1 | <?xml version="1.0" encoding="UTF-8"?>
|
---|
2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
---|
3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
---|
4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
---|
5 | %general-entities;
|
---|
6 |
|
---|
7 | <!ENTITY sudo-download-http "https://www.sudo.ws/dist/sudo-&sudo-version;.tar.gz">
|
---|
8 | <!ENTITY sudo-download-ftp " ">
|
---|
9 | <!ENTITY sudo-md5sum "d584d756e0cd72f1019e8f0aec9e1564">
|
---|
10 | <!ENTITY sudo-size "5.2 MB">
|
---|
11 | <!ENTITY sudo-buildsize "54 MB (add 18 MB for tests)">
|
---|
12 | <!ENTITY sudo-time "0.2 SBU (with parallelism=4; add 0.1 SBU for tests)">
|
---|
13 | ]>
|
---|
14 |
|
---|
15 | <sect1 id="sudo" xreflabel="Sudo-&sudo-version;">
|
---|
16 | <?dbhtml filename="sudo.html"?>
|
---|
17 |
|
---|
18 |
|
---|
19 | <title>Sudo-&sudo-version;</title>
|
---|
20 |
|
---|
21 | <indexterm zone="sudo">
|
---|
22 | <primary sortas="a-Sudo">Sudo</primary>
|
---|
23 | </indexterm>
|
---|
24 |
|
---|
25 | <sect2 role="package">
|
---|
26 | <title>Introduction to Sudo</title>
|
---|
27 |
|
---|
28 | <para>
|
---|
29 | The <application>Sudo</application> package allows a system administrator
|
---|
30 | to give certain users (or groups of users) the ability to run
|
---|
31 | some (or all) commands as
|
---|
32 | <systemitem class="username">root</systemitem> or another user while
|
---|
33 | logging the commands and arguments.
|
---|
34 | </para>
|
---|
35 |
|
---|
36 | &lfs122_checked;
|
---|
37 |
|
---|
38 | <bridgehead renderas="sect3">Package Information</bridgehead>
|
---|
39 | <itemizedlist spacing="compact">
|
---|
40 | <listitem>
|
---|
41 | <para>
|
---|
42 | Download (HTTP): <ulink url="&sudo-download-http;"/>
|
---|
43 | </para>
|
---|
44 | </listitem>
|
---|
45 | <listitem>
|
---|
46 | <para>
|
---|
47 | Download (FTP): <ulink url="&sudo-download-ftp;"/>
|
---|
48 | </para>
|
---|
49 | </listitem>
|
---|
50 | <listitem>
|
---|
51 | <para>
|
---|
52 | Download MD5 sum: &sudo-md5sum;
|
---|
53 | </para>
|
---|
54 | </listitem>
|
---|
55 | <listitem>
|
---|
56 | <para>
|
---|
57 | Download size: &sudo-size;
|
---|
58 | </para>
|
---|
59 | </listitem>
|
---|
60 | <listitem>
|
---|
61 | <para>
|
---|
62 | Estimated disk space required: &sudo-buildsize;
|
---|
63 | </para>
|
---|
64 | </listitem>
|
---|
65 | <listitem>
|
---|
66 | <para>
|
---|
67 | Estimated build time: &sudo-time;
|
---|
68 | </para>
|
---|
69 | </listitem>
|
---|
70 | </itemizedlist>
|
---|
71 |
|
---|
72 | <bridgehead renderas="sect3">Sudo Dependencies</bridgehead>
|
---|
73 |
|
---|
74 | <bridgehead renderas="sect4">Optional</bridgehead>
|
---|
75 | <para role="optional">
|
---|
76 | <xref linkend="linux-pam"/>,
|
---|
77 | <xref linkend="mitkrb"/>,
|
---|
78 | <xref linkend="openldap"/>,
|
---|
79 | <xref linkend="server-mail"/> (that provides a
|
---|
80 | <command>sendmail</command> command),
|
---|
81 | <ulink url="https://www.openafs.org/">AFS</ulink>,
|
---|
82 | <!-- It seems dead for decades, nowhere to download source code
|
---|
83 | <ulink url="https://www.fwtk.org/">FWTK</ulink>, and
|
---|
84 | -->
|
---|
85 | <ulink url="https://github.com/linux-audit/audit-userspace">libaudit</ulink>,
|
---|
86 | <ulink url="&sourceforge-dl;/opie/">Opie</ulink>, and
|
