diff options
Diffstat (limited to 'INSTALL.md')
-rw-r--r-- | INSTALL.md | 1051 |
1 files changed, 1051 insertions, 0 deletions
diff --git a/INSTALL.md b/INSTALL.md new file mode 100644 index 0000000..34f60f6 --- /dev/null +++ b/INSTALL.md @@ -0,0 +1,1051 @@ +Sudo installation instructions +============================== + +Sudo uses a `configure` script to probe the capabilities and type of the +system in question. Sudo's `configure` script has a large number of options +that control its behavior and enable or disable optional functionality. +Be sure to read this document fully before configuring and building sudo. +You may also wish to read the file INSTALL.configure which explains more +about the `configure` script itself. + +## System requirements + +To build sudo from the source distribution you need a POSIX-compliant +operating system (any modern version of BSD, Linux, or Unix should work), +an ANSI/ISO C compiler that supports the "long long" type, variadic +macros (a C99 feature) as well as the ar, make, and ranlib utilities. + +If you wish to modify the parser then you will need flex version +2.5.2 or later and either bison or byacc (sudo comes with a +pre-generated parser). You'll also have to run configure with the +--with-devel option or pass DEVEL=1 to make. You can get flex from +https://github.com/westes/flex/. You can get GNU bison from +https://ftp.gnu.org/pub/gnu/bison/ or any GNU mirror. + +Some systems will also require that development library packages be +installed. The sudo source distribution includes docker configurations +for common Linux distributions that are used for continuous integration +in the `docker` directory. See the appropriate OS-specific Dockerfile +for a list of packages required to build sudo. + +## Simple sudo installation + +1. If you are upgrading from a previous version of sudo, read + [docs/UPGRADE.md](docs/UPGRADE.md) before proceeding. + +2. Read the "OS dependent notes" section for any particular + "gotchas" relating to your operating system. + +3. `cd` to the source or build directory and type `./configure` + to generate a Makefile and config.h file suitable for building + sudo. Before you actually run configure you should read the + "Available configure options" section to see if there are + any special options you may want or need. + +4. Type `make` to compile sudo. If `configure` did its job properly (and + you have a supported configuration) there won't be any problems. If you + have a problem, check [docs/TROUBLESHOOTING.md](docs/TROUBLESHOOTING.md) + for tips on what might have gone wrong. If your problem is not covered, + you may file a bug report at https://bugzilla.sudo.ws/ or an issue at + https://github.com/sudo-project/sudo/issues/ (not both). + +5. Optionally, type `make check` to build and run the sudo unit and + regression tests. For more verbose output, use `make check-verbose`. + +6. Type `make install` (as root) to install sudo, visudo, the man + pages, and a skeleton sudoers file. The install will not overwrite + an existing sudoers file. You can also install various pieces of + the package via the install-binaries, install-doc, and install-sudoers + make targets. + +7. Edit the sudoers file with `visudo` as necessary for your + site. You will probably want to refer the example sudoers + file and sudoers man page included with the sudo package. + +8. If you want to use syslogd(8) to do the logging, you'll need to + update your `/etc/syslog.conf` file. See the examples/syslog.conf + file included in the distribution for an example. + +## Available configure options + +This section describes flags accepted by the sudo's `configure` script. +Defaults are listed in brackets after the description. + +### Configuration: + + --cache-file=FILE + Cache test results in FILE + + --config-cache, -C + Alias for --cache-file=config.cache + + --help, -h + Print the usage/help info + + --no-create, -n + Do not create output files + + --quiet, --silent, -q + Do not print "checking..." messages + + --srcdir=DIR + Find the sources in DIR [configure dir or ".."] + +### Directory and file names: + + --prefix=PREFIX + Install architecture-independent files in PREFIX. [/usr/local] + + --exec-prefix=EPREFIX + Install architecture-dependent files in EPREFIX. + This includes the executables and plugins. [same as PREFIX] + + --bindir=DIR + Install cvtsudoers, sudo, sudoedit, and sudoreplay in DIR. [EPREFIX/bin] + + --sbindir=DIR + Install sudo_logsrvd, sudo_sendlog, and visudo in DIR. [EPREFIX/sbin] + + --libexecdir=DIR + Install plugins and helper programs in DIR/sudo [PREFIX/libexec/sudo] + + --sysconfdir=DIR + Look for `sudo.conf` and `sudoers` files in DIR. [/etc] + + --includedir=DIR + Install sudo_plugin.h include file in DIR [PREFIX/include] + + --datarootdir=DIR + Root directory for platform-independent data files [PREFIX/share] + + --localedir=DIR + Install sudo and sudoers locale files in DIR [DATAROOTDIR/locale] + + --mandir=DIR + Install man pages in DIR [PREFIX/man] + + --docdir=DIR + Install other sudo documentation in DIR [DATAROOTDIR/doc/sudo] + + --with-exampledir=DIR + Install sudo example files in DIR [DATAROOTDIR/doc/sudo/examples] + + --with-plugindir=DIR + The directory that sudo looks in to find the policy and I/O + logging plugins. Defaults to the LIBEXEC/sudo. + + --with-rundir=DIR + The directory to be used for sudo-specific files