| version 1.15, 2004/09/28 15:10:50 |
version 1.16, 2007/07/26 16:10:15 |
|
|
| Installation instructions for Sudo 1.6.8 |
Installation instructions for Sudo 1.6.9 |
| ======================================== |
======================================== |
| |
|
| Sudo uses a `configure' script to probe the capabilities and type |
Sudo uses a `configure' script to probe the capabilities and type |
|
|
| or need. |
or need. |
| |
|
| 4) Edit the configure-generated Makefile if you wish to |
4) Edit the configure-generated Makefile if you wish to |
| change any of the default paths (alternately you could |
change any of the default paths (alternatively, you could |
| have changed the paths via options to `configure'. |
have changed the paths via options to `configure'. |
| |
|
| 5) Type `make' to compile sudo. If you are building sudo |
5) Type `make' to compile sudo. If you are building sudo |
|
|
| Specifies path to C compiler you wish to use. |
Specifies path to C compiler you wish to use. |
| |
|
| --with-incpath=DIR |
--with-incpath=DIR |
| Adds the specified directory (or directories) to CPPFLAGS |
Adds the specified directory (or directories) to CPPFLAGS |
| so configure and the compiler will look there for include |
so configure and the compiler will look there for include |
| files. Multiple directories may be specified as long as |
files. Multiple directories may be specified as long as |
| they are space separated. |
they are space separated. |
| Eg: --with-incpath="/usr/local/include /opt/include" |
Eg: --with-incpath="/usr/local/include /opt/include" |
| |
|
| --with-libpath=DIR |
--with-libpath=DIR |
| Adds the specified directory (or directories) to LDFLAGS |
Adds the specified directory (or directories) to LDFLAGS |
| so configure and the compiler will look there for libraries. |
so configure and the compiler will look there for libraries. |
| Multiple directories may be specified as with --with-incpath. |
Multiple directories may be specified as with --with-incpath. |
| |
|
| --with-rpath |
--with-rpath |
| Tells configure to use -Rpath in addition to -Lpath when |
Tells configure to use -Rpath in addition to -Lpath when |
|
|
| by default for Solaris and SVR4. |
by default for Solaris and SVR4. |
| |
|
| --with-blibpath[=PATH] |
--with-blibpath[=PATH] |
| Tells configure to construct a -blibpath argument to the |
Tells configure to construct a -blibpath argument to the |
| loader. If a PATH is specified, it will be used as the |
loader. If a PATH is specified, it will be used as the |
| base. Otherwise, "/usr/lib:/lib:/usr/local/lib" will be |
base. Otherwise, "/usr/lib:/lib:/usr/local/lib" will be |
| used for gcc and "/usr/lib:/lib" for non-gcc. Additional |
used for gcc and "/usr/lib:/lib" for non-gcc. Additional |
| library paths will be appended as needed by configure. |
library paths will be appended as needed by configure. |
| This option is only valid for AIX where it is on by default. |
This option is only valid for AIX where it is on by default. |
| |
|
| --with-libraries=LIBRARY |
--with-libraries=LIBRARY |
| Adds the specified library (or libaries) to SUDO_LIBS and |
Adds the specified library (or libaries) to SUDO_LIBS and |
| and VISUDO_LIBS so sudo will link against them. If the |
and VISUDO_LIBS so sudo will link against them. If the |
| library doesn't start with `-l' or end in `.a' or `.o' a |
library doesn't start with `-l' or end in `.a' or `.o' a |
| `-l' will be prepended to it. Multiple libraries may be |
`-l' will be prepended to it. Multiple libraries may be |
| specified as long as they are space separated. |
specified as long as they are space separated. |
| |
|
| --with-csops |
--with-csops |
| Add CSOps standard options. You probably aren't interested in this. |
Add CSOps standard options. You probably aren't interested in this. |
| |
|
| --with-skey[=DIR] |
--with-skey[=DIR] |
| Enable S/Key OTP (One Time Password) support. If specified, |
Enable S/Key OTP (One Time Password) support. If specified, |
| DIR should contain include and lib directories with skey.h |
DIR should contain include and lib directories with skey.h |
| and libskey.a respectively. |
and libskey.a respectively. |
| |
|
| --with-opie[=DIR] |
--with-opie[=DIR] |
| Enable NRL OPIE OTP (One Time Password) support. If specified, |
