projects / debian / sudo / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
add build deps to enable use of autoreconf in rules
[debian/sudo] / configure.in
diff --git a/configure.in b/configure.in
index 81302b5d7cc8ff272f32daec3158ee4785e9f2ce..3ab4fa2d7ea0c429af1b2a3359557dd83aa6a750 100644 (file)
--- a/configure.in
+++ b/configure.in
@@ -1,101 +1,123 @@
 dnl
 dnl Process this file with GNU autoconf to produce a configure script.
 dnl
 dnl Process this file with GNU autoconf to produce a configure script.
-dnl $Sudo: configure.in,v 1.549 2009/06/13 20:52:50 millert Exp $
 dnl
 dnl
-dnl Copyright (c) 1994-1996,1998-2010 Todd C. Miller <Todd.Miller@courtesan.com>
+dnl Copyright (c) 1994-1996,1998-2012 Todd C. Miller <Todd.Miller@courtesan.com>
 dnl
 dnl
-AC_INIT([sudo], [1.7.2p5], [http://www.sudo.ws/bugs/], [sudo])
-AC_CONFIG_HEADER(config.h pathnames.h)
+AC_INIT([sudo], [1.8.5], [http://www.sudo.ws/bugs/], [sudo])
+AC_CONFIG_HEADER([config.h pathnames.h])
 dnl
 dnl
-dnl This won't work before AC_INIT
+dnl Note: this must come after AC_INIT
 dnl
 AC_MSG_NOTICE([Configuring Sudo version $PACKAGE_VERSION])
 dnl
 dnl Variables that get substituted in the Makefile and man pages
 dnl
 dnl
 AC_MSG_NOTICE([Configuring Sudo version $PACKAGE_VERSION])
 dnl
 dnl Variables that get substituted in the Makefile and man pages
 dnl
-AC_SUBST(HAVE_BSM_AUDIT)
-AC_SUBST(LIBTOOL)
-AC_SUBST(CFLAGS)
-AC_SUBST(PROGS)
-AC_SUBST(CPPFLAGS)
-AC_SUBST(LDFLAGS)
-AC_SUBST(SUDO_LDFLAGS)
-AC_SUBST(SUDO_OBJS)
-AC_SUBST(LIBS)
-AC_SUBST(SUDO_LIBS)
-AC_SUBST(NET_LIBS)
-AC_SUBST(AFS_LIBS)
-AC_SUBST(GETGROUPS_LIB)
-AC_SUBST(OSDEFS)
-AC_SUBST(AUTH_OBJS)
-AC_SUBST(MANTYPE)
-AC_SUBST(MAN_POSTINSTALL)
-AC_SUBST(SUDOERS_MODE)
-AC_SUBST(SUDOERS_UID)
-AC_SUBST(SUDOERS_GID)
-AC_SUBST(DEV)
-AC_SUBST(SELINUX)
-AC_SUBST(BAMAN)
-AC_SUBST(LCMAN)
-AC_SUBST(SEMAN)
-AC_SUBST(devdir)
-AC_SUBST(mansectsu)
-AC_SUBST(mansectform)
-AC_SUBST(mansrcdir)
-AC_SUBST(NOEXECFILE)
-AC_SUBST(NOEXECDIR)
-AC_SUBST(noexec_file)
-AC_SUBST(INSTALL_NOEXEC)
-AC_SUBST(DONT_LEAK_PATH_INFO)
-AC_SUBST(BSDAUTH_USAGE)
-AC_SUBST(SELINUX_USAGE)
-AC_SUBST(LDAP)
-AC_SUBST(LOGINCAP_USAGE)
-AC_SUBST(NONUNIX_GROUPS_IMPL)
+AC_SUBST([HAVE_BSM_AUDIT])
+AC_SUBST([SHELL])
+AC_SUBST([LIBTOOL])
+AC_SUBST([CFLAGS])
+AC_SUBST([PROGS])
+AC_SUBST([CPPFLAGS])
+AC_SUBST([LDFLAGS])
+AC_SUBST([SUDOERS_LDFLAGS])
+AC_SUBST([LTLDFLAGS])
+AC_SUBST([COMMON_OBJS])
+AC_SUBST([SUDOERS_OBJS])
+AC_SUBST([SUDO_OBJS])
+AC_SUBST([LIBS])
+AC_SUBST([SUDO_LIBS])
+AC_SUBST([SUDOERS_LIBS])
+AC_SUBST([NET_LIBS])
+AC_SUBST([AFS_LIBS])
+AC_SUBST([REPLAY_LIBS])
+AC_SUBST([GETGROUPS_LIB])
+AC_SUBST([OSDEFS])
+AC_SUBST([AUTH_OBJS])
+AC_SUBST([MANTYPE])
+AC_SUBST([MAN_POSTINSTALL])
+AC_SUBST([SUDOERS_MODE])
+AC_SUBST([SUDOERS_UID])
+AC_SUBST([SUDOERS_GID])
+AC_SUBST([DEVEL])
+AC_SUBST([BAMAN])
+AC_SUBST([LCMAN])
+AC_SUBST([SEMAN])
+AC_SUBST([devdir])
+AC_SUBST([mansectsu])
+AC_SUBST([mansectform])
+AC_SUBST([mansrcdir])
+AC_SUBST([NOEXECFILE])
+AC_SUBST([NOEXECDIR])
+AC_SUBST([PLUGINDIR])
+AC_SUBST([SOEXT])
+AC_SUBST([noexec_file])
+AC_SUBST([INSTALL_NOEXEC])
+AC_SUBST([DONT_LEAK_PATH_INFO])
+AC_SUBST([BSDAUTH_USAGE])
+AC_SUBST([SELINUX_USAGE])
+AC_SUBST([LDAP])
+AC_SUBST([LOGINCAP_USAGE])
+AC_SUBST([ZLIB])
+AC_SUBST([ZLIB_SRC])
+AC_SUBST([LIBTOOL_DEPS])
+AC_SUBST([ac_config_libobj_dir])
+AC_SUBST([CONFIGURE_ARGS])
+AC_SUBST([LIBDL])
+AC_SUBST([LT_STATIC])
+AC_SUBST([LIBINTL])
+AC_SUBST([SUDO_NLS])
+AC_SUBST([COMPAT_TEST_PROGS])
 dnl
 dnl Variables that get substituted in docs (not overridden by environment)
 dnl
 dnl
 dnl Variables that get substituted in docs (not overridden by environment)
 dnl
-AC_SUBST(timedir)dnl initial value from SUDO_TIMEDIR
-AC_SUBST(timeout)
-AC_SUBST(password_timeout)
-AC_SUBST(sudo_umask)
-AC_SUBST(passprompt)
-AC_SUBST(long_otp_prompt)
-AC_SUBST(lecture)
-AC_SUBST(logfac)
-AC_SUBST(goodpri)
-AC_SUBST(badpri)
-AC_SUBST(loglen)
-AC_SUBST(ignore_dot)
-AC_SUBST(mail_no_user)
-AC_SUBST(mail_no_host)
-AC_SUBST(mail_no_perms)
-AC_SUBST(mailto)
-AC_SUBST(mailsub)
-AC_SUBST(badpass_message)
-AC_SUBST(fqdn)
-AC_SUBST(runas_default)
-AC_SUBST(env_editor)
-AC_SUBST(passwd_tries)
-AC_SUBST(tty_tickets)
-AC_SUBST(insults)
-AC_SUBST(root_sudo)
-AC_SUBST(path_info)
-AC_SUBST(ldap_conf)
-AC_SUBST(ldap_secret)
-AC_SUBST(nsswitch_conf)
-AC_SUBST(netsvc_conf)
-AC_SUBST(secure_path)
-dnl
-dnl Initial values for above
-dnl
+AC_SUBST([iolog_dir])dnl real initial value from SUDO_IO_LOGDIR
+AC_SUBST([timedir])dnl real initial value from SUDO_TIMEDIR
+AC_SUBST([timeout])
+AC_SUBST([password_timeout])
+AC_SUBST([sudo_umask])
+AC_SUBST([umask_override])
+AC_SUBST([passprompt])
+AC_SUBST([long_otp_prompt])
+AC_SUBST([lecture])
+AC_SUBST([logfac])
+AC_SUBST([goodpri])
+AC_SUBST([badpri])
+AC_SUBST([loglen])
+AC_SUBST([ignore_dot])
+AC_SUBST([mail_no_user])
+AC_SUBST([mail_no_host])
+AC_SUBST([mail_no_perms])
+AC_SUBST([mailto])
+AC_SUBST([mailsub])
+AC_SUBST([badpass_message])
+AC_SUBST([fqdn])
+AC_SUBST([runas_default])
+AC_SUBST([env_editor])
+AC_SUBST([env_reset])
+AC_SUBST([passwd_tries])
+AC_SUBST([tty_tickets])
+AC_SUBST([insults])
+AC_SUBST([root_sudo])
+AC_SUBST([path_info])
+AC_SUBST([ldap_conf])
+AC_SUBST([ldap_secret])
+AC_SUBST([nsswitch_conf])
+AC_SUBST([netsvc_conf])
+AC_SUBST([secure_path])
+AC_SUBST([editor])
+#
+# Begin initial values for man page substitution
+#
+iolog_dir=/var/log/sudo-io
+timedir=/var/adm/sudo
 timeout=5
 password_timeout=5
 sudo_umask=0022
 timeout=5
 password_timeout=5
 sudo_umask=0022
+umask_override=off
 passprompt="Password:"
 long_otp_prompt=off
 lecture=once
 passprompt="Password:"
 long_otp_prompt=off
 lecture=once
-logfac=local2
+logfac=auth
 goodpri=notice
 badpri=alert
 loglen=80
 goodpri=notice
 badpri=alert
 loglen=80
@@ -104,40 +126,53 @@ mail_no_user=on
 mail_no_host=off
 mail_no_perms=off
 mailto=root
 mail_no_host=off
 mail_no_perms=off
 mailto=root
-mailsub='*** SECURITY information for %h ***'
-badpass_message='Sorry, try again.'
+mailsub="*** SECURITY information for %h ***"
+badpass_message="Sorry, try again."
 fqdn=off
 runas_default=root
 env_editor=off
 fqdn=off
 runas_default=root
 env_editor=off
+env_reset=on
+editor=vi
 passwd_tries=3
 passwd_tries=3
-tty_tickets=off
+tty_tickets=on
 insults=off
 root_sudo=on
 path_info=on
 insults=off
 root_sudo=on
 path_info=on
+ldap_conf=/etc/ldap.conf
+ldap_secret=/etc/ldap.secret
+netsvc_conf=/etc/netsvc.conf
+noexec_file=/usr/local/libexec/sudo_noexec.so
+nsswitch_conf=/etc/nsswitch.conf
 secure_path="not set"
 secure_path="not set"
-INSTALL_NOEXEC=
-devdir='$(srcdir)'
+#
+# End initial values for man page substitution
+#
 dnl
 dnl Initial values for Makefile variables listed above
 dnl May be overridden by environment variables..
 dnl
 dnl
 dnl Initial values for Makefile variables listed above
 dnl May be overridden by environment variables..
 dnl
-PROGS="sudo visudo"
+INSTALL_NOEXEC=
+devdir='$(srcdir)'
+PROGS="sudo"
 : ${MANTYPE='man'}
 : ${mansrcdir='.'}
 : ${SUDOERS_MODE='0440'}
 : ${SUDOERS_UID='0'}
 : ${SUDOERS_GID='0'}
 : ${MANTYPE='man'}
 : ${mansrcdir='.'}
 : ${SUDOERS_MODE='0440'}
 : ${SUDOERS_UID='0'}
 : ${SUDOERS_GID='0'}
-DEV="#"
+DEVEL=
 LDAP="#"
 LDAP="#"
-SELINUX="#"
-BAMAN='.\" '
-LCMAN='.\" '
-SEMAN='.\" '
+BAMAN=0
+LCMAN=0
+SEMAN=0
+LIBINTL=
+ZLIB=
+ZLIB_SRC=
 AUTH_OBJS=
 AUTH_REG=
 AUTH_EXCL=
 AUTH_EXCL_DEF=
 AUTH_DEF=passwd
 AUTH_OBJS=
 AUTH_REG=
 AUTH_EXCL=
 AUTH_EXCL_DEF=
 AUTH_DEF=passwd
+SUDO_NLS=disabled
 
 dnl
 dnl Other vaiables
 
 dnl
 dnl Other vaiables
@@ -147,18 +182,20 @@ shadow_defs=
 shadow_funcs=
 shadow_libs=
 shadow_libs_optional=
 shadow_funcs=
 shadow_libs=
 shadow_libs_optional=
+CONFIGURE_ARGS="$@"
 
 dnl
 
 dnl
-dnl Override default configure dirs...
+dnl LD_PRELOAD equivalents
 dnl
 dnl
-if test X"$prefix" = X"NONE"; then
-    test "$mandir" = '${datarootdir}/man' && mandir='$(prefix)/man'
-else
-    test "$mandir" = '${datarootdir}/man' && mandir='$(datarootdir)/man'
-fi
-test "$bindir" = '${exec_prefix}/bin' && bindir='$(exec_prefix)/bin'
-test "$sbindir" = '${exec_prefix}/sbin' && sbindir='$(exec_prefix)/sbin'
-test "$sysconfdir" = '${prefix}/etc' -a X"$with_stow" != X"yes" && sysconfdir='/etc'
+RTLD_PRELOAD_VAR="LD_PRELOAD"
+RTLD_PRELOAD_ENABLE_VAR=
+RTLD_PRELOAD_DELIM=":"
+RTLD_PRELOAD_DEFAULT=
+
+dnl
+dnl libc replacement functions live in compat
+dnl
+AC_CONFIG_LIBOBJ_DIR(compat)
 
 dnl
 dnl Deprecated --with options (these all warn or generate an error)
 
 dnl
 dnl Deprecated --with options (these all warn or generate an error)
@@ -182,13 +219,21 @@ dnl
 dnl Options for --with
 dnl
 
 dnl Options for --with
 dnl
 
-AC_ARG_WITH(CC, [AS_HELP_STRING([--with-CC], [C compiler to use])],
-[case $with_CC in
-    yes)       AC_MSG_ERROR(["must give --with-CC an argument."])
+AC_ARG_WITH(devel, [AS_HELP_STRING([--with-devel], [add development options])],
+[case $with_devel in
+    yes)       AC_MSG_NOTICE([Setting up for development: -Wall, flex, yacc])
+               OSDEFS="${OSDEFS} -DSUDO_DEVEL"
+               DEVEL="true"
+               devdir=.
                ;;
                ;;
-    no)                AC_MSG_ERROR(["illegal argument: --without-CC."])
+    no)                ;;
+    *)         AC_MSG_WARN([Ignoring unknown argument to --with-devel: $with_devel])
                ;;
                ;;
-    *)         CC=$with_CC
+esac])
+
+AC_ARG_WITH(CC, [AS_HELP_STRING([--with-CC], [C compiler to use])],
+[case $with_CC in
+    *)         AC_MSG_ERROR([the --with-CC option is no longer supported, please set the CC environment variable instead.])
                ;;
 esac])
 
                ;;
 esac])
 
@@ -212,14 +257,33 @@ dnl
 AC_ARG_WITH(bsm-audit, [AS_HELP_STRING([--with-bsm-audit], [enable BSM audit support])],
 [case $with_bsm_audit in
     yes)       AC_DEFINE(HAVE_BSM_AUDIT)
 AC_ARG_WITH(bsm-audit, [AS_HELP_STRING([--with-bsm-audit], [enable BSM audit support])],
 [case $with_bsm_audit in
     yes)       AC_DEFINE(HAVE_BSM_AUDIT)
-               SUDO_LIBS="${SUDO_LIBS} -lbsm"
-               SUDO_OBJS="${SUDO_OBJS} bsm_audit.o"
+               SUDOERS_LIBS="${SUDOERS_LIBS} -lbsm"
+               SUDOERS_OBJS="${SUDOERS_OBJS} bsm_audit.lo"
                ;;
     no)                ;;
     *)         AC_MSG_ERROR(["--with-bsm-audit does not take an argument."])
                ;;
 esac])
 
                ;;
     no)                ;;
     *)         AC_MSG_ERROR(["--with-bsm-audit does not take an argument."])
                ;;
 esac])
 
+dnl
+dnl Handle Linux auditing support.
+dnl
+AC_ARG_WITH(linux-audit, [AS_HELP_STRING([--with-linux-audit], [enable Linux audit support])],
+[case $with_linux_audit in
+    yes)       AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <libaudit.h>]], [[int i = AUDIT_USER_CMD; (void)i;]])], [
+                   AC_DEFINE(HAVE_LINUX_AUDIT)
+                   SUDO_LIBS="${SUDO_LIBS} -laudit"
+                   SUDOERS_LIBS="${SUDO_LIBS} -laudit"
+                   SUDOERS_OBJS="${SUDOERS_OBJS} linux_audit.lo"
+               ], [
+                   AC_MSG_ERROR([unable to find AUDIT_USER_CMD in libaudit.h for --with-linux-audit])
+               ])
+               ;;
+    no)                ;;
+    *)         AC_MSG_ERROR(["--with-linux-audit does not take an argument."])
+               ;;
+esac])
+
 AC_ARG_WITH(incpath, [AS_HELP_STRING([--with-incpath], [additional places to look for include files])],
 [case $with_incpath in
     yes)       AC_MSG_ERROR(["must give --with-incpath an argument."])
 AC_ARG_WITH(incpath, [AS_HELP_STRING([--with-incpath], [additional places to look for include files])],
 [case $with_incpath in
     yes)       AC_MSG_ERROR(["must give --with-incpath an argument."])
@@ -253,19 +317,6 @@ AC_ARG_WITH(libraries, [AS_HELP_STRING([--with-libraries], [additional libraries
                ;;
 esac])
 
                ;;
 esac])
 
-AC_ARG_WITH(devel, [AS_HELP_STRING([--with-devel], [add development options])],
-[case $with_devel in
-    yes)       AC_MSG_NOTICE([Setting up for development: -Wall, flex, yacc])
-               PROGS="${PROGS} testsudoers"
-               OSDEFS="${OSDEFS} -DSUDO_DEVEL"
-               DEV=""
-               devdir=.
-               ;;
-    no)                ;;
-    *)         AC_MSG_WARN([Ignoring unknown argument to --with-devel: $with_devel])
-               ;;
-esac])
-
 AC_ARG_WITH(efence, [AS_HELP_STRING([--with-efence], [link with -lefence for malloc() debugging])],
 [case $with_efence in
     yes)       AC_MSG_NOTICE([Sudo will link with -lefence (Electric Fence)])
 AC_ARG_WITH(efence, [AS_HELP_STRING([--with-efence], [link with -lefence for malloc() debugging])],
 [case $with_efence in
     yes)       AC_MSG_NOTICE([Sudo will link with -lefence (Electric Fence)])
@@ -309,8 +360,7 @@ esac])
 
 AC_ARG_WITH(skey, [AS_HELP_STRING([--with-skey[=DIR]], [enable S/Key support ])],
 [case $with_skey in
 
 AC_ARG_WITH(skey, [AS_HELP_STRING([--with-skey[=DIR]], [enable S/Key support ])],
 [case $with_skey in
-    no)                with_skey=""
-               ;;
+    no)                ;;
     *)         AC_DEFINE(HAVE_SKEY)
                AC_MSG_CHECKING(whether to try S/Key authentication)
                AC_MSG_RESULT(yes)
     *)         AC_DEFINE(HAVE_SKEY)
                AC_MSG_CHECKING(whether to try S/Key authentication)
                AC_MSG_RESULT(yes)
@@ -320,8 +370,7 @@ esac])
 
 AC_ARG_WITH(opie, [AS_HELP_STRING([--with-opie[=DIR]], [enable OPIE support ])],
 [case $with_opie in
 
 AC_ARG_WITH(opie, [AS_HELP_STRING([--with-opie[=DIR]], [enable OPIE support ])],
 [case $with_opie in
-    no)                with_opie=""
-               ;;
+    no)                ;;
     *)         AC_DEFINE(HAVE_OPIE)
                AC_MSG_CHECKING(whether to try NRL OPIE authentication)
                AC_MSG_RESULT(yes)
     *)         AC_DEFINE(HAVE_OPIE)
                AC_MSG_CHECKING(whether to try NRL OPIE authentication)
                AC_MSG_RESULT(yes)
@@ -344,7 +393,7 @@ esac])
 
 AC_ARG_WITH(SecurID, [AS_HELP_STRING([--with-SecurID[[=DIR]]], [enable SecurID support])],
 [case $with_SecurID in
 
 AC_ARG_WITH(SecurID, [AS_HELP_STRING([--with-SecurID[[=DIR]]], [enable SecurID support])],
 [case $with_SecurID in
-    no)                with_SecurID="";;
+    no)                ;;
     *)         AC_DEFINE(HAVE_SECURID)
                AC_MSG_CHECKING(whether to use SecurID for authentication)
                AC_MSG_RESULT(yes)
     *)         AC_DEFINE(HAVE_SECURID)
                AC_MSG_CHECKING(whether to use SecurID for authentication)
                AC_MSG_RESULT(yes)
@@ -354,7 +403,7 @@ esac])
 
 AC_ARG_WITH(fwtk, [AS_HELP_STRING([--with-fwtk[[=DIR]]], [enable FWTK AuthSRV support])],
 [case $with_fwtk in
 
 AC_ARG_WITH(fwtk, [AS_HELP_STRING([--with-fwtk[[=DIR]]], [enable FWTK AuthSRV support])],
 [case $with_fwtk in
-    no)                with_fwtk="";;
+    no)                ;;
     *)         AC_DEFINE(HAVE_FWTK)
                AC_MSG_CHECKING(whether to use FWTK AuthSRV for authentication)
                AC_MSG_RESULT(yes)
     *)         AC_DEFINE(HAVE_FWTK)
                AC_MSG_CHECKING(whether to use FWTK AuthSRV for authentication)
                AC_MSG_RESULT(yes)
@@ -362,18 +411,9 @@ AC_ARG_WITH(fwtk, [AS_HELP_STRING([--with-fwtk[[=DIR]]], [enable FWTK AuthSRV su
                ;;
 esac])
 
                ;;
 esac])
 
