source: postlfs/security/sudo.xml@ 5c22cb01

systemd-13485
Last change on this file since 5c22cb01 was 5c22cb01, checked in by Douglas R. Reno <renodr@…>, 8 years ago

Updated lsof URL. Merged from trunk r17090
Updated PIN-Entry dependencies. Merged from trunk r17090
Updated Valgrind dependencies. Merged from trunk r17090
Added note about OpenSSL's Test Suite not supporting parallel make jobs. Merged from trunk r17090.
Restored autoconf to libva-intel-driver. Merged from trunk r17090
Updated to Sudo-1.8.16. Merged from trunk r17127
Changed the configure script in the GCC-5.3.0 page to use the new configure switch for the libstdc++ ABI.
Updated to OpenSSH-7.2p2. Merged from trunk r17106.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/branches/systemd@17199 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 11.0 KB
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY sudo-download-http "http://www.sudo.ws/dist/sudo-&sudo-version;.tar.gz">
  <!ENTITY sudo-download-ftp  "ftp://ftp.sudo.ws/pub/sudo/sudo-&sudo-version;.tar.gz">
  <!ENTITY sudo-md5sum        "a977449587dc857e129bb20555b46af4">
  <!ENTITY sudo-size          "2.6 MB">
  <!ENTITY sudo-buildsize     "34 MB (with tests)">
  <!ENTITY sudo-time          "0.4 SBU (with tests)">
]>

<sect1 id="sudo" xreflabel="Sudo-&sudo-version;">
  <?dbhtml filename="sudo.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>Sudo-&sudo-version;</title>

  <indexterm zone="sudo">
    <primary sortas="a-Sudo">Sudo</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to Sudo</title>

    <para>
      The <application>Sudo</application> package allows a system administrator
      to give certain users (or groups of users) the ability to run
      some (or all) commands as
      <systemitem class="username">root</systemitem> or another user while
      logging the commands and arguments.
    </para>

    &lfs79_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&sudo-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&sudo-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &sudo-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &sudo-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &sudo-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &sudo-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Sudo Dependencies</bridgehead>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      <xref linkend="linux-pam"/>,
      <xref linkend="mitkrb"/>,
      <xref linkend="openldap"/>,
      <xref linkend="server-mail"/> (that provides a
      <command>sendmail</command> command),
      <ulink url="http://www.openafs.org/">AFS</ulink>,
      <ulink url="http://www.fwtk.org/">FWTK</ulink>, and
      <ulink url="http://sourceforge.net/projects/opie/files/">Opie</ulink>
<!-- <ulink url="http://www.rsa.com/node.aspx?id=1156">SecurID</ulink> -->
    </para>

    <para condition="html" role="usernotes">User Notes:
      <ulink url="&blfs-wiki;/sudo"/>
    </para>
  </sect2>

  <sect2 role="installation">
    <title>Installation of Sudo</title>

    <para>
      Install <application>Sudo</application> by running the following commands:
    </para>

<!-- Developer: apparently it is disabled by default, although in configure it
is written otherwise -disable-static \-->
<screen><userinput>./configure --prefix=/usr \
            --libexecdir=/usr/lib \
            --with-secure-path \
            --with-all-insults \
            --with-env-editor \
            --docdir=/usr/share/doc/sudo-&sudo-version; \
            --with-passprompt="[sudo] password for %p" &amp;&amp;
make</userinput></screen>

    <para>
      To test the results, issue: <command>env LC_ALL=C make check 2&gt;&amp;1
      | tee ../make-check.log</command>. Check the results with <command>grep
      failed ../make-check.log</command>.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make install &amp;&amp;
ln -sfv libsudo_util.so.0.0.0 /usr/lib/sudo/libsudo_util.so.0</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      <parameter>--libexecdir=/usr/lib</parameter>: This switch controls where
      private programs are installed. Everything in that directory is a library, so
      it belongs under <filename class="directory">/usr/lib</filename> instead of
      <filename class="directory">/usr/libexec</filename>.
    </para>

    <para>
      <parameter>--with-secure-path</parameter>: This switch transparently adds
      <filename class="directory">/sbin</filename> and <filename
      class="directory">/usr/sbin</filename> directories to the
      <envar>PATH</envar> environment variable.
    </para>

    <para>
      <parameter>--with-all-insults</parameter>: This switch includes all the
      <application>sudo</application> insult sets.
    </para>

    <para>
      <parameter>--with-env-editor</parameter>: This switch enables use of the
      <envar>EDITOR</envar> environment variable for <command>visudo</command>.
    </para>

    <para>
      <parameter>--with-passprompt</parameter>: This switch sets the password prompt.
    </para>

    <para>
      <option>--without-pam</option>: This switch avoids building
      <application>PAM</application> support when <application>PAM</application> is installed on the system.
    </para>

    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
      href="../../xincludes/static-libraries.xml"/>

    <note>
      <para>
        There are many options to <application>sudo</application>'s
        <command>configure</command> command. Check the
        <command>configure --help</command> output for a complete list.
      </para>
    </note>

    <para>
      <command>ln -sfv libsudo_util...</command>: Works around a bug in the
      installation process, which links the versioned library to the
      previously installed version (when present) instead of the new one.
    </para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring Sudo</title>

    <sect3 id="sudo-config">
      <title>Config File</title>

      <para>
        <filename>/etc/sudoers</filename>
      </para>

      <indexterm zone="sudo sudo-config">
        <primary sortas="e-etc-sudoers">/etc/sudoers</primary>
      </indexterm>

    </sect3>

    <sect3>
      <title>Configuration Information</title>

      <para>
        The <filename>sudoers</filename> file can be quite complicated. It
        is composed of two types of entries: aliases (basically variables) and
        user specifications (which specify who may run what). The installation
        installs a default configuration that grants no privileges to any
        user.
      </para>

      <para>
        One example usage is to allow the system administrator to execute
        any program without typing a password each time root privileges are
        needed. This can be configured as:
      </para>

<screen># User alias specification
User_Alias ADMIN = YourLoginId

# Allow users in the ADMIN alias to run all commands without a password
ADMIN ALL = NOPASSWD: ALL</screen>

      <para>
        For details, see <command>man sudoers</command>.
      </para>

      <note>
        <para>
          The <application>Sudo</application> developers highly recommend
          using the <command>visudo</command> program to edit the
          <filename>sudoers</filename> file. This will provide basic sanity
          checking, such as syntax parsing and file permission checks, to avoid
          some possible mistakes that could lead to a vulnerable configuration.
        </para>
      </note>

      <para>
        If <application>PAM</application> is installed on the system,
        <application>Sudo</application> is built with
        <application>PAM</application> support. In that case, issue the following
        command as the <systemitem class="username">root</systemitem> user
        to create the <application>PAM</application> configuration file:
      </para>

<screen role="root"><userinput>cat &gt; /etc/pam.d/sudo &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/sudo

# include the default auth settings
auth      include     system-auth

# include the default account settings
account   include     system-account

# Set default environment variables for the service user
session   required    pam_env.so

# include system session defaults
session   include     system-session

# End /etc/pam.d/sudo</literal>
EOF
chmod 644 /etc/pam.d/sudo</userinput></screen>

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>
          sudo,
          sudoedit (symlink),
          sudoreplay,
          and visudo
        </seg>
        <seg>
          group_file.so,
          libsudo_util.so,
          sudoers.so,
          sudo_noexec.so,
          and system_group.so
        </seg>
        <seg>
          /etc/sudoers.d,
          /usr/lib/sudo,
          /usr/share/doc/sudo-&sudo-version;,
          /var/lib/sudo, and
          /var/run/sudo
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="sudo_prog">
        <term><command>sudo</command></term>
        <listitem>
          <para>
            executes a command as another user as permitted by
            the <filename>/etc/sudoers</filename> configuration file.
          </para>
          <indexterm zone="sudo sudo">
            <primary sortas="b-sudo">sudo</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sudoedit">
        <term><command>sudoedit</command></term>
        <listitem>
          <para>
            is a symlink to <command>sudo</command> that implies the
            <option>-e</option> option to invoke an editor as another user.
          </para>
          <indexterm zone="sudo sudoedit">
            <primary sortas="b-sudoedit">sudoedit</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sudoreplay">
        <term><command>sudoreplay</command></term>
        <listitem>
          <para>
            is used to play back or list the output
            logs created by <command>sudo</command>.
          </para>
          <indexterm zone="sudo sudoreplay">
            <primary sortas="b-sudoreplay">sudoreplay</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="visudo">
        <term><command>visudo</command></term>
        <listitem>
          <para>
            allows for safer editing of the <filename>sudoers</filename>
            file.
          </para>
          <indexterm zone="sudo visudo">
            <primary sortas="b-visudo">visudo</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>
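
The page's sample rule (`ADMIN ALL = NOPASSWD: ALL`) gives every member of the alias password-less root, so it is worth being able to list such rules on a finished system. The script below is an added example, not part of the BLFS page or the Sudo sources: the function names and the `deploy`, `ci` and `%wheel` entries are constructed, and it assumes one alias per `User_Alias` line and does not follow include files.

```shell
#!/bin/sh
# Added example: list sudoers rules granting password-less ALL commands.

# Constructed sample: the page's ADMIN rule plus hypothetical entries.
sample_sudoers() {
cat <<'EOF'
# User alias specification
User_Alias ADMIN = YourLoginId
ADMIN ALL = NOPASSWD: ALL
deploy ALL = (root) NOPASSWD: /usr/bin/systemctl restart \
    httpd
ci ALL = (ALL) NOPASSWD: ALL
%wheel ALL = (ALL) ALL
EOF
}

# Reads sudoers text on stdin; prints "<name>: <members>" per matching rule.
audit_nopasswd_all() {
  awk '
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }     # join continuation lines
    { line = buf $0; buf = "" }
    line ~ /^[ \t]*#/ || line ~ /^[ \t]*$/ { next }   # comments, blank lines
    line ~ /^[ \t]*User_Alias[ \t]/ {                 # remember alias members
      sub(/^[ \t]*User_Alias[ \t]+/, "", line)
      split(line, kv, /[ \t]*=[ \t]*/)
      gsub(/[ \t]/, "", kv[2])
      alias[kv[1]] = kv[2]
      next
    }
    line ~ /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }
    line ~ /NOPASSWD:[ \t]*ALL[ \t]*,/ || line ~ /NOPASSWD:[ \t]*ALL[ \t]*$/ {
      split(line, f, " ")
      found[++hits] = f[1]
    }
    END {                                             # resolve aliases last
      for (i = 1; i <= hits; i++) {
        who = found[i]
        print who ": " ((who in alias) ? alias[who] : who)
      }
    }
  '
}

# Syntax-check a candidate file with visudo (-c: check only, -f: file to check).
check_syntax() {
  command -v visudo >/dev/null 2>&1 || { echo "visudo not found" >&2; return 2; }
  visudo -c -f "$1"
}

sample_sudoers | audit_nopasswd_all
```

On a real system, feed it `/etc/sudoers` and the files under `/etc/sudoers.d` as root, and run `check_syntax` on any candidate file before installing it.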