Enable NRL OPIE OTP (One Time Password) support. If specified, |
|
|
| (or at least the library and header files). |
(or at least the library and header files). |
| |
|
| --with-kerb4[=DIR] |
--with-kerb4[=DIR] |
| Enable Kerberos IV support. If specified, DIR is the base |
Enable Kerberos IV support. If specified, DIR is the base |
| directory containing the Kerberos IV include and lib dirs. |
directory containing the Kerberos IV include and lib dirs. |
| This uses Kerberos passphrases for authentication but does |
This uses Kerberos passphrases for authentication but does |
| not use the Kerberos cookie scheme. |
not use the Kerberos cookie scheme. |
| |
|
| --with-kerb5[=DIR] |
--with-kerb5[=DIR] |
| Enable Kerberos V support. If specified, DIR is the base |
Enable Kerberos V support. If specified, DIR is the base |
| directory containing the Kerberos V include and lib dirs. |
directory containing the Kerberos V include and lib dirs. |
| This This uses Kerberos passphrases for authentication but |
This This uses Kerberos passphrases for authentication but |
| does not use the Kerberos cookie scheme. Will not work for |
does not use the Kerberos cookie scheme. Will not work for |
| Kerberos V older than version 1.1. |
Kerberos V older than version 1.1. |
| |
|
| --with-ldap[=DIR] |
--with-ldap[=DIR] |
| Enable LDAP support. If specified, DIR is the base directory |
Enable LDAP support. If specified, DIR is the base directory |
| containing the LDAP include and lib directories. Please see |
containing the LDAP include and lib directories. Please see |
| README.LDAP for more information. |
README.LDAP for more information. |
| |
|
| --with-ldap-conf-file |
--with-ldap-conf-file=filename |
| Path to LDAP configuration file. If specified, sudo reads |
Path to LDAP configuration file. If specified, sudo reads |
| this file instead of /etc/ldap.conf to locate the LDAP server. |
this file instead of /etc/ldap.conf to locate the LDAP server. |
| |
|
| --with-authenticate |
--with-ldap-secret-file=filename |
| |
Path to LDAP secret password file. If specified, sudo uses |
| |
this file instead of /etc/ldap.secret to read the secret password |
| |
when rootbinddn is specified in the ldap config file. |
| |
|
| |
--with-aixauth |
| Enable support for the AIX 4.x general authentication function. |
Enable support for the AIX 4.x general authentication function. |
| This will use the authentication scheme specified for the user |
This will use the authentication scheme specified for the user |
| on the machine. |
on the machine. It is on by default for AIX systems that |
| |
support it. |
| |
|
| --with-pam |
--with-pam |
| Enable PAM support. Tested on: |
Enable PAM support. This is on by default for Darwin, FreeBSD, |
| Redhat Linux >= 5.x |
Linux, Solaris and HP-UX (version 11 and higher). |
| Solaris >= 2.6 |
|
| HP-UX >= 11.0 |
NOTE: on RedHat Linux and Fedora you *must* have an /etc/pam.d/sudo |
| NOTE: on RedHat Linux and Fedora you *must* have an /etc/pam.d/sudo |
file installed. You may either use the sample.pam file included with |
| file install. You may either use the sample.pam file included with |
|
| sudo or use /etc/pam.d/su as a reference. The sample.pam file |
sudo or use /etc/pam.d/su as a reference. The sample.pam file |
| included with sudo may or may not work with other Linux distributions. |
included with sudo may or may not work with other Linux distributions. |
| On Solaris and HP-UX 11 systems you should check (and understand) |
On Solaris and HP-UX 11 systems you should check (and understand) |
|
|
| DCE PAM module (usually libpam_dce) should be used instead. |
DCE PAM module (usually libpam_dce) should be used instead. |
| |
|
| --with-logincap |
--with-logincap |
| Enable support for BSD login classes where available (OS-dependent). |
This adds support for login classes specified in /etc/login.conf. |
| This adds support for the login classes specified in /etc/login.conf. |
It is enabled by default on BSD/OS, Darwin, FreeBSD, OpenBSD and |
| By default, a login class is not applied unless the 'use_loginclass' |
NetBSD (where available). By default, a login class is not applied |
| option is defined in sudoers or the user specifies a class on the |
