summaryrefslogtreecommitdiffstats
path: root/INSTALL
diff options
context:
space:
mode:
Diffstat (limited to 'INSTALL')
-rw-r--r--INSTALL937
1 files changed, 937 insertions, 0 deletions
diff --git a/INSTALL b/INSTALL
new file mode 100644
index 0000000..b8f9be6
--- /dev/null
+++ b/INSTALL
@@ -0,0 +1,937 @@
+Sudo installation instructions
+==============================
+
+Sudo uses a `configure' script to probe the capabilities and type
+of the system in question. In this release, `configure' takes many
+more options than it did before. Please read this document fully
+before configuring and building sudo. You may also wish to read the
+file INSTALL.configure which explains more about the `configure' script.
+
+System requirements
+===================
+
+To build sudo from the source distribution you need a POSIX-compliant
+operating system (any modern version of BSD, Linux or Unix should work),
+an ANSI/ISO C compiler that supports the "long long" type, variadic
+macros (a C99 feature) as well as the ar, make and ranlib utilities.
+
+If you wish to modify the parser then you will need flex version
+2.5.2 or later and either bison or byacc (sudo comes with a
+pre-generated parser). You'll also have to run configure with the
+--with-devel option or pass DEVEL=1 to make. You can get flex from
+http://flex.sourceforge.net/. You can get GNU bison from
+ftp://ftp.gnu.org/pub/gnu/bison/ or any GNU mirror.
+
+Simple sudo installation
+========================
+
+For most systems and configurations it is possible simply to:
+
+ 0) If you are upgrading from a previous version of sudo
+ please read the info in the UPGRADE file before proceeding.
+
+ 1) Read the `OS dependent notes' section for any particular
+ "gotchas" relating to your operating system.
+
+ 2) `cd' to the source or build directory and type `./configure'
+ to generate a Makefile and config.h file suitable for building
+ sudo. Before you actually run configure you should read the
+ `Available configure options' section to see if there are
+ any special options you may want or need.
+
+ 4) Type `make' to compile sudo. If you are building sudo
+ in a separate build tree (apart from the sudo source) GNU
+ make will probably be required. If `configure' did its job
+ properly (and you have a supported configuration) there won't
+ be any problems. If this doesn't work, take a look at the
+ doc/TROUBLESHOOTING file for tips on what might have gone
+ wrong. Please mail us if you have a fix or if you are unable
+ to come up with a fix (address at EOF).
+
+ 5) Type `make install' (as root) to install sudo, visudo, the
+ man pages, and a skeleton sudoers file. Note that the install
+ will not overwrite an existing sudoers file. You can also
+ install various pieces the package via the install-binaries,
+ install-doc, and install-sudoers make targets.
+
+ 6) Edit the sudoers file with `visudo' as necessary for your
+ site. You will probably want to refer the example sudoers
+ file and sudoers man page included with the sudo package.
+
+ 7) If you want to use syslogd(8) to do the logging, you'll need
+ to update your /etc/syslog.conf file. See the example syslog.conf
+ file included in the distribution for an example.
+
+Available configure options
+===========================
+
+This section describes flags accepted by the sudo's `configure' script.
+Defaults are listed in brackets after the description.
+
+Configuration:
+ --cache-file=FILE
+ Cache test results in FILE
+
+ --config-cache, -C
+ Alias for `--cache-file=config.cache'
+
+ --help, -h
+ Print the usage/help info
+
+ --no-create, -n
+ Do not create output files
+
+ --quiet, --silent, -q
+ Do not print `checking...' messages
+
+ --srcdir=DIR
+ Find the sources in DIR [configure dir or `..']
+
+Directory and file names:
+ --prefix=PREFIX
+ Install architecture-independent files in PREFIX. [/usr/local]
+
+ --exec-prefix=EPREFIX
+ Install architecture-dependent files in EPREFIX.
+ This includes the executables and plugins. [same as PREFIX]
+
+ --bindir=DIR
+ Install `sudo', `sudoedit' and `sudoreplay' in DIR. [EPREFIX/bin]
+
+ --sbindir=DIR
+ Install `visudo' in DIR. [EPREFIX/sbin]
+
+ --libexecdir=DIR
+ Install plugins and helper programs in DIR/sudo [PREFIX/libexec/sudo]
+
+ --sysconfdir=DIR
+ Look for `sudo.conf' and `sudoers' files in DIR. [/etc]
+
+ --includedir=DIR
+ Install sudo_plugin.h include file in DIR [PREFIX/include]
+
+ --datarootdir=DIR
+ Root directory for platform-independent data files [PREFIX/share]
+
+ --localedir=DIR
+ Install sudo and sudoers locale files in DIR [DATAROOTDIR/locale]
+
+ --mandir=DIR
+ Install man pages in DIR [PREFIX/man]
+
+ --docdir=DIR
+ Install other sudo documentation in DIR [DATAROOTDIR/doc/sudo]
+
+ --with-exampledir=DIR
+ Install sudo example files in DIR [DATAROOTDIR/doc/sudo/examples]
+
+ --with-plugindir=DIR
+ The directory that sudo looks in to find the policy and I/O
+ logging plugins. Defaults to the LIBEXEC/sudo.
