Context Navigation

source: postlfs/security/sudo.xml@ 7826062

Visit:

11.1 11.2 11.3 12.0 12.1 kea ken/TL2024 ken/inkscape-core-mods ken/tuningfonts lazarus lxqt plabs/newcss plabs/python-mods python3.11 qt5new rahul/power-profiles-daemon renodr/vulkan-addition trunk upgradedb xry111/intltool xry111/llvm18 xry111/soup3 xry111/test-20220226 xry111/xf86-video-removal

Last change on this file since 7826062 was 7826062, checked in by Pierre Labastie <pierre.labastie@…>, 2 years ago
Change to 00-sudo also in text
Property mode set to `100644`
File size: 13.1 KB

Line
1	<?xml version="1.0" encoding="ISO-8859-1"?>
2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4	<!ENTITY % general-entities SYSTEM "../../general.ent">
5	%general-entities;
6
7	<!ENTITY sudo-download-http "https://www.sudo.ws/dist/sudo-&sudo-version;.tar.gz">
8	<!ENTITY sudo-download-ftp "ftp://ftp.sudo.ws/pub/sudo/sudo-&sudo-version;.tar.gz">
9	<!ENTITY sudo-md5sum "f831c1d62835cde89c261465d9c781e4">
10	<!ENTITY sudo-size "4.1 MB">
11	<!ENTITY sudo-buildsize "45 MB (add 14 MB for tests)">
12	<!ENTITY sudo-time "0.5 SBU (add 0.1 SBU for tests)">
13	]>
14
15	<sect1 id="sudo" xreflabel="Sudo-&sudo-version;">
16	<?dbhtml filename="sudo.html"?>
17
18	<sect1info>
19	<date>$Date$</date>
20	</sect1info>
21
22	<title>Sudo-&sudo-version;</title>
23
24	<indexterm zone="sudo">
25	<primary sortas="a-Sudo">Sudo</primary>
26	</indexterm>
27
28	<sect2 role="package">
29	<title>Introduction to Sudo</title>
30
31	<para>
32	The <application>Sudo</application> package allows a system administrator
33	to give certain users (or groups of users) the ability to run
34	some (or all) commands as
35	<systemitem class="username">root</systemitem> or another user while
36	logging the commands and arguments.
37	</para>
38
39	&lfs110a_checked;
40
41	<bridgehead renderas="sect3">Package Information</bridgehead>
42	<itemizedlist spacing="compact">
43	<listitem>
44	<para>
45	Download (HTTP): <ulink url="&sudo-download-http;"/>
46	</para>
47	</listitem>
48	<listitem>
49	<para>
50	Download (FTP): <ulink url="&sudo-download-ftp;"/>
51	</para>
52	</listitem>
53	<listitem>
54	<para>
55	Download MD5 sum: &sudo-md5sum;
56	</para>
57	</listitem>
58	<listitem>
59	<para>
60	Download size: &sudo-size;
61	</para>
62	</listitem>
63	<listitem>
64	<para>
65	Estimated disk space required: &sudo-buildsize;
66	</para>
67	</listitem>
68	<listitem>
69	<para>
70	Estimated build time: &sudo-time;
71	</para>
72	</listitem>
73	</itemizedlist>
74
75	<bridgehead renderas="sect3">Sudo Dependencies</bridgehead>
76
77	<bridgehead renderas="sect4">Optional</bridgehead>
78	<para role="optional">
79	<xref linkend="linux-pam"/>,
80	<xref linkend="mitkrb"/>,
81	<xref linkend="openldap"/>,
82	<xref linkend="server-mail"/> (that provides a
83	<command>sendmail</command> command),
84	<ulink url="http://www.openafs.org/">AFS</ulink>,
85	<ulink url="http://www.fwtk.org/">FWTK</ulink>, and
86	<ulink url="&sourceforge-dl;/opie/">Opie</ulink>
87	</para>
88
89	<para condition="html" role="usernotes">User Notes:
90	<ulink url="&blfs-wiki;/sudo"/>
91	</para>
92	</sect2>
93
94	<sect2 role="installation">
95	<title>Installation of Sudo</title>
96
97	<para>
98	Install <application>Sudo</application> by running the following commands:
99	</para>
100
101	<screen><userinput>./configure --prefix=/usr \
102	--libexecdir=/usr/lib \
103	--with-secure-path \
104	--with-all-insults \
105	--with-env-editor \
106	--docdir=/usr/share/doc/sudo-&sudo-version; \
107	--with-passprompt="[sudo] password for %p: " &&
108	make</userinput></screen>
109
110	<para>
111	To test the results, issue: <command>env LC_ALL=C make check 2>&1
112	\| tee make-check.log</command>. Check the results with <command>grep
113	failed make-check.log</command>.
114	</para>
115
116	<para>
117	Now, as the <systemitem class="username">root</systemitem> user:
118	</para>
119
120	<screen role="root"><userinput>make install &&
121	ln -sfv libsudo_util.so.0.0.0 /usr/lib/sudo/libsudo_util.so.0</userinput></screen>
122
123	</sect2>
124
125	<sect2 role="commands">
126	<title>Command Explanations</title>
127
128	<para>
129	<parameter>--libexecdir=/usr/lib</parameter>: This switch controls where
130	private programs are installed. Everything in that directory is a library, so
131	they belong under <filename class="directory">/usr/lib</filename> instead of
