projects / debian / sudo / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Imported Upstream version 1.8.7
[debian/sudo] / configure.in
diff --git a/configure.in b/configure.in
index 7212ba8717e69bdd552b0e9498dc5f3671c2aae9..7328151bc50a584e91b49cbfbfbd4c465b3ed883 100644 (file)
--- a/configure.in
+++ b/configure.in
@@ -1,9 +1,9 @@
 dnl
 dnl Process this file with GNU autoconf to produce a configure script.
 dnl
 dnl
 dnl Process this file with GNU autoconf to produce a configure script.
 dnl
-dnl Copyright (c) 1994-1996,1998-2011 Todd C. Miller <Todd.Miller@courtesan.com>
+dnl Copyright (c) 1994-1996,1998-2013 Todd C. Miller <Todd.Miller@courtesan.com>
 dnl
 dnl
-AC_INIT([sudo], [1.8.2], [http://www.sudo.ws/bugs/], [sudo])
+AC_INIT([sudo], [1.8.7], [http://www.sudo.ws/bugs/], [sudo])
 AC_CONFIG_HEADER([config.h pathnames.h])
 dnl
 dnl Note: this must come after AC_INIT
 AC_CONFIG_HEADER([config.h pathnames.h])
 dnl
 dnl Note: this must come after AC_INIT
@@ -20,7 +20,11 @@ AC_SUBST([PROGS])
 AC_SUBST([CPPFLAGS])
 AC_SUBST([LDFLAGS])
 AC_SUBST([SUDOERS_LDFLAGS])
 AC_SUBST([CPPFLAGS])
 AC_SUBST([LDFLAGS])
 AC_SUBST([SUDOERS_LDFLAGS])
-AC_SUBST([LTLDFLAGS])
+AC_SUBST([LT_LDFLAGS])
+AC_SUBST([LT_LDMAP])
+AC_SUBST([LT_LDOPT])
+AC_SUBST([LT_LDDEP])
+AC_SUBST([LT_LDEXPORTS])
 AC_SUBST([COMMON_OBJS])
 AC_SUBST([SUDOERS_OBJS])
 AC_SUBST([SUDO_OBJS])
 AC_SUBST([COMMON_OBJS])
 AC_SUBST([SUDOERS_OBJS])
 AC_SUBST([SUDO_OBJS])
@@ -34,13 +38,17 @@ AC_SUBST([GETGROUPS_LIB])
 AC_SUBST([OSDEFS])
 AC_SUBST([AUTH_OBJS])
 AC_SUBST([MANTYPE])
 AC_SUBST([OSDEFS])
 AC_SUBST([AUTH_OBJS])
 AC_SUBST([MANTYPE])
-AC_SUBST([MAN_POSTINSTALL])
+AC_SUBST([MANDIRTYPE])
+AC_SUBST([MANCOMPRESS])
+AC_SUBST([MANCOMPRESSEXT])
+AC_SUBST([SHLIB_MODE])
 AC_SUBST([SUDOERS_MODE])
 AC_SUBST([SUDOERS_UID])
 AC_SUBST([SUDOERS_GID])
 AC_SUBST([SUDOERS_MODE])
 AC_SUBST([SUDOERS_UID])
 AC_SUBST([SUDOERS_GID])
-AC_SUBST([DEV])
+AC_SUBST([DEVEL])
 AC_SUBST([BAMAN])
 AC_SUBST([LCMAN])
 AC_SUBST([BAMAN])
 AC_SUBST([LCMAN])
+AC_SUBST([PSMAN])
 AC_SUBST([SEMAN])
 AC_SUBST([devdir])
 AC_SUBST([mansectsu])
 AC_SUBST([SEMAN])
 AC_SUBST([devdir])
 AC_SUBST([mansectsu])
@@ -48,9 +56,9 @@ AC_SUBST([mansectform])
 AC_SUBST([mansrcdir])
 AC_SUBST([NOEXECFILE])
 AC_SUBST([NOEXECDIR])
 AC_SUBST([mansrcdir])
 AC_SUBST([NOEXECFILE])
 AC_SUBST([NOEXECDIR])
-AC_SUBST([PLUGINDIR])
 AC_SUBST([SOEXT])
 AC_SUBST([noexec_file])
 AC_SUBST([SOEXT])
 AC_SUBST([noexec_file])
+AC_SUBST([sesh_file])
 AC_SUBST([INSTALL_NOEXEC])
 AC_SUBST([DONT_LEAK_PATH_INFO])
 AC_SUBST([BSDAUTH_USAGE])
 AC_SUBST([INSTALL_NOEXEC])
 AC_SUBST([DONT_LEAK_PATH_INFO])
 AC_SUBST([BSDAUTH_USAGE])
@@ -66,6 +74,14 @@ AC_SUBST([LIBDL])
 AC_SUBST([LT_STATIC])
 AC_SUBST([LIBINTL])
 AC_SUBST([SUDO_NLS])
 AC_SUBST([LT_STATIC])
 AC_SUBST([LIBINTL])
 AC_SUBST([SUDO_NLS])
+AC_SUBST([LOCALEDIR_SUFFIX])
+AC_SUBST([COMPAT_TEST_PROGS])
+AC_SUBST([CROSS_COMPILING])
+AC_SUBST([PIE_LDFLAGS])
+AC_SUBST([PIE_CFLAGS])
+AC_SUBST([SSP_LDFLAGS])
+AC_SUBST([SSP_CFLAGS])
+AC_SUBST([NO_VIZ])
 dnl
 dnl Variables that get substituted in docs (not overridden by environment)
 dnl
 dnl
 dnl Variables that get substituted in docs (not overridden by environment)
 dnl
@@ -100,10 +116,13 @@ AC_SUBST([root_sudo])
 AC_SUBST([path_info])
 AC_SUBST([ldap_conf])
 AC_SUBST([ldap_secret])
 AC_SUBST([path_info])
 AC_SUBST([ldap_conf])
 AC_SUBST([ldap_secret])
+AC_SUBST([sssd_lib])
 AC_SUBST([nsswitch_conf])
 AC_SUBST([netsvc_conf])
 AC_SUBST([secure_path])
 AC_SUBST([editor])
 AC_SUBST([nsswitch_conf])
 AC_SUBST([netsvc_conf])
 AC_SUBST([secure_path])
 AC_SUBST([editor])
+AC_SUBST([pam_session])
+AC_SUBST([PLUGINDIR])
 #
 # Begin initial values for man page substitution
 #
 #
 # Begin initial values for man page substitution
 #
@@ -140,9 +159,12 @@ path_info=on
 ldap_conf=/etc/ldap.conf
 ldap_secret=/etc/ldap.secret
 netsvc_conf=/etc/netsvc.conf
 ldap_conf=/etc/ldap.conf
 ldap_secret=/etc/ldap.secret
 netsvc_conf=/etc/netsvc.conf
-noexec_file=/usr/local/libexec/sudo_noexec.so
+noexec_file=/usr/local/libexec/sudo/sudo_noexec.so
+sesh_file=/usr/local/libexec/sudo/sesh
 nsswitch_conf=/etc/nsswitch.conf
 secure_path="not set"
 nsswitch_conf=/etc/nsswitch.conf
 secure_path="not set"
+pam_session=on
+PLUGINDIR=/usr/local/libexec/sudo
 #
 # End initial values for man page substitution
 #
 #
 # End initial values for man page substitution
 #
@@ -153,15 +175,17 @@ dnl
 INSTALL_NOEXEC=
 devdir='$(srcdir)'
 PROGS="sudo"
 INSTALL_NOEXEC=
 devdir='$(srcdir)'
 PROGS="sudo"
-: ${MANTYPE='man'}
+: ${MANDIRTYPE='man'}
 : ${mansrcdir='.'}
 : ${mansrcdir='.'}
+: ${SHLIB_MODE='0644'}
 : ${SUDOERS_MODE='0440'}
 : ${SUDOERS_UID='0'}
 : ${SUDOERS_GID='0'}
 : ${SUDOERS_MODE='0440'}
 : ${SUDOERS_UID='0'}
 : ${SUDOERS_GID='0'}
-DEV="#"
+DEVEL=
 LDAP="#"
 BAMAN=0
 LCMAN=0
 LDAP="#"
 BAMAN=0
 LCMAN=0
+PSMAN=0
 SEMAN=0
 LIBINTL=
 ZLIB=
 SEMAN=0
 LIBINTL=
 ZLIB=
@@ -172,6 +196,11 @@ AUTH_EXCL=
 AUTH_EXCL_DEF=
 AUTH_DEF=passwd
 SUDO_NLS=disabled
 AUTH_EXCL_DEF=
 AUTH_DEF=passwd
 SUDO_NLS=disabled
+LOCALEDIR_SUFFIX=
+LT_LDEXPORTS="-export-symbols \$(shlib_exp)"
+LT_LDDEP="\$(shlib_exp)"
+NO_VIZ="-DNO_VIZ"
+OS_INIT=os_init_common
 
 dnl
 dnl Other vaiables
 
 dnl
 dnl Other vaiables
@@ -183,11 +212,31 @@ shadow_libs=
 shadow_libs_optional=
 CONFIGURE_ARGS="$@"
 
 shadow_libs_optional=
 CONFIGURE_ARGS="$@"
 
+dnl
+dnl LD_PRELOAD equivalents
+dnl
+RTLD_PRELOAD_VAR="LD_PRELOAD"
+RTLD_PRELOAD_ENABLE_VAR=
+RTLD_PRELOAD_DELIM=":"
+RTLD_PRELOAD_DEFAULT=
+
 dnl
 dnl libc replacement functions live in compat
 dnl
 AC_CONFIG_LIBOBJ_DIR(compat)
 
 dnl
 dnl libc replacement functions live in compat
 dnl
 AC_CONFIG_LIBOBJ_DIR(compat)
 
+#
+# Prior to sudo 1.8.7, sudo stored libexec files in $libexecdir.
+# Starting with sudo 1.8.7, $libexecdir/sudo is used so strip
+# off an extraneous "/sudo" from libexecdir.
+#
+case "$libexecdir" in
+    */sudo)
+       AC_MSG_WARN([libexecdir should not include the "sudo" subdirectory])
+       libexecdir=`expr "$libexecdir" : '\\(.*\\)/sudo$'`
+       ;;
+esac
+
 dnl
 dnl Deprecated --with options (these all warn or generate an error)
 dnl
 dnl
 dnl Deprecated --with options (these all warn or generate an error)
 dnl
@@ -214,7 +263,7 @@ AC_ARG_WITH(devel, [AS_HELP_STRING([--with-devel], [add development options])],
 [case $with_devel in
     yes)       AC_MSG_NOTICE([Setting up for development: -Wall, flex, yacc])
                OSDEFS="${OSDEFS} -DSUDO_DEVEL"
 [case $with_devel in
     yes)       AC_MSG_NOTICE([Setting up for development: -Wall, flex, yacc])
                OSDEFS="${OSDEFS} -DSUDO_DEVEL"
-               DEV=""
+               DEVEL="true"
                devdir=.
                ;;
     no)                ;;
                devdir=.
                ;;
     no)                ;;
@@ -224,27 +273,15 @@ esac])
 
 AC_ARG_WITH(CC, [AS_HELP_STRING([--with-CC], [C compiler to use])],
 [case $with_CC in
 
 AC_ARG_WITH(CC, [AS_HELP_STRING([--with-CC], [C compiler to use])],
 [case $with_CC in
-    yes)       AC_MSG_ERROR(["must give --with-CC an argument."])
-               ;;
-    no)                AC_MSG_ERROR(["illegal argument: --without-CC."])
-               ;;
-    *)         CC=$with_CC
+    *)         AC_MSG_ERROR([the --with-CC option is no longer supported, please set the CC environment variable instead.])
                ;;
 esac])
 
                ;;
 esac])
 
-AC_ARG_WITH(rpath, [AS_HELP_STRING([--with-rpath], [pass -R flag in addition to -L for lib paths])],
-[case $with_rpath in
-    yes|no)    ;;
-    *)         AC_MSG_ERROR(["--with-rpath does not take an argument."])
-               ;;
-esac])
+AC_ARG_WITH(rpath, [AS_HELP_STRING([--with-rpath], [deprecated, use --disable-rpath])],
+[AC_MSG_WARN([--with-rpath deprecated, rpath is now the default])])
 
 
-AC_ARG_WITH(blibpath, [AS_HELP_STRING([--with-blibpath[=PATH]], [pass -blibpath flag to ld for additional lib paths])],
-[case $with_blibpath in
-    yes|no)    ;;
-    *)         AC_MSG_NOTICE([will pass -blibpath:${with_blibpath} to the loader.])
-               ;;
-esac])
+AC_ARG_WITH(blibpath, [AS_HELP_STRING([--with-blibpath[=PATH]], [deprecated])],
+[AC_MSG_WARN([--with-blibpath deprecated, use --with-libpath])])
 
 dnl
 dnl Handle BSM auditing support.
 
 dnl
 dnl Handle BSM auditing support.
@@ -279,6 +316,24 @@ AC_ARG_WITH(linux-audit, [AS_HELP_STRING([--with-linux-audit], [enable Linux aud
                ;;
 esac])
 
                ;;
 esac])
 
+dnl
+dnl Handle SSSD support.
+dnl
+AC_ARG_WITH(sssd, [AS_HELP_STRING([--with-sssd], [enable SSSD support])],
+[case $with_sssd in
+    yes)       SUDOERS_OBJS="${SUDOERS_OBJS} sssd.lo"
+               AC_DEFINE(HAVE_SSSD)
+               ;;
+    no)                ;;
+    *)         AC_MSG_ERROR(["--with-sssd does not take an argument."])
+               ;;
+esac])
+
+AC_ARG_WITH(sssd-lib, [AS_HELP_STRING([--with-sssd-lib], [path to the SSSD library])])
+sssd_lib="\"LIBDIR\""
+test -n "$with_sssd_lib" && sssd_lib="$with_sssd_lib"
+SUDO_DEFINE_UNQUOTED(_PATH_SSSD_LIB, "$sssd_lib", [Path to the SSSD library])
+
 AC_ARG_WITH(incpath, [AS_HELP_STRING([--with-incpath], [additional places to look for include files])],
 [case $with_incpath in
     yes)       AC_MSG_ERROR(["must give --with-incpath an argument."])
 AC_ARG_WITH(incpath, [AS_HELP_STRING([--with-incpath], [additional places to look for include files])],
 [case $with_incpath in
     yes)       AC_MSG_ERROR(["must give --with-incpath an argument."])
@@ -287,7 +342,7 @@ AC_ARG_WITH(incpath, [AS_HELP_STRING([--with-incpath], [additional places to loo
                ;;
     *)         AC_MSG_NOTICE([Adding ${with_incpath} to CPPFLAGS])
                for i in ${with_incpath}; do
                ;;
     *)         AC_MSG_NOTICE([Adding ${with_incpath} to CPPFLAGS])
                for i in ${with_incpath}; do
-                   CPPFLAGS="${CPPFLAGS} -I${i}"
+                   SUDO_APPEND_CPPFLAGS(-I${i})
                done
                ;;
 esac])
                done
                ;;
 esac])
@@ -406,15 +461,6 @@ AC_ARG_WITH(fwtk, [AS_HELP_STRING([--with-fwtk[[=DIR]]], [enable FWTK AuthSRV su
                ;;
 esac])
 
                ;;
 esac])
 
-AC_ARG_WITH(kerb4, [AS_HELP_STRING([--with-kerb4[[=DIR]]], [enable Kerberos IV support])],
-[case $with_kerb4 in
-    no)                ;;
-    *)         AC_MSG_CHECKING(whether to try kerberos IV authentication)
-               AC_MSG_RESULT(yes)
-               AUTH_REG="$AUTH_REG kerb4"
-               ;;
-esac])
-
 AC_ARG_WITH(kerb5, [AS_HELP_STRING([--with-kerb5[[=DIR]]], [enable Kerberos V support])],
 [case $with_kerb5 in
     no)                ;;
 AC_ARG_WITH(kerb5, [AS_HELP_STRING([--with-kerb5[[=DIR]]], [enable Kerberos V support])],
 [case $with_kerb5 in
     no)                ;;
@@ -1079,17 +1125,11 @@ AC_ARG_WITH(interfaces, [AS_HELP_STRING([--without-interfaces], [don't try to re
                ;;
 esac], AC_MSG_RESULT(yes))
 
                ;;
 esac], AC_MSG_RESULT(yes))
 
-AC_MSG_CHECKING(whether stow should be used)
-AC_ARG_WITH(stow, [AS_HELP_STRING([--with-stow], [properly handle GNU stow packaging])],
+AC_ARG_WITH(stow, [AS_HELP_STRING([--with-stow], [deprecated])],
 [case $with_stow in
 [case $with_stow in
-    yes)       AC_MSG_RESULT(yes)
-               AC_DEFINE(USE_STOW)
-               ;;
-    no)                AC_MSG_RESULT(no)
-               ;;
-    *)         AC_MSG_ERROR(["--with-stow does not take an argument."])
+    *)         AC_MSG_NOTICE([--with-stow option deprecated, now is defalt behavior])
                ;;
                ;;
-esac], AC_MSG_RESULT(no))
+esac])
 