---|
87 | <ulink url="https://sssd.io/">Sssd</ulink>
|
---|
88 | </para>
|
---|
89 |
|
---|
90 | </sect2>
|
---|
91 |
|
---|
92 | <sect2 role="installation">
|
---|
93 | <title>Installation of Sudo</title>
|
---|
94 |
|
---|
95 | <para>
|
---|
96 | Install <application>Sudo</application> by running the following commands:
|
---|
97 | </para>
|
---|
98 |
|
---|
99 | <screen><userinput>./configure --prefix=/usr \
|
---|
100 | --libexecdir=/usr/lib \
|
---|
101 | --with-secure-path \
|
---|
102 | --with-env-editor \
|
---|
103 | --docdir=/usr/share/doc/sudo-&sudo-version; \
|
---|
104 | --with-passprompt="[sudo] password for %p: " &&
|
---|
105 | make</userinput></screen>
|
---|
106 |
|
---|
107 | <para>
|
---|
108 | To test the results, issue:
|
---|
109 | <!-- line breaks in command tags confuse jhalfs -->
|
---|
110 | <command>env LC_ALL=C make check |& tee make-check.log</command>.
|
---|
111 | Check the results with <command>grep failed make-check.log</command>.
|
---|
112 | </para>
|
---|
113 |
|
---|
114 | <para>
|
---|
115 | Now, as the <systemitem class="username">root</systemitem> user:
|
---|
116 | </para>
|
---|
117 |
|
---|
118 | <!-- for a DESTDIR install as normal user, use
|
---|
119 | "make install INSTALL_OWNER= DESTDIR=<destdir>"-->
|
---|
120 | <screen role="root"><userinput>make install</userinput></screen>
|
---|
121 |
|
---|
122 | </sect2>
|
---|
123 |
|
---|
124 | <sect2 role="commands">
|
---|
125 | <title>Command Explanations</title>
|
---|
126 |
|
---|
127 | <para>
|
---|
128 | <parameter>--libexecdir=/usr/lib</parameter>: This switch controls where
|
---|
129 | private programs are installed. Everything in that directory is a library, so
|
---|
130 | they belong under <filename class="directory">/usr/lib</filename> instead of
|
---|
131 | <filename class="directory">/usr/libexec</filename>.
|
---|
132 | </para>
|
---|
133 |
|
---|
134 | <para>
|
---|
135 | <parameter>--with-secure-path</parameter>: This switch transparently adds
|
---|
136 | <filename class="directory">/sbin</filename> and <filename
|
---|
137 | class="directory">/usr/sbin</filename> directories to the
|
---|
138 | <envar>PATH</envar> environment variable.
|
---|
139 | </para>
|
---|
140 |
|
---|
141 | <para>
|
---|
142 | <parameter>--with-env-editor</parameter>: This switch enables use of the
|
---|
143 | environment variable EDITOR for <command>visudo</command>.
|
---|
144 | </para>
|
---|
145 |
|
---|
146 | <para>
|
---|
147 | <parameter>--with-passprompt</parameter>: This switch sets the password prompt.
|
---|
148 | The <parameter>%p</parameter> will be expanded to the name of the user whose password is being requested.
|
---|
149 | </para>
|
---|
150 |
|
---|
151 | <para>
|
---|
152 | <option>--without-pam</option>: This switch avoids building
|
---|
153 | <application>Linux-PAM</application> support when
|
---|
154 | <application>Linux-PAM</application> is installed on the system.
|
---|
155 | </para>
|
---|
156 |
|
---|
157 | <para>
|
---|
158 | <option>--with-all-insults</option>: This switch includes all the
|
---|
159 | sudo insult sets. Insults are printed if the user types a bad
|
---|
160 | password, and if enabled in <filename>/etc/sudoers</filename>. Use
|
---|
161 | <option>--with-insults</option> to have them enabled by default.
