File:  [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / INSTALL
Revision 1.1.1.5 (vendor branch): download - view: text, annotated - select for diffs - revision graph
Sun Jun 15 16:12:53 2014 UTC (10 years, 6 months ago) by misho
Branches: sudo, MAIN
CVS tags: v1_8_10p3_0, v1_8_10p3, HEAD
sudo v 1.8.10p3

    1: Sudo installation instructions
    2: ==============================
    3: 
    4: Sudo uses a `configure' script to probe the capabilities and type
    5: of the system in question.  In this release, `configure' takes many
    6: more options than it did before.  Please read this document fully
    7: before configuring and building sudo.  You may also wish to read the
    8: file INSTALL.configure which explains more about the `configure' script.
    9: 
   10: System requirements
   11: ===================
   12: 
   13: To build sudo from the source distribution you need a POSIX-compliant
   14: operating system (any modern version of BSD, Linux or Unix should work),
   15: an ANSI/ISO C compiler that supports the "long long" type, variadic
   16: macros (a C99 feature) as well as the ar, make and ranlib utilities.
   17: 
   18: If you wish to modify the parser then you will need flex version
   19: 2.5.2 or later and either bison or byacc (sudo comes with a
   20: pre-generated parser).  You'll also have to run configure with the
   21: --with-devel option or pass DEVEL=1 to make.  You can get flex from
   22: http://flex.sourceforge.net/.  You can get GNU bison from
   23: ftp://ftp.gnu.org/pub/gnu/bison/ or any GNU mirror.
   24: 
   25: Simple sudo installation
   26: ========================
   27: 
   28: For most systems and configurations it is possible simply to:
   29: 
   30:     0) If you are upgrading from a previous version of sudo
   31:        please read the info in the UPGRADE file before proceeding.
   32: 
   33:     1) Read the `OS dependent notes' section for any particular
   34:        "gotchas" relating to your operating system.
   35: 
   36:     2) `cd' to the source or build directory and type `./configure'
   37:        to generate a Makefile and config.h file suitable for building
   38:        sudo.  Before you actually run configure you should read the
   39:        `Available configure options' section to see if there are
   40:        any special options you may want or need.
   41: 
   42:     4) Type `make' to compile sudo.  If you are building sudo
   43:        in a separate build tree (apart from the sudo source) GNU
   44:        make will probably be required.  If `configure' did its job
   45:        properly (and you have a supported configuration) there won't
   46:        be any problems.  If this doesn't work, take a look at the
   47:        doc/TROUBLESHOOTING file for tips on what might have gone
   48:        wrong.  Please mail us if you have a fix or if you are unable
   49:        to come up with a fix (address at EOF).
   50: 
   51:     5) Type `make install' (as root) to install sudo, visudo, the
   52:        man pages, and a skeleton sudoers file.  Note that the install
   53:        will not overwrite an existing sudoers file.  You can also
   54:        install various pieces the package via the install-binaries,
   55:        install-doc, and install-sudoers make targets.
   56: 
   57:     6) Edit the sudoers file with `visudo' as necessary for your
   58:        site.  You will probably want to refer the sample.sudoers
   59:        file and sudoers man page included with the sudo package.
   60: 
   61:     7) If you want to use syslogd(8) to do the logging, you'll need
   62:        to update your /etc/syslog.conf file.  See the sample.syslog.conf
   63:        file included in the distribution for an example.
   64: 
   65: Available configure options
   66: ===========================
   67: 
   68: This section describes flags accepted by the sudo's `configure' script.
   69: Defaults are listed in brackets after the description.
   70: 
   71: Configuration:
   72:   --cache-file=FILE
   73: 	Cache test results in FILE
   74: 
   75:   --config-cache, -C
   76: 	Alias for `--cache-file=config.cache'
   77: 
   78:   --help, -h
   79: 	Print the usage/help info
   80: 
   81:   --no-create, -n
   82: 	Do not create output files
   83: 
   84:   --quiet, --silent, -q
   85: 	Do not print `checking...' messages
   86: 
   87:   --srcdir=DIR
   88: 	Find the sources in DIR [configure dir or `..']
   89: 
   90: Directory and file names:
   91:   --prefix=PREFIX
   92: 	Install architecture-independent files in PREFIX.  [/usr/local]
   93: 
   94:   --exec-prefix=EPREFIX
   95:         Install architecture-dependent files in EPREFIX.