+
+ --with-rundir=DIR
+ The directory to be used for sudo-specific files that do
+ not survive a system reboot. This is typically where the
+ time stamp directory is located. By default, configure
+ will choose from the following list:
+ /run/sudo /var/run/sudo, /var/db/sudo, /var/lib/sudo,
+ /var/adm/sudo, /usr/adm/sudo
+ This directory should be cleared when the system reboots.
+ On systems that lack /run or /var/run, the default rundir and
+ vardir may be the same. In this case, only the ts directory
+ inside the rundir needs to be cleared at boot time.
+
+ --with-vardir=DIR
+ The directory to be used for sudo-specific files that survive
+ a system reboot. This is typically where the lecture status
+ directory is stored. By default, configure will choose
+ from the following list:
+ /var/db/sudo, /var/lib/sudo, /var/adm/sudo, /usr/adm/sudo
+ This directory should *not* be cleared when the system boots.
+
+ --with-tzdir=DIR
+ The directory to the system's time zone data files. This
+ is only used when sanitizing the TZ environment variable
+ to allow for fully-qualified paths in TZ. By default,
+ configure will look for an existing "zoneinfo" directory
+ in the following locations:
+ /usr/share /usr/share/lib /usr/lib /etc
+ If no zoneinfo directory is found, the TZ variable may not
+ contain a fully-qualified path.
+
+Compilation options:
+ --disable-hardening
+ Disable the use of compiler/linker exploit mitigation options
+ which are enabled by default. This includes compiling with
+ _FORTIFY_SOURCE defined to 2, building with -fstack-protector
+ and linking with -zrelro, where supported.
+
+ --enable-asan
+ Enable the use of AddressSanitizer if supported by the
+ compiler. This can help detect common problems such as
+ buffer overflows and user after free bugs as well as behavior
+ undefined by the C standard. For more information see
+ https://github.com/google/sanitizers/wiki/AddressSanitizer
+ The following compiler flag is used: -fsanitize=address,undefined
+
+ This option should only be used for testing and not in a
+ production environment. Due to AddressSanitizer's unchecked
+ use of environment variables, it is trivial to exploit a
+ setuid root executable such as sudo.
+
+ --enable-pie
+ Build sudo and related programs as as a position independent
+ executables (PIE). This improves the effectiveness of address
+ space layout randomization (ASLR) on systems that support it.
+ Sudo will create PIE binaries by default on Linux systems.
+
+ --disable-pie
+ Disable the creation of position independent executables (PIE),
+ even if the compiler creates PIE binaries by default. This
+ option may be needed on some Linux systems where PIE binaries
+ are not fully supported.
+
+ --disable-poll
+ Use select() instead of poll() in the event loop. By default,
+ sudo will use poll() on systems that support it. Some systems
+ have a broken poll() implementation and need to use select instead.
+ On Mac OS X, select() is always used since its poll() doesn't
+ support devices.
+
+ --disable-rpath
+ By default, configure will use -Rpath in addition to -Lpath
+ when passing library paths to the loader. This option will
+ disable the use of -Rpath.
+
+ --disable-shared
+ Disable dynamic shared object support. By default, sudo
+ is built with a plugin API capable of loading arbitrary
+ policy and I/O logging plugins. If the --disable-shared
+ option is specified, this support is disabled and the default
+ sudoers policy and I/O plugins are embedded in the sudo
+ binary itself. This will also disable the noexec option
+ as it too relies on dynamic shared object support.
+
+ --disable-shared-libutil
+ Disable the use of the dynamic libsudo_util library. By
+ default, sudo, the sudoers plugin and the associated sudo
+ utilities are linked against a shared version of libsudo_util.
+ If the --disable-shared-libutil option is specified, a
+ static version of the libsudo_util library will be used
+ instead. This option may only be used in conjunction with
+ the --enable-static-sudoers option.
+
+ --enable-static-sudoers
+ By default, the sudoers plugin is built and installed as a
+ dynamic shared object. When the --enable-static-sudoers
+ option is specified, the sudoers plugin is compiled directly
+ into the sudo binary. Unlike --disable-shared, this does
+ not prevent other plugins from being used and the noexec
+ option will continue to function.
