glfs/postlfs/security/sudo.xml

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY sudo-download-http "http://www.sudo.ws/sudo/dist/sudo-&sudo-version;.tar.gz">
  <!ENTITY sudo-download-ftp  "ftp://ftp.sudo.ws/pub/sudo/sudo-&sudo-version;.tar.gz">
  <!ENTITY sudo-md5sum        "a46f6de8645e6c5b6668d30657439d1c">
  <!ENTITY sudo-size          "2.1 MB">
  <!ENTITY sudo-buildsize     "24 MB (additional 1 MB for tests)">
  <!ENTITY sudo-time          "0.4 SBU">
]>

<sect1 id="sudo" xreflabel="Sudo-&sudo-version;">
  <?dbhtml filename="sudo.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>Sudo-&sudo-version;</title>

  <indexterm zone="sudo">
    <primary sortas="a-Sudo">Sudo</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to Sudo</title>

    <para>
      The <application>Sudo</application> package allows a system administrator
      to give certain users (or groups of users) the ability to run
      some (or all) commands as
      <systemitem class="username">root</systemitem> or another user while
      logging the commands and arguments.
    </para>

    &lfs74_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&sudo-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&sudo-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &sudo-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &sudo-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &sudo-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &sudo-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Sudo Dependencies</bridgehead>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      <ulink url="http://www.openafs.org/">AFS</ulink>,
      <ulink url="http://www.fwtk.org/">FWTK</ulink>,
      <xref linkend="linux-pam"/>,
      <xref linkend="mitkrb"/>,
      an <xref linkend="server-mail"/> (that provides a
      <command>sendmail</command> command),
      <xref linkend="openldap"/>,
      <ulink url="http://sourceforge.net/projects/opie/files/">Opie</ulink> and
      <ulink url="http://www.rsa.com/node.aspx?id=1156">SecurID</ulink>
    </para>

    <para condition="html" role="usernotes">User Notes:
      <ulink url="&blfs-wiki;/sudo"/>
    </para>
  </sect2>

  <sect2 role="installation">
    <title>Installation of Sudo</title>

    <para>
      Install <application>Sudo</application> by running the following commands:
    </para>

<screen><userinput>./configure --prefix=/usr                        \
            --libexecdir=/usr/lib                \
            --docdir=/usr/share/doc/sudo-&sudo-version; \
            --with-timedir=/var/lib/sudo         \
            --with-all-insults                   \
            --with-env-editor                    \
            --with-passprompt="[BLFS sudo] password for %p"&amp;&amp;
make</userinput></screen>

    <para>
      To test the results, issue: <command>env LC_ALL=C make check</command>.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make install</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      <option>--with-timedir=/var/lib/sudo</option>: This switch places
      the variable time stamp files in a FHS compatible location.
    </para>

    <para>
      <option>--with-all-insults</option>: This switch includes all the
      <application>sudo</application> insult sets.
    </para>

    <para>
      <option>--with-env-editor</option>: This switch enables use of the
      environment variable EDITOR for <command>visudo</command>.
    </para>

    <note>
      <para>
        There are many options to <application>sudo</application>'s
        <command>configure</command> command. Check the
        <command>configure --help</command> output for a complete list.
      </para>
    </note>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring Sudo</title>

    <sect3 id="sudo-config">
      <title>Config File</title>

      <para>
        <filename>/etc/sudoers</filename>
      </para>

      <indexterm zone="sudo sudo-config">
        <primary sortas="e-etc-sudoers">/etc/sudoers</primary>
      </indexterm>

    </sect3>

    <sect3>
      <title>Configuration Information</title>

      <para>
        The <filename>sudoers</filename> file can be quite complicated.  It
        is composed of two types of entries: aliases (basically variables) and
        user specifications (which specify who may run what).  The installation
        installs a default configuration that has no privileges installed for any
        user.
     </para>

      <para>
        One example usage is to allow the system administrator to execute
        any program without typing a password each time root privileges are
        needed. This can be configured as:
      </para>

<screen># User alias specification
User_Alias  ADMIN = YourLoginId

# Allow people in group ADMIN to run all commands without a password
ADMIN       ALL = NOPASSWD: ALL</screen>

      <para>
        For details, see <command>man sudoers</command>.
      </para>

      <note>
        <para>
          The <application>Sudo</application> developers highly recommend
          using the <command>visudo</command> program to edit the
          <filename>sudoers</filename> file. This will provide basic sanity
          checking like syntax parsing and file permission to avoid some possible
          mistakes that could lead to a vulnerable configuration.
        </para>
      </note>

      <para>
        If you've built <application>Sudo</application> with
        <application>PAM</application> support, issue the following
        command as the <systemitem class="username">root</systemitem> user
        to create the <application>PAM</application> configuration file:
      </para>

<screen role="root"><userinput>cat &gt; /etc/pam.d/sudo &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/sudo

# include the default auth settings
auth      include     system-auth

# include the default account settings
account   include     system-account

# Set default environment variables for the service user
session   required    pam_env.so

# include system session defaults
session   include     system-session

# End /etc/pam.d/sudo</literal>
EOF
chmod 644 /etc/pam.d/sudo</userinput></screen>

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle> 
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>
          sudo, sudoedit (symlink), sudoreplay, and visudo
        </seg>
        <seg>
          group_file.so, sudoers.so, sudo_noexec.so, and system_group.so
        </seg>
        <seg>
          /etc/sudoers.d,
          /usr/lib/sudo,
          /usr/share/doc/sudo-&sudo-version;, and
          /var/lib/sudo
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="sudo_prog">
        <term><command>sudo</command></term>
        <listitem>
          <para>
            executes a command as another user as permitted by
            the <filename>/etc/sudoers</filename> configuration file.
          </para>
          <indexterm zone="sudo sudo">
            <primary sortas="b-sudo">sudo</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sudoedit">
        <term><command>sudoedit</command></term>
        <listitem>
          <para>
            is a symlink to <command>sudo</command> that implies the
            <option>-e</option> option to invoke an editor as another user.
          </para>
          <indexterm zone="sudo sudoedit">
            <primary sortas="b-sudoedit">sudoedit</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="visudo">
        <term><command>visudo</command></term>
        <listitem>
          <para>
            allows for safer editing of the <filename>sudoers</filename>
            file.
          </para>
          <indexterm zone="sudo visudo">
            <primary sortas="b-visudo">visudo</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sudoreplay">
        <term><command>sudoreplay</command></term>
        <listitem>
          <para>
            is used to play back or list the output
            logs created by <command>sudo</command>.
          </para>
          <indexterm zone="sudo sudoreplay">
            <primary sortas="b-sudoreplay">sudoreplay</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>