Annotation of embedaddon/sudo/INSTALL, revision 1.1.1.2

1.1       misho       1: Sudo installation instructions
                      2: ==============================
                      3: 
                      4: Sudo uses a `configure' script to probe the capabilities and type
                      5: of the system in question.  In this release, `configure' takes many
                      6: more options than it did before.  Please read this document fully
                      7: before configuring and building sudo.  You may also wish to read the
                      8: file INSTALL.configure which explains more about the `configure' script.
                      9: 
                     10: Simple sudo installation
                     11: ========================
                     12: 
                     13: For most systems and configurations it is possible simply to:
                     14: 
                     15:     0) If you are upgrading from a previous version of sudo
                     16:        please read the info in the UPGRADE file before proceeding.
                     17: 
                     18:     1) Read the `OS dependent notes' section for any particular
                     19:        "gotchas" relating to your operating system.
                     20: 
                     21:     2) `cd' to the source or build directory and type `./configure'
                     22:        to generate a Makefile and config.h file suitable for
                     23:        building sudo.  Before you actually run configure you
                     24:        should read the `Available configure options' section
                     25:        to see if there are any special options you may want
                     26:        or need.
                     27: 
                     28:     3) Edit the configure-generated Makefile if you wish to
                     29:        change any of the default paths (alternatively, you could
                     30:        have changed the paths via options to `configure'.
                     31: 
                     32:     5) Type `make' to compile sudo.  If you are building sudo
                     33:        in a separate build tree (apart from the sudo source) GNU
                     34:        make will probably be required.  If `configure' did its job
                     35:        properly (and you have a supported configuration) there won't
                     36:        be any problems.  If this doesn't work, take a look at the
                     37:        TROUBLESHOOTING file for tips on what might have gone wrong.
                     38:        Please mail us if you have a fix or if you are unable to
                     39:        come up with a fix (address at EOF).
                     40: 
                     41:     6) Type `make install' (as root) to install sudo, visudo, the
                     42:        man pages, and a skeleton sudoers file.  Note that the install
                     43:        will not overwrite an existing sudoers file.  You can also
                     44:        install various pieces the package via the install-binaries,
                     45:        install-doc, and install-sudoers make targets.
                     46: 
                     47:     7) Edit the sudoers file with `visudo' as necessary for your
                     48:        site.  You will probably want to refer the sample.sudoers
                     49:        file and sudoers man page included with the sudo package.
                     50: 
                     51:     8) If you want to use syslogd(8) to do the logging, you'll need
                     52:        to update your /etc/syslog.conf file.  See the sample.syslog.conf
                     53:        file included in the distribution for an example.
                     54: 
                     55: Available configure options
                     56: ===========================
                     57: 
                     58: This section describes flags accepted by the sudo's `configure' script.
                     59: Defaults are listed in brackets after the description.
                     60: 
                     61: Configuration:
                     62:   --cache-file=FILE
                     63:        Cache test results in FILE
                     64: 
                     65:   --config-cache, -C
                     66:        Alias for `--cache-file=config.cache'
                     67: 
                     68:   --help, -h
                     69:        Print the usage/help info
                     70: 
                     71:   --no-create, -n
                     72:        Do not create output files
                     73: 
                     74:   --quiet, --silent, -q
                     75:        Do not print `checking...' messages
                     76: 
                     77: Directory and file names:
                     78:   --prefix=PREFIX
                     79:        Install architecture-independent files in PREFIX This really only
                     80:        applies to man pages.  [/usr/local]
                     81: 
                     82:   --exec-prefix=EPREFIX
                     83:        Install architecture-dependent files in EPREFIX This includes the
                     84:        sudo and visudo executables.  [same as prefix]
                     85: 
                     86:   --bindir=DIR
                     87:        Install `sudo' in DIR [EPREFIX/bin]
                     88: 
                     89:   --sbindir=DIR
                     90:        Install `visudo' in DIR [EPREFIX/sbin]
                     91: 
                     92:   --sysconfdir=DIR
                     93:        Install `sudoers' file in DIR [/etc]
                     94: 
                     95:   --mandir=DIR
                     96:        Install man pages in DIR [PREFIX/man]
                     97: 
                     98:   --srcdir=DIR
                     99:        Find the sources in DIR [configure dir or ..]
                    100: 
                    101: Special features/options:
                    102:   --with-incpath=DIR
                    103:        Adds the specified directory (or directories) to CPPFLAGS
                    104:        so configure and the compiler will look there for include
                    105:        files.  Multiple directories may be specified as long as
                    106:        they are space separated.
                    107:        Eg: --with-incpath="/usr/local/include /opt/include"
                    108: 
                    109:   --with-libpath=DIR
                    110:        Adds the specified directory (or directories) to LDFLAGS
                    111:        so configure and the compiler will look there for libraries.
                    112:        Multiple directories may be specified as with --with-incpath.