unless the 'use_loginclass' option is defined in sudoers or the user |
| command line. |
specifies a class on the command line. |
| |
|
| |
--with-project |
| |
Enable support for Solaris project resource limits. |
| |
This option is only available on Solaris 9 and above. |
| |
|
| --with-bsdauth |
--with-bsdauth |
| Enable support for BSD authentication on BSD/OS and OpenBSD. |
Enable support for BSD authentication. This is the default |
| This option implies --with-logincap. It is not possible |
for BSD/OS and OpenBSD systems that support it. |
| to mix BSD authentication with other authentication methods |
It is not possible to mix BSD authentication with other |
| (and there really should be no need to do so). Note that |
authentication methods (and there really should be no need |
| only the newer BSD authentication API is supported. If you |
to do so). Note that only the newer BSD authentication API |
| don't have /usr/include/bsd_auth.h then you cannot use this. |
is supported. If you don't have /usr/include/bsd_auth.h |
| |
then you cannot use this. |
| |
|
| --with-noexec[=PATH] |
--with-noexec[=PATH] |
| Enable support for the "noexec" functionality which prevents |
Enable support for the "noexec" functionality which prevents |
| a dynamically-linked program being run by sudo from executing |
a dynamically-linked program being run by sudo from executing |
| another program (think shell escapes). Please see the |
another program (think shell escapes). Please see the |
| "PREVENTING SHELL ESCAPES" section in the sudoers man page |
"PREVENTING SHELL ESCAPES" section in the sudoers man page |
| for details. If specified, PATH should be a fully qualified |
for details. If specified, PATH should be a fully qualified |
| pathname, e.g. /usr/local/libexec/sudo_noexec.so. If PATH |
pathname, e.g. /usr/local/libexec/sudo_noexec.so. If PATH |
| is "no", noexec support will not be compiled in. The default |
is "no", noexec support will not be compiled in. The default |
| is to compile noexec support if libtool supports building |
is to compile noexec support if libtool supports building |
| shared objects on your OS. |
shared objects on your OS. |
| |
|
| --disable-root-mailer |
--disable-root-mailer |
| By default sudo will run the mailer as root when tattling |
By default sudo will run the mailer as root when tattling |
| on a user so as to prevent that user from killing the mailer. |
on a user so as to prevent that user from killing the mailer. |
| With this option, sudo will run the mailer as the invoking |
With this option, sudo will run the mailer as the invoking |
| user which some people consider to be safer. |
user which some people consider to be safer. |
| |
|
| --disable-saved-ids |
|
| Disable use of POSIX saved IDs. Normally, sudo will try |
|
| to use POSIX saved IDs if they are supported. However, |
|
| some implementations are broken. |
|
| |
|
| --disable-setreuid |
--disable-setreuid |
| Disable use of the setreuid() function for operating systems |
Disable use of the setreuid() function for operating systems |
| where it is broken. 4.4BSD has setreuid() but it doesn't |
where it is broken. Mac OS X has setreuid() but it doesn't |
| really work. |
really work. |
| |
|
| --disable-setresuid |
--disable-setresuid |
| Disable use of the setresuid() function for operating systems |
Disable use of the setresuid() function for operating systems |
| where it is broken (none currently known). |
where it is broken (none currently known). |
| |
|
| --disable-sia |
--disable-sia |
| Disable SIA support. This is the "Security Integration |
Disable SIA support. This is the "Security Integration |
| Architecture" on Digital UNIX. If you disable SIA sudo will |
Architecture" on Digital UNIX. If you disable SIA sudo will |
| use its own authentication routines. |
use its own authentication routines. |
| |
|
| --disable-shadow |
--disable-shadow |
| Disable shadow password support. Normally, sudo will compile |
Disable shadow password support. Normally, sudo will compile |
| in shadow password support and use a shadow password if it |
in shadow password support and use a shadow password if it |
| exists. |
exists. |
| |
|
| --with-sudoers-mode=MODE |
--with-sudoers-mode=MODE |
| File mode for the sudoers file (octal). Note that if you |