+
+ --enable-tmpfiles.d=DIR
+ Set the directory to be used when installing the sudo
+ tmpfiles.d file. This is used to create (or clear) the
+ sudo time stamp directory on operating systems that use
+ systemd. If this option is not specified, configure will
+ use the /usr/lib/tmpfiles.d directory if the file
+ /usr/lib/tmpfiles.d/systemd.conf exists.
+
+ --enable-zlib[=location]
+ Enable the use of the zlib compress library when storing
+ I/O log files. If specified, location is the base directory
+ containing the zlib include and lib directories. The special
+ values "system", "builtin", "shared" and "static" can be
+ used to indicate that the system version of zlib should be
+ used or that the version of zlib shipped with sudo should
+ be used instead. If "static" is specified, sudo will
+ statically link the builtin zlib and not install it. If
+ this option is not specified, configure will use the system
+ zlib if it is present, falling back on the sudo version.
+
+ --with-incpath=DIR
+ Adds the specified directory (or directories) to CPPFLAGS
+ so configure and the compiler will look there for include
+ files. Multiple directories may be specified as long as
+ they are space separated.
+ E.g. --with-incpath="/usr/local/include /opt/include"
+
+ --with-libpath=DIR
+ Adds the specified directory (or directories) to LDFLAGS
+ so configure and the compiler will look there for libraries.
+ Multiple directories may be specified as with --with-incpath.
+
+ --with-libraries=LIBRARY
+ Adds the specified library (or libraries) to SUDO_LIBS and
+ and VISUDO_LIBS so sudo will link against them. If the
+ library doesn't start with `-l' or end in `.a' or `.o' a
+ `-l' will be pre-pended to it. Multiple libraries may be
+ specified as long as they are space separated.
+
+ --with-libtool=PATH
+ By default, sudo will use the included version of libtool
+ to build shared libraries. The --with-libtool option can
+ be used to specify a different version of libtool to use.
+ The special values "system" and "builtin" can be used in
+ place of a path to denote the default system libtool (obtained
+ via the user's PATH) and the default libtool that comes
+ with sudo.
+
+Optional features:
+ --disable-root-mailer
+ By default sudo will run the mailer as root when tattling
+ on a user so as to prevent that user from killing the mailer.
+ With this option, sudo will run the mailer as the invoking
+ user which some people consider to be safer.
+
+ --enable-nls[=location]
+ Enable natural language support using the gettext() family
+ of functions. If specified, location is the base directory
+ containing the libintl include and lib directories. If
+ this option is not specified, configure will look for the
+ gettext() family of functions in the standard C library
+ first, then check for a standalone libintl (linking with
+ libiconv as needed).
+
+ --disable-nls
+ Disable natural language support. By default, sudo will
+ use the gettext() family of functions, if available, to
+ implement messages in the invoking user's native language.
+ Note that translations do not exist for all languages.
+
+ --with-ldap[=DIR]
+ Enable LDAP support. If specified, DIR is the base directory
+ containing the LDAP include and lib directories. Please see
+ README.LDAP for more information.
+
+ --with-ldap-conf-file=PATH
+ Path to LDAP configuration file. If specified, sudo reads
+ this file instead of /etc/ldap.conf to locate the LDAP server.
+
+ --with-ldap-secret-file=PATH
+ Path to LDAP secret password file. If specified, sudo uses
+ this file instead of /etc/ldap.secret to read the secret password
+ when rootbinddn is specified in the ldap config file.
+
+ --disable-sasl
+ Disable SASL authentication for LDAP. By default, sudo
+ will compile in support for SASL authentication if the
+ ldap_sasl_interactive_bind_s() function is present in the
+ LDAP libraries.
+
+ --with-logincap
+ This adds support for login classes specified in /etc/login.conf.
+ It is enabled by default on BSD/OS, Darwin, FreeBSD, OpenBSD and
+ NetBSD (where available). By default, a login class is not applied
+ unless the 'use_loginclass' option is defined in sudoers or the user
+ specifies a class on the command line.
+
+ --with-interfaces=no, --without-interfaces
+ This option keeps sudo from trying to glean the ip address
+ from each attached Ethernet interface. It is only useful
+ on a machine where sudo's interface reading support does
+ not work, which may be the case on some SysV-based OS's
+ using STREAMS.
+
+ --with-noexec[=PATH]
+ Enable support for the "noexec" functionality which prevents
+ a dynamically-linked program being run by sudo from executing
+ another program (think shell escapes). Please see the
+ "PREVENTING SHELL ESCAPES" section in the sudoers man page
+ for details. If specified, PATH should be a fully qualified
+ path name, e.g. /usr/local/libexec/sudo/sudo_noexec.so. If PATH
+ is "no", noexec support will not be compiled in. The default
+ is to compile noexec support if libtool supports building
+ shared objects on your OS.
