Beyond Linux® From Scratch - Version 2013-05-24

Chapter 4. Security

Sudo-1.8.6p3

Introduction to Sudo

The Sudo package allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while logging the commands and arguments.

This package is known to build and work properly using an LFS-7.3 platform.

Package Information

Sudo Dependencies

Optional

AFS, FWTK, Linux-PAM-1.1.6, MIT Kerberos V5-1.11.2, an MTA (that provides a sendmail command), OpenLDAP-2.4.35, Opie and SecurID

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/sudo

Installation of Sudo

Install Sudo by running the following commands: 

./configure --prefix=/usr                   \
            --libexecdir=/usr/lib/sudo      \
            --docdir=/usr/share/doc/sudo-1.8.6p3 \
            --with-all-insults              \
            --with-env-editor               \
            --without-pam                   \
            --without-sendmail &&
make

This package does not come with a test suite.

Now, as the root user: 

make install

Command Explanations

--with-all-insults: This switch includes all the sudo insult sets.

--with-env-editor: This switch enables use of the environment variable EDITOR for visudo.

--without-pam: This switch disables the use of PAM authentication. Omit if you have Linux PAM installed.

--without-sendmail: This switch disables the use of sendmail. Remove if you have a sendmail compatible MTA.

[Note]

Note

There are many options to sudo's configure command. Check the configure --help output for a complete list.

Configuring Sudo

Config File

/etc/sudoers

Configuration Information

The sudoers file can be quite complicated. It is composed of two types of entries: aliases (basically variables) and user specifications (which specify who may run what). The installation installs a default configuration that has no privileges installed for any user.

One example usage is to allow the system administrator to execute any program without typing a password each time root privileges are needed. This can be configured as: 

# User alias specification
User_Alias  ADMIN = YourLoginId

# Allow people in group ADMIN to run all commands without a password
ADMIN       ALL = NOPASSWD: ALL

For details, see man sudoers.

[Note]

Note

The Sudo developers highly recommend using the visudo program to edit the sudoers file. This will provide basic sanity checking like syntax parsing and file permission to avoid some possible mistakes that could lead to a vulnerable configuration.

If you've built Sudo with PAM support, issue the following command as the root user to create the PAM configuration file: 

cat > /etc/pam.d/sudo << "EOF" &&
# Begin /etc/pam.d/sudo

# include the default auth settings
auth      include     system-auth

# include the default account settings
account   include     system-account

# Set default environment variables for the service user
session   required    pam_env.so

# include system session defaults
session   include     system-session

# End /etc/pam.d/sudo
EOF
chmod 644 /etc/pam.d/sudo

Contents

Installed Programs: sudo, sudoedit, sudoreplay and visudo
Installed Libraries: sudoers.so and sudo_noexec.so
Installed Directories: /usr/lib/sudo and /usr/share/doc/sudo-1.8.6p3

Short Descriptions

sudo

executes a command as another user as permitted by the /etc/sudoers configuration file.

sudoedit

is a hard link to sudo that implies the -e option to invoke an editor as another user.

visudo

allows for safer editing of the sudoers file.

sudoreplay

is used to play back or list the output logs created by sudo.

sudoers.so

is default sudo security policy module.

sudo_noexec.so

enables support for the "noexec" functionality which prevents a dynamically-linked program being run by sudo from executing another program (think shell escapes).

Last updated on 2013-03-03 23:23:09 +0000