source: postlfs/security/sudo.xml@ a1e0f76

10.0 10.1 11.0 11.1 11.2 11.3 12.0 12.1 7.10 7.5 7.6 7.6-blfs 7.6-systemd 7.7 7.8 7.9 8.0 8.1 8.2 8.3 8.4 9.0 9.1 basic bdubbs/svn elogind gnome kde5-13430 kde5-14269 kde5-14686 kea ken/TL2024 ken/inkscape-core-mods ken/tuningfonts krejzi/svn lazarus lxqt nosym perl-modules plabs/newcss plabs/python-mods python3.11 qt5new rahul/power-profiles-daemon renodr/vulkan-addition systemd-11177 systemd-13485 trunk upgradedb xry111/intltool xry111/llvm18 xry111/soup3 xry111/test-20220226 xry111/xf86-video-removal
Last change on this file since a1e0f76 was a1e0f76, checked in by Fernando de Oliveira <fernando@…>, 10 years ago

Update to sudo-1.8.9p3.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@12573 af4574ff-66df-0310-9fd7-8a98e5e911e0
  • Property mode set to 100644
File size: 9.6 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY sudo-download-http "http://www.sudo.ws/sudo/dist/sudo-&sudo-version;.tar.gz">
8 <!ENTITY sudo-download-ftp " ">
9<!--
10 <!ENTITY sudo-download-ftp "ftp://ftp.twaren.net/Unix/Security/Sudo/sudo-&sudo-version;.tar.gz">
11-->
12 <!ENTITY sudo-md5sum "b105447a1d23b8b6f533f17c2a8d8550">
13 <!ENTITY sudo-size "2.1 MB">
14 <!ENTITY sudo-buildsize "24 MB (additional 1 MB for tests)">
15 <!ENTITY sudo-time "0.4 SBU">
16]>
17
18<sect1 id="sudo" xreflabel="Sudo-&sudo-version;">
19 <?dbhtml filename="sudo.html"?>
20
21 <sect1info>
22 <othername>$LastChangedBy$</othername>
23 <date>$Date$</date>
24 </sect1info>
25
26 <title>Sudo-&sudo-version;</title>
27
28 <indexterm zone="sudo">
29 <primary sortas="a-Sudo">Sudo</primary>
30 </indexterm>
31
32 <sect2 role="package">
33 <title>Introduction to Sudo</title>
34
35 <para>
36 The <application>Sudo</application> package allows a system administrator
37 to give certain users (or groups of users) the ability to run
38 some (or all) commands as
39 <systemitem class="username">root</systemitem> or another user while
40 logging the commands and arguments.
41 </para>
42
43 &lfs74_checked;
44
45 <bridgehead renderas="sect3">Package Information</bridgehead>
46 <itemizedlist spacing="compact">
47 <listitem>
48 <para>
49 Download (HTTP): <ulink url="&sudo-download-http;"/>
50 </para>
51 </listitem>
52 <listitem>
53 <para>
54 Download (FTP): <ulink url="&sudo-download-ftp;"/>
55 </para>
56 </listitem>
57 <listitem>
58 <para>
59 Download MD5 sum: &sudo-md5sum;
60 </para>
61 </listitem>
62 <listitem>
63 <para>
64 Download size: &sudo-size;
65 </para>
66 </listitem>
67 <listitem>
68 <para>
69 Estimated disk space required: &sudo-buildsize;
70 </para>
71 </listitem>
72 <listitem>
73 <para>
74 Estimated build time: &sudo-time;
75 </para>
76 </listitem>
77 </itemizedlist>
78
79 <bridgehead renderas="sect3">Sudo Dependencies</bridgehead>
80
81 <bridgehead renderas="sect4">Optional</bridgehead>
82 <para role="optional">
83 <ulink url="http://www.openafs.org/">AFS</ulink>,
84 <ulink url="http://www.fwtk.org/">FWTK</ulink>,
85 <xref linkend="linux-pam"/>,
86 <xref linkend="mitkrb"/>,
87 an <xref linkend="server-mail"/> (that provides a
88 <command>sendmail</command> command),
89 <xref linkend="openldap"/>,
90 <ulink url="http://sourceforge.net/projects/opie/files/">Opie</ulink> and
91 <ulink url="http://www.rsa.com/node.aspx?id=1156">SecurID</ulink>
92 </para>
93
94 <para condition="html" role="usernotes">User Notes:
95 <ulink url="&blfs-wiki;/sudo"/>
96 </para>
97 </sect2>
98
99 <sect2 role="installation">
100 <title>Installation of Sudo</title>
101
102 <para>
103 Install <application>Sudo</application> by running
104 the following commands (change the value of the optional switch
105 <literal>--with-passprompt</literal> to fit your preference):
106 </para>
107
108<screen><userinput>./configure --prefix=/usr \
109 --libexecdir=/usr/lib \
110 --docdir=/usr/share/doc/sudo-&sudo-version; \
111 --with-timedir=/var/lib/sudo \
112 --with-all-insults \
113 --with-env-editor \
114 --with-passprompt="[sudo] password for %p: "&amp;&amp;
115make</userinput></screen>
116
117 <para>
118 To test the results, issue: <command>env LC_ALL=C make check</command>.
119 </para>
120
121 <para>
122 Now, as the <systemitem class="username">root</systemitem> user:
123 </para>
124
125<screen role="root"><userinput>make install</userinput></screen>
126
127 </sect2>
128
129 <sect2 role="commands">
130 <title>Command Explanations</title>
131
132 <para>
133 <option>--with-timedir=/var/lib/sudo</option>: This switch places
134 the variable time stamp files in a FHS compatible location.
