Installation instructions for Sudo 1.7
======================================

Sudo uses a `configure' script to probe the capabilities and type
of the system in question. In this release, `configure' takes many
more options than it did before. Please read this document fully
before configuring and building sudo. You may also wish to read the
file INSTALL.configure which explains more about the `configure' script.

Simple sudo installation
========================

For most systems and configurations it is possible simply to:

 0) If you are upgrading from a previous version of sudo
    please read the info in the UPGRADE file before proceeding.

 1) Read the `OS dependent notes' section for any particular
    "gotchas" relating to your operating system.

 2) `cd' to the source or build directory and type `./configure'
    to generate a Makefile and config.h file suitable for
    building sudo. Before you actually run configure you
    should read the `Available configure options' section
    to see if there are any special options you may want
    or need.

 3) Edit the configure-generated Makefile if you wish to
    change any of the default paths (alternatively, you could
    have changed the paths via options to `configure').

 5) Type `make' to compile sudo. If you are building sudo
    in a separate build tree (apart from the sudo source)
    GNU make will probably be required. If `configure' did
    its job properly (and you have a supported configuration)
    there won't be any problems. If this doesn't work, take
    a look at the files TROUBLESHOOTING and PORTING for tips
    on what might have gone wrong. Please mail us if you have a
    fix or if you are unable to come up with a fix (address at EOF).

 6) Type `make install' (as root) to install sudo, visudo, the
    man pages, and a skeleton sudoers file. Note that the install
    will not overwrite an existing sudoers file. You can also
    install various pieces of the package via the install-binaries,
    install-doc, and install-sudoers make targets.

 7) Edit the sudoers file with `visudo' as necessary for your
    site. You will probably want to refer to the sample.sudoers
    file and sudoers man page included with the sudo package.

 8) If you want to use syslogd(8) to do the logging, you'll need
    to update your /etc/syslog.conf file. See the sample.syslog.conf
    file included in the distribution for an example.

Available configure options
===========================

This section describes flags accepted by sudo's `configure' script.
Defaults are listed in brackets after the description.

Configuration:
  --cache-file=FILE
      Cache test results in FILE

  --config-cache, -C
      Alias for `--cache-file=config.cache'

  --help, -h
      Print the usage/help info

  --no-create, -n
      Do not create output files

  --quiet, --silent, -q
      Do not print `checking...' messages

Directory and file names:
  --prefix=PREFIX
      Install architecture-independent files in PREFIX. This really only
      applies to man pages. [/usr/local]

  --exec-prefix=EPREFIX
      Install architecture-dependent files in EPREFIX. This includes the
      sudo and visudo executables. [same as prefix]

  --bindir=DIR
      Install `sudo' in DIR [EPREFIX/bin]

  --sbindir=DIR
      Install `visudo' in DIR [EPREFIX/sbin]

  --sysconfdir=DIR
      Install `sudoers' file in DIR [/etc]

  --mandir=DIR
      Install man pages in DIR [PREFIX/man]

  --srcdir=DIR
      Find the sources in DIR [configure dir or ..]

Special features/options:
  --with-CC=PATH
      Specifies path to C compiler you wish to use.

  --with-incpath=DIR
      Adds the specified directory (or directories) to CPPFLAGS
      so configure and the compiler will look there for include
      files. Multiple directories may be specified as long as
      they are space separated.
      Eg: --with-incpath="/usr/local/include /opt/include"

  --with-libpath=DIR
      Adds the specified directory (or directories) to LDFLAGS
      so configure and the compiler will look there for libraries.
      Multiple directories may be specified as with --with-incpath.

  --with-rpath
      Tells configure to use -Rpath in addition to -Lpath when
      passing library paths to the loader. This option is on
      by default for Solaris and SVR4.

  --with-blibpath[=PATH]
      Tells configure to construct a -blibpath argument to the
      loader. If a PATH is specified, it will be used as the
      base. Otherwise, "/usr/lib:/lib:/usr/local/lib" will be
      used for gcc and "/usr/lib:/lib" for non-gcc. Additional
      library paths will be appended as needed by configure.
      This option is only valid for AIX where it is on by default.

  --with-libraries=LIBRARY
      Adds the specified library (or libraries) to SUDO_LIBS
      and VISUDO_LIBS so sudo will link against them. If the
      library doesn't start with `-l' or end in `.a' or `.o' a
      `-l' will be prepended to it. Multiple libraries may be
      specified as long as they are space separated.

  --with-efence
      Link with the "electric fence" debugging malloc.

  --with-bsm-audit
      Enable support for sudo BSM audit logs on systems that support
      it. Currently only supported under FreeBSD and Mac OS X.

  --with-linux-audit
      Enable audit support for Linux systems. Audits attempts
      to run a command as well as SELinux role changes.

  --with-csops
      Add CSOps standard options. You probably aren't interested in this.

  --with-skey[=DIR]
      Enable S/Key OTP (One Time Password) support. If specified,
      DIR should contain include and lib directories with skey.h
      and libskey.a respectively.

  --with-opie[=DIR]
      Enable NRL OPIE OTP (One Time Password) support. If specified,
      DIR should contain include and lib directories with opie.h
      and libopie.a respectively.

  --with-SecurID[=DIR]
      Enable SecurID support. If specified, DIR is the directory containing
      sdiclient.a, sdi_athd.h, sdconf.h, and sdacmvls.h.

  --with-fwtk[=DIR]
      Enable TIS Firewall Toolkit (FWTK) 'authsrv' support. If specified,
      DIR is the base directory containing the compiled FWTK package
      (or at least the library and header files).

  --with-kerb4[=DIR]
      Enable Kerberos IV support. If specified, DIR is the base
      directory containing the Kerberos IV include and lib dirs.
      This uses Kerberos passphrases for authentication but does
      not use the Kerberos cookie scheme.

  --with-kerb5[=DIR]
      Enable Kerberos V support. If specified, DIR is the base
      directory containing the Kerberos V include and lib dirs.
      This uses Kerberos passphrases for authentication but
      does not use the Kerberos cookie scheme. Will not work for
      Kerberos V older than version 1.1.

  --with-ldap[=DIR]
      Enable LDAP support. If specified, DIR is the base directory
      containing the LDAP include and lib directories. Please see
      README.LDAP for more information.

  --with-ldap-conf-file=PATH
      Path to LDAP configuration file. If specified, sudo reads
      this file instead of /etc/ldap.conf to locate the LDAP server.

  --with-ldap-secret-file=PATH
      Path to LDAP secret password file. If specified, sudo uses
      this file instead of /etc/ldap.secret to read the secret password
      when rootbinddn is specified in the ldap config file.

  --with-nsswitch[=PATH]
      Path to nsswitch.conf or "no" to disable nsswitch support.
      If specified, sudo uses this file instead of /etc/nsswitch.conf.
      If nsswitch is disabled but LDAP is enabled, sudo will check
      LDAP first, then the sudoers file.

  --with-netsvc[=PATH]
      Path to netsvc.conf or "no" to disable netsvc.conf support.
      If specified, sudo uses this file instead of /etc/netsvc.conf
      on AIX systems.

  --with-aixauth
      Enable support for the AIX 4.x general authentication function.
      This will use the authentication scheme specified for the user
      on the machine. It is on by default for AIX systems that
      support it.

  --with-pam
      Enable PAM support. This is on by default for Darwin, FreeBSD,
      Linux, Solaris and HP-UX (version 11 and higher).

      NOTE: on RedHat Linux and Fedora you *must* have an /etc/pam.d/sudo
      file installed. You may either use the sample.pam file included with
      sudo or use /etc/pam.d/su as a reference. The sample.pam file
      included with sudo may or may not work with other Linux distributions.
      On Solaris and HP-UX 11 systems you should check (and understand)
      the contents of /etc/pam.conf. Do a "man pam.conf" for more
      information and consider using the "debug" option, if available,
      with your PAM libraries in /etc/pam.conf to obtain syslog output
      for debugging purposes.

  --with-pam-login
      Enable a specific PAM session when sudo is given the -i option.
      This changes the PAM service name when sudo is run with the -i
      option from "sudo" to "sudo-i", allowing for a separate pam
      configuration for sudo's initial login mode.
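The PAM note above says a missing /etc/pam.d/sudo file is fatal on RedHat and Fedora, and --with-pam-login adds a second service name, "sudo-i", that needs its own file. The shell functions below are an added example, not part of sudo's INSTALL file or the sudo source: they check that a service file exists for each name sudo will use and that it contains at least one directive, so a fresh install can be verified before anyone depends on it. The function names, the pam.d directory argument and the sample file contents in the usage are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from sudo): verify that a PAM service file exists and
# has at least one directive for every service name sudo will use.
# Names are "sudo" and, when sudo was built --with-pam-login, "sudo-i".

# pam_service_ok PAMDIR SERVICE
# Returns 0 if PAMDIR/SERVICE exists and has a line that is neither blank
# nor a comment; prints the reason to stderr and returns 1 otherwise.
pam_service_ok() {
    dir="$1"; svc="$2"
    f="$dir/$svc"
    if [ ! -f "$f" ]; then
        printf 'missing PAM service file: %s\n' "$f" >&2
        return 1
    fi
    # Drop comment lines, then succeed if any non-blank line survives.
    if grep -v '^[[:space:]]*#' "$f" | grep -q '[^[:space:]]'; then
        return 0
    fi
    printf 'PAM service file has no directives: %s\n' "$f" >&2
    return 1
}

# check_sudo_pam PAMDIR PAM_LOGIN
# PAM_LOGIN is "yes" when sudo was configured --with-pam-login, so that the
# "sudo-i" service is required as well.  Returns 0 only if every required
# service file passes; all problems are reported before returning 1.
check_sudo_pam() {
    dir="$1"; pam_login="$2"
    services="sudo"
    if [ "$pam_login" = yes ]; then
        services="sudo sudo-i"
    fi
    rc=0
    for s in $services; do
        pam_service_ok "$dir" "$s" || rc=1
    done
    return $rc
}

# Usage: sh check_pam.sh /etc/pam.d [yes|no]   (second arg: built --with-pam-login?)
if [ -n "${1-}" ]; then
    check_sudo_pam "$1" "${2:-no}"
fi
```

Run it against the real pam.d directory after `make install`; a non-zero exit with a "missing PAM service file" line is the condition the NOTE warns about, and it appears before sudo's own "PAM authentication error" would.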

  --with-AFS
      Enable AFS support with Kerberos authentication. Should work under
      AFS 3.3. If your AFS doesn't have -laudit you should be able to
      link without it.

  --with-DCE
      Enable DCE support for systems without PAM. Known to work on
      HP-UX 9.X, 10.X, and 11.0; other systems may require source
      code and/or `configure' changes. On systems with PAM support
      (such as HP-UX 11.0 and higher, Solaris, FreeBSD and Linux), the
      DCE PAM module (usually libpam_dce) should be used instead.

  --with-logincap
      This adds support for login classes specified in /etc/login.conf.
      It is enabled by default on BSD/OS, Darwin, FreeBSD, OpenBSD and
      NetBSD (where available). By default, a login class is not applied
      unless the 'use_loginclass' option is defined in sudoers or the user
      specifies a class on the command line.

  --with-bsdauth
      Enable support for BSD authentication. This is the default
      for BSD/OS and OpenBSD systems that support it.
      It is not possible to mix BSD authentication with other
      authentication methods (and there really should be no need
      to do so). Note that only the newer BSD authentication API
      is supported. If you don't have /usr/include/bsd_auth.h
      then you cannot use this.

  --with-project
      Enable support for Solaris project resource limits.
      This option is only available on Solaris 9 and above.

  --with-noexec[=PATH]
      Enable support for the "noexec" functionality which prevents
      a dynamically-linked program being run by sudo from executing
      another program (think shell escapes). Please see the
      "PREVENTING SHELL ESCAPES" section in the sudoers man page
      for details. If specified, PATH should be a fully qualified
      path name, e.g. /usr/local/libexec/sudo_noexec.so. If PATH
      is "no", noexec support will not be compiled in. The default
      is to compile noexec support if libtool supports building
      shared objects on your OS.

  --disable-pam-session
      Disable sudo's PAM session support. This may be needed on
      older PAM implementations or on operating systems where
      opening a PAM session changes the utmp or wtmp files. If
      PAM session support is disabled, resource limits may not
      be updated for the command being run.

  --disable-root-mailer
      By default sudo will run the mailer as root when tattling
      on a user so as to prevent that user from killing the mailer.
      With this option, sudo will run the mailer as the invoking
      user which some people consider to be safer.

  --disable-setreuid
      Disable use of the setreuid() function for operating systems
      where it is broken. Mac OS X has setreuid() but it doesn't
      really work.

  --disable-setresuid
      Disable use of the setresuid() function for operating systems
      where it is broken (none currently known).

  --disable-sia
      Disable SIA support. This is the "Security Integration
      Architecture" on Digital UNIX. If you disable SIA sudo will
      use its own authentication routines.

  --disable-shadow
      Disable shadow password support. Normally, sudo will compile
      in shadow password support and use a shadow password if it
      exists.

  --with-sudoers-mode=MODE
      File mode for the sudoers file (octal). Note that if you
      wish to NFS-mount the sudoers file this must be group
      readable. Also note that this is actually set in the
      Makefile. The default mode is 0440.

  --with-sudoers-uid=UID
      User id that "owns" the sudoers file. Note that this is
      the numeric id, *not* the symbolic name. Also note that
      this is actually set in the Makefile. The default is 0.

  --with-sudoers-gid=GID
      Group id that "owns" the sudoers file. Note that this is
      the numeric id, *not* the symbolic name. Also note that
      this is actually set in the Makefile. The default is 0.
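Steps 6 and 7 of the installation above and the --with-sudoers-mode, --with-sudoers-uid and --with-sudoers-gid options together fix what an installed sudoers file should look like: mode 0440, owned by uid 0 and gid 0 unless you chose otherwise at configure time. The shell functions below are an added example, not code from the sudo distribution; they verify those three properties of a sudoers file against the configured values, which is the check worth running after `make install` or after any hand edit outside visudo. The function names and the fallback from GNU stat to BSD stat are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from sudo): check that an installed sudoers file has
# the mode and ownership selected with --with-sudoers-mode/-uid/-gid.

# file_mode_uid_gid PATH -> prints "MODE UID GID", mode in octal digits.
file_mode_uid_gid() {
    # GNU stat first; BSD/macOS stat as the fallback (assumption: one exists).
    stat -c '%a %u %g' "$1" 2>/dev/null || stat -f '%Lp %u %g' "$1"
}

# octal_eq A B -> true when two octal mode strings denote the same mode,
# so "440", "0440" and "00440" all compare equal.
octal_eq() {
    [ "$((0$1))" -eq "$((0$2))" ]
}

# check_sudoers_file PATH MODE UID GID
# Returns 0 when the file's mode, owner uid and group gid all match;
# reports every mismatch to stderr and returns 1 otherwise.
check_sudoers_file() {
    path="$1"; want_mode="$2"; want_uid="$3"; want_gid="$4"
    if [ ! -f "$path" ]; then
        printf '%s: not a regular file\n' "$path" >&2
        return 1
    fi
    set -- $(file_mode_uid_gid "$path")
    have_mode="$1"; have_uid="$2"; have_gid="$3"
    rc=0
    if ! octal_eq "$have_mode" "$want_mode"; then
        printf '%s: mode is %s, expected %s\n' "$path" "$have_mode" "$want_mode" >&2
        rc=1
    fi
    if [ "$have_uid" -ne "$want_uid" ]; then
        printf '%s: owner uid is %s, expected %s\n' "$path" "$have_uid" "$want_uid" >&2
        rc=1
    fi
    if [ "$have_gid" -ne "$want_gid" ]; then
        printf '%s: group gid is %s, expected %s\n' "$path" "$have_gid" "$want_gid" >&2
        rc=1
    fi
    return $rc
}

# Usage: sh check_sudoers.sh /etc/sudoers [MODE [UID [GID]]]
# Defaults are the INSTALL defaults: mode 0440, uid 0, gid 0.
if [ -n "${1-}" ]; then
    check_sudoers_file "$1" "${2:-0440}" "${3:-0}" "${4:-0}"
fi
```

A group-readable mode such as 0440 is compared numerically, so it does not matter whether the Makefile value was written with a leading zero. If you NFS-mount sudoers as the --with-sudoers-mode entry describes, pass the mode you actually configured rather than the default.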

  --without-interfaces
      This option keeps sudo from trying to glean the ip address
      from each attached ethernet interface. It is only useful
      on a machine where sudo's interface reading support does
      not work, which may be the case on some SysV-based OS's
      using STREAMS.

  --without-passwd
      This option excludes authentication via the passwd (or
      shadow) file. It should only be used when another, alternative,
      authentication scheme is in use.

  --with-otp-only
      This option is now just an alias for --without-passwd.

  --with-stow
      Properly handle GNU stow packaging. The sudoers file will
      physically live in ${prefix}/etc and /etc/sudoers will be
      a symbolic link.

  --with-selinux
      Enable support for role based access control (RBAC) on
      systems that support SELinux.

  --with-libvas=[NAME]
      Enable non-Unix group support using Quest Authentication
      Services. If NAME is specified, it should be the name of
      the shared library providing QAS support (libvas.so by default).

  --with-libvas-rpath=[PATH]
      The path to search when loading libvas.so (or an alternate
      name as specified by --with-libvas). This option only has
      an effect when --with-libvas is specified.

The following options are also configurable at runtime:

  --with-long-otp-prompt
      When validating with a One Time Password scheme (S/Key or
      OPIE), a two-line prompt is used to make it easier to cut
      and paste the challenge to a local window. It's not as
      pretty as the default but some people find it more convenient.

  --with-logging=TYPE
      How you want to do your logging. You may choose "syslog",
      "file", or "both". Setting this to "syslog" is nice because
      you can keep all of your sudo logs in one place (see the
      sample.syslog.conf file). The default is "syslog".

  --with-logfac=FACILITY
      Determines which syslog facility to log to. This requires
      a 4.3BSD or later version of syslog. You can still set
      this for ancient syslogs but it will have no effect. The
      following facilities are supported: authpriv (if your OS
      supports it), auth, daemon, user, local0, local1, local2,
      local3, local4, local5, local6, and local7.

  --with-goodpri=PRIORITY
      Determines which syslog priority to log successfully
      authenticated commands. The following priorities are
      supported: alert, crit, debug, emerg, err, info, notice,
      and warning.

  --with-badpri=PRIORITY
      Determines which syslog priority to log unauthenticated
      commands and errors. The following priorities are supported:
      alert, crit, debug, emerg, err, info, notice, and warning.

  --with-logpath=PATH
      Override the default location of the sudo log file and use
      "path" instead. By default will use /var/log/sudo.log if
      there is a /var/log dir, falling back to /var/adm/sudo.log
      or /usr/adm/sudo.log if not.

  --with-loglen=NUMBER
      Number of characters per line for the file log. This is only used if
      you are logging to "file" or "both". This value is used to decide when
      to wrap lines for nicer log files. The default is 80. Setting this to 0
      will disable the wrapping.

  --with-ignore-dot
      If set, sudo will ignore '.' or '' (current dir) in $PATH.
      The $PATH itself is not modified.

  --with-mailto=USER|MAIL_ALIAS
      User (or mail alias) that mail from sudo is sent to.
      This should go to a sysadmin at your site. The default is "root".

  --with-mailsubject="SUBJECT OF MAIL"
      Subject of the mail sent to the "mailto" user. The token "%h"
      will expand to the hostname of the machine.
      Default is "*** SECURITY information for %h ***".

  --without-mail-if-no-user
      Normally, sudo will mail to the "alertmail" user if the user invoking
      sudo is not in the sudoers file. This option disables that behavior.

  --with-mail-if-no-host
      Send mail to the "alertmail" user if the user exists in the sudoers
      file, but is not allowed to run commands on the current host.

  --with-mail-if-noperms
      Send mail to the "alertmail" user if the user is allowed to use sudo but
      the command they are trying is not listed in their sudoers file entry.

  --with-passprompt="PASSWORD PROMPT"
      Default prompt to use when asking for a password; can be overridden
      via the -p option and the SUDO_PROMPT environment variable. Supports
      the "%H", "%h", "%U" and "%u" escapes as documented in the sudo
      manual page. The default value is "Password:".

  --with-badpass-message="BAD PASSWORD MESSAGE"
      Message that is displayed if a user enters an incorrect password.
      The default is "Sorry, try again." unless insults are turned on.

  --with-fqdn
      Define this if you want to put fully qualified hostnames in the sudoers
      file. I.e., instead of myhost you would use myhost.mydomain.edu. You may
      still use the short form if you wish (and even mix the two). Beware
      that turning FQDN on requires sudo to make DNS lookups which may make
      sudo unusable if your DNS is totally hosed. Also note that you must
      use the host's official name as DNS knows it. That is, you may not use
      a host alias (CNAME entry) due to performance issues and the fact that
      there is no way to get all aliases from DNS.

  --with-timedir=PATH
      Override the default location of the sudo timestamp directory and
      use "path" instead.

  --with-sendmail=PATH
      Override configure's guess as to the location of sendmail.

  --without-sendmail
      Do not use sendmail to mail messages to the "mailto" user.
      Use only if you don't run sendmail or the equivalent.

  --with-umask=MASK
      Umask to use when running the root command. The default is 0022.

  --without-umask
      Preserves the umask of the user invoking sudo.

  --with-runas-default=USER
      The default user to run commands as if the -u flag is not specified
      on the command line. This defaults to "root".

  --with-exempt=GROUP
      Users in the specified group don't need to enter a password when
      running sudo. This may be useful for sites that don't want their
      "core" sysadmins to have to enter a password but where Jr. sysadmins
      need to. You should probably use NOPASSWD in sudoers instead.

  --with-passwd-tries=NUMBER
      Number of tries a user gets to enter his/her password before sudo logs
      the failure and exits. The default is 3.

  --with-timeout=NUMBER
      Number of minutes that can elapse before sudo will ask for a passwd
      again. The default is 5, set this to 0 to always prompt for a password.

  --with-password-timeout=NUMBER
      Number of minutes before the sudo password prompt times out.
      The default is 5, set this to 0 for no password timeout.

  --without-tty-tickets
      By default, sudo uses a different ticket file for each user/tty combo.
      With this option disabled, a single ticket will be used for all
      of a user's login sessions.

  --with-insults
      Define this if you want to be insulted for typing an incorrect password
      just like the original sudo(8). This is off by default.

  --with-insults=disabled
      Include support for insults but disable them unless explicitly
      enabled in sudoers.

  --with-all-insults
      Include all the insult sets listed below. You must either specify
      --with-insults or enable insults in the sudoers file for this to
      have any effect.

  --with-classic-insults
      Uses insults from sudo "classic." If you just specify --with-insults
      you will get the classic and CSOps insults. This is on by default if
      --with-insults is given.

  --with-csops-insults
      Insults the user with an extra set of insults (some quotes, some
      original) from a sysadmin group at CU (CSOps). You must specify
      --with-insults as well for this to have any effect. This is on by
      default if --with-insults is given.

  --with-hal-insults
      Uses 2001-like insults when an incorrect password is entered.
      You must either specify --with-insults or enable insults in the
      sudoers file for this to have any effect.

  --with-goons-insults
      Insults the user with lines from the "Goon Show" when an incorrect
      password is entered. You must either specify --with-insults or
      enable insults in the sudoers file for this to have any effect.

  --with-pc-insults
      Replace politically incorrect insults with less objectionable ones.

  --with-secure-path[=PATH]
      Path used for every command run from sudo(8). If you don't trust the
      people running sudo to have a sane PATH environment variable you may
      want to use this. Another use is if you want to have the "root path"
      be separate from the "user path." You will need to customize the path
      for your site. NOTE: this is not applied to users in the group
      specified by --with-exemptgroup. If you do not specify a path,
      "/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc" is used.
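The --with-ignore-dot and --with-secure-path entries above address the same hazard: a PATH entry that resolves relative to the current directory, which is "." or an empty entry (a leading, trailing or doubled colon). The shell functions below are an added example, not sudo's own code. One detects exactly the two forms the --with-ignore-dot entry names; the other produces a sanitized PATH and goes slightly beyond the page, dropping every non-absolute entry, since any relative entry resolves against the current directory in the same way. Function names are assumptions; the default secure path is the one quoted in the --with-secure-path entry.

```shell
#!/bin/sh
# Added example (not from sudo): detect and strip PATH entries that resolve
# relative to the current directory, the hazard that --with-ignore-dot and
# --with-secure-path exist to avoid.

# Default secure path, as quoted in the --with-secure-path entry of INSTALL.
SUDO_DEFAULT_SECURE_PATH="/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc"

# path_has_cwd PATHSTRING
# Returns 0 if the string contains "." or an empty entry (a leading,
# trailing or doubled colon all search the current directory), 1 otherwise.
path_has_cwd() {
    # Wrapping the value in colons turns every boundary case into one of
    # two patterns: "::" for an empty entry and ":.:" for a dot entry.
    case ":$1:" in
        *::*|*:.:*) return 0 ;;
    esac
    return 1
}

# strip_relative_path PATHSTRING
# Prints PATHSTRING with every entry that is not an absolute path removed:
# "", "." and any other relative entry.  Order of the survivors is kept.
strip_relative_path() {
    out=""
    rest="$1:"                  # trailing colon so the loop sees the last entry
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        case "$entry" in
            /*) out="${out:+$out:}$entry" ;;
            *)  ;;              # drop "", "." and relative entries
        esac
    done
    printf '%s\n' "$out"
}

# Usage: sh path_check.sh "$PATH"
if [ -n "${1-}" ]; then
    if path_has_cwd "$1"; then
        echo "PATH searches the current directory; sanitized form:"
    else
        echo "PATH has no current-directory entry; sanitized form:"
    fi
    strip_relative_path "$1"
fi
```

The first function is what --with-ignore-dot reacts to at runtime (sudo skips such entries without rewriting PATH); the second is the shape of a value you would hand to --with-secure-path, where every entry is absolute.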
538 |
||
539 |
--without-lecture |
|
540 |
Don't print the lecture the first time a user runs sudo. |
|
541 |
||
542 |
--with-editor=PATH |
|
1.1.1
by Thom May
Import upstream version 1.6.8p5 |
543 |
Specify the default editor path for use by visudo. This may be a |
1.4.5
by Bdale Garbee
Import upstream version 1.7.4p4 |
544 |
single path name or a colon-separated list of editors. In the latter |
1.1.1
by Thom May
Import upstream version 1.6.8p5 |
545 |
case, visudo will choose the editor that matches the user's VISUAL |
546 |
or EDITOR environment variables or the first editor in the list that |
|
547 |
exists. The default is the path to vi on your system. |
|
1
by Thom May
Import upstream version 1.6.7p5 |
548 |
|
549 |
--with-env-editor |
|
1.1.1
by Thom May
Import upstream version 1.6.8p5 |
550 |
Makes visudo consult the VISUAL and EDITOR environment variables before |
1
by Thom May
Import upstream version 1.6.7p5 |
551 |
falling back on the default editor list (as specified by --with-editor). |
552 |
Note that this may create a security hole as it allows the user to |
|
553 |
run any arbitrary command as root without logging. A safer alternative |
|
1.1.1
by Thom May
Import upstream version 1.6.8p5 |
554 |
is to use a colon-separated list of editors with the --with-editor |
555 |
option. visudo will then only use the VISUAL or EDITOR variables |
|
556 |
if they match a value specified via --with-editor. |
|
1
by Thom May
Import upstream version 1.6.7p5 |
557 |
|
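The editor-selection rules described under --with-editor and --with-env-editor, modelled in POSIX sh as an added example (this is not sudo's or visudo's own code). The list and the environment values are passed in as arguments so the two modes can be compared side by side; /nonexistent/vi and /tmp/not-in-list used below are constructed sample values.

```shell
#!/bin/sh
# Added example, not sudo's own code: models the editor selection that
# INSTALL describes for visudo built with --with-editor=LIST, where LIST is
# a colon-separated list of editor paths.
#
# choose_editor LIST VISUAL EDITOR
#   Restricted mode (no --with-env-editor): VISUAL, then EDITOR, is honoured
#   only if it is exactly one of the entries in LIST; otherwise the first
#   entry in LIST that exists on this system is used. Prints the chosen
#   editor path, or returns 1 if nothing in LIST exists.
choose_editor() {
    list=$1
    oldifs=$IFS
    IFS=:
    # First pass: the user's preference counts only when it is on the list.
    for candidate in "$2" "$3"; do
        [ -n "$candidate" ] || continue
        for allowed in $list; do
            if [ "$allowed" = "$candidate" ] && [ -x "$allowed" ]; then
                IFS=$oldifs
                printf '%s\n' "$allowed"
                return 0
            fi
        done
    done
    # Second pass: first list entry that exists.
    for allowed in $list; do
        if [ -x "$allowed" ]; then
            IFS=$oldifs
            printf '%s\n' "$allowed"
            return 0
        fi
    done
    IFS=$oldifs
    return 1
}

# choose_editor_env LIST VISUAL EDITOR
#   --with-env-editor mode: VISUAL or EDITOR is used as given, whatever it
#   names, and LIST is only a fallback. This is the behaviour INSTALL warns
#   about: the value comes from the invoking user's environment, so the
#   program visudo runs as root is chosen by that user.
choose_editor_env() {
    for candidate in "$2" "$3"; do
        if [ -n "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    choose_editor "$1" "" ""
}
```

With LIST=/nonexistent/vi:/bin/sh, choose_editor returns /bin/sh whether VISUAL is unset, /bin/sh, or a path outside the list; choose_editor_env returns whatever VISUAL names. The difference between the two functions is the whole of the security argument made above.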
--with-askpass=PATH
    Set PATH as the "askpass" program to use when no tty is
    available. Typically, this is a graphical password prompter,
    similar to the one used by ssh. The program must take a
    prompt as an argument and print the received password to
    the standard output.

--disable-authentication
    By default, sudo requires the user to authenticate via a
    password or similar means. This option causes sudo to
    *not* require authentication. It is possible to turn
    authentication back on in sudoers via the PASSWD attribute.

--disable-root-sudo
    Don't let root run sudo. This can be used to prevent people from
    "chaining" sudo commands to get a root shell by doing something
    like "sudo sudo /bin/sh".

--enable-gss-krb5-ccache-name
    Use the gss_krb5_ccache_name() function to set the Kerberos
    V credential cache file name. By default, sudo will use
    the KRB5CCNAME environment variable to set this. While
    gss_krb5_ccache_name() provides a better API to do this it
    is not supported by all Kerberos V and SASL combinations.

--enable-log-host
    Log the hostname in the log file.

--enable-noargs-shell
    If sudo is invoked with no arguments it acts as if the "-s" flag had
    been given. That is, it runs a shell as root (the shell is determined
    by the SHELL environment variable, falling back on the shell listed
    in the invoking user's /etc/passwd entry).

--enable-shell-sets-home
    If sudo is invoked with the "-s" flag the HOME environment variable
    will be set to the home directory of the target user (which is root
    unless the "-u" option is used). This option effectively makes the
    "-s" flag imply "-H".

--disable-path-info
    Normally, sudo will tell the user when a command could not be found
    in their $PATH. Some sites may wish to disable this as it could
    be used to gather information on the location of executables that
    the normal user does not have access to. The disadvantage is that
    if the executable is simply not in the user's path, sudo will tell
    the user that they are not allowed to run it, which can be confusing.

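The command lookup that --with-secure-path imposes, together with the two reporting behaviours described under --disable-path-info, modelled in POSIX sh as an added example (not sudo's own code). SECURE_PATH is the default list quoted under --with-secure-path; the diagnostic strings and the command name onlyinuserpath are illustrative and constructed, not sudo's exact wording.

```shell
#!/bin/sh
# Added example, not sudo's own code: models command lookup under
# --with-secure-path and the reporting difference made by --disable-path-info.
# SECURE_PATH is the default list quoted in INSTALL.
SECURE_PATH="/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc"

# find_in_secure_path NAME
#   Resolves NAME by walking SECURE_PATH only. The invoking user's PATH is
#   never consulted, so a directory the user prepends to PATH cannot
#   influence which executable is chosen. Prints the resolved path and
#   returns 0, or returns 1 when no directory in SECURE_PATH holds an
#   executable NAME.
find_in_secure_path() {
    name=$1
    case $name in
        */*)  # already a path: accept only if it is an executable file
            if [ -x "$name" ]; then printf '%s\n' "$name"; return 0; fi
            return 1 ;;
    esac
    oldifs=$IFS
    IFS=:
    for dir in $SECURE_PATH; do
        if [ -x "$dir/$name" ]; then
            IFS=$oldifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$oldifs
    return 1
}

# lookup_result NAME PATH_INFO
#   PATH_INFO=yes models the default: a missing command is reported as such.
#   PATH_INFO=no models --disable-path-info: the same generic refusal is
#   printed whether the command is missing or merely not permitted, so the
#   message no longer confirms what exists in directories the user cannot
#   list. (Message texts are illustrative, not sudo's exact wording.)
lookup_result() {
    if path=$(find_in_secure_path "$1"); then
        printf 'found %s\n' "$path"
    elif [ "$2" = yes ]; then
        printf '%s: command not found\n' "$1"
    else
        printf 'not allowed to run %s\n' "$1"
    fi
}
```

Placing an executable in a directory that is on the caller's PATH but not on SECURE_PATH leaves find_in_secure_path returning 1; only lookup_result's second argument decides whether that is reported as "not found" or as a generic refusal.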
--disable-iologdir
    Disable sudo's I/O logging support. This can be used to allow sudo
    to be compiled on systems without pseudo-tty support.

--enable-iologdir[=DIR]
    By default, sudo stores I/O log files in either /var/log/sudo-io,
    /var/adm/sudo-sudo-io or /usr/log/sudo-io. If DIR is
    specified, I/O logs will be stored in the indicated directory
    instead.

--enable-zlib[=DIR]
    Enable the use of the zlib compression library when storing
    I/O log files. If specified, DIR is the base directory
    containing the zlib include and lib directories. By default
    zlib is used if it is found on the system and I/O logging
    support is not disabled.

--disable-zlib
    Disable the use of the zlib compression library when storing
    I/O log files.

--enable-warnings
    Enable compiler warnings when building sudo with gcc.

--enable-admin-flag
    Enable the creation of an Ubuntu-style admin flag file
    the first time sudo is run.

Shadow password and C2 support
==============================

Shadow passwords (also included with most C2 security packages) are
supported on most major platforms for which they exist. The
`configure' script will attempt to determine if your system can use
shadow passwords and include support for them if so. Shadow password
support is now compiled in by default (it doesn't hurt anything if you
don't have them configured). To disable the shadow password support,
use the --disable-shadow option to configure.

Shadow passwords are known to work on the following platforms:

    SunOS 4.x
    Solaris 2.x
    HP-UX >= 9.x
    Ultrix 4.x
    Digital UNIX
    IRIX >= 5.x
    AIX >= 3.2.x
    Linux
    SCO >= 3.2.2
    Pyramid DC/OSx
    UnixWare
    SVR4 (and variants using standard SVR4 shadow passwords)
    4.4BSD based systems (including OpenBSD, NetBSD, FreeBSD, and Mac OS X)
    Systems using SecureWare's C2 security.

OS dependent notes
==================

Linux:
    PAM and LDAP headers are not installed by default on most Linux
    systems. You will need to install the "pam-dev" package if
    /usr/include/security/pam_appl.h is not present on your system.
    If you wish to build with LDAP support you will also need the
    openldap-devel package.

    Versions of glibc 2.x previous to 2.0.7 have a broken lsearch().
    You will need to either upgrade to glibc-2.0.7 or use sudo's
    version of lsearch(). To use sudo's lsearch(), comment out
    the "#define HAVE_LSEARCH 1" line in config.h and add lsearch.o
    to the LIBOBJS line in the Makefile.

    If you are using a Linux kernel older than 2.4 it is not possible
    to access the sudoers file via NFS. This is due to a bug in
    the Linux client-side NFS implementation that has since been
    fixed. There is a workaround on the sudo ftp site, linux_nfs.patch,
    if you need to NFS-mount sudoers on older Linux kernels.

Solaris 2.x:
    You need to have a C compiler in order to build sudo. Since
    Solaris 2.x does not come with one by default this means that
    you either need to install the Sun Studio compiler suite,
    available for free from www.sun.com, or have a copy of the GNU
    C compiler (gcc) which is distributed on the Solaris Companion
    CD. You can also get them from various places on the net,
    including http://www.sunfreeware.com/
    NOTE: sudo will *not* build with the Sun C compiler in BSD
    compatibility mode (/usr/ucb/cc). Sudo is designed to
    compile with the standard C compiler (or gcc) and will
    not build correctly with /usr/ucb/cc. You can use the
    `--with-CC' option to point `configure' to the non-ucb
    compiler if it is not the first cc in your path. Some
    sites link /usr/ucb/cc to gcc; configure will not notice
    this and still refuse to use /usr/ucb/cc, so make sure gcc
    is also in your path if your site is set up this way.
    Also: Older versions of Solaris come with a broken syslogd.
    If you are having problems with sudo logging you should
    make sure you have the latest syslogd patch installed.
    This is a problem for Solaris 2.4 and 2.5 at least.

Mac OS X:
    The pseudo-tty support in the Mac OS X kernel has bugs related
    to its handling of the SIGTSTP, SIGTTIN and SIGTTOU signals.
    It does not restart reads and writes when those signals are
    delivered. This may cause problems for some commands when I/O
    logging is enabled. The issue has been reported to Apple and
    is bug id #7952709.

HP-UX:
    The default C compiler shipped with HP-UX does not support
    creating position independent code and so is unable to support
    sudo's "noexec" functionality. You must use either the HP ANSI
    C compiler or gcc for noexec to work. Binary packages of gcc
    are available from http://hpux.connect.org.uk/.

    To prevent PAM from overriding the value of umask on HP-UX 11,
    you will need to add a line like the following to /etc/pam.conf:

        sudo session required libpam_hpsec.so.1 bypass_umask

Digital UNIX:
    By default, sudo will use SIA (Security Integration Architecture)
    to validate a user. If you want to use an alternative authentication
    method that does not go through SIA, you need to use the
    --disable-sia option to configure. If you use gcc to compile
    you will get warnings when building interfaces.c. These are
    harmless but if they really bug you, you can edit
    /usr/include/net/if.h around line 123, right after the comment:
        /* forward decls for C++ */
    change the line:
        #ifdef __cplusplus
    to:
        #if defined(__cplusplus) || defined(__GNUC__)
    If you don't like the idea of editing the system header file
    you can just make a copy in gcc's private include tree and
    edit that.

AIX 3.2.x:
    I've had various problems with the AIX C compiler producing
    incorrect code when the -O flag was used. When optimization
    is not used, the problems go away. Gcc does not appear
    to have this problem.

SCO ODT:
    You'll probably need libcrypt_i.a available via anonymous ftp
    from sosco.sco.com. The necessary files are /SLS/lng225b.Z
    and /SLS/lng225b.ltr.Z.

SunOS 4.x:
    The /bin/sh shipped with SunOS blows up while running configure.
    You can work around this by installing bash or zsh. If you
    have bash or zsh in your path, configure will use it instead
    automatically.

ULTRIX 4.x:
    The /bin/sh shipped with ULTRIX blows up while running configure.
    You can work around this by installing bash or zsh. If you
    have bash or zsh in your path, configure will use it instead
    automatically.

    ULTRIX ships with the 4.2BSD syslog(3) which does not
    allow things like logging different facilities to different
    files, redirecting logs to a single loghost and other niceties.
    You may want to just grab and install:
        ftp://www.sudo.ws/pub/sudo/misc/jtkohl-syslog-complete.tar.gz
    (available via anonymous ftp) which is a port of the 4.3BSD
    syslog/syslogd that is backwards compatible with the Ultrix version.
    I recommend it highly. If you do not do this you probably want
    to run configure with --with-logging=file