| version 1.11, 2002/01/23 23:03:24 |
version 1.12, 2002/04/25 15:49:03 |
|
|
| Installation instructions for Sudo 1.6.5 |
Installation instructions for Sudo 1.6.6 |
| ======================================== |
======================================== |
| |
|
| Sudo uses a `configure' script to probe the capabilities and type |
Sudo uses a `configure' script to probe the capabilities and type |
|
|
| Find the sources in DIR [configure dir or ..] |
Find the sources in DIR [configure dir or ..] |
| |
|
| Special features/options: |
Special features/options: |
| --with-CC=path |
--with-CC=PATH |
| Specifies path to C compiler you wish to use. |
Specifies path to C compiler you wish to use. |
| |
|
| --with-incpath |
--with-incpath=DIR |
| Adds the specified directories to CPPFLAGS so configure and the |
Adds the specified directory (or directories) to CPPFLAGS |
| compiler will look there for include files. Multiple directories |
so configure and the compiler will look there for include |
| may be specified as long as they are space separated. |
files. Multiple directories may be specified as long as |
| |
they are space separated. |
| Eg: --with-incpath="/usr/local/include /opt/include" |
Eg: --with-incpath="/usr/local/include /opt/include" |
| |
|
| --with-libpath |
--with-libpath=DIR |
| Adds the specified directories to SUDO_LDFLAGS and VISUDO_LDFLAGS so |
Adds the specified directory (or directories_ to SUDO_LDFLAGS |
| configure and the compiler will look there for libraries. Multiple |
and VISUDO_LDFLAGS so configure and the compiler will look |
| directories may be specified as with --with-incpath. |
there for libraries. Multiple directories may be specified |
| |
as with --with-incpath. |
| |
|
| --with-libraries |
--with-libraries=LIBRARY |
| Adds the specified libaries to SUDO_LIBS and and VISUDO_LIBS so sudo |
Adds the specified library (or libaries) to SUDO_LIBS and |
| will link against them. If the library doesn't start with `-l' or end |
and VISUDO_LIBS so sudo will link against them. If the |
| in `.a' or `.o' a `-l' will be prepended to it. Multiple libraries may |
library doesn't start with `-l' or end in `.a' or `.o' a |
| be specified as long as they are space separated. |
`-l' will be prepended to it. Multiple libraries may be |
| |
specified as long as they are space separated. |
| |
|
| --with-csops |
--with-csops |
| Add CSOps standard options. You probably aren't interested in this. |
Add CSOps standard options. You probably aren't interested in this. |
|
|
| --with-opie |
--with-opie |
| Enable NRL OPIE OTP (One Time Password) support. |
Enable NRL OPIE OTP (One Time Password) support. |
| |
|
| --with-SecurID=DIR |
--with-SecurID[=DIR] |
| Enable SecurID support. If specified, DIR is directory containing |
Enable SecurID support. If specified, DIR is directory containing |
| sdiclient.a, sdi_athd.h, sdconf.h, and sdacmvls.h. |
sdiclient.a, sdi_athd.h, sdconf.h, and sdacmvls.h. |
| |
|
| --with-fwtk=DIR |
--with-fwtk[=DIR] |
| Enable TIS Firewall Toolkit (FWTK) 'authsrv' support. If specified, |
Enable TIS Firewall Toolkit (FWTK) 'authsrv' support. If specified, |
| DIR is the base directory containing the compiled FWTK package |
DIR is the base directory containing the compiled FWTK package |
| (or at least the library and header files). |
(or at least the library and header files). |
|
|
| |
|
| --with-bsdauth |
--with-bsdauth |
| Enable support for BSD authentication on BSD/OS and OpenBSD. |
Enable support for BSD authentication on BSD/OS and OpenBSD. |
| This option assumes --with-logincap as well. It is not |
This option implies --with-logincap. It is not possible |
| possible to mix BSD authentication with other authentication |
to mix BSD authentication with other authentication methods |
| methods (and there really should be no need to do so). Note |
(and there really should be no need to do so). Note that |
| that only the newer BSD authentication API is supported. |
only the newer BSD authentication API is supported. If you |
| If you don't have /usr/include/bsd_auth.h then you cannot |
don't have /usr/include/bsd_auth.h then you cannot use this. |
| use this. |
|
| |
|
| --disable-root-mailer |
--disable-root-mailer |
| By default sudo will run the mailer as root when tattling |
By default sudo will run the mailer as root when tattling |
|
|
| user which some people consider to be safer. |
user which some people consider to be safer. |
| |
|
| --disable-saved-ids |
--disable-saved-ids |
| Disable use of POSIX saved IDs. Normally, sudo will try to |
Disable use of POSIX saved IDs. Normally, sudo will try |
| use POSIX saved IDs if they are supported. However, some |
to use POSIX saved IDs if they are supported. However, |
