source: postlfs/security/sudo.xml@ 1ed7820

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY sudo-download-http "http://www.sudo.ws/sudo/dist/sudo-&sudo-version;.tar.gz">
  <!ENTITY sudo-download-ftp  "ftp://ftp.twaren.net/Unix/Security/Sudo/sudo-&sudo-version;.tar.gz">
  <!ENTITY sudo-md5sum        "000f458e7391be9fdf459a9ad6a4912a">
  <!ENTITY sudo-size          "1.4 MB">
  <!ENTITY sudo-buildsize     "13 MB">
  <!ENTITY sudo-time          "0.2 SBU">
]>

<sect1 id="sudo" xreflabel="sudo-&sudo-version;">
  <?dbhtml filename="sudo.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>Sudo-&sudo-version;</title>

  <indexterm zone="sudo">
    <primary sortas="a-sudo">sudo</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to Sudo</title>

    <para>The <application>sudo</application> package allows a system
    administrator to give certain users (or groups of users) the ability to run
    some (or all) commands as
    <systemitem class="username">root</systemitem> or another user while
    logging the commands and arguments.</para>

    &lfs70_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>Download (HTTP): <ulink url="&sudo-download-http;"/></para>
      </listitem>
      <listitem>
        <para>Download (FTP): <ulink url="&sudo-download-ftp;"/></para>
      </listitem>
      <listitem>
        <para>Download MD5 sum: &sudo-md5sum;</para>
      </listitem>
      <listitem>
        <para>Download size: &sudo-size;</para>
      </listitem>
      <listitem>
        <para>Estimated disk space required: &sudo-buildsize;</para>
      </listitem>
      <listitem>
        <para>Estimated build time: &sudo-time;</para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Sudo Dependencies</bridgehead>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional"><xref linkend="linux-pam"/>,
    <ulink url="ftp://ftp.nrl.navy.mil/pub/security/opie">Opie</ulink>,
    <ulink url="http://www.rsa.com/node.aspx?id=1156">SecurID</ulink>,
    <ulink url="http://www.fwtk.org/">FWTK</ulink>,
    an <xref linkend="server-mail"/> (that provides a
    <command>sendmail</command> command),
    <ulink url="http://www.pdc.kth.se/kth-krb/">krb4</ulink>,
    <xref linkend="heimdal"/> or <xref linkend="mitkrb"/>,
    <xref linkend="openldap"/>, and
    <ulink url="http://www.openafs.org/">AFS</ulink></para>

    <para condition="html" role="usernotes">User Notes:
    <ulink url="&blfs-wiki;/sudo"/></para>

  </sect2>

  <sect2 role="installation">
    <title>Installation of Sudo</title>

    <para>Install <application>sudo</application> by running
    the following commands:</para>

<screen><userinput>./configure --prefix=/usr \
            --libexecdir=/usr/lib \
            --with-ignore-dot \
            --with-all-insults \
            --enable-shell-sets-home \
            --disable-root-sudo \
            --with-logfac=auth \
            --without-pam \
            --without-sendmail &amp;&amp;
make</userinput></screen>

    <para>This package does not come with a test suite.</para>

    <para>Now, as the <systemitem class="username">root</systemitem> user:</para>

<screen role="root"><userinput>make install</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para><option>--with-ignore-dot</option>: This switch causes
    <application>sudo</application> to ignore '.' in the PATH.</para>

    <para><option>--with-all-insults</option>: This switch includes all the
    <application>sudo</application> insult sets.</para>

    <para><option>--enable-shell-sets-home</option>: This switch sets HOME to
    the target user in shell mode.</para>

    <para><option>--disable-root-sudo</option>: This switch keeps the
    <systemitem class="username">root</systemitem> user from running sudo,
    preventing users from chaining commands to get a root shell.</para>

    <para><option>--with-logfac=auth</option>: This switch forces use of the
    auth facility for logging.</para>

    <para><option>--without-pam</option>: This switch disables the use of
    <application>PAM</application> authentication. Omit if you have
    <application>PAM</application> installed.</para>