   96: 	This includes the executables and plugins.  [same as PREFIX]
   97: 
   98:   --bindir=DIR
   99: 	Install `sudo', `sudoedit' and `sudoreplay' in DIR. [EPREFIX/bin]
  100: 
  101:   --sbindir=DIR
  102: 	Install `visudo' in DIR. [EPREFIX/sbin]
  103: 
  104:   --libexecdir=DIR
  105: 	Install plugins and helper programs in DIR/sudo [PREFIX/libexec/sudo]
  106: 
  107:   --sysconfdir=DIR
  108: 	Look for `sudo.conf' and `sudoers' files in DIR. [/etc]
  109: 
  110:   --includedir=DIR
  111: 	Install sudo_plugin.h include file in DIR [PREFIX/include]
  112: 
  113:   --datarootdir=DIR
  114: 	Root directory for platform-independent data files [PREFIX/share]
  115: 
  116:   --localedir=DIR
  117: 	Install sudo and sudoers locale files in DIR [DATAROOTDIR/locale]
  118: 
  119:   --mandir=DIR
  120: 	Install man pages in DIR [PREFIX/man]
  121: 
  122:   --docdir=DIR
  123: 	Install other sudo documentation in DIR [DATAROOTDIR/doc/sudo]
  124: 
  125:   --with-plugindir=DIR
  126: 	Set the directory that sudo looks in to find the policy and I/O
  127: 	logging plugins.  Defaults to the LIBEXEC/sudo.
  128: 
  129:   --with-rundir=DIR
  130:         Set the directory to be used for sudo-specific files that
  131:         do not survive a system reboot.  This is typically where
  132:         the time stamp directory is located.  By default, configure
  133:         will use the first existing directory in the following list:
  134: 	    /var/run, /var/db, /var/lib, /var/adm, /usr/adm
  135: 	This directory should be cleared when the system reboots.
  136: 	On systems that lack /var/run, the default rundir and vardir
  137: 	may be the same.  In this case, only the ts directory inside
  138: 	the rundir needs to be cleared at boot time.
  139: 
  140:   --with-vardir=DIR
  141:         Set the directory to be used for sudo-specific files that
  142:         survive a system reboot.  This is typically where the lecture
  143:         status directory is stored.  By default, configure will use
  144:         the first existing directory in the following list:
  145: 	    /var/db, /var/lib, /var/adm, /usr/adm
  146: 	This directory should not be cleared when the system boots.
  147: 
  148: Compilation options:
  149:   --disable-hardening
  150: 	Disable the use of compiler/linker exploit mitigation options
  151: 	which are enabled by default.  This includes compiling with
  152: 	_FORTIFY_SOURCE defined to 2, building with -fstack-protector
  153: 	and linking with -zrelro, where supported.
  154: 
  155:   --enable-pie
  156:         Build sudo and related programs as as a position independent
  157:         executables (PIE).  This improves the effectiveness of address
  158: 	space layout randomization (ASLR) on systems that support it.
  159: 	Sudo will create PIE binaries by default on Linux systems.
  160: 
  161:   --disable-pie
  162:         Disable the creation of position independent executables (PIE),
  163:         even if the compiler creates PIE binaries by default.  This
  164:         option may be needed on some Linux systems where PIE binaries
  165:         are not fully supported.
  166: 
  167:   --disable-poll
  168:         Use select() instead of poll() in the event loop.  By default,
  169: 	sudo will use poll() on systems that support it.  Some systems
  170: 	have a broken poll() implementation and need to use select instead.
  171: 	On Mac OS X, select() is always used since its poll() doesn't
  172: 	support devices.
  173: 
  174:   --disable-rpath
  175:         By default, configure will use -Rpath in addition to -Lpath
  176:         when passing library paths to the loader.  This option will
  177:         disable the use of -Rpath.
  178: 
  179:   --disable-shared
  180:         Disable dynamic shared object support.  By default, sudo
  181:         is built with a plugin API capable of loading arbitrary
  182:         policy and I/O logging plugins.  If the --disable-shared
  183:         option is specified, this support is disabled and the default
  184:         sudoers policy and I/O plugins are embedded in the sudo
  185:         binary itself.  This will also disable the noexec option
  186:         as it too relies on dynamic shared object support.
  187: 
  188:   --enable-static-sudoers
  189:         By default, the sudoers plugin is built and installed as a
  190:         dynamic shared object.  When the --enable-static-sudoers
  191:         option is specified, the sudoers plugin is compiled directly
  192:         into the sudo binary.  Unlike --disable-shared, this does
  193:         not prevent other plugins from being used and the noexec
  194:         option will continue to function.
  195: 
  196:   --enable-zlib[=location]
  197: 	Enable the use of the zlib compress library when storing
  198: 	I/O log files.  If specified, location is the base directory
  199: 	containing the zlib include and lib directories.  The special
  200: 	values "system" and "builtin" can be used to indicate that
  201: 	the system version of zlib should be used or that the version
  202: 	of zlib shipped with sudo should be used instead.
  203: 	If this option is not specified, configure will use the
  204: 	system zlib if it is present.
  205: 
  206:   --with-incpath=DIR
  207: 	Adds the specified directory (or directories) to CPPFLAGS
  208: 	so configure and the compiler will look there for include
  209: 	files.  Multiple directories may be specified as long as
  210: 	they are space separated.
  211: 	E.g. --with-incpath="/usr/local/include /opt/include"
  212: 
  213:   --with-libpath=DIR
  214: 	Adds the specified directory (or directories) to LDFLAGS
  215: 	so configure and the compiler will look there for libraries.
  216: 	Multiple directories may be specified as with --with-incpath.
