source: postlfs/security/sudo.xml@ a82b5f44

10.1 11.0 ken/refactor-virt lazarus qt5new trunk xry111/git-date xry111/git-date-for-trunk xry111/git-date-test
Last change on this file since a82b5f44 was a82b5f44, checked in by Pierre Labastie <pieere@…>, 13 months ago

sudo-1.9.3p1
wireshark-3.2.7
thunderbird-78.3.0 (security fix)
libuv-1.40.0
posgresql-13.0
cups-filters-1.28.3
libnsl-1.3.0

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@23760 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 13.1 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY sudo-download-http "http://www.sudo.ws/dist/sudo-&sudo-version;.tar.gz">
8 <!ENTITY sudo-download-ftp "ftp://ftp.sudo.ws/pub/sudo/sudo-&sudo-version;.tar.gz">
9 <!ENTITY sudo-md5sum "8f230d0f8994f0b21b109370d1fbcf45">
10 <!ENTITY sudo-size "3.8 MB">
11 <!ENTITY sudo-buildsize "49 MB (add 9 MB for tests)">
12 <!ENTITY sudo-time "0.4 SBU (add 0.1 SBU for tests)">
13]>
14
15<sect1 id="sudo" xreflabel="Sudo-&sudo-version;">
16 <?dbhtml filename="sudo.html"?>
17
18 <sect1info>
19 <othername>$LastChangedBy$</othername>
20 <date>$Date$</date>
21 </sect1info>
22
23 <title>Sudo-&sudo-version;</title>
24
25 <indexterm zone="sudo">
26 <primary sortas="a-Sudo">Sudo</primary>
27 </indexterm>
28
29 <sect2 role="package">
30 <title>Introduction to Sudo</title>
31
32 <para>
33 The <application>Sudo</application> package allows a system administrator
34 to give certain users (or groups of users) the ability to run
35 some (or all) commands as
36 <systemitem class="username">root</systemitem> or another user while
37 logging the commands and arguments.
38 </para>
39
40 &lfs10_checked;
41
42 <bridgehead renderas="sect3">Package Information</bridgehead>
43 <itemizedlist spacing="compact">
44 <listitem>
45 <para>
46 Download (HTTP): <ulink url="&sudo-download-http;"/>
47 </para>
48 </listitem>
49 <listitem>
50 <para>
51 Download (FTP): <ulink url="&sudo-download-ftp;"/>
52 </para>
53 </listitem>
54 <listitem>
55 <para>
56 Download MD5 sum: &sudo-md5sum;
57 </para>
58 </listitem>
59 <listitem>
60 <para>
61 Download size: &sudo-size;
62 </para>
63 </listitem>
64 <listitem>
65 <para>
66 Estimated disk space required: &sudo-buildsize;
67 </para>
68 </listitem>
69 <listitem>
70 <para>
71 Estimated build time: &sudo-time;
72 </para>
73 </listitem>
74 </itemizedlist>
75
76 <bridgehead renderas="sect3">Sudo Dependencies</bridgehead>
77
78 <bridgehead renderas="sect4">Optional</bridgehead>
79 <para role="optional">
80 <xref linkend="linux-pam"/>,
81 <xref linkend="mitkrb"/>,
82 <xref linkend="openldap"/>,
83 <xref linkend="server-mail"/> (that provides a
84 <command>sendmail</command> command),
85 <ulink url="http://www.openafs.org/">AFS</ulink>,
86 <ulink url="http://www.fwtk.org/">FWTK</ulink>, and
87 <ulink url="&sourceforge-dl;/opie/">Opie</ulink>
88<!-- <ulink url="http://www.rsa.com/node.aspx?id=1156">SecurID</ulink>-->
89 </para>
90
91 <para condition="html" role="usernotes">User Notes:
92 <ulink url="&blfs-wiki;/sudo"/>
93 </para>
94 </sect2>
95
96 <sect2 role="installation">
97 <title>Installation of Sudo</title>
98
99<!-- To my understanding, the Makefile.in does test on readable
100 $(sudoersdir)/sudoers anyhow. This sed seems to be redundant.