File mode for the sudoers file (octal). Note that if you |
| wish to NFS-mount the sudoers file this must be group |
wish to NFS-mount the sudoers file this must be group |
| readable. Also note that this is actually set in the |
readable. Also note that this is actually set in the |
| Makefile. The default mode is 0440. |
Makefile. The default mode is 0440. |
| |
|
| --with-sudoers-uid=UID |
--with-sudoers-uid=UID |
| User id that "owns" the sudoers file. Note that this is |
User id that "owns" the sudoers file. Note that this is |
| the numeric id, *not* the symbolic name. Also note that |
the numeric id, *not* the symbolic name. Also note that |
| this is actually set in the Makefile. The default is 0. |
this is actually set in the Makefile. The default is 0. |
| |
|
| --with-sudoers-gid=GID |
--with-sudoers-gid=GID |
| Group id that "owns" the sudoers file. Note that this is |
Group id that "owns" the sudoers file. Note that this is |
| the numeric id, *not* the symbolic name. Also note that |
the numeric id, *not* the symbolic name. Also note that |
| this is actually set in the Makefile. The default is 0. |
this is actually set in the Makefile. The default is 0. |
| |
|
| --with-execv |
|
| Use execv() to exec the command instead of execvp(). I can't think of |
|
| a reason to actually do this since execvp() is passed a fully qualified |
|
| pathname but someone might thoroughly distrust execvp(). Note that if |
|
| you define this you lose the ability to exec scripts that are missing |
|
| the '#!/bin/sh' cookie (like /bin/kill on SunOS and /etc/fastboot on |
|
| 4.3BSD). This is off by default. |
|
| |
|
| --without-interfaces |
--without-interfaces |
| This option keeps sudo from trying to glean the ip address |
This option keeps sudo from trying to glean the ip address |
| from each attached ethernet interface. It is only useful |
from each attached ethernet interface. It is only useful |
| on a machine where sudo's interface reading support does |
on a machine where sudo's interface reading support does |
| not work, which may be the case on some SysV-based OS's |
not work, which may be the case on some SysV-based OS's |
| using STREAMS. |
using STREAMS. |
| |
|
| --without-passwd |
--without-passwd |
| This option excludes authentication via the passwd (or |
This option excludes authentication via the passwd (or |
| shadow) file. It should only be used when another, alternate, |
shadow) file. It should only be used when another, alternative, |
| authentication scheme is in use. |
authentication scheme is in use. |
| |
|
| --with-otp-only |
--with-otp-only |
| This option is now just an alias for --without-passwd. |
This option is now just an alias for --without-passwd. |
| |
|
| --with-stow |
--with-stow |
| Properly handle GNU stow packaging. The sudoers file will |
Properly handle GNU stow packaging. The sudoers file will |
| physically live in ${prefix}/etc and /etc/sudoers will be |
physically live in ${prefix}/etc and /etc/sudoers will be |
| a symbolic link. |
a symbolic link. |
| |
|
| The following options are also configurable at runtime: |
The following options are also configurable at runtime: |
| |
|
| --with-long-otp-prompt |
--with-long-otp-prompt |
| When validating with a One Time Password scheme (S/Key or |
When validating with a One Time Password scheme (S/Key or |
| OPIE), a two-line prompt is used to make it easier to cut |
OPIE), a two-line prompt is used to make it easier to cut |
| and paste the challenge to a local window. It's not as |
and paste the challenge to a local window. It's not as |
| pretty as the default but some people find it more convenient. |
pretty as the default but some people find it more convenient. |
| |
|
| --with-logging=TYPE |
--with-logging=TYPE |
| How you want to do your logging. You may choose "syslog", |
How you want to do your logging. You may choose "syslog", |
| "file", or "both". Setting this to "syslog" is nice because |
"file", or "both". Setting this to "syslog" is nice because |
| you can keep all of your sudo logs in one place (see the |
you can keep all of your sudo logs in one place (see the |
| sample.syslog.conf file). The default is "syslog". |
sample.syslog.conf file). The default is "syslog". |
| |
|
| --with-logfac=FACILITY |
--with-logfac=FACILITY |
