src/usr.bin/sudo/INSTALL - annotate

Return to INSTALL CVS log

Up to [local] / src / usr.bin / sudo

Annotation of src/usr.bin/sudo/INSTALL, Revision 1.12

1.12 ! millert 1: Installation instructions for Sudo 1.6.6
1.3 millert 2: ========================================
1.1 millert 3:
4: Sudo uses a `configure' script to probe the capabilities and type
5: of the system in question. In this release, `configure' takes many
6: more options than it did before. Please read this document fully
7: before configuring and building sudo. You may also wish to read the
8: file INSTALL.configure which explains more about the `configure' script.
9:
10: Simple sudo installation
11: ========================
12:
13: For most systems and configurations it is possible simply to:
14:
15: 0) If you are upgrading from a previous version of sudo
16: please read the info in the UPGRADE file before proceeding.
17:
18: 1) If you previously ran `configure' on a different host
19: you will probably want to do a `make distclean' to remove
20: the old `config.cache' file. Otherwise, `configure'
21: will complain and refuse to run. Alternately, one can
22: simply `rm config.cache'.
23:
24: 2) Read the `OS dependent notes' section for any particular
25: "gotchas" relating to your operating system.
26:
27: 3) `cd' to the source or build directory and type `./configure'
28: to generate a Makefile and config.h file suitable for
29: building sudo. Before you actually run configure you
30: should read the `Available configure options' section
31: to see if there are any special options you may want
1.7 millert 32: or need.
1.1 millert 33:
34: 4) Edit the configure-generated Makefile if you wish to
35: change any of the default paths (alternately you could
36: have changed the paths via options to `configure'.
37:
38: 5) Type `make' to compile sudo. If you are building sudo
39: in a separate build tree (apart from the sudo source)
40: GNU make will probably be required. If `configure' did
41: its job properly (and you have a supported configuration)
42: there won't be any problems. If this doesn't work, take
43: a look at the files TROUBLESHOOTING and PORTING for tips
44: on what might have gone wrong. Please mail us if you have a
45: fix or if you are unable to come up with a fix (address at EOF).
46:
47: 6) Type `make install' (as root) to install sudo, visudo, the
48: man pages, and a skeleton sudoers file. Note that the install
49: will not overwrite an existing sudoers file. You can also
50: install various pieces the package via the install-binaries,
51: install-man, and install-sudoers make targets.
52:
53: 7) Edit the sudoers file with `visudo' as necessary for your
54: site. You will probably want to refer the sample.sudoers
55: file and sudoers man page included with the sudo package.
56:
57: 8) If you want to use syslogd(8) to do the logging, you'll need
58: to update your /etc/syslog.conf file. See the sample.syslog.conf
59: file included in the distribution for an example.
60:
61: Available configure options
62: ===========================
63:
64: This section describes flags accepted by the sudo's `configure' script.
65: Defaults are listed in brackets after the description.
66:
67: Configuration:
68: --cache-file=FILE
69: Cache test results in FILE
70:
1.9 millert 71: --config-cache, -C
72: Alias for `--cache-file=config.cache'
73:
74: --help, -h
1.1 millert 75: Print the usage/help info
76:
1.9 millert 77: --no-create, -n
1.1 millert 78: Do not create output files
79:
1.9 millert 80: --quiet, --silent, -q
1.1 millert 81: Do not print `checking...' messages
82:
83: Directory and file names:
84: --prefix=PREFIX
85: Install architecture-independent files in PREFIX This really only
86: applies to man pages. [/usr/local]
87:
88: --exec-prefix=EPREFIX
89: Install architecture-dependent files in EPREFIX This includes the
90: sudo and visudo executables. [same as prefix]
91:
92: --bindir=DIR
93: Install `sudo' in DIR [EPREFIX/bin]
94:
95: --sbindir=DIR
96: Install `visudo' in DIR [EPREFIX/sbin]
97:
98: --sysconfdir=DIR
99: Install `sudoers' file in DIR [/etc]
100:
101: --mandir=DIR
102: Install man pages in DIR [PREFIX/man]
103:
104: --srcdir=DIR
105: Find the sources in DIR [configure dir or ..]
