installs a default configuration that grants no privileges to any
        user.
      </para>
208
      <para>
        A couple of common configuration changes are to set the path for the
        super user and to allow members of the wheel group to execute all
        commands after providing their own credentials. Use the following
        commands to create the <filename>/etc/sudoers.d/00-sudo</filename>
        configuration file as the
        <systemitem class="username">root</systemitem> user:
      </para>
217
<screen role="root"><userinput>cat &gt; /etc/sudoers.d/00-sudo &lt;&lt; "EOF"
<literal>Defaults secure_path="/usr/sbin:/usr/bin"
%wheel ALL=(ALL) ALL</literal>
EOF
chmod 0440 /etc/sudoers.d/00-sudo</userinput></screen>
222
223 <note>
        <para>
          In very simple installations where there is only one user, it
          may be easier to just edit the <filename>/etc/sudoers</filename>
          file directly (with <command>visudo</command>). In that case, the
          <varname>secure_path</varname> entry may not be needed, and
          <command>sudo -E ...</command> can import the non-privileged
          user's full environment into the privileged session. Be aware of
          what that means: the root session then trusts variables chosen by
          the unprivileged user (<envar>PATH</envar> among them), so anything
          able to alter that user's environment can influence commands run as
          root. <command>sudo -E</command> is only honoured when the sudoers
          policy permits it (the <varname>setenv</varname> option or the
          <literal>SETENV</literal> tag); passing through individual
          variables with <varname>env_keep</varname> is the narrower
          alternative. See <command>man sudoers</command>.
        </para>
232
        <para>
          The files in the <filename class="directory">/etc/sudoers.d</filename>
          directory are parsed in sorted lexical order at the point where
          <filename>/etc/sudoers</filename> includes the directory (hence the
          <literal>00-</literal> prefix above). Entries are cumulative, and
          when several entries match the last match is the one applied, so a
          later file can silently override a <literal>Defaults</literal>
          setting or a user specification made in an earlier one. Files
          whose names contain a <literal>.</literal> or end in
          <literal>~</literal> are ignored. Each file must be owned by
          <systemitem class="username">root</systemitem> and must not be
          writable by group or other.
        </para>
238 </note>
239
240 <para>
241 For details, see <command>man sudoers</command>.
242 </para>
243
      <note>
        <para>
          The <application>Sudo</application> developers highly recommend
          using the <command>visudo</command> program to edit the
          <filename>sudoers</filename> file. <command>visudo</command> locks
          the file against concurrent edits, parses the result before
          installing it, and installs it with the expected owner and
          permissions; this guards against mistakes that could either lock
          every user out of <command>sudo</command> or lead to a vulnerable
          configuration. Use <command>visudo -f
          /etc/sudoers.d/00-sudo</command> to edit a drop-in file with the
          same checks, and <command>visudo -c</command> to check the whole
          configuration before relying on it.