 AC_MSG_CHECKING(whether to use an askpass helper)
 AC_ARG_WITH(askpass, [AS_HELP_STRING([--with-askpass=PATH], [Fully qualified pathname of askpass helper])],
 
 AC_MSG_CHECKING(whether to use an askpass helper)
 AC_ARG_WITH(askpass, [AS_HELP_STRING([--with-askpass=PATH], [Fully qualified pathname of askpass helper])],
@@ -1097,16 +1137,43 @@ AC_ARG_WITH(askpass, [AS_HELP_STRING([--with-askpass=PATH], [Fully qualified pat
     yes)       AC_MSG_ERROR(["--with-askpass takes a path as an argument."])
                ;;
     no)                ;;
     yes)       AC_MSG_ERROR(["--with-askpass takes a path as an argument."])
                ;;
     no)                ;;
-    *)         SUDO_DEFINE_UNQUOTED(_PATH_SUDO_ASKPASS, "$with_askpass", [The fully qualified pathname of askpass])
-               ;;
-esac], AC_MSG_RESULT(no))
+    *)         ;;
+esac], [
+    with_askpass=no
+    AC_MSG_RESULT(no)
+])
+if test X"$with_askpass" != X"no"; then
+    SUDO_DEFINE_UNQUOTED(_PATH_SUDO_ASKPASS, "$with_askpass")
+else
+    SUDO_DEFINE_UNQUOTED(_PATH_SUDO_ASKPASS, NULL)
+fi
 
 AC_ARG_WITH(plugindir, [AS_HELP_STRING([--with-plugindir], [set directory to load plugins from])],
 [case $with_plugindir in
     no)                AC_MSG_ERROR(["illegal argument: --without-plugindir."])
                ;;
     *)         ;;
 
 AC_ARG_WITH(plugindir, [AS_HELP_STRING([--with-plugindir], [set directory to load plugins from])],
 [case $with_plugindir in
     no)                AC_MSG_ERROR(["illegal argument: --without-plugindir."])
                ;;
     *)         ;;
-esac], [with_plugindir="$libexecdir"])
+esac], [with_plugindir="$libexecdir/sudo"])
+
+AC_ARG_WITH(man, [AS_HELP_STRING([--with-man], [manual pages use man macros])],
+[case $with_man in
+    yes)       MANTYPE=man
+               ;;
+    no)                AC_MSG_ERROR(["--without-man not supported."])
+               ;;
+    *)         AC_MSG_ERROR(["ignoring unknown argument to --with-man: $with_man."])
+               ;;
+esac])
+
+AC_ARG_WITH(mdoc, [AS_HELP_STRING([--with-mdoc], [manual pages use mdoc macros])],
+[case $with_mdoc in
+    yes)       MANTYPE=mdoc
+               ;;
+    no)                AC_MSG_ERROR(["--without-mdoc not supported."])
+               ;;
+    *)         AC_MSG_ERROR(["ignoring unknown argument to --with-mdoc: $with_mdoc."])
+               ;;
+esac])
 
 dnl
 dnl Options for --enable
 
 dnl
 dnl Options for --enable
@@ -1285,25 +1352,39 @@ AC_ARG_ENABLE(env_reset,
 ])
 if test "$env_reset" = "on"; then
     AC_MSG_RESULT(yes)
 ])
 if test "$env_reset" = "on"; then
     AC_MSG_RESULT(yes)
-    AC_DEFINE(ENV_RESET, TRUE)
+    AC_DEFINE(ENV_RESET, 1)
 else
     AC_MSG_RESULT(no)
 else
     AC_MSG_RESULT(no)
-    AC_DEFINE(ENV_RESET, FALSE)
+    AC_DEFINE(ENV_RESET, 0)
 fi
 
 AC_ARG_ENABLE(warnings,
 [AS_HELP_STRING([--enable-warnings], [Whether to enable compiler warnings])],
 [ case "$enableval" in
 fi
 
 AC_ARG_ENABLE(warnings,
 [AS_HELP_STRING([--enable-warnings], [Whether to enable compiler warnings])],
 [ case "$enableval" in
-    yes)    if test X"$with_devel" != X"yes" -a -n "$GCC"; then
-               CFLAGS="${CFLAGS} -Wall"
-           fi
-           ;;
+    yes)    ;;
     no)            ;;
     *)     AC_MSG_WARN([Ignoring unknown argument to --enable-warnings: $enableval])
            ;;
   esac
 ])
 
     no)            ;;
     *)     AC_MSG_WARN([Ignoring unknown argument to --enable-warnings: $enableval])
            ;;
   esac
 ])
 
+AC_ARG_ENABLE(werror,
+[AS_HELP_STRING([--enable-werror], [Whether to enable the -Werror compiler option])],
+[ case "$enableval" in
+    yes)    ;;
+    no)            ;;
+    *)     AC_MSG_WARN([Ignoring unknown argument to --enable-werror: $enableval])
+           ;;
+  esac
+])
+
+AC_ARG_ENABLE(hardening,
+[AS_HELP_STRING([--disable-hardening], [Do not use compiler/linker exploit mitigation options])],
+[], [enable_hardening=yes])
+
+AC_ARG_ENABLE(pie,
+[AS_HELP_STRING([--enable-pie], [Build sudo as a position independent executable.])])
+
 AC_ARG_ENABLE(admin-flag,
 [AS_HELP_STRING([--enable-admin-flag], [Whether to create a Ubuntu-style admin flag file])],
 [ case "$enableval" in
 AC_ARG_ENABLE(admin-flag,
 [AS_HELP_STRING([--enable-admin-flag], [Whether to create a Ubuntu-style admin flag file])],
 [ case "$enableval" in
@@ -1319,6 +1400,10 @@ AC_ARG_ENABLE(nls,
 [AS_HELP_STRING([--disable-nls], [Disable natural language support using gettext])],
 [], [enable_nls=yes])
 
 [AS_HELP_STRING([--disable-nls], [Disable natural language support using gettext])],
 [], [enable_nls=yes])
 
+AC_ARG_ENABLE(rpath,
+[AS_HELP_STRING([--disable-rpath], [Disable passing of -Rpath to the linker])],
+[], [enable_rpath=yes])
+
 AC_ARG_WITH(selinux, [AS_HELP_STRING([--with-selinux], [enable SELinux support])],
 [case $with_selinux in
     yes)       SELINUX_USAGE="[[-r role]] [[-t type]] "
 AC_ARG_WITH(selinux, [AS_HELP_STRING([--with-selinux], [enable SELinux support])],
 [case $with_selinux in
     yes)       SELINUX_USAGE="[[-r role]] [[-t type]] "
@@ -1333,7 +1418,7 @@ AC_ARG_WITH(selinux, [AS_HELP_STRING([--with-selinux], [enable SELinux support])
     no)                ;;
     *)         AC_MSG_ERROR(["--with-selinux does not take an argument."])
                ;;
     no)                ;;
     *)         AC_MSG_ERROR(["--with-selinux does not take an argument."])
                ;;
-esac])
+esac], [with_selinux=no])
 
 dnl
 dnl gss_krb5_ccache_name() may not work on Heimdal so we don't use it by default
 
 dnl
 dnl gss_krb5_ccache_name() may not work on Heimdal so we don't use it by default
@@ -1357,6 +1442,15 @@ if test "x$ac_cv_prog_cc_c89" = "xno"; then
     AC_MSG_ERROR([Sudo version $PACKAGE_VERSION requires an ANSI C compiler to build.])
 fi
 
     AC_MSG_ERROR([Sudo version $PACKAGE_VERSION requires an ANSI C compiler to build.])
 fi
 
+dnl
+dnl If the user specified --disable-static, override them or we'll
+dnl be unable to build the executables in the sudoers plugin dir.
+dnl
+if test "$enable_static" = "no"; then
+    AC_MSG_WARN([Ignoring --disable-static, sudo does not install static libs])
+    enable_static=yes
+fi
+
 dnl
 dnl Libtool setup, we require libtool 2.2.6b or higher
 dnl
 dnl
 dnl Libtool setup, we require libtool 2.2.6b or higher
 dnl
@@ -1365,6 +1459,21 @@ AC_CONFIG_MACRO_DIR([m4])
 LT_PREREQ([2.2.6b])
 LT_INIT([dlopen])
 
 LT_PREREQ([2.2.6b])
 LT_INIT([dlopen])
 
+dnl
+dnl Allow the user to specify an alternate libtool.
+dnl XXX - should be able to skip LT_INIT if we are using a different libtool
+dnl
+AC_ARG_WITH(libtool, [AS_HELP_STRING([--with-libtool=PATH], [specify path to libtool])],
+[case $with_libtool in
+    yes|builtin) ;;
+    no)                AC_MSG_ERROR(["--without-libtool not supported."])
+               ;;
+    system)    LIBTOOL=libtool
+               ;;
+    *)         LIBTOOL="$with_libtool"
+               ;;
+esac])
+
 dnl
 dnl Defer with_noexec until after libtool magic runs
 dnl
 dnl
 dnl Defer with_noexec until after libtool magic runs
 dnl
@@ -1373,6 +1482,8 @@ if test "$enable_shared" = "no"; then
     enable_dlopen=no
     lt_cv_dlopen=none
     lt_cv_dlopen_libs=
     enable_dlopen=no
     lt_cv_dlopen=none
     lt_cv_dlopen_libs=
+    ac_cv_func_dlopen=no
+    LT_LDFLAGS=-static
 else
     eval _shrext="$shrext_cmds"
     # Darwin uses .dylib for libraries but .so for modules
 else
     eval _shrext="$shrext_cmds"
     # Darwin uses .dylib for libraries but .so for modules
@@ -1385,54 +1496,48 @@ fi
 AC_MSG_CHECKING(path to sudo_noexec.so)
 AC_ARG_WITH(noexec, [AS_HELP_STRING([--with-noexec[=PATH]], [fully qualified pathname of sudo_noexec.so])],
 [case $with_noexec in
 AC_MSG_CHECKING(path to sudo_noexec.so)
 AC_ARG_WITH(noexec, [AS_HELP_STRING([--with-noexec[=PATH]], [fully qualified pathname of sudo_noexec.so])],
 [case $with_noexec in
-    yes)       with_noexec="$libexecdir/sudo_noexec$_shrext"
+    yes)       with_noexec="$libexecdir/sudo/sudo_noexec.so"
                ;;
     no)                ;;
     *)         ;;
                ;;
     no)                ;;
     *)         ;;
-esac], [with_noexec="$libexecdir/sudo_noexec$_shrext"])
+esac], [with_noexec="$libexecdir/sudo/sudo_noexec.so"])
 AC_MSG_RESULT($with_noexec)
 AC_MSG_RESULT($with_noexec)
-NOEXECFILE="sudo_noexec$_shrext"
-NOEXECDIR="`echo $with_noexec|sed 's:^\(.*\)/[[^/]]*:\1:'`"
-
-dnl
-dnl It is now safe to modify CFLAGS and CPPFLAGS
-dnl
-if test X"$with_devel" = X"yes" -a -n "$GCC"; then
-    CFLAGS="${CFLAGS} -Wall"
-fi
+NOEXECFILE="sudo_noexec.so"
+NOEXECDIR="`echo $with_noexec|sed -e 's:^${\([[^}]]*\)}:$(\1):' -e 's:^\(.*\)/[[^/]]*:\1:'`"
 
 dnl
 dnl Find programs we use
 dnl
 
 dnl
 dnl Find programs we use
 dnl
-AC_CHECK_PROG(UNAMEPROG, [uname], [uname])
-AC_CHECK_PROG(TRPROG, [tr], [tr])
-AC_CHECK_PROGS(NROFFPROG, [nroff mandoc])
-if test -n "$NROFFPROG"; then
-    AC_CACHE_CHECK([whether $NROFFPROG supports the -c option],
-       [sudo_cv_var_nroff_opt_c],
-       [if $NROFFPROG -c </dev/null >/dev/null 2>&1; then
-           sudo_cv_var_nroff_opt_c=yes
-       else
-           sudo_cv_var_nroff_opt_c=no
-       fi]
-    )
-    if test "$sudo_cv_var_nroff_opt_c" = "yes"; then
-       NROFFPROG="$NROFFPROG -c"
-    fi
-    AC_CACHE_CHECK([whether $NROFFPROG supports the -Tascii option],
-       [sudo_cv_var_nroff_opt_Tascii],
-       [if $NROFFPROG -Tascii </dev/null >/dev/null 2>&1; then
-           sudo_cv_var_nroff_opt_Tascii=yes
-       else
-           sudo_cv_var_nroff_opt_Tascii=no
-       fi]
-    if test "$sudo_cv_var_nroff_opt_Tascii" = "yes"; then
-       NROFFPROG="$NROFFPROG -Tascii"
-    fi
-    )
+AC_PATH_PROG(UNAMEPROG, [uname], [uname])
+AC_PATH_PROG(TRPROG, [tr], [tr])
+AC_PATH_PROG(MANDOCPROG, [mandoc], [mandoc])
+if test "$MANDOCPROG" != "mandoc"; then
+    : ${MANTYPE='mdoc'}
 else
 else
-    MANTYPE="cat"
-    mansrcdir='$(srcdir)'
+    AC_PATH_PROG(NROFFPROG, [nroff])
+    if test -n "$NROFFPROG"; then
+       test -n "$MANTYPE" && sudo_cv_var_mantype="$MANTYPE"
+       AC_CACHE_CHECK([which macro set to use for manual pages],
+           [sudo_cv_var_mantype],
+           [
+               sudo_cv_var_mantype="man"
+               echo ".Sh NAME" > conftest
+               echo ".Nm sudo" >> conftest
+               echo ".Nd sudo" >> conftest
+               echo ".Sh DESCRIPTION" >> conftest
+               echo "sudo" >> conftest
+               if $NROFFPROG -mdoc conftest >/dev/null 2>&1; then
+                   sudo_cv_var_mantype="mdoc"
+               fi
+               rm -f conftest
+           ]
+       )
+       MANTYPE="$sudo_cv_var_mantype"
+    else
+       MANTYPE=cat
+       MANDIRTYPE=cat
+       mansrcdir='$(srcdir)'
+    fi
 fi
 
 dnl
 fi
 
 dnl
@@ -1467,6 +1572,9 @@ fi
 
 case "$host" in
     *-*-sunos4*)
 
 case "$host" in
     *-*-sunos4*)
+               # LD_PRELOAD is space-delimited
+               RTLD_PRELOAD_DELIM=" "
+
                # getcwd(3) opens a pipe to getpwd(1)!?!
                BROKEN_GETCWD=1
 
                # getcwd(3) opens a pipe to getpwd(1)!?!
                BROKEN_GETCWD=1
 
@@ -1478,6 +1586,13 @@ case "$host" in
                shadow_funcs="getpwanam issecure"
                ;;
     *-*-solaris2*)
                shadow_funcs="getpwanam issecure"
                ;;
     *-*-solaris2*)
+               # LD_PRELOAD is space-delimited
+               RTLD_PRELOAD_DELIM=" "
+
+               # Solaris-specific initialization
+               OS_INIT=os_init_solaris
+               SUDO_OBJS="${SUDO_OBJS} solaris.o"
+
                # To get the crypt(3) prototype (so we pass -Wall)
                OSDEFS="${OSDEFS} -D__EXTENSIONS__"
                # AFS support needs -lucb
                # To get the crypt(3) prototype (so we pass -Wall)
                OSDEFS="${OSDEFS} -D__EXTENSIONS__"
                # AFS support needs -lucb
@@ -1486,34 +1601,23 @@ case "$host" in
                fi
                : ${mansectsu='1m'}
                : ${mansectform='4'}
                fi
                : ${mansectsu='1m'}
                : ${mansectform='4'}
-               : ${with_rpath='yes'}
                test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
                test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
-               AC_CHECK_FUNCS(priv_set)
+               AC_CHECK_FUNCS(priv_set, [PSMAN=1])
                ;;
     *-*-aix*)
                # To get all prototypes (so we pass -Wall)
                OSDEFS="${OSDEFS} -D_ALL_SOURCE -D_LINUX_SOURCE_COMPAT"
                SUDOERS_LDFLAGS="${SUDOERS_LDFLAGS} -Wl,-bI:\$(srcdir)/aixcrypt.exp"
                ;;
     *-*-aix*)
                # To get all prototypes (so we pass -Wall)
                OSDEFS="${OSDEFS} -D_ALL_SOURCE -D_LINUX_SOURCE_COMPAT"
                SUDOERS_LDFLAGS="${SUDOERS_LDFLAGS} -Wl,-bI:\$(srcdir)/aixcrypt.exp"
-               if test X"$with_blibpath" != X"no"; then
-                   AC_MSG_CHECKING([if linker accepts -Wl,-blibpath])
-                   O_LDFLAGS="$LDFLAGS"
-                   LDFLAGS="$O_LDFLAGS -Wl,-blibpath:/usr/lib:/lib"
-                   AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])], [
-                       if test -n "$with_blibpath" -a "$with_blibpath" != "yes"; then
-                           blibpath="$with_blibpath"
-                       elif test -n "$GCC"; then
-                           blibpath="/usr/lib:/lib:/usr/local/lib"
-                       else
-                           blibpath="/usr/lib:/lib"
-                       fi
-                       AC_MSG_RESULT(yes)
-                   ], [AC_MSG_RESULT(no)])
-               fi
-               LDFLAGS="$O_LDFLAGS"
 
