Changeset a5b9f1e for postlfs

Timestamp:

11/24/2018 08:21:05 PM (5 years ago)

Author:

DJ Lucas <dj@…>

Branches:

10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 8.4, 9.0, 9.1, bdubbs/svn, elogind, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, lazarus, lxqt, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal

Children:

2a9e001

Parents:

9939292

Message:

Use wheel group for sample configuration of sudo.
Added pam_wheel.so configuration to /etc/pam.d/su.
update-usbids.service and upadate-pciids.service depend on network-online.target. Fixes #11249.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@20738 af4574ff-66df-0310-9fd7-8a98e5e911e0

Location:

postlfs/security

Files:

• make-ca.xml (modified) (1 diff)
• shadow.xml (modified) (6 diffs)
• sudo.xml (modified) (1 diff)

postlfs/security/make-ca.xml

@@ -116 +116 @@
     trust both for all three roles, the following commands will create
     appropriate OpenSSL trusted certificates (run as the <systemitem
-    class="username">root</systemitem> user):</para>
+    class="username">root</systemitem> user after
+    <xref linkend="wget"/> is installed):</para>
 
 <screen role="nodump"><userinput>install -vdm755 /etc/ssl/local &amp;&amp;

postlfs/security/shadow.xml

@@ -359 +359 @@
 #auth      optional    pam_group.so
 
-# include the default auth settings
+# include system auth settings
 auth      include     system-auth
 
@@ -365 +365 @@
 account   required    pam_access.so
 
-# include the default account settings
+# include system account settings
 account   include     system-account
 
@@ -383 +383 @@
 #session   optional    pam_mail.so      standard quiet
 
-# include the default session and password settings
+# include system session and password settings
 session   include     system-session
 password  include     system-password
@@ -411 +411 @@
 # always allow root
 auth      sufficient  pam_rootok.so
+
+# Allow users in the wheel group to execute su without a password
+# disabled by default
+#auth      sufficient  pam_wheel.so trust use_uid
+
+# include system auth settings
 auth      include     system-auth
 
-# include the default account settings
+# limit su to users in the wheel group
+auth      required    pam_wheel.so use_uid
+
+# include system account settings
 account   include     system-account
 
@@ -419 +428 @@
 session   required    pam_env.so
 
-# include system session defaults
+# include system session settings
 session   include     system-session
 
@@ -435 +444 @@
 auth      sufficient  pam_rootok.so
 
-# include system defaults for auth account and session
+# include system auth, account, and session settings
 auth      include     system-auth
 account   include     system-account

postlfs/security/sudo.xml

@@ -223 +223 @@
 ADMIN       ALL = NOPASSWD: ALL</screen>
 
+      <para>
+        Another common configuration is to allow members of the wheel group to
+        execute all commands after providing their own credientials. Use the
+        following command to edit default <filename>/etc/sudoers</filename>
+        file as the <systemitem class="username">root</systemitem> user:
+      </para>
+
+<screen role="nodump"><userinput>sed '/wheel.*) ALL/s/^# //' -i.bak /etc/sudoers</userinput></screen>
+      
       <para>
         For details, see <command>man sudoers</command>.