mirror of
https://github.com/Zeckmathederg/glfs.git
synced 2025-01-29 10:52:14 +08:00
0d7900a67c
git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@11015 af4574ff-66df-0310-9fd7-8a98e5e911e0
350 lines
10 KiB
XML
350 lines
10 KiB
XML
<?xml version="1.0" encoding="ISO-8859-1"?>
|
|
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
|
<!ENTITY % general-entities SYSTEM "../../general.ent">
|
|
%general-entities;
|
|
|
|
<!ENTITY sudo-download-http "http://www.sudo.ws/sudo/dist/sudo-&sudo-version;.tar.gz">
|
|
<!ENTITY sudo-download-ftp "ftp://ftp.twaren.net/Unix/Security/Sudo/sudo-&sudo-version;.tar.gz">
|
|
<!ENTITY sudo-md5sum "a7b5c39a904721956eccddd30689250f">
|
|
<!ENTITY sudo-size "1.8 MB">
|
|
<!ENTITY sudo-buildsize "19 MB">
|
|
<!ENTITY sudo-time "0.2 SBU">
|
|
]>
|
|
|
|
<sect1 id="sudo" xreflabel="Sudo-&sudo-version;">
|
|
<?dbhtml filename="sudo.html"?>
|
|
|
|
<sect1info>
|
|
<othername>$LastChangedBy$</othername>
|
|
<date>$Date$</date>
|
|
</sect1info>
|
|
|
|
<title>Sudo-&sudo-version;</title>
|
|
|
|
<indexterm zone="sudo">
|
|
<primary sortas="a-Sudo">Sudo</primary>
|
|
</indexterm>
|
|
|
|
<sect2 role="package">
|
|
<title>Introduction to Sudo</title>
|
|
|
|
<para>
|
|
The <application>Sudo</application> package allows a system administrator
|
|
to give certain users (or groups of users) the ability to run
|
|
some (or all) commands as
|
|
<systemitem class="username">root</systemitem> or another user while
|
|
logging the commands and arguments.
|
|
</para>
|
|
|
|
&lfs72_checked;
|
|
|
|
<bridgehead renderas="sect3">Package Information</bridgehead>
|
|
<itemizedlist spacing="compact">
|
|
<listitem>
|
|
<para>
|
|
Download (HTTP): <ulink url="&sudo-download-http;"/>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Download (FTP): <ulink url="&sudo-download-ftp;"/>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Download MD5 sum: &sudo-md5sum;
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Download size: &sudo-size;
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Estimated disk space required: &sudo-buildsize;
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Estimated build time: &sudo-time;
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<bridgehead renderas="sect3">Sudo Dependencies</bridgehead>
|
|
|
|
<bridgehead renderas="sect4">Optional</bridgehead>
|
|
<para role="optional">
|
|
<ulink url="http://www.openafs.org/">AFS</ulink>,
|
|
<ulink url="http://www.fwtk.org/">FWTK</ulink>,
|
|
<xref linkend="linux-pam"/>,
|
|
<xref linkend="mitkrb"/>,
|
|
an <xref linkend="server-mail"/> (that provides a
|
|
<command>sendmail</command> command),
|
|
<xref linkend="openldap"/>,
|
|
<ulink url="ftp://ftp.nrl.navy.mil/pub/security/opie">Opie</ulink> and
|
|
<ulink url="http://www.rsa.com/node.aspx?id=1156">SecurID</ulink>
|
|
</para>
|
|
|
|
<para condition="html" role="usernotes">User Notes:
|
|
<ulink url="&blfs-wiki;/sudo"/>
|
|
</para>
|
|
</sect2>
|
|
|
|
<sect2 role="installation">
|
|
<title>Installation of Sudo</title>
|
|
|
|
<para>
|
|
Install <application>Sudo</application> by running
|
|
the following commands:
|
|
</para>
|
|
|
|
<screen><userinput>./configure --prefix=/usr \
|
|
--libexecdir=/usr/lib/sudo \
|
|
--docdir=/usr/share/doc/sudo-&sudo-version; \
|
|
--with-all-insults \
|
|
--with-env-editor \
|
|
--without-pam \
|
|
--without-sendmail &&
|
|
make</userinput></screen>
|
|
|
|
<para>
|
|
This package does not come with a test suite.