+
+ --with-selinux
+ Enable support for role based access control (RBAC) on
+ systems that support SELinux.
+
+ --with-sssd
+ Enable support for using the System Security Services Daemon
+ (SSSD) as a sudoers data source. For more information on
+ SSD, see http://fedorahosted.org/sssd/
+
+ --with-sssd-conf=PATH
+ Specify the path to the SSSD configuration file, if different
+ from the default value of /etc/sssd/sssd.conf.
+
+ --with-sssd-lib=PATH
+ Specify the path to the SSSD shared library, which is loaded
+ at run-time.
+
+ --enable-offensive-insults
+ Enable potentially offensive sudo insults from the classic
+ version of sudo.
+
+ --enable-pvs-studio
+ Generate a sample PVS-Studio.cfg file based on the compiler and
+ platform type. The "pvs-studio" Makefile target can then be
+ used if PVS-Studio is installed.
+
+Operating system-specific options:
+ --disable-setreuid
+ Disable use of the setreuid() function for operating systems
+ where it is broken. For instance, 4.4BSD has setreuid() that
+ is not fully functional.
+
+ --disable-setresuid
+ Disable use of the setresuid() function for operating systems
+ where it is broken (none currently known).
+
+ --enable-admin-flag
+ Enable the creation of an Ubuntu-style admin flag file
+ the first time sudo is run.
+
+ --enable-devsearch=PATH
+ Set a system-specific search path of directories to look in
+ for device nodes. Sudo uses this when mapping the process's
+ tty device number to a device name. The default value is:
+ /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev
+
+ --with-bsm-audit
+ Enable support for sudo BSM audit logs on systems that support it.
+ This includes recent versions of FreeBSD, Mac OS X and Solaris.
+
+ --with-linux-audit
+ Enable audit support for Linux systems. Audits attempts
+ to run a command as well as SELinux role changes.
+
+ --with-man
+ Use the "man" macros for manual pages. By default, mdoc versions
+ of the manuals are installed if supported. This can be used to
+ override configure's test for "nroff -mdoc" support.
+
+ --with-mdoc
+ Use the "mdoc" macros for manual pages. By default, mdoc versions
+ of the manuals are installed if supported. This can be used to
+ override configure's test for "nroff -mdoc" support.
+
+ --with-netsvc[=PATH]
+ Path to netsvc.conf or "no" to disable netsvc.conf support.
+ If specified, sudo uses this file instead of /etc/netsvc.conf
+ on AIX systems. If netsvc support is disabled but LDAP is
+ enabled, sudo will check LDAP first, then the sudoers file.
+
+ --with-nsswitch[=PATH]
+ Path to nsswitch.conf or "no" to disable nsswitch support.
+ If specified, sudo uses this file instead of /etc/nsswitch.conf.
+ If nsswitch support is disabled but LDAP is enabled, sudo will
+ check LDAP first, then the sudoers file.
+
+ --with-project
+ Enable support for Solaris project resource limits.
+ This option is only available on Solaris 9 and above.
+
+Authentication options:
+ --with-AFS
+ Enable AFS support with Kerberos authentication. Should work under
+ AFS 3.3. If your AFS doesn't have -laudit you should be able to
+ link without it.
+
+ --with-aixauth
+ Enable support for the AIX general authentication function.
+ This will use the authentication scheme specified for the
+ user on the machine. By default, sudo will use either AIX
+ authentication or PAM depending on the value of the auth_type
+ setting in the /etc/security/login.cfg file.
+
+ --with-bsdauth
+ Enable support for BSD authentication. This is the default
+ for BSD/OS and OpenBSD systems that support it.
+ It is not possible to mix BSD authentication with other
+ authentication methods (and there really should be no need
+ to do so). Note that only the newer BSD authentication API
+ is supported. If you don't have /usr/include/bsd_auth.h
+ then you cannot use this.
+
+ --with-DCE
+ Enable DCE support for systems without PAM. Known to work on
+ HP-UX 9.X, 10.X, and 11.0; other systems may require source
+ code and/or `configure' changes. On systems with PAM support
+ (such as HP-UX 11.0 and higher, Solaris, FreeBSD and Linux), the
+ DCE PAM module (usually libpam_dce) should be used instead.
+
+ --with-fwtk[=DIR]
+ Enable TIS Firewall Toolkit (FWTK) 'authsrv' support. If specified,
+ DIR is the base directory containing the compiled FWTK package
+ (or at least the library and header files).
+
+ --with-kerb5[=DIR]
+ Enable Kerberos V support. If specified, DIR is the base
+ directory containing the Kerberos V include and lib dirs.
+ This uses Kerberos pass phrases for authentication but
+ does not use the Kerberos cookie scheme. Will not work for
+ Kerberos V older than version 1.1.
