diff options
Diffstat (limited to 'INSTALL')
| -rw-r--r-- | INSTALL | 937 |
1 files changed, 937 insertions, 0 deletions
@@ -0,0 +1,937 @@ +Sudo installation instructions +============================== + +Sudo uses a `configure' script to probe the capabilities and type +of the system in question. In this release, `configure' takes many +more options than it did before. Please read this document fully +before configuring and building sudo. You may also wish to read the +file INSTALL.configure which explains more about the `configure' script. + +System requirements +=================== + +To build sudo from the source distribution you need a POSIX-compliant +operating system (any modern version of BSD, Linux or Unix should work), +an ANSI/ISO C compiler that supports the "long long" type, variadic +macros (a C99 feature) as well as the ar, make and ranlib utilities. + +If you wish to modify the parser then you will need flex version +2.5.2 or later and either bison or byacc (sudo comes with a +pre-generated parser). You'll also have to run configure with the +--with-devel option or pass DEVEL=1 to make. You can get flex from +http://flex.sourceforge.net/. You can get GNU bison from +ftp://ftp.gnu.org/pub/gnu/bison/ or any GNU mirror. + +Simple sudo installation +======================== + +For most systems and configurations it is possible simply to: + + 0) If you are upgrading from a previous version of sudo + please read the info in the UPGRADE file before proceeding. + + 1) Read the `OS dependent notes' section for any particular + "gotchas" relating to your operating system. + + 2) `cd' to the source or build directory and type `./configure' + to generate a Makefile and config.h file suitable for building + sudo. Before you actually run configure you should read the + `Available configure options' section to see if there are + any special options you may want or need. + + 4) Type `make' to compile sudo. If you are building sudo + in a separate build tree (apart from the sudo source) GNU + make will probably be required. If `configure' did its job + properly (and you have a supported configuration) there won't + be any problems. If this doesn't work, take a look at the + doc/TROUBLESHOOTING file for tips on what might have gone + wrong. Please mail us if you have a fix or if you are unable + to come up with a fix (address at EOF). + + 5) Type `make install' (as root) to install sudo, visudo, the + man pages, and a skeleton sudoers file. Note that the install + will not overwrite an existing sudoers file. You can also + install various pieces the package via the install-binaries, + install-doc, and install-sudoers make targets. + + 6) Edit the sudoers file with `visudo' as necessary for your + site. You will probably want to refer the example sudoers + file and sudoers man page included with the sudo package. + + 7) If you want to use syslogd(8) to do the logging, you'll need + to update your /etc/syslog.conf file. See the example syslog.conf + file included in the distribution for an example. + +Available configure options +=========================== + +This section describes flags accepted by the sudo's `configure' script. +Defaults are listed in brackets after the description. + +Configuration: + --cache-file=FILE + Cache test results in FILE + + --config-cache, -C + Alias for `--cache-file=config.cache' + + --help, -h + Print the usage/help info + + --no-create, -n + Do not create output files + + --quiet, --silent, -q + Do not print `checking...' messages + + --srcdir=DIR + Find the sources in DIR [configure dir or `..'] + +Directory and file names: + --prefix=PREFIX + Install architecture-independent files in PREFIX. [/usr/local] + + --exec-prefix=EPREFIX + Install architecture-dependent files in EPREFIX. + This includes the executables and plugins. [same as PREFIX] + + --bindir=DIR + Install `sudo', `sudoedit' and `sudoreplay' in DIR. [EPREFIX/bin] + + --sbindir=DIR + Install `visudo' in DIR. [EPREFIX/sbin] + + --libexecdir=DIR + Install plugins and helper programs in DIR/sudo [PREFIX/libexec/sudo] + + --sysconfdir=DIR + Look for `sudo.conf' and `sudoers' files in DIR. [/etc] + + --includedir=DIR + Install sudo_plugin.h include file in DIR [PREFIX/include] + + --datarootdir=DIR + Root directory for platform-independent data files [PREFIX/share] + + --localedir=DIR + Install sudo and sudoers locale files in DIR [DATAROOTDIR/locale] + + --mandir=DIR + Install man pages in DIR [PREFIX/man] + + --docdir=DIR + Install other sudo documentation in DIR [DATAROOTDIR/doc/sudo] + + --with-exampledir=DIR + Install sudo example files in DIR [DATAROOTDIR/doc/sudo/examples] + + --with-plugindir=DIR + The directory that sudo looks in to find the policy and I/O + logging