Difference between revisions of "Sudo"

From CBLFS
Jump to navigationJump to search
m (Added configing to page (visudo))
(Configuring)
Line 100: Line 100:
  
 
For more options, read the config file, and the man pages.....
 
For more options, read the config file, and the man pages.....
 +
 +
=== LDAP Configuration ===
 +
 +
If you havn't already created a OU dedicated to sudo rules now would be the time to create it:
 +
 +
ldapadd -x -D "cn=Manager,<BASE DN>" -W << EOF
 +
dn: ou=Sudoers,''<BASE DN>''
 +
objectClass: top
 +
objectClass: organizationalUnit
 +
ou: Sudoers
 +
EOF
  
 
== Content ==
 
== Content ==

Revision as of 21:35, 15 November 2008

Download Source: http://www.sudo.ws/sudo/dist/sudo-1.8.8.tar.gz

Introduction to Sudo

Sudo (su "do") allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.

Project Homepage: http://www.sudo.ws/

Dependencies

Recomended

Linux-PAM

Optional

Selinux

Configuration Information

--without-pam builds with out pam support.

Non-Multilib

Compile the package:

./configure --prefix=/usr --libexecdir=/usr/lib \
    --enable-noargs-shell --with-ignore-dot --with-all-insults \
    --enable-shell-sets-home &&
make

Install the package

make install &&
if [ -f /etc/pam.d/su ]; then
  sed "s/su$/&do/" /etc/pam.d/su > /etc/pam.d/sudo
fi

Multilib

32Bit

Compile the package:

CC="gcc ${BUILD32}" ./configure --prefix=/usr --libexecdir=/usr/lib \
    --enable-noargs-shell --with-ignore-dot --with-all-insults \
    --enable-shell-sets-home &&
make

Install the package

make install &&
if [ -f /etc/pam.d/su ]; then
  sed "s/su$/&do/" /etc/pam.d/su > /etc/pam.d/sudo
fi

N32

Compile the package:

CC="gcc ${BUILDN32}" ./configure --prefix=/usr --libdir=/usr/lib32 --libexecdir=/usr/lib \
    --enable-noargs-shell --with-ignore-dot --with-all-insults \
    --enable-shell-sets-home &&
make

Install the package

make install &&
if [ -f /etc/pam.d/su ]; then
  sed "s/su$/&do/" /etc/pam.d/su > /etc/pam.d/sudo
fi

64Bit

Compile the package:

CC="gcc ${BUILD64}" ./configure --prefix=/usr --libdir=/usr/lib64 --libexecdir=/usr/lib \
    --enable-noargs-shell --with-ignore-dot --with-all-insults \
    --enable-shell-sets-home &&
make

Install the package

make install &&
if [ -f /etc/pam.d/su ]; then
  sed "s/su$/&do/" /etc/pam.d/su > /etc/pam.d/sudo
fi


Configuring

To edit the protected sudoers config file, use "visudo"

To allow a user full root rights with out a passward, add the following to the file.

${username} ALL=(ALL) NOPASSWD:ALL

For more options, read the config file, and the man pages.....

LDAP Configuration

If you havn't already created a OU dedicated to sudo rules now would be the time to create it:

ldapadd -x -D "cn=Manager,<BASE DN>" -W << EOF
dn: ou=Sudoers,<BASE DN>
objectClass: top
objectClass: organizationalUnit
ou: Sudoers
EOF

Content

Installed Programs: sudo, sudoedit, and visudo
Installed Libraries: sudo_noexec.so
Installed Directories: None

Short Descriptions

sudo executes a command as another user as permitted by the /etc/sudoers configuration file.
sudoedit is a hard link to sudo that implies the -e option to invoke an editor as another user.
visudo allows for safer editing of the sudoers file.
sudo_noexec.so enables support for the "noexec" functionality which prevents a dynamically-linked program being run by sudo from executing another program (think shell escapes).
Retrieved from "?title=Sudo&oldid=16068"