| implementations are broken. |
some implementations are broken. |
| |
|
| --disable-setreuid |
--disable-setreuid |
| Disable use of the setreuid() function for operating systems |
Disable use of the setreuid() function for operating systems |
| where it is broken. 4.4BSD has setreuid() but it doesn't really work. |
where it is broken. 4.4BSD has setreuid() but it doesn't |
| |
really work. |
| |
|
| --disable-sia |
--disable-sia |
| Disable SIA support. This is the "Security Integration Architecture" |
Disable SIA support. This is the "Security Integration |
| on Digital UNIX. If you disable SIA sudo will use its own |
Architecture" on Digital UNIX. If you disable SIA sudo will |
| authentication routines. |
use its own authentication routines. |
| |
|
| --disable-shadow |
--disable-shadow |
| Disable shadow password support. Normally, sudo will compile in shadow |
Disable shadow password support. Normally, sudo will compile |
| password support and use a shadow password if it exists. |
in shadow password support and use a shadow password if it |
| |
exists. |
| |
|
| --with-sudoers-mode=mode |
--with-sudoers-mode=MODE |
| File mode for the sudoers file (octal). Note that if you wish to |
File mode for the sudoers file (octal). Note that if you |
| NFS-mount the sudoers file this must be group readable. Also note |
wish to NFS-mount the sudoers file this must be group |
| that this is actually set in the Makefile. The default mode is 0440. |
readable. Also note that this is actually set in the |
| |
Makefile. The default mode is 0440. |
| |
|
| --with-sudoers-uid |
--with-sudoers-uid=UID |
| User id that "owns" the sudoers file. Note that this is the numeric |
User id that "owns" the sudoers file. Note that this is |
| id, *not* the symbolic name. Also note that this is actually set in |
the numeric id, *not* the symbolic name. Also note that |
| the Makefile. The default is 0. |
this is actually set in the Makefile. The default is 0. |
| |
|
| --with-sudoers-gid |
--with-sudoers-gid=GID |
| Group id that "owns" the sudoers file. Note that this is the numeric |
Group id that "owns" the sudoers file. Note that this is |
| id, *not* the symbolic name. Also note that this is actually set in |
the numeric id, *not* the symbolic name. Also note that |
| the Makefile. The default is 0. |
this is actually set in the Makefile. The default is 0. |
| |
|
| --with-execv |
--with-execv |
| Use execv() to exec the command instead of execvp(). I can't think of |
Use execv() to exec the command instead of execvp(). I can't think of |
|
|
| 4.3BSD). This is off by default. |
4.3BSD). This is off by default. |
| |
|
| --without-interfaces |
--without-interfaces |
| This option keeps sudo from trying to glean the ip address from each |
This option keeps sudo from trying to glean the ip address |
| attached ethernet interface. It is only useful on a machine where |
from each attached ethernet interface. It is only useful |
| sudo's interface reading support does not work, which may be the case |
on a machine where sudo's interface reading support does |
| on some SysV-based OS's using STREAMS. |
not work, which may be the case on some SysV-based OS's |
| |
using STREAMS. |
| |
|
| --without-passwd |
--without-passwd |
| This option excludes authentication via the passwd (or shadow) file. |
This option excludes authentication via the passwd (or |
| It should only be used when another, alternate, authentication |
shadow) file. It should only be used when another, alternate, |
| scheme is in use. |
authentication scheme is in use. |
| |
|
| --with-otp-only |
--with-otp-only |
| This option is now just an alias for --without-passwd. |
This option is now just an alias for --without-passwd. |
| |
|
| The following options are also configurable at runtime: |
The following options are also configurable at runtime: |
| |
|
| --with-long-otp-prompt |
--with-long-otp-prompt |
| When validating with a One Time Password scheme (S/Key or OPIE), a |
When validating with a One Time Password scheme (S/Key or |
| two-line prompt is used to make it easier to cut and paste the |
OPIE), a two-line prompt is used to make it easier to cut |
| challenge to a local window. It's not as pretty as the default but |
and paste the challenge to a local window. It's not as |
| some people find it more convenient. |
pretty as the default but some people find it more convenient. |
| |
|
| --with-logging=TYPE |
--with-logging=TYPE |
| How you want to do your logging. You may choose "syslog", "file", |
How you want to do your logging. You may choose "syslog", |
| or "both". Setting this to "syslog" is nice because you can keep all |
"file", or "both". Setting this to "syslog" is nice because |
| of your sudo logs in one place (see the sample.syslog.conf file). |
