Sudo installation instructions
==============================

Sudo uses a `configure' script to probe the capabilities and type
of the system in question. In this release, `configure' takes many
more options than it did before. Please read this document fully
before configuring and building sudo. You may also wish to read the
file INSTALL.configure which explains more about the `configure' script.

To build sudo from the source distribution you need a POSIX-compliant
operating system (any modern version of BSD, Linux or Unix should work),
an ANSI/ISO C compiler that supports the "long long" type, variadic
macros (a C99 feature) as well as the ar, make and ranlib utilities.

If you wish to modify the parser then you will need flex version
2.5.2 or later and either bison or byacc (sudo comes with a
pre-generated parser). You'll also have to run configure with the
--with-devel option or pass DEVEL=1 to make. You can get flex from
http://flex.sourceforge.net/. You can get GNU bison from
ftp://ftp.gnu.org/pub/gnu/bison/ or any GNU mirror.

Simple sudo installation
========================

For most systems and configurations it is possible simply to:

0) If you are upgrading from a previous version of sudo
   please read the info in the UPGRADE file before proceeding.

1) Read the `OS dependent notes' section for any particular
   "gotchas" relating to your operating system.

2) `cd' to the source or build directory and type `./configure'
   to generate a Makefile and config.h file suitable for building
   sudo. Before you actually run configure you should read the
   `Available configure options' section to see if there are
   any special options you may want or need.

4) Type `make' to compile sudo. If you are building sudo
   in a separate build tree (apart from the sudo source) GNU
   make will probably be required. If `configure' did its job
   properly (and you have a supported configuration) there won't
   be any problems. If this doesn't work, take a look at the
   doc/TROUBLESHOOTING file for tips on what might have gone
   wrong. Please mail us if you have a fix or if you are unable
   to come up with a fix (address at EOF).

5) Type `make install' (as root) to install sudo, visudo, the
   man pages, and a skeleton sudoers file. Note that the install
   will not overwrite an existing sudoers file. You can also
   install various pieces of the package via the install-binaries,
   install-doc, and install-sudoers make targets.

6) Edit the sudoers file with `visudo' as necessary for your
   site. You will probably want to refer to the sample.sudoers
   file and sudoers man page included with the sudo package.

7) If you want to use syslogd(8) to do the logging, you'll need
   to update your /etc/syslog.conf file. See the sample.syslog.conf
   file included in the distribution for an example.

Available configure options
===========================

This section describes flags accepted by sudo's `configure' script.
Defaults are listed in brackets after the description.

Cache test results in FILE

Alias for `--cache-file=config.cache'

Print the usage/help info

Do not create output files

Do not print `checking...' messages

Find the sources in DIR [configure dir or `..']

Directory and file names:

Install architecture-independent files in PREFIX. [/usr/local]

Install architecture-dependent files in EPREFIX.
This includes the executables and plugins. [same as PREFIX]

Install `sudo', `sudoedit' and `sudoreplay' in DIR. [EPREFIX/bin]

Install `visudo' in DIR. [EPREFIX/sbin]

Install plugins and helper programs in DIR/sudo [PREFIX/libexec/sudo]

Look for `sudo.conf' and `sudoers' files in DIR. [/etc]

Install sudo_plugin.h include file in DIR [PREFIX/include]

Root directory for platform-independent data files [PREFIX/share]

Install sudo and sudoers locale files in DIR [DATAROOTDIR/locale]

Install man pages in DIR [PREFIX/man]

Install other sudo documentation in DIR [DATAROOTDIR/doc/sudo]

--with-plugindir=PATH
Set the directory that sudo looks in to find the policy and I/O
logging plugins. Defaults to LIBEXEC/sudo.

Use PATH to store the sudo time stamp files. By default,
the first existing directory in the following list is used:
/var/db, /var/lib, /var/adm, /usr/adm.

Disable the use of compiler/linker exploit mitigation options
which are enabled by default. This includes compiling with
_FORTIFY_SOURCE defined to 2, building with -fstack-protector
and linking with -zrelro, where supported.

Build sudo and related programs as position independent
executables (PIE). This improves the effectiveness of address
space layout randomization (ASLR) on systems that support it.
Sudo will create PIE binaries by default on Linux systems.

Disable the creation of position independent executables (PIE),
even if the compiler creates PIE binaries by default. This
option may be needed on some Linux systems where PIE binaries
are not fully supported.
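
A post-build check for the mitigations described above, as an added
example that is not part of the sudo distribution. The functions read
`readelf' output on stdin; the function names are hypothetical and both
sample texts are constructed to resemble GNU binutils output.

```sh
#!/bin/sh
# Added example: report exploit mitigations from `readelf` output on stdin.
# Typical use, assuming GNU binutils and an installed binary:
#   readelf -W -h -l -d --dyn-syms /usr/local/bin/sudo | mitigation_report

mitigation_report() {
    awk '
        # ELF header: a PIE has type DYN, a fixed-address program has EXEC.
        $1 == "Type:" { pie = ($2 == "DYN") ? "yes" : "no" }
        # Program header emitted by the linker for -z relro.
        $1 == "GNU_RELRO" { relro = 1 }
        # Immediate binding (-z now) also protects the GOT: "full" RELRO.
        $2 == "(BIND_NOW)" || ($2 == "(FLAGS)" && /BIND_NOW/) { now = 1 }
        $2 == "(FLAGS_1)" { for (i = 3; i <= NF; i++) if ($i == "NOW") now = 1 }
        {
            for (i = 1; i <= NF; i++) {
                sym = $i
                sub(/@.*/, "", sym)            # drop the symbol version
                # -fstack-protector imports the canary failure handler.
                if (sym == "__stack_chk_fail") canary = 1
                # _FORTIFY_SOURCE swaps libc calls for checked *_chk forms.
                else if (sym ~ /^__[a-z0-9_]+_chk$/) fortify = 1
            }
        }
        END {
            printf "pie=%s relro=%s canary=%s fortify=%s\n",
                (pie == "" ? "unknown" : pie),
                (relro ? (now ? "full" : "partial") : "none"),
                (canary ? "yes" : "no"), (fortify ? "yes" : "no")
        }'
}

# Succeeds only if every mitigation named in the text above is visible.
# Canary and fortify symbols appear only when the code needs them, so a
# "no" there means "look closer", not proof that hardening was disabled.
is_hardened() {
    case $(mitigation_report) in
        "pie=yes relro=partial canary=yes fortify=yes") return 0 ;;
        "pie=yes relro=full canary=yes fortify=yes")    return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample resembling a hardened PIE build (not real sudo output).
sample_hardened() {
cat <<'EOF'
  Type:                              DYN (Position-Independent Executable file)
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x02fb10 0x0000000000030b10 0x0000000000030b10 0x0014f0 0x0014f0 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
    12: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
    27: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __snprintf_chk@GLIBC_2.3.4 (4)
EOF
}

# Constructed sample resembling a build with hardening and PIE disabled.
sample_plain() {
cat <<'EOF'
  Type:                              EXEC (Executable file)
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
    12: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND snprintf@GLIBC_2.2.5 (2)
EOF
}

sample_hardened | mitigation_report
sample_plain | mitigation_report
```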

By default, configure will use -Rpath in addition to -Lpath
when passing library paths to the loader. This option will
disable the use of -Rpath.

Disable dynamic shared object support. By default, sudo
is built with a plugin API capable of loading arbitrary
policy and I/O logging plugins. If the --disable-shared
option is specified, this support is disabled and the default
sudoers policy and I/O plugins are embedded in the sudo
binary itself. This will also disable the noexec option
as it too relies on dynamic shared object support.

--enable-zlib[=location]
Enable the use of the zlib compression library when storing
I/O log files. If specified, location is the base directory
containing the zlib include and lib directories. The special
values "system" and "builtin" can be used to indicate that
the system version of zlib should be used or that the version
of zlib shipped with sudo should be used instead.
If this option is not specified, configure will use the
system zlib if it is present.

Adds the specified directory (or directories) to CPPFLAGS
so configure and the compiler will look there for include
files. Multiple directories may be specified as long as
they are space separated.
E.g. --with-incpath="/usr/local/include /opt/include"

Adds the specified directory (or directories) to LDFLAGS
so configure and the compiler will look there for libraries.
Multiple directories may be specified as with --with-incpath.

--with-libraries=LIBRARY
Adds the specified library (or libraries) to SUDO_LIBS and
VISUDO_LIBS so sudo will link against them. If the
library doesn't start with `-l' or end in `.a' or `.o' a
`-l' will be prepended to it. Multiple libraries may be
specified as long as they are space separated.

By default, sudo will use the included version of libtool
to build shared libraries. The --with-libtool option can
be used to specify a different version of libtool to use.
The special values "system" and "builtin" can be used in
place of a path to denote the default system libtool (obtained
via the user's PATH) and the default libtool that comes

--disable-root-mailer
By default sudo will run the mailer as root when tattling
on a user so as to prevent that user from killing the mailer.
With this option, sudo will run the mailer as the invoking
user which some people consider to be safer.

--enable-nls[=location]
Enable natural language support using the gettext() family
of functions. If specified, location is the base directory
containing the libintl include and lib directories. If
this option is not specified, configure will look for the
gettext() family of functions in the standard C library
first, then check for a standalone libintl (linking with

Disable natural language support. By default, sudo will
use the gettext() family of functions, if available, to
implement messages in the invoking user's native language.
Note that translations do not exist for all languages.

Enable LDAP support. If specified, DIR is the base directory
containing the LDAP include and lib directories. Please see
README.LDAP for more information.

--with-ldap-conf-file=PATH
Path to LDAP configuration file. If specified, sudo reads
this file instead of /etc/ldap.conf to locate the LDAP server.

--with-ldap-secret-file=PATH
Path to LDAP secret password file. If specified, sudo uses
this file instead of /etc/ldap.secret to read the secret password
when rootbinddn is specified in the ldap config file.

This adds support for login classes specified in /etc/login.conf.
It is enabled by default on BSD/OS, Darwin, FreeBSD, OpenBSD and
NetBSD (where available). By default, a login class is not applied
unless the 'use_loginclass' option is defined in sudoers or the user
specifies a class on the command line.

--with-interfaces=no, --without-interfaces
This option keeps sudo from trying to glean the IP address
from each attached Ethernet interface. It is only useful
on a machine where sudo's interface reading support does
not work, which may be the case on some SysV-based OS's

Enable support for the "noexec" functionality which prevents
a dynamically-linked program being run by sudo from executing
another program (think shell escapes). Please see the
"PREVENTING SHELL ESCAPES" section in the sudoers man page
for details. If specified, PATH should be a fully qualified
path name, e.g. /usr/local/libexec/sudo_noexec.so. If PATH
is "no", noexec support will not be compiled in. The default
is to compile noexec support if libtool supports building
shared objects on your OS.

Enable support for role based access control (RBAC) on
systems that support SELinux.

Enable support for using the System Security Services Daemon
(SSSD) as a sudoers data source. For more information on
SSSD, see http://fedorahosted.org/sssd/

Specify the path to the SSSD shared library, which is loaded

Operating system-specific options:

Disable use of the setreuid() function for operating systems
where it is broken. For instance, 4.4BSD has setreuid()
that is not fully functional.

Disable use of the setresuid() function for operating systems
where it is broken (none currently known).

Enable the creation of an Ubuntu-style admin flag file
the first time sudo is run.

Enable support for sudo BSM audit logs on systems that support it.
This includes recent versions of FreeBSD, Mac OS X and Solaris.

Enable audit support for Linux systems. Audits attempts
to run a command as well as SELinux role changes.

Use the "man" macros for manual pages. By default, mdoc versions
of the manuals are installed if supported. This can be used to
override configure's test for "nroff -mdoc" support.

Use the "mdoc" macros for manual pages. By default, mdoc versions
of the manuals are installed if supported. This can be used to
override configure's test for "nroff -mdoc" support.

Path to netsvc.conf or "no" to disable netsvc.conf support.
If specified, sudo uses this file instead of /etc/netsvc.conf
on AIX systems. If netsvc support is disabled but LDAP is
enabled, sudo will check LDAP first, then the sudoers file.

--with-nsswitch[=PATH]
Path to nsswitch.conf or "no" to disable nsswitch support.
If specified, sudo uses this file instead of /etc/nsswitch.conf.
If nsswitch support is disabled but LDAP is enabled, sudo will
check LDAP first, then the sudoers file.

Enable support for Solaris project resource limits.
This option is only available on Solaris 9 and above.

Authentication options:

Enable AFS support with Kerberos authentication. Should work under
AFS 3.3. If your AFS doesn't have -laudit you should be able to

Enable support for the AIX 4.x general authentication function.
This will use the authentication scheme specified for the user
on the machine. It is on by default for AIX systems that

Enable support for BSD authentication. This is the default
for BSD/OS and OpenBSD systems that support it.
It is not possible to mix BSD authentication with other
authentication methods (and there really should be no need
to do so). Note that only the newer BSD authentication API
is supported. If you don't have /usr/include/bsd_auth.h
then you cannot use this.

Enable DCE support for systems without PAM. Known to work on
HP-UX 9.X, 10.X, and 11.0; other systems may require source
code and/or `configure' changes. On systems with PAM support
(such as HP-UX 11.0 and higher, Solaris, FreeBSD and Linux), the
DCE PAM module (usually libpam_dce) should be used instead.

Enable TIS Firewall Toolkit (FWTK) 'authsrv' support. If specified,
DIR is the base directory containing the compiled FWTK package
(or at least the library and header files).

Enable Kerberos V support. If specified, DIR is the base
directory containing the Kerberos V include and lib dirs.
This uses Kerberos pass phrases for authentication but
does not use the Kerberos cookie scheme. Will not work for
Kerberos V older than version 1.1.

--enable-kerb5-instance=string
By default, the user name is used as the principal name
when authenticating via Kerberos V. If this option is
enabled, the specified instance string will be appended to
the user name (separated by a slash) when creating the

Enable NRL OPIE OTP (One Time Password) support. If specified,
DIR should contain include and lib directories with opie.h
and libopie.a respectively.

This option is now just an alias for --without-passwd.

Enable PAM support. This is on by default for Darwin, FreeBSD,
Linux, Solaris and HP-UX (version 11 and higher).

NOTE: on RedHat Linux and Fedora you *must* have an /etc/pam.d/sudo
file installed. You may either use the sample.pam file included with
sudo or use /etc/pam.d/su as a reference. The sample.pam file
included with sudo may or may not work with other Linux distributions.
On Solaris and HP-UX 11 systems you should check (and understand)
the contents of /etc/pam.conf. Do a "man pam.conf" for more
information and consider using the "debug" option, if available,
with your PAM libraries in /etc/pam.conf to obtain syslog output
for debugging purposes.

Enable a specific PAM session when sudo is given the -i option.
This changes the PAM service name when sudo is run with the -i
option from "sudo" to "sudo-i", allowing for a separate PAM
configuration for sudo's initial login mode.

--disable-pam-session
Disable sudo's PAM session support. This may be needed on
older PAM implementations or on operating systems where
opening a PAM session changes the utmp or wtmp files. If
PAM session support is disabled, resource limits may not
be updated for the command being run.

--with-passwd=no, --without-passwd
This option excludes authentication via the passwd (or
shadow) file. It should only be used when another, alternative,
authentication scheme is in use.

Enable SecurID support. If specified, DIR is the directory containing
libaceclnt.a, acexport.h, and sdacmvls.h.

Enable S/Key OTP (One Time Password) support. If specified,
DIR should contain include and lib directories with skey.h
and libskey.a respectively.

Disable SIA support. This is the "Security Integration
Architecture" on Digital UNIX. If you disable SIA sudo will
use its own authentication routines.

Disable shadow password support. Normally, sudo will compile
in shadow password support and use a shadow password if it

--enable-gss-krb5-ccache-name
Use the gss_krb5_ccache_name() function to set the Kerberos
V credential cache file name. By default, sudo will use
the KRB5CCNAME environment variable to set this. While
gss_krb5_ccache_name() provides a better API to do this it
is not supported by all Kerberos V and SASL combinations.

Enable debugging of the environment setting functions. This
enables extra checks to make sure the environment does not

Enable compiler warnings when building sudo with gcc.

Enable the -Werror compiler option when building sudo with gcc.

Configure development options. This will enable compiler warnings
and set up the Makefile to be able to regenerate the sudoers parser
as well as the manual pages.

Link with the "electric fence" debugging malloc.

Options that set runtime-changeable default values:

--disable-authentication
By default, sudo requires the user to authenticate via a
password or similar means. This option causes sudo to
*not* require authentication. It is possible to turn
authentication back on in sudoers via the PASSWD attribute.
Sudoers option: !authenticate

Disable environment resetting. This sets the default value
of the "env_reset" Defaults option in sudoers to false.
Sudoers option: !env_reset

Normally, sudo will tell the user when a command could not be found
in their $PATH. Some sites may wish to disable this as it could
be used to gather information on the location of executables that
the normal user does not have access to. The disadvantage is that
if the executable is simply not in the user's path, sudo will tell
the user that they are not allowed to run it, which can be confusing.
Sudoers option: path_info

Don't let root run sudo. This can be used to prevent people from
"chaining" sudo commands to get a root shell by doing something
like "sudo sudo /bin/sh".
Sudoers option: !root_sudo

Disable the use of the zlib compression library when storing
Sudoers option: !compress_io

Log the hostname in the log file.
Sudoers option: log_host

--enable-noargs-shell
If sudo is invoked with no arguments it acts as if the "-s" flag had
been given. That is, it runs a shell as root (the shell is determined
by the SHELL environment variable, falling back on the shell listed
in the invoking user's /etc/passwd entry).
Sudoers option: shell_noargs

--enable-shell-sets-home
If sudo is invoked with the "-s" flag the HOME environment variable
will be set to the home directory of the target user (which is root
unless the "-u" option is used). This option effectively makes the
"-s" flag imply "-H".
Sudoers option: set_home

Include all the insult sets listed below. You must either specify
--with-insults or enable insults in the sudoers file for this to

Set PATH as the "askpass" program to use when no tty is
available. Typically, this is a graphical password prompter,
similar to the one used by ssh. The program must take a
prompt as an argument and print the received password to
the standard output. This value may be overridden at run-time
in the sudo.conf file.

--with-badpass-message="BAD PASSWORD MESSAGE"
Message that is displayed if a user enters an incorrect password.
The default is "Sorry, try again." unless insults are turned on.
Sudoers option: badpass_message

--with-badpri=PRIORITY
Determines which syslog priority to log unauthenticated
commands and errors. The following priorities are supported:
alert, crit, debug, emerg, err, info, notice, and warning.
Sudoers option: syslog_badpri

--with-classic-insults
Uses insults from sudo "classic." If you just specify --with-insults
you will get the classic and CSOps insults. This is on by default if
--with-insults is given.

Insults the user with an extra set of insults (some quotes, some
original) from a sysadmin group at CU (CSOps). You must specify
--with-insults as well for this to have any effect. This is on by
default if --with-insults is given.

Specify the default editor path for use by visudo. This may be a
single path name or a colon-separated list of editors. In the latter
case, visudo will choose the editor that matches the user's VISUAL
or EDITOR environment variables or the first editor in the list that
exists. The default is the path to vi on your system.
Sudoers option: editor

Makes visudo consult the VISUAL and EDITOR environment variables before
falling back on the default editor list (as specified by --with-editor).
Note that this may create a security hole as it allows the user to
run any arbitrary command as root without logging. A safer alternative
is to use a colon-separated list of editors with the --with-editor
option. visudo will then only use the VISUAL or EDITOR variables
if they match a value specified via --with-editor.
Sudoers option: env_editor
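
The two editor selection behaviours described above, side by side, as
an added example that is not visudo's own code. It is a simplified
model: editors are compared as plain path strings, and all function
names are hypothetical.

```sh
#!/bin/sh
# Added example: editor selection with and without an allowlist.

# list_first_existing LIST -> first entry of the colon-separated LIST that
# is an executable file; status 1 if there is none.
list_first_existing() (
    rest=$1:                       # trailing ':' terminates the last entry
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        if [ -n "$entry" ] && [ -x "$entry" ]; then
            printf '%s\n' "$entry"
            exit 0
        fi
    done
    exit 1
)

# in_list LIST VALUE -> status 0 if VALUE equals one whole entry of LIST.
in_list() {
    case $2 in
        ''|*:*) return 1 ;;        # empty or multi-entry values never match
    esac
    case ":$1:" in
        *":$2:"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# --with-editor=LIST with env_editor off: VISUAL and EDITOR can only
# select among the listed editors. Arguments: LIST VISUAL EDITOR.
pick_editor_allowlist() {
    for want in "$2" "$3"; do
        if in_list "$1" "$want" && [ -x "$want" ]; then
            printf '%s\n' "$want"
            return 0
        fi
    done
    list_first_existing "$1"
}

# env_editor on: whatever VISUAL or EDITOR names is used, listed or not,
# and is therefore run with root privileges by visudo.
pick_editor_env() {
    for want in "$2" "$3"; do
        if [ -n "$want" ]; then
            printf '%s\n' "$want"
            return 0
        fi
    done
    list_first_existing "$1"
}

# Demo with constructed values: /bin/sh stands in for an installed editor
# because it exists on every system; /tmp/not-an-editor is hypothetical.
demo_list=/bin/sh
pick_editor_allowlist "$demo_list" /tmp/not-an-editor "" || true
pick_editor_env "$demo_list" /tmp/not-an-editor "" || true
```

With the allowlist the unlisted value is ignored and the first listed
editor is returned; with env_editor the unlisted value is returned as is.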

Users in the specified group don't need to enter a password when
running sudo. This may be useful for sites that don't want their
"core" sysadmins to have to enter a password but where Jr. sysadmins
need to. You should probably use NOPASSWD in sudoers instead.
Sudoers option: exempt_group

Define this if you want to put fully qualified host names in the sudoers
file, i.e. instead of myhost you would use myhost.mydomain.edu. You may
still use the short form if you wish (and even mix the two). Beware
that turning FQDN on requires sudo to make DNS lookups which may make
sudo unusable if your DNS is totally hosed. Also note that you must
use the host's official name as DNS knows it. That is, you may not use
a host alias (CNAME entry) due to performance issues and the fact that
there is no way to get all aliases from DNS.

--with-goodpri=PRIORITY
Determines which syslog priority to log successfully
authenticated commands. The following priorities are
supported: alert, crit, debug, emerg, err, info, notice,
Sudoers option: syslog_goodpri

Insults the user with lines from the "Goon Show" when an incorrect
password is entered. You must either specify --with-insults or
enable insults in the sudoers file for this to have any effect.

Uses 2001-like insults when an incorrect password is entered.
You must either specify --with-insults or enable insults in the
sudoers file for this to have any effect.

If set, sudo will ignore '.' or '' (current dir) in $PATH.
The $PATH itself is not modified.
Sudoers option: ignore_dot

Define this if you want to be insulted for typing an incorrect password
just like the original sudo(8). This is off by default.
Sudoers option: insults

--with-insults=disabled
Include support for insults but disable them unless explicitly
Sudoers option: !insults

--with-iologdir[=DIR]
By default, sudo stores I/O log files in either /var/log/sudo-io,
/var/adm/sudo-io, or /usr/log/sudo-io. If this option is
specified, I/O logs will be stored in the indicated directory
Sudoers option: iolog_dir

--with-lecture=no, --without-lecture
Don't print the lecture the first time a user runs sudo.
Sudoers option: !lecture

--with-logfac=FACILITY
Determines which syslog facility to log to. This requires
a 4.3BSD or later version of syslog. You can still set
this for ancient syslogs but it will have no effect. The
following facilities are supported: authpriv (if your OS
supports it), auth, daemon, user, local0, local1, local2,
local3, local4, local5, local6, and local7.
Sudoers option: syslog

How you want to do your logging. You may choose "syslog",
"file", or "both". Setting this to "syslog" is nice because
you can keep all of your sudo logs in one place (see the
sample.syslog.conf file). The default is "syslog".
Sudoers options: syslog and logfile

Number of characters per line for the file log. This is only used if
you are logging to "file" or "both". This value is used to decide when
to wrap lines for nicer log files. The default is 80. Setting this to 0
will disable the wrapping.
Sudoers option: loglinelen

Override the default location of the sudo log file and use
"path" instead. By default sudo will use /var/log/sudo.log if
there is a /var/log dir, falling back to /var/adm/sudo.log
or /usr/adm/sudo.log if not.
Sudoers option: logfile

--with-long-otp-prompt
When validating with a One Time Password scheme (S/Key or
OPIE), a two-line prompt is used to make it easier to cut
and paste the challenge to a local window. It's not as
pretty as the default but some people find it more convenient.
Sudoers option: long_otp_prompt

--with-mail-if-no-user=no, --without-mail-if-no-user
Normally, sudo will mail to the "alertmail" user if the user invoking
sudo is not in the sudoers file. This option disables that behavior.
Sudoers option: mail_no_user

--with-mail-if-no-host
Send mail to the "alertmail" user if the user exists in the sudoers
file, but is not allowed to run commands on the current host.
Sudoers option: mail_no_host

--with-mail-if-noperms
Send mail to the "alertmail" user if the user is allowed to use sudo but
the command they are trying is not listed in their sudoers file entry.
Sudoers option: mail_no_perms

--with-mailsubject="SUBJECT OF MAIL"
Subject of the mail sent to the "mailto" user. The token "%h"
will expand to the hostname of the machine.
Default is "*** SECURITY information for %h ***".
Sudoers option: mailsub

--with-mailto=USER|MAIL_ALIAS
User (or mail alias) that mail from sudo is sent to.
This should go to a sysadmin at your site. The default is "root".
Sudoers option: mailto

--with-passprompt="PASSWORD PROMPT"
Default prompt to use when asking for a password; can be overridden
via the -p option and the SUDO_PROMPT environment variable. Supports
the "%H", "%h", "%U" and "%u" escapes as documented in the sudo
manual page. The default value is "Password:".
Sudoers option: passprompt

--with-password-timeout=NUMBER
Number of minutes before the sudo password prompt times out.
The default is 5; set this to 0 for no password timeout.
Sudoers option: passwd_timeout

--with-passwd-tries=NUMBER
Number of tries a user gets to enter his/her password before sudo logs
the failure and exits. The default is 3.
Sudoers option: passwd_tries

Replace politically incorrect insults with less objectionable ones.

--with-runas-default=USER
The default user to run commands as if the -u flag is not specified
on the command line. This defaults to "root".
Sudoers option: runas_default

--with-secure-path[=PATH]
Path used for every command run from sudo(8). If you don't trust the
people running sudo to have a sane PATH environment variable you may
want to use this. Another use is if you want to have the "root path"
be separate from the "user path." You will need to customize the path
for your site. NOTE: this is not applied to users in the group
specified by --with-exemptgroup. If you do not specify a path,
"/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc" is used.
Sudoers option: secure_path
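
A check for the PATH problems that the ignore_dot and secure_path
entries above guard against, as an added example that is not part of
sudo. The function name audit_path is hypothetical, and the
world-writable test goes beyond what the text describes.

```sh
#!/bin/sh
# Added example: audit a PATH string before using it as a secure path.

# audit_path PATHSTRING
# Prints one finding per line as POSITION:KIND[:ENTRY] and returns 0 only
# when no entry is '.', empty, relative, or a world-writable directory.
audit_path() (
    rest=$1:                       # trailing ':' terminates the last entry
    pos=0
    bad=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        pos=$((pos + 1))
        case $entry in
            '')
                # An empty entry ("::", leading or trailing ':') means the
                # current directory, exactly like '.'.
                echo "$pos:empty"
                bad=1
                ;;
            .)
                echo "$pos:dot"
                bad=1
                ;;
            /*)
                # "$entry/." follows a symlinked directory such as /bin on
                # merged-/usr systems and tests the real directory mode.
                if [ -d "$entry" ] &&
                   [ -n "$(find "$entry/." -prune -perm -0002 2>/dev/null)" ]
                then
                    echo "$pos:world-writable:$entry"
                    bad=1
                fi
                ;;
            *)
                # Relative entries resolve against the current directory.
                echo "$pos:relative:$entry"
                bad=1
                ;;
        esac
    done
    exit "$bad"
)

# Demo 1: the default secure path quoted in the text above.
audit_path "/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc" || true
# Demo 2: a constructed user PATH with a leading '.' and a trailing ':'.
audit_path ".:/usr/local/bin:" || true
```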

Override configure's guess as to the location of sendmail.
Sudoers option: mailerpath

--with-sendmail=no, --without-sendmail
Do not use sendmail to mail messages to the "mailto" user.
Use only if you don't run sendmail or the equivalent.
Sudoers options: !mailerpath or !mailto

--with-sudoers-mode=MODE
File mode for the sudoers file (octal). Note that if you
wish to NFS-mount the sudoers file this must be group
readable. This value may be overridden at run-time in the
sudo.conf file. The default mode is 0440.

--with-sudoers-uid=UID
User id that "owns" the sudoers file. Note that this is
the numeric id, *not* the symbolic name. This value may
be overridden at run-time in the sudo.conf file. The default

--with-sudoers-gid=GID
Group id that "owns" the sudoers file. Note that this is
the numeric id, *not* the symbolic name. This value may
be overridden at run-time in the sudo.conf file. The default

--with-timeout=NUMBER
Number of minutes that can elapse before sudo will ask for a password
again. The default is 5; set this to 0 to always prompt for a password.
Sudoers option: timestamp_timeout

--with-tty-tickets=no, --without-tty-tickets
By default, sudo uses a different ticket file for each user/tty combo.
With this option disabled, a single ticket will be used for all
of a user's login sessions.
Sudoers option: tty_tickets

Umask to use when running the root command. The default is 0022.
Sudoers option: umask

--with-umask=no, --without-umask
Preserves the umask of the user invoking sudo.
Sudoers option: !umask

--with-umask-override
Use the umask specified in sudoers even if it is less restrictive
than the user's. The default is to use the intersection of the
user's umask and the umask specified in sudoers.
Sudoers option: umask_override

The default C compiler shipped with HP-UX is not an ANSI compiler.
You must use either the HP ANSI C compiler or gcc to build sudo.
Binary packages of gcc are available from http://hpux.connect.org.uk/.

To prevent PAM from overriding the value of umask on HP-UX 11,
you will need to add a line like the following to /etc/pam.conf:

    sudo session required libpam_hpsec.so.1 bypass_umask

If every command run via sudo displays information about the last
successful login and the last authentication failure you should
use an /etc/pam.conf line like:

    sudo session required libpam_hpsec.so.1 bypass_umask bypass_last_login

PAM and LDAP headers are not installed by default on most Linux
systems. You will need to install the "pam-dev" package if
/usr/include/security/pam_appl.h is not present on your system.
If you wish to build with LDAP support you will also need the
openldap-devel package.

The pseudo-tty support in the Mac OS X kernel has bugs related
to its handling of the SIGTSTP, SIGTTIN and SIGTTOU signals.
It does not restart reads and writes when those signals are
delivered. This may cause problems for some commands when I/O
logging is enabled. The issue has been reported to Apple and

You need to have a C compiler in order to build sudo. Since
Solaris does not come with one by default this means that you
need to either install the Solaris Studio compiler suite,
available for free from www.oracle.com, or install the GNU C
compiler (gcc) which can be installed via the pkg utility
on Solaris 11 and higher and is distributed on the Solaris
Companion CD for older Solaris releases. You can also download
gcc packages from http://www.opencsw.org/packages/CSWgcc4core/

SunOS does not ship with an ANSI C compiler. You will need to
install an ANSI compiler such as gcc to build sudo.

The /bin/sh shipped with SunOS blows up while running configure.
You can work around this by installing bash or zsh. If you
have bash or zsh in your path, configure will use it automatically.