that do + not survive a system reboot. This is typically where the + time stamp directory is located. By default, configure + will choose from the following list: /run/sudo /var/run/sudo, + /var/db/sudo, /var/lib/sudo, /var/adm/sudo, /usr/adm/sudo. + + This directory should be cleared when the system reboots. + On systems that lack /run or /var/run, the default rundir and + vardir may be the same. In this case, only the ts directory + inside the rundir needs to be cleared at boot time. + + --with-vardir=DIR + The directory to be used for sudo-specific files that survive + a system reboot. This is typically where the lecture status + directory is stored. By default, configure will choose + from the following list: /var/db/sudo, /var/lib/sudo, + /var/adm/sudo, /usr/adm/sudo. + + This directory should **not** be cleared when the system boots. + + --with-relaydir=DIR + The directory to be used for sudo_logsrvd relay temporary files. + When sudo_logsrvd is configured as a store-and-forward relay, + the journaled data is written to this directory before it is + forwarded to a relay server. + + --with-tzdir=DIR + The directory to the system's time zone data files. This + is only used when sanitizing the TZ environment variable + to allow for fully-qualified paths in TZ. By default, + configure will look for an existing "zoneinfo" directory + in the following locations: /usr/share, /usr/share/lib, + /usr/lib, /etc. + + If no zoneinfo directory is found, the TZ variable may not + contain a fully-qualified path. + +### Compilation options: + + --enable-sanitizer=[flags] + Enable the use of sanitizers such as AddressSanitizer and + UndefinedBehaviorSanitizer if supported by the compiler. + This can help detect common problems such as buffer overflows + and use after free bugs as well as behavior not defined by + the C standard. For more information see: + https://github.com/google/sanitizers/wiki + + If no flags are specified by the user, a default value of + "-fsanitize=address,undefined" will be used. + + This option should only be used for testing and not in a + production environment. Due to some sanitizers' unchecked + use of environment variables, it is trivial to exploit a + set-user-ID root executable such as sudo. + + --enable-fuzzer + Enable building sudo with the LLVM libFuzzer, see + https://www.llvm.org/docs/LibFuzzer.html for details. + The resulting binaries, beginning with "fuzz_" can be used + to test sudo. To run all the fuzzers for 8192 iterations, + "make fuzz" can be used. This option is generally used in + conjunction with --enable-sanitizer. + + Fuzzing currently requires the clang C compiler--it is not + supported by gcc. For best results, it is suggested to use + clang 11 or higher. Some of the fuzzers are known to hang + when used with earlier versions. + + This option should only be used for testing and not in a + production environment. + + --enable-fuzzer-engine=library + The library to use when linking fuzz targets instead of + LLVM's libFuzzer. It is intended to be set to the path to + an alternate fuzzing library, such as AFL++ or Honggfuzz. + + --enable-fuzzer-linker=command + An alternate linker command to use when building fuzz + targets, instead of clang. It may be necessary to set this + when using the --enable-fuzzer-engine option to link with + a fuzzer engine that requires C++ libraries. For oss-fuzz, + this option is used to cause fuzz targets to be linked with + clang++. + + --disable-hardening + Disable the use of compiler/linker exploit mitigation options + which are enabled by default. This includes compiling with + _FORTIFY_SOURCE defined to 2, building with -fstack-protector, + -fstack-clash-protection, -fcf-protection and linking with + -zrelro, -znow, and -znoexecstack where supported. + + --disable-ssp + Disable use of the -fstack-protector compiler option. + This does not affect the other hardening options. + + --disable-leaks + Avoid leaking memory even when we are headed for exit, + which helps reduce the noise from static and active analyzers. + This option should only be used for testing and not in a + production environment. + + --enable-pie + Build sudo and related programs as as a position independent + executables (PIE). This improves the effectiveness of address + space layout randomization (ASLR) on systems that support it. + Sudo will create PIE binaries by default on Linux systems. + + --disable-pie + Disable the creation of position independent executables (PIE), + even if the compiler creates PIE binaries by default. This + option may be needed on some Linux systems where PIE binaries + are not fully supported. + + --disable-poll + Use select() instead of poll() in the event loop. By default, + sudo will use poll() on systems that support it. Some systems + have a broken poll() implementation and need to use select instead. + On macOS, select() is always used since its poll() doesn't + support character devices. + + --disable-rpath + By default, configure will use -Rpath in addition to -Lpath + when passing library paths to the loader. This option will + disable the use of -Rpath. + + --disable-shared + Disable dynamic shared object support. By default, sudo + is built with a plugin API capable of loading arbitrary + policy and I/O logging plugins. If the --disable-shared + option is specified, this support is disabled and the default + sudoers