| Determines which syslog facility to log to. This requires |
Determines which syslog facility to log to. This requires |
| a 4.3BSD or later version of syslog. You can still set |
a 4.3BSD or later version of syslog. You can still set |
| this for ancient syslogs but it will have no effect. The |
this for ancient syslogs but it will have no effect. The |
| following facilities are supported: authpriv (if your OS |
following facilities are supported: authpriv (if your OS |
| supports it), auth, daemon, user, local0, local1, local2, |
supports it), auth, daemon, user, local0, local1, local2, |
| local3, local4, local5, local6, and local7. |
local3, local4, local5, local6, and local7. |
| |
|
| --with-goodpri=PRIORITY |
--with-goodpri=PRIORITY |
| Determines which syslog priority to log successfully |
Determines which syslog priority to log successfully |
| authenticated commands. The following priorities are |
authenticated commands. The following priorities are |
| supported: alert, crit, debug, emerg, err, info, notice, |
supported: alert, crit, debug, emerg, err, info, notice, |
| and warning. |
and warning. |
| |
|
| --with-badpri=PRIORITY |
--with-badpri=PRIORITY |
| Determines which syslog priority to log unauthenticated |
Determines which syslog priority to log unauthenticated |
| commands and errors. The following priorities are supported: |
commands and errors. The following priorities are supported: |
| alert, crit, debug, emerg, err, info, notice, and warning. |
alert, crit, debug, emerg, err, info, notice, and warning. |
| |
|
| --with-logpath=PATH |
--with-logpath=PATH |
| Override the default location of the sudo log file and use |
Override the default location of the sudo log file and use |
| "path" instead. By default will use /var/log/sudo.log if |
"path" instead. By default will use /var/log/sudo.log if |
| there is a /var/log dir, falling back to /var/adm/sudo.log |
there is a /var/log dir, falling back to /var/adm/sudo.log |
| or /usr/adm/sudo.log if not. |
or /usr/adm/sudo.log if not. |
| |
|
| --with-loglen=NUMBER |
--with-loglen=NUMBER |
| Number of characters per line for the file log. This is only used if |
Number of characters per line for the file log. This is only used if |
|
|
| The default is "Sorry, try again." unless insults are turned on. |
The default is "Sorry, try again." unless insults are turned on. |
| |
|
| --with-fqdn |
--with-fqdn |
| Define this if you want to put fully qualified hostnames in the sudoers |
Define this if you want to put fully qualified hostnames in the sudoers |
| file. Ie: instead of myhost you would use myhost.mydomain.edu. You may |
file. Ie: instead of myhost you would use myhost.mydomain.edu. You may |
| still use the short form if you wish (and even mix the two). Beware |
still use the short form if you wish (and even mix the two). Beware |
| that turning FQDN on requires sudo to make DNS lookups which may make |
that turning FQDN on requires sudo to make DNS lookups which may make |
|
|
| if they match a value specified via --with-editor. |
if they match a value specified via --with-editor. |
| |
|
| --disable-authentication |
--disable-authentication |
| By default, sudo requires the user to authenticate via a |
By default, sudo requires the user to authenticate via a |
| password or similar means. This options causes sudo to |
password or similar means. This options causes sudo to |
| *not* require authentication. It is possible to turn |
*not* require authentication. It is possible to turn |
| authentication back on in sudoers via the PASSWD attribute. |
authentication back on in sudoers via the PASSWD attribute. |
| |
|
| --disable-root-sudo |
--disable-root-sudo |
| Don't let root run sudo. This can be used to prevent people from |
Don't let root run sudo. This can be used to prevent people from |
|
|
| Solaris. You can also get them from various places on the |
Solaris. You can also get them from various places on the |
| net, including http://www.sunfreeware.com/ |
net, including http://www.sunfreeware.com/ |
| NOTE: sudo will *not* build with the sun C compiler in BSD |
NOTE: sudo will *not* build with the sun C compiler in BSD |
| compatibility mode (/usr/ucb/cc). Sudo is designed to |
compatibility mode (/usr/ucb/cc). Sudo is designed to |