106:
107: Special features/options:
1.12 ! millert 108: --with-CC=PATH
1.1 millert 109: Specifies path to C compiler you wish to use.
110:
1.12 ! millert 111: --with-incpath=DIR
! 112: Adds the specified directory (or directories) to CPPFLAGS
! 113: so configure and the compiler will look there for include
! 114: files. Multiple directories may be specified as long as
! 115: they are space separated.
1.1 millert 116: Eg: --with-incpath="/usr/local/include /opt/include"
117:
1.12 ! millert 118: --with-libpath=DIR
! 119: Adds the specified directory (or directories_ to SUDO_LDFLAGS
! 120: and VISUDO_LDFLAGS so configure and the compiler will look
! 121: there for libraries. Multiple directories may be specified
! 122: as with --with-incpath.
! 123:
! 124: --with-libraries=LIBRARY
! 125: Adds the specified library (or libaries) to SUDO_LIBS and
! 126: and VISUDO_LIBS so sudo will link against them. If the
! 127: library doesn't start with `-l' or end in `.a' or `.o' a
! 128: `-l' will be prepended to it. Multiple libraries may be
! 129: specified as long as they are space separated.
1.1 millert 130:
131: --with-csops
132: Add CSOps standard options. You probably aren't interested in this.
133:
134: --with-skey
135: Enable S/Key OTP (One Time Password) support.
136:
137: --with-opie
138: Enable NRL OPIE OTP (One Time Password) support.
139:
1.12 ! millert 140: --with-SecurID[=DIR]
1.1 millert 141: Enable SecurID support. If specified, DIR is directory containing
142: sdiclient.a, sdi_athd.h, sdconf.h, and sdacmvls.h.
143:
1.12 ! millert 144: --with-fwtk[=DIR]
1.1 millert 145: Enable TIS Firewall Toolkit (FWTK) 'authsrv' support. If specified,
146: DIR is the base directory containing the compiled FWTK package
147: (or at least the library and header files).
148:
149: --with-kerb4
150: Enable kerberos v4 support. Tested only with the Cygnus Network
151: Security package (CNS). This uses kerberos passphrases for
152: authentication but does not use the kerberos cookie scheme.
153:
154: --with-kerb5
155: Enable kerberos v5 support. Tested against MIT Kerberos V,
156: release 1.1, although also expected to work against CNS. This
157: This uses kerberos passphrases for authentication but does not
158: use the kerberos cookie scheme. Will not work for Kerberos V
159: older than version 1.1.
160:
161: --with-authenticate
162: Enable support for the AIX 4.x general authentication function.
163: This will use the authentication scheme specified for the user
164: on the machine.
165:
166: --with-pam
1.4 millert 167: Enable PAM support. Tested on:
168: Redhat Linux 5.x, 6.0, and 6.1
169: Solaris 2.6 and 7
170: HP-UX 11.0
171: NOTE: on RedHat Linux you *must* install an /etc/pam.d/sudo file.
172: You may either use the sample.pam file included with sudo or use
173: /etc/pam.d/su as a reference. On Solaris and HP-UX 11 systems
174: you should check (and understand) the contents of /etc/pam.conf.
175: Do a "man pam.conf" for more information and consider using the
176: "debug" option, if available, with your PAM libraries in
177: /etc/pam.conf to obtain syslog output for debugging purposes.
1.1 millert 178:
179: --with-AFS
180: Enable AFS support with kerberos authentication. Should work under
181: AFS 3.3. If your AFS doesn't have -laudit you should be able to
182: link without it.
183:
184: --with-DCE
1.4 millert 185: Enable DCE support. Known to work on HP-UX 9.X, 10.X, and 11.0.
186: The use of PAM is recommended for HP-UX 11.X systems, since PAM is
187: fully implemented (this is not true for 10.20 and earlier versions).
188: Check to see that your 11.X (or other) system uses DCE via PAM by
189: looking at /etc/pam.conf to see if "libpam_dce" libraries are
190: referenced there. Other platforms may require source code and/or
191: `configure' changes; you should check to see if your platform can
192: access DCE via PAM before using this option.
1.1 millert 193:
1.5 millert 194: --with-logincap
1.6 millert 195: Enable support for BSD login classes where available (OS-dependent).
