source: postlfs/security/sudo.xml@ 858aaf8e

10.0 10.1 11.0 11.1 11.2 11.3 12.0 12.1 7.10 7.4 7.5 7.6 7.6-blfs 7.6-systemd 7.7 7.8 7.9 8.0 8.1 8.2 8.3 8.4 9.0 9.1 basic bdubbs/svn elogind gnome kde5-13430 kde5-14269 kde5-14686 kea ken/TL2024 ken/inkscape-core-mods ken/tuningfonts krejzi/svn lazarus lxqt nosym perl-modules plabs/newcss plabs/python-mods python3.11 qt5new rahul/power-profiles-daemon renodr/vulkan-addition systemd-11177 systemd-13485 trunk upgradedb xry111/intltool xry111/llvm18 xry111/soup3 xry111/test-20220226 xry111/xf86-video-removal
Last change on this file since 858aaf8e was 858aaf8e, checked in by Bruce Dubbs <bdubbs@…>, 11 years ago

Place sudo files in FHS locations

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@11315 af4574ff-66df-0310-9fd7-8a98e5e911e0
  • Property mode set to 100644
File size: 10.5 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY sudo-download-http "http://www.sudo.ws/sudo/dist/sudo-&sudo-version;.tar.gz">
8 <!ENTITY sudo-download-ftp "ftp://ftp.twaren.net/Unix/Security/Sudo/sudo-&sudo-version;.tar.gz">
9 <!ENTITY sudo-md5sum "a02367090e1dac8d0c1747de1127b6bf">
10 <!ENTITY sudo-size "1.9 MB">
11 <!ENTITY sudo-buildsize "31 MB">
12 <!ENTITY sudo-time "0.3 SBU">
13]>
14
15<sect1 id="sudo" xreflabel="Sudo-&sudo-version;">
16 <?dbhtml filename="sudo.html"?>
17
18 <sect1info>
19 <othername>$LastChangedBy$</othername>
20 <date>$Date$</date>
21 </sect1info>
22
23 <title>Sudo-&sudo-version;</title>
24
25 <indexterm zone="sudo">
26 <primary sortas="a-Sudo">Sudo</primary>
27 </indexterm>
28
29 <sect2 role="package">
30 <title>Introduction to Sudo</title>
31
32 <para>
33 The <application>Sudo</application> package allows a system administrator
34 to give certain users (or groups of users) the ability to run
35 some (or all) commands as
36 <systemitem class="username">root</systemitem> or another user while
37 logging the commands and arguments.
38 </para>
39
40 &lfs73_checked;
41
42 <bridgehead renderas="sect3">Package Information</bridgehead>
43 <itemizedlist spacing="compact">
44 <listitem>
45 <para>
46 Download (HTTP): <ulink url="&sudo-download-http;"/>
47 </para>
48 </listitem>
49 <listitem>
50 <para>
51 Download (FTP): <ulink url="&sudo-download-ftp;"/>
52 </para>
53 </listitem>
54 <listitem>
55 <para>
56 Download MD5 sum: &sudo-md5sum;
57 </para>
58 </listitem>
59 <listitem>
60 <para>
61 Download size: &sudo-size;
62 </para>
63 </listitem>
64 <listitem>
65 <para>
66 Estimated disk space required: &sudo-buildsize;
67 </para>
68 </listitem>
69 <listitem>
70 <para>
71 Estimated build time: &sudo-time;
72 </para>
73 </listitem>
74 </itemizedlist>
75
76 <bridgehead renderas="sect3">Sudo Dependencies</bridgehead>
77
78 <bridgehead renderas="sect4">Optional</bridgehead>
79 <para role="optional">
80 <ulink url="http://www.openafs.org/">AFS</ulink>,
81 <ulink url="http://www.fwtk.org/">FWTK</ulink>,
82 <xref linkend="linux-pam"/>,
83 <xref linkend="mitkrb"/>,
84 an <xref linkend="server-mail"/> (that provides a
85 <command>sendmail</command> command),
86 <xref linkend="openldap"/>,
87 <ulink url="ftp://ftp.nrl.navy.mil/pub/security/opie">Opie</ulink> and
88 <ulink url="http://www.rsa.com/node.aspx?id=1156">SecurID</ulink>
89 </para>
90
91 <para condition="html" role="usernotes">User Notes:
92 <ulink url="&blfs-wiki;/sudo"/>
93 </para>
94 </sect2>
95
96 <sect2 role="installation">
97 <title>Installation of Sudo</title>
98
99 <para>
100 Install <application>Sudo</application> by running
101 the following commands:
102 </para>
103
104<screen><userinput>./configure --prefix=/usr \
105 -libexecdir=/usr/lib/sudo \
106 --docdir=/usr/share/doc/sudo-&sudo-version; \
107 --with-timedir=/var/lib/sudo \
108 --with-all-insults \
109 --with-env-editor &amp;&amp;
