Difference between revisions of "Sudo"
From CBLFS
Jump to navigationJump to search (→Dependencies) |
(→Configuring) |
||
| (13 intermediate revisions by 5 users not shown) | |||
| Line 2: | Line 2: | ||
|- | |- | ||
!Download Source: | !Download Source: | ||
| − | | http://www. | + | | http://www.sudo.ws/sudo/dist/sudo-{{Sudo-Version}}.tar.gz |
|} | |} | ||
---- | ---- | ||
| − | {{ | + | {{Package-Introduction|Sudo (su "do") allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.|http://www.sudo.ws/}} |
== Dependencies == | == Dependencies == | ||
| − | [[Linux-PAM]] | + | |
| + | ===Recomended=== | ||
| + | * [[Linux-PAM]] | ||
| + | |||
| + | ===Optional=== | ||
| + | * [[OpenLDAP]] | ||
| + | * [[SELinux]] | ||
| + | |||
| + | == Configuration Information == | ||
| + | |||
| + | {|style="text-align: left" | ||
| + | |<i>--without-pam</i> builds with out pam support. | ||
| + | |} | ||
== Non-Multilib == | == Non-Multilib == | ||
| Line 77: | Line 89: | ||
sed "s/su$/&do/" /etc/pam.d/su > /etc/pam.d/sudo | sed "s/su$/&do/" /etc/pam.d/su > /etc/pam.d/sudo | ||
fi | fi | ||
| + | |||
| + | == Configuring == | ||
| + | |||
| + | To edit the protected sudoers config file, use "visudo" | ||
| + | |||
| + | To allow a user full root rights with out a passward, add the following to the file. | ||
| + | |||
| + | ${username} ALL=(ALL) NOPASSWD:ALL | ||
| + | |||
| + | For more options, read the config file, and the man pages..... | ||
| + | |||
| + | === LDAP Configuration === | ||
| + | |||
| + | This is an alternative to /etc/sudoers. You can use both at the same time. | ||
| + | |||
| + | In order for Sudo to look in ldap we need to put an entry in nsswitch.conf: | ||
| + | |||
| + | cat >> /etc/nsswitch.conf << "EOF" | ||
| + | # Begin Sudo Additions to /etc/nsswitch.conf | ||
| + | |||
| + | sudoers: files ldap | ||
| + | |||
| + | # End Sudo Additions to /etc/nsswitch.conf | ||
| + | EOF | ||
| + | |||
| + | If you havn't already created a OU dedicated to sudo rules now would be the time to create it: | ||
| + | |||
| + | ldapadd -x -D "cn=Manager,'''''<BASE DN>'''''" -W << EOF | ||
| + | dn: ou=Sudoers,'''''<BASE DN>''''' | ||
| + | objectClass: top | ||
| + | objectClass: organizationalUnit | ||
| + | ou: Sudoers | ||
| + | EOF | ||
| + | |||
| + | If you havn't already created /etc/ldap.conf from the [[nss_ldap]] page create it now then append the following line for Sudo: | ||
| + | |||
| + | cat >> /etc/ldap.conf << "EOF" | ||
| + | # Sudo Section | ||
| + | sudoers_base ou=Sudoers,'''''<BASE DN>''''' | ||
| + | EOF | ||
| + | |||
| + | This is an example entry in the ldap directory: | ||
| + | |||
| + | cat > temp.ldif << "EOF" | ||
| + | dn: cn='''''<username>'''''+sudoCommand=ALL+sudoHost='''''<hostname>/ALL'''''+sudoRunAs=root,ou=Sudoers,'''''<BASE DN>''''' | ||
| + | sudoHost: '''''<hostname>/ALL''''' | ||
| + | sudoCommand: ALL | ||
| + | objectClass: sudoRole | ||
| + | objectClass: top | ||
| + | sudoUser: '''''<username>''''' | ||
| + | sudoRunAs: root | ||
| + | cn: '''''<username>''''' | ||
| + | EOF | ||
| + | |||
| + | Then import it into the directory: | ||
| + | |||
| + | ldapadd -f temp.ldif -x -D "cn=Manager,'''''<BASE DN>'''''" -W | ||
== Content == | == Content == | ||
| Line 107: | Line 176: | ||
| enables support for the "noexec" functionality which prevents a dynamically-linked program being run by sudo from executing another program (think shell escapes). | | enables support for the "noexec" functionality which prevents a dynamically-linked program being run by sudo from executing another program (think shell escapes). | ||
|} | |} | ||
| + | |||
| + | [[Category:Security]] | ||
Latest revision as of 13:10, 22 March 2009
| Download Source: | http://www.sudo.ws/sudo/dist/sudo-1.8.8.tar.gz |
|---|
Contents
Introduction to Sudo
Sudo (su "do") allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.