196: This adds support for the login classes specified in /etc/login.conf.
1.5 millert 197: By default, a login class is not applied unless the 'use_loginclass'
198: option is defined in sudoers or the user specifies a class on the
1.6 millert 199: command line.
200:
201: --with-bsdauth
1.9 millert 202: Enable support for BSD authentication on BSD/OS and OpenBSD.
1.12 ! millert 203: This option implies --with-logincap. It is not possible
! 204: to mix BSD authentication with other authentication methods
! 205: (and there really should be no need to do so). Note that
! 206: only the newer BSD authentication API is supported. If you
! 207: don't have /usr/include/bsd_auth.h then you cannot use this.
1.10 millert 208:
209: --disable-root-mailer
210: By default sudo will run the mailer as root when tattling
211: on a user so as to prevent that user from killing the mailer.
212: With this option, sudo will run the mailer as the invoking
213: user which some people consider to be safer.
1.9 millert 214:
215: --disable-saved-ids
1.12 ! millert 216: Disable use of POSIX saved IDs. Normally, sudo will try
! 217: to use POSIX saved IDs if they are supported. However,
! 218: some implementations are broken.
1.11 millert 219:
220: --disable-setreuid
1.12 ! millert 221: Disable use of the setreuid() function for operating systems
! 222: where it is broken. 4.4BSD has setreuid() but it doesn't
! 223: really work.
1.5 millert 224:
1.1 millert 225: --disable-sia
1.12 ! millert 226: Disable SIA support. This is the "Security Integration
! 227: Architecture" on Digital UNIX. If you disable SIA sudo will
! 228: use its own authentication routines.
1.1 millert 229:
230: --disable-shadow
1.12 ! millert 231: Disable shadow password support. Normally, sudo will compile
! 232: in shadow password support and use a shadow password if it
! 233: exists.
! 234:
! 235: --with-sudoers-mode=MODE
! 236: File mode for the sudoers file (octal). Note that if you
! 237: wish to NFS-mount the sudoers file this must be group
! 238: readable. Also note that this is actually set in the
! 239: Makefile. The default mode is 0440.
! 240:
! 241: --with-sudoers-uid=UID
! 242: User id that "owns" the sudoers file. Note that this is
! 243: the numeric id, *not* the symbolic name. Also note that
! 244: this is actually set in the Makefile. The default is 0.
! 245:
! 246: --with-sudoers-gid=GID
! 247: Group id that "owns" the sudoers file. Note that this is
! 248: the numeric id, *not* the symbolic name. Also note that
! 249: this is actually set in the Makefile. The default is 0.
1.1 millert 250:
251: --with-execv
252: Use execv() to exec the command instead of execvp(). I can't think of
253: a reason to actually do this since execvp() is passed a fully qualified
254: pathname but someone might thoroughly distrust execvp(). Note that if
255: you define this you lose the ability to exec scripts that are missing
256: the '#!/bin/sh' cookie (like /bin/kill on SunOS and /etc/fastboot on
257: 4.3BSD). This is off by default.
258:
259: --without-interfaces
1.12 ! millert 260: This option keeps sudo from trying to glean the ip address
! 261: from each attached ethernet interface. It is only useful
! 262: on a machine where sudo's interface reading support does
! 263: not work, which may be the case on some SysV-based OS's
! 264: using STREAMS.
1.1 millert 265:
266: --without-passwd
1.12 ! millert 267: This option excludes authentication via the passwd (or
! 268: shadow) file. It should only be used when another, alternate,
! 269: authentication scheme is in use.
1.1 millert 270:
271: --with-otp-only
1.12 ! millert 272: This option is now just an alias for --without-passwd.
1.1 millert 273:
1.4 millert 274: The following options are also configurable at runtime:
275:
1.1 millert 276: --with-long-otp-prompt
1.12 ! millert 277: When validating with a One Time Password scheme (S/Key or
! 278: OPIE), a two-line prompt is used to make it easier to cut
! 279: and paste the challenge to a local window. It's not as
! 280: pretty as the default but some people find it more convenient.