110make</userinput></screen>
111
112 <para>
113 This package does not come with a test suite.
114 </para>
115
116 <para>
117 Now, as the <systemitem class="username">root</systemitem> user:
118 </para>
119
120<screen role="root"><userinput>make install</userinput></screen>
121
122 </sect2>
123
124 <sect2 role="commands">
125 <title>Command Explanations</title>
126
127 <para>
128 <option>--with-timedir=/var/lib/sudo</option>: This switch places
129 the variable time stamp files in a FHS compatible location.
130 </para>
131
132 <para>
133 <option>--with-all-insults</option>: This switch includes all the
134 <application>sudo</application> insult sets.
135 </para>
136
137 <para>
138 <option>--with-env-editor</option>: This switch enables use of the
139 environment variable EDITOR for <command>visudo</command>.
140 </para>
141
142<!--
143 <para>
144 <option>-&#45;without-pam</option>: This switch disables the use of
145 <application>PAM</application> authentication. Omit if you have
146 <application>Linux PAM</application> installed.
147 </para>
148
149 <para>
150 <option>-&#45;without-sendmail</option>: This switch disables the use of
151 sendmail. Remove if you have a sendmail compatible MTA.
152 </para>
153
154-->
155 <note>
156 <para>
157 There are many options to <application>sudo</application>'s
158 <command>configure</command> command. Check the
159 <command>configure --help</command> output for a complete list.
160 </para>
161 </note>
162
163 </sect2>
164
165 <sect2 role="configuration">
166 <title>Configuring Sudo</title>
167
168 <sect3 id="sudo-config">
169 <title>Config File</title>
170
171 <para><filename>/etc/sudoers</filename></para>
172
173 <indexterm zone="sudo sudo-config">
174 <primary sortas="e-etc-sudoers">/etc/sudoers</primary>
175 </indexterm>
176
177 </sect3>
178
179 <sect3>
180 <title>Configuration Information</title>
181
182 <para>
183 The <filename>sudoers</filename> file can be quite complicated. It
184 is composed of two types of entries: aliases (basically variables) and
185 user specifications (which specify who may run what). The installation
186 installs a default configuration that has no privileges installed for any
187 user.
188 </para>
189
190 <para>
191 One example usage is to allow the system administrator to execute
192 any program without typing a password each time root privileges are
193 needed. This can be configured as:
194 </para>
195
196<screen># User alias specification
197User_Alias ADMIN = YourLoginId
198
199# Allow people in group ADMIN to run all commands without a password
200ADMIN ALL = NOPASSWD: ALL</screen>
201
202 <para>
203 For details, see <command>man sudoers</command>.
204 </para>
205
206 <note>
207 <para>
208 The <application>Sudo</application> developers highly recommend
209 using the <command>visudo</command> program to edit the
210 <filename>sudoers</filename> file. This will provide basic sanity
211 checking like syntax parsing and file permission to avoid some possible
212 mistakes that could lead to a vulnerable configuration.