you can keep all of your sudo logs in one place (see the |
| The default is "syslog". |
sample.syslog.conf file). The default is "syslog". |
| |
|
| --with-logfac=FACILITY |
--with-logfac=FACILITY |
| Determines which syslog facility to log to. This requires a 4.3BSD |
Determines which syslog facility to log to. This requires |
| or later version of syslog. You can still set this for ancient |
a 4.3BSD or later version of syslog. You can still set |
| syslogs but it will have no effect. The following facilities are |
this for ancient syslogs but it will have no effect. The |
| supported: authpriv (if your OS supports it), auth, daemon, user, |
following facilities are supported: authpriv (if your OS |
| local0, local1, local2, local3, local4, local5, local6, and local7. |
supports it), auth, daemon, user, local0, local1, local2, |
| |
local3, local4, local5, local6, and local7. |
| |
|
| --with-goodpri=PRIORITY |
--with-goodpri=PRIORITY |
| Determines which syslog priority to log successfully authenticated |
Determines which syslog priority to log successfully |
| commands. The following priorities are supported: alert, crit, |
authenticated commands. The following priorities are |
| debug, emerg, err, info, notice, and warning. |
supported: alert, crit, debug, emerg, err, info, notice, |
| |
and warning. |
| |
|
| --with-badpri=PRIORITY |
--with-badpri=PRIORITY |
| Determines which syslog priority to log unauthenticated commands |
Determines which syslog priority to log unauthenticated |
| and errors. The following priorities are supported: alert, crit, |
commands and errors. The following priorities are supported: |
| debug, emerg, err, info, notice, and warning. |
alert, crit, debug, emerg, err, info, notice, and warning. |
| |
|
| --with-logpath=path |
--with-logpath=PATH |
| Override the default location of the sudo log file and use "path" |
Override the default location of the sudo log file and use |
| instead. By default will use /var/log/sudo.log if there is a /var/log |
"path" instead. By default will use /var/log/sudo.log if |
| dir, falling back to /var/adm/sudo.log or /usr/adm/sudo.log if not. |
there is a /var/log dir, falling back to /var/adm/sudo.log |
| |
or /usr/adm/sudo.log if not. |
| |
|
| --with-loglen |
--with-loglen=NUMBER |
| Number of characters per line for the file log. This is only used if |
Number of characters per line for the file log. This is only used if |
| you are to "file" or "both". This value is used to decide when to wrap |
you are to "file" or "both". This value is used to decide when to wrap |
| lines for nicer log files. The default is 80. Setting this to 0 |
lines for nicer log files. The default is 80. Setting this to 0 |
|
|
| If set, sudo will ignore '.' or '' (current dir) in $PATH. |
If set, sudo will ignore '.' or '' (current dir) in $PATH. |
| The $PATH itself is not modified. |
The $PATH itself is not modified. |
| |
|
| --with-mailto |
--with-mailto=USER|MAIL_ALIAS |
| User that mail from sudo is sent to. This should go to a sysadmin at |
User (or mail alias) that mail from sudo is sent to. |
| your site. The default is "root". |
This should go to a sysadmin at your site. The default is "root". |
| |
|
| --with-mailsubject |
--with-mailsubject="SUBJECT OF MAIL" |
| Subject of the mail sent to the "mailto" user. The token "%h" |
Subject of the mail sent to the "mailto" user. The token "%h" |
| will expand to the hostname of the machine. |
will expand to the hostname of the machine. |
| Default is "*** SECURITY information for %h ***". |
Default is "*** SECURITY information for %h ***". |
|
|
| Send mail to the "alermail" user if the user is allowed to use sudo but |
Send mail to the "alermail" user if the user is allowed to use sudo but |
| the command they are trying is not listed in their sudoers file entry. |
the command they are trying is not listed in their sudoers file entry. |
| |
|
| --with-passprompt |
--with-passprompt="PASSWORD PROMPT" |
| Default prompt to use when asking for a password; can be overridden |
Default prompt to use when asking for a password; can be overridden |
| via the -p option and the SUDO_PROMPT environment variable. Supports |
via the -p option and the SUDO_PROMPT environment variable. Supports |
| two escapes: "%u" expands to the user's login name and "%h" expands |
two escapes: "%u" expands to the user's login name and "%h" expands |
| to the local hostname. Default is "Password:". |
to the local hostname. Default is "Password:". |
| |
|
| --with-badpass-message |
--with-badpass-message="BAD PASSWORD MESSAGE" |
| Message that is displayed if a user enters an incorrect password. |
Message that is displayed if a user enters an incorrect password. |