-AC_ARG_WITH(kerb4, [AS_HELP_STRING([--with-kerb4[[=DIR]]], [enable Kerberos IV support])],
-[case $with_kerb4 in
-    no)                with_kerb4="";;
-    *)         AC_MSG_CHECKING(whether to try kerberos IV authentication)
-               AC_MSG_RESULT(yes)
-               AUTH_REG="$AUTH_REG kerb4"
-               ;;
-esac])
-
 AC_ARG_WITH(kerb5, [AS_HELP_STRING([--with-kerb5[[=DIR]]], [enable Kerberos V support])],
 [case $with_kerb5 in
 AC_ARG_WITH(kerb5, [AS_HELP_STRING([--with-kerb5[[=DIR]]], [enable Kerberos V support])],
 [case $with_kerb5 in
-    no)                with_kerb5="";;
+    no)                ;;
     *)         AC_MSG_CHECKING(whether to try Kerberos V authentication)
                AC_MSG_RESULT(yes)
                AUTH_REG="$AUTH_REG kerb5"
     *)         AC_MSG_CHECKING(whether to try Kerberos V authentication)
                AC_MSG_RESULT(yes)
                AUTH_REG="$AUTH_REG kerb5"
@@ -480,8 +520,7 @@ AC_ARG_WITH(logging, [AS_HELP_STRING([--with-logging], [log via syslog, file, or
                ;;
 esac], [AC_DEFINE(LOGGING, SLOG_SYSLOG) AC_MSG_RESULT(syslog)])
 
                ;;
 esac], [AC_DEFINE(LOGGING, SLOG_SYSLOG) AC_MSG_RESULT(syslog)])
 
-AC_MSG_CHECKING(which syslog facility sudo should log with)
-AC_ARG_WITH(logfac, [AS_HELP_STRING([--with-logfac], [syslog facility to log with (default is "local2")])],
+AC_ARG_WITH(logfac, [AS_HELP_STRING([--with-logfac], [syslog facility to log with (default is "auth")])],
 [case $with_logfac in
     yes)       AC_MSG_ERROR(["must give --with-logfac an argument."])
                ;;
 [case $with_logfac in
     yes)       AC_MSG_ERROR(["must give --with-logfac an argument."])
                ;;
@@ -492,8 +531,6 @@ AC_ARG_WITH(logfac, [AS_HELP_STRING([--with-logfac], [syslog facility to log wit
     *)         AC_MSG_ERROR(["$with_logfac is not a supported syslog facility."])
                ;;
 esac])
     *)         AC_MSG_ERROR(["$with_logfac is not a supported syslog facility."])
                ;;
 esac])
-AC_DEFINE_UNQUOTED(LOGFAC, "$logfac", [The syslog facility sudo will use.])
-AC_MSG_RESULT($logfac)
 
 AC_MSG_CHECKING(at which syslog priority to log commands)
 AC_ARG_WITH(goodpri, [AS_HELP_STRING([--with-goodpri], [syslog priority for commands (def is "notice")])],
 
 AC_MSG_CHECKING(at which syslog priority to log commands)
 AC_ARG_WITH(goodpri, [AS_HELP_STRING([--with-goodpri], [syslog priority for commands (def is "notice")])],
@@ -694,6 +731,13 @@ AC_ARG_WITH(timedir, [AS_HELP_STRING([--with-timedir], [path to the sudo timesta
                ;;
 esac])
 
                ;;
 esac])
 
+AC_ARG_WITH(iologdir, [AS_HELP_STRING([--with-iologdir=DIR], [directory to store sudo I/O log files in])],
+[case $with_iologdir in
+    yes)    ;;
+    no)     AC_MSG_ERROR(["--without-iologdir not supported."])
+           ;;
+esac])
+
 AC_ARG_WITH(sendmail, [AS_HELP_STRING([--with-sendmail], [set path to sendmail])
 AS_HELP_STRING([--without-sendmail], [do not send mail at all])],
 [case $with_sendmail in
 AC_ARG_WITH(sendmail, [AS_HELP_STRING([--with-sendmail], [set path to sendmail])
 AS_HELP_STRING([--without-sendmail], [do not send mail at all])],
 [case $with_sendmail in
@@ -755,13 +799,24 @@ AS_HELP_STRING([--without-umask], [Preserves the umask of the user invoking sudo
     *)         AC_MSG_ERROR(["you must enter a numeric mask."])
                ;;
 esac])
     *)         AC_MSG_ERROR(["you must enter a numeric mask."])
                ;;
 esac])
-AC_DEFINE_UNQUOTED(SUDO_UMASK, $sudo_umask, [The umask that the root-run prog should use.])
+AC_DEFINE_UNQUOTED(SUDO_UMASK, $sudo_umask, [The umask that the sudo-run prog should use.])
 if test "$sudo_umask" = "0777"; then
     AC_MSG_RESULT(user)
 else
     AC_MSG_RESULT($sudo_umask)
 fi
 
 if test "$sudo_umask" = "0777"; then
     AC_MSG_RESULT(user)
 else
     AC_MSG_RESULT($sudo_umask)
 fi
 
+AC_ARG_WITH(umask-override, [AS_HELP_STRING([--with-umask-override], [Use the umask specified in sudoers even if it is less restrictive than the user's.])],
+[case $with_umask_override in
+    yes)       AC_DEFINE(UMASK_OVERRIDE)
+               umask_override=on
+               ;;
+    no)                umask_override=off
+               ;;
+    *)         AC_MSG_ERROR(["--with-umask-override does not take an argument."])
+               ;;
+esac])
+
 AC_MSG_CHECKING(for default user to run commands as)
 AC_ARG_WITH(runas-default, [AS_HELP_STRING([--with-runas-default], [User to run commands as (default is "root")])],
 [case $with_runas_default in
 AC_MSG_CHECKING(for default user to run commands as)
 AC_ARG_WITH(runas-default, [AS_HELP_STRING([--with-runas-default], [User to run commands as (default is "root")])],
 [case $with_runas_default in
@@ -796,6 +851,7 @@ AC_ARG_WITH(editor, [AS_HELP_STRING([--with-editor=path], [Default editor for vi
                ;;
     *)         AC_DEFINE_UNQUOTED(EDITOR, "$with_editor", [A colon-separated list of pathnames to be used as the editor for visudo.])
                AC_MSG_RESULT([$with_editor])
                ;;
     *)         AC_DEFINE_UNQUOTED(EDITOR, "$with_editor", [A colon-separated list of pathnames to be used as the editor for visudo.])
                AC_MSG_RESULT([$with_editor])
+               editor="$with_editor"
                ;;
 esac], [AC_DEFINE(EDITOR, _PATH_VI) AC_MSG_RESULT(vi)])
 
                ;;
 esac], [AC_DEFINE(EDITOR, _PATH_VI) AC_MSG_RESULT(vi)])
 
@@ -868,11 +924,11 @@ AC_ARG_WITH(tty-tickets, [AS_HELP_STRING([--with-tty-tickets], [use a different
     *)         AC_MSG_ERROR(["--with-tty-tickets does not take an argument."])
                ;;
 esac])
     *)         AC_MSG_ERROR(["--with-tty-tickets does not take an argument."])
                ;;
 esac])
-if test "$tty_tickets" = "on"; then
-    AC_DEFINE(USE_TTY_TICKETS)
-    AC_MSG_RESULT(yes)
-else
+if test "$tty_tickets" = "off"; then
+    AC_DEFINE(NO_TTY_TICKETS)
     AC_MSG_RESULT(no)
     AC_MSG_RESULT(no)
+else
+    AC_MSG_RESULT(yes)
 fi
 
 AC_MSG_CHECKING(whether to include insults)
 fi
 
 AC_MSG_CHECKING(whether to include insults)
@@ -882,6 +938,10 @@ AC_ARG_WITH(insults, [AS_HELP_STRING([--with-insults], [insult the user for ente
                with_classic_insults=yes
                with_csops_insults=yes
                ;;
                with_classic_insults=yes
                with_csops_insults=yes
                ;;
+    disabled)  insults=off
+               with_classic_insults=yes
+               with_csops_insults=yes
+               ;;
     no)                insults=off
                ;;
     *)         AC_MSG_ERROR(["--with-insults does not take an argument."])
     no)                insults=off
                ;;
     *)         AC_MSG_ERROR(["--with-insults does not take an argument."])
@@ -960,12 +1020,12 @@ AC_ARG_WITH(ldap, [AS_HELP_STRING([--with-ldap[[=DIR]]], [enable LDAP support])]
 esac])
 
 AC_ARG_WITH(ldap-conf-file, [AS_HELP_STRING([--with-ldap-conf-file], [path to LDAP configuration file])])
 esac])
 
 AC_ARG_WITH(ldap-conf-file, [AS_HELP_STRING([--with-ldap-conf-file], [path to LDAP configuration file])])
-SUDO_DEFINE_UNQUOTED(_PATH_LDAP_CONF, "${with_ldap_conf_file-/etc/ldap.conf}", [Path to the ldap.conf file])
-ldap_conf=${with_ldap_conf_file-'/etc/ldap.conf'}
+test -n "$with_ldap_conf_file" && ldap_conf="$with_ldap_conf_file"
+SUDO_DEFINE_UNQUOTED(_PATH_LDAP_CONF, "$ldap_conf", [Path to the ldap.conf file])
 
 AC_ARG_WITH(ldap-secret-file, [AS_HELP_STRING([--with-ldap-secret-file], [path to LDAP secret password file])])
 
 AC_ARG_WITH(ldap-secret-file, [AS_HELP_STRING([--with-ldap-secret-file], [path to LDAP secret password file])])
-SUDO_DEFINE_UNQUOTED(_PATH_LDAP_SECRET, "${with_ldap_secret_file-/etc/ldap.secret}", [Path to the ldap.secret file])
-ldap_secret=${with_ldap_secret_file-'/etc/ldap.secret'}
+test -n "$with_ldap_secret_file" && ldap_secret="$with_ldap_secret_file"
+SUDO_DEFINE_UNQUOTED(_PATH_LDAP_SECRET, "$ldap_secret", [Path to the ldap.secret file])
 
 AC_ARG_WITH(pc-insults, [AS_HELP_STRING([--with-pc-insults], [replace politically incorrect insults with less offensive ones])],
 [case $with_pc_insults in
 
 AC_ARG_WITH(pc-insults, [AS_HELP_STRING([--with-pc-insults], [replace politically incorrect insults with less offensive ones])],
 [case $with_pc_insults in
@@ -1033,32 +1093,16 @@ AC_ARG_WITH(askpass, [AS_HELP_STRING([--with-askpass=PATH], [Fully qualified pat
     yes)       AC_MSG_ERROR(["--with-askpass takes a path as an argument."])
                ;;
     no)                ;;
     yes)       AC_MSG_ERROR(["--with-askpass takes a path as an argument."])
                ;;
     no)                ;;
-    *)         AC_DEFINE_UNQUOTED(_PATH_SUDO_ASKPASS, "$with_askpass", [The fully qualified pathname of askpass])
+    *)         SUDO_DEFINE_UNQUOTED(_PATH_SUDO_ASKPASS, "$with_askpass", [The fully qualified pathname of askpass])
                ;;
 esac], AC_MSG_RESULT(no))
 
                ;;
 esac], AC_MSG_RESULT(no))
 
-dnl
-dnl If enabled, set LIBVAS_SO, LIBVAS_RPATH and USING_NONUNIX_GROUPS
-dnl
-AC_ARG_WITH(libvas, [AS_HELP_STRING([--with-libvas=NAME], [Name of the libvas shared library (default=libvas.so)])],
-[case $with_libvas in
-    yes)       with_libvas=libvas.so
+AC_ARG_WITH(plugindir, [AS_HELP_STRING([--with-plugindir], [set directory to load plugins from])],
+[case $with_plugindir in
+    no)                AC_MSG_ERROR(["illegal argument: --without-plugindir."])
                ;;
                ;;
-    no)                ;;
-    *)         AC_DEFINE_UNQUOTED([LIBVAS_SO], ["$with_with_libvas"], [The name of libvas.so])
-               ;;
-esac
-if test X"$with_libvas" != X"no"; then
-    AC_DEFINE_UNQUOTED([LIBVAS_SO], ["$with_libvas"], [The name of libvas.so])
-    AC_DEFINE(USING_NONUNIX_GROUPS)
-    NONUNIX_GROUPS_IMPL="vasgroups.o"
-    AC_ARG_WITH([libvas-rpath],
-       [AS_HELP_STRING([--with-libvas-rpath=PATH],
-                      [Path to look for libvas in [default=/opt/quest/lib]])],
-       [LIBVAS_RPATH=$withval],
-       [LIBVAS_RPATH=/opt/quest/lib])
-fi
-])
+    *)         ;;
+esac], [with_plugindir="$libexecdir"])
 
 dnl
 dnl Options for --enable
 
 dnl
 dnl Options for --enable
@@ -1218,6 +1262,66 @@ AC_ARG_ENABLE(env_debug,
   esac
 ], AC_MSG_RESULT(no))
 
   esac
 ], AC_MSG_RESULT(no))
 
+AC_ARG_ENABLE(zlib,
+[AS_HELP_STRING([--enable-zlib[[=PATH]]], [Whether to enable or disable zlib])],
+[], [enable_zlib=yes])
+
+AC_MSG_CHECKING(whether to enable environment resetting by default)
+AC_ARG_ENABLE(env_reset,
+[AS_HELP_STRING([--enable-env-reset], [Whether to enable environment resetting by default.])],
+[ case "$enableval" in
+    yes)       env_reset=on
+               ;;
+    no)                env_reset=off
+               ;;
+    *)         env_reset=on
+               AC_MSG_WARN([Ignoring unknown argument to --enable-env-reset: $enableval])
+               ;;
+  esac
+])
+if test "$env_reset" = "on"; then
+    AC_MSG_RESULT(yes)
+    AC_DEFINE(ENV_RESET, 1)
+else
+    AC_MSG_RESULT(no)
+    AC_DEFINE(ENV_RESET, 0)
+fi
+
+AC_ARG_ENABLE(warnings,
+[AS_HELP_STRING([--enable-warnings], [Whether to enable compiler warnings])],
+[ case "$enableval" in
+    yes)    ;;
+    no)            ;;
+    *)     AC_MSG_WARN([Ignoring unknown argument to --enable-warnings: $enableval])
+           ;;
+  esac
+])
+
+AC_ARG_ENABLE(werror,
+[AS_HELP_STRING([--enable-werror], [Whether to enable the -Werror compiler option])],
+[ case "$enableval" in
+    yes)    ;;
+    no)            ;;
+    *)     AC_MSG_WARN([Ignoring unknown argument to --enable-werror: $enableval])
+           ;;
+  esac
+])
+
+AC_ARG_ENABLE(admin-flag,
+[AS_HELP_STRING([--enable-admin-flag], [Whether to create a Ubuntu-style admin flag file])],
+[ case "$enableval" in
+    yes)    AC_DEFINE(USE_ADMIN_FLAG)
+           ;;
+    no)            ;;
+    *)     AC_MSG_WARN([Ignoring unknown argument to --enable-admin-flag: $enableval])
+           ;;
+  esac
+])
+
+AC_ARG_ENABLE(nls,
+[AS_HELP_STRING([--disable-nls], [Disable natural language support using gettext])],
+[], [enable_nls=yes])
+
 AC_ARG_WITH(selinux, [AS_HELP_STRING([--with-selinux], [enable SELinux support])],
 [case $with_selinux in
     yes)       SELINUX_USAGE="[[-r role]] [[-t type]] "
 AC_ARG_WITH(selinux, [AS_HELP_STRING([--with-selinux], [enable SELinux support])],
 [case $with_selinux in
     yes)       SELINUX_USAGE="[[-r role]] [[-t type]] "
@@ -1225,8 +1329,9 @@ AC_ARG_WITH(selinux, [AS_HELP_STRING([--with-selinux], [enable SELinux support])
                SUDO_LIBS="${SUDO_LIBS} -lselinux"
                SUDO_OBJS="${SUDO_OBJS} selinux.o"
                PROGS="${PROGS} sesh"
                SUDO_LIBS="${SUDO_LIBS} -lselinux"
                SUDO_OBJS="${SUDO_OBJS} selinux.o"
                PROGS="${PROGS} sesh"
-               SELINUX=""
-               SEMAN=""
+               SEMAN=1
+               AC_CHECK_LIB([selinux], [setkeycreatecon],
+                   [AC_DEFINE(HAVE_SETKEYCREATECON)])
                ;;
     no)                ;;
     *)         AC_MSG_ERROR(["--with-selinux does not take an argument."])
                ;;
     no)                ;;
     *)         AC_MSG_ERROR(["--with-selinux does not take an argument."])
@@ -1241,41 +1346,54 @@ AC_ARG_ENABLE(gss_krb5_ccache_name,
 [check_gss_krb5_ccache_name=$enableval], [check_gss_krb5_ccache_name=no])
 
 dnl
 [check_gss_krb5_ccache_name=$enableval], [check_gss_krb5_ccache_name=no])
 
 dnl
-dnl If we don't have egrep we can't do anything...
+dnl C compiler checks
 dnl
 dnl
-AC_CHECK_PROG(EGREPPROG, egrep, egrep)
-if test -z "$EGREPPROG"; then
-    AC_MSG_ERROR([Sorry, configure requires egrep to run.])
+AC_SEARCH_LIBS([strerror], [cposix])
+AC_PROG_CPP
+AC_CHECK_TOOL(AR, ar, false)
+AC_CHECK_TOOL(RANLIB, ranlib, :)
+if test X"$AR" = X"false"; then
+    AC_MSG_ERROR([the "ar" utility is required to build sudo])
 fi
 
 fi
 
-dnl
-dnl Prevent configure from adding the -g flag unless in devel mode
-dnl
-if test "$with_devel" != "yes"; then
-    ac_cv_prog_cc_g=no
+if test "x$ac_cv_prog_cc_c89" = "xno"; then
+    AC_MSG_ERROR([Sudo version $PACKAGE_VERSION requires an ANSI C compiler to build.])
 fi
 
 dnl
 fi
 
 dnl
-dnl C compiler checks
+dnl If the user specified --disable-static, override them or we'll
+dnl be unable to build the executables in the sudoers plugin dir.
 dnl
 dnl
-AC_ISC_POSIX
-AC_PROG_CPP
+if test "$enable_static" = "no"; then
+    AC_MSG_WARN([Ignoring --disable-static, sudo does not install static libs])
+    enable_static=yes
+fi
 
 dnl
 
 dnl
-dnl Libtool magic; enable shared libs and disable static libs
+dnl Libtool setup, we require libtool 2.2.6b or higher
 dnl
 AC_CANONICAL_HOST
 dnl
 AC_CANONICAL_HOST
-AC_DISABLE_STATIC
-AC_LIBTOOL_DLOPEN
-AC_PROG_LIBTOOL
+AC_CONFIG_MACRO_DIR([m4])
+LT_PREREQ([2.2.6b])
+LT_INIT([dlopen])
 
 dnl
 dnl Defer with_noexec until after libtool magic runs
 dnl
 if test "$enable_shared" = "no"; then
     with_noexec=no
 
 dnl
 dnl Defer with_noexec until after libtool magic runs
 dnl
 if test "$enable_shared" = "no"; then
     with_noexec=no
+    enable_dlopen=no
+    lt_cv_dlopen=none
+    lt_cv_dlopen_libs=
+    ac_cv_func_dlopen=no
 else
     eval _shrext="$shrext_cmds"
 else
     eval _shrext="$shrext_cmds"
+    # Darwin uses .dylib for libraries but .so for modules
+    if test X"$_shrext" = X".dylib"; then
+       SOEXT=".so"
+    else
+       SOEXT="$_shrext"
+    fi
 fi
 AC_MSG_CHECKING(path to sudo_noexec.so)
 AC_ARG_WITH(noexec, [AS_HELP_STRING([--with-noexec[=PATH]], [fully qualified pathname of sudo_noexec.so])],
 fi
 AC_MSG_CHECKING(path to sudo_noexec.so)
 AC_ARG_WITH(noexec, [AS_HELP_STRING([--with-noexec[=PATH]], [fully qualified pathname of sudo_noexec.so])],
@@ -1289,20 +1407,36 @@ AC_MSG_RESULT($with_noexec)
 NOEXECFILE="sudo_noexec$_shrext"
 NOEXECDIR="`echo $with_noexec|sed 's:^\(.*\)/[[^/]]*:\1:'`"
 
 NOEXECFILE="sudo_noexec$_shrext"
 NOEXECDIR="`echo $with_noexec|sed 's:^\(.*\)/[[^/]]*:\1:'`"
 
-dnl
-dnl It is now safe to modify CFLAGS and CPPFLAGS
-dnl
-if test "$with_devel" = "yes" -a -n "$GCC"; then
-    CFLAGS="${CFLAGS} -Wall"
-fi
-
 dnl
 dnl Find programs we use
 dnl
 dnl
 dnl Find programs we use
 dnl
-AC_CHECK_PROG(UNAMEPROG, uname, uname)
-AC_CHECK_PROG(TRPROG, tr, tr)
-AC_CHECK_PROG(NROFFPROG, nroff, nroff)
-if test -z "$NROFFPROG"; then
+AC_CHECK_PROG(UNAMEPROG, [uname], [uname])
+AC_CHECK_PROG(TRPROG, [tr], [tr])
+AC_CHECK_PROGS(NROFFPROG, [nroff mandoc])
+if test -n "$NROFFPROG"; then
+    AC_CACHE_CHECK([whether $NROFFPROG supports the -c option],
+       [sudo_cv_var_nroff_opt_c],
+       [if $NROFFPROG -c </dev/null >/dev/null 2>&1; then
+           sudo_cv_var_nroff_opt_c=yes
+       else
+           sudo_cv_var_nroff_opt_c=no
+       fi]
+    )
+    if test "$sudo_cv_var_nroff_opt_c" = "yes"; then
+       NROFFPROG="$NROFFPROG -c"
+    fi
+    AC_CACHE_CHECK([whether $NROFFPROG supports the -Tascii option],
+       [sudo_cv_var_nroff_opt_Tascii],
+       [if $NROFFPROG -Tascii </dev/null >/dev/null 2>&1; then
+           sudo_cv_var_nroff_opt_Tascii=yes
+       else
+           sudo_cv_var_nroff_opt_Tascii=no
+       fi]
+    if test "$sudo_cv_var_nroff_opt_Tascii" = "yes"; then
+       NROFFPROG="$NROFFPROG -Tascii"
+    fi
+    )
+else
     MANTYPE="cat"
     mansrcdir='$(srcdir)'
 fi
     MANTYPE="cat"
     mansrcdir='$(srcdir)'
 fi
@@ -1339,6 +1473,9 @@ fi
 
 case "$host" in
     *-*-sunos4*)
 
 case "$host" in
     *-*-sunos4*)
+               # LD_PRELOAD is space-delimited
+               RTLD_PRELOAD_DELIM=" "
+
                # getcwd(3) opens a pipe to getpwd(1)!?!
                BROKEN_GETCWD=1
 