213 </para>
214 </note>
215
216 <para>
217 If you've built <application>Sudo</application> with
218 <application>PAM</application> support, issue the following
219 command as the <systemitem class="username">root</systemitem> user
220 to create the <application>PAM</application> configuration file:
221 </para>
222
223<screen role="root"><userinput>cat &gt; /etc/pam.d/sudo &lt;&lt; "EOF" &amp;&amp;
224# Begin /etc/pam.d/sudo
225
226# include the default auth settings
227auth include system-auth
228
229# include the default account settings
230account include system-account
231
232# Set default environment variables for the service user
233session required pam_env.so
234
235# include system session defaults
236session include system-session
237
238# End /etc/pam.d/sudo
239EOF
240chmod 644 /etc/pam.d/sudo</userinput></screen>
241
242 </sect3>
243
244 </sect2>
245
246 <sect2 role="content">
247 <title>Contents</title>
248
249 <segmentedlist>
250 <segtitle>Installed Programs</segtitle>
251 <segtitle>Installed Libraries</segtitle>
252 <segtitle>Installed Directories</segtitle>
253
254 <seglistitem>
255 <seg>
256 sudo, sudoedit, sudoreplay and visudo
257 </seg>
258 <seg>
259 group_file.so, sudoers.so, system_group.so, and sudo_noexec.so
260 </seg>
261 <seg>
262 /etc/sudoers.d, /var/lib/sudo, /usr/lib/sudo, and
263 /usr/share/doc/sudo-&sudo-version;
264 </seg>
265 </seglistitem>
266 </segmentedlist>
267
268 <variablelist>
269 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
270 <?dbfo list-presentation="list"?>
271 <?dbhtml list-presentation="table"?>
272
273 <varlistentry id="sudo_prog">
274 <term><command>sudo</command></term>
275 <listitem>
276 <para>
277 executes a command as another user as permitted by
278 the <filename>/etc/sudoers</filename> configuration file.
279 </para>
280 <indexterm zone="sudo sudo">
281 <primary sortas="b-sudo">sudo</primary>
282 </indexterm>
283 </listitem>
284 </varlistentry>
285
286 <varlistentry id="sudoedit">
287 <term><command>sudoedit</command></term>
288 <listitem>
289 <para>
290 is a hard link to <command>sudo</command> that implies the
291 <option>-e</option> option to invoke an editor as another user.
292 </para>
293 <indexterm zone="sudo sudoedit">
294 <primary sortas="b-sudoedit">sudoedit</primary>
295 </indexterm>
296 </listitem>
297 </varlistentry>
298
299 <varlistentry id="visudo">
300 <term><command>visudo</command></term>
301 <listitem>
302 <para>
303 allows for safer editing of the <filename>sudoers</filename>
304 file.
305 </para>
306 <indexterm zone="sudo visudo">
307 <primary sortas="b-visudo">visudo</primary>
308 </indexterm>
309 </listitem>
310 </varlistentry>
311
312 <varlistentry id="sudoreplay">
313 <term><command>sudoreplay</command></term>
314 <listitem>
315 <para>
316 is used to play back or list the output
317 logs created by <command>sudo</command>.
318 </para>
319 <indexterm zone="sudo sudoreplay">
320 <primary sortas="b-sudoreplay">sudoreplay</primary>
321 </indexterm>
322 </listitem>
323 </varlistentry>
324<!--
325 <varlistentry id="sudoers">
326 <term><filename class='libraryfile'>sudoers.so</filename></term>
327 <listitem>
328 <para>
329 is default sudo security policy module.
330 </para>
331 <indexterm zone="sudo sudoers">
332 <primary sortas="c-sudoers">sudoers.so</primary>
333 </indexterm>
334 </listitem>
335 </varlistentry>
336
337 <varlistentry id="sudo_noexec">
338 <term><filename class='libraryfile'>sudo_noexec.so</filename></term>
339 <listitem>
340 <para>
341 enables support for the "noexec" functionality which prevents
342 a dynamically-linked program being run by sudo from executing
343 another program (think shell escapes).
344 </para>
345 <indexterm zone="sudo sudo_noexec">
346 <primary sortas="c-sudo_noexec">sudo_noexec.so</primary>
347 </indexterm>
348 </listitem>
349 </varlistentry>
350-->
351 </variablelist>
352
353 </sect2>
354
355</sect1>
Note: See TracBrowser for help on using the repository browser.