Sudo installation instructions
==============================

Sudo uses a `configure' script to probe the capabilities and type
of the system in question. In this release, `configure' takes many
more options than it did before. Please read this document fully
before configuring and building sudo. You may also wish to read the
file INSTALL.configure which explains more about the `configure' script.

System requirements
===================

To build sudo from the source distribution you need a POSIX-compliant
operating system (any modern version of BSD, Linux or Unix should work),
an ANSI/ISO C compiler that supports the "long long" type, variadic
macros (a C99 feature) as well as the ar, make and ranlib utilities.

If you wish to modify the parser then you will need flex version
2.5.2 or later and either bison or byacc (sudo comes with a
pre-generated parser). You'll also have to run configure with the
--with-devel option or pass DEVEL=1 to make. You can get flex from
http://flex.sourceforge.net/. You can get GNU bison from
ftp://ftp.gnu.org/pub/gnu/bison/ or any GNU mirror.

Simple sudo installation
========================

For most systems and configurations it is possible simply to:

  0) If you are upgrading from a previous version of sudo
     please read the info in the UPGRADE file before proceeding.

  1) Read the `OS dependent notes' section for any particular
     "gotchas" relating to your operating system.

  2) `cd' to the source or build directory and type `./configure'
     to generate a Makefile and config.h file suitable for building
     sudo. Before you actually run configure you should read the
     `Available configure options' section to see if there are
     any special options you may want or need.

  4) Type `make' to compile sudo. If you are building sudo
     in a separate build tree (apart from the sudo source) GNU
     make will probably be required. If `configure' did its job
     properly (and you have a supported configuration) there won't
     be any problems. If this doesn't work, take a look at the
     doc/TROUBLESHOOTING file for tips on what might have gone
     wrong. Please mail us if you have a fix or if you are unable
     to come up with a fix (address at EOF).

  5) Type `make install' (as root) to install sudo, visudo, the
     man pages, and a skeleton sudoers file. Note that the install
     will not overwrite an existing sudoers file. You can also
     install various pieces of the package via the install-binaries,
     install-doc, and install-sudoers make targets.

  6) Edit the sudoers file with `visudo' as necessary for your
     site. You will probably want to refer to the sample.sudoers
     file and sudoers man page included with the sudo package.

  7) If you want to use syslogd(8) to do the logging, you'll need
     to update your /etc/syslog.conf file. See the sample.syslog.conf
     file included in the distribution for an example.
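The steps above, collected into an added shell wrapper that is not part of the sudo distribution: it checks for the build tools named under `System requirements', assembles a configure command line from options documented later in this file, builds, installs, and then validates the installed sudoers with `visudo -c'. The prefix, the secure_path value, the editor list and the logging choices are site assumptions, not sudo's defaults, and the build itself only runs when the script is invoked with --run from a sudo source tree.

```shell
#!/bin/sh
# Added example: build-and-install wrapper for the installation steps.
# Not part of the sudo distribution; the option values below are
# assumed site choices, not sudo defaults.
set -eu

# The `System requirements' section lists the tools every build needs.
# Returns 0 when all named tools are on PATH, 1 otherwise (naming the
# missing ones on stderr).
check_build_tools() {
    missing=""
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
    done
    if [ -n "$missing" ]; then
        echo "missing build tools:$missing" >&2
        return 1
    fi
    return 0
}

# Assemble the configure options as one string. Only options that are
# documented in this file are used; the values are assumptions.
configure_flags() {
    prefix=$1
    printf '%s' "--prefix=$prefix" \
        " --sysconfdir=/etc" \
        " --with-secure-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" \
        " --disable-root-sudo" \
        " --with-logging=both" \
        " --with-logpath=/var/log/sudo.log" \
        " --with-editor=/usr/bin/vi:/usr/bin/vim"
}

build_and_install() {
    prefix=${1:-/usr/local}
    check_build_tools cc ar make ranlib
    # Word splitting of the flag string is intended here.
    # shellcheck disable=SC2046
    ./configure $(configure_flags "$prefix")
    make
    # `make install' must run as root; it does not overwrite an
    # existing sudoers file.
    make install
    # Refuse to finish silently if the installed sudoers does not parse.
    "$prefix/sbin/visudo" -c -f /etc/sudoers
}

# Only build when explicitly asked to and when run from a sudo source tree.
if [ "${1:-}" = "--run" ] && [ -x ./configure ]; then
    build_and_install "${2:-/usr/local}"
fi
```

Run it as `sh build-sudo.sh --run /usr/local` from the top of the source tree; without --run it only defines the functions, so the flag string can be inspected with `configure_flags` before anything is built.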
64:
Available configure options
===========================

This section describes flags accepted by sudo's `configure' script.
Defaults are listed in brackets after the description.

Configuration:
  --cache-file=FILE
    Cache test results in FILE

  --config-cache, -C
    Alias for `--cache-file=config.cache'

  --help, -h
    Print the usage/help info

  --no-create, -n
    Do not create output files

  --quiet, --silent, -q
    Do not print `checking...' messages

  --srcdir=DIR
    Find the sources in DIR [configure dir or `..']

Directory and file names:
  --prefix=PREFIX
    Install architecture-independent files in PREFIX. [/usr/local]

  --exec-prefix=EPREFIX
    Install architecture-dependent files in EPREFIX.
    This includes the executables and plugins. [same as PREFIX]

  --bindir=DIR
    Install `sudo', `sudoedit' and `sudoreplay' in DIR. [EPREFIX/bin]

  --sbindir=DIR
    Install `visudo' in DIR. [EPREFIX/sbin]

  --libexecdir=DIR
    Install plugins and helper programs in DIR/sudo [PREFIX/libexec/sudo]

  --sysconfdir=DIR
    Look for `sudo.conf' and `sudoers' files in DIR. [/etc]

  --includedir=DIR
    Install sudo_plugin.h include file in DIR [PREFIX/include]

  --datarootdir=DIR
    Root directory for platform-independent data files [PREFIX/share]

  --localedir=DIR
    Install sudo and sudoers locale files in DIR [DATAROOTDIR/locale]

  --mandir=DIR
    Install man pages in DIR [PREFIX/man]

  --docdir=DIR
    Install other sudo documentation in DIR [DATAROOTDIR/doc/sudo]

  --with-plugindir=DIR
    Set the directory that sudo looks in to find the policy and I/O
    logging plugins. Defaults to LIBEXEC/sudo.

  --with-rundir=DIR
    Set the directory to be used for sudo-specific files that
    do not survive a system reboot. This is typically where
    the time stamp directory is located. By default, configure
    will use the first existing directory in the following list:
    /var/run, /var/db, /var/lib, /var/adm, /usr/adm
    This directory should be cleared when the system reboots.
    On systems that lack /var/run, the default rundir and vardir
    may be the same. In this case, only the ts directory inside
    the rundir needs to be cleared at boot time.

  --with-vardir=DIR
    Set the directory to be used for sudo-specific files that
    survive a system reboot. This is typically where the lecture
    status directory is stored. By default, configure will use
    the first existing directory in the following list:
    /var/db, /var/lib, /var/adm, /usr/adm
    This directory should not be cleared when the system boots.
Compilation options:
  --disable-hardening
    Disable the use of compiler/linker exploit mitigation options
    which are enabled by default. This includes compiling with
    _FORTIFY_SOURCE defined to 2, building with -fstack-protector
    and linking with -zrelro, where supported.

  --enable-pie
    Build sudo and related programs as position independent
    executables (PIE). This improves the effectiveness of address
    space layout randomization (ASLR) on systems that support it.
    Sudo will create PIE binaries by default on Linux systems.

  --disable-pie
    Disable the creation of position independent executables (PIE),
    even if the compiler creates PIE binaries by default. This
    option may be needed on some Linux systems where PIE binaries
    are not fully supported.

  --disable-poll
    Use select() instead of poll() in the event loop. By default,
    sudo will use poll() on systems that support it. Some systems
    have a broken poll() implementation and need to use select() instead.
    On Mac OS X, select() is always used since its poll() doesn't
    support devices.

  --disable-rpath
    By default, configure will use -Rpath in addition to -Lpath
    when passing library paths to the loader. This option will
    disable the use of -Rpath.

  --disable-shared
    Disable dynamic shared object support. By default, sudo
    is built with a plugin API capable of loading arbitrary
    policy and I/O logging plugins. If the --disable-shared
    option is specified, this support is disabled and the default
    sudoers policy and I/O plugins are embedded in the sudo
    binary itself. This will also disable the noexec option
    as it too relies on dynamic shared object support.

  --enable-static-sudoers
    By default, the sudoers plugin is built and installed as a
    dynamic shared object. When the --enable-static-sudoers
    option is specified, the sudoers plugin is compiled directly
    into the sudo binary. Unlike --disable-shared, this does
    not prevent other plugins from being used and the noexec
    option will continue to function.

  --enable-zlib[=location]
    Enable the use of the zlib compression library when storing
    I/O log files. If specified, location is the base directory
    containing the zlib include and lib directories. The special
    values "system" and "builtin" can be used to indicate that
    the system version of zlib should be used or that the version
    of zlib shipped with sudo should be used instead.
    If this option is not specified, configure will use the
    system zlib if it is present.

  --with-incpath=DIR
    Adds the specified directory (or directories) to CPPFLAGS
    so configure and the compiler will look there for include
    files. Multiple directories may be specified as long as
    they are space separated.
    E.g. --with-incpath="/usr/local/include /opt/include"

  --with-libpath=DIR
    Adds the specified directory (or directories) to LDFLAGS
    so configure and the compiler will look there for libraries.
    Multiple directories may be specified as with --with-incpath.

  --with-libraries=LIBRARY
    Adds the specified library (or libraries) to SUDO_LIBS and
    VISUDO_LIBS so sudo will link against them. If the
    library doesn't start with `-l' or end in `.a' or `.o' a
    `-l' will be pre-pended to it. Multiple libraries may be
    specified as long as they are space separated.

  --with-libtool=PATH
    By default, sudo will use the included version of libtool
    to build shared libraries. The --with-libtool option can
    be used to specify a different version of libtool to use.
    The special values "system" and "builtin" can be used in
    place of a path to denote the default system libtool (obtained
    via the user's PATH) and the default libtool that comes
    with sudo.
Optional features:
  --disable-root-mailer
    By default sudo will run the mailer as root when tattling
    on a user so as to prevent that user from killing the mailer.
    With this option, sudo will run the mailer as the invoking
    user which some people consider to be safer.

  --enable-nls[=location]
    Enable natural language support using the gettext() family
    of functions. If specified, location is the base directory
    containing the libintl include and lib directories. If
    this option is not specified, configure will look for the
    gettext() family of functions in the standard C library
    first, then check for a standalone libintl (linking with
    libiconv as needed).

  --disable-nls
    Disable natural language support. By default, sudo will
    use the gettext() family of functions, if available, to
    implement messages in the invoking user's native language.
    Note that translations do not exist for all languages.

  --with-ldap[=DIR]
    Enable LDAP support. If specified, DIR is the base directory
    containing the LDAP include and lib directories. Please see
    README.LDAP for more information.

  --with-ldap-conf-file=PATH
    Path to LDAP configuration file. If specified, sudo reads
    this file instead of /etc/ldap.conf to locate the LDAP server.

  --with-ldap-secret-file=PATH
    Path to LDAP secret password file. If specified, sudo uses
    this file instead of /etc/ldap.secret to read the secret password
    when rootbinddn is specified in the ldap config file.

  --with-logincap
    This adds support for login classes specified in /etc/login.conf.
    It is enabled by default on BSD/OS, Darwin, FreeBSD, OpenBSD and
    NetBSD (where available). By default, a login class is not applied
    unless the 'use_loginclass' option is defined in sudoers or the user
    specifies a class on the command line.

  --with-interfaces=no, --without-interfaces
    This option keeps sudo from trying to glean the IP address
    from each attached Ethernet interface. It is only useful
    on a machine where sudo's interface reading support does
    not work, which may be the case on some SysV-based OS's
    using STREAMS.

  --with-noexec[=PATH]
    Enable support for the "noexec" functionality which prevents
    a dynamically-linked program being run by sudo from executing
    another program (think shell escapes). Please see the
    "PREVENTING SHELL ESCAPES" section in the sudoers man page
    for details. If specified, PATH should be a fully qualified
    path name, e.g. /usr/local/libexec/sudo_noexec.so. If PATH
    is "no", noexec support will not be compiled in. The default
    is to compile noexec support if libtool supports building
    shared objects on your OS.

  --with-selinux
    Enable support for role based access control (RBAC) on
    systems that support SELinux.

  --with-sssd
    Enable support for using the System Security Services Daemon
    (SSSD) as a sudoers data source. For more information on
    SSSD, see http://fedorahosted.org/sssd/

  --with-sssd-lib=PATH
    Specify the path to the SSSD shared library, which is loaded
    at run-time.
Operating system-specific options:
  --disable-setreuid
    Disable use of the setreuid() function for operating systems
    where it is broken. For instance, 4.4BSD has setreuid()
    that is not fully functional.

  --disable-setresuid
    Disable use of the setresuid() function for operating systems
    where it is broken (none currently known).

  --enable-admin-flag
    Enable the creation of an Ubuntu-style admin flag file
    the first time sudo is run.

  --with-bsm-audit
    Enable support for sudo BSM audit logs on systems that support it.
    This includes recent versions of FreeBSD, Mac OS X and Solaris.

  --with-linux-audit
    Enable audit support for Linux systems. Audits attempts
    to run a command as well as SELinux role changes.

  --with-man
    Use the "man" macros for manual pages. By default, mdoc versions
    of the manuals are installed if supported. This can be used to
    override configure's test for "nroff -mdoc" support.

  --with-mdoc
    Use the "mdoc" macros for manual pages. By default, mdoc versions
    of the manuals are installed if supported. This can be used to
    override configure's test for "nroff -mdoc" support.

  --with-netsvc[=PATH]
    Path to netsvc.conf or "no" to disable netsvc.conf support.
    If specified, sudo uses this file instead of /etc/netsvc.conf
    on AIX systems. If netsvc support is disabled but LDAP is
    enabled, sudo will check LDAP first, then the sudoers file.

  --with-nsswitch[=PATH]
    Path to nsswitch.conf or "no" to disable nsswitch support.
    If specified, sudo uses this file instead of /etc/nsswitch.conf.
    If nsswitch support is disabled but LDAP is enabled, sudo will
    check LDAP first, then the sudoers file.

  --with-project
    Enable support for Solaris project resource limits.
    This option is only available on Solaris 9 and above.
Authentication options:
  --with-AFS
    Enable AFS support with Kerberos authentication. Should work under
    AFS 3.3. If your AFS doesn't have -laudit you should be able to
    link without it.

  --with-aixauth
    Enable support for the AIX 4.x general authentication function.
    This will use the authentication scheme specified for the user
    on the machine. It is on by default for AIX systems that
    support it.

  --with-bsdauth
    Enable support for BSD authentication. This is the default
    for BSD/OS and OpenBSD systems that support it.
    It is not possible to mix BSD authentication with other
    authentication methods (and there really should be no need
    to do so). Note that only the newer BSD authentication API
    is supported. If you don't have /usr/include/bsd_auth.h
    then you cannot use this.

  --with-DCE
    Enable DCE support for systems without PAM. Known to work on
    HP-UX 9.X, 10.X, and 11.0; other systems may require source
    code and/or `configure' changes. On systems with PAM support
    (such as HP-UX 11.0 and higher, Solaris, FreeBSD and Linux), the
    DCE PAM module (usually libpam_dce) should be used instead.

  --with-fwtk[=DIR]
    Enable TIS Firewall Toolkit (FWTK) 'authsrv' support. If specified,
    DIR is the base directory containing the compiled FWTK package
    (or at least the library and header files).

  --with-kerb5[=DIR]
    Enable Kerberos V support. If specified, DIR is the base
    directory containing the Kerberos V include and lib dirs.
    This uses Kerberos pass phrases for authentication but
    does not use the Kerberos cookie scheme. Will not work for
    Kerberos V older than version 1.1.

  --enable-kerb5-instance=string
    By default, the user name is used as the principal name
    when authenticating via Kerberos V. If this option is
    enabled, the specified instance string will be appended to
    the user name (separated by a slash) when creating the
    principal name.

  --with-opie[=DIR]
    Enable NRL OPIE OTP (One Time Password) support. If specified,
    DIR should contain include and lib directories with opie.h
    and libopie.a respectively.

  --with-otp-only
    This option is now just an alias for --without-passwd.

  --with-pam
    Enable PAM support. This is on by default for Darwin, FreeBSD,
    Linux, Solaris and HP-UX (version 11 and higher).

    NOTE: on RedHat Linux and Fedora you *must* have an /etc/pam.d/sudo
    file installed. You may either use the sample.pam file included with
    sudo or use /etc/pam.d/su as a reference. The sample.pam file
    included with sudo may or may not work with other Linux distributions.
    On Solaris and HP-UX 11 systems you should check (and understand)
    the contents of /etc/pam.conf. Do a "man pam.conf" for more
    information and consider using the "debug" option, if available,
    with your PAM libraries in /etc/pam.conf to obtain syslog output
    for debugging purposes.

  --with-pam-login
    Enable a specific PAM session when sudo is given the -i option.
    This changes the PAM service name when sudo is run with the -i
    option from "sudo" to "sudo-i", allowing for a separate PAM
    configuration for sudo's initial login mode.

  --disable-pam-session
    Disable sudo's PAM session support. This may be needed on
    older PAM implementations or on operating systems where
    opening a PAM session changes the utmp or wtmp files. If
    PAM session support is disabled, resource limits may not
    be updated for the command being run.

  --with-passwd=no, --without-passwd
    This option excludes authentication via the passwd (or
    shadow) file. It should only be used when another, alternative,
    authentication scheme is in use.

  --with-SecurID[=DIR]
    Enable SecurID support. If specified, DIR is the directory containing
    libaceclnt.a, acexport.h, and sdacmvls.h.

  --with-skey[=DIR]
    Enable S/Key OTP (One Time Password) support. If specified,
    DIR should contain include and lib directories with skey.h
    and libskey.a respectively.

  --disable-sia
    Disable SIA support. This is the "Security Integration
    Architecture" on Digital UNIX. If you disable SIA, sudo will
    use its own authentication routines.

  --disable-shadow
    Disable shadow password support. Normally, sudo will compile
    in shadow password support and use a shadow password if it
    exists.

  --enable-gss-krb5-ccache-name
    Use the gss_krb5_ccache_name() function to set the Kerberos
    V credential cache file name. By default, sudo will use
    the KRB5CCNAME environment variable to set this. While
    gss_krb5_ccache_name() provides a better API to do this it
    is not supported by all Kerberos V and SASL combinations.
Development options:
  --enable-env-debug
    Enable debugging of the environment setting functions. This
    enables extra checks to make sure the environment does not
    become corrupted.

  --enable-warnings
    Enable compiler warnings when building sudo with gcc.

  --enable-werror
    Enable the -Werror compiler option when building sudo with gcc.

  --with-devel
    Configure development options. This will enable compiler warnings
    and set up the Makefile to be able to regenerate the sudoers parser
    as well as the manual pages.

  --with-efence
    Link with the "electric fence" debugging malloc.
Options that set runtime-changeable default values:
  --disable-authentication
    By default, sudo requires the user to authenticate via a
    password or similar means. This option causes sudo to
    *not* require authentication. It is possible to turn
    authentication back on in sudoers via the PASSWD attribute.
    Sudoers option: !authenticate

  --disable-env-reset
    Disable environment resetting. This sets the default value
    of the "env_reset" Defaults option in sudoers to false.
    Sudoers option: !env_reset

  --disable-path-info
    Normally, sudo will tell the user when a command could not be found
    in their $PATH. Some sites may wish to disable this as it could
    be used to gather information on the location of executables that
    the normal user does not have access to. The disadvantage is that
    if the executable is simply not in the user's path, sudo will tell
    the user that they are not allowed to run it, which can be confusing.
    Sudoers option: path_info

  --disable-root-sudo
    Don't let root run sudo. This can be used to prevent people from
    "chaining" sudo commands to get a root shell by doing something
    like "sudo sudo /bin/sh".
    Sudoers option: !root_sudo

  --disable-zlib
    Disable the use of the zlib compression library when storing
    I/O log files.
    Sudoers option: !compress_io

  --enable-log-host
    Log the hostname in the log file.
    Sudoers option: log_host

  --enable-noargs-shell
    If sudo is invoked with no arguments it acts as if the "-s" flag had
    been given. That is, it runs a shell as root (the shell is determined
    by the SHELL environment variable, falling back on the shell listed
    in the invoking user's /etc/passwd entry).
    Sudoers option: shell_noargs

  --enable-shell-sets-home
    If sudo is invoked with the "-s" flag the HOME environment variable
    will be set to the home directory of the target user (which is root
    unless the "-u" option is used). This option effectively makes the
    "-s" flag imply "-H".
    Sudoers option: set_home

  --with-all-insults
    Include all the insult sets listed below. You must either specify
    --with-insults or enable insults in the sudoers file for this to
    have any effect.

  --with-askpass=PATH
    Set PATH as the "askpass" program to use when no tty is
    available. Typically, this is a graphical password prompter,
    similar to the one used by ssh. The program must take a
    prompt as an argument and print the received password to
    the standard output. This value may be overridden at run-time
    in the sudo.conf file.

  --with-badpass-message="BAD PASSWORD MESSAGE"
    Message that is displayed if a user enters an incorrect password.
    The default is "Sorry, try again." unless insults are turned on.
    Sudoers option: badpass_message

  --with-badpri=PRIORITY
    Determines which syslog priority to log unauthenticated
    commands and errors. The following priorities are supported:
    alert, crit, debug, emerg, err, info, notice, and warning.
    Sudoers option: syslog_badpri

  --with-classic-insults
    Uses insults from sudo "classic." If you just specify --with-insults
    you will get the classic and CSOps insults. This is on by default if
    --with-insults is given.

  --with-csops-insults
    Insults the user with an extra set of insults (some quotes, some
    original) from a sysadmin group at CU (CSOps). You must specify
    --with-insults as well for this to have any effect. This is on by
    default if --with-insults is given.

  --with-editor=PATH
    Specify the default editor path for use by visudo. This may be a
    single path name or a colon-separated list of editors. In the latter
    case, visudo will choose the editor that matches the user's VISUAL
    or EDITOR environment variables or the first editor in the list that
    exists. The default is the path to vi on your system.
    Sudoers option: editor

  --with-env-editor
    Makes visudo consult the VISUAL and EDITOR environment variables before
    falling back on the default editor list (as specified by --with-editor).
    Note that this may create a security hole as it allows the user to
    run any arbitrary command as root without logging. A safer alternative
    is to use a colon-separated list of editors with the --with-editor
    option. visudo will then only use the VISUAL or EDITOR variables
    if they match a value specified via --with-editor.
    Sudoers option: env_editor
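The editor-selection rule described under --with-editor and --with-env-editor, reimplemented as an added shell example (not visudo's own code) so the difference between the default allow-list behaviour and env_editor can be seen on constructed input. The function name choose_editor and its two arguments (the colon-separated list from --with-editor, and "yes"/"no" for env_editor) are assumptions; VISUAL and EDITOR are read from the environment.

```shell
#!/bin/sh
# Added example, not visudo's code: models how an editor is chosen from
# VISUAL/EDITOR against the --with-editor list.
#   choose_editor ALLOWED_LIST ENV_EDITOR(yes|no)
# Prints the chosen editor and returns 0, or returns 1 if none applies.
choose_editor() {
    allowed=$1
    env_editor=$2

    # VISUAL is consulted before EDITOR; empty values are skipped.
    for candidate in "${VISUAL:-}" "${EDITOR:-}"; do
        [ -n "$candidate" ] || continue
        if [ "$env_editor" = "yes" ]; then
            # env_editor: any value is honoured, even one not on the list.
            # This is the behaviour the text above calls a security hole.
            printf '%s\n' "$candidate"
            return 0
        fi
        # Default: the value is used only if it matches an allowed editor.
        oldifs=$IFS
        IFS=:
        for ed in $allowed; do
            if [ "$ed" = "$candidate" ]; then
                IFS=$oldifs
                printf '%s\n' "$candidate"
                return 0
            fi
        done
        IFS=$oldifs
    done

    # Neither variable matched: fall back on the first listed editor
    # that actually exists on this system.
    oldifs=$IFS
    IFS=:
    for ed in $allowed; do
        if [ -x "$ed" ]; then
            IFS=$oldifs
            printf '%s\n' "$ed"
            return 0
        fi
    done
    IFS=$oldifs
    return 1
}
```

With `VISUAL=/tmp/anything`, `choose_editor /usr/bin/vi:/usr/bin/vim no` ignores the variable and falls back on the list, while the same call with `yes` prints /tmp/anything; that is the whole difference between the two configure options.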

  --with-exempt=GROUP
    Users in the specified group don't need to enter a password when
    running sudo. This may be useful for sites that don't want their
    "core" sysadmins to have to enter a password but where Jr. sysadmins
    need to. You should probably use NOPASSWD in sudoers instead.
    Sudoers option: exempt_group

  --with-fqdn
    Define this if you want to put fully qualified host names in the sudoers
    file. I.e. instead of myhost you would use myhost.mydomain.edu. You may
    still use the short form if you wish (and even mix the two). Beware
    that turning FQDN on requires sudo to make DNS lookups which may make
    sudo unusable if your DNS is totally hosed. Also note that you must
    use the host's official name as DNS knows it. That is, you may not use
    a host alias (CNAME entry) due to performance issues and the fact that
    there is no way to get all aliases from DNS.
    Sudoers option: fqdn

  --with-goodpri=PRIORITY
    Determines which syslog priority to log successfully
    authenticated commands. The following priorities are
    supported: alert, crit, debug, emerg, err, info, notice,
    and warning.
    Sudoers option: syslog_goodpri

  --with-goons-insults
    Insults the user with lines from the "Goon Show" when an incorrect
    password is entered. You must either specify --with-insults or
    enable insults in the sudoers file for this to have any effect.

  --with-hal-insults
    Uses 2001-like insults when an incorrect password is entered.
    You must either specify --with-insults or enable insults in the
    sudoers file for this to have any effect.

  --with-ignore-dot
    If set, sudo will ignore '.' or '' (current dir) in $PATH.
    The $PATH itself is not modified.
    Sudoers option: ignore_dot

  --with-insults
    Define this if you want to be insulted for typing an incorrect password
    just like the original sudo(8). This is off by default.
    Sudoers option: insults

  --with-insults=disabled
    Include support for insults but disable them unless explicitly
    enabled in sudoers.
    Sudoers option: !insults

  --with-iologdir[=DIR]
    By default, sudo stores I/O log files in either /var/log/sudo-io,
    /var/adm/sudo-io, or /usr/log/sudo-io. If this option is
    specified, I/O logs will be stored in the indicated directory
    instead.
    Sudoers option: iolog_dir

  --with-lecture=no, --without-lecture
    Don't print the lecture the first time a user runs sudo.
    Sudoers option: !lecture

  --with-logfac=FACILITY
    Determines which syslog facility to log to. This requires
    a 4.3BSD or later version of syslog. You can still set
    this for ancient syslogs but it will have no effect. The
    following facilities are supported: authpriv (if your OS
    supports it), auth, daemon, user, local0, local1, local2,
    local3, local4, local5, local6, and local7.
    Sudoers option: syslog

  --with-logging=TYPE
    How you want to do your logging. You may choose "syslog",
    "file", or "both". Setting this to "syslog" is nice because
    you can keep all of your sudo logs in one place (see the
    sample.syslog.conf file). The default is "syslog".
    Sudoers options: syslog and logfile

  --with-loglen=NUMBER
    Number of characters per line for the file log. This is only used if
    you are logging to "file" or "both". This value is used to decide when
    to wrap lines for nicer log files. The default is 80. Setting this to 0
    will disable the wrapping.
    Sudoers option: loglinelen

  --with-logpath=PATH
    Override the default location of the sudo log file and use
    PATH instead. By default sudo will use /var/log/sudo.log if
    there is a /var/log dir, falling back to /var/adm/sudo.log
    or /usr/adm/sudo.log if not.
    Sudoers option: logfile

  --with-long-otp-prompt
    When validating with a One Time Password scheme (S/Key or
    OPIE), a two-line prompt is used to make it easier to cut
    and paste the challenge to a local window. It's not as
    pretty as the default but some people find it more convenient.
    Sudoers option: long_otp_prompt

  --with-mail-if-no-user=no, --without-mail-if-no-user
    Normally, sudo will mail to the "alertmail" user if the user invoking
    sudo is not in the sudoers file. This option disables that behavior.
    Sudoers option: mail_no_user

  --with-mail-if-no-host
    Send mail to the "alertmail" user if the user exists in the sudoers
    file, but is not allowed to run commands on the current host.
    Sudoers option: mail_no_host

  --with-mail-if-noperms
    Send mail to the "alertmail" user if the user is allowed to use sudo but
    the command they are trying is not listed in their sudoers file entry.
    Sudoers option: mail_no_perms

  --with-mailsubject="SUBJECT OF MAIL"
    Subject of the mail sent to the "mailto" user. The token "%h"
    will expand to the hostname of the machine.
    Default is "*** SECURITY information for %h ***".
    Sudoers option: mailsub

  --with-mailto=USER|MAIL_ALIAS
    User (or mail alias) that mail from sudo is sent to.
    This should go to a sysadmin at your site. The default is "root".
    Sudoers option: mailto

  --with-passprompt="PASSWORD PROMPT"
    Default prompt to use when asking for a password; can be overridden
    via the -p option and the SUDO_PROMPT environment variable. Supports
    the "%H", "%h", "%U" and "%u" escapes as documented in the sudo
    manual page. The default value is "Password:".
    Sudoers option: passprompt

  --with-password-timeout=NUMBER
    Number of minutes before the sudo password prompt times out.
    The default is 5; set this to 0 for no password timeout.
    Sudoers option: passwd_timeout

  --with-passwd-tries=NUMBER
    Number of tries a user gets to enter his/her password before sudo logs
    the failure and exits. The default is 3.
    Sudoers option: passwd_tries

  --with-pc-insults
    Replace politically incorrect insults with less objectionable ones.

  --with-runas-default=USER
    The default user to run commands as if the -u flag is not specified
    on the command line. This defaults to "root".
    Sudoers option: runas_default

  --with-secure-path[=PATH]
    Path used for every command run from sudo(8). If you don't trust the
    people running sudo to have a sane PATH environment variable you may
    want to use this. Another use is if you want to have the "root path"
    be separate from the "user path." You will need to customize the path
    for your site. NOTE: this is not applied to users in the group
    specified by --with-exempt. If you do not specify a path,
    "/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc" is used.
    Sudoers option: secure_path
751:
752: --with-sendmail=PATH
753: Override configure's guess as to the location of sendmail.
754: Sudoers option: mailerpath
755:
756: --with-sendmail=no, --without-sendmail
757: Do not use sendmail to mail messages to the "mailto" user.
758: Use only if you don't run sendmail or the equivalent.
759: Sudoers options: !mailerpath or !mailto
760:
761: --with-sudoers-mode=MODE
762: File mode for the sudoers file (octal). Note that if you
763: wish to NFS-mount the sudoers file this must be group
764: readable. This value may overridden at run-time in the
765: sudo.conf file. The default mode is 0440.
766:
767: --with-sudoers-uid=UID
768: User id that "owns" the sudoers file. Note that this is
769: the numeric id, *not* the symbolic name. This value may
770: overridden at run-time in the sudo.conf file. The default
771: is 0.
772:
773: --with-sudoers-gid=GID
774: Group id that "owns" the sudoers file. Note that this is
775: the numeric id, *not* the symbolic name. This value may
776: overridden at run-time in the sudo.conf file. The default
777: is 0.
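
As an added example (not part of the sudo distribution), the following
POSIX sh script checks the two file-system preconditions that the
--with-secure-path and --with-sudoers-mode/-uid/-gid options above rely
on: that every secure_path entry is an absolute directory not writable
by group or other, and that the sudoers file carries the expected mode,
owner and group. The expected mode and ids are parameters defaulting to
0440, 0 and 0; the paths and the --run guard at the bottom are the
example's own conventions, not sudo's.

```shell
#!/bin/sh
# Added example, not sudo's own code: audit the file-system assumptions
# behind secure_path and the sudoers file mode/owner/group defaults.

# Convert an ls(1) permission string such as "-r--r-----" or "-rwsr-xr-x"
# into a four-digit octal mode ("0440", "4755").  Using ls -ldn keeps this
# portable where stat(1) flags differ between GNU and BSD systems.
perm_string_to_octal() {
    str=$1
    special=0
    bits=""
    for pos in 2 5 8; do
        triple=$(printf '%s' "$str" | cut -c"$pos"-"$((pos + 2))")
        digit=0
        case $triple in r??) digit=$((digit + 4)) ;; esac
        case $triple in ?w?) digit=$((digit + 2)) ;; esac
        case $triple in ??[xst]) digit=$((digit + 1)) ;; esac
        case "$pos$triple" in
            2??[sS]) special=$((special + 4)) ;;   # setuid
            5??[sS]) special=$((special + 2)) ;;   # setgid
            8??[tT]) special=$((special + 1)) ;;   # sticky
        esac
        bits="$bits$digit"
    done
    printf '%s%s\n' "$special" "$bits"
}

# Print "MODE UID GID" for a path (numeric ids, octal mode).
path_mode_owner() {
    set -- $(ls -ldn "$1")
    printf '%s %s %s\n' "$(perm_string_to_octal "$1")" "$3" "$4"
}

# audit_secure_path PATHVALUE
# Fails on empty or relative entries and on existing directories that are
# writable by group or other.  Missing directories are only noted, since
# the default list contains /usr/ucb and /usr/etc, which many systems lack.
audit_secure_path() {
    rest="$1:"
    rc=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            "") echo "BAD: empty entry (searches the current directory)"; rc=1; continue ;;
            /*) ;;
            *)  echo "BAD: relative entry '$entry'"; rc=1; continue ;;
        esac
        if [ ! -d "$entry" ]; then
            echo "note: $entry does not exist"
            continue
        fi
        set -- $(path_mode_owner "$entry")
        mode=$1
        uid=$2
        # 022 selects the group-write and other-write bits of the mode
        if [ $((0$mode & 022)) -ne 0 ]; then
            echo "BAD: $entry is group/other writable (mode $mode)"; rc=1
        elif [ "$uid" -ne 0 ]; then
            echo "warn: $entry is owned by uid $uid, not root"
        fi
    done
    return $rc
}

# check_sudoers_perms FILE [MODE] [UID] [GID]
# Defaults match --with-sudoers-mode/-uid/-gid: 0440, 0, 0.
check_sudoers_perms() {
    file=$1
    want_mode=$(printf '%04o' "$((0${2:-0440}))")
    want_uid=${3:-0}
    want_gid=${4:-0}
    if [ ! -f "$file" ]; then
        echo "BAD: $file is missing"
        return 1
    fi
    set -- $(path_mode_owner "$file")
    rc=0
    [ "$1" = "$want_mode" ] || { echo "BAD: $file mode $1, expected $want_mode"; rc=1; }
    [ "$2" = "$want_uid" ]  || { echo "BAD: $file uid $2, expected $want_uid"; rc=1; }
    [ "$3" = "$want_gid" ]  || { echo "BAD: $file gid $3, expected $want_gid"; rc=1; }
    return $rc
}

# Run the audit against the build defaults only when invoked with --run.
if [ "${1:-}" = "--run" ]; then
    audit_secure_path "/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc"
    check_sudoers_perms /etc/sudoers
fi
```

The directory checks deliberately treat a sticky-bit world-writable
directory such as /tmp as a failure: a secure_path entry anyone can add
files to defeats the purpose of the option. The warning for non-root
ownership is informational, because the page defines no ownership
requirement for path entries.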

--with-timeout=NUMBER
Number of minutes that can elapse before sudo will ask for a password
again. The default is 5; set this to 0 to always prompt for a password.
Sudoers option: timestamp_timeout

--with-tty-tickets=no, --without-tty-tickets
By default, sudo uses a different ticket file for each user/tty combo.
With this option disabled, a single ticket will be used for all
of a user's login sessions.
Sudoers option: tty_tickets

--with-umask=MASK
Umask to use when running the root command. The default is 0022.
Sudoers option: umask

--with-umask=no, --without-umask
Preserves the umask of the user invoking sudo.
Sudoers option: !umask

--with-umask-override
Use the umask specified in sudoers even if it is less restrictive
than the user's. The default is to use the intersection of the
user's umask and the umask specified in sudoers, i.e. the more
restrictive of the two.
Sudoers option: umask_override
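
The word "intersection" above refers to the permissions the two umasks
allow, which in terms of mask bits is a bitwise OR. As an added
example (not sudo's own code), the POSIX sh functions below compute the
umask sudo ends up applying under both settings and the mode a command
then creates files with; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not sudo's own code: umask handling under umask_override.

# effective_umask USER_UMASK SUDOERS_UMASK [yes|no]
# With umask_override off (the default) the result allows only what both
# umasks allow, so the masked-out bits are OR-ed together.  With it on,
# the sudoers value is used as given, even if it is looser than the user's.
effective_umask() {
    user_umask=$1
    sudoers_umask=$2
    override=${3:-no}
    if [ "$override" = yes ]; then
        printf '%04o\n' "$((0$sudoers_umask))"
    else
        printf '%04o\n' "$((0$user_umask | 0$sudoers_umask))"
    fi
}

# created_mode REQUESTED_MODE UMASK
# Mode a file ends up with: the requested bits minus those in the umask.
created_mode() {
    requested=$1
    mask=$2
    printf '%04o\n' "$((0$requested & ~0$mask))"
}

# A user with umask 077 running a command under the default sudoers umask
# of 022: files stay private (0600) unless umask_override loosens it (0644).
created_mode 0666 "$(effective_umask 077 022)"
created_mode 0666 "$(effective_umask 077 022 yes)"
```

The second call shows the security effect of umask_override: a user
whose own umask keeps new files private can, with that option enabled,
have sudo create world-readable files because the sudoers value wins.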

OS dependent notes
==================

HP-UX:
The default C compiler shipped with HP-UX is not an ANSI compiler.
You must use either the HP ANSI C compiler or gcc to build sudo.
Binary packages of gcc are available from http://hpux.connect.org.uk/.

To prevent PAM from overriding the value of umask on HP-UX 11,
you will need to add a line like the following to /etc/pam.conf:

sudo session required libpam_hpsec.so.1 bypass_umask

If every command run via sudo displays information about the last
successful login and the last authentication failure, you should
use an /etc/pam.conf line like:

sudo session required libpam_hpsec.so.1 bypass_umask bypass_last_login

Linux:
PAM and LDAP headers are not installed by default on most Linux
systems. You will need to install the "pam-dev" package if
/usr/include/security/pam_appl.h is not present on your system.
If you wish to build with LDAP support you will also need the
openldap-devel package.

Mac OS X:
The pseudo-tty support in the Mac OS X kernel has bugs related
to its handling of the SIGTSTP, SIGTTIN and SIGTTOU signals.
It does not restart reads and writes when those signals are
delivered. This may cause problems for some commands when I/O
logging is enabled. The issue has been reported to Apple and
is bug id #7952709.

Solaris:
You need to have a C compiler in order to build sudo. Since
Solaris does not come with one by default, this means that you
need to either install the Solaris Studio compiler suite,
available for free from www.oracle.com, or install the GNU C
compiler (gcc), which can be installed via the pkg utility
on Solaris 11 and higher and is distributed on the Solaris
Companion CD for older Solaris releases. You can also download
gcc packages from http://www.opencsw.org/packages/CSWgcc4core/

SunOS 4.x:
SunOS does not ship with an ANSI C compiler. You will need to
install an ANSI compiler such as gcc to build sudo.

The /bin/sh shipped with SunOS blows up while running configure.
You can work around this by installing bash or zsh. If you
have bash or zsh in your path, configure will use it automatically.