1.1 millert 281:
282: --with-logging=TYPE
1.12 ! millert 283: How you want to do your logging. You may choose "syslog",
! 284: "file", or "both". Setting this to "syslog" is nice because
! 285: you can keep all of your sudo logs in one place (see the
! 286: sample.syslog.conf file). The default is "syslog".
1.1 millert 287:
288: --with-logfac=FACILITY
1.12 ! millert 289: Determines which syslog facility to log to. This requires
! 290: a 4.3BSD or later version of syslog. You can still set
! 291: this for ancient syslogs but it will have no effect. The
! 292: following facilities are supported: authpriv (if your OS
! 293: supports it), auth, daemon, user, local0, local1, local2,
! 294: local3, local4, local5, local6, and local7.
1.1 millert 295:
296: --with-goodpri=PRIORITY
1.12 ! millert 297: Determines which syslog priority to log successfully
! 298: authenticated commands. The following priorities are
! 299: supported: alert, crit, debug, emerg, err, info, notice,
! 300: and warning.
1.1 millert 301:
302: --with-badpri=PRIORITY
1.12 ! millert 303: Determines which syslog priority to log unauthenticated
! 304: commands and errors. The following priorities are supported:
! 305: alert, crit, debug, emerg, err, info, notice, and warning.
! 306:
! 307: --with-logpath=PATH
! 308: Override the default location of the sudo log file and use
! 309: "path" instead. By default will use /var/log/sudo.log if
! 310: there is a /var/log dir, falling back to /var/adm/sudo.log
! 311: or /usr/adm/sudo.log if not.
1.1 millert 312:
1.12 ! millert 313: --with-loglen=NUMBER
1.1 millert 314: Number of characters per line for the file log. This is only used if
315: you are to "file" or "both". This value is used to decide when to wrap
316: lines for nicer log files. The default is 80. Setting this to 0
317: will disable the wrapping.
318:
319: --with-ignore-dot
320: If set, sudo will ignore '.' or '' (current dir) in $PATH.
321: The $PATH itself is not modified.
322:
1.12 ! millert 323: --with-mailto=USER|MAIL_ALIAS
! 324: User (or mail alias) that mail from sudo is sent to.
! 325: This should go to a sysadmin at your site. The default is "root".
1.1 millert 326:
1.12 ! millert 327: --with-mailsubject="SUBJECT OF MAIL"
1.1 millert 328: Subject of the mail sent to the "mailto" user. The token "%h"
329: will expand to the hostname of the machine.
330: Default is "*** SECURITY information for %h ***".
331:
332: --without-mail-if-no-user
1.4 millert 333: Normally, sudo will mail to the "alertmail" user if the user invoking
1.1 millert 334: sudo is not in the sudoers file. This option disables that behavior.
335:
336: --with-mail-if-no-host
337: Send mail to the "alermail" user if the user exists in the sudoers
338: file, but is not allowed to run commands on the current host.
339:
340: --with-mail-if-noperms
341: Send mail to the "alermail" user if the user is allowed to use sudo but
342: the command they are trying is not listed in their sudoers file entry.
343:
1.12 ! millert 344: --with-passprompt="PASSWORD PROMPT"
1.1 millert 345: Default prompt to use when asking for a password; can be overridden
346: via the -p option and the SUDO_PROMPT environment variable. Supports
347: two escapes: "%u" expands to the user's login name and "%h" expands
348: to the local hostname. Default is "Password:".
349:
1.12 ! millert 350: --with-badpass-message="BAD PASSWORD MESSAGE"
1.1 millert 351: Message that is displayed if a user enters an incorrect password.
352: The default is "Sorry, try again." unless insults are turned on.
353:
354: --with-fqdn
355: Define this if you want to put fully qualified hostnames in the sudoers
356: file. Ie: instead of myhost you would use myhost.mydomain.edu. You may
357: still use the short form if you wish (and even mix the two). Beware
358: that turning FQDN on requires sudo to make DNS lookups which may make
359: sudo unusable if your DNS is totally hosed. Also note that you must
360: use the host's official name as DNS knows it. That is, you may not use
361: a host alias (CNAME entry) due to performance issues and the fact that
362: there is no way to get all aliases from DNS.
363:
1.12 ! millert 364: --with-timedir=PATH
1.1 millert 365: Override the default location of the sudo timestamp directory and
366: use "path" instead.
