Sudo installation instructions
==============================

Sudo uses a `configure' script to probe the capabilities and type
of the system in question.  In this release, `configure' takes many
more options than it did before.  Please read this document fully
before configuring and building sudo.  You may also wish to read the
file INSTALL.configure which explains more about the `configure' script.

Simple sudo installation
========================

For most systems and configurations it is possible simply to:

    0) If you are upgrading from a previous version of sudo
       please read the info in the UPGRADE file before proceeding.

    1) Read the `OS dependent notes' section for any particular
       "gotchas" relating to your operating system.

    2) `cd' to the source or build directory and type `./configure'
       to generate a Makefile and config.h file suitable for
       building sudo.  Before you actually run configure you
       should read the `Available configure options' section
       to see if there are any special options you may want
       or need.

    3) Edit the configure-generated Makefile if you wish to
       change any of the default paths (alternatively, you could
       have changed the paths via options to `configure').

    5) Type `make' to compile sudo.  If you are building sudo
       in a separate build tree (apart from the sudo source)
       GNU make will probably be required.  If `configure' did
       its job properly (and you have a supported configuration)
       there won't be any problems.  If this doesn't work, take
       a look at the files TROUBLESHOOTING and PORTING for tips
       on what might have gone wrong.  Please mail us if you have a
       fix or if you are unable to come up with a fix (address at EOF).

    6) Type `make install' (as root) to install sudo, visudo, the
       man pages, and a skeleton sudoers file.  Note that the install
       will not overwrite an existing sudoers file.
       You can also install various pieces of the package via the
       install-binaries, install-doc, and install-sudoers make targets.

    7) Edit the sudoers file with `visudo' as necessary for your
       site.  You will probably want to refer to the sample.sudoers
       file and sudoers man page included with the sudo package.

    8) If you want to use syslogd(8) to do the logging, you'll need
       to update your /etc/syslog.conf file.  See the sample.syslog.conf
       file included in the distribution for an example.

Available configure options
===========================

This section describes flags accepted by sudo's `configure' script.
Defaults are listed in brackets after the description.

Configuration:
  --cache-file=FILE
    Cache test results in FILE

  --config-cache, -C
    Alias for `--cache-file=config.cache'

  --help, -h
    Print the usage/help info

  --no-create, -n
    Do not create output files

  --quiet, --silent, -q
    Do not print `checking...' messages

Directory and file names:
  --prefix=PREFIX
    Install architecture-independent files in PREFIX.  This really only
    applies to man pages.  [/usr/local]

  --exec-prefix=EPREFIX
    Install architecture-dependent files in EPREFIX.  This includes the
    sudo and visudo executables.  [same as prefix]

  --bindir=DIR
    Install `sudo' in DIR [EPREFIX/bin]

  --sbindir=DIR
    Install `visudo' in DIR [EPREFIX/sbin]

  --sysconfdir=DIR
    Install `sudoers' file in DIR [/etc]

  --mandir=DIR
    Install man pages in DIR [PREFIX/man]

  --srcdir=DIR
    Find the sources in DIR [configure dir or ..]

Special features/options:
  --with-incpath=DIR
    Adds the specified directory (or directories) to CPPFLAGS
    so configure and the compiler will look there for include
    files.  Multiple directories may be specified as long as
    they are space separated.
    Eg: --with-incpath="/usr/local/include /opt/include"

  --with-libpath=DIR
    Adds the specified directory (or directories) to LDFLAGS
    so configure and the compiler will look there for libraries.
    Multiple directories may be specified as with --with-incpath.

  --with-rpath
    Tells configure to use -Rpath in addition to -Lpath when
    passing library paths to the loader.  This option is on
    by default for Solaris and SVR4.

  --with-blibpath[=PATH]
    Tells configure to construct a -blibpath argument to the
    loader.  If a PATH is specified, it will be used as the
    base.  Otherwise, "/usr/lib:/lib:/usr/local/lib" will be
    used for gcc and "/usr/lib:/lib" for non-gcc.  Additional
    library paths will be appended as needed by configure.
    This option is only valid for AIX where it is on by default.

  --with-libraries=LIBRARY
    Adds the specified library (or libraries) to SUDO_LIBS and
    VISUDO_LIBS so sudo will link against them.  If the
    library doesn't start with `-l' or end in `.a' or `.o' a
    `-l' will be prepended to it.  Multiple libraries may be
    specified as long as they are space separated.

  --with-efence
    Link with the "electric fence" debugging malloc.

  --with-bsm-audit
    Enable support for sudo BSM audit logs on systems that support
    it.  Currently only supported under FreeBSD and Mac OS X.

  --with-linux-audit
    Enable audit support for Linux systems.  Audits attempts
    to run a command as well as SELinux role changes.

  --with-csops
    Add CSOps standard options.  You probably aren't interested in this.

  --with-skey[=DIR]
    Enable S/Key OTP (One Time Password) support.  If specified,
    DIR should contain include and lib directories with skey.h
    and libskey.a respectively.

  --with-opie[=DIR]
    Enable NRL OPIE OTP (One Time Password) support.
    If specified, DIR should contain include and lib directories
    with opie.h and libopie.a respectively.

  --with-SecurID[=DIR]
    Enable SecurID support.  If specified, DIR is the directory containing
    sdiclient.a, sdi_athd.h, sdconf.h, and sdacmvls.h.

  --with-fwtk[=DIR]
    Enable TIS Firewall Toolkit (FWTK) 'authsrv' support.  If specified,
    DIR is the base directory containing the compiled FWTK package
    (or at least the library and header files).

  --with-kerb4[=DIR]
    Enable Kerberos IV support.  If specified, DIR is the base
    directory containing the Kerberos IV include and lib dirs.
    This uses Kerberos passphrases for authentication but does
    not use the Kerberos cookie scheme.

  --with-kerb5[=DIR]
    Enable Kerberos V support.  If specified, DIR is the base
    directory containing the Kerberos V include and lib dirs.
    This uses Kerberos passphrases for authentication but
    does not use the Kerberos cookie scheme.  Will not work for
    Kerberos V older than version 1.1.

  --with-ldap[=DIR]
    Enable LDAP support.  If specified, DIR is the base directory
    containing the LDAP include and lib directories.  Please see
    README.LDAP for more information.

  --with-ldap-conf-file=PATH
    Path to LDAP configuration file.  If specified, sudo reads
    this file instead of /etc/ldap.conf to locate the LDAP server.

  --with-ldap-secret-file=PATH
    Path to LDAP secret password file.  If specified, sudo uses
    this file instead of /etc/ldap.secret to read the secret password
    when rootbinddn is specified in the ldap config file.

  --with-nsswitch[=PATH]
    Path to nsswitch.conf or "no" to disable nsswitch support.
    If specified, sudo uses this file instead of /etc/nsswitch.conf.
    If nsswitch is disabled but LDAP is enabled, sudo will check
    LDAP first, then the sudoers file.

  --with-netsvc[=PATH]
    Path to netsvc.conf or "no" to disable netsvc.conf support.
    If specified, sudo uses this file instead of /etc/netsvc.conf
    on AIX systems.

  --with-aixauth
    Enable support for the AIX 4.x general authentication function.
    This will use the authentication scheme specified for the user
    on the machine.  It is on by default for AIX systems that
    support it.

  --with-pam
    Enable PAM support.  This is on by default for Darwin, FreeBSD,
    Linux, Solaris and HP-UX (version 11 and higher).

    NOTE: on RedHat Linux and Fedora you *must* have an /etc/pam.d/sudo
    file installed.  You may either use the sample.pam file included with
    sudo or use /etc/pam.d/su as a reference.  The sample.pam file
    included with sudo may or may not work with other Linux distributions.
    On Solaris and HP-UX 11 systems you should check (and understand)
    the contents of /etc/pam.conf.  Do a "man pam.conf" for more
    information and consider using the "debug" option, if available,
    with your PAM libraries in /etc/pam.conf to obtain syslog output
    for debugging purposes.

  --with-pam-login
    Enable a specific PAM session when sudo is given the -i option.
    This changes the PAM service name when sudo is run with the -i
    option from "sudo" to "sudo-i", allowing for a separate pam
    configuration for sudo's initial login mode.

  --with-AFS
    Enable AFS support with Kerberos authentication.  Should work under
    AFS 3.3.  If your AFS doesn't have -laudit you should be able to
    link without it.

  --with-DCE
    Enable DCE support for systems without PAM.  Known to work on
    HP-UX 9.X, 10.X, and 11.0; other systems may require source
    code and/or `configure' changes.  On systems with PAM support
    (such as HP-UX 11.0 and higher, Solaris, FreeBSD and Linux), the
    DCE PAM module (usually libpam_dce) should be used instead.

  --with-logincap
    This adds support for login classes specified in /etc/login.conf.
    It is enabled by default on BSD/OS, Darwin, FreeBSD, OpenBSD and
    NetBSD (where available).  By default, a login class is not applied
    unless the 'use_loginclass' option is defined in sudoers or the user
    specifies a class on the command line.

  --with-bsdauth
    Enable support for BSD authentication.  This is the default
    for BSD/OS and OpenBSD systems that support it.
    It is not possible to mix BSD authentication with other
    authentication methods (and there really should be no need
    to do so).  Note that only the newer BSD authentication API
    is supported.  If you don't have /usr/include/bsd_auth.h
    then you cannot use this.

  --with-project
    Enable support for Solaris project resource limits.
    This option is only available on Solaris 9 and above.

  --with-noexec[=PATH]
    Enable support for the "noexec" functionality which prevents
    a dynamically-linked program being run by sudo from executing
    another program (think shell escapes).  Please see the
    "PREVENTING SHELL ESCAPES" section in the sudoers man page
    for details.  If specified, PATH should be a fully qualified
    path name, e.g. /usr/local/libexec/sudo_noexec.so.  If PATH
    is "no", noexec support will not be compiled in.  The default
    is to compile noexec support if libtool supports building
    shared objects on your OS.

  --disable-pam-session
    Disable sudo's PAM session support.  This may be needed on
    older PAM implementations or on operating systems where
    opening a PAM session changes the utmp or wtmp files.  If
    PAM session support is disabled, resource limits may not
    be updated for the command being run.

  --disable-root-mailer
    By default sudo will run the mailer as root when tattling
    on a user so as to prevent that user from killing the mailer.
    With this option, sudo will run the mailer as the invoking
    user which some people consider to be safer.

  --disable-setreuid
    Disable use of the setreuid() function for operating systems
    where it is broken.  Mac OS X has setreuid() but it doesn't
    really work.

  --disable-setresuid
    Disable use of the setresuid() function for operating systems
    where it is broken (none currently known).

  --disable-sia
    Disable SIA support.  This is the "Security Integration
    Architecture" on Digital UNIX.  If you disable SIA sudo will
    use its own authentication routines.

  --disable-shadow
    Disable shadow password support.  Normally, sudo will compile
    in shadow password support and use a shadow password if it
    exists.

  --with-sudoers-mode=MODE
    File mode for the sudoers file (octal).  Note that if you
    wish to NFS-mount the sudoers file this must be group
    readable.  Also note that this is actually set in the
    Makefile.  The default mode is 0440.

  --with-sudoers-uid=UID
    User id that "owns" the sudoers file.  Note that this is
    the numeric id, *not* the symbolic name.  Also note that
    this is actually set in the Makefile.  The default is 0.

  --with-sudoers-gid=GID
    Group id that "owns" the sudoers file.  Note that this is
    the numeric id, *not* the symbolic name.  Also note that
    this is actually set in the Makefile.  The default is 0.

  --without-interfaces
    This option keeps sudo from trying to glean the ip address
    from each attached ethernet interface.  It is only useful
    on a machine where sudo's interface reading support does
    not work, which may be the case on some SysV-based OS's
    using STREAMS.

  --without-passwd
    This option excludes authentication via the passwd (or
    shadow) file.  It should only be used when another, alternative,
    authentication scheme is in use.

  --with-otp-only
    This option is now just an alias for --without-passwd.
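The --with-sudoers-mode, --with-sudoers-uid and --with-sudoers-gid values above end up in the Makefile, so a post-install check is the easiest way to confirm the installed file actually got them.  The following is an added example, not part of the sudo distribution; it assumes a GNU or BSD stat(1) and takes the expected mode/uid/gid as arguments (defaulting to 0440, 0, 0).

```shell
#!/bin/sh
# Added example (not sudo's own code): verify that an installed sudoers
# file carries the mode, owner and group that configure's
# --with-sudoers-mode/--with-sudoers-uid/--with-sudoers-gid options were
# given, and flag any file that is readable or writable by "other".
# Assumes GNU stat (-c) or BSD stat (-f).

# Permission bits of FILE in octal, GNU stat first, BSD stat as fallback.
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_uid()  { stat -c '%u' "$1" 2>/dev/null || stat -f '%u'  "$1"; }
file_gid()  { stat -c '%g' "$1" 2>/dev/null || stat -f '%g'  "$1"; }

# Normalise "440", "0440" or "00440" to four octal digits so the comparison
# does not depend on how the value was written on the configure line.
norm_mode() {
    printf '%04o' "$((0$1))"
}

# check_sudoers FILE [MODE] [UID] [GID]
# Returns 0 when FILE matches the expected values and is not accessible to
# "other"; otherwise prints each mismatch and returns 1.
check_sudoers() {
    file=$1
    want_mode=$(norm_mode "${2:-0440}")
    want_uid=${3:-0}
    want_gid=${4:-0}
    rc=0

    if [ ! -f "$file" ]; then
        echo "$file: missing"
        return 1
    fi
    have_mode=$(norm_mode "$(file_mode "$file")")
    have_uid=$(file_uid "$file")
    have_gid=$(file_gid "$file")

    [ "$have_mode" = "$want_mode" ] ||
        { echo "$file: mode $have_mode, expected $want_mode"; rc=1; }
    [ "$have_uid" = "$want_uid" ] ||
        { echo "$file: uid $have_uid, expected $want_uid"; rc=1; }
    [ "$have_gid" = "$want_gid" ] ||
        { echo "$file: gid $have_gid, expected $want_gid"; rc=1; }

    # Whatever was configured (group-readable is fine, and required for an
    # NFS-mounted sudoers), the "other" bits must be clear.
    case "$have_mode" in
        ???0) ;;
        *) echo "$file: accessible to other (mode $have_mode)"; rc=1 ;;
    esac
    return $rc
}
```

Run it as `check_sudoers /etc/sudoers 0440 0 0` after `make install`; a non-zero exit with the printed mismatch tells you which Makefile value did not take effect.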

  --with-selinux
    Enable support for role based access control (RBAC) on
    systems that support SELinux.

  --with-libvas=[NAME]
    Enable non-Unix group support using Quest Authentication
    Services.  If NAME is specified, it should be the name of
    the shared library providing QAS support (libvas.so by default).

  --with-libvas-rpath=[PATH]
    The path to search when loading libvas.so (or an alternate
    name as specified by --with-libvas).  This option only has
    an effect when --with-libvas is specified.

  --with-man
    Use the "man" macros for manual pages.  By default, mdoc
    versions of the manuals are installed.  This can be used
    to override configure's test for "nroff -mdoc" support.

  --with-mdoc
    Use the "mdoc" macros for manual pages.  By default, mdoc
    versions of the manuals are installed.  This can be used
    to override configure's test for "nroff -mdoc" support.

The following options are also configurable at runtime:

  --with-long-otp-prompt
    When validating with a One Time Password scheme (S/Key or
    OPIE), a two-line prompt is used to make it easier to cut
    and paste the challenge to a local window.  It's not as
    pretty as the default but some people find it more convenient.

  --with-logging=TYPE
    How you want to do your logging.  You may choose "syslog",
    "file", or "both".  Setting this to "syslog" is nice because
    you can keep all of your sudo logs in one place (see the
    sample.syslog.conf file).  The default is "syslog".

  --with-logfac=FACILITY
    Determines which syslog facility to log to.  This requires
    a 4.3BSD or later version of syslog.  You can still set
    this for ancient syslogs but it will have no effect.  The
    following facilities are supported: authpriv (if your OS
    supports it), auth, daemon, user, local0, local1, local2,
    local3, local4, local5, local6, and local7.

  --with-goodpri=PRIORITY
    Determines which syslog priority to log successfully
    authenticated commands.  The following priorities are
    supported: alert, crit, debug, emerg, err, info, notice,
    and warning.

  --with-badpri=PRIORITY
    Determines which syslog priority to log unauthenticated
    commands and errors.  The following priorities are supported:
    alert, crit, debug, emerg, err, info, notice, and warning.

  --with-logpath=PATH
    Override the default location of the sudo log file and use
    "path" instead.  By default sudo will use /var/log/sudo.log if
    there is a /var/log dir, falling back to /var/adm/sudo.log
    or /usr/adm/sudo.log if not.

  --with-loglen=NUMBER
    Number of characters per line for the file log.  This is only used if
    you are logging to "file" or "both".  This value is used to decide
    when to wrap lines for nicer log files.  The default is 80.  Setting
    this to 0 will disable the wrapping.

  --with-ignore-dot
    If set, sudo will ignore '.' or '' (current dir) in $PATH.
    The $PATH itself is not modified.

  --with-mailto=USER|MAIL_ALIAS
    User (or mail alias) that mail from sudo is sent to.
    This should go to a sysadmin at your site.  The default is "root".

  --with-mailsubject="SUBJECT OF MAIL"
    Subject of the mail sent to the "mailto" user.  The token "%h"
    will expand to the hostname of the machine.
    Default is "*** SECURITY information for %h ***".

  --without-mail-if-no-user
    Normally, sudo will mail to the "alertmail" user if the user invoking
    sudo is not in the sudoers file.  This option disables that behavior.

  --with-mail-if-no-host
    Send mail to the "alertmail" user if the user exists in the sudoers
    file, but is not allowed to run commands on the current host.

  --with-mail-if-noperms
    Send mail to the "alertmail" user if the user is allowed to use sudo but
    the command they are trying is not listed in their sudoers file entry.

  --with-passprompt="PASSWORD PROMPT"
    Default prompt to use when asking for a password; can be overridden
    via the -p option and the SUDO_PROMPT environment variable.  Supports
    the "%H", "%h", "%U" and "%u" escapes as documented in the sudo
    manual page.  The default value is "Password:".

  --with-badpass-message="BAD PASSWORD MESSAGE"
    Message that is displayed if a user enters an incorrect password.
    The default is "Sorry, try again." unless insults are turned on.

  --with-fqdn
    Define this if you want to put fully qualified hostnames in the sudoers
    file.  Ie: instead of myhost you would use myhost.mydomain.edu.  You may
    still use the short form if you wish (and even mix the two).  Beware
    that turning FQDN on requires sudo to make DNS lookups which may make
    sudo unusable if your DNS is totally hosed.  Also note that you must
    use the host's official name as DNS knows it.  That is, you may not use
    a host alias (CNAME entry) due to performance issues and the fact that
    there is no way to get all aliases from DNS.

  --with-timedir=PATH
    Override the default location of the sudo timestamp directory and
    use "path" instead.

  --with-sendmail=PATH
    Override configure's guess as to the location of sendmail.

  --without-sendmail
    Do not use sendmail to mail messages to the "mailto" user.
    Use only if you don't run sendmail or the equivalent.

  --with-umask=MASK
    Umask to use when running the root command.  The default is 0022.

  --without-umask
    Preserves the umask of the user invoking sudo.

  --with-umask-override
    Use the umask specified in sudoers even if it is less restrictive
    than the user's.
    The default is to use the intersection of the
    user's umask and the umask specified in sudoers.

  --with-runas-default=USER
    The default user to run commands as if the -u flag is not specified
    on the command line.  This defaults to "root".

  --with-exempt=GROUP
    Users in the specified group don't need to enter a password when
    running sudo.  This may be useful for sites that don't want their
    "core" sysadmins to have to enter a password but where Jr. sysadmins
    need to.  You should probably use NOPASSWD in sudoers instead.

  --with-passwd-tries=NUMBER
    Number of tries a user gets to enter his/her password before sudo logs
    the failure and exits.  The default is 3.

  --with-timeout=NUMBER
    Number of minutes that can elapse before sudo will ask for a passwd
    again.  The default is 5, set this to 0 to always prompt for a password.

  --with-password-timeout=NUMBER
    Number of minutes before the sudo password prompt times out.
    The default is 5, set this to 0 for no password timeout.

  --without-tty-tickets
    By default, sudo uses a different ticket file for each user/tty combo.
    With this option disabled, a single ticket will be used for all
    of a user's login sessions.

  --with-insults
    Define this if you want to be insulted for typing an incorrect password
    just like the original sudo(8).  This is off by default.

  --with-insults=disabled
    Include support for insults but disable them unless explicitly
    enabled in sudoers.

  --with-all-insults
    Include all the insult sets listed below.  You must either specify
    --with-insults or enable insults in the sudoers file for this to
    have any effect.

  --with-classic-insults
    Uses insults from sudo "classic."  If you just specify --with-insults
    you will get the classic and CSOps insults.  This is on by default if
    --with-insults is given.

  --with-csops-insults
    Insults the user with an extra set of insults (some quotes, some
    original) from a sysadmin group at CU (CSOps).  You must specify
    --with-insults as well for this to have any effect.  This is on by
    default if --with-insults is given.

  --with-hal-insults
    Uses 2001-like insults when an incorrect password is entered.
    You must either specify --with-insults or enable insults in the
    sudoers file for this to have any effect.

  --with-goons-insults
    Insults the user with lines from the "Goon Show" when an incorrect
    password is entered.  You must either specify --with-insults or
    enable insults in the sudoers file for this to have any effect.

  --with-pc-insults
    Replace politically incorrect insults with less objectionable ones.

  --with-secure-path[=PATH]
    Path used for every command run from sudo(8).  If you don't trust the
    people running sudo to have a sane PATH environment variable you may
    want to use this.  Another use is if you want to have the "root path"
    be separate from the "user path."  You will need to customize the path
    for your site.  NOTE: this is not applied to users in the group
    specified by --with-exempt.  If you do not specify a path,
    "/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc" is used.

  --without-lecture
    Don't print the lecture the first time a user runs sudo.

  --with-editor=PATH
    Specify the default editor path for use by visudo.  This may be a
    single path name or a colon-separated list of editors.  In the latter
    case, visudo will choose the editor that matches the user's VISUAL
    or EDITOR environment variables or the first editor in the list that
    exists.  The default is the path to vi on your system.

  --with-env-editor
    Makes visudo consult the VISUAL and EDITOR environment variables before
    falling back on the default editor list (as specified by --with-editor).
    Note that this may create a security hole as it allows the user to
    run any arbitrary command as root without logging.  A safer alternative
    is to use a colon-separated list of editors with the --with-editor
    option.  visudo will then only use the VISUAL or EDITOR variables
    if they match a value specified via --with-editor.

  --with-askpass=PATH
    Set PATH as the "askpass" program to use when no tty is
    available.  Typically, this is a graphical password prompter,
    similar to the one used by ssh.  The program must take a
    prompt as an argument and print the received password to
    the standard output.

  --without-iologdir
    Disable sudo's I/O logging support.  This can be used to allow sudo
    to be compiled on systems without pseudo-tty support.

  --with-iologdir[=DIR]
    By default, sudo stores I/O log files in either /var/log/sudo-io,
    /var/adm/sudo-io or /usr/log/sudo-io.  If DIR is
    specified, I/O logs will be stored in the indicated directory
    instead.

  --disable-authentication
    By default, sudo requires the user to authenticate via a
    password or similar means.  This option causes sudo to
    *not* require authentication.  It is possible to turn
    authentication back on in sudoers via the PASSWD attribute.

  --disable-root-sudo
    Don't let root run sudo.  This can be used to prevent people from
    "chaining" sudo commands to get a root shell by doing something
    like "sudo sudo /bin/sh".

  --enable-gss-krb5-ccache-name
    Use the gss_krb5_ccache_name() function to set the Kerberos
    V credential cache file name.  By default, sudo will use
    the KRB5CCNAME environment variable to set this.  While
    gss_krb5_ccache_name() provides a better API to do this it
    is not supported by all Kerberos V and SASL combinations.

  --enable-log-host
    Log the hostname in the log file.
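The difference between --with-env-editor and a colon-separated --with-editor list (described above) comes down to one selection rule: a value from VISUAL or EDITOR is honoured only when it is one of the configured entries, otherwise the first configured editor that exists is used.  The following is an added example that models that rule; it is not visudo's own code and the function name is made up.

```shell
#!/bin/sh
# Added example (not sudo's own code): models visudo's editor selection
# for a colon-separated --with-editor list.  VISUAL, then EDITOR, is
# honoured only if its value is exactly one of the configured entries and
# that entry exists; anything else is ignored and the first existing
# configured editor is used.  This is what makes the list safer than
# --with-env-editor, under which any value in those variables is run as
# root.

# pick_visudo_editor LIST [VISUAL] [EDITOR]
# Prints the chosen editor path and returns 0, or returns 1 when none of
# the configured editors exists on the system.
pick_visudo_editor() {
    list=$1
    visual=${2:-}
    editor=${3:-}

    # First pass: a user preference is accepted only if it matches a
    # configured entry, so it cannot point visudo at an arbitrary program.
    for want in "$visual" "$editor"; do
        [ -n "$want" ] || continue
        old_ifs=$IFS
        IFS=:
        for cand in $list; do
            if [ "$cand" = "$want" ] && [ -x "$cand" ]; then
                IFS=$old_ifs
                printf '%s\n' "$cand"
                return 0
            fi
        done
        IFS=$old_ifs
    done

    # Second pass: fall back to the first configured editor that exists.
    old_ifs=$IFS
    IFS=:
    for cand in $list; do
        if [ -x "$cand" ]; then
            IFS=$old_ifs
            printf '%s\n' "$cand"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}
```

With `--with-env-editor` the first pass would instead accept any non-empty value, which is the behaviour the note above warns about.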

  --enable-noargs-shell
    If sudo is invoked with no arguments it acts as if the "-s" flag had
    been given.  That is, it runs a shell as root (the shell is determined
    by the SHELL environment variable, falling back on the shell listed
    in the invoking user's /etc/passwd entry).

  --enable-shell-sets-home
    If sudo is invoked with the "-s" flag the HOME environment variable
    will be set to the home directory of the target user (which is root
    unless the "-u" option is used).  This option effectively makes the
    "-s" flag imply "-H".

  --disable-path-info
    Normally, sudo will tell the user when a command could not be found
    in their $PATH.  Some sites may wish to disable this as it could
    be used to gather information on the location of executables that
    the normal user does not have access to.  The disadvantage is that
    if the executable is simply not in the user's path, sudo will tell
    the user that they are not allowed to run it, which can be confusing.

  --enable-zlib[=location]
    Enable the use of the zlib compress library when storing
    I/O log files.  If specified, location is the base directory
    containing the zlib include and lib directories.  The special
    values "system" and "builtin" can be used to indicate that
    the system version of zlib should be used or that the version
    of zlib shipped with sudo should be used instead.
    If this option is not specified, configure will use the
    system zlib if it is present and I/O logging support has
    not been disabled.

  --disable-zlib
    Disable the use of the zlib compress library when storing
    I/O log files.

  --enable-warnings
    Enable compiler warnings when building sudo with gcc.

  --enable-werror
    Enable the -Werror compiler option when building sudo with gcc.

  --disable-hardening
    Disable the use of compiler/linker exploit mitigation options
    which are enabled by default.
    This includes compiling with
    _FORTIFY_SOURCE defined to 2, building with -fstack-protector
    and linking with -zrelro, where supported.

  --disable-pie
    Disable the creation of position independent executables (PIE)
    even when the compiler and linker support them.
    By default, sudo will be built as a PIE where possible.

  --enable-admin-flag
    Enable the creation of an Ubuntu-style admin flag file
    the first time sudo is run.

  --disable-env-reset
    Disable environment resetting.  This sets the default value
    of the "env_reset" Defaults option in sudoers to false.

Shadow password and C2 support
==============================

Shadow passwords (also included with most C2 security packages) are
supported on most major platforms for which they exist.  The
`configure' script will attempt to determine if your system can use
shadow passwords and include support for them if so.  Shadow password
support is now compiled in by default (it doesn't hurt anything if you
don't have them configured).  To disable the shadow password support,
use the --disable-shadow option to configure.

Shadow passwords are known to work on the following platforms:

    SunOS 4.x
    Solaris 2.x
    HP-UX >= 9.x
    Ultrix 4.x
    Digital UNIX
    IRIX >= 5.x
    AIX >= 3.2.x
    Linux
    SCO >= 3.2.2
    Pyramid DC/OSx
    UnixWare
    SVR4 (and variants using standard SVR4 shadow passwords)
    4.4BSD based systems (including OpenBSD, NetBSD, FreeBSD, and Mac OS X)
    Systems using SecureWare's C2 security.

OS dependent notes
==================

Linux:
    PAM and LDAP headers are not installed by default on most Linux
    systems.  You will need to install the "pam-dev" package if
    /usr/include/security/pam_appl.h is not present on your system.
    If you wish to build with LDAP support you will also need the
    openldap-devel package.

    Versions of glibc 2.x previous to 2.0.7 have a broken lsearch().
    You will need to either upgrade to glibc-2.0.7 or use sudo's
    version of lsearch().  To use sudo's lsearch(), comment out
    the "#define HAVE_LSEARCH 1" line in config.h and add lsearch.o
    to the LIBOBJS line in the Makefile.

    If you are using a Linux kernel older than 2.4 it is not possible
    to access the sudoers file via NFS.  This is due to a bug in
    the Linux client-side NFS implementation that has since been
    fixed.  There is a workaround on the sudo ftp site, linux_nfs.patch,
    if you need to NFS-mount sudoers on older Linux kernels.

Solaris 2.x:
    You need to have a C compiler in order to build sudo.  Since
    Solaris 2.x does not come with one by default this means that
    you either need to install the Sun Studio compiler suite,
    available for free from www.sun.com, or have a copy of the GNU
    C compiler (gcc) which is distributed on the Solaris Companion
    CD.  You can also get them from various places on the net,
    including http://www.sunfreeware.com/
    NOTE: sudo will *not* build with the sun C compiler in BSD
    compatibility mode (/usr/ucb/cc).  Sudo is designed to
    compile with the standard C compiler (or gcc) and will
    not build correctly with /usr/ucb/cc.  You can set the
    CC environment variable to the non-ucb compiler when
    running `configure' if it is not the first cc in your
    path.  Some sites link /usr/ucb/cc to gcc; configure will
    not notice this and still refuse to use /usr/ucb/cc, so
    make sure gcc is also in your path if your site is set up
    this way.
    Also: Older versions of Solaris come with a broken syslogd.
    If you are having problems with sudo logging you should
    make sure you have the latest syslogd patch installed.
    This is a problem for Solaris 2.4 and 2.5 at least.

Mac OS X:
    The pseudo-tty support in the Mac OS X kernel has bugs related
    to its handling of the SIGTSTP, SIGTTIN and SIGTTOU signals.
    It does not restart reads and writes when those signals are
    delivered.  This may cause problems for some commands when I/O
    logging is enabled.  The issue has been reported to Apple and
    is bug id #7952709.

HP-UX:
    The default C compiler shipped with HP-UX does not support
    creating position independent code and so is unable to support
    sudo's "noexec" functionality.  You must use either the HP ANSI
    C compiler or gcc for noexec to work.  Binary packages of gcc
    are available from http://hpux.connect.org.uk/.

    To prevent PAM from overriding the value of umask on HP-UX 11,
    you will need to add a line like the following to /etc/pam.conf:

        sudo session required libpam_hpsec.so.1 bypass_umask

    If every command run via sudo displays information about the last
    successful login and the last authentication failure you should
    make use of an /etc/pam.conf line like:

        sudo session required libpam_hpsec.so.1 bypass_umask bypass_last_login

Digital UNIX:
    By default, sudo will use SIA (Security Integration Architecture)
    to validate a user.  If you want to use an alternative authentication
    method that does not go through SIA, you need to use the
    --disable-sia option to configure.  If you use gcc to compile
    you will get warnings when building interfaces.c.  These are
    harmless but if they really bug you, you can edit
    /usr/include/net/if.h around line 123, right after the comment:
        /* forward decls for C++ */
    change the line:
        #ifdef __cplusplus
    to:
        #if defined(__cplusplus) || defined(__GNUC__)
    If you don't like the idea of editing the system header file
    you can just make a copy in gcc's private include tree and
    edit that.

AIX 3.2.x:
    I've had various problems with the AIX C compiler producing
    incorrect code when the -O flag was used.  When optimization
    is not used, the problems go away.  Gcc does not appear
    to have this problem.

SCO ODT:
    You'll probably need libcrypt_i.a available via anonymous ftp
    from sosco.sco.com.  The necessary files are /SLS/lng225b.Z
    and /SLS/lng225b.ltr.Z.

SunOS 4.x:
    The /bin/sh shipped with SunOS blows up while running configure.
    You can work around this by installing bash or zsh.  If you
    have bash or zsh in your path, configure will use it instead
    automatically.

ULTRIX 4.x:
    The /bin/sh shipped with ULTRIX blows up while running configure.
    You can work around this by installing bash or zsh.  If you
    have bash or zsh in your path, configure will use it instead
    automatically.

    ULTRIX ships with the 4.2BSD syslog(3) which does not
    allow things like logging different facilities to different
    files, redirecting logs to a single loghost and other niceties.
    You may want to just grab and install:
        ftp://www.sudo.ws/pub/sudo/misc/jtkohl-syslog-complete.tar.gz
    (available via anonymous ftp) which is a port of the 4.3BSD
    syslog/syslogd that is backwards compatible with the Ultrix version.
    I recommend it highly.  If you do not do this you probably want
    to run configure with --with-logging=file