| Installation instructions for Sudo 1.7 |
| ====================================== |
| |
| Sudo uses a `configure' script to probe the capabilities and type |
| of the system in question. In this release, `configure' takes many |
| more options than it did before. Please read this document fully |
| before configuring and building sudo. You may also wish to read the |
| file INSTALL.configure which explains more about the `configure' script. |
| |
| Simple sudo installation |
| ======================== |
| |
| For most systems and configurations it is possible simply to: |
| |
| 0) If you are upgrading from a previous version of sudo |
| please read the info in the UPGRADE file before proceeding. |
| |
| 1) Read the `OS dependent notes' section for any particular |
| "gotchas" relating to your operating system. |
| |
| 2) `cd' to the source or build directory and type `./configure' |
| to generate a Makefile and config.h file suitable for |
| building sudo. Before you actually run configure you |
| should read the `Available configure options' section |
| to see if there are any special options you may want |
| or need. |
| |
| 3) Edit the configure-generated Makefile if you wish to |
| change any of the default paths (alternatively, you could |
| have changed the paths via options to `configure'. |
| |
| 5) Type `make' to compile sudo. If you are building sudo |
| in a separate build tree (apart from the sudo source) |
| GNU make will probably be required. If `configure' did |
| its job properly (and you have a supported configuration) |
| there won't be any problems. If this doesn't work, take |
| a look at the files TROUBLESHOOTING and PORTING for tips |
| on what might have gone wrong. Please mail us if you have a |
| fix or if you are unable to come up with a fix (address at EOF). |
| |
| 6) Type `make install' (as root) to install sudo, visudo, the |
| man pages, and a skeleton sudoers file. Note that the install |
| will not overwrite an existing sudoers file. You can also |
| install various pieces the package via the install-binaries, |
| install-doc, and install-sudoers make targets. |
| |
| 7) Edit the sudoers file with `visudo' as necessary for your |
| site. You will probably want to refer the sample.sudoers |
| file and sudoers man page included with the sudo package. |
| |
| 8) If you want to use syslogd(8) to do the logging, you'll need |
| to update your /etc/syslog.conf file. See the sample.syslog.conf |
| file included in the distribution for an example. |
| |
| Available configure options |
| =========================== |
| |
| This section describes flags accepted by the sudo's `configure' script. |
| Defaults are listed in brackets after the description. |
| |
| Configuration: |
| --cache-file=FILE |
| Cache test results in FILE |
| |
| --config-cache, -C |
| Alias for `--cache-file=config.cache' |
| |
| --help, -h |
| Print the usage/help info |
| |
| --no-create, -n |
| Do not create output files |
| |
| --quiet, --silent, -q |
| Do not print `checking...' messages |
| |
| Directory and file names: |
| --prefix=PREFIX |
| Install architecture-independent files in PREFIX This really only |
| applies to man pages. [/usr/local] |
| |
| --exec-prefix=EPREFIX |
| Install architecture-dependent files in EPREFIX This includes the |
| sudo and visudo executables. [same as prefix] |
| |
| --bindir=DIR |
| Install `sudo' in DIR [EPREFIX/bin] |
| |
| --sbindir=DIR |
| Install `visudo' in DIR [EPREFIX/sbin] |
| |
| --sysconfdir=DIR |
| Install `sudoers' file in DIR [/etc] |
| |
| --mandir=DIR |
| Install man pages in DIR [PREFIX/man] |
| |
| --srcdir=DIR |
| Find the sources in DIR [configure dir or ..] |
| |
| Special features/options: |
| --with-CC=PATH |
| Specifies path to C compiler you wish to use. |
| |
| --with-incpath=DIR |
| Adds the specified directory (or directories) to CPPFLAGS |
| so configure and the compiler will look there for include |
| files. Multiple directories may be specified as long as |
| they are space separated. |
| Eg: --with-incpath="/usr/local/include /opt/include" |
