source: postlfs/security/sudo.xml@ b24abc9

10.0 10.1 11.0 11.1 11.2 9.1 lazarus qt5new trunk upgradedb xry111/intltool xry111/soup3 xry111/test-20220226
Last change on this file since b24abc9 was b24abc9, checked in by Tim Tassonis <stuff@…>, 3 years ago

Update to sudo-1.8.29.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@22323 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 11.6 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY sudo-download-http "http://www.sudo.ws/dist/sudo-&sudo-version;.tar.gz">
8 <!ENTITY sudo-download-ftp "ftp://ftp.sudo.ws/pub/sudo/sudo-&sudo-version;.tar.gz">
9 <!ENTITY sudo-md5sum "b28dabff9c460f115fe74de4d6a6f79d">
10 <!ENTITY sudo-size "3.2 MB">
11 <!ENTITY sudo-buildsize "31 MB (without tests)">
12 <!ENTITY sudo-time "0.3 SBU (with tests)">
13]>
14
15<sect1 id="sudo" xreflabel="Sudo-&sudo-version;">
16 <?dbhtml filename="sudo.html"?>
17
18 <sect1info>
19 <othername>$LastChangedBy$</othername>
20 <date>$Date$</date>
21 </sect1info>
22
23 <title>Sudo-&sudo-version;</title>
24
25 <indexterm zone="sudo">
26 <primary sortas="a-Sudo">Sudo</primary>
27 </indexterm>
28
29 <sect2 role="package">
30 <title>Introduction to Sudo</title>
31
32 <para>
33 The <application>Sudo</application> package allows a system administrator
34 to give certain users (or groups of users) the ability to run
35 some (or all) commands as
36 <systemitem class="username">root</systemitem> or another user while
37 logging the commands and arguments.
38 </para>
39
40 &lfs90_checked;
41
42 <bridgehead renderas="sect3">Package Information</bridgehead>
43 <itemizedlist spacing="compact">
44 <listitem>
45 <para>
46 Download (HTTP): <ulink url="&sudo-download-http;"/>
47 </para>
48 </listitem>
49 <listitem>
50 <para>
51 Download (FTP): <ulink url="&sudo-download-ftp;"/>
52 </para>
53 </listitem>
54 <listitem>
55 <para>
56 Download MD5 sum: &sudo-md5sum;
57 </para>
58 </listitem>
59 <listitem>
60 <para>
61 Download size: &sudo-size;
62 </para>
63 </listitem>
64 <listitem>
65 <para>
66 Estimated disk space required: &sudo-buildsize;
67 </para>
68 </listitem>
69 <listitem>
70 <para>
71 Estimated build time: &sudo-time;
72 </para>
73 </listitem>
74 </itemizedlist>
75
76 <bridgehead renderas="sect3">Sudo Dependencies</bridgehead>
77
78 <bridgehead renderas="sect4">Optional</bridgehead>
79 <para role="optional">
80 <xref linkend="linux-pam"/>,
81 <xref linkend="mitkrb"/>,
82 <xref linkend="openldap"/>,
83 <xref linkend="server-mail"/> (that provides a
84 <command>sendmail</command> command),
85 <ulink url="http://www.openafs.org/">AFS</ulink>,
86 <ulink url="http://www.fwtk.org/">FWTK</ulink>, and
87 <ulink url="&sourceforge-dl;/opie/">Opie</ulink>
88<!-- <ulink url="http://www.rsa.com/node.aspx?id=1156">SecurID</ulink>-->
89 </para>
90
91 <para condition="html" role="usernotes">User Notes:
92 <ulink url="&blfs-wiki;/sudo"/>
93 </para>
94 </sect2>
95
96 <sect2 role="installation">
97 <title>Installation of Sudo</title>
98
99 <para>
100 Install <application>Sudo</application> by running the following commands:
101 </para>
102
103<!-- Developer: apparently it is disabled by default, although in configure it
104is written otherwise -disable-static \-->
105<screen><userinput>./configure --prefix=/usr \
106 --libexecdir=/usr/lib \
107 --with-secure-path \
108 --with-all-insults \
109 --with-env-editor \
110 --docdir=/usr/share/doc/sudo-&sudo-version; \
111 --with-passprompt="[sudo] password for %p: " &amp;&amp;
112make</userinput></screen>
113
114 <para>
115 To test the results, issue: <command>env LC_ALL=C make check 2&gt;&amp;1
116 | tee ../make-check.log</command>. Check the results with <command>grep
117 failed ../make-check.log</command>. One test, test3, is known to fail
118 if the tests are run as the root user.
