linux-from-scratch/glfs
1
0
Fork 0
mirror of https://github.com/Zeckmathederg/glfs.git synced 2025-01-27 18:02:12 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity
a974ea9638
glfs/postlfs/security/sudo.xml
Igor Živković 709ec432f3 Update to sudo-1.8.16. 
Update to giflib-5.1.3.
Update to nasm-2.12.01.
Update to nmap-7.10.
Update to firefox-45.0.1.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@17127 af4574ff-66df-0310-9fd7-8a98e5e911e0
2016-03-18 10:56:07 +00:00

355 lines
11 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
<!ENTITY sudo-download-http "http://www.sudo.ws/dist/sudo-&sudo-version;.tar.gz">
<!ENTITY sudo-download-ftp "ftp://ftp.sudo.ws/pub/sudo/sudo-&sudo-version;.tar.gz">
<!ENTITY sudo-md5sum "a977449587dc857e129bb20555b46af4">
<!ENTITY sudo-size "2.6 MB">
<!ENTITY sudo-buildsize "34 MB (with tests)">
<!ENTITY sudo-time "0.4 SBU (with tests)">
]>
<sect1 id="sudo" xreflabel="Sudo-&sudo-version;">
<?dbhtml filename="sudo.html"?>
<sect1info>
<othername>$LastChangedBy$</othername>
<date>$Date$</date>
</sect1info>
<title>Sudo-&sudo-version;</title>
<indexterm zone="sudo">
<primary sortas="a-Sudo">Sudo</primary>
</indexterm>
<sect2 role="package">
<title>Introduction to Sudo</title>
<para>
The <application>Sudo</application> package allows a system administrator
to give certain users (or groups of users) the ability to run
some (or all) commands as
<systemitem class="username">root</systemitem> or another user while
logging the commands and arguments.
</para>
&lfs79_checked;
<bridgehead renderas="sect3">Package Information</bridgehead>
<itemizedlist spacing="compact">
<listitem>
<para>
Download (HTTP): <ulink url="&sudo-download-http;"/>
</para>
</listitem>
<listitem>
<para>
Download (FTP): <ulink url="&sudo-download-ftp;"/>
</para>
</listitem>
<listitem>
<para>
Download MD5 sum: &sudo-md5sum;
</para>
</listitem>
<listitem>
<para>
Download size: &sudo-size;
</para>
</listitem>
<listitem>
<para>
Estimated disk space required: &sudo-buildsize;
</para>
</listitem>
<listitem>
<para>
Estimated build time: &sudo-time;
</para>
</listitem>
</itemizedlist>
<bridgehead renderas="sect3">Sudo Dependencies</bridgehead>
<bridgehead renderas="sect4">Optional</bridgehead>
<para role="optional">
<xref linkend="linux-pam"/>,
<xref linkend="mitkrb"/>,
<xref linkend="openldap"/>,
<xref linkend="server-mail"/> (that provides a
<command>sendmail</command> command),
<ulink url="http://www.openafs.org/">AFS</ulink>,
<ulink url="http://www.fwtk.org/">FWTK</ulink>, and
<ulink url="http://sourceforge.net/projects/opie/files/">Opie</ulink>
<!-- <ulink url="http://www.rsa.com/node.aspx?id=1156">SecurID</ulink>-->
</para>
<para condition="html" role="usernotes">User Notes:
<ulink url="&blfs-wiki;/sudo"/>
</para>
</sect2>
<sect2 role="installation">
<title>Installation of Sudo</title>
<para>
Install <application>Sudo</application> by running the following commands:
</para>
<!-- Developer: apparently it is disabled by default, although in configure it
is written otherwise -disable-static \-->
<screen><userinput>./configure --prefix=/usr \
--libexecdir=/usr/lib \
--with-secure-path \
--with-all-insults \
--with-env-editor \
--docdir=/usr/share/doc/sudo-&sudo-version; \
--with-passprompt="[sudo] password for %p" &amp;&amp;
make</userinput></screen>
<para>
To test the results, issue: <command>env LC_ALL=C make check 2&gt;&amp;1
| tee ../make-check.log</command>. Check the results with <command>grep
failed ../make-check.log</command>.
</para>
<para>
Now, as the <systemitem class="username">root</systemitem> user:
</para>
<screen role="root"><userinput>make install &amp;&amp;
ln -sfv libsudo_util.so.0.0.0 /usr/lib/sudo/libsudo_util.so.0</userinput></screen>
</sect2>
<sect2 role="commands">
<title>Command Explanations</title>
<para>
<parameter>--libexecdir=/usr/lib</parameter>: This switch controls where
private programs are installed. Everything in that directory is a library, so
they belong under <filename class="directory">/usr/lib</filename> instead of
<filename class="directory">/usr/libexec</filename>.
</para>
<para>
<parameter>--with-secure-path</parameter>: This switch transparently adds
<filename class="directory">/sbin</filename> and <filename
class="directory">/usr/sbin</filename> directories to the
<envar>PATH</envar> environment variable.
