source: postlfs/security/sudo.xml@ ddf6739

10.0 10.1 11.0 ken/refactor-virt lazarus qt5new trunk xry111/git-date xry111/git-date-for-trunk xry111/git-date-test
Last change on this file since ddf6739 was ddf6739, checked in by Thomas Trepl <thomas@…>, 16 months ago

Upgrade to sudo-1.9.1

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@23299 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 12.0 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY sudo-download-http "http://www.sudo.ws/dist/sudo-&sudo-version;.tar.gz">
8 <!ENTITY sudo-download-ftp "ftp://ftp.sudo.ws/pub/sudo/sudo-&sudo-version;.tar.gz">
9 <!ENTITY sudo-md5sum "fd95682cbbe929fda7bbe93730934c98">
10 <!ENTITY sudo-size "3.6 MB">
11 <!ENTITY sudo-buildsize "39 MB (with tests)">
12 <!ENTITY sudo-time "0.4 SBU (with tests)">
13]>
14
15<sect1 id="sudo" xreflabel="Sudo-&sudo-version;">
16 <?dbhtml filename="sudo.html"?>
17
18 <sect1info>
19 <othername>$LastChangedBy$</othername>
20 <date>$Date$</date>
21 </sect1info>
22
23 <title>Sudo-&sudo-version;</title>
24
25 <indexterm zone="sudo">
26 <primary sortas="a-Sudo">Sudo</primary>
27 </indexterm>
28
29 <sect2 role="package">
30 <title>Introduction to Sudo</title>
31
32 <para>
33 The <application>Sudo</application> package allows a system administrator
34 to give certain users (or groups of users) the ability to run
35 some (or all) commands as
36 <systemitem class="username">root</systemitem> or another user while
37 logging the commands and arguments.
38 </para>
39
40 &lfs91_checked;
41
42 <bridgehead renderas="sect3">Package Information</bridgehead>
43 <itemizedlist spacing="compact">
44 <listitem>
45 <para>
46 Download (HTTP): <ulink url="&sudo-download-http;"/>
47 </para>
48 </listitem>
49 <listitem>
50 <para>
51 Download (FTP): <ulink url="&sudo-download-ftp;"/>
52 </para>
53 </listitem>
54 <listitem>
55 <para>
56 Download MD5 sum: &sudo-md5sum;
57 </para>
58 </listitem>
59 <listitem>
60 <para>
61 Download size: &sudo-size;
62 </para>
63 </listitem>
64 <listitem>
65 <para>
66 Estimated disk space required: &sudo-buildsize;
67 </para>
68 </listitem>
69 <listitem>
70 <para>
71 Estimated build time: &sudo-time;
72 </para>
73 </listitem>
74 </itemizedlist>
75
76 <bridgehead renderas="sect3">Sudo Dependencies</bridgehead>
77
78 <bridgehead renderas="sect4">Optional</bridgehead>
79 <para role="optional">
80 <xref linkend="linux-pam"/>,
81 <xref linkend="mitkrb"/>,
82 <xref linkend="openldap"/>,
83 <xref linkend="server-mail"/> (that provides a
84 <command>sendmail</command> command),
85 <ulink url="http://www.openafs.org/">AFS</ulink>,
86 <ulink url="http://www.fwtk.org/">FWTK</ulink>, and
87 <ulink url="&sourceforge-dl;/opie/">Opie</ulink>
88<!-- <ulink url="http://www.rsa.com/node.aspx?id=1156">SecurID</ulink>-->
89 </para>
90
91 <para condition="html" role="usernotes">User Notes:
92 <ulink url="&blfs-wiki;/sudo"/>
93 </para>
94 </sect2>
95
96 <sect2 role="installation">
97 <title>Installation of Sudo</title>
98
99<!-- To my understanding, the Makefile.in does test on readable
100 $(sudoersdir)/sudoers anyhow. This sed seems to be redundant.