 
-               # Use authenticate(3) as the default authentication method
-               if test X"$with_aixauth" = X""; then
-                   AC_CHECK_FUNCS(authenticate, [AUTH_EXCL_DEF="AIX_AUTH"])
+               # On AIX 6 and higher default to PAM, else default to LAM
+               if test $OSMAJOR -ge 6; then
+                   if test X"$with_pam" = X""; then
+                       AUTH_EXCL_DEF="PAM"
+                   fi
+               else
+                   if test X"$with_aixauth" = X""; then
+                       AC_CHECK_FUNCS(authenticate, [AUTH_EXCL_DEF="AIX_AUTH"])
+                   fi
                fi
 
                # AIX analog of nsswitch.conf, enabled by default
                fi
 
                # AIX analog of nsswitch.conf, enabled by default
@@ -1528,21 +1632,23 @@ case "$host" in
                    with_netsvc="/etc/netsvc.conf"
                fi
 
                    with_netsvc="/etc/netsvc.conf"
                fi
 
-               # For implementing getgrouplist()
-               AC_CHECK_FUNCS(getgrset)
-
-               # LDR_PRELOAD is supported in AIX 5.3 and later
-               case "$OSREV" in
-                   [1-4].*) with_noexec=no ;;
-               esac
+               # LDR_PRELOAD is only supported in AIX 5.3 and later
+               if test $OSMAJOR -lt 5; then
+                   with_noexec=no
+               else
+                   RTLD_PRELOAD_VAR="LDR_PRELOAD"
+               fi
 
                # AIX-specific functions
 
                # AIX-specific functions
-               AC_CHECK_FUNCS(getuserattr setauthdb)
+               AC_CHECK_FUNCS(getuserattr setauthdb setrlimit64)
                COMMON_OBJS="$COMMON_OBJS aix.lo"
                ;;
     *-*-hiuxmpp*)
                : ${mansectsu='1m'}
                : ${mansectform='4'}
                COMMON_OBJS="$COMMON_OBJS aix.lo"
                ;;
     *-*-hiuxmpp*)
                : ${mansectsu='1m'}
                : ${mansectform='4'}
+
+               # HP-UX shared libs must be executable
+               SHLIB_MODE=0755
                ;;
     *-*-hpux*)
                # AFS support needs -lBSD
                ;;
     *-*-hpux*)
                # AFS support needs -lBSD
@@ -1552,6 +1658,9 @@ case "$host" in
                : ${mansectsu='1m'}
                : ${mansectform='4'}
 
                : ${mansectsu='1m'}
                : ${mansectform='4'}
 
+               # HP-UX shared libs must be executable
+               SHLIB_MODE=0755
+
                # The HP bundled compiler cannot generate shared libs
                if test -z "$GCC"; then
                    AC_CACHE_CHECK([for HP bundled C compiler],
                # The HP bundled compiler cannot generate shared libs
                if test -z "$GCC"; then
                    AC_CACHE_CHECK([for HP bundled C compiler],
@@ -1569,7 +1678,7 @@ case "$host" in
 
                # Build PA-RISC1.1 objects for better portability
                case "$host_cpu" in
 
                # Build PA-RISC1.1 objects for better portability
                case "$host_cpu" in
-                   hppa[2-9]*)
+                   hppa[[2-9]]*)
                        _CFLAGS="$CFLAGS"
                        if test -n "$GCC"; then
                            portable_flag="-march=1.1"
                        _CFLAGS="$CFLAGS"
                        if test -n "$GCC"; then
                            portable_flag="-march=1.1"
@@ -1592,11 +1701,11 @@ case "$host" in
                        ;;
                esac
 
                        ;;
                esac
 
-               case "$host" in
-                       *-*-hpux[1-8].*)
+               case "$host_os" in
+                       hpux[[1-8]].*)
                            AC_DEFINE(BROKEN_SYSLOG)
                        ;;
                            AC_DEFINE(BROKEN_SYSLOG)
                        ;;
-                       *-*-hpux9.*)
+                       hpux9.*)
                            AC_DEFINE(BROKEN_SYSLOG)
 
                            shadow_funcs="getspwuid"
                            AC_DEFINE(BROKEN_SYSLOG)
 
                            shadow_funcs="getspwuid"
@@ -1606,10 +1715,11 @@ case "$host" in
                                # order of libs in 9.X is important. -lc_r must be last
                                SUDOERS_LIBS="${SUDOERS_LIBS} -ldce -lM -lc_r"
                                LIBS="${LIBS} -ldce -lM -lc_r"
                                # order of libs in 9.X is important. -lc_r must be last
                                SUDOERS_LIBS="${SUDOERS_LIBS} -ldce -lM -lc_r"
                                LIBS="${LIBS} -ldce -lM -lc_r"
-                               CPPFLAGS="${CPPFLAGS} -D_REENTRANT -I/usr/include/reentrant"
+                               SUDO_APPEND_CPPFLAGS(-D_REENTRANT)
+                               SUDO_APPEND_CPPFLAGS(-I/usr/include/reentrant)
                            fi
                        ;;
                            fi
                        ;;
-                       *-*-hpux10.*)
+                       hpux10.*)
                            shadow_funcs="getprpwnam iscomsec"
                            shadow_libs="-lsec"
                            # HP-UX 10.20 libc has an incompatible getline
                            shadow_funcs="getprpwnam iscomsec"
                            shadow_libs="-lsec"
                            # HP-UX 10.20 libc has an incompatible getline
@@ -1621,9 +1731,11 @@ case "$host" in
                            test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
                        ;;
                esac
                            test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
                        ;;
                esac
+               AC_CHECK_FUNCS(pstat_getproc)
                ;;
     *-dec-osf*)
                # ignore envariables wrt dynamic lib path
                ;;
     *-dec-osf*)
                # ignore envariables wrt dynamic lib path
+               # XXX - sudo LDFLAGS instead?
                SUDOERS_LDFLAGS="${SUDOERS_LDFLAGS} -Wl,-no_library_replacement"
 
                : ${CHECKSIA='true'}
                SUDOERS_LDFLAGS="${SUDOERS_LDFLAGS} -Wl,-no_library_replacement"
 
                : ${CHECKSIA='true'}
@@ -1667,13 +1779,15 @@ case "$host" in
                ]], [[exit(0);]])], [AC_MSG_RESULT(no)], [AC_MSG_RESULT([yes, fixing locally])
                sed 's:<acl.h>:<sys/acl.h>:g' < /usr/include/prot.h > prot.h
                ])
                ]], [[exit(0);]])], [AC_MSG_RESULT(no)], [AC_MSG_RESULT([yes, fixing locally])
                sed 's:<acl.h>:<sys/acl.h>:g' < /usr/include/prot.h > prot.h
                ])
+               # ":DEFAULT" must be appended to _RLD_LIST
+               RTLD_PRELOAD_VAR="_RLD_LIST"
+               RTLD_PRELOAD_DEFAULT="DEFAULT"
                : ${mansectsu='8'}
                : ${mansectform='4'}
                ;;
     *-*-irix*)
                OSDEFS="${OSDEFS} -D_BSD_TYPES"
                if test -z "$NROFFPROG"; then
                : ${mansectsu='8'}
                : ${mansectform='4'}
                ;;
     *-*-irix*)
                OSDEFS="${OSDEFS} -D_BSD_TYPES"
                if test -z "$NROFFPROG"; then
-                   MAN_POSTINSTALL='   /bin/rm -f $(mandirsu)/sudo.$(mansectsu).z $(mandirsu)/visudo.$(mansectsu).z $(mandirform)/sudoers.$(mansectform).z ; /usr/bin/pack $(mandirsu)/sudo.$(mansectsu) $(mandirsu)/visudo.$(mansectsu) $(mandirform)/sudoers.$(mansectform)'
                    if test "$prefix" = "/usr/local" -a "$mandir" = '${datarootdir}/man'; then
                        if test -d /usr/share/catman/local; then
                            mandir="/usr/share/catman/local"
                    if test "$prefix" = "/usr/local" -a "$mandir" = '${datarootdir}/man'; then
                        if test -d /usr/share/catman/local; then
                            mandir="/usr/share/catman/local"
@@ -1681,6 +1795,9 @@ case "$host" in
                            mandir="/usr/catman/local"
                        fi
                    fi
                            mandir="/usr/catman/local"
                        fi
                    fi
+                   # Compress cat pages with pack
+                   MANCOMPRESS='pack'
+                   MANCOMPRESSEXT='.z'
                else
                    if test "$prefix" = "/usr/local" -a "$mandir" = '${datarootdir}/man'; then
                        if test -d "/usr/share/man/local"; then
                else
                    if test "$prefix" = "/usr/local" -a "$mandir" = '${datarootdir}/man'; then
                        if test -d "/usr/share/man/local"; then
@@ -1694,6 +1811,9 @@ case "$host" in
                if test "$OSMAJOR" -le 4; then
                    AC_CHECK_LIB(sun, getpwnam, [LIBS="${LIBS} -lsun"])
                fi
                if test "$OSMAJOR" -le 4; then
                    AC_CHECK_LIB(sun, getpwnam, [LIBS="${LIBS} -lsun"])
                fi
+               # ":DEFAULT" must be appended to _RLD_LIST
+               RTLD_PRELOAD_VAR="_RLD_LIST"
+               RTLD_PRELOAD_DEFAULT="DEFAULT"
                : ${mansectsu='1m'}
                : ${mansectform='4'}
                ;;
                : ${mansectsu='1m'}
                : ${mansectform='4'}
                ;;
@@ -1721,7 +1841,8 @@ case "$host" in
                ;;
     *-*-riscos*)
                LIBS="${LIBS} -lsun -lbsd"
                ;;
     *-*-riscos*)
                LIBS="${LIBS} -lsun -lbsd"
-               CPPFLAGS="${CPPFLAGS} -I/usr/include -I/usr/include/bsd"
+               SUDO_APPEND_CPPFLAGS(-I/usr/include)
+               SUDO_APPEND_CPPFLAGS(-I/usr/include/bsd)
                OSDEFS="${OSDEFS} -D_MIPS"
                : ${mansectsu='1m'}
                : ${mansectform='4'}
                OSDEFS="${OSDEFS} -D_MIPS"
                : ${mansectsu='1m'}
                : ${mansectform='4'}
@@ -1754,32 +1875,20 @@ case "$host" in
                shadow_libs="-lsec"
                : ${mansectsu='1m'}
                : ${mansectform='4'}
                shadow_libs="-lsec"
                : ${mansectsu='1m'}
                : ${mansectform='4'}
-               : ${with_rpath='yes'}
                ;;
     *-ncr-sysv4*|*-ncr-sysvr4*)
                AC_CHECK_LIB(c89, strcasecmp, [LIBS="${LIBS} -lc89"])
                : ${mansectsu='1m'}
                : ${mansectform='4'}
                ;;
     *-ncr-sysv4*|*-ncr-sysvr4*)
                AC_CHECK_LIB(c89, strcasecmp, [LIBS="${LIBS} -lc89"])
                : ${mansectsu='1m'}
                : ${mansectform='4'}
-               : ${with_rpath='yes'}
                ;;
     *-ccur-sysv4*|*-ccur-sysvr4*)
                LIBS="${LIBS} -lgen"
                : ${mansectsu='1m'}
                : ${mansectform='4'}
                ;;
     *-ccur-sysv4*|*-ccur-sysvr4*)
                LIBS="${LIBS} -lgen"
                : ${mansectsu='1m'}
                : ${mansectform='4'}
-               : ${with_rpath='yes'}
                ;;
     *-*-bsdi*)
                SKIP_SETREUID=yes
                ;;
     *-*-bsdi*)
                SKIP_SETREUID=yes
-               # Use shlicc for BSD/OS [23].x unless asked to do otherwise
-               if test "${with_CC+set}" != set -a "$ac_cv_prog_CC" = gcc; then
-                   case "$OSMAJOR" in
-                       2|3)    AC_MSG_NOTICE([using shlicc as CC])
-                               ac_cv_prog_CC=shlicc
-                               CC="$ac_cv_prog_CC"
-                               ;;
-                   esac
-               fi
-               # Check for newer BSD auth API (just check for >= 3.0?)
+               # Check for newer BSD auth API
                if test -z "$with_bsdauth"; then
                    AC_CHECK_FUNCS(auth_challenge, [AUTH_EXCL_DEF="BSD_AUTH"])
                fi
                if test -z "$with_bsdauth"; then
                    AC_CHECK_FUNCS(auth_challenge, [AUTH_EXCL_DEF="BSD_AUTH"])
                fi
@@ -1792,6 +1901,7 @@ case "$host" in
                    SKIP_SETREUID=yes
                    ;;
                esac
                    SKIP_SETREUID=yes
                    ;;
                esac
+               OSDEFS="${OSDEFS} -D_BSD_SOURCE"
                if test "${with_skey-'no'}" = "yes"; then
                     SUDOERS_LIBS="${SUDOERS_LIBS} -lmd"
                fi
                if test "${with_skey-'no'}" = "yes"; then
                     SUDOERS_LIBS="${SUDOERS_LIBS} -lmd"
                fi
@@ -1800,26 +1910,27 @@ case "$host" in
                : ${with_logincap='maybe'}
                ;;
     *-*-*openbsd*)
                : ${with_logincap='maybe'}
                ;;
     *-*-*openbsd*)
+               # OpenBSD-specific initialization
+               OS_INIT=os_init_openbsd
+               SUDO_OBJS="${SUDO_OBJS} openbsd.o"
+
                # OpenBSD has a real setreuid(2) starting with 3.3 but
                # OpenBSD has a real setreuid(2) starting with 3.3 but
-               # we will use setreuid(2) instead.
+               # we will use setresuid(2) instead.
                SKIP_SETREUID=yes
                SKIP_SETREUID=yes
+               OSDEFS="${OSDEFS} -D_BSD_SOURCE"
                CHECKSHADOW="false"
                # OpenBSD >= 3.0 supports BSD auth
                if test -z "$with_bsdauth"; then
                CHECKSHADOW="false"
                # OpenBSD >= 3.0 supports BSD auth
                if test -z "$with_bsdauth"; then
-                   case "$OSREV" in
-                   [0-2].*)
-                       ;;
-                   *)
+                   if test "$OSMAJOR" -ge 3; then
                        AUTH_EXCL_DEF="BSD_AUTH"
                        AUTH_EXCL_DEF="BSD_AUTH"
-                       ;;
-                   esac
+                   fi
                fi
                : ${with_logincap='maybe'}
                ;;
     *-*-*netbsd*)
                # NetBSD has a real setreuid(2) starting with 1.3.2
                case "$OSREV" in
                fi
                : ${with_logincap='maybe'}
                ;;
     *-*-*netbsd*)
                # NetBSD has a real setreuid(2) starting with 1.3.2
                case "$OSREV" in
-               0.9*|1.[012]*|1.3|1.3.1)
+               0.9*|1.[[012]]*|1.3|1.3.1)
                    SKIP_SETREUID=yes
                    ;;
                esac
                    SKIP_SETREUID=yes
                    ;;
                esac
@@ -1828,6 +1939,7 @@ case "$host" in
                : ${with_logincap='maybe'}
                ;;
     *-*-dragonfly*)
                : ${with_logincap='maybe'}
                ;;
     *-*-dragonfly*)
+               OSDEFS="${OSDEFS} -D_BSD_SOURCE"
                if test "${with_skey-'no'}" = "yes"; then
                     SUDOERS_LIBS="${SUDOERS_LIBS} -lmd"
                fi
                if test "${with_skey-'no'}" = "yes"; then
                     SUDOERS_LIBS="${SUDOERS_LIBS} -lmd"
                fi
@@ -1846,16 +1958,19 @@ case "$host" in
                CHECKSHADOW="false"
                test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
                : ${with_logincap='yes'}
                CHECKSHADOW="false"
                test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
                : ${with_logincap='yes'}
+               RTLD_PRELOAD_VAR="DYLD_INSERT_LIBRARIES"
+               RTLD_PRELOAD_ENABLE_VAR="DYLD_FORCE_FLAT_NAMESPACE"
                ;;
     *-*-nextstep*)
                # lockf() on is broken on the NeXT -- use flock instead
                ac_cv_func_lockf=no
                ac_cv_func_flock=yes
                ;;
     *-*-nextstep*)
                # lockf() on is broken on the NeXT -- use flock instead
                ac_cv_func_lockf=no
                ac_cv_func_flock=yes
+               RTLD_PRELOAD_VAR="DYLD_INSERT_LIBRARIES"
+               RTLD_PRELOAD_ENABLE_VAR="DYLD_FORCE_FLAT_NAMESPACE"
                ;;
     *-*-*sysv4*)
                : ${mansectsu='1m'}
                : ${mansectform='4'}
                ;;
     *-*-*sysv4*)
                : ${mansectsu='1m'}
                : ${mansectform='4'}
-               : ${with_rpath='yes'}
                ;;
     *-*-sysv*)
                : ${mansectsu='1m'}
                ;;
     *-*-sysv*)
                : ${mansectsu='1m'}
@@ -1866,6 +1981,20 @@ case "$host" in
                ;;
 esac
 