plugins. Defaults to the LIBEXEC/sudo. + + --with-rundir=DIR + The directory to be used for sudo-specific files that do + not survive a system reboot. This is typically where the + time stamp directory is located. By default, configure + will choose from the following list: + /run/sudo /var/run/sudo, /var/db/sudo, /var/lib/sudo, + /var/adm/sudo, /usr/adm/sudo + This directory should be cleared when the system reboots. + On systems that lack /run or /var/run, the default rundir and + vardir may be the same. In this case, only the ts directory + inside the rundir needs to be cleared at boot time. + + --with-vardir=DIR + The directory to be used for sudo-specific files that survive + a system reboot. This is typically where the lecture status + directory is stored. By default, configure will choose + from the following list: + /var/db/sudo, /var/lib/sudo, /var/adm/sudo, /usr/adm/sudo + This directory should *not* be cleared when the system boots. + + --with-tzdir=DIR + The directory to the system's time zone data files. This + is only used when sanitizing the TZ environment variable + to allow for fully-qualified paths in TZ. By default, + configure will look for an existing "zoneinfo" directory + in the following locations: + /usr/share /usr/share/lib /usr/lib /etc + If no zoneinfo directory is found, the TZ variable may not + contain a fully-qualified path. + +Compilation options: + --disable-hardening + Disable the use of compiler/linker exploit mitigation options + which are enabled by default. This includes compiling with + _FORTIFY_SOURCE defined to 2, building with -fstack-protector + and linking with -zrelro, where supported. + + --enable-asan + Enable the use of AddressSanitizer if supported by the + compiler. This can help detect common problems such as + buffer overflows and user after free bugs as well as behavior + undefined by the C standard. For more information see + https://github.com/google/sanitizers/wiki/AddressSanitizer + The following compiler flag is used: -fsanitize=address,undefined + + This option should only be used for testing and not in a + production environment. Due to AddressSanitizer's unchecked + use of environment variables, it is trivial to exploit a + setuid root executable such as sudo. + + --enable-pie + Build sudo and related programs as as a position independent + executables (PIE). This improves the effectiveness of address + space layout randomization (ASLR) on systems that support it. + Sudo will create PIE binaries by default on Linux systems. + + --disable-pie + Disable the creation of position independent executables (PIE), + even if the compiler creates PIE binaries by default. This + option may be needed on some Linux systems where PIE binaries + are not fully supported. + + --disable-poll + Use select() instead of poll() in the event loop. By default, + sudo will use poll() on systems that support it. Some systems + have a broken poll() implementation and need to use select instead. + On Mac OS X, select() is always used since its poll() doesn't + support devices. + + --disable-rpath + By default, configure will use -Rpath in addition to -Lpath + when passing library paths to the loader. This option will + disable the use of -Rpath. + + --disable-shared + Disable dynamic shared object support. By default, sudo + is built with a plugin API capable of loading arbitrary + policy and I/O logging plugins. If the --disable-shared + option is specified, this support is disabled and the default + sudoers policy and I/O plugins are embedded in the sudo + binary itself. This will also disable the noexec option + as it too relies on dynamic shared object support. + + --disable-shared-libutil + Disable the use of the dynamic libsudo_util library. By + default, sudo, the sudoers plugin and the associated sudo + utilities are linked against a shared version of libsudo_util. + If the --disable-shared-libutil option is specified, a + static version of the libsudo_util library will be used + instead. This option may only be used in conjunction with + the --enable-static-sudoers option. + + --enable-static-sudoers + By default, the sudoers plugin is built and installed as a + dynamic shared object. When the --enable-static-sudoers + option is specified, the sudoers plugin is compiled directly + into the sudo binary. Unlike --disable-shared, this does + not prevent other plugins from being used and the noexec + option will continue to function. + + --enable-tmpfiles.d=DIR + Set the directory to be used when installing the sudo + tmpfiles.d file. This is used to create (or clear) the + sudo time stamp directory on operating systems that use + systemd. If this option is not specified, configure will + use the /usr/lib/tmpfiles.d directory if