  217: 
  218:   --with-libraries=LIBRARY
  219: 	Adds the specified library (or libraries) to SUDO_LIBS and
  220: 	and VISUDO_LIBS so sudo will link against them.  If the
  221: 	library doesn't start with `-l' or end in `.a' or `.o' a
  222: 	`-l' will be pre-pended to it.  Multiple libraries may be
  223: 	specified as long as they are space separated.
  224: 
  225:   --with-libtool=PATH
  226:         By default, sudo will use the included version of libtool
  227:         to build shared libraries.  The --with-libtool option can
  228:         be used to specify a different version of libtool to use.
  229:         The special values "system" and "builtin" can be used in
  230:         place of a path to denote the default system libtool (obtained
  231:         via the user's PATH) and the default libtool that comes
  232:         with sudo.
  233: 
  234: Optional features:
  235:   --disable-root-mailer
  236: 	By default sudo will run the mailer as root when tattling
  237: 	on a user so as to prevent that user from killing the mailer.
  238: 	With this option, sudo will run the mailer as the invoking
  239: 	user which some people consider to be safer.
  240: 
  241:   --enable-nls[=location]
  242:         Enable natural language support using the gettext() family
  243:         of functions.  If specified, location is the base directory
  244:         containing the libintl include and lib directories.  If
  245:         this option is not specified, configure will look for the
  246:         gettext() family of functions in the standard C library
  247:         first, then check for a standalone libintl (linking with
  248:         libiconv as needed).
  249: 
  250:   --disable-nls
  251:         Disable natural language support.  By default, sudo will
  252:         use the gettext() family of functions, if available, to
  253:         implement messages in the invoking user's native language.
  254: 	Note that translations do not exist for all languages.
  255: 
  256:   --with-ldap[=DIR]
  257: 	Enable LDAP support.  If specified, DIR is the base directory
  258: 	containing the LDAP include and lib directories.  Please see
  259: 	README.LDAP for more information.
  260: 
  261:   --with-ldap-conf-file=PATH
  262: 	Path to LDAP configuration file.  If specified, sudo reads
  263: 	this file instead of /etc/ldap.conf to locate the LDAP server.
  264: 
  265:   --with-ldap-secret-file=PATH
  266: 	Path to LDAP secret password file.  If specified, sudo uses
  267: 	this file instead of /etc/ldap.secret to read the secret password
  268: 	when rootbinddn is specified in the ldap config file.
  269: 
  270:   --with-logincap
  271: 	This adds support for login classes specified in /etc/login.conf.
  272: 	It is enabled by default on BSD/OS, Darwin, FreeBSD, OpenBSD and
  273: 	NetBSD (where available).  By default, a login class is not applied
  274: 	unless the 'use_loginclass' option is defined in sudoers or the user
  275: 	specifies a class on the command line.
  276: 
  277:   --with-interfaces=no, --without-interfaces
  278: 	This option keeps sudo from trying to glean the ip address
  279: 	from each attached Ethernet interface.  It is only useful
  280: 	on a machine where sudo's interface reading support does
  281: 	not work, which may be the case on some SysV-based OS's
  282: 	using STREAMS.
  283: 
  284:   --with-noexec[=PATH]
  285: 	Enable support for the "noexec" functionality which prevents
  286: 	a dynamically-linked program being run by sudo from executing
  287: 	another program (think shell escapes).  Please see the
  288: 	"PREVENTING SHELL ESCAPES" section in the sudoers man page
  289: 	for details.  If specified, PATH should be a fully qualified
  290: 	path name, e.g. /usr/local/libexec/sudo_noexec.so.  If PATH
  291: 	is "no", noexec support will not be compiled in.  The default
  292: 	is to compile noexec support if libtool supports building
  293: 	shared objects on your OS.
  294: 
  295:   --with-selinux 
  296: 	Enable support for role based access control (RBAC) on
  297: 	systems that support SELinux.
  298: 
  299:   --with-sssd
  300:         Enable support for using the System Security Services Daemon
  301:         (SSSD) as a sudoers data source.  For more information on
  302:         SSD, see http://fedorahosted.org/sssd/
  303: 
  304:   --with-sssd-lib=PATH
  305:         Specify the path to the SSSD shared library, which is loaded
  306:         at run-time.
  307: 
  308: Operating system-specific options:
  309:   --disable-setreuid
  310:         Disable use of the setreuid() function for operating systems
  311:         where it is broken.  For instance, 4.4BSD has setreuid()
  312:         that is not fully functional.
  313: 
  314:   --disable-setresuid
  315: 	Disable use of the setresuid() function for operating systems
  316: 	where it is broken (none currently known).
  317: 
  318:   --enable-admin-flag
  319: 	Enable the creation of an Ubuntu-style admin flag file
  320: 	the first time sudo is run.
  321: 
  322:   --with-bsm-audit
  323:         Enable support for sudo BSM audit logs on systems that support it.
  324: 	This includes recent versions of FreeBSD, Mac OS X and Solaris.
  325: 
  326:   --with-linux-audit
  327: 	Enable audit support for Linux systems.  Audits attempts
  328: 	to run a command as well as SELinux role changes.