| |
| --with-libpath=DIR |
| Adds the specified directory (or directories) to LDFLAGS |
| so configure and the compiler will look there for libraries. |
| Multiple directories may be specified as with --with-incpath. |
| |
| --with-rpath |
| Tells configure to use -Rpath in addition to -Lpath when |
| passing library paths to the loader. This option is on |
| by default for Solaris and SVR4. |
| |
| --with-blibpath[=PATH] |
| Tells configure to construct a -blibpath argument to the |
| loader. If a PATH is specified, it will be used as the |
| base. Otherwise, "/usr/lib:/lib:/usr/local/lib" will be |
| used for gcc and "/usr/lib:/lib" for non-gcc. Additional |
| library paths will be appended as needed by configure. |
| This option is only valid for AIX where it is on by default. |
| |
| --with-libraries=LIBRARY |
| Adds the specified library (or libaries) to SUDO_LIBS and |
| and VISUDO_LIBS so sudo will link against them. If the |
| library doesn't start with `-l' or end in `.a' or `.o' a |
| `-l' will be prepended to it. Multiple libraries may be |
| specified as long as they are space separated. |
| |
| --with-efence |
| Link with the "electric fence" debugging malloc. |
| |
| --with-bsm-audit |
| Enable support for sudo BSM audit logs on systems that support |
| it. Currently only supported under FreeBSD and Mac OS X. |
| |
| --with-linux-audit |
| Enable audit support for Linux systems. Audits attempts |
| to run a command as well as SELinux role changes. |
| |
| --with-csops |
| Add CSOps standard options. You probably aren't interested in this. |
| |
| --with-skey[=DIR] |
| Enable S/Key OTP (One Time Password) support. If specified, |
| DIR should contain include and lib directories with skey.h |
| and libskey.a respectively. |
| |
| --with-opie[=DIR] |
| Enable NRL OPIE OTP (One Time Password) support. If specified, |
| DIR should contain include and lib directories with opie.h |
| and libopie.a respectively. |
| |
| --with-SecurID[=DIR] |
| Enable SecurID support. If specified, DIR is directory containing |
| sdiclient.a, sdi_athd.h, sdconf.h, and sdacmvls.h. |
| |
| --with-fwtk[=DIR] |
| Enable TIS Firewall Toolkit (FWTK) 'authsrv' support. If specified, |
| DIR is the base directory containing the compiled FWTK package |
| (or at least the library and header files). |
| |
| --with-kerb4[=DIR] |
| Enable Kerberos IV support. If specified, DIR is the base |
| directory containing the Kerberos IV include and lib dirs. |
| This uses Kerberos passphrases for authentication but does |
| not use the Kerberos cookie scheme. |
| |
| --with-kerb5[=DIR] |
| Enable Kerberos V support. If specified, DIR is the base |
| directory containing the Kerberos V include and lib dirs. |
| This This uses Kerberos passphrases for authentication but |
| does not use the Kerberos cookie scheme. Will not work for |
| Kerberos V older than version 1.1. |
| |
| --with-ldap[=DIR] |
| Enable LDAP support. If specified, DIR is the base directory |
| containing the LDAP include and lib directories. Please see |
| README.LDAP for more information. |
| |
| --with-ldap-conf-file=PATH |
| Path to LDAP configuration file. If specified, sudo reads |
| this file instead of /etc/ldap.conf to locate the LDAP server. |
| |
| --with-ldap-secret-file=PATH |
| Path to LDAP secret password file. If specified, sudo uses |
| this file instead of /etc/ldap.secret to read the secret password |
| when rootbinddn is specified in the ldap config file. |
| |
| --with-nsswitch[=PATH] |
| Path to nsswitch.conf or "no" to disable nsswitch support. |
| If specified, sudo uses this file instead of /etc/nsswitch.conf. |
| If nsswitch is disabled but LDAP is enabled, sudo will check |
| LDAP first, then the sudoers file. |
| |
| --with-netsvc[=PATH] |
| Path to netsvc.conf or "no" to disable netsvc.conf support. |
| If specified, sudo uses this file instead of /etc/netsvc.conf |
| on AIX systems. |
| |
| --with-aixauth |
| Enable support for the AIX 4.x general authentication function. |
| This will use the authentication scheme specified for the user |