                ;;
 esac
 
+dnl
+dnl Library preloading to support NOEXEC
+dnl
+if test -n "$with_noexec"; then
+    SUDO_DEFINE_UNQUOTED(RTLD_PRELOAD_VAR, "$RTLD_PRELOAD_VAR")
+    SUDO_DEFINE_UNQUOTED(RTLD_PRELOAD_DELIM, "$RTLD_PRELOAD_DELIM")
+    if test -n "$RTLD_PRELOAD_DEFAULT"; then
+       SUDO_DEFINE_UNQUOTED(RTLD_PRELOAD_DEFAULT, "$RTLD_PRELOAD_DEFAULT")
+    fi
+    if test -n "$RTLD_PRELOAD_ENABLE_VAR"; then
+       SUDO_DEFINE_UNQUOTED(RTLD_PRELOAD_ENABLE_VAR, "$RTLD_PRELOAD_ENABLE_VAR")
+    fi
+fi
+
 dnl
 dnl Check for mixing mutually exclusive and regular auth methods
 dnl
 dnl
 dnl Check for mixing mutually exclusive and regular auth methods
 dnl
@@ -1919,23 +2048,16 @@ dnl
 AC_PROG_GCC_TRADITIONAL
 AC_C_CONST
 AC_C_VOLATILE
 AC_PROG_GCC_TRADITIONAL
 AC_C_CONST
 AC_C_VOLATILE
-if test X"$with_gnu_ld" != "yes" -a -n "$GCC"; then
-    _CFLAGS="$CFLAGS"
-    CFLAGS="$CFLAGS -static-libgcc"
-    AC_CACHE_CHECK([whether $CC understands -static-libgcc],
-       [sudo_cv_var_gcc_static_libgcc],
-       [AC_LINK_IFELSE(
-           [AC_LANG_PROGRAM([[]], [[]])],
-               [sudo_cv_var_gcc_static_libgcc=yes],
-               [sudo_cv_var_gcc_static_libgcc=no]
-           )
-       ]
-    )
-    CFLAGS="$_CFLAGS"
-    if test "$sudo_cv_var_gcc_static_libgcc" = "yes"; then
-       LTLDFLAGS="$LTLDFLAGS -Wc,-static-libgcc"
-    fi
-fi
+# Check for variadic macro support in cpp
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([
+AC_INCLUDES_DEFAULT
+#if defined(__GNUC__) && __GNUC__ == 2
+# define sudo_fprintf(fp, fmt...) fprintf((fp), (fmt))
+#else
+# define sudo_fprintf(fp, ...) fprintf((fp), __VA_ARGS__)
+#endif
+], [sudo_fprintf(stderr, "a %s", "test");])], [], [AC_MSG_ERROR([Your C compiler doesn't support variadic macros, try building with gcc instead])])
+
 dnl
 dnl Program checks
 dnl
 dnl
 dnl Program checks
 dnl
@@ -1962,14 +2084,26 @@ dnl
 AC_HEADER_STDC
 AC_HEADER_DIRENT
 AC_HEADER_TIME
 AC_HEADER_STDC
 AC_HEADER_DIRENT
 AC_HEADER_TIME
-AC_CHECK_HEADERS(malloc.h paths.h utime.h netgroup.h utmpx.h sys/sockio.h sys/bsdtypes.h sys/select.h sys/stropts.h sys/sysmacros.h)
+AC_HEADER_STDBOOL
+AC_HEADER_MAJOR
+AC_CHECK_HEADERS(malloc.h netgroup.h paths.h spawn.h utime.h utmpx.h sys/sockio.h sys/bsdtypes.h sys/select.h sys/stropts.h sys/sysmacros.h)
+AC_CHECK_HEADERS([endian.h] [sys/endian.h] [machine/endian.h], [break])
+AC_CHECK_HEADERS([procfs.h] [sys/procfs.h], [AC_CHECK_MEMBERS(struct psinfo.pr_ttydev, [AC_CHECK_FUNCS(_ttyname_dev)], [], [AC_INCLUDES_DEFAULT
+#ifdef HAVE_PROCFS_H
+#include <procfs.h>
+#endif
+#ifdef HAVE_SYS_PROCFS_H
+#include <sys/procfs.h>
+#endif
+])]
+break)
 dnl
 dnl Check for large file support.  HP-UX 11.23 has a broken sys/type.h
 dnl when large files support is enabled so work around it.
 dnl
 AC_SYS_LARGEFILE
 dnl
 dnl Check for large file support.  HP-UX 11.23 has a broken sys/type.h
 dnl when large files support is enabled so work around it.
 dnl
 AC_SYS_LARGEFILE
-case "$host" in
-    *-*-hpux11.*)
+case "$host_os" in
+    hpux11.*)
        AC_CACHE_CHECK([whether sys/types.h needs _XOPEN_SOURCE_EXTENDED], [sudo_cv_xopen_source_extended],
        [AC_COMPILE_IFELSE([AC_LANG_PROGRAM([AC_INCLUDES_DEFAULT
        #include <sys/socket.h>], [])], [sudo_cv_xopen_source_extended=no], [
        AC_CACHE_CHECK([whether sys/types.h needs _XOPEN_SOURCE_EXTENDED], [sudo_cv_xopen_source_extended],
        [AC_COMPILE_IFELSE([AC_LANG_PROGRAM([AC_INCLUDES_DEFAULT
        #include <sys/socket.h>], [])], [sudo_cv_xopen_source_extended=no], [
@@ -2015,21 +2149,30 @@ AC_TYPE_UID_T
 AC_CHECK_TYPE([__signed char], [], [AC_CHECK_TYPE([signed char], [AC_DEFINE(__signed, signed)], [AC_DEFINE(__signed, [])])])
 AC_CHECK_TYPE([sig_atomic_t], [], [AC_DEFINE(sig_atomic_t, int)], [#include <sys/types.h>
 #include <signal.h>])
 AC_CHECK_TYPE([__signed char], [], [AC_CHECK_TYPE([signed char], [AC_DEFINE(__signed, signed)], [AC_DEFINE(__signed, [])])])
 AC_CHECK_TYPE([sig_atomic_t], [], [AC_DEFINE(sig_atomic_t, int)], [#include <sys/types.h>
 #include <signal.h>])
-AC_CHECK_TYPES([sigaction_t], [AC_DEFINE(HAVE_SIGACTION_T)], [], [#include <sys/types.h>
+AC_CHECK_TYPES([sigaction_t], [], [], [#include <sys/types.h>
 #include <signal.h>])
 #include <signal.h>])
-AC_CHECK_TYPE([struct timespec], [AC_DEFINE(HAVE_TIMESPEC)], [], [#include <sys/types.h>
+AC_CHECK_TYPES([struct timespec], [], [], [#include <sys/types.h>
 #if TIME_WITH_SYS_TIME
 # include <sys/time.h>
 #endif
 #include <time.h>])
 #if TIME_WITH_SYS_TIME
 # include <sys/time.h>
 #endif
 #include <time.h>])
-AC_CHECK_TYPES([struct in6_addr], [AC_DEFINE(HAVE_IN6_ADDR)], [], [#include <sys/types.h>
+AC_CHECK_TYPES([struct in6_addr], [], [], [#include <sys/types.h>
 #include <netinet/in.h>])
 AC_TYPE_LONG_LONG_INT
 #include <netinet/in.h>])
 AC_TYPE_LONG_LONG_INT
+if test X"$ac_cv_type_long_long_int" != X"yes"; then
+    AC_MSG_ERROR(["C compiler does not appear have required long long support"])
+fi
 AC_CHECK_SIZEOF([long int])
 AC_CHECK_SIZEOF([long int])
-SUDO_TYPE_SIZE_T
-SUDO_TYPE_SSIZE_T
-SUDO_TYPE_DEV_T
-SUDO_TYPE_INO_T
+AC_CHECK_TYPE(size_t, unsigned int)
+AC_CHECK_TYPE(ssize_t, int)
+AC_CHECK_TYPE(dev_t, int)
+AC_CHECK_TYPE(ino_t, unsigned int)
+AC_CHECK_TYPE(uint8_t, unsigned char)
+AC_CHECK_TYPE(uint32_t, unsigned int)
+AC_CHECK_TYPE(uint64_t, unsigned long long)
+AC_CHECK_TYPE(socklen_t, [], [AC_DEFINE(socklen_t, unsigned int)], [
+AC_INCLUDES_DEFAULT
+#include <sys/socket.h>])
 SUDO_UID_T_LEN
 SUDO_SOCK_SA_LEN
 dnl
 SUDO_UID_T_LEN
 SUDO_SOCK_SA_LEN
 dnl
@@ -2080,23 +2223,90 @@ dnl
 dnl Function checks
 dnl
 AC_FUNC_GETGROUPS
 dnl Function checks
 dnl
 AC_FUNC_GETGROUPS
-AC_CHECK_FUNCS(strrchr sysconf tzset strftime fstat \
-              regcomp setlocale nl_langinfo getaddrinfo mbr_check_membership \
-              setrlimit64 sysctl)
-AC_REPLACE_FUNCS(getgrouplist)
+AC_CHECK_FUNCS(glob nl_langinfo regcomp setenv strftime strrchr strtoll \
+              sysconf tzset)
+AC_CHECK_FUNCS(getgrouplist, [], [
+    case "$host_os" in
+    aix*)
+       AC_CHECK_FUNCS(getgrset)
+       ;;
+    *)
+       AC_CHECK_FUNC(nss_search, [
+           AC_CHECK_FUNC(_nss_XbyY_buf_alloc, [
+               # Solaris
+               AC_CHECK_FUNC(_nss_initf_group, [
+                   AC_CHECK_HEADERS(nss_dbdefs.h)
+                   AC_DEFINE([HAVE_NSS_SEARCH])
+                   AC_DEFINE([HAVE__NSS_XBYY_BUF_ALLOC])
+                   AC_DEFINE([HAVE__NSS_INITF_GROUP])
+               ])
+           ], [
+               # HP-UX
+               AC_CHECK_FUNC(__nss_XbyY_buf_alloc, [
+                   AC_CHECK_FUNC(__nss_initf_group, [
+                       AC_CHECK_HEADERS(nss_dbdefs.h)
+                       AC_DEFINE([HAVE_NSS_SEARCH])
+                       AC_DEFINE([HAVE___NSS_XBYY_BUF_ALLOC])
+                       AC_DEFINE([HAVE___NSS_INITF_GROUP])
+                   ])
+               ])
+           ])
+       ])
+       ;;
+    esac
+    AC_LIBOBJ(getgrouplist)
+])
 AC_CHECK_FUNCS(getline, [], [
     AC_LIBOBJ(getline)
     AC_CHECK_FUNCS(fgetln)
 ])
 AC_CHECK_FUNCS(getline, [], [
     AC_LIBOBJ(getline)
     AC_CHECK_FUNCS(fgetln)
 ])
+dnl
+dnl If libc supports _FORTIFY_SOURCE check functions, use it.
+dnl
+if test "$enable_hardening" != "no"; then
+    O_CPPFLAGS="$CPPFLAGS"
+    CPPFLAGS="$CPPFLAGS -D_FORTIFY_SOURCE=2"
+    AC_CHECK_FUNC(__sprintf_chk, [
+       AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[char buf[4]; (void)sprintf(buf, "%s", "foo");]])], [OSDEFS="${OSDEFS} -D_FORTIFY_SOURCE=2"], [])
+    ], [])
+    CPPFLAGS="$O_CPPFLAGS"
+fi
+
 utmp_style=LEGACY
 AC_CHECK_FUNCS(getutxid getutid, [utmp_style=POSIX; break])
 if test "$utmp_style" = "LEGACY"; then
     AC_CHECK_FUNCS(getttyent ttyslot, [break])
 utmp_style=LEGACY
 AC_CHECK_FUNCS(getutxid getutid, [utmp_style=POSIX; break])
 if test "$utmp_style" = "LEGACY"; then
     AC_CHECK_FUNCS(getttyent ttyslot, [break])
+    AC_CHECK_FUNCS(fseeko)
 fi
 