  329: 
  330:   --with-man
  331:         Use the "man" macros for manual pages.  By default, mdoc versions
  332: 	of the manuals are installed if supported.  This can be used to
  333: 	override configure's test for "nroff -mdoc" support.
  334: 
  335:   --with-mdoc
  336:         Use the "mdoc" macros for manual pages.  By default, mdoc versions
  337: 	of the manuals are installed if supported.  This can be used to
  338: 	override configure's test for "nroff -mdoc" support.
  339: 
  340:   --with-netsvc[=PATH]
  341:         Path to netsvc.conf or "no" to disable netsvc.conf support.
  342:         If specified, sudo uses this file instead of /etc/netsvc.conf
  343:         on AIX systems.  If netsvc support is disabled but LDAP is
  344:         enabled, sudo will check LDAP first, then the sudoers file.
  345: 
  346:   --with-nsswitch[=PATH]
  347: 	Path to nsswitch.conf or "no" to disable nsswitch support.
  348: 	If specified, sudo uses this file instead of /etc/nsswitch.conf.
  349: 	If nsswitch support is disabled but LDAP is enabled, sudo will
  350: 	check LDAP first, then the sudoers file.
  351: 
  352:   --with-project
  353: 	Enable support for Solaris project resource limits.
  354: 	This option is only available on Solaris 9 and above.
  355: 
  356: Authentication options:
  357:   --with-AFS
  358: 	Enable AFS support with Kerberos authentication.  Should work under
  359: 	AFS 3.3.  If your AFS doesn't have -laudit you should be able to
  360: 	link without it.
  361: 
  362:   --with-aixauth
  363: 	Enable support for the AIX 4.x general authentication function.
  364: 	This will use the authentication scheme specified for the user
  365: 	on the machine.  It is on by default for AIX systems that
  366: 	support it.
  367: 
  368:   --with-bsdauth
  369: 	Enable support for BSD authentication.  This is the default
  370: 	for BSD/OS and OpenBSD systems that support it.
  371: 	It is not possible to mix BSD authentication with other
  372: 	authentication methods (and there really should be no need
  373: 	to do so).  Note that only the newer BSD authentication API
  374: 	is supported.  If you don't have /usr/include/bsd_auth.h
  375: 	then you cannot use this.
  376: 
  377:   --with-DCE
  378: 	Enable DCE support for systems without PAM.  Known to work on
  379: 	HP-UX 9.X, 10.X, and 11.0; other systems may require source
  380: 	code and/or `configure' changes.  On systems with PAM support
  381: 	(such as HP-UX 11.0 and higher, Solaris, FreeBSD and Linux), the
  382: 	DCE PAM module (usually libpam_dce) should be used instead.
  383: 
  384:   --with-fwtk[=DIR]
  385: 	Enable TIS Firewall Toolkit (FWTK) 'authsrv' support. If specified,
  386: 	DIR is the base directory containing the compiled FWTK package
  387: 	(or at least the library and header files).
  388: 
  389:   --with-kerb5[=DIR]
  390: 	Enable Kerberos V support.  If specified, DIR is the base
  391: 	directory containing the Kerberos V include and lib dirs.
  392: 	This uses Kerberos pass phrases for authentication but
  393: 	does not use the Kerberos cookie scheme.  Will not work for
  394: 	Kerberos V older than version 1.1.
  395: 
  396:   --enable-kerb5-instance=string
  397:         By default, the user name is used as the principal name
  398:         when authenticating via Kerberos V.  If this option is
  399:         enabled, the specified instance string will be appended to
  400:         the user name (separated by a slash) when creating the
  401:         principal name.
  402: 
  403:   --with-opie[=DIR]
  404: 	Enable NRL OPIE OTP (One Time Password) support.  If specified,
  405: 	DIR should contain include and lib directories with opie.h
  406: 	and libopie.a respectively.
  407: 
  408:   --with-otp-only
  409: 	This option is now just an alias for --without-passwd.
  410: 
  411:   --with-pam
  412: 	Enable PAM support.  This is on by default for Darwin, FreeBSD,
  413: 	Linux, Solaris and HP-UX (version 11 and higher).
  414: 
  415: 	NOTE: on RedHat Linux and Fedora you *must* have an /etc/pam.d/sudo
  416: 	file install.  You may either use the sample.pam file included with
  417: 	sudo or use /etc/pam.d/su as a reference.  The sample.pam file
  418: 	included with sudo may or may not work with other Linux distributions.
  419: 	On Solaris and HP-UX 11 systems you should check (and understand)
  420: 	the contents of /etc/pam.conf.  Do a "man pam.conf" for more
  421: 	information and consider using the "debug" option, if available,
  422: 	with your PAM libraries in /etc/pam.conf to obtain syslog output
  423: 	for debugging purposes.
  424: 
  425:   --with-pam-login
  426:         Enable a specific PAM session when sudo is given the -i option.