                # getcwd(3) opens a pipe to getpwd(1)!?!
                BROKEN_GETCWD=1
 
@@ -1350,6 +1487,9 @@ case "$host" in
                shadow_funcs="getpwanam issecure"
                ;;
     *-*-solaris2*)
                shadow_funcs="getpwanam issecure"
                ;;
     *-*-solaris2*)
+               # LD_PRELOAD is space-delimited
+               RTLD_PRELOAD_DELIM=" "
+
                # To get the crypt(3) prototype (so we pass -Wall)
                OSDEFS="${OSDEFS} -D__EXTENSIONS__"
                # AFS support needs -lucb
                # To get the crypt(3) prototype (so we pass -Wall)
                OSDEFS="${OSDEFS} -D__EXTENSIONS__"
                # AFS support needs -lucb
@@ -1360,11 +1500,12 @@ case "$host" in
                : ${mansectform='4'}
                : ${with_rpath='yes'}
                test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
                : ${mansectform='4'}
                : ${with_rpath='yes'}
                test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
+               AC_CHECK_FUNCS(priv_set)
                ;;
     *-*-aix*)
                # To get all prototypes (so we pass -Wall)
                ;;
     *-*-aix*)
                # To get all prototypes (so we pass -Wall)
-               OSDEFS="${OSDEFS} -D_XOPEN_EXTENDED_SOURCE -D_ALL_SOURCE"
-               SUDO_LDFLAGS="${SUDO_LDFLAGS} -Wl,-bI:\$(srcdir)/aixcrypt.exp"
+               OSDEFS="${OSDEFS} -D_ALL_SOURCE -D_LINUX_SOURCE_COMPAT"
+               SUDOERS_LDFLAGS="${SUDOERS_LDFLAGS} -Wl,-bI:\$(srcdir)/aixcrypt.exp"
                if test X"$with_blibpath" != X"no"; then
                    AC_MSG_CHECKING([if linker accepts -Wl,-blibpath])
                    O_LDFLAGS="$LDFLAGS"
                if test X"$with_blibpath" != X"no"; then
                    AC_MSG_CHECKING([if linker accepts -Wl,-blibpath])
                    O_LDFLAGS="$LDFLAGS"
@@ -1382,9 +1523,15 @@ case "$host" in
                fi
                LDFLAGS="$O_LDFLAGS"
 
                fi
                LDFLAGS="$O_LDFLAGS"
 
-               # Use authenticate(3) as the default authentication method
-               if test X"$with_aixauth" = X""; then
-                   AC_CHECK_FUNCS(authenticate, [AUTH_EXCL_DEF="AIX_AUTH"])
+               # On AIX 6 and higher default to PAM, else default to LAM
+               if test $OSMAJOR -ge 6; then
+                   if test X"$with_pam" = X""; then
+                       AUTH_EXCL_DEF="PAM"
+                   fi
+               else
+                   if test X"$with_aixauth" = X""; then
+                       AC_CHECK_FUNCS(authenticate, [AUTH_EXCL_DEF="AIX_AUTH"])
+                   fi
                fi
 
                # AIX analog of nsswitch.conf, enabled by default
                fi
 
                # AIX analog of nsswitch.conf, enabled by default
@@ -1399,9 +1546,19 @@ case "$host" in
                    with_netsvc="/etc/netsvc.conf"
                fi
 
                    with_netsvc="/etc/netsvc.conf"
                fi
 
+               # For implementing getgrouplist()
+               AC_CHECK_FUNCS(getgrset)
+
+               # LDR_PRELOAD is only supported in AIX 5.3 and later
+               if test $OSMAJOR -lt 5; then
+                   with_noexec=no
+               else
+                   RTLD_PRELOAD_VAR="LDR_PRELOAD"
+               fi
+
                # AIX-specific functions
                # AIX-specific functions
-               AC_CHECK_FUNCS(getuserattr)
-               SUDO_OBJS="$SUDO_OBJS aix.o"
+               AC_CHECK_FUNCS(getuserattr setauthdb)
+               COMMON_OBJS="$COMMON_OBJS aix.lo"
                ;;
     *-*-hiuxmpp*)
                : ${mansectsu='1m'}
                ;;
     *-*-hiuxmpp*)
                : ${mansectsu='1m'}
@@ -1415,33 +1572,49 @@ case "$host" in
                : ${mansectsu='1m'}
                : ${mansectform='4'}
 
                : ${mansectsu='1m'}
                : ${mansectform='4'}
 
-               # HP-UX bundled compiler can't generate shared objects
-               if test "x$ac_cv_prog_cc_c89" = "xno"; then
-                   with_noexec=no
+               # The HP bundled compiler cannot generate shared libs
+               if test -z "$GCC"; then
+                   AC_CACHE_CHECK([for HP bundled C compiler],
+                       [sudo_cv_var_hpccbundled],
+                       [if $CC -V 2>&1 | grep '^(Bundled)' >/dev/null 2>&1; then
+                           sudo_cv_var_hpccbundled=yes
+                       else
+                           sudo_cv_var_hpccbundled=no
+                       fi]
+                   )
+                   if test "$sudo_cv_var_hpccbundled" = "yes"; then
+                       AC_MSG_ERROR([The HP bundled C compiler is unable to build Sudo, you must use gcc or the HP ANSI C compiler instead.])
+                   fi
                fi
 
                fi
 
-               # Use the +DAportable flag if it is supported
-               _CFLAGS="$CFLAGS"
-               CFLAGS="$CFLAGS +DAportable"
-               AC_CACHE_CHECK([whether $CC understands +DAportable],
-                   [sudo_cv_var_daportable],
-                   [AC_TRY_LINK([], [], [sudo_cv_var_daportable=yes],
-                                [sudo_cv_var_daportable=no])]
-               )
-               if test X"$sudo_cv_var_daportable" != X"yes"; then
-                   CFLAGS="$_CFLAGS"
-               fi
+               # Build PA-RISC1.1 objects for better portability
+               case "$host_cpu" in
+                   hppa[[2-9]]*)
+                       _CFLAGS="$CFLAGS"
+                       if test -n "$GCC"; then
+                           portable_flag="-march=1.1"
+                       else
+                           portable_flag="+DAportable"
+                       fi
+                       CFLAGS="$CFLAGS $portable_flag"
+                       AC_CACHE_CHECK([whether $CC understands $portable_flag],
+                           [sudo_cv_var_daportable],
+                           [AC_LINK_IFELSE(
+                               [AC_LANG_PROGRAM([[]], [[]])],
+                                   [sudo_cv_var_daportable=yes],
+                                   [sudo_cv_var_daportable=no]
+                               )
+                           ]
+                       )
+                       if test X"$sudo_cv_var_daportable" != X"yes"; then
+                           CFLAGS="$_CFLAGS"
+                       fi
+                       ;;
+               esac
 
                case "$host" in
 
                case "$host" in
-                       *-*-hpux[1-8].*)
+                       *-*-hpux[[1-8]].*)
                            AC_DEFINE(BROKEN_SYSLOG)
                            AC_DEFINE(BROKEN_SYSLOG)
-
-                           # Not sure if setuid binaries are safe in < 9.x
-                           if test -n "$GCC"; then
-                               SUDO_LDFLAGS="${SUDO_LDFLAGS} -static"
-                           else
-                               SUDO_LDFLAGS="${SUDO_LDFLAGS} -Wl,-a,archive"
-                           fi
                        ;;
                        *-*-hpux9.*)
                            AC_DEFINE(BROKEN_SYSLOG)
                        ;;
                        *-*-hpux9.*)
                            AC_DEFINE(BROKEN_SYSLOG)
@@ -1451,7 +1624,7 @@ case "$host" in
                            # DCE support (requires ANSI C compiler)
                            if test "$with_DCE" = "yes"; then
                                # order of libs in 9.X is important. -lc_r must be last
                            # DCE support (requires ANSI C compiler)
                            if test "$with_DCE" = "yes"; then
                                # order of libs in 9.X is important. -lc_r must be last
-                               SUDO_LIBS="${SUDO_LIBS} -ldce -lM -lc_r"
+                               SUDOERS_LIBS="${SUDOERS_LIBS} -ldce -lM -lc_r"
                                LIBS="${LIBS} -ldce -lM -lc_r"
                                CPPFLAGS="${CPPFLAGS} -D_REENTRANT -I/usr/include/reentrant"
                            fi
                                LIBS="${LIBS} -ldce -lM -lc_r"
                                CPPFLAGS="${CPPFLAGS} -D_REENTRANT -I/usr/include/reentrant"
                            fi
@@ -1459,6 +1632,8 @@ case "$host" in
                        *-*-hpux10.*)
                            shadow_funcs="getprpwnam iscomsec"
                            shadow_libs="-lsec"
                        *-*-hpux10.*)
                            shadow_funcs="getprpwnam iscomsec"
                            shadow_libs="-lsec"
+                           # HP-UX 10.20 libc has an incompatible getline
+                           ac_cv_func_getline="no"
                        ;;
                        *)
                            shadow_funcs="getspnam iscomsec"
                        ;;
                        *)
                            shadow_funcs="getspnam iscomsec"
@@ -1469,7 +1644,7 @@ case "$host" in
                ;;
     *-dec-osf*)
                # ignore envariables wrt dynamic lib path
                ;;
     *-dec-osf*)
                # ignore envariables wrt dynamic lib path
-               SUDO_LDFLAGS="${SUDO_LDFLAGS} -Wl,-no_library_replacement"
+               SUDOERS_LDFLAGS="${SUDOERS_LDFLAGS} -Wl,-no_library_replacement"
 
                : ${CHECKSIA='true'}
                AC_MSG_CHECKING(whether to disable sia support on Digital UNIX)
 
                : ${CHECKSIA='true'}
                AC_MSG_CHECKING(whether to disable sia support on Digital UNIX)
@@ -1512,6 +1687,9 @@ case "$host" in
                ]], [[exit(0);]])], [AC_MSG_RESULT(no)], [AC_MSG_RESULT([yes, fixing locally])
                sed 's:<acl.h>:<sys/acl.h>:g' < /usr/include/prot.h > prot.h
                ])
                ]], [[exit(0);]])], [AC_MSG_RESULT(no)], [AC_MSG_RESULT([yes, fixing locally])
                sed 's:<acl.h>:<sys/acl.h>:g' < /usr/include/prot.h > prot.h
                ])
+               # ":DEFAULT" must be appended to _RLD_LIST
+               RTLD_PRELOAD_VAR="_RLD_LIST"
+               RTLD_PRELOAD_DEFAULT="DEFAULT"
                : ${mansectsu='8'}
                : ${mansectform='4'}
                ;;
                : ${mansectsu='8'}
                : ${mansectform='4'}
                ;;
@@ -1519,7 +1697,7 @@ case "$host" in
                OSDEFS="${OSDEFS} -D_BSD_TYPES"
                if test -z "$NROFFPROG"; then
                    MAN_POSTINSTALL='   /bin/rm -f $(mandirsu)/sudo.$(mansectsu).z $(mandirsu)/visudo.$(mansectsu).z $(mandirform)/sudoers.$(mansectform).z ; /usr/bin/pack $(mandirsu)/sudo.$(mansectsu) $(mandirsu)/visudo.$(mansectsu) $(mandirform)/sudoers.$(mansectform)'
                OSDEFS="${OSDEFS} -D_BSD_TYPES"
                if test -z "$NROFFPROG"; then
                    MAN_POSTINSTALL='   /bin/rm -f $(mandirsu)/sudo.$(mansectsu).z $(mandirsu)/visudo.$(mansectsu).z $(mandirform)/sudoers.$(mansectform).z ; /usr/bin/pack $(mandirsu)/sudo.$(mansectsu) $(mandirsu)/visudo.$(mansectsu) $(mandirform)/sudoers.$(mansectform)'
-                   if test "$prefix" = "/usr/local" -a "$mandir" = '$(prefix)/man'; then
+                   if test "$prefix" = "/usr/local" -a "$mandir" = '${datarootdir}/man'; then
                        if test -d /usr/share/catman/local; then
                            mandir="/usr/share/catman/local"
                        else
                        if test -d /usr/share/catman/local; then
                            mandir="/usr/share/catman/local"
                        else
@@ -1527,7 +1705,7 @@ case "$host" in
                        fi
                    fi
                else
                        fi
                    fi
                else
-                   if test "$prefix" = "/usr/local" -a "$mandir" = '$(prefix)/man'; then
+                   if test "$prefix" = "/usr/local" -a "$mandir" = '${datarootdir}/man'; then
                        if test -d "/usr/share/man/local"; then
                            mandir="/usr/share/man/local"
                        else
                        if test -d "/usr/share/man/local"; then
                            mandir="/usr/share/man/local"
                        else
@@ -1539,6 +1717,9 @@ case "$host" in
                if test "$OSMAJOR" -le 4; then
                    AC_CHECK_LIB(sun, getpwnam, [LIBS="${LIBS} -lsun"])
                fi
                if test "$OSMAJOR" -le 4; then
                    AC_CHECK_LIB(sun, getpwnam, [LIBS="${LIBS} -lsun"])
                fi
+               # ":DEFAULT" must be appended to _RLD_LIST
+               RTLD_PRELOAD_VAR="_RLD_LIST"
+               RTLD_PRELOAD_DEFAULT="DEFAULT"
                : ${mansectsu='1m'}
                : ${mansectform='4'}
                ;;
                : ${mansectsu='1m'}
                : ${mansectform='4'}
                ;;
@@ -1574,8 +1755,7 @@ case "$host" in
     *-*-isc*)
                OSDEFS="${OSDEFS} -D_ISC"
                LIB_CRYPT=1
     *-*-isc*)
                OSDEFS="${OSDEFS} -D_ISC"
                LIB_CRYPT=1
-               SUDO_LIBS="${SUDO_LIBS} -lcrypt"
-               LIBS="${LIBS} -lcrypt"
+               SUDOERS_LIBS="${SUDOERS_LIBS} -lcrypt"
 
                shadow_funcs="getspnam"
                shadow_libs="-lsec"
 
                shadow_funcs="getspnam"
                shadow_libs="-lsec"
@@ -1603,30 +1783,20 @@ case "$host" in
                : ${with_rpath='yes'}
                ;;
     *-ncr-sysv4*|*-ncr-sysvr4*)
                : ${with_rpath='yes'}
                ;;
     *-ncr-sysv4*|*-ncr-sysvr4*)
-               AC_CHECK_LIB(c89, strcasecmp, AC_DEFINE(HAVE_STRCASECMP) [LIBS="${LIBS} -lc89"; ac_cv_func_strcasecmp=yes])
+               AC_CHECK_LIB(c89, strcasecmp, [LIBS="${LIBS} -lc89"])
                : ${mansectsu='1m'}
                : ${mansectform='4'}
                : ${with_rpath='yes'}
                ;;
     *-ccur-sysv4*|*-ccur-sysvr4*)
                LIBS="${LIBS} -lgen"
                : ${mansectsu='1m'}
                : ${mansectform='4'}
                : ${with_rpath='yes'}
                ;;
     *-ccur-sysv4*|*-ccur-sysvr4*)
                LIBS="${LIBS} -lgen"
-               SUDO_LIBS="${SUDO_LIBS} -lgen"
                : ${mansectsu='1m'}
                : ${mansectform='4'}
                : ${with_rpath='yes'}
                ;;
     *-*-bsdi*)
                SKIP_SETREUID=yes
                : ${mansectsu='1m'}
                : ${mansectform='4'}
                : ${with_rpath='yes'}
                ;;
     *-*-bsdi*)
                SKIP_SETREUID=yes
-               # Use shlicc for BSD/OS [23].x unless asked to do otherwise
-               if test "${with_CC+set}" != set -a "$ac_cv_prog_CC" = gcc; then
-                   case "$OSMAJOR" in
-                       2|3)    AC_MSG_NOTICE([using shlicc as CC])
-                               ac_cv_prog_CC=shlicc
-                               CC="$ac_cv_prog_CC"
-                               ;;
-                   esac
-               fi
-               # Check for newer BSD auth API (just check for >= 3.0?)
+               # Check for newer BSD auth API
                if test -z "$with_bsdauth"; then
                    AC_CHECK_FUNCS(auth_challenge, [AUTH_EXCL_DEF="BSD_AUTH"])
                fi
                if test -z "$with_bsdauth"; then
                    AC_CHECK_FUNCS(auth_challenge, [AUTH_EXCL_DEF="BSD_AUTH"])
                fi
@@ -1639,8 +1809,9 @@ case "$host" in
                    SKIP_SETREUID=yes
                    ;;
                esac
                    SKIP_SETREUID=yes
                    ;;
                esac
-               if test "$with_skey" = "yes"; then
-                    SUDO_LIBS="${SUDO_LIBS} -lmd"
+               OSDEFS="${OSDEFS} -D_BSD_SOURCE"
+               if test "${with_skey-'no'}" = "yes"; then
+                    SUDOERS_LIBS="${SUDOERS_LIBS} -lmd"
                fi
                CHECKSHADOW="false"
                test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
                fi
                CHECKSHADOW="false"
                test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
@@ -1648,25 +1819,22 @@ case "$host" in
                ;;
     *-*-*openbsd*)
                # OpenBSD has a real setreuid(2) starting with 3.3 but
                ;;
     *-*-*openbsd*)
                # OpenBSD has a real setreuid(2) starting with 3.3 but
-               # we will use setreuid(2) instead.
+               # we will use setresuid(2) instead.
                SKIP_SETREUID=yes
                SKIP_SETREUID=yes
+               OSDEFS="${OSDEFS} -D_BSD_SOURCE"
                CHECKSHADOW="false"
                # OpenBSD >= 3.0 supports BSD auth
                if test -z "$with_bsdauth"; then
                CHECKSHADOW="false"
                # OpenBSD >= 3.0 supports BSD auth
                if test -z "$with_bsdauth"; then
-                   case "$OSREV" in
-                   [0-2].*)
-                       ;;
-                   *)
+                   if test "$OSMAJOR" -ge 3; then
                        AUTH_EXCL_DEF="BSD_AUTH"
                        AUTH_EXCL_DEF="BSD_AUTH"
-                       ;;
-                   esac
+                   fi
                fi
                : ${with_logincap='maybe'}
                ;;
     *-*-*netbsd*)
                # NetBSD has a real setreuid(2) starting with 1.3.2
                case "$OSREV" in
                fi
                : ${with_logincap='maybe'}
                ;;
     *-*-*netbsd*)
                # NetBSD has a real setreuid(2) starting with 1.3.2
                case "$OSREV" in
-               0.9*|1.[012]*|1.3|1.3.1)
+               0.9*|1.[[012]]*|1.3|1.3.1)
                    SKIP_SETREUID=yes
                    ;;
                esac
                    SKIP_SETREUID=yes
                    ;;
                esac
@@ -1675,8 +1843,9 @@ case "$host" in
                : ${with_logincap='maybe'}
                ;;
     *-*-dragonfly*)
                : ${with_logincap='maybe'}
                ;;
     *-*-dragonfly*)
-               if test "$with_skey" = "yes"; then
-                    SUDO_LIBS="${SUDO_LIBS} -lmd"
+               OSDEFS="${OSDEFS} -D_BSD_SOURCE"
+               if test "${with_skey-'no'}" = "yes"; then
+                    SUDOERS_LIBS="${SUDOERS_LIBS} -lmd"
                fi
                CHECKSHADOW="false"
                test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
                fi
                CHECKSHADOW="false"
                test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
@@ -1686,15 +1855,22 @@ case "$host" in
                CHECKSHADOW="false"
                ;;
     *-*-darwin*)
                CHECKSHADOW="false"
                ;;
     *-*-darwin*)
-               SKIP_SETREUID=yes
+               # Darwin has a real setreuid(2) starting with 9.0
+               if test $OSMAJOR -lt 9; then
+                   SKIP_SETREUID=yes
+               fi
                CHECKSHADOW="false"
                test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
                : ${with_logincap='yes'}
                CHECKSHADOW="false"
                test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
                : ${with_logincap='yes'}
+               RTLD_PRELOAD_VAR="DYLD_INSERT_LIBRARIES"
+               RTLD_PRELOAD_ENABLE_VAR="DYLD_FORCE_FLAT_NAMESPACE"
                ;;
     *-*-nextstep*)
                # lockf() on is broken on the NeXT -- use flock instead
                ac_cv_func_lockf=no
                ac_cv_func_flock=yes
                ;;
     *-*-nextstep*)
                # lockf() on is broken on the NeXT -- use flock instead
                ac_cv_func_lockf=no
                ac_cv_func_flock=yes
+               RTLD_PRELOAD_VAR="DYLD_INSERT_LIBRARIES"
+               RTLD_PRELOAD_ENABLE_VAR="DYLD_FORCE_FLAT_NAMESPACE"
                ;;
     *-*-*sysv4*)
                : ${mansectsu='1m'}
                ;;
     *-*-*sysv4*)
                : ${mansectsu='1m'}
@@ -1710,6 +1886,20 @@ case "$host" in
                ;;
 esac
 
