projects / debian / sudo / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
update control to reflect move of primary repo to collab-maint
[debian/sudo] / configure.in
diff --git a/configure.in b/configure.in
index 6b09b5f18fd535788bc7c6ed76428e6673ea26ab..6ec6016e5afb9ffc1556a4c76437fa06a068f407 100644 (file)
--- a/configure.in
+++ b/configure.in
@@ -1,97 +1,123 @@
 dnl
 dnl Process this file with GNU autoconf to produce a configure script.
 dnl
 dnl Process this file with GNU autoconf to produce a configure script.
-dnl $Sudo: configure.in,v 1.538 2008/12/09 21:13:01 millert Exp $
 dnl
 dnl
-dnl Copyright (c) 1994-1996,1998-2008 Todd C. Miller <Todd.Miller@courtesan.com>
+dnl Copyright (c) 1994-1996,1998-2012 Todd C. Miller <Todd.Miller@courtesan.com>
 dnl
 dnl
-AC_INIT([sudo], [1.7])
-AC_CONFIG_HEADER(config.h pathnames.h)
+AC_INIT([sudo], [1.8.5p2], [http://www.sudo.ws/bugs/], [sudo])
+AC_CONFIG_HEADER([config.h pathnames.h])
 dnl
 dnl
-dnl This won't work before AC_INIT
+dnl Note: this must come after AC_INIT
 dnl
 dnl
-AC_MSG_NOTICE([Configuring Sudo version 1.7])
+AC_MSG_NOTICE([Configuring Sudo version $PACKAGE_VERSION])
 dnl
 dnl Variables that get substituted in the Makefile and man pages
 dnl
 dnl
 dnl Variables that get substituted in the Makefile and man pages
 dnl
-AC_SUBST(LIBTOOL)
-AC_SUBST(CFLAGS)
-AC_SUBST(PROGS)
-AC_SUBST(CPPFLAGS)
-AC_SUBST(LDFLAGS)
-AC_SUBST(SUDO_LDFLAGS)
-AC_SUBST(SUDO_OBJS)
-AC_SUBST(LIBS)
-AC_SUBST(SUDO_LIBS)
-AC_SUBST(NET_LIBS)
-AC_SUBST(AFS_LIBS)
-AC_SUBST(GETGROUPS_LIB)
-AC_SUBST(OSDEFS)
-AC_SUBST(AUTH_OBJS)
-AC_SUBST(MANTYPE)
-AC_SUBST(MAN_POSTINSTALL)
-AC_SUBST(SUDOERS_MODE)
-AC_SUBST(SUDOERS_UID)
-AC_SUBST(SUDOERS_GID)
-AC_SUBST(DEV)
-AC_SUBST(SELINUX)
-AC_SUBST(BAMAN)
-AC_SUBST(LCMAN)
-AC_SUBST(SEMAN)
-AC_SUBST(devdir)
-AC_SUBST(mansectsu)
-AC_SUBST(mansectform)
-AC_SUBST(mansrcdir)
-AC_SUBST(NOEXECFILE)
-AC_SUBST(NOEXECDIR)
-AC_SUBST(noexec_file)
-AC_SUBST(INSTALL_NOEXEC)
-AC_SUBST(DONT_LEAK_PATH_INFO)
-AC_SUBST(BSDAUTH_USAGE)
-AC_SUBST(SELINUX_USAGE)
-AC_SUBST(LDAP)
-AC_SUBST(LOGINCAP_USAGE)
+AC_SUBST([HAVE_BSM_AUDIT])
+AC_SUBST([SHELL])
+AC_SUBST([LIBTOOL])
+AC_SUBST([CFLAGS])
+AC_SUBST([PROGS])
+AC_SUBST([CPPFLAGS])
+AC_SUBST([LDFLAGS])
+AC_SUBST([SUDOERS_LDFLAGS])
+AC_SUBST([LTLDFLAGS])
+AC_SUBST([COMMON_OBJS])
+AC_SUBST([SUDOERS_OBJS])
+AC_SUBST([SUDO_OBJS])
+AC_SUBST([LIBS])
+AC_SUBST([SUDO_LIBS])
+AC_SUBST([SUDOERS_LIBS])
+AC_SUBST([NET_LIBS])
+AC_SUBST([AFS_LIBS])
+AC_SUBST([REPLAY_LIBS])
+AC_SUBST([GETGROUPS_LIB])
+AC_SUBST([OSDEFS])
+AC_SUBST([AUTH_OBJS])
+AC_SUBST([MANTYPE])
+AC_SUBST([MAN_POSTINSTALL])
+AC_SUBST([SUDOERS_MODE])
+AC_SUBST([SUDOERS_UID])
+AC_SUBST([SUDOERS_GID])
+AC_SUBST([DEVEL])
+AC_SUBST([BAMAN])
+AC_SUBST([LCMAN])
+AC_SUBST([SEMAN])
+AC_SUBST([devdir])
+AC_SUBST([mansectsu])
+AC_SUBST([mansectform])
+AC_SUBST([mansrcdir])
+AC_SUBST([NOEXECFILE])
+AC_SUBST([NOEXECDIR])
+AC_SUBST([PLUGINDIR])
+AC_SUBST([SOEXT])
+AC_SUBST([noexec_file])
+AC_SUBST([INSTALL_NOEXEC])
+AC_SUBST([DONT_LEAK_PATH_INFO])
+AC_SUBST([BSDAUTH_USAGE])
+AC_SUBST([SELINUX_USAGE])
+AC_SUBST([LDAP])
+AC_SUBST([LOGINCAP_USAGE])
+AC_SUBST([ZLIB])
+AC_SUBST([ZLIB_SRC])
+AC_SUBST([LIBTOOL_DEPS])
+AC_SUBST([ac_config_libobj_dir])
+AC_SUBST([CONFIGURE_ARGS])
+AC_SUBST([LIBDL])
+AC_SUBST([LT_STATIC])
+AC_SUBST([LIBINTL])
+AC_SUBST([SUDO_NLS])
+AC_SUBST([COMPAT_TEST_PROGS])
 dnl
 dnl Variables that get substituted in docs (not overridden by environment)
 dnl
 dnl
 dnl Variables that get substituted in docs (not overridden by environment)
 dnl
-AC_SUBST(timedir)dnl initial value from SUDO_TIMEDIR
-AC_SUBST(timeout)
-AC_SUBST(password_timeout)
-AC_SUBST(sudo_umask)
-AC_SUBST(passprompt)
-AC_SUBST(long_otp_prompt)
-AC_SUBST(lecture)
-AC_SUBST(logfac)
-AC_SUBST(goodpri)
-AC_SUBST(badpri)
-AC_SUBST(loglen)
-AC_SUBST(ignore_dot)
-AC_SUBST(mail_no_user)
-AC_SUBST(mail_no_host)
-AC_SUBST(mail_no_perms)
-AC_SUBST(mailto)
-AC_SUBST(mailsub)
-AC_SUBST(badpass_message)
-AC_SUBST(fqdn)
-AC_SUBST(runas_default)
-AC_SUBST(env_editor)
-AC_SUBST(passwd_tries)
-AC_SUBST(tty_tickets)
-AC_SUBST(insults)
-AC_SUBST(root_sudo)
-AC_SUBST(path_info)
-AC_SUBST(ldap_conf)
-AC_SUBST(ldap_secret)
-AC_SUBST(nsswitch_conf)
-dnl
-dnl Initial values for above
-dnl
+AC_SUBST([iolog_dir])dnl real initial value from SUDO_IO_LOGDIR
+AC_SUBST([timedir])dnl real initial value from SUDO_TIMEDIR
+AC_SUBST([timeout])
+AC_SUBST([password_timeout])
+AC_SUBST([sudo_umask])
+AC_SUBST([umask_override])
+AC_SUBST([passprompt])
+AC_SUBST([long_otp_prompt])
+AC_SUBST([lecture])
+AC_SUBST([logfac])
+AC_SUBST([goodpri])
+AC_SUBST([badpri])
+AC_SUBST([loglen])
+AC_SUBST([ignore_dot])
+AC_SUBST([mail_no_user])
+AC_SUBST([mail_no_host])
+AC_SUBST([mail_no_perms])
+AC_SUBST([mailto])
+AC_SUBST([mailsub])
+AC_SUBST([badpass_message])
+AC_SUBST([fqdn])
+AC_SUBST([runas_default])
+AC_SUBST([env_editor])
+AC_SUBST([env_reset])
+AC_SUBST([passwd_tries])
+AC_SUBST([tty_tickets])
+AC_SUBST([insults])
+AC_SUBST([root_sudo])
+AC_SUBST([path_info])
+AC_SUBST([ldap_conf])
+AC_SUBST([ldap_secret])
+AC_SUBST([nsswitch_conf])
+AC_SUBST([netsvc_conf])
+AC_SUBST([secure_path])
+AC_SUBST([editor])
+#
+# Begin initial values for man page substitution
+#
+iolog_dir=/var/log/sudo-io
+timedir=/var/adm/sudo
 timeout=5
 password_timeout=5
 sudo_umask=0022
 timeout=5
 password_timeout=5
 sudo_umask=0022
+umask_override=off
 passprompt="Password:"
 long_otp_prompt=off
 lecture=once
 passprompt="Password:"
 long_otp_prompt=off
 lecture=once
-logfac=local2
+logfac=auth
 goodpri=notice
 badpri=alert
 loglen=80
 goodpri=notice
 badpri=alert
 loglen=80
@@ -100,39 +126,53 @@ mail_no_user=on
 mail_no_host=off
 mail_no_perms=off
 mailto=root
 mail_no_host=off
 mail_no_perms=off
 mailto=root
-mailsub='*** SECURITY information for %h ***'
-badpass_message='Sorry, try again.'
+mailsub="*** SECURITY information for %h ***"
+badpass_message="Sorry, try again."
 fqdn=off
 runas_default=root
 env_editor=off
 fqdn=off
 runas_default=root
 env_editor=off
+env_reset=on
+editor=vi
 passwd_tries=3
 passwd_tries=3
-tty_tickets=off
+tty_tickets=on
 insults=off
 root_sudo=on
 path_info=on
 insults=off
 root_sudo=on
 path_info=on
-INSTALL_NOEXEC=
-devdir='$(srcdir)'
+ldap_conf=/etc/ldap.conf
+ldap_secret=/etc/ldap.secret
+netsvc_conf=/etc/netsvc.conf
+noexec_file=/usr/local/libexec/sudo_noexec.so
+nsswitch_conf=/etc/nsswitch.conf
+secure_path="not set"
+#
+# End initial values for man page substitution
+#
 dnl
 dnl Initial values for Makefile variables listed above
 dnl May be overridden by environment variables..
 dnl
 dnl
 dnl Initial values for Makefile variables listed above
 dnl May be overridden by environment variables..
 dnl
-PROGS="sudo visudo"
+INSTALL_NOEXEC=
+devdir='$(srcdir)'
+PROGS="sudo"
 : ${MANTYPE='man'}
 : ${mansrcdir='.'}
 : ${SUDOERS_MODE='0440'}
 : ${SUDOERS_UID='0'}
 : ${SUDOERS_GID='0'}
 : ${MANTYPE='man'}
 : ${mansrcdir='.'}
 : ${SUDOERS_MODE='0440'}
 : ${SUDOERS_UID='0'}
 : ${SUDOERS_GID='0'}
-DEV="#"
+DEVEL=
 LDAP="#"
 LDAP="#"
-SELINUX="#"
-BAMAN='.\" '
-LCMAN='.\" '
-SEMAN='.\" '
+BAMAN=0
+LCMAN=0
+SEMAN=0
+LIBINTL=
+ZLIB=
+ZLIB_SRC=
 AUTH_OBJS=
 AUTH_REG=
 AUTH_EXCL=
 AUTH_EXCL_DEF=
 AUTH_DEF=passwd
 AUTH_OBJS=
 AUTH_REG=
 AUTH_EXCL=
 AUTH_EXCL_DEF=
 AUTH_DEF=passwd
+SUDO_NLS=disabled
 
 dnl
 dnl Other vaiables
 
 dnl
 dnl Other vaiables
@@ -142,31 +182,33 @@ shadow_defs=
 shadow_funcs=
 shadow_libs=
 shadow_libs_optional=
 shadow_funcs=
 shadow_libs=
 shadow_libs_optional=
+CONFIGURE_ARGS="$@"
 
 dnl
 
 dnl
-dnl Override default configure dirs...
+dnl LD_PRELOAD equivalents
 dnl
 dnl
-if test X"$prefix" = X"NONE"; then
-    test "$mandir" = '${datarootdir}/man' && mandir='$(prefix)/man'
-else
-    test "$mandir" = '${datarootdir}/man' && mandir='$(datarootdir)/man'
-fi
-test "$bindir" = '${exec_prefix}/bin' && bindir='$(exec_prefix)/bin'
-test "$sbindir" = '${exec_prefix}/sbin' && sbindir='$(exec_prefix)/sbin'
-test "$sysconfdir" = '${prefix}/etc' -a X"$with_stow" != X"yes" && sysconfdir='/etc'
+RTLD_PRELOAD_VAR="LD_PRELOAD"
+RTLD_PRELOAD_ENABLE_VAR=
+RTLD_PRELOAD_DELIM=":"
+RTLD_PRELOAD_DEFAULT=
+
+dnl
+dnl libc replacement functions live in compat
+dnl
+AC_CONFIG_LIBOBJ_DIR(compat)
 
 dnl
 dnl Deprecated --with options (these all warn or generate an error)
 dnl
 
 
 dnl
 dnl Deprecated --with options (these all warn or generate an error)
 dnl
 
-AC_ARG_WITH(otp-only, [  --with-otp-only         deprecated],
+AC_ARG_WITH(otp-only, [AS_HELP_STRING([--with-otp-only], [deprecated])],
 [case $with_otp_only in
     yes)       with_passwd="no"
                AC_MSG_NOTICE([--with-otp-only option deprecated, treating as --without-passwd])
                ;;
 esac])
 
 [case $with_otp_only in
     yes)       with_passwd="no"
                AC_MSG_NOTICE([--with-otp-only option deprecated, treating as --without-passwd])
                ;;
 esac])
 
-AC_ARG_WITH(alertmail, [  --with-alertmail        deprecated],
+AC_ARG_WITH(alertmail, [AS_HELP_STRING([--with-alertmail], [deprecated])],
 [case $with_alertmail in
     *)         with_mailto="$with_alertmail"
                AC_MSG_NOTICE([--with-alertmail option deprecated, treating as --mailto])
 [case $with_alertmail in
     *)         with_mailto="$with_alertmail"
                AC_MSG_NOTICE([--with-alertmail option deprecated, treating as --mailto])
@@ -177,31 +219,72 @@ dnl
 dnl Options for --with
 dnl
 
 dnl Options for --with
 dnl
 
-AC_ARG_WITH(CC, [  --with-CC               C compiler to use],
-[case $with_CC in
-    yes)       AC_MSG_ERROR(["must give --with-CC an argument."])
+AC_ARG_WITH(devel, [AS_HELP_STRING([--with-devel], [add development options])],
+[case $with_devel in
+    yes)       AC_MSG_NOTICE([Setting up for development: -Wall, flex, yacc])
+               OSDEFS="${OSDEFS} -DSUDO_DEVEL"
+               DEVEL="true"
+               devdir=.
                ;;
                ;;
-    no)                AC_MSG_ERROR(["illegal argument: --without-CC."])
+    no)                ;;
+    *)         AC_MSG_WARN([Ignoring unknown argument to --with-devel: $with_devel])
                ;;
                ;;
-    *)         CC=$with_CC
+esac])
+
+AC_ARG_WITH(CC, [AS_HELP_STRING([--with-CC], [C compiler to use])],
+[case $with_CC in
+    *)         AC_MSG_ERROR([the --with-CC option is no longer supported, please set the CC environment variable instead.])
                ;;
 esac])
 
                ;;
 esac])
 
-AC_ARG_WITH(rpath, [  --with-rpath            pass -R flag in addition to -L for lib paths],
+AC_ARG_WITH(rpath, [AS_HELP_STRING([--with-rpath], [pass -R flag in addition to -L for lib paths])],
 [case $with_rpath in
     yes|no)    ;;
     *)         AC_MSG_ERROR(["--with-rpath does not take an argument."])
                ;;
 esac])
 
 [case $with_rpath in
     yes|no)    ;;
     *)         AC_MSG_ERROR(["--with-rpath does not take an argument."])
                ;;
 esac])
 
-AC_ARG_WITH(blibpath, [  --with-blibpath[=PATH]    pass -blibpath flag to ld for additional lib paths],
+AC_ARG_WITH(blibpath, [AS_HELP_STRING([--with-blibpath[=PATH]], [pass -blibpath flag to ld for additional lib paths])],
 [case $with_blibpath in
     yes|no)    ;;
     *)         AC_MSG_NOTICE([will pass -blibpath:${with_blibpath} to the loader.])
                ;;
 esac])
 
 [case $with_blibpath in
     yes|no)    ;;
     *)         AC_MSG_NOTICE([will pass -blibpath:${with_blibpath} to the loader.])
                ;;
 esac])
 
-AC_ARG_WITH(incpath, [  --with-incpath          additional places to look for include files],
+dnl
+dnl Handle BSM auditing support.
+dnl
+AC_ARG_WITH(bsm-audit, [AS_HELP_STRING([--with-bsm-audit], [enable BSM audit support])],
+[case $with_bsm_audit in
+    yes)       AC_DEFINE(HAVE_BSM_AUDIT)
+               SUDOERS_LIBS="${SUDOERS_LIBS} -lbsm"
+               SUDOERS_OBJS="${SUDOERS_OBJS} bsm_audit.lo"
+               ;;
+    no)                ;;
+    *)         AC_MSG_ERROR(["--with-bsm-audit does not take an argument."])
+               ;;
+esac])
+
+dnl
+dnl Handle Linux auditing support.
+dnl
+AC_ARG_WITH(linux-audit, [AS_HELP_STRING([--with-linux-audit], [enable Linux audit support])],
+[case $with_linux_audit in
+    yes)       AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <libaudit.h>]], [[int i = AUDIT_USER_CMD; (void)i;]])], [
+                   AC_DEFINE(HAVE_LINUX_AUDIT)
+                   SUDO_LIBS="${SUDO_LIBS} -laudit"
+                   SUDOERS_LIBS="${SUDO_LIBS} -laudit"
+                   SUDOERS_OBJS="${SUDOERS_OBJS} linux_audit.lo"
+               ], [
+                   AC_MSG_ERROR([unable to find AUDIT_USER_CMD in libaudit.h for --with-linux-audit])
+               ])
+               ;;
+    no)                ;;
+    *)         AC_MSG_ERROR(["--with-linux-audit does not take an argument."])
+               ;;
+esac])
+
+AC_ARG_WITH(incpath, [AS_HELP_STRING([--with-incpath], [additional places to look for include files])],
 [case $with_incpath in
     yes)       AC_MSG_ERROR(["must give --with-incpath an argument."])
                ;;
 [case $with_incpath in
     yes)       AC_MSG_ERROR(["must give --with-incpath an argument."])
                ;;
@@ -214,7 +297,7 @@ AC_ARG_WITH(incpath, [  --with-incpath          additional places to look for in
                ;;
 esac])
 
                ;;
 esac])
 
-AC_ARG_WITH(libpath, [  --with-libpath          additional places to look for libraries],
+AC_ARG_WITH(libpath, [AS_HELP_STRING([--with-libpath], [additional places to look for libraries])],
 [case $with_libpath in
     yes)       AC_MSG_ERROR(["must give --with-libpath an argument."])
                ;;
 [case $with_libpath in
     yes)       AC_MSG_ERROR(["must give --with-libpath an argument."])
                ;;
@@ -224,7 +307,7 @@ AC_ARG_WITH(libpath, [  --with-libpath          additional places to look for li
                ;;
 esac])
 
                ;;
 esac])
 
-AC_ARG_WITH(libraries, [  --with-libraries        additional libraries to link with],
+AC_ARG_WITH(libraries, [AS_HELP_STRING([--with-libraries], [additional libraries to link with])],
 [case $with_libraries in
     yes)       AC_MSG_ERROR(["must give --with-libraries an argument."])
                ;;
 [case $with_libraries in
     yes)       AC_MSG_ERROR(["must give --with-libraries an argument."])
                ;;
@@ -234,20 +317,7 @@ AC_ARG_WITH(libraries, [  --with-libraries        additional libraries to link w
                ;;
 esac])
 
                ;;
 esac])
 
-AC_ARG_WITH(devel, [  --with-devel            add development options],
-[case $with_devel in
-    yes)       AC_MSG_NOTICE([Setting up for development: -Wall, flex, yacc])
-               PROGS="${PROGS} testsudoers"
-               OSDEFS="${OSDEFS} -DSUDO_DEVEL"
-               DEV=""
-               devdir=.
-               ;;
-    no)                ;;
-    *)         AC_MSG_WARN([Ignoring unknown argument to --with-devel: $with_devel])
-               ;;
-esac])
-
-AC_ARG_WITH(efence, [  --with-efence           link with -lefence for malloc() debugging],
+AC_ARG_WITH(efence, [AS_HELP_STRING([--with-efence], [link with -lefence for malloc() debugging])],
 [case $with_efence in
     yes)       AC_MSG_NOTICE([Sudo will link with -lefence (Electric Fence)])
                LIBS="${LIBS} -lefence"
 [case $with_efence in
     yes)       AC_MSG_NOTICE([Sudo will link with -lefence (Electric Fence)])
                LIBS="${LIBS} -lefence"
@@ -260,7 +330,7 @@ AC_ARG_WITH(efence, [  --with-efence           link with -lefence for malloc() d
                ;;
 esac])
 
                ;;
 esac])
 
-AC_ARG_WITH(csops, [  --with-csops            add CSOps standard options],
+AC_ARG_WITH(csops, [AS_HELP_STRING([--with-csops], [add CSOps standard options])],
 [case $with_csops in
     yes)       AC_MSG_NOTICE([Adding CSOps standard options])
                CHECKSIA=false
 [case $with_csops in
     yes)       AC_MSG_NOTICE([Adding CSOps standard options])
                CHECKSIA=false
@@ -277,7 +347,7 @@ AC_ARG_WITH(csops, [  --with-csops            add CSOps standard options],
                ;;
 esac])
 
                ;;
 esac])
 
-AC_ARG_WITH(passwd, [  --without-passwd        don't use passwd/shadow file for authentication],
+AC_ARG_WITH(passwd, [AS_HELP_STRING([--without-passwd], [don't use passwd/shadow file for authentication])],
 [case $with_passwd in
     yes|no)    AC_MSG_CHECKING(whether to use shadow/passwd file authentication)
                AC_MSG_RESULT($with_passwd)
 [case $with_passwd in
     yes|no)    AC_MSG_CHECKING(whether to use shadow/passwd file authentication)
                AC_MSG_RESULT($with_passwd)
@@ -288,10 +358,9 @@ AC_ARG_WITH(passwd, [  --without-passwd        don't use passwd/shadow file for
                ;;
 esac])
 
                ;;
 esac])
 
-AC_ARG_WITH(skey, [  --with-skey[=DIR]         enable S/Key support ],
+AC_ARG_WITH(skey, [AS_HELP_STRING([--with-skey[=DIR]], [enable S/Key support ])],
 [case $with_skey in
 [case $with_skey in
-    no)                with_skey=""
-               ;;
+    no)                ;;
     *)         AC_DEFINE(HAVE_SKEY)
                AC_MSG_CHECKING(whether to try S/Key authentication)
                AC_MSG_RESULT(yes)
     *)         AC_DEFINE(HAVE_SKEY)
                AC_MSG_CHECKING(whether to try S/Key authentication)
                AC_MSG_RESULT(yes)
@@ -299,10 +368,9 @@ AC_ARG_WITH(skey, [  --with-skey[=DIR]         enable S/Key support ],
                ;;
 esac])
 
                ;;
 esac])
 
-AC_ARG_WITH(opie, [  --with-opie[=DIR]         enable OPIE support ],
+AC_ARG_WITH(opie, [AS_HELP_STRING([--with-opie[=DIR]], [enable OPIE support ])],
 [case $with_opie in
 [case $with_opie in
-    no)                with_opie=""
-               ;;
+    no)                ;;
     *)         AC_DEFINE(HAVE_OPIE)
                AC_MSG_CHECKING(whether to try NRL OPIE authentication)
                AC_MSG_RESULT(yes)
     *)         AC_DEFINE(HAVE_OPIE)
                AC_MSG_CHECKING(whether to try NRL OPIE authentication)
                AC_MSG_RESULT(yes)
@@ -310,7 +378,7 @@ AC_ARG_WITH(opie, [  --with-opie[=DIR]         enable OPIE support ],
                ;;
 esac])
 
                ;;
 esac])
 
-AC_ARG_WITH(long-otp-prompt, [  --with-long-otp-prompt  use a two line OTP (skey/opie) prompt],
+AC_ARG_WITH(long-otp-prompt, [AS_HELP_STRING([--with-long-otp-prompt], [use a two line OTP (skey/opie) prompt])],
 [case $with_long_otp_prompt in
     yes)       AC_DEFINE(LONG_OTP_PROMPT)
                AC_MSG_CHECKING(whether to use a two line prompt for OTP authentication)
 [case $with_long_otp_prompt in
     yes)       AC_DEFINE(LONG_OTP_PROMPT)
                AC_MSG_CHECKING(whether to use a two line prompt for OTP authentication)
@@ -323,9 +391,9 @@ AC_ARG_WITH(long-otp-prompt, [  --with-long-otp-prompt  use a two line OTP (skey
                ;;
 esac])
 
                ;;
 esac])
 
-AC_ARG_WITH(SecurID, [  --with-SecurID[[=DIR]]    enable SecurID support],
+AC_ARG_WITH(SecurID, [AS_HELP_STRING([--with-SecurID[[=DIR]]], [enable SecurID support])],
 [case $with_SecurID in
 [case $with_SecurID in
-    no)                with_SecurID="";;
+    no)                ;;
     *)         AC_DEFINE(HAVE_SECURID)
                AC_MSG_CHECKING(whether to use SecurID for authentication)
                AC_MSG_RESULT(yes)
     *)         AC_DEFINE(HAVE_SECURID)
                AC_MSG_CHECKING(whether to use SecurID for authentication)
                AC_MSG_RESULT(yes)
@@ -333,9 +401,9 @@ AC_ARG_WITH(SecurID, [  --with-SecurID[[=DIR]]    enable SecurID support],
                ;;
 esac])
 
                ;;
 esac])
 
-AC_ARG_WITH(fwtk, [  --with-fwtk[[=DIR]]       enable FWTK AuthSRV support],
+AC_ARG_WITH(fwtk, [AS_HELP_STRING([--with-fwtk[[=DIR]]], [enable FWTK AuthSRV support])],
 [case $with_fwtk in
 [case $with_fwtk in
-    no)                with_fwtk="";;
+    no)                ;;
     *)         AC_DEFINE(HAVE_FWTK)
                AC_MSG_CHECKING(whether to use FWTK AuthSRV for authentication)
                AC_MSG_RESULT(yes)
     *)         AC_DEFINE(HAVE_FWTK)
                AC_MSG_CHECKING(whether to use FWTK AuthSRV for authentication)
                AC_MSG_RESULT(yes)
@@ -343,25 +411,16 @@ AC_ARG_WITH(fwtk, [  --with-fwtk[[=DIR]]       enable FWTK AuthSRV support],
                ;;
 esac])
 
                ;;
 esac])
 
-AC_ARG_WITH(kerb4, [  --with-kerb4[[=DIR]]      enable Kerberos IV support],
-[case $with_kerb4 in
-    no)                with_kerb4="";;
-    *)         AC_MSG_CHECKING(whether to try kerberos IV authentication)
-               AC_MSG_RESULT(yes)
-               AUTH_REG="$AUTH_REG kerb4"
-               ;;
-esac])
-
-AC_ARG_WITH(kerb5, [  --with-kerb5[[=DIR]]      enable Kerberos V support],
+AC_ARG_WITH(kerb5, [AS_HELP_STRING([--with-kerb5[[=DIR]]], [enable Kerberos V support])],
 [case $with_kerb5 in
 [case $with_kerb5 in
-    no)                with_kerb5="";;
+    no)                ;;
     *)         AC_MSG_CHECKING(whether to try Kerberos V authentication)
                AC_MSG_RESULT(yes)
                AUTH_REG="$AUTH_REG kerb5"
                ;;
 esac])
 