| on the machine. It is on by default for AIX systems that |
| support it. |
| |
| --with-pam |
| Enable PAM support. This is on by default for Darwin, FreeBSD, |
| Linux, Solaris and HP-UX (version 11 and higher). |
| |
| NOTE: on RedHat Linux and Fedora you *must* have an /etc/pam.d/sudo |
| file install. You may either use the sample.pam file included with |
| sudo or use /etc/pam.d/su as a reference. The sample.pam file |
| included with sudo may or may not work with other Linux distributions. |
| On Solaris and HP-UX 11 systems you should check (and understand) |
| the contents of /etc/pam.conf. Do a "man pam.conf" for more |
| information and consider using the "debug" option, if available, |
| with your PAM libraries in /etc/pam.conf to obtain syslog output |
| for debugging purposes. |
| |
| --with-pam-login |
| Enable a specific PAM session when sudo is given the -i option. |
| This changes the PAM service name when sudo is run with the -i |
| option from "sudo" to "sudo-i", allowing for a separate pam |
| configuration for sudo's initial login mode. |
| |
| --with-AFS |
| Enable AFS support with Kerberos authentication. Should work under |
| AFS 3.3. If your AFS doesn't have -laudit you should be able to |
| link without it. |
| |
| --with-DCE |
| Enable DCE support for systems without PAM. Known to work on |
| HP-UX 9.X, 10.X, and 11.0; other systems may require source |
| code and/or `configure' changes. On systems with PAM support |
| (such as HP-UX 11.0 and higher, Solaris, FreeBSD and Linux), the |
| DCE PAM module (usually libpam_dce) should be used instead. |
| |
| --with-logincap |
| This adds support for login classes specified in /etc/login.conf. |
| It is enabled by default on BSD/OS, Darwin, FreeBSD, OpenBSD and |
| NetBSD (where available). By default, a login class is not applied |
| unless the 'use_loginclass' option is defined in sudoers or the user |
| specifies a class on the command line. |
| |
| --with-bsdauth |
| Enable support for BSD authentication. This is the default |
| for BSD/OS and OpenBSD systems that support it. |
| It is not possible to mix BSD authentication with other |
| authentication methods (and there really should be no need |
| to do so). Note that only the newer BSD authentication API |
| is supported. If you don't have /usr/include/bsd_auth.h |
| then you cannot use this. |
| |
| --with-project |
| Enable support for Solaris project resource limits. |
| This option is only available on Solaris 9 and above. |
| |
| --with-noexec[=PATH] |
| Enable support for the "noexec" functionality which prevents |
| a dynamically-linked program being run by sudo from executing |
| another program (think shell escapes). Please see the |
| "PREVENTING SHELL ESCAPES" section in the sudoers man page |
| for details. If specified, PATH should be a fully qualified |
| path name, e.g. /usr/local/libexec/sudo_noexec.so. If PATH |
| is "no", noexec support will not be compiled in. The default |
| is to compile noexec support if libtool supports building |
| shared objects on your OS. |
| |
| --disable-pam-session |
| Disable sudo's PAM session support. This may be needed on |
| older PAM implementations or on operating systems where |
| opening a PAM session changes the utmp or wtmp files. If |
| PAM session support is disabled, resource limits may not |
| be updatedin for command being run. |
| |
| --disable-root-mailer |
| By default sudo will run the mailer as root when tattling |
| on a user so as to prevent that user from killing the mailer. |
| With this option, sudo will run the mailer as the invoking |
| user which some people consider to be safer. |
| |
| --disable-setreuid |
| Disable use of the setreuid() function for operating systems |
| where it is broken. Mac OS X has setreuid() but it doesn't |
| really work. |
| |
| --disable-setresuid |
| Disable use of the setresuid() function for operating systems |
| where it is broken (none currently known). |
| |
| --disable-sia |
| Disable SIA support. This is the "Security Integration |
| Architecture" on Digital UNIX. If you disable SIA sudo will |
