version 1.6, 2000/11/21 17:58:43 |
version 1.6.4.1, 2002/01/18 16:14:44 |
|
|
Installation instructions for Sudo 1.6.3 |
Installation instructions for Sudo 1.6.5 |
======================================== |
======================================== |
|
|
Sudo uses a `configure' script to probe the capabilities and type |
Sudo uses a `configure' script to probe the capabilities and type |
|
|
building sudo. Before you actually run configure you |
building sudo. Before you actually run configure you |
should read the `Available configure options' section |
should read the `Available configure options' section |
to see if there are any special options you may want |
to see if there are any special options you may want |
or need. Also of interest may be the section on |
or need. |
`Mixing password authentication schemes'. |
|
|
|
4) Edit the configure-generated Makefile if you wish to |
4) Edit the configure-generated Makefile if you wish to |
change any of the default paths (alternately you could |
change any of the default paths (alternately you could |
|
|
--cache-file=FILE |
--cache-file=FILE |
Cache test results in FILE |
Cache test results in FILE |
|
|
--help |
--config-cache, -C |
|
Alias for `--cache-file=config.cache' |
|
|
|
--help, -h |
Print the usage/help info |
Print the usage/help info |
|
|
--no-create |
--no-create, -n |
Do not create output files |
Do not create output files |
|
|
--quiet, --silent |
--quiet, --silent, -q |
Do not print `checking...' messages |
Do not print `checking...' messages |
|
|
Directory and file names: |
Directory and file names: |
|
|
command line. |
command line. |
|
|
--with-bsdauth |
--with-bsdauth |
Enable support for BSD authentication on BSD/OS. This option |
Enable support for BSD authentication on BSD/OS and OpenBSD. |
assumes --with-logincap as well. It is not possible to mix |
This option assumes --with-logincap as well. It is not |
BSD authentication with other authentication methods (and there |
possible to mix BSD authentication with other authentication |
really should be no need to do so). Note that only the newer |
methods (and there really should be no need to do so). Note |
BSD authentication API is supported. If you don't have |
that only the newer BSD authentication API is supported. |
/usr/include/bsd_auth.h then you cannot use this. |
If you don't have /usr/include/bsd_auth.h then you cannot |
|
use this. |
|
|
|
--disable-root-mailer |
|
By default sudo will run the mailer as root when tattling |
|
on a user so as to prevent that user from killing the mailer. |
|
With this option, sudo will run the mailer as the invoking |
|
user which some people consider to be safer. |
|
|
|
--disable-saved-ids |
|
Disable use of POSIX saved IDs. Normally, sudo will try to |
|
use POSIX saved IDs if they are supported. However, some |
|
implementations are broken. If sudo aborts with an error like: |
|
"seteuid(0): Operation not permitted" |
|
you probably need to disable POSIX saved ID support. |
|
|
--disable-sia |
--disable-sia |
Disable SIA support. This is the "Security Integration Architecture" |
Disable SIA support. This is the "Security Integration Architecture" |
on Digital UNIX. If you disable SIA sudo will use its own |
on Digital UNIX. If you disable SIA sudo will use its own |
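Review bot: The new --disable-root-mailer entry explains the default (running the mailer as root prevents the user from killing it) but justifies the option itself only with "which some people consider to be safer". State the trade-off in the entry: with the option the mailer no longer runs with root privileges, and in exchange the invoking user is able to kill it, which is exactly what the default is described as preventing.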
|
|
on some SysV-based OS's using STREAMS. |
on some SysV-based OS's using STREAMS. |
|
|
--without-passwd |
--without-passwd |
This option authentication via the passwd (or shadow) file. |
This option excludes authentication via the passwd (or shadow) file. |
It should only be used when another, alternate, authentication |
It should only be used when another, alternate, authentication |
scheme is in use. |
scheme is in use. |
|
|
|
|
--with-logging=TYPE |
--with-logging=TYPE |
How you want to do your logging. You may choose "syslog", "file", |
How you want to do your logging. You may choose "syslog", "file", |
or "both". Setting this to "syslog" is nice because you can keep all |
or "both". Setting this to "syslog" is nice because you can keep all |
of your sudo logs in one place (see the FAQ). The default is "syslog". |
of your sudo logs in one place (see the sample.syslog.conf file). |
|
The default is "syslog". |
|
|
--with-logfac=FACILITY |
--with-logfac=FACILITY |
Determines which syslog facility to log to. This requires a 4.3BSD |
Determines which syslog facility to log to. This requires a 4.3BSD |
|
|
just like the original sudo(8). This is off by default. |
just like the original sudo(8). This is off by default. |
|
|
--with-all-insults |
--with-all-insults |
Include all the insult sets listed below. |
Include all the insult sets listed below. You must either specify |
|
--with-insults or enable insults in the sudoers file for this to |
|
have any effect. |
|
|
--with-classic-insults |
--with-classic-insults |
Uses insults from sudo "classic." If you just specify --with-insults |
Uses insults from sudo "classic." If you just specify --with-insults |
|
|
|
|
--with-hal-insults |
--with-hal-insults |
Uses 2001-like insults when an incorrect password is entered. |
Uses 2001-like insults when an incorrect password is entered. |
You must specify --with-insults as well for this to have any effect. |
You must either specify --with-insults or enable insults in the |
|
sudoers file for this to have any effect. |
|
|
--with-goons-insults |
--with-goons-insults |
Insults the user with lines from the "Goon Show" when an incorrect |
Insults the user with lines from the "Goon Show" when an incorrect |
password is entered. You must specify --with-insults as well for |
password is entered. You must either specify --with-insults or |
this to have any effect. |
enable insults in the sudoers file for this to have any effect. |
|
|
--with-secure-path[=path] |
--with-secure-path[=path] |
Path used for every command run from sudo(8). If you don't trust the |
Path used for every command run from sudo(8). If you don't trust the |
|
|
Don't print the lecture the first time a user runs sudo. |
Don't print the lecture the first time a user runs sudo. |
|
|
--with-editor=path |
--with-editor=path |
Specify the default editor used by visudo (and the only editor used |
Specify the default editor path for use by visudo. This may be |
unless --with-env-editor is specified). The default is the path |
a single pathname or a colon-separated list of editors. In |
to vi on your system. |
the latter case, visudo will choose the editor that matches |
|
the user's USER environment variable or the first editor in |
|
the list that exists. The default is the path to vi on your system. |
|
|
--with-env-editor |
--with-env-editor |
Makes visudo consult the EDITOR and VISUAL environment variables before |
Makes visudo consult the EDITOR and VISUAL environment variables before |
falling back on the default editor. Note that this may create a |
falling back on the default editor list (as specified by --with-editor). |
security hole as most editors allow a user to get a shell (which would |
Note that this may create a security hole as it allows the user to |
be a root shell and hence, no logging). |
run any arbitrary command as root without logging. A safer alternative |
|
is to use a colon-separated list of editors with the --with-env-editor |
|
option. visudo will then only use the EDITOR or VISUAL if they match |
|
a value specified via --with-editor. |
|
|
--disable-authentication |
--disable-authentication |
By default, sudo requires the user to authenticate via a |
By default, sudo requires the user to authenticate via a |
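Review bot: In the new --with-editor text, "the editor that matches the user's USER environment variable" looks like a slip for EDITOR (or VISUAL). The --with-env-editor entry directly below says visudo consults EDITOR and VISUAL and only uses them if they match a value specified via --with-editor, and USER holds a login name, not an editor path. Separately, the rewritten --with-env-editor paragraph drops the old caveat that most editors allow a user to get a shell, which would be a root shell with no logging. Consider keeping that sentence next to the recommendation of a colon-separated editor list, since the list restricts which editor is run but does not address what that editor allows.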
|
|
the "#define HAVE_LSEARCH 1" line in config.h and add lsearch.o |
the "#define HAVE_LSEARCH 1" line in config.h and add lsearch.o |
to the LIBOBJS line in the Makefile. |
to the LIBOBJS line in the Makefile. |
|
|
It is not possible to access the sudoers file via NFS on Linux. |
If you are using a Linux kernel older than 2.4 it is not possible |
This is due to a bug in the Linux client-side NFS implementation. |
to access the sudoers file via NFS. This is due to a bug in |
It has been fixed in the developement kernel but, as of Aug 27, |
the Linux client-side NFS implementation that has since been |
1999, the fixes have not made it into the mainstream kernel. |
fixed. There is a workaround on the sudo ftp site, linux_nfs.patch, |
There is a workaround on the sudo ftp site, linux_nfs.patch, |
if you need to NFS-mount sudoers on older Linux kernels. |
if you need to NFS-mount sudoers on Linux. |
|
|
|
Mac OS X: |
Mac OS X: |
It has been reported that for sudo to work on Mac OS X it must |
It has been reported that for sudo to work on Mac OS X it must |