mirror of
https://github.com/Zeckmathederg/glfs.git
synced 2025-01-27 09:42:12 +08:00
25f5fe06b8
git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@7669 af4574ff-66df-0310-9fd7-8a98e5e911e0
276 lines
9.4 KiB
XML
276 lines
9.4 KiB
XML
<?xml version="1.0" encoding="ISO-8859-1"?>
|
|
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
|
<!ENTITY % general-entities SYSTEM "../../general.ent">
|
|
%general-entities;
|
|
|
|
<!ENTITY sudo-download-http "http://www.sudo.ws/sudo/dist/sudo-&sudo-version;.tar.gz">
|
|
<!ENTITY sudo-download-ftp "ftp://ftp.twaren.net/Unix/Security/Sudo/sudo-&sudo-version;.tar.gz">
|
|
<!ENTITY sudo-md5sum "5fd96bba35fe29b464f7aa6ad255f0a6">
|
|
<!ENTITY sudo-size "732 KB">
|
|
<!ENTITY sudo-buildsize "4.4 MB">
|
|
<!ENTITY sudo-time "0.1 SBU">
|
|
]>
|
|
|
|
<sect1 id="sudo" xreflabel="sudo-&sudo-version;">
|
|
<?dbhtml filename="sudo.html"?>
|
|
|
|
<sect1info>
|
|
<othername>$LastChangedBy$</othername>
|
|
<date>$Date$</date>
|
|
</sect1info>
|
|
|
|
<title>Sudo-&sudo-version;</title>
|
|
|
|
<indexterm zone="sudo">
|
|
<primary sortas="a-sudo">sudo</primary>
|
|
</indexterm>
|
|
|
|
<sect2 role="package">
|
|
<title>Introduction to Sudo</title>
|
|
|
|
<para>The <application>sudo</application> package allows a system
|
|
administrator to give certain users (or groups of users) the ability to run
|
|
some (or all) commands as
|
|
<systemitem class="username">root</systemitem> or another user while
|
|
logging the commands and arguments.</para>
|
|
|
|
<bridgehead renderas="sect3">Package Information</bridgehead>
|
|
<itemizedlist spacing="compact">
|
|
<listitem>
|
|
<para>Download (HTTP): <ulink url="&sudo-download-http;"/></para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Download (FTP): <ulink url="&sudo-download-ftp;"/></para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Download MD5 sum: &sudo-md5sum;</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Download size: &sudo-size;</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Estimated disk space required: &sudo-buildsize;</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Estimated build time: &sudo-time;</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<!-- <bridgehead renderas="sect3">Additional Downloads</bridgehead>
|
|
<itemizedlist spacing='compact'>
|
|
<listitem>
|
|
<para>Required patch: <ulink
|
|
url="&patch-root;/sudo-&sudo-version;-envvar_fix-1.patch"/></para>
|
|
</listitem>
|
|
</itemizedlist> -->
|
|
|
|
|
|
<bridgehead renderas="sect3">Sudo Dependencies</bridgehead>
|
|
|
|
<bridgehead renderas="sect4">Optional</bridgehead>
|
|
<para role="optional"><xref linkend="linux-pam"/>,
|
|
<ulink url="ftp://ftp.nrl.navy.mil/pub/security/opie">Opie</ulink>,
|
|
<ulink url="http://www.rsa.com/node.aspx?id=1156">SecurID</ulink>,
|
|
<ulink url="http://www.fwtk.org/">FWTK</ulink>,
|
|
an <xref linkend="server-mail"/> (that provides a
|
|
<command>sendmail</command> command),
|
|
<ulink url="http://www.pdc.kth.se/kth-krb/">krb4</ulink>,
|
|
<xref linkend="heimdal"/> or <xref linkend="mitkrb"/>,
|
|
<xref linkend="openldap"/>, and
|
|
<ulink url="http://www.openafs.org/">AFS</ulink></para>
|
|
|
|
<para condition="html" role="usernotes">User Notes:
|
|
<ulink url="&blfs-wiki;/sudo"/></para>
|
|
|
|
</sect2>
|
|
|
|
<sect2 role="installation">
|
|
<title>Installation of Sudo</title>
|
|
|
|
<para>Install <application>sudo</application> by running
|
|
the following commands:</para>
|
|
|
|
<!-- <screen><userinput>patch -Np1 -i ../sudo-&sudo-version;-envvar_fix-1.patch &&
|
|
-->
|
|
<screen><userinput>./configure --prefix=/usr --libexecdir=/usr/lib \
|
|
--with-ignore-dot --with-all-insults \
|
|
--enable-shell-sets-home --disable-root-sudo \
|
|
--with-logfac=auth --without-pam --without-sendmail &&
|
|
make</userinput></screen>
|
|
|
|
<para>This package does not come with a test suite.</para>
|
|
|
|
<para>Now, as the <systemitem class="username">root</systemitem> user:</para>
|
|
|
|
<screen role="root"><userinput>make install</userinput></screen>
|
|
|
|
</sect2>
|
|
|
|
<sect2 role="commands">
|
|
<title>Command Explanations</title>
|
|
|
|
<para><option>--with-ignore-dot</option>: This switch causes
|
|
<application>sudo</application> to ignore '.' in the PATH.</para>
|
|
|
|
<para><option>--with-all-insults</option>: This switch includes all the
|
|
<application>sudo</application> insult sets.</para>
|
|
|
|
<para><option>--enable-shell-sets-home</option>: This switch sets HOME to
|
|
the target user in shell mode.</para>
|
|
|
|
<para><option>--disable-root-sudo</option>: This switch keeps the
|
|
<systemitem class="username">root</systemitem> user from running sudo,
|
|
preventing users from chaining commands to get a root shell.</para>
|
|
|
|
<para><option>--with-logfac=auth</option>: This switch forces use of the
|
|
auth facility for logging.</para>
|
|
|
|
