version 1.15, 2004/09/28 15:10:50 (Sudo 1.6.8) / version 1.16, 2007/07/26 16:10:15 (Sudo 1.6.9)

Installation instructions for Sudo 1.6.8 and 1.6.9
==================================================

Where the two versions of this file differ, the 1.6.9 text is given;
material that appears only in the 1.6.8 version is marked "(1.6.8 only)".

Sudo uses a `configure' script to probe the capabilities and type

or need.

4) Edit the configure-generated Makefile if you wish to
   change any of the default paths (alternatively, you could
   have changed the paths via options to `configure').

5) Type `make' to compile sudo.  If you are building sudo

--with-CC=PATH
    Specifies path to C compiler you wish to use.

--with-incpath=DIR
    Adds the specified directory (or directories) to CPPFLAGS
    so configure and the compiler will look there for include
    files.  Multiple directories may be specified as long as
    they are space separated.
    E.g.: --with-incpath="/usr/local/include /opt/include"

--with-libpath=DIR
    Adds the specified directory (or directories) to LDFLAGS
    so configure and the compiler will look there for libraries.
    Multiple directories may be specified as with --with-incpath.

--with-rpath
    Tells configure to use -Rpath in addition to -Lpath when

    by default for Solaris and SVR4.

--with-blibpath[=PATH]
    Tells configure to construct a -blibpath argument to the
    loader.  If a PATH is specified, it will be used as the
    base.  Otherwise, "/usr/lib:/lib:/usr/local/lib" will be
    used for gcc and "/usr/lib:/lib" for non-gcc.  Additional
    library paths will be appended as needed by configure.
    This option is only valid for AIX where it is on by default.

--with-libraries=LIBRARY
    Adds the specified library (or libraries) to SUDO_LIBS and
    VISUDO_LIBS so sudo will link against them.  If the
    library doesn't start with `-l' or end in `.a' or `.o' a
    `-l' will be prepended to it.  Multiple libraries may be
    specified as long as they are space separated.

--with-csops
    Add CSOps standard options.  You probably aren't interested in this.

--with-skey[=DIR]
    Enable S/Key OTP (One Time Password) support.  If specified,
    DIR should contain include and lib directories with skey.h
    and libskey.a respectively.

--with-opie[=DIR]
    Enable NRL OPIE OTP (One Time Password) support.  If specified,

    (or at least the library and header files).

--with-kerb4[=DIR]
    Enable Kerberos IV support.  If specified, DIR is the base
    directory containing the Kerberos IV include and lib dirs.
    This uses Kerberos passphrases for authentication but does
    not use the Kerberos cookie scheme.

--with-kerb5[=DIR]
    Enable Kerberos V support.  If specified, DIR is the base
    directory containing the Kerberos V include and lib dirs.
    This uses Kerberos passphrases for authentication but
    does not use the Kerberos cookie scheme.  Will not work for
    Kerberos V older than version 1.1.

--with-ldap[=DIR]
    Enable LDAP support.  If specified, DIR is the base directory
    containing the LDAP include and lib directories.  Please see
    README.LDAP for more information.

--with-ldap-conf-file=filename
    Path to LDAP configuration file.  If specified, sudo reads
    this file instead of /etc/ldap.conf to locate the LDAP server.

--with-ldap-secret-file=filename
    Path to LDAP secret password file.  If specified, sudo uses
    this file instead of /etc/ldap.secret to read the secret password
    when rootbinddn is specified in the ldap config file.

--with-aixauth  (called --with-authenticate in 1.6.8)
    Enable support for the AIX 4.x general authentication function.
    This will use the authentication scheme specified for the user
    on the machine.  It is on by default for AIX systems that
    support it.

--with-pam
    Enable PAM support.  This is on by default for Darwin, FreeBSD,
    Linux, Solaris and HP-UX (version 11 and higher).  (The 1.6.8
    version of this file instead lists PAM support as tested on
    Redhat Linux >= 5.x, Solaris >= 2.6 and HP-UX >= 11.0.)

    NOTE: on RedHat Linux and Fedora you *must* have an /etc/pam.d/sudo
    file installed.  You may either use the sample.pam file included with
    sudo or use /etc/pam.d/su as a reference.  The sample.pam file
    included with sudo may or may not work with other Linux distributions.
    On Solaris and HP-UX 11 systems you should check (and understand)

    DCE PAM module (usually libpam_dce) should be used instead.

--with-logincap
    Enable support for BSD login classes where available (OS-dependent).
    This adds support for the login classes specified in /etc/login.conf.
    It is enabled by default on BSD/OS, Darwin, FreeBSD, OpenBSD and
    NetBSD (where available).  By default, a login class is not applied
    unless the 'use_loginclass' option is defined in sudoers or the user
    specifies a class on the command line.

--with-project
    Enable support for Solaris project resource limits.
    This option is only available on Solaris 9 and above.

--with-bsdauth
    Enable support for BSD authentication.  This is the default
    for BSD/OS and OpenBSD systems that support it.  (The 1.6.8
    version of this file also notes that this option implies
    --with-logincap.)  It is not possible to mix BSD authentication
    with other authentication methods (and there really should be
    no need to do so).  Note that only the newer BSD authentication
    API is supported.  If you don't have /usr/include/bsd_auth.h
    then you cannot use this.

--with-noexec[=PATH]
    Enable support for the "noexec" functionality which prevents
    a dynamically-linked program being run by sudo from executing
    another program (think shell escapes).  Because it works by
    preloading a shared object into the command, it offers no
    protection for statically-linked programs.  Please see the
    "PREVENTING SHELL ESCAPES" section in the sudoers man page
    for details.  If specified, PATH should be a fully qualified
    pathname, e.g. /usr/local/libexec/sudo_noexec.so.  If PATH
    is "no", noexec support will not be compiled in.  The default
    is to compile noexec support if libtool supports building
    shared objects on your OS.

--disable-root-mailer
    By default sudo will run the mailer as root when tattling
    on a user so as to prevent that user from killing the mailer.
    With this option, sudo will run the mailer as the invoking
    user which some people consider to be safer.

--disable-saved-ids  (1.6.8 only)
    Disable use of POSIX saved IDs.  Normally, sudo will try
    to use POSIX saved IDs if they are supported.  However,
    some implementations are broken.

--disable-setreuid
    Disable use of the setreuid() function for operating systems
    where it is broken.  Mac OS X has setreuid() but it doesn't
    really work.  (The 1.6.8 version of this file names 4.4BSD here.)

--disable-setresuid
    Disable use of the setresuid() function for operating systems
    where it is broken (none currently known).

--disable-sia
    Disable SIA support.  This is the "Security Integration
    Architecture" on Digital UNIX.  If you disable SIA sudo will
    use its own authentication routines.

--disable-shadow
    Disable shadow password support.  Normally, sudo will compile
    in shadow password support and use a shadow password if it
    exists.

--with-sudoers-mode=MODE
    File mode for the sudoers file (octal).  Note that if you
    wish to NFS-mount the sudoers file this must be group
    readable.  Also note that this is actually set in the
    Makefile.  The default mode is 0440.

--with-sudoers-uid=UID
    User id that "owns" the sudoers file.  Note that this is
    the numeric id, *not* the symbolic name.  Also note that
    this is actually set in the Makefile.  The default is 0.

--with-sudoers-gid=GID
    Group id that "owns" the sudoers file.  Note that this is
    the numeric id, *not* the symbolic name.  Also note that
    this is actually set in the Makefile.  The default is 0.

    sudo checks the owner, group and mode of the sudoers file at
    run time against these compiled-in values and refuses to run
    when they do not match, so a stray chmod or chown of the file
    after installation will lock sudo out until it is corrected.
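
    As an added example (not part of the sudo distribution), the
    following POSIX shell function checks an installed sudoers file
    against the mode, uid and gid that were compiled in via the three
    options above; with no arguments it assumes sudo's defaults
    (/etc/sudoers, 0440, 0, 0).  It uses the GNU stat(1) `-c' syntax,
    which is an assumption about the host; BSD stat would need
    `stat -f '%Lp %u %g'' instead.

```shell
#!/bin/sh
# Added example, not from the sudo sources: verify that a sudoers file
# matches the ownership and mode sudo was configured with
# (--with-sudoers-mode / --with-sudoers-uid / --with-sudoers-gid).
# Assumes GNU stat(1); on BSD replace the stat call with
#   stat -f '%Lp %u %g' "$file"

# strip_zeros MODE -> MODE without leading zeros, so "0440" and "440" compare equal
strip_zeros() {
    printf '%s\n' "$1" | sed 's/^0*//'
}

# check_sudoers [FILE [MODE [UID [GID]]]]
# Returns 0 when FILE has exactly the expected mode, owner and group,
# 1 otherwise (each mismatch is reported on stderr).  Defaults are
# sudo's own: /etc/sudoers, mode 0440, uid 0, gid 0.
check_sudoers() {
    file=${1:-/etc/sudoers}
    want_mode=$(strip_zeros "${2:-0440}")
    want_uid=${3:-0}
    want_gid=${4:-0}

    # %a = permission bits in octal, %u = numeric owner, %g = numeric group
    stat_out=$(stat -c '%a %u %g' "$file" 2>/dev/null) || {
        echo "$file: cannot stat" >&2
        return 1
    }
    set -- $stat_out
    have_mode=$(strip_zeros "$1"); have_uid=$2; have_gid=$3

    rc=0
    if [ "$have_uid" != "$want_uid" ]; then
        echo "$file: owned by uid $have_uid, sudo expects uid $want_uid" >&2
        rc=1
    fi
    if [ "$have_gid" != "$want_gid" ]; then
        echo "$file: group is gid $have_gid, sudo expects gid $want_gid" >&2
        rc=1
    fi
    if [ "$have_mode" != "$want_mode" ]; then
        echo "$file: mode is 0$have_mode, sudo expects 0$want_mode" >&2
        rc=1
    fi
    return $rc
}

# Stand-alone use: pass FILE MODE UID GID (or nothing for the defaults).
# The && list keeps a failed check from aborting a script run under set -e.
check_sudoers "$@" && echo "${1:-/etc/sudoers}: ownership and mode are as configured"
```

    Run it as `sh check_sudoers.sh /etc/sudoers 0440 0 0' after
    installing, or with the values you passed to configure if you
    changed them (for example a non-zero gid for an NFS-mounted,
    group-readable sudoers).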

--with-execv  (1.6.8 only)
    Use execv() to exec the command instead of execvp().  I can't think of
    a reason to actually do this since execvp() is passed a fully qualified
    pathname but someone might thoroughly distrust execvp().  Note that if
    you define this you lose the ability to exec scripts that are missing
    the '#!/bin/sh' cookie (like /bin/kill on SunOS and /etc/fastboot on
    4.3BSD).  This is off by default.

--without-interfaces
    This option keeps sudo from trying to glean the IP address
    from each attached ethernet interface.  It is only useful
    on a machine where sudo's interface reading support does
    not work, which may be the case on some SysV-based OS's
    using STREAMS.

--without-passwd
    This option excludes authentication via the passwd (or
    shadow) file.  It should only be used when another, alternative,
    authentication scheme is in use.

--with-otp-only
    This option is now just an alias for --without-passwd.

--with-stow
    Properly handle GNU stow packaging.  The sudoers file will
    physically live in ${prefix}/etc and /etc/sudoers will be
    a symbolic link.

The following options are also configurable at runtime:

--with-long-otp-prompt
    When validating with a One Time Password scheme (S/Key or
    OPIE), a two-line prompt is used to make it easier to cut
    and paste the challenge to a local window.  It's not as
    pretty as the default but some people find it more convenient.

--with-logging=TYPE
    How you want to do your logging.  You may choose "syslog",
    "file", or "both".  Setting this to "syslog" is nice because
    you can keep all of your sudo logs in one place (see the
    sample.syslog.conf file).  The default is "syslog".

--with-logfac=FACILITY
    Determines which syslog facility to log to.  This requires
    a 4.3BSD or later version of syslog.  You can still set
    this for ancient syslogs but it will have no effect.  The
    following facilities are supported: authpriv (if your OS
    supports it), auth, daemon, user, local0, local1, local2,
    local3, local4, local5, local6, and local7.

--with-goodpri=PRIORITY
    Determines which syslog priority to log successfully
    authenticated commands.  The following priorities are
    supported: alert, crit, debug, emerg, err, info, notice,
    and warning.

--with-badpri=PRIORITY
    Determines which syslog priority to log unauthenticated
    commands and errors.  The following priorities are supported:
    alert, crit, debug, emerg, err, info, notice, and warning.
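
    To show what the two priorities separate, here is an added
    example (not sudo's own code) that sorts sudo syslog records
    into the goodpri and badpri classes.  A successfully
    authenticated command is logged as
    `USER : TTY=... ; PWD=... ; USER=... ; COMMAND=...', while a
    failure puts the reason (for example `3 incorrect password
    attempts' or `command not allowed') in front of the TTY field.
    The log lines in the block are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the sudo distribution: split sudo syslog
# records into the "good" (authenticated command) and "bad" (failed
# authentication, command not allowed, errors) classes that
# --with-goodpri and --with-badpri assign syslog priorities to.

# Constructed sample log lines in sudo's syslog format (plus one
# unrelated sshd line to show that non-sudo records are skipped).
sample_sudo_log() {
    cat <<'EOF'
Jul 26 16:10:15 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
Jul 26 16:10:42 host sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/sh
Jul 26 16:11:03 host sudo:    carol : command not allowed ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/passwd
Jul 26 16:11:30 host sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 50022 ssh2
Jul 26 16:12:01 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/visudo
EOF
}

# classify_sudo_log < LOG -> one line per sudo record: "GOOD user" or "BAD user reason"
# A record is GOOD when the text after "user : " starts with TTY=;
# anything else in that position is the failure reason sudo logged.
classify_sudo_log() {
    awk '
        # match the syslog tag, with or without a [pid] suffix
        match($0, /sudo(\[[0-9]+\])?: +/) {
            rest = substr($0, RSTART + RLENGTH)
            sep = index(rest, " : ")
            if (sep == 0) next
            user = substr(rest, 1, sep - 1)
            fields = substr(rest, sep + 3)
            if (fields ~ /^TTY=/) {
                print "GOOD", user
            } else {
                reason = fields
                sub(/ ; .*/, "", reason)   # keep only the text before the TTY field
                print "BAD", user, reason
            }
        }'
}

# count_bad_records < LOG -> number of failure records (the badpri class)
count_bad_records() {
    classify_sudo_log | awk '/^BAD/ { n++ } END { print n + 0 }'
}

sample_sudo_log | classify_sudo_log
echo "failures: $(sample_sudo_log | count_bad_records)"
```

    In practice the classifier is fed the facility's log file
    (see --with-logfac and sample.syslog.conf), and the BAD
    lines are what an alerting rule should key on; with separate
    goodpri/badpri values the same split can be done by syslogd
    itself.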

--with-logpath=PATH
    Override the default location of the sudo log file and use
    PATH instead.  By default sudo will use /var/log/sudo.log if
    there is a /var/log dir, falling back to /var/adm/sudo.log
    or /usr/adm/sudo.log if not.

--with-loglen=NUMBER
    Number of characters per line for the file log.  This is only used if

    The default is "Sorry, try again." unless insults are turned on.

--with-fqdn
    Define this if you want to put fully qualified hostnames in the sudoers
    file.  I.e. instead of myhost you would use myhost.mydomain.edu.  You may
    still use the short form if you wish (and even mix the two).  Beware
    that turning FQDN on requires sudo to make DNS lookups which may make

    if they match a value specified via --with-editor.

--disable-authentication
    By default, sudo requires the user to authenticate via a
    password or similar means.  This option causes sudo to
    *not* require authentication.  It is possible to turn
    authentication back on in sudoers via the PASSWD attribute.

--disable-root-sudo
    Don't let root run sudo.  This can be used to prevent people from

    Solaris.  You can also get them from various places on the
    net, including http://www.sunfreeware.com/
    NOTE: sudo will *not* build with the Sun C compiler in BSD
    compatibility mode (/usr/ucb/cc).  Sudo is designed to
    compile with the standard C compiler (or gcc) and will
    not build correctly with /usr/ucb/cc.  You can use the
    `--with-CC' option to point `configure' to the non-ucb
    compiler if it is not the first cc in your path.  Some
    sites link /usr/ucb/cc to gcc; configure will not notice
    this and still refuse to use /usr/ucb/cc, so make sure gcc
    is also in your path if your site is set up this way.
    Also: Many versions of Solaris come with a broken syslogd.
    If you are having problems with sudo logging you should
    make sure you have the latest syslogd patch installed.

Digital UNIX:
    By default, sudo will use SIA (Security Integration Architecture)
    to validate a user.  If you want to use an alternative authentication
    method that does not go through SIA, you need to use the
    --disable-sia option to configure.  If you use gcc to compile
    you will get warnings when building interfaces.c.  These are

    edit that.

Linux:
    PAM and LDAP headers are not installed by default on most Linux
    systems.  You will need to install the "pam-dev" (or "pam-devel")
    package if /usr/include/security/pam_appl.h is not present on
    your system.  If you wish to build with LDAP support you will
    also need the openldap-devel package.

    NOTE (1.6.8 only): Reportedly, Linux's execvp(3) doesn't always
    execute scripts that lack the "#!/some/shell" header correctly.
    The workaround is to give all your scripts a proper header.

    Versions of glibc 2.x previous to 2.0.7 have a broken lsearch().
    You will need to either upgrade to glibc-2.0.7 or use sudo's
    version of lsearch().  To use sudo's lsearch(), comment out

    fixed.  There is a workaround on the sudo ftp site, linux_nfs.patch,
    if you need to NFS-mount sudoers on older Linux kernels.

    (1.6.8 only) Linux kernels 2.2.16-2.2.19 appear to have broken
    POSIX saved ID support.  You must run configure with the
    --disable-saved-ids flag to get a working sudo.

Mac OS X:
    It has been reported that for sudo to work on Mac OS X it must
    either be built with the --with-password-timeout=0 option or the

    functionality.  You must use either the HP ANSI C compiler or gcc for
    noexec to work.  Binary packages of gcc are available from
    http://hpux.connect.org.uk/ and http://hpux.cs.utah.edu/.

SunOS 4.x:  (1.6.8 only)
    The /bin/sh shipped with SunOS blows up while running configure.
    You can work around this by installing bash or zsh.  If you
    have bash or zsh in your path, configure will use it instead
    automatically.