Annotation of embedaddon/sudo/INSTALL, revision 1.1.1.4
Sudo installation instructions
==============================

Sudo uses a `configure' script to probe the capabilities and type
of the system in question. In this release, `configure' takes many
more options than it did before. Please read this document fully
before configuring and building sudo. You may also wish to read the
file INSTALL.configure which explains more about the `configure' script.

System requirements
===================

To build sudo from the source distribution you need a POSIX-compliant
operating system (any modern version of BSD, Linux or Unix should work),
an ANSI/ISO C compiler that supports the "long long" type, variadic
macros (a C99 feature) as well as the ar, make and ranlib utilities.

If you wish to modify the parser then you will need flex version
2.5.2 or later and either bison or byacc (sudo comes with a
pre-generated parser). You'll also have to run configure with the
--with-devel option or pass DEVEL=1 to make. You can get flex from
http://flex.sourceforge.net/. You can get GNU bison from
ftp://ftp.gnu.org/pub/gnu/bison/ or any GNU mirror.

Simple sudo installation
========================

For most systems and configurations it is possible simply to:

0) If you are upgrading from a previous version of sudo
   please read the info in the UPGRADE file before proceeding.

1) Read the `OS dependent notes' section for any particular
   "gotchas" relating to your operating system.

2) `cd' to the source or build directory and type `./configure'
   to generate a Makefile and config.h file suitable for building
   sudo. Before you actually run configure you should read the
   `Available configure options' section to see if there are
   any special options you may want or need.

3) Type `make' to compile sudo. If you are building sudo
   in a separate build tree (apart from the sudo source) GNU
   make will probably be required. If `configure' did its job
   properly (and you have a supported configuration) there won't
   be any problems. If this doesn't work, take a look at the
   doc/TROUBLESHOOTING file for tips on what might have gone
   wrong. Please mail us if you have a fix or if you are unable
   to come up with a fix (address at EOF).

4) Type `make install' (as root) to install sudo, visudo, the
   man pages, and a skeleton sudoers file. Note that the install
   will not overwrite an existing sudoers file. You can also
   install various pieces of the package via the install-binaries,
   install-doc, and install-sudoers make targets.

5) Edit the sudoers file with `visudo' as necessary for your
   site. You will probably want to refer to the sample.sudoers
   file and sudoers man page included with the sudo package.

6) If you want to use syslogd(8) to do the logging, you'll need
   to update your /etc/syslog.conf file. See the sample.syslog.conf
   file included in the distribution for an example.

Available configure options
===========================

This section describes flags accepted by sudo's `configure' script.
Defaults are listed in brackets after the description.

Configuration:
  --cache-file=FILE
      Cache test results in FILE

  --config-cache, -C
      Alias for `--cache-file=config.cache'

  --help, -h
      Print the usage/help info

  --no-create, -n
      Do not create output files

  --quiet, --silent, -q
      Do not print `checking...' messages

  --srcdir=DIR
      Find the sources in DIR [configure dir or `..']

Directory and file names:
  --prefix=PREFIX
      Install architecture-independent files in PREFIX. [/usr/local]

  --exec-prefix=EPREFIX
      Install architecture-dependent files in EPREFIX.
      This includes the executables and plugins. [same as PREFIX]

  --bindir=DIR
      Install `sudo', `sudoedit' and `sudoreplay' in DIR. [EPREFIX/bin]

  --sbindir=DIR
      Install `visudo' in DIR. [EPREFIX/sbin]

  --libexecdir=DIR
      Install plugins and helper programs in DIR/sudo [PREFIX/libexec/sudo]

  --sysconfdir=DIR
      Look for `sudo.conf' and `sudoers' files in DIR. [/etc]

  --includedir=DIR
      Install sudo_plugin.h include file in DIR [PREFIX/include]

  --datarootdir=DIR
      Root directory for platform-independent data files [PREFIX/share]

  --localedir=DIR
      Install sudo and sudoers locale files in DIR [DATAROOTDIR/locale]

  --mandir=DIR
      Install man pages in DIR [PREFIX/man]

  --docdir=DIR
      Install other sudo documentation in DIR [DATAROOTDIR/doc/sudo]

  --with-plugindir=PATH
      Set the directory that sudo looks in to find the policy and I/O
      logging plugins. Defaults to LIBEXEC/sudo.

  --with-timedir=PATH
      Use PATH to store the sudo time stamp files. By default,
      the first existing directory in the following list is used:
      /var/db, /var/lib, /var/adm, /usr/adm.

Compilation options:
  --disable-hardening
      Disable the use of compiler/linker exploit mitigation options
      which are enabled by default. This includes compiling with
      _FORTIFY_SOURCE defined to 2, building with -fstack-protector
      and linking with -zrelro, where supported.

  --enable-pie
      Build sudo and related programs as position independent
      executables (PIE). This improves the effectiveness of address
      space layout randomization (ASLR) on systems that support it.
      Sudo will create PIE binaries by default on Linux systems.

  --disable-pie
      Disable the creation of position independent executables (PIE),
      even if the compiler creates PIE binaries by default. This
      option may be needed on some Linux systems where PIE binaries
      are not fully supported.

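The three options above describe what the compiler and linker are asked to do, not what actually ended up in the installed binary. The following is an added example (not code from the sudo distribution) that reads an ELF64 image and reports whether it carries those mitigations: PIE (an executable linked as ET_DYN), RELRO (a PT_GNU_RELRO segment, counted as "full" when the dynamic section also requests BIND_NOW), and, by scanning the string tables, -fstack-protector (a reference to __stack_chk_fail) and _FORTIFY_SOURCE (the *_chk replacement functions). The ELF constants are from the ELF specification; build_sample_elf() produces constructed test images with only the headers the checks need, and the two string-table checks are heuristics rather than proof.

```python
"""Report build-time hardening present in an ELF64 binary.

Added example, not part of the sudo distribution.  build_sample_elf()
constructs in-memory test images; they are not runnable programs.
"""
import re
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS = 0, 24, 30
DF_BIND_NOW = 0x8
# _FORTIFY_SOURCE=2 redirects calls to checked variants such as __memcpy_chk.
FORTIFY_RE = re.compile(rb"__[a-z0-9_]+_chk\x00")


def check_elf64_hardening(data: bytes) -> dict:
    """Return which mitigations the ELF64 image carries."""
    if data[:4] != ELF_MAGIC or data[4] != 2:          # EI_CLASS 2 = 64-bit
        raise ValueError("not an ELF64 image")
    end = "<" if data[5] == 1 else ">"                 # EI_DATA 1 = little-endian
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)

    relro = bind_now = False
    for i in range(e_phnum):
        p_type, _flags, p_offset, _vaddr, _paddr, p_filesz = struct.unpack_from(
            end + "IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            # BIND_NOW makes the loader resolve every symbol before main()
            # runs, so the GOT can live inside the read-only RELRO region.
            for pos in range(p_offset, p_offset + p_filesz, 16):
                d_tag, d_val = struct.unpack_from(end + "qQ", data, pos)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW):
                    bind_now = True

    return {
        "pie": e_type == ET_DYN,          # PIE executables are linked as ET_DYN
        "relro": relro,
        "full_relro": relro and bind_now,
        # String-table heuristics: -fstack-protector references __stack_chk_fail.
        "stack_protector": b"__stack_chk_fail\x00" in data,
        "fortify": FORTIFY_RE.search(data) is not None,
    }


def build_sample_elf(pie: bool, relro: bool, bind_now: bool, hardened_libc: bool) -> bytes:
    """Construct a minimal little-endian ELF64 image (constructed test data)."""
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b""
    dyn += struct.pack("<qQ", DT_NULL, 0)
    n_ph = 2 if relro else 1
    dyn_off = 64 + 56 * n_ph                          # ELF header, phdrs, then .dynamic
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
    strtab = (b"\x00__stack_chk_fail\x00__memcpy_chk\x00" if hardened_libc
              else b"\x00puts\x00")
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8   # 64-bit, LE, ELF version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               ET_DYN if pie else ET_EXEC, 62, 1, 0,  # type, x86-64, version, entry
                               64, 0, 0,                              # phoff, shoff, flags
                               64, 56, n_ph, 0, 0, 0)                # ehsize, phentsize, phnum, sh*
    return ehdr + phdrs + dyn + strtab


def report(path: str) -> dict:
    """Check an on-disk binary, e.g. the installed sudo executable."""
    with open(path, "rb") as f:
        return check_elf64_hardening(f.read())


if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(p, " ".join(f"{k}={'yes' if v else 'no'}" for k, v in report(p).items()))
```

Point it at the installed sudo executable (wherever --bindir put it) after `make install` to confirm the build came out hardened. A shared object such as a plugin is always ET_DYN, so the pie field is only meaningful for executables.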
  --disable-rpath
      By default, configure will use -Rpath in addition to -Lpath
      when passing library paths to the loader. This option will
      disable the use of -Rpath.

  --disable-shared
      Disable dynamic shared object support. By default, sudo
      is built with a plugin API capable of loading arbitrary
      policy and I/O logging plugins. If the --disable-shared
      option is specified, this support is disabled and the default
      sudoers policy and I/O plugins are embedded in the sudo
      binary itself. This will also disable the noexec option
      as it too relies on dynamic shared object support.

  --enable-zlib[=location]
      Enable the use of the zlib compress library when storing
      I/O log files. If specified, location is the base directory
      containing the zlib include and lib directories. The special
      values "system" and "builtin" can be used to indicate that
      the system version of zlib should be used or that the version
      of zlib shipped with sudo should be used instead.
      If this option is not specified, configure will use the
      system zlib if it is present.

  --with-incpath=DIR
      Adds the specified directory (or directories) to CPPFLAGS
      so configure and the compiler will look there for include
      files. Multiple directories may be specified as long as
      they are space separated.
      E.g. --with-incpath="/usr/local/include /opt/include"

  --with-libpath=DIR
      Adds the specified directory (or directories) to LDFLAGS
      so configure and the compiler will look there for libraries.
      Multiple directories may be specified as with --with-incpath.

  --with-libraries=LIBRARY
      Adds the specified library (or libraries) to SUDO_LIBS and
      VISUDO_LIBS so sudo will link against them. If the
      library doesn't start with `-l' or end in `.a' or `.o' a
      `-l' will be prepended to it. Multiple libraries may be
      specified as long as they are space separated.

  --with-libtool=PATH
      By default, sudo will use the included version of libtool
      to build shared libraries. The --with-libtool option can
      be used to specify a different version of libtool to use.
      The special values "system" and "builtin" can be used in
      place of a path to denote the default system libtool (obtained
      via the user's PATH) and the default libtool that comes
      with sudo.

Optional features:
  --disable-root-mailer
      By default sudo will run the mailer as root when tattling
      on a user so as to prevent that user from killing the mailer.
      With this option, sudo will run the mailer as the invoking
      user, which some people consider to be safer.

  --enable-nls[=location]
      Enable natural language support using the gettext() family
      of functions. If specified, location is the base directory
      containing the libintl include and lib directories. If
      this option is not specified, configure will look for the
      gettext() family of functions in the standard C library
      first, then check for a standalone libintl (linking with
      libiconv as needed).

  --disable-nls
      Disable natural language support. By default, sudo will
      use the gettext() family of functions, if available, to
      implement messages in the invoking user's native language.
      Note that translations do not exist for all languages.

  --with-ldap[=DIR]
      Enable LDAP support. If specified, DIR is the base directory
      containing the LDAP include and lib directories. Please see
      README.LDAP for more information.

  --with-ldap-conf-file=PATH
      Path to LDAP configuration file. If specified, sudo reads
      this file instead of /etc/ldap.conf to locate the LDAP server.

  --with-ldap-secret-file=PATH
      Path to LDAP secret password file. If specified, sudo uses
      this file instead of /etc/ldap.secret to read the secret password
      when rootbinddn is specified in the ldap config file.

  --with-logincap
      This adds support for login classes specified in /etc/login.conf.
      It is enabled by default on BSD/OS, Darwin, FreeBSD, OpenBSD and
      NetBSD (where available). By default, a login class is not applied
      unless the 'use_loginclass' option is defined in sudoers or the user
      specifies a class on the command line.

  --with-interfaces=no, --without-interfaces
      This option keeps sudo from trying to glean the IP address
      from each attached Ethernet interface. It is only useful
      on a machine where sudo's interface reading support does
      not work, which may be the case on some SysV-based OSes
      using STREAMS.

  --with-noexec[=PATH]
      Enable support for the "noexec" functionality which prevents
      a dynamically-linked program being run by sudo from executing
      another program (think shell escapes). Please see the
      "PREVENTING SHELL ESCAPES" section in the sudoers man page
      for details. If specified, PATH should be a fully qualified
      path name, e.g. /usr/local/libexec/sudo_noexec.so. If PATH
      is "no", noexec support will not be compiled in. The default
      is to compile noexec support if libtool supports building
      shared objects on your OS.

  --with-selinux
      Enable support for role based access control (RBAC) on
      systems that support SELinux.

  --with-sssd
      Enable support for using the System Security Services Daemon
      (SSSD) as a sudoers data source. For more information on
      SSSD, see http://fedorahosted.org/sssd/

  --with-sssd-lib=PATH
      Specify the path to the SSSD shared library, which is loaded
      at run-time.

Operating system-specific options:
  --disable-setreuid
      Disable use of the setreuid() function for operating systems
      where it is broken. For instance, 4.4BSD has setreuid()
      that is not fully functional.

  --disable-setresuid
      Disable use of the setresuid() function for operating systems
      where it is broken (none currently known).

  --enable-admin-flag
      Enable the creation of an Ubuntu-style admin flag file
      the first time sudo is run.

  --with-bsm-audit
      Enable support for sudo BSM audit logs on systems that support it.
      This includes recent versions of FreeBSD, Mac OS X and Solaris.

  --with-linux-audit
      Enable audit support for Linux systems. Audits attempts
      to run a command as well as SELinux role changes.

  --with-man
      Use the "man" macros for manual pages. By default, mdoc versions
      of the manuals are installed if supported. This can be used to
      override configure's test for "nroff -mdoc" support.

  --with-mdoc
      Use the "mdoc" macros for manual pages. By default, mdoc versions
      of the manuals are installed if supported. This can be used to
      override configure's test for "nroff -mdoc" support.

  --with-netsvc[=PATH]
      Path to netsvc.conf or "no" to disable netsvc.conf support.
      If specified, sudo uses this file instead of /etc/netsvc.conf
      on AIX systems. If netsvc support is disabled but LDAP is
      enabled, sudo will check LDAP first, then the sudoers file.

  --with-nsswitch[=PATH]
      Path to nsswitch.conf or "no" to disable nsswitch support.
      If specified, sudo uses this file instead of /etc/nsswitch.conf.
      If nsswitch support is disabled but LDAP is enabled, sudo will
      check LDAP first, then the sudoers file.

  --with-project
      Enable support for Solaris project resource limits.
      This option is only available on Solaris 9 and above.

Authentication options:
  --with-AFS
      Enable AFS support with Kerberos authentication. Should work under
      AFS 3.3. If your AFS doesn't have -laudit you should be able to
      link without it.

  --with-aixauth
      Enable support for the AIX 4.x general authentication function.
      This will use the authentication scheme specified for the user
      on the machine. It is on by default for AIX systems that
      support it.

  --with-bsdauth
      Enable support for BSD authentication. This is the default
      for BSD/OS and OpenBSD systems that support it.
      It is not possible to mix BSD authentication with other
      authentication methods (and there really should be no need
      to do so). Note that only the newer BSD authentication API
      is supported. If you don't have /usr/include/bsd_auth.h
      then you cannot use this.

  --with-DCE
      Enable DCE support for systems without PAM. Known to work on
      HP-UX 9.X, 10.X, and 11.0; other systems may require source
      code and/or `configure' changes. On systems with PAM support
      (such as HP-UX 11.0 and higher, Solaris, FreeBSD and Linux), the
      DCE PAM module (usually libpam_dce) should be used instead.

  --with-fwtk[=DIR]
      Enable TIS Firewall Toolkit (FWTK) 'authsrv' support. If specified,
      DIR is the base directory containing the compiled FWTK package
      (or at least the library and header files).

  --with-kerb5[=DIR]
      Enable Kerberos V support. If specified, DIR is the base
      directory containing the Kerberos V include and lib dirs.
      This uses Kerberos pass phrases for authentication but
      does not use the Kerberos cookie scheme. Will not work for
      Kerberos V older than version 1.1.

  --enable-kerb5-instance=string
      By default, the user name is used as the principal name
      when authenticating via Kerberos V. If this option is
      enabled, the specified instance string will be appended to
      the user name (separated by a slash) when creating the
      principal name.

  --with-opie[=DIR]
      Enable NRL OPIE OTP (One Time Password) support. If specified,
      DIR should contain include and lib directories with opie.h
      and libopie.a respectively.

  --with-otp-only
      This option is now just an alias for --without-passwd.

  --with-pam
      Enable PAM support. This is on by default for Darwin, FreeBSD,
      Linux, Solaris and HP-UX (version 11 and higher).

      NOTE: on RedHat Linux and Fedora you *must* have an /etc/pam.d/sudo
      file installed. You may either use the sample.pam file included with
      sudo or use /etc/pam.d/su as a reference. The sample.pam file
      included with sudo may or may not work with other Linux distributions.
      On Solaris and HP-UX 11 systems you should check (and understand)
      the contents of /etc/pam.conf. Do a "man pam.conf" for more
      information and consider using the "debug" option, if available,
      with your PAM libraries in /etc/pam.conf to obtain syslog output
      for debugging purposes.

  --with-pam-login
      Enable a specific PAM session when sudo is given the -i option.
      This changes the PAM service name when sudo is run with the -i
      option from "sudo" to "sudo-i", allowing for a separate pam
      configuration for sudo's initial login mode.

  --disable-pam-session
      Disable sudo's PAM session support. This may be needed on
      older PAM implementations or on operating systems where
      opening a PAM session changes the utmp or wtmp files. If
      PAM session support is disabled, resource limits may not
      be updated for the command being run.

  --with-passwd=no, --without-passwd
      This option excludes authentication via the passwd (or
      shadow) file. It should only be used when another, alternative,
      authentication scheme is in use.

  --with-SecurID[=DIR]
      Enable SecurID support. If specified, DIR is the directory containing
      libaceclnt.a, acexport.h, and sdacmvls.h.

  --with-skey[=DIR]
      Enable S/Key OTP (One Time Password) support. If specified,
      DIR should contain include and lib directories with skey.h
      and libskey.a respectively.

  --disable-sia
      Disable SIA support. This is the "Security Integration
      Architecture" on Digital UNIX. If you disable SIA sudo will
      use its own authentication routines.

  --disable-shadow
      Disable shadow password support. Normally, sudo will compile
      in shadow password support and use a shadow password if it
      exists.

  --enable-gss-krb5-ccache-name
      Use the gss_krb5_ccache_name() function to set the Kerberos
      V credential cache file name. By default, sudo will use
      the KRB5CCNAME environment variable to set this. While
      gss_krb5_ccache_name() provides a better API to do this it
      is not supported by all Kerberos V and SASL combinations.

Development options:
  --enable-env-debug
      Enable debugging of the environment setting functions. This
      enables extra checks to make sure the environment does not
      become corrupted.

  --enable-warnings
      Enable compiler warnings when building sudo with gcc.

  --enable-werror
      Enable the -Werror compiler option when building sudo with gcc.

  --with-devel
      Configure development options. This will enable compiler warnings
      and set up the Makefile to be able to regenerate the sudoers parser
      as well as the manual pages.

  --with-efence
      Link with the "electric fence" debugging malloc.

Options that set runtime-changeable default values:
  --disable-authentication
      By default, sudo requires the user to authenticate via a
      password or similar means. This option causes sudo to
      *not* require authentication. It is possible to turn
      authentication back on in sudoers via the PASSWD attribute.
      Sudoers option: !authenticate

  --disable-env-reset
      Disable environment resetting. This sets the default value
      of the "env_reset" Defaults option in sudoers to false.
      Sudoers option: !env_reset

  --disable-path-info
      Normally, sudo will tell the user when a command could not be found
      in their $PATH. Some sites may wish to disable this as it could
      be used to gather information on the location of executables that
      the normal user does not have access to. The disadvantage is that
      if the executable is simply not in the user's path, sudo will tell
      the user that they are not allowed to run it, which can be confusing.
      Sudoers option: path_info

  --disable-root-sudo
      Don't let root run sudo. This can be used to prevent people from
      "chaining" sudo commands to get a root shell by doing something
      like "sudo sudo /bin/sh".
      Sudoers option: !root_sudo

  --disable-zlib
      Disable the use of the zlib compress library when storing
      I/O log files.
      Sudoers option: !compress_io

  --enable-log-host
      Log the hostname in the log file.
      Sudoers option: log_host

  --enable-noargs-shell
      If sudo is invoked with no arguments it acts as if the "-s" flag had
      been given. That is, it runs a shell as root (the shell is determined
      by the SHELL environment variable, falling back on the shell listed
      in the invoking user's /etc/passwd entry).
      Sudoers option: shell_noargs

  --enable-shell-sets-home
      If sudo is invoked with the "-s" flag the HOME environment variable
      will be set to the home directory of the target user (which is root
      unless the "-u" option is used). This option effectively makes the
      "-s" flag imply "-H".
      Sudoers option: set_home

  --with-all-insults
      Include all the insult sets listed below. You must either specify
      --with-insults or enable insults in the sudoers file for this to
      have any effect.

  --with-askpass=PATH
      Set PATH as the "askpass" program to use when no tty is
      available. Typically, this is a graphical password prompter,
      similar to the one used by ssh. The program must take a
      prompt as an argument and print the received password to
      the standard output. This value may be overridden at run-time
      in the sudo.conf file.

  --with-badpass-message="BAD PASSWORD MESSAGE"
      Message that is displayed if a user enters an incorrect password.
      The default is "Sorry, try again." unless insults are turned on.
      Sudoers option: badpass_message

  --with-badpri=PRIORITY
      Determines which syslog priority to log unauthenticated
      commands and errors. The following priorities are supported:
      alert, crit, debug, emerg, err, info, notice, and warning.
      Sudoers option: syslog_badpri

  --with-classic-insults
      Uses insults from sudo "classic." If you just specify --with-insults
      you will get the classic and CSOps insults. This is on by default if
      --with-insults is given.

  --with-csops-insults
      Insults the user with an extra set of insults (some quotes, some
      original) from a sysadmin group at CU (CSOps). You must specify
      --with-insults as well for this to have any effect. This is on by
      default if --with-insults is given.

  --with-editor=PATH
      Specify the default editor path for use by visudo. This may be a
      single path name or a colon-separated list of editors. In the latter
      case, visudo will choose the editor that matches the user's VISUAL
      or EDITOR environment variables or the first editor in the list that
      exists. The default is the path to vi on your system.
      Sudoers option: editor

  --with-env-editor
      Makes visudo consult the VISUAL and EDITOR environment variables before
      falling back on the default editor list (as specified by --with-editor).
      Note that this may create a security hole as it allows the user to
      run any arbitrary command as root without logging. A safer alternative
      is to use a colon-separated list of editors with the --with-editor
      option. visudo will then only use the VISUAL or EDITOR variables
      if they match a value specified via --with-editor.
      Sudoers option: env_editor

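The two options above describe an editor-selection rule whose security consequence is easy to miss in prose. As an added example (my own model of the rule, not visudo's source), the function below takes the colon-separated --with-editor list, the caller's environment and the env_editor setting, and returns the argv visudo would run. With env_editor off, VISUAL/EDITOR may only pick an entry from the configured list (matched here on full path or basename, a simplification I chose); with it on, whatever the environment names is run as root. The file-system lookup is a constructed stand-in so the example runs offline.

```python
"""Model of visudo's editor selection under --with-editor / --with-env-editor.

Added example, not visudo's own code.  SAMPLE_FS stands in for the real
file system so the logic can be exercised without touching the host.
"""
import os
import shlex
from typing import Callable, Dict, List, Optional

# Constructed file system: the only paths that "exist" in this demo.
SAMPLE_FS = {"/usr/bin/vi", "/usr/bin/vim", "/bin/sh"}


def sample_exists(path: str) -> bool:
    return path in SAMPLE_FS


def _match_in_list(name: str, candidates: List[str]) -> Optional[str]:
    """Return the configured entry that NAME refers to, by full path or basename."""
    for cand in candidates:
        if name == cand or name == os.path.basename(cand):
            return cand
    return None


def choose_editor(editor_list: str, env: Dict[str, str], env_editor: bool,
                  exists: Callable[[str], bool] = sample_exists) -> Optional[List[str]]:
    """Return the argv visudo would execute, or None if no usable editor exists.

    editor_list: the --with-editor value (single path or colon-separated list).
    env_editor:  True models --with-env-editor (sudoers env_editor on).
    """
    candidates = [e for e in editor_list.split(":") if e]

    # Environment requests, VISUAL first, then EDITOR.
    requested: List[List[str]] = []
    for var in ("VISUAL", "EDITOR"):
        value = env.get(var)
        if value:
            argv = shlex.split(value)
            if argv:
                requested.append(argv)

    for argv in requested:
        if env_editor:
            # Weak setting: the environment alone decides what runs as root,
            # so any existing program the user names is accepted.
            if exists(argv[0]):
                return argv
        else:
            # Hardened setting: the environment may only select among the
            # administrator-configured editors; anything else is ignored.
            cand = _match_in_list(argv[0], candidates)
            if cand and exists(cand):
                return [cand] + argv[1:]

    # Fall back to the first configured editor that exists.
    for cand in candidates:
        if exists(cand):
            return [cand]
    return None


if __name__ == "__main__":
    env = {"EDITOR": "/bin/sh"}                    # constructed environment
    for setting in (False, True):
        print("env_editor", setting, "->", choose_editor("/usr/bin/vi:/usr/bin/vim", env, setting))
```

The same environment yields vi under the hardened configuration and the user's shell under env_editor, which is exactly the difference the text warns about; the safe configuration is a list in --with-editor with env_editor left off.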
1.1.1.4 ! misho 564: --with-exempt=GROUP
! 565: Users in the specified group don't need to enter a password when
! 566: running sudo. This may be useful for sites that don't want their
! 567: "core" sysadmins to have to enter a password but where Jr. sysadmins
! 568: need to. You should probably use NOPASSWD in sudoers instead.
! 569: Sudoers option: exempt_group
! 570:
! 571: --with-fqdn
! 572: Define this if you want to put fully qualified host names in the sudoers
! 573: file. Ie: instead of myhost you would use myhost.mydomain.edu. You may
! 574: still use the short form if you wish (and even mix the two). Beware
! 575: that turning FQDN on requires sudo to make DNS lookups which may make
! 576: sudo unusable if your DNS is totally hosed. Also note that you must
! 577: use the host's official name as DNS knows it. That is, you may not use
! 578: a host alias (CNAME entry) due to performance issues and the fact that
! 579: there is no way to get all aliases from DNS.
! 580: Sudoers option: fqdn
! 581:
! 582: --with-goodpri=PRIORITY
! 583: Determines which syslog priority to log successfully
! 584: authenticated commands. The following priorities are
! 585: supported: alert, crit, debug, emerg, err, info, notice,
! 586: and warning.
! 587: Sudoers option: syslog_goodpri
! 588:
! 589: --with-goons-insults
! 590: Insults the user with lines from the "Goon Show" when an incorrect
! 591: password is entered. You must either specify --with-insults or
! 592: enable insults in the sudoers file for this to have any effect.
! 593:
! 594: --with-hal-insults
! 595: Uses 2001-like insults when an incorrect password is entered.
! 596: You must either specify --with-insults or enable insults in the
! 597: sudoers file for this to have any effect.
! 598:
! 599: --with-ignore-dot
! 600: If set, sudo will ignore '.' or '' (current dir) in $PATH.
! 601: The $PATH itself is not modified.
! 602: Sudoers option: ignore_dot
! 603:
! 604: --with-insults
! 605: Define this if you want to be insulted for typing an incorrect password
! 606: just like the original sudo(8). This is off by default.
! 607: Sudoers option: insults
! 608:
! 609: --with-insults=disabled
! 610: Include support for insults but disable them unless explicitly
! 611: enabled in sudoers.
! 612: Sudoers option: !insults
1.1 misho 613:
614: --with-iologdir[=DIR]
615: By default, sudo stores I/O log files in either /var/log/sudo-io,
616: /var/adm/sudo-io, or /usr/log/sudo-io. If this option is
617: specified, I/O logs will be stored in the indicated directory
618: instead.
1.1.1.4 ! misho 619: Sudoers option: iolog_dir
1.1 misho 620:
1.1.1.4 ! misho 621: --with-lecture=no, --without-lecture
! 622: Don't print the lecture the first time a user runs sudo.
! 623: Sudoers option: !lecture
1.1 misho 624:
1.1.1.4 ! misho 625: --with-logfac=FACILITY
! 626: Determines which syslog facility to log to. This requires
! 627: a 4.3BSD or later version of syslog. You can still set
! 628: this for ancient syslogs but it will have no effect. The
! 629: following facilities are supported: authpriv (if your OS
! 630: supports it), auth, daemon, user, local0, local1, local2,
! 631: local3, local4, local5, local6, and local7.
! 632: Sudoers option: syslog
1.1 misho 633:
1.1.1.4 ! misho 634: --with-logging=TYPE
! 635: How you want to do your logging. You may choose "syslog",
! 636: "file", or "both". Setting this to "syslog" is nice because
! 637: you can keep all of your sudo logs in one place (see the
! 638: sample.syslog.conf file). The default is "syslog".
! 639: Sudoers options: syslog and logfile
1.1 misho 640:
1.1.1.4 ! misho 641: --with-loglen=NUMBER
! 642: Number of characters per line for the file log. This is only used if
! 643: you are to "file" or "both". This value is used to decide when to wrap
! 644: lines for nicer log files. The default is 80. Setting this to 0
! 645: will disable the wrapping.
! 646: Sudoers options: loglinelen
1.1 misho 647:
1.1.1.4 ! misho 648: --with-logpath=PATH
! 649: Override the default location of the sudo log file and use
! 650: "path" instead. By default will use /var/log/sudo.log if
! 651: there is a /var/log dir, falling back to /var/adm/sudo.log
! 652: or /usr/adm/sudo.log if not.
! 653: Sudoers option: logfile
1.1 misho 654:
1.1.1.4 ! misho 655: --with-long-otp-prompt
! 656: When validating with a One Time Password scheme (S/Key or
! 657: OPIE), a two-line prompt is used to make it easier to cut
! 658: and paste the challenge to a local window. It's not as
! 659: pretty as the default but some people find it more convenient.
! 660: Sudoers option: long_otp_prompt
1.1 misho 661:
1.1.1.4 ! misho 662: --with-mail-if-no-user=no, --without-mail-if-no-user
! 663: Normally, sudo will mail to the "alertmail" user if the user invoking
! 664: sudo is not in the sudoers file. This option disables that behavior.
! 665: Sudoers option: mail_no_user
1.1 misho 666:
1.1.1.4 ! misho 667: --with-mail-if-no-host
! 668: Send mail to the "alermail" user if the user exists in the sudoers
! 669: file, but is not allowed to run commands on the current host.
! 670: Sudoers option: mail_no_host
1.1 misho 671:
1.1.1.4 ! misho 672: --with-mail-if-noperms
! 673: Send mail to the "alermail" user if the user is allowed to use sudo but
! 674: the command they are trying is not listed in their sudoers file entry.
! 675: Sudoers option: mail_no_perms
1.1 misho 676:
1.1.1.4 ! misho 677: --with-mailsubject="SUBJECT OF MAIL"
! 678: Subject of the mail sent to the "mailto" user. The token "%h"
! 679: will expand to the hostname of the machine.
! 680: Default is "*** SECURITY information for %h ***".
! 681: Sudoers option: mailsub
1.1 misho 682:
1.1.1.4 ! misho 683: --with-mailto=USER|MAIL_ALIAS
! 684: User (or mail alias) that mail from sudo is sent to.
! 685: This should go to a sysadmin at your site. The default is "root".
! 686: Sudoers option: mailto
1.1 misho 687:
1.1.1.4 ! misho 688: --with-passprompt="PASSWORD PROMPT"
! 689: Default prompt to use when asking for a password; can be overridden
! 690: via the -p option and the SUDO_PROMPT environment variable. Supports
! 691: the "%H", "%h", "%U" and "%u" escapes as documented in the sudo
! 692: manual page. The default value is "Password:".
! 693: Sudoers option: passprompt
1.1.1.3 misho 694:
1.1.1.4 ! misho 695: --with-password-timeout=NUMBER
! 696: Number of minutes before the sudo password prompt times out.
! 697: The default is 5; set this to 0 for no password timeout.
! 698: Sudoers option: passwd_timeout
1.1.1.3 misho 699:
1.1.1.4 ! misho 700: --with-passwd-tries=NUMBER
! 701: Number of tries a user gets to enter his/her password before sudo logs
! 702: the failure and exits. The default is 3.
! 703: Sudoers option: passwd_tries
1.1 misho 704:
1.1.1.4 ! misho 705: --with-pc-insults
! 706: Replace politically incorrect insults with less objectionable ones.
1.1 misho 707:
1.1.1.4 ! misho 708: --with-runas-default=USER
! 709: The user that commands are run as when the -u flag is not specified
! 710: on the command line. This defaults to "root".
! 711: Sudoers option: runas_default
1.1 misho 712:
1.1.1.4 ! misho 713: --with-secure-path[=PATH]
! 714: Path used for every command run from sudo(8). If you don't trust the
! 715: people running sudo to have a sane PATH environment variable you may
! 716: want to use this. Another use is if you want to have the "root path"
! 717: be separate from the "user path." You will need to customize the path
! 718: for your site. NOTE: this is not applied to users in the group
! 719: specified by --with-exemptgroup. If you do not specify a path,
! 720: "/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc" is used.
! 721: Sudoers option: secure_path
1.1 misho 722:
1.1.1.4 ! misho 723: --with-sendmail=PATH
! 724: Override configure's guess as to the location of sendmail.
! 725: Sudoers option: mailerpath
1.1 misho 726:
1.1.1.4 ! misho 727: --with-sendmail=no, --without-sendmail
! 728: Do not use sendmail to mail messages to the "mailto" user.
! 729: Use only if you don't run sendmail or the equivalent.
! 730: Sudoers options: !mailerpath or !mailto
1.1 misho 731:
1.1.1.4 ! misho 732: --with-sudoers-mode=MODE
! 733: File mode for the sudoers file (octal). Note that if you
! 734: wish to NFS-mount the sudoers file this must be group
! 735: readable. This value may be overridden at run-time in the
! 736: sudo.conf file. The default mode is 0440.
1.1 misho 737:
1.1.1.4 ! misho 738: --with-sudoers-uid=UID
! 739: User id that "owns" the sudoers file. Note that this is
! 740: the numeric id, *not* the symbolic name. This value may be
! 741: overridden at run-time in the sudo.conf file. The default
! 742: is 0.
1.1 misho 743:
1.1.1.4 ! misho 744: --with-sudoers-gid=GID
! 745: Group id that "owns" the sudoers file. Note that this is
! 746: the numeric id, *not* the symbolic name. This value may be
! 747: overridden at run-time in the sudo.conf file. The default
! 748: is 0.
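The three options above fix the ownership and mode sudo expects for the sudoers file. The following check, an added example and not part of sudo's INSTALL or source, verifies an installed sudoers file against those compiled-in values (or against a site's own mode, for the NFS-mounted group-readable case), using GNU or BSD stat(1):

```shell
# Added example (not sudo's own code): verify that a sudoers file matches the
# ownership and mode chosen at build time with --with-sudoers-mode,
# --with-sudoers-uid and --with-sudoers-gid (defaults 0440, uid 0, gid 0).

# Print "mode uid gid" for FILE; the mode is printed in octal. GNU stat is
# tried first because on GNU "stat -f" means "report the filesystem".
sudoers_perms() {
    if stat -c '%a %u %g' "$1" 2>/dev/null; then
        return 0
    fi
    stat -f '%Lp %u %g' "$1"
}

# Strip leading zeros so "0440", "440" and "00440" compare equal.
octal_norm() {
    n=$(printf '%s' "$1" | sed 's/^0*//')
    printf '%s' "${n:-0}"
}

# check_sudoers_perms FILE [MODE [UID [GID]]]
# Returns 0 when mode, owner and group all match, 1 on any mismatch,
# 2 when FILE does not exist. Mismatches are reported on stderr.
check_sudoers_perms() {
    file=$1
    want_mode=$(octal_norm "${2:-0440}")
    want_uid=${3:-0}
    want_gid=${4:-0}
    [ -f "$file" ] || { echo "check_sudoers_perms: $file: no such file" >&2; return 2; }
    set -- $(sudoers_perms "$file")
    have_mode=$(octal_norm "$1"); have_uid=$2; have_gid=$3
    rc=0
    if [ "$have_mode" != "$want_mode" ]; then
        echo "$file: mode 0$have_mode, expected 0$want_mode" >&2; rc=1
    fi
    if [ "$have_uid" != "$want_uid" ]; then
        echo "$file: owner uid $have_uid, expected uid $want_uid" >&2; rc=1
    fi
    if [ "$have_gid" != "$want_gid" ]; then
        echo "$file: group gid $have_gid, expected gid $want_gid" >&2; rc=1
    fi
    # An "other"-readable sudoers exposes the site's privilege policy to every
    # local user, so warn even when that mode was the one requested.
    case $have_mode in
        *[4567]) echo "$file: warning: world-readable (mode 0$have_mode)" >&2 ;;
    esac
    return $rc
}
```

Run it as `check_sudoers_perms /etc/sudoers` for the defaults, or pass the mode, uid and gid your sudo.conf or configure options actually set.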
1.1 misho 749:
1.1.1.4 ! misho 750: --with-timeout=NUMBER
! 751: Number of minutes that can elapse before sudo will ask for a password
! 752: again. The default is 5; set this to 0 to always prompt for a password.
! 753: Sudoers option: timestamp_timeout
1.1 misho 754:
1.1.1.4 ! misho 755: --with-tty-tickets=no, --without-tty-tickets
! 756: By default, sudo uses a different ticket file for each user/tty combo.
! 757: With this option disabled, a single ticket will be used for all
! 758: of a user's login sessions.
! 759: Sudoers option: tty_tickets
! 760:
! 761: --with-umask=MASK
! 762: Umask to use when running the root command. The default is 0022.
! 763: Sudoers option: umask
! 764:
! 765: --with-umask=no, --without-umask
! 766: Preserves the umask of the user invoking sudo.
! 767: Sudoers option: !umask
! 768:
! 769: --with-umask-override
! 770: Use the umask specified in sudoers even if it is less restrictive
! 771: than the user's. The default is to use the intersection of the
! 772: user's umask and the umask specified in sudoers.
! 773: Sudoers option: umask_override
! 774:
! 775: OS dependent notes
! 776: ==================
1.1 misho 777:
778: HP-UX:
779: The default C compiler shipped with HP-UX is not an ANSI compiler.
780: You must use either the HP ANSI C compiler or gcc to build sudo.
781: Binary packages of gcc are available from http://hpux.connect.org.uk/.
782:
783: To prevent PAM from overriding the value of umask on HP-UX 11,
784: you will need to add a line like the following to /etc/pam.conf:
785:
786: sudo session required libpam_hpsec.so.1 bypass_umask
787:
1.1.1.2 misho 788: If every command run via sudo displays information about the last
789: successful login and the last authentication failure, you should
790: use an /etc/pam.conf line like:
791:
792: sudo session required libpam_hpsec.so.1 bypass_umask bypass_last_login
793:
1.1.1.4 ! misho 794: Linux:
! 795: PAM and LDAP headers are not installed by default on most Linux
! 796: systems. You will need to install the "pam-dev" package if
! 797: /usr/include/security/pam_appl.h is not present on your system.
! 798: If you wish to build with LDAP support you will also need the
! 799: openldap-devel package.
! 800:
! 801: Mac OS X:
! 802: The pseudo-tty support in the Mac OS X kernel has bugs related
! 803: to its handling of the SIGTSTP, SIGTTIN and SIGTTOU signals.
! 804: It does not restart reads and writes when those signals are
! 805: delivered. This may cause problems for some commands when I/O
! 806: logging is enabled. The issue has been reported to Apple and
! 807: is bug id #7952709.
! 808:
! 809: Solaris:
! 810: You need to have a C compiler in order to build sudo. Since
! 811: Solaris does not come with one by default this means that you
! 812: need to either install the Solaris Studio compiler suite,
! 813: available for free from www.oracle.com, or install the GNU C
! 814: compiler (gcc), which can be installed via the pkg utility
! 815: on Solaris 11 and higher and is distributed on the Solaris
! 816: Companion CD for older Solaris releases. You can also download
! 817: gcc packages from http://www.opencsw.org/packages/CSWgcc4core/
1.1 misho 818:
819: SunOS 4.x:
820: SunOS does not ship with an ANSI C compiler. You will need to
821: install an ANSI compiler such as gcc to build sudo.
822:
823: The /bin/sh shipped with SunOS blows up while running configure.
824: You can work around this by installing bash or zsh. If you
1.1.1.4 ! misho 825: have bash or zsh in your path, configure will use it automatically.