<para><option>--without-pam</option>: This switch disables the use of
|
|
<application>PAM</application> authentication. Omit if you have
|
|
<application>PAM</application> installed.</para>
|
|
|
|
<para><option>--without-sendmail</option>: This switch disables the use of
|
|
sendmail. Remove if you have a sendmail compatible MTA.</para>
|
|
|
|
<para><option>--enable-noargs-shell</option>: This switch allows
|
|
<application>sudo</application> to run a shell if invoked with no
|
|
arguments.</para>
|
|
|
|
<note>
|
|
<para>There are many options to <application>sudo</application>'s
|
|
<command>configure</command> command. Check the
|
|
<command>configure --help</command> output for a complete list.</para>
|
|
</note>
|
|
|
|
</sect2>
|
|
|
|
<sect2 role="configuration">
|
|
<title>Configuring Sudo</title>
|
|
|
|
<sect3 id="sudo-config">
|
|
<title>Config File</title>
|
|
|
|
<para><filename>/etc/sudoers</filename></para>
|
|
|
|
<indexterm zone="sudo sudo-config">
|
|
<primary sortas="e-etc-sudoers">/etc/sudoers</primary>
|
|
</indexterm>
|
|
|
|
</sect3>
|
|
|
|
<sect3>
|
|
<title>Configuration Information</title>
|
|
|
|
<para>The <filename>sudoers</filename> file can be quite complicated. It
|
|
is composed of two types of entries: aliases (basically variables) and
|
|
user specifications (which specify who may run what). The installation
|
|
installs a default configuration that has no privileges installed for any
|
|
user.</para>
|
|
|
|
<para>One example usage is to allow the system administrator to execute
|
|
any program without typing a password each time root privileges are
|
|
needed. This can be configured as:</para>
|
|
|
|
<screen># User alias specification
|
|
User_Alias ADMIN = YourLoginId
|
|
|
|
# Allow people in group ADMIN to run all commands without a password
|
|
ADMIN ALL = NOPASSWD: ALL</screen>
|
|
|
|
<para>For details, see <command>man sudoers</command>.</para>
|
|
|
|
<note>
|
|
<para>The <application>Sudo</application> developers highly recommend
|
|
using the <command>visudo</command> program to edit the
|
|
<filename>sudoers</filename> file. This will provide basic sanity
|
|
checking like syntax parsing and file permission to avoid some possible
|
|
mistakes that could lead to a vulnerable configuration.</para>
|
|
</note>
|
|
|
|
<para>If you've built <application>Sudo</application> with
|
|
<application>PAM</application> support, issue the following
|
|
command as the <systemitem class="username">root</systemitem> user
|
|
to create the <application>PAM</application> configuration file:</para>
|
|
|
|
<screen role="root"><userinput>sed -e 's@/su@/sudo@' -e '/pam_rootok/d' \
|
|
/etc/pam.d/su > /etc/pam.d/sudo</userinput></screen>
|
|
|
|
</sect3>
|
|
|
|
</sect2>
|
|
|
|
<sect2 role="content">
|
|
<title>Contents</title>
|
|
|
|
<segmentedlist>
|
|
<segtitle>Installed Programs</segtitle>
|
|
<segtitle>Installed Library</segtitle>
|
|
<segtitle>Installed Directories</segtitle>
|
|
|
|
<seglistitem>
|
|
<seg>sudo, sudoedit, and visudo</seg>
|
|
<seg>sudo_noexec.so</seg>
|
|
<seg>None</seg>
|
|
</seglistitem>
|
|
</segmentedlist>
|
|
|
|
<variablelist>
|
|
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
|
|
<?dbfo list-presentation="list"?>
|
|
<?dbhtml list-presentation="table"?>
|
|
|
|
<varlistentry id="sudo_prog">
|
|
<term><command>sudo</command></term>
|
|
<listitem>
|
|
<para>executes a command as another user as permitted by
|
|
the <filename>/etc/sudoers</filename> configuration file.
|
|
</para>
|
|
<indexterm zone="sudo sudo">
|
|
<primary sortas="b-sudo">sudo</primary>
|
|
</indexterm>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry id="sudoedit">
|
|
<term><command>sudoedit</command></term>
|
|
<listitem>
|
|
<para>is a hard link to <command>sudo</command> that implies
|
|
the <option>-e</option> option to invoke an editor as another
|
|
user.</para>
|
|
<indexterm zone="sudo sudoedit">
|
|
<primary sortas="b-sudoedit">sudoedit</primary>
|
|
</indexterm>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry id="visudo">
|
|
<term><command>visudo</command></term>
|
|
<listitem>
|
|
<para>allows for safer editing of the <filename>sudoers</filename>
|
|
file.</para>
|
|
<indexterm zone="sudo visudo">
|
|
<primary sortas="b-visudo">visudo</primary>
|
|
</indexterm>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
|
|
<varlistentry id="sudo_noexec">
|
|
<term><filename class='libraryfile'>sudo_noexec.so</filename></term>
|
|
<listitem>
|
|
<para>enables support for the "noexec" functionality which prevents
|
|
a dynamically-linked program being run by sudo from executing
|
|
another program (think shell escapes).</para>
|
|
<indexterm zone="sudo sudo_noexec">
|
|
<primary sortas="c-sudo_noexec">sudo_noexec.so</primary>
|
|
</indexterm>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
</variablelist>
|
|
|
|
</sect2>
|
|
|
|
</sect1>
|