                    113: 
                    114:   --with-rpath
                    115:        Tells configure to use -Rpath in addition to -Lpath when
                    116:        passing library paths to the loader.  This option is on
                    117:        by default for Solaris and SVR4.
                    118: 
                    119:   --with-blibpath[=PATH]
                    120:        Tells configure to construct a -blibpath argument to the
                    121:        loader.  If a PATH is specified, it will be used as the
                    122:        base.  Otherwise, "/usr/lib:/lib:/usr/local/lib" will be
                    123:        used for gcc and "/usr/lib:/lib" for non-gcc.  Additional
                    124:        library paths will be appended as needed by configure.
                    125:        This option is only valid for AIX where it is on by default.
                    126: 
                    127:   --with-libraries=LIBRARY
                    128:        Adds the specified library (or libaries) to SUDO_LIBS and
                    129:        and VISUDO_LIBS so sudo will link against them.  If the
                    130:        library doesn't start with `-l' or end in `.a' or `.o' a
                    131:        `-l' will be prepended to it.  Multiple libraries may be
                    132:        specified as long as they are space separated.
                    133: 
                    134:   --with-plugindir=PATH
                    135:        Set the directory that sudo looks in to find the policy and I/O
                    136:        logging plugins.  Defaults to the libexec dir used by configure.
                    137: 
                    138:   --with-efence
                    139:        Link with the "electric fence" debugging malloc.
                    140: 
                    141:   --with-bsm-audit
                    142:        Enable support for sudo BSM audit logs on systems that support
                    143:        it.  Currently only supported under FreeBSD and Mac OS X.
                    144: 
                    145:   --with-csops
                    146:        Add CSOps standard options.  You probably aren't interested in this.
                    147: 
                    148:   --with-devel
                    149:         Configure development options.  This will enable compiler warnings
                    150:        and set the Makefile to be able to regenerate the sudoers parser
                    151:        as well as the manual pages.
                    152: 
                    153:   --with-linux-audit
                    154:        Enable audit support for Linux systems.  Audits attempts
                    155:        to run a command as well as SELinux role changes.
                    156: 
                    157:   --with-skey[=DIR]
                    158:        Enable S/Key OTP (One Time Password) support.  If specified,
                    159:        DIR should contain include and lib directories with skey.h
                    160:        and libskey.a respectively.
                    161: 
                    162:   --with-opie[=DIR]
                    163:        Enable NRL OPIE OTP (One Time Password) support.  If specified,
                    164:        DIR should contain include and lib directories with opie.h
                    165:        and libopie.a respectively.
                    166: 
                    167:   --with-SecurID[=DIR]
                    168:        Enable SecurID support.  If specified, DIR is directory containing
1.1.1.2 ! misho     169:        libaceclnt.a, acexport.h, and sdacmvls.h.
1.1       misho     170: 
                    171:   --with-fwtk[=DIR]
                    172:        Enable TIS Firewall Toolkit (FWTK) 'authsrv' support. If specified,
                    173:        DIR is the base directory containing the compiled FWTK package
                    174:        (or at least the library and header files).
                    175: 
                    176:   --with-kerb5[=DIR]
                    177:        Enable Kerberos V support.  If specified, DIR is the base
                    178:        directory containing the Kerberos V include and lib dirs.
                    179:        This This uses Kerberos passphrases for authentication but
                    180:        does not use the Kerberos cookie scheme.  Will not work for
                    181:        Kerberos V older than version 1.1.
                    182: 
1.1.1.2 ! misho     183:   --enable-kerb5-instance=string
        !           184:         By default, the user name is used as the principal name
        !           185:         when authenticating via Kerberos V.  If this option is
        !           186:         enabled, the specified instance string will be appended to
        !           187:         the user name (separated by a slash) when creating the
        !           188:         principal name.
        !           189: 
1.1       misho     190:   --with-ldap[=DIR]
                    191:        Enable LDAP support.  If specified, DIR is the base directory
                    192:        containing the LDAP include and lib directories.  Please see
                    193:        README.LDAP for more information.
                    194: 
                    195:   --with-ldap-conf-file=PATH
                    196:        Path to LDAP configuration file.  If specified, sudo reads
                    197:        this file instead of /etc/ldap.conf to locate the LDAP server.
                    198: 
                    199:   --with-ldap-secret-file=PATH
                    200:        Path to LDAP secret password file.  If specified, sudo uses
                    201:        this file instead of /etc/ldap.secret to read the secret password
                    202:        when rootbinddn is specified in the ldap config file.
                    203: 
                    204:   --with-nsswitch[=PATH]
                    205:        Path to nsswitch.conf or "no" to disable nsswitch support.
                    206:        If specified, sudo uses this file instead of /etc/nsswitch.conf.
                    207:        If nsswitch is disabled but LDAP is enabled, sudo will check
                    208:        LDAP first, then the sudoers file.
                    209: 
                    210:   --with-netsvc[=PATH]
                    211:         Path to netsvc.conf or "no" to disable netsvc.conf support.