     *)         AC_MSG_CHECKING(whether to try Kerberos V authentication)
                AC_MSG_RESULT(yes)
                AUTH_REG="$AUTH_REG kerb5"
                ;;
 esac])
 
-AC_ARG_WITH(aixauth, [  --with-aixauth          enable AIX general authentication support],
+AC_ARG_WITH(aixauth, [AS_HELP_STRING([--with-aixauth], [enable AIX general authentication support])],
 [case $with_aixauth in
     yes)       AUTH_EXCL="$AUTH_EXCL AIX_AUTH";;
     no)                ;;
 [case $with_aixauth in
     yes)       AUTH_EXCL="$AUTH_EXCL AIX_AUTH";;
     no)                ;;
@@ -369,7 +428,7 @@ AC_ARG_WITH(aixauth, [  --with-aixauth          enable AIX general authenticatio
                ;;
 esac])
 
                ;;
 esac])
 
-AC_ARG_WITH(pam, [  --with-pam              enable PAM support],
+AC_ARG_WITH(pam, [AS_HELP_STRING([--with-pam], [enable PAM support])],
 [case $with_pam in
     yes)       AUTH_EXCL="$AUTH_EXCL PAM";;
     no)                ;;
 [case $with_pam in
     yes)       AUTH_EXCL="$AUTH_EXCL PAM";;
     no)                ;;
@@ -377,7 +436,7 @@ AC_ARG_WITH(pam, [  --with-pam              enable PAM support],
                ;;
 esac])
 
                ;;
 esac])
 
-AC_ARG_WITH(AFS, [  --with-AFS              enable AFS support],
+AC_ARG_WITH(AFS, [AS_HELP_STRING([--with-AFS], [enable AFS support])],
 [case $with_AFS in
     yes)       AC_DEFINE(HAVE_AFS)
                AC_MSG_CHECKING(whether to try AFS (kerberos) authentication)
 [case $with_AFS in
     yes)       AC_DEFINE(HAVE_AFS)
                AC_MSG_CHECKING(whether to try AFS (kerberos) authentication)
@@ -389,7 +448,7 @@ AC_ARG_WITH(AFS, [  --with-AFS              enable AFS support],
                ;;
 esac])
 
                ;;
 esac])
 
-AC_ARG_WITH(DCE, [  --with-DCE              enable DCE support],
+AC_ARG_WITH(DCE, [AS_HELP_STRING([--with-DCE], [enable DCE support])],
 [case $with_DCE in
     yes)       AC_DEFINE(HAVE_DCE)
                AC_MSG_CHECKING(whether to try DCE (kerberos) authentication)
 [case $with_DCE in
     yes)       AC_DEFINE(HAVE_DCE)
                AC_MSG_CHECKING(whether to try DCE (kerberos) authentication)
@@ -401,14 +460,14 @@ AC_ARG_WITH(DCE, [  --with-DCE              enable DCE support],
                ;;
 esac])
 
                ;;
 esac])
 
-AC_ARG_WITH(logincap, [  --with-logincap         enable BSD login class support],
+AC_ARG_WITH(logincap, [AS_HELP_STRING([--with-logincap], [enable BSD login class support])],
 [case $with_logincap in
     yes|no)    ;;
     *)         AC_MSG_ERROR(["--with-logincap does not take an argument."])
                ;;
 esac])
 
 [case $with_logincap in
     yes|no)    ;;
     *)         AC_MSG_ERROR(["--with-logincap does not take an argument."])
                ;;
 esac])
 
-AC_ARG_WITH(bsdauth, [  --with-bsdauth          enable BSD authentication support],
+AC_ARG_WITH(bsdauth, [AS_HELP_STRING([--with-bsdauth], [enable BSD authentication support])],
 [case $with_bsdauth in
     yes)       AUTH_EXCL="$AUTH_EXCL BSD_AUTH";;
     no)                ;;
 [case $with_bsdauth in
     yes)       AUTH_EXCL="$AUTH_EXCL BSD_AUTH";;
     no)                ;;
@@ -416,7 +475,7 @@ AC_ARG_WITH(bsdauth, [  --with-bsdauth          enable BSD authentication suppor
                ;;
 esac])
 
                ;;
 esac])
 
-AC_ARG_WITH(project, [  --with-project          enable Solaris project support],
+AC_ARG_WITH(project, [AS_HELP_STRING([--with-project], [enable Solaris project support])],
 [case $with_project in
     yes|no)    ;;
     no)        ;;
 [case $with_project in
     yes|no)    ;;
     no)        ;;
@@ -425,7 +484,7 @@ AC_ARG_WITH(project, [  --with-project          enable Solaris project support],
 esac])
 
 AC_MSG_CHECKING(whether to lecture users the first time they run sudo)
 esac])
 
 AC_MSG_CHECKING(whether to lecture users the first time they run sudo)
-AC_ARG_WITH(lecture, [  --without-lecture       don't print lecture for first-time sudoer],
+AC_ARG_WITH(lecture, [AS_HELP_STRING([--without-lecture], [don't print lecture for first-time sudoer])],
 [case $with_lecture in
     yes|short|always)  lecture=once
                ;;
 [case $with_lecture in
     yes|short|always)  lecture=once
                ;;
@@ -442,7 +501,7 @@ else
 fi
 
 AC_MSG_CHECKING(whether sudo should log via syslog or to a file by default)
 fi
 
 AC_MSG_CHECKING(whether sudo should log via syslog or to a file by default)
-AC_ARG_WITH(logging, [  --with-logging          log via syslog, file, or both],
+AC_ARG_WITH(logging, [AS_HELP_STRING([--with-logging], [log via syslog, file, or both])],
 [case $with_logging in
     yes)       AC_MSG_ERROR(["must give --with-logging an argument."])
                ;;
 [case $with_logging in
     yes)       AC_MSG_ERROR(["must give --with-logging an argument."])
                ;;
@@ -461,8 +520,7 @@ AC_ARG_WITH(logging, [  --with-logging          log via syslog, file, or both],
                ;;
 esac], [AC_DEFINE(LOGGING, SLOG_SYSLOG) AC_MSG_RESULT(syslog)])
 
                ;;
 esac], [AC_DEFINE(LOGGING, SLOG_SYSLOG) AC_MSG_RESULT(syslog)])
 
-AC_MSG_CHECKING(which syslog facility sudo should log with)
-AC_ARG_WITH(logfac, [  --with-logfac           syslog facility to log with (default is "local2")],
+AC_ARG_WITH(logfac, [AS_HELP_STRING([--with-logfac], [syslog facility to log with (default is "auth")])],
 [case $with_logfac in
     yes)       AC_MSG_ERROR(["must give --with-logfac an argument."])
                ;;
 [case $with_logfac in
     yes)       AC_MSG_ERROR(["must give --with-logfac an argument."])
                ;;
@@ -473,11 +531,9 @@ AC_ARG_WITH(logfac, [  --with-logfac           syslog facility to log with (defa
     *)         AC_MSG_ERROR(["$with_logfac is not a supported syslog facility."])
                ;;
 esac])
     *)         AC_MSG_ERROR(["$with_logfac is not a supported syslog facility."])
                ;;
 esac])
-AC_DEFINE_UNQUOTED(LOGFAC, "$logfac", [The syslog facility sudo will use.])
-AC_MSG_RESULT($logfac)
 
 AC_MSG_CHECKING(at which syslog priority to log commands)
 
 AC_MSG_CHECKING(at which syslog priority to log commands)
-AC_ARG_WITH(goodpri, [  --with-goodpri          syslog priority for commands (def is "notice")],
+AC_ARG_WITH(goodpri, [AS_HELP_STRING([--with-goodpri], [syslog priority for commands (def is "notice")])],
 [case $with_goodpri in
     yes)       AC_MSG_ERROR(["must give --with-goodpri an argument."])
                ;;
 [case $with_goodpri in
     yes)       AC_MSG_ERROR(["must give --with-goodpri an argument."])
                ;;
@@ -493,7 +549,7 @@ AC_DEFINE_UNQUOTED(PRI_SUCCESS, "$goodpri", [The syslog priority sudo will use f
 AC_MSG_RESULT($goodpri)
 
 AC_MSG_CHECKING(at which syslog priority to log failures)
 AC_MSG_RESULT($goodpri)
 
 AC_MSG_CHECKING(at which syslog priority to log failures)
-AC_ARG_WITH(badpri, [  --with-badpri           syslog priority for failures (def is "alert")],
+AC_ARG_WITH(badpri, [AS_HELP_STRING([--with-badpri], [syslog priority for failures (def is "alert")])],
 [case $with_badpri in
     yes)       AC_MSG_ERROR(["must give --with-badpri an argument."])
                ;;
 [case $with_badpri in
     yes)       AC_MSG_ERROR(["must give --with-badpri an argument."])
                ;;
@@ -508,7 +564,7 @@ esac])
 AC_DEFINE_UNQUOTED(PRI_FAILURE, "$badpri", [The syslog priority sudo will use for unsuccessful attempts/errors.])
 AC_MSG_RESULT($badpri)
 
 AC_DEFINE_UNQUOTED(PRI_FAILURE, "$badpri", [The syslog priority sudo will use for unsuccessful attempts/errors.])
 AC_MSG_RESULT($badpri)
 
-AC_ARG_WITH(logpath, [  --with-logpath          path to the sudo log file],
+AC_ARG_WITH(logpath, [AS_HELP_STRING([--with-logpath], [path to the sudo log file])],
 [case $with_logpath in
     yes)       AC_MSG_ERROR(["must give --with-logpath an argument."])
                ;;
 [case $with_logpath in
     yes)       AC_MSG_ERROR(["must give --with-logpath an argument."])
                ;;
@@ -517,7 +573,7 @@ AC_ARG_WITH(logpath, [  --with-logpath          path to the sudo log file],
 esac])
 
 AC_MSG_CHECKING(how long a line in the log file should be)
 esac])
 
 AC_MSG_CHECKING(how long a line in the log file should be)
-AC_ARG_WITH(loglen, [  --with-loglen           maximum length of a log file line (default is 80)],
+AC_ARG_WITH(loglen, [AS_HELP_STRING([--with-loglen], [maximum length of a log file line (default is 80)])],
 [case $with_loglen in
     yes)       AC_MSG_ERROR(["must give --with-loglen an argument."])
                ;;
 [case $with_loglen in
     yes)       AC_MSG_ERROR(["must give --with-loglen an argument."])
                ;;
@@ -532,7 +588,7 @@ AC_DEFINE_UNQUOTED(MAXLOGFILELEN, $loglen, [The max number of chars per log file
 AC_MSG_RESULT($loglen)
 
 AC_MSG_CHECKING(whether sudo should ignore '.' or '' in \$PATH)
 AC_MSG_RESULT($loglen)
 
 AC_MSG_CHECKING(whether sudo should ignore '.' or '' in \$PATH)
-AC_ARG_WITH(ignore-dot, [  --with-ignore-dot       ignore '.' in the PATH],
+AC_ARG_WITH(ignore-dot, [AS_HELP_STRING([--with-ignore-dot], [ignore '.' in the PATH])],
 [case $with_ignore_dot in
     yes)       ignore_dot=on
                ;;
 [case $with_ignore_dot in
     yes)       ignore_dot=on
                ;;
@@ -549,7 +605,7 @@ else
 fi
 
 AC_MSG_CHECKING(whether to send mail when a user is not in sudoers)
 fi
 
 AC_MSG_CHECKING(whether to send mail when a user is not in sudoers)
-AC_ARG_WITH(mail-if-no-user, [  --without-mail-if-no-user do not send mail if user not in sudoers],
+AC_ARG_WITH(mail-if-no-user, [AS_HELP_STRING([--without-mail-if-no-user], [do not send mail if user not in sudoers])],
 [case $with_mail_if_no_user in
     yes)       mail_no_user=on
                ;;
 [case $with_mail_if_no_user in
     yes)       mail_no_user=on
                ;;
@@ -566,7 +622,7 @@ else
 fi
 
 AC_MSG_CHECKING(whether to send mail when user listed but not for this host)
 fi
 
 AC_MSG_CHECKING(whether to send mail when user listed but not for this host)
-AC_ARG_WITH(mail-if-no-host, [  --with-mail-if-no-host  send mail if user in sudoers but not for this host],
+AC_ARG_WITH(mail-if-no-host, [AS_HELP_STRING([--with-mail-if-no-host], [send mail if user in sudoers but not for this host])],
 [case $with_mail_if_no_host in
     yes)       mail_no_host=on
                ;;
 [case $with_mail_if_no_host in
     yes)       mail_no_host=on
                ;;
@@ -583,7 +639,7 @@ else
 fi
 
 AC_MSG_CHECKING(whether to send mail when a user tries a disallowed command)
 fi
 
 AC_MSG_CHECKING(whether to send mail when a user tries a disallowed command)
-AC_ARG_WITH(mail-if-noperms, [  --with-mail-if-noperms  send mail if user not allowed to run command],
+AC_ARG_WITH(mail-if-noperms, [AS_HELP_STRING([--with-mail-if-noperms], [send mail if user not allowed to run command])],
 [case $with_mail_if_noperms in
     yes)       mail_noperms=on
                ;;
 [case $with_mail_if_noperms in
     yes)       mail_noperms=on
                ;;
@@ -600,7 +656,7 @@ else
 fi
 
 AC_MSG_CHECKING(who should get the mail that sudo sends)
 fi
 
 AC_MSG_CHECKING(who should get the mail that sudo sends)
-AC_ARG_WITH(mailto, [  --with-mailto           who should get sudo mail (default is "root")],
+AC_ARG_WITH(mailto, [AS_HELP_STRING([--with-mailto], [who should get sudo mail (default is "root")])],
 [case $with_mailto in
     yes)       AC_MSG_ERROR(["must give --with-mailto an argument."])
                ;;
 [case $with_mailto in
     yes)       AC_MSG_ERROR(["must give --with-mailto an argument."])
                ;;
@@ -612,7 +668,7 @@ esac])
 AC_DEFINE_UNQUOTED(MAILTO, "$mailto", [The user or email address that sudo mail is sent to.])
 AC_MSG_RESULT([$mailto])
 
 AC_DEFINE_UNQUOTED(MAILTO, "$mailto", [The user or email address that sudo mail is sent to.])
 AC_MSG_RESULT([$mailto])
 
-AC_ARG_WITH(mailsubject, [  --with-mailsubject      subject of sudo mail],
+AC_ARG_WITH(mailsubject, [AS_HELP_STRING([--with-mailsubject], [subject of sudo mail])],
 [case $with_mailsubject in
     yes)       AC_MSG_ERROR(["must give --with-mailsubject an argument."])
                ;;
 [case $with_mailsubject in
     yes)       AC_MSG_ERROR(["must give --with-mailsubject an argument."])
                ;;
@@ -626,7 +682,7 @@ esac])
 AC_DEFINE_UNQUOTED(MAILSUBJECT, "$mailsub", [The subject of the mail sent by sudo to the MAILTO user/address.])
 
 AC_MSG_CHECKING(for bad password prompt)
 AC_DEFINE_UNQUOTED(MAILSUBJECT, "$mailsub", [The subject of the mail sent by sudo to the MAILTO user/address.])
 
 AC_MSG_CHECKING(for bad password prompt)
-AC_ARG_WITH(passprompt, [  --with-passprompt       default password prompt],
+AC_ARG_WITH(passprompt, [AS_HELP_STRING([--with-passprompt], [default password prompt])],
 [case $with_passprompt in
     yes)       AC_MSG_ERROR(["must give --with-passprompt an argument."])
                ;;
 [case $with_passprompt in
     yes)       AC_MSG_ERROR(["must give --with-passprompt an argument."])
                ;;
@@ -638,7 +694,7 @@ AC_MSG_RESULT($passprompt)
 AC_DEFINE_UNQUOTED(PASSPROMPT, "$passprompt", [The default password prompt.])
 
 AC_MSG_CHECKING(for bad password message)
 AC_DEFINE_UNQUOTED(PASSPROMPT, "$passprompt", [The default password prompt.])
 
 AC_MSG_CHECKING(for bad password message)
-AC_ARG_WITH(badpass-message, [  --with-badpass-message  message the user sees when the password is wrong],
+AC_ARG_WITH(badpass-message, [AS_HELP_STRING([--with-badpass-message], [message the user sees when the password is wrong])],
 [case $with_badpass_message in
     yes)       AC_MSG_ERROR(["Must give --with-badpass-message an argument."])
                ;;
 [case $with_badpass_message in
     yes)       AC_MSG_ERROR(["Must give --with-badpass-message an argument."])
                ;;
@@ -651,7 +707,7 @@ AC_DEFINE_UNQUOTED(INCORRECT_PASSWORD, "$badpass_message", [The message given wh
 AC_MSG_RESULT([$badpass_message])
 
 AC_MSG_CHECKING(whether to expect fully qualified hosts in sudoers)
 AC_MSG_RESULT([$badpass_message])
 
 AC_MSG_CHECKING(whether to expect fully qualified hosts in sudoers)
-AC_ARG_WITH(fqdn, [  --with-fqdn             expect fully qualified hosts in sudoers],
+AC_ARG_WITH(fqdn, [AS_HELP_STRING([--with-fqdn], [expect fully qualified hosts in sudoers])],
 [case $with_fqdn in
     yes)       fqdn=on
                ;;
 [case $with_fqdn in
     yes)       fqdn=on
                ;;
@@ -667,7 +723,7 @@ else
     AC_MSG_RESULT(no)
 fi
 
     AC_MSG_RESULT(no)
 fi
 
-AC_ARG_WITH(timedir, [  --with-timedir          path to the sudo timestamp dir],
+AC_ARG_WITH(timedir, [AS_HELP_STRING([--with-timedir], [path to the sudo timestamp dir])],
 [case $with_timedir in
     yes)       AC_MSG_ERROR(["must give --with-timedir an argument."])
                ;;
 [case $with_timedir in
     yes)       AC_MSG_ERROR(["must give --with-timedir an argument."])
                ;;
@@ -675,8 +731,15 @@ AC_ARG_WITH(timedir, [  --with-timedir          path to the sudo timestamp dir],
                ;;
 esac])
 
                ;;
 esac])
 
-AC_ARG_WITH(sendmail, [  --with-sendmail=path    set path to sendmail
-  --without-sendmail      do not send mail at all],
+AC_ARG_WITH(iologdir, [AS_HELP_STRING([--with-iologdir=DIR], [directory to store sudo I/O log files in])],
+[case $with_iologdir in
+    yes)    ;;
+    no)     AC_MSG_ERROR(["--without-iologdir not supported."])
+           ;;
+esac])
+
+AC_ARG_WITH(sendmail, [AS_HELP_STRING([--with-sendmail], [set path to sendmail])
+AS_HELP_STRING([--without-sendmail], [do not send mail at all])],
 [case $with_sendmail in
     yes)       with_sendmail=""
                ;;
 [case $with_sendmail in
     yes)       with_sendmail=""
                ;;
@@ -685,7 +748,7 @@ AC_ARG_WITH(sendmail, [  --with-sendmail=path    set path to sendmail
                ;;
 esac])
 
                ;;
 esac])
 
-AC_ARG_WITH(sudoers-mode, [  --with-sudoers-mode     mode of sudoers file (defaults to 0440)],
+AC_ARG_WITH(sudoers-mode, [AS_HELP_STRING([--with-sudoers-mode], [mode of sudoers file (defaults to 0440)])],
 [case $with_sudoers_mode in
     yes)       AC_MSG_ERROR(["must give --with-sudoers-mode an argument."])
                ;;
 [case $with_sudoers_mode in
     yes)       AC_MSG_ERROR(["must give --with-sudoers-mode an argument."])
                ;;
@@ -699,7 +762,7 @@ AC_ARG_WITH(sudoers-mode, [  --with-sudoers-mode     mode of sudoers file (defau
                ;;
 esac])
 
                ;;
 esac])
 
-AC_ARG_WITH(sudoers-uid, [  --with-sudoers-uid      uid that owns sudoers file (defaults to 0)],
+AC_ARG_WITH(sudoers-uid, [AS_HELP_STRING([--with-sudoers-uid], [uid that owns sudoers file (defaults to 0)])],
 [case $with_sudoers_uid in
     yes)       AC_MSG_ERROR(["must give --with-sudoers-uid an argument."])
                ;;
 [case $with_sudoers_uid in
     yes)       AC_MSG_ERROR(["must give --with-sudoers-uid an argument."])
                ;;
@@ -711,7 +774,7 @@ AC_ARG_WITH(sudoers-uid, [  --with-sudoers-uid      uid that owns sudoers file (
                ;;
 esac])
 
                ;;
 esac])
 
-AC_ARG_WITH(sudoers-gid, [  --with-sudoers-gid      gid that owns sudoers file (defaults to 0)],
+AC_ARG_WITH(sudoers-gid, [AS_HELP_STRING([--with-sudoers-gid], [gid that owns sudoers file (defaults to 0)])],
 [case $with_sudoers_gid in
     yes)       AC_MSG_ERROR(["must give --with-sudoers-gid an argument."])
                ;;
 [case $with_sudoers_gid in
     yes)       AC_MSG_ERROR(["must give --with-sudoers-gid an argument."])
                ;;
@@ -724,8 +787,8 @@ AC_ARG_WITH(sudoers-gid, [  --with-sudoers-gid      gid that owns sudoers file (
 esac])
 
 AC_MSG_CHECKING(for umask programs should be run with)
 esac])
 
 AC_MSG_CHECKING(for umask programs should be run with)
-AC_ARG_WITH(umask, [  --with-umask            umask with which the prog should run (default is 022)
-  --without-umask         Preserves the umask of the user invoking sudo.],
+AC_ARG_WITH(umask, [AS_HELP_STRING([--with-umask], [umask with which the prog should run (default is 022)])
+AS_HELP_STRING([--without-umask], [Preserves the umask of the user invoking sudo.])],
 [case $with_umask in
     yes)       AC_MSG_ERROR(["must give --with-umask an argument."])
                ;;
 [case $with_umask in
     yes)       AC_MSG_ERROR(["must give --with-umask an argument."])
                ;;
@@ -736,15 +799,26 @@ AC_ARG_WITH(umask, [  --with-umask            umask with which the prog should r
     *)         AC_MSG_ERROR(["you must enter a numeric mask."])
                ;;
 esac])
     *)         AC_MSG_ERROR(["you must enter a numeric mask."])
                ;;
 esac])
-AC_DEFINE_UNQUOTED(SUDO_UMASK, $sudo_umask, [The umask that the root-run prog should use.])
+AC_DEFINE_UNQUOTED(SUDO_UMASK, $sudo_umask, [The umask that the sudo-run prog should use.])
 if test "$sudo_umask" = "0777"; then
     AC_MSG_RESULT(user)
 else
     AC_MSG_RESULT($sudo_umask)
 fi
 
 if test "$sudo_umask" = "0777"; then
     AC_MSG_RESULT(user)
 else
     AC_MSG_RESULT($sudo_umask)
 fi
 
+AC_ARG_WITH(umask-override, [AS_HELP_STRING([--with-umask-override], [Use the umask specified in sudoers even if it is less restrictive than the user's.])],
+[case $with_umask_override in
+    yes)       AC_DEFINE(UMASK_OVERRIDE)
+               umask_override=on
+               ;;
+    no)                umask_override=off
+               ;;
+    *)         AC_MSG_ERROR(["--with-umask-override does not take an argument."])
+               ;;
+esac])
+
 AC_MSG_CHECKING(for default user to run commands as)
 AC_MSG_CHECKING(for default user to run commands as)
-AC_ARG_WITH(runas-default, [  --with-runas-default    User to run commands as (default is "root")],
+AC_ARG_WITH(runas-default, [AS_HELP_STRING([--with-runas-default], [User to run commands as (default is "root")])],
 [case $with_runas_default in
     yes)       AC_MSG_ERROR(["must give --with-runas-default an argument."])
                ;;
 [case $with_runas_default in
     yes)       AC_MSG_ERROR(["must give --with-runas-default an argument."])
                ;;
@@ -756,7 +830,7 @@ esac])
 AC_DEFINE_UNQUOTED(RUNAS_DEFAULT, "$runas_default", [The user sudo should run commands as by default.])
 AC_MSG_RESULT([$runas_default])
 
 AC_DEFINE_UNQUOTED(RUNAS_DEFAULT, "$runas_default", [The user sudo should run commands as by default.])
 AC_MSG_RESULT([$runas_default])
 
-AC_ARG_WITH(exempt, [  --with-exempt=group     no passwd needed for users in this group],
+AC_ARG_WITH(exempt, [AS_HELP_STRING([--with-exempt=group], [no passwd needed for users in this group])],
 [case $with_exempt in
     yes)       AC_MSG_ERROR(["must give --with-exempt an argument."])
                ;;
 [case $with_exempt in
     yes)       AC_MSG_ERROR(["must give --with-exempt an argument."])
                ;;
@@ -769,7 +843,7 @@ AC_ARG_WITH(exempt, [  --with-exempt=group     no passwd needed for users in thi
 esac])
 
 AC_MSG_CHECKING(for editor that visudo should use)
 esac])
 
 AC_MSG_CHECKING(for editor that visudo should use)
-AC_ARG_WITH(editor, [  --with-editor=path      Default editor for visudo (defaults to vi)],
+AC_ARG_WITH(editor, [AS_HELP_STRING([--with-editor=path], [Default editor for visudo (defaults to vi)])],
 [case $with_editor in
     yes)       AC_MSG_ERROR(["must give --with-editor an argument."])
                ;;
 [case $with_editor in
     yes)       AC_MSG_ERROR(["must give --with-editor an argument."])
                ;;
@@ -777,11 +851,12 @@ AC_ARG_WITH(editor, [  --with-editor=path      Default editor for visudo (defaul
                ;;
     *)         AC_DEFINE_UNQUOTED(EDITOR, "$with_editor", [A colon-separated list of pathnames to be used as the editor for visudo.])
                AC_MSG_RESULT([$with_editor])
                ;;
     *)         AC_DEFINE_UNQUOTED(EDITOR, "$with_editor", [A colon-separated list of pathnames to be used as the editor for visudo.])
                AC_MSG_RESULT([$with_editor])
+               editor="$with_editor"
                ;;
 esac], [AC_DEFINE(EDITOR, _PATH_VI) AC_MSG_RESULT(vi)])
 
 AC_MSG_CHECKING(whether to obey EDITOR and VISUAL environment variables)
                ;;
 esac], [AC_DEFINE(EDITOR, _PATH_VI) AC_MSG_RESULT(vi)])
 
 AC_MSG_CHECKING(whether to obey EDITOR and VISUAL environment variables)
-AC_ARG_WITH(env-editor, [  --with-env-editor       Use the environment variable EDITOR for visudo],
+AC_ARG_WITH(env-editor, [AS_HELP_STRING([--with-env-editor], [Use the environment variable EDITOR for visudo])],
 [case $with_env_editor in
     yes)       env_editor=on
                ;;
 [case $with_env_editor in
     yes)       env_editor=on
                ;;
@@ -798,7 +873,7 @@ else
 fi
 
 AC_MSG_CHECKING(number of tries a user gets to enter their password)
 fi
 
 AC_MSG_CHECKING(number of tries a user gets to enter their password)
-AC_ARG_WITH(passwd-tries, [  --with-passwd-tries     number of tries to enter password (default is 3)],
+AC_ARG_WITH(passwd-tries, [AS_HELP_STRING([--with-passwd-tries], [number of tries to enter password (default is 3)])],
 [case $with_passwd_tries in
     yes)       ;;
     no)                AC_MSG_ERROR(["--without-editor not supported."])
 [case $with_passwd_tries in
     yes)       ;;
     no)                AC_MSG_ERROR(["--without-editor not supported."])
@@ -812,7 +887,7 @@ AC_DEFINE_UNQUOTED(TRIES_FOR_PASSWORD, $passwd_tries, [The number of tries a use
 AC_MSG_RESULT($passwd_tries)
 
 AC_MSG_CHECKING(time in minutes after which sudo will ask for a password again)
 AC_MSG_RESULT($passwd_tries)
 
 AC_MSG_CHECKING(time in minutes after which sudo will ask for a password again)
-AC_ARG_WITH(timeout, [  --with-timeout          minutes before sudo asks for passwd again (def is 5 minutes)],
+AC_ARG_WITH(timeout, [AS_HELP_STRING([--with-timeout], [minutes before sudo asks for passwd again (def is 5 minutes)])],
 [case $with_timeout in
     yes)       ;;
     no)                timeout=0
 [case $with_timeout in
     yes)       ;;
     no)                timeout=0
@@ -826,7 +901,7 @@ AC_DEFINE_UNQUOTED(TIMEOUT, $timeout, [The number of minutes before sudo asks fo
 AC_MSG_RESULT($timeout)
 
