Changeset bcd2922 for postlfs/security/sudo.xml
- Timestamp: 07/20/2012 12:05:51 AM (12 years ago)
- Branches: 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children: 3261d55d
- Parents: cc13920
- File: 1 edited
postlfs/security/sudo.xml
rcc13920 rbcd2922 7 7 <!ENTITY sudo-download-http "http://www.sudo.ws/sudo/dist/sudo-&sudo-version;.tar.gz"> 8 8 <!ENTITY sudo-download-ftp "ftp://ftp.twaren.net/Unix/Security/Sudo/sudo-&sudo-version;.tar.gz"> 9 <!ENTITY sudo-md5sum " b9be6df7ecefedff2263052ed9fc5e93">10 <!ENTITY sudo-size "1. 5MB">11 <!ENTITY sudo-buildsize "1 6MB">9 <!ENTITY sudo-md5sum "dc42ed9f0946d92273762d0ae7314d59"> 10 <!ENTITY sudo-size "1.7 MB"> 11 <!ENTITY sudo-buildsize "18 MB"> 12 12 <!ENTITY sudo-time "0.3 SBU"> 13 13 ]> 14 14 15 <sect1 id="sudo" xreflabel=" sudo-&sudo-version;">15 <sect1 id="sudo" xreflabel="Sudo-&sudo-version;"> 16 16 <?dbhtml filename="sudo.html"?> 17 17 … … 24 24 25 25 <indexterm zone="sudo"> 26 <primary sortas="a- sudo">sudo</primary>26 <primary sortas="a-Sudo">Sudo</primary> 27 27 </indexterm> 28 28 … … 30 30 <title>Introduction to Sudo</title> 31 31 32 <para>The <application>sudo</application> package allows a system 33 administrator to give certain users (or groups of users) the ability to run 34 some (or all) commands as 35 <systemitem class="username">root</systemitem> or another user while 36 logging the commands and arguments.</para> 32 <para> 33 The <application>Sudo</application> package allows a system administrator 34 to give certain users (or groups of users) the ability to run 35 some (or all) commands as 36 <systemitem class="username">root</systemitem> or another user while 37 logging the commands and arguments. 
38 </para> 37 39 38 40 &lfs71_checked; … … 41 43 <itemizedlist spacing="compact"> 42 44 <listitem> 43 <para>Download (HTTP): <ulink url="&sudo-download-http;"/></para> 44 </listitem> 45 <listitem> 46 <para>Download (FTP): <ulink url="&sudo-download-ftp;"/></para> 47 </listitem> 48 <listitem> 49 <para>Download MD5 sum: &sudo-md5sum;</para> 50 </listitem> 51 <listitem> 52 <para>Download size: &sudo-size;</para> 53 </listitem> 54 <listitem> 55 <para>Estimated disk space required: &sudo-buildsize;</para> 56 </listitem> 57 <listitem> 58 <para>Estimated build time: &sudo-time;</para> 45 <para> 46 Download (HTTP): <ulink url="&sudo-download-http;"/> 47 </para> 48 </listitem> 49 <listitem> 50 <para> 51 Download (FTP): <ulink url="&sudo-download-ftp;"/> 52 </para> 53 </listitem> 54 <listitem> 55 <para> 56 Download MD5 sum: &sudo-md5sum; 57 </para> 58 </listitem> 59 <listitem> 60 <para> 61 Download size: &sudo-size; 62 </para> 63 </listitem> 64 <listitem> 65 <para> 66 Estimated disk space required: &sudo-buildsize; 67 </para> 68 </listitem> 69 <listitem> 70 <para> 71 Estimated build time: &sudo-time; 72 </para> 59 73 </listitem> 60 74 </itemizedlist> … … 63 77 64 78 <bridgehead renderas="sect4">Optional</bridgehead> 65 <para role="optional"><ulink url="http://www.openafs.org/">AFS</ulink>, 66 <xref linkend="linux-pam"/>, 67 <ulink url="http://www.fwtk.org/">FWTK</ulink>, 68 <xref linkend="mitkrb"/>, 69 an <xref linkend="server-mail"/> (that provides a 70 <command>sendmail</command> command), 71 <xref linkend="openldap"/>, 72 <ulink url="ftp://ftp.nrl.navy.mil/pub/security/opie">Opie</ulink> and 73 <ulink url="http://www.rsa.com/node.aspx?id=1156">SecurID</ulink></para> 79 <para role="optional"> 80 <ulink url="http://www.openafs.org/">AFS</ulink>, 81 <ulink url="http://www.fwtk.org/">FWTK</ulink>, 82 <xref linkend="linux-pam"/>, 83 <xref linkend="mitkrb"/>, 84 an <xref linkend="server-mail"/> (that provides a 85 <command>sendmail</command> command), 86 <xref 
linkend="openldap"/>, 87 <ulink url="ftp://ftp.nrl.navy.mil/pub/security/opie">Opie</ulink> and 88 <ulink url="http://www.rsa.com/node.aspx?id=1156">SecurID</ulink> 89 </para> 74 90 75 91 <para condition="html" role="usernotes">User Notes: 76 <ulink url="&blfs-wiki;/sudo"/></para>77 92 <ulink url="&blfs-wiki;/sudo"/> 93 </para> 78 94 </sect2> 79 95 … … 81 97 <title>Installation of Sudo</title> 82 98 83 <para>Install <application>sudo</application> by running 84 the following commands:</para> 99 <para> 100 Install <application>Sudo</application> by running 101 the following commands: 102 </para> 85 103 86 104 <screen><userinput>./configure --prefix=/usr \ … … 93 111 make</userinput></screen> 94 112 95 <para>This package does not come with a test suite.</para> 96 97 <para>Now, as the <systemitem class="username">root</systemitem> user:</para> 113 <para> 114 This package does not come with a test suite. 115 </para> 116 117 <para> 118 Now, as the <systemitem class="username">root</systemitem> user: 119 </para> 98 120 99 121 <screen role="root"><userinput>make install</userinput></screen> … … 104 126 <title>Command Explanations</title> 105 127 106 <para><option>--with-all-insults</option>: This switch includes all the 107 <application>sudo</application> insult sets.</para> 108 109 <para><option>--with-env-editor</option>: This switch enables use of the 110 environment variable EDITOR for <command>visudo</command>.</para> 111 112 <para><option>--without-pam</option>: This switch disables the use of 113 <application>PAM</application> authentication. Omit if you have 114 <application>Linux PAM</application> installed.</para> 115 116 <para><option>--without-sendmail</option>: This switch disables the use of 117 sendmail. Remove if you have a sendmail compatible MTA.</para> 128 <para> 129 <option>--with-all-insults</option>: This switch includes all the 130 <application>sudo</application> insult sets. 
131 </para> 132 133 <para> 134 <option>--with-env-editor</option>: This switch enables use of the 135 environment variable EDITOR for <command>visudo</command>. 136 </para> 137 138 <para> 139 <option>--without-pam</option>: This switch disables the use of 140 <application>PAM</application> authentication. Omit if you have 141 <application>Linux PAM</application> installed. 142 </para> 143 144 <para> 145 <option>--without-sendmail</option>: This switch disables the use of 146 sendmail. Remove if you have a sendmail compatible MTA. 147 </para> 118 148 119 149 <note> 120 <para>There are many options to <application>sudo</application>'s 121 <command>configure</command> command. Check the 122 <command>configure --help</command> output for a complete list.</para> 150 <para> 151 There are many options to <application>sudo</application>'s 152 <command>configure</command> command. Check the 153 <command>configure --help</command> output for a complete list. 154 </para> 123 155 </note> 124 156 … … 142 174 <title>Configuration Information</title> 143 175 144 <para>The <filename>sudoers</filename> file can be quite complicated. It 145 is composed of two types of entries: aliases (basically variables) and 146 user specifications (which specify who may run what). The installation 147 installs a default configuration that has no privileges installed for any 148 user.</para> 149 150 <para>One example usage is to allow the system administrator to execute 151 any program without typing a password each time root privileges are 152 needed. This can be configured as:</para> 176 <para> 177 The <filename>sudoers</filename> file can be quite complicated. It 178 is composed of two types of entries: aliases (basically variables) and 179 user specifications (which specify who may run what). The installation 180 installs a default configuration that has no privileges installed for any 181 user. 
182 </para> 183 184 <para> 185 One example usage is to allow the system administrator to execute 186 any program without typing a password each time root privileges are 187 needed. This can be configured as: 188 </para> 153 189 154 190 <screen># User alias specification … … 158 194 ADMIN ALL = NOPASSWD: ALL</screen> 159 195 160 <para>For details, see <command>man sudoers</command>.</para> 196 <para> 197 For details, see <command>man sudoers</command>. 198 </para> 161 199 162 200 <note> 163 <para>The <application>Sudo</application> developers highly recommend 164 using the <command>visudo</command> program to edit the 165 <filename>sudoers</filename> file. This will provide basic sanity 166 checking like syntax parsing and file permission to avoid some possible 167 mistakes that could lead to a vulnerable configuration.</para> 201 <para> 202 The <application>Sudo</application> developers highly recommend 203 using the <command>visudo</command> program to edit the 204 <filename>sudoers</filename> file. This will provide basic sanity 205 checking like syntax parsing and file permission to avoid some possible 206 mistakes that could lead to a vulnerable configuration. 
207 </para> 168 208 </note> 169 209 170 <para>If you've built <application>Sudo</application> with 171 <application>PAM</application> support, issue the following 172 command as the <systemitem class="username">root</systemitem> user 173 to create the <application>PAM</application> configuration file:</para> 210 <para> 211 If you've built <application>Sudo</application> with 212 <application>PAM</application> support, issue the following 213 command as the <systemitem class="username">root</systemitem> user 214 to create the <application>PAM</application> configuration file: 215 </para> 174 216 175 217 <screen role="root"><userinput>cat > /etc/pam.d/sudo << "EOF" && … … 205 247 206 248 <seglistitem> 207 <seg>sudo, sudoedit, sudoreplay and visudo</seg> 208 <seg>sudoers.so and sudo_noexec.so</seg> 209 <seg>None</seg> 249 <seg> 250 sudo, sudoedit, sudoreplay and visudo 251 </seg> 252 <seg> 253 sudoers.so and sudo_noexec.so 254 </seg> 255 <seg> 256 /usr/lib/sudo and 257 /usr/share/doc/sudo-&sudo-version; 258 </seg> 210 259 </seglistitem> 211 260 </segmentedlist> … … 219 268 <term><command>sudo</command></term> 220 269 <listitem> 221 <para>executes a command as another user as permitted by 222 the <filename>/etc/sudoers</filename> configuration file. 270 <para> 271 executes a command as another user as permitted by 272 the <filename>/etc/sudoers</filename> configuration file. 223 273 </para> 224 274 <indexterm zone="sudo sudo"> … … 231 281 <term><command>sudoedit</command></term> 232 282 <listitem> 233 <para>is a hard link to <command>sudo</command> that implies 234 the <option>-e</option> option to invoke an editor as another 235 user.</para> 283 <para> 284 is a hard link to <command>sudo</command> that implies the 285 <option>-e</option> option to invoke an editor as another user. 
286 </para> 236 287 <indexterm zone="sudo sudoedit"> 237 288 <primary sortas="b-sudoedit">sudoedit</primary> … … 243 294 <term><command>visudo</command></term> 244 295 <listitem> 245 <para>allows for safer editing of the <filename>sudoers</filename> 246 file.</para> 296 <para> 297 allows for safer editing of the <filename>sudoers</filename> 298 file. 299 </para> 247 300 <indexterm zone="sudo visudo"> 248 301 <primary sortas="b-visudo">visudo</primary> … … 254 307 <term><command>sudoreplay</command></term> 255 308 <listitem> 256 <para>is used to play back or list the output 257 logs created by <command>sudo</command>.</para> 309 <para> 310 is used to play back or list the output 311 logs created by <command>sudo</command>. 312 </para> 258 313 <indexterm zone="sudo sudoreplay"> 259 314 <primary sortas="b-sudoreplay">sudoreplay</primary> … … 265 320 <term><filename class='libraryfile'>sudoers.so</filename></term> 266 321 <listitem> 267 <para>is default sudo security policy module.</para> 322 <para> 323 is default sudo security policy module. 324 </para> 268 325 <indexterm zone="sudo sudoers"> 269 326 <primary sortas="c-sudoers">sudoers.so</primary> … … 275 332 <term><filename class='libraryfile'>sudo_noexec.so</filename></term> 276 333 <listitem> 277 <para>enables support for the "noexec" functionality which prevents 278 a dynamically-linked program being run by sudo from executing 279 another program (think shell escapes).</para> 334 <para> 335 enables support for the "noexec" functionality which prevents 336 a dynamically-linked program being run by sudo from executing 337 another program (think shell escapes). 338 </para> 280 339 <indexterm zone="sudo sudo_noexec"> 281 340 <primary sortas="c-sudo_noexec">sudo_noexec.so</primary>
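Review bot: In the entity block (new lines 7-11), the updated tarball is still pinned only by `sudo-md5sum`, and both `sudo-download-http` and `sudo-download-ftp` are cleartext URLs, so the page gives the reader no tamper-resistant way to check what was fetched. For a package whose purpose is to run commands as root, consider adding a SHA-256 digest alongside the MD5 value, or a sentence pointing readers at the signature file upstream publishes with each release.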
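Review bot: Capitalisation is left inconsistent in the Command Explanations hunk: new lines 130 and 151 still read `<application>sudo</application>` while the rest of this changeset switches to `<application>Sudo</application>`. Please convert those two as well. While the paragraphs are being rewrapped, `EDITOR` at new line 135 could be marked up as an environment variable, and "Omit if" (line 140) and "Remove if" (line 146) should use the same verb since they give the same instruction.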
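Review bot: The example kept at new line 194, `ADMIN ALL = NOPASSWD: ALL`, is introduced at new lines 185-187 without stating what it costs: every process running as a member of ADMIN can become root with no authentication step. Since this paragraph is being touched anyway, add a sentence saying so and suggesting that NOPASSWD be limited to a specific command list, or dropped, where the convenience is not required. Minor wording: "file permission" at new line 205 should be "file permissions".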
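Review bot: New line 323 reads "is default sudo security policy module." and needs an article ("is the default ..."); the bare "sudo" there and at new line 336 should also carry `<application>` markup like the other descriptions. Separately, Installed Directories changes from "None" to `/usr/lib/sudo` and `/usr/share/doc/sudo-&sudo-version;` (new lines 256-257), but the configure switches are mostly elided in this view, so please confirm the documentation directory matches what the build instructions actually pass to `configure`.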