Annotation of embedaddon/sudo/INSTALL, revision 1.1.1.3

Sudo installation instructions
==============================

Sudo uses a `configure' script to probe the capabilities and type
of the system in question.  In this release, `configure' takes many
more options than it did before.  Please read this document fully
before configuring and building sudo.  You may also wish to read the
file INSTALL.configure which explains more about the `configure' script.

Simple sudo installation
========================

For most systems and configurations it is possible simply to:

    0) If you are upgrading from a previous version of sudo
       please read the info in the UPGRADE file before proceeding.

    1) Read the `OS dependent notes' section for any particular
       "gotchas" relating to your operating system.

    2) `cd' to the source or build directory and type `./configure'
       to generate a Makefile and config.h file suitable for
       building sudo.  Before you actually run configure you
       should read the `Available configure options' section
       to see if there are any special options you may want
       or need.

    3) Edit the configure-generated Makefile if you wish to
       change any of the default paths (alternatively, you could
       have changed the paths via options to `configure').

    4) Type `make' to compile sudo.  If you are building sudo
       in a separate build tree (apart from the sudo source) GNU
       make will probably be required.  If `configure' did its job
       properly (and you have a supported configuration) there won't
       be any problems.  If this doesn't work, take a look at the
       TROUBLESHOOTING file for tips on what might have gone wrong.
       Please mail us if you have a fix or if you are unable to
       come up with a fix (address at EOF).

    5) Type `make install' (as root) to install sudo, visudo, the
       man pages, and a skeleton sudoers file.  Note that the install
       will not overwrite an existing sudoers file.  You can also
       install various pieces of the package via the install-binaries,
       install-doc, and install-sudoers make targets.

    6) Edit the sudoers file with `visudo' as necessary for your
       site.  You will probably want to refer to the sample.sudoers
       file and sudoers man page included with the sudo package.

    7) If you want to use syslogd(8) to do the logging, you'll need
       to update your /etc/syslog.conf file.  See the sample.syslog.conf
       file included in the distribution for an example.

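As an added example (not part of the sudo distribution), the following POSIX shell script wraps the procedure above: it runs `configure' with a selection of the options documented later in this file, builds and installs, and then checks that the installed sudoers file actually carries the mode, uid and gid that were requested, which matters because `make install' leaves a pre-existing sudoers file untouched. The option selection, the paths and the check function are the editor's assumptions, not sudo's own tooling.

```sh
#!/bin/sh
# Added example, not part of the sudo distribution.  Builds sudo with a
# security-minded selection of the configure options documented in this
# INSTALL file and verifies the installed sudoers file afterwards.
# Assumptions: POSIX sh, a `find' that accepts numeric -user/-group
# arguments (GNU and BSD find both do), and a source tree in the
# current directory.

# Options taken from the "Available configure options" section.  Logging
# goes to both syslog and a file, failed attempts are logged at a high
# priority, and sudoers is installed mode 0440 owned by uid 0 / gid 0.
SUDO_CONFIGURE_OPTS="--sysconfdir=/etc \
  --with-logging=both --with-logfac=authpriv \
  --with-goodpri=notice --with-badpri=alert \
  --with-sudoers-mode=0440 --with-sudoers-uid=0 --with-sudoers-gid=0 \
  --with-passwd-tries=3 --with-timeout=5 \
  --with-ignore-dot --with-mail-if-no-host --with-mail-if-noperms \
  --with-noexec --with-pam"

# Steps 2 and 4 of the procedure: configure, then build.  Run this as an
# unprivileged user; only the install step needs root.
build_sudo() {
    ./configure $SUDO_CONFIGURE_OPTS && make
}

# Step 5: install as root.  `make install' will not overwrite an existing
# sudoers file, so the permission check below is what tells you whether a
# pre-existing file still matches the policy handed to configure.
install_sudo() {
    make install
}

# check_file_perms FILE MODE UID GID
# Succeeds (exit 0) only when FILE is a regular file whose permission
# bits are exactly MODE (octal) and whose owner/group are UID/GID.
# Any other outcome, including a missing file, fails (exit 1).
check_file_perms() {
    f=$1 mode=$2 uid=$3 gid=$4
    [ -f "$f" ] || return 1
    # find prints the path only if every predicate matches; an empty
    # result therefore means at least one attribute is wrong.
    [ -n "$(find "$f" -type f -perm "$mode" -user "$uid" -group "$gid" \
              -print 2>/dev/null)" ]
}

# check_sudoers SUDOERS_PATH
# Applies the sudoers mode/uid/gid values passed to configure above.
check_sudoers() {
    check_file_perms "$1" 0440 0 0
}

# Usage (uncomment to run the real build on a sudo source tree):
# build_sudo && install_sudo && check_sudoers /etc/sudoers \
#     || { echo "sudoers permissions do not match configured policy" >&2; exit 1; }
```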
Available configure options
===========================

This section describes flags accepted by sudo's `configure' script.
Defaults are listed in brackets after the description.

Configuration:
  --cache-file=FILE
       Cache test results in FILE

  --config-cache, -C
       Alias for `--cache-file=config.cache'

  --help, -h
       Print the usage/help info

  --no-create, -n
       Do not create output files

  --quiet, --silent, -q
       Do not print `checking...' messages

Directory and file names:
  --prefix=PREFIX
       Install architecture-independent files in PREFIX.  This really only
       applies to man pages.  [/usr/local]

  --exec-prefix=EPREFIX
       Install architecture-dependent files in EPREFIX.  This includes the
       sudo and visudo executables.  [same as prefix]

  --bindir=DIR
       Install `sudo' in DIR [EPREFIX/bin]

  --sbindir=DIR
       Install `visudo' in DIR [EPREFIX/sbin]

  --sysconfdir=DIR
       Install `sudoers' file in DIR [/etc]

  --mandir=DIR
       Install man pages in DIR [PREFIX/man]

  --srcdir=DIR
       Find the sources in DIR [configure dir or ..]

Special features/options:
  --with-incpath=DIR
       Adds the specified directory (or directories) to CPPFLAGS
       so configure and the compiler will look there for include
       files.  Multiple directories may be specified as long as
       they are space separated.
       Eg: --with-incpath="/usr/local/include /opt/include"

  --with-libpath=DIR
       Adds the specified directory (or directories) to LDFLAGS
       so configure and the compiler will look there for libraries.
       Multiple directories may be specified as with --with-incpath.

  --with-rpath
       Tells configure to use -Rpath in addition to -Lpath when
       passing library paths to the loader.  This option is on
       by default for Solaris and SVR4.

  --with-blibpath[=PATH]
       Tells configure to construct a -blibpath argument to the
       loader.  If a PATH is specified, it will be used as the
       base.  Otherwise, "/usr/lib:/lib:/usr/local/lib" will be
       used for gcc and "/usr/lib:/lib" for non-gcc.  Additional
       library paths will be appended as needed by configure.
       This option is only valid for AIX where it is on by default.

  --with-libraries=LIBRARY
       Adds the specified library (or libraries) to SUDO_LIBS
       and VISUDO_LIBS so sudo will link against them.  If the
       library doesn't start with `-l' or end in `.a' or `.o' a
       `-l' will be prepended to it.  Multiple libraries may be
       specified as long as they are space separated.

  --with-plugindir=PATH
       Set the directory that sudo looks in to find the policy and I/O
       logging plugins.  Defaults to the libexec dir used by configure.

  --with-efence
       Link with the "electric fence" debugging malloc.

  --with-bsm-audit
       Enable support for sudo BSM audit logs on systems that support
       it.  Currently only supported under FreeBSD and Mac OS X.

  --with-csops
       Add CSOps standard options.  You probably aren't interested in this.

  --with-devel
       Configure development options.  This will enable compiler warnings
       and set the Makefile to be able to regenerate the sudoers parser
       as well as the manual pages.

  --with-linux-audit
       Enable audit support for Linux systems.  Audits attempts
       to run a command as well as SELinux role changes.

  --with-skey[=DIR]
       Enable S/Key OTP (One Time Password) support.  If specified,
       DIR should contain include and lib directories with skey.h
       and libskey.a respectively.

  --with-opie[=DIR]
       Enable NRL OPIE OTP (One Time Password) support.  If specified,
       DIR should contain include and lib directories with opie.h
       and libopie.a respectively.

  --with-SecurID[=DIR]
       Enable SecurID support.  If specified, DIR is the directory containing
       libaceclnt.a, acexport.h, and sdacmvls.h.

  --with-fwtk[=DIR]
       Enable TIS Firewall Toolkit (FWTK) 'authsrv' support.  If specified,
       DIR is the base directory containing the compiled FWTK package
       (or at least the library and header files).

  --with-kerb5[=DIR]
       Enable Kerberos V support.  If specified, DIR is the base
       directory containing the Kerberos V include and lib dirs.
       This uses Kerberos passphrases for authentication but
       does not use the Kerberos cookie scheme.  Will not work for
       Kerberos V older than version 1.1.

  --enable-kerb5-instance=string
       By default, the user name is used as the principal name
       when authenticating via Kerberos V.  If this option is
       enabled, the specified instance string will be appended to
       the user name (separated by a slash) when creating the
       principal name.

  --with-ldap[=DIR]
       Enable LDAP support.  If specified, DIR is the base directory
       containing the LDAP include and lib directories.  Please see
       README.LDAP for more information.

  --with-ldap-conf-file=PATH
       Path to LDAP configuration file.  If specified, sudo reads
       this file instead of /etc/ldap.conf to locate the LDAP server.

  --with-ldap-secret-file=PATH
       Path to LDAP secret password file.  If specified, sudo uses
       this file instead of /etc/ldap.secret to read the secret password
       when rootbinddn is specified in the ldap config file.

  --with-sssd
       Enable support for using the System Security Services Daemon
       (SSSD) as a sudoers data source.  For more information on
       SSSD, see http://fedorahosted.org/sssd/

  --with-sssd-lib=PATH
       Specify the path to the SSSD shared library, which is loaded
       at run-time.

  --with-nsswitch[=PATH]
       Path to nsswitch.conf or "no" to disable nsswitch support.
       If specified, sudo uses this file instead of /etc/nsswitch.conf.
       If nsswitch is disabled but LDAP is enabled, sudo will check
       LDAP first, then the sudoers file.

  --with-netsvc[=PATH]
       Path to netsvc.conf or "no" to disable netsvc.conf support.
       If specified, sudo uses this file instead of /etc/netsvc.conf
       on AIX systems.

  --with-aixauth
       Enable support for the AIX 4.x general authentication function.
       This will use the authentication scheme specified for the user
       on the machine.  It is on by default for AIX systems that
       support it.

  --with-pam
       Enable PAM support.  This is on by default for Darwin, FreeBSD,
       Linux, Solaris and HP-UX (version 11 and higher).

       NOTE: on RedHat Linux and Fedora you *must* have an /etc/pam.d/sudo
       file installed.  You may either use the sample.pam file included with
       sudo or use /etc/pam.d/su as a reference.  The sample.pam file
       included with sudo may or may not work with other Linux distributions.
       On Solaris and HP-UX 11 systems you should check (and understand)
       the contents of /etc/pam.conf.  Do a "man pam.conf" for more
       information and consider using the "debug" option, if available,
       with your PAM libraries in /etc/pam.conf to obtain syslog output
       for debugging purposes.

  --with-pam-login
       Enable a specific PAM session when sudo is given the -i option.
       This changes the PAM service name when sudo is run with the -i
       option from "sudo" to "sudo-i", allowing for a separate pam
       configuration for sudo's initial login mode.

  --with-AFS
       Enable AFS support with Kerberos authentication.  Should work under
       AFS 3.3.  If your AFS doesn't have -laudit you should be able to
       link without it.

  --with-DCE
       Enable DCE support for systems without PAM.  Known to work on
       HP-UX 9.X, 10.X, and 11.0; other systems may require source
       code and/or `configure' changes.  On systems with PAM support
       (such as HP-UX 11.0 and higher, Solaris, FreeBSD and Linux), the
       DCE PAM module (usually libpam_dce) should be used instead.

  --with-logincap
       This adds support for login classes specified in /etc/login.conf.
       It is enabled by default on BSD/OS, Darwin, FreeBSD, OpenBSD and
       NetBSD (where available).  By default, a login class is not applied
       unless the 'use_loginclass' option is defined in sudoers or the user
       specifies a class on the command line.

  --with-bsdauth
       Enable support for BSD authentication.  This is the default
       for BSD/OS and OpenBSD systems that support it.
       It is not possible to mix BSD authentication with other
       authentication methods (and there really should be no need
       to do so).  Note that only the newer BSD authentication API
       is supported.  If you don't have /usr/include/bsd_auth.h
       then you cannot use this.

  --with-project
       Enable support for Solaris project resource limits.
       This option is only available on Solaris 9 and above.

  --with-noexec[=PATH]
       Enable support for the "noexec" functionality which prevents
       a dynamically-linked program being run by sudo from executing
       another program (think shell escapes).  Please see the
       "PREVENTING SHELL ESCAPES" section in the sudoers man page
       for details.  If specified, PATH should be a fully qualified
       path name, e.g. /usr/local/libexec/sudo_noexec.so.  If PATH
       is "no", noexec support will not be compiled in.  The default
       is to compile noexec support if libtool supports building
       shared objects on your OS.

  --disable-pam-session
       Disable sudo's PAM session support.  This may be needed on
       older PAM implementations or on operating systems where
       opening a PAM session changes the utmp or wtmp files.  If
       PAM session support is disabled, resource limits may not
       be updated for the command being run.

  --disable-root-mailer
       By default sudo will run the mailer as root when tattling
       on a user so as to prevent that user from killing the mailer.
       With this option, sudo will run the mailer as the invoking
       user which some people consider to be safer.

  --disable-setreuid
       Disable use of the setreuid() function for operating systems
       where it is broken.  Mac OS X has setreuid() but it doesn't
       really work.

  --disable-setresuid
       Disable use of the setresuid() function for operating systems
       where it is broken (none currently known).

  --disable-sia
       Disable SIA support.  This is the "Security Integration
       Architecture" on Digital UNIX.  If you disable SIA sudo will
       use its own authentication routines.

  --disable-shadow
       Disable shadow password support.  Normally, sudo will compile
       in shadow password support and use a shadow password if it
       exists.

  --with-sudoers-mode=MODE
       File mode for the sudoers file (octal).  Note that if you
       wish to NFS-mount the sudoers file this must be group
       readable.  Also note that this is actually set in the
       Makefile.  The default mode is 0440.

  --with-sudoers-uid=UID
       User id that "owns" the sudoers file.  Note that this is
       the numeric id, *not* the symbolic name.  Also note that
       this is actually set in the Makefile.  The default is 0.

  --with-sudoers-gid=GID
       Group id that "owns" the sudoers file.  Note that this is
       the numeric id, *not* the symbolic name.  Also note that
       this is actually set in the Makefile.  The default is 0.

  --without-interfaces
       This option keeps sudo from trying to glean the ip address
       from each attached ethernet interface.  It is only useful
       on a machine where sudo's interface reading support does
       not work, which may be the case on some SysV-based OS's
       using STREAMS.

  --without-passwd
       This option excludes authentication via the passwd (or
       shadow) file.  It should only be used when another, alternative,
       authentication scheme is in use.

  --with-otp-only
       This option is now just an alias for --without-passwd.

  --with-selinux
       Enable support for role based access control (RBAC) on
       systems that support SELinux.

  --with-man
       Use the "man" macros for manual pages.  By default, mdoc
       versions of the manuals are installed.  This can be used
       to override configure's test for "nroff -mdoc" support.

  --with-mdoc
       Use the "mdoc" macros for manual pages.  By default, mdoc
       versions of the manuals are installed.  This can be used
       to override configure's test for "nroff -mdoc" support.

1.1       misho     370: The following options are also configurable at runtime:
                    371: 
                    372:   --with-long-otp-prompt
                    373:        When validating with a One Time Password scheme (S/Key or
                    374:        OPIE), a two-line prompt is used to make it easier to cut
                    375:        and paste the challenge to a local window.  It's not as
                    376:        pretty as the default but some people find it more convenient.
                    377: 
                    378:   --with-logging=TYPE
                    379:        How you want to do your logging.  You may choose "syslog",
                    380:        "file", or "both".  Setting this to "syslog" is nice because
                    381:        you can keep all of your sudo logs in one place (see the
                    382:        sample.syslog.conf file).  The default is "syslog".
                    383: 
                    384:   --with-logfac=FACILITY
                    385:        Determines which syslog facility to log to.  This requires
                    386:        a 4.3BSD or later version of syslog.  You can still set
                    387:        this for ancient syslogs but it will have no effect.  The
                    388:        following facilities are supported: authpriv (if your OS
                    389:        supports it), auth, daemon, user, local0, local1, local2,
                    390:        local3, local4, local5, local6, and local7.
                    391: 
                    392:   --with-goodpri=PRIORITY
                    393:        Determines which syslog priority to log successfully
                    394:        authenticated commands.  The following priorities are
                    395:        supported: alert, crit, debug, emerg, err, info, notice,
                    396:        and warning.
                    397: 
                    398:   --with-badpri=PRIORITY
                    399:        Determines which syslog priority to log unauthenticated
                    400:        commands and errors.  The following priorities are supported:
                    401:        alert, crit, debug, emerg, err, info, notice, and warning.
                    402: 
                    403:   --with-logpath=PATH
                    404:        Override the default location of the sudo log file and use
                    405:        "path" instead.  By default will use /var/log/sudo.log if
                    406:        there is a /var/log dir, falling back to /var/adm/sudo.log
                    407:        or /usr/adm/sudo.log if not.
                    408: 
                    409:   --with-loglen=NUMBER
                    410:        Number of characters per line for the file log.  This is only used if
                    411:        you are to "file" or "both".  This value is used to decide when to wrap
                    412:        lines for nicer log files.  The default is 80.  Setting this to 0
                    413:        will disable the wrapping.
                    414: 
                    415:   --with-ignore-dot
                    416:        If set, sudo will ignore '.' or '' (current dir) in $PATH.
                    417:        The $PATH itself is not modified.
                    418: 
                    419:   --with-mailto=USER|MAIL_ALIAS
                    420:        User (or mail alias) that mail from sudo is sent to.
                    421:        This should go to a sysadmin at your site.  The default is "root".
                    422: 
                    423:   --with-mailsubject="SUBJECT OF MAIL"
                    424:        Subject of the mail sent to the "mailto" user. The token "%h"
                    425:        will expand to the hostname of the machine.
                    426:        Default is "*** SECURITY information for %h ***".
                    427: 
                    428:   --without-mail-if-no-user
                    429:        Normally, sudo will mail to the "alertmail" user if the user invoking
                    430:        sudo is not in the sudoers file.  This option disables that behavior.
                    431: 
                    432:   --with-mail-if-no-host
                    433:        Send mail to the "alermail" user if the user exists in the sudoers
                    434:        file, but is not allowed to run commands on the current host.
                    435: 
                    436:   --with-mail-if-noperms
                    437:        Send mail to the "alermail" user if the user is allowed to use sudo but
                    438:        the command they are trying is not listed in their sudoers file entry.
                    439: 
                    440:   --with-passprompt="PASSWORD PROMPT"
                    441:        Default prompt to use when asking for a password; can be overridden
                    442:        via the -p option and the SUDO_PROMPT environment variable. Supports
                    443:        the "%H", "%h", "%U" and "%u" escapes as documented in the sudo
                    444:        manual page.  The default value is "Password:".
                    445: 
                    446:   --with-badpass-message="BAD PASSWORD MESSAGE"
                    447:        Message that is displayed if a user enters an incorrect password.
                    448:        The default is "Sorry, try again." unless insults are turned on.
                    449: 
                    450:   --with-fqdn
                    451:        Define this if you want to put fully qualified hostnames in the sudoers
                    452:        file.  Ie: instead of myhost you would use myhost.mydomain.edu.  You may
                    453:        still use the short form if you wish (and even mix the two).  Beware
                    454:        that turning FQDN on requires sudo to make DNS lookups which may make
                    455:        sudo unusable if your DNS is totally hosed.  Also note that you must
                    456:        use the host's official name as DNS knows it.  That is, you may not use
                    457:        a host alias (CNAME entry) due to performance issues and the fact that
                    458:        there is no way to get all aliases from DNS.
                    459: 
                    460:   --with-timedir=PATH
                    461:        Override the default location of the sudo timestamp directory and
                    462:        use "path" instead.
                    463: 
                    464:   --with-sendmail=PATH
                    465:        Override configure's guess as to the location of sendmail.
                    466: 
                    467:   --without-sendmail
                    468:        Do not use sendmail to mail messages to the "mailto" user.
                    469:        Use only if don't run sendmail or the equivalent.
                    470: 
                    471:   --with-umask=MASK
                    472:        Umask to use when running the root command.  The default is 0022.
                    473: 
                    474:   --without-umask
                    475:        Preserves the umask of the user invoking sudo.
                    476: 
                    477:   --with-umask-override
                    478:         Use the umask specified in sudoers even if it is less restrictive
                    479:        than the user's.  The default is to use the intersection of the
                    480:        user's umask and the umask specified in sudoers.
                    481: 
                    482:   --with-runas-default=USER
                    483:        The default user to run commands as if the -u flag is not specified
                    484:        on the command line.  This defaults to "root".
                    485: 
                    486:   --with-exempt=GROUP
                    487:        Users in the specified group don't need to enter a password when
                    488:        running sudo.  This may be useful for sites that don't want their
                    489:        "core" sysadmins to have to enter a password but where Jr. sysadmins
                    490:        need to.  You should probably use NOPASSWD in sudoers instead.
                    491: 
                    492:   --with-passwd-tries=NUMBER
                    493:        Number of tries a user gets to enter his/her password before sudo logs
                    494:        the failure and exits.  The default is 3.
                    495: 
                    496:   --with-timeout=NUMBER
                    497:        Number of minutes that can elapse before sudo will ask for a password
                    498:        again.  The default is 5; set this to 0 to always prompt for a password.
                    499: 
                    500:   --with-password-timeout=NUMBER
                    501:        Number of minutes before the sudo password prompt times out.
                    502:        The default is 5; set this to 0 for no password timeout.
                    503: 
                    504:   --without-tty-tickets
                    505:        By default, sudo uses a different ticket file for each user/tty combo.
                    506:        With this option disabled, a single ticket will be used for all
                    507:        of a user's login sessions.
                    508: 
                    509:   --with-insults
                    510:        Define this if you want to be insulted for typing an incorrect password
                    511:        just like the original sudo(8).  This is off by default.
                    512: 
                    513:   --with-insults=disabled
                    514:         Include support for insults but disable them unless explicitly
                    515:         enabled in sudoers.
                    516: 
                    517:   --with-all-insults
                    518:        Include all the insult sets listed below.  You must either specify
                    519:        --with-insults or enable insults in the sudoers file for this to
                    520:        have any effect.
                    521: 
                    522:   --with-classic-insults
                    523:        Uses insults from sudo "classic."  If you just specify --with-insults
                    524:        you will get the classic and CSOps insults.  This is on by default if
                    525:        --with-insults is given.
                    526: 
                    527:   --with-csops-insults
                    528:        Insults the user with an extra set of insults (some quotes, some
                    529:        original) from a sysadmin group at CU (CSOps).  You must specify
                    530:        --with-insults as well for this to have any effect.  This is on by
                    531:        default if --with-insults is given.
                    532: 
                    533:   --with-hal-insults
                    534:        Uses 2001-like insults when an incorrect password is entered.
                    535:        You must either specify --with-insults or enable insults in the
                    536:        sudoers file for this to have any effect.
                    537: 
                    538:   --with-goons-insults
                    539:        Insults the user with lines from the "Goon Show" when an incorrect
                    540:        password is entered.  You must either specify --with-insults or
                    541:        enable insults in the sudoers file for this to have any effect.
                    542: 
                    543:   --with-pc-insults
                    544:        Replace politically incorrect insults with less objectionable ones.
                    545: 
                    546:   --with-secure-path[=PATH]
                    547:        Path used for every command run from sudo(8).  If you don't trust the
                    548:        people running sudo to have a sane PATH environment variable you may
                    549:        want to use this.  Another use is if you want to have the "root path"
                    550:        be separate from the "user path."  You will need to customize the path
                    551:        for your site.  NOTE: this is not applied to users in the group
                    552:        specified by --with-exempt.  If you do not specify a path,
                    553:        "/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc" is used.
                    554: 
                    555:   --without-lecture
                    556:        Don't print the lecture the first time a user runs sudo.
                    557: 
                    558:   --with-editor=PATH
                    559:        Specify the default editor path for use by visudo.  This may be a
                    560:        single path name or a colon-separated list of editors.  In the latter
                    561:        case, visudo will choose the editor that matches the user's VISUAL
                    562:        or EDITOR environment variables or the first editor in the list that
                    563:        exists.  The default is the path to vi on your system.
                    564: 
                    565:   --with-env-editor
                    566:        Makes visudo consult the VISUAL and EDITOR environment variables before
                    567:        falling back on the default editor list (as specified by --with-editor).
                    568:        Note that this may create a security hole as it allows the user to
                    569:        run any arbitrary command as root without logging.  A safer alternative
                    570:        is to use a colon-separated list of editors with the --with-editor
                    571:        option.  visudo will then only use the VISUAL or EDITOR variables
                    572:        if they match a value specified via --with-editor.
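
To make the difference between the two editor options concrete, here is an added example (shell, not sudo's own code) that models visudo's editor choice: with env_editor off, VISUAL or EDITOR only wins when its command word matches a configured editor, otherwise the first existing editor in the list is used. Matching by exact path of the command word is an assumption that simplifies visudo's real comparison.

```shell
# Added example, not sudo's own code: a model of the visudo editor selection.
# EDITORS is the colon-separated --with-editor list; ENV_EDITOR is 1 when sudo
# was built --with-env-editor, else 0. Matching is by exact path of the command
# word, a simplification of what visudo actually does (assumption).

# first_word "/usr/bin/vim -f" -> /usr/bin/vim (strip editor arguments)
first_word() {
    set -- $1
    printf '%s\n' "$1"
}

# in_list LIST CANDIDATE: succeed if CANDIDATE is an entry of colon-separated LIST
in_list() {
    _save_ifs=$IFS
    IFS=:
    for _entry in $1; do
        if [ "$_entry" = "$2" ]; then
            IFS=$_save_ifs
            return 0
        fi
    done
    IFS=$_save_ifs
    return 1
}

# first_existing LIST: print the first entry of LIST that is an executable file
first_existing() {
    _save_ifs=$IFS
    IFS=:
    for _entry in $1; do
        if [ -x "$_entry" ]; then
            IFS=$_save_ifs
            printf '%s\n' "$_entry"
            return 0
        fi
    done
    IFS=$_save_ifs
    return 1
}

# choose_editor EDITORS ENV_EDITOR VISUAL EDITOR
# Prints the editor command visudo would run. With ENV_EDITOR=1 any VISUAL or
# EDITOR value is accepted (the hole the text warns about); with ENV_EDITOR=0
# the environment only wins when its command word is one of EDITORS.
choose_editor() {
    _editors=$1
    _env_editor=$2
    for _candidate in "$3" "$4"; do
        [ -n "$_candidate" ] || continue
        if [ "$_env_editor" = 1 ] || in_list "$_editors" "$(first_word "$_candidate")"; then
            printf '%s\n' "$_candidate"
            return 0
        fi
    done
    first_existing "$_editors"
}
```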
                    573: 
                    574:   --with-askpass=PATH
                    575:         Set PATH as the "askpass" program to use when no tty is
                    576:         available.  Typically, this is a graphical password prompter,
                    577:         similar to the one used by ssh.  The program must take a
                    578:         prompt as an argument and print the received password to
                    579:         the standard output.
                    580: 
                    581:   --with-iologdir[=DIR]
                    582:         By default, sudo stores I/O log files in either /var/log/sudo-io,
                    583:         /var/adm/sudo-io, or /usr/log/sudo-io.  If this option is
                    584:         specified, I/O logs will be stored in the indicated directory
                    585:         instead.
                    586: 
                    587:   --disable-authentication
                    588:        By default, sudo requires the user to authenticate via a
                    589:        password or similar means.  This option causes sudo to
                    590:        *not* require authentication.  It is possible to turn
                    591:        authentication back on in sudoers via the PASSWD attribute.
                    592: 
                    593:   --disable-root-sudo
                    594:        Don't let root run sudo.  This can be used to prevent people from
                    595:        "chaining" sudo commands to get a root shell by doing something
                    596:        like "sudo sudo /bin/sh".
                    597: 
                    598:   --enable-gss-krb5-ccache-name
                    599:         Use the gss_krb5_ccache_name() function to set the Kerberos
                    600:         V credential cache file name.  By default, sudo will use
                    601:         the KRB5CCNAME environment variable to set this.  While
                    602:         gss_krb5_ccache_name() provides a better API to do this it
                    603:         is not supported by all Kerberos V and SASL combinations.
                    604: 
                    605:   --enable-log-host
                    606:        Log the hostname in the log file.
                    607: 
                    608:   --enable-noargs-shell
                    609:        If sudo is invoked with no arguments it acts as if the "-s" flag had
                    610:        been given.  That is, it runs a shell as root (the shell is determined
                    611:        by the SHELL environment variable, falling back on the shell listed
                    612:        in the invoking user's /etc/passwd entry).
                    613: 
                    614:   --enable-shell-sets-home
                    615:        If sudo is invoked with the "-s" flag the HOME environment variable
                    616:        will be set to the home directory of the target user (which is root
                    617:        unless the "-u" option is used).  This option effectively makes the
                    618:        "-s" flag imply "-H".
                    619: 
                    620:   --disable-path-info
                    621:        Normally, sudo will tell the user when a command could not be found
                    622:        in their $PATH.  Some sites may wish to disable this as it could
                    623:        be used to gather information on the location of executables that
                    624:        the normal user does not have access to.  The disadvantage is that
                    625:        if the executable is simply not in the user's path, sudo will tell
                    626:        the user that they are not allowed to run it, which can be confusing.
                    627: 
                    628:   --enable-zlib[=location]
                    629:        Enable the use of the zlib compression library when storing
                    630:        I/O log files.  If specified, location is the base directory
                    631:        containing the zlib include and lib directories.  The special
                    632:        values "system" and "builtin" can be used to indicate that
                    633:        the system version of zlib should be used or that the version
                    634:        of zlib shipped with sudo should be used instead.
                    635:        If this option is not specified, configure will use the
                    636:        system zlib if it is present.
                    637: 
                    638:   --disable-zlib
                    639:         Disable the use of the zlib compression library when storing
                    640:         I/O log files.
                    641: 
                    642:   --enable-warnings
                    643:        Enable compiler warnings when building sudo with gcc.
                    644: 
                    645:   --enable-werror
                    646:        Enable the -Werror compiler option when building sudo with gcc.
                    647: 
1.1.1.3 ! misho     648:   --disable-hardening
        !           649:        Disable the use of compiler/linker exploit mitigation options
        !           650:        which are enabled by default.  This includes compiling with
        !           651:        _FORTIFY_SOURCE defined to 2, building with -fstack-protector
        !           652:        and linking with -zrelro, where supported.
        !           653: 
        !           654:   --disable-pie
        !           655:        Disable the creation of position independent executables (PIE)
        !           656:        even when the compiler and linker support them.
        !           657:        By default, sudo will be built as a PIE where possible.
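
As an added example (not part of sudo), the following script checks a built binary for the mitigations listed under --disable-hardening and --disable-pie, so you can confirm that a toolchain lacking support did not silently drop them; it assumes GNU binutils (readelf, nm) and the GNU/ELF symbol names shown in the comments.

```shell
# Added example, not part of sudo: verify on a built binary that the
# mitigations named above (_FORTIFY_SOURCE, -fstack-protector, -zrelro, PIE)
# actually took effect. Assumes GNU binutils. Each predicate reads tool output
# from stdin so it can be exercised on captured text; check_binary drives the
# tools against a real file.

# readelf -lW: a GNU_RELRO program header means -zrelro was honoured
has_relro() { grep -q 'GNU_RELRO'; }

# readelf -hW: a PIE is an ET_DYN object (readelf prints "Type: DYN")
is_pie() { grep -Eq 'Type:[[:space:]]*DYN'; }

# nm -D: -fstack-protector adds an undefined reference to __stack_chk_fail
has_stack_protector() { grep -q '__stack_chk_fail'; }

# nm -D: _FORTIFY_SOURCE=2 replaces calls with *_chk variants such as
# __memcpy_chk. Requiring _chk to end the symbol (optionally followed by a
# @version suffix) keeps __stack_chk_fail from counting as fortification.
has_fortify() { grep -Eq '__[a-z_]+_chk(@|[[:space:]]|$)'; }

# report NAME yes|no: print one row and clear the all-ok flag on "no"
report() {
    printf '%-16s %s\n' "$1" "$2"
    [ "$2" = yes ] || ALL_OK=0
}

# check_binary PATH: one row per mitigation; return 0 only if all are present
check_binary() {
    ALL_OK=1
    if readelf -lW "$1" 2>/dev/null | has_relro; then report relro yes; else report relro no; fi
    if readelf -hW "$1" 2>/dev/null | is_pie; then report pie yes; else report pie no; fi
    if nm -D "$1" 2>/dev/null | has_stack_protector; then report stack-protector yes
    else report stack-protector no; fi
    if nm -D "$1" 2>/dev/null | has_fortify; then report fortify yes; else report fortify no; fi
    [ "$ALL_OK" = 1 ]
}

# usage (script name is hypothetical): sh check-hardening.sh /usr/local/bin/sudo
if [ -n "${1-}" ]; then
    check_binary "$1"
fi
```

A "no" for fortify can also mean the compiler found no call whose buffer size it could prove, and nm -D shows nothing for a statically linked binary, so treat that row as a hint rather than proof.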
        !           658: 
1.1       misho     659:   --enable-admin-flag
                    660:        Enable the creation of an Ubuntu-style admin flag file
                    661:        the first time sudo is run.
                    662: 
                    663:   --disable-env-reset
                    664:         Disable environment resetting.  This sets the default value
                    665:         of the "env_reset" Defaults option in sudoers to false.
                    666: 
                    667:   --enable-nls[=location]
                    668:         Enable natural language support using the gettext() family
                    669:         of functions.  If specified, location is the base directory
                    670:         containing the libintl include and lib directories.  If
                    671:         this option is not specified, configure will look for the
                    672:         gettext() family of functions in the standard C library
                    673:         first, then check for a standalone libintl (linking with
                    674:         libiconv as needed).
                    675: 
                    676:   --disable-nls
                    677:         Disable natural language support.  By default, sudo will
                    678:         use the gettext() family of functions, if available, to
                    679:         implement messages in the invoking user's native language.
                    680:         Note that translations do not exist for all languages.
                    681: 
                    682: Shadow password and C2 support
                    683: ==============================
                    684: 
                    685: Shadow passwords (also included with most C2 security packages) are
                    686: supported on most major platforms for which they exist.  The
                    687: `configure' script will attempt to determine if your system can use
                    688: shadow passwords and include support for them if so.  Shadow password
                    689: support is now compiled in by default (it doesn't hurt anything if you
                    690: don't have them configured).  To disable the shadow password support,
                    691: use the --disable-shadow option to configure.
                    692: 
                    693: Shadow passwords are known to work on the following platforms:
                    694: 
                    695:     SunOS 4.x
                    696:     Solaris 2.x
                    697:     HP-UX >= 9.x
                    698:     Ultrix 4.x
                    699:     Digital UNIX
                    700:     IRIX >= 5.x
                    701:     AIX >= 3.2.x
                    702:     Linux
                    703:     SCO >= 3.2.2
                    704:     Pyramid DC/OSx
                    705:     UnixWare
                    706:     SVR4 (and variants using standard SVR4 shadow passwords)
                    707:     4.4BSD based systems (including OpenBSD, NetBSD, FreeBSD, and Mac OS X)
                    708:     Systems using SecureWare's C2 security.
                    709: 
                    710: OS dependent notes
                    711: ==================
                    712: 
                    713: Linux:
                    714:     PAM and LDAP headers are not installed by default on most Linux
                    715:     systems.  You will need to install the "pam-dev" package if
                    716:     /usr/include/security/pam_appl.h is not present on your system.
                    717:     If you wish to build with LDAP support you will also need the
                    718:     openldap-devel package.
                    719: 
                    720:     Versions of glibc 2.x previous to 2.0.7 have a broken lsearch().
                    721:     You will need to either upgrade to glibc-2.0.7 or use sudo's
                    722:     version of lsearch().  To use sudo's lsearch(), comment out
                    723:     the "#define HAVE_LSEARCH 1" line in config.h and add lsearch.o
                    724:     to the LIBOBJS line in the Makefile.
                    725: 
                    726:     If you are using a Linux kernel older than 2.4 it is not possible
                    727:     to access the sudoers file via NFS.  This is due to a bug in
                    728:     the Linux client-side NFS implementation that has since been
                    729:     fixed.  There is a workaround on the sudo ftp site, linux_nfs.patch,
                    730:     if you need to NFS-mount sudoers on older Linux kernels.
                    731: 
                    732: Solaris 2.x:
                    733:     You need to have a C compiler in order to build sudo.  Since
                    734:     Solaris 2.x does not come with one by default this means that
                    735:     you either need to install the Sun Studio compiler suite,
                    736:     available for free from www.sun.com, or have a copy of the GNU
                    737:     C compiler (gcc) which is distributed on the Solaris Companion
                    738:     CD.  You can also get them from various places on the net,
                    739:     including http://www.sunfreeware.com/
                    740:     NOTE: sudo will *not* build with the sun C compiler in BSD
                    741:           compatibility mode (/usr/ucb/cc).  Sudo is designed to
                    742:           compile with the standard C compiler (or gcc) and will
                    743:           not build correctly with /usr/ucb/cc.  You can set the
                    744:           CC environment variable to the non-ucb compiler when
                    745:           running `configure' if it is not the first cc in your
                    746:           path.  Some sites link /usr/ucb/cc to gcc; configure will
                    747:           not notice this and still refuse to use /usr/ucb/cc, so
                    748:           make sure gcc is also in your path if your site is set up
                    749:           this way.
                    750:     Also: Older versions of Solaris come with a broken syslogd.
                    751:          If you are having problems with sudo logging you should
                    752:          make sure you have the latest syslogd patch installed.
                    753:          This is a problem for Solaris 2.4 and 2.5 at least.
                    754: 
                    755: Mac OS X:
                    756:     The pseudo-tty support in the Mac OS X kernel has bugs related
                    757:     to its handling of the SIGTSTP, SIGTTIN and SIGTTOU signals.
                    758:     It does not restart reads and writes when those signals are
                    759:     delivered.  This may cause problems for some commands when I/O
                    760:     logging is enabled.  The issue has been reported to Apple and
                    761:     is bug id #7952709.
                    762: 
                    763: HP-UX:
                    764:     The default C compiler shipped with HP-UX is not an ANSI compiler.
                    765:     You must use either the HP ANSI C compiler or gcc to build sudo.
                    766:     Binary packages of gcc are available from http://hpux.connect.org.uk/.
                    767: 
                    768:     To prevent PAM from overriding the value of umask on HP-UX 11,
                    769:     you will need to add a line like the following to /etc/pam.conf:
                    770: 
                    771:     sudo       session required        libpam_hpsec.so.1 bypass_umask
                    772: 
1.1.1.2   misho     773:     If every command run via sudo displays information about the last
                    774:     successful login and the last authentication failure you should
                    775:     use an /etc/pam.conf line like:
                    776: 
                    777:     sudo       session required        libpam_hpsec.so.1 bypass_umask bypass_last_login
                    778: 
1.1       misho     779: Digital UNIX:
                    780:     By default, sudo will use SIA (Security Integration Architecture)
                    781:     to validate a user.  If you want to use an alternative authentication
                    782:     method that does not go through SIA, you need to use the
                    783:     --disable-sia option to configure.  If you use gcc to compile
                    784:     you will get warnings when building interfaces.c.  These are
                    785:     harmless but if they really bug you, you can edit
                    786:     /usr/include/net/if.h around line 123, right after the comment:
                    787:        /* forward decls for C++ */
                    788:     change the line:
                    789:        #ifdef __cplusplus
                    790:     to:
                    791:        #if defined(__cplusplus) || defined(__GNUC__)
                    792:     If you don't like the idea of editing the system header file
                    793:     you can just make a copy in gcc's private include tree and
                    794:     edit that.
                    795: 
                    796: AIX 3.2.x:
                    797:     I've had various problems with the AIX C compiler producing
                    798:     incorrect code when the -O flag was used.  When optimization
                    799:     is not used, the problems go away.  Gcc does not appear
                    800:     to have this problem.
                    801: 
                    802: SCO ODT:
                    803:     You'll probably need libcrypt_i.a available via anonymous ftp
                    804:     from sosco.sco.com.  The necessary files are /SLS/lng225b.Z
                    805:     and /SLS/lng225b.ltr.Z.
                    806: 
                    807: SunOS 4.x:
                    808:     SunOS does not ship with an ANSI C compiler.  You will need to
                    809:     install an ANSI compiler such as gcc to build sudo.
                    810: 
                    811:     The /bin/sh shipped with SunOS blows up while running configure.
                    812:     You can work around this by installing bash or zsh.  If you
                    813:     have bash or zsh in your path, configure will use it instead
                    814:     automatically.
                    815: 
                    816: ULTRIX 4.x:
                    817:     ULTRIX does not ship with an ANSI C compiler.  You will need to
                    818:     install an ANSI compiler such as gcc to build sudo.
                    819: 
                    820:     The /bin/sh shipped with ULTRIX blows up while running configure.
                    821:     You can work around this by installing bash or zsh.  If you
                    822:     have bash or zsh in your path, configure will use it instead
                    823:     automatically.
                    824: 
                    825:     ULTRIX ships with the 4.2BSD syslog(3) which does not
                    826:     allow things like logging different facilities to different
                    827:     files, redirecting logs to a single loghost and other niceties.
                    828:     You may want to just grab and install:
                    829:        ftp://www.sudo.ws/pub/sudo/misc/jtkohl-syslog-complete.tar.gz
                    830:     (available via anonymous ftp) which is a port of the 4.3BSD
                    831:     syslog/syslogd that is backwards compatible with the Ultrix version.
                    832:     I recommend it highly.  If you do not do this you probably want
                    833:     to run configure with --with-logging=file