                    212:         If specified, sudo uses this file instead of /etc/netsvc.conf
                    213:         on AIX systems.
                    214: 
                    215:   --with-aixauth
                    216:        Enable support for the AIX 4.x general authentication function.
                    217:        This will use the authentication scheme specified for the user
                    218:        on the machine.  It is on by default for AIX systems that
                    219:        support it.
                    220: 
                    221:   --with-pam
                    222:        Enable PAM support.  This is on by default for Darwin, FreeBSD,
                    223:        Linux, Solaris and HP-UX (version 11 and higher).
                    224: 
                    225:        NOTE: on RedHat Linux and Fedora you *must* have an /etc/pam.d/sudo
                    226:        file install.  You may either use the sample.pam file included with
                    227:        sudo or use /etc/pam.d/su as a reference.  The sample.pam file
                    228:        included with sudo may or may not work with other Linux distributions.
                    229:        On Solaris and HP-UX 11 systems you should check (and understand)
                    230:        the contents of /etc/pam.conf.  Do a "man pam.conf" for more
                    231:        information and consider using the "debug" option, if available,
                    232:        with your PAM libraries in /etc/pam.conf to obtain syslog output
                    233:        for debugging purposes.
                    234: 
                    235:   --with-pam-login
                    236:         Enable a specific PAM session when sudo is given the -i option.
                    237:        This changes the PAM service name when sudo is run with the -i
                    238:        option from "sudo" to "sudo-i", allowing for a separate pam
                    239:        configuration for sudo's initial login mode.
                    240: 
                    241:   --with-AFS
                    242:        Enable AFS support with Kerberos authentication.  Should work under
                    243:        AFS 3.3.  If your AFS doesn't have -laudit you should be able to
                    244:        link without it.
                    245: 
                    246:   --with-DCE
                    247:        Enable DCE support for systems without PAM.  Known to work on
                    248:        HP-UX 9.X, 10.X, and 11.0; other systems may require source
                    249:        code and/or `configure' changes.  On systems with PAM support
                    250:        (such as HP-UX 11.0 and higher, Solaris, FreeBSD and Linux), the
                    251:        DCE PAM module (usually libpam_dce) should be used instead.
                    252: 
                    253:   --with-logincap
                    254:        This adds support for login classes specified in /etc/login.conf.
                    255:        It is enabled by default on BSD/OS, Darwin, FreeBSD, OpenBSD and
                    256:        NetBSD (where available).  By default, a login class is not applied
                    257:        unless the 'use_loginclass' option is defined in sudoers or the user
                    258:        specifies a class on the command line.
                    259: 
                    260:   --with-bsdauth
                    261:        Enable support for BSD authentication.  This is the default
                    262:        for BSD/OS and OpenBSD systems that support it.
                    263:        It is not possible to mix BSD authentication with other
                    264:        authentication methods (and there really should be no need
                    265:        to do so).  Note that only the newer BSD authentication API
                    266:        is supported.  If you don't have /usr/include/bsd_auth.h
                    267:        then you cannot use this.
                    268: 
                    269:   --with-project
                    270:        Enable support for Solaris project resource limits.
                    271:        This option is only available on Solaris 9 and above.
                    272: 
                    273:   --with-noexec[=PATH]
                    274:        Enable support for the "noexec" functionality which prevents
                    275:        a dynamically-linked program being run by sudo from executing
                    276:        another program (think shell escapes).  Please see the
                    277:        "PREVENTING SHELL ESCAPES" section in the sudoers man page
                    278:        for details.  If specified, PATH should be a fully qualified
                    279:        path name, e.g. /usr/local/libexec/sudo_noexec.so.  If PATH
                    280:        is "no", noexec support will not be compiled in.  The default
                    281:        is to compile noexec support if libtool supports building
                    282:        shared objects on your OS.
                    283: 
                    284:   --disable-pam-session
                    285:         Disable sudo's PAM session support.  This may be needed on
                    286:         older PAM implementations or on operating systems where
                    287:         opening a PAM session changes the utmp or wtmp files.  If
                    288:         PAM session support is disabled, resource limits may not
1.1.1.2 ! misho     289:         be updated for the command being run.
1.1       misho     290: 
                    291:   --disable-root-mailer
                    292:        By default sudo will run the mailer as root when tattling
                    293:        on a user so as to prevent that user from killing the mailer.
                    294:        With this option, sudo will run the mailer as the invoking
                    295:        user which some people consider to be safer.
                    296: 
                    297:   --disable-setreuid
                    298:        Disable use of the setreuid() function for operating systems
                    299:        where it is broken.  Mac OS X has setreuid() but it doesn't
                    300:        really work.
                    301: 
                    302:   --disable-setresuid
                    303:        Disable use of the setresuid() function for operating systems
                    304:        where it is broken (none currently known).
