source: postlfs/security/sudo.xml@ a927adc

Last change on this file since a927adc was 0018635, checked in by Bruce Dubbs <bdubbs@…>, 6 months ago

Update to sudo-1.9.15p4.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY sudo-download-http "https://www.sudo.ws/dist/sudo-&sudo-version;.tar.gz">
  <!ENTITY sudo-download-ftp  " ">
  <!ENTITY sudo-md5sum        "5403f4dad2d533f8576c8a6d3eae5cfd">
  <!ENTITY sudo-size          "5.1 MB">
  <!ENTITY sudo-buildsize     "53 MB (add 19 MB for tests)">
  <!ENTITY sudo-time          "0.2 SBU (with parallelism=4; add 0.1 SBU for tests)">
]>

<sect1 id="sudo" xreflabel="Sudo-&sudo-version;">
  <?dbhtml filename="sudo.html"?>

  <title>Sudo-&sudo-version;</title>

  <indexterm zone="sudo">
    <primary sortas="a-Sudo">Sudo</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to Sudo</title>

    <para>
      The <application>Sudo</application> package allows a system administrator
      to give certain users (or groups of users) the ability to run
      some (or all) commands as
      <systemitem class="username">root</systemitem> or another user while
      logging the commands and arguments.
    </para>

    &lfs120_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&sudo-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&sudo-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &sudo-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &sudo-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &sudo-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &sudo-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Sudo Dependencies</bridgehead>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      <xref linkend="linux-pam"/>,
      <xref linkend="mitkrb"/>,
      <xref linkend="openldap"/>,
      <xref linkend="server-mail"/> (which provides a
      <command>sendmail</command> command),
      <ulink url="https://www.openafs.org/">AFS</ulink>,
<!-- It seems dead for decades, nowhere to download source code
      <ulink url="https://www.fwtk.org/">FWTK</ulink>, and
-->
      <ulink url="https://github.com/linux-audit/audit-userspace">libaudit</ulink>,
      <ulink url="&sourceforge-dl;/opie/">Opie</ulink>, and
      <ulink url="https://sssd.io/">Sssd</ulink>
    </para>

    <para condition="html" role="usernotes">Editor Notes:
      <ulink url="&blfs-wiki;/sudo"/>
    </para>
  </sect2>

  <sect2 role="installation">
    <title>Installation of Sudo</title>

    <para>
      Install <application>Sudo</application> by running the following commands:
    </para>

<screen><userinput>./configure --prefix=/usr              \
            --libexecdir=/usr/lib          \
            --with-secure-path             \
            --with-env-editor              \
            --docdir=/usr/share/doc/sudo-&sudo-version; \
            --with-passprompt="[sudo] password for %p: " &amp;&amp;
make</userinput></screen>

    <para>
      To test the results, issue:
      <!-- line breaks in command tags confuse jhalfs -->
      <command>env LC_ALL=C make check |&amp; tee make-check.log</command>.
      Check the results with <command>grep failed make-check.log</command>.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<!-- for a DESTDIR install as normal user, use
     "make install INSTALL_OWNER= DESTDIR=<destdir>"-->
<screen role="root"><userinput>make install</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      <parameter>--libexecdir=/usr/lib</parameter>: This switch controls where
      private programs are installed. Everything in that directory is a library, so
      they belong under <filename class="directory">/usr/lib</filename> instead of
      <filename class="directory">/usr/libexec</filename>.
    </para>

    <para>
      <parameter>--with-secure-path</parameter>: This switch transparently adds
      the <filename class="directory">/sbin</filename> and <filename
      class="directory">/usr/sbin</filename> directories to the
      <envar>PATH</envar> environment variable.
    </para>

    <para>
      <parameter>--with-env-editor</parameter>: This switch enables use of the
      environment variable <envar>EDITOR</envar> for <command>visudo</command>.
    </para>

    <para>
      <parameter>--with-passprompt</parameter>: This switch sets the password prompt.
      The <parameter>%p</parameter> will be expanded to the name of the user whose
      password is being requested.
    </para>

    <para>
      <option>--without-pam</option>: This switch avoids building
      <application>Linux-PAM</application> support when
      <application>Linux-PAM</application> is installed on the system.
    </para>

    <para>
      <option>--with-all-insults</option>: This switch includes all the
      sudo insult sets. Insults are printed if the user types a bad
      password, and if enabled in <filename>/etc/sudoers</filename>. Use
      <option>--with-insults</option> to have them enabled by default.
      Various sets of insults can be selected with some other switches.
    </para>

    <note>
      <para>
        There are many options to <application>sudo</application>'s
        <command>configure</command> command. Check the
        <command>configure --help</command> output for a complete list.
      </para>
    </note>
    <!-- Seems to be fixed
    <para>
      <command>ln -sfv libsudo_util...</command>: Works around a bug in the
      installation process, which links to the previously installed
      version (if there is one) instead of the new one.
    </para>
    -->
  </sect2>

  <sect2 role="configuration">
    <title>Configuring Sudo</title>

    <sect3 id="sudo-config">
      <title>Config File</title>

      <para>
        <filename>/etc/sudoers</filename>
      </para>

      <indexterm zone="sudo sudo-config">
        <primary sortas="e-etc-sudoers">/etc/sudoers</primary>
      </indexterm>

    </sect3>

    <sect3>
      <title>Configuration Information</title>

      <para>
        The <filename>sudoers</filename> file can be quite complicated. It
        is composed of two types of entries: aliases (basically variables) and
        user specifications (which specify who may run what). The installation
        installs a default configuration that grants no privileges to
        any user.
      </para>

      <para>
        A couple of common configuration changes are to set the path for the
        super user and to allow members of the wheel group to execute all
        commands after providing their own credentials. Use the following
        commands to create the <filename>/etc/sudoers.d/00-sudo</filename>
        configuration file as the
        <systemitem class="username">root</systemitem> user:
      </para>

<screen role="root"><userinput>cat &gt; /etc/sudoers.d/00-sudo &lt;&lt; "EOF"
<literal>Defaults secure_path="/usr/sbin:/usr/bin"
%wheel ALL=(ALL) ALL</literal>
EOF</userinput></screen>

      <note>
        <para>
          In very simple installations where there is only one user, it
          may be easier to just edit the <filename>/etc/sudoers</filename>
          file directly. In that case, the <varname>secure_path</varname>
          entry may not be needed, and using <command>sudo -E ...</command> can
          import the non-privileged user's full environment into the
          privileged session.
        </para>

        <para>
          The files in the <filename class="directory">/etc/sudoers.d</filename>
          directory are parsed in sorted lexical order. Be careful that entries
          in an added file do not overwrite previous entries.
        </para>
      </note>

      <para>
        For details, see <command>man sudoers</command>.
      </para>

      <note>
        <para>
          The <application>Sudo</application> developers highly recommend
          using the <command>visudo</command> program to edit the
          <filename>sudoers</filename> file. This provides basic sanity
          checking, such as syntax parsing and file permission checks, to avoid
          some possible mistakes that could lead to a vulnerable configuration.
        </para>
      </note>
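The note on sorted parsing order of <filename class="directory">/etc/sudoers.d</filename> and the recommendation to check files with <command>visudo</command> can both be turned into a routine audit. The following POSIX shell script is an added example (not BLFS's or the sudo project's own code): it lists drop-ins in the order sudo reads them, reports names sudo skips, counts <literal>Defaults</literal> options that a later file sets again, and runs visudo's check mode when it is installed. The function names and the constructed drop-in contents in <literal>make_sample_dir</literal> are assumptions made for this demonstration.

```shell
# Added example, not part of BLFS or the sudo project: audit a sudoers.d
# directory for the pitfalls the text describes. Assumes sudo reads drop-ins in
# sorted order, skips names containing '.' or ending in '~' (the documented
# sudoers behaviour), and only plain "Defaults <option>" lines are compared.

# Print the drop-ins in the order sudo reads them; report names it skips.
sudoers_d_files() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case ${f##*/} in
            *.*|*~) echo "ignored by sudo: ${f##*/}" >&2 ;;
            *)      printf '%s\n' "$f" ;;
        esac
    done
}

# Count Defaults options a later file sets again, silently replacing the
# earlier value. Prints the count and returns non-zero if it is not 0.
count_defaults_overrides() {
    seen="" n=0
    for f in $(sudoers_d_files "$1" 2>/dev/null); do
        for opt in $(sed -n \
          's/^[[:space:]]*Defaults[[:space:]][[:space:]]*!*\([A-Za-z_][A-Za-z_]*\).*/\1/p' "$f"); do
            case " $seen " in
                *" $opt "*) echo "override: $opt reset in ${f##*/}" >&2; n=$((n + 1)) ;;
                *)          seen="$seen $opt" ;;
            esac
        done
    done
    echo "$n"
    [ "$n" -eq 0 ]
}

# Parse-check each drop-in with visudo's check mode (-c -f FILE), the tool the
# text recommends; skipped when visudo is not installed (e.g. a build host).
syntax_check() {
    command -v visudo >/dev/null 2>&1 || return 0
    for f in $(sudoers_d_files "$1" 2>/dev/null); do
        visudo -cqf "$f" || return 1
    done
}

# Constructed sample: the BLFS 00-sudo drop-in, a later file that resets
# secure_path, and an editor backup file that sudo never reads.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Defaults secure_path="/usr/sbin:/usr/bin"\n%%wheel ALL=(ALL) ALL\n' > "$d/00-sudo"
    printf 'Defaults secure_path="/usr/local/bin:/usr/bin"\nDefaults env_reset\n' > "$d/10-local"
    printf 'Defaults insults\n' > "$d/10-local~"
    echo "$d"
}
```

Running <command>count_defaults_overrides "$(make_sample_dir)"</command> reports the constructed <literal>secure_path</literal> override in <filename>10-local</filename> and that <filename>10-local~</filename> is never read; point the functions at <filename class="directory">/etc/sudoers.d</filename> to audit a real system.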

      <para>
        If <application>PAM</application> is installed on the system,
        <application>Sudo</application> is built with
        <application>PAM</application> support. In that case, issue the
        following command as the <systemitem class="username">root</systemitem>
        user to create the <application>PAM</application> configuration file:
      </para>

<screen role="root"><userinput>cat &gt; /etc/pam.d/sudo &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/sudo

# include the default auth settings
auth      include     system-auth

# include the default account settings
account   include     system-account

# Set default environment variables for the service user
session   required    pam_env.so

# include system session defaults
session   include     system-session

# End /etc/pam.d/sudo</literal>
EOF
chmod 644 /etc/pam.d/sudo</userinput></screen>

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>
          cvtsudoers, sudo, sudo_logsrvd, sudo_sendlog,
          sudoedit (symlink), sudoreplay, and visudo
        </seg>
        <seg>
          <!-- [pierre, September 25, 2020] except libsudo_util, the other
               shared objects in /usr/lib/sudo look more like modules than
               libraries. Leaving them now, and updating the list, but I think
               they should not be listed. -->
          audit_json.so, group_file.so, libsudo_util.so,
          sudoers.so, sudo_intercept.so, sudo_noexec.so, and system_group.so
        </seg>
        <seg>
          /etc/sudoers.d,
          /usr/lib/sudo,
          /usr/share/doc/sudo-&sudo-version;, and
          /var/lib/sudo
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="cvtsudoers">
        <term><command>cvtsudoers</command></term>
        <listitem>
          <para>
            converts between sudoers file formats
          </para>
          <indexterm zone="sudo cvtsudoers">
            <primary sortas="b-cvtsudoers">cvtsudoers</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sudo_prog">
        <term><command>sudo</command></term>
        <listitem>
          <para>
            executes a command as another user as permitted by
            the <filename>/etc/sudoers</filename> configuration file
          </para>
          <indexterm zone="sudo sudo">
            <primary sortas="b-sudo">sudo</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sudo_logsrvd">
        <term><command>sudo_logsrvd</command></term>
        <listitem>
          <para>
            is a sudo event and I/O log server
          </para>
          <indexterm zone="sudo sudo_logsrvd">
            <primary sortas="b-sudo_logsrvd">sudo_logsrvd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sudo_sendlog">
        <term><command>sudo_sendlog</command></term>
        <listitem>
          <para>
            sends sudo I/O logs to the log server
          </para>
          <indexterm zone="sudo sudo_sendlog">
            <primary sortas="b-sudo_sendlog">sudo_sendlog</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sudoedit">
        <term><command>sudoedit</command></term>
        <listitem>
          <para>
            is a symlink to <command>sudo</command> that implies the
            <option>-e</option> option to invoke an editor as another user
          </para>
          <indexterm zone="sudo sudoedit">
            <primary sortas="b-sudoedit">sudoedit</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sudoreplay">
        <term><command>sudoreplay</command></term>
        <listitem>
          <para>
            is used to play back or list the output
            logs created by <command>sudo</command>
          </para>
          <indexterm zone="sudo sudoreplay">
            <primary sortas="b-sudoreplay">sudoreplay</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="visudo">
        <term><command>visudo</command></term>
        <listitem>
          <para>
            allows for safer editing of the <filename>sudoers</filename>
            file
          </para>
          <indexterm zone="sudo visudo">
            <primary sortas="b-visudo">visudo</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>