                ;;
 esac
 
+dnl
+dnl Library preloading to support NOEXEC
+dnl
+if test -n "$with_noexec"; then
+    SUDO_DEFINE_UNQUOTED(RTLD_PRELOAD_VAR, "$RTLD_PRELOAD_VAR")
+    SUDO_DEFINE_UNQUOTED(RTLD_PRELOAD_DELIM, "$RTLD_PRELOAD_DELIM")
+    if test -n "$RTLD_PRELOAD_DEFAULT"; then
+       SUDO_DEFINE_UNQUOTED(RTLD_PRELOAD_DEFAULT, "$RTLD_PRELOAD_DEFAULT")
+    fi
+    if test -n "$RTLD_PRELOAD_ENABLE_VAR"; then
+       SUDO_DEFINE_UNQUOTED(RTLD_PRELOAD_ENABLE_VAR, "$RTLD_PRELOAD_ENABLE_VAR")
+    fi
+fi
+
 dnl
 dnl Check for mixing mutually exclusive and regular auth methods
 dnl
 dnl
 dnl Check for mixing mutually exclusive and regular auth methods
 dnl
@@ -1763,6 +1953,32 @@ dnl
 AC_PROG_GCC_TRADITIONAL
 AC_C_CONST
 AC_C_VOLATILE
 AC_PROG_GCC_TRADITIONAL
 AC_C_CONST
 AC_C_VOLATILE
+# Check for variadic macro support in cpp
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([
+AC_INCLUDES_DEFAULT
+#if defined(__GNUC__) && __GNUC__ == 2
+# define sudo_fprintf(fp, fmt...) fprintf((fp), (fmt))
+#else
+# define sudo_fprintf(fp, ...) fprintf((fp), __VA_ARGS__)
+#endif
+], [sudo_fprintf(stderr, "a %s", "test");])], [], [AC_MSG_ERROR([Your C compiler doesn't support variadic macros, try building with gcc instead])])
+if test X"$with_gnu_ld" != "yes" -a -n "$GCC"; then
+    _CFLAGS="$CFLAGS"
+    CFLAGS="$CFLAGS -static-libgcc"
+    AC_CACHE_CHECK([whether $CC understands -static-libgcc],
+       [sudo_cv_var_gcc_static_libgcc],
+       [AC_LINK_IFELSE(
+           [AC_LANG_PROGRAM([[]], [[]])],
+               [sudo_cv_var_gcc_static_libgcc=yes],
+               [sudo_cv_var_gcc_static_libgcc=no]
+           )
+       ]
+    )
+    CFLAGS="$_CFLAGS"
+    if test "$sudo_cv_var_gcc_static_libgcc" = "yes"; then
+       LTLDFLAGS="$LTLDFLAGS -Wc,-static-libgcc"
+    fi
+fi
 dnl
 dnl Program checks
 dnl
 dnl
 dnl Program checks
 dnl
@@ -1773,36 +1989,77 @@ SUDO_PROG_BSHELL
 if test -z "$with_sendmail"; then
     SUDO_PROG_SENDMAIL
 fi
 if test -z "$with_sendmail"; then
     SUDO_PROG_SENDMAIL
 fi
-if test -z "$with_editor"; then
-    SUDO_PROG_VI
+SUDO_PROG_VI
+dnl
+dnl Check for authpriv support in syslog
+dnl
+AC_MSG_CHECKING(which syslog facility sudo should log with)
+if test X"$with_logfac" = X""; then
+    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <syslog.h>]], [[int i = LOG_AUTHPRIV; (void)i;]])], [logfac=authpriv])
 fi
 fi
+AC_DEFINE_UNQUOTED(LOGFAC, "$logfac", [The syslog facility sudo will use.])
+AC_MSG_RESULT($logfac)
 dnl
 dnl Header file checks
 dnl
 AC_HEADER_STDC
 AC_HEADER_DIRENT
 AC_HEADER_TIME
 dnl
 dnl Header file checks
 dnl
 AC_HEADER_STDC
 AC_HEADER_DIRENT
 AC_HEADER_TIME
-AC_CHECK_HEADERS(malloc.h paths.h utime.h netgroup.h sys/sockio.h sys/bsdtypes.h sys/select.h)
-dnl ultrix termio/termios are broken
-if test "$OS" != "ultrix"; then
-    AC_SYS_POSIX_TERMIOS
-    if test "$ac_cv_sys_posix_termios" = "yes"; then
-       AC_DEFINE(HAVE_TERMIOS_H)
-    else
-       AC_CHECK_HEADERS(termio.h)
-    fi
+AC_HEADER_STDBOOL
+AC_HEADER_MAJOR
+AC_CHECK_HEADERS(malloc.h netgroup.h paths.h spawn.h utime.h utmpx.h sys/sockio.h sys/bsdtypes.h sys/select.h sys/stropts.h sys/sysmacros.h)
+AC_CHECK_HEADERS([procfs.h] [sys/procfs.h], [AC_CHECK_MEMBERS(struct psinfo.pr_ttydev, [AC_CHECK_FUNCS(_ttyname_dev)], [], [AC_INCLUDES_DEFAULT
+#ifdef HAVE_PROCFS_H
+#include <procfs.h>
+#endif
+#ifdef HAVE_SYS_PROCFS_H
+#include <sys/procfs.h>
+#endif
+])]
+break)
+dnl
+dnl Check for large file support.  HP-UX 11.23 has a broken sys/type.h
+dnl when large files support is enabled so work around it.
+dnl
+AC_SYS_LARGEFILE
+case "$host" in
+    *-*-hpux11.*)
+       AC_CACHE_CHECK([whether sys/types.h needs _XOPEN_SOURCE_EXTENDED], [sudo_cv_xopen_source_extended],
+       [AC_COMPILE_IFELSE([AC_LANG_PROGRAM([AC_INCLUDES_DEFAULT
+       #include <sys/socket.h>], [])], [sudo_cv_xopen_source_extended=no], [
+           AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#define _XOPEN_SOURCE_EXTENDED
+           AC_INCLUDES_DEFAULT
+           #include <sys/socket.h>], [])], [sudo_cv_xopen_source_extended=yes],
+           [sudo_cv_xopen_source_extended=error])
+       ])])
+       if test "$sudo_cv_xopen_source_extended" = "yes"; then
+           OSDEFS="${OSDEFS} -D_XOPEN_SOURCE_EXTENDED"
+           SUDO_DEFINE(_XOPEN_SOURCE_EXTENDED)
+       fi
+       ;;
+esac
+AC_SYS_POSIX_TERMIOS
+if test "$ac_cv_sys_posix_termios" != "yes"; then
+    AC_MSG_ERROR([Must have POSIX termios to build sudo])
 fi
 fi
+SUDO_MAILDIR
 if test ${with_logincap-'no'} != "no"; then
 if test ${with_logincap-'no'} != "no"; then
-    AC_CHECK_HEADERS(login_cap.h, [LOGINCAP_USAGE='[[-c class|-]] '; LCMAN=""
+    AC_CHECK_HEADERS(login_cap.h, [LOGINCAP_USAGE='[[-c class|-]] '; LCMAN=1
        case "$OS" in
        case "$OS" in
-           freebsd|netbsd)     SUDO_LIBS="${SUDO_LIBS} -lutil"
-           ;;
+           freebsd|netbsd)
+               SUDO_LIBS="${SUDO_LIBS} -lutil"
+               SUDOERS_LIBS="${SUDOERS_LIBS} -lutil"
+               ;;
        esac
     ])
 fi
 if test ${with_project-'no'} != "no"; then
        esac
     ])
 fi
 if test ${with_project-'no'} != "no"; then
-    AC_CHECK_HEADER(project.h, AC_DEFINE(HAVE_PROJECT_H)
-       [SUDO_LIBS="${SUDO_LIBS} -lproject"], -)
+    AC_CHECK_HEADER(project.h, [
+       AC_CHECK_LIB(project, setproject, [
+           AC_DEFINE(HAVE_PROJECT_H)
+           SUDO_LIBS="${SUDO_LIBS} -lproject"
+       ])
+    ], [])
 fi
 dnl
 dnl typedef checks
 fi
 dnl
 dnl typedef checks
@@ -1812,40 +2069,148 @@ AC_TYPE_UID_T
 AC_CHECK_TYPE([__signed char], [], [AC_CHECK_TYPE([signed char], [AC_DEFINE(__signed, signed)], [AC_DEFINE(__signed, [])])])
 AC_CHECK_TYPE([sig_atomic_t], [], [AC_DEFINE(sig_atomic_t, int)], [#include <sys/types.h>
 #include <signal.h>])
 AC_CHECK_TYPE([__signed char], [], [AC_CHECK_TYPE([signed char], [AC_DEFINE(__signed, signed)], [AC_DEFINE(__signed, [])])])
 AC_CHECK_TYPE([sig_atomic_t], [], [AC_DEFINE(sig_atomic_t, int)], [#include <sys/types.h>
 #include <signal.h>])
-AC_CHECK_TYPES([sigaction_t], [AC_DEFINE(HAVE_SIGACTION_T)], [], [#include <sys/types.h>
+AC_CHECK_TYPES([sigaction_t], [], [], [#include <sys/types.h>
 #include <signal.h>])
 #include <signal.h>])
-AC_CHECK_TYPE([struct timespec], [AC_DEFINE(HAVE_TIMESPEC)], [], [#include <sys/types.h>
+AC_CHECK_TYPES([struct timespec], [], [], [#include <sys/types.h>
 #if TIME_WITH_SYS_TIME
 # include <sys/time.h>
 #endif
 #include <time.h>])
 #if TIME_WITH_SYS_TIME
 # include <sys/time.h>
 #endif
 #include <time.h>])
-AC_CHECK_TYPES([struct in6_addr], [AC_DEFINE(HAVE_IN6_ADDR)], [], [#include <sys/types.h>
+AC_CHECK_TYPES([struct in6_addr], [], [], [#include <sys/types.h>
 #include <netinet/in.h>])
 #include <netinet/in.h>])
-SUDO_TYPE_SIZE_T
-SUDO_TYPE_SSIZE_T
-SUDO_TYPE_DEV_T
-SUDO_TYPE_INO_T
+AC_TYPE_LONG_LONG_INT
+AC_CHECK_SIZEOF([long int])
+AC_CHECK_TYPE(size_t, unsigned int)
+AC_CHECK_TYPE(ssize_t, int)
+AC_CHECK_TYPE(dev_t, int)
+AC_CHECK_TYPE(ino_t, unsigned int)
+AC_CHECK_TYPE(socklen_t, [], [AC_DEFINE(socklen_t, unsigned int)], [
+AC_INCLUDES_DEFAULT
+#include <sys/socket.h>])
 SUDO_UID_T_LEN
 SUDO_UID_T_LEN
-SUDO_TYPE_LONG_LONG
 SUDO_SOCK_SA_LEN
 dnl
 SUDO_SOCK_SA_LEN
 dnl
-dnl only set RETSIGTYPE if it is not set already
+dnl Check for utmp/utmpx struct members.
+dnl We need to include OSDEFS for glibc which only has __e_termination
+dnl visible when _GNU_SOURCE is *not* defined.
 dnl
 dnl
-case "$DEFS" in
-    *"RETSIGTYPE"*)    ;;
-    *)                 AC_TYPE_SIGNAL;;
-esac
+_CFLAGS="$CFLAGS"
+CFLAGS="$CFLAGS $OSDEFS"
+if test $ac_cv_header_utmpx_h = "yes"; then
+    AC_CHECK_MEMBERS([struct utmpx.ut_id, struct utmpx.ut_pid, struct utmpx.ut_tv, struct utmpx.ut_type], [], [], [
+       #include <sys/types.h>
+       #include <utmpx.h>
+    ])
+    dnl
+    dnl Check for ut_exit.__e_termination first, then ut_exit.e_termination
+    dnl
+    AC_CHECK_MEMBERS([struct utmpx.ut_exit.__e_termination], [AC_DEFINE(HAVE_STRUCT_UTMPX_UT_EXIT)], [
+       AC_CHECK_MEMBERS([struct utmpx.ut_exit.e_termination], [AC_DEFINE(HAVE_STRUCT_UTMPX_UT_EXIT)], [], [
+           #include <sys/types.h>
+           #include <utmpx.h>
+       ])
+    ], [
+       #include <sys/types.h>
+       #include <utmpx.h>
+    ])
+else
+    AC_CHECK_MEMBERS([struct utmp.ut_id, struct utmp.ut_pid, struct utmp.ut_tv, struct utmp.ut_type, struct utmp.ut_user], [], [], [
+       #include <sys/types.h>
+       #include <utmp.h>
+    ])
+    dnl
+    dnl Check for ut_exit.__e_termination first, then ut_exit.e_termination
+    dnl
+    AC_CHECK_MEMBERS([struct utmp.ut_exit.__e_termination], [AC_DEFINE(HAVE_STRUCT_UTMP_UT_EXIT)], [
+       AC_CHECK_MEMBERS([struct utmp.ut_exit.e_termination], [AC_DEFINE(HAVE_STRUCT_UTMP_UT_EXIT)], [], [
+           #include <sys/types.h>
+           #include <utmp.h>
+       ])
+    ], [
+       #include <sys/types.h>
+       #include <utmp.h>
+    ])
+fi
+CFLAGS="$_CFLAGS"
+
 dnl
 dnl Function checks
 dnl
 AC_FUNC_GETGROUPS
 dnl
 dnl Function checks
 dnl
 AC_FUNC_GETGROUPS
-AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \
-              strftime setrlimit initgroups getgroups fstat gettimeofday \
-              setlocale getaddrinfo setsid setenv setrlimit64)
-AC_CHECK_FUNCS(unsetenv, SUDO_FUNC_UNSETENV_VOID)
+AC_CHECK_FUNCS(glob strrchr sysconf tzset strftime setenv \
+              regcomp setlocale nl_langinfo mbr_check_membership \
+              setrlimit64)
+AC_REPLACE_FUNCS(getgrouplist)
+AC_CHECK_FUNCS(getline, [], [
+    AC_LIBOBJ(getline)
+    AC_CHECK_FUNCS(fgetln)
+])
+dnl
+dnl If libc supports _FORTIFY_SOURCE check functions, use it.
+dnl
+O_CPPFLAGS="$CPPFLAGS"
+CPPFLAGS="$CPPFLAGS -D_FORTIFY_SOURCE=2"
+AC_CHECK_FUNC(__sprintf_chk, [
+    AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[char buf[4]; (void)sprintf(buf, "%s", "foo");]])], [OSDEFS="${OSDEFS} -D_FORTIFY_SOURCE=2"], [])
+], [])
+CPPFLAGS="$O_CPPFLAGS"
+
+utmp_style=LEGACY
+AC_CHECK_FUNCS(getutxid getutid, [utmp_style=POSIX; break])
+if test "$utmp_style" = "LEGACY"; then
+    AC_CHECK_FUNCS(getttyent ttyslot, [break])
+fi
+
+AC_CHECK_FUNCS(sysctl, [AC_CHECK_MEMBERS([struct kinfo_proc.ki_tdev], [],
+    [
+       AC_CHECK_MEMBERS([struct kinfo_proc2.p_tdev], [], [
+           AC_CHECK_MEMBERS([struct kinfo_proc.p_tdev], [], [
+               AC_CHECK_MEMBERS([struct kinfo_proc.kp_eproc.e_tdev], [], [], [
+                   #include <sys/param.h>
+                   #include <sys/sysctl.h>
+               ])
+           ], [
+               #include <sys/param.h>
+               #include <sys/sysctl.h>
+           ])
+       ],
+       [
+           #include <sys/param.h>
+           #include <sys/sysctl.h>
+       ])
+    ],
+    [
+       #include <sys/param.h>
+       #include <sys/sysctl.h>
+       #include <sys/user.h>
+    ])
+])
+
+AC_CHECK_FUNCS(openpty, [AC_CHECK_HEADERS(libutil.h util.h pty.h, [break])], [
+    AC_CHECK_LIB(util, openpty, [
+       AC_CHECK_HEADERS(libutil.h util.h pty.h, [break])
+       case "$SUDO_LIBS" in
+           *-lutil*) ;;
+           *) SUDO_LIBS="${SUDO_LIBS} -lutil";;
+       esac
+       AC_DEFINE(HAVE_OPENPTY)
+    ], [
+       AC_CHECK_FUNCS(_getpty, [], [
+           AC_CHECK_FUNCS(grantpt, [
+               AC_CHECK_FUNCS(posix_openpt)
+           ], [
+               AC_CHECK_FUNCS(revoke)
+           ])
+       ])
+    ])
+])
+AC_CHECK_FUNCS(unsetenv, [SUDO_FUNC_UNSETENV_VOID], [])
 SUDO_FUNC_PUTENV_CONST
 if test -z "$SKIP_SETRESUID"; then
 SUDO_FUNC_PUTENV_CONST
 if test -z "$SKIP_SETRESUID"; then
-    AC_CHECK_FUNCS(setresuid, [SKIP_SETREUID=yes])
+    AC_CHECK_FUNCS(setresuid, [
+       SKIP_SETREUID=yes
+       AC_CHECK_FUNCS(getresuid)
+    ])
 fi
 if test -z "$SKIP_SETREUID"; then
     AC_CHECK_FUNCS(setreuid, [SKIP_SETEUID=yes])
 fi
 if test -z "$SKIP_SETREUID"; then
     AC_CHECK_FUNCS(setreuid, [SKIP_SETEUID=yes])
@@ -1859,46 +2224,44 @@ fi
 if test -z "$BROKEN_GETCWD"; then
     AC_REPLACE_FUNCS(getcwd)
 fi
 if test -z "$BROKEN_GETCWD"; then
     AC_REPLACE_FUNCS(getcwd)
 fi
-AC_CHECK_FUNCS(glob, [AC_MSG_CHECKING(for GLOB_BRACE and GLOB_TILDE in glob.h)
-AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <glob.h>]], [[int i = GLOB_BRACE | GLOB_TILDE; (void)i;]])], [AC_DEFINE(HAVE_EXTENDED_GLOB)
-    AC_MSG_RESULT(yes)], [AC_LIBOBJ(glob)
-    AC_MSG_RESULT(no)])], [AC_LIBOBJ(glob)])
 AC_CHECK_FUNCS(lockf flock, [break])
 AC_CHECK_FUNCS(lockf flock, [break])
-AC_CHECK_FUNCS(waitpid wait3, [break])
 AC_CHECK_FUNCS(innetgr _innetgr, [AC_CHECK_FUNCS(getdomainname) [break]])
 AC_CHECK_FUNCS(utimes, [AC_CHECK_FUNCS(futimes futimesat, [break])], [AC_CHECK_FUNCS(futime) AC_LIBOBJ(utimes)])
 AC_CHECK_FUNCS(innetgr _innetgr, [AC_CHECK_FUNCS(getdomainname) [break]])
 AC_CHECK_FUNCS(utimes, [AC_CHECK_FUNCS(futimes futimesat, [break])], [AC_CHECK_FUNCS(futime) AC_LIBOBJ(utimes)])
-SUDO_FUNC_FNMATCH([AC_DEFINE(HAVE_FNMATCH)], [AC_LIBOBJ(fnmatch)])
+AC_CHECK_FUNCS(killpg, [], [AC_LIBOBJ(killpg)])
+SUDO_FUNC_FNMATCH([AC_DEFINE(HAVE_FNMATCH)], [AC_LIBOBJ(fnmatch)
+    COMPAT_TEST_PROGS="${COMPAT_TEST_PROGS}${COMPAT_TEST_PROGS+ }fnm_test"
+])
 SUDO_FUNC_ISBLANK
 SUDO_FUNC_ISBLANK
-AC_REPLACE_FUNCS(memrchr strerror strcasecmp sigaction strlcpy strlcat)
+AC_REPLACE_FUNCS(memrchr pw_dup strlcpy strlcat)
+AC_CHECK_FUNCS(nanosleep, [], [
+    # On Solaris, nanosleep is in librt
+    AC_CHECK_LIB(rt, nanosleep, [REPLAY_LIBS="${REPLAY_LIBS} -lrt"], [AC_LIBOBJ(nanosleep)])
+])
 AC_CHECK_FUNCS(closefrom, [], [AC_LIBOBJ(closefrom)
     AC_CHECK_DECL(F_CLOSEM, AC_DEFINE(HAVE_FCNTL_CLOSEM), [],
        [ #include <limits.h>
          #include <fcntl.h> ])
 ])
 AC_CHECK_FUNCS(closefrom, [], [AC_LIBOBJ(closefrom)
     AC_CHECK_DECL(F_CLOSEM, AC_DEFINE(HAVE_FCNTL_CLOSEM), [],
        [ #include <limits.h>
          #include <fcntl.h> ])
 ])
-AC_CHECK_FUNCS(mkstemp, [], [SUDO_OBJS="${SUDO_OBJS} mkstemp.o"
+AC_CHECK_FUNCS(mkstemps mkdtemp, [], [
     AC_CHECK_FUNCS(random lrand48, [break])
     AC_CHECK_FUNCS(random lrand48, [break])
+    AC_LIBOBJ(mktemp)
 ])
 AC_CHECK_FUNCS(snprintf vsnprintf asprintf vasprintf, , [NEED_SNPRINTF=1])
 if test X"$ac_cv_type_struct_timespec" != X"no"; then
     AC_CHECK_MEMBER([struct stat.st_mtim], [AC_DEFINE(HAVE_ST_MTIM)]
        [AC_CHECK_MEMBER([struct stat.st_mtim.st__tim], AC_DEFINE(HAVE_ST__TIM))],
        [AC_CHECK_MEMBER([struct stat.st_mtimespec], AC_DEFINE([HAVE_ST_MTIMESPEC]))])
 ])
 AC_CHECK_FUNCS(snprintf vsnprintf asprintf vasprintf, , [NEED_SNPRINTF=1])
 if test X"$ac_cv_type_struct_timespec" != X"no"; then
     AC_CHECK_MEMBER([struct stat.st_mtim], [AC_DEFINE(HAVE_ST_MTIM)]
        [AC_CHECK_MEMBER([struct stat.st_mtim.st__tim], AC_DEFINE(HAVE_ST__TIM))],
        [AC_CHECK_MEMBER([struct stat.st_mtimespec], AC_DEFINE([HAVE_ST_MTIMESPEC]))])
-    AC_MSG_CHECKING([for two-parameter timespecsub])
-    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <sys/types.h>
-#include <sys/time.h>]], [[struct timespec ts1, ts2;
-ts1.tv_sec = 1; ts1.tv_nsec = 0; ts2.tv_sec = 0; ts2.tv_nsec = 0;
-#ifndef timespecsub
-#error missing timespecsub
-#endif
-timespecsub(&ts1, &ts2);]])], [AC_DEFINE(HAVE_TIMESPECSUB2)
-    AC_MSG_RESULT(yes)], [AC_MSG_RESULT(no)])
 fi
 dnl
 dnl Check for the dirfd function/macro.  If not found, look for dd_fd in DIR.
 dnl
 AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <sys/types.h>
 fi
 dnl
 dnl Check for the dirfd function/macro.  If not found, look for dd_fd in DIR.
 dnl
 AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <sys/types.h>
-#include <$ac_header_dirent>]], [[DIR *d; (void)dirfd(d);]])], [AC_DEFINE(HAVE_DIRFD)], [AC_TRY_LINK([#include <sys/types.h>
-#include <$ac_header_dirent>], [DIR d; memset(&d, 0, sizeof(d)); return(d.dd_fd);], [AC_DEFINE(HAVE_DD_FD)])])
+#include <$ac_header_dirent>]], [[DIR *d; (void)dirfd(d);]])], [AC_DEFINE(HAVE_DIRFD)], [AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <sys/types.h>
+#include <$ac_header_dirent>]], [[DIR d; memset(&d, 0, sizeof(d)); return(d.dd_fd);]])], [AC_DEFINE(HAVE_DD_FD)], [])])
+AC_CHECK_MEMBERS([struct dirent.d_type], [], [], [
+AC_INCLUDES_DEFAULT
+#include <$ac_header_dirent>
+])
 dnl
 dnl If NEED_SNPRINTF is set, add snprintf.c to LIBOBJS
 dnl (it contains snprintf, vsnprintf, asprintf, and vasprintf)
 dnl
 dnl If NEED_SNPRINTF is set, add snprintf.c to LIBOBJS
 dnl (it contains snprintf, vsnprintf, asprintf, and vasprintf)
@@ -1909,20 +2272,88 @@ fi
 dnl
 dnl If socket(2) not in libc, check -lsocket and -linet
 dnl May need to link with *both* -lnsl and -lsocket due to unresolved symbols
 dnl
 dnl If socket(2) not in libc, check -lsocket and -linet
 dnl May need to link with *both* -lnsl and -lsocket due to unresolved symbols
-dnl In this case we look for main(), not socket() to avoid using a cached value
 dnl
 dnl
-AC_CHECK_FUNC(socket, , [AC_CHECK_LIB(socket, socket, [NET_LIBS="${NET_LIBS} -lsocket"; LIBS="${LIBS} -lsocket"], AC_CHECK_LIB(inet, socket, [NET_LIBS="${NET_LIBS} -linet"; LIBS="${LIBS} -linet"], AC_MSG_WARN(unable to find socket() trying -lsocket -lnsl)
-AC_CHECK_LIB(socket, socket, [NET_LIBS="${NET_LIBS} -lsocket -lnsl"; LIBS="${LIBS} -lsocket -lnsl"], , -lnsl)))])
+AC_CHECK_FUNC(socket, [], [
+    for libs in "-lsocket" "-linet" "-lsocket -lnsl"; do
+       _libs=
+       for lib in $libs; do
+           case "$NET_LIBS" in
+               *"$lib"*)   ;;
+               *)          _libs="$_libs $lib";;
+           esac
+       done
+       libs="${_libs# }"
+       test -z "$libs" && continue
+       lib="`echo \"$libs\"|sed -e 's/^-l//' -e 's/ .*$//'`"
+       extralibs="`echo \"$libs\"|sed 's/^-l[[^ ]]*//'`"
+       SUDO_CHECK_LIB($lib, socket, [NET_LIBS="${NET_LIBS} $libs"; LIBS="${LIBS} $libs"; break], [], [$extralibs])
+    done
+])
 dnl
 dnl If inet_addr(3) not in libc, check -lnsl and -linet
 dnl May need to link with *both* -lnsl and -lsocket due to unresolved symbols
 dnl
 dnl
 dnl If inet_addr(3) not in libc, check -lnsl and -linet
 dnl May need to link with *both* -lnsl and -lsocket due to unresolved symbols
 dnl
-AC_CHECK_FUNC(inet_addr, , [AC_CHECK_FUNC(__inet_addr, , AC_CHECK_LIB(nsl, inet_addr, [NET_LIBS="${NET_LIBS} -lnsl"; LIBS="${LIBS} -lnsl"], AC_CHECK_LIB(inet, inet_addr, [NET_LIBS="${NET_LIBS} -linet"; LIBS="${LIBS} -linet"], AC_MSG_WARN(unable to find inet_addr() trying -lsocket -lnsl)
-AC_CHECK_LIB(socket, inet_addr, [NET_LIBS="${NET_LIBS} -lsocket -lnsl"; LIBS="${LIBS} -lsocket -lnsl"], , -lnsl))))])
+AC_CHECK_FUNC(inet_addr, [], [
+    AC_CHECK_FUNC(__inet_addr, [], [
+       for libs in "-lsocket" "-linet" "-lsocket -lnsl"; do
+           _libs=
+           for lib in $libs; do
+               case "$NET_LIBS" in
+                   *"$lib"*)   ;;
+                   *)          _libs="$_libs $lib";;
+               esac
+           done
+           libs="${_libs# }"
+           test -z "$libs" && continue
+           lib="`echo \"$libs\"|sed -e 's/^-l//' -e 's/ .*$//'`"
+           extralibs="`echo \"$libs\"|sed 's/^-l[[^ ]]*//'`"
+           SUDO_CHECK_LIB($lib, inet_addr, [NET_LIBS="${NET_LIBS} $libs"; LIBS="${LIBS} $libs"; break], [], [$extralibs])
+       done
+    ])
+])
 dnl
 dnl If syslog(3) not in libc, check -lsocket, -lnsl and -linet
 dnl
 dnl
 dnl If syslog(3) not in libc, check -lsocket, -lnsl and -linet
 dnl
-AC_CHECK_FUNC(syslog, , [AC_CHECK_LIB(socket, syslog, [NET_LIBS="${NET_LIBS} -lsocket"; LIBS="${LIBS} -lsocket"], AC_CHECK_LIB(nsl, syslog, [NET_LIBS="${NET_LIBS} -lnsl"; LIBS="${LIBS} -lnsl"], AC_CHECK_LIB(inet, syslog, [NET_LIBS="${NET_LIBS} -linet"; LIBS="${LIBS} -linet"])))])
+AC_CHECK_FUNC(syslog, [], [
+    for libs in "-lsocket" "-linet" "-lsocket -lnsl"; do
+       _libs=
+       for lib in $libs; do
+           case "$NET_LIBS" in
+               *"$lib"*)   ;;
+               *)          _libs="$_libs $lib";;
+           esac
+       done
+       libs="${_libs# }"
+       test -z "$libs" && continue
+       lib="`echo \"$libs\"|sed -e 's/^-l//' -e 's/ .*$//'`"
+       extralibs="`echo \"$libs\"|sed 's/^-l[[^ ]]*//'`"
+       SUDO_CHECK_LIB($lib, syslog, [NET_LIBS="${NET_LIBS} $libs"; LIBS="${LIBS} $libs"; break], [], [$extralibs])
+    done
+])
+dnl
+dnl If getaddrinfo(3) not in libc, check -lsocket and -linet
+dnl May need to link with *both* -lnsl and -lsocket due to unresolved symbols.
+dnl
+AC_CHECK_FUNCS(getaddrinfo, [], [
+    found=no
+    for libs in "-lsocket" "-linet" "-lsocket -lnsl"; do
+       _libs=
+       for lib in $libs; do
+           case "$NET_LIBS" in
+               *"$lib"*)   ;;
+               *)          _libs="$_libs $lib";;
+           esac
+       done
+       libs="${_libs# }"
+       test -z "$libs" && continue
+       lib="`echo \"$libs\"|sed -e 's/^-l//' -e 's/ .*$//'`"
+       extralibs="`echo \"$libs\"|sed 's/^-l[[^ ]]*//'`"
+       SUDO_CHECK_LIB($lib, getaddrinfo, [NET_LIBS="${NET_LIBS} $libs"; LIBS="${LIBS} $libs"; found=yes; break], [], [$extralibs])
+    done
+    if test X"$found" != X"no"; then
+       AC_DEFINE(HAVE_GETADDRINFO)
+    fi
+])
 dnl
 dnl Check for getprogname() or __progname
 dnl
 dnl
 dnl Check for getprogname() or __progname
 dnl
@@ -1937,12 +2368,152 @@ AC_CHECK_FUNCS(getprogname, , [
     fi
     AC_MSG_RESULT($sudo_cv___progname)
 ])
     fi
     AC_MSG_RESULT($sudo_cv___progname)
 ])
+dnl
+dnl Check for __func__ or __FUNCTION__
+dnl
+AC_MSG_CHECKING([for __func__])
+AC_CACHE_VAL(sudo_cv___func__, [
+AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[(void)puts(__func__);]])], [sudo_cv___func__=yes], [sudo_cv___func__=no])])
+AC_MSG_RESULT($sudo_cv___func__)
+if test "$sudo_cv___func__" = "yes"; then
+    AC_DEFINE(HAVE___FUNC__)
+elif test -n "$GCC"; then
+    AC_MSG_CHECKING([for __FUNCTION__])
+    AC_CACHE_VAL(sudo_cv___FUNCTION__, [
+    AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[(void)puts(__FUNCTION__);]])], [sudo_cv___FUNCTION__=yes], [sudo_cv___FUNCTION__=no])])
+    AC_MSG_RESULT($sudo_cv___FUNCTION__)
+    if test "$sudo_cv___FUNCTION__" = "yes"; then
+       AC_DEFINE(HAVE___FUNC__)
+       AC_DEFINE(__func__, __FUNCTION__, [Define to __FUNCTION__ if your compiler support __FUNCTION__ but not __func__])
+    fi
+fi
+
+# gettext() and friends may be located in libc (Linux and Solaris)
+# or in libintl.  However, it is possible to have libintl installed
+# even when gettext() is present in libc.  In the case of GNU libintl,
+# gettext() will be defined to gettext_libintl in libintl.h.
+# Since gcc prefers /usr/local/include to /usr/include, we need to
+# make sure we use the gettext() that matches the include file.
+if test "$enable_nls" != "no"; then
+    if test "$enable_nls" != "yes"; then
+       CPPFLAGS="${CPPFLAGS} -I${enable_nls}/include"
+       SUDO_APPEND_LIBPATH(LDFLAGS, [$enable_nls/lib])
+    fi
+    OLIBS="$LIBS"
+    for l in "libc" "-lintl" "-lintl -liconv"; do
+       if test "$l" = "libc"; then
+           # If user specified a dir for libintl ignore libc
+           if test "$enable_nls" != "yes"; then
+               continue
+           fi
+           gettext_name=sudo_cv_gettext
+           AC_MSG_CHECKING([for gettext])
+       else
+           LIBS="$OLIBS $l"
+           gettext_name=sudo_cv_gettext"`echo $l|sed -e 's/ //g' -e 's/-/_/g'`"
+           AC_MSG_CHECKING([for gettext in $l])
+       fi
+       AC_CACHE_VAL($gettext_name, [
+               AC_LINK_IFELSE(
+                   [
+                       AC_LANG_PROGRAM([[#include <libintl.h>]], [(void)gettext((char *)0);])
+                   ], [eval $gettext_name=yes], [eval $gettext_name=no]
+               )
+       ])
+       eval gettext_result="\$$gettext_name"
+       AC_MSG_RESULT($gettext_result)
+       test "$gettext_result" = "yes" && break
+    done
+    LIBS="$OLIBS"
+
+    if test "$sudo_cv_gettext" = "yes"; then
+       AC_DEFINE(HAVE_LIBINTL_H)
+       SUDO_NLS=enabled
+    elif test "$sudo_cv_gettext_lintl" = "yes"; then
+       AC_DEFINE(HAVE_LIBINTL_H)
+       SUDO_NLS=enabled
+       LIBINTL="-lintl"
+    elif test "$sudo_cv_gettext_lintl_liconv" = "yes"; then
+       AC_DEFINE(HAVE_LIBINTL_H)
+       SUDO_NLS=enabled
+       LIBINTL="-lintl -liconv"
+    fi
+fi
+
+dnl
+dnl Deferred zlib option processing.
+dnl By default we use the system zlib if it is present.
+dnl If a directory was specified for zlib (or we are use sudo's version),
+dnl prepend the include dir to make sure we get the right zlib header.
+dnl
+case "$enable_zlib" in
+    yes)
+       AC_CHECK_LIB(z, gzdopen, [
+           AC_CHECK_HEADERS(zlib.h, [ZLIB="-lz"], [enable_zlib=builtin])
+       ])
+       ;;
+    no)
+       ;;
+    system)
+       AC_DEFINE(HAVE_ZLIB_H)
+       ZLIB="-lz"
+       ;;
+    builtin)
+       # handled below
+       ;;
+    *)
+       AC_DEFINE(HAVE_ZLIB_H)
+       CPPFLAGS="-I${enable_zlib}/include ${CPPFLAGS}"
+       SUDO_APPEND_LIBPATH(ZLIB, [$enable_zlib/lib])
+       ZLIB="${ZLIB} -lz"
+       ;;
+esac
+if test X"$enable_zlib" = X"builtin"; then
+    AC_DEFINE(HAVE_ZLIB_H)
+    CPPFLAGS='-I$(top_builddir)/zlib -I$(top_srcdir)/zlib '"${CPPFLAGS}"
+    ZLIB="${ZLIB}"' $(top_builddir)/zlib/libz.la'
+    ZLIB_SRC=zlib
+    AC_CONFIG_HEADER([zlib/zconf.h])
+    AC_CONFIG_FILES([zlib/Makefile])
+fi
+
+dnl
+dnl Check for errno declaration in errno.h
+dnl
+AC_CHECK_DECLS([errno], [], [], [
+AC_INCLUDES_DEFAULT
+#include <errno.h>
+])
+
+dnl
+dnl Check for h_errno declaration in netdb.h
+dnl
+AC_CHECK_DECLS([h_errno], [], [], [
+AC_INCLUDES_DEFAULT
+#include <netdb.h>
+])
+
+dnl
+dnl Check for strsignal() or sys_siglist
+dnl
+AC_CHECK_FUNCS(strsignal, [], [
+    AC_LIBOBJ(strsignal)
+    HAVE_SIGLIST="false"
+    AC_CHECK_DECLS([sys_siglist, _sys_siglist, __sys_siglist], [
+       HAVE_SIGLIST="true"
+       break
+    ], [ ], [
+AC_INCLUDES_DEFAULT
+#include <signal.h>
+    ])
+    if test "$HAVE_SIGLIST" != "true"; then
+       AC_LIBOBJ(siglist)
+    fi
+])
 