    <para><option>--without-sendmail</option>: This switch disables the use of
    sendmail.  Remove if you have a sendmail compatible MTA.</para>

    <para><option>--enable-noargs-shell</option>: This switch allows
    <application>sudo</application> to run a shell if invoked with no
    arguments.</para>

    <note>
      <para>There are many options to <application>sudo</application>'s
      <command>configure</command> command. Check the
      <command>configure --help</command> output for a complete list.</para>
    </note>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring Sudo</title>

    <sect3 id="sudo-config">
      <title>Config File</title>

      <para><filename>/etc/sudoers</filename></para>

      <indexterm zone="sudo sudo-config">
        <primary sortas="e-etc-sudoers">/etc/sudoers</primary>
      </indexterm>

    </sect3>

    <sect3>
      <title>Configuration Information</title>

      <para>The <filename>sudoers</filename> file can be quite complicated.  It
      is composed of two types of entries: aliases (basically variables) and
      user specifications (which specify who may run what).  The installation
      installs a default configuration that has no privileges installed for any
      user.</para>

      <para>One example usage is to allow the system administrator to execute
      any program without typing a password each time root privileges are
      needed.  This can be configured as:</para>

<screen># User alias specification
User_Alias  ADMIN = YourLoginId

# Allow people in group ADMIN to run all commands without a password
ADMIN       ALL = NOPASSWD: ALL</screen>

      <para>For details, see <command>man sudoers</command>.</para>

      <note>
        <para>The <application>Sudo</application> developers highly recommend
        using the <command>visudo</command> program to edit the
        <filename>sudoers</filename> file. This will provide basic sanity
        checking like syntax parsing and file permission to avoid some possible
        mistakes that could lead to a vulnerable configuration.</para>
      </note>

      <para>If you've built <application>Sudo</application> with
      <application>PAM</application> support, issue the following
      command as the <systemitem class="username">root</systemitem> user
      to create the <application>PAM</application> configuration file:</para>

<screen role="root"><userinput>cat &gt; /etc/pam.d/sudo &lt;&lt; "EOF" &amp;&amp;
# Begin /etc/pam.d/sudo

# include the default auth settings
auth      include     system-auth

# include the default account settings
account   include     system-account

# Use xauth keys (if available)
session   optional    pam_xauth.so

# Set default environment variables for the service user
session   required    pam_env.so

# include system session defaults
session   include     system-session

# End /etc/pam.d/sudo
EOF
chmod 644 /etc/pam.d/sudo</userinput></screen>

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Library</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>sudo, sudoedit, and visudo</seg>
        <seg>sudo_noexec.so</seg>
        <seg>None</seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="sudo_prog">
        <term><command>sudo</command></term>
        <listitem>
          <para>executes a command as another user as permitted by
          the <filename>/etc/sudoers</filename> configuration file.
          </para>
          <indexterm zone="sudo sudo">
            <primary sortas="b-sudo">sudo</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sudoedit">
        <term><command>sudoedit</command></term>
        <listitem>
          <para>is a hard link to <command>sudo</command> that implies
          the <option>-e</option> option to invoke an editor as another
          user.</para>
          <indexterm zone="sudo sudoedit">
            <primary sortas="b-sudoedit">sudoedit</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="visudo">
        <term><command>visudo</command></term>
        <listitem>
          <para>allows for safer editing of the <filename>sudoers</filename>
          file.</para>
          <indexterm zone="sudo visudo">
            <primary sortas="b-visudo">visudo</primary>
          </indexterm>
        </listitem>
      </varlistentry>


      <varlistentry id="sudo_noexec">
        <term><filename class='libraryfile'>sudo_noexec.so</filename></term>
        <listitem>
          <para>enables support for the "noexec" functionality which prevents
           a dynamically-linked program being run by sudo from executing
           another program (think shell escapes).</para>
          <indexterm zone="sudo sudo_noexec">
            <primary sortas="c-sudo_noexec">sudo_noexec.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>