source: postlfs/security/sudo.xml@ ce5616c

10.1 11.0 ken/refactor-virt lazarus qt5new trunk xry111/git-date xry111/git-date-for-trunk xry111/git-date-test
Last change on this file since ce5616c was ce5616c, checked in by Bruce Dubbs <bdubbs@…>, 11 months ago

Update to sudo-1.9.4.
Update to feh-3.6.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@23947 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 13.6 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY sudo-download-http "http://www.sudo.ws/dist/sudo-&sudo-version;.tar.gz">
8 <!ENTITY sudo-download-ftp "ftp://ftp.sudo.ws/pub/sudo/sudo-&sudo-version;.tar.gz">
9 <!ENTITY sudo-md5sum "b654699baebedd095fa525108ea12cbe">
10 <!ENTITY sudo-size "3.8 MB">
11 <!ENTITY sudo-buildsize "41 MB (add 9 MB for tests)">
12 <!ENTITY sudo-time "0.4 SBU (add 0.1 SBU for tests)">
13]>
14
15<sect1 id="sudo" xreflabel="Sudo-&sudo-version;">
16 <?dbhtml filename="sudo.html"?>
17
18 <sect1info>
19 <othername>$LastChangedBy$</othername>
20 <date>$Date$</date>
21 </sect1info>
22
23 <title>Sudo-&sudo-version;</title>
24
25 <indexterm zone="sudo">
26 <primary sortas="a-Sudo">Sudo</primary>
27 </indexterm>
28
29 <sect2 role="package">
30 <title>Introduction to Sudo</title>
31
32 <para>
33 The <application>Sudo</application> package allows a system administrator
34 to give certain users (or groups of users) the ability to run
35 some (or all) commands as
36 <systemitem class="username">root</systemitem> or another user while
37 logging the commands and arguments.
38 </para>
39
40 &lfs10_checked;
41
42 <bridgehead renderas="sect3">Package Information</bridgehead>
43 <itemizedlist spacing="compact">
44 <listitem>
45 <para>
46 Download (HTTP): <ulink url="&sudo-download-http;"/>
47 </para>
48 </listitem>
49 <listitem>
50 <para>
51 Download (FTP): <ulink url="&sudo-download-ftp;"/>
52 </para>
53 </listitem>
54 <listitem>
55 <para>
56 Download MD5 sum: &sudo-md5sum;
57 </para>
58 </listitem>
59 <listitem>
60 <para>
61 Download size: &sudo-size;
62 </para>
63 </listitem>
64 <listitem>
65 <para>
66 Estimated disk space required: &sudo-buildsize;
67 </para>
68 </listitem>
69 <listitem>
70 <para>
71 Estimated build time: &sudo-time;
72 </para>
73 </listitem>
74 </itemizedlist>
75
76 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
77 <itemizedlist spacing="compact">
78 <listitem>
79 <para>
80 Required patch to fix issues when not using sendmail:
81 <ulink url="&patch-root;/sudo-&sudo-version;-upstream_fix-1.patch"/>
82 </para>
83 </listitem>
84 </itemizedlist>
85
86
87
88 <bridgehead renderas="sect3">Sudo Dependencies</bridgehead>
89
90 <bridgehead renderas="sect4">Optional</bridgehead>
91 <para role="optional">
92 <xref linkend="linux-pam"/>,
93 <xref linkend="mitkrb"/>,
94 <xref linkend="openldap"/>,
95 <xref linkend="server-mail"/> (that provides a
96 <command>sendmail</command> command),
97 <ulink url="http://www.openafs.org/">AFS</ulink>,
98 <ulink url="http://www.fwtk.org/">FWTK</ulink>, and
99 <ulink url="&sourceforge-dl;/opie/">Opie</ulink>
100<!-- <ulink url="http://www.rsa.com/node.aspx?id=1156">SecurID</ulink>-->
101 </para>
102
103 <para condition="html" role="usernotes">User Notes:
104 <ulink url="&blfs-wiki;/sudo"/>
105 </para>
106 </sect2>
107
108 <sect2 role="installation">
109 <title>Installation of Sudo</title>
110
111<!-- To my understanding, the Makefile.in does test on readable
112 $(sudoersdir)/sudoers anyhow. This sed seems to be redundant.