the file + /usr/lib/tmpfiles.d/systemd.conf exists. + + --enable-zlib[=location] + Enable the use of the zlib compress library when storing + I/O log files. If specified, location is the base directory + containing the zlib include and lib directories. The special + values "system", "builtin", "shared" and "static" can be + used to indicate that the system version of zlib should be + used or that the version of zlib shipped with sudo should + be used instead. If "static" is specified, sudo will + statically link the builtin zlib and not install it. If + this option is not specified, configure will use the system + zlib if it is present, falling back on the sudo version. + + --with-incpath=DIR + Adds the specified directory (or directories) to CPPFLAGS + so configure and the compiler will look there for include + files. Multiple directories may be specified as long as + they are space separated. + E.g. --with-incpath="/usr/local/include /opt/include" + + --with-libpath=DIR + Adds the specified directory (or directories) to LDFLAGS + so configure and the compiler will look there for libraries. + Multiple directories may be specified as with --with-incpath. + + --with-libraries=LIBRARY + Adds the specified library (or libraries) to SUDO_LIBS and + and VISUDO_LIBS so sudo will link against them. If the + library doesn't start with `-l' or end in `.a' or `.o' a + `-l' will be pre-pended to it. Multiple libraries may be + specified as long as they are space separated. + + --with-libtool=PATH + By default, sudo will use the included version of libtool + to build shared libraries. The --with-libtool option can + be used to specify a different version of libtool to use. + The special values "system" and "builtin" can be used in + place of a path to denote the default system libtool (obtained + via the user's PATH) and the default libtool that comes + with sudo. + +Optional features: + --disable-root-mailer + By default sudo will run the mailer as root when tattling + on a user so as to prevent that user from killing the mailer. + With this option, sudo will run the mailer as the invoking + user which some people consider to be safer. + + --enable-nls[=location] + Enable natural language support using the gettext() family + of functions. If specified, location is the base directory + containing the libintl include and lib directories. If + this option is not specified, configure will look for the + gettext() family of functions in the standard C library + first, then check for a standalone libintl (linking with + libiconv as needed). + + --disable-nls + Disable natural language support. By default, sudo will + use the gettext() family of functions, if available, to + implement messages in the invoking user's native language. + Note that translations do not exist for all languages. + + --with-ldap[=DIR] + Enable LDAP support. If specified, DIR is the base directory + containing the LDAP include and lib directories. Please see + README.LDAP for more information. + + --with-ldap-conf-file=PATH + Path to LDAP configuration file. If specified, sudo reads + this file instead of /etc/ldap.conf to locate the LDAP server. + + --with-ldap-secret-file=PATH + Path to LDAP secret password file. If specified, sudo uses + this file instead of /etc/ldap.secret to read the secret password + when rootbinddn is specified in the ldap config file. + + --disable-sasl + Disable SASL authentication for LDAP. By default, sudo + will compile in support for SASL authentication if the + ldap_sasl_interactive_bind_s() function is present in the + LDAP libraries. + + --with-logincap + This adds support for login classes specified in /etc/login.conf. + It is enabled by default on BSD/OS, Darwin, FreeBSD, OpenBSD and + NetBSD (where available). By default, a login class is not applied + unless the 'use_loginclass' option is defined in sudoers or the user + specifies a class on the command line. + + --with-interfaces=no, --without-interfaces + This option keeps sudo from trying to glean the ip address + from each attached Ethernet interface. It is only useful + on a machine where sudo's interface reading support does + not work, which may be the case on some SysV-based OS's + using STREAMS. + + --with-noexec[=PATH] + Enable support for the "noexec" functionality which prevents + a dynamically-linked program being run by sudo from executing + another program (think shell escapes). Please see the + "PREVENTING SHELL ESCAPES" section in the sudoers man page + for details. If specified, PATH should be a fully qualified + path name, e.g. /usr/local/libexec/sudo/sudo_noexec.so. If PATH + is "no", noexec support will not be compiled in. The default + is to compile noexec support if libtool supports building + shared