 fi
 
-AC_CHECK_FUNCS(openpty, [AC_CHECK_HEADERS(util.h pty.h, [break])], [
+AC_CHECK_FUNCS(sysctl, [AC_CHECK_MEMBERS([struct kinfo_proc.ki_tdev], [],
+    [
+       AC_CHECK_MEMBERS([struct kinfo_proc2.p_tdev], [], [
+           AC_CHECK_MEMBERS([struct kinfo_proc.p_tdev], [], [
+               AC_CHECK_MEMBERS([struct kinfo_proc.kp_eproc.e_tdev], [], [], [
+                   #include <sys/param.h>
+                   #include <sys/sysctl.h>
+               ])
+           ], [
+               #include <sys/param.h>
+               #include <sys/sysctl.h>
+           ])
+       ],
+       [
+           #include <sys/param.h>
+           #include <sys/sysctl.h>
+       ])
+    ],
+    [
+       #include <sys/param.h>
+       #include <sys/sysctl.h>
+       #include <sys/user.h>
+    ])
+])
+
+AC_CHECK_FUNCS(openpty, [AC_CHECK_HEADERS(libutil.h util.h pty.h, [break])], [
     AC_CHECK_LIB(util, openpty, [
     AC_CHECK_LIB(util, openpty, [
-       AC_CHECK_HEADERS(util.h pty.h, [break])
+       AC_CHECK_HEADERS(libutil.h util.h pty.h, [break])
        case "$SUDO_LIBS" in
            *-lutil*) ;;
            *) SUDO_LIBS="${SUDO_LIBS} -lutil";;
        case "$SUDO_LIBS" in
            *-lutil*) ;;
            *) SUDO_LIBS="${SUDO_LIBS} -lutil";;
@@ -2112,7 +2322,8 @@ AC_CHECK_FUNCS(openpty, [AC_CHECK_HEADERS(util.h pty.h, [break])], [
        ])
     ])
 ])
        ])
     ])
 ])
-AC_CHECK_FUNCS(unsetenv, [SUDO_FUNC_UNSETENV_VOID], [AC_LIBOBJ(unsetenv)])
+AC_CHECK_FUNCS(unsetenv, [SUDO_FUNC_UNSETENV_VOID], [])
+SUDO_FUNC_PUTENV_CONST
 if test -z "$SKIP_SETRESUID"; then
     AC_CHECK_FUNCS(setresuid, [
        SKIP_SETREUID=yes
 if test -z "$SKIP_SETRESUID"; then
     AC_CHECK_FUNCS(setresuid, [
        SKIP_SETREUID=yes
@@ -2120,28 +2331,24 @@ if test -z "$SKIP_SETRESUID"; then
     ])
 fi
 if test -z "$SKIP_SETREUID"; then
     ])
 fi
 if test -z "$SKIP_SETREUID"; then
-    AC_CHECK_FUNCS(setreuid, [SKIP_SETEUID=yes])
-fi
-if test -z "$SKIP_SETEUID"; then
-    AC_CHECK_FUNCS(seteuid)
+    AC_CHECK_FUNCS(setreuid)
 fi
 fi
+AC_CHECK_FUNCS(seteuid)
 if test X"$with_interfaces" != X"no"; then
     AC_CHECK_FUNCS(getifaddrs, [AC_CHECK_FUNCS(freeifaddrs)])
 fi
 if test -z "$BROKEN_GETCWD"; then
     AC_REPLACE_FUNCS(getcwd)
 fi
 if test X"$with_interfaces" != X"no"; then
     AC_CHECK_FUNCS(getifaddrs, [AC_CHECK_FUNCS(freeifaddrs)])
 fi
 if test -z "$BROKEN_GETCWD"; then
     AC_REPLACE_FUNCS(getcwd)
 fi
-AC_CHECK_FUNCS(glob, [AC_MSG_CHECKING(for GLOB_BRACE and GLOB_TILDE in glob.h)
-AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <glob.h>]], [[int i = GLOB_BRACE | GLOB_TILDE; (void)i;]])], [AC_DEFINE(HAVE_EXTENDED_GLOB)
-    AC_MSG_RESULT(yes)], [AC_LIBOBJ(glob)
-    AC_MSG_RESULT(no)])], [AC_LIBOBJ(glob)])
 AC_CHECK_FUNCS(lockf flock, [break])
 AC_CHECK_FUNCS(innetgr _innetgr, [AC_CHECK_FUNCS(getdomainname) [break]])
 AC_CHECK_FUNCS(utimes, [AC_CHECK_FUNCS(futimes futimesat, [break])], [AC_CHECK_FUNCS(futime) AC_LIBOBJ(utimes)])
 AC_CHECK_FUNCS(killpg, [], [AC_LIBOBJ(killpg)])
 AC_CHECK_FUNCS(lockf flock, [break])
 AC_CHECK_FUNCS(innetgr _innetgr, [AC_CHECK_FUNCS(getdomainname) [break]])
 AC_CHECK_FUNCS(utimes, [AC_CHECK_FUNCS(futimes futimesat, [break])], [AC_CHECK_FUNCS(futime) AC_LIBOBJ(utimes)])
 AC_CHECK_FUNCS(killpg, [], [AC_LIBOBJ(killpg)])
-SUDO_FUNC_FNMATCH([AC_DEFINE(HAVE_FNMATCH)], [AC_LIBOBJ(fnmatch)])
+SUDO_FUNC_FNMATCH([AC_DEFINE(HAVE_FNMATCH)], [AC_LIBOBJ(fnmatch)
+    COMPAT_TEST_PROGS="${COMPAT_TEST_PROGS}${COMPAT_TEST_PROGS+ }fnm_test"
+])
 SUDO_FUNC_ISBLANK
 SUDO_FUNC_ISBLANK
-AC_REPLACE_FUNCS(memrchr strlcpy strlcat setenv)
+AC_REPLACE_FUNCS(memrchr pw_dup strlcpy strlcat)
 AC_CHECK_FUNCS(nanosleep, [], [
     # On Solaris, nanosleep is in librt
     AC_CHECK_LIB(rt, nanosleep, [REPLAY_LIBS="${REPLAY_LIBS} -lrt"], [AC_LIBOBJ(nanosleep)])
 AC_CHECK_FUNCS(nanosleep, [], [
     # On Solaris, nanosleep is in librt
     AC_CHECK_LIB(rt, nanosleep, [REPLAY_LIBS="${REPLAY_LIBS} -lrt"], [AC_LIBOBJ(nanosleep)])
@@ -2167,6 +2374,10 @@ dnl
 AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <sys/types.h>
 #include <$ac_header_dirent>]], [[DIR *d; (void)dirfd(d);]])], [AC_DEFINE(HAVE_DIRFD)], [AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <sys/types.h>
 #include <$ac_header_dirent>]], [[DIR d; memset(&d, 0, sizeof(d)); return(d.dd_fd);]])], [AC_DEFINE(HAVE_DD_FD)], [])])
 AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <sys/types.h>
 #include <$ac_header_dirent>]], [[DIR *d; (void)dirfd(d);]])], [AC_DEFINE(HAVE_DIRFD)], [AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <sys/types.h>
 #include <$ac_header_dirent>]], [[DIR d; memset(&d, 0, sizeof(d)); return(d.dd_fd);]])], [AC_DEFINE(HAVE_DD_FD)], [])])
+AC_CHECK_MEMBERS([struct dirent.d_type], [], [], [
+AC_INCLUDES_DEFAULT
+#include <$ac_header_dirent>
+])
 dnl
 dnl If NEED_SNPRINTF is set, add snprintf.c to LIBOBJS
 dnl (it contains snprintf, vsnprintf, asprintf, and vasprintf)
 dnl
 dnl If NEED_SNPRINTF is set, add snprintf.c to LIBOBJS
 dnl (it contains snprintf, vsnprintf, asprintf, and vasprintf)
@@ -2177,20 +2388,88 @@ fi
 dnl
 dnl If socket(2) not in libc, check -lsocket and -linet
 dnl May need to link with *both* -lnsl and -lsocket due to unresolved symbols
 dnl
 dnl If socket(2) not in libc, check -lsocket and -linet
 dnl May need to link with *both* -lnsl and -lsocket due to unresolved symbols
-dnl In this case we look for main(), not socket() to avoid using a cached value
 dnl
 dnl
-AC_CHECK_FUNC(socket, , [AC_CHECK_LIB(socket, socket, [NET_LIBS="${NET_LIBS} -lsocket"; LIBS="${LIBS} -lsocket"], AC_CHECK_LIB(inet, socket, [NET_LIBS="${NET_LIBS} -linet"; LIBS="${LIBS} -linet"], AC_MSG_WARN(unable to find socket() trying -lsocket -lnsl)
-AC_CHECK_LIB(socket, socket, [NET_LIBS="${NET_LIBS} -lsocket -lnsl"; LIBS="${LIBS} -lsocket -lnsl"], , -lnsl)))])
+AC_CHECK_FUNC(socket, [], [
+    for libs in "-lsocket" "-linet" "-lsocket -lnsl"; do
+       _libs=
+       for lib in $libs; do
+           case "$NET_LIBS" in
+               *"$lib"*)   ;;
+               *)          _libs="$_libs $lib";;
+           esac
+       done
+       libs="${_libs# }"
+       test -z "$libs" && continue
+       lib="`echo \"$libs\"|sed -e 's/^-l//' -e 's/ .*$//'`"
+       extralibs="`echo \"$libs\"|sed 's/^-l[[^ ]]*//'`"
+       SUDO_CHECK_LIB($lib, socket, [NET_LIBS="${NET_LIBS} $libs"; LIBS="${LIBS} $libs"; break], [], [$extralibs])
+    done
+])
 dnl
 dnl If inet_addr(3) not in libc, check -lnsl and -linet
 dnl May need to link with *both* -lnsl and -lsocket due to unresolved symbols
 dnl
 dnl
 dnl If inet_addr(3) not in libc, check -lnsl and -linet
 dnl May need to link with *both* -lnsl and -lsocket due to unresolved symbols
 dnl
-AC_CHECK_FUNC(inet_addr, , [AC_CHECK_FUNC(__inet_addr, , AC_CHECK_LIB(nsl, inet_addr, [NET_LIBS="${NET_LIBS} -lnsl"; LIBS="${LIBS} -lnsl"], AC_CHECK_LIB(inet, inet_addr, [NET_LIBS="${NET_LIBS} -linet"; LIBS="${LIBS} -linet"], AC_MSG_WARN(unable to find inet_addr() trying -lsocket -lnsl)
-AC_CHECK_LIB(socket, inet_addr, [NET_LIBS="${NET_LIBS} -lsocket -lnsl"; LIBS="${LIBS} -lsocket -lnsl"], , -lnsl))))])
+AC_CHECK_FUNC(inet_addr, [], [
+    AC_CHECK_FUNC(__inet_addr, [], [
+       for libs in "-lsocket" "-linet" "-lsocket -lnsl"; do
+           _libs=
+           for lib in $libs; do
+               case "$NET_LIBS" in
+                   *"$lib"*)   ;;
+                   *)          _libs="$_libs $lib";;
+               esac
+           done
+           libs="${_libs# }"
+           test -z "$libs" && continue
+           lib="`echo \"$libs\"|sed -e 's/^-l//' -e 's/ .*$//'`"
+           extralibs="`echo \"$libs\"|sed 's/^-l[[^ ]]*//'`"
+           SUDO_CHECK_LIB($lib, inet_addr, [NET_LIBS="${NET_LIBS} $libs"; LIBS="${LIBS} $libs"; break], [], [$extralibs])
+       done
+    ])
+])
 dnl
 dnl If syslog(3) not in libc, check -lsocket, -lnsl and -linet
 dnl
 dnl
 dnl If syslog(3) not in libc, check -lsocket, -lnsl and -linet
 dnl
-AC_CHECK_FUNC(syslog, , [AC_CHECK_LIB(socket, syslog, [NET_LIBS="${NET_LIBS} -lsocket"; LIBS="${LIBS} -lsocket"], AC_CHECK_LIB(nsl, syslog, [NET_LIBS="${NET_LIBS} -lnsl"; LIBS="${LIBS} -lnsl"], AC_CHECK_LIB(inet, syslog, [NET_LIBS="${NET_LIBS} -linet"; LIBS="${LIBS} -linet"])))])
+AC_CHECK_FUNC(syslog, [], [
+    for libs in "-lsocket" "-linet" "-lsocket -lnsl"; do
+       _libs=
+       for lib in $libs; do
+           case "$NET_LIBS" in
+               *"$lib"*)   ;;
+               *)          _libs="$_libs $lib";;
+           esac
+       done
+       libs="${_libs# }"
+       test -z "$libs" && continue
+       lib="`echo \"$libs\"|sed -e 's/^-l//' -e 's/ .*$//'`"
+       extralibs="`echo \"$libs\"|sed 's/^-l[[^ ]]*//'`"
+       SUDO_CHECK_LIB($lib, syslog, [NET_LIBS="${NET_LIBS} $libs"; LIBS="${LIBS} $libs"; break], [], [$extralibs])
+    done
+])
+dnl
+dnl If getaddrinfo(3) not in libc, check -lsocket and -linet
+dnl May need to link with *both* -lnsl and -lsocket due to unresolved symbols.
+dnl
+AC_CHECK_FUNCS(getaddrinfo, [], [
+    found=no
+    for libs in "-lsocket" "-linet" "-lsocket -lnsl"; do
+       _libs=
+       for lib in $libs; do
+           case "$NET_LIBS" in
+               *"$lib"*)   ;;
+               *)          _libs="$_libs $lib";;
+           esac
+       done
+       libs="${_libs# }"
+       test -z "$libs" && continue
+       lib="`echo \"$libs\"|sed -e 's/^-l//' -e 's/ .*$//'`"
+       extralibs="`echo \"$libs\"|sed 's/^-l[[^ ]]*//'`"
+       SUDO_CHECK_LIB($lib, getaddrinfo, [NET_LIBS="${NET_LIBS} $libs"; LIBS="${LIBS} $libs"; found=yes; break], [], [$extralibs])
+    done
+    if test X"$found" != X"no"; then
+       AC_DEFINE(HAVE_GETADDRINFO)
+    fi
+])
 dnl
 dnl Check for getprogname() or __progname
 dnl
 dnl
 dnl Check for getprogname() or __progname
 dnl
@@ -2205,6 +2484,25 @@ AC_CHECK_FUNCS(getprogname, , [
     fi
     AC_MSG_RESULT($sudo_cv___progname)
 ])
     fi
     AC_MSG_RESULT($sudo_cv___progname)
 ])
+dnl
+dnl Check for __func__ or __FUNCTION__
+dnl
+AC_MSG_CHECKING([for __func__])
+AC_CACHE_VAL(sudo_cv___func__, [
+AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[(void)puts(__func__);]])], [sudo_cv___func__=yes], [sudo_cv___func__=no])])
+AC_MSG_RESULT($sudo_cv___func__)
+if test "$sudo_cv___func__" = "yes"; then
+    AC_DEFINE(HAVE___FUNC__)
+elif test -n "$GCC"; then
+    AC_MSG_CHECKING([for __FUNCTION__])
+    AC_CACHE_VAL(sudo_cv___FUNCTION__, [
+    AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[(void)puts(__FUNCTION__);]])], [sudo_cv___FUNCTION__=yes], [sudo_cv___FUNCTION__=no])])
+    AC_MSG_RESULT($sudo_cv___FUNCTION__)
+    if test "$sudo_cv___FUNCTION__" = "yes"; then
+       AC_DEFINE(HAVE___FUNC__)
+       AC_DEFINE(__func__, __FUNCTION__, [Define to __FUNCTION__ if your compiler supports __FUNCTION__ but not __func__])
+    fi
+fi
 
 # gettext() and friends may be located in libc (Linux and Solaris)
 # or in libintl.  However, it is possible to have libintl installed
 
 # gettext() and friends may be located in libc (Linux and Solaris)
 # or in libintl.  However, it is possible to have libintl installed
@@ -2214,7 +2512,7 @@ AC_CHECK_FUNCS(getprogname, , [
 # make sure we use the gettext() that matches the include file.
 if test "$enable_nls" != "no"; then
     if test "$enable_nls" != "yes"; then
 # make sure we use the gettext() that matches the include file.
 if test "$enable_nls" != "no"; then
     if test "$enable_nls" != "yes"; then
-       CPPFLAGS="${CPPFLAGS} -I${enable_nls}/include"
+       SUDO_APPEND_CPPFLAGS(-I${enable_nls}/include)
        SUDO_APPEND_LIBPATH(LDFLAGS, [$enable_nls/lib])
     fi
     OLIBS="$LIBS"
        SUDO_APPEND_LIBPATH(LDFLAGS, [$enable_nls/lib])
     fi
     OLIBS="$LIBS"
@@ -2240,13 +2538,20 @@ if test "$enable_nls" != "no"; then
        ])
        eval gettext_result="\$$gettext_name"
        AC_MSG_RESULT($gettext_result)
        ])
        eval gettext_result="\$$gettext_name"
        AC_MSG_RESULT($gettext_result)
-       test "$gettext_result" = "yes" && break
+       if test "$gettext_result" = "yes"; then
+           AC_CHECK_FUNCS(ngettext)
+           break
+       fi
     done
     LIBS="$OLIBS"
 
     if test "$sudo_cv_gettext" = "yes"; then
        AC_DEFINE(HAVE_LIBINTL_H)
        SUDO_NLS=enabled
     done
     LIBS="$OLIBS"
 
     if test "$sudo_cv_gettext" = "yes"; then
        AC_DEFINE(HAVE_LIBINTL_H)
        SUDO_NLS=enabled
+       # For Solaris we need links from lang to lang.UTF-8 in localedir
+       case "$host_os" in
+           solaris2*) LOCALEDIR_SUFFIX=".UTF-8";;
+       esac
     elif test "$sudo_cv_gettext_lintl" = "yes"; then
        AC_DEFINE(HAVE_LIBINTL_H)
        SUDO_NLS=enabled
     elif test "$sudo_cv_gettext_lintl" = "yes"; then
        AC_DEFINE(HAVE_LIBINTL_H)
        SUDO_NLS=enabled
@@ -2261,6 +2566,8 @@ fi
 dnl
 dnl Deferred zlib option processing.
 dnl By default we use the system zlib if it is present.
 dnl
 dnl Deferred zlib option processing.
 dnl By default we use the system zlib if it is present.
+dnl If a directory was specified for zlib (or we are use sudo's version),
+dnl prepend the include dir to make sure we get the right zlib header.
 dnl
 case "$enable_zlib" in
     yes)
 dnl
 case "$enable_zlib" in
     yes)
@@ -2279,20 +2586,36 @@ case "$enable_zlib" in
        ;;
     *)
        AC_DEFINE(HAVE_ZLIB_H)
        ;;
     *)
        AC_DEFINE(HAVE_ZLIB_H)
-       CPPFLAGS="${CPPFLAGS} -I${enable_zlib}/include"
+       SUDO_APPEND_CPPFLAGS(-I${enable_zlib}/include)
        SUDO_APPEND_LIBPATH(ZLIB, [$enable_zlib/lib])
        ZLIB="${ZLIB} -lz"
        ;;
 esac
 if test X"$enable_zlib" = X"builtin"; then
     AC_DEFINE(HAVE_ZLIB_H)
        SUDO_APPEND_LIBPATH(ZLIB, [$enable_zlib/lib])
        ZLIB="${ZLIB} -lz"
        ;;
 esac
 if test X"$enable_zlib" = X"builtin"; then
     AC_DEFINE(HAVE_ZLIB_H)
-    CPPFLAGS="${CPPFLAGS}"' -I$(top_srcdir)/zlib'
+    CPPFLAGS='-I$(top_builddir)/zlib -I$(top_srcdir)/zlib '"${CPPFLAGS}"
     ZLIB="${ZLIB}"' $(top_builddir)/zlib/libz.la'
     ZLIB_SRC=zlib
     AC_CONFIG_HEADER([zlib/zconf.h])
     AC_CONFIG_FILES([zlib/Makefile])
 fi
 
     ZLIB="${ZLIB}"' $(top_builddir)/zlib/libz.la'
     ZLIB_SRC=zlib
     AC_CONFIG_HEADER([zlib/zconf.h])
     AC_CONFIG_FILES([zlib/Makefile])
 fi
 
+dnl
+dnl Check for errno declaration in errno.h
+dnl
+AC_CHECK_DECLS([errno], [], [], [
+AC_INCLUDES_DEFAULT
+#include <errno.h>
+])
+
+dnl
+dnl Check for h_errno declaration in netdb.h
+dnl
+AC_CHECK_DECLS([h_errno], [], [], [
+AC_INCLUDES_DEFAULT
+#include <netdb.h>
+])
+
 dnl
 dnl Check for strsignal() or sys_siglist
 dnl
 dnl
 dnl Check for strsignal() or sys_siglist
 dnl
@@ -2311,6 +2634,37 @@ AC_INCLUDES_DEFAULT
     fi
 ])
 
     fi
 ])
 