policy and I/O plugins are embedded in the sudo + binary itself. This will also disable the intercept and noexec + options as they also rely on dynamic shared object support. + + --disable-shared-libutil + Disable the use of the dynamic libsudo_util library. By + default, sudo, the sudoers plugin and the associated sudo + utilities are linked against a shared version of libsudo_util. + If the --disable-shared-libutil option is specified, a + static version of the libsudo_util library will be used + instead. This option may only be used in conjunction with + the --enable-static-sudoers option. + + --enable-static-sudoers + By default, the sudoers plugin is built and installed as a + dynamic shared object. When the --enable-static-sudoers + option is specified, the sudoers plugin is compiled directly + into the sudo binary. Unlike --disable-shared, this does + not prevent other plugins from being used and the intercept + and noexec options will continue to function. + + --enable-tmpfiles.d=DIR + Set the directory to be used when installing the sudo + tmpfiles.d file. This is used to create (or clear) the + sudo time stamp directory on operating systems that use + systemd. If this option is not specified, configure will + use the /usr/lib/tmpfiles.d directory if the file + /usr/lib/tmpfiles.d/systemd.conf exists. + + --enable-zlib[=location] + Enable the use of the zlib compress library when storing + I/O log files. If specified, location is the base directory + containing the zlib include and lib directories. The special + values "system", "builtin", "shared", and "static" can be + used to indicate that the system version of zlib should be + used or that the version of zlib shipped with sudo should + be used instead. If "static" is specified, sudo will + statically link the builtin zlib and not install it. If + this option is not specified, configure will use the system + zlib if it is present, falling back on the sudo version. + + --with-incpath=DIR + Adds the specified directory (or directories) to CPPFLAGS + so configure and the compiler will look there for include + files. Multiple directories may be specified as long as + they are space separated. + E.g. --with-incpath="/usr/local/include /opt/include" + + --with-libpath=DIR + Adds the specified directory (or directories) to LDFLAGS + so configure and the compiler will look there for libraries. + Multiple directories may be specified as with --with-incpath. + + --with-libraries=LIBRARY + Adds the specified library (or libraries) to SUDO_LIBS and + and VISUDO_LIBS so sudo will link against them. If the + library doesn't start with "-l" or end in ".a" or ".o" a + "-l" will be prepended to it. Multiple libraries may be + specified as long as they are space separated. + + --with-libtool=PATH + By default, sudo will use the included version of libtool + to build shared libraries. The --with-libtool option can + be used to specify a different version of libtool to use. + The special values "system" and "builtin" can be used in + place of a path to denote the default system libtool (obtained + via the user's PATH) and the default libtool that comes + with sudo. + + --with-aix-soname=svr4 + Starting with version 1.9.13, sudo will build AIX-style + shared libraries and dynamic shared objects by default + instead of svr4-style.. This means that the default sudo + plugins are now .a (archive) files that contain a .so shared + object file instead of bare .so files. This was done to + improve compatibility with the AIX Freeware ecosystem, + specifically, the AIX Freeware build of OpenSSL. To restore + the old, pre-1.9.13 behavior, run configure using the + --with-aix-soname=svr4 option. + +### Optional features: + + --disable-root-mailer + By default sudo will run the mailer as root when tattling + on a user so as to prevent that user from killing the mailer. + With this option, sudo will run the mailer as the invoking + user which some people consider to be safer. + + --enable-nls[=location] + Enable natural language support using the gettext() family + of functions. If specified, location is the base directory + containing the libintl include and lib directories. If + this option is not specified, configure will look for the + gettext() family of functions in the standard C library + first, then check for a standalone libintl (linking with + libiconv as needed). + + --disable-nls + Disable natural language support. By default, sudo will + use the gettext() family of functions, if available, to + implement messages in the invoking user's native language. + Translations do not exist for all languages. + + --with-ldap[=DIR] + Enable LDAP support. If specified, DIR is the base directory + containing the LDAP include and lib directories. See + [README.LDAP.md](README.LDAP.md) for more information. + + --with-ldap-conf-file=PATH + Path to LDAP configuration file. If specified, sudo reads + this file instead of `/etc/ldap.conf` to locate the LDAP server. + + --with-ldap-secret-file=PATH + Path to LDAP secret password file. If specified, sudo uses + this file instead of `/etc/ldap.secret` to read the secret password + when rootbinddn is specified in the ldap config file. + + --disable-sasl + Disable SASL authentication for LDAP. By default, sudo + will compile in support for SASL authentication if the + ldap_sasl_interactive_bind_s() function is present in