source: postlfs/security/sudo.xml@ 6f306ab9

Last change on this file since 6f306ab9 was 6f306ab9, checked in by Andrew Benton <andy@…>, 12 years ago

patch sudo to fix a security problem

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@9256 af4574ff-66df-0310-9fd7-8a98e5e911e0

File size: 10.2 KB
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY sudo-download-http "http://www.sudo.ws/sudo/dist/sudo-&sudo-version;.tar.gz">
  <!ENTITY sudo-download-ftp "ftp://ftp.twaren.net/Unix/Security/Sudo/sudo-&sudo-version;.tar.gz">
  <!ENTITY sudo-md5sum "000f458e7391be9fdf459a9ad6a4912a">
  <!ENTITY sudo-size "1.4 MB">
  <!ENTITY sudo-buildsize "13 MB">
  <!ENTITY sudo-time "0.2 SBU">
]>

<sect1 id="sudo" xreflabel="sudo-&sudo-version;">
  <?dbhtml filename="sudo.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>Sudo-&sudo-version;</title>

  <indexterm zone="sudo">
    <primary sortas="a-sudo">sudo</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to Sudo</title>

    <para>The <application>sudo</application> package allows a system
    administrator to give certain users (or groups of users) the ability to run
    some (or all) commands as
    <systemitem class="username">root</systemitem> or another user while
    logging the commands and arguments.</para>

    &lfs70_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>Download (HTTP): <ulink url="&sudo-download-http;"/></para>
      </listitem>
      <listitem>
        <para>Download (FTP): <ulink url="&sudo-download-ftp;"/></para>
      </listitem>
      <listitem>
        <para>Download MD5 sum: &sudo-md5sum;</para>
      </listitem>
      <listitem>
        <para>Download size: &sudo-size;</para>
      </listitem>
      <listitem>
        <para>Estimated disk space required: &sudo-buildsize;</para>
      </listitem>
      <listitem>
        <para>Estimated build time: &sudo-time;</para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Additional Downloads</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>Required patch: <ulink
        url="&patch-root;/sudo-&sudo-version;-fprintf_debug-1.patch"/></para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Sudo Dependencies</bridgehead>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional"><xref linkend="linux-pam"/>,
    <ulink url="ftp://ftp.nrl.navy.mil/pub/security/opie">Opie</ulink>,
    <ulink url="http://www.rsa.com/node.aspx?id=1156">SecurID</ulink>,
    <ulink url="http://www.fwtk.org/">FWTK</ulink>,
    an <xref linkend="server-mail"/> (that provides a
    <command>sendmail</command> command),
    <ulink url="http://www.pdc.kth.se/kth-krb/">krb4</ulink>,
    <xref linkend="heimdal"/> or <xref linkend="mitkrb"/>,
    <xref linkend="openldap"/>, and
    <ulink url="http://www.openafs.org/">AFS</ulink></para>

    <para condition="html" role="usernotes">User Notes:
    <ulink url="&blfs-wiki;/sudo"/></para>

  </sect2>

  <sect2 role="installation">
    <title>Installation of Sudo</title>

    <para>Install <application>sudo</application> by running
    the following commands:</para>

<screen><userinput>patch -p1 &lt; ../sudo-&sudo-version;-fprintf_debug-1.patch &amp;&amp;
./configure --prefix=/usr \
            --libexecdir=/usr/lib \
            --with-ignore-dot \
            --with-all-insults \
            --enable-shell-sets-home \
            --disable-root-sudo \
            --with-logfac=auth \
            --without-pam \
            --without-sendmail &amp;&amp;
make</userinput></screen>

    <para>This package does not come with a test suite.</para>

    <para>Now, as the <systemitem class="username">root</systemitem> user:</para>

<screen role="root"><userinput>make install</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para><command>patch -p1 &lt; ...</command>: This patch fixes a
    vulnerability in the debugging code in sudo versions 1.8.0 through 1.8.3p1
    that can be used to crash sudo or potentially allow an unauthorized user to
    achieve root privileges.</para>

    <para><option>--with-ignore-dot</option>: This switch causes
    <application>sudo</application> to ignore '.' in the PATH.</para>

    <para><option>--with-all-insults</option>: This switch includes all the
    <application>sudo</application> insult sets.</para>

    <para><option>--enable-shell-sets-home</option>: This switch sets HOME to
    the target user in shell mode.</para>

    <para><option>--disable-root-sudo</option>: This switch keeps the
    <systemitem class="username">root</systemitem> user from running sudo,
    preventing users from chaining commands to get a root shell.</para>

    <para><option>--with-logfac=auth</option>: This switch forces use of the
    auth facility for logging.</para>

    <para><option>--without-pam</option>: This switch disables the use of
    <application>PAM</application> authentication. Omit if you have
    <application>PAM</application> installed.</para>

    <para><option>--without-sendmail</option>: This switch disables the use of
    sendmail. Remove it if you have a sendmail-compatible MTA.</para>

    <para><option>--enable-noargs-shell</option>: This switch allows
    <application>sudo</application> to run a shell if invoked with no
    arguments.</para>

    <note>
      <para>There are many options to <application>sudo</application>'s
      <command>configure</command> command. Check the
      <command>configure --help</command> output for a complete list.</para>
    </note>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring Sudo</title>

    <sect3 id="sudo-config">
      <title>Config File</title>

      <para><filename>/etc/sudoers</filename></para>

      <indexterm zone="sudo sudo-config">
        <primary sortas="e-etc-sudoers">/etc/sudoers</primary>
      </indexterm>

    </sect3>

    <sect3>
      <title>Configuration Information</title>

      <para>The <filename>sudoers</filename> file can be quite complicated. It
      is composed of two types of entries: aliases (basically variables) and
      user specifications (which specify who may run what). The default
      configuration installed by this package grants no privileges to any
      user.</para>

      <para>One example usage is to allow the system administrator to execute
      any program without typing a password each time root privileges are
      needed. This can be configured as:</para>

<screen># User alias specification
User_Alias ADMIN = YourLoginId

# Allow users in the ADMIN alias to run all commands without a password
ADMIN ALL = NOPASSWD: ALL</screen>

      <para>For details, see <command>man sudoers</command>.</para>

      <note>
        <para>The <application>Sudo</application> developers highly recommend
        using the <command>visudo</command> program to edit the
        <filename>sudoers</filename> file. It performs basic sanity
        checks, such as syntax parsing and file permission checks, to avoid
        mistakes that could lead to a vulnerable configuration.</para>
      </note>
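      <para>The two entry types described above (aliases and user
      specifications) and the kind of check <command>visudo</command> performs
      can be illustrated with a small auditing script. The following is an added
      example, not part of the BLFS book or of the sudo project: it parses only
      the subset of the <filename>sudoers</filename> grammar that the book's
      sample uses (comments, <literal>User_Alias</literal> lines, and user
      specifications of the form <literal>WHO HOSTS = (RUNAS) TAGS: COMMANDS</literal>),
      resolves alias members, and reports which users end up with an
      unrestricted grant. The sample file, the user names and the
      <literal>systemctl</literal> rule are constructed for the example.
      Real <filename>sudoers</filename> files also carry
      <literal>Defaults</literal>, <literal>Host_Alias</literal>,
      <literal>Cmnd_Alias</literal>, <literal>%group</literal> entries and
      includes, none of which this script handles; <command>visudo -c</command>
      remains the authoritative syntax check.</para>

```python
"""Minimal sudoers auditor (added example, not BLFS or sudo project code).

Handles only: comments, User_Alias lines, and user specifications of the
form  WHO HOSTS = (RUNAS) [TAG: ...] COMMAND[, COMMAND...].
"""
import re

# Constructed sample in the shape of the book's example (not a real host's file).
SAMPLE_SUDOERS = """\
# User alias specification
User_Alias ADMIN = alice, bob

# Allow users in the ADMIN alias to run all commands without a password
ADMIN ALL = NOPASSWD: ALL

# carol may restart one service; a password is still required
carol ALL = (root) /usr/bin/systemctl restart httpd
"""

SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*"   # user/alias and host list
    r"(?:\((?P<runas>[^)]*)\)\s*)?"            # optional (runas) part
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"              # zero or more TAG: prefixes
    r"(?P<cmds>.+)$"                           # comma-separated commands
)


def parse_sudoers(text):
    """Return (aliases, specs).

    aliases: {"ADMIN": ["alice", "bob"]}
    specs:   list of dicts with keys who, hosts, runas, tags, cmds
    Lines outside the supported subset raise ValueError rather than being
    silently skipped, so an audit never under-reports.
    """
    aliases = {}
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("User_Alias"):
            _, rest = line.split(None, 1)
            name, members = rest.split("=", 1)
            aliases[name.strip()] = [m.strip() for m in members.split(",")]
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError("unsupported sudoers line: %r" % raw)
        tags = [t for t in m.group("tags").replace(" ", "").split(":") if t]
        specs.append({
            "who": m.group("who"),
            "hosts": m.group("hosts"),
            "runas": m.group("runas") or "root",   # sudo's default target user
            "tags": tags,
            "cmds": [c.strip() for c in m.group("cmds").split(",")],
        })
    return aliases, specs


def expand_users(who, aliases):
    """Resolve a User_Alias name to its members; anything else is literal."""
    return aliases.get(who, [who])


def audit(text):
    """Return (user, finding) pairs for grants that deserve review."""
    aliases, specs = parse_sudoers(text)
    findings = []
    for spec in specs:
        if "ALL" not in spec["cmds"]:
            continue   # a specific command list is the intended shape
        for user in expand_users(spec["who"], aliases):
            if "NOPASSWD" in spec["tags"]:
                findings.append((user, "unrestricted passwordless root"))
            else:
                findings.append((user, "unrestricted root (password required)"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_SUDOERS):
        print("%s: %s" % (user, finding))
```

      <para>Running the script on the sample reports both members of the
      <literal>ADMIN</literal> alias and says nothing about
      <literal>carol</literal>, whose rule names a single command. This is the
      review an administrator wants before installing a file with
      <literal>NOPASSWD: ALL</literal> in it.</para>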

      <para>If you've built <application>Sudo</application> with
      <application>PAM</application> support, issue the following
      command as the <systemitem class="username">root</systemitem> user
      to create the <application>PAM</application> configuration file:</para>

<screen role="root"><userinput>cat &gt; /etc/pam.d/sudo &lt;&lt; "EOF" &amp;&amp;
# Begin /etc/pam.d/sudo

# include the default auth settings
auth      include     system-auth

# include the default account settings
account   include     system-account

# Use xauth keys (if available)
session   optional    pam_xauth.so

# Set default environment variables for the service user
session   required    pam_env.so

# include system session defaults
session   include     system-session

# End /etc/pam.d/sudo
EOF
chmod 644 /etc/pam.d/sudo</userinput></screen>
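      <para>Each non-comment line of a <filename>/etc/pam.d</filename> service
      file has the shape <literal>TYPE CONTROL MODULE [ARGS...]</literal>, where
      <literal>TYPE</literal> is one of <literal>auth</literal>,
      <literal>account</literal>, <literal>password</literal> or
      <literal>session</literal>. The following added example, not part of the
      BLFS book or of Linux-PAM, parses a file in that format and checks that
      the stack the book writes above provides the <literal>auth</literal>,
      <literal>account</literal> and <literal>session</literal> groups and
      lists which system stacks it pulls in through <literal>include</literal>.
      The sample text is a constructed copy of the book's file; the second,
      deliberately incomplete sample is constructed to show a failing
      check.</para>

```python
"""Parse a /etc/pam.d service file and check the stack the book configures.

Added example, not BLFS or Linux-PAM code. Only the four standard
management groups and the line shape TYPE CONTROL MODULE [ARGS...] are
handled; lines outside that raise ValueError.
"""

# Constructed copy of the stack the book writes to /etc/pam.d/sudo.
SAMPLE_PAM_SUDO = """\
# Begin /etc/pam.d/sudo

# include the default auth settings
auth      include     system-auth

# include the default account settings
account   include     system-account

# Use xauth keys (if available)
session   optional    pam_xauth.so

# Set default environment variables for the service user
session   required    pam_env.so

# include system session defaults
session   include     system-session

# End /etc/pam.d/sudo
"""

# Constructed variant that lacks an account stack, to show a failing check.
BROKEN_PAM_SUDO = """\
auth      include     system-auth
session   include     system-session
"""

PAM_TYPES = {"auth", "account", "password", "session"}


def parse_pam(text):
    """Return a list of (type, control, module, args) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0] not in PAM_TYPES:
            raise ValueError("malformed PAM line: %r" % raw)
        entries.append((parts[0], parts[1], parts[2], parts[3:]))
    return entries


def included_stacks(entries):
    """Names of other pam.d files this service pulls in via 'include'."""
    return [module for (_, control, module, _) in entries if control == "include"]


def check_sudo_stack(text):
    """Return a list of problems with a sudo service stack (empty means ok).

    The book's file provides auth, account and session entries; a stack
    missing one of those groups gives sudo nothing to authenticate,
    authorise or set up a session with through PAM.
    """
    problems = []
    entries = parse_pam(text)
    present = {entry[0] for entry in entries}
    for required in ("auth", "account", "session"):
        if required not in present:
            problems.append("no %s entries" % required)
    return problems


if __name__ == "__main__":
    print("includes:", included_stacks(parse_pam(SAMPLE_PAM_SUDO)))
    print("book file:", check_sudo_stack(SAMPLE_PAM_SUDO) or "ok")
    print("broken file:", check_sudo_stack(BROKEN_PAM_SUDO))
```

      <para>The checks are structural only; whether the included
      <literal>system-auth</literal> and <literal>system-account</literal>
      stacks themselves are sound is a matter for the
      <application>Linux-PAM</application> configuration they live in.</para>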

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Library</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>sudo, sudoedit, and visudo</seg>
        <seg>sudo_noexec.so</seg>
        <seg>None</seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="sudo_prog">
        <term><command>sudo</command></term>
        <listitem>
          <para>executes a command as another user as permitted by
          the <filename>/etc/sudoers</filename> configuration file.
          </para>
          <indexterm zone="sudo sudo">
            <primary sortas="b-sudo">sudo</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sudoedit">
        <term><command>sudoedit</command></term>
        <listitem>
          <para>is a hard link to <command>sudo</command> that implies
          the <option>-e</option> option to invoke an editor as another
          user.</para>
          <indexterm zone="sudo sudoedit">
            <primary sortas="b-sudoedit">sudoedit</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="visudo">
        <term><command>visudo</command></term>
        <listitem>
          <para>allows for safer editing of the <filename>sudoers</filename>
          file.</para>
          <indexterm zone="sudo visudo">
            <primary sortas="b-visudo">visudo</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sudo_noexec">
        <term><filename class='libraryfile'>sudo_noexec.so</filename></term>
        <listitem>
          <para>enables support for the "noexec" functionality which prevents
          a dynamically-linked program being run by sudo from executing
          another program (think shell escapes).</para>
          <indexterm zone="sudo sudo_noexec">
            <primary sortas="c-sudo_noexec">sudo_noexec.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>