 AC_MSG_CHECKING(time in minutes after the password prompt will time out)
 AC_MSG_RESULT($timeout)
 
 AC_MSG_CHECKING(time in minutes after the password prompt will time out)
-AC_ARG_WITH(password-timeout, [  --with-password-timeout passwd prompt timeout in minutes (default is 5 minutes)],
+AC_ARG_WITH(password-timeout, [AS_HELP_STRING([--with-password-timeout], [passwd prompt timeout in minutes (default is 5 minutes)])],
 [case $with_password_timeout in
     yes)       ;;
     no)                password_timeout=0
 [case $with_password_timeout in
     yes)       ;;
     no)                password_timeout=0
@@ -840,7 +915,7 @@ AC_DEFINE_UNQUOTED(PASSWORD_TIMEOUT, $password_timeout, [The passwd prompt timeo
 AC_MSG_RESULT($password_timeout)
 
 AC_MSG_CHECKING(whether to use per-tty ticket files)
 AC_MSG_RESULT($password_timeout)
 
 AC_MSG_CHECKING(whether to use per-tty ticket files)
-AC_ARG_WITH(tty-tickets, [  --with-tty-tickets      use a different ticket file for each tty],
+AC_ARG_WITH(tty-tickets, [AS_HELP_STRING([--with-tty-tickets], [use a different ticket file for each tty])],
 [case $with_tty_tickets in
     yes)       tty_tickets=on
                ;;
 [case $with_tty_tickets in
     yes)       tty_tickets=on
                ;;
@@ -849,20 +924,24 @@ AC_ARG_WITH(tty-tickets, [  --with-tty-tickets      use a different ticket file
     *)         AC_MSG_ERROR(["--with-tty-tickets does not take an argument."])
                ;;
 esac])
     *)         AC_MSG_ERROR(["--with-tty-tickets does not take an argument."])
                ;;
 esac])
-if test "$tty_tickets" = "on"; then
-    AC_DEFINE(USE_TTY_TICKETS)
-    AC_MSG_RESULT(yes)
-else
+if test "$tty_tickets" = "off"; then
+    AC_DEFINE(NO_TTY_TICKETS)
     AC_MSG_RESULT(no)
     AC_MSG_RESULT(no)
+else
+    AC_MSG_RESULT(yes)
 fi
 
 AC_MSG_CHECKING(whether to include insults)
 fi
 
 AC_MSG_CHECKING(whether to include insults)
-AC_ARG_WITH(insults, [  --with-insults          insult the user for entering an incorrect password],
+AC_ARG_WITH(insults, [AS_HELP_STRING([--with-insults], [insult the user for entering an incorrect password])],
 [case $with_insults in
     yes)       insults=on
                with_classic_insults=yes
                with_csops_insults=yes
                ;;
 [case $with_insults in
     yes)       insults=on
                with_classic_insults=yes
                with_csops_insults=yes
                ;;
+    disabled)  insults=off
+               with_classic_insults=yes
+               with_csops_insults=yes
+               ;;
     no)                insults=off
                ;;
     *)         AC_MSG_ERROR(["--with-insults does not take an argument."])
     no)                insults=off
                ;;
     *)         AC_MSG_ERROR(["--with-insults does not take an argument."])
@@ -875,7 +954,7 @@ else
     AC_MSG_RESULT(no)
 fi
 
     AC_MSG_RESULT(no)
 fi
 
-AC_ARG_WITH(all-insults, [  --with-all-insults      include all the sudo insult sets],
+AC_ARG_WITH(all-insults, [AS_HELP_STRING([--with-all-insults], [include all the sudo insult sets])],
 [case $with_all_insults in
     yes)       with_classic_insults=yes
                with_csops_insults=yes
 [case $with_all_insults in
     yes)       with_classic_insults=yes
                with_csops_insults=yes
@@ -887,7 +966,7 @@ AC_ARG_WITH(all-insults, [  --with-all-insults      include all the sudo insult
                ;;
 esac])
 
                ;;
 esac])
 
-AC_ARG_WITH(classic-insults, [  --with-classic-insults  include the insults from the "classic" sudo],
+AC_ARG_WITH(classic-insults, [AS_HELP_STRING([--with-classic-insults], [include the insults from the "classic" sudo])],
 [case $with_classic_insults in
     yes)       AC_DEFINE(CLASSIC_INSULTS)
                ;;
 [case $with_classic_insults in
     yes)       AC_DEFINE(CLASSIC_INSULTS)
                ;;
@@ -896,7 +975,7 @@ AC_ARG_WITH(classic-insults, [  --with-classic-insults  include the insults from
                ;;
 esac])
 
                ;;
 esac])
 
-AC_ARG_WITH(csops-insults, [  --with-csops-insults    include CSOps insults],
+AC_ARG_WITH(csops-insults, [AS_HELP_STRING([--with-csops-insults], [include CSOps insults])],
 [case $with_csops_insults in
     yes)       AC_DEFINE(CSOPS_INSULTS)
                ;;
 [case $with_csops_insults in
     yes)       AC_DEFINE(CSOPS_INSULTS)
                ;;
@@ -905,7 +984,7 @@ AC_ARG_WITH(csops-insults, [  --with-csops-insults    include CSOps insults],
                ;;
 esac])
 
                ;;
 esac])
 
-AC_ARG_WITH(hal-insults, [  --with-hal-insults      include 2001-like insults],
+AC_ARG_WITH(hal-insults, [AS_HELP_STRING([--with-hal-insults], [include 2001-like insults])],
 [case $with_hal_insults in
     yes)       AC_DEFINE(HAL_INSULTS)
                ;;
 [case $with_hal_insults in
     yes)       AC_DEFINE(HAL_INSULTS)
                ;;
@@ -914,7 +993,7 @@ AC_ARG_WITH(hal-insults, [  --with-hal-insults      include 2001-like insults],
                ;;
 esac])
 
                ;;
 esac])
 
-AC_ARG_WITH(goons-insults, [  --with-goons-insults    include the insults from the "Goon Show"],
+AC_ARG_WITH(goons-insults, [AS_HELP_STRING([--with-goons-insults], [include the insults from the "Goon Show"])],
 [case $with_goons_insults in
     yes)       AC_DEFINE(GOONS_INSULTS)
                ;;
 [case $with_goons_insults in
     yes)       AC_DEFINE(GOONS_INSULTS)
                ;;
@@ -923,38 +1002,32 @@ AC_ARG_WITH(goons-insults, [  --with-goons-insults    include the insults from t
                ;;
 esac])
 
                ;;
 esac])
 
-AC_ARG_WITH(nsswitch, [  --with-nsswitch[[=PATH]]  path to nsswitch.conf],
+AC_ARG_WITH(nsswitch, [AS_HELP_STRING([--with-nsswitch[[=PATH]]], [path to nsswitch.conf])],
 [case $with_nsswitch in
     no)                ;;
     yes)       with_nsswitch="/etc/nsswitch.conf"
                ;;
     *)         ;;
 esac])
 [case $with_nsswitch in
     no)                ;;
     yes)       with_nsswitch="/etc/nsswitch.conf"
                ;;
     *)         ;;
 esac])
-if test ${with_nsswitch-"yes"} != "no"; then
-    SUDO_DEFINE_UNQUOTED(_PATH_NSSWITCH_CONF, "${with_nsswitch-/etc/nsswitch.conf}")
-    nsswitch_conf=${with_nsswitch-/etc/nsswitch.conf}
-else
-    nsswitch_conf='/etc/nsswitch.conf'
-fi
 
 
-AC_ARG_WITH(ldap, [  --with-ldap[[=DIR]]       enable LDAP support],
+AC_ARG_WITH(ldap, [AS_HELP_STRING([--with-ldap[[=DIR]]], [enable LDAP support])],
 [case $with_ldap in
 [case $with_ldap in
-    no)                with_ldap="";;
+    no)                ;;
     *)         AC_DEFINE(HAVE_LDAP)
                AC_MSG_CHECKING(whether to use sudoers from LDAP)
                AC_MSG_RESULT(yes)
                ;;
 esac])
 
     *)         AC_DEFINE(HAVE_LDAP)
                AC_MSG_CHECKING(whether to use sudoers from LDAP)
                AC_MSG_RESULT(yes)
                ;;
 esac])
 
-AC_ARG_WITH(ldap-conf-file, [  --with-ldap-conf-file   path to LDAP configuration file])
-SUDO_DEFINE_UNQUOTED(_PATH_LDAP_CONF, "${with_ldap_conf_file-/etc/ldap.conf}", [Path to the ldap.conf file])
-ldap_conf=${with_ldap_conf_file-'/etc/ldap.conf'}
+AC_ARG_WITH(ldap-conf-file, [AS_HELP_STRING([--with-ldap-conf-file], [path to LDAP configuration file])])
+test -n "$with_ldap_conf_file" && ldap_conf="$with_ldap_conf_file"
+SUDO_DEFINE_UNQUOTED(_PATH_LDAP_CONF, "$ldap_conf", [Path to the ldap.conf file])
 
 
-AC_ARG_WITH(ldap-secret-file, [  --with-ldap-secret-file path to LDAP secret password file])
-SUDO_DEFINE_UNQUOTED(_PATH_LDAP_SECRET, "${with_ldap_secret_file-/etc/ldap.secret}", [Path to the ldap.secret file])
-ldap_secret=${with_ldap_secret_file-'/etc/ldap.secret'}
+AC_ARG_WITH(ldap-secret-file, [AS_HELP_STRING([--with-ldap-secret-file], [path to LDAP secret password file])])
+test -n "$with_ldap_secret_file" && ldap_secret="$with_ldap_secret_file"
+SUDO_DEFINE_UNQUOTED(_PATH_LDAP_SECRET, "$ldap_secret", [Path to the ldap.secret file])
 
 
-AC_ARG_WITH(pc-insults, [  --with-pc-insults       replace politically incorrect insults with less offensive ones],
+AC_ARG_WITH(pc-insults, [AS_HELP_STRING([--with-pc-insults], [replace politically incorrect insults with less offensive ones])],
 [case $with_pc_insults in
     yes)       AC_DEFINE(PC_INSULTS)
                ;;
 [case $with_pc_insults in
     yes)       AC_DEFINE(PC_INSULTS)
                ;;
@@ -975,20 +1048,23 @@ if test "$insults" = "on"; then
 fi
 
 AC_MSG_CHECKING(whether to override the user's path)
 fi
 
 AC_MSG_CHECKING(whether to override the user's path)
-AC_ARG_WITH(secure-path, [  --with-secure-path      override the user's path with a built-in one],
+AC_ARG_WITH(secure-path, [AS_HELP_STRING([--with-secure-path], [override the user's path with a built-in one])],
 [case $with_secure_path in
 [case $with_secure_path in
-    yes)       AC_DEFINE_UNQUOTED(SECURE_PATH, "/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc")
-               AC_MSG_RESULT([:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc])
+    yes)       with_secure_path="/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc"
+               AC_DEFINE_UNQUOTED(SECURE_PATH, "$with_secure_path")
+               AC_MSG_RESULT([$with_secure_path])
+               secure_path="set to $with_secure_path"
                ;;
     no)                AC_MSG_RESULT(no)
                ;;
     *)         AC_DEFINE_UNQUOTED(SECURE_PATH, "$with_secure_path")
                AC_MSG_RESULT([$with_secure_path])
                ;;
     no)                AC_MSG_RESULT(no)
                ;;
     *)         AC_DEFINE_UNQUOTED(SECURE_PATH, "$with_secure_path")
                AC_MSG_RESULT([$with_secure_path])
+               secure_path="set to F<$with_secure_path>"
                ;;
 esac], AC_MSG_RESULT(no))
 
 AC_MSG_CHECKING(whether to get ip addresses from the network interfaces)
                ;;
 esac], AC_MSG_RESULT(no))
 
 AC_MSG_CHECKING(whether to get ip addresses from the network interfaces)
-AC_ARG_WITH(interfaces, [  --without-interfaces    don't try to read the ip addr of ether interfaces],
+AC_ARG_WITH(interfaces, [AS_HELP_STRING([--without-interfaces], [don't try to read the ip addr of ether interfaces])],
 [case $with_interfaces in
     yes)       AC_MSG_RESULT(yes)
                ;;
 [case $with_interfaces in
     yes)       AC_MSG_RESULT(yes)
                ;;
@@ -1000,7 +1076,7 @@ AC_ARG_WITH(interfaces, [  --without-interfaces    don't try to read the ip addr
 esac], AC_MSG_RESULT(yes))
 
 AC_MSG_CHECKING(whether stow should be used)
 esac], AC_MSG_RESULT(yes))
 
 AC_MSG_CHECKING(whether stow should be used)
-AC_ARG_WITH(stow, [  --with-stow             properly handle GNU stow packaging],
+AC_ARG_WITH(stow, [AS_HELP_STRING([--with-stow], [properly handle GNU stow packaging])],
 [case $with_stow in
     yes)       AC_MSG_RESULT(yes)
                AC_DEFINE(USE_STOW)
 [case $with_stow in
     yes)       AC_MSG_RESULT(yes)
                AC_DEFINE(USE_STOW)
@@ -1012,23 +1088,29 @@ AC_ARG_WITH(stow, [  --with-stow             properly handle GNU stow packaging]
 esac], AC_MSG_RESULT(no))
 
 AC_MSG_CHECKING(whether to use an askpass helper)
 esac], AC_MSG_RESULT(no))
 
 AC_MSG_CHECKING(whether to use an askpass helper)
-AC_ARG_WITH(askpass, [  --with-askpass=PATH     Fully qualified pathname of askpass helper],
+AC_ARG_WITH(askpass, [AS_HELP_STRING([--with-askpass=PATH], [Fully qualified pathname of askpass helper])],
 [case $with_askpass in
     yes)       AC_MSG_ERROR(["--with-askpass takes a path as an argument."])
                ;;
     no)                ;;
 [case $with_askpass in
     yes)       AC_MSG_ERROR(["--with-askpass takes a path as an argument."])
                ;;
     no)                ;;
-    *)         AC_DEFINE_UNQUOTED(_PATH_SUDO_ASKPASS, "$with_askpass", [The fully qualified pathname of askpass])
+    *)         SUDO_DEFINE_UNQUOTED(_PATH_SUDO_ASKPASS, "$with_askpass", [The fully qualified pathname of askpass])
                ;;
 esac], AC_MSG_RESULT(no))
 
                ;;
 esac], AC_MSG_RESULT(no))
 
+AC_ARG_WITH(plugindir, [AS_HELP_STRING([--with-plugindir], [set directory to load plugins from])],
+[case $with_plugindir in
+    no)                AC_MSG_ERROR(["illegal argument: --without-plugindir."])
+               ;;
+    *)         ;;
+esac], [with_plugindir="$libexecdir"])
+
 dnl
 dnl Options for --enable
 dnl
 
 AC_MSG_CHECKING(whether to do user authentication by default)
 AC_ARG_ENABLE(authentication,
 dnl
 dnl Options for --enable
 dnl
 
 AC_MSG_CHECKING(whether to do user authentication by default)
 AC_ARG_ENABLE(authentication,
-[  --disable-authentication
-                          Do not require authentication by default],
+[AS_HELP_STRING([--disable-authentication], [Do not require authentication by default])],
 [ case "$enableval" in
     yes)       AC_MSG_RESULT(yes)
                ;;
 [ case "$enableval" in
     yes)       AC_MSG_RESULT(yes)
                ;;
@@ -1043,7 +1125,7 @@ AC_ARG_ENABLE(authentication,
 
 AC_MSG_CHECKING(whether to disable running the mailer as root)
 AC_ARG_ENABLE(root-mailer,
 
 AC_MSG_CHECKING(whether to disable running the mailer as root)
 AC_ARG_ENABLE(root-mailer,
-[  --disable-root-mailer   Don't run the mailer as root, run as the user],
+[AS_HELP_STRING([--disable-root-mailer], [Don't run the mailer as root, run as the user])],
 [ case "$enableval" in
     yes)       AC_MSG_RESULT(no)
                ;;
 [ case "$enableval" in
     yes)       AC_MSG_RESULT(no)
                ;;
@@ -1057,7 +1139,7 @@ AC_ARG_ENABLE(root-mailer,
 ], AC_MSG_RESULT(no))
 
 AC_ARG_ENABLE(setreuid,
 ], AC_MSG_RESULT(no))
 
 AC_ARG_ENABLE(setreuid,
-[  --disable-setreuid      Don't try to use the setreuid() function],
+[AS_HELP_STRING([--disable-setreuid], [Don't try to use the setreuid() function])],
 [ case "$enableval" in
     no)                SKIP_SETREUID=yes
                ;;
 [ case "$enableval" in
     no)                SKIP_SETREUID=yes
                ;;
@@ -1066,7 +1148,7 @@ AC_ARG_ENABLE(setreuid,
 ])
 
 AC_ARG_ENABLE(setresuid,
 ])
 
 AC_ARG_ENABLE(setresuid,
-[  --disable-setresuid     Don't try to use the setresuid() function],
+[AS_HELP_STRING([--disable-setresuid], [Don't try to use the setresuid() function])],
 [ case "$enableval" in
     no)                SKIP_SETRESUID=yes
                ;;
 [ case "$enableval" in
     no)                SKIP_SETRESUID=yes
                ;;
@@ -1076,7 +1158,7 @@ AC_ARG_ENABLE(setresuid,
 
 AC_MSG_CHECKING(whether to disable shadow password support)
 AC_ARG_ENABLE(shadow,
 
 AC_MSG_CHECKING(whether to disable shadow password support)
 AC_ARG_ENABLE(shadow,
-[  --disable-shadow        Never use shadow passwords],
+[AS_HELP_STRING([--disable-shadow], [Never use shadow passwords])],
 [ case "$enableval" in
     yes)       AC_MSG_RESULT(no)
                ;;
 [ case "$enableval" in
     yes)       AC_MSG_RESULT(no)
                ;;
@@ -1091,7 +1173,7 @@ AC_ARG_ENABLE(shadow,
 
 AC_MSG_CHECKING(whether root should be allowed to use sudo)
 AC_ARG_ENABLE(root-sudo,
 
 AC_MSG_CHECKING(whether root should be allowed to use sudo)
 AC_ARG_ENABLE(root-sudo,
-[  --disable-root-sudo     Don't allow root to run sudo],
+[AS_HELP_STRING([--disable-root-sudo], [Don't allow root to run sudo])],
 [ case "$enableval" in
     yes)       AC_MSG_RESULT(yes)
                ;;
 [ case "$enableval" in
     yes)       AC_MSG_RESULT(yes)
                ;;
@@ -1106,7 +1188,7 @@ AC_ARG_ENABLE(root-sudo,
 
 AC_MSG_CHECKING(whether to log the hostname in the log file)
 AC_ARG_ENABLE(log-host,
 
 AC_MSG_CHECKING(whether to log the hostname in the log file)
 AC_ARG_ENABLE(log-host,
-[  --enable-log-host       Log the hostname in the log file],
+[AS_HELP_STRING([--enable-log-host], [Log the hostname in the log file])],
 [ case "$enableval" in
     yes)       AC_MSG_RESULT(yes)
                AC_DEFINE(HOST_IN_LOG)
 [ case "$enableval" in
     yes)       AC_MSG_RESULT(yes)
                AC_DEFINE(HOST_IN_LOG)
@@ -1121,7 +1203,7 @@ AC_ARG_ENABLE(log-host,
 
 AC_MSG_CHECKING(whether to invoke a shell if sudo is given no arguments)
 AC_ARG_ENABLE(noargs-shell,
 
 AC_MSG_CHECKING(whether to invoke a shell if sudo is given no arguments)
 AC_ARG_ENABLE(noargs-shell,
-[  --enable-noargs-shell   If sudo is given no arguments run a shell],
+[AS_HELP_STRING([--enable-noargs-shell], [If sudo is given no arguments run a shell])],
 [ case "$enableval" in
     yes)       AC_MSG_RESULT(yes)
                AC_DEFINE(SHELL_IF_NO_ARGS)
 [ case "$enableval" in
     yes)       AC_MSG_RESULT(yes)
                AC_DEFINE(SHELL_IF_NO_ARGS)
@@ -1136,8 +1218,7 @@ AC_ARG_ENABLE(noargs-shell,
 
 AC_MSG_CHECKING(whether to set \$HOME to target user in shell mode)
 AC_ARG_ENABLE(shell-sets-home,
 
 AC_MSG_CHECKING(whether to set \$HOME to target user in shell mode)
 AC_ARG_ENABLE(shell-sets-home,
-[  --enable-shell-sets-home
-                          Set $HOME to target user in shell mode],
+[AS_HELP_STRING([--enable-shell-sets-home], [Set $HOME to target user in shell mode])],
 [ case "$enableval" in
     yes)       AC_MSG_RESULT(yes)
                AC_DEFINE(SHELL_SETS_HOME)
 [ case "$enableval" in
     yes)       AC_MSG_RESULT(yes)
                AC_DEFINE(SHELL_SETS_HOME)
@@ -1152,7 +1233,7 @@ AC_ARG_ENABLE(shell-sets-home,
 
 AC_MSG_CHECKING(whether to disable 'command not found' messages)
 AC_ARG_ENABLE(path_info,
 
 AC_MSG_CHECKING(whether to disable 'command not found' messages)
 AC_ARG_ENABLE(path_info,
-[  --disable-path-info     Print 'command not allowed' not 'command not found'],
+[AS_HELP_STRING([--disable-path-info], [Print 'command not allowed' not 'command not found'])],
 [ case "$enableval" in
     yes)       AC_MSG_RESULT(no)
                ;;
 [ case "$enableval" in
     yes)       AC_MSG_RESULT(no)
                ;;
@@ -1166,15 +1247,91 @@ AC_ARG_ENABLE(path_info,
   esac
 ], AC_MSG_RESULT(no))
 
   esac
 ], AC_MSG_RESULT(no))
 
-AC_ARG_WITH(selinux, [  --with-selinux          enable SELinux support],
+AC_MSG_CHECKING(whether to enable environment debugging)
+AC_ARG_ENABLE(env_debug,
+[AS_HELP_STRING([--enable-env-debug], [Whether to enable environment debugging.])],
+[ case "$enableval" in
+    yes)       AC_MSG_RESULT(yes)
+               AC_DEFINE(ENV_DEBUG)
+               ;;
+    no)                AC_MSG_RESULT(no)
+               ;;
+    *)         AC_MSG_RESULT(no)
+               AC_MSG_WARN([Ignoring unknown argument to --enable-env-debug: $enableval])
+               ;;
+  esac
+], AC_MSG_RESULT(no))
+
+AC_ARG_ENABLE(zlib,
+[AS_HELP_STRING([--enable-zlib[[=PATH]]], [Whether to enable or disable zlib])],
+[], [enable_zlib=yes])
+
+AC_MSG_CHECKING(whether to enable environment resetting by default)
+AC_ARG_ENABLE(env_reset,
+[AS_HELP_STRING([--enable-env-reset], [Whether to enable environment resetting by default.])],
+[ case "$enableval" in
+    yes)       env_reset=on
+               ;;
+    no)                env_reset=off
+               ;;
+    *)         env_reset=on
+               AC_MSG_WARN([Ignoring unknown argument to --enable-env-reset: $enableval])
+               ;;
+  esac
+])
+if test "$env_reset" = "on"; then
+    AC_MSG_RESULT(yes)
+    AC_DEFINE(ENV_RESET, 1)
+else
+    AC_MSG_RESULT(no)
+    AC_DEFINE(ENV_RESET, 0)
+fi
+
+AC_ARG_ENABLE(warnings,
+[AS_HELP_STRING([--enable-warnings], [Whether to enable compiler warnings])],
+[ case "$enableval" in
+    yes)    ;;
+    no)            ;;
+    *)     AC_MSG_WARN([Ignoring unknown argument to --enable-warnings: $enableval])
+           ;;
+  esac
+])
+
+AC_ARG_ENABLE(werror,
+[AS_HELP_STRING([--enable-werror], [Whether to enable the -Werror compiler option])],
+[ case "$enableval" in
+    yes)    ;;
+    no)            ;;
+    *)     AC_MSG_WARN([Ignoring unknown argument to --enable-werror: $enableval])
+           ;;
+  esac
+])
+
+AC_ARG_ENABLE(admin-flag,
+[AS_HELP_STRING([--enable-admin-flag], [Whether to create a Ubuntu-style admin flag file])],
+[ case "$enableval" in
+    yes)    AC_DEFINE(USE_ADMIN_FLAG)
+           ;;
+    no)            ;;
+    *)     AC_MSG_WARN([Ignoring unknown argument to --enable-admin-flag: $enableval])
+           ;;
+  esac
+])
+
+AC_ARG_ENABLE(nls,
+[AS_HELP_STRING([--disable-nls], [Disable natural language support using gettext])],
+[], [enable_nls=yes])
+
+AC_ARG_WITH(selinux, [AS_HELP_STRING([--with-selinux], [enable SELinux support])],
 [case $with_selinux in
     yes)       SELINUX_USAGE="[[-r role]] [[-t type]] "
                AC_DEFINE(HAVE_SELINUX)
                SUDO_LIBS="${SUDO_LIBS} -lselinux"
                SUDO_OBJS="${SUDO_OBJS} selinux.o"
                PROGS="${PROGS} sesh"
 [case $with_selinux in
     yes)       SELINUX_USAGE="[[-r role]] [[-t type]] "
                AC_DEFINE(HAVE_SELINUX)
                SUDO_LIBS="${SUDO_LIBS} -lselinux"
                SUDO_OBJS="${SUDO_OBJS} selinux.o"
                PROGS="${PROGS} sesh"
-               SELINUX=""
-               SEMAN=""
+               SEMAN=1
+               AC_CHECK_LIB([selinux], [setkeycreatecon],
+                   [AC_DEFINE(HAVE_SETKEYCREATECON)])
                ;;
     no)                ;;
     *)         AC_MSG_ERROR(["--with-selinux does not take an argument."])
                ;;
     no)                ;;
     *)         AC_MSG_ERROR(["--with-selinux does not take an argument."])
@@ -1184,48 +1341,62 @@ esac])
 dnl
 dnl gss_krb5_ccache_name() may not work on Heimdal so we don't use it by default
 dnl
 dnl
 dnl gss_krb5_ccache_name() may not work on Heimdal so we don't use it by default
 dnl
-AC_ARG_ENABLE(gss_krb5_ccache_name, [  --enable-gss-krb5-ccache-name
-                          Use GSS-API to set the Kerberos V cred cache name], [check_gss_krb5_ccache_name=$enableval], [check_gss_krb5_ccache_name=no])
+AC_ARG_ENABLE(gss_krb5_ccache_name,
+[AS_HELP_STRING([--enable-gss-krb5-ccache-name], [Use GSS-API to set the Kerberos V cred cache name])],
+[check_gss_krb5_ccache_name=$enableval], [check_gss_krb5_ccache_name=no])
 
 dnl
 
 dnl
-dnl If we don't have egrep we can't do anything...
+dnl C compiler checks
 dnl
 dnl
-AC_CHECK_PROG(EGREPPROG, egrep, egrep)
-if test -z "$EGREPPROG"; then
-    AC_MSG_ERROR([Sorry, configure requires egrep to run.])
+AC_SEARCH_LIBS([strerror], [cposix])
+AC_PROG_CPP
+AC_CHECK_TOOL(AR, ar, false)
+AC_CHECK_TOOL(RANLIB, ranlib, :)
+if test X"$AR" = X"false"; then
+    AC_MSG_ERROR([the "ar" utility is required to build sudo])
 fi
 
 fi
 
-dnl
-dnl Prevent configure from adding the -g flag unless in devel mode
-dnl
-if test "$with_devel" != "yes"; then
-    ac_cv_prog_cc_g=no
+if test "x$ac_cv_prog_cc_c89" = "xno"; then
+    AC_MSG_ERROR([Sudo version $PACKAGE_VERSION requires an ANSI C compiler to build.])
 fi
 
 dnl
 fi
 
 dnl
-dnl C compiler checks
+dnl If the user specified --disable-static, override them or we'll
+dnl be unable to build the executables in the sudoers plugin dir.
 dnl
 dnl
-AC_ISC_POSIX
-AC_PROG_CPP
+if test "$enable_static" = "no"; then
+    AC_MSG_WARN([Ignoring --disable-static, sudo does not install static libs])
+    enable_static=yes
+fi
 
 dnl
 
 dnl
-dnl Libtool magic; enable shared libs and disable static libs
+dnl Libtool setup, we require libtool 2.2.6b or higher
 dnl
 AC_CANONICAL_HOST
 dnl
 AC_CANONICAL_HOST
-AC_CANONICAL_TARGET([])
-AC_DISABLE_STATIC
-AC_PROG_LIBTOOL
+AC_CONFIG_MACRO_DIR([m4])
+LT_PREREQ([2.2.6b])
+LT_INIT([dlopen])
 
 dnl
 dnl Defer with_noexec until after libtool magic runs
 dnl
 if test "$enable_shared" = "no"; then
     with_noexec=no
 
 dnl
 dnl Defer with_noexec until after libtool magic runs
 dnl
 if test "$enable_shared" = "no"; then
     with_noexec=no
+    enable_dlopen=no
+    lt_cv_dlopen=none
+    lt_cv_dlopen_libs=
+    ac_cv_func_dlopen=no
 else
     eval _shrext="$shrext_cmds"
 else
     eval _shrext="$shrext_cmds"
+    # Darwin uses .dylib for libraries but .so for modules
+    if test X"$_shrext" = X".dylib"; then
+       SOEXT=".so"
+    else
+       SOEXT="$_shrext"
+    fi
 fi
 AC_MSG_CHECKING(path to sudo_noexec.so)
 fi
 AC_MSG_CHECKING(path to sudo_noexec.so)
-AC_ARG_WITH(noexec, [  --with-noexec[=PATH]      fully qualified pathname of sudo_noexec.so],
+AC_ARG_WITH(noexec, [AS_HELP_STRING([--with-noexec[=PATH]], [fully qualified pathname of sudo_noexec.so])],
 [case $with_noexec in
     yes)       with_noexec="$libexecdir/sudo_noexec$_shrext"
                ;;
 [case $with_noexec in
     yes)       with_noexec="$libexecdir/sudo_noexec$_shrext"
                ;;
@@ -1236,20 +1407,36 @@ AC_MSG_RESULT($with_noexec)
 NOEXECFILE="sudo_noexec$_shrext"
 NOEXECDIR="`echo $with_noexec|sed 's:^\(.*\)/[[^/]]*:\1:'`"
 