the + LDAP libraries. + + --with-apparmor + Enable support for the AppArmor Linux Security Module (LSM) on + supported systems. + + --with-logincap + This adds support for login classes specified in `/etc/login.conf`. + It is enabled by default on BSD/OS, Darwin, FreeBSD, OpenBSD, and + NetBSD (where available). By default, a login class is not applied + unless the "use_loginclass" option is defined in sudoers or the user + specifies a class on the command line. + + --with-interfaces=no, --without-interfaces + This option keeps sudo from trying to glean the ip address + from each attached network interface. It is only useful + on a machine where sudo's interface reading support does + not work, which may be the case on some SysV-based OS's + using STREAMS. + + --enable-intercept[=PATH] + Enable support for the "intercept" functionality which + allows sudo to perform a policy check when a dynamically-linked + program run by sudo attempts to execute another program. + This is also used to support the "log_subcmds" sudoers + setting. For example, this means that for a shell run + through sudo, the individual commands run by the shell are + also subject to rules in the sudoers file. See the + "Preventing Shell Escapes" section in the sudoers man page + for details. If specified, PATH should be a fully qualified + path name, e.g. /usr/local/libexec/sudo/sudo_intercept.so. + If PATH is "no", intercept support will not be compiled in. + The default is to compile intercept support if libtool + supports building shared objects on your system. + + --with-noexec[=PATH] + Enable support for the "noexec" functionality which prevents + a dynamically-linked program being run by sudo from executing + another program (think shell escapes). See the "Preventing + Shell Escapes" section in the sudoers man page for details. + If specified, PATH should be a fully qualified path name, + e.g. /usr/local/libexec/sudo/sudo_noexec.so. If PATH is + "no", noexec support will not be compiled in. The default + is to compile noexec support if libtool supports building + shared objects on your system. + + --with-selinux + Enable support for role based access control (RBAC) on systems + that support SELinux. + + --with-sssd + Enable support for using the System Security Services Daemon + (SSSD) as a sudoers data source. For more information on + SSD, see https://fedoraproject.org/wiki/Features/SSSD. + + --with-sssd-conf=PATH + Specify the path to the SSSD configuration file, if different + from the default value of `/etc/sssd/sssd.conf`. + + --with-sssd-lib=PATH + Specify the path to the SSSD shared library, which is loaded + at run-time. + + --enable-offensive-insults + Enable potentially offensive sudo insults from the classic + version of sudo. + + --enable-pvs-studio + Generate a sample PVS-Studio.cfg file based on the compiler and + platform type. The "pvs-studio" Makefile target can then be + used if PVS-Studio is installed. + + --enable-python + Enable support for sudo plugins written in Python 3. + This requires a Python 3 development environment (including + Python 3 header files). + + --disable-log-server + Disable building the sudo_logsrvd log server. + + --disable-log-client + Disable sudoers support for using the sudo_logsrvd log server. + +### Operating system-specific options: + + --disable-setreuid + Disable use of the setreuid() function for operating systems + where it is broken. For instance, 4.4BSD has setreuid() that + is not fully functional. + + --disable-setresuid + Disable use of the setresuid() function for operating systems + where it is broken (none currently known). + + --enable-admin-flag[=PATH] + Enable the creation of an Ubuntu-style admin flag file the + first time sudo is run. If PATH is not specified, the + default value is: + ~/.sudo_as_admin_successful + + --enable-devsearch=PATH + Set a system-specific search path of directories to look in + for device nodes. Sudo uses this when mapping the process's + tty device number to a device name. The default value is: + /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + + --with-bsm-audit + Enable support for sudo BSM audit logs on systems that support it. + This includes recent versions of FreeBSD, macOS and Solaris. + + --with-linux-audit + Enable audit support for Linux systems. Audits attempts + to run a command as well as SELinux role changes. + + --with-man + Use the "man" macros for manual pages. By default, mdoc versions + of the manuals are installed if supported. This can be used to + override configure's test for "nroff -mdoc" support. + + --with-mdoc + Use the "mdoc" macros for manual pages. By default, mdoc versions + of the manuals are installed if supported. This can be used to + override configure's test for "nroff -mdoc" support. + + --with-netsvc[=PATH] + Path to netsvc.conf or "no" to disable netsvc.conf support. + If specified, sudo uses this file instead of /etc/netsvc.conf + on AIX systems. If netsvc support is disabled but LDAP is + enabled, sudo will check LDAP first, then the sudoers file. + + --with-nsswitch[=PATH] + Path to nsswitch.conf or "no" to disable nsswitch support. + If specified, sudo uses this file instead of /etc/nsswitch.conf. + If nsswitch support is disabled but LDAP is enabled, sudo will + check LDAP first, then the sudoers file. + + --with-project + Enable support for Solaris project resource limits. + This