+
+ --enable-kerb5-instance=string
+ By default, the user name is used as the principal name
+ when authenticating via Kerberos V. If this option is
+ enabled, the specified instance string will be appended to
+ the user name (separated by a slash) when creating the
+ principal name.
+
+ --with-solaris-audit
+ Enable audit support for Solaris 11 and above.
+ For older versions of Solaris, use --with-bsm-audit
+
+ --with-opie[=DIR]
+ Enable NRL OPIE OTP (One Time Password) support. If specified,
+ DIR should contain include and lib directories with opie.h
+ and libopie.a respectively.
+
+ --with-otp-only
+ This option is now just an alias for --without-passwd.
+
+ --with-pam
+ Enable PAM support. This is on by default for Darwin, FreeBSD,
+ Linux, Solaris and HP-UX (version 11 and higher).
+
+ NOTE: on RedHat Linux and Fedora you *must* have an /etc/pam.d/sudo
+ file install. You may either use the example pam.conf file included
+ with sudo or use /etc/pam.d/su as a reference. The pam.conf file
+ included with sudo may or may not work with other Linux distributions.
+ On Solaris and HP-UX 11 systems you should check (and understand)
+ the contents of /etc/pam.conf. Do a "man pam.conf" for more
+ information and consider using the "debug" option, if available,
+ with your PAM libraries in /etc/pam.conf to obtain syslog output
+ for debugging purposes.
+
+ --with-pam-login
+ Enable a specific PAM session when sudo is given the -i option.
+ This changes the PAM service name when sudo is run with the -i
+ option from "sudo" to "sudo-i", allowing for a separate pam
+ configuration for sudo's initial login mode.
+
+ --disable-pam-session
+ Disable sudo's PAM session support. This may be needed on
+ older PAM implementations or on operating systems where
+ opening a PAM session changes the utmp or wtmp files. If
+ PAM session support is disabled, resource limits may not
+ be updated for the command being run.
+
+ --with-passwd=no, --without-passwd
+ This option excludes authentication via the passwd (or
+ shadow) file. It should only be used when another, alternative,
+ authentication scheme is in use.
+
+ --with-SecurID[=DIR]
+ Enable SecurID support. If specified, DIR is directory containing
+ libaceclnt.a, acexport.h, and sdacmvls.h.
+
+ --with-skey[=DIR]
+ Enable S/Key OTP (One Time Password) support. If specified,
+ DIR should contain include and lib directories with skey.h
+ and libskey.a respectively.
+
+ --disable-sia
+ Disable SIA support. This is the "Security Integration
+ Architecture" on Digital UNIX. If you disable SIA sudo will
+ use its own authentication routines.
+
+ --disable-shadow
+ Disable shadow password support. Normally, sudo will compile
+ in shadow password support and use a shadow password if it
+ exists.
+
+ --enable-gss-krb5-ccache-name
+ Use the gss_krb5_ccache_name() function to set the Kerberos
+ V credential cache file name. By default, sudo will use
+ the KRB5CCNAME environment variable to set this. While
+ gss_krb5_ccache_name() provides a better API to do this it
+ is not supported by all Kerberos V and SASL combinations.
+
+ --enable-gcrypt[=DIR]
+ Use GNU crypt's SHA-2 message digest functions instead of the
+ ones bundled with sudo (or in the system's C library).
+ If specified, DIR should contain include and lib directories
+ with gcrypt.h and libgcrypt respectively.
+
+ --enable-openssl[=DIR]
+ Use OpenSSL's SHA-2 message digest functions instead of the
+ ones bundled with sudo (or in the system's C library).
+ If specified, DIR should contain include and lib directories
+ with openssl/sha.h and libcrypto respectively.
+
+Development options:
+ --enable-env-debug
+ Enable debugging of the environment setting functions. This
+ enables extra checks to make sure the environment does not
+ become corrupted.
+
+ --enable-warnings
+ Enable compiler warnings when building sudo with gcc.
+
+ --enable-werror
+ Enable the -Werror compiler option when building sudo with gcc.
+
+ --with-devel
+ Configure development options. This will enable compiler warnings
+ and set up the Makefile to be able to regenerate the sudoers parser
+ as well as the manual pages.
+
+ --with-efence
+ Link with the "electric fence" debugging malloc.
+
+Options that set runtime-changeable default values:
+ --disable-authentication
+ By default, sudo requires the user to authenticate via a
+ password or similar means. This options causes sudo to
+ *not* require authentication. It is possible to turn
+ authentication back on in sudoers via the PASSWD attribute.
+ Sudoers option: !authenticate
+
+ --disable-env-reset
+ Disable environment resetting. This sets the default value
+ of the "env_reset" Defaults option in sudoers to false.
