--- version 1.14, 2003/04/01 15:47:51
+++ version 1.15, 2004/09/28 15:10:50

-Installation instructions for Sudo 1.6.7
+Installation instructions for Sudo 1.6.8
 ========================================

 Sudo uses a `configure' script to probe the capabilities and type

     does not use the Kerberos cookie scheme. Will not work for
     Kerberos V older than version 1.1.

+--with-ldap[=DIR]
+    Enable LDAP support. If specified, DIR is the base directory
+    containing the LDAP include and lib directories. Please see
+    README.LDAP for more information.
+
+--with-ldap-conf-file
+    Path to LDAP configuration file. If specified, sudo reads
+    this file instead of /etc/ldap.conf to locate the LDAP server.

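Review bot: --with-ldap-conf-file is listed without an argument form even though its description says a path is "specified"; the other path-taking options in this file show the form they take (--with-ldap[=DIR], --with-secure-path[=PATH], --with-editor=PATH), so the heading should read --with-ldap-conf-file=PATH and the sentence should say "If specified, sudo reads PATH instead of /etc/ldap.conf".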
 --with-authenticate
     Enable support for the AIX 4.x general authentication function.
     This will use the authentication scheme specified for the user


 --with-pam
     Enable PAM support. Tested on:
-        Redhat Linux 5.x, 6.0, and 6.1
-        Solaris 2.6 and 7
-        HP-UX 11.0
-    NOTE: on RedHat Linux you *must* install an /etc/pam.d/sudo file.
-    You may either use the sample.pam file included with sudo or use
-    /etc/pam.d/su as a reference. On Solaris and HP-UX 11 systems
-    you should check (and understand) the contents of /etc/pam.conf.
-    Do a "man pam.conf" for more information and consider using the
-    "debug" option, if available, with your PAM libraries in
-    /etc/pam.conf to obtain syslog output for debugging purposes.
+        Redhat Linux >= 5.x
+        Solaris >= 2.6
+        HP-UX >= 11.0
+    NOTE: on RedHat Linux and Fedora you *must* have an /etc/pam.d/sudo
+    file install. You may either use the sample.pam file included with
+    sudo or use /etc/pam.d/su as a reference. The sample.pam file
+    included with sudo may or may not work with other Linux distributions.
+    On Solaris and HP-UX 11 systems you should check (and understand)
+    the contents of /etc/pam.conf. Do a "man pam.conf" for more
+    information and consider using the "debug" option, if available,
+    with your PAM libraries in /etc/pam.conf to obtain syslog output
+    for debugging purposes.

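Review bot: "you *must* have an /etc/pam.d/sudo file install" in the rewritten NOTE should read "file installed". The new sentence that sample.pam "may or may not work with other Linux distributions" would be more useful if it pointed at the comparison already suggested one line earlier, i.e. check the modules named in sample.pam against those in the distribution's own /etc/pam.d/su before installing it as /etc/pam.d/sudo.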
 --with-AFS
     Enable AFS support with Kerberos authentication. Should work under

     link without it.

 --with-DCE
-    Enable DCE support. Known to work on HP-UX 9.X, 10.X, and 11.0.
-    The use of PAM is recommended for HP-UX 11.X systems, since PAM is
-    fully implemented (this is not true for 10.20 and earlier versions).
-    Check to see that your 11.X (or other) system uses DCE via PAM by
-    looking at /etc/pam.conf to see if "libpam_dce" libraries are
-    referenced there. Other platforms may require source code and/or
-    `configure' changes; you should check to see if your platform can
-    access DCE via PAM before using this option.
+    Enable DCE support for systems without PAM. Known to work on
+    HP-UX 9.X, 10.X, and 11.0; other systems may require source
+    code and/or `configure' changes. On systems with PAM support
+    (such as HP-UX 11.0 and higher, Solaris, FreeBSD and Linux), the
+    DCE PAM module (usually libpam_dce) should be used instead.

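Review bot: the rewrite drops the concrete check the old text gave (look in /etc/pam.conf for "libpam_dce" references) and replaces it with "should be used instead"; keep one sentence telling the reader how to confirm that DCE is reachable through PAM on their system before they decide against --with-DCE, since "usually libpam_dce" leaves that verification step implicit.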
 --with-logincap
     Enable support for BSD login classes where available (OS-dependent).

     only the newer BSD authentication API is supported. If you
     don't have /usr/include/bsd_auth.h then you cannot use this.

+--with-noexec[=PATH]
+    Enable support for the "noexec" functionality which prevents
+    a dynamically-linked program being run by sudo from executing
+    another program (think shell escapes). Please see the
+    "PREVENTING SHELL ESCAPES" section in the sudoers man page
+    for details. If specified, PATH should be a fully qualified
+    pathname, e.g. /usr/local/libexec/sudo_noexec.so. If PATH
+    is "no", noexec support will not be compiled in. The default
+    is to compile noexec support if libtool supports building
+    shared objects on your OS.

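Review bot: the --with-noexec text should spell out the limitation implied by its own wording: because the mechanism acts on "a dynamically-linked program", it offers nothing for statically linked commands, so administrators should not treat noexec as a replacement for limiting which commands sudoers grants. One sentence to that effect beside the sudoers man page reference would prevent over-reliance on the option.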
 --disable-root-mailer
     By default sudo will run the mailer as root when tattling
     on a user so as to prevent that user from killing the mailer.

     password is entered. You must either specify --with-insults or
     enable insults in the sudoers file for this to have any effect.

+--with-pc-insults
+    Replace politically incorrect insults with less objectionable ones.

 --with-secure-path[=PATH]
     Path used for every command run from sudo(8). If you don't trust the
     people running sudo to have a sane PATH environment variable you may

     Don't print the lecture the first time a user runs sudo.

 --with-editor=PATH
-    Specify the default editor path for use by visudo. This may be
-    a single pathname or a colon-separated list of editors. In
-    the latter case, visudo will choose the editor that matches
-    the user's USER environment variable or the first editor in
-    the list that exists. The default is the path to vi on your system.
+    Specify the default editor path for use by visudo. This may be a
+    single pathname or a colon-separated list of editors. In the latter
+    case, visudo will choose the editor that matches the user's VISUAL
+    or EDITOR environment variables or the first editor in the list that
+    exists. The default is the path to vi on your system.

 --with-env-editor
-    Makes visudo consult the EDITOR and VISUAL environment variables before
+    Makes visudo consult the VISUAL and EDITOR environment variables before
     falling back on the default editor list (as specified by --with-editor).
     Note that this may create a security hole as it allows the user to
     run any arbitrary command as root without logging. A safer alternative
-    is to use a colon-separated list of editors with the --with-env-editor
-    option. visudo will then only use the EDITOR or VISUAL if they match
-    a value specified via --with-editor.
+    is to use a colon-separated list of editors with the --with-editor
+    option. visudo will then only use the VISUAL or EDITOR variables
+    if they match a value specified via --with-editor.

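Review bot: the --with-editor and --with-env-editor descriptions now both say visudo matches VISUAL/EDITOR against the colon-separated list, but only the latter explains what happens when the variable names an editor outside the list; state in --with-editor that a value not in the list is ignored and the first existing list entry is used, so the reader can see why the list form closes the "run any arbitrary command as root" hole described under --with-env-editor.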
 --disable-authentication
     By default, sudo requires the user to authenticate via a

 ==================

 OpenBSD < 2.2 and NetBSD < 1.2.1:
-    The fdesc filesystem has a bug wrt /dev/tty handling that
+    The fdesc file system has a bug wrt /dev/tty handling that
     causes sudo to hang at the password prompt. The workaround
     is to run configure with --with-password-timeout=0


     on Dynix, try using the native compiler (cc). You can do so
     by removing the config.cache file and then re-running configure
     with the --with-CC=cc option.

+HP-UX:
+    The default C compiler shipped with HP-UX does not support creating
+    position independent code and so is unable to support sudo's "noexec"
+    functionality. You must use either the HP ANSI C compiler or gcc for
+    noexec to work. Binary packages of gcc are available from
+    http://hpux.connect.org.uk/ and http://hpux.cs.utah.edu/.