source: postlfs/security/sudo.xml@ 8dfc5c3

10.0 10.1 11.0 11.1 11.2 11.3 12.0 12.1 8.1 8.2 8.3 8.4 9.0 9.1 basic bdubbs/svn elogind kea ken/TL2024 ken/inkscape-core-mods ken/tuningfonts lazarus lxqt perl-modules plabs/newcss plabs/python-mods python3.11 qt5new rahul/power-profiles-daemon renodr/vulkan-addition trunk upgradedb xry111/intltool xry111/llvm18 xry111/soup3 xry111/test-20220226 xry111/xf86-video-removal
Last change on this file since 8dfc5c3 was 8dfc5c3, checked in by Krejzi <krejzi@…>, 7 years ago

Fix some URLs

  • Switch to https:// scheme where possible to avoid redirects
  • Unify all kernel.org, Sourceforge and GNU URLs
  • Fix python and perl module URLs to be consistent
  • Fix github provided URLs to properly download tarballs instead of vFOO.tar.gz
  • Use upstream locations for some packages or better/shorter URLs if available
  • Add https:// URLs for gnupg packages

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@19022 af4574ff-66df-0310-9fd7-8a98e5e911e0
  • Property mode set to 100644
File size: 10.9 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY sudo-download-http "http://www.sudo.ws/dist/sudo-&sudo-version;.tar.gz">
8 <!ENTITY sudo-download-ftp "ftp://ftp.sudo.ws/pub/sudo/sudo-&sudo-version;.tar.gz">
9 <!ENTITY sudo-md5sum "03da8e711caca6fd93e57751bfb74adc">
10 <!ENTITY sudo-size "2.8 MB">
11 <!ENTITY sudo-buildsize "29 MB (with tests)">
12 <!ENTITY sudo-time "0.3 SBU (with tests)">
13]>
14
15<sect1 id="sudo" xreflabel="Sudo-&sudo-version;">
16 <?dbhtml filename="sudo.html"?>
17
18 <sect1info>
19 <othername>$LastChangedBy$</othername>
20 <date>$Date$</date>
21 </sect1info>
22
23 <title>Sudo-&sudo-version;</title>
24
25 <indexterm zone="sudo">
26 <primary sortas="a-Sudo">Sudo</primary>
27 </indexterm>
28
29 <sect2 role="package">
30 <title>Introduction to Sudo</title>
31
32 <para>
33 The <application>Sudo</application> package allows a system administrator
34 to give certain users (or groups of users) the ability to run
35 some (or all) commands as
36 <systemitem class="username">root</systemitem> or another user while
37 logging the commands and arguments.
38 </para>
39
40 &lfs80_checked;
41 &gcc7_checked;
42
43 <bridgehead renderas="sect3">Package Information</bridgehead>
44 <itemizedlist spacing="compact">
45 <listitem>
46 <para>
47 Download (HTTP): <ulink url="&sudo-download-http;"/>
48 </para>
49 </listitem>
50 <listitem>
51 <para>
52 Download (FTP): <ulink url="&sudo-download-ftp;"/>
53 </para>
54 </listitem>
55 <listitem>
56 <para>
57 Download MD5 sum: &sudo-md5sum;
58 </para>
59 </listitem>
60 <listitem>
61 <para>
62 Download size: &sudo-size;
63 </para>
64 </listitem>
65 <listitem>
66 <para>
67 Estimated disk space required: &sudo-buildsize;
68 </para>
69 </listitem>
70 <listitem>
71 <para>
72 Estimated build time: &sudo-time;
73 </para>
74 </listitem>
75 </itemizedlist>
76
77 <bridgehead renderas="sect3">Sudo Dependencies</bridgehead>
78
79 <bridgehead renderas="sect4">Optional</bridgehead>
80 <para role="optional">
81 <xref linkend="linux-pam"/>,
82 <xref linkend="mitkrb"/>,
83 <xref linkend="openldap"/>,
84 <xref linkend="server-mail"/> (that provides a
85 <command>sendmail</command> command),
86 <ulink url="http://www.openafs.org/">AFS</ulink>,
87 <ulink url="http://www.fwtk.org/">FWTK</ulink>, and
88 <ulink url="&sourceforge-dl;/opie/">Opie</ulink>
89<!-- <ulink url="http://www.rsa.com/node.aspx?id=1156">SecurID</ulink>-->
90 </para>
91
92 <para condition="html" role="usernotes">User Notes:
93 <ulink url="&blfs-wiki;/sudo"/>
94 </para>
95 </sect2>
96
97 <sect2 role="installation">
98 <title>Installation of Sudo</title>
99
100 <para>
101 Install <application>Sudo</application> by running the following commands:
102 </para>
103
104<!-- Developer: apparently it is disabled by default, although in configure it
105is written otherwise -disable-static \-->
106<screen><userinput>./configure --prefix=/usr \
107 --libexecdir=/usr/lib \
108 --with-secure-path \
109 --with-all-insults \
110 --with-env-editor \
111 --docdir=/usr/share/doc/sudo-&sudo-version; \
112 --with-passprompt="[sudo] password for %p: " &amp;&amp;
113make</userinput></screen>
114
115 <para>
116 To test the results, issue: <command>env LC_ALL=C make check 2&gt;&amp;1
117 | tee ../make-check.log</command>. Check the results with <command>grep
118 failed ../make-check.log</command>.