                    305: 
                    306:   --disable-sia
                    307:        Disable SIA support.  This is the "Security Integration
                    308:        Architecture" on Digital UNIX. If you disable SIA sudo will
                    309:        use its own authentication routines.
                    310: 
                    311:   --disable-shadow
                    312:        Disable shadow password support.  Normally, sudo will compile
                    313:        in shadow password support and use a shadow password if it
                    314:        exists.
                    315: 
                    316:   --with-sudoers-mode=MODE
                    317:        File mode for the sudoers file (octal).  Note that if you
                    318:        wish to NFS-mount the sudoers file this must be group
                    319:        readable.  Also note that this is actually set in the
                    320:        Makefile.  The default mode is 0440.
                    321: 
                    322:   --with-sudoers-uid=UID
                    323:        User id that "owns" the sudoers file.  Note that this is
                    324:        the numeric id, *not* the symbolic name.  Also note that
                    325:        this is actually set in the Makefile.  The default is 0.
                    326: 
                    327:   --with-sudoers-gid=GID
                    328:        Group id that "owns" the sudoers file.  Note that this is
                    329:        the numeric id, *not* the symbolic name.  Also note that
                    330:        this is actually set in the Makefile.  The default is 0.
                    331: 
                    332:   --without-interfaces
                    333:        This option keeps sudo from trying to glean the ip address
                    334:        from each attached ethernet interface.  It is only useful
                    335:        on a machine where sudo's interface reading support does
                    336:        not work, which may be the case on some SysV-based OS's
                    337:        using STREAMS.
                    338: 
                    339:   --without-passwd
                    340:        This option excludes authentication via the passwd (or
                    341:        shadow) file.  It should only be used when another, alternative,
                    342:        authentication scheme is in use.
                    343: 
                    344:   --with-otp-only
                    345:        This option is now just an alias for --without-passwd.
                    346: 
                    347:   --with-stow
                    348:        Properly handle GNU stow packaging.  The sudoers file will
                    349:        physically live in ${prefix}/etc and /etc/sudoers will be
                    350:        a symbolic link.
                    351: 
                    352:   --with-selinux 
                    353:        Enable support for role based access control (RBAC) on
                    354:        systems that support SELinux.
                    355: 
                    356: The following options are also configurable at runtime:
                    357: 
                    358:   --with-long-otp-prompt
                    359:        When validating with a One Time Password scheme (S/Key or
                    360:        OPIE), a two-line prompt is used to make it easier to cut
                    361:        and paste the challenge to a local window.  It's not as
                    362:        pretty as the default but some people find it more convenient.
                    363: 
                    364:   --with-logging=TYPE
                    365:        How you want to do your logging.  You may choose "syslog",
                    366:        "file", or "both".  Setting this to "syslog" is nice because
                    367:        you can keep all of your sudo logs in one place (see the
                    368:        sample.syslog.conf file).  The default is "syslog".
                    369: 
                    370:   --with-logfac=FACILITY
                    371:        Determines which syslog facility to log to.  This requires
                    372:        a 4.3BSD or later version of syslog.  You can still set
                    373:        this for ancient syslogs but it will have no effect.  The
                    374:        following facilities are supported: authpriv (if your OS
                    375:        supports it), auth, daemon, user, local0, local1, local2,
                    376:        local3, local4, local5, local6, and local7.
                    377: 
                    378:   --with-goodpri=PRIORITY
                    379:        Determines which syslog priority to log successfully
                    380:        authenticated commands.  The following priorities are
                    381:        supported: alert, crit, debug, emerg, err, info, notice,
                    382:        and warning.
                    383: 
                    384:   --with-badpri=PRIORITY
                    385:        Determines which syslog priority to log unauthenticated
                    386:        commands and errors.  The following priorities are supported:
                    387:        alert, crit, debug, emerg, err, info, notice, and warning.
                    388: 
                    389:   --with-logpath=PATH
                    390:        Override the default location of the sudo log file and use
                    391:        "path" instead.  By default will use /var/log/sudo.log if
                    392:        there is a /var/log dir, falling back to /var/adm/sudo.log
                    393:        or /usr/adm/sudo.log if not.
                    394: 
                    395:   --with-loglen=NUMBER
                    396:        Number of characters per line for the file log.  This is only used if
                    397:        you are to "file" or "both".  This value is used to decide when to wrap
                    398:        lines for nicer log files.  The default is 80.  Setting this to 0
                    399:        will disable the wrapping.
                    400: 
                    401:   --with-ignore-dot
                    402:        If set, sudo will ignore '.' or '' (current dir) in $PATH.
                    403:        The $PATH itself is not modified.
                    404: 
                    405:   --with-mailto=USER|MAIL_ALIAS
                    406:        User (or mail alias) that mail from sudo is sent to.
                    407:        This should go to a sysadmin at your site.  The default is "root".
                    408: 
                    409:   --with-mailsubject="SUBJECT OF MAIL"
                    410:        Subject of the mail sent to the "mailto" user. The token "%h"
                    411:        will expand to the hostname of the machine.