 dnl
 dnl nsswitch.conf and its equivalents
 dnl
 
 dnl
 dnl nsswitch.conf and its equivalents
 dnl
-netsvc_conf='/etc/netsvc.conf'
-nsswitch_conf='/etc/nsswitch.conf'
 if test ${with_netsvc-"no"} != "no"; then
     SUDO_DEFINE_UNQUOTED(_PATH_NETSVC_CONF, "${with_netsvc-/etc/netsvc.conf}")
     netsvc_conf=${with_netsvc-/etc/netsvc.conf}
 if test ${with_netsvc-"no"} != "no"; then
     SUDO_DEFINE_UNQUOTED(_PATH_NETSVC_CONF, "${with_netsvc-/etc/netsvc.conf}")
     netsvc_conf=${with_netsvc-/etc/netsvc.conf}
@@ -1976,21 +2547,60 @@ dnl PAM support.  Systems that use PAM by default set with_pam=default
 dnl and we do the actual tests here.
 dnl
 if test ${with_pam-"no"} != "no"; then
 dnl and we do the actual tests here.
 dnl
 if test ${with_pam-"no"} != "no"; then
-    dnl
-    dnl Linux may need this
-    dnl
-    AC_CHECK_LIB([dl], [main], [SUDO_LIBS="${SUDO_LIBS} -lpam -ldl"], [SUDO_LIBS="${SUDO_LIBS} -lpam"])
-    ac_cv_lib_dl=ac_cv_lib_dl_main
+    #
+    # Check for pam_start() in libpam first, then for pam_appl.h.
+    #
+    found_pam_lib=no
+    AC_CHECK_LIB(pam, pam_start, [found_pam_lib=yes], [], [$lt_cv_dlopen_libs])
+    #
+    # Some PAM implementations (MacOS X for example) put the PAM headers
+    # in /usr/include/pam instead of /usr/include/security...
+    #
+    found_pam_hdrs=no
+    AC_CHECK_HEADERS([security/pam_appl.h] [pam/pam_appl.h], [found_pam_hdrs=yes; break])
+    if test "$found_pam_lib" = "yes" -a "$found_pam_hdrs" = "yes"; then
+       # Found both PAM libs and headers
+       with_pam=yes
+    elif test "$with_pam" = "yes"; then
+       if test "$found_pam_lib" = "no"; then
+           AC_MSG_ERROR(["--with-pam specified but unable to locate PAM development library."])
+       fi
+       if test "$found_pam_hdrs" = "no"; then
+           AC_MSG_ERROR(["--with-pam specified but unable to locate PAM development headers."])
+       fi
+    elif test "$found_pam_lib" != "$found_pam_hdrs"; then
+       if test "$found_pam_lib" = "no"; then
+           AC_MSG_ERROR(["found PAM headers but no PAM development library; specify --without-pam to build without PAM"])
+       fi
+       if test "$found_pam_hdrs" = "no"; then
+           AC_MSG_ERROR(["found PAM library but no PAM development headers; specify --without-pam to build without PAM"])
+       fi
+    fi
 
 
-    dnl
-    dnl Some PAM implementations (MacOS X for example) put the PAM headers
-    dnl in /usr/include/pam instead of /usr/include/security...
-    dnl
-    AC_CHECK_HEADERS([security/pam_appl.h] [pam/pam_appl.h], [with_pam=yes; break])
     if test "$with_pam" = "yes"; then
     if test "$with_pam" = "yes"; then
+       # Older PAM implementations lack pam_getenvlist
+       OLIBS="$LIBS"
+       LIBS="$LIBS -lpam $lt_cv_dlopen_libs"
+       AC_CHECK_FUNCS(pam_getenvlist)
+       LIBS="$OLIBS"
+
+       # We already link with -ldl if needed (see LIBDL below)
+       SUDOERS_LIBS="${SUDOERS_LIBS} -lpam"
        AC_DEFINE(HAVE_PAM)
        AC_DEFINE(HAVE_PAM)
-       AUTH_OBJS="$AUTH_OBJS pam.o";
+       AUTH_OBJS="$AUTH_OBJS pam.lo";
        AUTH_EXCL=PAM
        AUTH_EXCL=PAM
+
+       AC_ARG_WITH(pam-login, [AS_HELP_STRING([--with-pam-login], [enable specific PAM session for sudo -i])],
+       [case $with_pam_login in
+           yes)        AC_DEFINE([HAVE_PAM_LOGIN])
+                       AC_MSG_CHECKING(whether to use PAM login)
+                       AC_MSG_RESULT(yes)
+                       ;;
+           no)         ;;
+           *)          AC_MSG_ERROR(["--with-pam-login does not take an argument."])
+                       ;;
+       esac])
+
        AC_MSG_CHECKING(whether to use PAM session support)
        AC_ARG_ENABLE(pam_session,
        [AS_HELP_STRING([--disable-pam-session], [Disable PAM session support])],
        AC_MSG_CHECKING(whether to use PAM session support)
        AC_ARG_ENABLE(pam_session,
        [AS_HELP_STRING([--disable-pam-session], [Disable PAM session support])],
@@ -1998,24 +2608,12 @@ if test ${with_pam-"no"} != "no"; then
                yes)    AC_MSG_RESULT(yes)
                        ;;
                no)             AC_MSG_RESULT(no)
                yes)    AC_MSG_RESULT(yes)
                        ;;
                no)             AC_MSG_RESULT(no)
-                           AC_DEFINE([NO_PAM_SESSION], [], [PAM session support disabled])
+                           AC_DEFINE(NO_PAM_SESSION)
                            ;;
                *)              AC_MSG_RESULT(no)
                            AC_MSG_WARN([Ignoring unknown argument to --enable-pam-session: $enableval])
                            ;;
            esac], AC_MSG_RESULT(yes))
                            ;;
                *)              AC_MSG_RESULT(no)
                            AC_MSG_WARN([Ignoring unknown argument to --enable-pam-session: $enableval])
                            ;;
            esac], AC_MSG_RESULT(yes))
-       case $host in
-           *-*-linux*|*-*-solaris*)
-                   # dgettext() may be defined to dgettext_libintl in the
-                   # header file, so first check that it links w/ additional
-                   # libs, then try with -lintl
-                   AC_LINK_IFELSE([AC_LANG_PROGRAM(
-                   [[#include <libintl.h>]], [(void)dgettext((char *)0, (char *)0);])],
-                   [AC_DEFINE(HAVE_DGETTEXT)],
-                   [AC_CHECK_LIB(intl, dgettext, [LIBS="${LIBS} -lintl"]
-                       [AC_DEFINE(HAVE_DGETTEXT)])])
-                   ;;
-       esac
     fi
 fi
 
     fi
 fi
 
@@ -2027,8 +2625,8 @@ if test ${with_aixauth-'no'} != "no"; then
     if test X"$with_aixauth" != X"maybe" -o X"$AUTH_EXCL" = X""; then
        AC_MSG_NOTICE([using AIX general authentication])
        AC_DEFINE(HAVE_AIXAUTH)
     if test X"$with_aixauth" != X"maybe" -o X"$AUTH_EXCL" = X""; then
        AC_MSG_NOTICE([using AIX general authentication])
        AC_DEFINE(HAVE_AIXAUTH)
-       AUTH_OBJS="$AUTH_OBJS aix_auth.o";
-       SUDO_LIBS="${SUDO_LIBS} -ls"
+       AUTH_OBJS="$AUTH_OBJS aix_auth.lo";
+       SUDOERS_LIBS="${SUDOERS_LIBS} -ls"
        AUTH_EXCL=AIX_AUTH
     fi
 fi
        AUTH_EXCL=AIX_AUTH
     fi
 fi
@@ -2039,9 +2637,9 @@ dnl If set to "maybe" only enable if no other exclusive method in use.
 dnl
 if test ${with_bsdauth-'no'} != "no"; then
     AC_CHECK_HEADER(bsd_auth.h, AC_DEFINE(HAVE_BSD_AUTH_H)
 dnl
 if test ${with_bsdauth-'no'} != "no"; then
     AC_CHECK_HEADER(bsd_auth.h, AC_DEFINE(HAVE_BSD_AUTH_H)
-       [AUTH_OBJS="$AUTH_OBJS bsdauth.o"]
+       [AUTH_OBJS="$AUTH_OBJS bsdauth.lo"]
        [BSDAUTH_USAGE='[[-a auth_type]] ']
        [BSDAUTH_USAGE='[[-a auth_type]] ']
-       [AUTH_EXCL=BSD_AUTH; BAMAN=""],
+       [AUTH_EXCL=BSD_AUTH; BAMAN=1],
        [AC_MSG_ERROR([BSD authentication was specified but bsd_auth.h could not be found])])
 fi
 
        [AC_MSG_ERROR([BSD authentication was specified but bsd_auth.h could not be found])])
 fi
 
