Annotation of src/usr.bin/sudo/INSTALL, Revision 1.3
Installation instructions for Sudo 1.6.2
========================================

Sudo uses a `configure' script to probe the capabilities and type
of the system in question. In this release, `configure' takes many
more options than it did before. Please read this document fully
before configuring and building sudo. You may also wish to read the
file INSTALL.configure which explains more about the `configure' script.

Simple sudo installation
========================

For most systems and configurations it is possible simply to:

0) If you are upgrading from a previous version of sudo
   please read the info in the UPGRADE file before proceeding.

1) If you previously ran `configure' on a different host
   you will probably want to do a `make distclean' to remove
   the old `config.cache' file. Otherwise, `configure'
   will complain and refuse to run. Alternately, one can
   simply `rm config.cache'.

2) Read the `OS dependent notes' section for any particular
   "gotchas" relating to your operating system.

3) `cd' to the source or build directory and type `./configure'
   to generate a Makefile and config.h file suitable for
   building sudo. Before you actually run configure you
   should read the `Available configure options' section
   to see if there are any special options you may want
   or need. Also of interest may be the section on
   `Mixing password authentication schemes'.

4) Edit the configure-generated Makefile if you wish to
   change any of the default paths (alternately you could
   have changed the paths via options to `configure').

5) Type `make' to compile sudo. If you are building sudo
   in a separate build tree (apart from the sudo source)
   GNU make will probably be required. If `configure' did
   its job properly (and you have a supported configuration)
   there won't be any problems. If this doesn't work, take
   a look at the files TROUBLESHOOTING and PORTING for tips
   on what might have gone wrong. Please mail us if you have a
   fix or if you are unable to come up with a fix (address at EOF).

6) Type `make install' (as root) to install sudo, visudo, the
   man pages, and a skeleton sudoers file. Note that the install
   will not overwrite an existing sudoers file. You can also
   install various pieces of the package via the install-binaries,
   install-man, and install-sudoers make targets.

7) Edit the sudoers file with `visudo' as necessary for your
   site. You will probably want to refer to the sample.sudoers
   file and sudoers man page included with the sudo package.

8) If you want to use syslogd(8) to do the logging, you'll need
   to update your /etc/syslog.conf file. See the sample.syslog.conf
   file included in the distribution for an example.
61:
Available configure options
===========================

This section describes flags accepted by sudo's `configure' script.
Defaults are listed in brackets after the description.

Configuration:
--cache-file=FILE
    Cache test results in FILE

--help
    Print the usage/help info

--no-create
    Do not create output files

--quiet, --silent
    Do not print `checking...' messages

Directory and file names:
--prefix=PREFIX
    Install architecture-independent files in PREFIX. This really only
    applies to man pages. [/usr/local]

--exec-prefix=EPREFIX
    Install architecture-dependent files in EPREFIX. This includes the
    sudo and visudo executables. [same as prefix]

--bindir=DIR
    Install `sudo' in DIR [EPREFIX/bin]

--sbindir=DIR
    Install `visudo' in DIR [EPREFIX/sbin]

--sysconfdir=DIR
    Install `sudoers' file in DIR [/etc]

--mandir=DIR
    Install man pages in DIR [PREFIX/man]

--srcdir=DIR
    Find the sources in DIR [configure dir or ..]

Special features/options:
--with-CC=path
    Specifies the path to the C compiler you wish to use.

--with-incpath
    Adds the specified directories to CPPFLAGS so configure and the
    compiler will look there for include files. Multiple directories
    may be specified as long as they are space separated.
    E.g.: --with-incpath="/usr/local/include /opt/include"

--with-libpath
    Adds the specified directories to SUDO_LDFLAGS and VISUDO_LDFLAGS so
    configure and the compiler will look there for libraries. Multiple
    directories may be specified as with --with-incpath.

--with-libraries
    Adds the specified libraries to SUDO_LIBS and VISUDO_LIBS so sudo
    will link against them. If the library doesn't start with `-l' or end
    in `.a' or `.o' a `-l' will be prepended to it. Multiple libraries may
    be specified as long as they are space separated.

--with-csops
    Add CSOps standard options. You probably aren't interested in this.

--with-skey
    Enable S/Key OTP (One Time Password) support.

--with-opie
    Enable NRL OPIE OTP (One Time Password) support.

--with-SecurID=DIR
    Enable SecurID support. If specified, DIR is the directory containing
    sdiclient.a, sdi_athd.h, sdconf.h, and sdacmvls.h.

--with-fwtk=DIR
    Enable TIS Firewall Toolkit (FWTK) 'authsrv' support. If specified,
    DIR is the base directory containing the compiled FWTK package
    (or at least the library and header files).

--with-kerb4
    Enable Kerberos v4 support. Tested only with the Cygnus Network
    Security package (CNS). This uses Kerberos passphrases for
    authentication but does not use the Kerberos cookie scheme.

--with-kerb5
    Enable Kerberos v5 support. Tested against MIT Kerberos V,
    release 1.1, although also expected to work against CNS. This
    uses Kerberos passphrases for authentication but does not
    use the Kerberos cookie scheme. Will not work for Kerberos V
    older than version 1.1.

--with-authenticate
    Enable support for the AIX 4.x general authentication function.
    This will use the authentication scheme specified for the user
    on the machine.

--with-pam
    Enable PAM support. Tested on Redhat Linux 5.x, 6.0 and
    Solaris 2.6, 7.
    NOTE: on RedHat Linux (and perhaps others) you *must* install
    an /etc/pam.d/sudo file. You may either use the sample.pam
    file included with sudo or use /etc/pam.d/su as a reference.

--with-AFS
    Enable AFS support with Kerberos authentication. Should work under
    AFS 3.3. If your AFS doesn't have -laudit you should be able to
    link without it.

--with-DCE
    Enable DCE support. Known to work on HP-UX 9.X and 10.0. Other
    platforms may require source code and/or `configure' changes.

--disable-sia
    Disable SIA support. This is the "Security Integration Architecture"
    on Digital UNIX. If you disable SIA sudo will use its own
    authentication routines.

--disable-shadow
    Disable shadow password support. Normally, sudo will compile in shadow
    password support and use a shadow password if it exists.

--with-sudoers-mode=mode
    File mode for the sudoers file (octal). Note that if you wish to
    NFS-mount the sudoers file this must be group readable. Also note
    that this is actually set in the Makefile. The default mode is 0440.

--with-sudoers-uid
    User id that "owns" the sudoers file. Note that this is the numeric
    id, *not* the symbolic name. Also note that this is actually set in
    the Makefile. The default is 0.

--with-sudoers-gid
    Group id that "owns" the sudoers file. Note that this is the numeric
    id, *not* the symbolic name. Also note that this is actually set in
    the Makefile. The default is 0.
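
A post-install check for the sudoers mode and owner chosen with the three
options above, and for the syslog.conf entry that step 8 of the installation
asks for. This is an added example, not part of the sudo distribution; the
file paths, the local2 facility and the sample syslog.conf lines are assumptions.

```shell
#!/bin/sh
# Post-install sanity checks for a sudo build.  Added example, not part of
# the sudo distribution.  It verifies the two things this document leaves to
# the administrator: that the installed sudoers file has the mode and owner
# chosen with --with-sudoers-mode/-uid/-gid (default 0440, uid 0, gid 0), and
# that syslog.conf actually routes the facility chosen with --with-logfac.
# All paths and the facility name are assumptions; adjust them for your site.

# check_sudoers_perms FILE MODE UID GID
# Succeeds only if FILE is a regular file whose permission bits match MODE
# exactly and which is owned by UID:GID.  find(1) is used rather than stat(1)
# because stat's output format differs between GNU and BSD systems.  -perm
# without a leading '-' means "exactly these bits"; -user/-group accept
# numeric ids, which is what the --with-sudoers-uid/-gid options take.
check_sudoers_perms() {
    file=$1 mode=$2 uid=$3 gid=$4
    [ -f "$file" ] || return 1
    find "$file" -prune -type f -perm "$mode" -user "$uid" -group "$gid" -print |
        grep -q .
}

# check_syslog_facility CONF FACILITY
# Succeeds if CONF has an active (non-comment) selector that routes FACILITY,
# such as "local2.*", "auth,local2.notice" or the catch-all "*.info".
# A "FACILITY.none" selector only discards messages, so a line carrying one
# does not count.  Without a routing selector sudo's records
# (--with-logging=syslog, the default) silently go nowhere.
check_syslog_facility() {
    conf=$1 fac=$2
    [ -f "$conf" ] || return 1
    # selector prefix: optional comma-separated facility list containing
    # FACILITY (or "*"), followed by the '.' that introduces the priority
    sel="(^|[;[:space:]])([a-z0-9]+,)*($fac|\\*)(,[a-z0-9]+)*\\."
    grep -Ev '^[[:space:]]*#' "$conf" |
        grep -E "$sel(\*|[=!]*[a-z]+)" |
        grep -Evq "${sel}none"
}

# sudo_install_checks SUDOERS MODE UID GID SYSLOGCONF FACILITY
# Runs both checks, reports each failure, and returns the number of failures
# (0 means everything matched).
sudo_install_checks() {
    failed=0
    check_sudoers_perms "$1" "$2" "$3" "$4" ||
        { echo "$1: expected mode $2 owned by $3:$4"; failed=$((failed + 1)); }
    check_syslog_facility "$5" "$6" ||
        { echo "$5: no active selector for facility $6"; failed=$((failed + 1)); }
    return "$failed"
}

# Constructed sample syslog.conf (not the distribution's sample.syslog.conf)
# showing the one line that step 8 asks you to add for --with-logfac=local2.
sample_syslog_conf() {
    cat <<'EOF'
# auth messages from login, su, etc.
auth,authpriv.*         /var/log/auth.log
# sudo, built with --with-logfac=local2 (assumption)
local2.*                /var/log/sudo.log
EOF
}

# Stand-alone usage with the document's defaults, e.g.:
#   sh sudo_install_check.sh /etc/sudoers /etc/syslog.conf local2
if [ $# -eq 3 ]; then
    sudo_install_checks "$1" 0440 0 0 "$2" "$3"
fi
```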
200:
--with-execv
    Use execv() to exec the command instead of execvp(). I can't think of
    a reason to actually do this since execvp() is passed a fully qualified
    pathname but someone might thoroughly distrust execvp(). Note that if
    you define this you lose the ability to exec scripts that are missing
    the '#!/bin/sh' cookie (like /bin/kill on SunOS and /etc/fastboot on
    4.3BSD). This is off by default.

--without-interfaces
    This option keeps sudo from trying to glean the IP address from each
    attached Ethernet interface. It is only useful on a machine where
    sudo's interface reading support does not work, which may be the case
    on some SysV-based OS's using STREAMS.

--without-passwd
    This option disables authentication via the passwd (or shadow) file.
    It should only be used when another, alternate, authentication
    scheme is in use.

--with-editor=path
    Specify the default editor used by visudo (and the only editor used
    unless --with-env-editor is specified). The default is the path
    to vi on your system.

--with-env-editor
    Makes visudo consult the EDITOR and VISUAL environment variables before
    falling back on the default editor. Note that this may create a
    security hole as most editors allow a user to get a shell (which would
    be a root shell and hence, no logging).

The following options are also configurable at runtime:

--with-otp-only
    This option is now just an alias for --without-passwd.

--with-long-otp-prompt
    When validating with a One Time Password scheme (S/Key or OPIE), a
    two-line prompt is used to make it easier to cut and paste the
    challenge to a local window. It's not as pretty as the default but
    some people find it more convenient.

--with-logging=TYPE
    How you want to do your logging. You may choose "syslog", "file",
    or "both". Setting this to "syslog" is nice because you can keep all
    of your sudo logs in one place (see the FAQ). The default is "syslog".

--with-logfac=FACILITY
    Determines which syslog facility to log to. This requires a 4.3BSD
    or later version of syslog. You can still set this for ancient
    syslogs but it will have no effect. The following facilities are
    supported: authpriv (if your OS supports it), auth, daemon, user,
    local0, local1, local2, local3, local4, local5, local6, and local7.

--with-goodpri=PRIORITY
    Determines which syslog priority to log successfully authenticated
    commands. The following priorities are supported: alert, crit,
    debug, emerg, err, info, notice, and warning.

--with-badpri=PRIORITY
    Determines which syslog priority to log unauthenticated commands
    and errors. The following priorities are supported: alert, crit,
    debug, emerg, err, info, notice, and warning.

--with-logpath=path
    Override the default location of the sudo log file and use "path"
    instead. By default will use /var/log/sudo.log if there is a /var/log
    dir, falling back to /var/adm/sudo.log or /usr/adm/sudo.log if not.

--with-loglen
    Number of characters per line for the file log. This is only used if
    you are logging to "file" or "both". This value is used to decide when
    to wrap lines for nicer log files. The default is 80. Setting this to 0
    will disable the wrapping.

--with-ignore-dot
    If set, sudo will ignore '.' or '' (current dir) in $PATH.
    The $PATH itself is not modified.

--with-mailto
    User that mail from sudo is sent to. This should go to a sysadmin at
    your site. The default is "root".

--with-mailsubject
    Subject of the mail sent to the "mailto" user. The token "%h"
    will expand to the hostname of the machine.
    Default is "*** SECURITY information for %h ***".

--without-mail-if-no-user
    Normally, sudo will mail to the "mailto" user if the user invoking
    sudo is not in the sudoers file. This option disables that behavior.

--with-mail-if-no-host
    Send mail to the "mailto" user if the user exists in the sudoers
    file, but is not allowed to run commands on the current host.

--with-mail-if-noperms
    Send mail to the "mailto" user if the user is allowed to use sudo but
    the command they are trying is not listed in their sudoers file entry.

--with-passprompt
    Default prompt to use when asking for a password; can be overridden
    via the -p option and the SUDO_PROMPT environment variable. Supports
    two escapes: "%u" expands to the user's login name and "%h" expands
    to the local hostname. Default is "Password:".

--with-badpass-message
    Message that is displayed if a user enters an incorrect password.
    The default is "Sorry, try again." unless insults are turned on.

--with-fqdn
    Define this if you want to put fully qualified hostnames in the sudoers
    file. I.e., instead of myhost you would use myhost.mydomain.edu. You may
    still use the short form if you wish (and even mix the two). Beware
    that turning FQDN on requires sudo to make DNS lookups which may make
    sudo unusable if your DNS is totally hosed. Also note that you must
    use the host's official name as DNS knows it. That is, you may not use
    a host alias (CNAME entry) due to performance issues and the fact that
    there is no way to get all aliases from DNS.

--with-timedir=path
    Override the default location of the sudo timestamp directory and
    use "path" instead.

--with-sendmail=path
    Override configure's guess as to the location of sendmail.

--without-sendmail
    Do not use sendmail to mail messages to the "mailto" user.
    Use only if you don't run sendmail or the equivalent.

--with-umask
    Umask to use when running the root command. The default is 0022.

--without-umask
    Preserves the umask of the user invoking sudo.

--with-runas-default=user
    The default user to run commands as if the -u flag is not specified
    on the command line. This defaults to "root".

--with-exempt=group
    Users in the specified group don't need to enter a password when
    running sudo. This may be useful for sites that don't want their
    "core" sysadmins to have to enter a password but where Jr. sysadmins
    need to. You should probably use NOPASSWD in sudoers instead.

--with-passwd-tries=tries
    Number of tries a user gets to enter his/her password before sudo logs
    the failure and exits. The default is 3.

--with-timeout=minutes
    Number of minutes that can elapse before sudo will ask for a password
    again. The default is 5, set this to 0 to always prompt for a password.

--with-password-timeout=minutes
    Number of minutes before the sudo password prompt times out.
    The default is 5, set this to 0 for no password timeout.

--with-tty-tickets
    This makes sudo use a different ticket file for each tty (per user).
    I.e., instead of the ticket file being "username" it is "username:tty".
    This is useful for "shared" accounts like "operator". Note that this
    means that there will be more files in the timestamp dir. This is not
    a problem if your system has a cron job to remove old files from /tmp
    (or wherever you specified the timestamp dir to be).

--with-insults
    Define this if you want to be insulted for typing an incorrect password
    just like the original sudo(8). This is off by default.

--with-all-insults
    Include all the insult sets listed below.

--with-classic-insults
    Uses insults from sudo "classic." If you just specify --with-insults
    you will get the classic and CSOps insults. This is on by default if
    --with-insults is given.

--with-csops-insults
    Insults the user with an extra set of insults (some quotes, some
    original) from a sysadmin group at CU (CSOps). You must specify
    --with-insults as well for this to have any effect. This is on by
    default if --with-insults is given.

--with-hal-insults
    Uses 2001-like insults when an incorrect password is entered.
    You must specify --with-insults as well for this to have any effect.

--with-goons-insults
    Insults the user with lines from the "Goon Show" when an incorrect
    password is entered. You must specify --with-insults as well for
    this to have any effect.

--with-secure-path[=path]
    Path used for every command run from sudo(8). If you don't trust the
    people running sudo to have a sane PATH environment variable you may
    want to use this. Another use is if you want to have the "root path"
    be separate from the "user path." You will need to customize the path
    for your site. NOTE: this is not applied to users in the group
    specified by --with-exempt. If you do not specify a path,
    "/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc" is used.

--without-lecture
    Don't print the lecture the first time a user runs sudo.

--disable-authentication
    By default, sudo requires the user to authenticate via a
    password or similar means. This option causes sudo to
    *not* require authentication. It is possible to turn
    authentication back on in sudoers via the PASSWD attribute.

--disable-root-sudo
    Don't let root run sudo. This can be used to prevent people from
    "chaining" sudo commands to get a root shell by doing something
    like "sudo sudo /bin/sh".

--enable-log-host
    Log the hostname in the log file.

--enable-noargs-shell
    If sudo is invoked with no arguments it acts as if the "-s" flag had
    been given. That is, it runs a shell as root (the shell is determined
    by the SHELL environment variable, falling back on the shell listed
    in the invoking user's /etc/passwd entry).

--enable-shell-sets-home
    If sudo is invoked with the "-s" flag the HOME environment variable
    will be set to the home directory of the target user (which is root
    unless the "-u" option is used). This option effectively makes the
    "-s" flag imply "-H".

--disable-path-info
    Normally, sudo will tell the user when a command could not be found
    in their $PATH. Some sites may wish to disable this as it could
    be used to gather information on the location of executables that
    the normal user does not have access to. The disadvantage is that
    if the executable is simply not in the user's path, sudo will tell
    the user that they are not allowed to run it, which can be confusing.
439:
Shadow password and C2 support
==============================

Shadow passwords (also included with most C2 security packages) are
supported on most major platforms for which they exist. The
`configure' script will attempt to determine if your system can use
shadow passwords and include support for them if so. Shadow password
support is now compiled in by default (it doesn't hurt anything if you
don't have them configured). To disable the shadow password support,
use the --disable-shadow option to configure.

Shadow passwords are known to work on the following platforms:

    SunOS 4.x
    Solaris 2.x
    HP-UX >= 9.x
    Ultrix 4.x
    Digital UNIX
    IRIX >= 5.x
    AIX >= 3.2.x
    ConvexOS with C2 security (not tested recently)
    Linux
    SCO >= 3.2.2
    Pyramid DC/OSx
    UnixWare
    SVR4 (and variants using standard SVR4 shadow passwords)
    4.4BSD based systems (including OpenBSD, NetBSD, FreeBSD, and BSD/OS)
    OS's using SecureWare's C2 security.
468:
OS dependent notes
==================

OpenBSD < 2.2 and NetBSD < 1.2.1:
    The fdesc filesystem has a bug wrt /dev/tty handling that
    causes sudo to hang at the password prompt. The workaround
    is to run configure with --with-password-timeout=0

Solaris 2.x:
    You need to have a C compiler in order to build sudo.
    Since Solaris 2.x does not come with one by default this
    means that you either need to have purchased the unbundled Sun
    C compiler or have a copy of the GNU C compiler (gcc).
    The SunSoft Catalyst CD should contain gcc binaries for
    Solaris. You can also get them from various places on the
    net, including http://www.sunfreeware.com/
    NOTE: sudo will *not* build with the Sun C compiler in BSD
    compatibility mode (/usr/ucb/cc). Sudo is designed to
    compile with the standard C compiler (or gcc) and will
    not build correctly with /usr/ucb/cc. You can use the
    `--with-CC' option to point `configure' to the non-ucb
    compiler if it is not the first cc in your path. Some
    sites link /usr/ucb/cc to gcc; configure will not notice
    this and still refuse to use /usr/ucb/cc, so make sure gcc
    is also in your path if your site is set up this way.
    Also: Many versions of Solaris come with a broken syslogd.
    If you are having problems with sudo logging you should
    make sure you have the latest syslogd patch installed.
    This is a problem for Solaris 2.4 and 2.5 at least.

AIX 3.2.x:
    I've had various problems with the AIX C compiler producing
    incorrect code when the -O flag was used. When optimization
    is not used, the problems go away. Gcc does not appear
    to have this problem.

    Also, the AIX 3.2.x lex will not work with sudo's parse.lex.
    This should not be a problem as sudo comes shipped with
    a pre-generated lex.yy.c (created by flex). If you want
    to modify the lex tokenizer, make sure you grab a copy of
    flex from ftp.ee.lbl.gov (also available on most GNU mirrors)
    and sudo will use that instead.

Ultrix 4.x:
    Ultrix still ships with the 4.2BSD syslog(3) which does not
    allow things like logging different facilities to different
    files, redirecting logs to a single loghost and other niceties.
    You may want to just grab and install:
    ftp://gatekeeper.dec.com/pub/DEC/jtkohl-syslog-complete.tar.Z
    (available via anonymous ftp) which is a port of the 4.3BSD
    syslog/syslogd that is backwards compatible with the Ultrix version.
    I recommend it highly. If you do not do this you probably want
    to run configure with --with-logging=file

Digital UNIX:
    By default, sudo will use SIA (Security Integration Architecture)
    to validate a user. If you want to use an alternate authentication
    method that does not go through SIA, you need to use the
    --disable-sia option to configure. If you use gcc to compile
    you will get warnings when building interfaces.c. These are
    harmless but if they really bug you, you can edit
    /usr/include/net/if.h around line 123, right after the comment:
        /* forward decls for C++ */
    change the line:
        #ifdef __cplusplus
    to:
        #if defined(__cplusplus) || defined(__GNUC__)
    If you don't like the idea of editing the system header file
    you can just make a copy in gcc's private include tree and
    edit that.

Linux:
    NOTE: Reportedly, Linux's execvp(3) doesn't always execute
    scripts that lack the "#!/some/shell" header correctly.
    The workaround is to give all your scripts a proper
    header.
    Versions of glibc 2.x previous to 2.0.7 have a broken lsearch().
    You will need to either upgrade to glibc-2.0.7 or use sudo's
    version of lsearch(). To use sudo's lsearch(), comment out
    the "#define HAVE_LSEARCH 1" line in config.h and add lsearch.o
    to the LIBOBJS line in the Makefile.

    It is not possible to access the sudoers file via NFS on Linux.
    This is due to a bug in the Linux client-side NFS implementation.
    It has been fixed in the development kernel but, as of Aug 27, 1999,
    the fixes have not made it into the mainstream kernel.

Mac OS X:
    It has been reported that for sudo to work on Mac OS X it must
    either be built with the --with-password-timeout=0 option or the
    password timeout must be disabled in the Defaults line in the
    sudoers file. If sudo just hangs when you try to enter a password,
    you need to disable the password timeout (Note: this is not a bug
    in sudo).

SCO ODT:
    You'll probably need libcrypt_i.a available via anonymous ftp
    from sosco.sco.com. The necessary files are /SLS/lng225b.Z
    and /SLS/lng225b.ltr.Z.