                    412:        Default is "*** SECURITY information for %h ***".
                    413: 
                    414:   --without-mail-if-no-user
                    415:        Normally, sudo will mail to the "alertmail" user if the user invoking
                    416:        sudo is not in the sudoers file.  This option disables that behavior.
                    417: 
                    418:   --with-mail-if-no-host
                    419:        Send mail to the "alermail" user if the user exists in the sudoers
                    420:        file, but is not allowed to run commands on the current host.
                    421: 
                    422:   --with-mail-if-noperms
                    423:        Send mail to the "alermail" user if the user is allowed to use sudo but
                    424:        the command they are trying is not listed in their sudoers file entry.
                    425: 
                    426:   --with-passprompt="PASSWORD PROMPT"
                    427:        Default prompt to use when asking for a password; can be overridden
                    428:        via the -p option and the SUDO_PROMPT environment variable. Supports
                    429:        the "%H", "%h", "%U" and "%u" escapes as documented in the sudo
                    430:        manual page.  The default value is "Password:".
                    431: 
                    432:   --with-badpass-message="BAD PASSWORD MESSAGE"
                    433:        Message that is displayed if a user enters an incorrect password.
                    434:        The default is "Sorry, try again." unless insults are turned on.
                    435: 
                    436:   --with-fqdn
                    437:        Define this if you want to put fully qualified hostnames in the sudoers
                    438:        file.  Ie: instead of myhost you would use myhost.mydomain.edu.  You may
                    439:        still use the short form if you wish (and even mix the two).  Beware
                    440:        that turning FQDN on requires sudo to make DNS lookups which may make
                    441:        sudo unusable if your DNS is totally hosed.  Also note that you must
                    442:        use the host's official name as DNS knows it.  That is, you may not use
                    443:        a host alias (CNAME entry) due to performance issues and the fact that
                    444:        there is no way to get all aliases from DNS.
                    445: 
                    446:   --with-timedir=PATH
                    447:        Override the default location of the sudo timestamp directory and
                    448:        use "path" instead.
                    449: 
                    450:   --with-sendmail=PATH
                    451:        Override configure's guess as to the location of sendmail.
                    452: 
                    453:   --without-sendmail
                    454:        Do not use sendmail to mail messages to the "mailto" user.
                    455:        Use only if don't run sendmail or the equivalent.
                    456: 
                    457:   --with-umask=MASK
                    458:        Umask to use when running the root command.  The default is 0022.
                    459: 
                    460:   --without-umask
                    461:        Preserves the umask of the user invoking sudo.
                    462: 
                    463:   --with-umask-override
                    464:         Use the umask specified in sudoers even if it is less restrictive
                    465:        than the user's.  The default is to use the intersection of the
                    466:        user's umask and the umask specified in sudoers.
                    467: 
                    468:   --with-runas-default=USER
                    469:        The default user to run commands as if the -u flag is not specified
                    470:        on the command line.  This defaults to "root".
                    471: 
                    472:   --with-exempt=GROUP
                    473:        Users in the specified group don't need to enter a password when
                    474:        running sudo.  This may be useful for sites that don't want their
                    475:        "core" sysadmins to have to enter a password but where Jr. sysadmins
                    476:        need to.  You should probably use NOPASSWD in sudoers instead.
                    477: 
                    478:   --with-passwd-tries=NUMBER
                    479:        Number of tries a user gets to enter his/her password before sudo logs
                    480:        the failure and exits.  The default is 3.
                    481: 
                    482:   --with-timeout=NUMBER
                    483:        Number of minutes that can elapse before sudo will ask for a passwd
                    484:        again.  The default is 5, set this to 0 to always prompt for a password.
                    485: 
                    486:   --with-password-timeout=NUMBER
                    487:        Number of minutes before the sudo password prompt times out.
                    488:        The default is 5, set this to 0 for no password timeout.
                    489: 
                    490:   --without-tty-tickets
                    491:        By default, sudo uses a different ticket file for each user/tty combo.
                    492:        With this option disabled, a single ticket will be used for all
                    493:        of a user's login sessions.
                    494: 
                    495:   --with-insults
                    496:        Define this if you want to be insulted for typing an incorrect password
                    497:        just like the original sudo(8).  This is off by default.
                    498: 
                    499:   --with-insults=disabled
                    500:         Include support for insults but disable them unless explicitly
                    501:         enabled in sudoers.
                    502: 
                    503:   --with-all-insults
                    504:        Include all the insult sets listed below.  You must either specify
                    505:        --with-insults or enable insults in the sudoers file for this to
                    506:        have any effect.
                    507: 
                    508:   --with-classic-insults
                    509:        Uses insults from sudo "classic."  If you just specify --with-insults
                    510:        you will get the classic and CSOps insults.  This is on by default if
                    511:        --with-insults is given.