  427: 	This changes the PAM service name when sudo is run with the -i
  428: 	option from "sudo" to "sudo-i", allowing for a separate pam
  429: 	configuration for sudo's initial login mode.
  430: 
  431:   --disable-pam-session
  432:         Disable sudo's PAM session support.  This may be needed on
  433:         older PAM implementations or on operating systems where
  434:         opening a PAM session changes the utmp or wtmp files.  If
  435:         PAM session support is disabled, resource limits may not
  436:         be updated for the command being run.
  437: 
  438:   --with-passwd=no, --without-passwd
  439: 	This option excludes authentication via the passwd (or
  440: 	shadow) file.  It should only be used when another, alternative,
  441: 	authentication scheme is in use.
  442: 
  443:   --with-SecurID[=DIR]
  444: 	Enable SecurID support.  If specified, DIR is directory containing
  445: 	libaceclnt.a, acexport.h, and sdacmvls.h.
  446: 
  447:   --with-skey[=DIR]
  448: 	Enable S/Key OTP (One Time Password) support.  If specified,
  449: 	DIR should contain include and lib directories with skey.h
  450: 	and libskey.a respectively.
  451: 
  452:   --disable-sia
  453: 	Disable SIA support.  This is the "Security Integration
  454: 	Architecture" on Digital UNIX. If you disable SIA sudo will
  455: 	use its own authentication routines.
  456: 
  457:   --disable-shadow
  458: 	Disable shadow password support.  Normally, sudo will compile
  459: 	in shadow password support and use a shadow password if it
  460: 	exists.
  461: 
  462:   --enable-gss-krb5-ccache-name
  463:         Use the gss_krb5_ccache_name() function to set the Kerberos
  464:         V credential cache file name.  By default, sudo will use
  465:         the KRB5CCNAME environment variable to set this.  While
  466:         gss_krb5_ccache_name() provides a better API to do this it
  467:         is not supported by all Kerberos V and SASL combinations.
  468: 
  469: Development options:
  470:   --enable-env-debug
  471:         Enable debugging of the environment setting functions.  This
  472:         enables extra checks to make sure the environment does not
  473:         become corrupted.
  474: 
  475:   --enable-warnings
  476: 	Enable compiler warnings when building sudo with gcc.
  477: 
  478:   --enable-werror
  479: 	Enable the -Werror compiler option when building sudo with gcc.
  480: 
  481:   --with-devel
  482:         Configure development options.  This will enable compiler warnings
  483: 	and set up the Makefile to be able to regenerate the sudoers parser
  484: 	as well as the manual pages.
  485: 
  486:   --with-efence
  487: 	Link with the "electric fence" debugging malloc.
  488: 
  489: Options that set runtime-changeable default values:
  490:   --disable-authentication
  491: 	By default, sudo requires the user to authenticate via a
  492: 	password or similar means.  This options causes sudo to
  493: 	*not* require authentication.  It is possible to turn
  494: 	authentication back on in sudoers via the PASSWD attribute.
  495: 	Sudoers option: !authenticate
  496: 
  497:   --disable-env-reset
  498:         Disable environment resetting.  This sets the default value
  499:         of the "env_reset" Defaults option in sudoers to false.
  500: 	Sudoers option: !env_reset
  501: 
  502:   --disable-path-info
  503: 	Normally, sudo will tell the user when a command could not be found
  504: 	in their $PATH.  Some sites may wish to disable this as it could
  505: 	be used to gather information on the location of executables that
  506: 	the normal user does not have access to.  The disadvantage is that
  507: 	if the executable is simply not in the user's path, sudo will tell
  508: 	the user that they are not allowed to run it, which can be confusing.
  509: 	Sudoers option: path_info
  510: 
  511:   --disable-root-sudo
  512: 	Don't let root run sudo.  This can be used to prevent people from
  513: 	"chaining" sudo commands to get a root shell by doing something
  514: 	like "sudo sudo /bin/sh".
  515: 	Sudoers option: !root_sudo
  516: 
  517:   --disable-zlib
  518:         Disable the use of the zlib compress library when storing
  519:         I/O log files.
  520: 	Sudoers option: !compress_io
  521: 
  522:   --enable-log-host
  523: 	Log the hostname in the log file.
  524: 	Sudoers option: log_host
  525: 
  526:   --enable-noargs-shell
  527: 	If sudo is invoked with no arguments it acts as if the "-s" flag had
  528: 	been given.  That is, it runs a shell as root (the shell is determined
  529: 	by the SHELL environment variable, falling back on the shell listed
  530: 	in the invoking user's /etc/passwd entry).
  531: 	Sudoers option: shell_noargs
  532: 
  533:   --enable-shell-sets-home
  534: 	If sudo is invoked with the "-s" flag the HOME environment variable
  535: 	will be set to the home directory of the target user (which is root
  536: 	unless the "-u" option is used).  This option effectively makes the
  537: 	"-s" flag imply "-H".
  538: 	Sudoers option: set_home
  539: 
  540:   --with-all-insults
  541: 	Include all the insult sets listed below.  You must either specify
  542: 	--with-insults or enable insults in the sudoers file for this to
  543: 	have any effect.