367:
1.12 ! millert 368: --with-sendmail=PATH
1.1 millert 369: Override configure's guess as to the location of sendmail.
370:
371: --without-sendmail
372: Do not use sendmail to mail messages to the "mailto" user.
373: Use only if don't run sendmail or the equivalent.
374:
1.12 ! millert 375: --with-umask=MASK
1.1 millert 376: Umask to use when running the root command. The default is 0022.
377:
378: --without-umask
379: Preserves the umask of the user invoking sudo.
380:
1.12 ! millert 381: --with-runas-default=USER
1.1 millert 382: The default user to run commands as if the -u flag is not specified
383: on the command line. This defaults to "root".
384:
1.12 ! millert 385: --with-exempt=GROUP
1.1 millert 386: Users in the specified group don't need to enter a password when
387: running sudo. This may be useful for sites that don't want their
388: "core" sysadmins to have to enter a password but where Jr. sysadmins
389: need to. You should probably use NOPASSWD in sudoers instead.
390:
1.12 ! millert 391: --with-passwd-tries=NUMBER
1.1 millert 392: Number of tries a user gets to enter his/her password before sudo logs
393: the failure and exits. The default is 3.
394:
1.12 ! millert 395: --with-timeout=NUMBER
1.1 millert 396: Number of minutes that can elapse before sudo will ask for a passwd
397: again. The default is 5, set this to 0 to always prompt for a password.
398:
1.12 ! millert 399: --with-password-timeout=NUMBER
1.1 millert 400: Number of minutes before the sudo password prompt times out.
401: The default is 5, set this to 0 for no password timeout.
402:
403: --with-tty-tickets
1.4 millert 404: This makes sudo use a different ticket file for each user/tty combo.
405: Ie: instead of the ticket path being "username" it is "username/tty".
1.1 millert 406: This is useful for "shared" accounts like "operator". Note that this
407: means that there will be more files in the timestamp dir. This is not
408: a problem if your system has a cron job to remove of files from /tmp
409: (or wherever you specified the timestamp dir to be).
410:
411: --with-insults
412: Define this if you want to be insulted for typing an incorrect password
413: just like the original sudo(8). This is off by default.
414:
415: --with-all-insults
1.7 millert 416: Include all the insult sets listed below. You must either specify
417: --with-insults or enable insults in the sudoers file for this to
418: have any effect.
1.1 millert 419:
420: --with-classic-insults
421: Uses insults from sudo "classic." If you just specify --with-insults
422: you will get the classic and CSOps insults. This is on by default if
423: --with-insults is given.
424:
425: --with-csops-insults
426: Insults the user with an extra set of insults (some quotes, some
427: original) from a sysadmin group at CU (CSOps). You must specify
428: --with-insults as well for this to have any effect. This is on by
429: default if --with-insults is given.
430:
431: --with-hal-insults
432: Uses 2001-like insults when an incorrect password is entered.
1.7 millert 433: You must either specify --with-insults or enable insults in the
434: sudoers file for this to have any effect.
1.1 millert 435:
436: --with-goons-insults
437: Insults the user with lines from the "Goon Show" when an incorrect
1.7 millert 438: password is entered. You must either specify --with-insults or
439: enable insults in the sudoers file for this to have any effect.
1.1 millert 440:
1.12 ! millert 441: --with-secure-path[=PATH]
1.1 millert 442: Path used for every command run from sudo(8). If you don't trust the
443: people running sudo to have a sane PATH environment variable you may
444: want to use this. Another use is if you want to have the "root path"
445: be separate from the "user path." You will need to customize the path
446: for your site. NOTE: this is not applied to users in the group
447: specified by --with-exemptgroup. If you do not specify a path,
448: "/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc" is used.
449:
450: --without-lecture
451: Don't print the lecture the first time a user runs sudo.
452:
1.12 ! millert 453: --with-editor=PATH
1.7 millert 454: Specify the default editor path for use by visudo. This may be
455: a single pathname or a colon-separated list of editors. In
456: the latter case, visudo will choose the editor that matches
457: the user's USER environment variable or the first editor in
458: the list that exists. The default is the path to vi on your system.