| use its own authentication routines. |
| |
| --disable-shadow |
| Disable shadow password support. Normally, sudo will compile |
| in shadow password support and use a shadow password if it |
| exists. |
| |
| --with-sudoers-mode=MODE |
| File mode for the sudoers file (octal). Note that if you |
| wish to NFS-mount the sudoers file this must be group |
| readable. Also note that this is actually set in the |
| Makefile. The default mode is 0440. |
| |
| --with-sudoers-uid=UID |
| User id that "owns" the sudoers file. Note that this is |
| the numeric id, *not* the symbolic name. Also note that |
| this is actually set in the Makefile. The default is 0. |
| |
| --with-sudoers-gid=GID |
| Group id that "owns" the sudoers file. Note that this is |
| the numeric id, *not* the symbolic name. Also note that |
| this is actually set in the Makefile. The default is 0. |
| |
| --without-interfaces |
| This option keeps sudo from trying to glean the ip address |
| from each attached ethernet interface. It is only useful |
| on a machine where sudo's interface reading support does |
| not work, which may be the case on some SysV-based OS's |
| using STREAMS. |
| |
| --without-passwd |
| This option excludes authentication via the passwd (or |
| shadow) file. It should only be used when another, alternative, |
| authentication scheme is in use. |
| |
| --with-otp-only |
| This option is now just an alias for --without-passwd. |
| |
| --with-stow |
| Properly handle GNU stow packaging. The sudoers file will |
| physically live in ${prefix}/etc and /etc/sudoers will be |
| a symbolic link. |
| |
| --with-selinux |
| Enable support for role based access control (RBAC) on |
| systems that support SELinux. |
| |
| --with-libvas=[NAME] |
| Enable non-Unix group support using Quest Authentication |
| Services. If NAME is specified, it should be the name of |
| the shared library providing QAS support (libvas.so by default). |
| |
| --with-libvas-rpath=[PATH] |
| The path to search when loading libvas.so (or an alternate |
| name as specified by --with-libvas). This option only has |
| an effect when --with-libvas is specified. |
| |
| The following options are also configurable at runtime: |
| |
| --with-long-otp-prompt |
| When validating with a One Time Password scheme (S/Key or |
| OPIE), a two-line prompt is used to make it easier to cut |
| and paste the challenge to a local window. It's not as |
| pretty as the default but some people find it more convenient. |
| |
| --with-logging=TYPE |
| How you want to do your logging. You may choose "syslog", |
| "file", or "both". Setting this to "syslog" is nice because |
| you can keep all of your sudo logs in one place (see the |
| sample.syslog.conf file). The default is "syslog". |
| |
| --with-logfac=FACILITY |
| Determines which syslog facility to log to. This requires |
| a 4.3BSD or later version of syslog. You can still set |
| this for ancient syslogs but it will have no effect. The |
| following facilities are supported: authpriv (if your OS |
| supports it), auth, daemon, user, local0, local1, local2, |
| local3, local4, local5, local6, and local7. |
| |
| --with-goodpri=PRIORITY |
| Determines which syslog priority to log successfully |
| authenticated commands. The following priorities are |
| supported: alert, crit, debug, emerg, err, info, notice, |
| and warning. |
| |
| --with-badpri=PRIORITY |
| Determines which syslog priority to log unauthenticated |
| commands and errors. The following priorities are supported: |
| alert, crit, debug, emerg, err, info, notice, and warning. |
| |
| --with-logpath=PATH |
| Override the default location of the sudo log file and use |
| "path" instead. By default will use /var/log/sudo.log if |
| there is a /var/log dir, falling back to /var/adm/sudo.log |
| or /usr/adm/sudo.log if not. |
| |
| --with-loglen=NUMBER |
| Number of characters per line for the file log. This is only used if |
| you are to "file" or "both". This value is used to decide when to wrap |
| lines for nicer log files. The default is 80. Setting this to 0 |
