| version 1.14, 2003/04/01 15:47:51 |
version 1.15, 2004/09/28 15:10:50 |
|
|
| Installation instructions for Sudo 1.6.7 |
Installation instructions for Sudo 1.6.8 |
| ======================================== |
======================================== |
| |
|
| Sudo uses a `configure' script to probe the capabilities and type |
Sudo uses a `configure' script to probe the capabilities and type |
|
|
| does not use the Kerberos cookie scheme. Will not work for |
does not use the Kerberos cookie scheme. Will not work for |
| Kerberos V older than version 1.1. |
Kerberos V older than version 1.1. |
| |
|
| |
--with-ldap[=DIR] |
| |
Enable LDAP support. If specified, DIR is the base directory |
| |
containing the LDAP include and lib directories. Please see |
| |
README.LDAP for more information. |
| |
|
| |
--with-ldap-conf-file |
| |
Path to LDAP configuration file. If specified, sudo reads |
| |
this file instead of /etc/ldap.conf to locate the LDAP server. |
| |
|
| --with-authenticate |
--with-authenticate |
| Enable support for the AIX 4.x general authentication function. |
Enable support for the AIX 4.x general authentication function. |
| This will use the authentication scheme specified for the user |
This will use the authentication scheme specified for the user |
|
|
| |
|
| --with-pam |
--with-pam |
| Enable PAM support. Tested on: |
Enable PAM support. Tested on: |
| Redhat Linux 5.x, 6.0, and 6.1 |
Redhat Linux >= 5.x |
| Solaris 2.6 and 7 |
Solaris >= 2.6 |
| HP-UX 11.0 |
HP-UX >= 11.0 |
| NOTE: on RedHat Linux you *must* install an /etc/pam.d/sudo file. |
NOTE: on RedHat Linux and Fedora you *must* have an /etc/pam.d/sudo |
| You may either use the sample.pam file included with sudo or use |
file install. You may either use the sample.pam file included with |
| /etc/pam.d/su as a reference. On Solaris and HP-UX 11 systems |
sudo or use /etc/pam.d/su as a reference. The sample.pam file |
| you should check (and understand) the contents of /etc/pam.conf. |
included with sudo may or may not work with other Linux distributions. |
| Do a "man pam.conf" for more information and consider using the |
On Solaris and HP-UX 11 systems you should check (and understand) |
| "debug" option, if available, with your PAM libraries in |
the contents of /etc/pam.conf. Do a "man pam.conf" for more |
| /etc/pam.conf to obtain syslog output for debugging purposes. |
information and consider using the "debug" option, if available, |
| |
with your PAM libraries in /etc/pam.conf to obtain syslog output |
| |
for debugging purposes. |
| |
|
| --with-AFS |
--with-AFS |
| Enable AFS support with Kerberos authentication. Should work under |
Enable AFS support with Kerberos authentication. Should work under |
|
|
| link without it. |
link without it. |
| |
|
| --with-DCE |
--with-DCE |
| Enable DCE support. Known to work on HP-UX 9.X, 10.X, and 11.0. |
Enable DCE support for systems without PAM. Known to work on |
| The use of PAM is recommended for HP-UX 11.X systems, since PAM is |
HP-UX 9.X, 10.X, and 11.0; other systems may require source |
| fully implemented (this is not true for 10.20 and earlier versions). |
code and/or `configure' changes. On systems with PAM support |
| Check to see that your 11.X (or other) system uses DCE via PAM by |
(such as HP-UX 11.0 and higher, Solaris, FreeBSD and Linux), the |
| looking at /etc/pam.conf to see if "libpam_dce" libraries are |
DCE PAM module (usually libpam_dce) should be used instead. |
| referenced there. Other platforms may require source code and/or |
|
| `configure' changes; you should check to see if your platform can |
|
| access DCE via PAM before using this option. |
|
| |
|
| --with-logincap |
--with-logincap |
| Enable support for BSD login classes where available (OS-dependent). |
Enable support for BSD login classes where available (OS-dependent). |
|
|
| only the newer BSD authentication API is supported. If you |
only the newer BSD authentication API is supported. If you |
| don't have /usr/include/bsd_auth.h then you cannot use this. |
don't have /usr/include/bsd_auth.h then you cannot use this. |
| |
|
| |
--with-noexec[=PATH] |
| |
Enable support for the "noexec" functionality which prevents |
| |
a dynamically-linked program being run by sudo from executing |
| |
another program (think shell escapes). Please see the |
| |
"PREVENTING SHELL ESCAPES" section in the sudoers man page |
| |
for details. If specified, PATH should be a fully qualified |
| |
pathname, e.g. /usr/local/libexec/sudo_noexec.so. If PATH |