 NOEXECFILE="sudo_noexec$_shrext"
 NOEXECDIR="`echo $with_noexec|sed 's:^\(.*\)/[[^/]]*:\1:'`"
 
-dnl
-dnl It is now safe to modify CFLAGS and CPPFLAGS
-dnl
-if test "$with_devel" = "yes" -a -n "$GCC"; then
-    CFLAGS="${CFLAGS} -Wall"
-fi
-
 dnl
 dnl Find programs we use
 dnl
 dnl
 dnl Find programs we use
 dnl
-AC_CHECK_PROG(UNAMEPROG, uname, uname)
-AC_CHECK_PROG(TRPROG, tr, tr)
-AC_CHECK_PROG(NROFFPROG, nroff, nroff)
-if test -z "$NROFFPROG"; then
+AC_CHECK_PROG(UNAMEPROG, [uname], [uname])
+AC_CHECK_PROG(TRPROG, [tr], [tr])
+AC_CHECK_PROGS(NROFFPROG, [nroff mandoc])
+if test -n "$NROFFPROG"; then
+    AC_CACHE_CHECK([whether $NROFFPROG supports the -c option],
+       [sudo_cv_var_nroff_opt_c],
+       [if $NROFFPROG -c </dev/null >/dev/null 2>&1; then
+           sudo_cv_var_nroff_opt_c=yes
+       else
+           sudo_cv_var_nroff_opt_c=no
+       fi]
+    )
+    if test "$sudo_cv_var_nroff_opt_c" = "yes"; then
+       NROFFPROG="$NROFFPROG -c"
+    fi
+    AC_CACHE_CHECK([whether $NROFFPROG supports the -Tascii option],
+       [sudo_cv_var_nroff_opt_Tascii],
+       [if $NROFFPROG -Tascii </dev/null >/dev/null 2>&1; then
+           sudo_cv_var_nroff_opt_Tascii=yes
+       else
+           sudo_cv_var_nroff_opt_Tascii=no
+       fi]
+    if test "$sudo_cv_var_nroff_opt_Tascii" = "yes"; then
+       NROFFPROG="$NROFFPROG -Tascii"
+    fi
+    )
+else
     MANTYPE="cat"
     mansrcdir='$(srcdir)'
 fi
     MANTYPE="cat"
     mansrcdir='$(srcdir)'
 fi
@@ -1286,6 +1473,9 @@ fi
 
 case "$host" in
     *-*-sunos4*)
 
 case "$host" in
     *-*-sunos4*)
+               # LD_PRELOAD is space-delimited
+               RTLD_PRELOAD_DELIM=" "
+
                # getcwd(3) opens a pipe to getpwd(1)!?!
                BROKEN_GETCWD=1
 
                # getcwd(3) opens a pipe to getpwd(1)!?!
                BROKEN_GETCWD=1
 
@@ -1297,6 +1487,9 @@ case "$host" in
                shadow_funcs="getpwanam issecure"
                ;;
     *-*-solaris2*)
                shadow_funcs="getpwanam issecure"
                ;;
     *-*-solaris2*)
+               # LD_PRELOAD is space-delimited
+               RTLD_PRELOAD_DELIM=" "
+
                # To get the crypt(3) prototype (so we pass -Wall)
                OSDEFS="${OSDEFS} -D__EXTENSIONS__"
                # AFS support needs -lucb
                # To get the crypt(3) prototype (so we pass -Wall)
                OSDEFS="${OSDEFS} -D__EXTENSIONS__"
                # AFS support needs -lucb
@@ -1307,11 +1500,12 @@ case "$host" in
                : ${mansectform='4'}
                : ${with_rpath='yes'}
                test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
                : ${mansectform='4'}
                : ${with_rpath='yes'}
                test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
+               AC_CHECK_FUNCS(priv_set)
                ;;
     *-*-aix*)
                # To get all prototypes (so we pass -Wall)
                ;;
     *-*-aix*)
                # To get all prototypes (so we pass -Wall)
-               OSDEFS="${OSDEFS} -D_XOPEN_EXTENDED_SOURCE -D_ALL_SOURCE"
-               SUDO_LDFLAGS="${SUDO_LDFLAGS} -Wl,-bI:\$(srcdir)/aixcrypt.exp"
+               OSDEFS="${OSDEFS} -D_ALL_SOURCE -D_LINUX_SOURCE_COMPAT"
+               SUDOERS_LDFLAGS="${SUDOERS_LDFLAGS} -Wl,-bI:\$(srcdir)/aixcrypt.exp"
                if test X"$with_blibpath" != X"no"; then
                    AC_MSG_CHECKING([if linker accepts -Wl,-blibpath])
                    O_LDFLAGS="$LDFLAGS"
                if test X"$with_blibpath" != X"no"; then
                    AC_MSG_CHECKING([if linker accepts -Wl,-blibpath])
                    O_LDFLAGS="$LDFLAGS"
@@ -1329,14 +1523,42 @@ case "$host" in
                fi
                LDFLAGS="$O_LDFLAGS"
 
                fi
                LDFLAGS="$O_LDFLAGS"
 
-               # Use authenticate(3) as the default authentication method
-               if test X"$with_aixauth" = X""; then
-                   AC_CHECK_FUNCS(authenticate, [AUTH_EXCL_DEF="AIX_AUTH"])
+               # On AIX 6 and higher default to PAM, else default to LAM
+               if test $OSMAJOR -ge 6; then
+                   if test X"$with_pam" = X""; then
+                       AUTH_EXCL_DEF="PAM"
+                   fi
+               else
+                   if test X"$with_aixauth" = X""; then
+                       AC_CHECK_FUNCS(authenticate, [AUTH_EXCL_DEF="AIX_AUTH"])
+                   fi
+               fi
+
+               # AIX analog of nsswitch.conf, enabled by default
+               AC_ARG_WITH(netsvc, [AS_HELP_STRING([--with-netsvc[[=PATH]]], [path to netsvc.conf])],
+               [case $with_netsvc in
+                   no)         ;;
+                   yes)        with_netsvc="/etc/netsvc.conf"
+                               ;;
+                   *)          ;;
+               esac])
+               if test -z "$with_nsswitch" -a -z "$with_netsvc"; then
+                   with_netsvc="/etc/netsvc.conf"
+               fi
+
+               # For implementing getgrouplist()
+               AC_CHECK_FUNCS(getgrset)
+
+               # LDR_PRELOAD is only supported in AIX 5.3 and later
+               if test $OSMAJOR -lt 5; then
+                   with_noexec=no
+               else
+                   RTLD_PRELOAD_VAR="LDR_PRELOAD"
                fi
 
                # AIX-specific functions
                fi
 
                # AIX-specific functions
-               AC_CHECK_FUNCS(getuserattr)
-               SUDO_OBJS="$SUDO_OBJS aix.o"
+               AC_CHECK_FUNCS(getuserattr setauthdb)
+               COMMON_OBJS="$COMMON_OBJS aix.lo"
                ;;
     *-*-hiuxmpp*)
                : ${mansectsu='1m'}
                ;;
     *-*-hiuxmpp*)
                : ${mansectsu='1m'}
@@ -1350,20 +1572,49 @@ case "$host" in
                : ${mansectsu='1m'}
                : ${mansectform='4'}
 
                : ${mansectsu='1m'}
                : ${mansectform='4'}
 
-               # HP-UX bundled compiler can't generate shared objects
-               if test "x$ac_cv_prog_cc_c89" = "xno"; then
-                   with_noexec=no
+               # The HP bundled compiler cannot generate shared libs
+               if test -z "$GCC"; then
+                   AC_CACHE_CHECK([for HP bundled C compiler],
+                       [sudo_cv_var_hpccbundled],
+                       [if $CC -V 2>&1 | grep '^(Bundled)' >/dev/null 2>&1; then
+                           sudo_cv_var_hpccbundled=yes
+                       else
+                           sudo_cv_var_hpccbundled=no
+                       fi]
+                   )
+                   if test "$sudo_cv_var_hpccbundled" = "yes"; then
+                       AC_MSG_ERROR([The HP bundled C compiler is unable to build Sudo, you must use gcc or the HP ANSI C compiler instead.])
+                   fi
                fi
                fi
+
+               # Build PA-RISC1.1 objects for better portability
+               case "$host_cpu" in
+                   hppa[[2-9]]*)
+                       _CFLAGS="$CFLAGS"
+                       if test -n "$GCC"; then
+                           portable_flag="-march=1.1"
+                       else
+                           portable_flag="+DAportable"
+                       fi
+                       CFLAGS="$CFLAGS $portable_flag"
+                       AC_CACHE_CHECK([whether $CC understands $portable_flag],
+                           [sudo_cv_var_daportable],
+                           [AC_LINK_IFELSE(
+                               [AC_LANG_PROGRAM([[]], [[]])],
+                                   [sudo_cv_var_daportable=yes],
+                                   [sudo_cv_var_daportable=no]
+                               )
+                           ]
+                       )
+                       if test X"$sudo_cv_var_daportable" != X"yes"; then
+                           CFLAGS="$_CFLAGS"
+                       fi
+                       ;;
+               esac
+
                case "$host" in
                case "$host" in
-                       *-*-hpux[1-8].*)
+                       *-*-hpux[[1-8]].*)
                            AC_DEFINE(BROKEN_SYSLOG)
                            AC_DEFINE(BROKEN_SYSLOG)
-
-                           # Not sure if setuid binaries are safe in < 9.x
-                           if test -n "$GCC"; then
-                               SUDO_LDFLAGS="${SUDO_LDFLAGS} -static"
-                           else
-                               SUDO_LDFLAGS="${SUDO_LDFLAGS} -Wl,-a,archive"
-                           fi
                        ;;
                        *-*-hpux9.*)
                            AC_DEFINE(BROKEN_SYSLOG)
                        ;;
                        *-*-hpux9.*)
                            AC_DEFINE(BROKEN_SYSLOG)
@@ -1373,7 +1624,7 @@ case "$host" in
                            # DCE support (requires ANSI C compiler)
                            if test "$with_DCE" = "yes"; then
                                # order of libs in 9.X is important. -lc_r must be last
                            # DCE support (requires ANSI C compiler)
                            if test "$with_DCE" = "yes"; then
                                # order of libs in 9.X is important. -lc_r must be last
-                               SUDO_LIBS="${SUDO_LIBS} -ldce -lM -lc_r"
+                               SUDOERS_LIBS="${SUDOERS_LIBS} -ldce -lM -lc_r"
                                LIBS="${LIBS} -ldce -lM -lc_r"
                                CPPFLAGS="${CPPFLAGS} -D_REENTRANT -I/usr/include/reentrant"
                            fi
                                LIBS="${LIBS} -ldce -lM -lc_r"
                                CPPFLAGS="${CPPFLAGS} -D_REENTRANT -I/usr/include/reentrant"
                            fi
@@ -1381,6 +1632,8 @@ case "$host" in
                        *-*-hpux10.*)
                            shadow_funcs="getprpwnam iscomsec"
                            shadow_libs="-lsec"
                        *-*-hpux10.*)
                            shadow_funcs="getprpwnam iscomsec"
                            shadow_libs="-lsec"
+                           # HP-UX 10.20 libc has an incompatible getline
+                           ac_cv_func_getline="no"
                        ;;
                        *)
                            shadow_funcs="getspnam iscomsec"
                        ;;
                        *)
                            shadow_funcs="getspnam iscomsec"
@@ -1391,12 +1644,12 @@ case "$host" in
                ;;
     *-dec-osf*)
                # ignore envariables wrt dynamic lib path
                ;;
     *-dec-osf*)
                # ignore envariables wrt dynamic lib path
-               SUDO_LDFLAGS="${SUDO_LDFLAGS} -Wl,-no_library_replacement"
+               SUDOERS_LDFLAGS="${SUDOERS_LDFLAGS} -Wl,-no_library_replacement"
 
                : ${CHECKSIA='true'}
                AC_MSG_CHECKING(whether to disable sia support on Digital UNIX)
                AC_ARG_ENABLE(sia,
 
                : ${CHECKSIA='true'}
                AC_MSG_CHECKING(whether to disable sia support on Digital UNIX)
                AC_ARG_ENABLE(sia,
-               [  --disable-sia           Disable SIA on Digital UNIX],
+               [AS_HELP_STRING([--disable-sia], [Disable SIA on Digital UNIX])],
                [ case "$enableval" in
                    yes)        AC_MSG_RESULT(no)
                                CHECKSIA=true
                [ case "$enableval" in
                    yes)        AC_MSG_RESULT(no)
                                CHECKSIA=true
@@ -1434,6 +1687,9 @@ case "$host" in
                ]], [[exit(0);]])], [AC_MSG_RESULT(no)], [AC_MSG_RESULT([yes, fixing locally])
                sed 's:<acl.h>:<sys/acl.h>:g' < /usr/include/prot.h > prot.h
                ])
                ]], [[exit(0);]])], [AC_MSG_RESULT(no)], [AC_MSG_RESULT([yes, fixing locally])
                sed 's:<acl.h>:<sys/acl.h>:g' < /usr/include/prot.h > prot.h
                ])
+               # ":DEFAULT" must be appended to _RLD_LIST
+               RTLD_PRELOAD_VAR="_RLD_LIST"
+               RTLD_PRELOAD_DEFAULT="DEFAULT"
                : ${mansectsu='8'}
                : ${mansectform='4'}
                ;;
                : ${mansectsu='8'}
                : ${mansectform='4'}
                ;;
@@ -1441,7 +1697,7 @@ case "$host" in
                OSDEFS="${OSDEFS} -D_BSD_TYPES"
                if test -z "$NROFFPROG"; then
                    MAN_POSTINSTALL='   /bin/rm -f $(mandirsu)/sudo.$(mansectsu).z $(mandirsu)/visudo.$(mansectsu).z $(mandirform)/sudoers.$(mansectform).z ; /usr/bin/pack $(mandirsu)/sudo.$(mansectsu) $(mandirsu)/visudo.$(mansectsu) $(mandirform)/sudoers.$(mansectform)'
                OSDEFS="${OSDEFS} -D_BSD_TYPES"
                if test -z "$NROFFPROG"; then
                    MAN_POSTINSTALL='   /bin/rm -f $(mandirsu)/sudo.$(mansectsu).z $(mandirsu)/visudo.$(mansectsu).z $(mandirform)/sudoers.$(mansectform).z ; /usr/bin/pack $(mandirsu)/sudo.$(mansectsu) $(mandirsu)/visudo.$(mansectsu) $(mandirform)/sudoers.$(mansectform)'
-                   if test "$prefix" = "/usr/local" -a "$mandir" = '$(prefix)/man'; then
+                   if test "$prefix" = "/usr/local" -a "$mandir" = '${datarootdir}/man'; then
                        if test -d /usr/share/catman/local; then
                            mandir="/usr/share/catman/local"
                        else
                        if test -d /usr/share/catman/local; then
                            mandir="/usr/share/catman/local"
                        else
@@ -1449,7 +1705,7 @@ case "$host" in
                        fi
                    fi
                else
                        fi
                    fi
                else
-                   if test "$prefix" = "/usr/local" -a "$mandir" = '$(prefix)/man'; then
+                   if test "$prefix" = "/usr/local" -a "$mandir" = '${datarootdir}/man'; then
                        if test -d "/usr/share/man/local"; then
                            mandir="/usr/share/man/local"
                        else
                        if test -d "/usr/share/man/local"; then
                            mandir="/usr/share/man/local"
                        else
@@ -1461,6 +1717,9 @@ case "$host" in
                if test "$OSMAJOR" -le 4; then
                    AC_CHECK_LIB(sun, getpwnam, [LIBS="${LIBS} -lsun"])
                fi
                if test "$OSMAJOR" -le 4; then
                    AC_CHECK_LIB(sun, getpwnam, [LIBS="${LIBS} -lsun"])
                fi
+               # ":DEFAULT" must be appended to _RLD_LIST
+               RTLD_PRELOAD_VAR="_RLD_LIST"
+               RTLD_PRELOAD_DEFAULT="DEFAULT"
                : ${mansectsu='1m'}
                : ${mansectform='4'}
                ;;
                : ${mansectsu='1m'}
                : ${mansectform='4'}
                ;;
@@ -1496,8 +1755,7 @@ case "$host" in
     *-*-isc*)
                OSDEFS="${OSDEFS} -D_ISC"
                LIB_CRYPT=1
     *-*-isc*)
                OSDEFS="${OSDEFS} -D_ISC"
                LIB_CRYPT=1
-               SUDO_LIBS="${SUDO_LIBS} -lcrypt"
-               LIBS="${LIBS} -lcrypt"
+               SUDOERS_LIBS="${SUDOERS_LIBS} -lcrypt"
 
                shadow_funcs="getspnam"
                shadow_libs="-lsec"
 
                shadow_funcs="getspnam"
                shadow_libs="-lsec"
@@ -1525,30 +1783,20 @@ case "$host" in
                : ${with_rpath='yes'}
                ;;
     *-ncr-sysv4*|*-ncr-sysvr4*)
                : ${with_rpath='yes'}
                ;;
     *-ncr-sysv4*|*-ncr-sysvr4*)
-               AC_CHECK_LIB(c89, strcasecmp, AC_DEFINE(HAVE_STRCASECMP) [LIBS="${LIBS} -lc89"; ac_cv_func_strcasecmp=yes])
+               AC_CHECK_LIB(c89, strcasecmp, [LIBS="${LIBS} -lc89"])
                : ${mansectsu='1m'}
                : ${mansectform='4'}
                : ${with_rpath='yes'}
                ;;
     *-ccur-sysv4*|*-ccur-sysvr4*)
                LIBS="${LIBS} -lgen"
                : ${mansectsu='1m'}
                : ${mansectform='4'}
                : ${with_rpath='yes'}
                ;;
     *-ccur-sysv4*|*-ccur-sysvr4*)
                LIBS="${LIBS} -lgen"
-               SUDO_LIBS="${SUDO_LIBS} -lgen"
                : ${mansectsu='1m'}
                : ${mansectform='4'}
                : ${with_rpath='yes'}
                ;;
     *-*-bsdi*)
                SKIP_SETREUID=yes
                : ${mansectsu='1m'}
                : ${mansectform='4'}
                : ${with_rpath='yes'}
                ;;
     *-*-bsdi*)
                SKIP_SETREUID=yes
-               # Use shlicc for BSD/OS [23].x unless asked to do otherwise
-               if test "${with_CC+set}" != set -a "$ac_cv_prog_CC" = gcc; then
-                   case "$OSMAJOR" in
-                       2|3)    AC_MSG_NOTICE([using shlicc as CC])
-                               ac_cv_prog_CC=shlicc
-                               CC="$ac_cv_prog_CC"
-                               ;;
-                   esac
-               fi
-               # Check for newer BSD auth API (just check for >= 3.0?)
+               # Check for newer BSD auth API
                if test -z "$with_bsdauth"; then
                    AC_CHECK_FUNCS(auth_challenge, [AUTH_EXCL_DEF="BSD_AUTH"])
                fi
                if test -z "$with_bsdauth"; then
                    AC_CHECK_FUNCS(auth_challenge, [AUTH_EXCL_DEF="BSD_AUTH"])
                fi
@@ -1561,8 +1809,9 @@ case "$host" in
                    SKIP_SETREUID=yes
                    ;;
                esac
                    SKIP_SETREUID=yes
                    ;;
                esac
-               if test "$with_skey" = "yes"; then
-                    SUDO_LIBS="${SUDO_LIBS} -lmd"
+               OSDEFS="${OSDEFS} -D_BSD_SOURCE"
+               if test "${with_skey-'no'}" = "yes"; then
+                    SUDOERS_LIBS="${SUDOERS_LIBS} -lmd"
                fi
                CHECKSHADOW="false"
                test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
                fi
                CHECKSHADOW="false"
                test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
@@ -1570,25 +1819,22 @@ case "$host" in
                ;;
     *-*-*openbsd*)
                # OpenBSD has a real setreuid(2) starting with 3.3 but
                ;;
     *-*-*openbsd*)
                # OpenBSD has a real setreuid(2) starting with 3.3 but
-               # we will use setreuid(2) instead.
+               # we will use setresuid(2) instead.
                SKIP_SETREUID=yes
                SKIP_SETREUID=yes
+               OSDEFS="${OSDEFS} -D_BSD_SOURCE"
                CHECKSHADOW="false"
                # OpenBSD >= 3.0 supports BSD auth
                if test -z "$with_bsdauth"; then
                CHECKSHADOW="false"
                # OpenBSD >= 3.0 supports BSD auth
                if test -z "$with_bsdauth"; then
-                   case "$OSREV" in
-                   [0-2].*)
-                       ;;
-                   *)
+                   if test "$OSMAJOR" -ge 3; then
                        AUTH_EXCL_DEF="BSD_AUTH"
                        AUTH_EXCL_DEF="BSD_AUTH"
-                       ;;
-                   esac
+                   fi
                fi
                : ${with_logincap='maybe'}
                ;;
     *-*-*netbsd*)
                # NetBSD has a real setreuid(2) starting with 1.3.2
                case "$OSREV" in
                fi
                : ${with_logincap='maybe'}
                ;;
     *-*-*netbsd*)
                # NetBSD has a real setreuid(2) starting with 1.3.2
                case "$OSREV" in
-               0.9*|1.[012]*|1.3|1.3.1)
+               0.9*|1.[[012]]*|1.3|1.3.1)
                    SKIP_SETREUID=yes
                    ;;
                esac
                    SKIP_SETREUID=yes
                    ;;
                esac
@@ -1597,8 +1843,9 @@ case "$host" in
                : ${with_logincap='maybe'}
                ;;
     *-*-dragonfly*)
                : ${with_logincap='maybe'}
                ;;
     *-*-dragonfly*)
-               if test "$with_skey" = "yes"; then
-                    SUDO_LIBS="${SUDO_LIBS} -lmd"
+               OSDEFS="${OSDEFS} -D_BSD_SOURCE"
+               if test "${with_skey-'no'}" = "yes"; then
+                    SUDOERS_LIBS="${SUDOERS_LIBS} -lmd"
                fi
                CHECKSHADOW="false"
                test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
                fi
                CHECKSHADOW="false"
                test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
@@ -1608,15 +1855,22 @@ case "$host" in
                CHECKSHADOW="false"
                ;;
     *-*-darwin*)
                CHECKSHADOW="false"
                ;;
     *-*-darwin*)
-               SKIP_SETREUID=yes
+               # Darwin has a real setreuid(2) starting with 9.0
+               if test $OSMAJOR -lt 9; then
+                   SKIP_SETREUID=yes
+               fi
                CHECKSHADOW="false"
                test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
                : ${with_logincap='yes'}
                CHECKSHADOW="false"
                test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
                : ${with_logincap='yes'}
+               RTLD_PRELOAD_VAR="DYLD_INSERT_LIBRARIES"
+               RTLD_PRELOAD_ENABLE_VAR="DYLD_FORCE_FLAT_NAMESPACE"
                ;;
     *-*-nextstep*)
                # lockf() on is broken on the NeXT -- use flock instead
                ac_cv_func_lockf=no
                ac_cv_func_flock=yes
                ;;
     *-*-nextstep*)
                # lockf() on is broken on the NeXT -- use flock instead
                ac_cv_func_lockf=no
                ac_cv_func_flock=yes
+               RTLD_PRELOAD_VAR="DYLD_INSERT_LIBRARIES"
+               RTLD_PRELOAD_ENABLE_VAR="DYLD_FORCE_FLAT_NAMESPACE"
                ;;
     *-*-*sysv4*)
                : ${mansectsu='1m'}
                ;;
     *-*-*sysv4*)
                : ${mansectsu='1m'}
@@ -1632,6 +1886,20 @@ case "$host" in
                ;;
 esac
 
