source: postlfs/security/sudo.xml@ 3c0f868f

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
   "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY sudo-download-http "http://www.courtesan.com/sudo/dist/sudo-&sudo-version;.tar.gz">
  <!ENTITY sudo-download-ftp " ">
  <!ENTITY sudo-md5sum "b29893c06192df6230dd5f340f3badf5">
  <!ENTITY sudo-size "576 KB">
  <!ENTITY sudo-buildsize "3.6 MB">
  <!ENTITY sudo-time "less than 0.1 SBU">
]>

<sect1 id="sudo" xreflabel="sudo-&sudo-version;">
  <?dbhtml filename="sudo.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
    <keywordset>
      <keyword role="package">sudo-&sudo-version;.tar</keyword>
      <keyword role="ftpdir">sudo</keyword>
    </keywordset>
  </sect1info>

  <title>Sudo-&sudo-version;</title>

  <indexterm zone="sudo">
    <primary sortas="a-sudo">sudo</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to Sudo</title>

    <para>The <application>sudo</application> package allows a system
    administrator to give certain users (or groups of users) the ability to run
    some (or all) commands as
    <systemitem class="username">root</systemitem> or another user while
    logging the commands and arguments.</para>

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>Download (HTTP): <ulink url="&sudo-download-http;"/></para>
      </listitem>
      <listitem>
        <para>Download (FTP): <ulink url="&sudo-download-ftp;"/></para>
      </listitem>
      <listitem>
        <para>Download MD5 sum: &sudo-md5sum;</para>
      </listitem>
      <listitem>
        <para>Download size: &sudo-size;</para>
      </listitem>
      <listitem>
        <para>Estimated disk space required: &sudo-buildsize;</para>
      </listitem>
      <listitem>
        <para>Estimated build time: &sudo-time;</para>
      </listitem>
    </itemizedlist>

<!--
    <bridgehead renderas="sect3">Additional Downloads</bridgehead>
    <itemizedlist spacing='compact'>
      <listitem>
        <para>Required patch: <ulink
        url="&patch-root;/sudo-&sudo-version;-xxxx-1.patch"/></para>
      </listitem>
    </itemizedlist>
    <bridgehead renderas="sect3">Sudo Dependencies</bridgehead>

    <bridgehead renderas="sect4">Optional</bridgehead>


-->
  </sect2>

  <sect2 role="installation">
    <title>Installation of Sudo</title>

    <para>Install <application>sudo</application> by running
    the following commands:</para>

<screen><userinput>./configure --prefix=/usr --libexecdir=/usr/lib \
    --enable-noargs-shell --with-ignore-dot --with-all-insults \
    --enable-shell-sets-home &amp;&amp;
make</userinput></screen>

    <para>Now, as the <systemitem class="username">root</systemitem> user:</para>

<screen role="root"><userinput>make install</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para><option>--enable-noargs-shell</option>: This switch allows
    <application>sudo</application> to run a shell if invoked with no
    arguments.</para>

    <para><option>--with-ignore-dot</option>: This switch causes
    <application>sudo</application> to ignore '.' in the PATH.</para>

    <para><option>--with-all-insults</option>: This switch includes all the
    <application>sudo</application> insult sets.</para>

    <para><option>--enable-shell-sets-home</option>: This switch sets HOME to
    the target user in shell mode.</para>

    <note>
      <para>There are many options to <application>sudo</application>'s
      <command>configure</command> command.  Check the
      <command>configure --help</command>  output for a complete list.</para>
    </note>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring Sudo</title>

    <sect3 id="sudo-config">
      <title>Config File</title>

      <para><filename>/etc/sudoers</filename></para>

      <indexterm zone="sudo sudo-config">
        <primary sortas="e-etc-sudoers">/etc/sudoers</primary>
      </indexterm>

    </sect3>

    <sect3>
      <title>Configuration Information</title>

      <para>The <filename>sudoers</filename> file can be quite complicated.  It
      is composed of two types of entries: aliases (basically variables) and
      user specifications (which specify who may run what).  The installation
      installs a default configuration that has no privileges installed for any
      user.</para>

      <para>One example usage is to allow the system administrator to execute
      any program without typing a password each time root privileges are
      needed.  This can be configured as:</para>

      <screen># User alias specification
User_Alias  ADMIN = YourLoginId

# Allow people in group ADMIN to run all commands without a password
ADMIN       ALL = NOPASSWD: ALL</screen>

      <para>For details, see <command>man sudoers</command>.</para>

      <note>
        <para>The <application>Sudo</application> developers highly recommend
        using the <command>visudo</command> program to edit the
        <filename>sudoers</filename> file. This will provide basic sanity
        checking like syntax parsing and file permission to avoid some possible
        mistakes that could lead to a vulnerable configuration.</para>
      </note>

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Library</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>sudo, sudoedit, and visudo</seg>
        <seg>sudo_noexec.so</seg>
        <seg>None</seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="sudo_prog">
        <term><command>sudo</command></term>
        <listitem>
          <para>executes a command as another user as permitted by
          the <filename>/etc/sudoers</filename> configuration file.
          </para>
          <indexterm zone="sudo sudo">
            <primary sortas="b-sudo">sudo</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sudoedit">
        <term><command>sudoedit</command></term>
        <listitem>
          <para>is a hard link to <command>sudo</command> that implies
          the <option>-e</option> option to invoke an editor as another
          user.</para>
          <indexterm zone="sudo sudoedit">
            <primary sortas="b-sudoedit">sudoedit</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="visudo">
        <term><command>visudo</command></term>
        <listitem>
          <para>allows for safer editing of the <filename>sudoers</filename>
          file.</para>
          <indexterm zone="sudo visudo">
            <primary sortas="b-visudo">visudo</primary>
          </indexterm>
        </listitem>
      </varlistentry>


      <varlistentry id="sudo_noexec">
        <term><filename class='libraryfile'>sudo_noexec.so</filename></term>
        <listitem>
          <para>enables support for the "noexec" functionality which prevents
           a dynamically-linked program being run by sudo from executing
           another program (think shell escapes).</para>
          <indexterm zone="sudo sudo_noexec">
            <primary sortas="c-sudo_noexec">sudo_noexec.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>