| will disable the wrapping. |
| |
| --with-ignore-dot |
| If set, sudo will ignore '.' or '' (current dir) in $PATH. |
| The $PATH itself is not modified. |
| |
| --with-mailto=USER|MAIL_ALIAS |
| User (or mail alias) that mail from sudo is sent to. |
| This should go to a sysadmin at your site. The default is "root". |
| |
| --with-mailsubject="SUBJECT OF MAIL" |
| Subject of the mail sent to the "mailto" user. The token "%h" |
| will expand to the hostname of the machine. |
| Default is "*** SECURITY information for %h ***". |
| |
| --without-mail-if-no-user |
| Normally, sudo will mail to the "alertmail" user if the user invoking |
| sudo is not in the sudoers file. This option disables that behavior. |
| |
| --with-mail-if-no-host |
| Send mail to the "alermail" user if the user exists in the sudoers |
| file, but is not allowed to run commands on the current host. |
| |
| --with-mail-if-noperms |
| Send mail to the "alermail" user if the user is allowed to use sudo but |
| the command they are trying is not listed in their sudoers file entry. |
| |
| --with-passprompt="PASSWORD PROMPT" |
| Default prompt to use when asking for a password; can be overridden |
| via the -p option and the SUDO_PROMPT environment variable. Supports |
| the "%H", "%h", "%U" and "%u" escapes as documented in the sudo |
| manual page. The default value is "Password:". |
| |
| --with-badpass-message="BAD PASSWORD MESSAGE" |
| Message that is displayed if a user enters an incorrect password. |
| The default is "Sorry, try again." unless insults are turned on. |
| |
| --with-fqdn |
| Define this if you want to put fully qualified hostnames in the sudoers |
| file. Ie: instead of myhost you would use myhost.mydomain.edu. You may |
| still use the short form if you wish (and even mix the two). Beware |
| that turning FQDN on requires sudo to make DNS lookups which may make |
| sudo unusable if your DNS is totally hosed. Also note that you must |
| use the host's official name as DNS knows it. That is, you may not use |
| a host alias (CNAME entry) due to performance issues and the fact that |
| there is no way to get all aliases from DNS. |
| |
| --with-timedir=PATH |
| Override the default location of the sudo timestamp directory and |
| use "path" instead. |
| |
| --with-sendmail=PATH |
| Override configure's guess as to the location of sendmail. |
| |
| --without-sendmail |
| Do not use sendmail to mail messages to the "mailto" user. |
| Use only if don't run sendmail or the equivalent. |
| |
| --with-umask=MASK |
| Umask to use when running the root command. The default is 0022. |
| |
| --without-umask |
| Preserves the umask of the user invoking sudo. |
| |
| --with-runas-default=USER |
| The default user to run commands as if the -u flag is not specified |
| on the command line. This defaults to "root". |
| |
| --with-exempt=GROUP |
| Users in the specified group don't need to enter a password when |
| running sudo. This may be useful for sites that don't want their |
| "core" sysadmins to have to enter a password but where Jr. sysadmins |
| need to. You should probably use NOPASSWD in sudoers instead. |
| |
| --with-passwd-tries=NUMBER |
| Number of tries a user gets to enter his/her password before sudo logs |
| the failure and exits. The default is 3. |
| |
| --with-timeout=NUMBER |
| Number of minutes that can elapse before sudo will ask for a passwd |
| again. The default is 5, set this to 0 to always prompt for a password. |
| |
| --with-password-timeout=NUMBER |
| Number of minutes before the sudo password prompt times out. |
| The default is 5, set this to 0 for no password timeout. |
| |
| --without-tty-tickets |
| By default, sudo uses a different ticket file for each user/tty combo. |
| With this option disabled, a single ticket will be used for all |
| of a user's login sessions. |
| |
| --with-insults |
| Define this if you want to be insulted for typing an incorrect password |
| just like the original sudo(8). This is off by default. |
| |
| --with-insults=disabled |
| Include support for insults but disable them unless explicitly |