                ;;
 esac
 
+dnl
+dnl Library preloading to support NOEXEC
+dnl
+if test -n "$with_noexec"; then
+    SUDO_DEFINE_UNQUOTED(RTLD_PRELOAD_VAR, "$RTLD_PRELOAD_VAR")
+    SUDO_DEFINE_UNQUOTED(RTLD_PRELOAD_DELIM, "$RTLD_PRELOAD_DELIM")
+    if test -n "$RTLD_PRELOAD_DEFAULT"; then
+       SUDO_DEFINE_UNQUOTED(RTLD_PRELOAD_DEFAULT, "$RTLD_PRELOAD_DEFAULT")
+    fi
+    if test -n "$RTLD_PRELOAD_ENABLE_VAR"; then
+       SUDO_DEFINE_UNQUOTED(RTLD_PRELOAD_ENABLE_VAR, "$RTLD_PRELOAD_ENABLE_VAR")
+    fi
+fi
+
 dnl
 dnl Check for mixing mutually exclusive and regular auth methods
 dnl
 dnl
 dnl Check for mixing mutually exclusive and regular auth methods
 dnl
@@ -1685,45 +1953,113 @@ dnl
 AC_PROG_GCC_TRADITIONAL
 AC_C_CONST
 AC_C_VOLATILE
 AC_PROG_GCC_TRADITIONAL
 AC_C_CONST
 AC_C_VOLATILE
+# Check for variadic macro support in cpp
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([
+AC_INCLUDES_DEFAULT
+#if defined(__GNUC__) && __GNUC__ == 2
+# define sudo_fprintf(fp, fmt...) fprintf((fp), (fmt))
+#else
+# define sudo_fprintf(fp, ...) fprintf((fp), __VA_ARGS__)
+#endif
+], [sudo_fprintf(stderr, "a %s", "test");])], [], [AC_MSG_ERROR([Your C compiler doesn't support variadic macros, try building with gcc instead])])
+if test X"$with_gnu_ld" != "yes" -a -n "$GCC"; then
+    _CFLAGS="$CFLAGS"
+    CFLAGS="$CFLAGS -static-libgcc"
+    AC_CACHE_CHECK([whether $CC understands -static-libgcc],
+       [sudo_cv_var_gcc_static_libgcc],
+       [AC_LINK_IFELSE(
+           [AC_LANG_PROGRAM([[]], [[]])],
+               [sudo_cv_var_gcc_static_libgcc=yes],
+               [sudo_cv_var_gcc_static_libgcc=no]
+           )
+       ]
+    )
+    CFLAGS="$_CFLAGS"
+    if test "$sudo_cv_var_gcc_static_libgcc" = "yes"; then
+       LTLDFLAGS="$LTLDFLAGS -Wc,-static-libgcc"
+    fi
+fi
 dnl
 dnl Program checks
 dnl
 AC_PROG_YACC
 dnl
 dnl Program checks
 dnl
 AC_PROG_YACC
+AC_PATH_PROG([FLEX], [flex], [flex])
 SUDO_PROG_MV
 SUDO_PROG_BSHELL
 if test -z "$with_sendmail"; then
     SUDO_PROG_SENDMAIL
 fi
 SUDO_PROG_MV
 SUDO_PROG_BSHELL
 if test -z "$with_sendmail"; then
     SUDO_PROG_SENDMAIL
 fi
-if test -z "$with_editor"; then
-    SUDO_PROG_VI
+SUDO_PROG_VI
+dnl
+dnl Check for authpriv support in syslog
+dnl
+AC_MSG_CHECKING(which syslog facility sudo should log with)
+if test X"$with_logfac" = X""; then
+    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <syslog.h>]], [[int i = LOG_AUTHPRIV; (void)i;]])], [logfac=authpriv])
 fi
 fi
+AC_DEFINE_UNQUOTED(LOGFAC, "$logfac", [The syslog facility sudo will use.])
+AC_MSG_RESULT($logfac)
 dnl
 dnl Header file checks
 dnl
 AC_HEADER_STDC
 AC_HEADER_DIRENT
 AC_HEADER_TIME
 dnl
 dnl Header file checks
 dnl
 AC_HEADER_STDC
 AC_HEADER_DIRENT
 AC_HEADER_TIME
-AC_CHECK_HEADERS(malloc.h paths.h utime.h netgroup.h sys/sockio.h sys/bsdtypes.h sys/select.h)
-dnl ultrix termio/termios are broken
-if test "$OS" != "ultrix"; then
-    AC_SYS_POSIX_TERMIOS
-    if test "$ac_cv_sys_posix_termios" = "yes"; then
-       AC_DEFINE(HAVE_TERMIOS_H)
-    else
-       AC_CHECK_HEADERS(termio.h)
-    fi
+AC_HEADER_STDBOOL
+AC_HEADER_MAJOR
+AC_CHECK_HEADERS(malloc.h netgroup.h paths.h spawn.h utime.h utmpx.h sys/sockio.h sys/bsdtypes.h sys/select.h sys/stropts.h sys/sysmacros.h)
+AC_CHECK_HEADERS([procfs.h] [sys/procfs.h], [AC_CHECK_MEMBERS(struct psinfo.pr_ttydev, [AC_CHECK_FUNCS(_ttyname_dev)], [], [AC_INCLUDES_DEFAULT
+#ifdef HAVE_PROCFS_H
+#include <procfs.h>
+#endif
+#ifdef HAVE_SYS_PROCFS_H
+#include <sys/procfs.h>
+#endif
+])]
+break)
+dnl
+dnl Check for large file support.  HP-UX 11.23 has a broken sys/type.h
+dnl when large files support is enabled so work around it.
+dnl
+AC_SYS_LARGEFILE
+case "$host" in
+    *-*-hpux11.*)
+       AC_CACHE_CHECK([whether sys/types.h needs _XOPEN_SOURCE_EXTENDED], [sudo_cv_xopen_source_extended],
+       [AC_COMPILE_IFELSE([AC_LANG_PROGRAM([AC_INCLUDES_DEFAULT
+       #include <sys/socket.h>], [])], [sudo_cv_xopen_source_extended=no], [
+           AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#define _XOPEN_SOURCE_EXTENDED
+           AC_INCLUDES_DEFAULT
+           #include <sys/socket.h>], [])], [sudo_cv_xopen_source_extended=yes],
+           [sudo_cv_xopen_source_extended=error])
+       ])])
+       if test "$sudo_cv_xopen_source_extended" = "yes"; then
+           OSDEFS="${OSDEFS} -D_XOPEN_SOURCE_EXTENDED"
+           SUDO_DEFINE(_XOPEN_SOURCE_EXTENDED)
+       fi
+       ;;
+esac
+AC_SYS_POSIX_TERMIOS
+if test "$ac_cv_sys_posix_termios" != "yes"; then
+    AC_MSG_ERROR([Must have POSIX termios to build sudo])
 fi
 fi
+SUDO_MAILDIR
 if test ${with_logincap-'no'} != "no"; then
 if test ${with_logincap-'no'} != "no"; then
-    AC_CHECK_HEADERS(login_cap.h, [LOGINCAP_USAGE='[[-c class|-]] '; LCMAN=""
+    AC_CHECK_HEADERS(login_cap.h, [LOGINCAP_USAGE='[[-c class|-]] '; LCMAN=1
        case "$OS" in
        case "$OS" in
-           freebsd|netbsd)     SUDO_LIBS="${SUDO_LIBS} -lutil"
-           ;;
+           freebsd|netbsd)
+               SUDO_LIBS="${SUDO_LIBS} -lutil"
+               SUDOERS_LIBS="${SUDOERS_LIBS} -lutil"
+               ;;
        esac
     ])
 fi
 if test ${with_project-'no'} != "no"; then
        esac
     ])
 fi
 if test ${with_project-'no'} != "no"; then
-    AC_CHECK_HEADER(project.h, AC_DEFINE(HAVE_PROJECT_H)
-       [SUDO_LIBS="${SUDO_LIBS} -lproject"], -)
+    AC_CHECK_HEADER(project.h, [
+       AC_CHECK_LIB(project, setproject, [
+           AC_DEFINE(HAVE_PROJECT_H)
+           SUDO_LIBS="${SUDO_LIBS} -lproject"
+       ])
+    ], [])
 fi
 dnl
 dnl typedef checks
 fi
 dnl
 dnl typedef checks
@@ -1733,38 +2069,148 @@ AC_TYPE_UID_T
 AC_CHECK_TYPE([__signed char], [], [AC_CHECK_TYPE([signed char], [AC_DEFINE(__signed, signed)], [AC_DEFINE(__signed, [])])])
 AC_CHECK_TYPE([sig_atomic_t], [], [AC_DEFINE(sig_atomic_t, int)], [#include <sys/types.h>
 #include <signal.h>])
 AC_CHECK_TYPE([__signed char], [], [AC_CHECK_TYPE([signed char], [AC_DEFINE(__signed, signed)], [AC_DEFINE(__signed, [])])])
 AC_CHECK_TYPE([sig_atomic_t], [], [AC_DEFINE(sig_atomic_t, int)], [#include <sys/types.h>
 #include <signal.h>])
-AC_CHECK_TYPES([sigaction_t], [AC_DEFINE(HAVE_SIGACTION_T)], [], [#include <sys/types.h>
+AC_CHECK_TYPES([sigaction_t], [], [], [#include <sys/types.h>
 #include <signal.h>])
 #include <signal.h>])
-AC_CHECK_TYPE([struct timespec], [AC_DEFINE(HAVE_TIMESPEC)], [], [#include <sys/types.h>
+AC_CHECK_TYPES([struct timespec], [], [], [#include <sys/types.h>
 #if TIME_WITH_SYS_TIME
 # include <sys/time.h>
 #endif
 #include <time.h>])
 #if TIME_WITH_SYS_TIME
 # include <sys/time.h>
 #endif
 #include <time.h>])
-AC_CHECK_TYPES([struct in6_addr], [AC_DEFINE(HAVE_IN6_ADDR)], [], [#include <sys/types.h>
+AC_CHECK_TYPES([struct in6_addr], [], [], [#include <sys/types.h>
 #include <netinet/in.h>])
 #include <netinet/in.h>])
-SUDO_TYPE_SIZE_T
-SUDO_TYPE_SSIZE_T
-SUDO_TYPE_DEV_T
-SUDO_TYPE_INO_T
+AC_TYPE_LONG_LONG_INT
+AC_CHECK_SIZEOF([long int])
+AC_CHECK_TYPE(size_t, unsigned int)
+AC_CHECK_TYPE(ssize_t, int)
+AC_CHECK_TYPE(dev_t, int)
+AC_CHECK_TYPE(ino_t, unsigned int)
+AC_CHECK_TYPE(socklen_t, [], [AC_DEFINE(socklen_t, unsigned int)], [
+AC_INCLUDES_DEFAULT
+#include <sys/socket.h>])
 SUDO_UID_T_LEN
 SUDO_UID_T_LEN
-SUDO_TYPE_LONG_LONG
 SUDO_SOCK_SA_LEN
 dnl
 SUDO_SOCK_SA_LEN
 dnl
-dnl only set RETSIGTYPE if it is not set already
+dnl Check for utmp/utmpx struct members.
+dnl We need to include OSDEFS for glibc which only has __e_termination
+dnl visible when _GNU_SOURCE is *not* defined.
 dnl
 dnl
-case "$DEFS" in
-    *"RETSIGTYPE"*)    ;;
-    *)                 AC_TYPE_SIGNAL;;
-esac
+_CFLAGS="$CFLAGS"
+CFLAGS="$CFLAGS $OSDEFS"
+if test $ac_cv_header_utmpx_h = "yes"; then
+    AC_CHECK_MEMBERS([struct utmpx.ut_id, struct utmpx.ut_pid, struct utmpx.ut_tv, struct utmpx.ut_type], [], [], [
+       #include <sys/types.h>
+       #include <utmpx.h>
+    ])
+    dnl
+    dnl Check for ut_exit.__e_termination first, then ut_exit.e_termination
+    dnl
+    AC_CHECK_MEMBERS([struct utmpx.ut_exit.__e_termination], [AC_DEFINE(HAVE_STRUCT_UTMPX_UT_EXIT)], [
+       AC_CHECK_MEMBERS([struct utmpx.ut_exit.e_termination], [AC_DEFINE(HAVE_STRUCT_UTMPX_UT_EXIT)], [], [
+           #include <sys/types.h>
+           #include <utmpx.h>
+       ])
+    ], [
+       #include <sys/types.h>
+       #include <utmpx.h>
+    ])
+else
+    AC_CHECK_MEMBERS([struct utmp.ut_id, struct utmp.ut_pid, struct utmp.ut_tv, struct utmp.ut_type, struct utmp.ut_user], [], [], [
+       #include <sys/types.h>
+       #include <utmp.h>
+    ])
+    dnl
+    dnl Check for ut_exit.__e_termination first, then ut_exit.e_termination
+    dnl
+    AC_CHECK_MEMBERS([struct utmp.ut_exit.__e_termination], [AC_DEFINE(HAVE_STRUCT_UTMP_UT_EXIT)], [
+       AC_CHECK_MEMBERS([struct utmp.ut_exit.e_termination], [AC_DEFINE(HAVE_STRUCT_UTMP_UT_EXIT)], [], [
+           #include <sys/types.h>
+           #include <utmp.h>
+       ])
+    ], [
+       #include <sys/types.h>
+       #include <utmp.h>
+    ])
+fi
+CFLAGS="$_CFLAGS"
+
 dnl
 dnl Function checks
 dnl
 AC_FUNC_GETGROUPS
 dnl
 dnl Function checks
 dnl
 AC_FUNC_GETGROUPS
-AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \
-              strftime setrlimit initgroups getgroups fstat gettimeofday \
-              setlocale getaddrinfo setsid)
+AC_CHECK_FUNCS(glob strrchr sysconf tzset strftime setenv \
+              regcomp setlocale nl_langinfo mbr_check_membership \
+              setrlimit64)
+AC_REPLACE_FUNCS(getgrouplist)
+AC_CHECK_FUNCS(getline, [], [
+    AC_LIBOBJ(getline)
+    AC_CHECK_FUNCS(fgetln)
+])
+dnl
+dnl If libc supports _FORTIFY_SOURCE check functions, use it.
+dnl
+O_CPPFLAGS="$CPPFLAGS"
+CPPFLAGS="$CPPFLAGS -D_FORTIFY_SOURCE=2"
+AC_CHECK_FUNC(__sprintf_chk, [
+    AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[char buf[4]; (void)sprintf(buf, "%s", "foo");]])], [OSDEFS="${OSDEFS} -D_FORTIFY_SOURCE=2"], [])
+], [])
+CPPFLAGS="$O_CPPFLAGS"
+
+utmp_style=LEGACY
+AC_CHECK_FUNCS(getutxid getutid, [utmp_style=POSIX; break])
+if test "$utmp_style" = "LEGACY"; then
+    AC_CHECK_FUNCS(getttyent ttyslot, [break])
+fi
+
+AC_CHECK_FUNCS(sysctl, [AC_CHECK_MEMBERS([struct kinfo_proc.ki_tdev], [],
+    [
+       AC_CHECK_MEMBERS([struct kinfo_proc2.p_tdev], [], [
+           AC_CHECK_MEMBERS([struct kinfo_proc.p_tdev], [], [
+               AC_CHECK_MEMBERS([struct kinfo_proc.kp_eproc.e_tdev], [], [], [
+                   #include <sys/param.h>
+                   #include <sys/sysctl.h>
+               ])
+           ], [
+               #include <sys/param.h>
+               #include <sys/sysctl.h>
+           ])
+       ],
+       [
+           #include <sys/param.h>
+           #include <sys/sysctl.h>
+       ])
+    ],
+    [
+       #include <sys/param.h>
+       #include <sys/sysctl.h>
+       #include <sys/user.h>
+    ])
+])
+
+AC_CHECK_FUNCS(openpty, [AC_CHECK_HEADERS(libutil.h util.h pty.h, [break])], [
+    AC_CHECK_LIB(util, openpty, [
+       AC_CHECK_HEADERS(libutil.h util.h pty.h, [break])
+       case "$SUDO_LIBS" in
+           *-lutil*) ;;
+           *) SUDO_LIBS="${SUDO_LIBS} -lutil";;
+       esac
+       AC_DEFINE(HAVE_OPENPTY)
+    ], [
+       AC_CHECK_FUNCS(_getpty, [], [
+           AC_CHECK_FUNCS(grantpt, [
+               AC_CHECK_FUNCS(posix_openpt)
+           ], [
+               AC_CHECK_FUNCS(revoke)
+           ])
+       ])
+    ])
+])
+AC_CHECK_FUNCS(unsetenv, [SUDO_FUNC_UNSETENV_VOID], [])
+SUDO_FUNC_PUTENV_CONST
 if test -z "$SKIP_SETRESUID"; then
 if test -z "$SKIP_SETRESUID"; then
-    AC_CHECK_FUNCS(setresuid, [SKIP_SETREUID=yes])
+    AC_CHECK_FUNCS(setresuid, [
+       SKIP_SETREUID=yes
+       AC_CHECK_FUNCS(getresuid)
+    ])
 fi
 if test -z "$SKIP_SETREUID"; then
     AC_CHECK_FUNCS(setreuid, [SKIP_SETEUID=yes])
 fi
 if test -z "$SKIP_SETREUID"; then
     AC_CHECK_FUNCS(setreuid, [SKIP_SETEUID=yes])
@@ -1778,46 +2224,44 @@ fi
 if test -z "$BROKEN_GETCWD"; then
     AC_REPLACE_FUNCS(getcwd)
 fi
 if test -z "$BROKEN_GETCWD"; then
     AC_REPLACE_FUNCS(getcwd)
 fi
-AC_CHECK_FUNCS(glob, [AC_MSG_CHECKING(for GLOB_BRACE and GLOB_TILDE in glob.h)
-AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <glob.h>]], [[int i = GLOB_BRACE | GLOB_TILDE; (void)i;]])], [AC_DEFINE(HAVE_EXTENDED_GLOB)
-    AC_MSG_RESULT(yes)], [AC_LIBOBJ(glob)
-    AC_MSG_RESULT(no)])], [AC_LIBOBJ(glob)])
 AC_CHECK_FUNCS(lockf flock, [break])
 AC_CHECK_FUNCS(lockf flock, [break])
-AC_CHECK_FUNCS(waitpid wait3, [break])
 AC_CHECK_FUNCS(innetgr _innetgr, [AC_CHECK_FUNCS(getdomainname) [break]])
 AC_CHECK_FUNCS(utimes, [AC_CHECK_FUNCS(futimes futimesat, [break])], [AC_CHECK_FUNCS(futime) AC_LIBOBJ(utimes)])
 AC_CHECK_FUNCS(innetgr _innetgr, [AC_CHECK_FUNCS(getdomainname) [break]])
 AC_CHECK_FUNCS(utimes, [AC_CHECK_FUNCS(futimes futimesat, [break])], [AC_CHECK_FUNCS(futime) AC_LIBOBJ(utimes)])
-SUDO_FUNC_FNMATCH([AC_DEFINE(HAVE_FNMATCH)], [AC_LIBOBJ(fnmatch)])
+AC_CHECK_FUNCS(killpg, [], [AC_LIBOBJ(killpg)])
+SUDO_FUNC_FNMATCH([AC_DEFINE(HAVE_FNMATCH)], [AC_LIBOBJ(fnmatch)
+    COMPAT_TEST_PROGS="${COMPAT_TEST_PROGS}${COMPAT_TEST_PROGS+ }fnm_test"
+])
 SUDO_FUNC_ISBLANK
 SUDO_FUNC_ISBLANK
-AC_REPLACE_FUNCS(memrchr strerror strcasecmp sigaction strlcpy strlcat)
+AC_REPLACE_FUNCS(memrchr pw_dup strlcpy strlcat)
+AC_CHECK_FUNCS(nanosleep, [], [
+    # On Solaris, nanosleep is in librt
+    AC_CHECK_LIB(rt, nanosleep, [REPLAY_LIBS="${REPLAY_LIBS} -lrt"], [AC_LIBOBJ(nanosleep)])
+])
 AC_CHECK_FUNCS(closefrom, [], [AC_LIBOBJ(closefrom)
     AC_CHECK_DECL(F_CLOSEM, AC_DEFINE(HAVE_FCNTL_CLOSEM), [],
        [ #include <limits.h>
          #include <fcntl.h> ])
 ])
 AC_CHECK_FUNCS(closefrom, [], [AC_LIBOBJ(closefrom)
     AC_CHECK_DECL(F_CLOSEM, AC_DEFINE(HAVE_FCNTL_CLOSEM), [],
        [ #include <limits.h>
          #include <fcntl.h> ])
 ])
-AC_CHECK_FUNCS(mkstemp, [], [SUDO_OBJS="${SUDO_OBJS} mkstemp.o"
+AC_CHECK_FUNCS(mkstemps mkdtemp, [], [
     AC_CHECK_FUNCS(random lrand48, [break])
     AC_CHECK_FUNCS(random lrand48, [break])
+    AC_LIBOBJ(mktemp)
 ])
 AC_CHECK_FUNCS(snprintf vsnprintf asprintf vasprintf, , [NEED_SNPRINTF=1])
 if test X"$ac_cv_type_struct_timespec" != X"no"; then
     AC_CHECK_MEMBER([struct stat.st_mtim], [AC_DEFINE(HAVE_ST_MTIM)]
        [AC_CHECK_MEMBER([struct stat.st_mtim.st__tim], AC_DEFINE(HAVE_ST__TIM))],
        [AC_CHECK_MEMBER([struct stat.st_mtimespec], AC_DEFINE([HAVE_ST_MTIMESPEC]))])
 ])
 AC_CHECK_FUNCS(snprintf vsnprintf asprintf vasprintf, , [NEED_SNPRINTF=1])
 if test X"$ac_cv_type_struct_timespec" != X"no"; then
     AC_CHECK_MEMBER([struct stat.st_mtim], [AC_DEFINE(HAVE_ST_MTIM)]
        [AC_CHECK_MEMBER([struct stat.st_mtim.st__tim], AC_DEFINE(HAVE_ST__TIM))],
        [AC_CHECK_MEMBER([struct stat.st_mtimespec], AC_DEFINE([HAVE_ST_MTIMESPEC]))])
-    AC_MSG_CHECKING([for two-parameter timespecsub])
-    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <sys/types.h>
-#include <sys/time.h>]], [[struct timespec ts1, ts2;
-ts1.tv_sec = 1; ts1.tv_nsec = 0; ts2.tv_sec = 0; ts2.tv_nsec = 0;
-#ifndef timespecsub
-#error missing timespecsub
-#endif
-timespecsub(&ts1, &ts2);]])], [AC_DEFINE(HAVE_TIMESPECSUB2)
-    AC_MSG_RESULT(yes)], [AC_MSG_RESULT(no)])
 fi
 dnl
 dnl Check for the dirfd function/macro.  If not found, look for dd_fd in DIR.
 dnl
 AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <sys/types.h>
 fi
 dnl
 dnl Check for the dirfd function/macro.  If not found, look for dd_fd in DIR.
 dnl
 AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <sys/types.h>
-#include <$ac_header_dirent>]], [[DIR *d; (void)dirfd(d);]])], [AC_DEFINE(HAVE_DIRFD)], [AC_TRY_LINK([#include <sys/types.h>
-#include <$ac_header_dirent>], [DIR d; memset(&d, 0, sizeof(d)); return(d.dd_fd);], [AC_DEFINE(HAVE_DD_FD)])])
+#include <$ac_header_dirent>]], [[DIR *d; (void)dirfd(d);]])], [AC_DEFINE(HAVE_DIRFD)], [AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <sys/types.h>
+#include <$ac_header_dirent>]], [[DIR d; memset(&d, 0, sizeof(d)); return(d.dd_fd);]])], [AC_DEFINE(HAVE_DD_FD)], [])])
+AC_CHECK_MEMBERS([struct dirent.d_type], [], [], [
+AC_INCLUDES_DEFAULT
+#include <$ac_header_dirent>
+])
 dnl
 dnl If NEED_SNPRINTF is set, add snprintf.c to LIBOBJS
 dnl (it contains snprintf, vsnprintf, asprintf, and vasprintf)
 dnl
 dnl If NEED_SNPRINTF is set, add snprintf.c to LIBOBJS
 dnl (it contains snprintf, vsnprintf, asprintf, and vasprintf)
@@ -1828,20 +2272,88 @@ fi
 dnl
 dnl If socket(2) not in libc, check -lsocket and -linet
 dnl May need to link with *both* -lnsl and -lsocket due to unresolved symbols
 dnl
 dnl If socket(2) not in libc, check -lsocket and -linet
 dnl May need to link with *both* -lnsl and -lsocket due to unresolved symbols
-dnl In this case we look for main(), not socket() to avoid using a cached value
 dnl
 dnl
-AC_CHECK_FUNC(socket, , [AC_CHECK_LIB(socket, socket, [NET_LIBS="${NET_LIBS} -lsocket"; LIBS="${LIBS} -lsocket"], AC_CHECK_LIB(inet, socket, [NET_LIBS="${NET_LIBS} -linet"; LIBS="${LIBS} -linet"], AC_MSG_WARN(unable to find socket() trying -lsocket -lnsl)
-AC_CHECK_LIB(socket, socket, [NET_LIBS="${NET_LIBS} -lsocket -lnsl"; LIBS="${LIBS} -lsocket -lnsl"], , -lnsl)))])
+AC_CHECK_FUNC(socket, [], [
+    for libs in "-lsocket" "-linet" "-lsocket -lnsl"; do
+       _libs=
+       for lib in $libs; do
+           case "$NET_LIBS" in
+               *"$lib"*)   ;;
+               *)          _libs="$_libs $lib";;
+           esac
+       done
+       libs="${_libs# }"
+       test -z "$libs" && continue
+       lib="`echo \"$libs\"|sed -e 's/^-l//' -e 's/ .*$//'`"
+       extralibs="`echo \"$libs\"|sed 's/^-l[[^ ]]*//'`"
+       SUDO_CHECK_LIB($lib, socket, [NET_LIBS="${NET_LIBS} $libs"; LIBS="${LIBS} $libs"; break], [], [$extralibs])
+    done
+])
 dnl
 dnl If inet_addr(3) not in libc, check -lnsl and -linet
 dnl May need to link with *both* -lnsl and -lsocket due to unresolved symbols
 dnl
 dnl
 dnl If inet_addr(3) not in libc, check -lnsl and -linet
 dnl May need to link with *both* -lnsl and -lsocket due to unresolved symbols
 dnl
-AC_CHECK_FUNC(inet_addr, , [AC_CHECK_FUNC(__inet_addr, , AC_CHECK_LIB(nsl, inet_addr, [NET_LIBS="${NET_LIBS} -lnsl"; LIBS="${LIBS} -lnsl"], AC_CHECK_LIB(inet, inet_addr, [NET_LIBS="${NET_LIBS} -linet"; LIBS="${LIBS} -linet"], AC_MSG_WARN(unable to find inet_addr() trying -lsocket -lnsl)
-AC_CHECK_LIB(socket, inet_addr, [NET_LIBS="${NET_LIBS} -lsocket -lnsl"; LIBS="${LIBS} -lsocket -lnsl"], , -lnsl))))])
+AC_CHECK_FUNC(inet_addr, [], [
+    AC_CHECK_FUNC(__inet_addr, [], [
+       for libs in "-lsocket" "-linet" "-lsocket -lnsl"; do
+           _libs=
+           for lib in $libs; do
+               case "$NET_LIBS" in
+                   *"$lib"*)   ;;
+                   *)          _libs="$_libs $lib";;
+               esac
+           done
+           libs="${_libs# }"
+           test -z "$libs" && continue
+           lib="`echo \"$libs\"|sed -e 's/^-l//' -e 's/ .*$//'`"
+           extralibs="`echo \"$libs\"|sed 's/^-l[[^ ]]*//'`"
+           SUDO_CHECK_LIB($lib, inet_addr, [NET_LIBS="${NET_LIBS} $libs"; LIBS="${LIBS} $libs"; break], [], [$extralibs])
+       done
+    ])
+])
 dnl
 dnl If syslog(3) not in libc, check -lsocket, -lnsl and -linet
 dnl
 dnl
 dnl If syslog(3) not in libc, check -lsocket, -lnsl and -linet
 dnl
-AC_CHECK_FUNC(syslog, , [AC_CHECK_LIB(socket, syslog, [NET_LIBS="${NET_LIBS} -lsocket"; LIBS="${LIBS} -lsocket"], AC_CHECK_LIB(nsl, syslog, [NET_LIBS="${NET_LIBS} -lnsl"; LIBS="${LIBS} -lnsl"], AC_CHECK_LIB(inet, syslog, [NET_LIBS="${NET_LIBS} -linet"; LIBS="${LIBS} -linet"])))])
+AC_CHECK_FUNC(syslog, [], [
+    for libs in "-lsocket" "-linet" "-lsocket -lnsl"; do
+       _libs=
+       for lib in $libs; do
+           case "$NET_LIBS" in
+               *"$lib"*)   ;;
+               *)          _libs="$_libs $lib";;
+           esac
+       done
+       libs="${_libs# }"
+       test -z "$libs" && continue
+       lib="`echo \"$libs\"|sed -e 's/^-l//' -e 's/ .*$//'`"
+       extralibs="`echo \"$libs\"|sed 's/^-l[[^ ]]*//'`"
+       SUDO_CHECK_LIB($lib, syslog, [NET_LIBS="${NET_LIBS} $libs"; LIBS="${LIBS} $libs"; break], [], [$extralibs])
+    done
+])
+dnl
+dnl If getaddrinfo(3) not in libc, check -lsocket and -linet
+dnl May need to link with *both* -lnsl and -lsocket due to unresolved symbols.
+dnl
+AC_CHECK_FUNCS(getaddrinfo, [], [
+    found=no
+    for libs in "-lsocket" "-linet" "-lsocket -lnsl"; do
+       _libs=
+       for lib in $libs; do
+           case "$NET_LIBS" in
+               *"$lib"*)   ;;
+               *)          _libs="$_libs $lib";;
+           esac
+       done
+       libs="${_libs# }"
+       test -z "$libs" && continue
+       lib="`echo \"$libs\"|sed -e 's/^-l//' -e 's/ .*$//'`"
+       extralibs="`echo \"$libs\"|sed 's/^-l[[^ ]]*//'`"
+       SUDO_CHECK_LIB($lib, getaddrinfo, [NET_LIBS="${NET_LIBS} $libs"; LIBS="${LIBS} $libs"; found=yes; break], [], [$extralibs])
+    done
+    if test X"$found" != X"no"; then
+       AC_DEFINE(HAVE_GETADDRINFO)
+    fi
+])
 dnl
 dnl Check for getprogname() or __progname
 dnl
 dnl
 dnl Check for getprogname() or __progname
 dnl
@@ -1856,6 +2368,159 @@ AC_CHECK_FUNCS(getprogname, , [
     fi
     AC_MSG_RESULT($sudo_cv___progname)
 ])
     fi
     AC_MSG_RESULT($sudo_cv___progname)
 ])
+dnl
+dnl Check for __func__ or __FUNCTION__
+dnl
+AC_MSG_CHECKING([for __func__])
+AC_CACHE_VAL(sudo_cv___func__, [
+AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[(void)puts(__func__);]])], [sudo_cv___func__=yes], [sudo_cv___func__=no])])
+AC_MSG_RESULT($sudo_cv___func__)
+if test "$sudo_cv___func__" = "yes"; then
+    AC_DEFINE(HAVE___FUNC__)
+elif test -n "$GCC"; then
+    AC_MSG_CHECKING([for __FUNCTION__])
+    AC_CACHE_VAL(sudo_cv___FUNCTION__, [
+    AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[(void)puts(__FUNCTION__);]])], [sudo_cv___FUNCTION__=yes], [sudo_cv___FUNCTION__=no])])
+    AC_MSG_RESULT($sudo_cv___FUNCTION__)
+    if test "$sudo_cv___FUNCTION__" = "yes"; then
+       AC_DEFINE(HAVE___FUNC__)
+       AC_DEFINE(__func__, __FUNCTION__, [Define to __FUNCTION__ if your compiler support __FUNCTION__ but not __func__])
+    fi
+fi
+
+# gettext() and friends may be located in libc (Linux and Solaris)
+# or in libintl.  However, it is possible to have libintl installed
+# even when gettext() is present in libc.  In the case of GNU libintl,
+# gettext() will be defined to gettext_libintl in libintl.h.
+# Since gcc prefers /usr/local/include to /usr/include, we need to
+# make sure we use the gettext() that matches the include file.
+if test "$enable_nls" != "no"; then
+    if test "$enable_nls" != "yes"; then
+       CPPFLAGS="${CPPFLAGS} -I${enable_nls}/include"
+       SUDO_APPEND_LIBPATH(LDFLAGS, [$enable_nls/lib])
+    fi
+    OLIBS="$LIBS"
+    for l in "libc" "-lintl" "-lintl -liconv"; do
+       if test "$l" = "libc"; then
+           # If user specified a dir for libintl ignore libc
+           if test "$enable_nls" != "yes"; then
+               continue
+           fi
+           gettext_name=sudo_cv_gettext
+           AC_MSG_CHECKING([for gettext])
+       else
+           LIBS="$OLIBS $l"
+           gettext_name=sudo_cv_gettext"`echo $l|sed -e 's/ //g' -e 's/-/_/g'`"
+           AC_MSG_CHECKING([for gettext in $l])
+       fi
+       AC_CACHE_VAL($gettext_name, [
+               AC_LINK_IFELSE(
+                   [
+                       AC_LANG_PROGRAM([[#include <libintl.h>]], [(void)gettext((char *)0);])
+                   ], [eval $gettext_name=yes], [eval $gettext_name=no]
+               )
+       ])
+       eval gettext_result="\$$gettext_name"
+       AC_MSG_RESULT($gettext_result)
+       test "$gettext_result" = "yes" && break
+    done
+    LIBS="$OLIBS"
+
+    if test "$sudo_cv_gettext" = "yes"; then
+       AC_DEFINE(HAVE_LIBINTL_H)
+       SUDO_NLS=enabled
+    elif test "$sudo_cv_gettext_lintl" = "yes"; then
+       AC_DEFINE(HAVE_LIBINTL_H)
+       SUDO_NLS=enabled
+       LIBINTL="-lintl"
+    elif test "$sudo_cv_gettext_lintl_liconv" = "yes"; then
+       AC_DEFINE(HAVE_LIBINTL_H)
+       SUDO_NLS=enabled
+       LIBINTL="-lintl -liconv"
+    fi
+fi
+
+dnl
+dnl Deferred zlib option processing.
+dnl By default we use the system zlib if it is present.
+dnl If a directory was specified for zlib (or we are use sudo's version),
+dnl prepend the include dir to make sure we get the right zlib header.
+dnl
+case "$enable_zlib" in
+    yes)
+       AC_CHECK_LIB(z, gzdopen, [
+           AC_CHECK_HEADERS(zlib.h, [ZLIB="-lz"], [enable_zlib=builtin])
+       ])
+       ;;
+    no)
+       ;;
+    system)
+       AC_DEFINE(HAVE_ZLIB_H)
+       ZLIB="-lz"
+       ;;
+    builtin)
+       # handled below
+       ;;
+    *)
+       AC_DEFINE(HAVE_ZLIB_H)
+       CPPFLAGS="-I${enable_zlib}/include ${CPPFLAGS}"
+       SUDO_APPEND_LIBPATH(ZLIB, [$enable_zlib/lib])
+       ZLIB="${ZLIB} -lz"
+       ;;
+esac
+if test X"$enable_zlib" = X"builtin"; then
+    AC_DEFINE(HAVE_ZLIB_H)
+    CPPFLAGS='-I$(top_builddir)/zlib -I$(top_srcdir)/zlib '"${CPPFLAGS}"
+    ZLIB="${ZLIB}"' $(top_builddir)/zlib/libz.la'
+    ZLIB_SRC=zlib
+    AC_CONFIG_HEADER([zlib/zconf.h])
+    AC_CONFIG_FILES([zlib/Makefile])
+fi
+
+dnl
+dnl Check for errno declaration in errno.h
+dnl
+AC_CHECK_DECLS([errno], [], [], [
+AC_INCLUDES_DEFAULT
+#include <errno.h>
+])
+
+dnl
+dnl Check for h_errno declaration in netdb.h
+dnl
+AC_CHECK_DECLS([h_errno], [], [], [
+AC_INCLUDES_DEFAULT
+#include <netdb.h>
+])
+
+dnl
+dnl Check for strsignal() or sys_siglist
+dnl
+AC_CHECK_FUNCS(strsignal, [], [
+    AC_LIBOBJ(strsignal)
+    HAVE_SIGLIST="false"
+    AC_CHECK_DECLS([sys_siglist, _sys_siglist, __sys_siglist], [
+       HAVE_SIGLIST="true"
+       break
+    ], [ ], [
+AC_INCLUDES_DEFAULT
+#include <signal.h>
+    ])
+    if test "$HAVE_SIGLIST" != "true"; then
+       AC_LIBOBJ(siglist)
+    fi
+])
+
+dnl
+dnl nsswitch.conf and its equivalents
+dnl
+if test ${with_netsvc-"no"} != "no"; then
+    SUDO_DEFINE_UNQUOTED(_PATH_NETSVC_CONF, "${with_netsvc-/etc/netsvc.conf}")
+    netsvc_conf=${with_netsvc-/etc/netsvc.conf}
+elif test ${with_nsswitch-"yes"} != "no"; then
+    SUDO_DEFINE_UNQUOTED(_PATH_NSSWITCH_CONF, "${with_nsswitch-/etc/nsswitch.conf}")
+    nsswitch_conf=${with_nsswitch-/etc/nsswitch.conf}
+fi
 