                    512: 
                    513:   --with-csops-insults
                    514:        Insults the user with an extra set of insults (some quotes, some
                    515:        original) from a sysadmin group at CU (CSOps).  You must specify
                    516:        --with-insults as well for this to have any effect.  This is on by
                    517:        default if --with-insults is given.
                    518: 
                    519:   --with-hal-insults
                    520:        Uses 2001-like insults when an incorrect password is entered.
                    521:        You must either specify --with-insults or enable insults in the
                    522:        sudoers file for this to have any effect.
                    523: 
                    524:   --with-goons-insults
                    525:        Insults the user with lines from the "Goon Show" when an incorrect
                    526:        password is entered.  You must either specify --with-insults or
                    527:        enable insults in the sudoers file for this to have any effect.
                    528: 
                    529:   --with-pc-insults
                    530:        Replace politically incorrect insults with less objectionable ones.
                    531: 
                    532:   --with-secure-path[=PATH]
                    533:        Path used for every command run from sudo(8).  If you don't trust the
                    534:        people running sudo to have a sane PATH environment variable you may
                    535:        want to use this.  Another use is if you want to have the "root path"
                    536:        be separate from the "user path."  You will need to customize the path
                    537:        for your site.  NOTE: this is not applied to users in the group
                    538:        specified by --with-exemptgroup.  If you do not specify a path,
                    539:        "/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc" is used.
                    540: 
                    541:   --without-lecture
                    542:        Don't print the lecture the first time a user runs sudo.
                    543: 
                    544:   --with-editor=PATH
                    545:        Specify the default editor path for use by visudo.  This may be a
                    546:        single path name or a colon-separated list of editors.  In the latter
                    547:        case, visudo will choose the editor that matches the user's VISUAL
                    548:        or EDITOR environment variables or the first editor in the list that
                    549:        exists.  The default is the path to vi on your system.
                    550: 
                    551:   --with-env-editor
                    552:        Makes visudo consult the VISUAL and EDITOR environment variables before
                    553:        falling back on the default editor list (as specified by --with-editor).
                    554:        Note that this may create a security hole as it allows the user to
                    555:        run any arbitrary command as root without logging.  A safer alternative
                    556:        is to use a colon-separated list of editors with the --with-editor
                    557:        option.  visudo will then only use the VISUAL or EDITOR variables
                    558:        if they match a value specified via --with-editor.
                    559: 
                    560:   --with-askpass=PATH
                    561:         Set PATH as the "askpass" program to use when no tty is
                    562:         available.  Typically, this is a graphical password prompter,
                    563:         similar to the one used by ssh.  The program must take a
                    564:         prompt as an argument and print the received password to
                    565:         the standard output.
                    566: 
                    567:   --with-iologdir[=DIR]
                    568:         By default, sudo stores I/O log files in either /var/log/sudo-io,
                    569:         /var/adm/sudo-io, or /usr/log/sudo-io.  If this option is
                    570:         specified, I/O logs will be stored in the indicated directory
                    571:         instead.
                    572: 
                    573:   --disable-authentication
                    574:        By default, sudo requires the user to authenticate via a
                    575:        password or similar means.  This options causes sudo to
                    576:        *not* require authentication.  It is possible to turn
                    577:        authentication back on in sudoers via the PASSWD attribute.
                    578: 
                    579:   --disable-root-sudo
                    580:        Don't let root run sudo.  This can be used to prevent people from
                    581:        "chaining" sudo commands to get a root shell by doing something
                    582:        like "sudo sudo /bin/sh".
                    583: 
                    584:   --enable-gss-krb5-ccache-name
                    585:         Use the gss_krb5_ccache_name() function to set the Kerberos
                    586:         V credential cache file name.  By default, sudo will use
                    587:         the KRB5CCNAME environment variable to set this.  While
                    588:         gss_krb5_ccache_name() provides a better API to do this it
                    589:         is not supported by all Kerberos V and SASL combinations.
                    590: 
                    591:   --enable-log-host
                    592:        Log the hostname in the log file.
                    593: 
                    594:   --enable-noargs-shell
                    595:        If sudo is invoked with no arguments it acts as if the "-s" flag had
                    596:        been given.  That is, it runs a shell as root (the shell is determined
                    597:        by the SHELL environment variable, falling back on the shell listed
                    598:        in the invoking user's /etc/passwd entry).
                    599: 
                    600:   --enable-shell-sets-home
                    601:        If sudo is invoked with the "-s" flag the HOME environment variable
                    602:        will be set to the home directory of the target user (which is root
                    603:        unless the "-u" option is used).  This option effectively makes the
                    604:        "-s" flag imply "-H".
                    605: 
                    606:   --disable-path-info
                    607:        Normally, sudo will tell the user when a command could not be found
                    608:        in their $PATH.  Some sites may wish to disable this as it could
                    609:        be used to gather information on the location of executables that
                    610:        the normal user does not have access to.  The disadvantage is that
                    611:        if the executable is simply not in the user's path, sudo will tell
                    612:        the user that they are not allowed to run it, which can be confusing.