option is only available on Solaris 9 and above. + +### Authentication options: + + --with-AFS + Enable AFS support with Kerberos authentication. Should work under + AFS 3.3. If your AFS doesn't have -laudit you should be able to + link without it. + + --with-aixauth + Enable support for the AIX general authentication function. + This will use the authentication scheme specified for the + user on the machine. By default, sudo will use either AIX + authentication or PAM depending on the value of the auth_type + setting in the `/etc/security/login.cfg` file. + + --with-bsdauth + Enable support for BSD authentication. This is the default + for BSD/OS and OpenBSD systems that support it. + It is not possible to mix BSD authentication with other + authentication methods (and there really should be no need + to do so). Only the newer BSD authentication API is + supported. If you don't have /usr/include/bsd_auth.h then + you cannot use this. + + --with-DCE + Enable DCE support for systems without PAM. Known to work on + HP-UX 9.X, 10.X, and 11.0; other systems may require source + code and/or `configure` changes. On systems with PAM support + (such as HP-UX 11.0 and higher, Solaris, FreeBSD, and Linux), the + DCE PAM module (usually libpam_dce) should be used instead. + + --with-fwtk[=DIR] + Enable TIS Firewall Toolkit (FWTK) "authsrv" support. If specified, + DIR is the base directory containing the compiled FWTK package + (or at least the library and header files). + + --with-kerb5[=DIR] + Enable Kerberos V support. If specified, DIR is the base + directory containing the Kerberos V include and lib dirs. + This uses Kerberos pass phrases for authentication but + does not use the Kerberos cookie scheme. Will not work for + Kerberos V older than version 1.1. + + --enable-kerb5-instance=string + By default, the user name is used as the principal name + when authenticating via Kerberos V. If this option is + enabled, the specified instance string will be appended to + the user name (separated by a slash) when creating the + principal name. + + --with-solaris-audit + Enable audit support for Solaris 11 and above. + For older versions of Solaris, use --with-bsm-audit + + --with-opie[=DIR] + Enable NRL OPIE OTP (One Time Password) support. If specified, + DIR should contain include and lib directories with opie.h + and libopie.a respectively. + + --with-otp-only + This option is now just an alias for --without-passwd. + + --with-pam + Enable PAM support. This is on by default for Darwin, FreeBSD, + Linux, NetBSD, Solaris, and HP-UX (version 11 and higher). + + On RedHat Linux and Fedora you **must** have an `/etc/pam.d/sudo` + file installed. You may either use the example pam.conf file included + with sudo or use `/etc/pam.d/su` as a reference. The pam.conf file + included with sudo may or may not work with other Linux distributions. + On Solaris and HP-UX 11 systems you should check (and understand) + the contents of `/etc/pam.conf`. Do a `man pam.conf` for more + information and consider using the "debug" option, if available, + with your PAM libraries in `/etc/pam.conf` to obtain syslog output + for debugging purposes. + + --with-pam-login + Enable a specific PAM session when sudo is given the -i option. + This changes the PAM service name when sudo is run with the -i + option from "sudo" to "sudo-i", allowing for a separate pam + configuration for sudo's initial login mode. + + --disable-pam-session + Disable sudo's PAM session support. This may be needed on + older PAM implementations or on operating systems where + opening a PAM session changes the utmp or wtmp files. If + PAM session support is disabled, resource limits may not + be updated for the command being run. + + --with-passwd=no, --without-passwd + This option excludes authentication via the passwd (or + shadow) file. It should only be used when another, alternative, + authentication scheme is in use. + + --with-SecurID[=DIR] + Enable SecurID support. If specified, DIR is directory containing + libaceclnt.a, acexport.h, and sdacmvls.h. + + --with-skey[=DIR] + Enable S/Key OTP (One Time Password) support. If specified, + DIR should contain include and lib directories with skey.h + and libskey.a respectively. + + --disable-sia + Disable SIA support. This is the "Security Integration + Architecture" on Digital UNIX. If you disable SIA sudo will + use its own authentication routines. + + --disable-shadow + Disable shadow password support. Normally, sudo will compile + in shadow password support and use a shadow password if it + exists. + + --enable-gss-krb5-ccache-name + Use the gss_krb5_ccache_name() function to set the Kerberos + V credential cache file name. By default, sudo will use + the KRB5CCNAME environment variable to set this. While + gss_krb5_ccache_name() provides a better API to do this it + is not supported by all Kerberos V and SASL combinations. + + --enable-gcrypt[=DIR] + Use GNU crypt's SHA-2 message digest functions instead of + OpenSSL or the ones bundled with sudo (or in the system's + C library). If specified, DIR should contain the GNU crypt + include and lib directories. This option only has an effect + when OpenSSL 1.0.1 or higher is not present on the system + or the --disable-openssl option is also specified. + + --enable-openssl[=DIR] + Use OpenSSL's TLS and SHA-2 message digest functions. If + it is detected, OpenSSL