 dnl
 dnl Mutually exclusive auth checks come first, followed by
 
 dnl
 dnl Mutually exclusive auth checks come first, followed by
@@ -1882,46 +2547,73 @@ dnl PAM support.  Systems that use PAM by default set with_pam=default
 dnl and we do the actual tests here.
 dnl
 if test ${with_pam-"no"} != "no"; then
 dnl and we do the actual tests here.
 dnl
 if test ${with_pam-"no"} != "no"; then
-    dnl
-    dnl Linux may need this
-    dnl
-    AC_CHECK_LIB([dl], [main], [SUDO_LIBS="${SUDO_LIBS} -lpam -ldl"], [SUDO_LIBS="${SUDO_LIBS} -lpam"])
-    ac_cv_lib_dl=ac_cv_lib_dl_main
+    #
+    # Check for pam_start() in libpam first, then for pam_appl.h.
+    #
+    found_pam_lib=no
+    AC_CHECK_LIB(pam, pam_start, [found_pam_lib=yes], [], [$lt_cv_dlopen_libs])
+    #
+    # Some PAM implementations (MacOS X for example) put the PAM headers
+    # in /usr/include/pam instead of /usr/include/security...
+    #
+    found_pam_hdrs=no
+    AC_CHECK_HEADERS([security/pam_appl.h] [pam/pam_appl.h], [found_pam_hdrs=yes; break])
+    if test "$found_pam_lib" = "yes" -a "$found_pam_hdrs" = "yes"; then
+       # Found both PAM libs and headers
+       with_pam=yes
+    elif test "$with_pam" = "yes"; then
+       if test "$found_pam_lib" = "no"; then
+           AC_MSG_ERROR(["--with-pam specified but unable to locate PAM development library."])
+       fi
+       if test "$found_pam_hdrs" = "no"; then
+           AC_MSG_ERROR(["--with-pam specified but unable to locate PAM development headers."])
+       fi
+    elif test "$found_pam_lib" != "$found_pam_hdrs"; then
+       if test "$found_pam_lib" = "no"; then
+           AC_MSG_ERROR(["found PAM headers but no PAM development library; specify --without-pam to build without PAM"])
+       fi
+       if test "$found_pam_hdrs" = "no"; then
+           AC_MSG_ERROR(["found PAM library but no PAM development headers; specify --without-pam to build without PAM"])
+       fi
+    fi
 
 
-    dnl
-    dnl Some PAM implementations (MacOS X for example) put the PAM headers
-    dnl in /usr/include/pam instead of /usr/include/security...
-    dnl
-    AC_CHECK_HEADERS([security/pam_appl.h] [pam/pam_appl.h], [with_pam=yes; break])
     if test "$with_pam" = "yes"; then
     if test "$with_pam" = "yes"; then
+       # Older PAM implementations lack pam_getenvlist
+       OLIBS="$LIBS"
+       LIBS="$LIBS -lpam $lt_cv_dlopen_libs"
+       AC_CHECK_FUNCS(pam_getenvlist)
+       LIBS="$OLIBS"
+
+       # We already link with -ldl if needed (see LIBDL below)
+       SUDOERS_LIBS="${SUDOERS_LIBS} -lpam"
        AC_DEFINE(HAVE_PAM)
        AC_DEFINE(HAVE_PAM)
-       AUTH_OBJS="$AUTH_OBJS pam.o";
+       AUTH_OBJS="$AUTH_OBJS pam.lo";
        AUTH_EXCL=PAM
        AUTH_EXCL=PAM
+
+       AC_ARG_WITH(pam-login, [AS_HELP_STRING([--with-pam-login], [enable specific PAM session for sudo -i])],
+       [case $with_pam_login in
+           yes)        AC_DEFINE([HAVE_PAM_LOGIN])
+                       AC_MSG_CHECKING(whether to use PAM login)
+                       AC_MSG_RESULT(yes)
+                       ;;
+           no)         ;;
+           *)          AC_MSG_ERROR(["--with-pam-login does not take an argument."])
+                       ;;
+       esac])
+
        AC_MSG_CHECKING(whether to use PAM session support)
        AC_ARG_ENABLE(pam_session,
        AC_MSG_CHECKING(whether to use PAM session support)
        AC_ARG_ENABLE(pam_session,
-       [  --disable-pam-session   Disable PAM session support],
+       [AS_HELP_STRING([--disable-pam-session], [Disable PAM session support])],
            [ case "$enableval" in
                yes)    AC_MSG_RESULT(yes)
                        ;;
                no)             AC_MSG_RESULT(no)
            [ case "$enableval" in
                yes)    AC_MSG_RESULT(yes)
                        ;;
                no)             AC_MSG_RESULT(no)
-                           AC_DEFINE([NO_PAM_SESSION], [], [PAM session support disabled])
+                           AC_DEFINE(NO_PAM_SESSION)
                            ;;
                *)              AC_MSG_RESULT(no)
                            AC_MSG_WARN([Ignoring unknown argument to --enable-pam-session: $enableval])
                            ;;
            esac], AC_MSG_RESULT(yes))
                            ;;
                *)              AC_MSG_RESULT(no)
                            AC_MSG_WARN([Ignoring unknown argument to --enable-pam-session: $enableval])
                            ;;
            esac], AC_MSG_RESULT(yes))
-       case $host in
-           *-*-linux*|*-*-solaris*)
-                   # dgettext() may be defined to dgettext_libintl in the
-                   # header file, so first check that it links w/ additional
-                   # libs, then try with -lintl
-                   AC_LINK_IFELSE([AC_LANG_PROGRAM(
-                   [[#include <libintl.h>]], [(void)dgettext((char *)0, (char *)0);])],
-                   [AC_DEFINE(HAVE_DGETTEXT)],
-                   [AC_CHECK_LIB(intl, dgettext, [LIBS="${LIBS} -lintl"]
-                       [AC_DEFINE(HAVE_DGETTEXT)])])
-                   ;;
-       esac
     fi
 fi
 
     fi
 fi
 
@@ -1933,8 +2625,8 @@ if test ${with_aixauth-'no'} != "no"; then
     if test X"$with_aixauth" != X"maybe" -o X"$AUTH_EXCL" = X""; then
        AC_MSG_NOTICE([using AIX general authentication])
        AC_DEFINE(HAVE_AIXAUTH)
     if test X"$with_aixauth" != X"maybe" -o X"$AUTH_EXCL" = X""; then
        AC_MSG_NOTICE([using AIX general authentication])
        AC_DEFINE(HAVE_AIXAUTH)
-       AUTH_OBJS="$AUTH_OBJS aix_auth.o";
-       SUDO_LIBS="${SUDO_LIBS} -ls"
+       AUTH_OBJS="$AUTH_OBJS aix_auth.lo";
+       SUDOERS_LIBS="${SUDOERS_LIBS} -ls"
        AUTH_EXCL=AIX_AUTH
     fi
 fi
        AUTH_EXCL=AIX_AUTH
     fi
 fi
@@ -1945,9 +2637,9 @@ dnl If set to "maybe" only enable if no other exclusive method in use.
 dnl
 if test ${with_bsdauth-'no'} != "no"; then
     AC_CHECK_HEADER(bsd_auth.h, AC_DEFINE(HAVE_BSD_AUTH_H)
 dnl
 if test ${with_bsdauth-'no'} != "no"; then
     AC_CHECK_HEADER(bsd_auth.h, AC_DEFINE(HAVE_BSD_AUTH_H)
-       [AUTH_OBJS="$AUTH_OBJS bsdauth.o"]
+       [AUTH_OBJS="$AUTH_OBJS bsdauth.lo"]
        [BSDAUTH_USAGE='[[-a auth_type]] ']
        [BSDAUTH_USAGE='[[-a auth_type]] ']
-       [AUTH_EXCL=BSD_AUTH; BAMAN=""],
+       [AUTH_EXCL=BSD_AUTH; BAMAN=1],
        [AC_MSG_ERROR([BSD authentication was specified but bsd_auth.h could not be found])])
 fi
 
        [AC_MSG_ERROR([BSD authentication was specified but bsd_auth.h could not be found])])
 fi
 
@@ -1958,7 +2650,7 @@ if test ${CHECKSIA-'false'} = "true"; then
     AC_CHECK_FUNCS(sia_ses_init, [found=true], [found=false])
     if test "$found" = "true"; then
        AUTH_EXCL=SIA
     AC_CHECK_FUNCS(sia_ses_init, [found=true], [found=false])
     if test "$found" = "true"; then
        AUTH_EXCL=SIA
-       AUTH_OBJS="$AUTH_OBJS sia.o"
+       AUTH_OBJS="$AUTH_OBJS sia.lo"
     fi
 fi
 
     fi
 fi
 
@@ -1967,12 +2659,12 @@ dnl extra FWTK libs + includes
 dnl
 if test ${with_fwtk-'no'} != "no"; then
     if test "$with_fwtk" != "yes"; then
 dnl
 if test ${with_fwtk-'no'} != "no"; then
     if test "$with_fwtk" != "yes"; then
-       SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [${with_fwtk}])
+       SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [${with_fwtk}])
        CPPFLAGS="${CPPFLAGS} -I${with_fwtk}"
        with_fwtk=yes
     fi
        CPPFLAGS="${CPPFLAGS} -I${with_fwtk}"
        with_fwtk=yes
     fi
-    SUDO_LIBS="${SUDO_LIBS} -lauth -lfwall"
-    AUTH_OBJS="$AUTH_OBJS fwtk.o"
+    SUDOERS_LIBS="${SUDOERS_LIBS} -lauth -lfwall"
+    AUTH_OBJS="$AUTH_OBJS fwtk.lo"
 fi
 
 dnl
 fi
 
 dnl
@@ -1987,27 +2679,9 @@ if test ${with_SecurID-'no'} != "no"; then
        with_SecurID=/usr/ace
     fi
     CPPFLAGS="${CPPFLAGS} -I${with_SecurID}"
        with_SecurID=/usr/ace
     fi
     CPPFLAGS="${CPPFLAGS} -I${with_SecurID}"
-    _LDFLAGS="${LDFLAGS}"
     SUDO_APPEND_LIBPATH(LDFLAGS, [${with_SecurID}])
     SUDO_APPEND_LIBPATH(LDFLAGS, [${with_SecurID}])
-    #
-    # Determine whether to use the new or old SecurID API
-    #
-    AC_CHECK_LIB(aceclnt, SD_Init,
-       [
-           AUTH_OBJS="$AUTH_OBJS securid5.o";
-           SUDO_LIBS="${SUDO_LIBS} -laceclnt -lpthread"
-       ]
-       [
-           SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [${with_SecurID}])
-       ], [
-           AUTH_OBJS="$AUTH_OBJS securid.o";
-           SUDO_LIBS="${SUDO_LIBS} ${with_SecurID}/sdiclient.a"
-       ],
-       [
-           -lpthread
-       ]
-    )
-    LDFLAGS="${_LDFLAGS}"
+    SUDOERS_LIBS="${SUDOERS_LIBS} -laceclnt -lpthread"
+    AUTH_OBJS="$AUTH_OBJS securid5.lo";
 fi
 
 dnl
 fi
 
 dnl
@@ -2027,65 +2701,6 @@ if test -z "${AUTH_EXCL}" -a -n "$AUTH_DEF"; then
     done
 fi
 
     done
 fi
 
-dnl
-dnl Kerberos IV
-dnl
-if test ${with_kerb4-'no'} != "no"; then
-    AC_DEFINE(HAVE_KERB4)
-    dnl
-    dnl Use the specified directory, if any, else search for correct inc dir
-    dnl
-    O_LDFLAGS="$LDFLAGS"
-    if test "$with_kerb4" = "yes"; then
-       found=no
-       O_CPPFLAGS="$CPPFLAGS"
-       for dir in "" "kerberosIV/" "krb4/" "kerberos4/" "kerberosv4/"; do
-           CPPFLAGS="$O_CPPFLAGS -I/usr/include/${dir}"
-           AC_PREPROC_IFELSE([#include <krb.h>], [found=yes; break])
-       done
-       test X"$found" = X"no" && CPPFLAGS="$O_CPPFLAGS"
-    else
-       SUDO_APPEND_LIBPATH(LDFLAGS, [${with_kerb4}/lib])
-       SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [${with_kerb4}/lib])
-       CPPFLAGS="$CPPFLAGS -I${with_kerb4}/include"
-       AC_CHECK_HEADER([krb.h], [found=yes], [found=no])
-    fi
-    if test X"$found" = X"no"; then
-       AC_MSG_WARN([Unable to locate Kerberos IV include files, you will have to edit the Makefile and add -I/path/to/krb/includes to CPPFLAGS])
-    fi
-
-    dnl
-    dnl Check for -ldes vs. -ldes425
-    dnl
-    AC_CHECK_LIB(des, des_cbc_encrypt, [K4LIBS="-ldes"], [
-       AC_CHECK_LIB(des425, des_cbc_encrypt, [K4LIBS="-ldes425"], [K4LIBS=""])
-    ])
-    dnl
-    dnl Try to determine whether we have KTH or MIT/CNS Kerberos IV
-    dnl
-    AC_MSG_CHECKING(whether we are using KTH Kerberos IV)
-    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <krb.h>]], [[const char *tmp = krb4_version;]])], [
-           AC_MSG_RESULT(yes)
-           K4LIBS="${K4LIBS} -lcom_err"
-           AC_CHECK_LIB(roken, main, [K4LIBS="${K4LIBS} -lroken"])
-       ], [
-           AC_MSG_RESULT(no)
-       ]
-    )
-    dnl
-    dnl The actual Kerberos IV lib might be -lkrb or -lkrb4
-    dnl
-    AC_CHECK_LIB(krb, main, [K4LIBS="-lkrb $K4LIBS"], [
-       AC_CHECK_LIB(krb4, main, [K4LIBS="-lkrb4 $K4LIBS"],
-           [K4LIBS="-lkrb $K4LIBS"]
-           [AC_MSG_WARN([Unable to locate Kerberos IV libraries, you will have to edit the Makefile and add -L/path/to/krb/libs to SUDO_LDFLAGS and possibly add Kerberos libs to SUDO_LIBS])]
-       , [$K4LIBS])
-    ], [$K4LIBS])
-    LDFLAGS="$O_LDFLAGS"
-    SUDO_LIBS="${SUDO_LIBS} $K4LIBS"
-    AUTH_OBJS="$AUTH_OBJS kerb4.o"
-fi
-
 dnl
 dnl Kerberos V
 dnl There is an easy way and a hard way...
 dnl
 dnl Kerberos V
 dnl There is an easy way and a hard way...
@@ -2094,9 +2709,9 @@ if test ${with_kerb5-'no'} != "no"; then
     AC_CHECK_PROG(KRB5CONFIG, krb5-config, yes, "")
     if test -n "$KRB5CONFIG"; then
        AC_DEFINE(HAVE_KERB5)
     AC_CHECK_PROG(KRB5CONFIG, krb5-config, yes, "")
     if test -n "$KRB5CONFIG"; then
        AC_DEFINE(HAVE_KERB5)
-       AUTH_OBJS="$AUTH_OBJS kerb5.o"
+       AUTH_OBJS="$AUTH_OBJS kerb5.lo"
        CPPFLAGS="$CPPFLAGS `krb5-config --cflags`"
        CPPFLAGS="$CPPFLAGS `krb5-config --cflags`"
-       SUDO_LIBS="$SUDO_LIBS `krb5-config --libs`"
+       SUDOERS_LIBS="$SUDOERS_LIBS `krb5-config --libs`"
        dnl
        dnl Try to determine whether we have Heimdal or MIT Kerberos
        dnl
        dnl
        dnl Try to determine whether we have Heimdal or MIT Kerberos
        dnl
@@ -2108,66 +2723,78 @@ if test ${with_kerb5-'no'} != "no"; then
                AC_MSG_RESULT(no)
            ]
        )
                AC_MSG_RESULT(no)
            ]
        )
-    fi
-fi
-if test ${with_kerb5-'no'} != "no" -a -z "$KRB5CONFIG"; then
-    AC_DEFINE(HAVE_KERB5)
-    dnl
-    dnl Use the specified directory, if any, else search for correct inc dir
-    dnl
-    if test "$with_kerb5" = "yes"; then
-       found=no
-       O_CPPFLAGS="$CPPFLAGS"
-       for dir in "" "kerberosV/" "krb5/" "kerberos5/" "kerberosv5/"; do
-           CPPFLAGS="$O_CPPFLAGS -I/usr/include/${dir}"
-           AC_PREPROC_IFELSE([#include <krb5.h>], [found=yes; break])
-       done
-       if test X"$found" = X"no"; then
-           CPPFLAGS="$O_CPPFLAGS"
-           AC_MSG_WARN([Unable to locate Kerberos V include files, you will have to edit the Makefile and add -I/path/to/krb/includes to CPPFLAGS])
-       fi
     else
     else
-       dnl XXX - try to include krb5.h here too
-       SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [${with_kerb5}/lib])
-       CPPFLAGS="$CPPFLAGS -I${with_kerb5}/include"
-    fi
+       AC_DEFINE(HAVE_KERB5)
+       dnl
+       dnl Use the specified directory, if any, else search for correct inc dir
+       dnl
+       if test "$with_kerb5" = "yes"; then
+           found=no
+           O_CPPFLAGS="$CPPFLAGS"
+           for dir in "" "kerberosV/" "krb5/" "kerberos5/" "kerberosv5/"; do
+               CPPFLAGS="$O_CPPFLAGS -I/usr/include/${dir}"
+               AC_PREPROC_IFELSE([AC_LANG_PROGRAM([[#include <krb5.h>]])], [found=yes; break])
+           done
+           if test X"$found" = X"no"; then
+               CPPFLAGS="$O_CPPFLAGS"
+               AC_MSG_WARN([Unable to locate Kerberos V include files, you will have to edit the Makefile and add -I/path/to/krb/includes to CPPFLAGS])
+           fi
+       else
+           dnl XXX - try to include krb5.h here too
+           SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [${with_kerb5}/lib])
+           CPPFLAGS="$CPPFLAGS -I${with_kerb5}/include"
+       fi
 
 
-    dnl
-    dnl Try to determine whether we have Heimdal or MIT Kerberos
-    dnl
-    AC_MSG_CHECKING(whether we are using Heimdal)
-    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <krb5.h>]], [[const char *tmp = heimdal_version;]])], [
-           AC_MSG_RESULT(yes)
-           AC_DEFINE(HAVE_HEIMDAL)
-           # XXX - need to check whether -lcrypo is needed!
-           SUDO_LIBS="${SUDO_LIBS} -lkrb5 -lcrypto -ldes -lcom_err -lasn1"
-           AC_CHECK_LIB(roken, main, [SUDO_LIBS="${SUDO_LIBS} -lroken"])
-       ], [
-           AC_MSG_RESULT(no)
-           SUDO_LIBS="${SUDO_LIBS} -lkrb5 -lk5crypto -lcom_err"
-           AC_CHECK_LIB(krb5support, main, [SUDO_LIBS="${SUDO_LIBS} -lkrb5support,"])
-    ])
-    AUTH_OBJS="$AUTH_OBJS kerb5.o"
+       dnl
+       dnl Try to determine whether we have Heimdal or MIT Kerberos
+       dnl
+       AC_MSG_CHECKING(whether we are using Heimdal)
+       AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <krb5.h>]], [[const char *tmp = heimdal_version;]])], [
+               AC_MSG_RESULT(yes)
+               AC_DEFINE(HAVE_HEIMDAL)
+               # XXX - need to check whether -lcrypo is needed!
+               SUDOERS_LIBS="${SUDOERS_LIBS} -lkrb5 -lcrypto -ldes -lcom_err -lasn1"
+               AC_CHECK_LIB(roken, main, [SUDOERS_LIBS="${SUDOERS_LIBS} -lroken"])
+           ], [
+               AC_MSG_RESULT(no)
+               SUDOERS_LIBS="${SUDOERS_LIBS} -lkrb5 -lk5crypto -lcom_err"
+               AC_CHECK_LIB(krb5support, main, [SUDOERS_LIBS="${SUDOERS_LIBS} -lkrb5support"])
+       ])
+       AUTH_OBJS="$AUTH_OBJS kerb5.lo"
+    fi
     _LIBS="$LIBS"
     _LIBS="$LIBS"
-    LIBS="${LIBS} ${SUDO_LIBS}"
-    AC_CHECK_FUNCS(krb5_verify_user krb5_init_secure_context krb5_get_init_creds_opt_alloc)
-    AC_CACHE_CHECK(whether krb5_get_init_creds_opt_free takes a two argument2,
-       sudo_cv_krb5_get_init_creds_opt_free_two_args, [
-           AC_TRY_COMPILE([#include <krb5.h>],
-               [
-                   krb5_context context = NULL;
-                   krb5_get_init_creds_opt *opts = NULL;
-                   krb5_get_init_creds_opt_free(context, opts);
-               ],
-               [sudo_cv_krb5_get_init_creds_opt_free_two_args=yes],
-               [sudo_cv_krb5_get_init_creds_opt_free_two_args=no]
-           )
-       ]
-    )
+    LIBS="${LIBS} ${SUDOERS_LIBS}"
+    AC_CHECK_FUNCS(krb5_verify_user krb5_init_secure_context)
+    AC_CHECK_FUNCS(krb5_get_init_creds_opt_alloc, [
+       AC_CACHE_CHECK([whether krb5_get_init_creds_opt_free takes a context],
+           sudo_cv_krb5_get_init_creds_opt_free_two_args, [
+               AC_COMPILE_IFELSE(
+                   [AC_LANG_PROGRAM(
+                       [[#include <krb5.h>]],
+                       [[krb5_get_init_creds_opt_free(NULL, NULL);]]
+                   )],
+                   [sudo_cv_krb5_get_init_creds_opt_free_two_args=yes],
+                   [sudo_cv_krb5_get_init_creds_opt_free_two_args=no]
+               )
+           ]
+       )
+    ])
     if test X"$sudo_cv_krb5_get_init_creds_opt_free_two_args" = X"yes"; then
        AC_DEFINE(HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS)
     fi
     LIBS="$_LIBS"
     if test X"$sudo_cv_krb5_get_init_creds_opt_free_two_args" = X"yes"; then
        AC_DEFINE(HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS)
     fi
     LIBS="$_LIBS"
+    AC_MSG_CHECKING(whether to use an instance name for Kerberos V)
+    AC_ARG_ENABLE(kerb5-instance,
+    [AS_HELP_STRING([--enable-kerb5-instance], [instance string to append to the username (separated by a slash)])],
+       [ case "$enableval" in
+           yes)        AC_MSG_ERROR(["must give --enable-kerb5-instance an argument."])
+                       ;;
+           no)         AC_MSG_RESULT(no)
+                       ;;
+           *)          SUDO_DEFINE_UNQUOTED(SUDO_KRB5_INSTANCE, "$enableval")
+                       AC_MSG_RESULT([$enableval])
+                       ;;
+       esac], AC_MSG_RESULT(no))
 fi
 
 dnl
 fi
 
 dnl
@@ -2179,12 +2806,12 @@ if test ${with_AFS-'no'} = "yes"; then
     AFSLIBDIRS="/usr/lib/afs /usr/afsws/lib /usr/afsws/lib/afs"
     for i in $AFSLIBDIRS; do
        if test -d ${i}; then
     AFSLIBDIRS="/usr/lib/afs /usr/afsws/lib /usr/afsws/lib/afs"
     for i in $AFSLIBDIRS; do
        if test -d ${i}; then
-           SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [$i])
+           SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [$i])
            FOUND_AFSLIBDIR=true
        fi
     done
     if test -z "$FOUND_AFSLIBDIR"; then
            FOUND_AFSLIBDIR=true
        fi
     done
     if test -z "$FOUND_AFSLIBDIR"; then
-       AC_MSG_WARN([Unable to locate AFS libraries, you will have to edit the Makefile and add -L/path/to/afs/libs to SUDO_LDFLAGS or rerun configure with the --with-libpath options.])
+       AC_MSG_WARN([Unable to locate AFS libraries, you will have to edit the Makefile and add -L/path/to/afs/libs to SUDOERS_LDFLAGS or rerun configure with the --with-libpath options.])
     fi
 