|
---|
162 | Various sets of insults can be selected with some other switches.
|
---|
163 | </para>
|
---|
164 |
|
---|
165 | <note>
|
---|
166 | <para>
|
---|
167 | There are many options to <application>sudo</application>'s
|
---|
168 | <command>configure</command> command. Check the
|
---|
169 | <command>configure --help</command> output for a complete list.
|
---|
170 | </para>
|
---|
171 | </note>
|
---|
172 | <!-- Seems to be fixed
|
---|
173 | <para>
|
---|
174 | <command>ln -sfv libsudo_util...</command>: Works around a bug in the
|
---|
175 | installation process, which links to the previously installed
|
---|
176 | version (if there is one) instead of the new one.
|
---|
177 | </para>
|
---|
178 | -->
|
---|
179 | </sect2>
|
---|
180 |
|
---|
181 | <sect2 role="configuration">
|
---|
182 | <title>Configuring Sudo</title>
|
---|
183 |
|
---|
184 | <sect3 id="sudo-config">
|
---|
185 | <title>Config File</title>
|
---|
186 |
|
---|
187 | <para>
|
---|
188 | <filename>/etc/sudoers</filename>
|
---|
189 | </para>
|
---|
190 |
|
---|
191 | <indexterm zone="sudo sudo-config">
|
---|
192 | <primary sortas="e-etc-sudoers">/etc/sudoers</primary>
|
---|
193 | </indexterm>
|
---|
194 |
|
---|
195 | </sect3>
|
---|
196 |
|
---|
197 | <sect3>
|
---|
198 | <title>Configuration Information</title>
|
---|
199 |
|
---|
200 | <para>
|
---|
201 | The <filename>sudoers</filename> file can be quite complicated. It
|
---|
202 | is composed of two types of entries: aliases (basically variables) and
|
---|
203 | user specifications (which specify who may run what). The installation
|
---|
204 | installs a default configuration that has no privileges installed for
|
---|
205 | any user.
|
---|
206 | </para>
|
---|
207 |
|
---|
208 | <para>
|
---|
209 | A couple of common configuration changes are to set the path for the
|
---|
210 | super user and to allow members of the wheel group to execute all
|
---|
211 | commands after providing their own credentials. Use the following
|
---|
212 | commands to create the <filename>/etc/sudoers.d/00-sudo</filename>
|
---|
213 | configuration file as the
|
---|
214 | <systemitem class="username">root</systemitem> user:
|
---|
215 | </para>
|
---|
216 |
|
---|
217 | <screen role="root"><userinput>cat > /etc/sudoers.d/00-sudo << "EOF"
|
---|
218 | <literal>Defaults secure_path="/usr/sbin:/usr/bin"
|
---|
219 | %wheel ALL=(ALL) ALL</literal>
|
---|
220 | EOF</userinput></screen>
|
---|
221 |
|
---|
222 | <note>
|
---|
223 | <para>
|
---|
224 | In very simple installations where there is only one user, it
|
---|
225 | may be easier to just edit the <filename>/etc/sudoers</filename>
|
---|
226 | file directly. In that case, the <varname>secure_path</varname>
|
---|
227 | entry may not be needed and using <command>sudo -E ...</command> can
|
---|
228 | import the non-privileged user's full environment into the
|
---|
229 | privileged session.
|
---|
230 | </para>
|
---|
231 |
|
---|
232 | <para>
|
---|
233 | The files in the <filename class="directory">/etc/sudoers.d</filename>
|
---|
234 | directory are parsed in sorted lexical order. Be careful that entries
|
---|
235 | in an added file do not overwrite previous entries.
|
---|
236 | </para>
|
---|
237 | </note>
|
---|
238 |
|
---|
239 | <para>
|
---|
240 | For details, see <command>man sudoers</command>.