132	<filename class="directory">/usr/libexec</filename>.
133	</para>
134
135	<para>
136	<parameter>--with-secure-path</parameter>: This switch transparently adds
137	<filename class="directory">/sbin</filename> and <filename
138	class="directory">/usr/sbin</filename> directories to the
139	<envar>PATH</envar> environment variable.
140	</para>
141
142	<para>
143	<parameter>--with-all-insults</parameter>: This switch includes all the
144	<application>sudo</application> insult sets.
145	</para>
146
147	<para>
148	<parameter>--with-env-editor</parameter>: This switch enables use of the
149	environment variable EDITOR for <command>visudo</command>.
150	</para>
151
152	<para>
153	<parameter>--with-passprompt</parameter>: This switch sets the password prompt.
154	The <parameter>%p</parameter> will be expanded to the name of the user whose password is being requested.
155	</para>
156
157	<para>
158	<option>--without-pam</option>: This switch avoids building
159	<application>Linux-PAM</application> support when
160	<application>Linux-PAM</application> is installed on the system.
161	</para>
162	<!-- See the developer note above before the configure command
163	<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
164	href="../../xincludes/static-libraries.xml"/>-->
165
166	<note>
167	<para>
168	There are many options to <application>sudo</application>'s
169	<command>configure</command> command. Check the
170	<command>configure --help</command> output for a complete list.
171	</para>
172	</note>
173
174	<para>
175	<command>ln -sfv libsudo_util...</command>: Works around a bug in the
176	installation process, which links to the previously installed
177	version (if there is one) instead of the new one.
178	</para>
179
180	</sect2>
181
182	<sect2 role="configuration">
183	<title>Configuring Sudo</title>
184
185	<sect3 id="sudo-config">
186	<title>Config File</title>
187
188	<para>
189	<filename>/etc/sudoers</filename>
190	</para>
191
192	<indexterm zone="sudo sudo-config">
193	<primary sortas="e-etc-sudoers">/etc/sudoers</primary>
194	</indexterm>
195
196	</sect3>
197
198	<sect3>
199	<title>Configuration Information</title>
200
201	<para>
202	The <filename>sudoers</filename> file can be quite complicated. It
203	is composed of two types of entries: aliases (basically variables) and
204	user specifications (which specify who may run what). The installation
205	installs a default configuration that has no privileges installed for
206	any user.
207	</para>
208
209	<para>
210	A couple of common configuration changes are to set the path for the
211	super user and to allow members of the wheel group to execute all
212	commands after providing their own credientials. Use the following
213	commands to create the <filename>/etc/sudoers.d/00-sudo</filename>
214	configuration file as the
215	<systemitem class="username">root</systemitem> user:
216	</para>
217
218	<screen role="root"><userinput>cat > /etc/sudoers.d/00-sudo << "EOF"
219	<literal>Defaults secure_path="/usr/sbin:/usr/bin"
220	%wheel ALL=(ALL) ALL</literal>
221	EOF</userinput></screen>
222
223	<note>
224	<para>
225	In very simple installations where there is only one user, it
226	may be easier to just edit the <filename>/etc/sudoers</filename>
227	file directly. In that case, the <varname>secure_path</varname>
228	entry may not be needed and using <command>sudo -E ...</command> can
229	import the non-privileged user's full environment into the
230	privileged session.
231	</para>
232
233	<para>
234	The files in the <filename class="directory">/etc/sudoers.d</filename>
235	directory are parsed in sorted lexical order. Be careful that entries
236	in an added file do not overwrite previous entries.
237	</para>
238	</note>
239
240	<para>
241	For details, see <command>man sudoers</command>.
242	</para>
243
244	<note>
245	<para>
246	The <application>Sudo</application> developers highly recommend
247	using the <command>visudo</command> program to edit the
248	<filename>sudoers</filename> file. This will provide basic sanity
249	checking like syntax parsing and file permission to avoid some
250	possible mistakes that could lead to a vulnerable configuration.
251	</para>
252	</note>
253
254	<para>
255	If <application>PAM</application> is installed on the system,
256	<application>Sudo</application> is built with