  544: 
  545:   --with-askpass=PATH
  546:         Set PATH as the "askpass" program to use when no tty is
  547:         available.  Typically, this is a graphical password prompter,
  548:         similar to the one used by ssh.  The program must take a
  549:         prompt as an argument and print the received password to
  550:         the standard output.  This value may overridden at run-time
  551:         in the sudo.conf file.
  552: 
  553:   --with-badpass-message="BAD PASSWORD MESSAGE"
  554: 	Message that is displayed if a user enters an incorrect password.
  555: 	The default is "Sorry, try again." unless insults are turned on.
  556: 	Sudoers option: badpass_message
  557: 
  558:   --with-badpri=PRIORITY
  559: 	Determines which syslog priority to log unauthenticated
  560: 	commands and errors.  The following priorities are supported:
  561: 	alert, crit, debug, emerg, err, info, notice, and warning.
  562: 	Sudoers option: syslog_badpri
  563: 
  564:   --with-classic-insults
  565: 	Uses insults from sudo "classic."  If you just specify --with-insults
  566: 	you will get the classic and CSOps insults.  This is on by default if
  567: 	--with-insults is given.
  568: 
  569:   --with-csops-insults
  570: 	Insults the user with an extra set of insults (some quotes, some
  571: 	original) from a sysadmin group at CU (CSOps).  You must specify
  572: 	--with-insults as well for this to have any effect.  This is on by
  573: 	default if --with-insults is given.
  574: 
  575:   --with-editor=PATH
  576: 	Specify the default editor path for use by visudo.  This may be a
  577: 	single path name or a colon-separated list of editors.  In the latter
  578: 	case, visudo will choose the editor that matches the user's VISUAL
  579: 	or EDITOR environment variables or the first editor in the list that
  580: 	exists.  The default is the path to vi on your system.
  581: 	Sudoers option: editor
  582: 
  583:   --with-env-editor
  584: 	Makes visudo consult the VISUAL and EDITOR environment variables before
  585: 	falling back on the default editor list (as specified by --with-editor).
  586: 	Note that this may create a security hole as it allows the user to
  587: 	run any arbitrary command as root without logging.  A safer alternative
  588: 	is to use a colon-separated list of editors with the --with-editor
  589: 	option.  visudo will then only use the VISUAL or EDITOR variables
  590: 	if they match a value specified via --with-editor.
  591: 	Sudoers option: env_editor
  592: 
  593:   --with-exempt=GROUP
  594: 	Users in the specified group don't need to enter a password when
  595: 	running sudo.  This may be useful for sites that don't want their
  596: 	"core" sysadmins to have to enter a password but where Jr. sysadmins
  597: 	need to.  You should probably use NOPASSWD in sudoers instead.
  598: 	Sudoers option: exempt_group
  599: 
  600:   --with-fqdn
  601: 	Define this if you want to put fully qualified host names in the sudoers
  602: 	file.  Ie: instead of myhost you would use myhost.mydomain.edu.  You may
  603: 	still use the short form if you wish (and even mix the two).  Beware
  604: 	that turning FQDN on requires sudo to make DNS lookups which may make
  605: 	sudo unusable if your DNS is totally hosed.  Also note that you must
  606: 	use the host's official name as DNS knows it.  That is, you may not use
  607: 	a host alias (CNAME entry) due to performance issues and the fact that
  608: 	there is no way to get all aliases from DNS.
  609: 	Sudoers option: fqdn
  610: 
  611:   --with-goodpri=PRIORITY
  612: 	Determines which syslog priority to log successfully
  613: 	authenticated commands.  The following priorities are
  614: 	supported: alert, crit, debug, emerg, err, info, notice,
  615: 	and warning.
  616: 	Sudoers option: syslog_goodpri
  617: 
  618:   --with-goons-insults
  619: 	Insults the user with lines from the "Goon Show" when an incorrect
  620: 	password is entered.  You must either specify --with-insults or
  621: 	enable insults in the sudoers file for this to have any effect.
  622: 
  623:   --with-hal-insults
  624: 	Uses 2001-like insults when an incorrect password is entered.
  625: 	You must either specify --with-insults or enable insults in the
  626: 	sudoers file for this to have any effect.
  627: 
  628:   --with-ignore-dot
  629: 	If set, sudo will ignore '.' or '' (current dir) in $PATH.
  630: 	The $PATH itself is not modified.
  631: 	Sudoers option: ignore_dot
  632: 
  633:   --with-insults
  634: 	Define this if you want to be insulted for typing an incorrect password
  635: 	just like the original sudo(8).  This is off by default.
  636: 	Sudoers option: insults
  637: 
  638:   --with-insults=disabled
  639:         Include support for insults but disable them unless explicitly
  640:         enabled in sudoers.
  641: 	Sudoers option: !insults
  642: 
  643:   --with-iologdir[=DIR]
  644:         By default, sudo stores I/O log files in either /var/log/sudo-io,
  645:         /var/adm/sudo-io, or /usr/log/sudo-io.  If this option is
  646:         specified, I/O logs will be stored in the indicated directory
  647:         instead.