101
102 <para>
103 First, fix a problem that prevents installation from completion:
104 </para>
105
106<screen><userinput>sed -e '/^pre-install:/{N;s@;@ -a -r $(sudoersdir)/sudoers;@}' \
107 -i plugins/sudoers/Makefile.in</userinput></screen>
108-->
109 <para>
110 Install <application>Sudo</application> by running the following commands:
111 </para>
112
113<!-- Developer: apparently it is disabled by default, although in configure it
114is written otherwise -disable-static \-->
115<screen><userinput>./configure --prefix=/usr \
116 --libexecdir=/usr/lib \
117 --with-secure-path \
118 --with-all-insults \
119 --with-env-editor \
120 --docdir=/usr/share/doc/sudo-&sudo-version; \
121 --with-passprompt="[sudo] password for %p: " &amp;&amp;
122make</userinput></screen>
123
124 <para>
125 To test the results, issue: <command>env LC_ALL=C make check 2&gt;&amp;1
126 | tee ../make-check.log</command>. Check the results with <command>grep
127 failed ../make-check.log</command>. <!--One test, test3, is known to fail
128 if the tests are run as the root user.-->
129 </para>
130
131 <para>
132 Now, as the <systemitem class="username">root</systemitem> user:
133 </para>
134
135<screen role="root"><userinput>make install &amp;&amp;
136ln -sfv libsudo_util.so.0.0.0 /usr/lib/sudo/libsudo_util.so.0</userinput></screen>
137
138 </sect2>
139
140 <sect2 role="commands">
141 <title>Command Explanations</title>
142
143 <para>
144 <parameter>--libexecdir=/usr/lib</parameter>: This switch controls where
145 private programs are installed. Everything in that directory is a library, so
146 they belong under <filename class="directory">/usr/lib</filename> instead of
147 <filename class="directory">/usr/libexec</filename>.
148 </para>
149
150 <para>
151 <parameter>--with-secure-path</parameter>: This switch transparently adds
152 <filename class="directory">/sbin</filename> and <filename
153 class="directory">/usr/sbin</filename> directories to the
154 <envar>PATH</envar> environment variable.
155 </para>
156
157 <para>
158 <parameter>--with-all-insults</parameter>: This switch includes all the
159 <application>sudo</application> insult sets.
160 </para>
161
162 <para>
163 <parameter>--with-env-editor</parameter>: This switch enables use of the
164 environment variable EDITOR for <command>visudo</command>.
165 </para>
166
167 <para>
168 <parameter>--with-passprompt</parameter>: This switch sets the password prompt.
169 The <parameter>%p</parameter> will be expanded to the name of the user whose password is being requested.
170 </para>
171
172 <para>
173 <option>--without-pam</option>: This switch avoids building
174 <application>Linux-PAM</application> support when
175 <application>Linux-PAM</application> is installed on the system.
176 </para>
177<!-- See the developer note above before the configure command
178 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
179 href="../../xincludes/static-libraries.xml"/>-->
180
181 <note>
182 <para>
183 There are many options to <application>sudo</application>'s
184 <command>configure</command> command. Check the
185 <command>configure --help</command> output for a complete list.
186 </para>
187 </note>
188
189 <para>
190 <command>ln -sfv libsudo_util...</command>: Works around a bug in the
191 installation process, which links to the previously installed
192 version (if there is one) instead of the new one.
193 </para>
194
195 </sect2>
196
197 <sect2 role="configuration">
198 <title>Configuring Sudo</title>
199
200 <sect3 id="sudo-config">
201 <title>Config File</title>
202
203 <para>
204 <filename>/etc/sudoers</filename>
205 </para>
206
207 <indexterm zone="sudo sudo-config">
208 <primary sortas="e-etc-sudoers">/etc/sudoers</primary>
209 </indexterm>
210
211 </sect3>
212
213 <sect3>
214 <title>Configuration Information</title>
215
216 <para>
217 The <filename>sudoers</filename> file can be quite complicated. It
218 is composed of two types of entries: aliases (basically variables) and
219 user specifications (which specify who may run what). The installation
220 installs a default configuration that has no privileges installed for
221 any user.
222 </para>
223
224 <para>
225 A couple of common configuration chanes are to set the path for the
226 super user and to allow members of the wheel group to execute all
227 commands after providing their own credientials. Use the following
228 commands to create the <filename>/etc/sudoers.d/sudo</filename>
229 configuration file as the
230 <systemitem class="username">root</systemitem> user:
231 </para>
232
233<screen role="root"><userinput>cat &gt; /etc/sudoers.d/sudo &lt;&lt; "EOF"
234<literal>Defaults secure_path="/usr/bin:/bin:/usr/sbin:/sbin"
235%wheel ALL=(ALL) ALL</literal>
236EOF</userinput></screen>
237
238 <para>
239 For details, see <command>man sudoers</command>.
240 </para>
241
242 <note>
243 <para>
244 The <application>Sudo</application> developers highly recommend
245 using the <command>visudo</command> program to edit the
246 <filename>sudoers</filename> file. This will provide basic sanity
247 checking like syntax parsing and file permission to avoid some
248 possible mistakes that could lead to a vulnerable configuration.