@@ -2052,7 +2650,7 @@ if test ${CHECKSIA-'false'} = "true"; then
     AC_CHECK_FUNCS(sia_ses_init, [found=true], [found=false])
     if test "$found" = "true"; then
        AUTH_EXCL=SIA
     AC_CHECK_FUNCS(sia_ses_init, [found=true], [found=false])
     if test "$found" = "true"; then
        AUTH_EXCL=SIA
-       AUTH_OBJS="$AUTH_OBJS sia.o"
+       AUTH_OBJS="$AUTH_OBJS sia.lo"
     fi
 fi
 
     fi
 fi
 
@@ -2061,12 +2659,12 @@ dnl extra FWTK libs + includes
 dnl
 if test ${with_fwtk-'no'} != "no"; then
     if test "$with_fwtk" != "yes"; then
 dnl
 if test ${with_fwtk-'no'} != "no"; then
     if test "$with_fwtk" != "yes"; then
-       SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [${with_fwtk}])
+       SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [${with_fwtk}])
        CPPFLAGS="${CPPFLAGS} -I${with_fwtk}"
        with_fwtk=yes
     fi
        CPPFLAGS="${CPPFLAGS} -I${with_fwtk}"
        with_fwtk=yes
     fi
-    SUDO_LIBS="${SUDO_LIBS} -lauth -lfwall"
-    AUTH_OBJS="$AUTH_OBJS fwtk.o"
+    SUDOERS_LIBS="${SUDOERS_LIBS} -lauth -lfwall"
+    AUTH_OBJS="$AUTH_OBJS fwtk.lo"
 fi
 
 dnl
 fi
 
 dnl
@@ -2081,27 +2679,9 @@ if test ${with_SecurID-'no'} != "no"; then
        with_SecurID=/usr/ace
     fi
     CPPFLAGS="${CPPFLAGS} -I${with_SecurID}"
        with_SecurID=/usr/ace
     fi
     CPPFLAGS="${CPPFLAGS} -I${with_SecurID}"
-    _LDFLAGS="${LDFLAGS}"
     SUDO_APPEND_LIBPATH(LDFLAGS, [${with_SecurID}])
     SUDO_APPEND_LIBPATH(LDFLAGS, [${with_SecurID}])
-    #
-    # Determine whether to use the new or old SecurID API
-    #
-    AC_CHECK_LIB(aceclnt, SD_Init,
-       [
-           AUTH_OBJS="$AUTH_OBJS securid5.o";
-           SUDO_LIBS="${SUDO_LIBS} -laceclnt -lpthread"
-       ]
-       [
-           SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [${with_SecurID}])
-       ], [
-           AUTH_OBJS="$AUTH_OBJS securid.o";
-           SUDO_LIBS="${SUDO_LIBS} ${with_SecurID}/sdiclient.a"
-       ],
-       [
-           -lpthread
-       ]
-    )
-    LDFLAGS="${_LDFLAGS}"
+    SUDOERS_LIBS="${SUDOERS_LIBS} -laceclnt -lpthread"
+    AUTH_OBJS="$AUTH_OBJS securid5.lo";
 fi
 
 dnl
 fi
 
 dnl
@@ -2121,65 +2701,6 @@ if test -z "${AUTH_EXCL}" -a -n "$AUTH_DEF"; then
     done
 fi
 
     done
 fi
 
-dnl
-dnl Kerberos IV
-dnl
-if test ${with_kerb4-'no'} != "no"; then
-    AC_DEFINE(HAVE_KERB4)
-    dnl
-    dnl Use the specified directory, if any, else search for correct inc dir
-    dnl
-    O_LDFLAGS="$LDFLAGS"
-    if test "$with_kerb4" = "yes"; then
-       found=no
-       O_CPPFLAGS="$CPPFLAGS"
-       for dir in "" "kerberosIV/" "krb4/" "kerberos4/" "kerberosv4/"; do
-           CPPFLAGS="$O_CPPFLAGS -I/usr/include/${dir}"
-           AC_PREPROC_IFELSE([#include <krb.h>], [found=yes; break])
-       done
-       test X"$found" = X"no" && CPPFLAGS="$O_CPPFLAGS"
-    else
-       SUDO_APPEND_LIBPATH(LDFLAGS, [${with_kerb4}/lib])
-       SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [${with_kerb4}/lib])
-       CPPFLAGS="$CPPFLAGS -I${with_kerb4}/include"
-       AC_CHECK_HEADER([krb.h], [found=yes], [found=no])
-    fi
-    if test X"$found" = X"no"; then
-       AC_MSG_WARN([Unable to locate Kerberos IV include files, you will have to edit the Makefile and add -I/path/to/krb/includes to CPPFLAGS])
-    fi
-
-    dnl
-    dnl Check for -ldes vs. -ldes425
-    dnl
-    AC_CHECK_LIB(des, des_cbc_encrypt, [K4LIBS="-ldes"], [
-       AC_CHECK_LIB(des425, des_cbc_encrypt, [K4LIBS="-ldes425"], [K4LIBS=""])
-    ])
-    dnl
-    dnl Try to determine whether we have KTH or MIT/CNS Kerberos IV
-    dnl
-    AC_MSG_CHECKING(whether we are using KTH Kerberos IV)
-    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <krb.h>]], [[const char *tmp = krb4_version;]])], [
-           AC_MSG_RESULT(yes)
-           K4LIBS="${K4LIBS} -lcom_err"
-           AC_CHECK_LIB(roken, main, [K4LIBS="${K4LIBS} -lroken"])
-       ], [
-           AC_MSG_RESULT(no)
-       ]
-    )
-    dnl
-    dnl The actual Kerberos IV lib might be -lkrb or -lkrb4
-    dnl
-    AC_CHECK_LIB(krb, main, [K4LIBS="-lkrb $K4LIBS"], [
-       AC_CHECK_LIB(krb4, main, [K4LIBS="-lkrb4 $K4LIBS"],
-           [K4LIBS="-lkrb $K4LIBS"]
-           [AC_MSG_WARN([Unable to locate Kerberos IV libraries, you will have to edit the Makefile and add -L/path/to/krb/libs to SUDO_LDFLAGS and possibly add Kerberos libs to SUDO_LIBS])]
-       , [$K4LIBS])
-    ], [$K4LIBS])
-    LDFLAGS="$O_LDFLAGS"
-    SUDO_LIBS="${SUDO_LIBS} $K4LIBS"
-    AUTH_OBJS="$AUTH_OBJS kerb4.o"
-fi
-
 dnl
 dnl Kerberos V
 dnl There is an easy way and a hard way...
 dnl
 dnl Kerberos V
 dnl There is an easy way and a hard way...
@@ -2188,9 +2709,9 @@ if test ${with_kerb5-'no'} != "no"; then
     AC_CHECK_PROG(KRB5CONFIG, krb5-config, yes, "")
     if test -n "$KRB5CONFIG"; then
        AC_DEFINE(HAVE_KERB5)
     AC_CHECK_PROG(KRB5CONFIG, krb5-config, yes, "")
     if test -n "$KRB5CONFIG"; then
        AC_DEFINE(HAVE_KERB5)
-       AUTH_OBJS="$AUTH_OBJS kerb5.o"
+       AUTH_OBJS="$AUTH_OBJS kerb5.lo"
        CPPFLAGS="$CPPFLAGS `krb5-config --cflags`"
        CPPFLAGS="$CPPFLAGS `krb5-config --cflags`"
-       SUDO_LIBS="$SUDO_LIBS `krb5-config --libs`"
+       SUDOERS_LIBS="$SUDOERS_LIBS `krb5-config --libs`"
        dnl
        dnl Try to determine whether we have Heimdal or MIT Kerberos
        dnl
        dnl
        dnl Try to determine whether we have Heimdal or MIT Kerberos
        dnl
@@ -2202,54 +2723,56 @@ if test ${with_kerb5-'no'} != "no"; then
                AC_MSG_RESULT(no)
            ]
        )
                AC_MSG_RESULT(no)
            ]
        )
-    fi
-fi
-if test ${with_kerb5-'no'} != "no" -a -z "$KRB5CONFIG"; then
-    AC_DEFINE(HAVE_KERB5)
-    dnl
-    dnl Use the specified directory, if any, else search for correct inc dir
-    dnl
-    if test "$with_kerb5" = "yes"; then
-       found=no
-       O_CPPFLAGS="$CPPFLAGS"
-       for dir in "" "kerberosV/" "krb5/" "kerberos5/" "kerberosv5/"; do
-           CPPFLAGS="$O_CPPFLAGS -I/usr/include/${dir}"
-           AC_PREPROC_IFELSE([#include <krb5.h>], [found=yes; break])
-       done
-       if test X"$found" = X"no"; then
-           CPPFLAGS="$O_CPPFLAGS"
-           AC_MSG_WARN([Unable to locate Kerberos V include files, you will have to edit the Makefile and add -I/path/to/krb/includes to CPPFLAGS])
-       fi
     else
     else
-       dnl XXX - try to include krb5.h here too
-       SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [${with_kerb5}/lib])
-       CPPFLAGS="$CPPFLAGS -I${with_kerb5}/include"
-    fi
+       AC_DEFINE(HAVE_KERB5)
+       dnl
+       dnl Use the specified directory, if any, else search for correct inc dir
+       dnl
+       if test "$with_kerb5" = "yes"; then
+           found=no
+           O_CPPFLAGS="$CPPFLAGS"
+           for dir in "" "kerberosV/" "krb5/" "kerberos5/" "kerberosv5/"; do
+               CPPFLAGS="$O_CPPFLAGS -I/usr/include/${dir}"
+               AC_PREPROC_IFELSE([AC_LANG_PROGRAM([[#include <krb5.h>]])], [found=yes; break])
+           done
+           if test X"$found" = X"no"; then
+               CPPFLAGS="$O_CPPFLAGS"
+               AC_MSG_WARN([Unable to locate Kerberos V include files, you will have to edit the Makefile and add -I/path/to/krb/includes to CPPFLAGS])
+           fi
+       else
+           dnl XXX - try to include krb5.h here too
+           SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [${with_kerb5}/lib])
+           CPPFLAGS="$CPPFLAGS -I${with_kerb5}/include"
+       fi
 
 
-    dnl
-    dnl Try to determine whether we have Heimdal or MIT Kerberos
-    dnl
-    AC_MSG_CHECKING(whether we are using Heimdal)
-    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <krb5.h>]], [[const char *tmp = heimdal_version;]])], [
-           AC_MSG_RESULT(yes)
-           AC_DEFINE(HAVE_HEIMDAL)
-           # XXX - need to check whether -lcrypo is needed!
-           SUDO_LIBS="${SUDO_LIBS} -lkrb5 -lcrypto -ldes -lcom_err -lasn1"
-           AC_CHECK_LIB(roken, main, [SUDO_LIBS="${SUDO_LIBS} -lroken"])
-       ], [
-           AC_MSG_RESULT(no)
-           SUDO_LIBS="${SUDO_LIBS} -lkrb5 -lk5crypto -lcom_err"
-           AC_CHECK_LIB(krb5support, main, [SUDO_LIBS="${SUDO_LIBS} -lkrb5support"])
-    ])
-    AUTH_OBJS="$AUTH_OBJS kerb5.o"
+       dnl
+       dnl Try to determine whether we have Heimdal or MIT Kerberos
+       dnl
+       AC_MSG_CHECKING(whether we are using Heimdal)
+       AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <krb5.h>]], [[const char *tmp = heimdal_version;]])], [
+               AC_MSG_RESULT(yes)
+               AC_DEFINE(HAVE_HEIMDAL)
+               # XXX - need to check whether -lcrypo is needed!
+               SUDOERS_LIBS="${SUDOERS_LIBS} -lkrb5 -lcrypto -ldes -lcom_err -lasn1"
+               AC_CHECK_LIB(roken, main, [SUDOERS_LIBS="${SUDOERS_LIBS} -lroken"])
+           ], [
+               AC_MSG_RESULT(no)
+               SUDOERS_LIBS="${SUDOERS_LIBS} -lkrb5 -lk5crypto -lcom_err"
+               AC_CHECK_LIB(krb5support, main, [SUDOERS_LIBS="${SUDOERS_LIBS} -lkrb5support"])
+       ])
+       AUTH_OBJS="$AUTH_OBJS kerb5.lo"
+    fi
     _LIBS="$LIBS"
     _LIBS="$LIBS"
-    LIBS="${LIBS} ${SUDO_LIBS}"
+    LIBS="${LIBS} ${SUDOERS_LIBS}"
     AC_CHECK_FUNCS(krb5_verify_user krb5_init_secure_context)
     AC_CHECK_FUNCS(krb5_get_init_creds_opt_alloc, [
        AC_CACHE_CHECK([whether krb5_get_init_creds_opt_free takes a context],
            sudo_cv_krb5_get_init_creds_opt_free_two_args, [
     AC_CHECK_FUNCS(krb5_verify_user krb5_init_secure_context)
     AC_CHECK_FUNCS(krb5_get_init_creds_opt_alloc, [
        AC_CACHE_CHECK([whether krb5_get_init_creds_opt_free takes a context],
            sudo_cv_krb5_get_init_creds_opt_free_two_args, [
-               AC_TRY_COMPILE([#include <krb5.h>],
-                   [krb5_get_init_creds_opt_free(NULL, NULL);],
+               AC_COMPILE_IFELSE(
+                   [AC_LANG_PROGRAM(
+                       [[#include <krb5.h>]],
+                       [[krb5_get_init_creds_opt_free(NULL, NULL);]]
+                   )],
                    [sudo_cv_krb5_get_init_creds_opt_free_two_args=yes],
                    [sudo_cv_krb5_get_init_creds_opt_free_two_args=no]
                )
                    [sudo_cv_krb5_get_init_creds_opt_free_two_args=yes],
                    [sudo_cv_krb5_get_init_creds_opt_free_two_args=no]
                )
@@ -2260,6 +2783,18 @@ if test ${with_kerb5-'no'} != "no" -a -z "$KRB5CONFIG"; then
        AC_DEFINE(HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS)
     fi
     LIBS="$_LIBS"
        AC_DEFINE(HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS)
     fi
     LIBS="$_LIBS"
+    AC_MSG_CHECKING(whether to use an instance name for Kerberos V)
+    AC_ARG_ENABLE(kerb5-instance,
+    [AS_HELP_STRING([--enable-kerb5-instance], [instance string to append to the username (separated by a slash)])],
+       [ case "$enableval" in
+           yes)        AC_MSG_ERROR(["must give --enable-kerb5-instance an argument."])
+                       ;;
+           no)         AC_MSG_RESULT(no)
+                       ;;
+           *)          SUDO_DEFINE_UNQUOTED(SUDO_KRB5_INSTANCE, "$enableval")
+                       AC_MSG_RESULT([$enableval])
+                       ;;
+       esac], AC_MSG_RESULT(no))
 fi
 
 dnl
 fi
 
 dnl
@@ -2271,12 +2806,12 @@ if test ${with_AFS-'no'} = "yes"; then
     AFSLIBDIRS="/usr/lib/afs /usr/afsws/lib /usr/afsws/lib/afs"
     for i in $AFSLIBDIRS; do
        if test -d ${i}; then
     AFSLIBDIRS="/usr/lib/afs /usr/afsws/lib /usr/afsws/lib/afs"
     for i in $AFSLIBDIRS; do
        if test -d ${i}; then
-           SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [$i])
+           SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [$i])
            FOUND_AFSLIBDIR=true
        fi
     done
     if test -z "$FOUND_AFSLIBDIR"; then
            FOUND_AFSLIBDIR=true
        fi
     done
     if test -z "$FOUND_AFSLIBDIR"; then
-       AC_MSG_WARN([Unable to locate AFS libraries, you will have to edit the Makefile and add -L/path/to/afs/libs to SUDO_LDFLAGS or rerun configure with the --with-libpath options.])
+       AC_MSG_WARN([Unable to locate AFS libraries, you will have to edit the Makefile and add -L/path/to/afs/libs to SUDOERS_LDFLAGS or rerun configure with the --with-libpath options.])
     fi
 
     # Order is important here.  Note that we build AFS_LIBS from right to left
     fi
 
     # Order is important here.  Note that we build AFS_LIBS from right to left
@@ -2306,7 +2841,7 @@ if test ${with_AFS-'no'} = "yes"; then
        AC_MSG_WARN([Unable to locate AFS include dir, you may have to edit the Makefile and add -I/path/to/afs/includes to CPPFLAGS or rerun configure with the --with-incpath options.])
     fi
 
        AC_MSG_WARN([Unable to locate AFS include dir, you may have to edit the Makefile and add -I/path/to/afs/includes to CPPFLAGS or rerun configure with the --with-incpath options.])
     fi
 
-    AUTH_OBJS="$AUTH_OBJS afs.o"
+    AUTH_OBJS="$AUTH_OBJS afs.lo"
 fi
 
 dnl
 fi
 
 dnl
@@ -2315,75 +2850,91 @@ dnl Order of libs in HP-UX 10.x is important, -ldce must be last.
 dnl
 if test ${with_DCE-'no'} = "yes"; then
     DCE_OBJS="${DCE_OBJS} dce_pwent.o"
 dnl
 if test ${with_DCE-'no'} = "yes"; then
     DCE_OBJS="${DCE_OBJS} dce_pwent.o"
-    SUDO_LIBS="${SUDO_LIBS} -ldce"
-    AUTH_OBJS="$AUTH_OBJS dce.o"
+    SUDOERS_LIBS="${SUDOERS_LIBS} -ldce"
+    AUTH_OBJS="$AUTH_OBJS dce.lo"
 fi
 
 dnl
 dnl extra S/Key lib and includes
 dnl
 fi
 
 dnl
 dnl extra S/Key lib and includes
 dnl
-if test ${with_skey-'no'} = "yes"; then
+if test "${with_skey-'no'}" = "yes"; then
     O_LDFLAGS="$LDFLAGS"
     if test "$with_skey" != "yes"; then
        CPPFLAGS="${CPPFLAGS} -I${with_skey}/include"
        SUDO_APPEND_LIBPATH(LDFLAGS, [${with_skey}/lib])
     O_LDFLAGS="$LDFLAGS"
     if test "$with_skey" != "yes"; then
        CPPFLAGS="${CPPFLAGS} -I${with_skey}/include"
        SUDO_APPEND_LIBPATH(LDFLAGS, [${with_skey}/lib])
-       SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [${with_skey}/lib])
-       AC_PREPROC_IFELSE([#include <skey.h>], [found=yes], [found=no])
+       SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [${with_skey}/lib])
+       AC_CHECK_HEADER([skey.h], [found=yes], [found=no], [#include <stdio.h>])
     else
        found=no
        O_CPPFLAGS="$CPPFLAGS"
        for dir in "" "/usr/local" "/usr/contrib"; do
            test -n "$dir" && CPPFLAGS="$O_CPPFLAGS -I${dir}/include"
     else
        found=no
        O_CPPFLAGS="$CPPFLAGS"
        for dir in "" "/usr/local" "/usr/contrib"; do
            test -n "$dir" && CPPFLAGS="$O_CPPFLAGS -I${dir}/include"
-           AC_PREPROC_IFELSE([#include <skey.h>], [found=yes; break])
+           AC_CHECK_HEADER([skey.h], [found=yes; break], [],
+               [#include <stdio.h>]) 
        done
        if test "$found" = "no" -o -z "$dir"; then
            CPPFLAGS="$O_CPPFLAGS"
        else
            SUDO_APPEND_LIBPATH(LDFLAGS, [${dir}/lib])
        done
        if test "$found" = "no" -o -z "$dir"; then
            CPPFLAGS="$O_CPPFLAGS"
        else
            SUDO_APPEND_LIBPATH(LDFLAGS, [${dir}/lib])
-           SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [${dir}/lib])
+           SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [${dir}/lib])
+       fi
+       if test "$found" = "no"; then
+           AC_MSG_WARN([Unable to locate skey.h, you will have to edit the Makefile and add -I/path/to/skey/includes to CPPFLAGS])
        fi
     fi
        fi
     fi
-    if test "$found" = "no"; then
-       AC_MSG_WARN([Unable to locate skey.h, you will have to edit the Makefile and add -I/path/to/skey/includes to CPPFLAGS])
-    fi
-    AC_CHECK_LIB(skey, main, [found=yes], [AC_MSG_WARN([Unable to locate libskey.a, you will have to edit the Makefile and add -L/path/to/skey/lib to SUDO_LDFLAGS])])
+    AC_CHECK_LIB(skey, main, [found=yes], [AC_MSG_WARN([Unable to locate libskey.a, you will have to edit the Makefile and add -L/path/to/skey/lib to SUDOERS_LDFLAGS])])
     AC_CHECK_LIB(skey, skeyaccess, AC_DEFINE(HAVE_SKEYACCESS))
     AC_CHECK_LIB(skey, skeyaccess, AC_DEFINE(HAVE_SKEYACCESS))
+
+    AC_MSG_CHECKING([for RFC1938-compliant skeychallenge])
+    AC_COMPILE_IFELSE(
+       [AC_LANG_PROGRAM(
+           [[#include <stdio.h>
+           #include <skey.h>]],
+           [[skeychallenge(NULL, NULL, NULL, 0);]]
+       )], [
+           AC_DEFINE(HAVE_RFC1938_SKEYCHALLENGE)
+           AC_MSG_RESULT([yes])
+       ], [
+           AC_MSG_RESULT([no])
+       ]
+    )
+
     LDFLAGS="$O_LDFLAGS"
     LDFLAGS="$O_LDFLAGS"
-    SUDO_LIBS="${SUDO_LIBS} -lskey"
-    AUTH_OBJS="$AUTH_OBJS rfc1938.o"
+    SUDOERS_LIBS="${SUDOERS_LIBS} -lskey"
+    AUTH_OBJS="$AUTH_OBJS rfc1938.lo"
 fi
 
 dnl
 dnl extra OPIE lib and includes
 dnl
 fi
 
 dnl
 dnl extra OPIE lib and includes
 dnl
-if test ${with_opie-'no'} = "yes"; then
+if test "${with_opie-'no'}" = "yes"; then
     O_LDFLAGS="$LDFLAGS"
     if test "$with_opie" != "yes"; then
        CPPFLAGS="${CPPFLAGS} -I${with_opie}/include"
        SUDO_APPEND_LIBPATH(LDFLAGS, [${with_opie}/lib])
     O_LDFLAGS="$LDFLAGS"
     if test "$with_opie" != "yes"; then
        CPPFLAGS="${CPPFLAGS} -I${with_opie}/include"
        SUDO_APPEND_LIBPATH(LDFLAGS, [${with_opie}/lib])
-       SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [${with_opie}/lib])
-       AC_PREPROC_IFELSE([#include <opie.h>], [found=yes], [found=no])
+       SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [${with_opie}/lib])
+       AC_PREPROC_IFELSE([AC_LANG_PROGRAM([[#include <opie.h>]])], [found=yes], [found=no])
     else
        found=no
        O_CPPFLAGS="$CPPFLAGS"
        for dir in "" "/usr/local" "/usr/contrib"; do
            test -n "$dir" && CPPFLAGS="$O_CPPFLAGS -I${dir}/include"
     else
        found=no
        O_CPPFLAGS="$CPPFLAGS"
        for dir in "" "/usr/local" "/usr/contrib"; do
            test -n "$dir" && CPPFLAGS="$O_CPPFLAGS -I${dir}/include"
-           AC_PREPROC_IFELSE([#include <opie.h>], [found=yes; break])
+           AC_PREPROC_IFELSE([AC_LANG_PROGRAM([[#include <opie.h>]])], [found=yes; break])
        done
        if test "$found" = "no" -o -z "$dir"; then
            CPPFLAGS="$O_CPPFLAGS"
        else
            SUDO_APPEND_LIBPATH(LDFLAGS, [${dir}/lib])
        done
        if test "$found" = "no" -o -z "$dir"; then
            CPPFLAGS="$O_CPPFLAGS"
        else
            SUDO_APPEND_LIBPATH(LDFLAGS, [${dir}/lib])
-           SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [${dir}/lib])
+           SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [${dir}/lib])
+       fi
+       if test "$found" = "no"; then
+           AC_MSG_WARN([Unable to locate opie.h, you will have to edit the Makefile and add -I/path/to/opie/includes to CPPFLAGS])
        fi
     fi
        fi
     fi
-    if test "$found" = "no"; then
-       AC_MSG_WARN([Unable to locate opie.h, you will have to edit the Makefile and add -I/path/to/opie/includes to CPPFLAGS])
-    fi
-    AC_CHECK_LIB(opie, main, [found=yes], [AC_MSG_WARN([Unable to locate libopie.a, you will have to edit the Makefile and add -L/path/to/opie/lib to SUDO_LDFLAGS])])
+    AC_CHECK_LIB(opie, main, [found=yes], [AC_MSG_WARN([Unable to locate libopie.a, you will have to edit the Makefile and add -L/path/to/opie/lib to SUDOERS_LDFLAGS])])
     LDFLAGS="$O_LDFLAGS"
     LDFLAGS="$O_LDFLAGS"
-    SUDO_LIBS="${SUDO_LIBS} -lopie"
-    AUTH_OBJS="$AUTH_OBJS rfc1938.o"
+    SUDOERS_LIBS="${SUDOERS_LIBS} -lopie"
+    AUTH_OBJS="$AUTH_OBJS rfc1938.lo"
 fi
 