+dnl
+dnl Check for sig2str(), sys_signame or sys_sigabbrev
+dnl
+AC_CHECK_FUNCS(sig2str, [], [
+    AC_LIBOBJ(sig2str)
+    HAVE_SIGNAME="false"
+    AC_CHECK_DECLS([sys_signame, _sys_signame, __sys_signame, sys_sigabbrev], [
+       HAVE_SIGNAME="true"
+       break
+    ], [ ], [
+AC_INCLUDES_DEFAULT
+#include <signal.h>
+    ])
+    if test "$HAVE_SIGNAME" != "true"; then
+       AC_CACHE_CHECK([for undeclared sys_sigabbrev],
+           [sudo_cv_var_sys_sigabbrev],
+           [AC_LINK_IFELSE(
+               [AC_LANG_PROGRAM([[extern char **sys_sigabbrev;]], [[return sys_sigabbrev[1];]])],
+                   [sudo_cv_var_sys_sigabbrev=yes],
+                   [sudo_cv_var_sys_sigabbrev=no]
+               )
+           ]
+       )
+       if test "$sudo_cv_var_sys_sigabbrev" = yes; then
+           AC_DEFINE(HAVE_SYS_SIGABBREV)
+       else
+           AC_LIBOBJ(signame)
+       fi
+    fi
+])
+
 dnl
 dnl nsswitch.conf and its equivalents
 dnl
 dnl
 dnl nsswitch.conf and its equivalents
 dnl
@@ -2347,15 +2701,45 @@ dnl PAM support.  Systems that use PAM by default set with_pam=default
 dnl and we do the actual tests here.
 dnl
 if test ${with_pam-"no"} != "no"; then
 dnl and we do the actual tests here.
 dnl
 if test ${with_pam-"no"} != "no"; then
-    # We already link with -ldl (see LIBDL below) so no need for that here.
-    SUDOERS_LIBS="${SUDOERS_LIBS} -lpam"
+    #
+    # Check for pam_start() in libpam first, then for pam_appl.h.
+    #
+    found_pam_lib=no
+    AC_CHECK_LIB(pam, pam_start, [found_pam_lib=yes], [], [$lt_cv_dlopen_libs])
+    #
+    # Some PAM implementations (MacOS X for example) put the PAM headers
+    # in /usr/include/pam instead of /usr/include/security...
+    #
+    found_pam_hdrs=no
+    AC_CHECK_HEADERS([security/pam_appl.h] [pam/pam_appl.h], [found_pam_hdrs=yes; break])
+    if test "$found_pam_lib" = "yes" -a "$found_pam_hdrs" = "yes"; then
+       # Found both PAM libs and headers
+       with_pam=yes
+    elif test "$with_pam" = "yes"; then
+       if test "$found_pam_lib" = "no"; then
+           AC_MSG_ERROR(["--with-pam specified but unable to locate PAM development library."])
+       fi
+       if test "$found_pam_hdrs" = "no"; then
+           AC_MSG_ERROR(["--with-pam specified but unable to locate PAM development headers."])
+       fi
+    elif test "$found_pam_lib" != "$found_pam_hdrs"; then
+       if test "$found_pam_lib" = "no"; then
+           AC_MSG_ERROR(["found PAM headers but no PAM development library; specify --without-pam to build without PAM"])
+       fi
+       if test "$found_pam_hdrs" = "no"; then
+           AC_MSG_ERROR(["found PAM library but no PAM development headers; specify --without-pam to build without PAM"])
+       fi
+    fi
 
 
-    dnl
-    dnl Some PAM implementations (MacOS X for example) put the PAM headers
-    dnl in /usr/include/pam instead of /usr/include/security...
-    dnl
-    AC_CHECK_HEADERS([security/pam_appl.h] [pam/pam_appl.h], [with_pam=yes; break])
     if test "$with_pam" = "yes"; then
     if test "$with_pam" = "yes"; then
+       # Older PAM implementations lack pam_getenvlist
+       OLIBS="$LIBS"
+       LIBS="$LIBS -lpam $lt_cv_dlopen_libs"
+       AC_CHECK_FUNCS(pam_getenvlist)
+       LIBS="$OLIBS"
+
+       # We already link with -ldl if needed (see LIBDL below)
+       SUDOERS_LIBS="${SUDOERS_LIBS} -lpam"
        AC_DEFINE(HAVE_PAM)
        AUTH_OBJS="$AUTH_OBJS pam.lo";
        AUTH_EXCL=PAM
        AC_DEFINE(HAVE_PAM)
        AUTH_OBJS="$AUTH_OBJS pam.lo";
        AUTH_EXCL=PAM
@@ -2377,12 +2761,13 @@ if test ${with_pam-"no"} != "no"; then
            [ case "$enableval" in
                yes)    AC_MSG_RESULT(yes)
                        ;;
            [ case "$enableval" in
                yes)    AC_MSG_RESULT(yes)
                        ;;
-               no)             AC_MSG_RESULT(no)
-                           AC_DEFINE(NO_PAM_SESSION)
-                           ;;
-               *)              AC_MSG_RESULT(no)
-                           AC_MSG_WARN([Ignoring unknown argument to --enable-pam-session: $enableval])
-                           ;;
+               no)     AC_MSG_RESULT(no)
+                       AC_DEFINE(NO_PAM_SESSION)
+                       pam_session=off
+                       ;;
+               *)      AC_MSG_RESULT(no)
+                       AC_MSG_WARN([Ignoring unknown argument to --enable-pam-session: $enableval])
+                       ;;
            esac], AC_MSG_RESULT(yes))
     fi
 fi
            esac], AC_MSG_RESULT(yes))
     fi
 fi
@@ -2430,7 +2815,7 @@ dnl
 if test ${with_fwtk-'no'} != "no"; then
     if test "$with_fwtk" != "yes"; then
        SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [${with_fwtk}])
 if test ${with_fwtk-'no'} != "no"; then
     if test "$with_fwtk" != "yes"; then
        SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [${with_fwtk}])
-       CPPFLAGS="${CPPFLAGS} -I${with_fwtk}"
+       SUDO_APPEND_CPPFLAGS(-I${with_fwtk})
        with_fwtk=yes
     fi
     SUDOERS_LIBS="${SUDOERS_LIBS} -lauth -lfwall"
        with_fwtk=yes
     fi
     SUDOERS_LIBS="${SUDOERS_LIBS} -lauth -lfwall"
@@ -2448,28 +2833,10 @@ if test ${with_SecurID-'no'} != "no"; then
     else
        with_SecurID=/usr/ace
     fi
     else
        with_SecurID=/usr/ace
     fi
-    CPPFLAGS="${CPPFLAGS} -I${with_SecurID}"
-    _LDFLAGS="${LDFLAGS}"
-    SUDO_APPEND_LIBPATH(LDFLAGS, [${with_SecurID}])
-    #
-    # Determine whether to use the new or old SecurID API
-    #
-    AC_CHECK_LIB(aceclnt, SD_Init,
-       [
-           AUTH_OBJS="$AUTH_OBJS securid5.lo";
-           SUDOERS_LIBS="${SUDOERS_LIBS} -laceclnt -lpthread"
-       ]
-       [
-           SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [${with_SecurID}])
-       ], [
-           AUTH_OBJS="$AUTH_OBJS securid.lo";
-           SUDOERS_LIBS="${SUDOERS_LIBS} ${with_SecurID}/sdiclient.a"
-       ],
-       [
-           -lpthread
-       ]
-    )
-    LDFLAGS="${_LDFLAGS}"
+    SUDO_APPEND_CPPFLAGS(-I${with_SecurID})
+    SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [${with_SecurID}])
+    SUDOERS_LIBS="${SUDOERS_LIBS} -laceclnt -lpthread"
+    AUTH_OBJS="$AUTH_OBJS securid5.lo";
 fi
 
 dnl
 fi
 
 dnl
@@ -2489,65 +2856,6 @@ if test -z "${AUTH_EXCL}" -a -n "$AUTH_DEF"; then
     done
 fi
 
     done
 fi
 
-dnl
-dnl Kerberos IV
-dnl
-if test ${with_kerb4-'no'} != "no"; then
-    AC_DEFINE(HAVE_KERB4)
-    dnl
-    dnl Use the specified directory, if any, else search for correct inc dir
-    dnl
-    O_LDFLAGS="$LDFLAGS"
-    if test "$with_kerb4" = "yes"; then
-       found=no
-       O_CPPFLAGS="$CPPFLAGS"
-       for dir in "" "kerberosIV/" "krb4/" "kerberos4/" "kerberosv4/"; do
-           CPPFLAGS="$O_CPPFLAGS -I/usr/include/${dir}"
-           AC_PREPROC_IFELSE([AC_LANG_PROGRAM([[#include <krb.h>]])], [found=yes; break])
-       done
-       test X"$found" = X"no" && CPPFLAGS="$O_CPPFLAGS"
-    else
-       SUDO_APPEND_LIBPATH(LDFLAGS, [${with_kerb4}/lib])
-       SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [${with_kerb4}/lib])
-       CPPFLAGS="$CPPFLAGS -I${with_kerb4}/include"
-       AC_CHECK_HEADER([krb.h], [found=yes], [found=no])
-    fi
-    if test X"$found" = X"no"; then
-       AC_MSG_WARN([Unable to locate Kerberos IV include files, you will have to edit the Makefile and add -I/path/to/krb/includes to CPPFLAGS])
-    fi
-
-    dnl
-    dnl Check for -ldes vs. -ldes425
-    dnl
-    AC_CHECK_LIB(des, des_cbc_encrypt, [K4LIBS="-ldes"], [
-       AC_CHECK_LIB(des425, des_cbc_encrypt, [K4LIBS="-ldes425"], [K4LIBS=""])
-    ])
-    dnl
-    dnl Try to determine whether we have KTH or MIT/CNS Kerberos IV
-    dnl
-    AC_MSG_CHECKING(whether we are using KTH Kerberos IV)
-    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <krb.h>]], [[const char *tmp = krb4_version;]])], [
-           AC_MSG_RESULT(yes)
-           K4LIBS="${K4LIBS} -lcom_err"
-           AC_CHECK_LIB(roken, main, [K4LIBS="${K4LIBS} -lroken"])
-       ], [
-           AC_MSG_RESULT(no)
-       ]
-    )
-    dnl
-    dnl The actual Kerberos IV lib might be -lkrb or -lkrb4
-    dnl
-    AC_CHECK_LIB(krb, main, [K4LIBS="-lkrb $K4LIBS"], [
-       AC_CHECK_LIB(krb4, main, [K4LIBS="-lkrb4 $K4LIBS"],
-           [K4LIBS="-lkrb $K4LIBS"]
-           [AC_MSG_WARN([Unable to locate Kerberos IV libraries, you will have to edit the Makefile and add -L/path/to/krb/libs to SUDOERS_LDFLAGS and possibly add Kerberos libs to SUDOERS_LIBS])]
-       , [$K4LIBS])
-    ], [$K4LIBS])
-    LDFLAGS="$O_LDFLAGS"
-    SUDOERS_LIBS="${SUDOERS_LIBS} $K4LIBS"
-    AUTH_OBJS="$AUTH_OBJS kerb4.lo"
-fi
-
 dnl
 dnl Kerberos V
 dnl There is an easy way and a hard way...
 dnl
 dnl Kerberos V
 dnl There is an easy way and a hard way...
@@ -2589,7 +2897,7 @@ if test ${with_kerb5-'no'} != "no"; then
        else
            dnl XXX - try to include krb5.h here too
            SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [${with_kerb5}/lib])
        else
            dnl XXX - try to include krb5.h here too
            SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [${with_kerb5}/lib])
-           CPPFLAGS="$CPPFLAGS -I${with_kerb5}/include"
+           SUDO_APPEND_CPPFLAGS(-I${with_kerb5}/include)
        fi
 
        dnl
        fi
 
        dnl
@@ -2630,6 +2938,18 @@ if test ${with_kerb5-'no'} != "no"; then
        AC_DEFINE(HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS)
     fi
     LIBS="$_LIBS"
        AC_DEFINE(HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS)
     fi
     LIBS="$_LIBS"
+    AC_MSG_CHECKING(whether to use an instance name for Kerberos V)
+    AC_ARG_ENABLE(kerb5-instance,
+    [AS_HELP_STRING([--enable-kerb5-instance], [instance string to append to the username (separated by a slash)])],
+       [ case "$enableval" in
+           yes)        AC_MSG_ERROR(["must give --enable-kerb5-instance an argument."])
+                       ;;
+           no)         AC_MSG_RESULT(no)
+                       ;;
+           *)          SUDO_DEFINE_UNQUOTED(SUDO_KRB5_INSTANCE, "$enableval")
+                       AC_MSG_RESULT([$enableval])
+                       ;;
+       esac], AC_MSG_RESULT(no))
 fi
 
 dnl
 fi
 
 dnl
@@ -2667,7 +2987,7 @@ if test ${with_AFS-'no'} = "yes"; then
     # AFS includes may live in /usr/include on some machines...
     for i in /usr/afsws/include; do
        if test -d ${i}; then
     # AFS includes may live in /usr/include on some machines...
     for i in /usr/afsws/include; do
        if test -d ${i}; then
-           CPPFLAGS="${CPPFLAGS} -I${i}"
+           SUDO_APPEND_CPPFLAGS(-I${i})
            FOUND_AFSINCDIR=true
        fi
     done
            FOUND_AFSINCDIR=true
        fi
     done
@@ -2695,8 +3015,8 @@ dnl
 if test "${with_skey-'no'}" = "yes"; then
     O_LDFLAGS="$LDFLAGS"
     if test "$with_skey" != "yes"; then
 if test "${with_skey-'no'}" = "yes"; then
     O_LDFLAGS="$LDFLAGS"
     if test "$with_skey" != "yes"; then
-       CPPFLAGS="${CPPFLAGS} -I${with_skey}/include"
-       SUDO_APPEND_LIBPATH(LDFLAGS, [${with_skey}/lib])
+       SUDO_APPEND_CPPFLAGS(-I${with_skey}/include)
+       LDFLAGS="$LDFLAGS -L${with_skey}/lib"
        SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [${with_skey}/lib])
        AC_CHECK_HEADER([skey.h], [found=yes], [found=no], [#include <stdio.h>])
     else
        SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [${with_skey}/lib])
        AC_CHECK_HEADER([skey.h], [found=yes], [found=no], [#include <stdio.h>])
     else
@@ -2705,12 +3025,12 @@ if test "${with_skey-'no'}" = "yes"; then
        for dir in "" "/usr/local" "/usr/contrib"; do
            test -n "$dir" && CPPFLAGS="$O_CPPFLAGS -I${dir}/include"
            AC_CHECK_HEADER([skey.h], [found=yes; break], [],
        for dir in "" "/usr/local" "/usr/contrib"; do
            test -n "$dir" && CPPFLAGS="$O_CPPFLAGS -I${dir}/include"
            AC_CHECK_HEADER([skey.h], [found=yes; break], [],
-               [#include <stdio.h>]) 
+               [#include <stdio.h>])
        done
        if test "$found" = "no" -o -z "$dir"; then
            CPPFLAGS="$O_CPPFLAGS"
        else
        done
        if test "$found" = "no" -o -z "$dir"; then
            CPPFLAGS="$O_CPPFLAGS"
        else
-           SUDO_APPEND_LIBPATH(LDFLAGS, [${dir}/lib])
+           LDFLAGS="$LDFLAGS -L${dir}/lib"
            SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [${dir}/lib])
        fi
        if test "$found" = "no"; then
            SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [${dir}/lib])
        fi
        if test "$found" = "no"; then
@@ -2745,8 +3065,8 @@ dnl
 if test "${with_opie-'no'}" = "yes"; then
     O_LDFLAGS="$LDFLAGS"
     if test "$with_opie" != "yes"; then
 if test "${with_opie-'no'}" = "yes"; then
     O_LDFLAGS="$LDFLAGS"
     if test "$with_opie" != "yes"; then
-       CPPFLAGS="${CPPFLAGS} -I${with_opie}/include"
-       SUDO_APPEND_LIBPATH(LDFLAGS, [${with_opie}/lib])
+       SUDO_APPEND_CPPFLAGS(-I${with_opie}/include)
+       LDFLAGS="$LDFLAGS -L${with_opie}/lib"
        SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [${with_opie}/lib])
        AC_PREPROC_IFELSE([AC_LANG_PROGRAM([[#include <opie.h>]])], [found=yes], [found=no])
     else
        SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [${with_opie}/lib])
        AC_PREPROC_IFELSE([AC_LANG_PROGRAM([[#include <opie.h>]])], [found=yes], [found=no])
     else
@@ -2759,7 +3079,7 @@ if test "${with_opie-'no'}" = "yes"; then
        if test "$found" = "no" -o -z "$dir"; then
            CPPFLAGS="$O_CPPFLAGS"
        else
        if test "$found" = "no" -o -z "$dir"; then
            CPPFLAGS="$O_CPPFLAGS"
        else
-           SUDO_APPEND_LIBPATH(LDFLAGS, [${dir}/lib])
+           LDFLAGS="$LDFLAGS -L${dir}/lib"
            SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [${dir}/lib])
        fi
        if test "$found" = "no"; then
            SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [${dir}/lib])
        fi
        if test "$found" = "no"; then
@@ -2827,35 +3147,33 @@ dnl
 dnl extra lib and .o file for LDAP support
 dnl
 if test ${with_ldap-'no'} != "no"; then
 dnl extra lib and .o file for LDAP support
 dnl
 if test ${with_ldap-'no'} != "no"; then
-    _LDFLAGS="$LDFLAGS"
+    O_LDFLAGS="$LDFLAGS"
     if test "$with_ldap" != "yes"; then
        SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [${with_ldap}/lib])
     if test "$with_ldap" != "yes"; then
        SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [${with_ldap}/lib])
-       SUDO_APPEND_LIBPATH(LDFLAGS, [${with_ldap}/lib])
-       CPPFLAGS="${CPPFLAGS} -I${with_ldap}/include"
+       LDFLAGS="$LDFLAGS -L${with_ldap}/lib"
+       SUDO_APPEND_CPPFLAGS(-I${with_ldap}/include)
        with_ldap=yes
     fi
     SUDOERS_OBJS="${SUDOERS_OBJS} ldap.lo"
     LDAP=""
 
        with_ldap=yes
     fi
     SUDOERS_OBJS="${SUDOERS_OBJS} ldap.lo"
     LDAP=""
 