113
114 <para>
115 First, fix a problem that prevents installation from completion:
116 </para>
117
118<screen><userinput>sed -e '/^pre-install:/{N;s@;@ -a -r $(sudoersdir)/sudoers;@}' \
119 -i plugins/sudoers/Makefile.in</userinput></screen>
120-->
121
122 <para>First, fix a bug identified upstream:</para>
123
124<screen><userinput>patch -Np1 -i ../sudo-&sudo-version;-upstream_fix-1.patch</userinput></screen>
125
126 <para>
127 Install <application>Sudo</application> by running the following commands:
128 </para>
129
130<!-- Developer: apparently it is disabled by default, although in configure it
131is written otherwise -disable-static \-->
132<screen><userinput>./configure --prefix=/usr \
133 --libexecdir=/usr/lib \
134 --with-secure-path \
135 --with-all-insults \
136 --with-env-editor \
137 --docdir=/usr/share/doc/sudo-&sudo-version; \
138 --with-passprompt="[sudo] password for %p: " &amp;&amp;
139make</userinput></screen>
140
141 <para>
142 To test the results, issue: <command>env LC_ALL=C make check 2&gt;&amp;1
143 | tee ../make-check.log</command>. Check the results with <command>grep
144 failed ../make-check.log</command>. <!--One test, test3, is known to fail
145 if the tests are run as the root user.-->
146 </para>
147
148 <para>
149 Now, as the <systemitem class="username">root</systemitem> user:
150 </para>
151
152<screen role="root"><userinput>make install &amp;&amp;
153ln -sfv libsudo_util.so.0.0.0 /usr/lib/sudo/libsudo_util.so.0</userinput></screen>
154
155 </sect2>
156
157 <sect2 role="commands">
158 <title>Command Explanations</title>
159
160 <para>
161 <parameter>--libexecdir=/usr/lib</parameter>: This switch controls where
162 private programs are installed. Everything in that directory is a library, so
163 they belong under <filename class="directory">/usr/lib</filename> instead of
164 <filename class="directory">/usr/libexec</filename>.
165 </para>
166
167 <para>
168 <parameter>--with-secure-path</parameter>: This switch transparently adds
169 <filename class="directory">/sbin</filename> and <filename
170 class="directory">/usr/sbin</filename> directories to the
171 <envar>PATH</envar> environment variable.
172 </para>
173
174 <para>
175 <parameter>--with-all-insults</parameter>: This switch includes all the
176 <application>sudo</application> insult sets.
177 </para>
178
179 <para>
180 <parameter>--with-env-editor</parameter>: This switch enables use of the
181 environment variable EDITOR for <command>visudo</command>.
182 </para>
183
184 <para>
185 <parameter>--with-passprompt</parameter>: This switch sets the password prompt.
186 The <parameter>%p</parameter> will be expanded to the name of the user whose password is being requested.
187 </para>
188
189 <para>
190 <option>--without-pam</option>: This switch avoids building
191 <application>Linux-PAM</application> support when
192 <application>Linux-PAM</application> is installed on the system.
193 </para>
194<!-- See the developer note above before the configure command
195 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
196 href="../../xincludes/static-libraries.xml"/>-->
197
198 <note>
199 <para>
200 There are many options to <application>sudo</application>'s
201 <command>configure</command> command. Check the
202 <command>configure --help</command> output for a complete list.
203 </para>
204 </note>
205
206 <para>
207 <command>ln -sfv libsudo_util...</command>: Works around a bug in the
208 installation process, which links to the previously installed
209 version (if there is one) instead of the new one.
210 </para>
211
212 </sect2>
213
214 <sect2 role="configuration">
215 <title>Configuring Sudo</title>
216
217 <sect3 id="sudo-config">
218 <title>Config File</title>
219
220 <para>
221 <filename>/etc/sudoers</filename>
222 </para>
223
224 <indexterm zone="sudo sudo-config">
225 <primary sortas="e-etc-sudoers">/etc/sudoers</primary>
226 </indexterm>
227
228 </sect3>
229
230 <sect3>
231 <title>Configuration Information</title>
232
233 <para>
234 The <filename>sudoers</filename> file can be quite complicated. It
235 is composed of two types of entries: aliases (basically variables) and
236 user specifications (which specify who may run what). The installation
237 installs a default configuration that has no privileges installed for
238 any user.
239 </para>
240
241 <para>
242 A couple of common configuration chanes are to set the path for the
243 super user and to allow members of the wheel group to execute all
244 commands after providing their own credientials. Use the following
245 commands to create the <filename>/etc/sudoers.d/sudo</filename>
246 configuration file as the
247 <systemitem class="username">root</systemitem> user:
248 </para>
249
250<screen role="root"><userinput>cat &gt; /etc/sudoers.d/sudo &lt;&lt; "EOF"
251<literal>Defaults secure_path="/usr/bin:/bin:/usr/sbin:/sbin"
252%wheel ALL=(ALL) ALL</literal>
253EOF</userinput></screen>
254
255 <para>
256 For details, see <command>man sudoers</command>.
257 </para>
258
259 <note>
260 <para>
261 The <application>Sudo</application> developers highly recommend
262 using the <command>visudo</command> program to edit the
263 <filename>sudoers</filename> file. This will provide basic sanity
264 checking like syntax parsing and file permission to avoid some
265 possible mistakes that could lead to a vulnerable configuration.
