Annotation of src/usr.bin/sudo/INSTALL, Revision 1.23
Installation instructions for Sudo 1.7
======================================

Sudo uses a `configure' script to probe the capabilities and type
of the system in question. In this release, `configure' takes many
more options than it did before. Please read this document fully
before configuring and building sudo. You may also wish to read the
file INSTALL.configure which explains more about the `configure' script.

Simple sudo installation
========================

For most systems and configurations it is possible simply to:

0) If you are upgrading from a previous version of sudo
   please read the info in the UPGRADE file before proceeding.

1) If you previously ran `configure' on a different host
   you will probably want to do a `make distclean' to remove
   the old `config.cache' file. Otherwise, `configure'
   will complain and refuse to run. Alternately, one can
   simply `rm config.cache'.

2) Read the `OS dependent notes' section for any particular
   "gotchas" relating to your operating system.

3) `cd' to the source or build directory and type `./configure'
   to generate a Makefile and config.h file suitable for
   building sudo. Before you actually run configure you
   should read the `Available configure options' section
   to see if there are any special options you may want
   or need.

4) Edit the configure-generated Makefile if you wish to
   change any of the default paths (alternatively, you could
   have changed the paths via options to `configure').

5) Type `make' to compile sudo. If you are building sudo
   in a separate build tree (apart from the sudo source)
   GNU make will probably be required. If `configure' did
   its job properly (and you have a supported configuration)
   there won't be any problems. If this doesn't work, take
   a look at the files TROUBLESHOOTING and PORTING for tips
   on what might have gone wrong. Please mail us if you have a
   fix or if you are unable to come up with a fix (address at EOF).

6) Type `make install' (as root) to install sudo, visudo, the
   man pages, and a skeleton sudoers file. Note that the install
   will not overwrite an existing sudoers file. You can also
   install various pieces of the package via the install-binaries,
   install-man, and install-sudoers make targets.

7) Edit the sudoers file with `visudo' as necessary for your
   site. You will probably want to refer to the sample.sudoers
   file and sudoers man page included with the sudo package.

8) If you want to use syslogd(8) to do the logging, you'll need
   to update your /etc/syslog.conf file. See the sample.syslog.conf
   file included in the distribution for an example.

60:
61: Available configure options
62: ===========================
63:
64: This section describes flags accepted by the sudo's `configure' script.
65: Defaults are listed in brackets after the description.
66:
67: Configuration:
68: --cache-file=FILE
69: Cache test results in FILE
70:
1.9 millert 71: --config-cache, -C
72: Alias for `--cache-file=config.cache'
73:
74: --help, -h
1.1 millert 75: Print the usage/help info
76:
1.9 millert 77: --no-create, -n
1.1 millert 78: Do not create output files
79:
1.9 millert 80: --quiet, --silent, -q
1.1 millert 81: Do not print `checking...' messages
82:
83: Directory and file names:
84: --prefix=PREFIX
85: Install architecture-independent files in PREFIX This really only
86: applies to man pages. [/usr/local]
87:
88: --exec-prefix=EPREFIX
89: Install architecture-dependent files in EPREFIX This includes the
90: sudo and visudo executables. [same as prefix]
91:
92: --bindir=DIR
93: Install `sudo' in DIR [EPREFIX/bin]
94:
95: --sbindir=DIR
96: Install `visudo' in DIR [EPREFIX/sbin]
97:
98: --sysconfdir=DIR
99: Install `sudoers' file in DIR [/etc]
100:
101: --mandir=DIR
102: Install man pages in DIR [PREFIX/man]
103:
104: --srcdir=DIR
105: Find the sources in DIR [configure dir or ..]
106:
1.23 ! millert 107: --with-tzdir=DIR
! 108: Set the directory to the system's time zone data files. This
! 109: is only used when sanitizing the TZ environment variable to
! 110: allow for fully-qualified paths in TZ.
! 111: By default, configure will look for an existing "zoneinfo"
! 112: directory in the following locations:
! 113: /usr/share /usr/share/lib /usr/lib /etc
! 114: If no zoneinfo directory is found, the TZ variable may not
! 115: contain a fully-qualified path.
! 116:
Special features/options:
--with-CC=PATH
    Specifies path to C compiler you wish to use.

--with-incpath=DIR
    Adds the specified directory (or directories) to CPPFLAGS
    so configure and the compiler will look there for include
    files. Multiple directories may be specified as long as
    they are space separated.
    Eg: --with-incpath="/usr/local/include /opt/include"

--with-libpath=DIR
    Adds the specified directory (or directories) to LDFLAGS
    so configure and the compiler will look there for libraries.
    Multiple directories may be specified as with --with-incpath.

--with-rpath
    Tells configure to use -Rpath in addition to -Lpath when
    passing library paths to the loader. This option is on
    by default for Solaris and SVR4.

--with-blibpath[=PATH]
    Tells configure to construct a -blibpath argument to the
    loader. If a PATH is specified, it will be used as the
    base. Otherwise, "/usr/lib:/lib:/usr/local/lib" will be
    used for gcc and "/usr/lib:/lib" for non-gcc. Additional
    library paths will be appended as needed by configure.
    This option is only valid for AIX where it is on by default.

--with-libraries=LIBRARY
    Adds the specified library (or libraries) to SUDO_LIBS and
    VISUDO_LIBS so sudo will link against them. If the
    library doesn't start with `-l' or end in `.a' or `.o' a
    `-l' will be prepended to it. Multiple libraries may be
    specified as long as they are space separated.

--with-csops
    Add CSOps standard options. You probably aren't interested in this.

--with-skey[=DIR]
    Enable S/Key OTP (One Time Password) support. If specified,
    DIR should contain include and lib directories with skey.h
    and libskey.a respectively.

--with-opie[=DIR]
    Enable NRL OPIE OTP (One Time Password) support. If specified,
    DIR should contain include and lib directories with opie.h
    and libopie.a respectively.

--with-SecurID[=DIR]
    Enable SecurID support. If specified, DIR is the directory containing
    sdiclient.a, sdi_athd.h, sdconf.h, and sdacmvls.h.

--with-fwtk[=DIR]
    Enable TIS Firewall Toolkit (FWTK) 'authsrv' support. If specified,
    DIR is the base directory containing the compiled FWTK package
    (or at least the library and header files).

--with-kerb4[=DIR]
    Enable Kerberos IV support. If specified, DIR is the base
    directory containing the Kerberos IV include and lib dirs.
    This uses Kerberos passphrases for authentication but does
    not use the Kerberos cookie scheme.

--with-kerb5[=DIR]
    Enable Kerberos V support. If specified, DIR is the base
    directory containing the Kerberos V include and lib dirs.
    This uses Kerberos passphrases for authentication but
    does not use the Kerberos cookie scheme. Will not work for
    Kerberos V older than version 1.1.

--with-ldap[=DIR]
    Enable LDAP support. If specified, DIR is the base directory
    containing the LDAP include and lib directories. Please see
    README.LDAP for more information.

--with-ldap-conf-file=filename
    Path to LDAP configuration file. If specified, sudo reads
    this file instead of /etc/ldap.conf to locate the LDAP server.

--with-ldap-secret-file=filename
    Path to LDAP secret password file. If specified, sudo uses
    this file instead of /etc/ldap.secret to read the secret password
    when rootbinddn is specified in the ldap config file.

--with-nsswitch[=filename]
    Path to nsswitch.conf or "no" to disable nsswitch support.
    If specified, sudo uses this file instead of /etc/nsswitch.conf.
    If nsswitch is disabled but LDAP is enabled, sudo will check
    LDAP first, then the sudoers file.

--with-netsvc[=filename]
    Path to netsvc.conf or "no" to disable netsvc.conf support.
    If specified, sudo uses this file instead of /etc/netsvc.conf
    on AIX systems.

--with-aixauth
    Enable support for the AIX 4.x general authentication function.
    This will use the authentication scheme specified for the user
    on the machine. It is on by default for AIX systems that
    support it.

--with-pam
    Enable PAM support. This is on by default for Darwin, FreeBSD,
    Linux, Solaris and HP-UX (version 11 and higher).

    NOTE: on RedHat Linux and Fedora you *must* have an /etc/pam.d/sudo
    file installed. You may either use the sample.pam file included with
    sudo or use /etc/pam.d/su as a reference. The sample.pam file
    included with sudo may or may not work with other Linux distributions.
    On Solaris and HP-UX 11 systems you should check (and understand)
    the contents of /etc/pam.conf. Do a "man pam.conf" for more
    information and consider using the "debug" option, if available,
    with your PAM libraries in /etc/pam.conf to obtain syslog output
    for debugging purposes.

--with-AFS
    Enable AFS support with Kerberos authentication. Should work under
    AFS 3.3. If your AFS doesn't have -laudit you should be able to
    link without it.

--with-DCE
    Enable DCE support for systems without PAM. Known to work on
    HP-UX 9.X, 10.X, and 11.0; other systems may require source
    code and/or `configure' changes. On systems with PAM support
    (such as HP-UX 11.0 and higher, Solaris, FreeBSD and Linux), the
    DCE PAM module (usually libpam_dce) should be used instead.

--with-logincap
    This adds support for login classes specified in /etc/login.conf.
    It is enabled by default on BSD/OS, Darwin, FreeBSD, OpenBSD and
    NetBSD (where available). By default, a login class is not applied
    unless the 'use_loginclass' option is defined in sudoers or the user
    specifies a class on the command line.

--with-bsdauth
    Enable support for BSD authentication. This is the default
    for BSD/OS and OpenBSD systems that support it.
    It is not possible to mix BSD authentication with other
    authentication methods (and there really should be no need
    to do so). Note that only the newer BSD authentication API
    is supported. If you don't have /usr/include/bsd_auth.h
    then you cannot use this.

--with-project
    Enable support for Solaris project resource limits.
    This option is only available on Solaris 9 and above.

--with-noexec[=PATH]
    Enable support for the "noexec" functionality which prevents
    a dynamically-linked program being run by sudo from executing
    another program (think shell escapes). Please see the
    "PREVENTING SHELL ESCAPES" section in the sudoers man page
    for details. If specified, PATH should be a fully qualified
    pathname, e.g. /usr/local/libexec/sudo_noexec.so. If PATH
    is "no", noexec support will not be compiled in. The default
    is to compile noexec support if libtool supports building
    shared objects on your OS.

--disable-pam-session
    Disable sudo's PAM session support. This may be needed on
    older PAM implementations or on operating systems where
    opening a PAM session changes the utmp or wtmp files. If
    PAM session support is disabled, resource limits may not
    be updated for the command being run.

--disable-root-mailer
    By default sudo will run the mailer as root when tattling
    on a user so as to prevent that user from killing the mailer.
    With this option, sudo will run the mailer as the invoking
    user which some people consider to be safer.

--disable-setreuid
    Disable use of the setreuid() function for operating systems
    where it is broken. Mac OS X has setreuid() but it doesn't
    really work.

--disable-setresuid
    Disable use of the setresuid() function for operating systems
    where it is broken (none currently known).

--disable-sia
    Disable SIA support. This is the "Security Integration
    Architecture" on Digital UNIX. If you disable SIA sudo will
    use its own authentication routines.

--disable-shadow
    Disable shadow password support. Normally, sudo will compile
    in shadow password support and use a shadow password if it
    exists.

--with-sudoers-mode=MODE
    File mode for the sudoers file (octal). Note that if you
    wish to NFS-mount the sudoers file this must be group
    readable. Also note that this is actually set in the
    Makefile. The default mode is 0440.

--with-sudoers-uid=UID
    User id that "owns" the sudoers file. Note that this is
    the numeric id, *not* the symbolic name. Also note that
    this is actually set in the Makefile. The default is 0.

--with-sudoers-gid=GID
    Group id that "owns" the sudoers file. Note that this is
    the numeric id, *not* the symbolic name. Also note that
    this is actually set in the Makefile. The default is 0.

--without-interfaces
    This option keeps sudo from trying to glean the ip address
    from each attached ethernet interface. It is only useful
    on a machine where sudo's interface reading support does
    not work, which may be the case on some SysV-based OS's
    using STREAMS.

--without-passwd
    This option excludes authentication via the passwd (or
    shadow) file. It should only be used when another, alternative,
    authentication scheme is in use.

--with-otp-only
    This option is now just an alias for --without-passwd.

--with-stow
    Properly handle GNU stow packaging. The sudoers file will
    physically live in ${prefix}/etc and /etc/sudoers will be
    a symbolic link.

--with-selinux
    Enable support for role based access control (RBAC) on
    systems that support SELinux.

--with-libvas[=NAME]
    Enable non-Unix group support using Quest Authentication
    Services. If NAME is specified, it should be the name of
    the shared library providing QAS support (libvas.so by default).

--with-libvas-rpath=PATH
    The path to search when loading libvas.so (or an alternate
    name as specified by --with-libvas). This option only has
    an effect when --with-libvas is specified.

The following options are also configurable at runtime:

--with-long-otp-prompt
    When validating with a One Time Password scheme (S/Key or
    OPIE), a two-line prompt is used to make it easier to cut
    and paste the challenge to a local window. It's not as
    pretty as the default but some people find it more convenient.

--with-logging=TYPE
    How you want to do your logging. You may choose "syslog",
    "file", or "both". Setting this to "syslog" is nice because
    you can keep all of your sudo logs in one place (see the
    sample.syslog.conf file). The default is "syslog".

--with-logfac=FACILITY
    Determines which syslog facility to log to. This requires
    a 4.3BSD or later version of syslog. You can still set
    this for ancient syslogs but it will have no effect. The
    following facilities are supported: authpriv (if your OS
    supports it), auth, daemon, user, local0, local1, local2,
    local3, local4, local5, local6, and local7.

--with-goodpri=PRIORITY
    Determines which syslog priority to log successfully
    authenticated commands. The following priorities are
    supported: alert, crit, debug, emerg, err, info, notice,
    and warning.

--with-badpri=PRIORITY
    Determines which syslog priority to log unauthenticated
    commands and errors. The following priorities are supported:
    alert, crit, debug, emerg, err, info, notice, and warning.

--with-logpath=PATH
    Override the default location of the sudo log file and use
    PATH instead. By default sudo will use /var/log/sudo.log if
    there is a /var/log dir, falling back to /var/adm/sudo.log
    or /usr/adm/sudo.log if not.

--with-loglen=NUMBER
    Number of characters per line for the file log. This is only used if
    you are logging to "file" or "both". This value is used to decide when
    to wrap lines for nicer log files. The default is 80. Setting this to 0
    will disable the wrapping.

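What the goodpri/badpri split looks like on the receiving end, as an added
example that is not code from the sudo distribution: a small triage filter
for the records sudo sends to syslog with --with-logging=syslog or "both".
The five log lines in SAMPLE_LOG are constructed for this example (host
"gw", the users and the commands are invented); they follow the
"user : [reason ;] TTY=... ; PWD=... ; USER=... ; COMMAND=..." layout of
sudo's log records, and the reason texts are the ones sudo uses for the
three failure cases the --with-mail-if-* options below refer to.

```shell
# Added example, not code from the sudo distribution: classify sudo's
# syslog records into allowed and denied commands.  SAMPLE_LOG is
# constructed for the example and follows sudo's record layout.
SAMPLE_LOG='Jan  5 10:12:01 gw sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls /root
Jan  5 10:13:40 gw sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/sh
Jan  5 10:14:02 gw sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/sh
Jan  5 10:15:17 gw sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Jan  5 10:16:00 gw sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=postgres ; COMMAND=/usr/bin/psql'

# Read sudo syslog lines on stdin; print one "STATUS user runas command
# [reason]" line each.  A record whose fields are all TTY=/PWD=/USER=/
# COMMAND= was an allowed command (logged at goodpri); any free-text
# field in front of them is the denial or error reason (logged at badpri).
classify_sudo_log() {
    awk '
    index($0, "sudo:") {
        rec = substr($0, index($0, "sudo:") + 5)
        sub(/^[ \t]+/, "", rec)
        n = index(rec, " : ")
        if (n == 0) next
        user = substr(rec, 1, n - 1)
        m = split(substr(rec, n + 3), f, / ; /)
        reason = ""; runas = ""; cmd = ""
        for (i = 1; i <= m; i++) {
            if      (f[i] ~ /^USER=/)        runas = substr(f[i], 6)
            else if (f[i] ~ /^COMMAND=/)     cmd = substr(f[i], 9)
            else if (f[i] !~ /^(TTY|PWD)=/)  reason = f[i]
        }
        status = (reason == "") ? "ALLOW" : "DENY"
        printf "%-5s %-8s %-8s %s%s\n", status, user, runas, cmd,
               (reason == "" ? "" : "  [" reason "]")
    }'
}

# Denials per user ("count user"), which is the number worth alerting on.
deny_counts() {
    classify_sudo_log | awk '$1 == "DENY" { c[$2]++ }
                             END { for (u in c) print c[u], u }' | sort -k2
}
```

Usage: `printf '%s\n' "$SAMPLE_LOG" | deny_counts` prints `2 bob` and
`1 carol`. Because sudo puts the reason text before the TTY= field, a rule
that only looks for COMMAND= will count bob's two denied attempts as
activity rather than as failures; splitting on " ; " first, as above, keeps
the two apart.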
--with-ignore-dot
    If set, sudo will ignore '.' or '' (current dir) in $PATH.
    The $PATH itself is not modified.

--with-mailto=USER|MAIL_ALIAS
    User (or mail alias) that mail from sudo is sent to.
    This should go to a sysadmin at your site. The default is "root".

--with-mailsubject="SUBJECT OF MAIL"
    Subject of the mail sent to the "mailto" user. The token "%h"
    will expand to the hostname of the machine.
    Default is "*** SECURITY information for %h ***".

--without-mail-if-no-user
    Normally, sudo will mail to the "mailto" user if the user invoking
    sudo is not in the sudoers file. This option disables that behavior.

--with-mail-if-no-host
    Send mail to the "mailto" user if the user exists in the sudoers
    file, but is not allowed to run commands on the current host.

--with-mail-if-noperms
    Send mail to the "mailto" user if the user is allowed to use sudo but
    the command they are trying is not listed in their sudoers file entry.

--with-passprompt="PASSWORD PROMPT"
    Default prompt to use when asking for a password; can be overridden
    via the -p option and the SUDO_PROMPT environment variable. Supports
    the "%H", "%h", "%U" and "%u" escapes as documented in the sudo
    manual page. The default value is "Password:".

--with-badpass-message="BAD PASSWORD MESSAGE"
    Message that is displayed if a user enters an incorrect password.
    The default is "Sorry, try again." unless insults are turned on.

--with-fqdn
    Define this if you want to put fully qualified hostnames in the sudoers
    file. Ie: instead of myhost you would use myhost.mydomain.edu. You may
    still use the short form if you wish (and even mix the two). Beware
    that turning FQDN on requires sudo to make DNS lookups which may make
    sudo unusable if your DNS is totally hosed. Also note that you must
    use the host's official name as DNS knows it. That is, you may not use
    a host alias (CNAME entry) due to performance issues and the fact that
    there is no way to get all aliases from DNS.

--with-timedir=PATH
    Override the default location of the sudo timestamp directory and
    use PATH instead.

--with-sendmail=PATH
    Override configure's guess as to the location of sendmail.

--without-sendmail
    Do not use sendmail to mail messages to the "mailto" user.
    Use only if you don't run sendmail or the equivalent.

--with-umask=MASK
    Umask to use when running the root command. The default is 0022.

--without-umask
    Preserves the umask of the user invoking sudo.

--with-runas-default=USER
    The default user to run commands as if the -u flag is not specified
    on the command line. This defaults to "root".

--with-exempt=GROUP
    Users in the specified group don't need to enter a password when
    running sudo. This may be useful for sites that don't want their
    "core" sysadmins to have to enter a password but where Jr. sysadmins
    need to. You should probably use NOPASSWD in sudoers instead.

--with-passwd-tries=NUMBER
    Number of tries a user gets to enter his/her password before sudo logs
    the failure and exits. The default is 3.

--with-timeout=NUMBER
    Number of minutes that can elapse before sudo will ask for a password
    again. The default is 5, set this to 0 to always prompt for a password.

--with-password-timeout=NUMBER
    Number of minutes before the sudo password prompt times out.
    The default is 5, set this to 0 for no password timeout.

--with-tty-tickets
    This makes sudo use a different ticket file for each user/tty combo.
    Ie: instead of the ticket path being "username" it is "username/tty".
    This is useful for "shared" accounts like "operator". Note that this
    means that there will be more files in the timestamp dir. This is not
    a problem if your system has a cron job to remove old files from /tmp
    (or wherever you specified the timestamp dir to be).

--with-insults
    Define this if you want to be insulted for typing an incorrect password
    just like the original sudo(8). This is off by default.

--with-all-insults
    Include all the insult sets listed below. You must either specify
    --with-insults or enable insults in the sudoers file for this to
    have any effect.

--with-classic-insults
    Uses insults from sudo "classic." If you just specify --with-insults
    you will get the classic and CSOps insults. This is on by default if
    --with-insults is given.

--with-csops-insults
    Insults the user with an extra set of insults (some quotes, some
    original) from a sysadmin group at CU (CSOps). You must specify
    --with-insults as well for this to have any effect. This is on by
    default if --with-insults is given.

--with-hal-insults
    Uses 2001-like insults when an incorrect password is entered.
    You must either specify --with-insults or enable insults in the
    sudoers file for this to have any effect.

--with-goons-insults
    Insults the user with lines from the "Goon Show" when an incorrect
    password is entered. You must either specify --with-insults or
    enable insults in the sudoers file for this to have any effect.

--with-pc-insults
    Replace politically incorrect insults with less objectionable ones.

--with-secure-path[=PATH]
    Path used for every command run from sudo(8). If you don't trust the
    people running sudo to have a sane PATH environment variable you may
    want to use this. Another use is if you want to have the "root path"
    be separate from the "user path." You will need to customize the path
    for your site. NOTE: this is not applied to users in the group
    specified by --with-exempt. If you do not specify a path,
    "/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc" is used.

--without-lecture
    Don't print the lecture the first time a user runs sudo.

--with-editor=PATH
    Specify the default editor path for use by visudo. This may be a
    single pathname or a colon-separated list of editors. In the latter
    case, visudo will choose the editor that matches the user's VISUAL
    or EDITOR environment variables or the first editor in the list that
    exists. The default is the path to vi on your system.

--with-env-editor
    Makes visudo consult the VISUAL and EDITOR environment variables before
    falling back on the default editor list (as specified by --with-editor).
    Note that this may create a security hole as it allows the user to
    run any arbitrary command as root without logging. A safer alternative
    is to use a colon-separated list of editors with the --with-editor
    option. visudo will then only use the VISUAL or EDITOR variables
    if they match a value specified via --with-editor.
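
Two of the options above describe the same kind of rule: walk a
colon-separated list and decide how far to trust the caller's environment
while doing so. --with-ignore-dot and --with-secure-path govern how a
command name is resolved; --with-editor and --with-env-editor govern which
editor visudo runs as root. The functions below are an added example, not
sudo's or visudo's own code: they implement the rules exactly as the text
states them so the two settings can be tried against scratch directories.
The directories, command names and editor paths in the comments are
constructed; the only assumption made is that "exists" means "is an
executable file".

```shell
# Added example (not sudo's or visudo's code): the list rules described
# by --with-ignore-dot/--with-secure-path and --with-editor/
# --with-env-editor, as POSIX shell functions.

# Walk LIST (colon-separated) and print the first entry for which the
# predicate (the remaining arguments, with the entry appended) succeeds.
first_match() {             # LIST PREDICATE [ARGS...]
    fm_rest="$1:"; shift
    while [ -n "$fm_rest" ]; do
        fm_entry=${fm_rest%%:*}; fm_rest=${fm_rest#*:}
        if "$@" "$fm_entry"; then printf '%s\n' "$fm_entry"; return 0; fi
    done
    return 1
}

# --with-ignore-dot: "" and "." both mean the current directory.  When
# IGNORE_DOT is 1 they are skipped during lookup; the PATH string the
# command inherits is never rewritten.
has_command() {             # CMD IGNORE_DOT DIR
    case $3 in
        ''|.) [ "$2" = 1 ] && return 1; hc_dir=. ;;
        *)    hc_dir=$3 ;;
    esac
    [ -x "$hc_dir/$1" ] && [ ! -d "$hc_dir/$1" ]
}

# Resolve CMD before exec.  SEARCH_PATH is the caller's $PATH, or the
# fixed build-time string when --with-secure-path is in effect.
find_command() {            # CMD SEARCH_PATH [IGNORE_DOT=1]
    case $1 in */*) [ -x "$1" ] && printf '%s\n' "$1"; return ;; esac
    fc_dir=$(first_match "$2" has_command "$1" "${3:-1}") || return 1
    case $fc_dir in '') fc_dir=. ;; esac
    printf '%s\n' "$fc_dir/$1"
}

# --with-editor / --with-env-editor: VISUAL or EDITOR may only select an
# entry that is in the build-time list, unless env_editor is "yes", in
# which case whatever the caller names is run (as root, and unlogged).
is_allowed_editor() {       # WANTED ENTRY
    [ "$1" = "$2" ] && [ -x "$2" ]
}

choose_visudo_editor() {    # EDITOR_LIST ENV_EDITOR VISUAL EDITOR
    for cand in "$3" "$4"; do
        [ -n "$cand" ] || continue
        if [ "$2" = yes ]; then printf '%s\n' "$cand"; return 0; fi
        first_match "$1" is_allowed_editor "$cand" && return 0
    done
    first_match "$1" test -x       # first list entry that exists
}
```

With env_editor set to "no", `choose_visudo_editor /usr/bin/vi:/bin/vi no
/tmp/evil.sh ""` still yields /usr/bin/vi; with "yes" it yields
/tmp/evil.sh, which visudo would then run as root. That single line is the
whole of the "security hole" the --with-env-editor text warns about.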

--with-askpass=PATH
    Set PATH as the "askpass" program to use when no tty is
    available. Typically, this is a graphical password prompter,
    similar to the one used by ssh. The program must take a
    prompt as an argument and print the received password to
    the standard output.

--disable-authentication
    By default, sudo requires the user to authenticate via a
    password or similar means. This option causes sudo to
    *not* require authentication. It is possible to turn
    authentication back on in sudoers via the PASSWD attribute.

--disable-root-sudo
    Don't let root run sudo. This can be used to prevent people from
    "chaining" sudo commands to get a root shell by doing something
    like "sudo sudo /bin/sh".

--enable-gss-krb5-ccache-name
    Use the gss_krb5_ccache_name() function to set the Kerberos
    V credential cache file name. By default, sudo will use
    the KRB5CCNAME environment variable to set this. While
    gss_krb5_ccache_name() provides a better API to do this it
    is not supported by all Kerberos V and SASL combinations.

--enable-log-host
    Log the hostname in the log file.

--enable-noargs-shell
    If sudo is invoked with no arguments it acts as if the "-s" flag had
    been given. That is, it runs a shell as root (the shell is determined
    by the SHELL environment variable, falling back on the shell listed
    in the invoking user's /etc/passwd entry).

--enable-shell-sets-home
    If sudo is invoked with the "-s" flag the HOME environment variable
    will be set to the home directory of the target user (which is root
    unless the "-u" option is used). This option effectively makes the
    "-s" flag imply "-H".

--disable-path-info
    Normally, sudo will tell the user when a command could not be found
    in their $PATH. Some sites may wish to disable this as it could
    be used to gather information on the location of executables that
    the normal user does not have access to. The disadvantage is that
    if the executable is simply not in the user's path, sudo will tell
    the user that they are not allowed to run it, which can be confusing.

Shadow password and C2 support
==============================

Shadow passwords (also included with most C2 security packages) are
supported on most major platforms for which they exist. The
`configure' script will attempt to determine if your system can use
shadow passwords and include support for them if so. Shadow password
support is now compiled in by default (it doesn't hurt anything if you
don't have them configured). To disable the shadow password support,
use the --disable-shadow option to configure.

Shadow passwords are known to work on the following platforms:

    SunOS 4.x
    Solaris 2.x
    HP-UX >= 9.x
    Ultrix 4.x
    Digital UNIX
    IRIX >= 5.x
    AIX >= 3.2.x
    ConvexOS with C2 security (not tested recently)
    Linux
    SCO >= 3.2.2
    Pyramid DC/OSx
    UnixWare
    SVR4 (and variants using standard SVR4 shadow passwords)
    4.4BSD based systems (including OpenBSD, NetBSD, FreeBSD, and BSD/OS)
    OS's using SecureWare's C2 security.

OS dependent notes
==================

OpenBSD < 2.2 and NetBSD < 1.2.1:
    The fdesc file system has a bug wrt /dev/tty handling that
    causes sudo to hang at the password prompt. The workaround
    is to run configure with --with-password-timeout=0

Solaris 2.x:
    You need to have a C compiler in order to build sudo.
    Since Solaris 2.x does not come with one by default this
    means that you either need to have purchased the unbundled Sun
    C compiler or have a copy of the GNU C compiler (gcc).
    The SunSoft Catalyst CD should contain gcc binaries for
    Solaris. You can also get them from various places on the
    net, including http://www.sunfreeware.com/
    NOTE: sudo will *not* build with the sun C compiler in BSD
    compatibility mode (/usr/ucb/cc). Sudo is designed to
    compile with the standard C compiler (or gcc) and will
    not build correctly with /usr/ucb/cc. You can use the
    `--with-CC' option to point `configure' to the non-ucb
    compiler if it is not the first cc in your path. Some
    sites link /usr/ucb/cc to gcc; configure will not notice
    this and will still refuse to use /usr/ucb/cc, so make sure gcc
    is also in your path if your site is set up this way.
    Also: Many versions of Solaris come with a broken syslogd.
    If you are having problems with sudo logging you should
    make sure you have the latest syslogd patch installed.
    This is a problem for Solaris 2.4 and 2.5 at least.

AIX 3.2.x:
    I've had various problems with the AIX C compiler producing
    incorrect code when the -O flag was used. When optimization
    is not used, the problems go away. Gcc does not appear
    to have this problem.

    Also, the AIX 3.2.x lex will not work with sudo's parse.lex.
    This should not be a problem as sudo comes shipped with
    a pre-generated lex.yy.c (created by flex). If you want
    to modify the lex tokenizer, make sure you grab a copy of
    flex from ftp.ee.lbl.gov (also available on most GNU mirrors)
    and sudo will use that instead.

Ultrix 4.x:
    Ultrix still ships with the 4.2BSD syslog(3) which does not
    allow things like logging different facilities to different
    files, redirecting logs to a single loghost and other niceties.
    You may want to just grab and install:
        ftp://gatekeeper.dec.com/pub/DEC/jtkohl-syslog-complete.tar.Z
    (available via anonymous ftp) which is a port of the 4.3BSD
    syslog/syslogd that is backwards compatible with the Ultrix version.
    I recommend it highly. If you do not do this you probably want
    to run configure with --with-logging=file

Digital UNIX:
    By default, sudo will use SIA (Security Integration Architecture)
    to validate a user. If you want to use an alternative authentication
    method that does not go through SIA, you need to use the
    --disable-sia option to configure. If you use gcc to compile
    you will get warnings when building interfaces.c. These are
    harmless but if they really bug you, you can edit
    /usr/include/net/if.h around line 123, right after the comment:
        /* forward decls for C++ */
    change the line:
        #ifdef __cplusplus
    to:
        #if defined(__cplusplus) || defined(__GNUC__)
    If you don't like the idea of editing the system header file
    you can just make a copy in gcc's private include tree and
    edit that.

Linux:
    PAM and LDAP headers are not installed by default on most Linux
    systems. You will need to install the "pam-dev" package if
    /usr/include/security/pam_appl.h is not present on your system.
    If you wish to build with LDAP support you will also need the
    openldap-devel package.

    Versions of glibc 2.x previous to 2.0.7 have a broken lsearch().
    You will need to either upgrade to glibc-2.0.7 or use sudo's
    version of lsearch(). To use sudo's lsearch(), comment out
    the "#define HAVE_LSEARCH 1" line in config.h and add lsearch.o
    to the LIBOBJS line in the Makefile.

    If you are using a Linux kernel older than 2.4 it is not possible
    to access the sudoers file via NFS. This is due to a bug in
    the Linux client-side NFS implementation that has since been
    fixed. There is a workaround on the sudo ftp site, linux_nfs.patch,
    if you need to NFS-mount sudoers on older Linux kernels.

Mac OS X:
    It has been reported that for sudo to work on Mac OS X it must
    either be built with the --with-password-timeout=0 option or the
    password timeout must be disabled in the Defaults line in the
    sudoers file. If sudo just hangs when you try to enter a password,
    you need to disable the password timeout (Note: this is not a bug
    in sudo).

SCO ODT:
    You'll probably need libcrypt_i.a available via anonymous ftp
    from sosco.sco.com. The necessary files are /SLS/lng225b.Z
    and /SLS/lng225b.ltr.Z.

Dynix:
    Some people have experienced problems building sudo with gcc
    on Dynix. If you experience problems compiling sudo using gcc
    on Dynix, try using the native compiler (cc). You can do so
    by removing the config.cache file and then re-running configure
    with the --with-CC=cc option.

HP-UX:
    The default C compiler shipped with HP-UX does not support creating
    position independent code and so is unable to support sudo's "noexec"
    functionality. You must use either the HP ANSI C compiler or gcc for
    noexec to work. Binary packages of gcc are available from
    http://hpux.connect.org.uk/ and http://hpux.cs.utah.edu/.

    To prevent PAM from overriding the value of umask on HP-UX 11,
    you will need to add a line like the following to /etc/pam.conf:

        sudo session required libpam_hpsec.so.1 bypass_umask

SunOS 4.x:
    The /bin/sh shipped with SunOS blows up while running configure.
    You can work around this by installing bash or zsh. If you
    have bash or zsh in your path, configure will use it instead
    automatically.
759: automatically.