Beyond Linux® From Scratch (systemd Edition) - Version r12.0-816

Chapter 4. Security

Sudo-1.9.15p2

Introduction to Sudo

The Sudo package allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while logging the commands and arguments.

[Note]

Note

Development versions of BLFS may not build or run some packages properly if LFS or dependencies have been updated since the most recent stable versions of the books.

Package Information

  • Download (HTTP): https://www.sudo.ws/dist/sudo-1.9.15p2.tar.gz

  • Download MD5 sum: ef31b7ef72b386618990cfef94042541

  • Download size: 5.1 MB

  • Estimated disk space required: 67 MB (add 19 MB for tests)

  • Estimated build time: 0.3 SBU (with parallelism=4; add 0.1 SBU for tests)

Sudo Dependencies

Optional

Linux-PAM-1.5.3, MIT Kerberos V5-1.21.2, OpenLDAP-2.6.6, MTA (that provides a sendmail command), AFS, libaudit, Opie, and Sssd

Editor Notes: https://wiki.linuxfromscratch.org/blfs/wiki/sudo

Installation of Sudo

Install Sudo by running the following commands: 

./configure --prefix=/usr              \
            --libexecdir=/usr/lib      \
            --with-secure-path         \
            --with-env-editor          \
            --docdir=/usr/share/doc/sudo-1.9.15p2 \
            --with-passprompt="[sudo] password for %p: " &&
make

To test the results, issue: env LC_ALL=C make check |& tee make-check.log. Check the results with grep failed make-check.log.

Now, as the root user: 

make install

Command Explanations

--libexecdir=/usr/lib: This switch controls where private programs are installed. Everything in that directory is a library, so they belong under /usr/lib instead of /usr/libexec.

--with-secure-path: This switch transparently adds /sbin and /usr/sbin directories to the PATH environment variable.

--with-env-editor: This switch enables use of the environment variable EDITOR for visudo.

--with-passprompt: This switch sets the password prompt. The %p will be expanded to the name of the user whose password is being requested.

--without-pam: This switch avoids building Linux-PAM support when Linux-PAM is installed on the system.

--with-all-insults: This switch includes all the sudo insult sets. Insults are printed if the user types a bad password, and if enabled in /etc/sudoers. Use --with-insults to have them enabled by default. Various sets of insults can be selected with some other switches.

[Note]

Note

There are many options to sudo's configure command. Check the configure --help output for a complete list.

Configuring Sudo

Config File

/etc/sudoers

Configuration Information

The sudoers file can be quite complicated. It is composed of two types of entries: aliases (basically variables) and user specifications (which specify who may run what). The installation installs a default configuration that has no privileges installed for any user.

A couple of common configuration changes are to set the path for the super user and to allow members of the wheel group to execute all commands after providing their own credentials. Use the following commands to create the /etc/sudoers.d/00-sudo configuration file as the root user: 

cat > /etc/sudoers.d/00-sudo << "EOF"
Defaults secure_path="/usr/sbin:/usr/bin"
%wheel ALL=(ALL) ALL
EOF
[Note]

Note

In very simple installations where there is only one user, it may be easier to just edit the /etc/sudoers file directly. In that case, the secure_path entry may not be needed and using sudo -E ... can import the non-privileged user's full environment into the privileged session.

The files in the /etc/sudoers.d directory are parsed in sorted lexical order. Be careful that entries in an added file do not overwrite previous entries.

For details, see man sudoers.

[Note]

Note

The Sudo developers highly recommend using the visudo program to edit the sudoers file. This will provide basic sanity checking like syntax parsing and file permission to avoid some possible mistakes that could lead to a vulnerable configuration.

If PAM is installed on the system, Sudo is built with PAM support. In that case, issue the following command as the root user to create the PAM configuration file: 

cat > /etc/pam.d/sudo << "EOF"
# Begin /etc/pam.d/sudo

# include the default auth settings
auth      include     system-auth

# include the default account settings
account   include     system-account

# Set default environment variables for the service user
session   required    pam_env.so

# include system session defaults
session   include     system-session

# End /etc/pam.d/sudo
EOF
chmod 644 /etc/pam.d/sudo

Contents

Installed Programs: cvtsudoers, sudo, sudo_logsrvd, sudo_sendlog, sudoedit (symlink), sudoreplay, and visudo
Installed Libraries: audit_json.so, group_file.so, libsudo_util.so, sudoers.so, sudo_intercept.so, sudo_noexec.so, and system_group.so
Installed Directories: /etc/sudoers.d, /usr/lib/sudo, /usr/share/doc/sudo-1.9.15p2, and /var/lib/sudo

Short Descriptions

cvtsudoers

converts between sudoers file formats

sudo

executes a command as another user as permitted by the /etc/sudoers configuration file

sudo_logsrvd

is a sudo event and I/O log server

sudo_sendlog

sends sudo I/O logs to the log server

sudoedit

is a symlink to sudo that implies the -e option to invoke an editor as another user

sudoreplay

is used to play back or list the output logs created by sudo

visudo

allows for safer editing of the sudoers file