Sudo-1.9.2
Installation of Sudo
Install Sudo by running the following commands:
./configure --prefix=/usr \
            --libexecdir=/usr/lib \
            --with-secure-path \
            --with-all-insults \
            --with-env-editor \
            --docdir=/usr/share/doc/sudo-1.9.2 \
            --with-passprompt="[sudo] password for %p: " &&
make
To test the results, issue: env LC_ALL=C make check 2>&1 | tee ../make-check.log. Check the results with grep failed ../make-check.log.
Now, as the root user:
make install &&
ln -sfv libsudo_util.so.0.0.0 /usr/lib/sudo/libsudo_util.so.0
Command Explanations
--libexecdir=/usr/lib: This switch controls where private programs are installed. Everything in that directory is a library, so they belong under /usr/lib instead of /usr/libexec.
--with-secure-path: This switch transparently adds /sbin and /usr/sbin directories to the PATH environment variable.
--with-all-insults: This switch includes all the sudo insult sets.
--with-env-editor: This switch enables use of the environment variable EDITOR for visudo.
--with-passprompt: This switch sets the password prompt. The %p will be expanded to the name of the user whose password is being requested.
--without-pam: This switch avoids building Linux-PAM support when Linux-PAM is installed on the system.
Note
There are many options to sudo's configure command. Check the configure --help output for a complete list.
ln -sfv libsudo_util...: Works around a bug in the installation process, which links to the previously installed version (if there is one) instead of the new one.
Configuring Sudo
Configuration Information
The sudoers file can be quite complicated. It is composed of two types of entries: aliases (basically variables) and user specifications (which specify who may run what). The installation installs a default configuration that has no privileges installed for any user.
A couple of common configuration changes are to set the path for the super user and to allow members of the wheel group to execute all commands after providing their own credentials. Use the following commands to create the /etc/sudoers.d/sudo configuration file as the root user:
cat > /etc/sudoers.d/sudo << "EOF"
Defaults secure_path="/usr/bin:/bin:/usr/sbin:/sbin"
%wheel ALL=(ALL) ALL
EOF
For details, see man sudoers.
Note
The Sudo developers highly recommend using the visudo program to edit the sudoers file. This will provide basic sanity checking, like syntax parsing and file permission checks, to avoid some possible mistakes that could lead to a vulnerable configuration.
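The secure_path line written to /etc/sudoers.d/sudo above names the directories sudo searches for commands, so a relative, missing, or group/world-writable entry weakens it. The script below is an added example, not part of the BLFS instructions: it audits the secure_path of a drop-in, parsing only the simple Defaults secure_path="..." form used on this page; the function names and finding labels are this example's own.

```shell
#!/bin/sh
# Added example (not from the BLFS page): audit the secure_path in a sudoers
# drop-in. sudo looks up commands in these directories, so each entry should
# be an absolute, existing directory that is not group- or world-writable.
# Assumption: only the simple 'Defaults secure_path="..."' form is parsed.

# Print the value of the last 'Defaults secure_path=' line in file $1.
get_secure_path() {
    sed -n 's/^[[:space:]]*Defaults[[:space:]]\{1,\}secure_path[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# Print one finding per line for file $1; return 0 only if nothing is flagged.
audit_secure_path() {
    path=$(get_secure_path "$1")
    if [ -z "$path" ]; then echo "MISSING secure_path"; return 1; fi
    rc=0
    case ":$path:" in *::*) echo "EMPTY entry"; rc=1 ;; esac
    old_ifs=$IFS; IFS=:; set -f
    for dir in $path; do
        case $dir in
            '') continue ;;                         # reported as EMPTY above
            /*) ;;                                  # absolute: keep checking
            *) echo "RELATIVE $dir"; rc=1; continue ;;
        esac
        if [ ! -d "$dir" ]; then echo "NOTDIR $dir"; rc=1; continue; fi
        # -L follows symlinks such as /bin -> usr/bin on merged-/usr systems.
        mode=$(ls -ldL "$dir" | cut -c1-10)
        case $mode in
            ?????w????|????????w?) echo "WRITABLE $dir ($mode)"; rc=1 ;;
            *) echo "OK $dir" ;;
        esac
    done
    IFS=$old_ifs; set +f
    return $rc
}

# Stand-alone run: audit the file given as $1, or a constructed copy of the
# drop-in from this page when no argument is given.
demo=$(mktemp)
printf '%s\n' 'Defaults secure_path="/usr/bin:/bin:/usr/sbin:/sbin"' '%wheel ALL=(ALL) ALL' > "$demo"
audit_secure_path "${1:-$demo}" || echo "secure_path needs attention"
rm -f "$demo"
```

The script does not check directory ownership and does not replace the syntax check that visudo performs.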
If PAM is installed on the system, Sudo is built with PAM support. In that case, issue the following command as the root user to create the PAM configuration file:
cat > /etc/pam.d/sudo << "EOF"
# Begin /etc/pam.d/sudo
# include the default auth settings
auth include system-auth
# include the default account settings
account include system-account
# Set default environment variables for the service user
session required pam_env.so
# include system session defaults
session include system-session
# End /etc/pam.d/sudo
EOF
chmod 644 /etc/pam.d/sudo
Contents
Installed Programs: cvtsudoers, sudo, sudoedit (symlink), sudoreplay, and visudo
Installed Libraries: group_file.so, libsudo_util.so, sudoers.so, sudo_noexec.so, and system_group.so
Installed Directories: /etc/sudoers.d, /usr/lib/sudo, /usr/share/doc/sudo-1.9.2, and /var/{lib,run}/sudo
Short Descriptions
cvtsudoers: converts between sudoers file formats.
sudo: executes a command as another user as permitted by the /etc/sudoers configuration file.
sudoedit: is a symlink to sudo that implies the -e option to invoke an editor as another user.
sudoreplay: is used to play back or list the output logs created by sudo.
visudo: allows for safer editing of the sudoers file.
Last updated on 2020-08-16 08:28:54 -0700