-    AC_MSG_CHECKING([for LDAP libraries])
-    LDAP_LIBS=""
     _LIBS="$LIBS"
     _LIBS="$LIBS"
+    LDAP_LIBS=""
+    IBMLDAP_EXTRA=""
     found=no
     found=no
-    for l in -lldap -llber '-lssl -lcrypto'; do
-       LIBS="${LIBS} $l"
-       LDAP_LIBS="${LDAP_LIBS} $l"
-       AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <sys/types.h>
-       #include <lber.h>
-       #include <ldap.h>]], [[(void)ldap_init(0, 0)]])], [found=yes; break])
-    done
-    dnl if nothing linked just try with -lldap
+    # On HP-UX, libibmldap has a hidden dependency on libCsup
+    case "$host_os" in
+       hpux*) AC_CHECK_LIB(Csup, main, [IBMLDAP_EXTRA=" -lCsup"]);;
+    esac
+    AC_SEARCH_LIBS(ldap_init, "ldap" "ldap -llber" "ldap -llber -lssl -lcrypto" "ibmldap${IBMLDAP_EXTRA}" "ibmldap -lidsldif${IBMLDAP_EXTRA}", [
+       test "$ac_res" != "none required" && LDAP_LIBS="$ac_res"
+       found=yes
+    ])
+    # If nothing linked, try -lldap and hope for the best
     if test "$found" = "no"; then
     if test "$found" = "no"; then
-       LIBS="${_LIBS} -lldap"
        LDAP_LIBS="-lldap"
        LDAP_LIBS="-lldap"
-       AC_MSG_RESULT([not found, using -lldap])
-    else
-       AC_MSG_RESULT([$LDAP_LIBS])
     fi
     fi
+    LIBS="${_LIBS} ${LDAP_LIBS}"
     dnl check if we need to link with -llber for ber_set_option
     OLIBS="$LIBS"
     AC_SEARCH_LIBS([ber_set_option], [lber], [found=yes], [found=no])
     dnl check if we need to link with -llber for ber_set_option
     OLIBS="$LIBS"
     AC_SEARCH_LIBS([ber_set_option], [lber], [found=yes], [found=no])
@@ -2869,9 +3187,12 @@ if test ${with_ldap-'no'} != "no"; then
     AC_MSG_RESULT([yes])
     AC_DEFINE(HAVE_LBER_H)])
 
     AC_MSG_RESULT([yes])
     AC_DEFINE(HAVE_LBER_H)])
 
-    AC_CHECK_HEADERS([sasl/sasl.h] [sasl.h], [AC_CHECK_FUNCS(ldap_sasl_interactive_bind_s)], [break])
+    AC_CHECK_HEADERS([sasl/sasl.h] [sasl.h], [
+       AC_CHECK_FUNCS(ldap_sasl_interactive_bind_s)
+       break
+    ])
     AC_CHECK_HEADERS([ldap_ssl.h] [mps/ldap_ssl.h], [break], [], [#include <ldap.h>])
     AC_CHECK_HEADERS([ldap_ssl.h] [mps/ldap_ssl.h], [break], [], [#include <ldap.h>])
-    AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s ldap_ssl_client_init ldap_start_tls_s_np)
+    AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s ldap_ssl_init ldap_ssl_client_init ldap_start_tls_s_np)
     AC_CHECK_FUNCS(ldap_search_ext_s ldap_search_st, [break])
 
     if test X"$check_gss_krb5_ccache_name" = X"yes"; then
     AC_CHECK_FUNCS(ldap_search_ext_s ldap_search_st, [break])
 
     if test X"$check_gss_krb5_ccache_name" = X"yes"; then
@@ -2903,7 +3224,7 @@ if test ${with_ldap-'no'} != "no"; then
 
     SUDOERS_LIBS="${SUDOERS_LIBS} ${LDAP_LIBS}"
     LIBS="$_LIBS"
 
     SUDOERS_LIBS="${SUDOERS_LIBS} ${LDAP_LIBS}"
     LIBS="$_LIBS"
-    LDFLAGS="$_LDFLAGS"
+    LDFLAGS="$O_LDFLAGS"
 fi
 
 #
 fi
 
 #
@@ -2913,12 +3234,12 @@ fi
 case "$lt_cv_dlopen" in
     dlopen)
        AC_DEFINE(HAVE_DLOPEN)
 case "$lt_cv_dlopen" in
     dlopen)
        AC_DEFINE(HAVE_DLOPEN)
-       SUDOERS_OBJS="$SUDOERS_OBJS plugin_error.lo"
+       SUDO_OBJS="$SUDO_OBJS locale_stub.o"
        LT_STATIC="--tag=disable-static"
        ;;
     shl_load)
        AC_DEFINE(HAVE_SHL_LOAD)
        LT_STATIC="--tag=disable-static"
        ;;
     shl_load)
        AC_DEFINE(HAVE_SHL_LOAD)
-       SUDOERS_OBJS="$SUDOERS_OBJS plugin_error.lo"
+       SUDO_OBJS="$SUDO_OBJS locale_stub.o"
        LT_STATIC="--tag=disable-static"
        AC_LIBOBJ(dlopen)
        ;;
        LT_STATIC="--tag=disable-static"
        AC_LIBOBJ(dlopen)
        ;;
@@ -2943,29 +3264,18 @@ if test X"$LIBDL" != X""; then
     SUDOERS_LIBS="${SUDOERS_LIBS} $LIBDL"
 fi
 
     SUDOERS_LIBS="${SUDOERS_LIBS} $LIBDL"
 fi
 
-# On HP-UX, you cannot dlopen() a shared object that uses pthreads
-# unless the main program is linked against -lpthread.  Since we
-# have no knowledge what libraries a plugin may depend on, we always
-# link against -lpthread on HP-UX if it is available.
+# On HP-UX, you cannot dlopen() a shared object that uses pthreads unless
+# the main program is linked against -lpthread.  We have no knowledge of
+# what libraries a plugin may depend on (e.g. HP-UX LDAP which uses pthreads)
+# so always link against -lpthread on HP-UX if it is available.
 # This check should go after all other libraries tests.
 # This check should go after all other libraries tests.
-case "$host" in
-    *-*-hpux*)
+case "$host_os" in
+    hpux*)
        AC_CHECK_LIB(pthread, main, [SUDO_LIBS="${SUDO_LIBS} -lpthread"])
        AC_CHECK_LIB(pthread, main, [SUDO_LIBS="${SUDO_LIBS} -lpthread"])
+       OSDEFS="${OSDEFS} -D_REENTRANT"
        ;;
 esac
 
        ;;
 esac
 
-dnl
-dnl Add $blibpath to SUDOERS_LDFLAGS if specified by the user or if we
-dnl added -L dirpaths to SUDOERS_LDFLAGS.
-dnl
-if test -n "$blibpath"; then
-    if test -n "$blibpath_add"; then
-       SUDOERS_LDFLAGS="$SUDOERS_LDFLAGS -Wl,-blibpath:${blibpath}${blibpath_add}"
-    elif test -n "$with_blibpath" -a "$with_blibpath" != "yes"; then
-       SUDOERS_LDFLAGS="$SUDOERS_LDFLAGS -Wl,-blibpath:${blibpath}"
-    fi
-fi
-
 dnl
 dnl Check for log file, timestamp and iolog locations
 dnl
 dnl
 dnl Check for log file, timestamp and iolog locations
 dnl
@@ -2976,6 +3286,216 @@ SUDO_LOGFILE
 SUDO_TIMEDIR
 SUDO_IO_LOGDIR
 
 SUDO_TIMEDIR
 SUDO_IO_LOGDIR
 
+dnl
+dnl Turn warnings into errors.
+dnl All compiler/loader tests after this point will fail if
+dnl a warning is displayed (nornally, warnings are not fata).
+dnl
+AC_LANG_WERROR
+
+dnl
+dnl If compiler supports the -static-libgcc flag use it unless we have
+dnl GNU ld (which can avoid linking in libgcc when it is not needed).
+dnl This test relies on AC_LANG_WERROR
+dnl
+if test -n "$GCC" -a "$lt_cv_prog_gnu_ld" != "yes" -a -n "$GCC"; then
+    AX_CHECK_COMPILE_FLAG([-static-libgcc], [LT_LDFLAGS="$LT_LDFLAGS -Wc,-static-libgcc"])
+fi
+
+dnl
+dnl Check for symbol visibility support.
+dnl This test relies on AC_LANG_WERROR
+dnl
+if test -n "$GCC"; then
+    AX_CHECK_COMPILE_FLAG([-fvisibility=hidden], [
+       AC_DEFINE(HAVE_DSO_VISIBILITY)
+       CFLAGS="${CFLAGS} -fvisibility=hidden"
+       LT_LDEXPORTS=
+       LT_LDDEP=
+       NO_VIZ=
+    ])
+else
+    case "$host_os" in
+       hpux*)
+           AX_CHECK_COMPILE_FLAG([-Bhidden_def], [
+               AC_DEFINE(HAVE_DSO_VISIBILITY)
+               CFLAGS="${CFLAGS} -Bhidden_def"
+               LT_LDEXPORTS=
+               LT_LDDEP=
+           ])
+           ;;
+       solaris2*)
+           AX_CHECK_COMPILE_FLAG([-xldscope=hidden], [
+               AC_DEFINE(HAVE_DSO_VISIBILITY)
+               CFLAGS="${CFLAGS} -xldscope=hidden"
+               LT_LDEXPORTS=
+               LT_LDDEP=
+           ])
+           ;;
+    esac
+fi
+
+dnl
+dnl If the compiler doesn't have symbol visibility support, it may
+dnl support version scripts (only GNU and Solaris ld).
+dnl This test relies on AC_LANG_WERROR
+dnl
+if test -n "$LT_LDEXPORTS"; then
+    if test "$lt_cv_prog_gnu_ld" = "yes"; then
+       AC_CACHE_CHECK([whether ld supports anonymous map files],
+           [sudo_cv_var_gnu_ld_anon_map],
+           [
+               sudo_cv_var_gnu_ld_anon_map=no
+               cat > conftest.map <<-EOF
+               {
+                   global: foo;
+                   local:  *;
+               };
+EOF
+               _CFLAGS="$CFLAGS"
+               CFLAGS="$CFLAGS $lt_prog_compiler_pic"
+               _LDFLAGS="$LDFLAGS"
+               LDFLAGS="$LDFLAGS -fpic -shared -Wl,--version-script,./conftest.map"
+               AC_LINK_IFELSE([AC_LANG_PROGRAM([[int foo;]], [[]])],
+                   [sudo_cv_var_gnu_ld_anon_map=yes])
+               CFLAGS="$_CFLAGS"
+               LDFLAGS="$_LDFLAGS"
+           ]
+       )
+       if test "$sudo_cv_var_gnu_ld_anon_map" = "yes"; then
+           LT_LDEXPORTS=; LT_LDDEP="\$(shlib_map)"; LT_LDMAP="-Wl,--version-script,\$(shlib_map)"
+       fi
+    else
+       case "$host_os" in
+           solaris2*)
+               AC_CACHE_CHECK([whether ld supports anonymous map files],
+                   [sudo_cv_var_solaris_ld_anon_map],
+                   [
+                       sudo_cv_var_solaris_ld_anon_map=no
+                       cat > conftest.map <<-EOF
+                       {
+                           global: foo;
+                           local:  *;
+                       };
+EOF
+                       _CFLAGS="$CFLAGS"
+                       CFLAGS="$CFLAGS $lt_prog_compiler_pic"
+                       _LDFLAGS="$LDFLAGS"
+                       LDFLAGS="$LDFLAGS -shared -Wl,-M,./conftest.map"
+                       AC_LINK_IFELSE([AC_LANG_PROGRAM([[int foo;]], [[]])],
+                           [sudo_cv_var_solaris_ld_anon_map=yes])
+                       CFLAGS="$_CFLAGS"
+                       LDFLAGS="$_LDFLAGS"
+                   ]
+               )
+               if test "$sudo_cv_var_solaris_ld_anon_map" = "yes"; then
+                   LT_LDEXPORTS=; LT_LDDEP="\$(shlib_map)"; LT_LDMAP="-Wl,-M,\$(shlib_map)"
+               fi
+               ;;
+           hpux*)
+               AC_CACHE_CHECK([whether ld supports controlling exported symbols],
+                   [sudo_cv_var_hpux_ld_symbol_export],
+                   [
+                       sudo_cv_var_hpux_ld_symbol_export=no
+                       echo "+e foo" > conftest.opt
+                       _CFLAGS="$CFLAGS"
+                       CFLAGS="$CFLAGS $lt_prog_compiler_pic"
+                       _LDFLAGS="$LDFLAGS"
+                       if test -n "$GCC"; then
+                           LDFLAGS="$LDFLAGS -shared -Wl,-c,./conftest.opt"
+                       else
+                           LDFLAGS="$LDFLAGS -Wl,-b -Wl,-c,./conftest.opt"
+                       fi
+                       AC_LINK_IFELSE([AC_LANG_PROGRAM([[int foo;]], [[]])],
+                           [sudo_cv_var_hpux_ld_symbol_export=yes])
+                       CFLAGS="$_CFLAGS"
+                       LDFLAGS="$_LDFLAGS"
+                       rm -f conftest.opt
+                   ]
+               )
+               if test "$sudo_cv_var_hpux_ld_symbol_export" = "yes"; then
+                   LT_LDEXPORTS=; LT_LDDEP="\$(shlib_opt)"; LT_LDOPT="-Wl,-c,\$(shlib_opt)"
+               fi
+               ;;
+       esac
+    fi
+fi
+
+dnl
+dnl Check for PIE executable support if using gcc.
+dnl This test relies on AC_LANG_WERROR
+dnl
+if test -n "$GCC"; then
+    if test -z "$enable_pie"; then
+       case "$host_os" in
+           linux*)
+               # Attempt to build with PIE support
+               enable_pie="maybe"
+               ;;
+       esac
+    fi
+    if test -n "$enable_pie"; then
+       if test "$enable_pie" = "no"; then
+           AX_CHECK_COMPILE_FLAG([-fno-pie], [
+               _CFLAGS="$CFLAGS"
+               CFLAGS="$CFLAGS -fno-pie"
+               AX_CHECK_LINK_FLAG([-nopie], [
+                   PIE_CFLAGS="-fno-pie"
+                   PIE_LDFLAGS="-nopie"
+               ])
+               CFLAGS="$_CFLAGS"
+           ])
+       else
+           AX_CHECK_COMPILE_FLAG([-fPIE], [
+               _CFLAGS="$CFLAGS"
+               CFLAGS="$CFLAGS -fPIE"
+               AX_CHECK_LINK_FLAG([-pie], [
+                   if test "$enable_pie" = "maybe"; then
+                       SUDO_WORKING_PIE([enable_pie=yes], [])
+                   fi
+                   if test "$enable_pie" = "yes"; then
+                       PIE_CFLAGS="-fPIE"
+                       PIE_LDFLAGS="-Wc,-fPIE -pie"
+                   fi
+               ])
+               CFLAGS="$_CFLAGS"
+           ])
+       fi
+    fi
+fi
+if test "$enable_pie" != "yes"; then
+    # Solaris 11.1 and higher supports tagging binaries to use ASLR
+    case "$host_os" in
+       solaris2.1[[1-9]]|solaris2.[[2-9]][[0-9]])
+           AX_CHECK_LINK_FLAG([-Wl,-z,aslr], [PIE_LDFLAGS="${PIE_LDFLAGS}${PIE_LDFLAGS+ }-Wl,-z,aslr"])
+           ;;
+    esac
+fi
+
+dnl
+dnl Check for -fstack-protector and -z relro support
+dnl This test relies on AC_LANG_WERROR
+dnl
+if test "$enable_hardening" != "no"; then
+    if test -n "$GCC"; then
+       AX_CHECK_COMPILE_FLAG([-fstack-protector-all], [
+           AX_CHECK_LINK_FLAG([-fstack-protector-all], [
+               SSP_CFLAGS="-fstack-protector-all"
+               SSP_LDFLAGS="-Wc,-fstack-protector-all"
+           ])
+       ])
+       if test -z "$SSP_CFLAGS"; then
+           AX_CHECK_COMPILE_FLAG([-fstack-protector], [
+               AX_CHECK_LINK_FLAG([-fstack-protector], [
+                   SSP_CFLAGS="-fstack-protector"
+                   SSP_LDFLAGS="-Wc,-fstack-protector"
+               ])
+           ])
+       fi
+    fi
+    AX_CHECK_LINK_FLAG([-Wl,-z,relro], [LDFLAGS="${LDFLAGS} -Wl,-z,relro"])
+fi
+
 dnl
 dnl Use passwd auth module?
 dnl
 dnl
 dnl Use passwd auth module?
 dnl
@@ -3009,6 +3529,28 @@ if test -n "$LIBS"; then
     done
 fi
 
     done
 fi
 
+dnl
+dnl OS-specific initialization
+dnl
+AC_DEFINE_UNQUOTED(os_init, $OS_INIT, [Define to an OS-specific initialization function or `os_init_common'.])
+
+dnl
+dnl We add -Wall and -Werror after all tests so they don't cause failures
+dnl
+if test -n "$GCC"; then
+    if test X"$enable_warnings" = X"yes" -o X"$with_devel" = X"yes"; then
+       CFLAGS="${CFLAGS} -Wall"
+    fi
+    if test X"$enable_werror" = X"yes"; then
+       CFLAGS="${CFLAGS} -Werror"
+    fi
+fi
+
+dnl
+dnl Skip regress tests and sudoers sanity check if cross compiling.
+dnl
+CROSS_COMPILING="$cross_compiling"
+
 dnl
 dnl Set exec_prefix
 dnl
 dnl
 dnl Set exec_prefix
 dnl
@@ -3018,7 +3560,7 @@ dnl
 dnl Defer setting _PATH_SUDO_NOEXEC until after exec_prefix is set
 dnl XXX - this is gross!
 dnl
 dnl Defer setting _PATH_SUDO_NOEXEC until after exec_prefix is set
 dnl XXX - this is gross!
 dnl
-if test X"$with_noexec" != X"no" -o X"$with_selinux" != X"no"; then
+if test X"$with_noexec" != X"no" -o X"$with_selinux" != X"no" -o "$enabled_shared" != X"no"; then
     oexec_prefix="$exec_prefix"
     if test "$exec_prefix" = '$(prefix)'; then
        if test "$prefix" = "NONE"; then
     oexec_prefix="$exec_prefix"
     if test "$exec_prefix" = '$(prefix)'; then
        if test "$prefix" = "NONE"; then
@@ -3031,18 +3573,51 @@ if test X"$with_noexec" != X"no" -o X"$with_selinux" != X"no"; then
        PROGS="${PROGS} libsudo_noexec.la"
        INSTALL_NOEXEC="install-noexec"
 