119 </para>
120
121 <para>
122 Now, as the <systemitem class="username">root</systemitem> user:
123 </para>
124
125<screen role="root"><userinput>make install &amp;&amp;
126ln -sfv libsudo_util.so.0.0.0 /usr/lib/sudo/libsudo_util.so.0</userinput></screen>
127
128 </sect2>
129
130 <sect2 role="commands">
131 <title>Command Explanations</title>
132
133 <para>
134 <parameter>--libexecdir=/usr/lib</parameter>: This switch controls where
135 private programs are installed. Everything in that directory is a library, so
136 they belong under <filename class="directory">/usr/lib</filename> instead of
137 <filename class="directory">/usr/libexec</filename>.
138 </para>
139
140 <para>
141 <parameter>--with-secure-path</parameter>: This switch transparently adds
142 <filename class="directory">/sbin</filename> and <filename
143 class="directory">/usr/sbin</filename> directories to the
144 <envar>PATH</envar> environment variable.
145 </para>
146
147 <para>
148 <parameter>--with-all-insults</parameter>: This switch includes all the
149 <application>sudo</application> insult sets.
150 </para>
151
152 <para>
153 <parameter>--with-env-editor</parameter>: This switch enables use of the
154 environment variable EDITOR for <command>visudo</command>.
155 </para>
156
157 <para>
158 <parameter>--with-passprompt</parameter>: This switch sets the prompt.
159 </para>
160
161 <para>
162 <option>--without-pam</option>: This switch avoids building
163 <application>Linux-PAM</application> support when
164 <application>Linux-PAM</application> is installed on the system.
165 </para>
166<!-- See the developer note above before the configure command
167 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
168 href="../../xincludes/static-libraries.xml"/>-->
169
170 <note>
171 <para>
172 There are many options to <application>sudo</application>'s
173 <command>configure</command> command. Check the
174 <command>configure --help</command> output for a complete list.
175 </para>
176 </note>
177
178 <para>
179 <command>ln -sfv libsudo_util...</command>: Works around a bug in the
180 installation process, which links to the previously installed
181 version (if there is one) instead of the new one.
182 </para>
183
184 </sect2>
185
186 <sect2 role="configuration">
187 <title>Configuring Sudo</title>
188
189 <sect3 id="sudo-config">
190 <title>Config File</title>
191
192 <para>
193 <filename>/etc/sudoers</filename>
194 </para>
195
196 <indexterm zone="sudo sudo-config">
197 <primary sortas="e-etc-sudoers">/etc/sudoers</primary>
198 </indexterm>
199
200 </sect3>
201
202 <sect3>
203 <title>Configuration Information</title>
204
205 <para>
206 The <filename>sudoers</filename> file can be quite complicated. It
207 is composed of two types of entries: aliases (basically variables) and
208 user specifications (which specify who may run what). The installation
209 installs a default configuration that has no privileges installed for
210 any user.