     # Order is important here.  Note that we build AFS_LIBS from right to left
     fi
 
     # Order is important here.  Note that we build AFS_LIBS from right to left
@@ -2214,7 +2841,7 @@ if test ${with_AFS-'no'} = "yes"; then
        AC_MSG_WARN([Unable to locate AFS include dir, you may have to edit the Makefile and add -I/path/to/afs/includes to CPPFLAGS or rerun configure with the --with-incpath options.])
     fi
 
        AC_MSG_WARN([Unable to locate AFS include dir, you may have to edit the Makefile and add -I/path/to/afs/includes to CPPFLAGS or rerun configure with the --with-incpath options.])
     fi
 
-    AUTH_OBJS="$AUTH_OBJS afs.o"
+    AUTH_OBJS="$AUTH_OBJS afs.lo"
 fi
 
 dnl
 fi
 
 dnl
@@ -2223,75 +2850,91 @@ dnl Order of libs in HP-UX 10.x is important, -ldce must be last.
 dnl
 if test ${with_DCE-'no'} = "yes"; then
     DCE_OBJS="${DCE_OBJS} dce_pwent.o"
 dnl
 if test ${with_DCE-'no'} = "yes"; then
     DCE_OBJS="${DCE_OBJS} dce_pwent.o"
-    SUDO_LIBS="${SUDO_LIBS} -ldce"
-    AUTH_OBJS="$AUTH_OBJS dce.o"
+    SUDOERS_LIBS="${SUDOERS_LIBS} -ldce"
+    AUTH_OBJS="$AUTH_OBJS dce.lo"
 fi
 
 dnl
 dnl extra S/Key lib and includes
 dnl
 fi
 
 dnl
 dnl extra S/Key lib and includes
 dnl
-if test ${with_skey-'no'} = "yes"; then
+if test "${with_skey-'no'}" = "yes"; then
     O_LDFLAGS="$LDFLAGS"
     if test "$with_skey" != "yes"; then
        CPPFLAGS="${CPPFLAGS} -I${with_skey}/include"
        SUDO_APPEND_LIBPATH(LDFLAGS, [${with_skey}/lib])
     O_LDFLAGS="$LDFLAGS"
     if test "$with_skey" != "yes"; then
        CPPFLAGS="${CPPFLAGS} -I${with_skey}/include"
        SUDO_APPEND_LIBPATH(LDFLAGS, [${with_skey}/lib])
-       SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [${with_skey}/lib])
-       AC_PREPROC_IFELSE([#include <skey.h>], [found=yes], [found=no])
+       SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [${with_skey}/lib])
+       AC_CHECK_HEADER([skey.h], [found=yes], [found=no], [#include <stdio.h>])
     else
        found=no
        O_CPPFLAGS="$CPPFLAGS"
        for dir in "" "/usr/local" "/usr/contrib"; do
            test -n "$dir" && CPPFLAGS="$O_CPPFLAGS -I${dir}/include"
     else
        found=no
        O_CPPFLAGS="$CPPFLAGS"
        for dir in "" "/usr/local" "/usr/contrib"; do
            test -n "$dir" && CPPFLAGS="$O_CPPFLAGS -I${dir}/include"
-           AC_PREPROC_IFELSE([#include <skey.h>], [found=yes; break])
+           AC_CHECK_HEADER([skey.h], [found=yes; break], [],
+               [#include <stdio.h>]) 
        done
        if test "$found" = "no" -o -z "$dir"; then
            CPPFLAGS="$O_CPPFLAGS"
        else
            SUDO_APPEND_LIBPATH(LDFLAGS, [${dir}/lib])
        done
        if test "$found" = "no" -o -z "$dir"; then
            CPPFLAGS="$O_CPPFLAGS"
        else
            SUDO_APPEND_LIBPATH(LDFLAGS, [${dir}/lib])
-           SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [${dir}/lib])
+           SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [${dir}/lib])
+       fi
+       if test "$found" = "no"; then
+           AC_MSG_WARN([Unable to locate skey.h, you will have to edit the Makefile and add -I/path/to/skey/includes to CPPFLAGS])
        fi
     fi
        fi
     fi
-    if test "$found" = "no"; then
-       AC_MSG_WARN([Unable to locate skey.h, you will have to edit the Makefile and add -I/path/to/skey/includes to CPPFLAGS])
-    fi
-    AC_CHECK_LIB(skey, main, [found=yes], [AC_MSG_WARN([Unable to locate libskey.a, you will have to edit the Makefile and add -L/path/to/skey/lib to SUDO_LDFLAGS])])
+    AC_CHECK_LIB(skey, main, [found=yes], [AC_MSG_WARN([Unable to locate libskey.a, you will have to edit the Makefile and add -L/path/to/skey/lib to SUDOERS_LDFLAGS])])
     AC_CHECK_LIB(skey, skeyaccess, AC_DEFINE(HAVE_SKEYACCESS))
     AC_CHECK_LIB(skey, skeyaccess, AC_DEFINE(HAVE_SKEYACCESS))
+
+    AC_MSG_CHECKING([for RFC1938-compliant skeychallenge])
+    AC_COMPILE_IFELSE(
+       [AC_LANG_PROGRAM(
+           [[#include <stdio.h>
+           #include <skey.h>]],
+           [[skeychallenge(NULL, NULL, NULL, 0);]]
+       )], [
+           AC_DEFINE(HAVE_RFC1938_SKEYCHALLENGE)
+           AC_MSG_RESULT([yes])
+       ], [
+           AC_MSG_RESULT([no])
+       ]
+    )
+
     LDFLAGS="$O_LDFLAGS"
     LDFLAGS="$O_LDFLAGS"
-    SUDO_LIBS="${SUDO_LIBS} -lskey"
-    AUTH_OBJS="$AUTH_OBJS rfc1938.o"
+    SUDOERS_LIBS="${SUDOERS_LIBS} -lskey"
+    AUTH_OBJS="$AUTH_OBJS rfc1938.lo"
 fi
 
 dnl
 dnl extra OPIE lib and includes
 dnl
 fi
 
 dnl
 dnl extra OPIE lib and includes
 dnl
-if test ${with_opie-'no'} = "yes"; then
+if test "${with_opie-'no'}" = "yes"; then
     O_LDFLAGS="$LDFLAGS"
     if test "$with_opie" != "yes"; then
        CPPFLAGS="${CPPFLAGS} -I${with_opie}/include"
        SUDO_APPEND_LIBPATH(LDFLAGS, [${with_opie}/lib])
     O_LDFLAGS="$LDFLAGS"
     if test "$with_opie" != "yes"; then
        CPPFLAGS="${CPPFLAGS} -I${with_opie}/include"
        SUDO_APPEND_LIBPATH(LDFLAGS, [${with_opie}/lib])
-       SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [${with_opie}/lib])
-       AC_PREPROC_IFELSE([#include <opie.h>], [found=yes], [found=no])
+       SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [${with_opie}/lib])
+       AC_PREPROC_IFELSE([AC_LANG_PROGRAM([[#include <opie.h>]])], [found=yes], [found=no])
     else
        found=no
        O_CPPFLAGS="$CPPFLAGS"
        for dir in "" "/usr/local" "/usr/contrib"; do
            test -n "$dir" && CPPFLAGS="$O_CPPFLAGS -I${dir}/include"
     else
        found=no
        O_CPPFLAGS="$CPPFLAGS"
        for dir in "" "/usr/local" "/usr/contrib"; do
            test -n "$dir" && CPPFLAGS="$O_CPPFLAGS -I${dir}/include"
-           AC_PREPROC_IFELSE([#include <opie.h>], [found=yes; break])
+           AC_PREPROC_IFELSE([AC_LANG_PROGRAM([[#include <opie.h>]])], [found=yes; break])
        done
        if test "$found" = "no" -o -z "$dir"; then
            CPPFLAGS="$O_CPPFLAGS"
        else
            SUDO_APPEND_LIBPATH(LDFLAGS, [${dir}/lib])
        done
        if test "$found" = "no" -o -z "$dir"; then
            CPPFLAGS="$O_CPPFLAGS"
        else
            SUDO_APPEND_LIBPATH(LDFLAGS, [${dir}/lib])
-           SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [${dir}/lib])
+           SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [${dir}/lib])
+       fi
+       if test "$found" = "no"; then
+           AC_MSG_WARN([Unable to locate opie.h, you will have to edit the Makefile and add -I/path/to/opie/includes to CPPFLAGS])
        fi
     fi
        fi
     fi
-    if test "$found" = "no"; then
-       AC_MSG_WARN([Unable to locate opie.h, you will have to edit the Makefile and add -I/path/to/opie/includes to CPPFLAGS])
-    fi
-    AC_CHECK_LIB(opie, main, [found=yes], [AC_MSG_WARN([Unable to locate libopie.a, you will have to edit the Makefile and add -L/path/to/opie/lib to SUDO_LDFLAGS])])
+    AC_CHECK_LIB(opie, main, [found=yes], [AC_MSG_WARN([Unable to locate libopie.a, you will have to edit the Makefile and add -L/path/to/opie/lib to SUDOERS_LDFLAGS])])
     LDFLAGS="$O_LDFLAGS"
     LDFLAGS="$O_LDFLAGS"
-    SUDO_LIBS="${SUDO_LIBS} -lopie"
-    AUTH_OBJS="$AUTH_OBJS rfc1938.o"
+    SUDOERS_LIBS="${SUDOERS_LIBS} -lopie"
+    AUTH_OBJS="$AUTH_OBJS rfc1938.lo"
 fi
 
 dnl
 fi
 
 dnl
@@ -2303,8 +2946,10 @@ if test ${with_passwd-'no'} != "no"; then
     dnl
     dnl if crypt(3) not in libc, look elsewhere
     dnl
     dnl
     dnl if crypt(3) not in libc, look elsewhere
     dnl
-    if test -z "$LIB_CRYPT" -a "$with_passwd" != "no"; then
-       AC_SEARCH_LIBS([crypt], [crypt crypt_d ufc], [test -n "$ac_lib" && SUDO_LIBS="${SUDO_LIBS} $ac_res"])
+    if test -z "$LIB_CRYPT"; then
+       _LIBS="$LIBS"
+       AC_SEARCH_LIBS([crypt], [crypt crypt_d ufc], [test -n "$ac_lib" && SUDOERS_LIBS="${SUDOERS_LIBS} $ac_res"])
+       LIBS="$_LIBS"
     fi
 
     if test "$CHECKSHADOW" = "true" -a -n "$shadow_funcs"; then
     fi
 
     if test "$CHECKSHADOW" = "true" -a -n "$shadow_funcs"; then
@@ -2313,12 +2958,12 @@ if test ${with_passwd-'no'} != "no"; then
        found=no
        AC_CHECK_FUNCS($shadow_funcs, [found=yes])
        if test "$found" = "yes"; then
        found=no
        AC_CHECK_FUNCS($shadow_funcs, [found=yes])
        if test "$found" = "yes"; then
-           SUDO_LIBS="$SUDO_LIBS $shadow_libs"
+           SUDOERS_LIBS="$SUDOERS_LIBS $shadow_libs"
        elif test -n "$shadow_libs_optional"; then
            LIBS="$LIBS $shadow_libs_optional"
            AC_CHECK_FUNCS($shadow_funcs, [found=yes])
            if test "$found" = "yes"; then
        elif test -n "$shadow_libs_optional"; then
            LIBS="$LIBS $shadow_libs_optional"
            AC_CHECK_FUNCS($shadow_funcs, [found=yes])
            if test "$found" = "yes"; then
-               SUDO_LIBS="$SUDO_LIBS $shadow_libs $shadow_libs_optional"
+               SUDOERS_LIBS="$SUDOERS_LIBS $shadow_libs $shadow_libs_optional"
            fi
        fi
        if test "$found" = "yes"; then
            fi
        fi
        if test "$found" = "yes"; then
@@ -2332,14 +2977,14 @@ if test ${with_passwd-'no'} != "no"; then
        CHECKSHADOW=false
     fi
     if test "$CHECKSHADOW" = "true"; then
        CHECKSHADOW=false
     fi
     if test "$CHECKSHADOW" = "true"; then
-       AC_SEARCH_LIBS([getspnam], [gen], [AC_DEFINE(HAVE_GETSPNAM)] [CHECKSHADOW=false; test -n "$ac_lib" && SUDO_LIBS="${SUDO_LIBS} $ac_res"])
+       AC_SEARCH_LIBS([getspnam], [gen], [AC_DEFINE(HAVE_GETSPNAM)] [CHECKSHADOW=false; test -n "$ac_lib" && SUDOERS_LIBS="${SUDOERS_LIBS} $ac_res"])
     fi
     if test "$CHECKSHADOW" = "true"; then
     fi
     if test "$CHECKSHADOW" = "true"; then
-       AC_SEARCH_LIBS([getprpwnam], [sec security prot], [AC_DEFINE(HAVE_GETPRPWNAM)] [CHECKSHADOW=false; SECUREWARE=1; test -n "$ac_lib" && SUDO_LIBS="${SUDO_LIBS} $ac_res"])
+       AC_SEARCH_LIBS([getprpwnam], [sec security prot], [AC_DEFINE(HAVE_GETPRPWNAM)] [CHECKSHADOW=false; SECUREWARE=1; test -n "$ac_lib" && SUDOERS_LIBS="${SUDOERS_LIBS} $ac_res"])
     fi
     if test -n "$SECUREWARE"; then
        AC_CHECK_FUNCS(bigcrypt set_auth_parameters initprivs)
     fi
     if test -n "$SECUREWARE"; then
        AC_CHECK_FUNCS(bigcrypt set_auth_parameters initprivs)
-       AUTH_OBJS="$AUTH_OBJS secureware.o"
+       AUTH_OBJS="$AUTH_OBJS secureware.lo"
     fi
 fi
 
     fi
 fi
 
@@ -2349,13 +2994,13 @@ dnl
 if test ${with_ldap-'no'} != "no"; then
     _LDFLAGS="$LDFLAGS"
     if test "$with_ldap" != "yes"; then
 if test ${with_ldap-'no'} != "no"; then
     _LDFLAGS="$LDFLAGS"
     if test "$with_ldap" != "yes"; then
-       SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [${with_ldap}/lib])
+       SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [${with_ldap}/lib])
        SUDO_APPEND_LIBPATH(LDFLAGS, [${with_ldap}/lib])
        CPPFLAGS="${CPPFLAGS} -I${with_ldap}/include"
        with_ldap=yes
        SUDO_APPEND_LIBPATH(LDFLAGS, [${with_ldap}/lib])
        CPPFLAGS="${CPPFLAGS} -I${with_ldap}/include"
        with_ldap=yes
-       LDAP=""
     fi
     fi
-    SUDO_OBJS="${SUDO_OBJS} ldap.o"
+    SUDOERS_OBJS="${SUDOERS_OBJS} ldap.lo"
+    LDAP=""
 
     AC_MSG_CHECKING([for LDAP libraries])
     LDAP_LIBS=""
 
     AC_MSG_CHECKING([for LDAP libraries])
     LDAP_LIBS=""
@@ -2368,6 +3013,17 @@ if test ${with_ldap-'no'} != "no"; then
        #include <lber.h>
        #include <ldap.h>]], [[(void)ldap_init(0, 0)]])], [found=yes; break])
     done
        #include <lber.h>
        #include <ldap.h>]], [[(void)ldap_init(0, 0)]])], [found=yes; break])
     done
+    if test "$found" = "no"; then
+       LDAP_LIBS=""
+       LIBS="$_LIBS"
+       for l in -libmldap -lidsldif; do
+           LIBS="${LIBS} $l"
+           LDAP_LIBS="${LDAP_LIBS} $l"
+           AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <sys/types.h>
+           #include <lber.h>
+           #include <ldap.h>]], [[(void)ldap_init(0, 0)]])], [found=yes; break])
+       done
+    fi
     dnl if nothing linked just try with -lldap
     if test "$found" = "no"; then
        LIBS="${_LIBS} -lldap"
     dnl if nothing linked just try with -lldap
     if test "$found" = "no"; then
        LIBS="${_LIBS} -lldap"
@@ -2389,9 +3045,10 @@ if test ${with_ldap-'no'} != "no"; then
     AC_MSG_RESULT([yes])
     AC_DEFINE(HAVE_LBER_H)])
 
     AC_MSG_RESULT([yes])
     AC_DEFINE(HAVE_LBER_H)])
 
-    AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldap_sasl_interactive_bind_s ldapssl_init ldapssl_set_strength ldap_search_ext_s ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s)
-    AC_CHECK_HEADERS([sasl/sasl.h])
+    AC_CHECK_HEADERS([sasl/sasl.h] [sasl.h], [AC_CHECK_FUNCS(ldap_sasl_interactive_bind_s)], [break])
     AC_CHECK_HEADERS([ldap_ssl.h] [mps/ldap_ssl.h], [break], [], [#include <ldap.h>])
     AC_CHECK_HEADERS([ldap_ssl.h] [mps/ldap_ssl.h], [break], [], [#include <ldap.h>])
+    AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s ldap_ssl_client_init ldap_start_tls_s_np)
+    AC_CHECK_FUNCS(ldap_search_ext_s ldap_search_st, [break])
 
     if test X"$check_gss_krb5_ccache_name" = X"yes"; then
        AC_CHECK_LIB(gssapi, gss_krb5_ccache_name,
 
     if test X"$check_gss_krb5_ccache_name" = X"yes"; then
        AC_CHECK_LIB(gssapi, gss_krb5_ccache_name,
@@ -2407,7 +3064,7 @@ if test ${with_ldap-'no'} != "no"; then
        O_CPPFLAGS="$CPPFLAGS"
        for dir in "" "kerberosV" "krb5" "kerberos5" "kerberosv5"; do
            test X"$dir" != X"" && CPPFLAGS="$O_CPPFLAGS -I/usr/include/${dir}"
        O_CPPFLAGS="$CPPFLAGS"
        for dir in "" "kerberosV" "krb5" "kerberos5" "kerberosv5"; do
            test X"$dir" != X"" && CPPFLAGS="$O_CPPFLAGS -I/usr/include/${dir}"
-           AC_PREPROC_IFELSE([#include <gssapi/gssapi.h>], [found="gssapi/gssapi.h"; break], [AC_PREPROC_IFELSE([#include <gssapi.h>], [found="gssapi.h"; break])])
+           AC_PREPROC_IFELSE([AC_LANG_PROGRAM([[#include <gssapi/gssapi.h>]])], [found="gssapi/gssapi.h"; break], [AC_PREPROC_IFELSE([AC_LANG_PROGRAM([[#include <gssapi.h>]])], [found="gssapi.h"; break])])
        done
        if test X"$found" != X"no"; then
            AC_CHECK_HEADERS([$found])
        done
        if test X"$found" != X"no"; then
            AC_CHECK_HEADERS([$found])
@@ -2420,35 +3077,87 @@ if test ${with_ldap-'no'} != "no"; then
        fi
     fi
 
        fi
     fi
 
-    SUDO_LIBS="${SUDO_LIBS} ${LDAP_LIBS}"
+    SUDOERS_LIBS="${SUDOERS_LIBS} ${LDAP_LIBS}"
     LIBS="$_LIBS"
     LDFLAGS="$_LDFLAGS"
 fi
 
     LIBS="$_LIBS"
     LDFLAGS="$_LDFLAGS"
 fi
 
+#
+# How to do dynamic object loading.
+# We support dlopen() and sh_load(), else fall back to static loading.
+#
+case "$lt_cv_dlopen" in
+    dlopen)
+       AC_DEFINE(HAVE_DLOPEN)
+       SUDOERS_OBJS="$SUDOERS_OBJS plugin_error.lo"
+       LT_STATIC="--tag=disable-static"
+       ;;
+    shl_load)
+       AC_DEFINE(HAVE_SHL_LOAD)
+       SUDOERS_OBJS="$SUDOERS_OBJS plugin_error.lo"
+       LT_STATIC="--tag=disable-static"
+       AC_LIBOBJ(dlopen)
+       ;;
+    *)
+       if test X"${ac_cv_func_dlopen}" = X"yes"; then
+           AC_MSG_ERROR(["dlopen present but libtool doesn't appear to support your platform."])
+       fi
+       # Preload sudoers module symbols
+       SUDO_OBJS="${SUDO_OBJS} preload.o"
+       SUDO_LIBS="${SUDO_LIBS} \$(top_builddir)/plugins/sudoers/sudoers.la"
+       LT_STATIC=""
+       AC_LIBOBJ(dlopen)
+       ;;
+esac
+
+#
+# Add library needed for dynamic loading, if any.
+#
+LIBDL="$lt_cv_dlopen_libs"
+if test X"$LIBDL" != X""; then
+    SUDO_LIBS="${SUDO_LIBS} $LIBDL"
+    SUDOERS_LIBS="${SUDOERS_LIBS} $LIBDL"
+fi
+
+# On HP-UX, you cannot dlopen() a shared object that uses pthreads
+# unless the main program is linked against -lpthread.  Since we
+# have no knowledge what libraries a plugin may depend on, we always
+# link against -lpthread on HP-UX if it is available.
+# This check should go after all other libraries tests.
+case "$host" in
+    *-*-hpux*)
+       AC_CHECK_LIB(pthread, main, [SUDO_LIBS="${SUDO_LIBS} -lpthread"])
+       ;;
+esac
+
 dnl
 dnl
-dnl Add $blibpath to SUDO_LDFLAGS if specified by the user or if we
-dnl added -L dirpaths to SUDO_LDFLAGS.
+dnl Add $blibpath to SUDOERS_LDFLAGS if specified by the user or if we
+dnl added -L dirpaths to SUDOERS_LDFLAGS.
 dnl
 if test -n "$blibpath"; then
     if test -n "$blibpath_add"; then
 dnl
 if test -n "$blibpath"; then
     if test -n "$blibpath_add"; then
-       SUDO_LDFLAGS="$SUDO_LDFLAGS -Wl,-blibpath:${blibpath}${blibpath_add}"
+       SUDOERS_LDFLAGS="$SUDOERS_LDFLAGS -Wl,-blibpath:${blibpath}${blibpath_add}"
     elif test -n "$with_blibpath" -a "$with_blibpath" != "yes"; then
     elif test -n "$with_blibpath" -a "$with_blibpath" != "yes"; then
-       SUDO_LDFLAGS="$SUDO_LDFLAGS -Wl,-blibpath:${blibpath}"
+       SUDOERS_LDFLAGS="$SUDOERS_LDFLAGS -Wl,-blibpath:${blibpath}"
     fi
 fi
 
 dnl
     fi
 fi
 
 dnl
-dnl Check for log file and timestamp locations
+dnl Check for log file, timestamp and iolog locations
 dnl
 dnl
+if test "$utmp_style" = "LEGACY"; then
+    SUDO_PATH_UTMP
+fi
 SUDO_LOGFILE
 SUDO_TIMEDIR
 SUDO_LOGFILE
 SUDO_TIMEDIR
+SUDO_IO_LOGDIR
 
 dnl
 
 dnl
-dnl Use passwd (and secureware) auth modules?
+dnl Use passwd auth module?
 dnl
 case "$with_passwd" in
 yes|maybe)
 dnl
 case "$with_passwd" in
 yes|maybe)
-    AUTH_OBJS="$AUTH_OBJS passwd.o"
+    AUTH_OBJS="$AUTH_OBJS getspwuid.lo passwd.lo"
     ;;
 *)
     AC_DEFINE(WITHOUT_PASSWD)
     ;;
 *)
     AC_DEFINE(WITHOUT_PASSWD)
@@ -2458,24 +3167,36 @@ yes|maybe)
     ;;
 esac
 AUTH_OBJS=${AUTH_OBJS# }
     ;;
 esac
 AUTH_OBJS=${AUTH_OBJS# }
-_AUTH=`echo "$AUTH_OBJS" | sed 's/\.o//g'`
+_AUTH=`echo "$AUTH_OBJS" | sed -e 's/\.lo//g' -e 's/getspwuid *//'`
 AC_MSG_NOTICE([using the following authentication methods: $_AUTH])
 
 dnl
 AC_MSG_NOTICE([using the following authentication methods: $_AUTH])
 
 dnl
-dnl LIBS may contain duplicates from SUDO_LIBS or NET_LIBS so prune it.
+dnl LIBS may contain duplicates from SUDO_LIBS, SUDOERS_LIBS, or NET_LIBS
 dnl
 if test -n "$LIBS"; then
     L="$LIBS"
     LIBS=
     for l in ${L}; do
        dupe=0
 dnl
 if test -n "$LIBS"; then
     L="$LIBS"
     LIBS=
     for l in ${L}; do
        dupe=0
-       for sl in ${SUDO_LIBS} ${NET_LIBS}; do
+       for sl in ${SUDO_LIBS} ${SUDOERS_LIBS} ${NET_LIBS}; do
            test $l = $sl && dupe=1
        done
        test $dupe = 0 && LIBS="${LIBS} $l"
     done
 fi
 
            test $l = $sl && dupe=1
        done
        test $dupe = 0 && LIBS="${LIBS} $l"
     done
 fi
 
+dnl
+dnl We add -Wall and -Werror after all tests so they don't cause failures
+dnl
+if test -n "$GCC"; then
+    if test X"$enable_warnings" = X"yes" -o X"$with_devel" = X"yes"; then
+       CFLAGS="${CFLAGS} -Wall"
+    fi
+    if test X"$enable_werror" = X"yes"; then
+       CFLAGS="${CFLAGS} -Werror"
+    fi
+fi
+
 dnl
 dnl Set exec_prefix
 dnl
 dnl
 dnl Set exec_prefix
 dnl
@@ -2495,23 +3216,58 @@ if test X"$with_noexec" != X"no" -o X"$with_selinux" != X"no"; then
        fi
     fi
     if test X"$with_noexec" != X"no"; then
        fi
     fi
     if test X"$with_noexec" != X"no"; then
-       PROGS="${PROGS} sudo_noexec.la"
+       PROGS="${PROGS} libsudo_noexec.la"
        INSTALL_NOEXEC="install-noexec"
 
