source: postlfs/security/sudo.xml@ 45ab6c7

trunk
Last change on this file since 45ab6c7 was 45ab6c7, checked in by Xi Ruoyao <xry111@…>, 3 months ago

more SVN prop clean up

Remove "$LastChanged$" everywhere, and also some unused $Date$

  • Property mode set to 100644
File size: 12.4 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY sudo-download-http "https://www.sudo.ws/dist/sudo-&sudo-version;.tar.gz">
8 <!ENTITY sudo-download-ftp "ftp://ftp.sudo.ws/pub/sudo/sudo-&sudo-version;.tar.gz">
9 <!ENTITY sudo-md5sum "334f8337d497f2f5df2db72448bd259d">
10 <!ENTITY sudo-size "4.0 MB">
11 <!ENTITY sudo-buildsize "44 MB (add 9 MB for tests)">
12 <!ENTITY sudo-time "0.4 SBU (add 0.1 SBU for tests)">
13]>
14
15<sect1 id="sudo" xreflabel="Sudo-&sudo-version;">
16 <?dbhtml filename="sudo.html"?>
17
18 <sect1info>
19 <date>$Date$</date>
20 </sect1info>
21
22 <title>Sudo-&sudo-version;</title>
23
24 <indexterm zone="sudo">
25 <primary sortas="a-Sudo">Sudo</primary>
26 </indexterm>
27
28 <sect2 role="package">
29 <title>Introduction to Sudo</title>
30
31 <para>
32 The <application>Sudo</application> package allows a system administrator
33 to give certain users (or groups of users) the ability to run
34 some (or all) commands as
35 <systemitem class="username">root</systemitem> or another user while
36 logging the commands and arguments.
37 </para>
38
39 &lfs101_checked;
40
41 <bridgehead renderas="sect3">Package Information</bridgehead>
42 <itemizedlist spacing="compact">
43 <listitem>
44 <para>
45 Download (HTTP): <ulink url="&sudo-download-http;"/>
46 </para>
47 </listitem>
48 <listitem>
49 <para>
50 Download (FTP): <ulink url="&sudo-download-ftp;"/>
51 </para>
52 </listitem>
53 <listitem>
54 <para>
55 Download MD5 sum: &sudo-md5sum;
56 </para>
57 </listitem>
58 <listitem>
59 <para>
60 Download size: &sudo-size;
61 </para>
62 </listitem>
63 <listitem>
64 <para>
65 Estimated disk space required: &sudo-buildsize;
66 </para>
67 </listitem>
68 <listitem>
69 <para>
70 Estimated build time: &sudo-time;
71 </para>
72 </listitem>
73 </itemizedlist>
74
75 <bridgehead renderas="sect3">Sudo Dependencies</bridgehead>
76
77 <bridgehead renderas="sect4">Optional</bridgehead>
78 <para role="optional">
79 <xref linkend="linux-pam"/>,
80 <xref linkend="mitkrb"/>,
81 <xref linkend="openldap"/>,
82 <xref linkend="server-mail"/> (that provides a
83 <command>sendmail</command> command),
84 <ulink url="http://www.openafs.org/">AFS</ulink>,
85 <ulink url="http://www.fwtk.org/">FWTK</ulink>, and
86 <ulink url="&sourceforge-dl;/opie/">Opie</ulink>
87 </para>
88
89 <para condition="html" role="usernotes">User Notes:
90 <ulink url="&blfs-wiki;/sudo"/>
91 </para>
92 </sect2>
93
94 <sect2 role="installation">
95 <title>Installation of Sudo</title>
96
97 <para>
98 Install <application>Sudo</application> by running the following commands:
99 </para>
100
101<screen><userinput>./configure --prefix=/usr \
102 --libexecdir=/usr/lib \
103 --with-secure-path \
104 --with-all-insults \
105 --with-env-editor \
106 --docdir=/usr/share/doc/sudo-&sudo-version; \
107 --with-passprompt="[sudo] password for %p: " &amp;&amp;
108make</userinput></screen>
109
110 <para>
111 To test the results, issue: <command>env LC_ALL=C make check 2&gt;&amp;1
112 | tee ../make-check.log</command>. Check the results with <command>grep
113 failed ../make-check.log</command>.