211 </para>
212
213 <para>
214 One example usage is to allow the system administrator to execute
215 any program without typing a password each time root privileges are
216 needed. This can be configured as:
217 </para>
218
219<screen># User alias specification
220User_Alias ADMIN = <replaceable>YourLoginId</replaceable>
221
222# Allow people in group ADMIN to run all commands without a password
223ADMIN ALL = NOPASSWD: ALL</screen>
224
225 <para>
226 For details, see <command>man sudoers</command>.
227 </para>
228
229 <note>
230 <para>
231 The <application>Sudo</application> developers highly recommend
232 using the <command>visudo</command> program to edit the
233 <filename>sudoers</filename> file. This will provide basic sanity
234 checking like syntax parsing and file permission to avoid some
235 possible mistakes that could lead to a vulnerable configuration.
236 </para>
237 </note>
238
239 <para>
240 If <application>PAM</application> is installed on the system,
241 <application>Sudo</application> is built with
242 <application>PAM</application> support. In that case, issue the
243 following command as the <systemitem class="username">root</systemitem>
244 user to create the <application>PAM</application> configuration file:
245 </para>
246
247<screen role="root"><userinput>cat &gt; /etc/pam.d/sudo &lt;&lt; "EOF"
248<literal># Begin /etc/pam.d/sudo
249
250# include the default auth settings
251auth include system-auth
252
253# include the default account settings
254account include system-account
255
256# Set default environment variables for the service user
257session required pam_env.so
258
259# include system session defaults
260session include system-session
261
262# End /etc/pam.d/sudo</literal>
263EOF
264chmod 644 /etc/pam.d/sudo</userinput></screen>
265
266 </sect3>
267
268 </sect2>
269
270 <sect2 role="content">
271 <title>Contents</title>
272
273 <segmentedlist>
274 <segtitle>Installed Programs</segtitle>
275 <segtitle>Installed Libraries</segtitle>
276 <segtitle>Installed Directories</segtitle>
277
278 <seglistitem>
279 <seg>
280 sudo, sudoedit (symlink), sudoreplay, and visudo
281 </seg>
282 <seg>
283 group_file.so, libsudo_util.so,
284 sudoers.so, sudo_noexec.so, and system_group.so
285 </seg>
286 <seg>
287 /etc/sudoers.d,
288 /usr/lib/sudo,
289 /usr/share/doc/sudo-&sudo-version;, and
290 /var/{lib,run}/sudo
291 </seg>
292 </seglistitem>
293 </segmentedlist>
294
295 <variablelist>
296 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
297 <?dbfo list-presentation="list"?>
298 <?dbhtml list-presentation="table"?>
299
300 <varlistentry id="sudo_prog">
301 <term><command>sudo</command></term>
302 <listitem>
303 <para>
304 executes a command as another user as permitted by
305 the <filename>/etc/sudoers</filename> configuration file.
306 </para>
307 <indexterm zone="sudo sudo">
308 <primary sortas="b-sudo">sudo</primary>
309 </indexterm>
310 </listitem>
311 </varlistentry>
312
313 <varlistentry id="sudoedit">
314 <term><command>sudoedit</command></term>
315 <listitem>
316 <para>
317 is a symlink to <command>sudo</command> that implies the
318 <option>-e</option> option to invoke an editor as another user.
319 </para>
320 <indexterm zone="sudo sudoedit">
321 <primary sortas="b-sudoedit">sudoedit</primary>
322 </indexterm>
323 </listitem>
324 </varlistentry>
325
326 <varlistentry id="sudoreplay">
327 <term><command>sudoreplay</command></term>
328 <listitem>
329 <para>
330 is used to play back or list the output
331 logs created by <command>sudo</command>.
332 </para>
333 <indexterm zone="sudo sudoreplay">
334 <primary sortas="b-sudoreplay">sudoreplay</primary>
335 </indexterm>
336 </listitem>
337 </varlistentry>
338
339 <varlistentry id="visudo">
340 <term><command>visudo</command></term>
341 <listitem>
342 <para>
343 allows for safer editing of the <filename>sudoers</filename>
344 file.
345 </para>
346 <indexterm zone="sudo visudo">
347 <primary sortas="b-visudo">visudo</primary>
348 </indexterm>
349 </listitem>
350 </varlistentry>
351
352 </variablelist>
353
354 </sect2>
355
356</sect1>
Note: See TracBrowser for help on using the repository browser.