source: postlfs/security/sudo.xml@ d90cdc8

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY sudo-download-http "http://www.sudo.ws/dist/sudo-&sudo-version;.tar.gz">
  <!ENTITY sudo-download-ftp  "ftp://ftp.sudo.ws/pub/sudo/sudo-&sudo-version;.tar.gz">
  <!ENTITY sudo-md5sum        "76d12cb91865b5935a930478f4bc93bd">
  <!ENTITY sudo-size          "2.5 MB">
  <!ENTITY sudo-buildsize     "33 MB (with tests)">
  <!ENTITY sudo-time          "0.5 SBU (with tests)">
]>

<sect1 id="sudo" xreflabel="Sudo-&sudo-version;">
  <?dbhtml filename="sudo.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>Sudo-&sudo-version;</title>

  <indexterm zone="sudo">
    <primary sortas="a-Sudo">Sudo</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to Sudo</title>

    <para>
      The <application>Sudo</application> package allows a system administrator
      to give certain users (or groups of users) the ability to run
      some (or all) commands as
      <systemitem class="username">root</systemitem> or another user while
      logging the commands and arguments.
    </para>

    &lfs77_checked; &gcc5_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&sudo-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&sudo-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &sudo-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &sudo-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &sudo-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &sudo-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Sudo Dependencies</bridgehead>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      <xref linkend="linux-pam"/>,
      <xref linkend="mitkrb"/>,
      <xref linkend="openldap"/>,
      <xref linkend="server-mail"/> (that provides a
      <command>sendmail</command> command),
      <ulink url="http://www.openafs.org/">AFS</ulink>,
      <ulink url="http://www.fwtk.org/">FWTK</ulink>, and
      <ulink url="http://sourceforge.net/projects/opie/files/">Opie</ulink>
<!--  <ulink url="http://www.rsa.com/node.aspx?id=1156">SecurID</ulink>-->
    </para>

    <para condition="html" role="usernotes">User Notes:
      <ulink url="&blfs-wiki;/sudo"/>
    </para>
  </sect2>

  <sect2 role="installation">
    <title>Installation of Sudo</title>

    <para>
      Install <application>Sudo</application> by running the following commands:
    </para>

<!-- Developer: apparently it is disabled by default, although in configure it
is written otherwise           -disable-static           \-->
<screen><userinput>./configure --prefix=/usr              \
            --libexecdir=/usr/lib      \
            --with-secure-path         \
            --with-all-insults         \
            --with-env-editor          \
            --docdir=/usr/share/doc/sudo-&sudo-version; \
            --with-passprompt="[sudo] password for %p" &amp;&amp;
make</userinput></screen>

    <para>
      To test the results, issue: <command>env LC_ALL=C make check 2&gt;&amp;1
      | tee ../make-check.log</command>. Check the results with <command>grep
      failed ../make-check.log</command>.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make install &amp;&amp;
ln -sfv libsudo_util.so.0.0.0 /usr/lib/sudo/libsudo_util.so.0</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
     <parameter>--libexecdir=/usr/lib</parameter>: This switch controls where
     private programs are installed.  Everything in that directory is a library, so
     they belong under <filename class="directory">/usr/lib</filename> instead of
     <filename class="directory">/usr/libexec</filename>.
    </para>

    <para>
      <parameter>--with-secure-path</parameter>: This switch transparently adds
      <filename class="directory">/sbin</filename> and <filename
      class="directory">/usr/sbin</filename> directories to the
      <envar>PATH</envar> environment variable.
    </para>

    <para>
      <parameter>--with-all-insults</parameter>: This switch includes all the
      <application>sudo</application> insult sets.
    </para>

    <para>
      <parameter>--with-env-editor</parameter>: This switch enables use of the
      environment variable EDITOR for <command>visudo</command>.
    </para>

    <para>
      <parameter>--with-passprompt</parameter>: This switch sets the prompt.
    </para>

    <para>
      <option>--without-pam</option>: Avoids building <application>PAM</application>
      support when <application>PAM</application> is installed on the system.
    </para>