135 </para>
136
137 <para>
138 <option>--with-all-insults</option>: This switch includes all the
139 <application>sudo</application> insult sets.
140 </para>
141
142 <para>
143 <option>--with-env-editor</option>: This switch enables use of the
144 environment variable EDITOR for <command>visudo</command>.
145 </para>
146
147 <note>
148 <para>
149 There are many options to <application>sudo</application>'s
150 <command>configure</command> command. Check the
151 <command>configure --help</command> output for a complete list.
152 </para>
153 </note>
154
155 </sect2>
156
157 <sect2 role="configuration">
158 <title>Configuring Sudo</title>
159
160 <sect3 id="sudo-config">
161 <title>Config File</title>
162
163 <para>
164 <filename>/etc/sudoers</filename>
165 </para>
166
167 <indexterm zone="sudo sudo-config">
168 <primary sortas="e-etc-sudoers">/etc/sudoers</primary>
169 </indexterm>
170
171 </sect3>
172
173 <sect3>
174 <title>Configuration Information</title>
175
176 <para>
177 The <filename>sudoers</filename> file can be quite complicated. It
178 is composed of two types of entries: aliases (basically variables) and
179 user specifications (which specify who may run what). The installation
180 installs a default configuration that has no privileges installed for any
181 user.
182 </para>
183
184 <para>
185 One example usage is to allow the system administrator to execute
186 any program without typing a password each time root privileges are
187 needed. This can be configured as:
188 </para>
189
190<screen># User alias specification
191User_Alias ADMIN = YourLoginId
192
193# Allow people in group ADMIN to run all commands without a password
194ADMIN ALL = NOPASSWD: ALL</screen>
195
196 <para>
197 For details, see <command>man sudoers</command>.
198 </para>
199
200 <note>
201 <para>
202 The <application>Sudo</application> developers highly recommend
203 using the <command>visudo</command> program to edit the
204 <filename>sudoers</filename> file. This will provide basic sanity
205 checking like syntax parsing and file permission to avoid some possible
206 mistakes that could lead to a vulnerable configuration.
207 </para>
208 </note>
209
210 <para>
211 If you've built <application>Sudo</application> with
212 <application>PAM</application> support, issue the following
213 command as the <systemitem class="username">root</systemitem> user
214 to create the <application>PAM</application> configuration file:
215 </para>
216
217<screen role="root"><userinput>cat &gt; /etc/pam.d/sudo &lt;&lt; "EOF"
218<literal># Begin /etc/pam.d/sudo
219
220# include the default auth settings
221auth include system-auth
222
223# include the default account settings
224account include system-account
225
226# Set default environment variables for the service user
227session required pam_env.so
228
229# include system session defaults
230session include system-session
231
232# End /etc/pam.d/sudo</literal>
233EOF
234chmod 644 /etc/pam.d/sudo</userinput></screen>
235
236 </sect3>
237
238 </sect2>
239
240 <sect2 role="content">
241 <title>Contents</title>
242
243 <segmentedlist>
244 <segtitle>Installed Programs</segtitle>
245 <segtitle>Installed Libraries</segtitle>
246 <segtitle>Installed Directories</segtitle>
247
248 <seglistitem>
249 <seg>
250 sudo, sudoedit (symlink), sudoreplay, and visudo
251 </seg>
252 <seg>
253 group_file.so, sudoers.so, sudo_noexec.so, and system_group.so
254 </seg>
255 <seg>
256 /etc/sudoers.d,
257 /usr/lib/sudo,
258 /usr/share/doc/sudo-&sudo-version;, and
259 /var/lib/sudo
260 </seg>
261 </seglistitem>
262 </segmentedlist>
263
264 <variablelist>
265 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
266 <?dbfo list-presentation="list"?>
267 <?dbhtml list-presentation="table"?>
268
269 <varlistentry id="sudo_prog">
270 <term><command>sudo</command></term>
271 <listitem>
272 <para>
273 executes a command as another user as permitted by
274 the <filename>/etc/sudoers</filename> configuration file.
275 </para>
276 <indexterm zone="sudo sudo">
277 <primary sortas="b-sudo">sudo</primary>
278 </indexterm>
279 </listitem>
280 </varlistentry>
281
282 <varlistentry id="sudoedit">
283 <term><command>sudoedit</command></term>
284 <listitem>
285 <para>
286 is a symlink to <command>sudo</command> that implies the
287 <option>-e</option> option to invoke an editor as another user.
288 </para>
289 <indexterm zone="sudo sudoedit">
290 <primary sortas="b-sudoedit">sudoedit</primary>
291 </indexterm>
292 </listitem>
293 </varlistentry>
294
295 <varlistentry id="visudo">
296 <term><command>visudo</command></term>
297 <listitem>
298 <para>
299 allows for safer editing of the <filename>sudoers</filename>
300 file.
301 </para>
302 <indexterm zone="sudo visudo">
303 <primary sortas="b-visudo">visudo</primary>
304 </indexterm>
305 </listitem>
306 </varlistentry>
307
308 <varlistentry id="sudoreplay">
309 <term><command>sudoreplay</command></term>
310 <listitem>
311 <para>
312 is used to play back or list the output
313 logs created by <command>sudo</command>.
314 </para>
315 <indexterm zone="sudo sudoreplay">
316 <primary sortas="b-sudoreplay">sudoreplay</primary>
317 </indexterm>
318 </listitem>
319 </varlistentry>
320
321 </variablelist>
322
323 </sect2>
324
325</sect1>
Note: See TracBrowser for help on using the repository browser.