| The default is "Sorry, try again." unless insults are turned on. |
The default is "Sorry, try again." unless insults are turned on. |
| |
|
|
|
| a host alias (CNAME entry) due to performance issues and the fact that |
a host alias (CNAME entry) due to performance issues and the fact that |
| there is no way to get all aliases from DNS. |
there is no way to get all aliases from DNS. |
| |
|
| --with-timedir=path |
--with-timedir=PATH |
| Override the default location of the sudo timestamp directory and |
Override the default location of the sudo timestamp directory and |
| use "path" instead. |
use "path" instead. |
| |
|
| --with-sendmail=path |
--with-sendmail=PATH |
| Override configure's guess as to the location of sendmail. |
Override configure's guess as to the location of sendmail. |
| |
|
| --without-sendmail |
--without-sendmail |
| Do not use sendmail to mail messages to the "mailto" user. |
Do not use sendmail to mail messages to the "mailto" user. |
| Use only if don't run sendmail or the equivalent. |
Use only if don't run sendmail or the equivalent. |
| |
|
| --with-umask |
--with-umask=MASK |
| Umask to use when running the root command. The default is 0022. |
Umask to use when running the root command. The default is 0022. |
| |
|
| --without-umask |
--without-umask |
| Preserves the umask of the user invoking sudo. |
Preserves the umask of the user invoking sudo. |
| |
|
| --with-runas-default=user |
--with-runas-default=USER |
| The default user to run commands as if the -u flag is not specified |
The default user to run commands as if the -u flag is not specified |
| on the command line. This defaults to "root". |
on the command line. This defaults to "root". |
| |
|
| --with-exempt=group |
--with-exempt=GROUP |
| Users in the specified group don't need to enter a password when |
Users in the specified group don't need to enter a password when |
| running sudo. This may be useful for sites that don't want their |
running sudo. This may be useful for sites that don't want their |
| "core" sysadmins to have to enter a password but where Jr. sysadmins |
"core" sysadmins to have to enter a password but where Jr. sysadmins |
| need to. You should probably use NOPASSWD in sudoers instead. |
need to. You should probably use NOPASSWD in sudoers instead. |
| |
|
| --with-passwd-tries=tries |
--with-passwd-tries=NUMBER |
| Number of tries a user gets to enter his/her password before sudo logs |
Number of tries a user gets to enter his/her password before sudo logs |
| the failure and exits. The default is 3. |
the failure and exits. The default is 3. |
| |
|
| --with-timeout=minutes |
--with-timeout=NUMBER |
| Number of minutes that can elapse before sudo will ask for a passwd |
Number of minutes that can elapse before sudo will ask for a passwd |
| again. The default is 5, set this to 0 to always prompt for a password. |
again. The default is 5, set this to 0 to always prompt for a password. |
| |
|
| --with-password-timeout=minutes |
--with-password-timeout=NUMBER |
| Number of minutes before the sudo password prompt times out. |
Number of minutes before the sudo password prompt times out. |
| The default is 5, set this to 0 for no password timeout. |
The default is 5, set this to 0 for no password timeout. |
| |
|
|
|
| password is entered. You must either specify --with-insults or |
password is entered. You must either specify --with-insults or |
| enable insults in the sudoers file for this to have any effect. |
enable insults in the sudoers file for this to have any effect. |
| |
|
| --with-secure-path[=path] |
--with-secure-path[=PATH] |
| Path used for every command run from sudo(8). If you don't trust the |
Path used for every command run from sudo(8). If you don't trust the |
| people running sudo to have a sane PATH environment variable you may |
people running sudo to have a sane PATH environment variable you may |
| want to use this. Another use is if you want to have the "root path" |
want to use this. Another use is if you want to have the "root path" |
|
|
| --without-lecture |
--without-lecture |
| Don't print the lecture the first time a user runs sudo. |
Don't print the lecture the first time a user runs sudo. |
| |
|
| --with-editor=path |
--with-editor=PATH |
| Specify the default editor path for use by visudo. This may be |
Specify the default editor path for use by visudo. This may be |
| a single pathname or a colon-separated list of editors. In |
a single pathname or a colon-separated list of editors. In |
| the latter case, visudo will choose the editor that matches |
the latter case, visudo will choose the editor that matches |
![[BACK]](/icons/back.gif){kind=icon}
Return to INSTALL CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / sudo