1 | <?xml version="1.0" encoding="ISO-8859-1"?>
|
---|
2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
---|
3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
---|
4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
---|
5 | %general-entities;
|
---|
6 |
|
---|
7 | <!ENTITY sudo-download-http "http://www.sudo.ws/sudo/dist/sudo-&sudo-version;.tar.gz">
|
---|
8 | <!ENTITY sudo-download-ftp "ftp://ftp.twaren.net/Unix/Security/Sudo/sudo-&sudo-version;.tar.gz">
|
---|
9 | <!ENTITY sudo-md5sum "06cfeed4ececfce6c82e03974c588066">
|
---|
10 | <!ENTITY sudo-size "581 KB">
|
---|
11 | <!ENTITY sudo-buildsize "3.9 MB">
|
---|
12 | <!ENTITY sudo-time "less than 0.1 SBU">
|
---|
13 | ]>
|
---|
14 |
|
---|
15 | <sect1 id="sudo" xreflabel="sudo-&sudo-version;">
|
---|
16 | <?dbhtml filename="sudo.html"?>
|
---|
17 |
|
---|
18 | <sect1info>
|
---|
19 | <othername>$LastChangedBy$</othername>
|
---|
20 | <date>$Date$</date>
|
---|
21 | </sect1info>
|
---|
22 |
|
---|
23 | <title>Sudo-&sudo-version;</title>
|
---|
24 |
|
---|
25 | <indexterm zone="sudo">
|
---|
26 | <primary sortas="a-sudo">sudo</primary>
|
---|
27 | </indexterm>
|
---|
28 |
|
---|
29 | <sect2 role="package">
|
---|
30 | <title>Introduction to Sudo</title>
|
---|
31 |
|
---|
32 | <para>The <application>sudo</application> package allows a system
|
---|
33 | administrator to give certain users (or groups of users) the ability to run
|
---|
34 | some (or all) commands as
|
---|
35 | <systemitem class="username">root</systemitem> or another user while
|
---|
36 | logging the commands and arguments.</para>
|
---|
37 |
|
---|
38 | <bridgehead renderas="sect3">Package Information</bridgehead>
|
---|
39 | <itemizedlist spacing="compact">
|
---|
40 | <listitem>
|
---|
41 | <para>Download (HTTP): <ulink url="&sudo-download-http;"/></para>
|
---|
42 | </listitem>
|
---|
43 | <listitem>
|
---|
44 | <para>Download (FTP): <ulink url="&sudo-download-ftp;"/></para>
|
---|
45 | </listitem>
|
---|
46 | <listitem>
|
---|
47 | <para>Download MD5 sum: &sudo-md5sum;</para>
|
---|
48 | </listitem>
|
---|
49 | <listitem>
|
---|
50 | <para>Download size: &sudo-size;</para>
|
---|
51 | </listitem>
|
---|
52 | <listitem>
|
---|
53 | <para>Estimated disk space required: &sudo-buildsize;</para>
|
---|
54 | </listitem>
|
---|
55 | <listitem>
|
---|
56 | <para>Estimated build time: &sudo-time;</para>
|
---|
57 | </listitem>
|
---|
58 | </itemizedlist>
|
---|
59 |
|
---|
60 | <!-- <bridgehead renderas="sect3">Additional Downloads</bridgehead>
|
---|
61 | <itemizedlist spacing='compact'>
|
---|
62 | <listitem>
|
---|
63 | <para>Required patch: <ulink
|
---|
64 | url="&patch-root;/sudo-&sudo-version;-envvar_fix-1.patch"/></para>
|
---|
65 | </listitem>
|
---|
66 | </itemizedlist> -->
|
---|
67 |
|
---|
68 |
|
---|
69 | <bridgehead renderas="sect3">Sudo Dependencies</bridgehead>
|
---|
70 |
|
---|
71 | <bridgehead renderas="sect4">Optional</bridgehead>
|
---|
72 | <para role="optional"><xref linkend="linux-pam"/>,
|
---|
73 | <ulink url="ftp://ftp.nrl.navy.mil/pub/security/opie">Opie</ulink>,
|
---|
74 | <ulink url="http://www.rsa.com/node.aspx?id=1156">SecurID</ulink>,
|
---|
75 | <ulink url="http://www.fwtk.org/">FWTK</ulink>,
|
---|
76 | an <xref linkend="server-mail"/> (that provides a
|
---|
77 | <command>sendmail</command> command),
|
---|
78 | <ulink url="http://www.pdc.kth.se/kth-krb/">krb4</ulink>,
|
---|
79 | <xref linkend="heimdal"/> or <xref linkend="mitkrb"/>,
|
---|
80 | <xref linkend="openldap"/>, and
|
---|
81 | <ulink url="http://www.openafs.org/">AFS</ulink></para>
|
---|
82 |
|
---|
83 | <para condition="html" role="usernotes">User Notes:
|
---|
84 | <ulink url="&blfs-wiki;/sudo"/></para>
|
---|
85 |
|
---|
86 | </sect2>
|
---|
87 |
|
---|
88 | <sect2 role="installation">
|
---|
89 | <title>Installation of Sudo</title>
|
---|
90 |
|
---|
91 | <para>Install <application>sudo</application> by running
|
---|
92 | the following commands:</para>