114 </para>
115
116 <para>
117 Now, as the <systemitem class="username">root</systemitem> user:
118 </para>
119
120<screen role="root"><userinput>make install &amp;&amp;
121ln -sfv libsudo_util.so.0.0.0 /usr/lib/sudo/libsudo_util.so.0</userinput></screen>
122
123 </sect2>
124
125 <sect2 role="commands">
126 <title>Command Explanations</title>
127
128 <para>
129 <parameter>--libexecdir=/usr/lib</parameter>: This switch controls where
130 private programs are installed. Everything in that directory is a library, so
131 they belong under <filename class="directory">/usr/lib</filename> instead of
132 <filename class="directory">/usr/libexec</filename>.
133 </para>
134
135 <para>
136 <parameter>--with-secure-path</parameter>: This switch transparently adds
137 <filename class="directory">/sbin</filename> and <filename
138 class="directory">/usr/sbin</filename> directories to the
139 <envar>PATH</envar> environment variable.
140 </para>
141
142 <para>
143 <parameter>--with-all-insults</parameter>: This switch includes all the
144 <application>sudo</application> insult sets.
145 </para>
146
147 <para>
148 <parameter>--with-env-editor</parameter>: This switch enables use of the
149 environment variable EDITOR for <command>visudo</command>.
150 </para>
151
152 <para>
153 <parameter>--with-passprompt</parameter>: This switch sets the password prompt.
154 The <parameter>%p</parameter> will be expanded to the name of the user whose password is being requested.
155 </para>
156
157 <para>
158 <option>--without-pam</option>: This switch avoids building
159 <application>Linux-PAM</application> support when
160 <application>Linux-PAM</application> is installed on the system.
161 </para>
162<!-- See the developer note above before the configure command
163 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
164 href="../../xincludes/static-libraries.xml"/>-->
165
166 <note>
167 <para>
168 There are many options to <application>sudo</application>'s
169 <command>configure</command> command. Check the
170 <command>configure --help</command> output for a complete list.
171 </para>
172 </note>
173
174 <para>
175 <command>ln -sfv libsudo_util...</command>: Works around a bug in the
176 installation process, which links to the previously installed
177 version (if there is one) instead of the new one.
178 </para>
179
180 </sect2>
181
182 <sect2 role="configuration">
183 <title>Configuring Sudo</title>
184
185 <sect3 id="sudo-config">
186 <title>Config File</title>
187
188 <para>
189 <filename>/etc/sudoers</filename>
190 </para>
191
192 <indexterm zone="sudo sudo-config">
193 <primary sortas="e-etc-sudoers">/etc/sudoers</primary>
194 </indexterm>
195
196 </sect3>
197
198 <sect3>
199 <title>Configuration Information</title>
200
201 <para>
202 The <filename>sudoers</filename> file can be quite complicated. It
203 is composed of two types of entries: aliases (basically variables) and
204 user specifications (which specify who may run what). The installation
205 installs a default configuration that has no privileges installed for
206 any user.
207 </para>
208
209 <para>
210 A couple of common configuration changes are to set the path for the
211 super user and to allow members of the wheel group to execute all
212 commands after providing their own credientials. Use the following
213 commands to create the <filename>/etc/sudoers.d/sudo</filename>
214 configuration file as the
215 <systemitem class="username">root</systemitem> user:
216 </para>
217
218<screen role="root"><userinput>cat &gt; /etc/sudoers.d/sudo &lt;&lt; "EOF"
219<literal>Defaults secure_path="/usr/bin:/bin:/usr/sbin:/sbin"
220%wheel ALL=(ALL) ALL</literal>
221EOF</userinput></screen>
222
223 <para>
224 For details, see <command>man sudoers</command>.
225 </para>
226
227 <note>
228 <para>
229 The <application>Sudo</application> developers highly recommend
230 using the <command>visudo</command> program to edit the
231 <filename>sudoers</filename> file. This will provide basic sanity
232 checking like syntax parsing and file permission to avoid some
233 possible mistakes that could lead to a vulnerable configuration.