    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
      href="../../xincludes/static-libraries.xml"/>

    <note>
      <para>
        There are many options to <application>sudo</application>'s
        <command>configure</command> command. Check the
        <command>configure --help</command> output for a complete list.
      </para>
    </note>

    <para>
      <command>ln -sfv libsudo_util...</command>: works around a bug in the
      installation process, which links to the previously installed
      version (if there is one) instead of the new one.
    </para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring Sudo</title>

    <sect3 id="sudo-config">
      <title>Config File</title>

      <para>
        <filename>/etc/sudoers</filename>
      </para>

      <indexterm zone="sudo sudo-config">
        <primary sortas="e-etc-sudoers">/etc/sudoers</primary>
      </indexterm>

    </sect3>

    <sect3>
      <title>Configuration Information</title>

      <para>
        The <filename>sudoers</filename> file can be quite complicated.  It
        is composed of two types of entries: aliases (basically variables) and
        user specifications (which specify who may run what).  The installation
        installs a default configuration that has no privileges installed for any
        user.
     </para>

      <para>
        One example usage is to allow the system administrator to execute
        any program without typing a password each time root privileges are
        needed. This can be configured as:
      </para>

<screen># User alias specification
User_Alias  ADMIN = YourLoginId

# Allow people in group ADMIN to run all commands without a password
ADMIN       ALL = NOPASSWD: ALL</screen>

      <para>
        For details, see <command>man sudoers</command>.
      </para>

      <note>
        <para>
          The <application>Sudo</application> developers highly recommend
          using the <command>visudo</command> program to edit the
          <filename>sudoers</filename> file. This will provide basic sanity
          checking like syntax parsing and file permission to avoid some possible
          mistakes that could lead to a vulnerable configuration.
        </para>
      </note>

      <para>
        If <application>PAM</application> is installed on the system,
        <application>Sudo</application> is built with
        <application>PAM</application> support. In that case, issue the following
        command as the <systemitem class="username">root</systemitem> user
        to create the <application>PAM</application> configuration file:
      </para>

<screen role="root"><userinput>cat &gt; /etc/pam.d/sudo &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/sudo

# include the default auth settings
auth      include     system-auth

# include the default account settings
account   include     system-account

# Set default environment variables for the service user
session   required    pam_env.so

# include system session defaults
session   include     system-session

# End /etc/pam.d/sudo</literal>
EOF
chmod 644 /etc/pam.d/sudo</userinput></screen>

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle> 
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>
          sudo, sudoedit (symlink), sudoreplay, and visudo
        </seg>
        <seg>
          group_file.so, libsudo_util.so,
          sudoers.so, sudo_noexec.so, and system_group.so
        </seg>
        <seg>
          /etc/sudoers.d,
          /usr/lib/sudo,
          /usr/share/doc/sudo-&sudo-version;, and
          /var/{lib,run}/sudo
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="sudo_prog">
        <term><command>sudo</command></term>
        <listitem>
          <para>
            executes a command as another user as permitted by
            the <filename>/etc/sudoers</filename> configuration file.
          </para>
          <indexterm zone="sudo sudo">
            <primary sortas="b-sudo">sudo</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sudoedit">
        <term><command>sudoedit</command></term>
        <listitem>
          <para>
            is a symlink to <command>sudo</command> that implies the
            <option>-e</option> option to invoke an editor as another user.
          </para>
          <indexterm zone="sudo sudoedit">
            <primary sortas="b-sudoedit">sudoedit</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="visudo">
        <term><command>visudo</command></term>
        <listitem>
          <para>
            allows for safer editing of the <filename>sudoers</filename>
            file.
          </para>
          <indexterm zone="sudo visudo">
            <primary sortas="b-visudo">visudo</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sudoreplay">
        <term><command>sudoreplay</command></term>
        <listitem>
          <para>
            is used to play back or list the output
            logs created by <command>sudo</command>.
          </para>
          <indexterm zone="sudo sudoreplay">
            <primary sortas="b-sudoreplay">sudoreplay</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>