119 </para>
120
121 <para>
122 Now, as the <systemitem class="username">root</systemitem> user:
123 </para>
124
125<screen role="root"><userinput>make install &amp;&amp;
126ln -sfv libsudo_util.so.0.0.0 /usr/lib/sudo/libsudo_util.so.0</userinput></screen>
127
128 </sect2>
129
130 <sect2 role="commands">
131 <title>Command Explanations</title>
132
133 <para>
134 <parameter>--libexecdir=/usr/lib</parameter>: This switch controls where
135 private programs are installed. Everything in that directory is a library, so
136 they belong under <filename class="directory">/usr/lib</filename> instead of
137 <filename class="directory">/usr/libexec</filename>.
138 </para>
139
140 <para>
141 <parameter>--with-secure-path</parameter>: This switch transparently adds
142 <filename class="directory">/sbin</filename> and <filename
143 class="directory">/usr/sbin</filename> directories to the
144 <envar>PATH</envar> environment variable.
145 </para>
146
147 <para>
148 <parameter>--with-all-insults</parameter>: This switch includes all the
149 <application>sudo</application> insult sets.
150 </para>
151
152 <para>
153 <parameter>--with-env-editor</parameter>: This switch enables use of the
154 environment variable EDITOR for <command>visudo</command>.
155 </para>
156
157 <para>
158 <parameter>--with-passprompt</parameter>: This switch sets the password prompt.
159 </para>
160
161 <para>
162 <option>--without-pam</option>: This switch avoids building
163 <application>Linux-PAM</application> support when
164 <application>Linux-PAM</application> is installed on the system.
165 </para>
166<!-- See the developer note above before the configure command
167 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
168 href="../../xincludes/static-libraries.xml"/>-->
169
170 <note>
171 <para>
172 There are many options to <application>sudo</application>'s
173 <command>configure</command> command. Check the
174 <command>configure --help</command> output for a complete list.
175 </para>
176 </note>
177
178 <para>
179 <command>ln -sfv libsudo_util...</command>: Works around a bug in the
180 installation process, which links to the previously installed
181 version (if there is one) instead of the new one.
182 </para>
183
184 </sect2>
185
186 <sect2 role="configuration">
187 <title>Configuring Sudo</title>
188
189 <sect3 id="sudo-config">
190 <title>Config File</title>
191
192 <para>
193 <filename>/etc/sudoers</filename>
194 </para>
195
196 <indexterm zone="sudo sudo-config">
197 <primary sortas="e-etc-sudoers">/etc/sudoers</primary>
198 </indexterm>
199
200 </sect3>
201
202 <sect3>
203 <title>Configuration Information</title>
204
205 <para>
206 The <filename>sudoers</filename> file can be quite complicated. It
207 is composed of two types of entries: aliases (basically variables) and
208 user specifications (which specify who may run what). The installation
209 installs a default configuration that has no privileges installed for
210 any user.
211 </para>
212
213 <para>
214 A couple of common configuration chanes are to set the path for the
215 super user and to allow members of the wheel group to execute all
216 commands after providing their own credientials. Use the following
217 commands to create the <filename>/etc/sudoers.d/sudo</filename>
218 configuration file as the
219 <systemitem class="username">root</systemitem> user:
220 </para>
221
222<screen role="root"><userinput>cat &gt; /etc/sudoers.d/sudo &lt;&lt; "EOF"
223<literal>Defaults secure_path="/usr/bin:/bin:/usr/sbin:/sbin"
224%wheel ALL=(ALL) ALL</literal>
225EOF</userinput></screen>
226
227 <para>
228 For details, see <command>man sudoers</command>.
229 </para>
230
231 <note>
232 <para>
233 The <application>Sudo</application> developers highly recommend
234 using the <command>visudo</command> program to edit the
235 <filename>sudoers</filename> file. This will provide basic sanity
236 checking like syntax parsing and file permission to avoid some
237 possible mistakes that could lead to a vulnerable configuration.