1.5 millert 459:
460: --with-env-editor
461: Makes visudo consult the EDITOR and VISUAL environment variables before
1.7 millert 462: falling back on the default editor list (as specified by --with-editor).
463: Note that this may create a security hole as it allows the user to
464: run any arbitrary command as root without logging. A safer alternative
465: is to use a colon-separated list of editors with the --with-env-editor
466: option. visudo will then only use the EDITOR or VISUAL if they match
467: a value specified via --with-editor.
1.5 millert 468:
1.1 millert 469: --disable-authentication
470: By default, sudo requires the user to authenticate via a
471: password or similar means. This options causes sudo to
472: *not* require authentication. It is possible to turn
473: authentication back on in sudoers via the PASSWD attribute.
474:
475: --disable-root-sudo
476: Don't let root run sudo. This can be used to prevent people from
477: "chaining" sudo commands to get a root shell by doing something
478: like "sudo sudo /bin/sh".
479:
480: --enable-log-host
481: Log the hostname in the log file.
1.3 millert 482:
483: --enable-noargs-shell
484: If sudo is invoked with no arguments it acts as if the "-s" flag had
485: been given. That is, it runs a shell as root (the shell is determined
486: by the SHELL environment variable, falling back on the shell listed
487: in the invoking user's /etc/passwd entry).
1.1 millert 488:
489: --enable-shell-sets-home
490: If sudo is invoked with the "-s" flag the HOME environment variable
491: will be set to the home directory of the target user (which is root
492: unless the "-u" option is used). This option effectively makes the
493: "-s" flag imply "-H".
494:
495: --disable-path-info
496: Normally, sudo will tell the user when a command could not be found
497: in their $PATH. Some sites may wish to disable this as it could
498: be used to gather information on the location of executables that
499: the normal user does not have access to. The disadvantage is that
500: if the executable is simply not in the user's path, sudo will tell
501: the user that they are not allowed to run it, which can be confusing.
502:
503: Shadow password and C2 support
504: ==============================
505:
506: Shadow passwords (also included with most C2 security packages) are
507: supported on most major platforms for which they exist. The
508: `configure' script will attempt to determine if your system can use
509: shadow passwords and include support for them if so. Shadow password
510: support is now compiled in by default (it doesn't hurt anything if you
511: don't have them configured). To disable the shadow password support,
512: use the --disable-shadow option to configure.
513:
514: Shadow passwords are known to work on the following platforms:
515:
516: SunOS 4.x
517: Solaris 2.x
518: HP-UX >= 9.x
519: Ultrix 4.x
520: Digital UNIX
521: IRIX >= 5.x
522: AIX >= 3.2.x
523: ConvexOS with C2 security (not tested recently)
524: Linux
525: SCO >= 3.2.2
526: Pyramid DC/OSx
527: UnixWare
528: SVR4 (and variants using standard SVR4 shadow passwords)
529: 4.4BSD based systems (including OpenBSD, NetBSD, FreeBSD, and BSD/OS)
530: OS's using SecureWare's C2 security.
531:
532: OS dependent notes
533: ==================
534:
535: OpenBSD < 2.2 and NetBSD < 1.2.1:
536: The fdesc filesystem has a bug wrt /dev/tty handling that
537: causes sudo to hang at the password prompt. The workaround
538: is to run configure with --with-password-timeout=0
539:
540: Solaris 2.x:
541: You need to have a C compiler in order to build sudo.
542: Since Solaris 2.x does not come with one by default this
543: means that you either need to have purchased the unbundled Sun
544: C compiler or have a copy of the GNU C compiler (gcc).
545: The SunSoft Catalyst CD should contain gcc binaries for
546: Solaris. You can also get them from various places on the
547: net, including http://www.sunfreeware.com/
548: NOTE: sudo will *not* build with the sun C compiler in BSD
549: compatibility mode (/usr/ucb/cc). Sudo is designed to
550: compile with the standard C compiler (or gcc) and will
551: not build correctly with /usr/ucb/cc. You can use the
552: `--with-CC' option to point `configure' to the non-ucb
553: compiler if it is not the first cc in your path. Some
554: sites link /usr/ucb/cc to gcc; configure will not notice
555: this an still refuse to use /usr/ucb/cc, so make sure gcc
556: is also in your path if your site is setup this way.