</para>
<para>
<parameter>--with-all-insults</parameter>: This switch includes all the
<application>sudo</application> insult sets.
</para>
<para>
<parameter>--with-env-editor</parameter>: This switch enables use of the
environment variable EDITOR for <command>visudo</command>.
</para>
<para>
<parameter>--with-passprompt</parameter>: This switch sets the prompt.
</para>
<para>
<option>--without-pam</option>: Avoids building <application>PAM</application>
support when <application>PAM</application> is installed on the system.
</para>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../xincludes/static-libraries.xml"/>
<note>
<para>
There are many options to <application>sudo</application>'s
<command>configure</command> command. Check the
<command>configure --help</command> output for a complete list.
</para>
</note>
<para>
<command>ln -sfv libsudo_util...</command>: works around a bug in the
installation process, which links to the previously installed
version (if there is one) instead of the new one.
</para>
</sect2>
<sect2 role="configuration">
<title>Configuring Sudo</title>
<sect3 id="sudo-config">
<title>Config File</title>
<para>
<filename>/etc/sudoers</filename>
</para>
<indexterm zone="sudo sudo-config">
<primary sortas="e-etc-sudoers">/etc/sudoers</primary>
</indexterm>
</sect3>
<sect3>
<title>Configuration Information</title>
<para>
The <filename>sudoers</filename> file can be quite complicated. It
is composed of two types of entries: aliases (basically variables) and
user specifications (which specify who may run what). The installation
installs a default configuration that has no privileges installed for any
user.
</para>
<para>
One example usage is to allow the system administrator to execute
any program without typing a password each time root privileges are
needed. This can be configured as:
</para>
<screen># User alias specification
User_Alias ADMIN = YourLoginId
# Allow people in group ADMIN to run all commands without a password
ADMIN ALL = NOPASSWD: ALL</screen>
<para>
For details, see <command>man sudoers</command>.
</para>
<note>
<para>
The <application>Sudo</application> developers highly recommend
using the <command>visudo</command> program to edit the
<filename>sudoers</filename> file. This will provide basic sanity
checking like syntax parsing and file permission to avoid some possible
mistakes that could lead to a vulnerable configuration.
</para>
</note>
<para>
If <application>PAM</application> is installed on the system,
<application>Sudo</application> is built with
<application>PAM</application> support. In that case, issue the following
command as the <systemitem class="username">root</systemitem> user
to create the <application>PAM</application> configuration file:
</para>
<screen role="root"><userinput>cat &gt; /etc/pam.d/sudo &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/sudo
# include the default auth settings
auth include system-auth
# include the default account settings
account include system-account
# Set default environment variables for the service user
session required pam_env.so
# include system session defaults
session include system-session
# End /etc/pam.d/sudo</literal>
EOF
chmod 644 /etc/pam.d/sudo</userinput></screen>
</sect3>
</sect2>
<sect2 role="content">
<title>Contents</title>
<segmentedlist>
<segtitle>Installed Programs</segtitle>
<segtitle>Installed Libraries</segtitle>
<segtitle>Installed Directories</segtitle>
<seglistitem>
<seg>
sudo, sudoedit (symlink), sudoreplay, and visudo
</seg>
<seg>
group_file.so, libsudo_util.so,
sudoers.so, sudo_noexec.so, and system_group.so
</seg>
<seg>
/etc/sudoers.d,
/usr/lib/sudo,
/usr/share/doc/sudo-&sudo-version;, and
/var/{lib,run}/sudo
</seg>
</seglistitem>
</segmentedlist>
<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>
<?dbhtml list-presentation="table"?>
<varlistentry id="sudo_prog">
<term><command>sudo</command></term>
<listitem>
<para>
executes a command as another user as permitted by
the <filename>/etc/sudoers</filename> configuration file.
</para>
<indexterm zone="sudo sudo">
<primary sortas="b-sudo">sudo</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="sudoedit">
<term><command>sudoedit</command></term>
<listitem>
<para>
is a symlink to <command>sudo</command> that implies the
<option>-e</option> option to invoke an editor as another user.
</para>
<indexterm zone="sudo sudoedit">
<primary sortas="b-sudoedit">sudoedit</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="sudoreplay">
<term><command>sudoreplay</command></term>
<listitem>
<para>
is used to play back or list the output
logs created by <command>sudo</command>.
</para>
<indexterm zone="sudo sudoreplay">
<primary sortas="b-sudoreplay">sudoreplay</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="visudo">
<term><command>visudo</command></term>
<listitem>
<para>
allows for safer editing of the <filename>sudoers</filename>
file.
</para>
<indexterm zone="sudo visudo">
<primary sortas="b-visudo">visudo</primary>
</indexterm>
</listitem>
</varlistentry>
</variablelist>
</sect2>
</sect1>
Reference in New Issue View Git Blame Copy Permalink