249 </para>
250 </note>
251
252 <para>
253 If <application>PAM</application> is installed on the system,
254 <application>Sudo</application> is built with
255 <application>PAM</application> support. In that case, issue the
256 following command as the <systemitem class="username">root</systemitem>
257 user to create the <application>PAM</application> configuration file:
258 </para>
259
260<screen role="root"><userinput>cat &gt; /etc/pam.d/sudo &lt;&lt; "EOF"
261<literal># Begin /etc/pam.d/sudo
262
263# include the default auth settings
264auth include system-auth
265
266# include the default account settings
267account include system-account
268
269# Set default environment variables for the service user
270session required pam_env.so
271
272# include system session defaults
273session include system-session
274
275# End /etc/pam.d/sudo</literal>
276EOF
277chmod 644 /etc/pam.d/sudo</userinput></screen>
278
279 </sect3>
280
281 </sect2>
282
283 <sect2 role="content">
284 <title>Contents</title>
285
286 <segmentedlist>
287 <segtitle>Installed Programs</segtitle>
288 <segtitle>Installed Libraries</segtitle>
289 <segtitle>Installed Directories</segtitle>
290
291 <seglistitem>
292 <seg>
293 cvtsudoers, sudo, sudo_logsrvd, sudo_sendlog,
294 sudoedit (symlink), sudoreplay, and visudo
295 </seg>
296 <seg>
297 <!-- [pierre, September 25, 2020] except libsudo_util, the other
298 shared objects in /usr/lib/sudo look more like modules than
299 libraries. Leaving them now, and updating the list, but I think
300 they should not be listed. -->
301 audit_json.so, group_file.so, libsudo_util.so, sample_approval.so,
302 sudoers.so, sudo_noexec.so, and system_group.so
303 </seg>
304 <seg>
305 /etc/sudoers.d,
306 /usr/lib/sudo,
307 /usr/share/doc/sudo-&sudo-version;, and
308 /var/lib/sudo
309 </seg>
310 </seglistitem>
311 </segmentedlist>
312
313 <variablelist>
314 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
315 <?dbfo list-presentation="list"?>
316 <?dbhtml list-presentation="table"?>
317
318 <varlistentry id="cvtsudoers">
319 <term><command>cvtsudoers</command></term>
320 <listitem>
321 <para>
322 converts between sudoers file formats.
323 </para>
324 <indexterm zone="sudo cvtsudoers">
325 <primary sortas="b-cvtsudoers">cvtsudoers</primary>
326 </indexterm>
327 </listitem>
328 </varlistentry>
329
330 <varlistentry id="sudo_prog">
331 <term><command>sudo</command></term>
332 <listitem>
333 <para>
334 executes a command as another user as permitted by
335 the <filename>/etc/sudoers</filename> configuration file.
336 </para>
337 <indexterm zone="sudo sudo">
338 <primary sortas="b-sudo">sudo</primary>
339 </indexterm>
340 </listitem>
341 </varlistentry>
342
343 <varlistentry id="sudo_logsrvd">
344 <term><command>sudo_logsrvd</command></term>
345 <listitem>
346 <para>
347 is a sudo event and I/O log server.
348 </para>
349 <indexterm zone="sudo sudo_logsrvd">
350 <primary sortas="b-sudo_logsrvd">sudo_logsrvd</primary>
351 </indexterm>
352 </listitem>
353 </varlistentry>
354
355 <varlistentry id="sudo_sendlog">
356 <term><command>sudo_sendlog</command></term>
357 <listitem>
358 <para>
359 sends sudo I/O log to the log server.
360 </para>
361 <indexterm zone="sudo sudo_sendlog">
362 <primary sortas="b-sudo_sendlog">sudo_sendlog</primary>
363 </indexterm>
364 </listitem>
365 </varlistentry>
366
367 <varlistentry id="sudoedit">
368 <term><command>sudoedit</command></term>
369 <listitem>
370 <para>
371 is a symlink to <command>sudo</command> that implies the
372 <option>-e</option> option to invoke an editor as another user.
373 </para>
374 <indexterm zone="sudo sudoedit">
375 <primary sortas="b-sudoedit">sudoedit</primary>
376 </indexterm>
377 </listitem>
378 </varlistentry>
379
380 <varlistentry id="sudoreplay">
381 <term><command>sudoreplay</command></term>
382 <listitem>
383 <para>
384 is used to play back or list the output
385 logs created by <command>sudo</command>.
386 </para>
387 <indexterm zone="sudo sudoreplay">
388 <primary sortas="b-sudoreplay">sudoreplay</primary>
389 </indexterm>
390 </listitem>
391 </varlistentry>
392
393 <varlistentry id="visudo">
394 <term><command>visudo</command></term>
395 <listitem>
396 <para>
397 allows for safer editing of the <filename>sudoers</filename>
398 file.
399 </para>
400 <indexterm zone="sudo visudo">
401 <primary sortas="b-visudo">visudo</primary>
402 </indexterm>
403 </listitem>
404 </varlistentry>
405
406 </variablelist>
407
408 </sect2>
409
410</sect1>
Note: See TracBrowser for help on using the repository browser.