234 </para>
235 </note>
236
237 <para>
238 If <application>PAM</application> is installed on the system,
239 <application>Sudo</application> is built with
240 <application>PAM</application> support. In that case, issue the
241 following command as the <systemitem class="username">root</systemitem>
242 user to create the <application>PAM</application> configuration file:
243 </para>
244
245<screen role="root"><userinput>cat &gt; /etc/pam.d/sudo &lt;&lt; "EOF"
246<literal># Begin /etc/pam.d/sudo
247
248# include the default auth settings
249auth include system-auth
250
251# include the default account settings
252account include system-account
253
254# Set default environment variables for the service user
255session required pam_env.so
256
257# include system session defaults
258session include system-session
259
260# End /etc/pam.d/sudo</literal>
261EOF
262chmod 644 /etc/pam.d/sudo</userinput></screen>
263
264 </sect3>
265
266 </sect2>
267
268 <sect2 role="content">
269 <title>Contents</title>
270
271 <segmentedlist>
272 <segtitle>Installed Programs</segtitle>
273 <segtitle>Installed Libraries</segtitle>
274 <segtitle>Installed Directories</segtitle>
275
276 <seglistitem>
277 <seg>
278 cvtsudoers, sudo, sudo_logsrvd, sudo_sendlog,
279 sudoedit (symlink), sudoreplay, and visudo
280 </seg>
281 <seg>
282 <!-- [pierre, September 25, 2020] except libsudo_util, the other
283 shared objects in /usr/lib/sudo look more like modules than
284 libraries. Leaving them now, and updating the list, but I think
285 they should not be listed. -->
286 audit_json.so, group_file.so, libsudo_util.so, sample_approval.so,
287 sudoers.so, sudo_noexec.so, and system_group.so
288 </seg>
289 <seg>
290 /etc/sudoers.d,
291 /usr/lib/sudo,
292 /usr/share/doc/sudo-&sudo-version;, and
293 /var/lib/sudo
294 </seg>
295 </seglistitem>
296 </segmentedlist>
297
298 <variablelist>
299 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
300 <?dbfo list-presentation="list"?>
301 <?dbhtml list-presentation="table"?>
302
303 <varlistentry id="cvtsudoers">
304 <term><command>cvtsudoers</command></term>
305 <listitem>
306 <para>
307 converts between sudoers file formats
308 </para>
309 <indexterm zone="sudo cvtsudoers">
310 <primary sortas="b-cvtsudoers">cvtsudoers</primary>
311 </indexterm>
312 </listitem>
313 </varlistentry>
314
315 <varlistentry id="sudo_prog">
316 <term><command>sudo</command></term>
317 <listitem>
318 <para>
319 executes a command as another user as permitted by
320 the <filename>/etc/sudoers</filename> configuration file
321 </para>
322 <indexterm zone="sudo sudo">
323 <primary sortas="b-sudo">sudo</primary>
324 </indexterm>
325 </listitem>
326 </varlistentry>
327
328 <varlistentry id="sudo_logsrvd">
329 <term><command>sudo_logsrvd</command></term>
330 <listitem>
331 <para>
332 is a sudo event and I/O log server
333 </para>
334 <indexterm zone="sudo sudo_logsrvd">
335 <primary sortas="b-sudo_logsrvd">sudo_logsrvd</primary>
336 </indexterm>
337 </listitem>
338 </varlistentry>
339
340 <varlistentry id="sudo_sendlog">
341 <term><command>sudo_sendlog</command></term>
342 <listitem>
343 <para>
344 sends sudo I/O logs to the log server
345 </para>
346 <indexterm zone="sudo sudo_sendlog">
347 <primary sortas="b-sudo_sendlog">sudo_sendlog</primary>
348 </indexterm>
349 </listitem>
350 </varlistentry>
351
352 <varlistentry id="sudoedit">
353 <term><command>sudoedit</command></term>
354 <listitem>
355 <para>
356 is a symlink to <command>sudo</command> that implies the
357 <option>-e</option> option to invoke an editor as another user
358 </para>
359 <indexterm zone="sudo sudoedit">
360 <primary sortas="b-sudoedit">sudoedit</primary>
361 </indexterm>
362 </listitem>
363 </varlistentry>
364
365 <varlistentry id="sudoreplay">
366 <term><command>sudoreplay</command></term>
367 <listitem>
368 <para>
369 is used to play back or list the output
370 logs created by <command>sudo</command>
371 </para>
372 <indexterm zone="sudo sudoreplay">
373 <primary sortas="b-sudoreplay">sudoreplay</primary>
374 </indexterm>
375 </listitem>
376 </varlistentry>
377
378 <varlistentry id="visudo">
379 <term><command>visudo</command></term>
380 <listitem>
381 <para>
382 allows for safer editing of the <filename>sudoers</filename>
383 file
384 </para>
385 <indexterm zone="sudo visudo">
386 <primary sortas="b-visudo">visudo</primary>
387 </indexterm>
388 </listitem>
389 </varlistentry>
390
391 </variablelist>
392
393 </sect2>
394
395</sect1>
Note: See TracBrowser for help on using the repository browser.