|
---|
241 | </para>
|
---|
242 |
|
---|
243 | <note>
|
---|
244 | <para>
|
---|
245 | The <application>Sudo</application> developers highly recommend
|
---|
246 | using the <command>visudo</command> program to edit the
|
---|
247 | <filename>sudoers</filename> file. This will provide basic sanity
|
---|
248 | checking like syntax parsing and file permission to avoid some
|
---|
249 | possible mistakes that could lead to a vulnerable configuration.
|
---|
250 | </para>
|
---|
251 | </note>
|
---|
252 |
|
---|
253 | <para>
|
---|
254 | If <application>PAM</application> is installed on the system,
|
---|
255 | <application>Sudo</application> is built with
|
---|
256 | <application>PAM</application> support. In that case, issue the
|
---|
257 | following command as the <systemitem class="username">root</systemitem>
|
---|
258 | user to create the <application>PAM</application> configuration file:
|
---|
259 | </para>
|
---|
260 |
|
---|
261 | <screen role="root"><userinput>cat > /etc/pam.d/sudo << "EOF"
|
---|
262 | <literal># Begin /etc/pam.d/sudo
|
---|
263 |
|
---|
264 | # include the default auth settings
|
---|
265 | auth include system-auth
|
---|
266 |
|
---|
267 | # include the default account settings
|
---|
268 | account include system-account
|
---|
269 |
|
---|
270 | # Set default environment variables for the service user
|
---|
271 | session required pam_env.so
|
---|
272 |
|
---|
273 | # include system session defaults
|
---|
274 | session include system-session
|
---|
275 |
|
---|
276 | # End /etc/pam.d/sudo</literal>
|
---|
277 | EOF
|
---|
278 | chmod 644 /etc/pam.d/sudo</userinput></screen>
|
---|
279 |
|
---|
280 | </sect3>
|
---|
281 |
|
---|
282 | </sect2>
|
---|
283 |
|
---|
284 | <sect2 role="content">
|
---|
285 | <title>Contents</title>
|
---|
286 |
|
---|
287 | <segmentedlist>
|
---|
288 | <segtitle>Installed Programs</segtitle>
|
---|
289 | <segtitle>Installed Libraries</segtitle>
|
---|
290 | <segtitle>Installed Directories</segtitle>
|
---|
291 |
|
---|
292 | <seglistitem>
|
---|
293 | <seg>
|
---|
294 | cvtsudoers, sudo, sudo_logsrvd, sudo_sendlog,
|
---|
295 | sudoedit (symlink), sudoreplay, and visudo
|
---|
296 | </seg>
|
---|
297 | <seg>
|
---|
298 | <!-- [pierre, September 25, 2020] except libsudo_util, the other
|
---|
299 | shared objects in /usr/lib/sudo look more like modules than
|
---|
300 | libraries. Leaving them now, and updating the list, but I think
|
---|
301 | they should not be listed. -->
|
---|
302 | audit_json.so, group_file.so, libsudo_util.so,
|
---|
303 | sudoers.so, sudo_intercept.so, sudo_noexec.so, and system_group.so
|
---|
304 | </seg>
|
---|
305 | <seg>
|
---|
306 | /etc/sudoers.d,
|
---|
307 | /usr/lib/sudo,
|
---|
308 | /usr/share/doc/sudo-&sudo-version;, and
|
---|
309 | /var/lib/sudo
|
---|
310 | </seg>
|
---|
311 | </seglistitem>
|
---|
312 | </segmentedlist>
|
---|
313 |
|
---|
314 | <variablelist>
|
---|
315 | <bridgehead renderas="sect3">Short Descriptions</bridgehead>
|
---|
316 | <?dbfo list-presentation="list"?>
|
---|
317 | <?dbhtml list-presentation="table"?>
|
---|
318 |
|
---|
319 | <varlistentry id="cvtsudoers">
|
---|
320 | <term><command>cvtsudoers</command></term>