+ Sudoers option: !env_reset
+
+ --disable-path-info
+ Normally, sudo will tell the user when a command could not be found
+ in their $PATH. Some sites may wish to disable this as it could
+ be used to gather information on the location of executables that
+ the normal user does not have access to. The disadvantage is that
+ if the executable is simply not in the user's path, sudo will tell
+ the user that they are not allowed to run it, which can be confusing.
+ Sudoers option: path_info
+
+ --disable-root-sudo
+ Don't let root run sudo. This can be used to prevent people from
+ "chaining" sudo commands to get a root shell by doing something
+ like "sudo sudo /bin/sh".
+ Sudoers option: !root_sudo
+
+ --disable-zlib
+ Disable the use of the zlib compress library when storing
+ I/O log files.
+ Sudoers option: !compress_io
+
+ --enable-log-host
+ Log the hostname in the log file.
+ Sudoers option: log_host
+
+ --enable-noargs-shell
+ If sudo is invoked with no arguments it acts as if the "-s" flag had
+ been given. That is, it runs a shell as root (the shell is determined
+ by the SHELL environment variable, falling back on the shell listed
+ in the invoking user's /etc/passwd entry).
+ Sudoers option: shell_noargs
+
+ --enable-shell-sets-home
+ If sudo is invoked with the "-s" flag the HOME environment variable
+ will be set to the home directory of the target user (which is root
+ unless the "-u" option is used). This option effectively makes the
+ "-s" flag imply "-H".
+ Sudoers option: set_home
+
+ --enable-timestamp-type=TYPE
+ Set the default time stamp record type. The TYPE may be "global"
+ (a single record per user), "ppid" (a single record for process
+ with the same parent process), or "tty" (a separate record for
+ each login session). The default is "tty".
+ Sudoers option: timestamp_type
+
+ --with-all-insults
+ Include all the insult sets listed below. You must either specify
+ --with-insults or enable insults in the sudoers file for this to
+ have any effect.
+
+ --with-askpass=PATH
+ Set PATH as the "askpass" program to use when no tty is
+ available. Typically, this is a graphical password prompter,
+ similar to the one used by ssh. The program must take a
+ prompt as an argument and print the received password to
+ the standard output. This value may overridden at run-time
+ in the sudo.conf file.
+
+ --with-badpass-message="BAD PASSWORD MESSAGE"
+ Message that is displayed if a user enters an incorrect password.
+ The default is "Sorry, try again." unless insults are turned on.
+ Sudoers option: badpass_message
+
+ --with-badpri=PRIORITY
+ Determines which syslog priority to log unauthenticated
+ commands and errors. The following priorities are supported:
+ alert, crit, debug, emerg, err, info, notice, and warning.
+ Sudoers option: syslog_badpri
+
+ --with-classic-insults
+ Uses insults from sudo "classic." If you just specify --with-insults
+ you will get the classic and CSOps insults. This is on by default if
+ --with-insults is given.
+
+ --with-csops-insults
+ Insults the user with an extra set of insults (some quotes, some
+ original) from a sysadmin group at CU (CSOps). You must specify
+ --with-insults as well for this to have any effect. This is on by
+ default if --with-insults is given.
+
+ --with-editor=PATH
+ Specify the default editor path for use by visudo. This may be a
+ single path name or a colon-separated list of editors. In the latter
+ case, visudo will choose the editor that matches the user's VISUAL
+ or EDITOR environment variables or the first editor in the list that
+ exists. The default is the path to vi on your system.
+ Sudoers option: editor
+
+ --with-env-editor
+ Makes visudo consult the VISUAL and EDITOR environment variables before
+ falling back on the default editor list (as specified by --with-editor).
+ Note that this may create a security hole as it allows the user to
+ run any arbitrary command as root without logging. A safer alternative
+ is to use a colon-separated list of editors with the --with-editor
+ option. visudo will then only use the VISUAL or EDITOR variables
+ if they match a value specified via --with-editor.
+ Sudoers option: env_editor
+
+ --with-exempt=GROUP
+ Users in the specified group don't need to enter a password when
+ running sudo. This may be useful for sites that don't want their
+ "core" sysadmins to have to enter a password but where Jr. sysadmins
+ need to. You should probably use NOPASSWD in sudoers instead.
+ Sudoers option: exempt_group
+
+ --with-fqdn
+ Define this if you want to put fully qualified host names in the sudoers
+ file. Ie: instead of myhost you would use myhost.mydomain.edu. You may
+ still use the short form if you wish (and even mix the two). Beware
+ that turning FQDN on requires sudo to make DNS lookups which may make
+ sudo unusable if your DNS is totally hosed. Also note that you must
+ use the host's official name as DNS knows it. That is, you may not use
+ a host alias (CNAME entry) due to performance issues and the fact that
+ there is no way to get all aliases from DNS.