|
---|
93 |
|
---|
94 | <!-- <screen><userinput>patch -Np1 -i ../sudo-&sudo-version;-envvar_fix-1.patch &&
|
---|
95 | -->
|
---|
96 | <screen><userinput>./configure --prefix=/usr --libexecdir=/usr/lib \
|
---|
97 | --with-ignore-dot --with-all-insults \
|
---|
98 | --enable-shell-sets-home --disable-root-sudo \
|
---|
99 | --with-logfac=auth --without-pam --without-sendmail &&
|
---|
100 | make</userinput></screen>
|
---|
101 |
|
---|
102 | <para>This package does not come with a test suite.</para>
|
---|
103 |
|
---|
104 | <para>Now, as the <systemitem class="username">root</systemitem> user:</para>
|
---|
105 |
|
---|
106 | <screen role="root"><userinput>make install</userinput></screen>
|
---|
107 |
|
---|
108 | </sect2>
|
---|
109 |
|
---|
110 | <sect2 role="commands">
|
---|
111 | <title>Command Explanations</title>
|
---|
112 |
|
---|
113 | <para><option>--with-ignore-dot</option>: This switch causes
|
---|
114 | <application>sudo</application> to ignore '.' in the PATH.</para>
|
---|
115 |
|
---|
116 | <para><option>--with-all-insults</option>: This switch includes all the
|
---|
117 | <application>sudo</application> insult sets.</para>
|
---|
118 |
|
---|
119 | <para><option>--enable-shell-sets-home</option>: This switch sets HOME to
|
---|
120 | the target user in shell mode.</para>
|
---|
121 |
|
---|
122 | <para><option>--disable-root-sudo</option>: This switch keeps the
|
---|
123 | <systemitem class="username">root</systemitem> user from running sudo,
|
---|
124 | preventing users from chaining commands to get a root shell.</para>
|
---|
125 |
|
---|
126 | <para><option>--with-logfac=auth</option>: This switch forces use of the
|
---|
127 | auth facility for logging.</para>
|
---|
128 |
|
---|
129 | <para><option>--without-pam</option>: This switch disables the use of
|
---|
130 | <application>PAM</application> authentication. Omit if you have
|
---|
131 | <application>PAM</application> installed.</para>
|
---|
132 |
|
---|
133 | <para><option>--without-sendmail</option>: This switch disables the use of
|
---|
134 | sendmail. Remove if you have a sendmail compatible MTA.</para>
|
---|
135 |
|
---|
136 | <para><option>--enable-noargs-shell</option>: This switch allows
|
---|
137 | <application>sudo</application> to run a shell if invoked with no
|
---|
138 | arguments.</para>
|
---|
139 |
|
---|
140 | <note>
|
---|
141 | <para>There are many options to <application>sudo</application>'s
|
---|
142 | <command>configure</command> command. Check the
|
---|
143 | <command>configure --help</command> output for a complete list.</para>
|
---|
144 | </note>
|
---|
145 |
|
---|
146 | </sect2>
|
---|
147 |
|
---|
148 | <sect2 role="configuration">
|
---|
149 | <title>Configuring Sudo</title>
|
---|
150 |
|
---|
151 | <sect3 id="sudo-config">
|
---|
152 | <title>Config File</title>
|
---|
153 |
|
---|
154 | <para><filename>/etc/sudoers</filename></para>
|
---|
155 |
|
---|
156 | <indexterm zone="sudo sudo-config">
|
---|
157 | <primary sortas="e-etc-sudoers">/etc/sudoers</primary>
|
---|
158 | </indexterm>
|
---|
159 |
|
---|
160 | </sect3>
|
---|
161 |
|
---|
162 | <sect3>
|
---|
163 | <title>Configuration Information</title>
|
---|
164 |
|
---|
165 | <para>The <filename>sudoers</filename> file can be quite complicated. It
|
---|
166 | is composed of two types of entries: aliases (basically variables) and
|
---|
167 | user specifications (which specify who may run what). The installation
|
---|
168 | installs a default configuration that has no privileges installed for any
|
---|
169 | user.</para>
|
---|
170 |
|
---|
171 | <para>One example usage is to allow the system administrator to execute
|
---|
172 | any program without typing a password each time root privileges are
|
---|
173 | needed. This can be configured as:</para>
|
---|
174 |
|
---|
175 | <screen># User alias specification
|
---|
176 | User_Alias ADMIN = YourLoginId
|
---|
177 |
|
---|
