Secure OS Software for Linux
1748219 Members
4282 Online
108759 Solutions
New Discussion юеВ

What SUDO Special Features to Compile in

 
SOLVED
Go to solution
Michael Steele_2
Honored Contributor

What SUDO Special Features to Compile in

Hi:

Got a big sudo project coming up and I'm just starting to read the material. One of the first decisions is to decide what arguments to include during the compilation. Question: Anybody have procedure that they have followed in their environment with explanations? Especially to any MUST HAVE / DON'T FORGET TO ADD THIS IN / features?

I've attached the Installation instructions beginning at the Special Features section.

9 - 10 point for every answer mostly guaranteed.

Links to Installing Sudo for Dummies also greatly appreciated.
Support Fatherhood - Stop Family Law
5 REPLIES 5
Matti_Kurkela
Honored Contributor
Solution

Re: What SUDO Special Features to Compile in

The compile-time defaults are good for most systems and configurations: the configure process will generally find all the features the underlying OS can support and enable them unless you tell otherwise.

If some compiled-in default is not sufficient, you can tailor it to your requirements with run-time configuration in the overwhelming majority of cases.

For most Linux distributions, there is generally no need to compile sudo at all unless you have special configuration requirements: a pre-compiled, standard sudo package is available in most Linux distributions. Modern distributions often have cryptographic signatures and checksums embedded in their packages, so using the standard version might actually make it easier to verify your system is running the correct version of sudo.

(Installing Sudo for Dummies: if you don't have special requirements, get a pre-packaged version and use the standard package tools of the OS to install it.)

But if you have e.g. an administrative requirement to *always* prompt for a password when using sudo, you could tweak the defaults to match your site policy when compiling your own, using "--with-timeout=0". You should still have the equivalent run-time configuration line

Defaults timestamp_timeout=0

included in your sudoers file, just in case someone later replaces your custom sudo with a default version provided by your OS distribution/vendor.

If you have a requirement for one-time passwords (SKey, NRL OPIE, SecurID), then remember to include the appropriate support options: these might not be included automatically.

Read the description and use your judgement with --disable-root-mailer.

The "noexec" functionality can be very useful when setting up a system for tightly-regulated sudo use. But it's about the newest (= least proven) major part of sudo, so I understand if someone prefers to disable it.

All the other utilities in most modern systems will expect all programs to use PAM for authentication requirements, so sudo should use PAM too unless there is a specific reason to do otherwise.

The LDAP and Kerberos compile-time options should be chosen according to your requirements. If you're sure you won't be centralizing your sudoers configuration with LDAP or using Kerberos, disabling those parts at the compilation time minimizes the amount of security-critical code.

The rest of compile-time-only options are pretty much dependent on the environment you're planning to compile and use sudo in.

MK
MK
Patrick Wallek
Honored Contributor

Re: What SUDO Special Features to Compile in

I thought most current Linux flavors already had sudo built-in. Why the need to compile?
Michael Steele_2
Honored Contributor

Re: What SUDO Special Features to Compile in

OK, let me rephrase the question, what non-default sudo attributes would you compile or add in to sudo?
Support Fatherhood - Stop Family Law
Steven Schweda
Honored Contributor

Re: What SUDO Special Features to Compile in

> [... which] non-default sudo attributes
> would you compile or add in to sudo?

Probably the ones which I expected to use.
"Got a big sudo project" didn't seem to me to
be a very detailed description of the actual
requirements.

If I couldn't identify any special needs now,
then I'd probably use a default/standard kit
until I ran into a case where I needed some
special feature which needed the extra effort
to get enabled.
Michael Steele_2
Honored Contributor

Re: What SUDO Special Features to Compile in

,
Support Fatherhood - Stop Family Law