PAM, AIX auth, BSD auth and login_cap are now on by default if the OS
supports them.
INSTALL (diffstat: 263)
@@ -109,16 +109,16 @@ Special features/options:
|
||||
Specifies path to C compiler you wish to use.
|
||||
|
||||
--with-incpath=DIR
|
||||
Adds the specified directory (or directories) to CPPFLAGS
|
||||
so configure and the compiler will look there for include
|
||||
files. Multiple directories may be specified as long as
|
||||
they are space separated.
|
||||
Adds the specified directory (or directories) to CPPFLAGS
|
||||
so configure and the compiler will look there for include
|
||||
files. Multiple directories may be specified as long as
|
||||
they are space separated.
|
||||
Eg: --with-incpath="/usr/local/include /opt/include"
|
||||
|
||||
--with-libpath=DIR
|
||||
Adds the specified directory (or directories) to LDFLAGS
|
||||
so configure and the compiler will look there for libraries.
|
||||
Multiple directories may be specified as with --with-incpath.
|
||||
Adds the specified directory (or directories) to LDFLAGS
|
||||
so configure and the compiler will look there for libraries.
|
||||
Multiple directories may be specified as with --with-incpath.
|
||||
|
||||
--with-rpath
|
||||
Tells configure to use -Rpath in addition to -Lpath when
|
||||
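Review bot: Style point on the --with-libpath entry in this hunk: --with-incpath now carries a worked example (Eg: --with-incpath="/usr/local/include /opt/include") while --with-libpath, whose text only says "Multiple directories may be specified as with --with-incpath.", has none; a parallel line such as --with-libpath="/usr/local/lib /opt/lib" would make the quoting of a space-separated list explicit for both options. "Eg:" also reads better as "E.g.:".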
@@ -126,27 +126,27 @@ Special features/options:
|
||||
by default for Solaris and SVR4.
|
||||
|
||||
--with-blibpath[=PATH]
|
||||
Tells configure to construct a -blibpath argument to the
|
||||
loader. If a PATH is specified, it will be used as the
|
||||
base. Otherwise, "/usr/lib:/lib:/usr/local/lib" will be
|
||||
used for gcc and "/usr/lib:/lib" for non-gcc. Additional
|
||||
library paths will be appended as needed by configure.
|
||||
Tells configure to construct a -blibpath argument to the
|
||||
loader. If a PATH is specified, it will be used as the
|
||||
base. Otherwise, "/usr/lib:/lib:/usr/local/lib" will be
|
||||
used for gcc and "/usr/lib:/lib" for non-gcc. Additional
|
||||
library paths will be appended as needed by configure.
|
||||
This option is only valid for AIX where it is on by default.
|
||||
|
||||
--with-libraries=LIBRARY
|
||||
Adds the specified library (or libaries) to SUDO_LIBS and
|
||||
and VISUDO_LIBS so sudo will link against them. If the
|
||||
library doesn't start with `-l' or end in `.a' or `.o' a
|
||||
`-l' will be prepended to it. Multiple libraries may be
|
||||
specified as long as they are space separated.
|
||||
Adds the specified library (or libaries) to SUDO_LIBS and
|
||||
and VISUDO_LIBS so sudo will link against them. If the
|
||||
library doesn't start with `-l' or end in `.a' or `.o' a
|
||||
`-l' will be prepended to it. Multiple libraries may be
|
||||
specified as long as they are space separated.
|
||||
|
||||
--with-csops
|
||||
Add CSOps standard options. You probably aren't interested in this.
|
||||
|
||||
--with-skey[=DIR]
|
||||
Enable S/Key OTP (One Time Password) support. If specified,
|
||||
DIR should contain include and lib directories with skey.h
|
||||
and libskey.a respectively.
|
||||
Enable S/Key OTP (One Time Password) support. If specified,
|
||||
DIR should contain include and lib directories with skey.h
|
||||
and libskey.a respectively.
|
||||
|
||||
--with-opie[=DIR]
|
||||
Enable NRL OPIE OTP (One Time Password) support. If specified,
|
||||
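Review bot: Two typos in the --with-libraries paragraph survive on the new side of this hunk: "libaries" should be "libraries", and the line break leaves a doubled conjunction ("to SUDO_LIBS and" / "and VISUDO_LIBS"); drop one "and". Since this hunk already rewrites those lines, fixing them here costs nothing.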
@@ -163,17 +163,17 @@ Special features/options:
|
||||
(or at least the library and header files).
|
||||
|
||||
--with-kerb4[=DIR]
|
||||
Enable Kerberos IV support. If specified, DIR is the base
|
||||
directory containing the Kerberos IV include and lib dirs.
|
||||
This uses Kerberos passphrases for authentication but does
|
||||
not use the Kerberos cookie scheme.
|
||||
Enable Kerberos IV support. If specified, DIR is the base
|
||||
directory containing the Kerberos IV include and lib dirs.
|
||||
This uses Kerberos passphrases for authentication but does
|
||||
not use the Kerberos cookie scheme.
|
||||
|
||||
--with-kerb5[=DIR]
|
||||
Enable Kerberos V support. If specified, DIR is the base
|
||||
directory containing the Kerberos V include and lib dirs.
|
||||
This This uses Kerberos passphrases for authentication but
|
||||
does not use the Kerberos cookie scheme. Will not work for
|
||||
Kerberos V older than version 1.1.
|
||||
Enable Kerberos V support. If specified, DIR is the base
|
||||
directory containing the Kerberos V include and lib dirs.
|
||||
This This uses Kerberos passphrases for authentication but
|
||||
does not use the Kerberos cookie scheme. Will not work for
|
||||
Kerberos V older than version 1.1.
|
||||
|
||||
--with-ldap[=DIR]
|
||||
Enable LDAP support. If specified, DIR is the base directory
|
||||
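Review bot: The --with-kerb5 description still reads "This This uses Kerberos passphrases" on both sides of the hunk; drop the repeated "This" while the paragraph is being touched.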
@@ -184,17 +184,17 @@ Special features/options:
|
||||
Path to LDAP configuration file. If specified, sudo reads
|
||||
this file instead of /etc/ldap.conf to locate the LDAP server.
|
||||
|
||||
--with-authenticate
|
||||
--with-aixauth
|
||||
Enable support for the AIX 4.x general authentication function.
|
||||
This will use the authentication scheme specified for the user
|
||||
on the machine.
|
||||
on the machine. It is on by default for AIX systems that
|
||||
support it.
|
||||
|
||||
--with-pam
|
||||
Enable PAM support. Tested on:
|
||||
Redhat Linux >= 5.x
|
||||
Solaris >= 2.6
|
||||
HP-UX >= 11.0
|
||||
NOTE: on RedHat Linux and Fedora you *must* have an /etc/pam.d/sudo
|
||||
Enable PAM support. This is on by default for Darwin, FreeBSD,
|
||||
Linux, Solaris and HP-UX (version 11 and higher).
|
||||
|
||||
NOTE: on RedHat Linux and Fedora you *must* have an /etc/pam.d/sudo
|
||||
file install. You may either use the sample.pam file included with
|
||||
sudo or use /etc/pam.d/su as a reference. The sample.pam file
|
||||
included with sudo may or may not work with other Linux distributions.
|
||||
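Review bot: Two things to document in this hunk. First, the option is renamed from --with-authenticate to --with-aixauth; the text should state whether configure still accepts the old name, since existing build scripts that pass --with-authenticate will otherwise silently lose AIX authentication. Second, with PAM now "on by default for Darwin, FreeBSD, Linux, Solaris and HP-UX", the RedHat/Fedora NOTE about requiring an /etc/pam.d/sudo file applies to every default Linux build rather than only to builds that opted in; it is worth saying so explicitly, because a default build without that file will fail authentication rather than fall back to the passwd/shadow path. Grammar: "you *must* have an /etc/pam.d/sudo file install" should be "installed".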
@@ -217,30 +217,31 @@ Special features/options:
|
||||
DCE PAM module (usually libpam_dce) should be used instead.
|
||||
|
||||
--with-logincap
|
||||
Enable support for BSD login classes where available (OS-dependent).
|
||||
This adds support for the login classes specified in /etc/login.conf.
|
||||
By default, a login class is not applied unless the 'use_loginclass'
|
||||
option is defined in sudoers or the user specifies a class on the
|
||||
command line.
|
||||
This adds support for login classes specified in /etc/login.conf.
|
||||
It is enabled by default on BSD/OS, Darwin, FreeBSD, OpenBSD and
|
||||
NetBSD (where available). By default, a login class is not applied
|
||||
unless the 'use_loginclass' option is defined in sudoers or the user
|
||||
specifies a class on the command line.
|
||||
|
||||
--with-bsdauth
|
||||
Enable support for BSD authentication on BSD/OS and OpenBSD.
|
||||
This option implies --with-logincap. It is not possible
|
||||
to mix BSD authentication with other authentication methods
|
||||
(and there really should be no need to do so). Note that
|
||||
only the newer BSD authentication API is supported. If you
|
||||
don't have /usr/include/bsd_auth.h then you cannot use this.
|
||||
Enable support for BSD authentication. This is the default
|
||||
for BSD/OS and OpenBSD systems that support it.
|
||||
It is not possible to mix BSD authentication with other
|
||||
authentication methods (and there really should be no need
|
||||
to do so). Note that only the newer BSD authentication API
|
||||
is supported. If you don't have /usr/include/bsd_auth.h
|
||||
then you cannot use this.
|
||||
|
||||
--with-noexec[=PATH]
|
||||
Enable support for the "noexec" functionality which prevents
|
||||
a dynamically-linked program being run by sudo from executing
|
||||
another program (think shell escapes). Please see the
|
||||
"PREVENTING SHELL ESCAPES" section in the sudoers man page
|
||||
for details. If specified, PATH should be a fully qualified
|
||||
pathname, e.g. /usr/local/libexec/sudo_noexec.so. If PATH
|
||||
is "no", noexec support will not be compiled in. The default
|
||||
is to compile noexec support if libtool supports building
|
||||
shared objects on your OS.
|
||||
Enable support for the "noexec" functionality which prevents
|
||||
a dynamically-linked program being run by sudo from executing
|
||||
another program (think shell escapes). Please see the
|
||||
"PREVENTING SHELL ESCAPES" section in the sudoers man page
|
||||
for details. If specified, PATH should be a fully qualified
|
||||
pathname, e.g. /usr/local/libexec/sudo_noexec.so. If PATH
|
||||
is "no", noexec support will not be compiled in. The default
|
||||
is to compile noexec support if libtool supports building
|
||||
shared objects on your OS.
|
||||
|
||||
--with-systrace[=DIR]
|
||||
Enable support for the systrace(4) tracing facility. This
|
||||
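Review bot: The rewritten --with-bsdauth paragraph drops the old sentence "This option implies --with-logincap." If configure still turns on login_cap support whenever BSD auth is enabled, keep that sentence (or fold it into the new "This is the default for BSD/OS and OpenBSD" wording); if the implication no longer holds, the text should say that --with-logincap must now be requested separately, since the two options interact and both are now defaulted per-OS by this commit.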
@@ -251,45 +252,45 @@ Special features/options:
|
||||
directory in which to find the systrace.h include file.
|
||||
|
||||
--disable-root-mailer
|
||||
By default sudo will run the mailer as root when tattling
|
||||
on a user so as to prevent that user from killing the mailer.
|
||||
With this option, sudo will run the mailer as the invoking
|
||||
user which some people consider to be safer.
|
||||
By default sudo will run the mailer as root when tattling
|
||||
on a user so as to prevent that user from killing the mailer.
|
||||
With this option, sudo will run the mailer as the invoking
|
||||
user which some people consider to be safer.
|
||||
|
||||
--disable-setreuid
|
||||
Disable use of the setreuid() function for operating systems
|
||||
where it is broken. 4.4BSD has setreuid() but it doesn't
|
||||
really work.
|
||||
Disable use of the setreuid() function for operating systems
|
||||
where it is broken. 4.4BSD has setreuid() but it doesn't
|
||||
really work.
|
||||
|
||||
--disable-setresuid
|
||||
Disable use of the setresuid() function for operating systems
|
||||
where it is broken (none currently known).
|
||||
Disable use of the setresuid() function for operating systems
|
||||
where it is broken (none currently known).
|
||||
|
||||
--disable-sia
|
||||
Disable SIA support. This is the "Security Integration
|
||||
Architecture" on Digital UNIX. If you disable SIA sudo will
|
||||
use its own authentication routines.
|
||||
Disable SIA support. This is the "Security Integration
|
||||
Architecture" on Digital UNIX. If you disable SIA sudo will
|
||||
use its own authentication routines.
|
||||
|
||||
--disable-shadow
|
||||
Disable shadow password support. Normally, sudo will compile
|
||||
in shadow password support and use a shadow password if it
|
||||
exists.
|
||||
Disable shadow password support. Normally, sudo will compile
|
||||
in shadow password support and use a shadow password if it
|
||||
exists.
|
||||
|
||||
--with-sudoers-mode=MODE
|
||||
File mode for the sudoers file (octal). Note that if you
|
||||
wish to NFS-mount the sudoers file this must be group
|
||||
readable. Also note that this is actually set in the
|
||||
Makefile. The default mode is 0440.
|
||||
File mode for the sudoers file (octal). Note that if you
|
||||
wish to NFS-mount the sudoers file this must be group
|
||||
readable. Also note that this is actually set in the
|
||||
Makefile. The default mode is 0440.
|
||||
|
||||
--with-sudoers-uid=UID
|
||||
User id that "owns" the sudoers file. Note that this is
|
||||
the numeric id, *not* the symbolic name. Also note that
|
||||
this is actually set in the Makefile. The default is 0.
|
||||
User id that "owns" the sudoers file. Note that this is
|
||||
the numeric id, *not* the symbolic name. Also note that
|
||||
this is actually set in the Makefile. The default is 0.
|
||||
|
||||
--with-sudoers-gid=GID
|
||||
Group id that "owns" the sudoers file. Note that this is
|
||||
the numeric id, *not* the symbolic name. Also note that
|
||||
this is actually set in the Makefile. The default is 0.
|
||||
Group id that "owns" the sudoers file. Note that this is
|
||||
the numeric id, *not* the symbolic name. Also note that
|
||||
this is actually set in the Makefile. The default is 0.
|
||||
|
||||
--with-execv
|
||||
Use execv() to exec the command instead of execvp(). I can't think of
|
||||
@@ -300,63 +301,63 @@ Special features/options:
|
||||
4.3BSD). This is off by default.
|
||||
|
||||
--without-interfaces
|
||||
This option keeps sudo from trying to glean the ip address
|
||||
from each attached ethernet interface. It is only useful
|
||||
on a machine where sudo's interface reading support does
|
||||
not work, which may be the case on some SysV-based OS's
|
||||
using STREAMS.
|
||||
This option keeps sudo from trying to glean the ip address
|
||||
from each attached ethernet interface. It is only useful
|
||||
on a machine where sudo's interface reading support does
|
||||
not work, which may be the case on some SysV-based OS's
|
||||
using STREAMS.
|
||||
|
||||
--without-passwd
|
||||
This option excludes authentication via the passwd (or
|
||||
shadow) file. It should only be used when another, alternate,
|
||||
authentication scheme is in use.
|
||||
This option excludes authentication via the passwd (or
|
||||
shadow) file. It should only be used when another, alternate,
|
||||
authentication scheme is in use.
|
||||
|
||||
--with-otp-only
|
||||
This option is now just an alias for --without-passwd.
|
||||
This option is now just an alias for --without-passwd.
|
||||
|
||||
--with-stow
|
||||
Properly handle GNU stow packaging. The sudoers file will
|
||||
physically live in ${prefix}/etc and /etc/sudoers will be
|
||||
a symbolic link.
|
||||
Properly handle GNU stow packaging. The sudoers file will
|
||||
physically live in ${prefix}/etc and /etc/sudoers will be
|
||||
a symbolic link.
|
||||
|
||||
The following options are also configurable at runtime:
|
||||
|
||||
--with-long-otp-prompt
|
||||
When validating with a One Time Password scheme (S/Key or
|
||||
OPIE), a two-line prompt is used to make it easier to cut
|
||||
and paste the challenge to a local window. It's not as
|
||||
pretty as the default but some people find it more convenient.
|
||||
When validating with a One Time Password scheme (S/Key or
|
||||
OPIE), a two-line prompt is used to make it easier to cut
|
||||
and paste the challenge to a local window. It's not as
|
||||
pretty as the default but some people find it more convenient.
|
||||
|
||||
--with-logging=TYPE
|
||||
How you want to do your logging. You may choose "syslog",
|
||||
"file", or "both". Setting this to "syslog" is nice because
|
||||
you can keep all of your sudo logs in one place (see the
|
||||
sample.syslog.conf file). The default is "syslog".
|
||||
How you want to do your logging. You may choose "syslog",
|
||||
"file", or "both". Setting this to "syslog" is nice because
|
||||
you can keep all of your sudo logs in one place (see the
|
||||
sample.syslog.conf file). The default is "syslog".
|
||||
|
||||
--with-logfac=FACILITY
|
||||
Determines which syslog facility to log to. This requires
|
||||
a 4.3BSD or later version of syslog. You can still set
|
||||
this for ancient syslogs but it will have no effect. The
|
||||
following facilities are supported: authpriv (if your OS
|
||||
supports it), auth, daemon, user, local0, local1, local2,
|
||||
local3, local4, local5, local6, and local7.
|
||||
Determines which syslog facility to log to. This requires
|
||||
a 4.3BSD or later version of syslog. You can still set
|
||||
this for ancient syslogs but it will have no effect. The
|
||||
following facilities are supported: authpriv (if your OS
|
||||
supports it), auth, daemon, user, local0, local1, local2,
|
||||
local3, local4, local5, local6, and local7.
|
||||
|
||||
--with-goodpri=PRIORITY
|
||||
Determines which syslog priority to log successfully
|
||||
authenticated commands. The following priorities are
|
||||
supported: alert, crit, debug, emerg, err, info, notice,
|
||||
and warning.
|
||||
Determines which syslog priority to log successfully
|
||||
authenticated commands. The following priorities are
|
||||
supported: alert, crit, debug, emerg, err, info, notice,
|
||||
and warning.
|
||||
|
||||
--with-badpri=PRIORITY
|
||||
Determines which syslog priority to log unauthenticated
|
||||
commands and errors. The following priorities are supported:
|
||||
alert, crit, debug, emerg, err, info, notice, and warning.
|
||||
Determines which syslog priority to log unauthenticated
|
||||
commands and errors. The following priorities are supported:
|
||||
alert, crit, debug, emerg, err, info, notice, and warning.
|
||||
|
||||
--with-logpath=PATH
|
||||
Override the default location of the sudo log file and use
|
||||
"path" instead. By default will use /var/log/sudo.log if
|
||||
there is a /var/log dir, falling back to /var/adm/sudo.log
|
||||
or /usr/adm/sudo.log if not.
|
||||
Override the default location of the sudo log file and use
|
||||
"path" instead. By default will use /var/log/sudo.log if
|
||||
there is a /var/log dir, falling back to /var/adm/sudo.log
|
||||
or /usr/adm/sudo.log if not.
|
||||
|
||||
--with-loglen=NUMBER
|
||||
Number of characters per line for the file log. This is only used if
|
||||
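Review bot: Style point in the --with-logpath entry: the option takes PATH (upper case) but the body says 'use "path" instead'; use the same placeholder in both. The sentence "By default will use /var/log/sudo.log" is also missing its subject ("By default sudo will use ...").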
@@ -400,7 +401,7 @@ The following options are also configurable at runtime:
|
||||
The default is "Sorry, try again." unless insults are turned on.
|
||||
|
||||
--with-fqdn
|
||||
Define this if you want to put fully qualified hostnames in the sudoers
|
||||
Define this if you want to put fully qualified hostnames in the sudoers
|
||||
file. Ie: instead of myhost you would use myhost.mydomain.edu. You may
|
||||
still use the short form if you wish (and even mix the two). Beware
|
||||
that turning FQDN on requires sudo to make DNS lookups which may make
|
||||
@@ -518,10 +519,10 @@ The following options are also configurable at runtime:
|
||||
if they match a value specified via --with-editor.
|
||||
|
||||
--disable-authentication
|
||||
By default, sudo requires the user to authenticate via a
|
||||
password or similar means. This options causes sudo to
|
||||
*not* require authentication. It is possible to turn
|
||||
authentication back on in sudoers via the PASSWD attribute.
|
||||
By default, sudo requires the user to authenticate via a
|
||||
password or similar means. This options causes sudo to
|
||||
*not* require authentication. It is possible to turn
|
||||
authentication back on in sudoers via the PASSWD attribute.
|
||||
|
||||
--disable-root-sudo
|
||||
Don't let root run sudo. This can be used to prevent people from
|
||||
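Review bot: Typo in the --disable-authentication text on both sides of this hunk: "This options causes sudo to" should read "This option causes sudo to".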
@@ -597,14 +598,14 @@ Solaris 2.x:
|
||||
Solaris. You can also get them from various places on the
|
||||
net, including http://www.sunfreeware.com/
|
||||
NOTE: sudo will *not* build with the sun C compiler in BSD
|
||||
compatibility mode (/usr/ucb/cc). Sudo is designed to
|
||||
compile with the standard C compiler (or gcc) and will
|
||||
not build correctly with /usr/ucb/cc. You can use the
|
||||
`--with-CC' option to point `configure' to the non-ucb
|
||||
compiler if it is not the first cc in your path. Some
|
||||
sites link /usr/ucb/cc to gcc; configure will not notice
|
||||
this an still refuse to use /usr/ucb/cc, so make sure gcc
|
||||
is also in your path if your site is setup this way.
|
||||
compatibility mode (/usr/ucb/cc). Sudo is designed to
|
||||
compile with the standard C compiler (or gcc) and will
|
||||
not build correctly with /usr/ucb/cc. You can use the
|
||||
`--with-CC' option to point `configure' to the non-ucb
|
||||
compiler if it is not the first cc in your path. Some
|
||||
sites link /usr/ucb/cc to gcc; configure will not notice
|
||||
this an still refuse to use /usr/ucb/cc, so make sure gcc
|
||||
is also in your path if your site is setup this way.
|
||||
Also: Many versions of Solaris come with a broken syslogd.
|
||||
If you have having problems with sudo logging you should
|
||||
make sure you have the latest syslogd patch installed.
|
||||
|
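Review bot: Three grammar fixes in the Solaris note that this hunk touches: "configure will not notice this an still refuse" should be "and still refuse"; "If you have having problems with sudo logging" should be "If you are having problems"; and "if your site is setup this way" should be "set up".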