178 | # Allow people in group ADMIN to run all commands without a password
|
---|
179 | ADMIN ALL = NOPASSWD: ALL</screen>
|
---|
180 |
|
---|
181 | <para>For details, see <command>man sudoers</command>.</para>
|
---|
182 |
|
---|
183 | <note>
|
---|
184 | <para>The <application>Sudo</application> developers highly recommend
|
---|
185 | using the <command>visudo</command> program to edit the
|
---|
186 | <filename>sudoers</filename> file. This will provide basic sanity
|
---|
187 | checking like syntax parsing and file permission to avoid some possible
|
---|
188 | mistakes that could lead to a vulnerable configuration.</para>
|
---|
189 | </note>
|
---|
190 |
|
---|
191 | <para>If you've built <application>Sudo</application> with
|
---|
192 | <application>PAM</application> support, issue the following
|
---|
193 | command as the <systemitem class="username">root</systemitem> user
|
---|
194 | to create the <application>PAM</application> configuration file:</para>
|
---|
195 |
|
---|
196 | <screen role="root"><userinput>sed 's@/su@/sudo@g' /etc/pam.d/su > /etc/pam.d/sudo</userinput></screen>
|
---|
197 |
|
---|
198 | </sect3>
|
---|
199 |
|
---|
200 | </sect2>
|
---|
201 |
|
---|
202 | <sect2 role="content">
|
---|
203 | <title>Contents</title>
|
---|
204 |
|
---|
205 | <segmentedlist>
|
---|
206 | <segtitle>Installed Programs</segtitle>
|
---|
207 | <segtitle>Installed Library</segtitle>
|
---|
208 | <segtitle>Installed Directories</segtitle>
|
---|
209 |
|
---|
210 | <seglistitem>
|
---|
211 | <seg>sudo, sudoedit, and visudo</seg>
|
---|
212 | <seg>sudo_noexec.so</seg>
|
---|
213 | <seg>None</seg>
|
---|
214 | </seglistitem>
|
---|
215 | </segmentedlist>
|
---|
216 |
|
---|
217 | <variablelist>
|
---|
218 | <bridgehead renderas="sect3">Short Descriptions</bridgehead>
|
---|
219 | <?dbfo list-presentation="list"?>
|
---|
220 | <?dbhtml list-presentation="table"?>
|
---|
221 |
|
---|
222 | <varlistentry id="sudo_prog">
|
---|
223 | <term><command>sudo</command></term>
|
---|
224 | <listitem>
|
---|
225 | <para>executes a command as another user as permitted by
|
---|
226 | the <filename>/etc/sudoers</filename> configuration file.
|
---|
227 | </para>
|
---|
228 | <indexterm zone="sudo sudo">
|
---|
229 | <primary sortas="b-sudo">sudo</primary>
|
---|
230 | </indexterm>
|
---|
231 | </listitem>
|
---|
232 | </varlistentry>
|
---|
233 |
|
---|
234 | <varlistentry id="sudoedit">
|
---|
235 | <term><command>sudoedit</command></term>
|
---|
236 | <listitem>
|
---|
237 | <para>is a hard link to <command>sudo</command> that implies
|
---|
238 | the <option>-e</option> option to invoke an editor as another
|
---|
239 | user.</para>
|
---|
240 | <indexterm zone="sudo sudoedit">
|
---|
241 | <primary sortas="b-sudoedit">sudoedit</primary>
|
---|
242 | </indexterm>
|
---|
243 | </listitem>
|
---|
244 | </varlistentry>
|
---|
245 |
|
---|
246 | <varlistentry id="visudo">
|
---|
247 | <term><command>visudo</command></term>
|
---|
248 | <listitem>
|
---|
249 | <para>allows for safer editing of the <filename>sudoers</filename>
|
---|
250 | file.</para>
|
---|
251 | <indexterm zone="sudo visudo">
|
---|
252 | <primary sortas="b-visudo">visudo</primary>
|
---|
253 | </indexterm>
|
---|
254 | </listitem>
|
---|
255 | </varlistentry>
|
---|
256 |
|
---|
257 |
|
---|
258 | <varlistentry id="sudo_noexec">
|
---|
259 | <term><filename class='libraryfile'>sudo_noexec.so</filename></term>
|
---|
260 | <listitem>
|
---|
261 | <para>enables support for the "noexec" functionality which prevents
|
---|
262 | a dynamically-linked program being run by sudo from executing
|
---|
263 | another program (think shell escapes).</para>
|
---|
264 | <indexterm zone="sudo sudo_noexec">
|
---|
265 | <primary sortas="c-sudo_noexec">sudo_noexec.so</primary>
|
---|
266 | </indexterm>
|
---|
267 | </listitem>
|
---|
268 | </varlistentry>
|
---|
269 |
|
---|
270 | </variablelist>
|
---|
271 |
|
---|
272 | </sect2>
|
---|
273 |
|
---|
274 | </sect1>
|
---|