will be used by default unless the + sudo log client and server are disabled via the + --disable-log-client and --disable-log-server options. To + explicitly disable the use of OpenSSL, the --disable-openssl + option can be used. OpenSSL versions prior to 1.0.1 will + not be used as they do not support TLS 1.2. If specified, + DIR should contain the OpenSSL include and lib directories. + + --enable-openssl-pkgconfig-template=template + A printf-style template used to construct the name of the + openssl and libcrypto pkg-config files. For example, a + template of "e%s30" would cause "eopenssl30" and "libecrypto30" + to be used instead. This makes it possible to link with + the OpenSSL 3.0 package on OpenBSD. Defaults to "%s". + + --enable-wolfssl[=DIR] + Use wolfSSL's TLS and SHA-2 message digest functions. If + specified, DIR should contain the OpenSSL include and lib + directories. + +### Development options: + + --enable-env-debug + Enable debugging of the environment setting functions. This + enables extra checks to make sure the environment does not + become corrupted. + + --enable-warnings + Enable compiler warnings when building sudo with gcc or clang. + + --enable-werror + Enable the -Werror compiler option when building sudo with + gcc or clang. + + --with-devel + Configure development options. This will enable compiler warnings + and set up the Makefile to be able to regenerate the sudoers parser + as well as the manual pages. + +### Options that set runtime-changeable default values: + + --disable-authentication + By default, sudo requires the user to authenticate via a + password or similar means. This options causes sudo to + **not** require authentication. It is possible to turn + authentication back on in sudoers via the PASSWD attribute. + Sudoers option: !authenticate + + --disable-env-reset + Disable environment resetting. This sets the default value + of the "env_reset" Defaults option in sudoers to false. + Sudoers option: !env_reset + + --disable-path-info + Normally, sudo will tell the user when a command could not be found + in their $PATH. Some sites may wish to disable this as it could + be used to gather information on the location of executables that + the normal user does not have access to. The disadvantage is that + if the executable is simply not in the user's path, sudo will tell + the user that they are not allowed to run it, which can be confusing. + Sudoers option: path_info + + --disable-root-sudo + Don't let root run sudo. This can be used to prevent people from + "chaining" sudo commands to get a root shell by doing something + like `sudo sudo /bin/sh`. + Sudoers option: !root_sudo + + --disable-zlib + Disable the use of the zlib compress library when storing + I/O log files. + Sudoers option: !compress_io + + --enable-log-host + Log the hostname in the log file. + Sudoers option: log_host + + --enable-noargs-shell + If sudo is invoked with no arguments it acts as if the "-s" flag had + been given. That is, it runs a shell as root (the shell is determined + by the SHELL environment variable, falling back on the shell listed + in the invoking user's `/etc/passwd` entry). + Sudoers option: shell_noargs + + --enable-shell-sets-home + If sudo is invoked with the "-s" flag the HOME environment variable + will be set to the home directory of the target user (which is root + unless the "-u" option is used). This option effectively makes the + "-s" flag imply "-H". + Sudoers option: set_home + + --enable-timestamp-type=TYPE + Set the default time stamp record type. The TYPE may be "global" + (a single record per user), "ppid" (a single record for process + with the same parent process), or "tty" (a separate record for + each login session). The default is "tty". + Sudoers option: timestamp_type + + --with-all-insults + Include all the insult sets listed below. You must either specify + --with-insults or enable insults in the sudoers file for this to + have any effect. + + --with-askpass=PATH + Set PATH as the "askpass" program to use when no tty is + available. Typically, this is a graphical password prompter, + similar to the one used by ssh. The program must take a + prompt as an argument and print the received password to + the standard output. This value may overridden at run-time + in the sudo.conf file. + + --with-badpass-message="MESSAGE" + Message that is displayed if a user enters an incorrect password. + The default is "Sorry, try again." unless insults are turned on. + Sudoers option: badpass_message + + --with-badpri=PRIORITY + Determines which syslog priority to log unauthenticated + commands and errors. The following priorities are supported: + alert, crit, debug, emerg, err, info, notice, and warning. + Sudoers option: syslog_badpri + + --with-classic-insults + Uses insults from sudo "classic." If you just specify --with-insults + you will get the classic and CSOps insults. This is on by default if + --with-insults is given. + + --with-csops-insults + Insults the user with an extra set of insults (some quotes, some + original) from a sysadmin group at CU (CSOps). You must specify + --with-insults as well for this to have any effect. This is on by + default if --with-insults is given. + + --with-editor=PATH + Specify the default editor path for use by visudo. This may be a + single path name or a colon-separated list of editors. In the latter + case, visudo will choose the editor that matches the user's SUDO_EDITOR, + VISUAL or EDITOR environment variable, or the first editor in the list + that exists. The default is the path to vi on your system. + Sudoers option: editor + + --with-env-editor=no, --without-env-editor + By default, visudo will consult the SUDO_EDITOR, VISUAL, and EDITOR + environment variables before falling back on the default editor list + (as specified by --with-editor). visudo is typically run as root so + this option may allow a user with visudo privileges to run arbitrary + commands as root without logging. Some sites may with to disable this + and use a colon-separated list of "safe" editors with the --with-editor + option. visudo will then only use the SUDO_EDITOR, VISUAL, or EDITOR + variables if they match a value specified via --with-editor. + Sudoers option: env_editor + + --with-exempt=GROUP + Users in the specified group don't need to enter a password when + running sudo. This may be useful for sites that don't want their + "core" sysadmins to have to enter a password but where Jr. sysadmins + need to. You should probably use NOPASSWD in sudoers instead. + Sudoers option: exempt_group + + --with-fqdn + Define this if you want to put fully qualified host names in the sudoers + file. Ie: instead of myhost you would use myhost.mydomain.edu. You may + still use the short form if you wish (and even mix the two). Beware + that turning FQDN on requires sudo to make DNS lookups which may make + sudo unusable if your DNS is totally hosed. You must use the host's + official name as DNS knows it. That is, you may not use a host alias + (CNAME entry) due to performance issues and the fact that there is no + way to get all aliases from DNS. + Sudoers option: fqdn + + --with-goodpri=PRIORITY + Determines which syslog priority to log successfully authenticated + commands. The following priorities are supported: alert, crit, debug, + emerg, err, info, notice, and warning. + Sudoers option: syslog_goodpri + + --with-python-insults + Insults the user with lines from "Monty Python's Flying Circus" when an + incorrect password is entered. You must either specify --with-insults or + enable insults in the sudoers file for this to have any effect. + + --with-goons-insults + Insults the user with lines from the "Goon Show" when an incorrect + password is entered. You must either specify --with-insults or + enable insults in the sudoers file for this to have any effect. + + --with-hal-insults + Uses 2001-like insults when an incorrect password is entered. + You must either specify --with-insults or enable insults in the + sudoers file for this to have any effect. + + --with-ignore-dot + If set, sudo will ignore "." or "" (current dir) in $PATH. + The $PATH itself is not modified. + Sudoers option: ignore_dot + + --with-insults + Define this if you want to be insulted for typing an incorrect password + just like the original sudo(8). This is off by default. + Sudoers option: insults + + --with-insults=disabled + Include support for insults but disable them unless explicitly + enabled in sudoers. + Sudoers option: !insults + + --with-iologdir[=DIR] + By default, sudo stores I/O log files in either /var/log/sudo-io, + /var/adm/sudo-io, or /usr/log/sudo-io. If this option is specified, + I/O logs will be stored in the indicated directory instead. + Sudoers option: iolog_dir + + --with-lecture=no, --without-lecture + Don't print the lecture the first time a user runs sudo. + Sudoers option: !lecture + + --with-logfac=FACILITY + Determines which syslog facility to log to. This requires + a 4.3BSD or later version of syslog. You can still set + this for ancient syslogs but it will have no effect. The + following facilities are supported: authpriv (if your OS + supports it), auth, daemon, user, local0, local1, local2, + local3, local4, local5, local6, and local7. + Sudoers option: syslog + + --with-logging=TYPE + How you want to do your logging. You may choose "syslog", + "file", or "both". Setting this to "syslog" is nice because + you can keep all of your sudo logs in one place (see the + example syslog.conf file). The default is "syslog". + Sudoers options: syslog and logfile + + --with-loglen=NUMBER + Number of characters per line for the file log. This is only used if + you are to "file" or "both". This value is used to decide when to wrap + lines for nicer log files. The default is 80. Setting this to 0 + will disable the wrapping. + Sudoers options: loglinelen + + --with-logpath=PATH + Override the default location of the sudo log file and use + "path" instead. By default will use /var/log/sudo.log if + there is a /var/log dir, falling back to /var/adm/sudo.log + or /usr/adm/sudo.log if not. + Sudoers option: logfile + + --with-long-otp-prompt + When validating with a One Time Password scheme (S/Key or + OPIE), a two-line prompt is used to make it easier to cut + and paste the challenge to a local window. It's not as + pretty as the default but some people find it more convenient. + Sudoers option: long_otp_prompt + + --with-mail-if-no-user=no, --without-mail-if-no-user + Normally, sudo will mail to the "alertmail" user if the user invoking + sudo is not in the sudoers file. This option disables that behavior. + Sudoers option: mail_no_user + + --with-mail-if-no-host + Send mail to the "alermail" user if the user exists in the sudoers + file, but is not allowed to run commands on the current host. + Sudoers option: mail_no_host + + --with-mail-if-noperms + Send mail to the "alermail" user if the user is allowed to use sudo but + the command they are trying is not listed in their sudoers file entry. + Sudoers option: mail_no_perms + + --with-mailsubject="SUBJECT" + Subject of the mail sent to the "mailto" user. The token "%h" + will expand to the hostname of the machine. + The default value is "*** SECURITY information for %h ***". + Sudoers option: mailsub + + --with-mailto=USER|MAIL_ALIAS + User (or mail alias) that mail from sudo is sent to. + This should go to a sysadmin at your site. The default value is "root". + Sudoers option: mailto + + --with-passprompt="PROMPT" + Default prompt to use when asking for a password; can be overridden + via the -p option and the SUDO_PROMPT environment variable. Supports + the "%H", "%h", "%U", and "%u" escapes as documented in the sudo + manual page. The default value is "Password:". + Sudoers option: passprompt + + --with-password-timeout=NUMBER + Number of minutes before the sudo password prompt times out. + The default is 5, set this to 0 for no password timeout. + Sudoers option: passwd_timeout + + --with-passwd-tries=NUMBER + Number of tries a user gets to enter his/her password before sudo logs + the failure and exits. The default is 3. + Sudoers option: passwd_tries + + --with-runas-default=USER + The default user to run commands as if the -u flag is not specified + on the command line. This defaults to "root". + Sudoers option: runas_default + + --with-secure-path[=PATH] + Path used for every command run from sudo(8). If you don't trust + users to have a reasonable PATH environment variable you may want + to use this. Another use is if you want to have the "root path" + be separate from the "user path." You will need to customize the + path for your site. This is not applied to users in the group + specified by --with-exemptgroup. If you do not specify a path, + "/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc" is used. + Sudoers option: secure_path + + --with-sendmail=PATH + Override configure's guess as to the location of sendmail. + Sudoers option: mailerpath + + --with-sendmail=no, --without-sendmail + Do not use sendmail to mail messages to the "mailto" user. + Use only if you don't run sendmail or the equivalent. + Sudoers options: !mailerpath or !mailto + + --with-sudoers-mode=MODE + File mode for the sudoers file (octal). If you wish to + NFS-mount the sudoers file this must be group readable. + This value may overridden at run-time in the sudo.conf file. + The default mode is 0440. + + --with-sudoers-uid=UID + User id that "owns" the sudoers file. This is the numeric + id, **not** the symbolic name. This value may overridden + at run-time in the sudo.conf file. The default is 0. + + --with-sudoers-gid=GID + Group id that "owns" the sudoers file. This is the numeric + id, **not** the symbolic name. This value may overridden + at run-time in the sudo.conf file. The default is 0. + + --with-timeout=NUMBER + Number of minutes that can elapse before sudo will ask for a passwd + again. The default is 5, set it to 0 to always prompt for a password. + Sudoers option: timestamp_timeout + + --with-umask=MASK + Umask to use when running the root command. The default is 0022. + Sudoers option: umask + + --with-umask=no, --without-umask + Preserves the umask of the user invoking sudo. + Sudoers option: !umask + + --with-umask-override + Use the umask specified in sudoers even if it is less restrictive + than the user's. The default is to use the intersection of the + user's umask and the umask specified in sudoers. + Sudoers option: umask_override + +## OS dependent notes + +#### HP-UX + +The default C compiler shipped with HP-UX is not an ANSI compiler. +You must use either the HP ANSI C compiler or gcc to build sudo. +Binary packages of gcc are available from http://hpux.connect.org.uk/. + +To prevent PAM from overriding the value of umask on HP-UX 11, +you will need to add a line like the following to /etc/pam.conf: + + sudo session required libpam_hpsec.so.1 bypass_umask + +#### Linux + +PAM and LDAP headers are not installed by default on most Linux +systems. You will need to install the "pam-dev" (rpm) or libpam0g-dev +(deb) package if `/usr/include/security/pam_appl.h` is not present +on your system. If you wish to build with LDAP support you will +also need the "openldap-devel" (rpm) or "libldap2-dev" (deb) package. + +#### macOS + +The pseudo-tty support in the Darwin kernel has bugs related to +its handling of the SIGTSTP, SIGTTIN, and SIGTTOU signals. It does +not restart reads and writes when those signals are delivered. This +may cause problems for some commands when I/O logging is enabled. +The issue has been reported to Apple and is bug id #7952709. + +#### Solaris + +You need to have a C compiler in order to build sudo. Since Solaris +does not come with one by default this means that you either need +to either install the Solaris Studio compiler suite, available for +free from www.oracle.com, or install the GNU C compiler (gcc) which +is can be installed via the pkg utility on Solaris 11 and higher +and is distributed on the Solaris Companion CD for older Solaris +releases. You can also download gcc packages from +https://www.opencsw.org/packages/CSWgcc4core/. |