| enabled in sudoers. |
| |
| --with-all-insults |
| Include all the insult sets listed below. You must either specify |
| --with-insults or enable insults in the sudoers file for this to |
| have any effect. |
| |
| --with-classic-insults |
| Uses insults from sudo "classic." If you just specify --with-insults |
| you will get the classic and CSOps insults. This is on by default if |
| --with-insults is given. |
| |
| --with-csops-insults |
| Insults the user with an extra set of insults (some quotes, some |
| original) from a sysadmin group at CU (CSOps). You must specify |
| --with-insults as well for this to have any effect. This is on by |
| default if --with-insults is given. |
| |
| --with-hal-insults |
| Uses 2001-like insults when an incorrect password is entered. |
| You must either specify --with-insults or enable insults in the |
| sudoers file for this to have any effect. |
| |
| --with-goons-insults |
| Insults the user with lines from the "Goon Show" when an incorrect |
| password is entered. You must either specify --with-insults or |
| enable insults in the sudoers file for this to have any effect. |
| |
| --with-pc-insults |
| Replace politically incorrect insults with less objectionable ones. |
| |
| --with-secure-path[=PATH] |
| Path used for every command run from sudo(8). If you don't trust the |
| people running sudo to have a sane PATH environment variable you may |
| want to use this. Another use is if you want to have the "root path" |
| be separate from the "user path." You will need to customize the path |
| for your site. NOTE: this is not applied to users in the group |
| specified by --with-exemptgroup. If you do not specify a path, |
| "/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc" is used. |
| |
| --without-lecture |
| Don't print the lecture the first time a user runs sudo. |
| |
| --with-editor=PATH |
| Specify the default editor path for use by visudo. This may be a |
| single path name or a colon-separated list of editors. In the latter |
| case, visudo will choose the editor that matches the user's VISUAL |
| or EDITOR environment variables or the first editor in the list that |
| exists. The default is the path to vi on your system. |
| |
| --with-env-editor |
| Makes visudo consult the VISUAL and EDITOR environment variables before |
| falling back on the default editor list (as specified by --with-editor). |
| Note that this may create a security hole as it allows the user to |
| run any arbitrary command as root without logging. A safer alternative |
| is to use a colon-separated list of editors with the --with-editor |
| option. visudo will then only use the VISUAL or EDITOR variables |
| if they match a value specified via --with-editor. |
| |
| --with-askpass=PATH |
| Set PATH as the "askpass" program to use when no tty is |
| available. Typically, this is a graphical password prompter, |
| similar to the one used by ssh. The program must take a |
| prompt as an argument and print the received password to |
| the standard output. |
| |
| --disable-authentication |
| By default, sudo requires the user to authenticate via a |
| password or similar means. This options causes sudo to |
| *not* require authentication. It is possible to turn |
| authentication back on in sudoers via the PASSWD attribute. |
| |
| --disable-root-sudo |
| Don't let root run sudo. This can be used to prevent people from |
| "chaining" sudo commands to get a root shell by doing something |
| like "sudo sudo /bin/sh". |
| |
| --enable-gss-krb5-ccache-name |
| Use the gss_krb5_ccache_name() function to set the Kerberos |
| V credential cache file name. By default, sudo will use |
| the KRB5CCNAME environment variable to set this. While |
| gss_krb5_ccache_name() provides a better API to do this it |
| is not supported by all Kerberos V and SASL combinations. |
| |
| --enable-log-host |
| Log the hostname in the log file. |
| |
| --enable-noargs-shell |
| If sudo is invoked with no arguments it acts as if the "-s" flag had |
| been given. That is, it runs a shell as root (the shell is determined |