objects on your OS. + + --with-selinux + Enable support for role based access control (RBAC) on + systems that support SELinux. + + --with-sssd + Enable support for using the System Security Services Daemon + (SSSD) as a sudoers data source. For more information on + SSD, see http://fedorahosted.org/sssd/ + + --with-sssd-conf=PATH + Specify the path to the SSSD configuration file, if different + from the default value of /etc/sssd/sssd.conf. + + --with-sssd-lib=PATH + Specify the path to the SSSD shared library, which is loaded + at run-time. + + --enable-offensive-insults + Enable potentially offensive sudo insults from the classic + version of sudo. + + --enable-pvs-studio + Generate a sample PVS-Studio.cfg file based on the compiler and + platform type. The "pvs-studio" Makefile target can then be + used if PVS-Studio is installed. + +Operating system-specific options: + --disable-setreuid + Disable use of the setreuid() function for operating systems + where it is broken. For instance, 4.4BSD has setreuid() that + is not fully functional. + + --disable-setresuid + Disable use of the setresuid() function for operating systems + where it is broken (none currently known). + + --enable-admin-flag + Enable the creation of an Ubuntu-style admin flag file + the first time sudo is run. + + --enable-devsearch=PATH + Set a system-specific search path of directories to look in + for device nodes. Sudo uses this when mapping the process's + tty device number to a device name. The default value is: + /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + + --with-bsm-audit + Enable support for sudo BSM audit logs on systems that support it. + This includes recent versions of FreeBSD, Mac OS X and Solaris. + + --with-linux-audit + Enable audit support for Linux systems. Audits attempts + to run a command as well as SELinux role changes. + + --with-man + Use the "man" macros for manual pages. By default, mdoc versions + of the manuals are installed if supported. This can be used to + override configure's test for "nroff -mdoc" support. + + --with-mdoc + Use the "mdoc" macros for manual pages. By default, mdoc versions + of the manuals are installed if supported. This can be used to + override configure's test for "nroff -mdoc" support. + + --with-netsvc[=PATH] + Path to netsvc.conf or "no" to disable netsvc.conf support. + If specified, sudo uses this file instead of /etc/netsvc.conf + on AIX systems. If netsvc support is disabled but LDAP is + enabled, sudo will check LDAP first, then the sudoers file. + + --with-nsswitch[=PATH] + Path to nsswitch.conf or "no" to disable nsswitch support. + If specified, sudo uses this file instead of /etc/nsswitch.conf. + If nsswitch support is disabled but LDAP is enabled, sudo will + check LDAP first, then the sudoers file. + + --with-project + Enable support for Solaris project resource limits. + This option is only available on Solaris 9 and above. + +Authentication options: + --with-AFS + Enable AFS support with Kerberos authentication. Should work under + AFS 3.3. If your AFS doesn't have -laudit you should be able to + link without it. + + --with-aixauth + Enable support for the AIX general authentication function. + This will use the authentication scheme specified for the + user on the machine. By default, sudo will use either AIX + authentication or PAM depending on the value of the auth_type + setting in the /etc/security/login.cfg file. + + --with-bsdauth + Enable support for BSD authentication. This is the default + for BSD/OS and OpenBSD systems that support it. + It is not possible to mix BSD authentication with other + authentication methods (and there really should be no need + to do so). Note that only the newer BSD authentication API + is supported. If you don't have /usr/include/bsd_auth.h + then you cannot use this. + + --with-DCE + Enable DCE support for systems without PAM. Known to work on + HP-UX 9.X, 10.X, and 11.0; other systems may require source + code and/or `configure' changes. On systems with PAM support + (such as HP-UX 11.0 and higher, Solaris, FreeBSD and Linux), the + DCE PAM module (usually libpam_dce) should be used instead. + + --with-fwtk[=DIR] + Enable TIS Firewall Toolkit (FWTK) 'authsrv' support. If specified, + DIR is the base directory containing the compiled FWTK package + (or at least the library and header files). + + --with-kerb5[=DIR] + Enable Kerberos V support. If specified, DIR is the base + directory containing the Kerberos V include and lib dirs. + This uses Kerberos pass phrases for authentication but + does not use the Kerberos cookie scheme. Will not work for + Kerberos V older than version 1.1. + + --enable-kerb5-instance=string + By default, the user name is used as the principal name + when authenticating via Kerberos V. If this option is + enabled, the specified instance string will be appended to + the user name (separated by a slash) when creating the + principal name. + + --with-solaris-audit + Enable audit support for Solaris 11 and above. + For older versions of Solaris, use --with-bsm-audit + + --with-opie[=DIR] + Enable NRL OPIE OTP (One Time Password) support. If specified, + DIR should contain include and lib directories with opie.h + and libopie.a respectively. + + --with-otp-only + This option is now just an alias for --without-passwd. + + --with-pam + Enable PAM support. This is on by default for Darwin, FreeBSD, + Linux, Solaris and HP-UX (version 11 and higher). + + NOTE: on RedHat Linux and Fedora you *must* have an /etc/pam.d/sudo + file install. You may either use the example pam.conf file included + with sudo or use /etc/pam.d/su as a reference. The pam.conf file + included with sudo may or may not work with other Linux distributions. + On Solaris and HP-UX 11 systems you should check (and understand) + the contents of /etc/pam.conf. Do a "man pam.conf" for more + information and consider using the "debug" option, if available, + with your PAM libraries in /etc/pam.conf to obtain syslog output + for debugging purposes. + + --with-pam-login + Enable a specific PAM session when sudo is given the -i option. + This changes the PAM service name when sudo is run with the -i + option from "sudo" to "sudo-i", allowing for a separate pam + configuration for sudo's initial login mode. + + --disable-pam-session + Disable sudo's PAM session support. This may be needed on + older PAM implementations or on operating systems where + opening a PAM session changes the utmp or wtmp files. If + PAM session support is disabled, resource limits may not + be updated for the command being run. + + --with-passwd=no, --without-passwd + This option excludes authentication via the passwd (or + shadow) file. It should only be used when another, alternative, + authentication scheme is in use. + + --with-SecurID[=DIR] + Enable SecurID support. If specified, DIR is directory containing + libaceclnt.a, acexport.h, and sdacmvls.h. + + --with-skey[=DIR] + Enable S/Key OTP (One Time Password) support. If specified, + DIR should contain include and lib directories with skey.h + and libskey.a respectively. + + --disable-sia + Disable SIA support. This is the "Security Integration + Architecture" on Digital UNIX. If you disable SIA sudo will + use its own authentication routines. + + --disable-shadow + Disable shadow password support. Normally, sudo will compile + in shadow password support and use a shadow password if it + exists. + + --enable-gss-krb5-ccache-name + Use the gss_krb5_ccache_name() function to set the Kerberos + V credential cache file name. By default, sudo will use + the KRB5CCNAME environment variable to set this. While + gss_krb5_ccache_name() provides a better API to do this it + is not supported by all Kerberos V and SASL combinations. + + --enable-gcrypt[=DIR] + Use GNU crypt's SHA-2 message digest functions instead of the + ones bundled with sudo (or in the system's C library). + If specified, DIR should contain include and lib directories + with gcrypt.h and libgcrypt respectively. + + --enable-openssl[=DIR] + Use OpenSSL's SHA-2 message digest functions instead of the + ones bundled with sudo (or in the system's C library). + If specified, DIR should contain include and lib directories + with openssl/sha.h and libcrypto respectively. + +Development options: + --enable-env-debug + Enable debugging of the environment setting functions. This + enables extra checks to make sure the environment does not + become corrupted. + + --enable-warnings + Enable compiler warnings when building sudo with gcc. + + --enable-werror + Enable the -Werror compiler option when building sudo with gcc. + + --with-devel + Configure development options. This will enable compiler warnings + and set up the Makefile to be able to regenerate the sudoers parser + as well as the manual pages. + + --with-efence + Link with the "electric fence" debugging malloc. + +Options that set runtime-changeable default values: + --disable-authentication + By default, sudo requires the user to authenticate via a + password or similar means. This options causes sudo to + *not* require authentication. It is possible to turn + authentication back on in sudoers via the PASSWD attribute. + Sudoers option: !authenticate + + --disable-env-reset + Disable environment resetting. This sets the default value + of the "env_reset" Defaults option in sudoers to false. + Sudoers option: !env_reset + + --disable-path-info + Normally, sudo will tell the user when a command could not be found + in their $PATH. Some sites may wish to disable this as it could + be used to gather information on the location of executables that + the normal user does not have access to. The disadvantage is that + if the executable is simply not in the user's path, sudo will tell + the user that they are not allowed to run it, which can be confusing. + Sudoers option: path_info + + --disable-root-sudo + Don't let root run sudo. This can be used to prevent people from + "chaining" sudo commands to get a root shell by doing something + like "sudo sudo /bin/sh". + Sudoers option: !root_sudo + + --disable-zlib + Disable the use of the zlib compress library when storing + I/O log files. + Sudoers option: !compress_io + + --enable-log-host + Log the hostname in the log file. + Sudoers option: log_host + + --enable-noargs-shell + If sudo is invoked with no arguments it acts as if the "-s" flag had + been given. That is, it runs a shell as root (the shell is determined + by the SHELL environment variable, falling back on the shell listed + in the invoking user's /etc/passwd entry). + Sudoers option: shell_noargs + + --enable-shell-sets-home + If sudo is invoked with the "-s" flag the HOME environment variable + will be set to the home directory of the target user (which is root + unless the "-u" option is used). This option effectively makes the + "-s" flag imply "-H". + Sudoers option: set_home + + --enable-timestamp-type=TYPE + Set the default time stamp record type. The TYPE may be "global" + (a single record per user), "ppid" (a single record for process + with the same parent process), or "tty" (a separate record for + each login session). The default is "tty". + Sudoers option: timestamp_type + + --with-all-insults + Include all the insult sets listed below. You must either specify + --with-insults or enable insults in the sudoers file for this to + have any effect. + + --with-askpass=PATH + Set PATH as the "askpass" program to use when no tty is + available. Typically, this is a graphical password prompter, + similar to the one used by ssh. The program must take a + prompt as an argument and print the received password to + the standard output. This value may overridden at run-time + in the sudo.conf file. + + --with-badpass-message="BAD PASSWORD MESSAGE" + Message that is displayed if a user enters an incorrect password. + The default is "Sorry, try again." unless insults are turned on. + Sudoers option: badpass_message + + --with-badpri=PRIORITY + Determines which syslog priority to log unauthenticated + commands and errors. The following priorities are supported: + alert, crit, debug, emerg, err, info, notice, and warning. + Sudoers option: syslog_badpri + + --with-classic-insults + Uses insults from sudo "classic." If you just specify --with-insults + you will get the classic and CSOps insults. This is on by default if + --with-insults is given. + + --with-csops-insults + Insults the user with an extra set of insults (some quotes, some + original) from a sysadmin group at CU (CSOps). You must specify + --with-insults as well for this to have any effect. This is on by + default if --with-insults is given. + + --with-editor=PATH + Specify the default editor path for use by visudo. This may be a + single path name or a colon-separated list of editors. In the latter + case, visudo will choose the editor that matches the user's VISUAL + or EDITOR environment variables or the first editor in the list that + exists. The default is the path to vi on your system. + Sudoers option: editor + + --with-env-editor + Makes visudo consult the VISUAL and EDITOR environment variables before + falling back on the default editor list (as specified by --with-editor). + Note that this may create a security hole as it allows the user to + run any arbitrary command as root without logging. A safer alternative + is to use a colon-separated list of editors with the --with-editor + option. visudo will then only use the VISUAL or EDITOR variables + if they match a value specified via --with-editor. + Sudoers option: env_editor + + --with-exempt=GROUP + Users in the specified group don't need to enter a password when + running sudo. This may be useful for sites that don't want their + "core" sysadmins to have to enter a password but where Jr. sysadmins + need to. You should probably use NOPASSWD in sudoers instead. + Sudoers option: exempt_group + + --with-fqdn + Define this if you want to put fully qualified host names in the sudoers + file. Ie: instead of myhost you would use myhost.mydomain.edu. You may + still use the short form if you wish (and even mix the two). Beware + that turning FQDN on requires sudo to make DNS lookups which may make + sudo unusable if your DNS is totally hosed. Also note that you must + use the host's official name as DNS knows it. That is, you may not use + a host alias (CNAME entry) due to performance issues and the fact that + there is no way to get all aliases from DNS. + Sudoers option: fqdn + + --with-goodpri=PRIORITY + Determines which syslog priority to log successfully + authenticated commands. The following priorities are + supported: alert, crit, debug, emerg, err, info, notice, + and warning. + Sudoers option: syslog_goodpri + + --with-python-insults + Insults the user with lines from "Monty Python's Flying Circus" when an + incorrect password is entered. You must either specify --with-insults or + enable insults in the sudoers file for this to have any effect. + + --with-goons-insults + Insults the user with lines from the "Goon Show" when an incorrect + password is entered. You must either specify --with-insults or + enable insults in the sudoers file for this to have any effect. + + --with-hal-insults + Uses 2001-like insults when an incorrect password is entered. + You must either specify --with-insults or enable insults in the + sudoers file for this to have any effect. + + --with-ignore-dot + If set, sudo will ignore '.' or '' (current dir) in $PATH. + The $PATH itself is not modified. + Sudoers option: ignore_dot + + --with-insults + Define this if you want to be insulted for typing an incorrect password + just like the original sudo(8). This is off by default. + Sudoers option: insults + + --with-insults=disabled + Include support for insults but disable them unless explicitly + enabled in sudoers. + Sudoers option: !insults + + --with-iologdir[=DIR] + By default, sudo stores I/O log files in either /var/log/sudo-io, + /var/adm/sudo-io, or /usr/log/sudo-io. If this option is + specified, I/O logs will be stored in the indicated directory + instead. + Sudoers option: iolog_dir + + --with-lecture=no, --without-lecture + Don't print the lecture the first time a user runs sudo. + Sudoers option: !lecture + + --with-logfac=FACILITY + Determines which syslog facility to log to. This requires + a 4.3BSD or later version of syslog. You can still set + this for ancient syslogs but it will have no effect. The + following facilities are supported: authpriv (if your OS + supports it), auth, daemon, user, local0, local1, local2, + local3, local4, local5, local6, and local7. + Sudoers option: syslog + + --with-logging=TYPE + How you want to do your logging. You may choose "syslog", + "file", or "both". Setting this to "syslog" is nice because + you can keep all of your sudo logs in one place (see the + example syslog.conf file). The default is "syslog". + Sudoers options: syslog and logfile + + --with-loglen=NUMBER + Number of characters per line for the file log. This is only used if + you are to "file" or "both". This value is used to decide when to wrap + lines for nicer log files. The default is 80. Setting this to 0 + will disable the wrapping. + Sudoers options: loglinelen + + --with-logpath=PATH + Override the default location of the sudo log file and use + "path" instead. By default will use /var/log/sudo.log if + there is a /var/log dir, falling back to /var/adm/sudo.log + or /usr/adm/sudo.log if not. + Sudoers option: logfile + + --with-long-otp-prompt + When validating with a One Time Password scheme (S/Key or + OPIE), a two-line prompt is used to make it easier to cut + and paste the challenge to a local window. It's not as + pretty as the default but some people find it more convenient. + Sudoers option: long_otp_prompt + + --with-mail-if-no-user=no, --without-mail-if-no-user + Normally, sudo will mail to the "alertmail" user if the user invoking + sudo is not in the sudoers file. This option disables that behavior. + Sudoers option: mail_no_user + + --with-mail-if-no-host + Send mail to the "alermail" user if the user exists in the sudoers + file, but is not allowed to run commands on the current host. + Sudoers option: mail_no_host + + --with-mail-if-noperms + Send mail to the "alermail" user if the user is allowed to use sudo but + the command they are trying is not listed in their sudoers file entry. + Sudoers option: mail_no_perms + + --with-mailsubject="SUBJECT OF MAIL" + Subject of the mail sent to the "mailto" user. The token "%h" + will expand to the hostname of the machine. + Default is "*** SECURITY information for %h ***". + Sudoers option: mailsub + + --with-mailto=USER|MAIL_ALIAS + User (or mail alias) that mail from sudo is sent to. + This should go to a sysadmin at your site. The default is "root". + Sudoers option: mailto + + --with-passprompt="PASSWORD PROMPT" + Default prompt to use when asking for a password; can be overridden + via the -p option and the SUDO_PROMPT environment variable. Supports + the "%H", "%h", "%U" and "%u" escapes as documented in the sudo + manual page. The default value is "Password:". + Sudoers option: passprompt + + --with-password-timeout=NUMBER + Number of minutes before the sudo password prompt times out. + The default is 5, set this to 0 for no password timeout. + Sudoers option: passwd_timeout + + --with-passwd-tries=NUMBER + Number of tries a user gets to enter his/her password before sudo logs + the failure and exits. The default is 3. + Sudoers option: passwd_tries + + --with-runas-default=USER + The default user to run commands as if the -u flag is not specified + on the command line. This defaults to "root". + Sudoers option: runas_default + + --with-secure-path[=PATH] + Path used for every command run from sudo(8). If you don't trust the + people running sudo to have a sane PATH environment variable you may + want to use this. Another use is if you want to have the "root path" + be separate from the "user path." You will need to customize the path + for your site. NOTE: this is not applied to users in the group + specified by --with-exemptgroup. If you do not specify a path, + "/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc" is used. + Sudoers option: secure_path + + --with-sendmail=PATH + Override configure's guess as to the location of sendmail. + Sudoers option: mailerpath + + --with-sendmail=no, --without-sendmail + Do not use sendmail to mail messages to the "mailto" user. + Use only if you don't run sendmail or the equivalent. + Sudoers options: !mailerpath or !mailto + + --with-sudoers-mode=MODE + File mode for the sudoers file (octal). Note that if you + wish to NFS-mount the sudoers file this must be group + readable. This value may overridden at run-time in the + sudo.conf file. The default mode is 0440. + + --with-sudoers-uid=UID + User id that "owns" the sudoers file. Note that this is + the numeric id, *not* the symbolic name. This value may + overridden at run-time in the sudo.conf file. The default + is 0. + + --with-sudoers-gid=GID + Group id that "owns" the sudoers file. Note that this is + the numeric id, *not* the symbolic name. This value may + overridden at run-time in the sudo.conf file. The default + is 0. + + --with-timeout=NUMBER + Number of minutes that can elapse before sudo will ask for a passwd + again. The default is 5, set this to 0 to always prompt for a password. + Sudoers option: timestamp_timeout + + --with-umask=MASK + Umask to use when running the root command. The default is 0022. + Sudoers option: umask + + --with-umask=no, --without-umask + Preserves the umask of the user invoking sudo. + Sudoers option: !umask + + --with-umask-override + Use the umask specified in sudoers even if it is less restrictive + than the user's. The default is to use the intersection of the + user's umask and the umask specified in sudoers. + Sudoers option: umask_override + +OS dependent notes +================== + +HP-UX: + The default C compiler shipped with HP-UX is not an ANSI compiler. + You must use either the HP ANSI C compiler or gcc to build sudo. + Binary packages of gcc are available from http://hpux.connect.org.uk/. + + To prevent PAM from overriding the value of umask on HP-UX 11, + you will need to add a line like the following to /etc/pam.conf: + + sudo session required libpam_hpsec.so.1 bypass_umask + + If every command run via sudo displays information about the last + successful login and the last authentication failure you should + make use an /etc/pam.conf line like: + + sudo session required libpam_hpsec.so.1 bypass_umask bypass_last_login + +Linux: + PAM and LDAP headers are not installed by default on most Linux + systems. You will need to install the "pam-dev" package if + /usr/include/security/pam_appl.h is not present on your system. + If you wish to build with LDAP support you will also need the + openldap-devel package. + +Mac OS X: + The pseudo-tty support in the Mac OS X kernel has bugs related + to its handling of the SIGTSTP, SIGTTIN and SIGTTOU signals. + It does not restart reads and writes when those signals are + delivered. This may cause problems for some commands when I/O + logging is enabled. The issue has been reported to Apple and + is bug id #7952709. + +Solaris: + You need to have a C compiler in order to build sudo. Since + Solaris does not come with one by default this means that you + either need to either install the Solaris Studio compiler suite, + available for free from www.oracle.com, or install the GNU C + compiler (gcc) which is can be installed via the pkg utility + on Solaris 11 and higher and is distributed on the Solaris + Companion CD for older Solaris releases. You can also download + gcc packages from http://www.opencsw.org/packages/CSWgcc4core/ |