+ Sudoers option: fqdn
+
+ --with-goodpri=PRIORITY
+ Determines which syslog priority to log successfully
+ authenticated commands. The following priorities are
+ supported: alert, crit, debug, emerg, err, info, notice,
+ and warning.
+ Sudoers option: syslog_goodpri
+
+ --with-python-insults
+ Insults the user with lines from "Monty Python's Flying Circus" when an
+ incorrect password is entered. You must either specify --with-insults or
+ enable insults in the sudoers file for this to have any effect.
+
+ --with-goons-insults
+ Insults the user with lines from the "Goon Show" when an incorrect
+ password is entered. You must either specify --with-insults or
+ enable insults in the sudoers file for this to have any effect.
+
+ --with-hal-insults
+ Uses 2001-like insults when an incorrect password is entered.
+ You must either specify --with-insults or enable insults in the
+ sudoers file for this to have any effect.
+
+ --with-ignore-dot
+ If set, sudo will ignore '.' or '' (current dir) in $PATH.
+ The $PATH itself is not modified.
+ Sudoers option: ignore_dot
+
+ --with-insults
+ Define this if you want to be insulted for typing an incorrect password
+ just like the original sudo(8). This is off by default.
+ Sudoers option: insults
+
+ --with-insults=disabled
+ Include support for insults but disable them unless explicitly
+ enabled in sudoers.
+ Sudoers option: !insults
+
+ --with-iologdir[=DIR]
+ By default, sudo stores I/O log files in either /var/log/sudo-io,
+ /var/adm/sudo-io, or /usr/log/sudo-io. If this option is
+ specified, I/O logs will be stored in the indicated directory
+ instead.
+ Sudoers option: iolog_dir
+
+ --with-lecture=no, --without-lecture
+ Don't print the lecture the first time a user runs sudo.
+ Sudoers option: !lecture
+
+ --with-logfac=FACILITY
+ Determines which syslog facility to log to. This requires
+ a 4.3BSD or later version of syslog. You can still set
+ this for ancient syslogs but it will have no effect. The
+ following facilities are supported: authpriv (if your OS
+ supports it), auth, daemon, user, local0, local1, local2,
+ local3, local4, local5, local6, and local7.
+ Sudoers option: syslog
+
+ --with-logging=TYPE
+ How you want to do your logging. You may choose "syslog",
+ "file", or "both". Setting this to "syslog" is nice because
+ you can keep all of your sudo logs in one place (see the
+ example syslog.conf file). The default is "syslog".
+ Sudoers options: syslog and logfile
+
+ --with-loglen=NUMBER
+ Number of characters per line for the file log. This is only used if
+ you are to "file" or "both". This value is used to decide when to wrap
+ lines for nicer log files. The default is 80. Setting this to 0
+ will disable the wrapping.
+ Sudoers options: loglinelen
+
+ --with-logpath=PATH
+ Override the default location of the sudo log file and use
+ "path" instead. By default will use /var/log/sudo.log if
+ there is a /var/log dir, falling back to /var/adm/sudo.log
+ or /usr/adm/sudo.log if not.
+ Sudoers option: logfile
+
+ --with-long-otp-prompt
+ When validating with a One Time Password scheme (S/Key or
+ OPIE), a two-line prompt is used to make it easier to cut
+ and paste the challenge to a local window. It's not as
+ pretty as the default but some people find it more convenient.
+ Sudoers option: long_otp_prompt
+
+ --with-mail-if-no-user=no, --without-mail-if-no-user
+ Normally, sudo will mail to the "alertmail" user if the user invoking
+ sudo is not in the sudoers file. This option disables that behavior.
+ Sudoers option: mail_no_user
+
+ --with-mail-if-no-host
+ Send mail to the "alermail" user if the user exists in the sudoers
+ file, but is not allowed to run commands on the current host.
+ Sudoers option: mail_no_host
+
+ --with-mail-if-noperms
+ Send mail to the "alermail" user if the user is allowed to use sudo but
+ the command they are trying is not listed in their sudoers file entry.
+ Sudoers option: mail_no_perms
+
+ --with-mailsubject="SUBJECT OF MAIL"
+ Subject of the mail sent to the "mailto" user. The token "%h"
+ will expand to the hostname of the machine.
+ Default is "*** SECURITY information for %h ***".
+ Sudoers option: mailsub
+
+ --with-mailto=USER|MAIL_ALIAS
+ User (or mail alias) that mail from sudo is sent to.
+ This should go to a sysadmin at your site. The default is "root".
+ Sudoers option: mailto
+
+ --with-passprompt="PASSWORD PROMPT"
+ Default prompt to use when asking for a password; can be overridden
+ via the -p option and the SUDO_PROMPT environment variable. Supports
+ the "%H", "%h", "%U" and "%u" escapes as documented in the sudo
+ manual page. The default value is "Password:".