| by the SHELL environment variable, falling back on the shell listed |
| in the invoking user's /etc/passwd entry). |
| |
| --enable-shell-sets-home |
| If sudo is invoked with the "-s" flag the HOME environment variable |
| will be set to the home directory of the target user (which is root |
| unless the "-u" option is used). This option effectively makes the |
| "-s" flag imply "-H". |
| |
| --disable-path-info |
| Normally, sudo will tell the user when a command could not be found |
| in their $PATH. Some sites may wish to disable this as it could |
| be used to gather information on the location of executables that |
| the normal user does not have access to. The disadvantage is that |
| if the executable is simply not in the user's path, sudo will tell |
| the user that they are not allowed to run it, which can be confusing. |
| |
| --disable-iologdir |
| Disable sudo's I/O logging support. This can be used to allow sudo |
| to be compiled on systems without pseudo-tty support. |
| |
| --enable-iologdir[=DIR] |
| By default, sudo stores I/O log files in either /var/log/sudo-io, |
| /var/adm/sudo-sudo-io or /usr/log/sudo-io. If DIR is |
| specified, I/O logs will be stored in the indicated directory |
| instead. |
| |
| --enable-zlib[=DIR] |
| Enable the use of the zlib compress library when storing |
| I/O log files. If specified, DIR is the base directory |
| containing the zlib include and lib directories. By default |
| zlib is used if it is found on the system and I/O logging |
| support is not disabled. |
| |
| --disable-zlib |
| Disable the use of the zlib compress library when storing |
| I/O log files. |
| |
| --enable-warnings |
| Enable compiler warnings when building sudo with gcc. |
| |
| --enable-admin-flag |
| Enable the creation of an Ubuntu-style admin flag file |
| the first time sudo is run. |
| |
| Shadow password and C2 support |
| ============================== |
| |
| Shadow passwords (also included with most C2 security packages) are |
| supported on most major platforms for which they exist. The |
| `configure' script will attempt to determine if your system can use |
| shadow passwords and include support for them if so. Shadow password |
| support is now compiled in by default (it doesn't hurt anything if you |
| don't have them configured). To disable the shadow password support, |
| use the --disable-shadow option to configure. |
| |
| Shadow passwords are known to work on the following platforms: |
| |
| SunOS 4.x |
| Solaris 2.x |
| HP-UX >= 9.x |
| Ultrix 4.x |
| Digital UNIX |
| IRIX >= 5.x |
| AIX >= 3.2.x |
| Linux |
| SCO >= 3.2.2 |
| Pyramid DC/OSx |
| UnixWare |
| SVR4 (and variants using standard SVR4 shadow passwords) |
| 4.4BSD based systems (including OpenBSD, NetBSD, FreeBSD, and Mac OS X) |
| Systems using SecureWare's C2 security. |
| |
| OS dependent notes |
| ================== |
| |
| Linux: |
| PAM and LDAP headers are not installed by default on most Linux |
| systems. You will need to install the "pam-dev" package if |
| /usr/include/security/pam_appl.h is not present on your system. |
| If you wish to build with LDAP support you will also need the |
| openldap-devel package. |
| |
| Versions of glibc 2.x previous to 2.0.7 have a broken lsearch(). |
| You will need to either upgrade to glibc-2.0.7 or use sudo's |
| version of lsearch(). To use sudo's lsearch(), comment out |
| the "#define HAVE_LSEARCH 1" line in config.h and add lsearch.o |
| to the LIBOBJS line in the Makefile. |
| |
| If you are using a Linux kernel older than 2.4 it is not possible |
| to access the sudoers file via NFS. This is due to a bug in |
| the Linux client-side NFS implementation that has since been |
| fixed. There is a workaround on the sudo ftp site, linux_nfs.patch, |
| if you need to NFS-mount sudoers on older Linux kernels. |
| |
| Solaris 2.x: |
| You need to have a C compiler in order to build sudo. Since |
| Solaris 2.x does not come with one by default this means that |
| you either need to install the Sun Studio compiler suite, |