        INSTALL_NOEXEC="install-noexec"
 
-       eval noexec_file="$with_noexec"
-       AC_DEFINE_UNQUOTED(_PATH_SUDO_NOEXEC, "$noexec_file", [The fully qualified pathname of sudo_noexec.so])
+       noexec_file="$with_noexec"
+       _noexec_file=
+       while test X"$noexec_file" != X"$_noexec_file"; do
+           _noexec_file="$noexec_file"
+           eval noexec_file="$_noexec_file"
+       done
+       SUDO_DEFINE_UNQUOTED(_PATH_SUDO_NOEXEC, "$noexec_file", [The fully qualified pathname of sudo_noexec.so])
     fi
     if test X"$with_selinux" != X"no"; then
     fi
     if test X"$with_selinux" != X"no"; then
-       eval sesh_file="$libexecdir/sesh"
-       AC_DEFINE_UNQUOTED(_PATH_SUDO_SESH, "$sesh_file", [The fully qualified pathname of sesh])
+       sesh_file="$libexecdir/sesh"
+       _sesh_file=
+       while test X"$sesh_file" != X"$_sesh_file"; do
+           _sesh_file="$sesh_file"
+           eval sesh_file="$_sesh_file"
+       done
+       SUDO_DEFINE_UNQUOTED(_PATH_SUDO_SESH, "$sesh_file", [The fully qualified pathname of sesh])
     fi
     fi
+    PLUGINDIR="$with_plugindir"
+    _PLUGINDIR=
+    while test X"$PLUGINDIR" != X"$_PLUGINDIR"; do
+       _PLUGINDIR="$PLUGINDIR"
+       eval PLUGINDIR="$_PLUGINDIR"
+    done
+    SUDO_DEFINE_UNQUOTED(_PATH_SUDO_PLUGIN_DIR, "$PLUGINDIR/")
+    SUDO_DEFINE_UNQUOTED(SUDOERS_PLUGIN, "sudoers${SOEXT}")
     exec_prefix="$oexec_prefix"
 fi
 
     exec_prefix="$oexec_prefix"
 fi
 
+dnl
+dnl Override default configure dirs for the Makefile
+dnl
+if test X"$prefix" = X"NONE"; then
+    test "$mandir" = '${datarootdir}/man' && mandir='$(prefix)/man'
+else
+    test "$mandir" = '${datarootdir}/man' && mandir='$(datarootdir)/man'
+fi
+test "$bindir" = '${exec_prefix}/bin' && bindir='$(exec_prefix)/bin'
+test "$sbindir" = '${exec_prefix}/sbin' && sbindir='$(exec_prefix)/sbin'
+test "$libexecdir" = '${exec_prefix}/libexec' && libexecdir='$(exec_prefix)/libexec'
+test "$includedir" = '${prefix}/include' && includedir='$(prefix)/include'
+test "$datarootdir" = '${prefix}/share' && datarootdir='$(prefix)/share'
+test "$docdir" = '${datarootdir}/doc/${PACKAGE_TARNAME}' && docdir='$(datarootdir)/doc/$(PACKAGE_TARNAME)'
+test "$sysconfdir" = '${prefix}/etc' -a X"$with_stow" != X"yes" && sysconfdir='/etc'
+
 dnl
 dnl Substitute into the Makefile and man pages
 dnl
 dnl
 dnl Substitute into the Makefile and man pages
 dnl
-AC_CONFIG_FILES([Makefile sudo.man visudo.man sudoers.man sudoers.ldap.man sudo_usage.h])
+dnl AC_CONFIG_FILES([doc/sudo.man doc/visudo.man doc/sudoers.man doc/sudoers.ldap.man doc/sudoreplay.man src/Makefile src/sudo_usage.h])
+AC_CONFIG_FILES([Makefile common/Makefile compat/Makefile doc/Makefile include/Makefile src/sudo_usage.h src/Makefile plugins/sample/Makefile plugins/sample_group/Makefile plugins/system_group/Makefile plugins/sudoers/Makefile plugins/sudoers/sudoers])
 AC_OUTPUT
 
 dnl
 AC_OUTPUT
 
 dnl
@@ -2519,6 +3275,12 @@ dnl Spew any text the user needs to know about
 dnl
 if test "$with_pam" = "yes"; then
     case $host in
 dnl
 if test "$with_pam" = "yes"; then
     case $host in
+       *-*-hpux*)
+           if test -f /usr/lib/security/libpam_hpsec.so.1; then
+               AC_MSG_NOTICE([You may wish to add the following line to /etc/pam.conf])
+               AC_MSG_NOTICE([sudo session required libpam_hpsec.so.1 bypass_umask bypass_last_login])
+           fi
+           ;;
        *-*-linux*)
            AC_MSG_NOTICE([You will need to customize sample.pam and install it as /etc/pam.d/sudo])
            ;;
        *-*-linux*)
            AC_MSG_NOTICE([You will need to customize sample.pam and install it as /etc/pam.d/sudo])
            ;;
@@ -2531,20 +3293,23 @@ dnl
 AH_TEMPLATE(BROKEN_SYSLOG, [Define to 1 if the `syslog' function returns a non-zero int to denote failure.])
 AH_TEMPLATE(CLASSIC_INSULTS, [Define to 1 if you want the insults from the "classic" version sudo.])
 AH_TEMPLATE(CSOPS_INSULTS, [Define to 1 if you want insults culled from the twisted minds of CSOps.])
 AH_TEMPLATE(BROKEN_SYSLOG, [Define to 1 if the `syslog' function returns a non-zero int to denote failure.])
 AH_TEMPLATE(CLASSIC_INSULTS, [Define to 1 if you want the insults from the "classic" version sudo.])
 AH_TEMPLATE(CSOPS_INSULTS, [Define to 1 if you want insults culled from the twisted minds of CSOps.])
+AH_TEMPLATE(SUDOERS_PLUGIN, [The name of the sudoers plugin, including extension.])
 AH_TEMPLATE(DONT_LEAK_PATH_INFO, [Define to 1 if you want sudo to display "command not allowed" instead of "command not found" when a command cannot be found.])
 AH_TEMPLATE(DONT_LEAK_PATH_INFO, [Define to 1 if you want sudo to display "command not allowed" instead of "command not found" when a command cannot be found.])
+AH_TEMPLATE(ENV_DEBUG, [Define to 1 to enable environment function debugging.])
 AH_TEMPLATE(ENV_EDITOR, [Define to 1 if you want visudo to honor the EDITOR and VISUAL env variables.])
 AH_TEMPLATE(FQDN, [Define to 1 if you want to require fully qualified hosts in sudoers.])
 AH_TEMPLATE(ENV_EDITOR, [Define to 1 if you want visudo to honor the EDITOR and VISUAL env variables.])
 AH_TEMPLATE(FQDN, [Define to 1 if you want to require fully qualified hosts in sudoers.])
+AH_TEMPLATE(ENV_RESET, [Define to 1 to enable environment resetting by default.])
 AH_TEMPLATE(GOONS_INSULTS, [Define to 1 if you want insults from the "Goon Show".])
 AH_TEMPLATE(HAL_INSULTS, [Define to 1 if you want 2001-like insults.])
 AH_TEMPLATE(HAVE_AFS, [Define to 1 if you use AFS.])
 AH_TEMPLATE(HAVE_AIXAUTH, [Define to 1 if you use AIX general authentication.])
 AH_TEMPLATE(HAVE_BSD_AUTH_H, [Define to 1 if you use BSD authentication.])
 AH_TEMPLATE(GOONS_INSULTS, [Define to 1 if you want insults from the "Goon Show".])
 AH_TEMPLATE(HAL_INSULTS, [Define to 1 if you want 2001-like insults.])
 AH_TEMPLATE(HAVE_AFS, [Define to 1 if you use AFS.])
 AH_TEMPLATE(HAVE_AIXAUTH, [Define to 1 if you use AIX general authentication.])
 AH_TEMPLATE(HAVE_BSD_AUTH_H, [Define to 1 if you use BSD authentication.])
+AH_TEMPLATE(HAVE_BSM_AUDIT, [Define to 1 to enable BSM audit support.])
 AH_TEMPLATE(HAVE_DCE, [Define to 1 if you use OSF DCE.])
 AH_TEMPLATE(HAVE_DD_FD, [Define to 1 if your `DIR' contains dd_fd.])
 AH_TEMPLATE(HAVE_DIRFD, [Define to 1 if you have the `dirfd' function or macro.])
 AH_TEMPLATE(HAVE_DCE, [Define to 1 if you use OSF DCE.])
 AH_TEMPLATE(HAVE_DD_FD, [Define to 1 if your `DIR' contains dd_fd.])
 AH_TEMPLATE(HAVE_DIRFD, [Define to 1 if you have the `dirfd' function or macro.])
-AH_TEMPLATE(HAVE_DGETTEXT, [Define to 1 if you have the `dgettext' function.])
 AH_TEMPLATE(HAVE_DISPCRYPT, [Define to 1 if you have the `dispcrypt' function.])
 AH_TEMPLATE(HAVE_DISPCRYPT, [Define to 1 if you have the `dispcrypt' function.])
-AH_TEMPLATE(HAVE_EXTENDED_GLOB, [Define to 1 if your glob.h defines the GLOB_BRACE and GLOB_TILDE flags.])
+AH_TEMPLATE(HAVE_DLOPEN, [Define to 1 if you have the `dlopen' function.])
 AH_TEMPLATE(HAVE_FCNTL_CLOSEM, [Define to 1 if your system has the F_CLOSEM fcntl.])
 AH_TEMPLATE(HAVE_FNMATCH, [Define to 1 if you have the `fnmatch' function.])
 AH_TEMPLATE(HAVE_FWTK, [Define to 1 if you use the FWTK authsrv daemon.])
 AH_TEMPLATE(HAVE_FCNTL_CLOSEM, [Define to 1 if your system has the F_CLOSEM fcntl.])
 AH_TEMPLATE(HAVE_FNMATCH, [Define to 1 if you have the `fnmatch' function.])
 AH_TEMPLATE(HAVE_FWTK, [Define to 1 if you use the FWTK authsrv daemon.])
@@ -2555,31 +3320,31 @@ AH_TEMPLATE(HAVE_GETSPNAM, [Define to 1 if you have the `getspnam' function (SVR
 AH_TEMPLATE(HAVE_GETSPWUID, [Define to 1 if you have the `getspwuid' function. (HP-UX <= 9.X shadow passwords)])
 AH_TEMPLATE(HAVE_GSS_KRB5_CCACHE_NAME, [Define to 1 if you have the `gss_krb5_ccache_name' function.])
 AH_TEMPLATE(HAVE_HEIMDAL, [Define to 1 if your Kerberos is Heimdal.])
 AH_TEMPLATE(HAVE_GETSPWUID, [Define to 1 if you have the `getspwuid' function. (HP-UX <= 9.X shadow passwords)])
 AH_TEMPLATE(HAVE_GSS_KRB5_CCACHE_NAME, [Define to 1 if you have the `gss_krb5_ccache_name' function.])
 AH_TEMPLATE(HAVE_HEIMDAL, [Define to 1 if your Kerberos is Heimdal.])
-AH_TEMPLATE(HAVE_IN6_ADDR, [Define to 1 if <netinet/in.h> contains struct in6_addr.])
 AH_TEMPLATE(HAVE_ISCOMSEC, [Define to 1 if you have the `iscomsec' function. (HP-UX >= 10.x check for shadow enabled)])
 AH_TEMPLATE(HAVE_ISSECURE, [Define to 1 if you have the `issecure' function. (SunOS 4.x check for shadow enabled)])
 AH_TEMPLATE(HAVE_ISCOMSEC, [Define to 1 if you have the `iscomsec' function. (HP-UX >= 10.x check for shadow enabled)])
 AH_TEMPLATE(HAVE_ISSECURE, [Define to 1 if you have the `issecure' function. (SunOS 4.x check for shadow enabled)])
-AH_TEMPLATE(HAVE_KERB4, [Define to 1 if you use Kerberos IV.])
 AH_TEMPLATE(HAVE_KERB5, [Define to 1 if you use Kerberos V.])
 AH_TEMPLATE(HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC, [Define to 1 if you have the `krb5_get_init_creds_opt_alloc' function.])
 AH_TEMPLATE(HAVE_KERB5, [Define to 1 if you use Kerberos V.])
 AH_TEMPLATE(HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC, [Define to 1 if you have the `krb5_get_init_creds_opt_alloc' function.])
-AH_TEMPLATE(HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS, [Define to 1 if your `krb5_get_init_creds_opt_alloc' function takes two arguments.])
+AH_TEMPLATE(HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS, [Define to 1 if your `krb5_get_init_creds_opt_free' function takes two arguments.])
 AH_TEMPLATE(HAVE_KRB5_INIT_SECURE_CONTEXT, [Define to 1 if you have the `krb5_init_secure_context' function.])
 AH_TEMPLATE(HAVE_KRB5_VERIFY_USER, [Define to 1 if you have the `krb5_verify_user' function.])
 AH_TEMPLATE(HAVE_LBER_H, [Define to 1 if your LDAP needs <lber.h>. (OpenLDAP does not)])
 AH_TEMPLATE(HAVE_LDAP, [Define to 1 if you use LDAP for sudoers.])
 AH_TEMPLATE(HAVE_KRB5_INIT_SECURE_CONTEXT, [Define to 1 if you have the `krb5_init_secure_context' function.])
 AH_TEMPLATE(HAVE_KRB5_VERIFY_USER, [Define to 1 if you have the `krb5_verify_user' function.])
 AH_TEMPLATE(HAVE_LBER_H, [Define to 1 if your LDAP needs <lber.h>. (OpenLDAP does not)])
 AH_TEMPLATE(HAVE_LDAP, [Define to 1 if you use LDAP for sudoers.])
+AH_TEMPLATE(HAVE_LIBINTL_H, [Define to 1 if you have the <libintl.h> header file.])
+AH_TEMPLATE(HAVE_LINUX_AUDIT, [Define to 1 to enable Linux audit support.])
 AH_TEMPLATE(HAVE_OPIE, [Define to 1 if you use NRL OPIE.])
 AH_TEMPLATE(HAVE_PAM, [Define to 1 if you use PAM authentication.])
 AH_TEMPLATE(HAVE_OPIE, [Define to 1 if you use NRL OPIE.])
 AH_TEMPLATE(HAVE_PAM, [Define to 1 if you use PAM authentication.])
+AH_TEMPLATE(HAVE_PAM_LOGIN, [Define to 1 if you use a specific PAM session for sudo -i.])
 AH_TEMPLATE(HAVE_PROJECT_H, [Define to 1 if you have the <project.h> header file.])
 AH_TEMPLATE(HAVE_SECURID, [Define to 1 if you use SecurID for authentication.])
 AH_TEMPLATE(HAVE_SELINUX, [Define to 1 to enable SELinux RBAC support.])
 AH_TEMPLATE(HAVE_PROJECT_H, [Define to 1 if you have the <project.h> header file.])
 AH_TEMPLATE(HAVE_SECURID, [Define to 1 if you use SecurID for authentication.])
 AH_TEMPLATE(HAVE_SELINUX, [Define to 1 to enable SELinux RBAC support.])
-AH_TEMPLATE(HAVE_SIGACTION_T, [Define to 1 if <signal.h> has the sigaction_t typedef.])
+AH_TEMPLATE(HAVE_SETKEYCREATECON, [Define to 1 if you have the `setkeycreatecon' function.])
+AH_TEMPLATE(HAVE_SHL_LOAD, [Define to 1 if you have the `shl_load' function.])
 AH_TEMPLATE(HAVE_SKEY, [Define to 1 if you use S/Key.])
 AH_TEMPLATE(HAVE_SKEYACCESS, [Define to 1 if your S/Key library has skeyaccess().])
 AH_TEMPLATE(HAVE_SKEY, [Define to 1 if you use S/Key.])
 AH_TEMPLATE(HAVE_SKEYACCESS, [Define to 1 if your S/Key library has skeyaccess().])
+AH_TEMPLATE(HAVE_RFC1938_SKEYCHALLENGE, [Define to 1 if the skeychallenge() function is RFC1938-compliant and takes 4 arguments])
 AH_TEMPLATE(HAVE_ST__TIM, [Define to 1 if your struct stat uses an st__tim union])
 AH_TEMPLATE(HAVE_ST_MTIM, [Define to 1 if your struct stat has an st_mtim member])
 AH_TEMPLATE(HAVE_ST_MTIMESPEC, [Define to 1 if your struct stat has an st_mtimespec member])
 AH_TEMPLATE(HAVE_ST__TIM, [Define to 1 if your struct stat uses an st__tim union])
 AH_TEMPLATE(HAVE_ST_MTIM, [Define to 1 if your struct stat has an st_mtim member])
 AH_TEMPLATE(HAVE_ST_MTIMESPEC, [Define to 1 if your struct stat has an st_mtimespec member])
-AH_TEMPLATE(HAVE_TERMIOS_H, [Define to 1 if you have the <termios.h> header file and the `tcgetattr' function.])
-AH_TEMPLATE(HAVE_TIMESPEC, [Define to 1 if you have struct timespec in sys/time.h])
-AH_TEMPLATE(HAVE_TIMESPECSUB2, [Define to 1 if you have a timespecsub macro or function that takes two arguments (not three)])
 AH_TEMPLATE(HAVE___PROGNAME, [Define to 1 if your crt0.o defines the __progname symbol for you.])
 AH_TEMPLATE(HOST_IN_LOG, [Define to 1 if you want the hostname to be entered into the log file.])
 AH_TEMPLATE(IGNORE_DOT_PATH, [Define to 1 if you want to ignore '.' and empty PATH elements])
 AH_TEMPLATE(HAVE___PROGNAME, [Define to 1 if your crt0.o defines the __progname symbol for you.])
 AH_TEMPLATE(HOST_IN_LOG, [Define to 1 if you want the hostname to be entered into the log file.])
 AH_TEMPLATE(IGNORE_DOT_PATH, [Define to 1 if you want to ignore '.' and empty PATH elements])
@@ -2587,8 +3352,10 @@ AH_TEMPLATE(LOGGING, [Define to SLOG_SYSLOG, SLOG_FILE, or SLOG_BOTH.])
 AH_TEMPLATE(LONG_OTP_PROMPT, [Define to 1 if you want a two line OTP (S/Key or OPIE) prompt.])
 AH_TEMPLATE(NO_AUTHENTICATION, [Define to 1 if you don't want sudo to prompt for a password by default.])
 AH_TEMPLATE(NO_LECTURE, [Define to 1 if you don't want users to get the lecture the first they user sudo.])
 AH_TEMPLATE(LONG_OTP_PROMPT, [Define to 1 if you want a two line OTP (S/Key or OPIE) prompt.])
 AH_TEMPLATE(NO_AUTHENTICATION, [Define to 1 if you don't want sudo to prompt for a password by default.])
 AH_TEMPLATE(NO_LECTURE, [Define to 1 if you don't want users to get the lecture the first they user sudo.])
+AH_TEMPLATE(NO_PAM_SESSION, [Define to 1 if you don't want to use sudo's PAM session support])
 AH_TEMPLATE(NO_ROOT_MAILER, [Define to avoid runing the mailer as root.])
 AH_TEMPLATE(NO_ROOT_SUDO, [Define to 1 if root should not be allowed to use sudo.])
 AH_TEMPLATE(NO_ROOT_MAILER, [Define to avoid runing the mailer as root.])
 AH_TEMPLATE(NO_ROOT_SUDO, [Define to 1 if root should not be allowed to use sudo.])
+AH_TEMPLATE(NO_TTY_TICKETS, [Define to 1 if you want a single ticket file instead of per-tty files.])
 AH_TEMPLATE(PC_INSULTS, [Define to 1 to replace politically incorrect insults with less offensive ones.])
 AH_TEMPLATE(SECURE_PATH, [Define to 1 to override the user's path with a built-in one.])
 AH_TEMPLATE(SEND_MAIL_WHEN_NOT_OK, [Define to 1 to send mail when the user is not allowed to run a command.])
 AH_TEMPLATE(PC_INSULTS, [Define to 1 to replace politically incorrect insults with less offensive ones.])
 AH_TEMPLATE(SECURE_PATH, [Define to 1 to override the user's path with a built-in one.])
 AH_TEMPLATE(SEND_MAIL_WHEN_NOT_OK, [Define to 1 to send mail when the user is not allowed to run a command.])
@@ -2597,12 +3364,22 @@ AH_TEMPLATE(SEND_MAIL_WHEN_NO_USER, [Define to 1 to send mail when the user is n
 AH_TEMPLATE(SHELL_IF_NO_ARGS, [Define to 1 if you want sudo to start a shell if given no arguments.])
 AH_TEMPLATE(SHELL_SETS_HOME, [Define to 1 if you want sudo to set $HOME in shell mode.])
 AH_TEMPLATE(STUB_LOAD_INTERFACES, [Define to 1 if the code in interfaces.c does not compile for you.])
 AH_TEMPLATE(SHELL_IF_NO_ARGS, [Define to 1 if you want sudo to start a shell if given no arguments.])
 AH_TEMPLATE(SHELL_SETS_HOME, [Define to 1 if you want sudo to set $HOME in shell mode.])
 AH_TEMPLATE(STUB_LOAD_INTERFACES, [Define to 1 if the code in interfaces.c does not compile for you.])
+AH_TEMPLATE(UMASK_OVERRIDE, [Define to 1 to use the umask specified in sudoers even when it is less restrictive than the invoking user's.])
+AH_TEMPLATE(USE_ADMIN_FLAG, [Define to 1 if you want to create ~/.sudo_as_admin_successful if the user is in the admin group the first time they run sudo.])
 AH_TEMPLATE(USE_INSULTS, [Define to 1 if you want to insult the user for entering an incorrect password.])
 AH_TEMPLATE(USE_STOW, [Define to 1 if you use GNU stow packaging.])
 AH_TEMPLATE(USE_INSULTS, [Define to 1 if you want to insult the user for entering an incorrect password.])
 AH_TEMPLATE(USE_STOW, [Define to 1 if you use GNU stow packaging.])
-AH_TEMPLATE(USE_TTY_TICKETS, [Define to 1 if you want a different ticket file for each tty.])
 AH_TEMPLATE(WITHOUT_PASSWD, [Define to avoid using the passwd/shadow file for authentication.])
 AH_TEMPLATE(sig_atomic_t, [Define to `int' if <signal.h> does not define.])
 AH_TEMPLATE(__signed, [Define to `signed' or nothing if compiler does not support a signed type qualifier.])
 AH_TEMPLATE(WITHOUT_PASSWD, [Define to avoid using the passwd/shadow file for authentication.])
 AH_TEMPLATE(sig_atomic_t, [Define to `int' if <signal.h> does not define.])
 AH_TEMPLATE(__signed, [Define to `signed' or nothing if compiler does not support a signed type qualifier.])
+AH_TEMPLATE(socklen_t, [Define to `unsigned int' if <sys/socket.h> doesn't define.])
+AH_TEMPLATE(HAVE_STRUCT_UTMP_UT_EXIT, [Define to 1 if `ut_exit' is a member of `struct utmp'.])
+AH_TEMPLATE(HAVE_STRUCT_UTMPX_UT_EXIT, [Define to 1 if `ut_exit' is a member of `struct utmpx'.])
+AH_TEMPLATE(HAVE___FUNC__, [Define to 1 if the compiler supports the C99 __func__ variable.])
+AH_TEMPLATE(SUDO_KRB5_INSTANCE, [An instance string to append to the username (separated by a slash) for Kerberos V authentication])
+AH_TEMPLATE(RTLD_PRELOAD_VAR, [The environment variable that controls preloading of dynamic objects.])
+AH_TEMPLATE(RTLD_PRELOAD_ENABLE_VAR, [An extra environment variable that is required to enable preloading (if any).])
+AH_TEMPLATE(RTLD_PRELOAD_DELIM, [The delimiter to use when defining multiple preloaded objects.])
+AH_TEMPLATE(RTLD_PRELOAD_DEFAULT, [The default value of preloaded objects (if any).])
 
 dnl
 dnl Bits to copy verbatim into config.h.in
 
 dnl
 dnl Bits to copy verbatim into config.h.in
@@ -2611,37 +3388,38 @@ AH_TOP([#ifndef _SUDO_CONFIG_H
 #define _SUDO_CONFIG_H])
 
 AH_BOTTOM([/*
 #define _SUDO_CONFIG_H])
 
 AH_BOTTOM([/*
- * Macros to pull sec and nsec parts of mtime from struct stat.
- * We need to be able to convert between timeval and timespec
- * so the last 3 digits of tv_nsec are not significant.
+ * Macros to convert ctime and mtime into timevals.
  */
  */
+#define timespec2timeval(_ts, _tv) do {                                        \
+    (_tv)->tv_sec = (_ts)->tv_sec;                                     \
+    (_tv)->tv_usec = (_ts)->tv_nsec / 1000;                            \
+} while (0)
+
 #ifdef HAVE_ST_MTIM
 # ifdef HAVE_ST__TIM
 #ifdef HAVE_ST_MTIM
 # ifdef HAVE_ST__TIM
-#  define mtim_getsec(_x)      ((_x).st_mtim.st__tim.tv_sec)
-#  define mtim_getnsec(_x)     (((_x).st_mtim.st__tim.tv_nsec / 1000) * 1000)
+#  define ctim_get(_x, _y)     timespec2timeval(&(_x)->st_ctim.st__tim, (_y))
+#  define mtim_get(_x, _y)     timespec2timeval(&(_x)->st_mtim.st__tim, (_y))
 # else
 # else
-#  define mtim_getsec(_x)      ((_x).st_mtim.tv_sec)
-#  define mtim_getnsec(_x)     (((_x).st_mtim.tv_nsec / 1000) * 1000)
+#  define ctim_get(_x, _y)     timespec2timeval(&(_x)->st_ctim, (_y))
+#  define mtim_get(_x, _y)     timespec2timeval(&(_x)->st_mtim, (_y))
 # endif
 #else
 # ifdef HAVE_ST_MTIMESPEC
 # endif
 #else
 # ifdef HAVE_ST_MTIMESPEC
-#  define mtim_getsec(_x)      ((_x).st_mtimespec.tv_sec)
-#  define mtim_getnsec(_x)     (((_x).st_mtimespec.tv_nsec / 1000) * 1000)
+#  define ctim_get(_x, _y)     timespec2timeval(&(_x)->st_ctimespec, (_y))
+#  define mtim_get(_x, _y)     timespec2timeval(&(_x)->st_mtimespec, (_y))
 # else
 # else
-#  define mtim_getsec(_x)      ((_x).st_mtime)
-#  define mtim_getnsec(_x)     (0)
+#  define ctim_get(_x, _y)     do { (_y)->tv_sec = (_x)->st_ctime; (_y)->tv_usec = 0; } while (0)
+#  define mtim_get(_x, _y)     do { (_y)->tv_sec = (_x)->st_mtime; (_y)->tv_usec = 0; } while (0)
 # endif /* HAVE_ST_MTIMESPEC */
 #endif /* HAVE_ST_MTIM */
 
 # endif /* HAVE_ST_MTIMESPEC */
 #endif /* HAVE_ST_MTIM */
 
-/*
- * Emulate a subset of waitpid() if we don't have it.
- */
-#ifdef HAVE_WAITPID
-# define sudo_waitpid(p, s, o) waitpid(p, s, o)
+#ifdef __GNUC__
+# define ignore_result(x) do {                                                \
+    __typeof__(x) y = (x);                                                    \
+    (void)y;                                                                  \
+} while(0)
 #else
 #else
-# ifdef HAVE_WAIT3
-#  define sudo_waitpid(p, s, o)        wait3(s, o, NULL)
-# endif
+# define ignore_result(x)      (void)(x)
 #endif
 
 /* GNU stow needs /etc/sudoers to be a symlink. */
 #endif
 
 /* GNU stow needs /etc/sudoers to be a symlink. */
@@ -2659,7 +3437,7 @@ AH_BOTTOM([/*
 #undef ISSET
 #define ISSET(t, f)     ((t) & (f))
 
 #undef ISSET
 #define ISSET(t, f)     ((t) & (f))
 
-/* New ANSI-style OS defs for HP-UX and ConvexOS. */
+/* ANSI-style OS defs for HP-UX and ConvexOS. */
 #if defined(hpux) && !defined(__hpux)
 # define __hpux                1
 #endif /* hpux */
 #if defined(hpux) && !defined(__hpux)
 # define __hpux                1
 #endif /* hpux */
Debian packaging of sudo