        </para>
      </note>
253
254 <para>
255 If <application>PAM</application> is installed on the system,
256 <application>Sudo</application> is built with
257 <application>PAM</application> support. In that case, issue the
258 following command as the <systemitem class="username">root</systemitem>
259 user to create the <application>PAM</application> configuration file:
260 </para>
261
262<screen role="root"><userinput>cat &gt; /etc/pam.d/sudo &lt;&lt; "EOF"
263<literal># Begin /etc/pam.d/sudo
264
265# include the default auth settings
266auth include system-auth
267
268# include the default account settings
269account include system-account
270
271# Set default environment variables for the service user
272session required pam_env.so
273
274# include system session defaults
275session include system-session
276
277# End /etc/pam.d/sudo</literal>
278EOF
279chmod 644 /etc/pam.d/sudo</userinput></screen>
280
281 </sect3>
282
283 </sect2>
284
285 <sect2 role="content">
286 <title>Contents</title>
287
288 <segmentedlist>
289 <segtitle>Installed Programs</segtitle>
290 <segtitle>Installed Libraries</segtitle>
291 <segtitle>Installed Directories</segtitle>
292
293 <seglistitem>
294 <seg>
295 cvtsudoers, sudo, sudo_logsrvd, sudo_sendlog,
296 sudoedit (symlink), sudoreplay, and visudo
297 </seg>
298 <seg>
299 <!-- [pierre, September 25, 2020] except libsudo_util, the other
300 shared objects in /usr/lib/sudo look more like modules than
301 libraries. Leaving them now, and updating the list, but I think
302 they should not be listed. -->
303 audit_json.so, group_file.so, libsudo_util.so, sample_approval.so,
304 sudoers.so, sudo_noexec.so, and system_group.so
305 </seg>
306 <seg>
307 /etc/sudoers.d,
308 /usr/lib/sudo,
309 /usr/share/doc/sudo-&sudo-version;, and
310 /var/lib/sudo
311 </seg>
312 </seglistitem>
313 </segmentedlist>
314
315 <variablelist>
316 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
317 <?dbfo list-presentation="list"?>
318 <?dbhtml list-presentation="table"?>
319
320 <varlistentry id="cvtsudoers">
321 <term><command>cvtsudoers</command></term>
322 <listitem>
323 <para>
324 converts between sudoers file formats
325 </para>
326 <indexterm zone="sudo cvtsudoers">
327 <primary sortas="b-cvtsudoers">cvtsudoers</primary>
328 </indexterm>
329 </listitem>
330 </varlistentry>
331
332 <varlistentry id="sudo_prog">
333 <term><command>sudo</command></term>
334 <listitem>
335 <para>
336 executes a command as another user as permitted by
337 the <filename>/etc/sudoers</filename> configuration file
338 </para>
339 <indexterm zone="sudo sudo">
340 <primary sortas="b-sudo">sudo</primary>
341 </indexterm>
342 </listitem>
343 </varlistentry>
344
345 <varlistentry id="sudo_logsrvd">
346 <term><command>sudo_logsrvd</command></term>
347 <listitem>
348 <para>
349 is a sudo event and I/O log server
350 </para>
351 <indexterm zone="sudo sudo_logsrvd">
352 <primary sortas="b-sudo_logsrvd">sudo_logsrvd</primary>
353 </indexterm>
354 </listitem>
355 </varlistentry>
356
357 <varlistentry id="sudo_sendlog">
358 <term><command>sudo_sendlog</command></term>
359 <listitem>
360 <para>
361 sends sudo I/O logs to the log server
362 </para>
363 <indexterm zone="sudo sudo_sendlog">
364 <primary sortas="b-sudo_sendlog">sudo_sendlog</primary>
365 </indexterm>
366 </listitem>
367 </varlistentry>
368
369 <varlistentry id="sudoedit">
370 <term><command>sudoedit</command></term>
371 <listitem>
372 <para>
373 is a symlink to <command>sudo</command> that implies the
374 <option>-e</option> option to invoke an editor as another user
375 </para>
376 <indexterm zone="sudo sudoedit">
377 <primary sortas="b-sudoedit">sudoedit</primary>
378 </indexterm>
379 </listitem>
380 </varlistentry>
381
382 <varlistentry id="sudoreplay">
383 <term><command>sudoreplay</command></term>
384 <listitem>
385 <para>
386 is used to play back or list the output
387 logs created by <command>sudo</command>
388 </para>
389 <indexterm zone="sudo sudoreplay">
390 <primary sortas="b-sudoreplay">sudoreplay</primary>
391 </indexterm>
392 </listitem>
393 </varlistentry>
394
395 <varlistentry id="visudo">
396 <term><command>visudo</command></term>
397 <listitem>
398 <para>
399 allows for safer editing of the <filename>sudoers</filename>
400 file
401 </para>
402 <indexterm zone="sudo visudo">
403 <primary sortas="b-visudo">visudo</primary>
404 </indexterm>
405 </listitem>
406 </varlistentry>
407
408 </variablelist>
409
410 </sect2>
411
412</sect1>