change option formatter and flesh out some entries

Todd C. Miller
1998-10-17 20:39:25 +00:00
parent 5f41948de9
commit 56954cf32f

INSTALL

@@ -2,9 +2,10 @@ Installation instructions for CU sudo 1.5.7
=========================================== ===========================================
Sudo uses a `configure' script to probe the capabilities and type Sudo uses a `configure' script to probe the capabilities and type
of the system in question. Please read this document fully before of the system in question. In this release, `configure' takes many
configuring and building sudo. You may also wish to read the file more options than it did before. Please read this document fully
INSTALL.configure which explains more about the `configure' script. before configuring and building sudo. You may also wish to read the
file INSTALL.configure which explains more about the `configure' script.
Simple sudo installation Simple sudo installation
======================== ========================
@@ -56,6 +57,7 @@ For most systems and configurations it is possible simply to:
Notes on upgrading from an older release Notes on upgrading from an older release
======================================== ========================================
By default, sudo 1.5.7 expects the sudoers file to be mode 0440 and By default, sudo 1.5.7 expects the sudoers file to be mode 0440 and
to be owned by user and group 0. This differs from version 1.4 and to be owned by user and group 0. This differs from version 1.4 and
below which expected the sudoers file to be mode 0400 and to be below which expected the sudoers file to be mode 0400 and to be
@@ -76,311 +78,336 @@ This section describes flags accepted by the sudo's `configure' script.
Defaults are listed in brackets after the description. Defaults are listed in brackets after the description.
Configuration: Configuration:
--cache-file=FILE Cache test results in FILE --cache-file=FILE
Cache test results in FILE
--help Print the usage/help info --help
Print the usage/help info
--no-create Do not create output files --no-create
Do not create output files
--quiet, --silent Do not print `checking...' messages --quiet, --silent
Do not print `checking...' messages
Directory and file names: Directory and file names:
--prefix=PREFIX Install architecture-independent files in PREFIX --prefix=PREFIX
This really only applies to man pages. Install architecture-independent files in PREFIX This really only
[/usr/local] applies to man pages. [/usr/local]
--exec-prefix=EPREFIX Install architecture-dependent files in EPREFIX --exec-prefix=EPREFIX
This includes the sudo and visudo executables. Install architecture-dependent files in EPREFIX This includes the
[same as prefix] sudo and visudo executables. [same as prefix]
--bindir=DIR Install `sudo' in DIR [EPREFIX/bin] --bindir=DIR
Install `sudo' in DIR [EPREFIX/bin]
--sbindir=DIR Install `visudo' in DIR --sbindir=DIR
[EPREFIX/etc for historical reasons] Install `visudo' in DIR [EPREFIX/sbin]
--sysconfdir=DIR Install `sudoers' file in DIR [/etc] --sysconfdir=DIR
Install `sudoers' file in DIR [/etc]
--mandir=DIR Install man pages in DIR [PREFIX/man] --mandir=DIR
Install man pages in DIR [PREFIX/man]
--srcdir=DIR Find the sources in DIR [configure dir or ..] --srcdir=DIR
Find the sources in DIR [configure dir or ..]
Special features/options: Special features/options:
--with-CC Specifies path to C compiler you wish to use. --with-CC=path
Specifies path to C compiler you wish to use.
--with-skey Enable S/Key OTP support. --with-skey
Enable S/Key OTP (One Time Password) support.
--with-opie Enable NRL OPIE OTP support. --with-opie
Enable NRL OPIE OTP (One Time Password) support.
--with-otp-only When validating the user, only allow a One Time --with-otp-only
Password (OTP) passkey via S/Key or OPIE. Do not When validating the user, only allow a One Time Password (OTP)
compare against the passwd file or use any other passkey via S/Key or OPIE. Do not compare against the passwd
authentication scheme. file or use any other authentication scheme.
--with-long-otp-prompt When validating with a One Time Password scheme --with-long-otp-prompt
(S/Key or OPIE), a two-line prompt is used to make When validating with a One Time Password scheme (S/Key or OPIE), a
it easier to cut and paste the challenge to a local two-line prompt is used to make it easier to cut and paste the
window. It's not as pretty as the default but some challenge to a local window. It's not as pretty as the default but
people find it more convenient. some people find it more convenient.
--with-SecurID Enable SecurID support. --with-SecurID
Enable SecurID support.
--with-kerb4 Enable kerberos v4 support --with-kerb4
Tested only with the Cygnus Network Security Enable kerberos v4 support Tested only with the Cygnus Network
package (CNS). Security package (CNS). This uses kerberos passphrases for
authentication but does not use the kerberos cookie scheme.
--with-kerb5 Enable kerberos v5 support. --with-kerb5
This enables with kerberos v4 support and Enable kerberos v5 support. This enables with kerberos v4 support
links with the standard kerberos v5 libraries and links with the standard kerberos v5 libraries as well as the v4
as well as the v4 compatibility libraries. compatibility libraries. This uses kerberos passphrases for
authentication but does not use the kerberos cookie scheme.
--with-pam Enable PAM support. Tested on Redhat Linux 5.x --with-pam
but should work on earlier versions too. Not tested Enable PAM support. Tested on Redhat Linux 5.x but should work on
on Solaris 2.X but it is expected to work. earlier versions too. Not tested on Solaris 2.X but it is expected
to work.
--with-AFS Enable AFS support with kerberos authentication. --with-AFS
Should work under AFS 3.3. If your AFS Enable AFS support with kerberos authentication. Should work under
doesn't have -laudit you should be able to AFS 3.3. If your AFS doesn't have -laudit you should be able to
link without it. link without it.
--with-authenticate Enable support for the AIX 4.x general authentication --with-authenticate
function. This will use the authentication Enable support for the AIX 4.x general authentication function.
scheme specified for the user on the machine. This will use the authentication scheme specified for the user
on the machine.
--with-DCE Enable DCE support. --with-DCE
Known to work on HP-UX 9.X and 10.0. Enable DCE support. Known to work on HP-UX 9.X and 10.0. Other
Other platforms may require source code platforms may require source code and/or `configure' changes.
and/or `configure' changes.
--with-message=TYPE Set message for first time sudo to be "short", --with-message=TYPE
"full", or "none". Default is "short. Set message for first time sudo to be "short", "full", or "none".
Default is "short.
--with-logging=TYPE How you want to do your logging. You may choose --with-logging=TYPE
"syslog", "file", or "both". Setting this to How you want to do your logging. You may choose "syslog", "file",
"syslog" is nice because you can keep all of your or "both". Setting this to "syslog" is nice because you can keep all
sudo logs in one place. If you don't have syslog of your sudo logs in one place. If you don't have syslog or if your
or if your syslog is of an ancient vintage (4.2BSD, syslog is of an ancient vintage (4.2BSD, SunOS 3.x and all versions
SunOS 3.x and all versions of Ultrix) you should of Ultrix) you should probably use "file" logging.
probably use "file" logging. The default is "syslog". The default is "syslog".
--with-logfac=FACILITY Determines which syslog facility to log to. This --with-logfac=FACILITY
This requires a 4.3BSD or later version of syslog. Determines which syslog facility to log to. This This requires a
You can still set this for ancient syslogs but it 4.3BSD or later version of syslog. You can still set this for ancient
will have no effect. A list of possible values may syslogs but it will have no effect. A list of possible values may be
be found in /usr/include/syslog.h. The default is to found in /usr/include/syslog.h. The default is to use LOG_LOCAL2 but
use LOG_LOCAL2 but you may want to use LOG_AUTH. some sites may wish to use LOG_AUTH instead.
--with-logpath=path Override the default location of the sudo --with-logpath=path
log file and use "path" instead. Override the default location of the sudo log file and use "path"
instead. By default will use /var/log/sudo.log if there is a /var/log
dir, falling back to /var/adm/sudo.log or /usr/adm/sudo.log if not.
--with-loglen Number of characters per line for the file log. --with-loglen
This is only used if you are to "file" or "both". Number of characters per line for the file log. This is only used if
This value is used to decide when to wrap lines you are to "file" or "both". This value is used to decide when to wrap
for nicer log files. The default is 80. lines for nicer log files. The default is 80.
--without-root-sudo Don't let root run sudo. This can be used to prevent --without-root-sudo
people from "chaining" sudo commands to get a root Don't let root run sudo. This can be used to prevent people from
shell by doing something like "sudo sudo /bin/sh". "chaining" sudo commands to get a root shell by doing something
like "sudo sudo /bin/sh".
--with-ignore-dot If set, sudo will ignore '.' or '' (current dir) in --with-ignore-dot
$PATH. The $PATH itself is not modified. If set, sudo will ignore '.' or '' (current dir) in $PATH.
The $PATH itself is not modified.
--with-alertmail User that mail from sudo is sent to. This should go --with-alertmail
to a sysadmin at your site. The default is "root". User that mail from sudo is sent to. This should go to a sysadmin at
your site. The default is "root".
--with-mailsubject Subject of the mail sent to the "alertmail" user. The --with-mailsubject
token "%h" will expand to the hostname of the machine. Subject of the mail sent to the "alertmail" user. The token "%h"
Default is "*** SECURITY information for %h ***". will expand to the hostname of the machine.
Default is "*** SECURITY information for %h ***".
--without-mail-if-no-user Normally, sudo will mail to the "alermail" user if --without-mail-if-no-user
the user invoking sudo is not in the sudoers file. Normally, sudo will mail to the "alermail" user if the user invoking
This option disables that behavior. sudo is not in the sudoers file. This option disables that behavior.
--with-mail-if-noperms Send mail to the "alermail" user if the user is --with-mail-if-noperms
allowed to use sudo but the command they are trying Send mail to the "alermail" user if the user is allowed to use sudo but
is not listed in their sudoers file entry. the command they are trying is not listed in their sudoers file entry.
--with-passprompt Default prompt to use when asking for a password; can --with-passprompt
be overridden via the -p option. Supports two escapes: Default prompt to use when asking for a password; can be overridden
"%u" expands to the user's login name and "%h" expands via the -p option and the SUDO_PROMPT environment variable. Supports
to the local hostname. Default is "Password:". two escapes: "%u" expands to the user's login name and "%h" expands
to the local hostname. Default is "Password:".
--with-badpass-message Message that is displayed if a user enters an --with-badpass-message
incorrect password. The default is Message that is displayed if a user enters an incorrect password.
"Sorry, try again." unless insults are turned on. The default is "Sorry, try again." unless insults are turned on.
--with-fqdn Define this if you want to put fully qualified --with-fqdn
hostnames in the sudoers file. Ie: instead of myhost Define this if you want to put fully qualified hostnames in the sudoers
you would use myhost.mydomain.edu. You may still use file. Ie: instead of myhost you would use myhost.mydomain.edu. You may
the short form if you wish (and even mix the two). still use the short form if you wish (and even mix the two). Beware
Beware that turning FQDN on requires sudo to make DNS that turning FQDN on requires sudo to make DNS lookups which may make
lookups which may make sudo unusable if your DNS is sudo unusable if your DNS is totally hosed. Also note that you must
totally hosed. Also note that you must use the host's use the host's official name as DNS knows it. That is, you may not use
official name as DNS knows it. That is, you may not a host alias (CNAME entry) due to performance issues and the fact that
use a host alias (CNAME entry) due to performance there is no way to get all aliases from DNS.
issues and the fact that there is no way to get all
aliases from DNS.
--with-timedir=path Override the default location of the sudo --with-timedir=path
timestamp directory and use "path" instead. Override the default location of the sudo timestamp directory and
use "path" instead.
--with-sendmail=path Override configure's guess as to the location --with-sendmail=path
of sendmail. Override configure's guess as to the location of sendmail.
--without-sendmail Do not use sendmail to mail messages to the --without-sendmail
"alertmail" user. Use only if you have no mailers. Do not use sendmail to mail messages to the "alertmail" user.
Use only if don't run sendmail or the equivalent.
--with-sudoers-mode=mode File mode for the sudoers file (octal). Note that --with-sudoers-mode=mode
if you wish to NFS-mount the sudoers file this must File mode for the sudoers file (octal). Note that if you wish to
be group readable. Also note that this is actually NFS-mount the sudoers file this must be group readable. Also note
set in the Makefile. The default mode is 0440. that this is actually set in the Makefile. The default mode is 0440.
--with-sudoers-uid User id that "owns" the sudoers file. Note that this --with-sudoers-uid
is the numeric id, *not* the symbolic name. Also User id that "owns" the sudoers file. Note that this is the numeric
note that this is actually set in the Makefile. id, *not* the symbolic name. Also note that this is actually set in
The default is 0. the Makefile. The default is 0.
--with-sudoers-gid Group id that "owns" the sudoers file. Note that this --with-sudoers-gid
is the numeric id, *not* the symbolic name. Also Group id that "owns" the sudoers file. Note that this is the numeric
note that this is actually set in the Makefile. id, *not* the symbolic name. Also note that this is actually set in
The default is 0. the Makefile. The default is 0.
--with-sudo-umask Umask to use when running the root command. --with-sudo-umask
The default is 0022. Umask to use when running the root command. The default is 0022.
--without-sudo-umask Preserves the umask of the user invoking sudo. --without-sudo-umask
Preserves the umask of the user invoking sudo.
--with-runas-default The default user to run commands as if the -u --with-runas-default=user
flag is not specified on the command line. The default user to run commands as if the -u flag is not specified
This defaults to "root". on the command line. This defaults to "root".
--with-exempt=group Users in the specified group don't need to enter a --with-exempt=group
password when running sudo. This may be useful for Users in the specified group don't need to enter a password when
sites that don't want their "core" sysadmins to have running sudo. This may be useful for sites that don't want their
to enter a password but where Jr. sysadmins need to. "core" sysadmins to have to enter a password but where Jr. sysadmins
You should probably use NOPASSWD in sudoers instead. need to. You should probably use NOPASSWD in sudoers instead.
--with-editor Specify the default editor used by visudo (and the --with-editor
only editor used unless --with-env-editor is Specify the default editor used by visudo (and the only editor used
specified). The default is vi. unless --with-env-editor is specified). The default is vi.
--with-env-editor Makes visudo consult the EDITOR and VISUAL environment --with-env-editor
variables before falling back on the default editor. Makes visudo consult the EDITOR and VISUAL environment variables before
Note that this may create a security hole as most falling back on the default editor. Note that this may create a
editors allow a user to get a shell (which would be a security hole as most editors allow a user to get a shell (which would
root shell and hence, no logging). be a root shell and hence, no logging).
--with-passwd-tries Number of tries a user gets to enter his/her password --with-passwd-tries=tries
before sudo logs the failure and exits. Number of tries a user gets to enter his/her password before sudo logs
The default is 3. the failure and exits. The default is 3.
--with-timeout Number of minutes that can elapse before sudo will --with-timeout=minutes
ask for a passwd again. The default is 5, set this Number of minutes that can elapse before sudo will ask for a passwd
to 0 to always prompt for a password. again. The default is 5, set this to 0 to always prompt for a password.
--with-password-timeout Number of minutes before the sudo password prompt --with-password-timeout=minutes
times out. The default is 5, set this to 0 for no Number of minutes before the sudo password prompt times out.
password timeout. The default is 5, set this to 0 for no password timeout.
--with-execv Use execv() to exec the command instead of execvp(). --with-execv
I can't think of a reason to actually do this since Use execv() to exec the command instead of execvp(). I can't think of
execvp() is passed a fully qualified pathname but a reason to actually do this since execvp() is passed a fully qualified
someone might thoroughly distrust execvp(). Note that pathname but someone might thoroughly distrust execvp(). Note that if
if you define this you lose the ability to exec you define this you lose the ability to exec scripts that are missing
scripts that are missing the '#!/bin/sh' cookie the '#!/bin/sh' cookie (like /bin/kill on SunOS and /etc/fastboot on
(like /bin/kill on SunOS and /etc/fastboot on 4.3BSD). 4.3BSD). This is off by default.
This is off by default.
--with-tty-tickets This makes sudo use a different ticket file for each --with-tty-tickets
tty (per user). Ie: instead of the ticket file being This makes sudo use a different ticket file for each tty (per user).
"username" it is "username.tty". This offers Ie: instead of the ticket file being "username" it is "username.tty".
increased security in an open lab or with "shared" This offers increased security in an open lab or with "shared" accounts
accounts like "operator." Note that this means that like "operator." Note that this means that there will be more files in
there will be more files in the timestamp dir. This the timestamp dir. This is not a problem if your system has a cron job
is not a problem if your system has a cron job to to remove of files from /tmp (or wherever you specified the timestamp
remove of files from /tmp (or wherever you specified dir to be).
the timestamp dir to be).
--with-insults Define this if you want to be insulted for typing an --with-insults
incorrect password just like the original sudo(8). Define this if you want to be insulted for typing an incorrect password
This is off by default. just like the original sudo(8). This is off by default.
--with-classic-insults Uses insults from sudo "classic." If you just --with-classic-insults
specify --with-insults you will get the classic and Uses insults from sudo "classic." If you just specify --with-insults
CSOps insults. This is on by default if you will get the classic and CSOps insults. This is on by default if
--with-insults is given. --with-insults is given.
--with-csops-insults Insults the user with an extra set of insults (some --with-csops-insults
quotes, some original) from a sysadmin group at CU Insults the user with an extra set of insults (some quotes, some
(CSOps). You must specify --with-insults as well for original) from a sysadmin group at CU (CSOps). You must specify
this to have any effect. This is on by default if --with-insults as well for this to have any effect. This is on by
--with-insults is given. default if --with-insults is given.
--with-hal-insults Uses 2001-like insults when an incorrect password is --with-hal-insults
entered. You must specify --with-insults as well for Uses 2001-like insults when an incorrect password is entered.
this to have any effect. You must specify --with-insults as well for this to have any effect.
--with-goons-insults Insults the user with lines from the "Goon Show" when --with-goons-insults
an incorrect password is entered. You must specify Insults the user with lines from the "Goon Show" when an incorrect
--with-insults as well for this to have any effect. password is entered. You must specify --with-insults as well for
this to have any effect.
--with-secure-path[=path] Path used for every command run from sudo(8). If --with-secure-path[=path]
you don't trust the people running sudo to have a Path used for every command run from sudo(8). If you don't trust the
sane PATH environmental variable you may want to use people running sudo to have a sane PATH environment variable you may
this. Another use is if you want to have the want to use this. Another use is if you want to have the "root path"
"root path" be separate from the "user path." You be separate from the "user path." You will need to customize the path
will need to customize the path for your site. for your site. NOTE: this is not applied to users in the group
NOTE: this is not applied to users in the group specified by --with-exemptgroup. If you do not specify a path,
specified by --with-exemptgroup. If you do not "/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc" is used.
specify a path, "/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc" is used.
--with-incpath Adds the specified directories to CPPFLAGS --with-incpath
so configure and the compiler will look there Adds the specified directories to CPPFLAGS so configure and the
for include files. Multiple directories may compiler will look there for include files. Multiple directories
be specified as long as they are space separated. may be specified as long as they are space separated.
Eg: --with-incpath="/usr/local/include /opt/include" Eg: --with-incpath="/usr/local/include /opt/include"
--with-libpath Adds the specified directories to SUDO_LDFLAGS --with-libpath
and VISUDO_LDFLAGS so configure and the compiler Adds the specified directories to SUDO_LDFLAGS and VISUDO_LDFLAGS so
will look there for libraries. Multiple directories configure and the compiler will look there for libraries. Multiple
may be specified as with --with-incpath. directories may be specified as with --with-incpath.
--with-libraries Adds the specified libaries to SUDO_LIBS and --with-libraries
and VISUDO_LIBS so sudo will link against them. Adds the specified libaries to SUDO_LIBS and and VISUDO_LIBS so sudo
If the library doesn't start with `-l' or end will link against them. If the library doesn't start with `-l' or end
in `.a' or `.o' a `-l' will be prepended to it. in `.a' or `.o' a `-l' will be prepended to it. Multiple libraries may
Multiple libraries may be specified as long be specified as long as they are space separated.
as they are space separated.
--with-csops Add CSOps standard options. --with-csops
Add CSOps standard options. You probably aren't interested in this.
--without-interfaces This option keeps sudo from trying to glean the ip --without-interfaces
address from each attached ethernet interface. It is This option keeps sudo from trying to glean the ip address from each
only useful on a machine where sudo's interface attached ethernet interface. It is only useful on a machine where
reading support does not work, which may be the case sudo's interface reading support does not work, which may be the case
on some SysV-based OS's using STREAMS. on some SysV-based OS's using STREAMS.
--disable-shadow Disable shadow password support. Normally, sudo --disable-shadow
will compile in shadow password support and use Disable shadow password support. Normally, sudo will compile in shadow
a shadow password if it exists. password support and use a shadow password if it exists.
--disable-tgetpass Use system getpass(3) instead of sudo-supplied --disable-tgetpass
tgetpass(). For systems where tgetpass() is broken. Use system getpass(3) instead of sudo-supplied tgetpass(). For systems
where tgetpass() is broken.
--enable-log-host Log the hostname in the log file. --enable-log-host
Log the hostname in the log file.
--disable-log-wrap Do not wrap long lines in the log file. --disable-log-wrap
Do not wrap long lines in the log file.
--enable-noargs-shell If sudo is invoked with no arguments it acts as if --enable-noargs-shell
the "-s" flag had been given. Namely, it runs a shell If sudo is invoked with no arguments it acts as if the "-s" flag had
as root (the shell is determined by the SHELL been given. That is, it runs a shell as root (the shell is determined
envariable, falling back on the shell listed in the by the SHELL environment variable, falling back on the shell listed
invoking user's /etc/passwd entry). in the invoking user's /etc/passwd entry).
--enable-shell-sets-home If sudo is invoked with the "-s" flag the HOME --enable-shell-sets-home
environmental variable will be set to the home If sudo is invoked with the "-s" flag the HOME environment variable
directory of the target user (which is root unless will be set to the home directory of the target user (which is root
the "-u" option is used). This option effectively unless the "-u" option is used). This option effectively makes the
makes the "-s" flag imply "-H". "-s" flag imply "-H".
Shadow password and C2 support Shadow password and C2 support
============================== ==============================
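Review bot: the reflow carries several wording defects of the old left-hand text into the new right-hand column and adds one, and since every entry is being rewritten in this hunk anyway they should be fixed in the same pass. The --with-logfac entry now reads "to log to. This This requires a" (doubled "This"); --with-message ends with `Default is "short.` and is missing the closing quote; --without-mail-if-no-user and --with-mail-if-noperms both spell the recipient "alermail" while the option itself is --with-alertmail; --with-libraries has "libaries" and "SUDO_LIBS and and VISUDO_LIBS"; --without-sendmail says "Use only if don't run sendmail" (missing "you"); --with-loglen says "if you are to "file" or "both"" (missing "logging"); --with-tty-tickets says "to remove of files from /tmp". Two consistency points deserve a closer look rather than a copy-edit: --with-secure-path says the path is "not applied to users in the group specified by --with-exemptgroup", but the option documented a few entries earlier is --with-exempt=group, so one of the two names is wrong and an admin grepping for the documented flag will not find it; and --sbindir's stated default changes from "EPREFIX/etc for historical reasons" to "EPREFIX/sbin", which is a claim about where visudo gets installed, not a reformat, so confirm that the `configure' script in this release really defaults visudo to EPREFIX/sbin, otherwise the document and the build disagree about the location of the one tool that is supposed to edit the root-owned sudoers file.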
@@ -400,7 +427,7 @@ Shadow passwords are supported on the following platforms:
HP-UX >= 9.x HP-UX >= 9.x
Ultrix 4.x Ultrix 4.x
Digital UNIX 3.x and 4.x Digital UNIX 3.x and 4.x
Irix 5.x and 6.x IRIX 5.x and 6.x
AIX 3.2.x ad 4.x AIX 3.2.x ad 4.x
ConvexOS with C2 security (not tested recently) ConvexOS with C2 security (not tested recently)
Linux Linux
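Review bot: the "AIX 3.2.x ad 4.x" line keeps the typo "ad" for "and" on both sides of the hunk; since the adjacent Irix line is being re-cased to IRIX in this same hunk, change "ad" to "and" here as well so the platform list does not need a third touch.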