101
102 <para>
103 First, fix a problem that prevents installation from completion:
104 </para>
105
106<screen><userinput>sed -e '/^pre-install:/{N;s@;@ -a -r $(sudoersdir)/sudoers;@}' \
107 -i plugins/sudoers/Makefile.in</userinput></screen>
108-->
109 <para>
110 Install <application>Sudo</application> by running the following commands:
111 </para>
112
113<!-- Developer: apparently it is disabled by default, although in configure it
114is written otherwise -disable-static \-->
115<screen><userinput>./configure --prefix=/usr \
116 --libexecdir=/usr/lib \
117 --with-secure-path \
118 --with-all-insults \
119 --with-env-editor \
120 --docdir=/usr/share/doc/sudo-&sudo-version; \
121 --with-passprompt="[sudo] password for %p: " &amp;&amp;
122make</userinput></screen>
123
124 <para>
125 To test the results, issue: <command>env LC_ALL=C make check 2&gt;&amp;1
126 | tee ../make-check.log</command>. Check the results with <command>grep
127 failed ../make-check.log</command>. <!--One test, test3, is known to fail
128 if the tests are run as the root user.-->
129 </para>
130
131 <para>
132 Now, as the <systemitem class="username">root</systemitem> user:
133 </para>
134
135<screen role="root"><userinput>make install &amp;&amp;
136ln -sfv libsudo_util.so.0.0.0 /usr/lib/sudo/libsudo_util.so.0</userinput></screen>
137
138 </sect2>
139
140 <sect2 role="commands">
141 <title>Command Explanations</title>
142
143 <para>
144 <parameter>--libexecdir=/usr/lib</parameter>: This switch controls where
145 private programs are installed. Everything in that directory is a library, so
146 they belong under <filename class="directory">/usr/lib</filename> instead of
147 <filename class="directory">/usr/libexec</filename>.
148 </para>
149
150 <para>
151 <parameter>--with-secure-path</parameter>: This switch transparently adds
152 <filename class="directory">/sbin</filename> and <filename
153 class="directory">/usr/sbin</filename> directories to the
154 <envar>PATH</envar> environment variable.
155 </para>
156
157 <para>
158 <parameter>--with-all-insults</parameter>: This switch includes all the
159 <application>sudo</application> insult sets.
160 </para>
161
162 <para>
163 <parameter>--with-env-editor</parameter>: This switch enables use of the
164 environment variable EDITOR for <command>visudo</command>.
165 </para>
166
167 <para>
168 <parameter>--with-passprompt</parameter>: This switch sets the password prompt.
169 The <parameter>%p</parameter> will be expanded to the name of the user whose password is being requested.
170 </para>
171
172 <para>
173 <option>--without-pam</option>: This switch avoids building
174 <application>Linux-PAM</application> support when
175 <application>Linux-PAM</application> is installed on the system.
176 </para>
177<!-- See the developer note above before the configure command
178 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
179 href="../../xincludes/static-libraries.xml"/>-->
180
181 <note>
182 <para>
183 There are many options to <application>sudo</application>'s
184 <command>configure</command> command. Check the
185 <command>configure --help</command> output for a complete list.
186 </para>
187 </note>
188
189 <para>
190 <command>ln -sfv libsudo_util...</command>: Works around a bug in the
191 installation process, which links to the previously installed
192 version (if there is one) instead of the new one.
193 </para>
194
195 </sect2>
196
197 <sect2 role="configuration">
198 <title>Configuring Sudo</title>
199
200 <sect3 id="sudo-config">
201 <title>Config File</title>
202
203 <para>
204 <filename>/etc/sudoers</filename>
205 </para>
206
207 <indexterm zone="sudo sudo-config">
208 <primary sortas="e-etc-sudoers">/etc/sudoers</primary>
209 </indexterm>
210
211 </sect3>
212
213 <sect3>
214 <title>Configuration Information</title>
215
216 <para>
217 The <filename>sudoers</filename> file can be quite complicated. It
218 is composed of two types of entries: aliases (basically variables) and
219 user specifications (which specify who may run what). The installation
220 installs a default configuration that has no privileges installed for
221 any user.
222 </para>
223
224 <para>
225 A couple of common configuration chanes are to set the path for the
226 super user and to allow members of the wheel group to execute all
227 commands after providing their own credientials. Use the following
228 commands to create the <filename>/etc/sudoers.d/sudo</filename>
229 configuration file as the
230 <systemitem class="username">root</systemitem> user:
231 </para>
232
233<screen role="root"><userinput>cat &gt; /etc/sudoers.d/sudo &lt;&lt; "EOF"
234<literal>Defaults secure_path="/usr/bin:/bin:/usr/sbin:/sbin"
235%wheel ALL=(ALL) ALL</literal>
236EOF</userinput></screen>
237
238 <para>
239 For details, see <command>man sudoers</command>.
240 </para>
241
242 <note>
243 <para>
244 The <application>Sudo</application> developers highly recommend
245 using the <command>visudo</command> program to edit the
246 <filename>sudoers</filename> file. This will provide basic sanity
247 checking like syntax parsing and file permission to avoid some
248 possible mistakes that could lead to a vulnerable configuration.