257	<application>PAM</application> support. In that case, issue the
258	following command as the <systemitem class="username">root</systemitem>
259	user to create the <application>PAM</application> configuration file:
260	</para>
261
262	<screen role="root"><userinput>cat > /etc/pam.d/sudo << "EOF"
263	<literal># Begin /etc/pam.d/sudo
264
265	# include the default auth settings
266	auth include system-auth
267
268	# include the default account settings
269	account include system-account
270
271	# Set default environment variables for the service user
272	session required pam_env.so
273
274	# include system session defaults
275	session include system-session
276
277	# End /etc/pam.d/sudo</literal>
278	EOF
279	chmod 644 /etc/pam.d/sudo</userinput></screen>
280
281	</sect3>
282
283	</sect2>
284
285	<sect2 role="content">
286	<title>Contents</title>
287
288	<segmentedlist>
289	<segtitle>Installed Programs</segtitle>
290	<segtitle>Installed Libraries</segtitle>
291	<segtitle>Installed Directories</segtitle>
292
293	<seglistitem>
294	<seg>
295	cvtsudoers, sudo, sudo_logsrvd, sudo_sendlog,
296	sudoedit (symlink), sudoreplay, and visudo
297	</seg>
298	<seg>
299	<!-- [pierre, September 25, 2020] except libsudo_util, the other
300	shared objects in /usr/lib/sudo look more like modules than
301	libraries. Leaving them now, and updating the list, but I think
302	they should not be listed. -->
303	audit_json.so, group_file.so, libsudo_util.so, sample_approval.so,
304	sudoers.so, sudo_noexec.so, and system_group.so
305	</seg>
306	<seg>
307	/etc/sudoers.d,
308	/usr/lib/sudo,
309	/usr/share/doc/sudo-&sudo-version;, and
310	/var/lib/sudo
311	</seg>
312	</seglistitem>
313	</segmentedlist>
314
315	<variablelist>
316	<bridgehead renderas="sect3">Short Descriptions</bridgehead>
317	<?dbfo list-presentation="list"?>
318	<?dbhtml list-presentation="table"?>
319
320	<varlistentry id="cvtsudoers">
321	<term><command>cvtsudoers</command></term>
322	<listitem>
323	<para>
324	converts between sudoers file formats
325	</para>
326	<indexterm zone="sudo cvtsudoers">
327	<primary sortas="b-cvtsudoers">cvtsudoers</primary>
328	</indexterm>
329	</listitem>
330	</varlistentry>
331
332	<varlistentry id="sudo_prog">
333	<term><command>sudo</command></term>
334	<listitem>
335	<para>
336	executes a command as another user as permitted by
337	the <filename>/etc/sudoers</filename> configuration file
338	</para>
339	<indexterm zone="sudo sudo">
340	<primary sortas="b-sudo">sudo</primary>
341	</indexterm>
342	</listitem>
343	</varlistentry>
344
345	<varlistentry id="sudo_logsrvd">
346	<term><command>sudo_logsrvd</command></term>
347	<listitem>
348	<para>
349	is a sudo event and I/O log server
350	</para>
351	<indexterm zone="sudo sudo_logsrvd">
352	<primary sortas="b-sudo_logsrvd">sudo_logsrvd</primary>
353	</indexterm>
354	</listitem>
355	</varlistentry>
356
357	<varlistentry id="sudo_sendlog">
358	<term><command>sudo_sendlog</command></term>
359	<listitem>
360	<para>
361	sends sudo I/O logs to the log server
362	</para>
363	<indexterm zone="sudo sudo_sendlog">
364	<primary sortas="b-sudo_sendlog">sudo_sendlog</primary>
365	</indexterm>
366	</listitem>
367	</varlistentry>
368
369	<varlistentry id="sudoedit">
370	<term><command>sudoedit</command></term>
371	<listitem>
372	<para>
373	is a symlink to <command>sudo</command> that implies the
374	<option>-e</option> option to invoke an editor as another user
375	</para>
376	<indexterm zone="sudo sudoedit">
377	<primary sortas="b-sudoedit">sudoedit</primary>
378	</indexterm>
379	</listitem>
380	</varlistentry>
381
382	<varlistentry id="sudoreplay">
383	<term><command>sudoreplay</command></term>
384	<listitem>
385	<para>
386	is used to play back or list the output
387	logs created by <command>sudo</command>
388	</para>
389	<indexterm zone="sudo sudoreplay">
390	<primary sortas="b-sudoreplay">sudoreplay</primary>
391	</indexterm>
392	</listitem>
393	</varlistentry>
394
395	<varlistentry id="visudo">
396	<term><command>visudo</command></term>
397	<listitem>
398	<para>
399	allows for safer editing of the <filename>sudoers</filename>
400	file
401	</para>
402	<indexterm zone="sudo visudo">
403	<primary sortas="b-visudo">visudo</primary>
404	</indexterm>
405	</listitem>
406	</varlistentry>
407
408	</variablelist>
409
410	</sect2>
411
412	</sect1>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: