diff options
Diffstat (limited to '')
| -rw-r--r-- | INSTALL | 937 | ||||
| -rw-r--r-- | INSTALL.configure | 365 |
2 files changed, 1302 insertions, 0 deletions
@@ -0,0 +1,937 @@ +Sudo installation instructions +============================== + +Sudo uses a `configure' script to probe the capabilities and type +of the system in question. In this release, `configure' takes many +more options than it did before. Please read this document fully +before configuring and building sudo. You may also wish to read the +file INSTALL.configure which explains more about the `configure' script. + +System requirements +=================== + +To build sudo from the source distribution you need a POSIX-compliant +operating system (any modern version of BSD, Linux or Unix should work), +an ANSI/ISO C compiler that supports the "long long" type, variadic +macros (a C99 feature) as well as the ar, make and ranlib utilities. + +If you wish to modify the parser then you will need flex version +2.5.2 or later and either bison or byacc (sudo comes with a +pre-generated parser). You'll also have to run configure with the +--with-devel option or pass DEVEL=1 to make. You can get flex from +http://flex.sourceforge.net/. You can get GNU bison from +ftp://ftp.gnu.org/pub/gnu/bison/ or any GNU mirror. + +Simple sudo installation +======================== + +For most systems and configurations it is possible simply to: + + 0) If you are upgrading from a previous version of sudo + please read the info in the UPGRADE file before proceeding. + + 1) Read the `OS dependent notes' section for any particular + "gotchas" relating to your operating system. + + 2) `cd' to the source or build directory and type `./configure' + to generate a Makefile and config.h file suitable for building + sudo. Before you actually run configure you should read the + `Available configure options' section to see if there are + any special options you may want or need. + + 4) Type `make' to compile sudo. If you are building sudo + in a separate build tree (apart from the sudo source) GNU + make will probably be required. If `configure' did its job + properly (and you have a supported configuration) there won't + be any problems. If this doesn't work, take a look at the + doc/TROUBLESHOOTING file for tips on what might have gone + wrong. Please mail us if you have a fix or if you are unable + to come up with a fix (address at EOF). + + 5) Type `make install' (as root) to install sudo, visudo, the + man pages, and a skeleton sudoers file. Note that the install + will not overwrite an existing sudoers file. You can also + install various pieces the package via the install-binaries, + install-doc, and install-sudoers make targets. + + 6) Edit the sudoers file with `visudo' as necessary for your + site. You will probably want to refer the example sudoers + file and sudoers man page included with the sudo package. + + 7) If you want to use syslogd(8) to do the logging, you'll need + to update your /etc/syslog.conf file. See the example syslog.conf + file included in the distribution for an example. + +Available configure options +=========================== + +This section describes flags accepted by the sudo's `configure' script. +Defaults are listed in brackets after the description. + +Configuration: + --cache-file=FILE + Cache test results in FILE + + --config-cache, -C + Alias for `--cache-file=config.cache' + + --help, -h + Print the usage/help info + + --no-create, -n + Do not create output files + + --quiet, --silent, -q + Do not print `checking...' messages + + --srcdir=DIR + Find the sources in DIR [configure dir or `..'] + +Directory and file names: + --prefix=PREFIX + Install architecture-independent files in PREFIX. [/usr/local] + + --exec-prefix=EPREFIX + Install architecture-dependent files in EPREFIX. + This includes the executables and plugins. [same as PREFIX] + + --bindir=DIR + Install `sudo', `sudoedit' and `sudoreplay' in DIR. [EPREFIX/bin] + + --sbindir=DIR + Install `visudo' in DIR. [EPREFIX/sbin] + + --libexecdir=DIR + Install plugins and helper programs in DIR/sudo [PREFIX/libexec/sudo] + + --sysconfdir=DIR + Look for `sudo.conf' and `sudoers' files in DIR. [/etc] + + --includedir=DIR + Install sudo_plugin.h include file in DIR [PREFIX/include] + + --datarootdir=DIR + Root directory for platform-independent data files [PREFIX/share] + + --localedir=DIR + Install sudo and sudoers locale files in DIR [DATAROOTDIR/locale] + + --mandir=DIR + Install man pages in DIR [PREFIX/man] + + --docdir=DIR + Install other sudo documentation in DIR [DATAROOTDIR/doc/sudo] + + --with-exampledir=DIR + Install sudo example files in DIR [DATAROOTDIR/doc/sudo/examples] + + --with-plugindir=DIR + The directory that sudo looks in to find the policy and I/O + logging plugins. Defaults to the LIBEXEC/sudo. + + --with-rundir=DIR + The directory to be used for sudo-specific files that do + not survive a system reboot. This is typically where the + time stamp directory is located. By default, configure + will choose from the following list: + /run/sudo /var/run/sudo, /var/db/sudo, /var/lib/sudo, + /var/adm/sudo, /usr/adm/sudo + This directory should be cleared when the system reboots. + On systems that lack /run or /var/run, the default rundir and + vardir may be the same. In this case, only the ts directory + inside the rundir needs to be cleared at boot time. + + --with-vardir=DIR + The directory to be used for sudo-specific files that survive + a system reboot. This is typically where the lecture status + directory is stored. By default, configure will choose + from the following list: + /var/db/sudo, /var/lib/sudo, /var/adm/sudo, /usr/adm/sudo + This directory should *not* be cleared when the system boots. + + --with-tzdir=DIR + The directory to the system's time zone data files. This + is only used when sanitizing the TZ environment variable + to allow for fully-qualified paths in TZ. By default, + configure will look for an existing "zoneinfo" directory + in the following locations: + /usr/share /usr/share/lib /usr/lib /etc + If no zoneinfo directory is found, the TZ variable may not + contain a fully-qualified path. + +Compilation options: + --disable-hardening + Disable the use of compiler/linker exploit mitigation options + which are enabled by default. This includes compiling with + _FORTIFY_SOURCE defined to 2, building with -fstack-protector + and linking with -zrelro, where supported. + + --enable-asan + Enable the use of AddressSanitizer if supported by the + compiler. This can help detect common problems such as + buffer overflows and user after free bugs as well as behavior + undefined by the C standard. For more information see + https://github.com/google/sanitizers/wiki/AddressSanitizer + The following compiler flag is used: -fsanitize=address,undefined + + This option should only be used for testing and not in a + production environment. Due to AddressSanitizer's unchecked + use of environment variables, it is trivial to exploit a + setuid root executable such as sudo. + + --enable-pie + Build sudo and related programs as as a position independent + executables (PIE). This improves the effectiveness of address + space layout randomization (ASLR) on systems that support it. + Sudo will create PIE binaries by default on Linux systems. + + --disable-pie + Disable the creation of position independent executables (PIE), + even if the compiler creates PIE binaries by default. This + option may be needed on some Linux systems where PIE binaries + are not fully supported. + + --disable-poll + Use select() instead of poll() in the event loop. By default, + sudo will use poll() on systems that support it. Some systems + have a broken poll() implementation and need to use select instead. + On Mac OS X, select() is always used since its poll() doesn't + support devices. + + --disable-rpath + By default, configure will use -Rpath in addition to -Lpath + when passing library paths to the loader. This option will + disable the use of -Rpath. + + --disable-shared + Disable dynamic shared object support. By default, sudo + is built with a plugin API capable of loading arbitrary + policy and I/O logging plugins. If the --disable-shared + option is specified, this support is disabled and the default + sudoers policy and I/O plugins are embedded in the sudo + binary itself. This will also disable the noexec option + as it too relies on dynamic shared object support. + + --disable-shared-libutil + Disable the use of the dynamic libsudo_util library. By + default, sudo, the sudoers plugin and the associated sudo + utilities are linked against a shared version of libsudo_util. + If the --disable-shared-libutil option is specified, a + static version of the libsudo_util library will be used + instead. This option may only be used in conjunction with + the --enable-static-sudoers option. + + --enable-static-sudoers + By default, the sudoers plugin is built and installed as a + dynamic shared object. When the --enable-static-sudoers + option is specified, the sudoers plugin is compiled directly + into the sudo binary. Unlike --disable-shared, this does + not prevent other plugins from being used and the noexec + option will continue to function. + + --enable-tmpfiles.d=DIR + Set the directory to be used when installing the sudo + tmpfiles.d file. This is used to create (or clear) the + sudo time stamp directory on operating systems that use + systemd. If this option is not specified, configure will + use the /usr/lib/tmpfiles.d directory if the file + /usr/lib/tmpfiles.d/systemd.conf exists. + + --enable-zlib[=location] + Enable the use of the zlib compress library when storing + I/O log files. If specified, location is the base directory + containing the zlib include and lib directories. The special + values "system", "builtin", "shared" and "static" can be + used to indicate that the system version of zlib should be + used or that the version of zlib shipped with sudo should + be used instead. If "static" is specified, sudo will + statically link the builtin zlib and not install it. If + this option is not specified, configure will use the system + zlib if it is present, falling back on the sudo version. + + --with-incpath=DIR + Adds the specified directory (or directories) to CPPFLAGS + so configure and the compiler will look there for include + files. Multiple directories may be specified as long as + they are space separated. + E.g. --with-incpath="/usr/local/include /opt/include" + + --with-libpath=DIR + Adds the specified directory (or directories) to LDFLAGS + so configure and the compiler will look there for libraries. + Multiple directories may be specified as with --with-incpath. + + --with-libraries=LIBRARY + Adds the specified library (or libraries) to SUDO_LIBS and + and VISUDO_LIBS so sudo will link against them. If the + library doesn't start with `-l' or end in `.a' or `.o' a + `-l' will be pre-pended to it. Multiple libraries may be + specified as long as they are space separated. + + --with-libtool=PATH + By default, sudo will use the included version of libtool + to build shared libraries. The --with-libtool option can + be used to specify a different version of libtool to use. + The special values "system" and "builtin" can be used in + place of a path to denote the default system libtool (obtained + via the user's PATH) and the default libtool that comes + with sudo. + +Optional features: + --disable-root-mailer + By default sudo will run the mailer as root when tattling + on a user so as to prevent that user from killing the mailer. + With this option, sudo will run the mailer as the invoking + user which some people consider to be safer. + + --enable-nls[=location] + Enable natural language support using the gettext() family + of functions. If specified, location is the base directory + containing the libintl include and lib directories. If + this option is not specified, configure will look for the + gettext() family of functions in the standard C library + first, then check for a standalone libintl (linking with + libiconv as needed). + + --disable-nls + Disable natural language support. By default, sudo will + use the gettext() family of functions, if available, to + implement messages in the invoking user's native language. + Note that translations do not exist for all languages. + + --with-ldap[=DIR] + Enable LDAP support. If specified, DIR is the base directory + containing the LDAP include and lib directories. Please see + README.LDAP for more information. + + --with-ldap-conf-file=PATH + Path to LDAP configuration file. If specified, sudo reads + this file instead of /etc/ldap.conf to locate the LDAP server. + + --with-ldap-secret-file=PATH + Path to LDAP secret password file. If specified, sudo uses + this file instead of /etc/ldap.secret to read the secret password + when rootbinddn is specified in the ldap config file. + + --disable-sasl + Disable SASL authentication for LDAP. By default, sudo + will compile in support for SASL authentication if the + ldap_sasl_interactive_bind_s() function is present in the + LDAP libraries. + + --with-logincap + This adds support for login classes specified in /etc/login.conf. + It is enabled by default on BSD/OS, Darwin, FreeBSD, OpenBSD and + NetBSD (where available). By default, a login class is not applied + unless the 'use_loginclass' option is defined in sudoers or the user + specifies a class on the command line. + + --with-interfaces=no, --without-interfaces + This option keeps sudo from trying to glean the ip address + from each attached Ethernet interface. It is only useful + on a machine where sudo's interface reading support does + not work, which may be the case on some SysV-based OS's + using STREAMS. + + --with-noexec[=PATH] + Enable support for the "noexec" functionality which prevents + a dynamically-linked program being run by sudo from executing + another program (think shell escapes). Please see the + "PREVENTING SHELL ESCAPES" section in the sudoers man page + for details. If specified, PATH should be a fully qualified + path name, e.g. /usr/local/libexec/sudo/sudo_noexec.so. If PATH + is "no", noexec support will not be compiled in. The default + is to compile noexec support if libtool supports building + shared objects on your OS. + + --with-selinux + Enable support for role based access control (RBAC) on + systems that support SELinux. + + --with-sssd + Enable support for using the System Security Services Daemon + (SSSD) as a sudoers data source. For more information on + SSD, see http://fedorahosted.org/sssd/ + + --with-sssd-conf=PATH + Specify the path to the SSSD configuration file, if different + from the default value of /etc/sssd/sssd.conf. + + --with-sssd-lib=PATH + Specify the path to the SSSD shared library, which is loaded + at run-time. + + --enable-offensive-insults + Enable potentially offensive sudo insults from the classic + version of sudo. + + --enable-pvs-studio + Generate a sample PVS-Studio.cfg file based on the compiler and + platform type. The "pvs-studio" Makefile target can then be + used if PVS-Studio is installed. + +Operating system-specific options: + --disable-setreuid + Disable use of the setreuid() function for operating systems + where it is broken. For instance, 4.4BSD has setreuid() that + is not fully functional. + + --disable-setresuid + Disable use of the setresuid() function for operating systems + where it is broken (none currently known). + + --enable-admin-flag + Enable the creation of an Ubuntu-style admin flag file + the first time sudo is run. + + --enable-devsearch=PATH + Set a system-specific search path of directories to look in + for device nodes. Sudo uses this when mapping the process's + tty device number to a device name. The default value is: + /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + + --with-bsm-audit + Enable support for sudo BSM audit logs on systems that support it. + This includes recent versions of FreeBSD, Mac OS X and Solaris. + + --with-linux-audit + Enable audit support for Linux systems. Audits attempts + to run a command as well as SELinux role changes. + + --with-man + Use the "man" macros for manual pages. By default, mdoc versions + of the manuals are installed if supported. This can be used to + override configure's test for "nroff -mdoc" support. + + --with-mdoc + Use the "mdoc" macros for manual pages. By default, mdoc versions + of the manuals are installed if supported. This can be used to + override configure's test for "nroff -mdoc" support. + + --with-netsvc[=PATH] + Path to netsvc.conf or "no" to disable netsvc.conf support. + If specified, sudo uses this file instead of /etc/netsvc.conf + on AIX systems. If netsvc support is disabled but LDAP is + enabled, sudo will check LDAP first, then the sudoers file. + + --with-nsswitch[=PATH] + Path to nsswitch.conf or "no" to disable nsswitch support. + If specified, sudo uses this file instead of /etc/nsswitch.conf. + If nsswitch support is disabled but LDAP is enabled, sudo will + check LDAP first, then the sudoers file. + + --with-project + Enable support for Solaris project resource limits. + This option is only available on Solaris 9 and above. + +Authentication options: + --with-AFS + Enable AFS support with Kerberos authentication. Should work under + AFS 3.3. If your AFS doesn't have -laudit you should be able to + link without it. + + --with-aixauth + Enable support for the AIX general authentication function. + This will use the authentication scheme specified for the + user on the machine. By default, sudo will use either AIX + authentication or PAM depending on the value of the auth_type + setting in the /etc/security/login.cfg file. + + --with-bsdauth + Enable support for BSD authentication. This is the default + for BSD/OS and OpenBSD systems that support it. + It is not possible to mix BSD authentication with other + authentication methods (and there really should be no need + to do so). Note that only the newer BSD authentication API + is supported. If you don't have /usr/include/bsd_auth.h + then you cannot use this. + + --with-DCE + Enable DCE support for systems without PAM. Known to work on + HP-UX 9.X, 10.X, and 11.0; other systems may require source + code and/or `configure' changes. On systems with PAM support + (such as HP-UX 11.0 and higher, Solaris, FreeBSD and Linux), the + DCE PAM module (usually libpam_dce) should be used instead. + + --with-fwtk[=DIR] + Enable TIS Firewall Toolkit (FWTK) 'authsrv' support. If specified, + DIR is the base directory containing the compiled FWTK package + (or at least the library and header files). + + --with-kerb5[=DIR] + Enable Kerberos V support. If specified, DIR is the base + directory containing the Kerberos V include and lib dirs. + This uses Kerberos pass phrases for authentication but + does not use the Kerberos cookie scheme. Will not work for + Kerberos V older than version 1.1. + + --enable-kerb5-instance=string + By default, the user name is used as the principal name + when authenticating via Kerberos V. If this option is + enabled, the specified instance string will be appended to + the user name (separated by a slash) when creating the + principal name. + + --with-solaris-audit + Enable audit support for Solaris 11 and above. + For older versions of Solaris, use --with-bsm-audit + + --with-opie[=DIR] + Enable NRL OPIE OTP (One Time Password) support. If specified, + DIR should contain include and lib directories with opie.h + and libopie.a respectively. + + --with-otp-only + This option is now just an alias for --without-passwd. + + --with-pam + Enable PAM support. This is on by default for Darwin, FreeBSD, + Linux, Solaris and HP-UX (version 11 and higher). + + NOTE: on RedHat Linux and Fedora you *must* have an /etc/pam.d/sudo + file install. You may either use the example pam.conf file included + with sudo or use /etc/pam.d/su as a reference. The pam.conf file + included with sudo may or may not work with other Linux distributions. + On Solaris and HP-UX 11 systems you should check (and understand) + the contents of /etc/pam.conf. Do a "man pam.conf" for more + information and consider using the "debug" option, if available, + with your PAM libraries in /etc/pam.conf to obtain syslog output + for debugging purposes. + + --with-pam-login + Enable a specific PAM session when sudo is given the -i option. + This changes the PAM service name when sudo is run with the -i + option from "sudo" to "sudo-i", allowing for a separate pam + configuration for sudo's initial login mode. + + --disable-pam-session + Disable sudo's PAM session support. This may be needed on + older PAM implementations or on operating systems where + opening a PAM session changes the utmp or wtmp files. If + PAM session support is disabled, resource limits may not + be updated for the command being run. + + --with-passwd=no, --without-passwd + This option excludes authentication via the passwd (or + shadow) file. It should only be used when another, alternative, + authentication scheme is in use. + + --with-SecurID[=DIR] + Enable SecurID support. If specified, DIR is directory containing + libaceclnt.a, acexport.h, and sdacmvls.h. + + --with-skey[=DIR] + Enable S/Key OTP (One Time Password) support. If specified, + DIR should contain include and lib directories with skey.h + and libskey.a respectively. + + --disable-sia + Disable SIA support. This is the "Security Integration + Architecture" on Digital UNIX. If you disable SIA sudo will + use its own authentication routines. + + --disable-shadow + Disable shadow password support. Normally, sudo will compile + in shadow password support and use a shadow password if it + exists. + + --enable-gss-krb5-ccache-name + Use the gss_krb5_ccache_name() function to set the Kerberos + V credential cache file name. By default, sudo will use + the KRB5CCNAME environment variable to set this. While + gss_krb5_ccache_name() provides a better API to do this it + is not supported by all Kerberos V and SASL combinations. + + --enable-gcrypt[=DIR] + Use GNU crypt's SHA-2 message digest functions instead of the + ones bundled with sudo (or in the system's C library). + If specified, DIR should contain include and lib directories + with gcrypt.h and libgcrypt respectively. + + --enable-openssl[=DIR] + Use OpenSSL's SHA-2 message digest functions instead of the + ones bundled with sudo (or in the system's C library). + If specified, DIR should contain include and lib directories + with openssl/sha.h and libcrypto respectively. + +Development options: + --enable-env-debug + Enable debugging of the environment setting functions. This + enables extra checks to make sure the environment does not + become corrupted. + + --enable-warnings + Enable compiler warnings when building sudo with gcc. + + --enable-werror + Enable the -Werror compiler option when building sudo with gcc. + + --with-devel + Configure development options. This will enable compiler warnings + and set up the Makefile to be able to regenerate the sudoers parser + as well as the manual pages. + + --with-efence + Link with the "electric fence" debugging malloc. + +Options that set runtime-changeable default values: + --disable-authentication + By default, sudo requires the user to authenticate via a + password or similar means. This options causes sudo to + *not* require authentication. It is possible to turn + authentication back on in sudoers via the PASSWD attribute. + Sudoers option: !authenticate + + --disable-env-reset + Disable environment resetting. This sets the default value + of the "env_reset" Defaults option in sudoers to false. + Sudoers option: !env_reset + + --disable-path-info + Normally, sudo will tell the user when a command could not be found + in their $PATH. Some sites may wish to disable this as it could + be used to gather information on the location of executables that + the normal user does not have access to. The disadvantage is that + if the executable is simply not in the user's path, sudo will tell + the user that they are not allowed to run it, which can be confusing. + Sudoers option: path_info + + --disable-root-sudo + Don't let root run sudo. This can be used to prevent people from + "chaining" sudo commands to get a root shell by doing something + like "sudo sudo /bin/sh". + Sudoers option: !root_sudo + + --disable-zlib + Disable the use of the zlib compress library when storing + I/O log files. + Sudoers option: !compress_io + + --enable-log-host + Log the hostname in the log file. + Sudoers option: log_host + + --enable-noargs-shell + If sudo is invoked with no arguments it acts as if the "-s" flag had + been given. That is, it runs a shell as root (the shell is determined + by the SHELL environment variable, falling back on the shell listed + in the invoking user's /etc/passwd entry). + Sudoers option: shell_noargs + + --enable-shell-sets-home + If sudo is invoked with the "-s" flag the HOME environment variable + will be set to the home directory of the target user (which is root + unless the "-u" option is used). This option effectively makes the + "-s" flag imply "-H". + Sudoers option: set_home + + --enable-timestamp-type=TYPE + Set the default time stamp record type. The TYPE may be "global" + (a single record per user), "ppid" (a single record for process + with the same parent process), or "tty" (a separate record for + each login session). The default is "tty". + Sudoers option: timestamp_type + + --with-all-insults + Include all the insult sets listed below. You must either specify + --with-insults or enable insults in the sudoers file for this to + have any effect. + + --with-askpass=PATH + Set PATH as the "askpass" program to use when no tty is + available. Typically, this is a graphical password prompter, + similar to the one used by ssh. The program must take a + prompt as an argument and print the received password to + the standard output. This value may overridden at run-time + in the sudo.conf file. + + --with-badpass-message="BAD PASSWORD MESSAGE" + Message that is displayed if a user enters an incorrect password. + The default is "Sorry, try again." unless insults are turned on. + Sudoers option: badpass_message + + --with-badpri=PRIORITY + Determines which syslog priority to log unauthenticated + commands and errors. The following priorities are supported: + alert, crit, debug, emerg, err, info, notice, and warning. + Sudoers option: syslog_badpri + + --with-classic-insults + Uses insults from sudo "classic." If you just specify --with-insults + you will get the classic and CSOps insults. This is on by default if + --with-insults is given. + + --with-csops-insults + Insults the user with an extra set of insults (some quotes, some + original) from a sysadmin group at CU (CSOps). You must specify + --with-insults as well for this to have any effect. This is on by + default if --with-insults is given. + + --with-editor=PATH + Specify the default editor path for use by visudo. This may be a + single path name or a colon-separated list of editors. In the latter + case, visudo will choose the editor that matches the user's VISUAL + or EDITOR environment variables or the first editor in the list that + exists. The default is the path to vi on your system. + Sudoers option: editor + + --with-env-editor + Makes visudo consult the VISUAL and EDITOR environment variables before + falling back on the default editor list (as specified by --with-editor). + Note that this may create a security hole as it allows the user to + run any arbitrary command as root without logging. A safer alternative + is to use a colon-separated list of editors with the --with-editor + option. visudo will then only use the VISUAL or EDITOR variables + if they match a value specified via --with-editor. + Sudoers option: env_editor + + --with-exempt=GROUP + Users in the specified group don't need to enter a password when + running sudo. This may be useful for sites that don't want their + "core" sysadmins to have to enter a password but where Jr. sysadmins + need to. You should probably use NOPASSWD in sudoers instead. + Sudoers option: exempt_group + + --with-fqdn + Define this if you want to put fully qualified host names in the sudoers + file. Ie: instead of myhost you would use myhost.mydomain.edu. You may + still use the short form if you wish (and even mix the two). Beware + that turning FQDN on requires sudo to make DNS lookups which may make + sudo unusable if your DNS is totally hosed. Also note that you must + use the host's official name as DNS knows it. That is, you may not use + a host alias (CNAME entry) due to performance issues and the fact that + there is no way to get all aliases from DNS. + Sudoers option: fqdn + + --with-goodpri=PRIORITY + Determines which syslog priority to log successfully + authenticated commands. The following priorities are + supported: alert, crit, debug, emerg, err, info, notice, + and warning. + Sudoers option: syslog_goodpri + + --with-python-insults + Insults the user with lines from "Monty Python's Flying Circus" when an + incorrect password is entered. You must either specify --with-insults or + enable insults in the sudoers file for this to have any effect. + + --with-goons-insults + Insults the user with lines from the "Goon Show" when an incorrect + password is entered. You must either specify --with-insults or + enable insults in the sudoers file for this to have any effect. + + --with-hal-insults + Uses 2001-like insults when an incorrect password is entered. + You must either specify --with-insults or enable insults in the + sudoers file for this to have any effect. + + --with-ignore-dot + If set, sudo will ignore '.' or '' (current dir) in $PATH. + The $PATH itself is not modified. + Sudoers option: ignore_dot + + --with-insults + Define this if you want to be insulted for typing an incorrect password + just like the original sudo(8). This is off by default. + Sudoers option: insults + + --with-insults=disabled + Include support for insults but disable them unless explicitly + enabled in sudoers. + Sudoers option: !insults + + --with-iologdir[=DIR] + By default, sudo stores I/O log files in either /var/log/sudo-io, + /var/adm/sudo-io, or /usr/log/sudo-io. If this option is + specified, I/O logs will be stored in the indicated directory + instead. + Sudoers option: iolog_dir + + --with-lecture=no, --without-lecture + Don't print the lecture the first time a user runs sudo. + Sudoers option: !lecture + + --with-logfac=FACILITY + Determines which syslog facility to log to. This requires + a 4.3BSD or later version of syslog. You can still set + this for ancient syslogs but it will have no effect. The + following facilities are supported: authpriv (if your OS + supports it), auth, daemon, user, local0, local1, local2, + local3, local4, local5, local6, and local7. + Sudoers option: syslog + + --with-logging=TYPE + How you want to do your logging. You may choose "syslog", + "file", or "both". Setting this to "syslog" is nice because + you can keep all of your sudo logs in one place (see the + example syslog.conf file). The default is "syslog". + Sudoers options: syslog and logfile + + --with-loglen=NUMBER + Number of characters per line for the file log. This is only used if + you are to "file" or "both". This value is used to decide when to wrap + lines for nicer log files. The default is 80. Setting this to 0 + will disable the wrapping. + Sudoers options: loglinelen + + --with-logpath=PATH + Override the default location of the sudo log file and use + "path" instead. By default will use /var/log/sudo.log if + there is a /var/log dir, falling back to /var/adm/sudo.log + or /usr/adm/sudo.log if not. + Sudoers option: logfile + + --with-long-otp-prompt + When validating with a One Time Password scheme (S/Key or + OPIE), a two-line prompt is used to make it easier to cut + and paste the challenge to a local window. It's not as + pretty as the default but some people find it more convenient. + Sudoers option: long_otp_prompt + + --with-mail-if-no-user=no, --without-mail-if-no-user + Normally, sudo will mail to the "alertmail" user if the user invoking + sudo is not in the sudoers file. This option disables that behavior. + Sudoers option: mail_no_user + + --with-mail-if-no-host + Send mail to the "alermail" user if the user exists in the sudoers + file, but is not allowed to run commands on the current host. + Sudoers option: mail_no_host + + --with-mail-if-noperms + Send mail to the "alermail" user if the user is allowed to use sudo but + the command they are trying is not listed in their sudoers file entry. + Sudoers option: mail_no_perms + + --with-mailsubject="SUBJECT OF MAIL" + Subject of the mail sent to the "mailto" user. The token "%h" + will expand to the hostname of the machine. + Default is "*** SECURITY information for %h ***". + Sudoers option: mailsub + + --with-mailto=USER|MAIL_ALIAS + User (or mail alias) that mail from sudo is sent to. + This should go to a sysadmin at your site. The default is "root". + Sudoers option: mailto + + --with-passprompt="PASSWORD PROMPT" + Default prompt to use when asking for a password; can be overridden + via the -p option and the SUDO_PROMPT environment variable. Supports + the "%H", "%h", "%U" and "%u" escapes as documented in the sudo + manual page. The default value is "Password:". + Sudoers option: passprompt + + --with-password-timeout=NUMBER + Number of minutes before the sudo password prompt times out. + The default is 5, set this to 0 for no password timeout. + Sudoers option: passwd_timeout + + --with-passwd-tries=NUMBER + Number of tries a user gets to enter his/her password before sudo logs + the failure and exits. The default is 3. + Sudoers option: passwd_tries + + --with-runas-default=USER + The default user to run commands as if the -u flag is not specified + on the command line. This defaults to "root". + Sudoers option: runas_default + + --with-secure-path[=PATH] + Path used for every command run from sudo(8). If you don't trust the + people running sudo to have a sane PATH environment variable you may + want to use this. Another use is if you want to have the "root path" + be separate from the "user path." You will need to customize the path + for your site. NOTE: this is not applied to users in the group + specified by --with-exemptgroup. If you do not specify a path, + "/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc" is used. + Sudoers option: secure_path + + --with-sendmail=PATH + Override configure's guess as to the location of sendmail. + Sudoers option: mailerpath + + --with-sendmail=no, --without-sendmail + Do not use sendmail to mail messages to the "mailto" user. + Use only if you don't run sendmail or the equivalent. + Sudoers options: !mailerpath or !mailto + + --with-sudoers-mode=MODE + File mode for the sudoers file (octal). Note that if you + wish to NFS-mount the sudoers file this must be group + readable. This value may overridden at run-time in the + sudo.conf file. The default mode is 0440. + + --with-sudoers-uid=UID + User id that "owns" the sudoers file. Note that this is + the numeric id, *not* the symbolic name. This value may + overridden at run-time in the sudo.conf file. The default + is 0. + + --with-sudoers-gid=GID + Group id that "owns" the sudoers file. Note that this is + the numeric id, *not* the symbolic name. This value may + overridden at run-time in the sudo.conf file. The default + is 0. + + --with-timeout=NUMBER + Number of minutes that can elapse before sudo will ask for a passwd + again. The default is 5, set this to 0 to always prompt for a password. + Sudoers option: timestamp_timeout + + --with-umask=MASK + Umask to use when running the root command. The default is 0022. + Sudoers option: umask + + --with-umask=no, --without-umask + Preserves the umask of the user invoking sudo. + Sudoers option: !umask + + --with-umask-override + Use the umask specified in sudoers even if it is less restrictive + than the user's. The default is to use the intersection of the + user's umask and the umask specified in sudoers. + Sudoers option: umask_override + +OS dependent notes +================== + +HP-UX: + The default C compiler shipped with HP-UX is not an ANSI compiler. + You must use either the HP ANSI C compiler or gcc to build sudo. + Binary packages of gcc are available from http://hpux.connect.org.uk/. + + To prevent PAM from overriding the value of umask on HP-UX 11, + you will need to add a line like the following to /etc/pam.conf: + + sudo session required libpam_hpsec.so.1 bypass_umask + + If every command run via sudo displays information about the last + successful login and the last authentication failure you should + make use an /etc/pam.conf line like: + + sudo session required libpam_hpsec.so.1 bypass_umask bypass_last_login + +Linux: + PAM and LDAP headers are not installed by default on most Linux + systems. You will need to install the "pam-dev" package if + /usr/include/security/pam_appl.h is not present on your system. + If you wish to build with LDAP support you will also need the + openldap-devel package. + +Mac OS X: + The pseudo-tty support in the Mac OS X kernel has bugs related + to its handling of the SIGTSTP, SIGTTIN and SIGTTOU signals. + It does not restart reads and writes when those signals are + delivered. This may cause problems for some commands when I/O + logging is enabled. The issue has been reported to Apple and + is bug id #7952709. + +Solaris: + You need to have a C compiler in order to build sudo. Since + Solaris does not come with one by default this means that you + either need to either install the Solaris Studio compiler suite, + available for free from www.oracle.com, or install the GNU C + compiler (gcc) which is can be installed via the pkg utility + on Solaris 11 and higher and is distributed on the Solaris + Companion CD for older Solaris releases. You can also download + gcc packages from http://www.opencsw.org/packages/CSWgcc4core/ diff --git a/INSTALL.configure b/INSTALL.configure new file mode 100644 index 0000000..a1b253c --- /dev/null +++ b/INSTALL.configure @@ -0,0 +1,365 @@ +Installation Instructions +************************* + +Copyright (C) 1994, 1995, 1996, 1999, 2000, 2001, 2002, 2004, 2005, +2006, 2007, 2008, 2009, 2010 Free Software Foundation, Inc. + + Copying and distribution of this file, with or without modification, +are permitted in any medium without royalty provided the copyright +notice and this notice are preserved. This file is offered as-is, +without warranty of any kind. + +Basic Installation +================== + + Briefly, the shell commands `./configure; make; make install' should +configure, build, and install this package. The following +more-detailed instructions are generic; see the `README' file for +instructions specific to this package. Some packages provide this +`INSTALL' file but do not implement all of the features documented +below. The lack of an optional feature in a given package is not +necessarily a bug. More recommendations for GNU packages can be found +in *note Makefile Conventions: (standards)Makefile Conventions. + + The `configure' shell script attempts to guess correct values for +various system-dependent variables used during compilation. It uses +those values to create a `Makefile' in each directory of the package. +It may also create one or more `.h' files containing system-dependent +definitions. Finally, it creates a shell script `config.status' that +you can run in the future to recreate the current configuration, and a +file `config.log' containing compiler output (useful mainly for +debugging `configure'). + + It can also use an optional file (typically called `config.cache' +and enabled with `--cache-file=config.cache' or simply `-C') that saves +the results of its tests to speed up reconfiguring. Caching is +disabled by default to prevent problems with accidental use of stale +cache files. + + If you need to do unusual things to compile the package, please try +to figure out how `configure' could check whether to do them, and mail +diffs or instructions to the address given in the `README' so they can +be considered for the next release. If you are using the cache, and at +some point `config.cache' contains results you don't want to keep, you +may remove or edit it. + + The file `configure.ac' (or `configure.in') is used to create +`configure' by a program called `autoconf'. You need `configure.ac' if +you want to change it or regenerate `configure' using a newer version +of `autoconf'. + + The simplest way to compile this package is: + + 1. `cd' to the directory containing the package's source code and type + `./configure' to configure the package for your system. + + Running `configure' might take a while. While running, it prints + some messages telling which features it is checking for. + + 2. Type `make' to compile the package. + + 3. Optionally, type `make check' to run any self-tests that come with + the package, generally using the just-built uninstalled binaries. + + 4. Type `make install' to install the programs and any data files and + documentation. When installing into a prefix owned by root, it is + recommended that the package be configured and built as a regular + user, and only the `make install' phase executed with root + privileges. + + 5. Optionally, type `make installcheck' to repeat any self-tests, but + this time using the binaries in their final installed location. + This target does not install anything. Running this target as a + regular user, particularly if the prior `make install' required + root privileges, verifies that the installation completed + correctly. + + 6. You can remove the program binaries and object files from the + source code directory by typing `make clean'. To also remove the + files that `configure' created (so you can compile the package for + a different kind of computer), type `make distclean'. There is + also a `make maintainer-clean' target, but that is intended mainly + for the package's developers. If you use it, you may have to get + all sorts of other programs in order to regenerate files that came + with the distribution. + + 7. Often, you can also type `make uninstall' to remove the installed + files again. In practice, not all packages have tested that + uninstallation works correctly, even though it is required by the + GNU Coding Standards. + + 8. Some packages, particularly those that use Automake, provide `make + distcheck', which can by used by developers to test that all other + targets like `make install' and `make uninstall' work correctly. + This target is generally not run by end users. + +Compilers and Options +===================== + + Some systems require unusual options for compilation or linking that +the `configure' script does not know about. Run `./configure --help' +for details on some of the pertinent environment variables. + + You can give `configure' initial values for configuration parameters +by setting variables in the command line or in the environment. Here +is an example: + + ./configure CC=c99 CFLAGS=-g LIBS=-lposix + + *Note Defining Variables::, for more details. + +Compiling For Multiple Architectures +==================================== + + You can compile the package for more than one kind of computer at the +same time, by placing the object files for each architecture in their +own directory. To do this, you can use GNU `make'. `cd' to the +directory where you want the object files and executables to go and run +the `configure' script. `configure' automatically checks for the +source code in the directory that `configure' is in and in `..'. This +is known as a "VPATH" build. + + With a non-GNU `make', it is safer to compile the package for one +architecture at a time in the source code directory. After you have +installed the package for one architecture, use `make distclean' before +reconfiguring for another architecture. + + On macOS 10.5 and later systems, you can create libraries and +executables that work on multiple system types--known as "fat" or +"universal" binaries--by specifying multiple `-arch' options to the +compiler but only a single `-arch' option to the preprocessor. Like +this: + + ./configure CC="gcc -arch i386 -arch x86_64 -arch ppc -arch ppc64" \ + CXX="g++ -arch i386 -arch x86_64 -arch ppc -arch ppc64" \ + CPP="gcc -E" CXXCPP="g++ -E" + + This is not guaranteed to produce working output in all cases, you +may have to build one architecture at a time and combine the results +using the `lipo' tool if you have problems. + +Installation Names +================== + + By default, `make install' installs the package's commands under +`/usr/local/bin', include files under `/usr/local/include', etc. You +can specify an installation prefix other than `/usr/local' by giving +`configure' the option `--prefix=PREFIX', where PREFIX must be an +absolute file name. + + You can specify separate installation prefixes for +architecture-specific files and architecture-independent files. If you +pass the option `--exec-prefix=PREFIX' to `configure', the package uses +PREFIX as the prefix for installing programs and libraries. +Documentation and other data files still use the regular prefix. + + In addition, if you use an unusual directory layout you can give +options like `--bindir=DIR' to specify different values for particular +kinds of files. Run `configure --help' for a list of the directories +you can set and what kinds of files go in them. In general, the +default for these options is expressed in terms of `${prefix}', so that +specifying just `--prefix' will affect all of the other directory +specifications that were not explicitly provided. + + The most portable way to affect installation locations is to pass the +correct locations to `configure'; however, many packages provide one or +both of the following shortcuts of passing variable assignments to the +`make install' command line to change installation locations without +having to reconfigure or recompile. + + The first method involves providing an override variable for each +affected directory. For example, `make install +prefix=/alternate/directory' will choose an alternate location for all +directory configuration variables that were expressed in terms of +`${prefix}'. Any directories that were specified during `configure', +but not in terms of `${prefix}', must each be overridden at install +time for the entire installation to be relocated. The approach of +makefile variable overrides for each directory variable is required by +the GNU Coding Standards, and ideally causes no recompilation. +However, some platforms have known limitations with the semantics of +shared libraries that end up requiring recompilation when using this +method, particularly noticeable in packages that use GNU Libtool. + + The second method involves providing the `DESTDIR' variable. For +example, `make install DESTDIR=/alternate/directory' will