 dnl
 fi
 
 dnl
@@ -2395,8 +2946,10 @@ if test ${with_passwd-'no'} != "no"; then
     dnl
     dnl if crypt(3) not in libc, look elsewhere
     dnl
     dnl
     dnl if crypt(3) not in libc, look elsewhere
     dnl
-    if test -z "$LIB_CRYPT" -a "$with_passwd" != "no"; then
-       AC_SEARCH_LIBS([crypt], [crypt crypt_d ufc], [test -n "$ac_lib" && SUDO_LIBS="${SUDO_LIBS} $ac_res"])
+    if test -z "$LIB_CRYPT"; then
+       _LIBS="$LIBS"
+       AC_SEARCH_LIBS([crypt], [crypt crypt_d ufc], [test -n "$ac_lib" && SUDOERS_LIBS="${SUDOERS_LIBS} $ac_res"])
+       LIBS="$_LIBS"
     fi
 
     if test "$CHECKSHADOW" = "true" -a -n "$shadow_funcs"; then
     fi
 
     if test "$CHECKSHADOW" = "true" -a -n "$shadow_funcs"; then
@@ -2405,12 +2958,12 @@ if test ${with_passwd-'no'} != "no"; then
        found=no
        AC_CHECK_FUNCS($shadow_funcs, [found=yes])
        if test "$found" = "yes"; then
        found=no
        AC_CHECK_FUNCS($shadow_funcs, [found=yes])
        if test "$found" = "yes"; then
-           SUDO_LIBS="$SUDO_LIBS $shadow_libs"
+           SUDOERS_LIBS="$SUDOERS_LIBS $shadow_libs"
        elif test -n "$shadow_libs_optional"; then
            LIBS="$LIBS $shadow_libs_optional"
            AC_CHECK_FUNCS($shadow_funcs, [found=yes])
            if test "$found" = "yes"; then
        elif test -n "$shadow_libs_optional"; then
            LIBS="$LIBS $shadow_libs_optional"
            AC_CHECK_FUNCS($shadow_funcs, [found=yes])
            if test "$found" = "yes"; then
-               SUDO_LIBS="$SUDO_LIBS $shadow_libs $shadow_libs_optional"
+               SUDOERS_LIBS="$SUDOERS_LIBS $shadow_libs $shadow_libs_optional"
            fi
        fi
        if test "$found" = "yes"; then
            fi
        fi
        if test "$found" = "yes"; then
@@ -2424,14 +2977,14 @@ if test ${with_passwd-'no'} != "no"; then
        CHECKSHADOW=false
     fi
     if test "$CHECKSHADOW" = "true"; then
        CHECKSHADOW=false
     fi
     if test "$CHECKSHADOW" = "true"; then
-       AC_SEARCH_LIBS([getspnam], [gen], [AC_DEFINE(HAVE_GETSPNAM)] [CHECKSHADOW=false; test -n "$ac_lib" && SUDO_LIBS="${SUDO_LIBS} $ac_res"])
+       AC_SEARCH_LIBS([getspnam], [gen], [AC_DEFINE(HAVE_GETSPNAM)] [CHECKSHADOW=false; test -n "$ac_lib" && SUDOERS_LIBS="${SUDOERS_LIBS} $ac_res"])
     fi
     if test "$CHECKSHADOW" = "true"; then
     fi
     if test "$CHECKSHADOW" = "true"; then
-       AC_SEARCH_LIBS([getprpwnam], [sec security prot], [AC_DEFINE(HAVE_GETPRPWNAM)] [CHECKSHADOW=false; SECUREWARE=1; test -n "$ac_lib" && SUDO_LIBS="${SUDO_LIBS} $ac_res"])
+       AC_SEARCH_LIBS([getprpwnam], [sec security prot], [AC_DEFINE(HAVE_GETPRPWNAM)] [CHECKSHADOW=false; SECUREWARE=1; test -n "$ac_lib" && SUDOERS_LIBS="${SUDOERS_LIBS} $ac_res"])
     fi
     if test -n "$SECUREWARE"; then
        AC_CHECK_FUNCS(bigcrypt set_auth_parameters initprivs)
     fi
     if test -n "$SECUREWARE"; then
        AC_CHECK_FUNCS(bigcrypt set_auth_parameters initprivs)
-       AUTH_OBJS="$AUTH_OBJS secureware.o"
+       AUTH_OBJS="$AUTH_OBJS secureware.lo"
     fi
 fi
 
     fi
 fi
 
@@ -2441,13 +2994,13 @@ dnl
 if test ${with_ldap-'no'} != "no"; then
     _LDFLAGS="$LDFLAGS"
     if test "$with_ldap" != "yes"; then
 if test ${with_ldap-'no'} != "no"; then
     _LDFLAGS="$LDFLAGS"
     if test "$with_ldap" != "yes"; then
-       SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [${with_ldap}/lib])
+       SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [${with_ldap}/lib])
        SUDO_APPEND_LIBPATH(LDFLAGS, [${with_ldap}/lib])
        CPPFLAGS="${CPPFLAGS} -I${with_ldap}/include"
        with_ldap=yes
        SUDO_APPEND_LIBPATH(LDFLAGS, [${with_ldap}/lib])
        CPPFLAGS="${CPPFLAGS} -I${with_ldap}/include"
        with_ldap=yes
-       LDAP=""
     fi
     fi
-    SUDO_OBJS="${SUDO_OBJS} ldap.o"
+    SUDOERS_OBJS="${SUDOERS_OBJS} ldap.lo"
+    LDAP=""
 
     AC_MSG_CHECKING([for LDAP libraries])
     LDAP_LIBS=""
 
     AC_MSG_CHECKING([for LDAP libraries])
     LDAP_LIBS=""
@@ -2460,6 +3013,17 @@ if test ${with_ldap-'no'} != "no"; then
        #include <lber.h>
        #include <ldap.h>]], [[(void)ldap_init(0, 0)]])], [found=yes; break])
     done
        #include <lber.h>
        #include <ldap.h>]], [[(void)ldap_init(0, 0)]])], [found=yes; break])
     done
+    if test "$found" = "no"; then
+       LDAP_LIBS=""
+       LIBS="$_LIBS"
+       for l in -libmldap -lidsldif; do
+           LIBS="${LIBS} $l"
+           LDAP_LIBS="${LDAP_LIBS} $l"
+           AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <sys/types.h>
+           #include <lber.h>
+           #include <ldap.h>]], [[(void)ldap_init(0, 0)]])], [found=yes; break])
+       done
+    fi
     dnl if nothing linked just try with -lldap
     if test "$found" = "no"; then
        LIBS="${_LIBS} -lldap"
     dnl if nothing linked just try with -lldap
     if test "$found" = "no"; then
        LIBS="${_LIBS} -lldap"
@@ -2483,7 +3047,8 @@ if test ${with_ldap-'no'} != "no"; then
 
     AC_CHECK_HEADERS([sasl/sasl.h] [sasl.h], [AC_CHECK_FUNCS(ldap_sasl_interactive_bind_s)], [break])
     AC_CHECK_HEADERS([ldap_ssl.h] [mps/ldap_ssl.h], [break], [], [#include <ldap.h>])
 
     AC_CHECK_HEADERS([sasl/sasl.h] [sasl.h], [AC_CHECK_FUNCS(ldap_sasl_interactive_bind_s)], [break])
     AC_CHECK_HEADERS([ldap_ssl.h] [mps/ldap_ssl.h], [break], [], [#include <ldap.h>])
-    AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength ldap_search_ext_s ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s ldap_ssl_client_init ldap_start_tls_s_np)
+    AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s ldap_ssl_client_init ldap_start_tls_s_np)
+    AC_CHECK_FUNCS(ldap_search_ext_s ldap_search_st, [break])
 
     if test X"$check_gss_krb5_ccache_name" = X"yes"; then
        AC_CHECK_LIB(gssapi, gss_krb5_ccache_name,
 
     if test X"$check_gss_krb5_ccache_name" = X"yes"; then
        AC_CHECK_LIB(gssapi, gss_krb5_ccache_name,
@@ -2499,7 +3064,7 @@ if test ${with_ldap-'no'} != "no"; then
        O_CPPFLAGS="$CPPFLAGS"
        for dir in "" "kerberosV" "krb5" "kerberos5" "kerberosv5"; do
            test X"$dir" != X"" && CPPFLAGS="$O_CPPFLAGS -I/usr/include/${dir}"
        O_CPPFLAGS="$CPPFLAGS"
        for dir in "" "kerberosV" "krb5" "kerberos5" "kerberosv5"; do
            test X"$dir" != X"" && CPPFLAGS="$O_CPPFLAGS -I/usr/include/${dir}"
-           AC_PREPROC_IFELSE([#include <gssapi/gssapi.h>], [found="gssapi/gssapi.h"; break], [AC_PREPROC_IFELSE([#include <gssapi.h>], [found="gssapi.h"; break])])
+           AC_PREPROC_IFELSE([AC_LANG_PROGRAM([[#include <gssapi/gssapi.h>]])], [found="gssapi/gssapi.h"; break], [AC_PREPROC_IFELSE([AC_LANG_PROGRAM([[#include <gssapi.h>]])], [found="gssapi.h"; break])])
        done
        if test X"$found" != X"no"; then
            AC_CHECK_HEADERS([$found])
        done
        if test X"$found" != X"no"; then
            AC_CHECK_HEADERS([$found])
@@ -2512,47 +3077,87 @@ if test ${with_ldap-'no'} != "no"; then
        fi
     fi
 
        fi
     fi
 
-    SUDO_LIBS="${SUDO_LIBS} ${LDAP_LIBS}"
+    SUDOERS_LIBS="${SUDOERS_LIBS} ${LDAP_LIBS}"
     LIBS="$_LIBS"
     LDFLAGS="$_LDFLAGS"
 fi
 
     LIBS="$_LIBS"
     LDFLAGS="$_LDFLAGS"
 fi
 
-dnl
-dnl Add LIBVAS_RPATH to LDFLAGS
-dnl GNU ld accepts -R/path/ as an alias for -rpath /path/
-dnl
-if test X"$LIBVAS_RPATH" != X""; then
-    if test -n "$blibpath"; then
-       blibpath_add="${blibpath_add}:$LIBVAS_RPATH"
-    else
-       LDFLAGS="$LDFLAGS -R$LIBVAS_RPATH"
-    fi
+#
+# How to do dynamic object loading.
+# We support dlopen() and sh_load(), else fall back to static loading.
+#
+case "$lt_cv_dlopen" in
+    dlopen)
+       AC_DEFINE(HAVE_DLOPEN)
+       SUDOERS_OBJS="$SUDOERS_OBJS plugin_error.lo"
+       LT_STATIC="--tag=disable-static"
+       ;;
+    shl_load)
+       AC_DEFINE(HAVE_SHL_LOAD)
+       SUDOERS_OBJS="$SUDOERS_OBJS plugin_error.lo"
+       LT_STATIC="--tag=disable-static"
+       AC_LIBOBJ(dlopen)
+       ;;
+    *)
+       if test X"${ac_cv_func_dlopen}" = X"yes"; then
+           AC_MSG_ERROR(["dlopen present but libtool doesn't appear to support your platform."])
+       fi
+       # Preload sudoers module symbols
+       SUDO_OBJS="${SUDO_OBJS} preload.o"
+       SUDO_LIBS="${SUDO_LIBS} \$(top_builddir)/plugins/sudoers/sudoers.la"
+       LT_STATIC=""
+       AC_LIBOBJ(dlopen)
+       ;;
+esac
+
+#
+# Add library needed for dynamic loading, if any.
+#
+LIBDL="$lt_cv_dlopen_libs"
+if test X"$LIBDL" != X""; then
+    SUDO_LIBS="${SUDO_LIBS} $LIBDL"
+    SUDOERS_LIBS="${SUDOERS_LIBS} $LIBDL"
 fi
 
 fi
 
+# On HP-UX, you cannot dlopen() a shared object that uses pthreads
+# unless the main program is linked against -lpthread.  Since we
+# have no knowledge what libraries a plugin may depend on, we always
+# link against -lpthread on HP-UX if it is available.
+# This check should go after all other libraries tests.
+case "$host" in
+    *-*-hpux*)
+       AC_CHECK_LIB(pthread, main, [SUDO_LIBS="${SUDO_LIBS} -lpthread"])
+       ;;
+esac
+
 dnl
 dnl
-dnl Add $blibpath to SUDO_LDFLAGS if specified by the user or if we
-dnl added -L dirpaths to SUDO_LDFLAGS.
+dnl Add $blibpath to SUDOERS_LDFLAGS if specified by the user or if we
+dnl added -L dirpaths to SUDOERS_LDFLAGS.
 dnl
 if test -n "$blibpath"; then
     if test -n "$blibpath_add"; then
 dnl
 if test -n "$blibpath"; then
     if test -n "$blibpath_add"; then
-       SUDO_LDFLAGS="$SUDO_LDFLAGS -Wl,-blibpath:${blibpath}${blibpath_add}"
+       SUDOERS_LDFLAGS="$SUDOERS_LDFLAGS -Wl,-blibpath:${blibpath}${blibpath_add}"
     elif test -n "$with_blibpath" -a "$with_blibpath" != "yes"; then
     elif test -n "$with_blibpath" -a "$with_blibpath" != "yes"; then
-       SUDO_LDFLAGS="$SUDO_LDFLAGS -Wl,-blibpath:${blibpath}"
+       SUDOERS_LDFLAGS="$SUDOERS_LDFLAGS -Wl,-blibpath:${blibpath}"
     fi
 fi
 
 dnl
     fi
 fi
 
 dnl
-dnl Check for log file and timestamp locations
+dnl Check for log file, timestamp and iolog locations
 dnl
 dnl
+if test "$utmp_style" = "LEGACY"; then
+    SUDO_PATH_UTMP
+fi
 SUDO_LOGFILE
 SUDO_TIMEDIR
 SUDO_LOGFILE
 SUDO_TIMEDIR
+SUDO_IO_LOGDIR
 
 dnl
 
 dnl
-dnl Use passwd (and secureware) auth modules?
+dnl Use passwd auth module?
 dnl
 case "$with_passwd" in
 yes|maybe)
 dnl
 case "$with_passwd" in
 yes|maybe)
-    AUTH_OBJS="$AUTH_OBJS passwd.o"
+    AUTH_OBJS="$AUTH_OBJS getspwuid.lo passwd.lo"
     ;;
 *)
     AC_DEFINE(WITHOUT_PASSWD)
     ;;
 *)
     AC_DEFINE(WITHOUT_PASSWD)
@@ -2562,24 +3167,36 @@ yes|maybe)
     ;;
 esac
 AUTH_OBJS=${AUTH_OBJS# }
     ;;
 esac
 AUTH_OBJS=${AUTH_OBJS# }
-_AUTH=`echo "$AUTH_OBJS" | sed 's/\.o//g'`
+_AUTH=`echo "$AUTH_OBJS" | sed -e 's/\.lo//g' -e 's/getspwuid *//'`
 AC_MSG_NOTICE([using the following authentication methods: $_AUTH])
 
 dnl
 AC_MSG_NOTICE([using the following authentication methods: $_AUTH])
 
 dnl
-dnl LIBS may contain duplicates from SUDO_LIBS or NET_LIBS so prune it.
+dnl LIBS may contain duplicates from SUDO_LIBS, SUDOERS_LIBS, or NET_LIBS
 dnl
 if test -n "$LIBS"; then
     L="$LIBS"
     LIBS=
     for l in ${L}; do
        dupe=0
 dnl
 if test -n "$LIBS"; then
     L="$LIBS"
     LIBS=
     for l in ${L}; do
        dupe=0
-       for sl in ${SUDO_LIBS} ${NET_LIBS}; do
+       for sl in ${SUDO_LIBS} ${SUDOERS_LIBS} ${NET_LIBS}; do
            test $l = $sl && dupe=1
        done
        test $dupe = 0 && LIBS="${LIBS} $l"
     done
 fi
 
            test $l = $sl && dupe=1
        done
        test $dupe = 0 && LIBS="${LIBS} $l"
     done
 fi
 
+dnl
+dnl We add -Wall and -Werror after all tests so they don't cause failures
+dnl
+if test -n "$GCC"; then
+    if test X"$enable_warnings" = X"yes" -o X"$with_devel" = X"yes"; then
+       CFLAGS="${CFLAGS} -Wall"
+    fi
+    if test X"$enable_werror" = X"yes"; then
+       CFLAGS="${CFLAGS} -Werror"
+    fi
+fi
+
 dnl
 dnl Set exec_prefix
 dnl
 dnl
 dnl Set exec_prefix
 dnl
@@ -2599,23 +3216,58 @@ if test X"$with_noexec" != X"no" -o X"$with_selinux" != X"no"; then
        fi
     fi
     if test X"$with_noexec" != X"no"; then
        fi
     fi
     if test X"$with_noexec" != X"no"; then
-       PROGS="${PROGS} sudo_noexec.la"
+       PROGS="${PROGS} libsudo_noexec.la"
        INSTALL_NOEXEC="install-noexec"
 
        INSTALL_NOEXEC="install-noexec"
 
-       eval noexec_file="$with_noexec"
-       AC_DEFINE_UNQUOTED(_PATH_SUDO_NOEXEC, "$noexec_file", [The fully qualified pathname of sudo_noexec.so])
+       noexec_file="$with_noexec"
+       _noexec_file=
+       while test X"$noexec_file" != X"$_noexec_file"; do
+           _noexec_file="$noexec_file"
+           eval noexec_file="$_noexec_file"
+       done
+       SUDO_DEFINE_UNQUOTED(_PATH_SUDO_NOEXEC, "$noexec_file", [The fully qualified pathname of sudo_noexec.so])
     fi
     if test X"$with_selinux" != X"no"; then
     fi
     if test X"$with_selinux" != X"no"; then
-       eval sesh_file="$libexecdir/sesh"
-       AC_DEFINE_UNQUOTED(_PATH_SUDO_SESH, "$sesh_file", [The fully qualified pathname of sesh])
+       sesh_file="$libexecdir/sesh"
+       _sesh_file=
+       while test X"$sesh_file" != X"$_sesh_file"; do
+           _sesh_file="$sesh_file"
+           eval sesh_file="$_sesh_file"
+       done
+       SUDO_DEFINE_UNQUOTED(_PATH_SUDO_SESH, "$sesh_file", [The fully qualified pathname of sesh])
     fi
     fi
+    PLUGINDIR="$with_plugindir"
+    _PLUGINDIR=
+    while test X"$PLUGINDIR" != X"$_PLUGINDIR"; do
+       _PLUGINDIR="$PLUGINDIR"
+       eval PLUGINDIR="$_PLUGINDIR"
+    done
+    SUDO_DEFINE_UNQUOTED(_PATH_SUDO_PLUGIN_DIR, "$PLUGINDIR/")
+    SUDO_DEFINE_UNQUOTED(SUDOERS_PLUGIN, "sudoers${SOEXT}")
     exec_prefix="$oexec_prefix"
 fi
 
     exec_prefix="$oexec_prefix"
 fi
 
+dnl
+dnl Override default configure dirs for the Makefile
+dnl
+if test X"$prefix" = X"NONE"; then
+    test "$mandir" = '${datarootdir}/man' && mandir='$(prefix)/man'
+else
+    test "$mandir" = '${datarootdir}/man' && mandir='$(datarootdir)/man'
+fi
+test "$bindir" = '${exec_prefix}/bin' && bindir='$(exec_prefix)/bin'
+test "$sbindir" = '${exec_prefix}/sbin' && sbindir='$(exec_prefix)/sbin'
+test "$libexecdir" = '${exec_prefix}/libexec' && libexecdir='$(exec_prefix)/libexec'
+test "$includedir" = '${prefix}/include' && includedir='$(prefix)/include'
+test "$datarootdir" = '${prefix}/share' && datarootdir='$(prefix)/share'
+test "$docdir" = '${datarootdir}/doc/${PACKAGE_TARNAME}' && docdir='$(datarootdir)/doc/$(PACKAGE_TARNAME)'
+test "$sysconfdir" = '${prefix}/etc' -a X"$with_stow" != X"yes" && sysconfdir='/etc'
+
 dnl
 dnl Substitute into the Makefile and man pages
 dnl
 dnl
 dnl Substitute into the Makefile and man pages
 dnl
-AC_CONFIG_FILES([Makefile sudo.man visudo.man sudoers.man sudoers.ldap.man sudo_usage.h])
+dnl AC_CONFIG_FILES([doc/sudo.man doc/visudo.man doc/sudoers.man doc/sudoers.ldap.man doc/sudoreplay.man src/Makefile src/sudo_usage.h])
+AC_CONFIG_FILES([Makefile common/Makefile compat/Makefile doc/Makefile include/Makefile src/sudo_usage.h src/Makefile plugins/sample/Makefile plugins/sample_group/Makefile plugins/system_group/Makefile plugins/sudoers/Makefile plugins/sudoers/sudoers])
 AC_OUTPUT
 