|
|
</para>
|
|
|
|
<para>
|
|
Now, as the <systemitem class="username">root</systemitem> user:
|
|
</para>
|
|
|
|
<screen role="root"><userinput>make install</userinput></screen>
|
|
|
|
</sect2>
|
|
|
|
<sect2 role="commands">
|
|
<title>Command Explanations</title>
|
|
|
|
<para>
|
|
<option>--with-all-insults</option>: This switch includes all the
|
|
<application>sudo</application> insult sets.
|
|
</para>
|
|
|
|
<para>
|
|
<option>--with-env-editor</option>: This switch enables use of the
|
|
environment variable EDITOR for <command>visudo</command>.
|
|
</para>
|
|
|
|
<para>
|
|
<option>--without-pam</option>: This switch disables the use of
|
|
<application>PAM</application> authentication. Omit if you have
|
|
<application>Linux PAM</application> installed.
|
|
</para>
|
|
|
|
<para>
|
|
<option>--without-sendmail</option>: This switch disables the use of
|
|
sendmail. Remove if you have a sendmail compatible MTA.
|
|
</para>
|
|
|
|
<note>
|
|
<para>
|
|
There are many options to <application>sudo</application>'s
|
|
<command>configure</command> command. Check the
|
|
<command>configure --help</command> output for a complete list.
|
|
</para>
|
|
</note>
|
|
|
|
</sect2>
|
|
|
|
<sect2 role="configuration">
|
|
<title>Configuring Sudo</title>
|
|
|
|
<sect3 id="sudo-config">
|
|
<title>Config File</title>
|
|
|
|
<para><filename>/etc/sudoers</filename></para>
|
|
|
|
<indexterm zone="sudo sudo-config">
|
|
<primary sortas="e-etc-sudoers">/etc/sudoers</primary>
|
|
</indexterm>
|
|
|
|
</sect3>
|
|
|
|
<sect3>
|
|
<title>Configuration Information</title>
|
|
|
|
<para>
|
|
The <filename>sudoers</filename> file can be quite complicated. It
|
|
is composed of two types of entries: aliases (basically variables) and
|
|
user specifications (which specify who may run what). The installation
|
|
installs a default configuration that has no privileges installed for any
|
|
user.
|
|
</para>
|
|
|
|
<para>
|
|
One example usage is to allow the system administrator to execute
|
|
any program without typing a password each time root privileges are
|
|
needed. This can be configured as:
|
|
</para>
|
|
|
|
<screen># User alias specification
|
|
User_Alias ADMIN = YourLoginId
|
|
|
|
# Allow people in group ADMIN to run all commands without a password
|
|
ADMIN ALL = NOPASSWD: ALL</screen>
|
|
|
|
<para>
|
|
For details, see <command>man sudoers</command>.
|
|
</para>
|
|
|
|
<note>
|
|
<para>
|
|
The <application>Sudo</application> developers highly recommend
|
|
using the <command>visudo</command> program to edit the
|
|
<filename>sudoers</filename> file. This will provide basic sanity
|
|
checking like syntax parsing and file permission to avoid some possible
|
|
mistakes that could lead to a vulnerable configuration.