249 </para>
250 </note>
251
252 <para>
253 If <application>PAM</application> is installed on the system,
254 <application>Sudo</application> is built with
255 <application>PAM</application> support. In that case, issue the
256 following command as the <systemitem class="username">root</systemitem>
257 user to create the <application>PAM</application> configuration file:
258 </para>
259
260<screen role="root"><userinput>cat &gt; /etc/pam.d/sudo &lt;&lt; "EOF"
261<literal># Begin /etc/pam.d/sudo
262
263# include the default auth settings
264auth include system-auth
265
266# include the default account settings
267account include system-account
268
269# Set default environment variables for the service user
270session required pam_env.so
271
272# include system session defaults
273session include system-session
274
275# End /etc/pam.d/sudo</literal>
276EOF
277chmod 644 /etc/pam.d/sudo</userinput></screen>
278
279 </sect3>
280
281 </sect2>
282
283 <sect2 role="content">
284 <title>Contents</title>
285
286 <segmentedlist>
287 <segtitle>Installed Programs</segtitle>
288 <segtitle>Installed Libraries</segtitle>
289 <segtitle>Installed Directories</segtitle>
290
291 <seglistitem>
292 <seg>
293 cvtsudoers, sudo, sudoedit (symlink), sudoreplay, and visudo
294 </seg>
295 <seg>
296 group_file.so, libsudo_util.so,
297 sudoers.so, sudo_noexec.so, and system_group.so
298 </seg>
299 <seg>
300 /etc/sudoers.d,
301 /usr/lib/sudo,
302 /usr/share/doc/sudo-&sudo-version;, and
303 /var/{lib,run}/sudo
304 </seg>
305 </seglistitem>
306 </segmentedlist>
307
308 <variablelist>
309 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
310 <?dbfo list-presentation="list"?>
311 <?dbhtml list-presentation="table"?>
312
313 <varlistentry id="cvtsudoers">
314 <term><command>cvtsudoers</command></term>
315 <listitem>
316 <para>
317 converts between sudoers file formats.
318 </para>
319 <indexterm zone="sudo cvtsudoers">
320 <primary sortas="b-cvtsudoers">cvtsudoers</primary>
321 </indexterm>
322 </listitem>
323 </varlistentry>
324
325 <varlistentry id="sudo_prog">
326 <term><command>sudo</command></term>
327 <listitem>
328 <para>
329 executes a command as another user as permitted by
330 the <filename>/etc/sudoers</filename> configuration file.
331 </para>
332 <indexterm zone="sudo sudo">
333 <primary sortas="b-sudo">sudo</primary>
334 </indexterm>
335 </listitem>
336 </varlistentry>
337
338 <varlistentry id="sudoedit">
339 <term><command>sudoedit</command></term>
340 <listitem>
341 <para>
342 is a symlink to <command>sudo</command> that implies the
343 <option>-e</option> option to invoke an editor as another user.
344 </para>
345 <indexterm zone="sudo sudoedit">
346 <primary sortas="b-sudoedit">sudoedit</primary>
347 </indexterm>
348 </listitem>
349 </varlistentry>
350
351 <varlistentry id="sudoreplay">
352 <term><command>sudoreplay</command></term>
353 <listitem>
354 <para>
355 is used to play back or list the output
356 logs created by <command>sudo</command>.
357 </para>
358 <indexterm zone="sudo sudoreplay">
359 <primary sortas="b-sudoreplay">sudoreplay</primary>
360 </indexterm>
361 </listitem>
362 </varlistentry>
363
364 <varlistentry id="visudo">
365 <term><command>visudo</command></term>
366 <listitem>
367 <para>
368 allows for safer editing of the <filename>sudoers</filename>
369 file.
370 </para>
371 <indexterm zone="sudo visudo">
372 <primary sortas="b-visudo">visudo</primary>
373 </indexterm>
374 </listitem>
375 </varlistentry>
376
377 </variablelist>
378
379 </sect2>
380
381</sect1>
Note: See TracBrowser for help on using the repository browser.