prepend +`/alternate/directory' before all installation names. The approach of +`DESTDIR' overrides is not required by the GNU Coding Standards, and +does not work on platforms that have drive letters. On the other hand, +it does better at avoiding recompilation issues, and works well even +when some directory options were not specified in terms of `${prefix}' +at `configure' time. + +Optional Features +================= + + If the package supports it, you can cause programs to be installed +with an extra prefix or suffix on their names by giving `configure' the +option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'. + + Some packages pay attention to `--enable-FEATURE' options to +`configure', where FEATURE indicates an optional part of the package. +They may also pay attention to `--with-PACKAGE' options, where PACKAGE +is something like `gnu-as' or `x' (for the X Window System). The +`README' should mention any `--enable-' and `--with-' options that the +package recognizes. + + For packages that use the X Window System, `configure' can usually +find the X include and library files automatically, but if it doesn't, +you can use the `configure' options `--x-includes=DIR' and +`--x-libraries=DIR' to specify their locations. + + Some packages offer the ability to configure how verbose the +execution of `make' will be. For these packages, running `./configure +--enable-silent-rules' sets the default to minimal output, which can be +overridden with `make V=1'; while running `./configure +--disable-silent-rules' sets the default to verbose, which can be +overridden with `make V=0'. + +Particular systems +================== + + On HP-UX, the default C compiler is not ANSI C compatible. If GNU +CC is not installed, it is recommended to use the following options in +order to use an ANSI C compiler: + + ./configure CC="cc -Ae -D_XOPEN_SOURCE=500" + +and if that doesn't work, install pre-built binaries of GCC for HP-UX. + + On OSF/1 a.k.a. Tru64, some versions of the default C compiler cannot +parse its `<wchar.h>' header file. The option `-nodtk' can be used as +a workaround. If GNU CC is not installed, it is therefore recommended +to try + + ./configure CC="cc" + +and if that doesn't work, try + + ./configure CC="cc -nodtk" + + On Solaris, don't put `/usr/ucb' early in your `PATH'. This +directory contains several dysfunctional programs; working variants of +these programs are available in `/usr/bin'. So, if you need `/usr/ucb' +in your `PATH', put it _after_ `/usr/bin'. + + On Haiku, software installed for all users goes in `/boot/common', +not `/usr/local'. It is recommended to use the following options: + + ./configure --prefix=/boot/common + +Specifying the System Type +========================== + + There may be some features `configure' cannot figure out +automatically, but needs to determine by the type of machine the package +will run on. Usually, assuming the package is built to be run on the +_same_ architectures, `configure' can figure that out, but if it prints +a message saying it cannot guess the machine type, give it the +`--build=TYPE' option. TYPE can either be a short name for the system +type, such as `sun4', or a canonical name which has the form: + + CPU-COMPANY-SYSTEM + +where SYSTEM can have one of these forms: + + OS + KERNEL-OS + + See the file `config.sub' for the possible values of each field. If +`config.sub' isn't included in this package, then this package doesn't +need to know the machine type. + + If you are _building_ compiler tools for cross-compiling, you should +use the option `--target=TYPE' to select the type of system they will +produce code for. + + If you want to _use_ a cross compiler, that generates code for a +platform different from the build platform, you should specify the +"host" platform (i.e., that on which the generated programs will +eventually be run) with `--host=TYPE'. + +Sharing Defaults +================ + + If you want to set default values for `configure' scripts to share, +you can create a site shell script called `config.site' that gives +default values for variables like `CC', `cache_file', and `prefix'. +`configure' looks for `PREFIX/share/config.site' if it exists, then +`PREFIX/etc/config.site' if it exists. Or, you can set the +`CONFIG_SITE' environment variable to the location of the site script. +A warning: not all `configure' scripts look for a site script. + +Defining Variables +================== + + Variables not defined in a site shell script can be set in the +environment passed to `configure'. However, some packages may run +configure again during the build, and the customized values of these +variables may be lost. In order to avoid this problem, you should set +them in the `configure' command line, using `VAR=value'. For example: + + ./configure CC=/usr/local2/bin/gcc + +causes the specified `gcc' to be used as the C compiler (unless it is +overridden in the site shell script). + +Unfortunately, this technique does not work for `CONFIG_SHELL' due to +an Autoconf bug. Until the bug is fixed you can use this workaround: + + CONFIG_SHELL=/bin/bash /bin/bash ./configure CONFIG_SHELL=/bin/bash + +`configure' Invocation +====================== + + `configure' recognizes the following options to control how it +operates. + +`--help' +`-h' + Print a summary of all of the options to `configure', and exit. + +`--help=short' +`--help=recursive' + Print a summary of the options unique to this package's + `configure', and exit. The `short' variant lists options used + only in the top level, while the `recursive' variant lists options + also present in any nested packages. + +`--version' +`-V' + Print the version of Autoconf used to generate the `configure' + script, and exit. + +`--cache-file=FILE' + Enable the cache: use and save the results of the tests in FILE, + traditionally `config.cache'. FILE defaults to `/dev/null' to + disable caching. + +`--config-cache' +`-C' + Alias for `--cache-file=config.cache'. + +`--quiet' +`--silent' +`-q' + Do not print messages saying which checks are being made. To + suppress all normal output, redirect it to `/dev/null' (any error + messages will still be shown). + +`--srcdir=DIR' + Look for the package's source code in directory DIR. Usually + `configure' can determine that directory automatically. + +`--prefix=DIR' + Use DIR as the installation prefix. *note Installation Names:: + for more details, including other options available for fine-tuning + the installation locations. + +`--no-create' +`-n' + Run the configure checks, but stop before creating any output + files. + +`configure' also accepts some other, not widely useful, options. Run +`configure --help' for more details. + |