Project Homepage: http://www.sudo.ws/
Dependencies
Recomended
Optional
Configuration Information
| --without-pam builds with out pam support. |
Non-Multilib
Compile the package:
./configure --prefix=/usr --libexecdir=/usr/lib \
--enable-noargs-shell --with-ignore-dot --with-all-insults \
--enable-shell-sets-home &&
make
Install the package
make install && if [ -f /etc/pam.d/su ]; then sed "s/su$/&do/" /etc/pam.d/su > /etc/pam.d/sudo fi
Multilib
32Bit
Compile the package:
CC="gcc ${BUILD32}" ./configure --prefix=/usr --libexecdir=/usr/lib \
--enable-noargs-shell --with-ignore-dot --with-all-insults \
--enable-shell-sets-home &&
make
Install the package
make install && if [ -f /etc/pam.d/su ]; then sed "s/su$/&do/" /etc/pam.d/su > /etc/pam.d/sudo fi
N32
Compile the package:
CC="gcc ${BUILDN32}" ./configure --prefix=/usr --libdir=/usr/lib32 --libexecdir=/usr/lib \
--enable-noargs-shell --with-ignore-dot --with-all-insults \
--enable-shell-sets-home &&
make
Install the package
make install && if [ -f /etc/pam.d/su ]; then sed "s/su$/&do/" /etc/pam.d/su > /etc/pam.d/sudo fi
64Bit
Compile the package:
CC="gcc ${BUILD64}" ./configure --prefix=/usr --libdir=/usr/lib64 --libexecdir=/usr/lib \
--enable-noargs-shell --with-ignore-dot --with-all-insults \
--enable-shell-sets-home &&
make
Install the package
make install && if [ -f /etc/pam.d/su ]; then sed "s/su$/&do/" /etc/pam.d/su > /etc/pam.d/sudo fi
Configuring
To edit the protected sudoers config file, use "visudo"
To allow a user full root rights with out a passward, add the following to the file.
${username} ALL=(ALL) NOPASSWD:ALL
For more options, read the config file, and the man pages.....
LDAP Configuration
This is an alternative to /etc/sudoers. You can use both at the same time.
In order for Sudo to look in ldap we need to put an entry in nsswitch.conf:
cat >> /etc/nsswitch.conf << "EOF" # Begin Sudo Additions to /etc/nsswitch.conf sudoers: files ldap # End Sudo Additions to /etc/nsswitch.conf EOF
If you havn't already created a OU dedicated to sudo rules now would be the time to create it:
ldapadd -x -D "cn=Manager,<BASE DN>" -W << EOF dn: ou=Sudoers,<BASE DN> objectClass: top objectClass: organizationalUnit ou: Sudoers EOF
If you havn't already created /etc/ldap.conf from the nss_ldap page create it now then append the following line for Sudo:
cat >> /etc/ldap.conf << "EOF" # Sudo Section sudoers_base ou=Sudoers,<BASE DN> EOF
This is an example entry in the ldap directory:
cat > temp.ldif << "EOF" dn: cn=<username>+sudoCommand=ALL+sudoHost=<hostname>/ALL+sudoRunAs=root,ou=Sudoers,<BASE DN> sudoHost: <hostname>/ALL sudoCommand: ALL objectClass: sudoRole objectClass: top sudoUser: <username> sudoRunAs: root cn: <username> EOF
Then import it into the directory:
ldapadd -f temp.ldif -x -D "cn=Manager,<BASE DN>" -W
Content
| Installed Programs: | sudo, sudoedit, and visudo |
|---|---|
| Installed Libraries: | sudo_noexec.so |
| Installed Directories: | None |
Short Descriptions
| sudo | executes a command as another user as permitted by the /etc/sudoers configuration file. |
|---|---|
| sudoedit | is a hard link to sudo that implies the -e option to invoke an editor as another user. |
| visudo | allows for safer editing of the sudoers file. |
| sudo_noexec.so | enables support for the "noexec" functionality which prevents a dynamically-linked program being run by sudo from executing another program (think shell escapes). |