| available for free from www.sun.com, or have a copy of the GNU |
| C compiler (gcc) which is distributed on the Solaris Companion |
| CD. You can also get them from various places on the net, |
| including http://www.sunfreeware.com/ |
| NOTE: sudo will *not* build with the sun C compiler in BSD |
| compatibility mode (/usr/ucb/cc). Sudo is designed to |
| compile with the standard C compiler (or gcc) and will |
| not build correctly with /usr/ucb/cc. You can use the |
| `--with-CC' option to point `configure' to the non-ucb |
| compiler if it is not the first cc in your path. Some |
| sites link /usr/ucb/cc to gcc; configure will not notice |
| this and still refuse to use /usr/ucb/cc, so make sure gcc |
| is also in your path if your site is setup this way. |
| Also: Older versions of Solaris come with a broken syslogd. |
| If you have having problems with sudo logging you should |
| make sure you have the latest syslogd patch installed. |
| This is a problem for Solaris 2.4 and 2.5 at least. |
| |
| Mac OS X: |
| The pseudo-tty support in the Mac OS X kernel has bugs related |
| to its handling of the SIGTSTP, SIGTTIN and SIGTTOU signals. |
| It does not restart reads and writes when those signals are |
| delivered. This may cause problems for some commands when I/O |
| logging is enabled. The issue has been reported to Apple and |
| is bug id #7952709. |
| |
| HP-UX: |
| The default C compiler shipped with HP-UX does not support |
| creating position independent code and so is unable to support |
| sudo's "noexec" functionality. You must use either the HP ANSI |
| C compiler or gcc for noexec to work. Binary packages of gcc |
| are available http://hpux.connect.org.uk/. |
| |
| To prevent PAM from overriding the value of umask on HP-UX 11, |
| you will need to add a line like the following to /etc/pam.conf: |
| |
| sudo session required libpam_hpsec.so.1 bypass_umask |
| |
| Digital UNIX: |
| By default, sudo will use SIA (Security Integration Architecture) |
| to validate a user. If you want to use an alternative authentication |
| method that does not go through SIA, you need to use the |
| --disable-sia option to configure. If you use gcc to compile |
| you will get warnings when building interfaces.c. These are |
| harmless but if they really bug you, you can edit |
| /usr/include/net/if.h around line 123, right after the comment: |
| /* forward decls for C++ */ |
| change the line: |
| #ifdef __cplusplus |
| to: |
| #if defined(__cplusplus) || defined(__GNUC__) |
| If you don't like the idea of editing the system header file |
| you can just make a copy in gcc's private include tree and |
| edit that. |
| |
| AIX 3.2.x: |
| I've had various problems with the AIX C compiler producing |
| incorrect code when the -O flag was used. When optimization |
| is not used, the problems go away. Gcc does not appear |
| to have this problem. |
| |
| SCO ODT: |
| You'll probably need libcrypt_i.a available via anonymous ftp |
| from sosco.sco.com. The necessary files are /SLS/lng225b.Z |
| and /SLS/lng225b.ltr.Z. |
| |
| SunOS 4.x: |
| The /bin/sh shipped with SunOS blows up while running configure. |
| You can work around this by installing bash or zsh. If you |
| have bash or zsh in your path, configure will use it instead |
| automatically. |
| |
| ULTRIX 4.x: |
| The /bin/sh shipped with ULTRIX blows up while running configure. |
| You can work around this by installing bash or zsh. If you |
| have bash or zsh in your path, configure will use it instead |
| automatically. |
| |
| ULTRIX ships with the 4.2BSD syslog(3) which does not |
| allow things like logging different facilities to different |
| files, redirecting logs to a single loghost and other niceties. |
| You may want to just grab and install: |
| ftp://www.sudo.ws/pub/sudo/misc/jtkohl-syslog-complete.tar.gz |
| (available via anonymous ftp) which is a port if the 4.3BSD |
| syslog/syslogd that is backwards compatible with the Ultrix version. |
| I recommend it highly. If you do not do this you probably want |
| to run configure with --with-logging=file |