|
|
</para>
|
|
</note>
|
|
|
|
<para>
|
|
If you've built <application>Sudo</application> with
|
|
<application>PAM</application> support, issue the following
|
|
command as the <systemitem class="username">root</systemitem> user
|
|
to create the <application>PAM</application> configuration file:
|
|
</para>
|
|
|
|
<screen role="root"><userinput>cat > /etc/pam.d/sudo << "EOF" &&
|
|
# Begin /etc/pam.d/sudo
|
|
|
|
# include the default auth settings
|
|
auth include system-auth
|
|
|
|
# include the default account settings
|
|
account include system-account
|
|
|
|
# Set default environment variables for the service user
|
|
session required pam_env.so
|
|
|
|
# include system session defaults
|
|
session include system-session
|
|
|
|
# End /etc/pam.d/sudo
|
|
EOF
|
|
chmod 644 /etc/pam.d/sudo</userinput></screen>
|
|
|
|
</sect3>
|
|
|
|
</sect2>
|
|
|
|
<sect2 role="content">
|
|
<title>Contents</title>
|
|
|
|
<segmentedlist>
|
|
<segtitle>Installed Programs</segtitle>
|
|
<segtitle>Installed Libraries</segtitle>
|
|
<segtitle>Installed Directories</segtitle>
|
|
|
|
<seglistitem>
|
|
<seg>
|
|
sudo, sudoedit, sudoreplay and visudo
|
|
</seg>
|
|
<seg>
|
|
sudoers.so and sudo_noexec.so
|
|
</seg>
|
|
<seg>
|
|
/usr/lib/sudo and
|
|
/usr/share/doc/sudo-&sudo-version;
|
|
</seg>
|
|
</seglistitem>
|
|
</segmentedlist>
|
|
|
|
<variablelist>
|
|
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
|
|
<?dbfo list-presentation="list"?>
|
|
<?dbhtml list-presentation="table"?>
|
|
|
|
<varlistentry id="sudo_prog">
|
|
<term><command>sudo</command></term>
|
|
<listitem>
|
|
<para>
|
|
executes a command as another user as permitted by
|
|
the <filename>/etc/sudoers</filename> configuration file.
|
|
</para>
|
|
<indexterm zone="sudo sudo">
|
|
<primary sortas="b-sudo">sudo</primary>
|
|
</indexterm>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry id="sudoedit">
|
|
<term><command>sudoedit</command></term>
|
|
<listitem>
|
|
<para>
|
|
is a hard link to <command>sudo</command> that implies the
|
|
<option>-e</option> option to invoke an editor as another user.
|
|
</para>
|
|
<indexterm zone="sudo sudoedit">
|
|
<primary sortas="b-sudoedit">sudoedit</primary>
|
|
</indexterm>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry id="visudo">
|
|
<term><command>visudo</command></term>
|
|
<listitem>
|
|
<para>
|
|
allows for safer editing of the <filename>sudoers</filename>
|
|
file.
|
|
</para>
|
|
<indexterm zone="sudo visudo">
|
|
<primary sortas="b-visudo">visudo</primary>
|
|
</indexterm>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry id="sudoreplay">
|
|
<term><command>sudoreplay</command></term>
|
|
<listitem>
|
|
<para>
|
|
is used to play back or list the output
|
|
logs created by <command>sudo</command>.
|
|
</para>
|
|
<indexterm zone="sudo sudoreplay">
|
|
<primary sortas="b-sudoreplay">sudoreplay</primary>
|
|
</indexterm>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry id="sudoers">
|
|
<term><filename class='libraryfile'>sudoers.so</filename></term>
|
|
<listitem>
|
|
<para>
|
|
is default sudo security policy module.
|
|
</para>
|
|
<indexterm zone="sudo sudoers">
|
|
<primary sortas="c-sudoers">sudoers.so</primary>
|
|
</indexterm>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry id="sudo_noexec">
|
|
<term><filename class='libraryfile'>sudo_noexec.so</filename></term>
|
|
<listitem>
|
|
<para>
|
|
enables support for the "noexec" functionality which prevents
|
|
a dynamically-linked program being run by sudo from executing
|
|
another program (think shell escapes).
|
|
</para>
|
|
<indexterm zone="sudo sudo_noexec">
|
|
<primary sortas="c-sudo_noexec">sudo_noexec.so</primary>
|
|
</indexterm>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
</variablelist>
|
|
|
|
</sect2>
|
|
|
|
</sect1>
|