sudo INSTALL: version 1.1.1.1 (2012/02/21 16:23:01) and
version 1.1.1.5 (2014/06/15 16:12:53).

[...] more options than it did before. Please read this document
before configuring and building sudo. You may also wish to read the
file INSTALL.configure which explains more about the `configure' script.

System requirements
===================

To build sudo from the source distribution you need a POSIX-compliant
operating system (any modern version of BSD, Linux or Unix should work),
an ANSI/ISO C compiler that supports the "long long" type and variadic
macros (a C99 feature), as well as the ar, make and ranlib utilities.

If you wish to modify the parser then you will need flex version
2.5.2 or later and either bison or byacc (sudo comes with a
pre-generated parser). You'll also have to run configure with the
--with-devel option or pass DEVEL=1 to make. You can get flex from
http://flex.sourceforge.net/. You can get GNU bison from
ftp://ftp.gnu.org/pub/gnu/bison/ or any GNU mirror.

Simple sudo installation
========================

For most systems and configurations it is possible simply to:

 1) [...] "gotchas" relating to your operating system.

 2) `cd' to the source or build directory and type `./configure'
    to generate a Makefile and config.h file suitable for building
    sudo. Before you actually run configure you should read the
    `Available configure options' section to see if there are
    any special options you may want or need.

 3) Optionally, edit the configure-generated Makefile if you wish to
    change any of the default paths (alternatively, you can set the
    paths via options to `configure').

 4) Type `make' to compile sudo. If you are building sudo
    in a separate build tree (apart from the sudo source) GNU
    make will probably be required. If `configure' did its job
    properly (and you have a supported configuration) there won't
    be any problems. If this doesn't work, take a look at the
    doc/TROUBLESHOOTING file for tips on what might have gone
    wrong. Please mail us if you have a fix or if you are unable
    to come up with a fix (address at EOF).

 5) Type `make install' (as root) to install sudo, visudo, the
    man pages, and a skeleton sudoers file. Note that the install
    will not overwrite an existing sudoers file. You can also
    install various pieces of the package via the install-binaries,
    install-doc, and install-sudoers make targets.

 6) Edit the sudoers file with `visudo' as necessary for your
    site. You will probably want to refer to the sample.sudoers
    file and sudoers man page included with the sudo package.

 7) If you want to use syslogd(8) to do the logging, you'll need
    to update your /etc/syslog.conf file. See the sample.syslog.conf
    file included in the distribution for an example.

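The steps above as one script, added here as an example and not code from
the sudo distribution: it runs configure, make and make install from a
source tree named in SUDO_SRCDIR, then checks the two things that matter
most after installing a setuid program, namely that the installed sudo is
setuid root (assumed install mode 4755) and that the sudoers file is mode
0440 and owned by root. The /usr/local and /etc paths are the configure
defaults; the check functions take the path and expected owner as
parameters so they can be run against any install.

```shell
#!/bin/sh
# Added example, not part of the sudo distribution.  Runs steps 2, 4 and 5
# above (configure, make, make install) from the source tree named in
# SUDO_SRCDIR, then verifies the install.  Assumptions: the configure
# defaults of PREFIX=/usr/local and sysconfdir=/etc, and an install mode of
# 4755 for the sudo binary; adjust the paths if you configured otherwise.

# First ten columns of "ls -l", e.g. "-rwsr-xr-x".  Works with GNU and
# BSD ls alike, which is why this does not depend on stat(1) formats.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Owner name (third column of "ls -l").
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# sudoers must be a regular file, readable only by owner and group
# (0440, the default --with-sudoers-mode) and owned by the expected user,
# root on a real system.  Returns 0 when every check passes.
sudoers_ok() {
    f=$1
    want_owner=$2
    [ -f "$f" ] || return 1
    [ "$(mode_string "$f")" = "-r--r-----" ] || return 1
    [ "$(owner_of "$f")" = "$want_owner" ] || return 1
    return 0
}

# The sudo binary must carry the setuid bit (shown as "s"), be executable
# by everyone (4755 -> "-rwsr-xr-x") and be owned by the expected user:
# a setuid binary owned by anyone but root cannot grant root, and one
# without the bit cannot switch users at all.
sudo_binary_ok() {
    b=$1
    want_owner=$2
    [ -f "$b" ] || return 1
    [ -u "$b" ] || return 1
    [ "$(mode_string "$b")" = "-rwsr-xr-x" ] || return 1
    [ "$(owner_of "$b")" = "$want_owner" ] || return 1
    return 0
}

# configure / make / make install (as root), then verify.  The hardening
# options are on by default; --enable-pie is passed explicitly because it
# is only the default on Linux.
build_and_install() {
    srcdir=$1
    prefix=${2:-/usr/local}
    ( cd "$srcdir" &&
      ./configure --prefix="$prefix" --enable-pie &&
      make &&
      make install ) || return 1
    sudo_binary_ok "$prefix/bin/sudo" root || return 1
    sudoers_ok /etc/sudoers root || return 1
    return 0
}

# Only build when a source tree is named, so the check functions can be
# sourced on their own (". ./build-sudo.sh" and then, for instance,
# "sudo_binary_ok /usr/local/bin/sudo root" to audit an existing install).
if [ -n "${SUDO_SRCDIR:-}" ]; then
    if build_and_install "$SUDO_SRCDIR" "${PREFIX:-/usr/local}"; then
        echo "sudo installed and verified"
    else
        echo "sudo install failed verification" >&2
        exit 1
    fi
fi
```

The mode check deliberately compares the full ls(1) permission string
rather than testing single bits, so a sudoers file that is world readable
or a sudo binary that is group writable both fail the check.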
Configuration:
  --quiet, --silent, -q
      Do not print `checking...' messages

  --srcdir=DIR
      Find the sources in DIR [configure dir or `..']

Directory and file names:
  --prefix=PREFIX
      Install architecture-independent files in PREFIX. [/usr/local]

  --exec-prefix=EPREFIX
      Install architecture-dependent files in EPREFIX.
      This includes the executables and plugins. [same as PREFIX]

  --bindir=DIR
      Install `sudo', `sudoedit' and `sudoreplay' in DIR. [EPREFIX/bin]

  --sbindir=DIR
      Install `visudo' in DIR. [EPREFIX/sbin]

  --libexecdir=DIR
      Install plugins and helper programs in DIR/sudo [PREFIX/libexec/sudo]

  --sysconfdir=DIR
      Look for `sudo.conf' and `sudoers' files in DIR. [/etc]

  --includedir=DIR
      Install sudo_plugin.h include file in DIR [PREFIX/include]

  --datarootdir=DIR
      Root directory for platform-independent data files [PREFIX/share]

  --localedir=DIR
      Install sudo and sudoers locale files in DIR [DATAROOTDIR/locale]

  --mandir=DIR
      Install man pages in DIR [PREFIX/man]

  --docdir=DIR
      Install other sudo documentation in DIR [DATAROOTDIR/doc/sudo]

  --with-plugindir=DIR
      Set the directory that sudo looks in to find the policy and I/O
      logging plugins. Defaults to LIBEXEC/sudo.

  --with-rundir=DIR
      Set the directory to be used for sudo-specific files that
      do not survive a system reboot. This is typically where
      the time stamp directory is located. By default, configure
      will use the first existing directory in the following list:
      /var/run, /var/db, /var/lib, /var/adm, /usr/adm
      This directory should be cleared when the system reboots.
      On systems that lack /var/run, the default rundir and vardir
      may be the same. In this case, only the ts directory inside
      the rundir needs to be cleared at boot time.

  --with-vardir=DIR
      Set the directory to be used for sudo-specific files that
      survive a system reboot. This is typically where the lecture
      status directory is stored. By default, configure will use
      the first existing directory in the following list:
      /var/db, /var/lib, /var/adm, /usr/adm
      This directory should not be cleared when the system boots.

Compilation options:
  --disable-hardening
      Disable the use of compiler/linker exploit mitigation options
      which are enabled by default. This includes compiling with
      _FORTIFY_SOURCE defined to 2, building with -fstack-protector
      and linking with -zrelro, where supported.

  --enable-pie
      Build sudo and related programs as position independent
      executables (PIE). This improves the effectiveness of address
      space layout randomization (ASLR) on systems that support it.
      Sudo will create PIE binaries by default on Linux systems.

  --disable-pie
      Disable the creation of position independent executables (PIE),
      even if the compiler creates PIE binaries by default. This
      option may be needed on some Linux systems where PIE binaries
      are not fully supported.

  --disable-poll
      Use select() instead of poll() in the event loop. By default,
      sudo will use poll() on systems that support it. Some systems
      have a broken poll() implementation and need to use select()
      instead. On Mac OS X, select() is always used since its poll()
      doesn't support devices.

  --disable-rpath
      By default, configure will use -Rpath in addition to -Lpath
      when passing library paths to the loader. This option will
      disable the use of -Rpath.

  --disable-shared
      Disable dynamic shared object support. By default, sudo
      is built with a plugin API capable of loading arbitrary
      policy and I/O logging plugins. If the --disable-shared
      option is specified, this support is disabled and the default
      sudoers policy and I/O plugins are embedded in the sudo
      binary itself. This will also disable the noexec option
      as it too relies on dynamic shared object support.

  --enable-static-sudoers
      By default, the sudoers plugin is built and installed as a
      dynamic shared object. When the --enable-static-sudoers
      option is specified, the sudoers plugin is compiled directly
      into the sudo binary. Unlike --disable-shared, this does
      not prevent other plugins from being used and the noexec
      option will continue to function.

  --enable-zlib[=location]
      Enable the use of the zlib compress library when storing
      I/O log files. If specified, location is the base directory
      containing the zlib include and lib directories. The special
      values "system" and "builtin" can be used to indicate that
      the system version of zlib should be used or that the version
      of zlib shipped with sudo should be used instead.
      If this option is not specified, configure will use the
      system zlib if it is present.

  --with-incpath=DIR
      Adds the specified directory (or directories) to CPPFLAGS
      so configure and the compiler will look there for include
      files. Multiple directories may be specified as long as
      they are space separated.
      E.g. --with-incpath="/usr/local/include /opt/include"

  --with-libpath=DIR
      Adds the specified directory (or directories) to LDFLAGS
      so configure and the compiler will look there for libraries.
      Multiple directories may be specified as with --with-incpath.

  --with-rpath
      Tells configure to use -Rpath in addition to -Lpath when
      passing library paths to the loader. This option is on
      by default for Solaris and SVR4.

  --with-blibpath[=PATH]
      Tells configure to construct a -blibpath argument to the
      loader. If a PATH is specified, it will be used as the
      base. Otherwise, "/usr/lib:/lib:/usr/local/lib" will be
      used for gcc and "/usr/lib:/lib" for non-gcc. Additional
      library paths will be appended as needed by configure.
      This option is only valid for AIX where it is on by default.

  --with-libraries=LIBRARY
      Adds the specified library (or libraries) to SUDO_LIBS and
      VISUDO_LIBS so sudo will link against them. If the
      library doesn't start with `-l' or end in `.a' or `.o' a
      `-l' will be prepended to it. Multiple libraries may be
      specified as long as they are space separated.

  --with-libtool=PATH
      By default, sudo will use the included version of libtool
      to build shared libraries. The --with-libtool option can
      be used to specify a different version of libtool to use.
      The special values "system" and "builtin" can be used in
      place of a path to denote the default system libtool (obtained
      via the user's PATH) and the default libtool that comes
      with sudo.

Optional features:
  --disable-root-mailer
      By default sudo will run the mailer as root when tattling
      on a user so as to prevent that user from killing the mailer.
      With this option, sudo will run the mailer as the invoking
      user which some people consider to be safer.

  --enable-nls[=location]
      Enable natural language support using the gettext() family
      of functions. If specified, location is the base directory
      containing the libintl include and lib directories. If
      this option is not specified, configure will look for the
      gettext() family of functions in the standard C library
      first, then check for a standalone libintl (linking with
      libiconv as needed).

  --disable-nls
      Disable natural language support. By default, sudo will
      use the gettext() family of functions, if available, to
      implement messages in the invoking user's native language.
      Note that translations do not exist for all languages.

  --with-csops
      Add CSOps standard options. You probably aren't interested in this.

  --with-kerb4[=DIR]
      Enable Kerberos IV support. If specified, DIR is the base
      directory containing the Kerberos IV include and lib dirs.
      This uses Kerberos passphrases for authentication but does
      not use the Kerberos cookie scheme.

  --with-ldap[=DIR]
      Enable LDAP support. If specified, DIR is the base directory
      containing the LDAP include and lib directories. Please see
      [...]

  [...]
      [...] this file instead of /etc/ldap.secret to read the secret
      password when rootbinddn is specified in the ldap config file.

  --with-logincap
      This adds support for login classes specified in /etc/login.conf.
      It is enabled by default on BSD/OS, Darwin, FreeBSD, OpenBSD and
      NetBSD (where available). By default, a login class is not applied
      unless the 'use_loginclass' option is defined in sudoers or the user
      specifies a class on the command line.

  --with-interfaces=no, --without-interfaces
      This option keeps sudo from trying to glean the IP address
      from each attached Ethernet interface. It is only useful
      on a machine where sudo's interface reading support does
      not work, which may be the case on some SysV-based OS's
      using STREAMS.

  --with-noexec[=PATH]
      Enable support for the "noexec" functionality which prevents
      a dynamically-linked program being run by sudo from executing
      another program (think shell escapes). Please see the
      "PREVENTING SHELL ESCAPES" section in the sudoers man page
      for details. If specified, PATH should be a fully qualified
      path name, e.g. /usr/local/libexec/sudo_noexec.so. If PATH
      is "no", noexec support will not be compiled in. The default
      is to compile noexec support if libtool supports building
      shared objects on your OS.

  --with-selinux
      Enable support for role based access control (RBAC) on
      systems that support SELinux.

  --with-sssd
      Enable support for using the System Security Services Daemon
      (SSSD) as a sudoers data source. For more information on
      SSSD, see http://fedorahosted.org/sssd/

  --with-sssd-lib=PATH
      Specify the path to the SSSD shared library, which is loaded
      at run-time.

Operating system-specific options:
  --disable-setreuid
      Disable use of the setreuid() function for operating systems
      where it is broken. For instance, 4.4BSD has a setreuid()
      that is not fully functional.

  --disable-setresuid
      Disable use of the setresuid() function for operating systems
      where it is broken (none currently known).

  --enable-admin-flag
      Enable the creation of an Ubuntu-style admin flag file
      the first time sudo is run.

  --with-bsm-audit
      Enable support for sudo BSM audit logs on systems that support it.
      This includes recent versions of FreeBSD, Mac OS X and Solaris.

  --with-linux-audit
      Enable audit support for Linux systems. Audits attempts
      to run a command as well as SELinux role changes.

  --with-man
      Use the "man" macros for manual pages. By default, mdoc versions
      of the manuals are installed if supported. This can be used to
      override configure's test for "nroff -mdoc" support.

  --with-mdoc
      Use the "mdoc" macros for manual pages. By default, mdoc versions
      of the manuals are installed if supported. This can be used to
      override configure's test for "nroff -mdoc" support.

  --with-netsvc[=PATH]
      Path to netsvc.conf or "no" to disable netsvc.conf support.
      If specified, sudo uses this file instead of /etc/netsvc.conf
      on AIX systems. If netsvc support is disabled but LDAP is
      enabled, sudo will check LDAP first, then the sudoers file.

  --with-nsswitch[=PATH]
      Path to nsswitch.conf or "no" to disable nsswitch support.
      If specified, sudo uses this file instead of /etc/nsswitch.conf.
      If nsswitch support is disabled but LDAP is enabled, sudo will
      check LDAP first, then the sudoers file.

  --with-project
      Enable support for Solaris project resource limits.
      This option is only available on Solaris 9 and above.

Authentication options:
  --with-AFS
      Enable AFS support with Kerberos authentication. Should work under
      AFS 3.3. If your AFS doesn't have -laudit you should be able to
      link without it.

  --with-aixauth
      Enable support for the AIX 4.x general authentication function.
      This will use the authentication scheme specified for the user
      on the machine. It is on by default for AIX systems that
      support it.

  --with-bsdauth
      Enable support for BSD authentication. This is the default
      for BSD/OS and OpenBSD systems that support it.
      It is not possible to mix BSD authentication with other
      authentication methods (and there really should be no need
      to do so). Note that only the newer BSD authentication API
      is supported. If you don't have /usr/include/bsd_auth.h
      then you cannot use this.

  --with-DCE
      Enable DCE support for systems without PAM. Known to work on
      HP-UX 9.X, 10.X, and 11.0; other systems may require source
      code and/or `configure' changes. On systems with PAM support
      (such as HP-UX 11.0 and higher, Solaris, FreeBSD and Linux), the
      DCE PAM module (usually libpam_dce) should be used instead.

  --with-fwtk[=DIR]
      Enable TIS Firewall Toolkit (FWTK) 'authsrv' support. If specified,
      DIR is the base directory containing the compiled FWTK package
      (or at least the library and header files).

  --with-kerb5[=DIR]
      Enable Kerberos V support. If specified, DIR is the base
      directory containing the Kerberos V include and lib dirs.
      This uses Kerberos pass phrases for authentication but
      does not use the Kerberos cookie scheme. Will not work for
      Kerberos V older than version 1.1.

  --enable-kerb5-instance=string
      By default, the user name is used as the principal name
      when authenticating via Kerberos V. If this option is
      enabled, the specified instance string will be appended to
      the user name (separated by a slash) when creating the
      principal name.

  --with-opie[=DIR]
      Enable NRL OPIE OTP (One Time Password) support. If specified,
      DIR should contain include and lib directories with opie.h
      and libopie.a respectively.

  --with-otp-only
      This option is now just an alias for --without-passwd.

  --with-pam
      Enable PAM support. This is on by default for Darwin, FreeBSD,
      Linux, Solaris and HP-UX (version 11 and higher).

  [...]
      [...] option from "sudo" to "sudo-i", allowing for a separate pam
      configuration for sudo's initial login mode.

  --disable-pam-session
      Disable sudo's PAM session support. This may be needed on
      older PAM implementations or on operating systems where
      opening a PAM session changes the utmp or wtmp files. If
      PAM session support is disabled, resource limits may not
      be updated for the command being run.

  --with-passwd=no, --without-passwd
      This option excludes authentication via the passwd (or
      shadow) file. It should only be used when another, alternative,
      authentication scheme is in use.

  --with-SecurID[=DIR]
      Enable SecurID support. If specified, DIR is the directory
      containing libaceclnt.a, acexport.h, and sdacmvls.h. (The
      1.1.1.1 revision of this file listed sdiclient.a, sdi_athd.h,
      sdconf.h, and sdacmvls.h instead.)

  --with-skey[=DIR]
      Enable S/Key OTP (One Time Password) support. If specified,
      DIR should contain include and lib directories with skey.h
      and libskey.a respectively.

  --disable-sia
      Disable SIA support. This is the "Security Integration
      [...]

  [...]
      [...] in shadow password support and use a shadow password if it
      exists.

  --enable-gss-krb5-ccache-name
      Use the gss_krb5_ccache_name() function to set the Kerberos
      V credential cache file name. By default, sudo will use
      the KRB5CCNAME environment variable to set this. While
      gss_krb5_ccache_name() provides a better API to do this it
      is not supported by all Kerberos V and SASL combinations.

Sudoers file ownership and mode:
  --with-sudoers-mode=MODE
      File mode for the sudoers file (octal). Note that if you
      wish to NFS-mount the sudoers file this must be group
      readable. Also note that this is actually set in the
      Makefile. The default mode is 0440.

  --with-sudoers-uid=UID
      User id that "owns" the sudoers file. Note that this is
      the numeric id, *not* the symbolic name. Also note that
      this is actually set in the Makefile. The default is 0.

  --with-sudoers-gid=GID
      Group id that "owns" the sudoers file. Note that this is
      the numeric id, *not* the symbolic name. Also note that
      this is actually set in the Makefile. The default is 0.

  --with-stow
      Properly handle GNU stow packaging. The sudoers file will
      physically live in ${prefix}/etc and /etc/sudoers will be
      a symbolic link.

Development options:
  --enable-env-debug
      Enable debugging of the environment setting functions. This
      enables extra checks to make sure the environment does not
      become corrupted.

  --enable-warnings
      Enable compiler warnings when building sudo with gcc.

  --enable-werror
      Enable the -Werror compiler option when building sudo with gcc.

  --with-devel
      Configure development options. This will enable compiler warnings
      and set up the Makefile to be able to regenerate the sudoers parser
      as well as the manual pages.

  --with-efence
      Link with the "electric fence" debugging malloc.

Options that set runtime-changeable default values:
  --disable-authentication
      By default, sudo requires the user to authenticate via a
      password or similar means. This option causes sudo to
      *not* require authentication. It is possible to turn
      authentication back on in sudoers via the PASSWD attribute.
      Sudoers option: !authenticate

  --disable-env-reset
      Disable environment resetting. This sets the default value
      of the "env_reset" Defaults option in sudoers to false.
      Sudoers option: !env_reset

  --disable-path-info
      Normally, sudo will tell the user when a command could not be found
      in their $PATH. Some sites may wish to disable this as it could
      be used to gather information on the location of executables that
      the normal user does not have access to. The disadvantage is that
      if the executable is simply not in the user's path, sudo will tell
      the user that they are not allowed to run it, which can be confusing.
      Sudoers option: path_info

  --disable-root-sudo
      Don't let root run sudo. This can be used to prevent people from
      "chaining" sudo commands to get a root shell by doing something
      like "sudo sudo /bin/sh".
      Sudoers option: !root_sudo

  --disable-zlib
      Disable the use of the zlib compress library when storing
      I/O log files.
      Sudoers option: !compress_io

  --enable-log-host
      Log the hostname in the log file.
      Sudoers option: log_host

  --enable-noargs-shell
      If sudo is invoked with no arguments it acts as if the "-s" flag had
      been given. That is, it runs a shell as root (the shell is determined
      by the SHELL environment variable, falling back on the shell listed
      in the invoking user's /etc/passwd entry).
      Sudoers option: shell_noargs

  --enable-shell-sets-home
      If sudo is invoked with the "-s" flag the HOME environment variable
      will be set to the home directory of the target user (which is root
      unless the "-u" option is used). This option effectively makes the
      "-s" flag imply "-H".
      Sudoers option: set_home

  --with-all-insults
      Include all the insult sets listed below. You must either specify
      --with-insults or enable insults in the sudoers file for this to
      have any effect.

  --with-askpass=PATH
      Set PATH as the "askpass" program to use when no tty is
      available. Typically, this is a graphical password prompter,
      similar to the one used by ssh. The program must take a
      prompt as an argument and print the received password to
      the standard output. This value may be overridden at run-time
      in the sudo.conf file.

  --with-badpass-message="BAD PASSWORD MESSAGE"
      Message that is displayed if a user enters an incorrect password.
      The default is "Sorry, try again." unless insults are turned on.
      Sudoers option: badpass_message

  --with-badpri=PRIORITY
      Determines which syslog priority to log unauthenticated
      [...]

  --with-goodpri=PRIORITY
      Determines which syslog priority to log successfully
      authenticated commands. The following priorities are
      supported: alert, crit, debug, emerg, err, info, notice,
      and warning.

  --with-logfac=FACILITY
      Determines which syslog facility to log to. This requires
      a 4.3BSD or later version of syslog. You can still set
      this for ancient syslogs but it will have no effect. The
      following facilities are supported: authpriv (if your OS
      supports it), auth, daemon, user, local0, local1, local2,
      local3, local4, local5, local6, and local7.

  --with-logging=TYPE
      How you want to do your logging. You may choose "syslog",
      "file", or "both". Setting this to "syslog" is nice because
      you can keep all of your sudo logs in one place (see the
      sample.syslog.conf file). The default is "syslog".

  --with-long-otp-prompt
      When validating with a One Time Password scheme (S/Key or
      OPIE), a two-line prompt is used to make it easier to cut
      and paste the challenge to a local window. It's not as
      pretty as the default but some people find it more convenient.
Determines which syslog priority to log unauthenticated |
commands and errors. The following priorities are supported: |
commands and errors. The following priorities are supported: |
alert, crit, debug, emerg, err, info, notice, and warning. |
alert, crit, debug, emerg, err, info, notice, and warning. |
|
Sudoers option: syslog_badpri |
|
|
--with-logpath=PATH | --with-classic-insults |
Override the default location of the sudo log file and use | Uses insults from sudo "classic." If you just specify --with-insults |
"path" instead. By default will use /var/log/sudo.log if | you will get the classic and CSOps insults. This is on by default if |
there is a /var/log dir, falling back to /var/adm/sudo.log | --with-insults is given. |
or /usr/adm/sudo.log if not. | |
|
|
--with-loglen=NUMBER | --with-csops-insults |
Number of characters per line for the file log. This is only used if | Insults the user with an extra set of insults (some quotes, some |
you are to "file" or "both". This value is used to decide when to wrap | original) from a sysadmin group at CU (CSOps). You must specify |
lines for nicer log files. The default is 80. Setting this to 0 | --with-insults as well for this to have any effect. This is on by |
will disable the wrapping. | default if --with-insults is given. |
|
|
--with-ignore-dot | --with-editor=PATH |
If set, sudo will ignore '.' or '' (current dir) in $PATH. | Specify the default editor path for use by visudo. This may be a |
The $PATH itself is not modified. | single path name or a colon-separated list of editors. In the latter |
| case, visudo will choose the editor that matches the user's VISUAL |
| or EDITOR environment variables or the first editor in the list that |
| exists. The default is the path to vi on your system. |
| Sudoers option: editor |
|
|
--with-mailto=USER|MAIL_ALIAS | --with-env-editor |
User (or mail alias) that mail from sudo is sent to. | Makes visudo consult the VISUAL and EDITOR environment variables before |
This should go to a sysadmin at your site. The default is "root". | falling back on the default editor list (as specified by --with-editor). |
| Note that this may create a security hole as it allows the user to |
| run any arbitrary command as root without logging. A safer alternative |
| is to use a colon-separated list of editors with the --with-editor |
| option. visudo will then only use the VISUAL or EDITOR variables |
| if they match a value specified via --with-editor. |
| Sudoers option: env_editor |
|
|
--with-mailsubject="SUBJECT OF MAIL" | --with-exempt=GROUP |
Subject of the mail sent to the "mailto" user. The token "%h" | Users in the specified group don't need to enter a password when |
will expand to the hostname of the machine. | running sudo. This may be useful for sites that don't want their |
Default is "*** SECURITY information for %h ***". | "core" sysadmins to have to enter a password but where Jr. sysadmins |
| need to. You should probably use NOPASSWD in sudoers instead. |
| Sudoers option: exempt_group |
|
|
--without-mail-if-no-user |
|
Normally, sudo will mail to the "alertmail" user if the user invoking |
|
sudo is not in the sudoers file. This option disables that behavior. |
|
|
|
--with-mail-if-no-host |
|
Send mail to the "alermail" user if the user exists in the sudoers |
|
file, but is not allowed to run commands on the current host. |
|
|
|
--with-mail-if-noperms |
|
Send mail to the "alermail" user if the user is allowed to use sudo but |
|
the command they are trying is not listed in their sudoers file entry. |
|
|
|
--with-passprompt="PASSWORD PROMPT" |
|
Default prompt to use when asking for a password; can be overridden |
|
via the -p option and the SUDO_PROMPT environment variable. Supports |
|
the "%H", "%h", "%U" and "%u" escapes as documented in the sudo |
|
manual page. The default value is "Password:". |
|
|
|
--with-badpass-message="BAD PASSWORD MESSAGE" |
|
Message that is displayed if a user enters an incorrect password. |
|
The default is "Sorry, try again." unless insults are turned on. |
|
|
|
--with-fqdn |
--with-fqdn |
Define this if you want to put fully qualified hostnames in the sudoers | Define this if you want to put fully qualified host names in the sudoers |
file. Ie: instead of myhost you would use myhost.mydomain.edu. You may |
file. Ie: instead of myhost you would use myhost.mydomain.edu. You may |
still use the short form if you wish (and even mix the two). Beware |
still use the short form if you wish (and even mix the two). Beware |
that turning FQDN on requires sudo to make DNS lookups which may make |
that turning FQDN on requires sudo to make DNS lookups which may make |
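Review bot: the new right-hand text carries two grammar slips and one inconsistent cross-reference. Under --disable-authentication, "This options causes sudo to" should read "This option causes sudo to" (the old left-hand column has the same typo under its own --disable-authentication entry, so it was copied rather than fixed). Under --with-askpass, "This value may overridden at run-time in the sudo.conf file" is missing "be". Under --disable-path-info, "Sudoers option: path_info" names the option that this configure flag turns off; the neighbouring disabling entries write the negated form ("Sudoers option: !env_reset", "!root_sudo", "!compress_io"), so this line should be "Sudoers option: !path_info" for consistency.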
Line 441 The following options are also configurable at runtime
|
Line 606 The following options are also configurable at runtime
|
use the host's official name as DNS knows it. That is, you may not use |
use the host's official name as DNS knows it. That is, you may not use |
a host alias (CNAME entry) due to performance issues and the fact that |
a host alias (CNAME entry) due to performance issues and the fact that |
there is no way to get all aliases from DNS. |
there is no way to get all aliases from DNS. |
|
Sudoers option: fqdn |
|
|
--with-timedir=PATH | --with-goodpri=PRIORITY |
Override the default location of the sudo timestamp directory and | Determines which syslog priority to log successfully |
use "path" instead. | authenticated commands. The following priorities are |
| supported: alert, crit, debug, emerg, err, info, notice, |
| and warning. |
| Sudoers option: syslog_goodpri |
|
|
--with-sendmail=PATH | --with-goons-insults |
Override configure's guess as to the location of sendmail. | Insults the user with lines from the "Goon Show" when an incorrect |
| password is entered. You must either specify --with-insults or |
| enable insults in the sudoers file for this to have any effect. |
|
|
--without-sendmail | --with-hal-insults |
Do not use sendmail to mail messages to the "mailto" user. | Uses 2001-like insults when an incorrect password is entered. |
Use only if don't run sendmail or the equivalent. | You must either specify --with-insults or enable insults in the |
| sudoers file for this to have any effect. |
|
|
--with-umask=MASK | --with-ignore-dot |
Umask to use when running the root command. The default is 0022. | If set, sudo will ignore '.' or '' (current dir) in $PATH. |
| The $PATH itself is not modified. |
| Sudoers option: ignore_dot |
|
|
--without-umask | --with-insults |
Preserves the umask of the user invoking sudo. | Define this if you want to be insulted for typing an incorrect password |
| just like the original sudo(8). This is off by default. |
| Sudoers option: insults |
|
|
--with-umask-override | --with-insults=disabled |
Use the umask specified in sudoers even if it is less restrictive | Include support for insults but disable them unless explicitly |
than the user's. The default is to use the intersection of the | enabled in sudoers. |
user's umask and the umask specified in sudoers. | Sudoers option: !insults |
|
|
--with-runas-default=USER | --with-iologdir[=DIR] |
The default user to run commands as if the -u flag is not specified | By default, sudo stores I/O log files in either /var/log/sudo-io, |
on the command line. This defaults to "root". | /var/adm/sudo-io, or /usr/log/sudo-io. If this option is |
| specified, I/O logs will be stored in the indicated directory |
| instead. |
| Sudoers option: iolog_dir |
|
|
--with-exempt=GROUP | --with-lecture=no, --without-lecture |
Users in the specified group don't need to enter a password when | Don't print the lecture the first time a user runs sudo. |
running sudo. This may be useful for sites that don't want their | Sudoers option: !lecture |
"core" sysadmins to have to enter a password but where Jr. sysadmins | |
need to. You should probably use NOPASSWD in sudoers instead. | |
|
|
--with-passwd-tries=NUMBER | --with-logfac=FACILITY |
Number of tries a user gets to enter his/her password before sudo logs | Determines which syslog facility to log to. This requires |
the failure and exits. The default is 3. | a 4.3BSD or later version of syslog. You can still set |
| this for ancient syslogs but it will have no effect. The |
| following facilities are supported: authpriv (if your OS |
| supports it), auth, daemon, user, local0, local1, local2, |
| local3, local4, local5, local6, and local7. |
| Sudoers option: syslog |
|
|
--with-timeout=NUMBER | --with-logging=TYPE |
Number of minutes that can elapse before sudo will ask for a passwd | How you want to do your logging. You may choose "syslog", |
again. The default is 5, set this to 0 to always prompt for a password. | "file", or "both". Setting this to "syslog" is nice because |
| you can keep all of your sudo logs in one place (see the |
| sample.syslog.conf file). The default is "syslog". |
| Sudoers options: syslog and logfile |
|
|
--with-password-timeout=NUMBER | --with-loglen=NUMBER |
Number of minutes before the sudo password prompt times out. | Number of characters per line for the file log. This is only used if |
The default is 5, set this to 0 for no password timeout. | you are to "file" or "both". This value is used to decide when to wrap |
| lines for nicer log files. The default is 80. Setting this to 0 |
| will disable the wrapping. |
| Sudoers options: loglinelen |
|
|
--without-tty-tickets | --with-logpath=PATH |
By default, sudo uses a different ticket file for each user/tty combo. | Override the default location of the sudo log file and use |
With this option disabled, a single ticket will be used for all | "path" instead. By default will use /var/log/sudo.log if |
of a user's login sessions. | there is a /var/log dir, falling back to /var/adm/sudo.log |
| or /usr/adm/sudo.log if not. |
| Sudoers option: logfile |
|
|
--with-insults | --with-long-otp-prompt |
Define this if you want to be insulted for typing an incorrect password | When validating with a One Time Password scheme (S/Key or |
just like the original sudo(8). This is off by default. | OPIE), a two-line prompt is used to make it easier to cut |
| and paste the challenge to a local window. It's not as |
| pretty as the default but some people find it more convenient. |
| Sudoers option: long_otp_prompt |
|
|
--with-insults=disabled | --with-mail-if-no-user=no, --without-mail-if-no-user |
Include support for insults but disable them unless explicitly | Normally, sudo will mail to the "alertmail" user if the user invoking |
enabled in sudoers. | sudo is not in the sudoers file. This option disables that behavior. |
| Sudoers option: mail_no_user |
|
|
--with-all-insults | --with-mail-if-no-host |
Include all the insult sets listed below. You must either specify | Send mail to the "alermail" user if the user exists in the sudoers |
--with-insults or enable insults in the sudoers file for this to | file, but is not allowed to run commands on the current host. |
have any effect. | Sudoers option: mail_no_host |
|
|
--with-classic-insults | --with-mail-if-noperms |
Uses insults from sudo "classic." If you just specify --with-insults | Send mail to the "alermail" user if the user is allowed to use sudo but |
you will get the classic and CSOps insults. This is on by default if | the command they are trying is not listed in their sudoers file entry. |
--with-insults is given. | Sudoers option: mail_no_perms |
|
|
--with-csops-insults | --with-mailsubject="SUBJECT OF MAIL" |
Insults the user with an extra set of insults (some quotes, some | Subject of the mail sent to the "mailto" user. The token "%h" |
original) from a sysadmin group at CU (CSOps). You must specify | will expand to the hostname of the machine. |
--with-insults as well for this to have any effect. This is on by | Default is "*** SECURITY information for %h ***". |
default if --with-insults is given. | Sudoers option: mailsub |
|
|
--with-hal-insults | --with-mailto=USER|MAIL_ALIAS |
Uses 2001-like insults when an incorrect password is entered. | User (or mail alias) that mail from sudo is sent to. |
You must either specify --with-insults or enable insults in the | This should go to a sysadmin at your site. The default is "root". |
sudoers file for this to have any effect. | Sudoers option: mailto |
|
|
--with-goons-insults | --with-passprompt="PASSWORD PROMPT" |
Insults the user with lines from the "Goon Show" when an incorrect | Default prompt to use when asking for a password; can be overridden |
password is entered. You must either specify --with-insults or | via the -p option and the SUDO_PROMPT environment variable. Supports |
enable insults in the sudoers file for this to have any effect. | the "%H", "%h", "%U" and "%u" escapes as documented in the sudo |
| manual page. The default value is "Password:". |
| Sudoers option: passprompt |
|
|
|
--with-password-timeout=NUMBER |
|
Number of minutes before the sudo password prompt times out. |
|
The default is 5, set this to 0 for no password timeout. |
|
Sudoers option: passwd_timeout |
|
|
|
--with-passwd-tries=NUMBER |
|
Number of tries a user gets to enter his/her password before sudo logs |
|
the failure and exits. The default is 3. |
|
Sudoers option: passwd_tries |
|
|
--with-pc-insults |
--with-pc-insults |
Replace politically incorrect insults with less objectionable ones. |
Replace politically incorrect insults with less objectionable ones. |
|
|
|
--with-runas-default=USER |
|
The default user to run commands as if the -u flag is not specified |
|
on the command line. This defaults to "root". |
|
Sudoers option: runas_default |
|
|
--with-secure-path[=PATH] |
--with-secure-path[=PATH] |
Path used for every command run from sudo(8). If you don't trust the |
Path used for every command run from sudo(8). If you don't trust the |
people running sudo to have a sane PATH environment variable you may |
people running sudo to have a sane PATH environment variable you may |
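Review bot: the recipient of sudo's mail is named three different ways in this hunk: "alertmail" under --with-mail-if-no-user, "alermail" under --with-mail-if-no-host and --with-mail-if-noperms, and "mailto" under --with-mailsubject and --with-mailto. Only --with-mailto exists as a configure option, so the first three entries should say the "mailto" user, as --with-mailsubject already does ("Subject of the mail sent to the "mailto" user"). Smaller fixes in the new column: under --with-loglen, "This is only used if you are to "file" or "both"" has lost a word and should read "if you are logging to", and "Sudoers options: loglinelen" lists a single option, so "option"; under --with-timeout, "ask for a passwd again" should be "password".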
Line 536 The following options are also configurable at runtime
|
Line 747 The following options are also configurable at runtime
|
for your site. NOTE: this is not applied to users in the group |
for your site. NOTE: this is not applied to users in the group |
specified by --with-exemptgroup. If you do not specify a path, |
specified by --with-exemptgroup. If you do not specify a path, |
"/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc" is used. |
"/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc" is used. |
|
Sudoers option: secure_path |
|
|
--without-lecture | --with-sendmail=PATH |
Don't print the lecture the first time a user runs sudo. | Override configure's guess as to the location of sendmail. |
| Sudoers option: mailerpath |
|
|
--with-editor=PATH | --with-sendmail=no, --without-sendmail |
Specify the default editor path for use by visudo. This may be a | Do not use sendmail to mail messages to the "mailto" user. |
single path name or a colon-separated list of editors. In the latter | Use only if you don't run sendmail or the equivalent. |
case, visudo will choose the editor that matches the user's VISUAL | Sudoers options: !mailerpath or !mailto |
or EDITOR environment variables or the first editor in the list that | |
exists. The default is the path to vi on your system. | |
|
|
--with-env-editor | --with-sudoers-mode=MODE |
Makes visudo consult the VISUAL and EDITOR environment variables before | File mode for the sudoers file (octal). Note that if you |
falling back on the default editor list (as specified by --with-editor). | wish to NFS-mount the sudoers file this must be group |
Note that this may create a security hole as it allows the user to | readable. This value may overridden at run-time in the |
run any arbitrary command as root without logging. A safer alternative | sudo.conf file. The default mode is 0440. |
is to use a colon-separated list of editors with the --with-editor | |
option. visudo will then only use the VISUAL or EDITOR variables | |
if they match a value specified via --with-editor. | |
|
|
--with-askpass=PATH | --with-sudoers-uid=UID |
Set PATH as the "askpass" program to use when no tty is | User id that "owns" the sudoers file. Note that this is |
available. Typically, this is a graphical password prompter, | the numeric id, *not* the symbolic name. This value may |
similar to the one used by ssh. The program must take a | overridden at run-time in the sudo.conf file. The default |
prompt as an argument and print the received password to | is 0. |
the standard output. | |
|
|
--with-iologdir[=DIR] | --with-sudoers-gid=GID |
By default, sudo stores I/O log files in either /var/log/sudo-io, | Group id that "owns" the sudoers file. Note that this is |
/var/adm/sudo-io, or /usr/log/sudo-io. If this option is | the numeric id, *not* the symbolic name. This value may |
specified, I/O logs will be stored in the indicated directory | overridden at run-time in the sudo.conf file. The default |
instead. | is 0. |
|
|
--disable-authentication | --with-timeout=NUMBER |
By default, sudo requires the user to authenticate via a | Number of minutes that can elapse before sudo will ask for a passwd |
password or similar means. This options causes sudo to | again. The default is 5, set this to 0 to always prompt for a password. |
*not* require authentication. It is possible to turn | Sudoers option: timestamp_timeout |
authentication back on in sudoers via the PASSWD attribute. | |
|
|
--disable-root-sudo | --with-tty-tickets=no, --without-tty-tickets |
Don't let root run sudo. This can be used to prevent people from | By default, sudo uses a different ticket file for each user/tty combo. |
"chaining" sudo commands to get a root shell by doing something | With this option disabled, a single ticket will be used for all |
like "sudo sudo /bin/sh". | of a user's login sessions. |
| Sudoers option: tty_tickets |
|
|
--enable-gss-krb5-ccache-name | --with-umask=MASK |
Use the gss_krb5_ccache_name() function to set the Kerberos | Umask to use when running the root command. The default is 0022. |
V credential cache file name. By default, sudo will use | Sudoers option: umask |
the KRB5CCNAME environment variable to set this. While | |
gss_krb5_ccache_name() provides a better API to do this it | |
is not supported by all Kerberos V and SASL combinations. | |
|
|
--enable-log-host | --with-umask=no, --without-umask |
Log the hostname in the log file. | Preserves the umask of the user invoking sudo. |
| Sudoers option: !umask |
|
|
--enable-noargs-shell | --with-umask-override |
If sudo is invoked with no arguments it acts as if the "-s" flag had | Use the umask specified in sudoers even if it is less restrictive |
been given. That is, it runs a shell as root (the shell is determined | than the user's. The default is to use the intersection of the |
by the SHELL environment variable, falling back on the shell listed | user's umask and the umask specified in sudoers. |
in the invoking user's /etc/passwd entry). | Sudoers option: umask_override |
|
|
--enable-shell-sets-home | OS dependent notes |
If sudo is invoked with the "-s" flag the HOME environment variable | ================== |
will be set to the home directory of the target user (which is root | |
unless the "-u" option is used). This option effectively makes the | |
"-s" flag imply "-H". | |
|
|
--disable-path-info | HP-UX: |
Normally, sudo will tell the user when a command could not be found | The default C compiler shipped with HP-UX is not an ANSI compiler. |
in their $PATH. Some sites may wish to disable this as it could | You must use either the HP ANSI C compiler or gcc to build sudo. |
be used to gather information on the location of executables that | Binary packages of gcc are available from http://hpux.connect.org.uk/. |
the normal user does not have access to. The disadvantage is that | |
if the executable is simply not in the user's path, sudo will tell | |
the user that they are not allowed to run it, which can be confusing. | |
|
|
--enable-zlib[=location] | To prevent PAM from overriding the value of umask on HP-UX 11, |
Enable the use of the zlib compress library when storing | you will need to add a line like the following to /etc/pam.conf: |
I/O log files. If specified, location is the base directory | |
containing the zlib include and lib directories. The special | |
values "system" and "builtin" can be used to indicate that | |
the system version of zlib should be used or that the version | |
of zlib shipped with sudo should be used instead. | |
If this option is not specified, configure will use the | |
system zlib if it is present. | |
|
|
--disable-zlib | sudo session required libpam_hpsec.so.1 bypass_umask |
Disable the use of the zlib compress library when storing | |
I/O log files. | |
|
|
--enable-warnings | If every command run via sudo displays information about the last |
Enable compiler warnings when building sudo with gcc. | successful login and the last authentication failure you should |
| make use an /etc/pam.conf line like: |
|
|
--enable-werror | sudo session required libpam_hpsec.so.1 bypass_umask bypass_last_login |
Enable the -Werror compiler option when building sudo with gcc. | |
|
|
--enable-admin-flag |
|
Enable the creation of an Ubuntu-style admin flag file |
|
the first time sudo is run. |
|
|
|
--disable-env-reset |
|
Disable environment resetting. This sets the default value |
|
of the "env_reset" Defaults option in sudoers to false. |
|
|
|
--enable-nls[=location] |
|
Enable natural language support using the gettext() family |
|
of functions. If specified, location is the base directory |
|
containing the libintl include and lib directories. If |
|
this option is not specified, configure will look for the |
|
gettext() family of functions in the standard C library |
|
first, then check for a standalone libintl (linking with |
|
libiconv as needed). |
|
|
|
--disable-nls |
|
Disable natural language support. By default, sudo will |
|
use the gettext() family of functions, if available, to |
|
implement messages in the invoking user's native language. |
|
Note that translations do not exist for all languages. |
|
|
|
Shadow password and C2 support |
|
============================== |
|
|
|
Shadow passwords (also included with most C2 security packages) are |
|
supported on most major platforms for which they exist. The |
|
`configure' script will attempt to determine if your system can use |
|
shadow passwords and include support for them if so. Shadow password |
|
support is now compiled in by default (it doesn't hurt anything if you |
|
don't have them configured). To disable the shadow password support, |
|
use the --disable-shadow option to configure. |
|
|
|
Shadow passwords are known to work on the following platforms: |
|
|
|
SunOS 4.x |
|
Solaris 2.x |
|
HP-UX >= 9.x |
|
Ultrix 4.x |
|
Digital UNIX |
|
IRIX >= 5.x |
|
AIX >= 3.2.x |
|
Linux |
|
SCO >= 3.2.2 |
|
Pyramid DC/OSx |
|
UnixWare |
|
SVR4 (and variants using standard SVR4 shadow passwords) |
|
4.4BSD based systems (including OpenBSD, NetBSD, FreeBSD, and Mac OS X) |
|
Systems using SecureWare's C2 security. |
|
|
|
OS dependent notes |
|
================== |
|
|
|
Linux: |
Linux: |
PAM and LDAP headers are not installed by default on most Linux |
PAM and LDAP headers are not installed by default on most Linux |
systems. You will need to install the "pam-dev" package if |
systems. You will need to install the "pam-dev" package if |
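Review bot: --with-secure-path says "this is not applied to users in the group specified by --with-exemptgroup", but no such option exists in either column; the group is set with --with-exempt=GROUP, so the NOTE should name that option (this sentence is unchanged between the two revisions, so the stale reference survived the reorganisation). In the new column, "This value may overridden at run-time in the sudo.conf file" appears under --with-sudoers-mode, --with-sudoers-uid and --with-sudoers-gid and is missing "be" each time. Under --with-tty-tickets=no, "Sudoers option: tty_tickets" should be "!tty_tickets", matching the negated form the sibling disabling variants use ("--with-umask=no ... Sudoers option: !umask", "--with-lecture=no ... Sudoers option: !lecture"). In the HP-UX note, "you should make use an /etc/pam.conf line like" should read "make use of".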
Line 691 Linux:
|
Line 827 Linux:
|
If you wish to build with LDAP support you will also need the |
If you wish to build with LDAP support you will also need the |
openldap-devel package. |
openldap-devel package. |
|
|
Versions of glibc 2.x previous to 2.0.7 have a broken lsearch(). |
|
You will need to either upgrade to glibc-2.0.7 or use sudo's |
|
version of lsearch(). To use sudo's lsearch(), comment out |
|
the "#define HAVE_LSEARCH 1" line in config.h and add lsearch.o |
|
to the LIBOBJS line in the Makefile. |
|
|
|
If you are using a Linux kernel older than 2.4 it is not possible |
|
to access the sudoers file via NFS. This is due to a bug in |
|
the Linux client-side NFS implementation that has since been |
|
fixed. There is a workaround on the sudo ftp site, linux_nfs.patch, |
|
if you need to NFS-mount sudoers on older Linux kernels. |
|
|
|
Solaris 2.x: |
|
You need to have a C compiler in order to build sudo. Since |
|
Solaris 2.x does not come with one by default this means that |
|
you either need to install the Sun Studio compiler suite, |
|
available for free from www.sun.com, or have a copy of the GNU |
|
C compiler (gcc) which is distributed on the Solaris Companion |
|
CD. You can also get them from various places on the net, |
|
including http://www.sunfreeware.com/ |
|
NOTE: sudo will *not* build with the sun C compiler in BSD |
|
compatibility mode (/usr/ucb/cc). Sudo is designed to |
|
compile with the standard C compiler (or gcc) and will |
|
not build correctly with /usr/ucb/cc. You can set the |
|
CC environment variable to the non-ucb compiler when |
|
running `configure' if it is not the first cc in your |
|
path. Some sites link /usr/ucb/cc to gcc; configure will |
|
not notice this and still refuse to use /usr/ucb/cc, so |
|
make sure gcc is also in your path if your site is setup |
|
this way. |
|
Also: Older versions of Solaris come with a broken syslogd. |
|
If you have having problems with sudo logging you should |
|
make sure you have the latest syslogd patch installed. |
|
This is a problem for Solaris 2.4 and 2.5 at least. |
|
|
|
Mac OS X: |
Mac OS X: |
The pseudo-tty support in the Mac OS X kernel has bugs related |
The pseudo-tty support in the Mac OS X kernel has bugs related |
to its handling of the SIGTSTP, SIGTTIN and SIGTTOU signals. |
to its handling of the SIGTSTP, SIGTTIN and SIGTTOU signals. |
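Review bot: the Solaris 2.x note removed here warned that sudo will not build with the BSD-compatibility compiler /usr/ucb/cc, that configure does not notice sites which link /usr/ucb/cc to gcc and will still refuse it, and that Solaris 2.4 and 2.5 ship a broken syslogd; none of that is carried into the replacement "Solaris:" entry that follows in the next hunk. The compiler caveat is the one still likely to bite a builder with /usr/ucb early in PATH, so consider keeping the sentence about setting the CC environment variable to the non-ucb compiler when running configure. Dropping the glibc-before-2.0.7 lsearch() workaround and the pre-2.4 kernel NFS patch from the Linux note is fine; both prescribe hand-editing config.h and the Makefile for versions far older than anything this file otherwise targets.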
Line 734 Mac OS X:
|
Line 835 Mac OS X:
|
logging is enabled. The issue has been reported to Apple and |
logging is enabled. The issue has been reported to Apple and |
is bug id #7952709. |
is bug id #7952709. |
|
|
HP-UX: | Solaris: |
The default C compiler shipped with HP-UX is not an ANSI compiler. | You need to have a C compiler in order to build sudo. Since |
You must use either the HP ANSI C compiler or gcc to build sudo. | Solaris does not come with one by default this means that you |
Binary packages of gcc are available from http://hpux.connect.org.uk/. | either need to either install the Solaris Studio compiler suite, |
| available for free from www.oracle.com, or install the GNU C |
| compiler (gcc) which is can be installed via the pkg utility |
| on Solaris 11 and higher and is distributed on the Solaris |
| Companion CD for older Solaris releases. You can also download |
| gcc packages from http://www.opencsw.org/packages/CSWgcc4core/ |
|
|
To prevent PAM from overriding the value of umask on HP-UX 11, |
|
you will need to add a line like the following to /etc/pam.conf: |
|
|
|
sudo session required libpam_hpsec.so.1 bypass_umask |
|
|
|
Digital UNIX: |
|
By default, sudo will use SIA (Security Integration Architecture) |
|
to validate a user. If you want to use an alternative authentication |
|
method that does not go through SIA, you need to use the |
|
--disable-sia option to configure. If you use gcc to compile |
|
you will get warnings when building interfaces.c. These are |
|
harmless but if they really bug you, you can edit |
|
/usr/include/net/if.h around line 123, right after the comment: |
|
/* forward decls for C++ */ |
|
change the line: |
|
#ifdef __cplusplus |
|
to: |
|
#if defined(__cplusplus) || defined(__GNUC__) |
|
If you don't like the idea of editing the system header file |
|
you can just make a copy in gcc's private include tree and |
|
edit that. |
|
|
|
AIX 3.2.x: |
|
I've had various problems with the AIX C compiler producing |
|
incorrect code when the -O flag was used. When optimization |
|
is not used, the problems go away. Gcc does not appear |
|
to have this problem. |
|
|
|
SCO ODT: |
|
You'll probably need libcrypt_i.a available via anonymous ftp |
|
from sosco.sco.com. The necessary files are /SLS/lng225b.Z |
|
and /SLS/lng225b.ltr.Z. |
|
|
|
SunOS 4.x: |
SunOS 4.x: |
SunOS does not ship with an ANSI C compiler. You will need to |
SunOS does not ship with an ANSI C compiler. You will need to |
install an ANSI compiler such as gcc to build sudo. |
install an ANSI compiler such as gcc to build sudo. |
|
|
The /bin/sh shipped with SunOS blows up while running configure. |
The /bin/sh shipped with SunOS blows up while running configure. |
You can work around this by installing bash or zsh. If you |
You can work around this by installing bash or zsh. If you |
have bash or zsh in your path, configure will use it instead | have bash or zsh in your path, configure will use it automatically. |
automatically. | |
| |
ULTRIX 4.x: | |
ULTRIX does not ship with an ANSI C compiler. You will need to | |
install an ANSI compiler such as gcc to build sudo. | |
| |
The /bin/sh shipped with ULTRIX blows up while running configure. | |
You can work around this by installing bash or zsh. If you | |
have bash or zsh in your path, configure will use it instead | |
automatically. | |
| |
ULTRIX ships with the 4.2BSD syslog(3) which does not | |
allow things like logging different facilities to different | |
files, redirecting logs to a single loghost and other niceties. | |
You may want to just grab and install: | |
ftp://www.sudo.ws/pub/sudo/misc/jtkohl-syslog-complete.tar.gz | |
(available via anonymous ftp) which is a port if the 4.3BSD | |
syslog/syslogd that is backwards compatible with the Ultrix version. | |
I recommend it highly. If you do not do this you probably want | |
to run configure with --with-logging=file | |
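Review bot: the new Solaris entry has two stray words: "you either need to either install the Solaris Studio compiler suite" should drop the second "either", and "the GNU C compiler (gcc) which is can be installed via the pkg utility" should drop "is". The SunOS 4.x rewording ("configure will use it automatically." on one line instead of "use it instead / automatically.") is an improvement. With the ULTRIX 4.x section removed, its advice to fall back on --with-logging=file for the 4.2BSD syslog goes with it; that is consistent with --with-logfac above, which already states that setting a facility on "ancient syslogs" has no effect.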