Difference between revisions of "Sudo"

From CBLFS
(23 intermediate revisions by 10 users not shown)
Latest revision as of 13:10, 22 March 2009

Download Source: http://www.sudo.ws/sudo/dist/sudo-1.8.8.tar.gz

Introduction to Sudo

Sudo (su "do") allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.

Project Homepage: http://www.sudo.ws/

Dependencies

Recommended

Linux-PAM

Optional

OpenLDAP
SELinux

Configuration Information

--without-pam builds without PAM support.

Non-Multilib

Compile the package:

./configure --prefix=/usr --libexecdir=/usr/lib \
    --enable-noargs-shell --with-ignore-dot --with-all-insults \
    --enable-shell-sets-home &&
make

Install the package

make install &&
if [ -f /etc/pam.d/su ]; then
  sed "s/su$/&do/" /etc/pam.d/su > /etc/pam.d/sudo
fi

Multilib

32Bit

Compile the package:

CC="gcc ${BUILD32}" ./configure --prefix=/usr --libexecdir=/usr/lib \
    --enable-noargs-shell --with-ignore-dot --with-all-insults \
    --enable-shell-sets-home &&
make

Install the package

make install &&
if [ -f /etc/pam.d/su ]; then
  sed "s/su$/&do/" /etc/pam.d/su > /etc/pam.d/sudo
fi

N32

Compile the package:

CC="gcc ${BUILDN32}" ./configure --prefix=/usr --libdir=/usr/lib32 --libexecdir=/usr/lib \
    --enable-noargs-shell --with-ignore-dot --with-all-insults \
    --enable-shell-sets-home &&
make

Install the package

make install &&
if [ -f /etc/pam.d/su ]; then
  sed "s/su$/&do/" /etc/pam.d/su > /etc/pam.d/sudo
fi

64Bit

Compile the package:

CC="gcc ${BUILD64}" ./configure --prefix=/usr --libdir=/usr/lib64 --libexecdir=/usr/lib \
    --enable-noargs-shell --with-ignore-dot --with-all-insults \
    --enable-shell-sets-home &&
make

Install the package

make install &&
if [ -f /etc/pam.d/su ]; then
  sed "s/su$/&do/" /etc/pam.d/su > /etc/pam.d/sudo
fi

Configuring

To edit the protected sudoers configuration file, use visudo, which locks the file and checks its syntax before saving.

To allow a user full root rights without a password, add the following line to the file:

${username} ALL=(ALL) NOPASSWD:ALL

For more options, read the comments in the configuration file and the sudoers(5) and sudo(8) man pages.

LDAP Configuration

Storing sudo rules in LDAP is an alternative to /etc/sudoers; you can use both at the same time.

For sudo to look up rules in LDAP, add an entry to /etc/nsswitch.conf:

cat >> /etc/nsswitch.conf << "EOF"
# Begin Sudo Additions to /etc/nsswitch.conf

sudoers: files ldap

# End Sudo Additions to /etc/nsswitch.conf
EOF

If you haven't already created an OU dedicated to sudo rules, create it now:

ldapadd -x -D "cn=Manager,<BASE DN>" -W << EOF
dn: ou=Sudoers,<BASE DN>
objectClass: top
objectClass: organizationalUnit
ou: Sudoers
EOF

If you haven't already created /etc/ldap.conf from the nss_ldap page, create it now, then append the following line for sudo:

cat >> /etc/ldap.conf << "EOF"
# Sudo Section
sudoers_base       ou=Sudoers,<BASE DN>
EOF

This is an example sudoRole entry in the LDAP directory:

cat > temp.ldif << "EOF"
dn: cn=<username>+sudoCommand=ALL+sudoHost=<hostname>/ALL+sudoRunAs=root,ou=Sudoers,<BASE DN>
sudoHost: <hostname>/ALL
sudoCommand: ALL
objectClass: sudoRole
objectClass: top
sudoUser: <username>
sudoRunAs: root
cn: <username>
EOF

Then import it into the directory:

ldapadd -f temp.ldif -x -D "cn=Manager,<BASE DN>" -W
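The sudoers line in the Configuring section and the sudoRole entry above both grant one user every command on every host as root. The following audit script is an added example, not part of the CBLFS page or the sudo project: it parses both sources and lists such unrestricted grants so they can be reviewed. The sample sudoers text, the LDIF records and the dc=example,dc=org base DN are constructed, and the LDIF parser assumes no continuation lines or base64 values.

```python
import re

# Constructed samples modelled on the page's own entries, not taken from a real host.
SUDOERS_SAMPLE = """\
alice  ALL=(ALL) NOPASSWD:ALL   # the page's "full root rights" line
bob    ALL=(root) /usr/sbin/service httpd restart
"""
LDIF_SAMPLE = """\
dn: cn=carol+sudoCommand=ALL+sudoHost=ALL+sudoRunAs=root,ou=Sudoers,dc=example,dc=org
sudoUser: carol
sudoHost: ALL
sudoCommand: ALL
sudoRunAs: root

dn: cn=backup,ou=Sudoers,dc=example,dc=org
sudoUser: %backup
sudoHost: web01
sudoCommand: /usr/bin/rsync
sudoRunAs: root
"""
# sudoers user spec:  user  host=(runas) [TAG:...] command[, command...]
SPEC = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\))?\s*((?:[A-Z]+:\s*)*)(.+)$")
def parse_sudoers(text):
    """One grant dict per user-spec line; Defaults, comments and blank lines are skipped."""
    grants = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = SPEC.match(line)
        if m and not line.startswith("Defaults"):
            user, host, runas, tags, cmds = m.groups()
            grants.append({"user": user, "hosts": [host], "runas": [runas or "root"],
                           "cmds": [c.strip() for c in cmds.split(",")], "nopasswd": "NOPASSWD:" in tags})
    return grants
def parse_sudo_ldif(text):
    """sudoRole records from simple LDIF (assumes no continuation lines or base64 values)."""
    grants, rec = [], {}
    for line in text.splitlines() + [""]:          # the trailing "" flushes the last record
        if line.strip():
            attr, _, value = line.partition(":")
            rec.setdefault(attr.strip(), []).append(value.strip())
            continue
        if rec.get("sudoUser"):                    # a blank line ends a record
            grants.append({"user": rec["sudoUser"][0], "hosts": rec.get("sudoHost", []),
                           "runas": rec.get("sudoRunAs", ["root"]), "cmds": rec.get("sudoCommand", [])})
        rec = {}
    return grants
def unrestricted(grants):
    """Users allowed ALL commands on ALL hosts as root (or as any user): review these first."""
    return [g["user"] for g in grants if "ALL" in g["hosts"] and "ALL" in g["cmds"]
            and any(r in ("ALL", "root") for r in g["runas"])]
```

Run it over the real /etc/sudoers and an ldapsearch dump of ou=Sudoers to get the list of accounts whose grants deserve narrowing to specific commands or hosts.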

Content

Installed Programs: sudo, sudoedit, and visudo
Installed Libraries: sudo_noexec.so
Installed Directories: None

Short Descriptions

sudo: executes a command as another user as permitted by the /etc/sudoers configuration file.
sudoedit: is a hard link to sudo that implies the -e option to invoke an editor as another user.
visudo: allows for safer editing of the sudoers file.
sudo_noexec.so: enables support for the "noexec" functionality, which prevents a dynamically-linked program being run by sudo from executing another program (think shell escapes).