| compile with the standard C compiler (or gcc) and will |
compile with the standard C compiler (or gcc) and will |
| not build correctly with /usr/ucb/cc. You can use the |
not build correctly with /usr/ucb/cc. You can use the |
| `--with-CC' option to point `configure' to the non-ucb |
`--with-CC' option to point `configure' to the non-ucb |
| compiler if it is not the first cc in your path. Some |
compiler if it is not the first cc in your path. Some |
| sites link /usr/ucb/cc to gcc; configure will not notice |
sites link /usr/ucb/cc to gcc; configure will not notice |
| this an still refuse to use /usr/ucb/cc, so make sure gcc |
this an still refuse to use /usr/ucb/cc, so make sure gcc |
| is also in your path if your site is setup this way. |
is also in your path if your site is setup this way. |
| Also: Many versions of Solaris come with a broken syslogd. |
Also: Many versions of Solaris come with a broken syslogd. |
| If you have having problems with sudo logging you should |
If you have having problems with sudo logging you should |
| make sure you have the latest syslogd patch installed. |
make sure you have the latest syslogd patch installed. |
|
|
| |
|
| Digital UNIX: |
Digital UNIX: |
| By default, sudo will use SIA (Security Integration Architecture) |
By default, sudo will use SIA (Security Integration Architecture) |
| to validate a user. If you want to use an alternate authentication |
to validate a user. If you want to use an alternative authentication |
| method that does not go through SIA, you need to use the |
method that does not go through SIA, you need to use the |
| --disable-sia option to configure. If you use gcc to compile |
--disable-sia option to configure. If you use gcc to compile |
| you will get warnings when building interfaces.c. These are |
you will get warnings when building interfaces.c. These are |
|
|
| edit that. |
edit that. |
| |
|
| Linux: |
Linux: |
| NOTE: Reportedly, Linux's execvp(3) doesn't always execute |
PAM and LDAP headers are not installed by default on most Linux |
| scripts that lack the "#!/some/shell" header correctly. |
systems. You will need to install the "pav-dev" package if |
| The workaround is to give all your scripts a proper |
/usr/include/security/pam_appl.h is not present on your system. |
| header. |
If you wish to build with LDAP support you will also need the |
| |
openldap-devel package. |
| |
|
| Versions of glibc 2.x previous to 2.0.7 have a broken lsearch(). |
Versions of glibc 2.x previous to 2.0.7 have a broken lsearch(). |
| You will need to either upgrade to glibc-2.0.7 or use sudo's |
You will need to either upgrade to glibc-2.0.7 or use sudo's |
| version of lsearch(). To use sudo's lsearch(), comment out |
version of lsearch(). To use sudo's lsearch(), comment out |
|
|
| fixed. There is a workaround on the sudo ftp site, linux_nfs.patch, |
fixed. There is a workaround on the sudo ftp site, linux_nfs.patch, |
| if you need to NFS-mount sudoers on older Linux kernels. |
if you need to NFS-mount sudoers on older Linux kernels. |
| |
|
| Linux kernels 2.2.16-2.2.19 appear to have broken POSIX saved |
|
| ID support. You must run configure with the --disable-saved-ids |
|
| flag to get a working sudo. |
|
| |
|
| Mac OS X: |
Mac OS X: |
| It has been reported that for sudo to work on Mac OS X it must |
It has been reported that for sudo to work on Mac OS X it must |
| either be built with the --with-password-timeout=0 option or the |
either be built with the --with-password-timeout=0 option or the |
|
|
| functionality. You must use either the HP ANSI C compiler or gcc for |
functionality. You must use either the HP ANSI C compiler or gcc for |
| noexec to work. Binary packages of gcc are available from |
noexec to work. Binary packages of gcc are available from |
| http://hpux.connect.org.uk/ and http://hpux.cs.utah.edu/. |
http://hpux.connect.org.uk/ and http://hpux.cs.utah.edu/. |
| |
|
| |
SunOS 4.x: |
| |
The /bin/sh shipped with SunOS blows up while running configure. |
| |
You can work around this by installalling bash or zsh. If you |
| |
have bash or zsh in your path, configure will use it instead |
| |
automatically. |
![[BACK]](/icons/back.gif){kind=icon}
Return to INSTALL CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / sudo