+ Sudoers option: passprompt
+
+ --with-password-timeout=NUMBER
+ Number of minutes before the sudo password prompt times out.
+ The default is 5, set this to 0 for no password timeout.
+ Sudoers option: passwd_timeout
+
+ --with-passwd-tries=NUMBER
+ Number of tries a user gets to enter his/her password before sudo logs
+ the failure and exits. The default is 3.
+ Sudoers option: passwd_tries
+
+ --with-runas-default=USER
+ The default user to run commands as if the -u flag is not specified
+ on the command line. This defaults to "root".
+ Sudoers option: runas_default
+
+ --with-secure-path[=PATH]
+ Path used for every command run from sudo(8). If you don't trust the
+ people running sudo to have a sane PATH environment variable you may
+ want to use this. Another use is if you want to have the "root path"
+ be separate from the "user path." You will need to customize the path
+ for your site. NOTE: this is not applied to users in the group
+ specified by --with-exemptgroup. If you do not specify a path,
+ "/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc" is used.
+ Sudoers option: secure_path
+
+ --with-sendmail=PATH
+ Override configure's guess as to the location of sendmail.
+ Sudoers option: mailerpath
+
+ --with-sendmail=no, --without-sendmail
+ Do not use sendmail to mail messages to the "mailto" user.
+ Use only if you don't run sendmail or the equivalent.
+ Sudoers options: !mailerpath or !mailto
+
+ --with-sudoers-mode=MODE
+ File mode for the sudoers file (octal). Note that if you
+ wish to NFS-mount the sudoers file this must be group
+ readable. This value may overridden at run-time in the
+ sudo.conf file. The default mode is 0440.
+
+ --with-sudoers-uid=UID
+ User id that "owns" the sudoers file. Note that this is
+ the numeric id, *not* the symbolic name. This value may
+ overridden at run-time in the sudo.conf file. The default
+ is 0.
+
+ --with-sudoers-gid=GID
+ Group id that "owns" the sudoers file. Note that this is
+ the numeric id, *not* the symbolic name. This value may
+ overridden at run-time in the sudo.conf file. The default
+ is 0.
+
+ --with-timeout=NUMBER
+ Number of minutes that can elapse before sudo will ask for a passwd
+ again. The default is 5, set this to 0 to always prompt for a password.
+ Sudoers option: timestamp_timeout
+
+ --with-umask=MASK
+ Umask to use when running the root command. The default is 0022.
+ Sudoers option: umask
+
+ --with-umask=no, --without-umask
+ Preserves the umask of the user invoking sudo.
+ Sudoers option: !umask
+
+ --with-umask-override
+ Use the umask specified in sudoers even if it is less restrictive
+ than the user's. The default is to use the intersection of the
+ user's umask and the umask specified in sudoers.
+ Sudoers option: umask_override
+
+OS dependent notes
+==================
+
+HP-UX:
+ The default C compiler shipped with HP-UX is not an ANSI compiler.
+ You must use either the HP ANSI C compiler or gcc to build sudo.
+ Binary packages of gcc are available from http://hpux.connect.org.uk/.
+
+ To prevent PAM from overriding the value of umask on HP-UX 11,
+ you will need to add a line like the following to /etc/pam.conf:
+
+ sudo session required libpam_hpsec.so.1 bypass_umask
+
+ If every command run via sudo displays information about the last
+ successful login and the last authentication failure you should
+ make use an /etc/pam.conf line like:
+
+ sudo session required libpam_hpsec.so.1 bypass_umask bypass_last_login
+
+Linux:
+ PAM and LDAP headers are not installed by default on most Linux
+ systems. You will need to install the "pam-dev" package if
+ /usr/include/security/pam_appl.h is not present on your system.
+ If you wish to build with LDAP support you will also need the
+ openldap-devel package.
+
+Mac OS X:
+ The pseudo-tty support in the Mac OS X kernel has bugs related
+ to its handling of the SIGTSTP, SIGTTIN and SIGTTOU signals.
+ It does not restart reads and writes when those signals are
+ delivered. This may cause problems for some commands when I/O
+ logging is enabled. The issue has been reported to Apple and
+ is bug id #7952709.
+
+Solaris:
+ You need to have a C compiler in order to build sudo. Since
+ Solaris does not come with one by default this means that you
+ either need to either install the Solaris Studio compiler suite,
+ available for free from www.oracle.com, or install the GNU C
+ compiler (gcc) which is can be installed via the pkg utility
+ on Solaris 11 and higher and is distributed on the Solaris
+ Companion CD for older Solaris releases. You can also download
+ gcc packages from http://www.opencsw.org/packages/CSWgcc4core/