version 1.11, 2002/01/23 23:03:24
version 1.12, 2002/04/25 15:49:03

Installation instructions for Sudo 1.6.6
========================================

Sudo uses a `configure' script to probe the capabilities and type

Find the sources in DIR [configure dir or ..]

Special features/options:

--with-CC=PATH
Specifies the path to the C compiler you wish to use.

--with-incpath=DIR
Adds the specified directory (or directories) to CPPFLAGS so configure
and the compiler will look there for include files. Multiple directories
may be specified as long as they are space separated.
Eg: --with-incpath="/usr/local/include /opt/include"

--with-libpath=DIR
Adds the specified directory (or directories) to SUDO_LDFLAGS and
VISUDO_LDFLAGS so configure and the compiler will look there for
libraries. Multiple directories may be specified as with --with-incpath.

--with-libraries=LIBRARY
Adds the specified library (or libraries) to SUDO_LIBS and VISUDO_LIBS so
sudo will link against them. If the library doesn't start with `-l' or
end in `.a' or `.o', a `-l' will be prepended to it. Multiple libraries
may be specified as long as they are space separated.

--with-csops
Add CSOps standard options. You probably aren't interested in this.

--with-opie
Enable NRL OPIE OTP (One Time Password) support.

--with-SecurID[=DIR]
Enable SecurID support. If specified, DIR is the directory containing
sdiclient.a, sdi_athd.h, sdconf.h, and sdacmvls.h.

--with-fwtk[=DIR]
Enable TIS Firewall Toolkit (FWTK) 'authsrv' support. If specified,
DIR is the base directory containing the compiled FWTK package (or at
least the library and header files).


--with-bsdauth
Enable support for BSD authentication on BSD/OS and OpenBSD. This
option implies --with-logincap. It is not possible to mix BSD
authentication with other authentication methods (and there really
should be no need to do so). Note that only the newer BSD
authentication API is supported. If you don't have
/usr/include/bsd_auth.h then you cannot use this.


--disable-root-mailer
By default sudo will run the mailer as root when tattling

user which some people consider to be safer.

--disable-saved-ids
Disable use of POSIX saved IDs. Normally, sudo will try to use POSIX
saved IDs if they are supported. However, some implementations are
broken.

--disable-setreuid
Disable use of the setreuid() function for operating systems where it
is broken. 4.4BSD has setreuid() but it doesn't really work.

--disable-sia
Disable SIA support. This is the "Security Integration Architecture"
on Digital UNIX. If you disable SIA, sudo will use its own
authentication routines.

--disable-shadow
Disable shadow password support. Normally, sudo will compile in shadow
password support and use a shadow password if it exists.

--with-sudoers-mode=MODE
File mode for the sudoers file (octal). Note that if you wish to
NFS-mount the sudoers file this must be group readable. Also note that
this is actually set in the Makefile. The default mode is 0440.

--with-sudoers-uid=UID
User id that "owns" the sudoers file. Note that this is the numeric
id, *not* the symbolic name. Also note that this is actually set in
the Makefile. The default is 0.

--with-sudoers-gid=GID
Group id that "owns" the sudoers file. Note that this is the numeric
id, *not* the symbolic name. Also note that this is actually set in
the Makefile. The default is 0.
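The three options above only set what the Makefile installs; after an install (or an NFS mount) the effective mode and ownership of the sudoers file are what matter. The script below is an added example, not part of sudo's INSTALL or source tree: it reads the file's mode, uid and gid and compares them with the configured values, defaulting to the 0440/0/0 documented here. It assumes a POSIX sh and either GNU `stat -c` or BSD `stat -f`; the function names are mine.

```shell
#!/bin/sh
# Added example (not sudo's own code): verify that a sudoers file has the
# mode/uid/gid chosen with --with-sudoers-mode/--with-sudoers-uid/
# --with-sudoers-gid. Defaults match this document: 0440, uid 0, gid 0.

# file_mode_uid_gid FILE -> prints "MODE UID GID" (octal mode, numeric ids).
# Tries GNU stat first, then BSD stat.
file_mode_uid_gid() {
    stat -c '%a %u %g' "$1" 2>/dev/null || stat -f '%Lp %u %g' "$1"
}

# strip_zeros MODE -> MODE without leading zeros, so 0440 and 440 compare equal
strip_zeros() {
    printf '%s\n' "$1" | sed 's/^0*//'
}

# check_sudoers_perms FILE [MODE] [UID] [GID]
# Returns 0 when FILE has exactly the expected mode and owner, 1 otherwise.
check_sudoers_perms() {
    file=$1
    want_mode=$(strip_zeros "${2:-440}")
    want_uid=${3:-0}
    want_gid=${4:-0}

    info=$(file_mode_uid_gid "$file") || return 1   # unreadable or missing
    set -- $info                                     # split "MODE UID GID"
    have_mode=$(strip_zeros "$1")
    have_uid=$2
    have_gid=$3

    [ "$have_mode" = "$want_mode" ] || return 1
    [ "$have_uid" = "$want_uid" ]   || return 1
    [ "$have_gid" = "$want_gid" ]   || return 1
    return 0
}

# Usage: sh check_sudoers.sh /etc/sudoers [MODE UID GID]
# (no arguments: nothing runs, so the functions can be sourced or tested)
if [ "$#" -gt 0 ]; then
    if check_sudoers_perms "$@"; then
        echo "ok: $1 has mode ${2:-0440}, uid ${3:-0}, gid ${4:-0}"
    else
        echo "MISMATCH: $1 has '$(file_mode_uid_gid "$1")', expected" \
             "${2:-0440} ${3:-0} ${4:-0}" >&2
        exit 1
    fi
fi
```

The comparison is exact on purpose: a mode of 0444 would still let sudo read the file but exposes the policy to every local user, and a wrong owner can make sudo refuse the file outright, so either case should fail the check rather than pass as "good enough".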

--with-execv
Use execv() to exec the command instead of execvp(). I can't think of

4.3BSD). This is off by default.

--without-interfaces
This option keeps sudo from trying to glean the IP address from each
attached ethernet interface. It is only useful on a machine where
sudo's interface reading support does not work, which may be the case
on some SysV-based OSes using STREAMS.

--without-passwd
This option excludes authentication via the passwd (or shadow) file.
It should only be used when another, alternate, authentication scheme
is in use.

--with-otp-only
This option is now just an alias for --without-passwd.

The following options are also configurable at runtime:

--with-long-otp-prompt
When validating with a One Time Password scheme (S/Key or OPIE), a
two-line prompt is used to make it easier to cut and paste the
challenge to a local window. It's not as pretty as the default but
some people find it more convenient.

--with-logging=TYPE
How you want to do your logging. You may choose "syslog", "file", or
"both". Setting this to "syslog" is nice because you can keep all of
your sudo logs in one place (see the sample.syslog.conf file). The
default is "syslog".

--with-logfac=FACILITY
Determines which syslog facility to log to. This requires a 4.3BSD or
later version of syslog. You can still set this for ancient syslogs
but it will have no effect. The following facilities are supported:
authpriv (if your OS supports it), auth, daemon, user, local0, local1,
local2, local3, local4, local5, local6, and local7.

--with-goodpri=PRIORITY
Determines which syslog priority to log successfully authenticated
commands. The following priorities are supported: alert, crit, debug,
emerg, err, info, notice, and warning.

--with-badpri=PRIORITY
Determines which syslog priority to log unauthenticated commands and
errors. The following priorities are supported: alert, crit, debug,
emerg, err, info, notice, and warning.
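A typo in one of the logging options (for example a facility your syslog never receives) is easy to miss at configure time and shows up only as audit records that never arrive. The script below is an added example, not code from sudo: it checks a proposed set of configure arguments against the value lists given above for --with-logging, --with-logfac, --with-goodpri and --with-badpri before you run ./configure. It assumes a POSIX sh; the function names are mine, and options it does not know about are passed through untouched.

```shell
#!/bin/sh
# Added example (not sudo's own code): validate logging-related configure
# options against the value lists in this document.

LOGGING_TYPES="syslog file both"
SYSLOG_FACILITIES="authpriv auth daemon user local0 local1 local2 local3 local4 local5 local6 local7"
SYSLOG_PRIORITIES="alert crit debug emerg err info notice warning"

# in_list WORD "a b c" -> 0 if WORD is one of the space-separated words
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# check_configure_opts OPTION... -> prints one line per bad option on stderr
# and returns the number of bad options (0 means all validated options are ok).
check_configure_opts() {
    bad=0
    for opt in "$@"; do
        name=${opt%%=*}
        value=${opt#*=}
        case $name in
        --with-logging)               list=$LOGGING_TYPES ;;
        --with-logfac)                list=$SYSLOG_FACILITIES ;;
        --with-goodpri|--with-badpri) list=$SYSLOG_PRIORITIES ;;
        *) continue ;;                # not a logging option; not validated here
        esac
        if [ "$value" = "$opt" ]; then  # no "=VALUE" part at all
            echo "$name: missing value (expected one of: $list)" >&2
            bad=$((bad + 1))
            continue
        fi
        if ! in_list "$value" "$list"; then
            echo "$name: '$value' is not one of: $list" >&2
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Usage: sh check_opts.sh --with-logging=both --with-logfac=authpriv ...
# Exits non-zero if any logging option is invalid, so it can gate a build.
if [ "$#" -gt 0 ]; then
    if check_configure_opts "$@"; then
        echo "logging options ok"
    else
        exit 1
    fi
fi
```

Note that "authpriv" is accepted because this document lists it, but it is only meaningful where the OS supports that facility; the check cannot tell you whether your syslog will actually route it, so pair it with a look at sample.syslog.conf.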

--with-logpath=PATH
Override the default location of the sudo log file and use "path"
instead. By default sudo will use /var/log/sudo.log if there is a
/var/log dir, falling back to /var/adm/sudo.log or /usr/adm/sudo.log
if not.

--with-loglen=NUMBER
Number of characters per line for the file log. This is only used if
you are logging to "file" or "both". This value is used to decide when
to wrap lines for nicer log files. The default is 80. Setting this to 0

If set, sudo will ignore '.' or '' (current dir) in $PATH.
The $PATH itself is not modified.

--with-mailto=USER|MAIL_ALIAS
User (or mail alias) that mail from sudo is sent to. This should go
to a sysadmin at your site. The default is "root".

--with-mailsubject="SUBJECT OF MAIL"
Subject of the mail sent to the "mailto" user. The token "%h" will
expand to the hostname of the machine.
Default is "*** SECURITY information for %h ***".

Send mail to the "alermail" user if the user is allowed to use sudo but
the command they are trying is not listed in their sudoers file entry.

--with-passprompt="PASSWORD PROMPT"
Default prompt to use when asking for a password; can be overridden
via the -p option and the SUDO_PROMPT environment variable. Supports
two escapes: "%u" expands to the user's login name and "%h" expands
to the local hostname. Default is "Password:".

--with-badpass-message="BAD PASSWORD MESSAGE"
Message that is displayed if a user enters an incorrect password.
The default is "Sorry, try again." unless insults are turned on.


a host alias (CNAME entry) due to performance issues and the fact that
there is no way to get all aliases from DNS.

--with-timedir=PATH
Override the default location of the sudo timestamp directory and
use "path" instead.

--with-sendmail=PATH
Override configure's guess as to the location of sendmail.

--without-sendmail
Do not use sendmail to mail messages to the "mailto" user.
Use only if you don't run sendmail or the equivalent.

--with-umask=MASK
Umask to use when running the root command. The default is 0022.

--without-umask
Preserves the umask of the user invoking sudo.

--with-runas-default=USER
The default user to run commands as if the -u flag is not specified
on the command line. This defaults to "root".

--with-exempt=GROUP
Users in the specified group don't need to enter a password when
running sudo. This may be useful for sites that don't want their
"core" sysadmins to have to enter a password but where Jr. sysadmins
need to. You should probably use NOPASSWD in sudoers instead.

--with-passwd-tries=NUMBER
Number of tries a user gets to enter his/her password before sudo logs
the failure and exits. The default is 3.

--with-timeout=NUMBER
Number of minutes that can elapse before sudo will ask for a password
again. The default is 5; set this to 0 to always prompt for a password.

--with-password-timeout=NUMBER
Number of minutes before the sudo password prompt times out.
The default is 5; set this to 0 for no password timeout.


password is entered. You must either specify --with-insults or
enable insults in the sudoers file for this to have any effect.

--with-secure-path[=PATH]
Path used for every command run from sudo(8). If you don't trust the
people running sudo to have a sane PATH environment variable you may
want to use this. Another use is if you want to have the "root path"

--without-lecture
Don't print the lecture the first time a user runs sudo.

--with-editor=PATH
Specify the default editor path for use by visudo. This may be
a single pathname or a colon-separated list of editors. In
the latter case, visudo will choose the editor that matches