|
---|
321 | <listitem>
|
---|
322 | <para>
|
---|
323 | converts between sudoers file formats
|
---|
324 | </para>
|
---|
325 | <indexterm zone="sudo cvtsudoers">
|
---|
326 | <primary sortas="b-cvtsudoers">cvtsudoers</primary>
|
---|
327 | </indexterm>
|
---|
328 | </listitem>
|
---|
329 | </varlistentry>
|
---|
330 |
|
---|
331 | <varlistentry id="sudo_prog">
|
---|
332 | <term><command>sudo</command></term>
|
---|
333 | <listitem>
|
---|
334 | <para>
|
---|
335 | executes a command as another user as permitted by
|
---|
336 | the <filename>/etc/sudoers</filename> configuration file
|
---|
337 | </para>
|
---|
338 | <indexterm zone="sudo sudo">
|
---|
339 | <primary sortas="b-sudo">sudo</primary>
|
---|
340 | </indexterm>
|
---|
341 | </listitem>
|
---|
342 | </varlistentry>
|
---|
343 |
|
---|
344 | <varlistentry id="sudo_logsrvd">
|
---|
345 | <term><command>sudo_logsrvd</command></term>
|
---|
346 | <listitem>
|
---|
347 | <para>
|
---|
348 | is a sudo event and I/O log server
|
---|
349 | </para>
|
---|
350 | <indexterm zone="sudo sudo_logsrvd">
|
---|
351 | <primary sortas="b-sudo_logsrvd">sudo_logsrvd</primary>
|
---|
352 | </indexterm>
|
---|
353 | </listitem>
|
---|
354 | </varlistentry>
|
---|
355 |
|
---|
356 | <varlistentry id="sudo_sendlog">
|
---|
357 | <term><command>sudo_sendlog</command></term>
|
---|
358 | <listitem>
|
---|
359 | <para>
|
---|
360 | sends sudo I/O logs to the log server
|
---|
361 | </para>
|
---|
362 | <indexterm zone="sudo sudo_sendlog">
|
---|
363 | <primary sortas="b-sudo_sendlog">sudo_sendlog</primary>
|
---|
364 | </indexterm>
|
---|
365 | </listitem>
|
---|
366 | </varlistentry>
|
---|
367 |
|
---|
368 | <varlistentry id="sudoedit">
|
---|
369 | <term><command>sudoedit</command></term>
|
---|
370 | <listitem>
|
---|
371 | <para>
|
---|
372 | is a symlink to <command>sudo</command> that implies the
|
---|
373 | <option>-e</option> option to invoke an editor as another user
|
---|
374 | </para>
|
---|
375 | <indexterm zone="sudo sudoedit">
|
---|
376 | <primary sortas="b-sudoedit">sudoedit</primary>
|
---|
377 | </indexterm>
|
---|
378 | </listitem>
|
---|
379 | </varlistentry>
|
---|
380 |
|
---|
381 | <varlistentry id="sudoreplay">
|
---|
382 | <term><command>sudoreplay</command></term>
|
---|
383 | <listitem>
|
---|
384 | <para>
|
---|
385 | is used to play back or list the output
|
---|
386 | logs created by <command>sudo</command>
|
---|
387 | </para>
|
---|
388 | <indexterm zone="sudo sudoreplay">
|
---|
389 | <primary sortas="b-sudoreplay">sudoreplay</primary>
|
---|
390 | </indexterm>
|
---|
391 | </listitem>
|
---|
392 | </varlistentry>
|
---|
393 |
|
---|
394 | <varlistentry id="visudo">
|
---|
395 | <term><command>visudo</command></term>
|
---|
396 | <listitem>
|
---|
397 | <para>
|
---|
398 | allows for safer editing of the <filename>sudoers</filename>
|
---|
399 | file
|
---|
400 | </para>
|
---|
401 | <indexterm zone="sudo visudo">
|
---|
402 | <primary sortas="b-visudo">visudo</primary>
|
---|
403 | </indexterm>
|
---|
404 | </listitem>
|
---|
405 | </varlistentry>
|
---|
406 |
|
---|
407 | </variablelist>
|
---|
408 |
|
---|
409 | </sect2>
|
---|
410 |
|
---|
411 | </sect1>
|
---|