| |
is "no", noexec support will not be compiled in. The default |
| |
is to compile noexec support if libtool supports building |
| |
shared objects on your OS. |
| |
|
| --disable-root-mailer |
--disable-root-mailer |
| By default sudo will run the mailer as root when tattling |
By default sudo will run the mailer as root when tattling |
| on a user so as to prevent that user from killing the mailer. |
on a user so as to prevent that user from killing the mailer. |
|
|
| password is entered. You must either specify --with-insults or |
password is entered. You must either specify --with-insults or |
| enable insults in the sudoers file for this to have any effect. |
enable insults in the sudoers file for this to have any effect. |
| |
|
| |
--with-pc-insults |
| |
Replace politically incorrect insults with less objectionable ones. |
| |
|
| --with-secure-path[=PATH] |
--with-secure-path[=PATH] |
| Path used for every command run from sudo(8). If you don't trust the |
Path used for every command run from sudo(8). If you don't trust the |
| people running sudo to have a sane PATH environment variable you may |
people running sudo to have a sane PATH environment variable you may |
|
|
| Don't print the lecture the first time a user runs sudo. |
Don't print the lecture the first time a user runs sudo. |
| |
|
| --with-editor=PATH |
--with-editor=PATH |
| Specify the default editor path for use by visudo. This may be |
Specify the default editor path for use by visudo. This may be a |
| a single pathname or a colon-separated list of editors. In |
single pathname or a colon-separated list of editors. In the latter |
| the latter case, visudo will choose the editor that matches |
case, visudo will choose the editor that matches the user's VISUAL |
| the user's USER environment variable or the first editor in |
or EDITOR environment variables or the first editor in the list that |
| the list that exists. The default is the path to vi on your system. |
exists. The default is the path to vi on your system. |
| |
|
| --with-env-editor |
--with-env-editor |
| Makes visudo consult the EDITOR and VISUAL environment variables before |
Makes visudo consult the VISUAL and EDITOR environment variables before |
| falling back on the default editor list (as specified by --with-editor). |
falling back on the default editor list (as specified by --with-editor). |
| Note that this may create a security hole as it allows the user to |
Note that this may create a security hole as it allows the user to |
| run any arbitrary command as root without logging. A safer alternative |
run any arbitrary command as root without logging. A safer alternative |
| is to use a colon-separated list of editors with the --with-env-editor |
is to use a colon-separated list of editors with the --with-editor |
| option. visudo will then only use the EDITOR or VISUAL if they match |
option. visudo will then only use the VISUAL or EDITOR variables |
| a value specified via --with-editor. |
if they match a value specified via --with-editor. |
| |
|
| --disable-authentication |
--disable-authentication |
| By default, sudo requires the user to authenticate via a |
By default, sudo requires the user to authenticate via a |
|
|
| ================== |
================== |
| |
|
| OpenBSD < 2.2 and NetBSD < 1.2.1: |
OpenBSD < 2.2 and NetBSD < 1.2.1: |
| The fdesc filesystem has a bug wrt /dev/tty handling that |
The fdesc file system has a bug wrt /dev/tty handling that |
| causes sudo to hang at the password prompt. The workaround |
causes sudo to hang at the password prompt. The workaround |
| is to run configure with --with-password-timeout=0 |
is to run configure with --with-password-timeout=0 |
| |
|
|
|
| on Dynix, try using the native compiler (cc). You can do so |
on Dynix, try using the native compiler (cc). You can do so |
| by removing the config.cache file and then re-running configure |
by removing the config.cache file and then re-running configure |
| with the --with-CC=cc option. |
with the --with-CC=cc option. |
| |
|
| |
HP-UX: |
| |
The default C compiler shipped with HP-UX does not support creating |
| |
position independent code and so is unable to support sudo's "noexec" |
| |
functionality. You must use either the HP ANSI C compiler or gcc for |
| |
noexec to work. Binary packages of gcc are available from |
| |
http://hpux.connect.org.uk/ and http://hpux.cs.utah.edu/. |
![[BACK]](/icons/back.gif){kind=icon}
Return to INSTALL CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / sudo