266 </para>
267 </note>
268
269 <para>
270 If <application>PAM</application> is installed on the system,
271 <application>Sudo</application> is built with
272 <application>PAM</application> support. In that case, issue the
273 following command as the <systemitem class="username">root</systemitem>
274 user to create the <application>PAM</application> configuration file:
275 </para>
276
277<screen role="root"><userinput>cat &gt; /etc/pam.d/sudo &lt;&lt; "EOF"
278<literal># Begin /etc/pam.d/sudo
279
280# include the default auth settings
281auth include system-auth
282
283# include the default account settings
284account include system-account
285
286# Set default environment variables for the service user
287session required pam_env.so
288
289# include system session defaults
290session include system-session
291
292# End /etc/pam.d/sudo</literal>
293EOF
294chmod 644 /etc/pam.d/sudo</userinput></screen>
295
296 </sect3>
297
298 </sect2>
299
300 <sect2 role="content">
301 <title>Contents</title>
302
303 <segmentedlist>
304 <segtitle>Installed Programs</segtitle>
305 <segtitle>Installed Libraries</segtitle>
306 <segtitle>Installed Directories</segtitle>
307
308 <seglistitem>
309 <seg>
310 cvtsudoers, sudo, sudo_logsrvd, sudo_sendlog,
311 sudoedit (symlink), sudoreplay, and visudo
312 </seg>
313 <seg>
314 <!-- [pierre, September 25, 2020] except libsudo_util, the other
315 shared objects in /usr/lib/sudo look more like modules than
316 libraries. Leaving them now, and updating the list, but I think
317 they should not be listed. -->
318 audit_json.so, group_file.so, libsudo_util.so, sample_approval.so,
319 sudoers.so, sudo_noexec.so, and system_group.so
320 </seg>
321 <seg>
322 /etc/sudoers.d,
323 /usr/lib/sudo,
324 /usr/share/doc/sudo-&sudo-version;, and
325 /var/lib/sudo
326 </seg>
327 </seglistitem>
328 </segmentedlist>
329
330 <variablelist>
331 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
332 <?dbfo list-presentation="list"?>
333 <?dbhtml list-presentation="table"?>
334
335 <varlistentry id="cvtsudoers">
336 <term><command>cvtsudoers</command></term>
337 <listitem>
338 <para>
339 converts between sudoers file formats.
340 </para>
341 <indexterm zone="sudo cvtsudoers">
342 <primary sortas="b-cvtsudoers">cvtsudoers</primary>
343 </indexterm>
344 </listitem>
345 </varlistentry>
346
347 <varlistentry id="sudo_prog">
348 <term><command>sudo</command></term>
349 <listitem>
350 <para>
351 executes a command as another user as permitted by
352 the <filename>/etc/sudoers</filename> configuration file.
353 </para>
354 <indexterm zone="sudo sudo">
355 <primary sortas="b-sudo">sudo</primary>
356 </indexterm>
357 </listitem>
358 </varlistentry>
359
360 <varlistentry id="sudo_logsrvd">
361 <term><command>sudo_logsrvd</command></term>
362 <listitem>
363 <para>
364 is a sudo event and I/O log server.
365 </para>
366 <indexterm zone="sudo sudo_logsrvd">
367 <primary sortas="b-sudo_logsrvd">sudo_logsrvd</primary>
368 </indexterm>
369 </listitem>
370 </varlistentry>
371
372 <varlistentry id="sudo_sendlog">
373 <term><command>sudo_sendlog</command></term>
374 <listitem>
375 <para>
376 sends sudo I/O log to the log server.
377 </para>
378 <indexterm zone="sudo sudo_sendlog">
379 <primary sortas="b-sudo_sendlog">sudo_sendlog</primary>
380 </indexterm>
381 </listitem>
382 </varlistentry>
383
384 <varlistentry id="sudoedit">
385 <term><command>sudoedit</command></term>
386 <listitem>
387 <para>
388 is a symlink to <command>sudo</command> that implies the
389 <option>-e</option> option to invoke an editor as another user.
390 </para>
391 <indexterm zone="sudo sudoedit">
392 <primary sortas="b-sudoedit">sudoedit</primary>
393 </indexterm>
394 </listitem>
395 </varlistentry>
396
397 <varlistentry id="sudoreplay">
398 <term><command>sudoreplay</command></term>
399 <listitem>
400 <para>
401 is used to play back or list the output
402 logs created by <command>sudo</command>.
403 </para>
404 <indexterm zone="sudo sudoreplay">
405 <primary sortas="b-sudoreplay">sudoreplay</primary>
406 </indexterm>
407 </listitem>
408 </varlistentry>
409
410 <varlistentry id="visudo">
411 <term><command>visudo</command></term>
412 <listitem>
413 <para>
414 allows for safer editing of the <filename>sudoers</filename>
415 file.
416 </para>
417 <indexterm zone="sudo visudo">
418 <primary sortas="b-visudo">visudo</primary>
419 </indexterm>
420 </listitem>
421 </varlistentry>
422
423 </variablelist>
424
425 </sect2>
426
427</sect1>
Note: See TracBrowser for help on using the repository browser.