  648: 	Sudoers option: iolog_dir
  649: 
  650:   --with-lecture=no, --without-lecture
  651: 	Don't print the lecture the first time a user runs sudo.
  652: 	Sudoers option: !lecture
  653: 
  654:   --with-logfac=FACILITY
  655: 	Determines which syslog facility to log to.  This requires
  656: 	a 4.3BSD or later version of syslog.  You can still set
  657: 	this for ancient syslogs but it will have no effect.  The
  658: 	following facilities are supported: authpriv (if your OS
  659: 	supports it), auth, daemon, user, local0, local1, local2,
  660: 	local3, local4, local5, local6, and local7.
  661: 	Sudoers option: syslog
  662: 
  663:   --with-logging=TYPE
  664: 	How you want to do your logging.  You may choose "syslog",
  665: 	"file", or "both".  Setting this to "syslog" is nice because
  666: 	you can keep all of your sudo logs in one place (see the
  667: 	sample.syslog.conf file).  The default is "syslog".
  668: 	Sudoers options: syslog and logfile
  669: 
  670:   --with-loglen=NUMBER
  671: 	Number of characters per line for the file log.  This is only used if
  672: 	you are to "file" or "both".  This value is used to decide when to wrap
  673: 	lines for nicer log files.  The default is 80.  Setting this to 0
  674: 	will disable the wrapping.
  675: 	Sudoers options: loglinelen
  676: 
  677:   --with-logpath=PATH
  678: 	Override the default location of the sudo log file and use
  679: 	"path" instead.  By default will use /var/log/sudo.log if
  680: 	there is a /var/log dir, falling back to /var/adm/sudo.log
  681: 	or /usr/adm/sudo.log if not.
  682: 	Sudoers option: logfile
  683: 
  684:   --with-long-otp-prompt
  685: 	When validating with a One Time Password scheme (S/Key or
  686: 	OPIE), a two-line prompt is used to make it easier to cut
  687: 	and paste the challenge to a local window.  It's not as
  688: 	pretty as the default but some people find it more convenient.
  689: 	Sudoers option: long_otp_prompt
  690: 
  691:   --with-mail-if-no-user=no, --without-mail-if-no-user
  692: 	Normally, sudo will mail to the "alertmail" user if the user invoking
  693: 	sudo is not in the sudoers file.  This option disables that behavior.
  694: 	Sudoers option: mail_no_user
  695: 
  696:   --with-mail-if-no-host
  697: 	Send mail to the "alermail" user if the user exists in the sudoers
  698: 	file, but is not allowed to run commands on the current host.
  699: 	Sudoers option: mail_no_host
  700: 
  701:   --with-mail-if-noperms
  702: 	Send mail to the "alermail" user if the user is allowed to use sudo but
  703: 	the command they are trying is not listed in their sudoers file entry.
  704: 	Sudoers option: mail_no_perms
  705: 
  706:   --with-mailsubject="SUBJECT OF MAIL"
  707: 	Subject of the mail sent to the "mailto" user. The token "%h"
  708: 	will expand to the hostname of the machine.
  709: 	Default is "*** SECURITY information for %h ***".
  710: 	Sudoers option: mailsub
  711: 
  712:   --with-mailto=USER|MAIL_ALIAS
  713: 	User (or mail alias) that mail from sudo is sent to.
  714: 	This should go to a sysadmin at your site.  The default is "root".
  715: 	Sudoers option: mailto
  716: 
  717:   --with-passprompt="PASSWORD PROMPT"
  718: 	Default prompt to use when asking for a password; can be overridden
  719: 	via the -p option and the SUDO_PROMPT environment variable. Supports
  720: 	the "%H", "%h", "%U" and "%u" escapes as documented in the sudo
  721: 	manual page.  The default value is "Password:".
  722: 	Sudoers option: passprompt
  723: 
  724:   --with-password-timeout=NUMBER
  725: 	Number of minutes before the sudo password prompt times out.
  726: 	The default is 5, set this to 0 for no password timeout.
  727: 	Sudoers option: passwd_timeout
  728: 
  729:   --with-passwd-tries=NUMBER
  730: 	Number of tries a user gets to enter his/her password before sudo logs
  731: 	the failure and exits.  The default is 3.
  732: 	Sudoers option: passwd_tries
  733: 
  734:   --with-pc-insults
  735: 	Replace politically incorrect insults with less objectionable ones.
  736: 
  737:   --with-runas-default=USER
  738: 	The default user to run commands as if the -u flag is not specified
  739: 	on the command line.  This defaults to "root".
  740: 	Sudoers option: runas_default
  741: 
  742:   --with-secure-path[=PATH]
  743: 	Path used for every command run from sudo(8).  If you don't trust the
  744: 	people running sudo to have a sane PATH environment variable you may
  745: 	want to use this.  Another use is if you want to have the "root path"
  746: 	be separate from the "user path."  You will need to customize the path
  747: 	for your site.  NOTE: this is not applied to users in the group
  748: 	specified by --with-exemptgroup.  If you do not specify a path,
  749: 	"/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc" is used.