                    613: 
                    614:   --enable-zlib[=location]
                    615:        Enable the use of the zlib compress library when storing
                    616:        I/O log files.  If specified, location is the base directory
                    617:        containing the zlib include and lib directories.  The special
                    618:        values "system" and "builtin" can be used to indicate that
                    619:        the system version of zlib should be used or that the version
                    620:        of zlib shipped with sudo should be used instead.
                    621:        If this option is not specified, configure will use the
                    622:        system zlib if it is present.
                    623: 
                    624:   --disable-zlib
                    625:         Disable the use of the zlib compress library when storing
                    626:         I/O log files.
                    627: 
                    628:   --enable-warnings
                    629:        Enable compiler warnings when building sudo with gcc.
                    630: 
                    631:   --enable-werror
                    632:        Enable the -Werror compiler option when building sudo with gcc.
                    633: 
                    634:   --enable-admin-flag
                    635:        Enable the creation of an Ubuntu-style admin flag file
                    636:        the first time sudo is run.
                    637: 
                    638:   --disable-env-reset
                    639:         Disable environment resetting.  This sets the default value
                    640:         of the "env_reset" Defaults option in sudoers to false.
                    641: 
                    642:   --enable-nls[=location]
                    643:         Enable natural language support using the gettext() family
                    644:         of functions.  If specified, location is the base directory
                    645:         containing the libintl include and lib directories.  If
                    646:         this option is not specified, configure will look for the
                    647:         gettext() family of functions in the standard C library
                    648:         first, then check for a standalone libintl (linking with
                    649:         libiconv as needed).
                    650: 
                    651:   --disable-nls
                    652:         Disable natural language support.  By default, sudo will
                    653:         use the gettext() family of functions, if available, to
                    654:         implement messages in the invoking user's native language.
                    655:        Note that translations do not exist for all languages.
                    656: 
                    657: Shadow password and C2 support
                    658: ==============================
                    659: 
                    660: Shadow passwords (also included with most C2 security packages) are
                    661: supported on most major platforms for which they exist.  The
                    662: `configure' script will attempt to determine if your system can use
                    663: shadow passwords and include support for them if so.  Shadow password
                    664: support is now compiled in by default (it doesn't hurt anything if you
                    665: don't have them configured).  To disable the shadow password support,
                    666: use the --disable-shadow option to configure.
                    667: 
                    668: Shadow passwords are known to work on the following platforms:
                    669: 
                    670:     SunOS 4.x
                    671:     Solaris 2.x
                    672:     HP-UX >= 9.x
                    673:     Ultrix 4.x
                    674:     Digital UNIX
                    675:     IRIX >= 5.x
                    676:     AIX >= 3.2.x
                    677:     Linux
                    678:     SCO >= 3.2.2
                    679:     Pyramid DC/OSx
                    680:     UnixWare
                    681:     SVR4 (and variants using standard SVR4 shadow passwords)
                    682:     4.4BSD based systems (including OpenBSD, NetBSD, FreeBSD, and Mac OS X)
                    683:     Systems using SecureWare's C2 security.
                    684: 
                    685: OS dependent notes
                    686: ==================
                    687: 
                    688: Linux:
                    689:     PAM and LDAP headers are not installed by default on most Linux
                    690:     systems.  You will need to install the "pam-dev" package if
                    691:     /usr/include/security/pam_appl.h is not present on your system.
                    692:     If you wish to build with LDAP support you will also need the
                    693:     openldap-devel package.
                    694: 
                    695:     Versions of glibc 2.x previous to 2.0.7 have a broken lsearch().
                    696:     You will need to either upgrade to glibc-2.0.7 or use sudo's
                    697:     version of lsearch().  To use sudo's lsearch(), comment out
                    698:     the "#define HAVE_LSEARCH 1" line in config.h and add lsearch.o
                    699:     to the LIBOBJS line in the Makefile.
                    700: 
                    701:     If you are using a Linux kernel older than 2.4 it is not possible
                    702:     to access the sudoers file via NFS.  This is due to a bug in
                    703:     the Linux client-side NFS implementation that has since been
                    704:     fixed.  There is a workaround on the sudo ftp site, linux_nfs.patch,
                    705:     if you need to NFS-mount sudoers on older Linux kernels.
                    706: 
                    707: Solaris 2.x:
                    708:     You need to have a C compiler in order to build sudo.  Since
                    709:     Solaris 2.x does not come with one by default this means that
                    710:     you either need to install the Sun Studio compiler suite,
                    711:     available for free from www.sun.com, or have a copy of the GNU
                    712:     C compiler (gcc) which is distributed on the Solaris Companion
                    713:     CD.  You can also get them from various places on the net,
                    714:     including http://www.sunfreeware.com/
                    715:     NOTE: sudo will *not* build with the sun C compiler in BSD
                    716:           compatibility mode (/usr/ucb/cc).  Sudo is designed to
                    717:           compile with the standard C compiler (or gcc) and will
                    718:           not build correctly with /usr/ucb/cc.  You can set the
                    719:           CC environment variable to the non-ucb compiler when
                    720:           running `configure' if it is not the first cc in your
                    721:           path.  Some sites link /usr/ucb/cc to gcc; configure will
                    722:           not notice this and still refuse to use /usr/ucb/cc, so
                    723:           make sure gcc is also in your path if your site is setup
                    724:           this way.
