source: postlfs/security/sudo.xml@ 4676c15d

Last change on this file since 4676c15d was 4676c15d, checked in by Bruce Dubbs <bdubbs@…>, 10 months ago

Update to icu4c-68_2.
Update to sudo-1.9.4p1.
Update to LWP-Protocol-https-6.10 (Perl Module).
Update to node-14.15.3.
Update to bind-9.16.9 (including utils).

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@24003 af4574ff-66df-0310-9fd7-8a98e5e911e0

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY sudo-download-http "http://www.sudo.ws/dist/sudo-&sudo-version;.tar.gz">
  <!ENTITY sudo-download-ftp  "ftp://ftp.sudo.ws/pub/sudo/sudo-&sudo-version;.tar.gz">
  <!ENTITY sudo-md5sum        "f332f458ba1d2aa479588bd6a9f8abdd">
  <!ENTITY sudo-size          "3.8 MB">
  <!ENTITY sudo-buildsize     "41 MB (add 9 MB for tests)">
  <!ENTITY sudo-time          "0.4 SBU (add 0.1 SBU for tests)">
]>

<sect1 id="sudo" xreflabel="Sudo-&sudo-version;">
  <?dbhtml filename="sudo.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>Sudo-&sudo-version;</title>

  <indexterm zone="sudo">
    <primary sortas="a-Sudo">Sudo</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to Sudo</title>

    <para>
      The <application>Sudo</application> package allows a system administrator
      to give certain users (or groups of users) the ability to run
      some (or all) commands as
      <systemitem class="username">root</systemitem> or another user while
      logging the commands and arguments.
    </para>

    &lfs10_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&sudo-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&sudo-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &sudo-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &sudo-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &sudo-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &sudo-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Sudo Dependencies</bridgehead>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      <xref linkend="linux-pam"/>,
      <xref linkend="mitkrb"/>,
      <xref linkend="openldap"/>,
      <xref linkend="server-mail"/> (that provides a
      <command>sendmail</command> command),
      <ulink url="http://www.openafs.org/">AFS</ulink>,
      <ulink url="http://www.fwtk.org/">FWTK</ulink>, and
      <ulink url="&sourceforge-dl;/opie/">Opie</ulink>
    </para>

    <para condition="html" role="usernotes">User Notes:
      <ulink url="&blfs-wiki;/sudo"/>
    </para>
  </sect2>

  <sect2 role="installation">
    <title>Installation of Sudo</title>

    <para>
      Install <application>Sudo</application> by running the following commands:
    </para>

<screen><userinput>./configure --prefix=/usr              \
            --libexecdir=/usr/lib          \
            --with-secure-path             \
            --with-all-insults             \
            --with-env-editor              \
            --docdir=/usr/share/doc/sudo-&sudo-version; \
            --with-passprompt="[sudo] password for %p: " &amp;&amp;
make</userinput></screen>

    <para>
      To test the results, issue: <command>env LC_ALL=C make check 2&gt;&amp;1
      | tee ../make-check.log</command>. Check the results with <command>grep
      failed ../make-check.log</command>.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make install &amp;&amp;
ln -sfv libsudo_util.so.0.0.0 /usr/lib/sudo/libsudo_util.so.0</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      <parameter>--libexecdir=/usr/lib</parameter>: This switch controls where
      private programs are installed. Everything in that directory is a library, so
      they belong under <filename class="directory">/usr/lib</filename> instead of
      <filename class="directory">/usr/libexec</filename>.
    </para>

    <para>
      <parameter>--with-secure-path</parameter>: This switch transparently adds
      the <filename class="directory">/sbin</filename> and <filename
      class="directory">/usr/sbin</filename> directories to the
      <envar>PATH</envar> environment variable.
    </para>

    <para>
      <parameter>--with-all-insults</parameter>: This switch includes all the
      <application>sudo</application> insult sets.
    </para>

    <para>
      <parameter>--with-env-editor</parameter>: This switch enables use of the
      <envar>EDITOR</envar> environment variable for <command>visudo</command>.
    </para>

    <para>
      <parameter>--with-passprompt</parameter>: This switch sets the password prompt.
      The <parameter>%p</parameter> will be expanded to the name of the user whose
      password is being requested.
    </para>

    <para>
      <option>--without-pam</option>: This switch avoids building
      <application>Linux-PAM</application> support when
      <application>Linux-PAM</application> is installed on the system.
    </para>
<!-- See the developer note above before the configure command
    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
                href="../../xincludes/static-libraries.xml"/>-->

    <note>
      <para>
        There are many options to <application>sudo</application>'s
        <command>configure</command> command. Check the
        <command>configure --help</command> output for a complete list.
      </para>
    </note>

    <para>
      <command>ln -sfv libsudo_util...</command>: Works around a bug in the
      installation process, which links to the previously installed
      version (if there is one) instead of the new one.
    </para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring Sudo</title>

    <sect3 id="sudo-config">
      <title>Config File</title>

      <para>
        <filename>/etc/sudoers</filename>
      </para>

      <indexterm zone="sudo sudo-config">
        <primary sortas="e-etc-sudoers">/etc/sudoers</primary>
      </indexterm>

    </sect3>

    <sect3>
      <title>Configuration Information</title>

      <para>
        The <filename>sudoers</filename> file can be quite complicated. It
        is composed of two types of entries: aliases (basically variables) and
        user specifications (which specify who may run what). The installation
        installs a default configuration that grants no privileges to
        any user.
      </para>

      <para>
        A couple of common configuration changes are to set the path for the
        super user and to allow members of the wheel group to execute all
        commands after providing their own credentials. Use the following
        commands to create the <filename>/etc/sudoers.d/sudo</filename>
        configuration file as the
        <systemitem class="username">root</systemitem> user:
      </para>

<screen role="root"><userinput>cat &gt; /etc/sudoers.d/sudo &lt;&lt; "EOF"
<literal>Defaults secure_path="/usr/bin:/bin:/usr/sbin:/sbin"
%wheel ALL=(ALL) ALL</literal>
EOF</userinput></screen>

      <para>
        For details, see <command>man sudoers</command>.
      </para>

      <note>
        <para>
          The <application>Sudo</application> developers highly recommend
          using the <command>visudo</command> program to edit the
          <filename>sudoers</filename> file. This provides basic sanity
          checking, such as syntax parsing and file permission checks, to
          avoid some possible mistakes that could lead to a vulnerable
          configuration.
        </para>
      </note>
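      <para>
        Added example (not part of the BLFS book or of sudo's own sources): a
        POSIX sh helper that installs a drop-in into
        <filename class="directory">/etc/sudoers.d</filename> only after
        <command>visudo -cf</command> has accepted it, and that rejects names
        sudo would silently skip. It assumes the <command>visudo</command> built
        above is in <envar>PATH</envar>, that it runs as root, and that the
        function and file names are the example's own.
      </para>

```bash
#!/bin/sh
# Added example (not BLFS or sudo code): install a /etc/sudoers.d drop-in safely.
# Assumes visudo from the build above is in PATH and that this runs as root.
set -u

# sudo skips any file in sudoers.d whose name contains a '.' or ends in '~'
# (editor backups, *.rpmnew-style leftovers), so a mistyped name means the
# rules in it are never applied. Returns 0 for a usable name, 1 otherwise.
sudoers_d_name_ok() {
    case "$1" in
        ''|*.*|*~) return 1 ;;
        *)         return 0 ;;
    esac
}

# install_sudoers_fragment NAME SRC [DESTDIR]
# Stages SRC as DESTDIR/.NAME.tmp (a name sudo ignores, so a half-finished
# install is harmless), gives it the root:root 0440 ownership visudo expects,
# syntax-checks it with visudo -cf, and only then renames it into place.
install_sudoers_fragment() {
    name=$1 src=$2 destdir=${3:-/etc/sudoers.d}
    tmp="$destdir/.$name.tmp"

    if ! sudoers_d_name_ok "$name"; then
        echo "refusing name '$name': sudo would ignore it" >&2
        return 1
    fi
    install -m 0440 -o root -g root "$src" "$tmp" || return 1
    if ! visudo -cf "$tmp"; then
        echo "syntax check failed, leaving $destdir untouched" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$destdir/$name"
}

# Usage, as root, with the fragment from the text saved in ./sudo.fragment:
#   sh install-sudoers-d.sh sudo ./sudo.fragment
if [ "$#" -ge 2 ]; then
    install_sudoers_fragment "$@"
fi
```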

      <para>
        If <application>PAM</application> is installed on the system,
        <application>Sudo</application> is built with
        <application>PAM</application> support. In that case, issue the
        following command as the <systemitem class="username">root</systemitem>
        user to create the <application>PAM</application> configuration file:
      </para>

<screen role="root"><userinput>cat &gt; /etc/pam.d/sudo &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/sudo

# include the default auth settings
auth      include     system-auth

# include the default account settings
account   include     system-account

# Set default environment variables for the service user
session   required    pam_env.so

# include system session defaults
session   include     system-session

# End /etc/pam.d/sudo</literal>
EOF
chmod 644 /etc/pam.d/sudo</userinput></screen>

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>
          cvtsudoers, sudo, sudo_logsrvd, sudo_sendlog,
          sudoedit (symlink), sudoreplay, and visudo
        </seg>
        <seg>
          <!-- [pierre, September 25, 2020] except libsudo_util, the other
               shared objects in /usr/lib/sudo look more like modules than
               libraries. Leaving them now, and updating the list, but I think
               they should not be listed. -->
          audit_json.so, group_file.so, libsudo_util.so, sample_approval.so,
          sudoers.so, sudo_noexec.so, and system_group.so
        </seg>
        <seg>
          /etc/sudoers.d,
          /usr/lib/sudo,
          /usr/share/doc/sudo-&sudo-version;, and
          /var/lib/sudo
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="cvtsudoers">
        <term><command>cvtsudoers</command></term>
        <listitem>
          <para>
            converts between sudoers file formats.
          </para>
          <indexterm zone="sudo cvtsudoers">
            <primary sortas="b-cvtsudoers">cvtsudoers</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sudo_prog">
        <term><command>sudo</command></term>
        <listitem>
          <para>
            executes a command as another user as permitted by
            the <filename>/etc/sudoers</filename> configuration file.
          </para>
          <indexterm zone="sudo sudo">
            <primary sortas="b-sudo">sudo</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sudo_logsrvd">
        <term><command>sudo_logsrvd</command></term>
        <listitem>
          <para>
            is a sudo event and I/O log server.
          </para>
          <indexterm zone="sudo sudo_logsrvd">
            <primary sortas="b-sudo_logsrvd">sudo_logsrvd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sudo_sendlog">
        <term><command>sudo_sendlog</command></term>
        <listitem>
          <para>
            sends sudo I/O logs to the log server.
          </para>
          <indexterm zone="sudo sudo_sendlog">
            <primary sortas="b-sudo_sendlog">sudo_sendlog</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sudoedit">
        <term><command>sudoedit</command></term>
        <listitem>
          <para>
            is a symlink to <command>sudo</command> that implies the
            <option>-e</option> option to invoke an editor as another user.
          </para>
          <indexterm zone="sudo sudoedit">
            <primary sortas="b-sudoedit">sudoedit</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sudoreplay">
        <term><command>sudoreplay</command></term>
        <listitem>
          <para>
            is used to play back or list the output
            logs created by <command>sudo</command>.
          </para>
          <indexterm zone="sudo sudoreplay">
            <primary sortas="b-sudoreplay">sudoreplay</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="visudo">
        <term><command>visudo</command></term>
        <listitem>
          <para>
            allows for safer editing of the <filename>sudoers</filename>
            file.
          </para>
          <indexterm zone="sudo visudo">
            <primary sortas="b-visudo">visudo</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>