238 </para>
239 </note>
240
241 <para>
242 If <application>PAM</application> is installed on the system,
243 <application>Sudo</application> is built with
244 <application>PAM</application> support. In that case, issue the
245 following command as the <systemitem class="username">root</systemitem>
246 user to create the <application>PAM</application> configuration file:
247 </para>
248
249<screen role="root"><userinput>cat &gt; /etc/pam.d/sudo &lt;&lt; "EOF"
250<literal># Begin /etc/pam.d/sudo
251
252# include the default auth settings
253auth include system-auth
254
255# include the default account settings
256account include system-account
257
258# Set default environment variables for the service user
259session required pam_env.so
260
261# include system session defaults
262session include system-session
263
264# End /etc/pam.d/sudo</literal>
265EOF
266chmod 644 /etc/pam.d/sudo</userinput></screen>
267
268 </sect3>
269
270 </sect2>
271
272 <sect2 role="content">
273 <title>Contents</title>
274
275 <segmentedlist>
276 <segtitle>Installed Programs</segtitle>
277 <segtitle>Installed Libraries</segtitle>
278 <segtitle>Installed Directories</segtitle>
279
280 <seglistitem>
281 <seg>
282 cvtsudoers, sudo, sudoedit (symlink), sudoreplay, and visudo
283 </seg>
284 <seg>
285 group_file.so, libsudo_util.so,
286 sudoers.so, sudo_noexec.so, and system_group.so
287 </seg>
288 <seg>
289 /etc/sudoers.d,
290 /usr/lib/sudo,
291 /usr/share/doc/sudo-&sudo-version;, and
292 /var/{lib,run}/sudo
293 </seg>
294 </seglistitem>
295 </segmentedlist>
296
297 <variablelist>
298 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
299 <?dbfo list-presentation="list"?>
300 <?dbhtml list-presentation="table"?>
301
302 <varlistentry id="cvtsudoers">
303 <term><command>cvtsudoers</command></term>
304 <listitem>
305 <para>
306 converts between sudoers file formats.
307 </para>
308 <indexterm zone="sudo cvtsudoers">
309 <primary sortas="b-cvtsudoers">cvtsudoers</primary>
310 </indexterm>
311 </listitem>
312 </varlistentry>
313
314 <varlistentry id="sudo_prog">
315 <term><command>sudo</command></term>
316 <listitem>
317 <para>
318 executes a command as another user as permitted by
319 the <filename>/etc/sudoers</filename> configuration file.
320 </para>
321 <indexterm zone="sudo sudo">
322 <primary sortas="b-sudo">sudo</primary>
323 </indexterm>
324 </listitem>
325 </varlistentry>
326
327 <varlistentry id="sudoedit">
328 <term><command>sudoedit</command></term>
329 <listitem>
330 <para>
331 is a symlink to <command>sudo</command> that implies the
332 <option>-e</option> option to invoke an editor as another user.
333 </para>
334 <indexterm zone="sudo sudoedit">
335 <primary sortas="b-sudoedit">sudoedit</primary>
336 </indexterm>
337 </listitem>
338 </varlistentry>
339
340 <varlistentry id="sudoreplay">
341 <term><command>sudoreplay</command></term>
342 <listitem>
343 <para>
344 is used to play back or list the output
345 logs created by <command>sudo</command>.
346 </para>
347 <indexterm zone="sudo sudoreplay">
348 <primary sortas="b-sudoreplay">sudoreplay</primary>
349 </indexterm>
350 </listitem>
351 </varlistentry>
352
353 <varlistentry id="visudo">
354 <term><command>visudo</command></term>
355 <listitem>
356 <para>
357 allows for safer editing of the <filename>sudoers</filename>
358 file.
359 </para>
360 <indexterm zone="sudo visudo">
361 <primary sortas="b-visudo">visudo</primary>
362 </indexterm>
363 </listitem>
364 </varlistentry>
365
366 </variablelist>
367
368 </sect2>
369
370</sect1>
Note: See TracBrowser for help on using the repository browser.