source: postlfs/security/sudo.xml@ 741f35be

Last change on this file since 741f35be was 741f35be, checked in by Bruce Dubbs <bdubbs@…>, 4 years ago

Update to ffmpeg-4.2.2.
Update to libjpeg-turbo-2.0.4.
Update to sudo-1.8.30.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@22533 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 11.8 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY sudo-download-http "http://www.sudo.ws/dist/sudo-&sudo-version;.tar.gz">
8 <!ENTITY sudo-download-ftp "ftp://ftp.sudo.ws/pub/sudo/sudo-&sudo-version;.tar.gz">
9 <!ENTITY sudo-md5sum "d56cd5835b1cc9852bd76ddaaa572475">
10 <!ENTITY sudo-size "3.2 MB">
11 <!ENTITY sudo-buildsize "39 MB (with tests)">
12 <!ENTITY sudo-time "0.4 SBU (with tests)">
13]>
14
15<sect1 id="sudo" xreflabel="Sudo-&sudo-version;">
16 <?dbhtml filename="sudo.html"?>
17
18 <sect1info>
19 <othername>$LastChangedBy$</othername>
20 <date>$Date$</date>
21 </sect1info>
22
23 <title>Sudo-&sudo-version;</title>
24
25 <indexterm zone="sudo">
26 <primary sortas="a-Sudo">Sudo</primary>
27 </indexterm>
28
29 <sect2 role="package">
30 <title>Introduction to Sudo</title>
31
32 <para>
33 The <application>Sudo</application> package allows a system administrator
34 to give certain users (or groups of users) the ability to run
35 some (or all) commands as
36 <systemitem class="username">root</systemitem> or another user while
37 logging the commands and arguments.
38 </para>
39
40 &lfs90_checked;
41
42 <bridgehead renderas="sect3">Package Information</bridgehead>
43 <itemizedlist spacing="compact">
44 <listitem>
45 <para>
46 Download (HTTP): <ulink url="&sudo-download-http;"/>
47 </para>
48 </listitem>
49 <listitem>
50 <para>
51 Download (FTP): <ulink url="&sudo-download-ftp;"/>
52 </para>
53 </listitem>
54 <listitem>
55 <para>
56 Download MD5 sum: &sudo-md5sum;
57 </para>
58 </listitem>
59 <listitem>
60 <para>
61 Download size: &sudo-size;
62 </para>
63 </listitem>
64 <listitem>
65 <para>
66 Estimated disk space required: &sudo-buildsize;
67 </para>
68 </listitem>
69 <listitem>
70 <para>
71 Estimated build time: &sudo-time;
72 </para>
73 </listitem>
74 </itemizedlist>
75
76 <bridgehead renderas="sect3">Sudo Dependencies</bridgehead>
77
78 <bridgehead renderas="sect4">Optional</bridgehead>
79 <para role="optional">
80 <xref linkend="linux-pam"/>,
81 <xref linkend="mitkrb"/>,
82 <xref linkend="openldap"/>,
83 <xref linkend="server-mail"/> (that provides a
84 <command>sendmail</command> command),
85 <ulink url="http://www.openafs.org/">AFS</ulink>,
86 <ulink url="http://www.fwtk.org/">FWTK</ulink>, and
87 <ulink url="&sourceforge-dl;/opie/">Opie</ulink>
88<!-- <ulink url="http://www.rsa.com/node.aspx?id=1156">SecurID</ulink>-->
89 </para>
90
91 <para condition="html" role="usernotes">User Notes:
92 <ulink url="&blfs-wiki;/sudo"/>
93 </para>
94 </sect2>
95
96 <sect2 role="installation">
97 <title>Installation of Sudo</title>
98
99 <para>
100 First, fix a problem that prevents the installation from completing:
101 </para>
102
103<screen><userinput>sed -e '/^pre-install:/{N;s@;@ -a -r $(sudoersdir)/sudoers;@}' \
104 -i plugins/sudoers/Makefile.in</userinput></screen>
105
106 <para>
107 Install <application>Sudo</application> by running the following commands:
108 </para>
109
110<!-- Developer: apparently it is disabled by default, although in configure it
111is written otherwise -disable-static \-->
112<screen><userinput>./configure --prefix=/usr \
113 --libexecdir=/usr/lib \
114 --with-secure-path \
115 --with-all-insults \
116 --with-env-editor \
117 --docdir=/usr/share/doc/sudo-&sudo-version; \
118 --with-passprompt="[sudo] password for %p: " &amp;&amp;
119make</userinput></screen>
120
121 <para>
122 To test the results, issue: <command>env LC_ALL=C make check 2&gt;&amp;1
123 | tee ../make-check.log</command>. Check the results with <command>grep
124 failed ../make-check.log</command>. One test, test3, is known to fail
125 if the tests are run as the root user.
126 </para>
127
128 <para>
129 Now, as the <systemitem class="username">root</systemitem> user:
130 </para>
131
132<screen role="root"><userinput>make install &amp;&amp;
133ln -sfv libsudo_util.so.0.0.0 /usr/lib/sudo/libsudo_util.so.0</userinput></screen>
134
135 </sect2>
136
137 <sect2 role="commands">
138 <title>Command Explanations</title>
139
140 <para>
141 <parameter>--libexecdir=/usr/lib</parameter>: This switch controls where
142 private programs are installed. Everything in that directory is a library, so
143 they belong under <filename class="directory">/usr/lib</filename> instead of
144 <filename class="directory">/usr/libexec</filename>.
145 </para>
146
147 <para>
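148 <parameter>--with-secure-path</parameter>: This switch transparently adds
149 <filename class="directory">/sbin</filename> and <filename
150 class="directory">/usr/sbin</filename> directories to the
151 <envar>PATH</envar> environment variable. The resulting path is built in as the default <literal>secure_path</literal> and is used for commands run through <command>sudo</command> in place of the invoking user's <envar>PATH</envar>.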
152 </para>
153
154 <para>
155 <parameter>--with-all-insults</parameter>: This switch includes all the
156 <application>sudo</application> insult sets.
157 </para>
158
159 <para>
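160 <parameter>--with-env-editor</parameter>: This switch enables use of the
161 environment variable EDITOR for <command>visudo</command>. The editor named there runs with the privileges <command>visudo</command> was started with; see the <literal>env_editor</literal> description in <command>man sudoers</command>.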
162 </para>
163
164 <para>
165 <parameter>--with-passprompt</parameter>: This switch sets the password prompt.
166 </para>
167
168 <para>
169 <option>--without-pam</option>: This switch avoids building
170 <application>Linux-PAM</application> support when
171 <application>Linux-PAM</application> is installed on the system.
172 </para>
173<!-- See the developer note above before the configure command
174 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
175 href="../../xincludes/static-libraries.xml"/>-->
176
177 <note>
178 <para>
179 There are many options to <application>sudo</application>'s
180 <command>configure</command> command. Check the
181 <command>configure --help</command> output for a complete list.
182 </para>
183 </note>
184
185 <para>
186 <command>ln -sfv libsudo_util...</command>: Works around a bug in the
187 installation process, which links to the previously installed
188 version (if there is one) instead of the new one.
189 </para>
190
191 </sect2>
192
193 <sect2 role="configuration">
194 <title>Configuring Sudo</title>
195
196 <sect3 id="sudo-config">
197 <title>Config File</title>
198
199 <para>
200 <filename>/etc/sudoers</filename>
201 </para>
202
203 <indexterm zone="sudo sudo-config">
204 <primary sortas="e-etc-sudoers">/etc/sudoers</primary>
205 </indexterm>
206
207 </sect3>
208
209 <sect3>
210 <title>Configuration Information</title>
211
212 <para>
213 The <filename>sudoers</filename> file can be quite complicated. It
214 is composed of two types of entries: aliases (basically variables) and
215 user specifications (which specify who may run what). The installation
216 installs a default configuration that has no privileges installed for
217 any user.
218 </para>
219
220 <para>
221 A couple of common configuration changes are to set the path for the
222 super user and to allow members of the wheel group to execute all
223 commands after providing their own credentials. Use the following
224 commands to create the <filename>/etc/sudoers.d/sudo</filename>
225 configuration file as the
226 <systemitem class="username">root</systemitem> user:
227 </para>
228
229<screen role="root"><userinput>cat &gt; /etc/sudoers.d/sudo &lt;&lt; "EOF"
230<literal>Defaults secure_path="/usr/bin:/bin:/usr/sbin:/sbin"
231%wheel ALL=(ALL) ALL</literal>
232EOF</userinput></screen>
233
234 <para>
235 For details, see <command>man sudoers</command>.
236 </para>
237
238 <note>
239 <para>
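240 The <application>Sudo</application> developers highly recommend
241 using the <command>visudo</command> program to edit the
242 <filename>sudoers</filename> file. This will provide basic sanity
243 checking like syntax parsing and file permissions to avoid some
244 possible mistakes that could lead to a vulnerable configuration. A file written directly, such as <filename>/etc/sudoers.d/sudo</filename> above, can be checked for syntax errors afterwards with <command>visudo -c -f /etc/sudoers.d/sudo</command>.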
245 </para>
246 </note>
247
248 <para>
249 If <application>PAM</application> is installed on the system,
250 <application>Sudo</application> is built with
251 <application>PAM</application> support. In that case, issue the
252 following command as the <systemitem class="username">root</systemitem>
253 user to create the <application>PAM</application> configuration file:
254 </para>
255
256<screen role="root"><userinput>cat &gt; /etc/pam.d/sudo &lt;&lt; "EOF"
257<literal># Begin /etc/pam.d/sudo
258
259# include the default auth settings
260auth include system-auth
261
262# include the default account settings
263account include system-account
264
265# Set default environment variables for the service user
266session required pam_env.so
267
268# include system session defaults
269session include system-session
270
271# End /etc/pam.d/sudo</literal>
272EOF
273chmod 644 /etc/pam.d/sudo</userinput></screen>
274
275 </sect3>
276
277 </sect2>
278
279 <sect2 role="content">
280 <title>Contents</title>
281
282 <segmentedlist>
283 <segtitle>Installed Programs</segtitle>
284 <segtitle>Installed Libraries</segtitle>
285 <segtitle>Installed Directories</segtitle>
286
287 <seglistitem>
288 <seg>
289 cvtsudoers, sudo, sudoedit (symlink), sudoreplay, and visudo
290 </seg>
291 <seg>
292 group_file.so, libsudo_util.so,
293 sudoers.so, sudo_noexec.so, and system_group.so
294 </seg>
295 <seg>
296 /etc/sudoers.d,
297 /usr/lib/sudo,
298 /usr/share/doc/sudo-&sudo-version;, and
299 /var/{lib,run}/sudo
300 </seg>
301 </seglistitem>
302 </segmentedlist>
303
304 <variablelist>
305 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
306 <?dbfo list-presentation="list"?>
307 <?dbhtml list-presentation="table"?>
308
309 <varlistentry id="cvtsudoers">
310 <term><command>cvtsudoers</command></term>
311 <listitem>
312 <para>
313 converts between sudoers file formats.
314 </para>
315 <indexterm zone="sudo cvtsudoers">
316 <primary sortas="b-cvtsudoers">cvtsudoers</primary>
317 </indexterm>
318 </listitem>
319 </varlistentry>
320
321 <varlistentry id="sudo_prog">
322 <term><command>sudo</command></term>
323 <listitem>
324 <para>
325 executes a command as another user as permitted by
326 the <filename>/etc/sudoers</filename> configuration file.
327 </para>
328 <indexterm zone="sudo sudo">
329 <primary sortas="b-sudo">sudo</primary>
330 </indexterm>
331 </listitem>
332 </varlistentry>
333
334 <varlistentry id="sudoedit">
335 <term><command>sudoedit</command></term>
336 <listitem>
337 <para>
338 is a symlink to <command>sudo</command> that implies the
339 <option>-e</option> option to invoke an editor as another user.
340 </para>
341 <indexterm zone="sudo sudoedit">
342 <primary sortas="b-sudoedit">sudoedit</primary>
343 </indexterm>
344 </listitem>
345 </varlistentry>
346
347 <varlistentry id="sudoreplay">
348 <term><command>sudoreplay</command></term>
349 <listitem>
350 <para>
351 is used to play back or list the output
352 logs created by <command>sudo</command>.
353 </para>
354 <indexterm zone="sudo sudoreplay">
355 <primary sortas="b-sudoreplay">sudoreplay</primary>
356 </indexterm>
357 </listitem>
358 </varlistentry>
359
360 <varlistentry id="visudo">
361 <term><command>visudo</command></term>
362 <listitem>
363 <para>
364 allows for safer editing of the <filename>sudoers</filename>
365 file.
366 </para>
367 <indexterm zone="sudo visudo">
368 <primary sortas="b-visudo">visudo</primary>
369 </indexterm>
370 </listitem>
371 </varlistentry>
372
373 </variablelist>
374
375 </sect2>
376
377</sect1>