                    725:     Also: Older versions of Solaris come with a broken syslogd.
                    726:          If you have having problems with sudo logging you should
                    727:          make sure you have the latest syslogd patch installed.
                    728:          This is a problem for Solaris 2.4 and 2.5 at least.
                    729: 
                    730: Mac OS X:
                    731:     The pseudo-tty support in the Mac OS X kernel has bugs related
                    732:     to its handling of the SIGTSTP, SIGTTIN and SIGTTOU signals.
                    733:     It does not restart reads and writes when those signals are
                    734:     delivered.  This may cause problems for some commands when I/O
                    735:     logging is enabled.  The issue has been reported to Apple and
                    736:     is bug id #7952709.
                    737: 
                    738: HP-UX:
                    739:     The default C compiler shipped with HP-UX is not an ANSI compiler.
                    740:     You must use either the HP ANSI C compiler or gcc to build sudo.
                    741:     Binary packages of gcc are available from http://hpux.connect.org.uk/.
                    742: 
                    743:     To prevent PAM from overriding the value of umask on HP-UX 11,
                    744:     you will need to add a line like the following to /etc/pam.conf:
                    745: 
                    746:     sudo       session required        libpam_hpsec.so.1 bypass_umask
                    747: 
1.1.1.2 ! misho     748:     If every command run via sudo displays information about the last
        !           749:     successful login and the last authentication failure you should
        !           750:     make use an /etc/pam.conf line like:
        !           751: 
        !           752:     sudo       session required        libpam_hpsec.so.1 bypass_umask bypass_last_login
        !           753: 
1.1       misho     754: Digital UNIX:
                    755:     By default, sudo will use SIA (Security Integration Architecture)
                    756:     to validate a user.  If you want to use an alternative authentication
                    757:     method that does not go through SIA, you need to use the
                    758:     --disable-sia option to configure.  If you use gcc to compile
                    759:     you will get warnings when building interfaces.c.  These are
                    760:     harmless but if they really bug you, you can edit
                    761:     /usr/include/net/if.h around line 123, right after the comment:
                    762:        /* forward decls for C++ */
                    763:     change the line:
                    764:        #ifdef __cplusplus
                    765:     to:
                    766:        #if defined(__cplusplus) || defined(__GNUC__)
                    767:     If you don't like the idea of editing the system header file
                    768:     you can just make a copy in gcc's private include tree and
                    769:     edit that.
                    770: 
                    771: AIX 3.2.x:
                    772:     I've had various problems with the AIX C compiler producing
                    773:     incorrect code when the -O flag was used.  When optimization
                    774:     is not used, the problems go away.  Gcc does not appear
                    775:     to have this problem.
                    776: 
                    777: SCO ODT:
                    778:     You'll probably need libcrypt_i.a available via anonymous ftp
                    779:     from sosco.sco.com.  The necessary files are /SLS/lng225b.Z
                    780:     and /SLS/lng225b.ltr.Z.
                    781: 
                    782: SunOS 4.x:
                    783:     SunOS does not ship with an ANSI C compiler.  You will need to
                    784:     install an ANSI compiler such as gcc to build sudo.
                    785: 
                    786:     The /bin/sh shipped with SunOS blows up while running configure.
                    787:     You can work around this by installing bash or zsh.  If you
                    788:     have bash or zsh in your path, configure will use it instead
                    789:     automatically.
                    790: 
                    791: ULTRIX 4.x:
                    792:     ULTRIX does not ship with an ANSI C compiler.  You will need to
                    793:     install an ANSI compiler such as gcc to build sudo.
                    794: 
                    795:     The /bin/sh shipped with ULTRIX blows up while running configure.
                    796:     You can work around this by installing bash or zsh.  If you
                    797:     have bash or zsh in your path, configure will use it instead
                    798:     automatically.
                    799: 
                    800:     ULTRIX ships with the 4.2BSD syslog(3) which does not
                    801:     allow things like logging different facilities to different
                    802:     files, redirecting logs to a single loghost and other niceties.
                    803:     You may want to just grab and install:
                    804:        ftp://www.sudo.ws/pub/sudo/misc/jtkohl-syslog-complete.tar.gz
                    805:     (available via anonymous ftp) which is a port if the 4.3BSD
                    806:     syslog/syslogd that is backwards compatible with the Ultrix version.
                    807:     I recommend it highly.  If you do not do this you probably want
                    808:     to run configure with --with-logging=file

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>