557: Also: Many versions of Solaris come with a broken syslogd.
558: If you have having problems with sudo logging you should
559: make sure you have the latest syslogd patch installed.
560: This is a problem for Solaris 2.4 and 2.5 at least.
561:
562: AIX 3.2.x:
563: I've had various problems with the AIX C compiler producing
564: incorrect code when the -O flag was used. When optimization
565: is not used, the problems go away. Gcc does not appear
566: to have this problem.
567:
568: Also, the AIX 3.2.x lex will not work with sudo's parse.lex.
569: This should not be a problem as sudo comes shipped with
570: a pre-generated lex.yy.c (created by flex). If you want
571: to modify the lex tokenizer, make sure you grab a copy of
572: flex from ftp.ee.lbl.gov (also available on most GNU mirrors)
573: and sudo will use that instead.
574:
575: Ultrix 4.x:
576: Ultrix still ships with the 4.2BSD syslog(3) which does not
577: allow things like logging different facilities to different
578: files, redirecting logs to a single loghost and other niceties.
579: You may want to just grab and install:
580: ftp://gatekeeper.dec.com/pub/DEC/jtkohl-syslog-complete.tar.Z
581: (available via anonymous ftp) which is a port if the 4.3BSD
582: syslog/syslogd that is backwards compatible with the Ultrix version.
583: I recommend it highly. If you do not do this you probably want
584: to run configure with --with-logging=file
585:
586: Digital UNIX:
587: By default, sudo will use SIA (Security Integration Architecture)
588: to validate a user. If you want to use an alternate authentication
589: method that does not go through SIA, you need to use the
590: --disable-sia option to configure. If you use gcc to compile
591: you will get warnings when building interfaces.c. These are
592: harmless but if they really bug you, you can edit
593: /usr/include/net/if.h around line 123, right after the comment:
594: /* forward decls for C++ */
595: change the line:
596: #ifdef __cplusplus
597: to:
598: #if defined(__cplusplus) || defined(__GNUC__)
599: If you don't like the idea of editing the system header file
600: you can just make a copy in gcc's private include tree and
601: edit that.
602:
603: Linux:
604: NOTE: Reportedly, Linux's execvp(3) doesn't always execute
605: scripts that lack the "#!/some/shell" header correctly.
606: The workaround is to give all your scripts a proper
607: header.
608: Versions of glibc 2.x previous to 2.0.7 have a broken lsearch().
609: You will need to either upgrade to glibc-2.0.7 or use sudo's
610: version of lsearch(). To use sudo's lsearch(), comment out
611: the "#define HAVE_LSEARCH 1" line in config.h and add lsearch.o
612: to the LIBOBJS line in the Makefile.
613:
1.9 millert 614: If you are using a Linux kernel older than 2.4 it is not possible
615: to access the sudoers file via NFS. This is due to a bug in
616: the Linux client-side NFS implementation that has since been
617: fixed. There is a workaround on the sudo ftp site, linux_nfs.patch,
618: if you need to NFS-mount sudoers on older Linux kernels.
1.11 millert 619:
620: Linux kernels 2.2.16-2.2.19 appear to have broken POSIX saved
621: ID support. You must run configure with the --disable-saved-ids
622: flag to get a working sudo.
1.1 millert 623:
624: Mac OS X:
625: It has been reported that for sudo to work on Mac OS X it must
626: either be built with the --with-password-timeout=0 option or the
627: password timeout must be disabled in the Defaults line in the
628: sudoers file. If sudo just hangs when you try to enter a password,
629: you need to disable the password timeout (Note: this is not a bug
630: in sudo).
631:
632: SCO ODT:
633: You'll probably need libcrypt_i.a available via anonymous ftp
634: from sosco.sco.com. The necessary files are /SLS/lng225b.Z
635: and /SLS/lng225b.ltr.Z.
1.5 millert 636:
637: Dynix:
638: Some people have experienced problems building sudo with gcc
639: on Dynix. If you experience problems compiling sudo using gcc
640: on Dynix, try using the native compiler (cc). You can do so
641: by removing the config.cache file and then re-running configure
642: with the --with-CC=cc option.