 dnl
 AC_OUTPUT
 
 dnl
@@ -2623,6 +3275,12 @@ dnl Spew any text the user needs to know about
 dnl
 if test "$with_pam" = "yes"; then
     case $host in
 dnl
 if test "$with_pam" = "yes"; then
     case $host in
+       *-*-hpux*)
+           if test -f /usr/lib/security/libpam_hpsec.so.1; then
+               AC_MSG_NOTICE([You may wish to add the following line to /etc/pam.conf])
+               AC_MSG_NOTICE([sudo session required libpam_hpsec.so.1 bypass_umask bypass_last_login])
+           fi
+           ;;
        *-*-linux*)
            AC_MSG_NOTICE([You will need to customize sample.pam and install it as /etc/pam.d/sudo])
            ;;
        *-*-linux*)
            AC_MSG_NOTICE([You will need to customize sample.pam and install it as /etc/pam.d/sudo])
            ;;
@@ -2635,21 +3293,23 @@ dnl
 AH_TEMPLATE(BROKEN_SYSLOG, [Define to 1 if the `syslog' function returns a non-zero int to denote failure.])
 AH_TEMPLATE(CLASSIC_INSULTS, [Define to 1 if you want the insults from the "classic" version sudo.])
 AH_TEMPLATE(CSOPS_INSULTS, [Define to 1 if you want insults culled from the twisted minds of CSOps.])
 AH_TEMPLATE(BROKEN_SYSLOG, [Define to 1 if the `syslog' function returns a non-zero int to denote failure.])
 AH_TEMPLATE(CLASSIC_INSULTS, [Define to 1 if you want the insults from the "classic" version sudo.])
 AH_TEMPLATE(CSOPS_INSULTS, [Define to 1 if you want insults culled from the twisted minds of CSOps.])
+AH_TEMPLATE(SUDOERS_PLUGIN, [The name of the sudoers plugin, including extension.])
 AH_TEMPLATE(DONT_LEAK_PATH_INFO, [Define to 1 if you want sudo to display "command not allowed" instead of "command not found" when a command cannot be found.])
 AH_TEMPLATE(DONT_LEAK_PATH_INFO, [Define to 1 if you want sudo to display "command not allowed" instead of "command not found" when a command cannot be found.])
+AH_TEMPLATE(ENV_DEBUG, [Define to 1 to enable environment function debugging.])
 AH_TEMPLATE(ENV_EDITOR, [Define to 1 if you want visudo to honor the EDITOR and VISUAL env variables.])
 AH_TEMPLATE(FQDN, [Define to 1 if you want to require fully qualified hosts in sudoers.])
 AH_TEMPLATE(ENV_EDITOR, [Define to 1 if you want visudo to honor the EDITOR and VISUAL env variables.])
 AH_TEMPLATE(FQDN, [Define to 1 if you want to require fully qualified hosts in sudoers.])
+AH_TEMPLATE(ENV_RESET, [Define to 1 to enable environment resetting by default.])
 AH_TEMPLATE(GOONS_INSULTS, [Define to 1 if you want insults from the "Goon Show".])
 AH_TEMPLATE(HAL_INSULTS, [Define to 1 if you want 2001-like insults.])
 AH_TEMPLATE(HAVE_AFS, [Define to 1 if you use AFS.])
 AH_TEMPLATE(HAVE_AIXAUTH, [Define to 1 if you use AIX general authentication.])
 AH_TEMPLATE(HAVE_BSD_AUTH_H, [Define to 1 if you use BSD authentication.])
 AH_TEMPLATE(GOONS_INSULTS, [Define to 1 if you want insults from the "Goon Show".])
 AH_TEMPLATE(HAL_INSULTS, [Define to 1 if you want 2001-like insults.])
 AH_TEMPLATE(HAVE_AFS, [Define to 1 if you use AFS.])
 AH_TEMPLATE(HAVE_AIXAUTH, [Define to 1 if you use AIX general authentication.])
 AH_TEMPLATE(HAVE_BSD_AUTH_H, [Define to 1 if you use BSD authentication.])
-AH_TEMPLATE(HAVE_BSM_AUDIT, [Define to 1 to enable BSM auditing.])
+AH_TEMPLATE(HAVE_BSM_AUDIT, [Define to 1 to enable BSM audit support.])
 AH_TEMPLATE(HAVE_DCE, [Define to 1 if you use OSF DCE.])
 AH_TEMPLATE(HAVE_DD_FD, [Define to 1 if your `DIR' contains dd_fd.])
 AH_TEMPLATE(HAVE_DIRFD, [Define to 1 if you have the `dirfd' function or macro.])
 AH_TEMPLATE(HAVE_DCE, [Define to 1 if you use OSF DCE.])
 AH_TEMPLATE(HAVE_DD_FD, [Define to 1 if your `DIR' contains dd_fd.])
 AH_TEMPLATE(HAVE_DIRFD, [Define to 1 if you have the `dirfd' function or macro.])
-AH_TEMPLATE(HAVE_DGETTEXT, [Define to 1 if you have the `dgettext' function.])
 AH_TEMPLATE(HAVE_DISPCRYPT, [Define to 1 if you have the `dispcrypt' function.])
 AH_TEMPLATE(HAVE_DISPCRYPT, [Define to 1 if you have the `dispcrypt' function.])
-AH_TEMPLATE(HAVE_EXTENDED_GLOB, [Define to 1 if your glob.h defines the GLOB_BRACE and GLOB_TILDE flags.])
+AH_TEMPLATE(HAVE_DLOPEN, [Define to 1 if you have the `dlopen' function.])
 AH_TEMPLATE(HAVE_FCNTL_CLOSEM, [Define to 1 if your system has the F_CLOSEM fcntl.])
 AH_TEMPLATE(HAVE_FNMATCH, [Define to 1 if you have the `fnmatch' function.])
 AH_TEMPLATE(HAVE_FWTK, [Define to 1 if you use the FWTK authsrv daemon.])
 AH_TEMPLATE(HAVE_FCNTL_CLOSEM, [Define to 1 if your system has the F_CLOSEM fcntl.])
 AH_TEMPLATE(HAVE_FNMATCH, [Define to 1 if you have the `fnmatch' function.])
 AH_TEMPLATE(HAVE_FWTK, [Define to 1 if you use the FWTK authsrv daemon.])
@@ -2660,10 +3320,8 @@ AH_TEMPLATE(HAVE_GETSPNAM, [Define to 1 if you have the `getspnam' function (SVR
 AH_TEMPLATE(HAVE_GETSPWUID, [Define to 1 if you have the `getspwuid' function. (HP-UX <= 9.X shadow passwords)])
 AH_TEMPLATE(HAVE_GSS_KRB5_CCACHE_NAME, [Define to 1 if you have the `gss_krb5_ccache_name' function.])
 AH_TEMPLATE(HAVE_HEIMDAL, [Define to 1 if your Kerberos is Heimdal.])
 AH_TEMPLATE(HAVE_GETSPWUID, [Define to 1 if you have the `getspwuid' function. (HP-UX <= 9.X shadow passwords)])
 AH_TEMPLATE(HAVE_GSS_KRB5_CCACHE_NAME, [Define to 1 if you have the `gss_krb5_ccache_name' function.])
 AH_TEMPLATE(HAVE_HEIMDAL, [Define to 1 if your Kerberos is Heimdal.])
-AH_TEMPLATE(HAVE_IN6_ADDR, [Define to 1 if <netinet/in.h> contains struct in6_addr.])
 AH_TEMPLATE(HAVE_ISCOMSEC, [Define to 1 if you have the `iscomsec' function. (HP-UX >= 10.x check for shadow enabled)])
 AH_TEMPLATE(HAVE_ISSECURE, [Define to 1 if you have the `issecure' function. (SunOS 4.x check for shadow enabled)])
 AH_TEMPLATE(HAVE_ISCOMSEC, [Define to 1 if you have the `iscomsec' function. (HP-UX >= 10.x check for shadow enabled)])
 AH_TEMPLATE(HAVE_ISSECURE, [Define to 1 if you have the `issecure' function. (SunOS 4.x check for shadow enabled)])
-AH_TEMPLATE(HAVE_KERB4, [Define to 1 if you use Kerberos IV.])
 AH_TEMPLATE(HAVE_KERB5, [Define to 1 if you use Kerberos V.])
 AH_TEMPLATE(HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC, [Define to 1 if you have the `krb5_get_init_creds_opt_alloc' function.])
 AH_TEMPLATE(HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS, [Define to 1 if your `krb5_get_init_creds_opt_free' function takes two arguments.])
 AH_TEMPLATE(HAVE_KERB5, [Define to 1 if you use Kerberos V.])
 AH_TEMPLATE(HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC, [Define to 1 if you have the `krb5_get_init_creds_opt_alloc' function.])
 AH_TEMPLATE(HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS, [Define to 1 if your `krb5_get_init_creds_opt_free' function takes two arguments.])
@@ -2671,20 +3329,22 @@ AH_TEMPLATE(HAVE_KRB5_INIT_SECURE_CONTEXT, [Define to 1 if you have the `krb5_in
 AH_TEMPLATE(HAVE_KRB5_VERIFY_USER, [Define to 1 if you have the `krb5_verify_user' function.])
 AH_TEMPLATE(HAVE_LBER_H, [Define to 1 if your LDAP needs <lber.h>. (OpenLDAP does not)])
 AH_TEMPLATE(HAVE_LDAP, [Define to 1 if you use LDAP for sudoers.])
 AH_TEMPLATE(HAVE_KRB5_VERIFY_USER, [Define to 1 if you have the `krb5_verify_user' function.])
 AH_TEMPLATE(HAVE_LBER_H, [Define to 1 if your LDAP needs <lber.h>. (OpenLDAP does not)])
 AH_TEMPLATE(HAVE_LDAP, [Define to 1 if you use LDAP for sudoers.])
+AH_TEMPLATE(HAVE_LIBINTL_H, [Define to 1 if you have the <libintl.h> header file.])
+AH_TEMPLATE(HAVE_LINUX_AUDIT, [Define to 1 to enable Linux audit support.])
 AH_TEMPLATE(HAVE_OPIE, [Define to 1 if you use NRL OPIE.])
 AH_TEMPLATE(HAVE_PAM, [Define to 1 if you use PAM authentication.])
 AH_TEMPLATE(HAVE_OPIE, [Define to 1 if you use NRL OPIE.])
 AH_TEMPLATE(HAVE_PAM, [Define to 1 if you use PAM authentication.])
+AH_TEMPLATE(HAVE_PAM_LOGIN, [Define to 1 if you use a specific PAM session for sudo -i.])
 AH_TEMPLATE(HAVE_PROJECT_H, [Define to 1 if you have the <project.h> header file.])
 AH_TEMPLATE(HAVE_SECURID, [Define to 1 if you use SecurID for authentication.])
 AH_TEMPLATE(HAVE_SELINUX, [Define to 1 to enable SELinux RBAC support.])
 AH_TEMPLATE(HAVE_PROJECT_H, [Define to 1 if you have the <project.h> header file.])
 AH_TEMPLATE(HAVE_SECURID, [Define to 1 if you use SecurID for authentication.])
 AH_TEMPLATE(HAVE_SELINUX, [Define to 1 to enable SELinux RBAC support.])
-AH_TEMPLATE(HAVE_SIGACTION_T, [Define to 1 if <signal.h> has the sigaction_t typedef.])
+AH_TEMPLATE(HAVE_SETKEYCREATECON, [Define to 1 if you have the `setkeycreatecon' function.])
+AH_TEMPLATE(HAVE_SHL_LOAD, [Define to 1 if you have the `shl_load' function.])
 AH_TEMPLATE(HAVE_SKEY, [Define to 1 if you use S/Key.])
 AH_TEMPLATE(HAVE_SKEYACCESS, [Define to 1 if your S/Key library has skeyaccess().])
 AH_TEMPLATE(HAVE_SKEY, [Define to 1 if you use S/Key.])
 AH_TEMPLATE(HAVE_SKEYACCESS, [Define to 1 if your S/Key library has skeyaccess().])
+AH_TEMPLATE(HAVE_RFC1938_SKEYCHALLENGE, [Define to 1 if the skeychallenge() function is RFC1938-compliant and takes 4 arguments])
 AH_TEMPLATE(HAVE_ST__TIM, [Define to 1 if your struct stat uses an st__tim union])
 AH_TEMPLATE(HAVE_ST_MTIM, [Define to 1 if your struct stat has an st_mtim member])
 AH_TEMPLATE(HAVE_ST_MTIMESPEC, [Define to 1 if your struct stat has an st_mtimespec member])
 AH_TEMPLATE(HAVE_ST__TIM, [Define to 1 if your struct stat uses an st__tim union])
 AH_TEMPLATE(HAVE_ST_MTIM, [Define to 1 if your struct stat has an st_mtim member])
 AH_TEMPLATE(HAVE_ST_MTIMESPEC, [Define to 1 if your struct stat has an st_mtimespec member])
-AH_TEMPLATE(HAVE_TERMIOS_H, [Define to 1 if you have the <termios.h> header file and the `tcgetattr' function.])
-AH_TEMPLATE(HAVE_TIMESPEC, [Define to 1 if you have struct timespec in sys/time.h])
-AH_TEMPLATE(HAVE_TIMESPECSUB2, [Define to 1 if you have a timespecsub macro or function that takes two arguments (not three)])
 AH_TEMPLATE(HAVE___PROGNAME, [Define to 1 if your crt0.o defines the __progname symbol for you.])
 AH_TEMPLATE(HOST_IN_LOG, [Define to 1 if you want the hostname to be entered into the log file.])
 AH_TEMPLATE(IGNORE_DOT_PATH, [Define to 1 if you want to ignore '.' and empty PATH elements])
 AH_TEMPLATE(HAVE___PROGNAME, [Define to 1 if your crt0.o defines the __progname symbol for you.])
 AH_TEMPLATE(HOST_IN_LOG, [Define to 1 if you want the hostname to be entered into the log file.])
 AH_TEMPLATE(IGNORE_DOT_PATH, [Define to 1 if you want to ignore '.' and empty PATH elements])
@@ -2692,8 +3352,10 @@ AH_TEMPLATE(LOGGING, [Define to SLOG_SYSLOG, SLOG_FILE, or SLOG_BOTH.])
 AH_TEMPLATE(LONG_OTP_PROMPT, [Define to 1 if you want a two line OTP (S/Key or OPIE) prompt.])
 AH_TEMPLATE(NO_AUTHENTICATION, [Define to 1 if you don't want sudo to prompt for a password by default.])
 AH_TEMPLATE(NO_LECTURE, [Define to 1 if you don't want users to get the lecture the first they user sudo.])
 AH_TEMPLATE(LONG_OTP_PROMPT, [Define to 1 if you want a two line OTP (S/Key or OPIE) prompt.])
 AH_TEMPLATE(NO_AUTHENTICATION, [Define to 1 if you don't want sudo to prompt for a password by default.])
 AH_TEMPLATE(NO_LECTURE, [Define to 1 if you don't want users to get the lecture the first they user sudo.])
+AH_TEMPLATE(NO_PAM_SESSION, [Define to 1 if you don't want to use sudo's PAM session support])
 AH_TEMPLATE(NO_ROOT_MAILER, [Define to avoid runing the mailer as root.])
 AH_TEMPLATE(NO_ROOT_SUDO, [Define to 1 if root should not be allowed to use sudo.])
 AH_TEMPLATE(NO_ROOT_MAILER, [Define to avoid runing the mailer as root.])
 AH_TEMPLATE(NO_ROOT_SUDO, [Define to 1 if root should not be allowed to use sudo.])
+AH_TEMPLATE(NO_TTY_TICKETS, [Define to 1 if you want a single ticket file instead of per-tty files.])
 AH_TEMPLATE(PC_INSULTS, [Define to 1 to replace politically incorrect insults with less offensive ones.])
 AH_TEMPLATE(SECURE_PATH, [Define to 1 to override the user's path with a built-in one.])
 AH_TEMPLATE(SEND_MAIL_WHEN_NOT_OK, [Define to 1 to send mail when the user is not allowed to run a command.])
 AH_TEMPLATE(PC_INSULTS, [Define to 1 to replace politically incorrect insults with less offensive ones.])
 AH_TEMPLATE(SECURE_PATH, [Define to 1 to override the user's path with a built-in one.])
 AH_TEMPLATE(SEND_MAIL_WHEN_NOT_OK, [Define to 1 to send mail when the user is not allowed to run a command.])
@@ -2702,13 +3364,22 @@ AH_TEMPLATE(SEND_MAIL_WHEN_NO_USER, [Define to 1 to send mail when the user is n
 AH_TEMPLATE(SHELL_IF_NO_ARGS, [Define to 1 if you want sudo to start a shell if given no arguments.])
 AH_TEMPLATE(SHELL_SETS_HOME, [Define to 1 if you want sudo to set $HOME in shell mode.])
 AH_TEMPLATE(STUB_LOAD_INTERFACES, [Define to 1 if the code in interfaces.c does not compile for you.])
 AH_TEMPLATE(SHELL_IF_NO_ARGS, [Define to 1 if you want sudo to start a shell if given no arguments.])
 AH_TEMPLATE(SHELL_SETS_HOME, [Define to 1 if you want sudo to set $HOME in shell mode.])
 AH_TEMPLATE(STUB_LOAD_INTERFACES, [Define to 1 if the code in interfaces.c does not compile for you.])
+AH_TEMPLATE(UMASK_OVERRIDE, [Define to 1 to use the umask specified in sudoers even when it is less restrictive than the invoking user's.])
+AH_TEMPLATE(USE_ADMIN_FLAG, [Define to 1 if you want to create ~/.sudo_as_admin_successful if the user is in the admin group the first time they run sudo.])
 AH_TEMPLATE(USE_INSULTS, [Define to 1 if you want to insult the user for entering an incorrect password.])
 AH_TEMPLATE(USE_STOW, [Define to 1 if you use GNU stow packaging.])
 AH_TEMPLATE(USE_INSULTS, [Define to 1 if you want to insult the user for entering an incorrect password.])
 AH_TEMPLATE(USE_STOW, [Define to 1 if you use GNU stow packaging.])
-AH_TEMPLATE(USE_TTY_TICKETS, [Define to 1 if you want a different ticket file for each tty.])
 AH_TEMPLATE(WITHOUT_PASSWD, [Define to avoid using the passwd/shadow file for authentication.])
 AH_TEMPLATE(sig_atomic_t, [Define to `int' if <signal.h> does not define.])
 AH_TEMPLATE(__signed, [Define to `signed' or nothing if compiler does not support a signed type qualifier.])
 AH_TEMPLATE(WITHOUT_PASSWD, [Define to avoid using the passwd/shadow file for authentication.])
 AH_TEMPLATE(sig_atomic_t, [Define to `int' if <signal.h> does not define.])
 AH_TEMPLATE(__signed, [Define to `signed' or nothing if compiler does not support a signed type qualifier.])
-AH_TEMPLATE(USING_NONUNIX_GROUPS, [Define to 1 if using a non-Unix group lookup implementation.])
+AH_TEMPLATE(socklen_t, [Define to `unsigned int' if <sys/socket.h> doesn't define.])
+AH_TEMPLATE(HAVE_STRUCT_UTMP_UT_EXIT, [Define to 1 if `ut_exit' is a member of `struct utmp'.])
+AH_TEMPLATE(HAVE_STRUCT_UTMPX_UT_EXIT, [Define to 1 if `ut_exit' is a member of `struct utmpx'.])
+AH_TEMPLATE(HAVE___FUNC__, [Define to 1 if the compiler supports the C99 __func__ variable.])
+AH_TEMPLATE(SUDO_KRB5_INSTANCE, [An instance string to append to the username (separated by a slash) for Kerberos V authentication])
+AH_TEMPLATE(RTLD_PRELOAD_VAR, [The environment variable that controls preloading of dynamic objects.])
+AH_TEMPLATE(RTLD_PRELOAD_ENABLE_VAR, [An extra environment variable that is required to enable preloading (if any).])
+AH_TEMPLATE(RTLD_PRELOAD_DELIM, [The delimiter to use when defining multiple preloaded objects.])
+AH_TEMPLATE(RTLD_PRELOAD_DEFAULT, [The default value of preloaded objects (if any).])
 
 dnl
 dnl Bits to copy verbatim into config.h.in
 
 dnl
 dnl Bits to copy verbatim into config.h.in
@@ -2717,37 +3388,38 @@ AH_TOP([#ifndef _SUDO_CONFIG_H
 #define _SUDO_CONFIG_H])
 
 AH_BOTTOM([/*
 #define _SUDO_CONFIG_H])
 
 AH_BOTTOM([/*
- * Macros to pull sec and nsec parts of mtime from struct stat.
- * We need to be able to convert between timeval and timespec
- * so the last 3 digits of tv_nsec are not significant.
+ * Macros to convert ctime and mtime into timevals.
  */
  */
+#define timespec2timeval(_ts, _tv) do {                                        \
+    (_tv)->tv_sec = (_ts)->tv_sec;                                     \
+    (_tv)->tv_usec = (_ts)->tv_nsec / 1000;                            \
+} while (0)
+
 #ifdef HAVE_ST_MTIM
 # ifdef HAVE_ST__TIM
 #ifdef HAVE_ST_MTIM
 # ifdef HAVE_ST__TIM
-#  define mtim_getsec(_x)      ((_x).st_mtim.st__tim.tv_sec)
-#  define mtim_getnsec(_x)     (((_x).st_mtim.st__tim.tv_nsec / 1000) * 1000)
+#  define ctim_get(_x, _y)     timespec2timeval(&(_x)->st_ctim.st__tim, (_y))
+#  define mtim_get(_x, _y)     timespec2timeval(&(_x)->st_mtim.st__tim, (_y))
 # else
 # else
-#  define mtim_getsec(_x)      ((_x).st_mtim.tv_sec)
-#  define mtim_getnsec(_x)     (((_x).st_mtim.tv_nsec / 1000) * 1000)
+#  define ctim_get(_x, _y)     timespec2timeval(&(_x)->st_ctim, (_y))
+#  define mtim_get(_x, _y)     timespec2timeval(&(_x)->st_mtim, (_y))
 # endif
 #else
 # ifdef HAVE_ST_MTIMESPEC
 # endif
 #else
 # ifdef HAVE_ST_MTIMESPEC
-#  define mtim_getsec(_x)      ((_x).st_mtimespec.tv_sec)
-#  define mtim_getnsec(_x)     (((_x).st_mtimespec.tv_nsec / 1000) * 1000)
+#  define ctim_get(_x, _y)     timespec2timeval(&(_x)->st_ctimespec, (_y))
+#  define mtim_get(_x, _y)     timespec2timeval(&(_x)->st_mtimespec, (_y))
 # else
 # else
-#  define mtim_getsec(_x)      ((_x).st_mtime)
-#  define mtim_getnsec(_x)     (0)
+#  define ctim_get(_x, _y)     do { (_y)->tv_sec = (_x)->st_ctime; (_y)->tv_usec = 0; } while (0)
+#  define mtim_get(_x, _y)     do { (_y)->tv_sec = (_x)->st_mtime; (_y)->tv_usec = 0; } while (0)
 # endif /* HAVE_ST_MTIMESPEC */
 #endif /* HAVE_ST_MTIM */
 
 # endif /* HAVE_ST_MTIMESPEC */
 #endif /* HAVE_ST_MTIM */
 
-/*
- * Emulate a subset of waitpid() if we don't have it.
- */
-#ifdef HAVE_WAITPID
-# define sudo_waitpid(p, s, o) waitpid(p, s, o)
+#ifdef __GNUC__
+# define ignore_result(x) do {                                                \
+    __typeof__(x) y = (x);                                                    \
+    (void)y;                                                                  \
+} while(0)
 #else
 #else
-# ifdef HAVE_WAIT3
-#  define sudo_waitpid(p, s, o)        wait3(s, o, NULL)
-# endif
+# define ignore_result(x)      (void)(x)
 #endif
 
 /* GNU stow needs /etc/sudoers to be a symlink. */
 #endif
 
 /* GNU stow needs /etc/sudoers to be a symlink. */
@@ -2765,7 +3437,7 @@ AH_BOTTOM([/*
 #undef ISSET
 #define ISSET(t, f)     ((t) & (f))
 
 #undef ISSET
 #define ISSET(t, f)     ((t) & (f))
 
-/* New ANSI-style OS defs for HP-UX and ConvexOS. */
+/* ANSI-style OS defs for HP-UX and ConvexOS. */
 #if defined(hpux) && !defined(__hpux)
 # define __hpux                1
 #endif /* hpux */
 #if defined(hpux) && !defined(__hpux)
 # define __hpux                1
 #endif /* hpux */
Debian packaging of sudo