  750: 	Sudoers option: secure_path
  751: 
  752:   --with-sendmail=PATH
  753: 	Override configure's guess as to the location of sendmail.
  754: 	Sudoers option: mailerpath
  755: 
  756:   --with-sendmail=no, --without-sendmail
  757: 	Do not use sendmail to mail messages to the "mailto" user.
  758: 	Use only if you don't run sendmail or the equivalent.
  759: 	Sudoers options: !mailerpath or !mailto
  760: 
  761:   --with-sudoers-mode=MODE
  762:         File mode for the sudoers file (octal).  Note that if you
  763:         wish to NFS-mount the sudoers file this must be group
  764:         readable.  This value may overridden at run-time in the
  765:         sudo.conf file.  The default mode is 0440.
  766: 
  767:   --with-sudoers-uid=UID
  768:         User id that "owns" the sudoers file.  Note that this is
  769:         the numeric id, *not* the symbolic name.  This value may
  770:         overridden at run-time in the sudo.conf file.  The default
  771:         is 0.
  772: 
  773:   --with-sudoers-gid=GID
  774:         Group id that "owns" the sudoers file.  Note that this is
  775:         the numeric id, *not* the symbolic name.  This value may
  776:         overridden at run-time in the sudo.conf file.  The default
  777:         is 0.
  778: 
  779:   --with-timeout=NUMBER
  780: 	Number of minutes that can elapse before sudo will ask for a passwd
  781: 	again.  The default is 5, set this to 0 to always prompt for a password.
  782: 	Sudoers option: timestamp_timeout
  783: 
  784:   --with-tty-tickets=no, --without-tty-tickets
  785: 	By default, sudo uses a different ticket file for each user/tty combo.
  786: 	With this option disabled, a single ticket will be used for all
  787: 	of a user's login sessions.
  788: 	Sudoers option: tty_tickets
  789: 
  790:   --with-umask=MASK
  791: 	Umask to use when running the root command.  The default is 0022.
  792: 	Sudoers option: umask
  793: 
  794:   --with-umask=no, --without-umask
  795: 	Preserves the umask of the user invoking sudo.
  796: 	Sudoers option: !umask
  797: 
  798:   --with-umask-override
  799:         Use the umask specified in sudoers even if it is less restrictive
  800: 	than the user's.  The default is to use the intersection of the
  801: 	user's umask and the umask specified in sudoers.
  802: 	Sudoers option: umask_override
  803: 
  804: OS dependent notes
  805: ==================
  806: 
  807: HP-UX:
  808:     The default C compiler shipped with HP-UX is not an ANSI compiler.
  809:     You must use either the HP ANSI C compiler or gcc to build sudo.
  810:     Binary packages of gcc are available from http://hpux.connect.org.uk/.
  811: 
  812:     To prevent PAM from overriding the value of umask on HP-UX 11,
  813:     you will need to add a line like the following to /etc/pam.conf:
  814: 
  815:     sudo	session	required	libpam_hpsec.so.1 bypass_umask
  816: 
  817:     If every command run via sudo displays information about the last
  818:     successful login and the last authentication failure you should
  819:     make use an /etc/pam.conf line like:
  820: 
  821:     sudo	session	required	libpam_hpsec.so.1 bypass_umask bypass_last_login
  822: 
  823: Linux:
  824:     PAM and LDAP headers are not installed by default on most Linux
  825:     systems.  You will need to install the "pam-dev" package if
  826:     /usr/include/security/pam_appl.h is not present on your system.
  827:     If you wish to build with LDAP support you will also need the
  828:     openldap-devel package.
  829: 
  830: Mac OS X:
  831:     The pseudo-tty support in the Mac OS X kernel has bugs related
  832:     to its handling of the SIGTSTP, SIGTTIN and SIGTTOU signals.
  833:     It does not restart reads and writes when those signals are
  834:     delivered.  This may cause problems for some commands when I/O
  835:     logging is enabled.  The issue has been reported to Apple and
  836:     is bug id #7952709.
  837: 
  838: Solaris:
  839:     You need to have a C compiler in order to build sudo.  Since
  840:     Solaris does not come with one by default this means that you
  841:     either need to either install the Solaris Studio compiler suite,
  842:     available for free from www.oracle.com, or install the GNU C
  843:     compiler (gcc) which is can be installed via the pkg utility
  844:     on Solaris 11 and higher and is distributed on the Solaris
  845:     Companion CD for older Solaris releases.  You can also download
  846:     gcc packages from http://www.opencsw.org/packages/CSWgcc4core/
  847: 
  848: SunOS 4.x:
  849:     SunOS does not ship with an ANSI C compiler.  You will need to
  850:     install an ANSI compiler such as gcc to build sudo.
  851: 
  852:     The /bin/sh shipped with SunOS blows up while running configure.
  853:     You can work around this by installing bash or zsh.  If you
  854:     have bash or zsh in your path, configure will use it automatically.

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>