Annotation of embedaddon/sudo/INSTALL, revision 1.1
1.1 ! misho 1: Sudo installation instructions
! 2: ==============================
! 3:
! 4: Sudo uses a `configure' script to probe the capabilities and type
! 5: of the system in question. In this release, `configure' takes many
! 6: more options than it did before. Please read this document fully
! 7: before configuring and building sudo. You may also wish to read the
! 8: file INSTALL.configure which explains more about the `configure' script.
! 9:
! 10: Simple sudo installation
! 11: ========================
! 12:
! 13: For most systems and configurations it is possible simply to:
! 14:
! 15: 0) If you are upgrading from a previous version of sudo
! 16: please read the info in the UPGRADE file before proceeding.
! 17:
! 18: 1) Read the `OS dependent notes' section for any particular
! 19: "gotchas" relating to your operating system.
! 20:
! 21: 2) `cd' to the source or build directory and type `./configure'
! 22: to generate a Makefile and config.h file suitable for
! 23: building sudo. Before you actually run configure you
! 24: should read the `Available configure options' section
! 25: to see if there are any special options you may want
! 26: or need.
! 27:
! 28: 3) Edit the configure-generated Makefile if you wish to
! 29: change any of the default paths (alternatively, you could
! 30: have changed the paths via options to `configure').
! 31:
! 32: 5) Type `make' to compile sudo. If you are building sudo
! 33: in a separate build tree (apart from the sudo source) GNU
! 34: make will probably be required. If `configure' did its job
! 35: properly (and you have a supported configuration) there won't
! 36: be any problems. If this doesn't work, take a look at the
! 37: TROUBLESHOOTING file for tips on what might have gone wrong.
! 38: Please mail us if you have a fix or if you are unable to
! 39: come up with a fix (address at EOF).
! 40:
! 41: 6) Type `make install' (as root) to install sudo, visudo, the
! 42: man pages, and a skeleton sudoers file. Note that the install
! 43: will not overwrite an existing sudoers file. You can also
! 44: install various pieces of the package via the install-binaries,
! 45: install-doc, and install-sudoers make targets.
! 46:
! 47: 7) Edit the sudoers file with `visudo' as necessary for your
! 48: site. You will probably want to refer to the sample.sudoers
! 49: file and sudoers man page included with the sudo package.
! 50:
! 51: 8) If you want to use syslogd(8) to do the logging, you'll need
! 52: to update your /etc/syslog.conf file. See the sample.syslog.conf
! 53: file included in the distribution for an example.
! 54:
! 55: Available configure options
! 56: ===========================
! 57:
! 58: This section describes flags accepted by sudo's `configure' script.
! 59: Defaults are listed in brackets after the description.
! 60:
! 61: Configuration:
! 62: --cache-file=FILE
! 63: Cache test results in FILE
! 64:
! 65: --config-cache, -C
! 66: Alias for `--cache-file=config.cache'
! 67:
! 68: --help, -h
! 69: Print the usage/help info
! 70:
! 71: --no-create, -n
! 72: Do not create output files
! 73:
! 74: --quiet, --silent, -q
! 75: Do not print `checking...' messages
! 76:
! 77: Directory and file names:
! 78: --prefix=PREFIX
! 79: Install architecture-independent files in PREFIX. This really only
! 80: applies to man pages. [/usr/local]
! 81:
! 82: --exec-prefix=EPREFIX
! 83: Install architecture-dependent files in EPREFIX. This includes the
! 84: sudo and visudo executables. [same as prefix]
! 85:
! 86: --bindir=DIR
! 87: Install `sudo' in DIR [EPREFIX/bin]
! 88:
! 89: --sbindir=DIR
! 90: Install `visudo' in DIR [EPREFIX/sbin]
! 91:
! 92: --sysconfdir=DIR
! 93: Install `sudoers' file in DIR [/etc]
! 94:
! 95: --mandir=DIR
! 96: Install man pages in DIR [PREFIX/man]
! 97:
! 98: --srcdir=DIR
! 99: Find the sources in DIR [configure dir or ..]
! 100:
! 101: Special features/options:
! 102: --with-incpath=DIR
! 103: Adds the specified directory (or directories) to CPPFLAGS
! 104: so configure and the compiler will look there for include
! 105: files. Multiple directories may be specified as long as
! 106: they are space separated.
! 107: Eg: --with-incpath="/usr/local/include /opt/include"
! 108:
! 109: --with-libpath=DIR
! 110: Adds the specified directory (or directories) to LDFLAGS
! 111: so configure and the compiler will look there for libraries.
! 112: Multiple directories may be specified as with --with-incpath.
! 113:
! 114: --with-rpath
! 115: Tells configure to use -Rpath in addition to -Lpath when
! 116: passing library paths to the loader. This option is on
! 117: by default for Solaris and SVR4.
! 118:
! 119: --with-blibpath[=PATH]
! 120: Tells configure to construct a -blibpath argument to the
! 121: loader. If a PATH is specified, it will be used as the
! 122: base. Otherwise, "/usr/lib:/lib:/usr/local/lib" will be
! 123: used for gcc and "/usr/lib:/lib" for non-gcc. Additional
! 124: library paths will be appended as needed by configure.
! 125: This option is only valid for AIX where it is on by default.
! 126:
! 127: --with-libraries=LIBRARY
! 128: Adds the specified library (or libraries) to SUDO_LIBS and
! 129: VISUDO_LIBS so sudo will link against them. If the
! 130: library doesn't start with `-l' or end in `.a' or `.o' a
! 131: `-l' will be prepended to it. Multiple libraries may be
! 132: specified as long as they are space separated.
! 133:
! 134: --with-plugindir=PATH
! 135: Set the directory that sudo looks in to find the policy and I/O
! 136: logging plugins. Defaults to the libexec dir used by configure.
! 137:
! 138: --with-efence
! 139: Link with the "electric fence" debugging malloc.
! 140:
! 141: --with-bsm-audit
! 142: Enable support for sudo BSM audit logs on systems that support
! 143: it. Currently only supported under FreeBSD and Mac OS X.
! 144:
! 145: --with-csops
! 146: Add CSOps standard options. You probably aren't interested in this.
! 147:
! 148: --with-devel
! 149: Configure development options. This will enable compiler warnings
! 150: and set the Makefile to be able to regenerate the sudoers parser
! 151: as well as the manual pages.
! 152:
! 153: --with-linux-audit
! 154: Enable audit support for Linux systems. Audits attempts
! 155: to run a command as well as SELinux role changes.
! 156:
! 157: --with-skey[=DIR]
! 158: Enable S/Key OTP (One Time Password) support. If specified,
! 159: DIR should contain include and lib directories with skey.h
! 160: and libskey.a respectively.
! 161:
! 162: --with-opie[=DIR]
! 163: Enable NRL OPIE OTP (One Time Password) support. If specified,
! 164: DIR should contain include and lib directories with opie.h
! 165: and libopie.a respectively.
! 166:
! 167: --with-SecurID[=DIR]
! 168: Enable SecurID support. If specified, DIR is directory containing
! 169: sdiclient.a, sdi_athd.h, sdconf.h, and sdacmvls.h.
! 170:
! 171: --with-fwtk[=DIR]
! 172: Enable TIS Firewall Toolkit (FWTK) 'authsrv' support. If specified,
! 173: DIR is the base directory containing the compiled FWTK package
! 174: (or at least the library and header files).
! 175:
! 176: --with-kerb4[=DIR]
! 177: Enable Kerberos IV support. If specified, DIR is the base
! 178: directory containing the Kerberos IV include and lib dirs.
! 179: This uses Kerberos passphrases for authentication but does
! 180: not use the Kerberos cookie scheme.
! 181:
! 182: --with-kerb5[=DIR]
! 183: Enable Kerberos V support. If specified, DIR is the base
! 184: directory containing the Kerberos V include and lib dirs.
! 185: This uses Kerberos passphrases for authentication but
! 186: does not use the Kerberos cookie scheme. Will not work for
! 187: Kerberos V older than version 1.1.
! 188:
! 189: --with-ldap[=DIR]
! 190: Enable LDAP support. If specified, DIR is the base directory
! 191: containing the LDAP include and lib directories. Please see
! 192: README.LDAP for more information.
! 193:
! 194: --with-ldap-conf-file=PATH
! 195: Path to LDAP configuration file. If specified, sudo reads
! 196: this file instead of /etc/ldap.conf to locate the LDAP server.
! 197:
! 198: --with-ldap-secret-file=PATH
! 199: Path to LDAP secret password file. If specified, sudo uses
! 200: this file instead of /etc/ldap.secret to read the secret password
! 201: when rootbinddn is specified in the ldap config file.
! 202:
! 203: --with-nsswitch[=PATH]
! 204: Path to nsswitch.conf or "no" to disable nsswitch support.
! 205: If specified, sudo uses this file instead of /etc/nsswitch.conf.
! 206: If nsswitch is disabled but LDAP is enabled, sudo will check
! 207: LDAP first, then the sudoers file.
! 208:
! 209: --with-netsvc[=PATH]
! 210: Path to netsvc.conf or "no" to disable netsvc.conf support.
! 211: If specified, sudo uses this file instead of /etc/netsvc.conf
! 212: on AIX systems.
! 213:
! 214: --with-aixauth
! 215: Enable support for the AIX 4.x general authentication function.
! 216: This will use the authentication scheme specified for the user
! 217: on the machine. It is on by default for AIX systems that
! 218: support it.
! 219:
! 220: --with-pam
! 221: Enable PAM support. This is on by default for Darwin, FreeBSD,
! 222: Linux, Solaris and HP-UX (version 11 and higher).
! 223:
! 224: NOTE: on RedHat Linux and Fedora you *must* have an /etc/pam.d/sudo
! 225: file installed. You may either use the sample.pam file included with
! 226: sudo or use /etc/pam.d/su as a reference. The sample.pam file
! 227: included with sudo may or may not work with other Linux distributions.
! 228: On Solaris and HP-UX 11 systems you should check (and understand)
! 229: the contents of /etc/pam.conf. Do a "man pam.conf" for more
! 230: information and consider using the "debug" option, if available,
! 231: with your PAM libraries in /etc/pam.conf to obtain syslog output
! 232: for debugging purposes.
! 233:
! 234: --with-pam-login
! 235: Enable a specific PAM session when sudo is given the -i option.
! 236: This changes the PAM service name when sudo is run with the -i
! 237: option from "sudo" to "sudo-i", allowing for a separate pam
! 238: configuration for sudo's initial login mode.
! 239:
! 240: --with-AFS
! 241: Enable AFS support with Kerberos authentication. Should work under
! 242: AFS 3.3. If your AFS doesn't have -laudit you should be able to
! 243: link without it.
! 244:
! 245: --with-DCE
! 246: Enable DCE support for systems without PAM. Known to work on
! 247: HP-UX 9.X, 10.X, and 11.0; other systems may require source
! 248: code and/or `configure' changes. On systems with PAM support
! 249: (such as HP-UX 11.0 and higher, Solaris, FreeBSD and Linux), the
! 250: DCE PAM module (usually libpam_dce) should be used instead.
! 251:
! 252: --with-logincap
! 253: This adds support for login classes specified in /etc/login.conf.
! 254: It is enabled by default on BSD/OS, Darwin, FreeBSD, OpenBSD and
! 255: NetBSD (where available). By default, a login class is not applied
! 256: unless the 'use_loginclass' option is defined in sudoers or the user
! 257: specifies a class on the command line.
! 258:
! 259: --with-bsdauth
! 260: Enable support for BSD authentication. This is the default
! 261: for BSD/OS and OpenBSD systems that support it.
! 262: It is not possible to mix BSD authentication with other
! 263: authentication methods (and there really should be no need
! 264: to do so). Note that only the newer BSD authentication API
! 265: is supported. If you don't have /usr/include/bsd_auth.h
! 266: then you cannot use this.
! 267:
! 268: --with-project
! 269: Enable support for Solaris project resource limits.
! 270: This option is only available on Solaris 9 and above.
! 271:
! 272: --with-noexec[=PATH]
! 273: Enable support for the "noexec" functionality which prevents
! 274: a dynamically-linked program being run by sudo from executing
! 275: another program (think shell escapes). Please see the
! 276: "PREVENTING SHELL ESCAPES" section in the sudoers man page
! 277: for details. If specified, PATH should be a fully qualified
! 278: path name, e.g. /usr/local/libexec/sudo_noexec.so. If PATH
! 279: is "no", noexec support will not be compiled in. The default
! 280: is to compile noexec support if libtool supports building
! 281: shared objects on your OS.
! 282:
! 283: --disable-pam-session
! 284: Disable sudo's PAM session support. This may be needed on
! 285: older PAM implementations or on operating systems where
! 286: opening a PAM session changes the utmp or wtmp files. If
! 287: PAM session support is disabled, resource limits may not
! 288: be updated for the command being run.
! 289:
! 290: --disable-root-mailer
! 291: By default sudo will run the mailer as root when tattling
! 292: on a user so as to prevent that user from killing the mailer.
! 293: With this option, sudo will run the mailer as the invoking
! 294: user which some people consider to be safer.
! 295:
! 296: --disable-setreuid
! 297: Disable use of the setreuid() function for operating systems
! 298: where it is broken. Mac OS X has setreuid() but it doesn't
! 299: really work.
! 300:
! 301: --disable-setresuid
! 302: Disable use of the setresuid() function for operating systems
! 303: where it is broken (none currently known).
! 304:
! 305: --disable-sia
! 306: Disable SIA support. This is the "Security Integration
! 307: Architecture" on Digital UNIX. If you disable SIA sudo will
! 308: use its own authentication routines.
! 309:
! 310: --disable-shadow
! 311: Disable shadow password support. Normally, sudo will compile
! 312: in shadow password support and use a shadow password if it
! 313: exists.
! 314:
! 315: --with-sudoers-mode=MODE
! 316: File mode for the sudoers file (octal). Note that if you
! 317: wish to NFS-mount the sudoers file this must be group
! 318: readable. Also note that this is actually set in the
! 319: Makefile. The default mode is 0440.
! 320:
! 321: --with-sudoers-uid=UID
! 322: User id that "owns" the sudoers file. Note that this is
! 323: the numeric id, *not* the symbolic name. Also note that
! 324: this is actually set in the Makefile. The default is 0.
! 325:
! 326: --with-sudoers-gid=GID
! 327: Group id that "owns" the sudoers file. Note that this is
! 328: the numeric id, *not* the symbolic name. Also note that
! 329: this is actually set in the Makefile. The default is 0.
! 330:
! 331: --without-interfaces
! 332: This option keeps sudo from trying to glean the ip address
! 333: from each attached ethernet interface. It is only useful
! 334: on a machine where sudo's interface reading support does
! 335: not work, which may be the case on some SysV-based OS's
! 336: using STREAMS.
! 337:
! 338: --without-passwd
! 339: This option excludes authentication via the passwd (or
! 340: shadow) file. It should only be used when another, alternative,
! 341: authentication scheme is in use.
! 342:
! 343: --with-otp-only
! 344: This option is now just an alias for --without-passwd.
! 345:
! 346: --with-stow
! 347: Properly handle GNU stow packaging. The sudoers file will
! 348: physically live in ${prefix}/etc and /etc/sudoers will be
! 349: a symbolic link.
! 350:
! 351: --with-selinux
! 352: Enable support for role based access control (RBAC) on
! 353: systems that support SELinux.
! 354:
! 355: The following options are also configurable at runtime:
! 356:
! 357: --with-long-otp-prompt
! 358: When validating with a One Time Password scheme (S/Key or
! 359: OPIE), a two-line prompt is used to make it easier to cut
! 360: and paste the challenge to a local window. It's not as
! 361: pretty as the default but some people find it more convenient.
! 362:
! 363: --with-logging=TYPE
! 364: How you want to do your logging. You may choose "syslog",
! 365: "file", or "both". Setting this to "syslog" is nice because
! 366: you can keep all of your sudo logs in one place (see the
! 367: sample.syslog.conf file). The default is "syslog".
! 368:
! 369: --with-logfac=FACILITY
! 370: Determines which syslog facility to log to. This requires
! 371: a 4.3BSD or later version of syslog. You can still set
! 372: this for ancient syslogs but it will have no effect. The
! 373: following facilities are supported: authpriv (if your OS
! 374: supports it), auth, daemon, user, local0, local1, local2,
! 375: local3, local4, local5, local6, and local7.
! 376:
! 377: --with-goodpri=PRIORITY
! 378: Determines which syslog priority to log successfully
! 379: authenticated commands. The following priorities are
! 380: supported: alert, crit, debug, emerg, err, info, notice,
! 381: and warning.
! 382:
! 383: --with-badpri=PRIORITY
! 384: Determines which syslog priority to log unauthenticated
! 385: commands and errors. The following priorities are supported:
! 386: alert, crit, debug, emerg, err, info, notice, and warning.
! 387:
! 388: --with-logpath=PATH
! 389: Override the default location of the sudo log file and use
! 390: "path" instead. By default sudo will use /var/log/sudo.log if
! 391: there is a /var/log dir, falling back to /var/adm/sudo.log
! 392: or /usr/adm/sudo.log if not.
! 393:
! 394: --with-loglen=NUMBER
! 395: Number of characters per line for the file log. This is only used if
! 396: you are logging to "file" or "both". This value is used to decide when to wrap
! 397: lines for nicer log files. The default is 80. Setting this to 0
! 398: will disable the wrapping.
! 399:
! 400: --with-ignore-dot
! 401: If set, sudo will ignore '.' or '' (current dir) in $PATH.
! 402: The $PATH itself is not modified.
! 403:
! 404: --with-mailto=USER|MAIL_ALIAS
! 405: User (or mail alias) that mail from sudo is sent to.
! 406: This should go to a sysadmin at your site. The default is "root".
! 407:
! 408: --with-mailsubject="SUBJECT OF MAIL"
! 409: Subject of the mail sent to the "mailto" user. The token "%h"
! 410: will expand to the hostname of the machine.
! 411: Default is "*** SECURITY information for %h ***".
! 412:
! 413: --without-mail-if-no-user
! 414: Normally, sudo will mail to the "alertmail" user if the user invoking
! 415: sudo is not in the sudoers file. This option disables that behavior.
! 416:
! 417: --with-mail-if-no-host
! 418: Send mail to the "alertmail" user if the user exists in the sudoers
! 419: file, but is not allowed to run commands on the current host.
! 420:
! 421: --with-mail-if-noperms
! 422: Send mail to the "alertmail" user if the user is allowed to use sudo but
! 423: the command they are trying is not listed in their sudoers file entry.
! 424:
! 425: --with-passprompt="PASSWORD PROMPT"
! 426: Default prompt to use when asking for a password; can be overridden
! 427: via the -p option and the SUDO_PROMPT environment variable. Supports
! 428: the "%H", "%h", "%U" and "%u" escapes as documented in the sudo
! 429: manual page. The default value is "Password:".
! 430:
! 431: --with-badpass-message="BAD PASSWORD MESSAGE"
! 432: Message that is displayed if a user enters an incorrect password.
! 433: The default is "Sorry, try again." unless insults are turned on.
! 434:
! 435: --with-fqdn
! 436: Define this if you want to put fully qualified hostnames in the sudoers
! 437: file. Ie: instead of myhost you would use myhost.mydomain.edu. You may
! 438: still use the short form if you wish (and even mix the two). Beware
! 439: that turning FQDN on requires sudo to make DNS lookups which may make
! 440: sudo unusable if your DNS is totally hosed. Also note that you must
! 441: use the host's official name as DNS knows it. That is, you may not use
! 442: a host alias (CNAME entry) due to performance issues and the fact that
! 443: there is no way to get all aliases from DNS.
! 444:
! 445: --with-timedir=PATH
! 446: Override the default location of the sudo timestamp directory and
! 447: use "path" instead.
! 448:
! 449: --with-sendmail=PATH
! 450: Override configure's guess as to the location of sendmail.
! 451:
! 452: --without-sendmail
! 453: Do not use sendmail to mail messages to the "mailto" user.
! 454: Use only if you don't run sendmail or the equivalent.
! 455:
! 456: --with-umask=MASK
! 457: Umask to use when running the root command. The default is 0022.
! 458:
! 459: --without-umask
! 460: Preserves the umask of the user invoking sudo.
! 461:
! 462: --with-umask-override
! 463: Use the umask specified in sudoers even if it is less restrictive
! 464: than the user's. The default is to use the intersection of the
! 465: user's umask and the umask specified in sudoers.
! 466:
! 467: --with-runas-default=USER
! 468: The default user to run commands as if the -u flag is not specified
! 469: on the command line. This defaults to "root".
! 470:
! 471: --with-exempt=GROUP
! 472: Users in the specified group don't need to enter a password when
! 473: running sudo. This may be useful for sites that don't want their
! 474: "core" sysadmins to have to enter a password but where Jr. sysadmins
! 475: need to. You should probably use NOPASSWD in sudoers instead.
! 476:
! 477: --with-passwd-tries=NUMBER
! 478: Number of tries a user gets to enter his/her password before sudo logs
! 479: the failure and exits. The default is 3.
! 480:
! 481: --with-timeout=NUMBER
! 482: Number of minutes that can elapse before sudo will ask for a passwd
! 483: again. The default is 5; set this to 0 to always prompt for a password.
! 484:
! 485: --with-password-timeout=NUMBER
! 486: Number of minutes before the sudo password prompt times out.
! 487: The default is 5; set this to 0 for no password timeout.
! 488:
! 489: --without-tty-tickets
! 490: By default, sudo uses a different ticket file for each user/tty combo.
! 491: With this option disabled, a single ticket will be used for all
! 492: of a user's login sessions.
! 493:
! 494: --with-insults
! 495: Define this if you want to be insulted for typing an incorrect password
! 496: just like the original sudo(8). This is off by default.
! 497:
! 498: --with-insults=disabled
! 499: Include support for insults but disable them unless explicitly
! 500: enabled in sudoers.
! 501:
! 502: --with-all-insults
! 503: Include all the insult sets listed below. You must either specify
! 504: --with-insults or enable insults in the sudoers file for this to
! 505: have any effect.
! 506:
! 507: --with-classic-insults
! 508: Uses insults from sudo "classic." If you just specify --with-insults
! 509: you will get the classic and CSOps insults. This is on by default if
! 510: --with-insults is given.
! 511:
! 512: --with-csops-insults
! 513: Insults the user with an extra set of insults (some quotes, some
! 514: original) from a sysadmin group at CU (CSOps). You must specify
! 515: --with-insults as well for this to have any effect. This is on by
! 516: default if --with-insults is given.
! 517:
! 518: --with-hal-insults
! 519: Uses 2001-like insults when an incorrect password is entered.
! 520: You must either specify --with-insults or enable insults in the
! 521: sudoers file for this to have any effect.
! 522:
! 523: --with-goons-insults
! 524: Insults the user with lines from the "Goon Show" when an incorrect
! 525: password is entered. You must either specify --with-insults or
! 526: enable insults in the sudoers file for this to have any effect.
! 527:
! 528: --with-pc-insults
! 529: Replace politically incorrect insults with less objectionable ones.
! 530:
! 531: --with-secure-path[=PATH]
! 532: Path used for every command run from sudo(8). If you don't trust the
! 533: people running sudo to have a sane PATH environment variable you may
! 534: want to use this. Another use is if you want to have the "root path"
! 535: be separate from the "user path." You will need to customize the path
! 536: for your site. NOTE: this is not applied to users in the group
! 537: specified by --with-exemptgroup. If you do not specify a path,
! 538: "/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc" is used.
! 539:
! 540: --without-lecture
! 541: Don't print the lecture the first time a user runs sudo.
! 542:
! 543: --with-editor=PATH
! 544: Specify the default editor path for use by visudo. This may be a
! 545: single path name or a colon-separated list of editors. In the latter
! 546: case, visudo will choose the editor that matches the user's VISUAL
! 547: or EDITOR environment variables or the first editor in the list that
! 548: exists. The default is the path to vi on your system.
! 549:
! 550: --with-env-editor
! 551: Makes visudo consult the VISUAL and EDITOR environment variables before
! 552: falling back on the default editor list (as specified by --with-editor).
! 553: Note that this may create a security hole as it allows the user to
! 554: run any arbitrary command as root without logging. A safer alternative
! 555: is to use a colon-separated list of editors with the --with-editor
! 556: option. visudo will then only use the VISUAL or EDITOR variables
! 557: if they match a value specified via --with-editor.
! 558:
! 559: --with-askpass=PATH
! 560: Set PATH as the "askpass" program to use when no tty is
! 561: available. Typically, this is a graphical password prompter,
! 562: similar to the one used by ssh. The program must take a
! 563: prompt as an argument and print the received password to
! 564: the standard output.
! 565:
! 566: --with-iologdir[=DIR]
! 567: By default, sudo stores I/O log files in either /var/log/sudo-io,
! 568: /var/adm/sudo-io, or /usr/log/sudo-io. If this option is
! 569: specified, I/O logs will be stored in the indicated directory
! 570: instead.
! 571:
! 572: --disable-authentication
! 573: By default, sudo requires the user to authenticate via a
! 574: password or similar means. This option causes sudo to
! 575: *not* require authentication. It is possible to turn
! 576: authentication back on in sudoers via the PASSWD attribute.
! 577:
! 578: --disable-root-sudo
! 579: Don't let root run sudo. This can be used to prevent people from
! 580: "chaining" sudo commands to get a root shell by doing something
! 581: like "sudo sudo /bin/sh".
! 582:
! 583: --enable-gss-krb5-ccache-name
! 584: Use the gss_krb5_ccache_name() function to set the Kerberos
! 585: V credential cache file name. By default, sudo will use
! 586: the KRB5CCNAME environment variable to set this. While
! 587: gss_krb5_ccache_name() provides a better API to do this it
! 588: is not supported by all Kerberos V and SASL combinations.
! 589:
! 590: --enable-log-host
! 591: Log the hostname in the log file.
! 592:
! 593: --enable-noargs-shell
! 594: If sudo is invoked with no arguments it acts as if the "-s" flag had
! 595: been given. That is, it runs a shell as root (the shell is determined
! 596: by the SHELL environment variable, falling back on the shell listed
! 597: in the invoking user's /etc/passwd entry).
! 598:
! 599: --enable-shell-sets-home
! 600: If sudo is invoked with the "-s" flag the HOME environment variable
! 601: will be set to the home directory of the target user (which is root
! 602: unless the "-u" option is used). This option effectively makes the
! 603: "-s" flag imply "-H".
! 604:
! 605: --disable-path-info
! 606: Normally, sudo will tell the user when a command could not be found
! 607: in their $PATH. Some sites may wish to disable this as it could
! 608: be used to gather information on the location of executables that
! 609: the normal user does not have access to. The disadvantage is that
! 610: if the executable is simply not in the user's path, sudo will tell
! 611: the user that they are not allowed to run it, which can be confusing.
! 612:
! 613: --enable-zlib[=location]
! 614: Enable the use of the zlib compress library when storing
! 615: I/O log files. If specified, location is the base directory
! 616: containing the zlib include and lib directories. The special
! 617: values "system" and "builtin" can be used to indicate that
! 618: the system version of zlib should be used or that the version
! 619: of zlib shipped with sudo should be used instead.
! 620: If this option is not specified, configure will use the
! 621: system zlib if it is present.
! 622:
! 623: --disable-zlib
! 624: Disable the use of the zlib compress library when storing
! 625: I/O log files.
! 626:
! 627: --enable-warnings
! 628: Enable compiler warnings when building sudo with gcc.
! 629:
! 630: --enable-werror
! 631: Enable the -Werror compiler option when building sudo with gcc.
! 632:
! 633: --enable-admin-flag
! 634: Enable the creation of an Ubuntu-style admin flag file
! 635: the first time sudo is run.
! 636:
! 637: --disable-env-reset
! 638: Disable environment resetting. This sets the default value
! 639: of the "env_reset" Defaults option in sudoers to false.
! 640:
! 641: --enable-nls[=location]
! 642: Enable natural language support using the gettext() family
! 643: of functions. If specified, location is the base directory
! 644: containing the libintl include and lib directories. If
! 645: this option is not specified, configure will look for the
! 646: gettext() family of functions in the standard C library
! 647: first, then check for a standalone libintl (linking with
! 648: libiconv as needed).
! 649:
! 650: --disable-nls
! 651: Disable natural language support. By default, sudo will
! 652: use the gettext() family of functions, if available, to
! 653: implement messages in the invoking user's native language.
! 654: Note that translations do not exist for all languages.
! 655:
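Added example (not part of the sudo distribution): a POSIX shell function that reviews a proposed configure command line and reports the options described above that relax a default protection. The severity labels and the thresholds applied to --with-timeout and --with-sudoers-mode are assumptions of this example, and the sample command line at the end is constructed.

```shell
#!/bin/sh
# audit_configure_flags ARG...
# Prints one "SEVERITY option: reason" line for each argument that relaxes a
# default described in this INSTALL file. Options it does not know about
# (for example --prefix or --with-secure-path) produce no output.
# Severity labels are this example's own assumption, not sudo's.
audit_configure_flags() {
    for acf_arg in "$@"; do
        acf_val=${acf_arg#*=}   # text after the first '=' (used by =VALUE options)
        case $acf_arg in
        --disable-authentication)
            echo "HIGH $acf_arg: no authentication unless PASSWD is set in sudoers" ;;
        --with-env-editor)
            echo "HIGH $acf_arg: visudo trusts VISUAL/EDITOR; prefer a colon-separated --with-editor list" ;;
        --disable-env-reset)
            echo "HIGH $acf_arg: the env_reset Defaults option will default to false" ;;
        --with-exempt=*)
            echo "MEDIUM $acf_arg: group '$acf_val' skips the password prompt; prefer NOPASSWD in sudoers" ;;
        --without-tty-tickets)
            echo "MEDIUM $acf_arg: one ticket is shared by all of a user's login sessions" ;;
        --enable-noargs-shell)
            echo "MEDIUM $acf_arg: bare 'sudo' runs a root shell as if -s had been given" ;;
        --with-umask-override)
            echo "MEDIUM $acf_arg: sudoers umask applies even when less restrictive than the user's" ;;
        --with-timeout=*)
            case $acf_val in
            ''|*[!0-9]*)
                echo "ERROR $acf_arg: timeout must be a number of minutes" ;;
            *)  # Assumption: anything above the documented default of 5 is worth a look.
                if [ "$acf_val" -gt 5 ]; then
                    echo "MEDIUM $acf_arg: ticket lifetime exceeds the 5 minute default"
                fi ;;
            esac ;;
        --with-sudoers-mode=*)
            case $acf_val in
            ''|*[!0-7]*)
                echo "ERROR $acf_arg: mode must be octal" ;;
            *)  # 0227 = any write bit plus any permission for "other".
                if [ $(( 0$acf_val & 0227 )) -ne 0 ]; then
                    echo "HIGH $acf_arg: sudoers would be writable or open to other users (default 0440)"
                fi ;;
            esac ;;
        --with-sudoers-uid=*|--with-sudoers-gid=*)
            case $acf_val in
            ''|*[!0-9]*)
                echo "ERROR $acf_arg: must be a numeric id, not a symbolic name" ;;
            *)
                if [ "$acf_val" -ne 0 ]; then
                    echo "MEDIUM $acf_arg: sudoers will not be owned by id 0, the default"
                fi ;;
            esac ;;
        esac
    done
    return 0
}

# Constructed sample command line (not taken from any real build).
audit_configure_flags --prefix=/usr/local --with-env-editor \
    --with-timeout=15 --with-sudoers-mode=0640 --with-secure-path
```
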
! 656: Shadow password and C2 support
! 657: ==============================
! 658:
! 659: Shadow passwords (also included with most C2 security packages) are
! 660: supported on most major platforms for which they exist. The
! 661: `configure' script will attempt to determine if your system can use
! 662: shadow passwords and include support for them if so. Shadow password
! 663: support is now compiled in by default (it doesn't hurt anything if you
! 664: don't have them configured). To disable the shadow password support,
! 665: use the --disable-shadow option to configure.
! 666:
! 667: Shadow passwords are known to work on the following platforms:
! 668:
! 669: SunOS 4.x
! 670: Solaris 2.x
! 671: HP-UX >= 9.x
! 672: Ultrix 4.x
! 673: Digital UNIX
! 674: IRIX >= 5.x
! 675: AIX >= 3.2.x
! 676: Linux
! 677: SCO >= 3.2.2
! 678: Pyramid DC/OSx
! 679: UnixWare
! 680: SVR4 (and variants using standard SVR4 shadow passwords)
! 681: 4.4BSD based systems (including OpenBSD, NetBSD, FreeBSD, and Mac OS X)
! 682: Systems using SecureWare's C2 security.
! 683:
! 684: OS dependent notes
! 685: ==================
! 686:
! 687: Linux:
! 688: PAM and LDAP headers are not installed by default on most Linux
! 689: systems. You will need to install the "pam-dev" package if
! 690: /usr/include/security/pam_appl.h is not present on your system.
! 691: If you wish to build with LDAP support you will also need the
! 692: openldap-devel package.
! 693:
! 694: Versions of glibc 2.x previous to 2.0.7 have a broken lsearch().
! 695: You will need to either upgrade to glibc-2.0.7 or use sudo's
! 696: version of lsearch(). To use sudo's lsearch(), comment out
! 697: the "#define HAVE_LSEARCH 1" line in config.h and add lsearch.o
! 698: to the LIBOBJS line in the Makefile.
! 699:
! 700: If you are using a Linux kernel older than 2.4 it is not possible
! 701: to access the sudoers file via NFS. This is due to a bug in
! 702: the Linux client-side NFS implementation that has since been
! 703: fixed. There is a workaround on the sudo ftp site, linux_nfs.patch,
! 704: if you need to NFS-mount sudoers on older Linux kernels.
! 705:
! 706: Solaris 2.x:
! 707: You need to have a C compiler in order to build sudo. Since
! 708: Solaris 2.x does not come with one by default this means that
! 709: you either need to install the Sun Studio compiler suite,
! 710: available for free from www.sun.com, or have a copy of the GNU
! 711: C compiler (gcc) which is distributed on the Solaris Companion
! 712: CD. You can also get them from various places on the net,
! 713: including http://www.sunfreeware.com/
! 714: NOTE: sudo will *not* build with the sun C compiler in BSD
! 715: compatibility mode (/usr/ucb/cc). Sudo is designed to
! 716: compile with the standard C compiler (or gcc) and will
! 717: not build correctly with /usr/ucb/cc. You can set the
! 718: CC environment variable to the non-ucb compiler when
! 719: running `configure' if it is not the first cc in your
! 720: path. Some sites link /usr/ucb/cc to gcc; configure will
! 721: not notice this and still refuse to use /usr/ucb/cc, so
! 722: make sure gcc is also in your path if your site is set up
! 723: this way.
! 724: Also: Older versions of Solaris come with a broken syslogd.
! 725: If you are having problems with sudo logging you should
! 726: make sure you have the latest syslogd patch installed.
! 727: This is a problem for Solaris 2.4 and 2.5 at least.
! 728:
! 729: Mac OS X:
! 730: The pseudo-tty support in the Mac OS X kernel has bugs related
! 731: to its handling of the SIGTSTP, SIGTTIN and SIGTTOU signals.
! 732: It does not restart reads and writes when those signals are
! 733: delivered. This may cause problems for some commands when I/O
! 734: logging is enabled. The issue has been reported to Apple and
! 735: is bug id #7952709.
! 736:
! 737: HP-UX:
! 738: The default C compiler shipped with HP-UX is not an ANSI compiler.
! 739: You must use either the HP ANSI C compiler or gcc to build sudo.
! 740: Binary packages of gcc are available from http://hpux.connect.org.uk/.
! 741:
! 742: To prevent PAM from overriding the value of umask on HP-UX 11,
! 743: you will need to add a line like the following to /etc/pam.conf:
! 744:
! 745: sudo session required libpam_hpsec.so.1 bypass_umask
! 746:
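The following check is an added example, not part of the sudo distribution. It tests whether a pam.conf-style file carries the sudo session entry shown above. The function name is hypothetical, the parser assumes whitespace-separated fields (service, module type, control flag, module path, options) without line continuations, and the sample file and its module directory are constructed.

```shell
#!/bin/sh
# check_sudo_umask_bypass FILE  (hypothetical helper name)
# Exit status: 0 = entry present, 1 = entry absent, 2 = file unreadable.
check_sudo_umask_bypass() {
    conf=$1
    [ -r "$conf" ] || return 2
    awk '
        { sub(/#.*/, "") }                # drop comments, fields are re-split
        NF < 4 { next }                   # need service, type, control, module
        $1 == "sudo" && $2 == "session" {
            n = split($4, parts, "/")     # accept a bare name or a full path
            if (parts[n] != "libpam_hpsec.so.1") next
            for (i = 5; i <= NF; i++)     # options follow the module path
                if ($i == "bypass_umask") found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$conf"
}

# Constructed sample input (not taken from a real system): the first entry
# is commented out, the second is an account entry, the third is a session
# entry written with a full module path.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# sudo session required libpam_hpsec.so.1 bypass_umask
sudo account required libpam_hpsec.so.1
sudo session required /usr/lib/security/libpam_hpsec.so.1 bypass_umask
EOF

if check_sudo_umask_bypass "$sample"; then
    echo "sudo session entry with bypass_umask: present"
else
    echo "sudo session entry with bypass_umask: missing"
fi
rm -f "$sample"
```

Point the function at /etc/pam.conf on the HP-UX 11 host after editing it; a status of 1 means PAM can still override the umask for sudo sessions.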
! 747: Digital UNIX:
! 748: By default, sudo will use SIA (Security Integration Architecture)
! 749: to validate a user. If you want to use an alternative authentication
! 750: method that does not go through SIA, you need to use the
! 751: --disable-sia option to configure. If you use gcc to compile
! 752: you will get warnings when building interfaces.c. These are
! 753: harmless but if they really bug you, you can edit
! 754: /usr/include/net/if.h around line 123, right after the comment:
! 755: /* forward decls for C++ */
! 756: change the line:
! 757: #ifdef __cplusplus
! 758: to:
! 759: #if defined(__cplusplus) || defined(__GNUC__)
! 760: If you don't like the idea of editing the system header file
! 761: you can just make a copy in gcc's private include tree and
! 762: edit that.
! 763:
! 764: AIX 3.2.x:
! 765: I've had various problems with the AIX C compiler producing
! 766: incorrect code when the -O flag was used. When optimization
! 767: is not used, the problems go away. Gcc does not appear
! 768: to have this problem.
! 769:
! 770: SCO ODT:
! 771: You'll probably need libcrypt_i.a available via anonymous ftp
! 772: from sosco.sco.com. The necessary files are /SLS/lng225b.Z
! 773: and /SLS/lng225b.ltr.Z.
! 774:
! 775: SunOS 4.x:
! 776: SunOS does not ship with an ANSI C compiler. You will need to
! 777: install an ANSI compiler such as gcc to build sudo.
! 778:
! 779: The /bin/sh shipped with SunOS blows up while running configure.
! 780: You can work around this by installing bash or zsh. If you
! 781: have bash or zsh in your path, configure will use it instead
! 782: automatically.
! 783:
! 784: ULTRIX 4.x:
! 785: ULTRIX does not ship with an ANSI C compiler. You will need to
! 786: install an ANSI compiler such as gcc to build sudo.
! 787:
! 788: The /bin/sh shipped with ULTRIX blows up while running configure.
! 789: You can work around this by installing bash or zsh. If you
! 790: have bash or zsh in your path, configure will use it instead
! 791: automatically.
! 792:
! 793: ULTRIX ships with the 4.2BSD syslog(3) which does not
! 794: allow things like logging different facilities to different
! 795: files, redirecting logs to a single loghost and other niceties.
! 796: You may want to just grab and install:
! 797: ftp://www.sudo.ws/pub/sudo/misc/jtkohl-syslog-complete.tar.gz
! 798: (available via anonymous ftp) which is a port of the 4.3BSD
! 799: syslog/syslogd that is backwards compatible with the Ultrix version.
! 800: I recommend it highly. If you do not do this you probably want
! 801: to run configure with --with-logging=file