        PROGS="${PROGS} libsudo_noexec.la"
        INSTALL_NOEXEC="install-noexec"
 
-       eval noexec_file="$with_noexec"
+       noexec_file="$with_noexec"
+       _noexec_file=
+       while test X"$noexec_file" != X"$_noexec_file"; do
+           _noexec_file="$noexec_file"
+           eval noexec_file="$_noexec_file"
+       done
        SUDO_DEFINE_UNQUOTED(_PATH_SUDO_NOEXEC, "$noexec_file", [The fully qualified pathname of sudo_noexec.so])
     fi
     if test X"$with_selinux" != X"no"; then
        SUDO_DEFINE_UNQUOTED(_PATH_SUDO_NOEXEC, "$noexec_file", [The fully qualified pathname of sudo_noexec.so])
     fi
     if test X"$with_selinux" != X"no"; then
-       eval sesh_file="$libexecdir/sesh"
-       SUDO_DEFINE_UNQUOTED(_PATH_SUDO_SESH, "$sesh_file", [The fully qualified pathname of sesh])
+       sesh_file="$libexecdir/sudo/sesh"
+       _sesh_file=
+       while test X"$sesh_file" != X"$_sesh_file"; do
+           _sesh_file="$sesh_file"
+           eval sesh_file="$_sesh_file"
+       done
+       SUDO_DEFINE_UNQUOTED(_PATH_SUDO_SESH, "$sesh_file")
+    fi
+    if test X"$enable_shared" != X"no"; then
+       PLUGINDIR="$with_plugindir"
+       _PLUGINDIR=
+       while test X"$PLUGINDIR" != X"$_PLUGINDIR"; do
+           _PLUGINDIR="$PLUGINDIR"
+           eval PLUGINDIR="$_PLUGINDIR"
+       done
+       SUDO_DEFINE_UNQUOTED(_PATH_SUDO_PLUGIN_DIR, "$PLUGINDIR/")
+       SUDO_DEFINE_UNQUOTED(SUDOERS_PLUGIN, "sudoers.so")
     fi
     fi
-    eval PLUGINDIR="$with_plugindir"
-    SUDO_DEFINE_UNQUOTED(_PATH_SUDO_PLUGIN_DIR, "$PLUGINDIR/")
-    SUDO_DEFINE_UNQUOTED(SUDOERS_PLUGIN, "sudoers${SOEXT}")
     exec_prefix="$oexec_prefix"
 fi
     exec_prefix="$oexec_prefix"
 fi
+if test X"$with_selinux" = X"no"; then
+    SUDO_DEFINE_UNQUOTED(_PATH_SUDO_SESH, NULL)
+fi
+
+dnl
+dnl Add -R options to LDFLAGS, etc.
+dnl
+if test X"$LDFLAGS_R" != X""; then
+    LDFLAGS="$LDFLAGS $LDFLAGS_R"
+fi
+if test X"$SUDOERS_LDFLAGS_R" != X""; then
+    SUDOERS_LDFLAGS="$SUDOERS_LDFLAGS $SUDOERS_LDFLAGS_R"
+fi
+if test X"$ZLIB_R" != X""; then
+    ZLIB="$ZLIB_R $ZLIB"
+fi
 
 dnl
 dnl Override default configure dirs for the Makefile
 
 dnl
 dnl Override default configure dirs for the Makefile
@@ -3058,21 +3633,28 @@ test "$libexecdir" = '${exec_prefix}/libexec' && libexecdir='$(exec_prefix)/libe
 test "$includedir" = '${prefix}/include' && includedir='$(prefix)/include'
 test "$datarootdir" = '${prefix}/share' && datarootdir='$(prefix)/share'
 test "$docdir" = '${datarootdir}/doc/${PACKAGE_TARNAME}' && docdir='$(datarootdir)/doc/$(PACKAGE_TARNAME)'
 test "$includedir" = '${prefix}/include' && includedir='$(prefix)/include'
 test "$datarootdir" = '${prefix}/share' && datarootdir='$(prefix)/share'
 test "$docdir" = '${datarootdir}/doc/${PACKAGE_TARNAME}' && docdir='$(datarootdir)/doc/$(PACKAGE_TARNAME)'
+test "$localedir" = '${datarootdir}/locale' && localedir='$(datarootdir)/locale'
+test "$localstatedir" = '${prefix}/var' && localstatedir='$(prefix)/var'
 test "$sysconfdir" = '${prefix}/etc' -a X"$with_stow" != X"yes" && sysconfdir='/etc'
 
 dnl
 dnl Substitute into the Makefile and man pages
 dnl
 test "$sysconfdir" = '${prefix}/etc' -a X"$with_stow" != X"yes" && sysconfdir='/etc'
 
 dnl
 dnl Substitute into the Makefile and man pages
 dnl
-dnl AC_CONFIG_FILES([doc/sudo.man doc/visudo.man doc/sudoers.man doc/sudoers.ldap.man doc/sudoreplay.man src/Makefile src/sudo_usage.h])
-AC_CONFIG_FILES([Makefile common/Makefile compat/Makefile doc/Makefile include/Makefile src/sudo_usage.h src/Makefile plugins/sample/Makefile plugins/sample_group/Makefile plugins/sudoers/Makefile plugins/sudoers/sudoers])
+AC_CONFIG_FILES([Makefile common/Makefile compat/Makefile doc/Makefile include/Makefile src/sudo_usage.h src/Makefile plugins/sample/Makefile plugins/group_file/Makefile plugins/system_group/Makefile plugins/sudoers/Makefile plugins/sudoers/sudoers])
 AC_OUTPUT
 
 dnl
 dnl Spew any text the user needs to know about
 dnl
 if test "$with_pam" = "yes"; then
 AC_OUTPUT
 
 dnl
 dnl Spew any text the user needs to know about
 dnl
 if test "$with_pam" = "yes"; then
-    case $host in
-       *-*-linux*)
+    case $host_os in
+       hpux*)
+           if test -f /usr/lib/security/libpam_hpsec.so.1; then
+               AC_MSG_NOTICE([You may wish to add the following line to /etc/pam.conf])
+               AC_MSG_NOTICE([sudo session required libpam_hpsec.so.1 bypass_umask bypass_last_login])
+           fi
+           ;;
+       linux*)
            AC_MSG_NOTICE([You will need to customize sample.pam and install it as /etc/pam.d/sudo])
            ;;
     esac
            AC_MSG_NOTICE([You will need to customize sample.pam and install it as /etc/pam.d/sudo])
            ;;
     esac
@@ -3101,30 +3683,28 @@ AH_TEMPLATE(HAVE_DD_FD, [Define to 1 if your `DIR' contains dd_fd.])
 AH_TEMPLATE(HAVE_DIRFD, [Define to 1 if you have the `dirfd' function or macro.])
 AH_TEMPLATE(HAVE_DISPCRYPT, [Define to 1 if you have the `dispcrypt' function.])
 AH_TEMPLATE(HAVE_DLOPEN, [Define to 1 if you have the `dlopen' function.])
 AH_TEMPLATE(HAVE_DIRFD, [Define to 1 if you have the `dirfd' function or macro.])
 AH_TEMPLATE(HAVE_DISPCRYPT, [Define to 1 if you have the `dispcrypt' function.])
 AH_TEMPLATE(HAVE_DLOPEN, [Define to 1 if you have the `dlopen' function.])
-AH_TEMPLATE(HAVE_EXTENDED_GLOB, [Define to 1 if your glob.h defines the GLOB_BRACE and GLOB_TILDE flags.])
 AH_TEMPLATE(HAVE_FCNTL_CLOSEM, [Define to 1 if your system has the F_CLOSEM fcntl.])
 AH_TEMPLATE(HAVE_FNMATCH, [Define to 1 if you have the `fnmatch' function.])
 AH_TEMPLATE(HAVE_FWTK, [Define to 1 if you use the FWTK authsrv daemon.])
 AH_TEMPLATE(HAVE_FCNTL_CLOSEM, [Define to 1 if your system has the F_CLOSEM fcntl.])
 AH_TEMPLATE(HAVE_FNMATCH, [Define to 1 if you have the `fnmatch' function.])
 AH_TEMPLATE(HAVE_FWTK, [Define to 1 if you use the FWTK authsrv daemon.])
-AH_TEMPLATE(HAVE_GETAUTHUID, [Define to 1 if you have the `getauthuid' function. (ULTRIX 4.x  shadow passwords)])
-AH_TEMPLATE(HAVE_GETPRPWNAM, [Define to 1 if you have the `getprpwnam' function.  (SecureWare-style shadow passwords)])
-AH_TEMPLATE(HAVE_GETPWANAM, [Define to 1 if you have the `getpwanam' function. (SunOS 4.x shadow passwords)])
-AH_TEMPLATE(HAVE_GETSPNAM, [Define to 1 if you have the `getspnam' function (SVR4-style shadow passwords)])
-AH_TEMPLATE(HAVE_GETSPWUID, [Define to 1 if you have the `getspwuid' function. (HP-UX <= 9.X shadow passwords)])
+AH_TEMPLATE(HAVE_GETAUTHUID, [Define to 1 if you have the `getauthuid' function. (ULTRIX 4.x  shadow passwords).])
+AH_TEMPLATE(HAVE_GETPRPWNAM, [Define to 1 if you have the `getprpwnam' function.  (SecureWare-style shadow passwords).])
+AH_TEMPLATE(HAVE_GETPWANAM, [Define to 1 if you have the `getpwanam' function. (SunOS 4.x shadow passwords).])
+AH_TEMPLATE(HAVE_GETSPNAM, [Define to 1 if you have the `getspnam' function (SVR4-style shadow passwords).])
+AH_TEMPLATE(HAVE_GETSPWUID, [Define to 1 if you have the `getspwuid' function. (HP-UX <= 9.X shadow passwords).])
 AH_TEMPLATE(HAVE_GSS_KRB5_CCACHE_NAME, [Define to 1 if you have the `gss_krb5_ccache_name' function.])
 AH_TEMPLATE(HAVE_HEIMDAL, [Define to 1 if your Kerberos is Heimdal.])
 AH_TEMPLATE(HAVE_GSS_KRB5_CCACHE_NAME, [Define to 1 if you have the `gss_krb5_ccache_name' function.])
 AH_TEMPLATE(HAVE_HEIMDAL, [Define to 1 if your Kerberos is Heimdal.])
-AH_TEMPLATE(HAVE_IN6_ADDR, [Define to 1 if <netinet/in.h> contains struct in6_addr.])
-AH_TEMPLATE(HAVE_ISCOMSEC, [Define to 1 if you have the `iscomsec' function. (HP-UX >= 10.x check for shadow enabled)])
-AH_TEMPLATE(HAVE_ISSECURE, [Define to 1 if you have the `issecure' function. (SunOS 4.x check for shadow enabled)])
-AH_TEMPLATE(HAVE_KERB4, [Define to 1 if you use Kerberos IV.])
+AH_TEMPLATE(HAVE_ISCOMSEC, [Define to 1 if you have the `iscomsec' function. (HP-UX >= 10.x check for shadow enabled).])
+AH_TEMPLATE(HAVE_ISSECURE, [Define to 1 if you have the `issecure' function. (SunOS 4.x check for shadow enabled).])
 AH_TEMPLATE(HAVE_KERB5, [Define to 1 if you use Kerberos V.])
 AH_TEMPLATE(HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC, [Define to 1 if you have the `krb5_get_init_creds_opt_alloc' function.])
 AH_TEMPLATE(HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS, [Define to 1 if your `krb5_get_init_creds_opt_free' function takes two arguments.])
 AH_TEMPLATE(HAVE_KRB5_INIT_SECURE_CONTEXT, [Define to 1 if you have the `krb5_init_secure_context' function.])
 AH_TEMPLATE(HAVE_KRB5_VERIFY_USER, [Define to 1 if you have the `krb5_verify_user' function.])
 AH_TEMPLATE(HAVE_KERB5, [Define to 1 if you use Kerberos V.])
 AH_TEMPLATE(HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC, [Define to 1 if you have the `krb5_get_init_creds_opt_alloc' function.])
 AH_TEMPLATE(HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS, [Define to 1 if your `krb5_get_init_creds_opt_free' function takes two arguments.])
 AH_TEMPLATE(HAVE_KRB5_INIT_SECURE_CONTEXT, [Define to 1 if you have the `krb5_init_secure_context' function.])
 AH_TEMPLATE(HAVE_KRB5_VERIFY_USER, [Define to 1 if you have the `krb5_verify_user' function.])
-AH_TEMPLATE(HAVE_LBER_H, [Define to 1 if your LDAP needs <lber.h>. (OpenLDAP does not)])
+AH_TEMPLATE(HAVE_LBER_H, [Define to 1 if your LDAP needs <lber.h>. (OpenLDAP does not).])
 AH_TEMPLATE(HAVE_LDAP, [Define to 1 if you use LDAP for sudoers.])
 AH_TEMPLATE(HAVE_LIBINTL_H, [Define to 1 if you have the <libintl.h> header file.])
 AH_TEMPLATE(HAVE_LINUX_AUDIT, [Define to 1 to enable Linux audit support.])
 AH_TEMPLATE(HAVE_LDAP, [Define to 1 if you use LDAP for sudoers.])
 AH_TEMPLATE(HAVE_LIBINTL_H, [Define to 1 if you have the <libintl.h> header file.])
 AH_TEMPLATE(HAVE_LINUX_AUDIT, [Define to 1 to enable Linux audit support.])
+AH_TEMPLATE(HAVE_SSSD, [Define to 1 to enable SSSD support.])
 AH_TEMPLATE(HAVE_OPIE, [Define to 1 if you use NRL OPIE.])
 AH_TEMPLATE(HAVE_PAM, [Define to 1 if you use PAM authentication.])
 AH_TEMPLATE(HAVE_PAM_LOGIN, [Define to 1 if you use a specific PAM session for sudo -i.])
 AH_TEMPLATE(HAVE_OPIE, [Define to 1 if you use NRL OPIE.])
 AH_TEMPLATE(HAVE_PAM, [Define to 1 if you use PAM authentication.])
 AH_TEMPLATE(HAVE_PAM_LOGIN, [Define to 1 if you use a specific PAM session for sudo -i.])
@@ -3133,22 +3713,20 @@ AH_TEMPLATE(HAVE_SECURID, [Define to 1 if you use SecurID for authentication.])
 AH_TEMPLATE(HAVE_SELINUX, [Define to 1 to enable SELinux RBAC support.])
 AH_TEMPLATE(HAVE_SETKEYCREATECON, [Define to 1 if you have the `setkeycreatecon' function.])
 AH_TEMPLATE(HAVE_SHL_LOAD, [Define to 1 if you have the `shl_load' function.])
 AH_TEMPLATE(HAVE_SELINUX, [Define to 1 to enable SELinux RBAC support.])
 AH_TEMPLATE(HAVE_SETKEYCREATECON, [Define to 1 if you have the `setkeycreatecon' function.])
 AH_TEMPLATE(HAVE_SHL_LOAD, [Define to 1 if you have the `shl_load' function.])
-AH_TEMPLATE(HAVE_SIGACTION_T, [Define to 1 if <signal.h> has the sigaction_t typedef.])
 AH_TEMPLATE(HAVE_SKEY, [Define to 1 if you use S/Key.])
 AH_TEMPLATE(HAVE_SKEYACCESS, [Define to 1 if your S/Key library has skeyaccess().])
 AH_TEMPLATE(HAVE_SKEY, [Define to 1 if you use S/Key.])
 AH_TEMPLATE(HAVE_SKEYACCESS, [Define to 1 if your S/Key library has skeyaccess().])
-AH_TEMPLATE(HAVE_RFC1938_SKEYCHALLENGE, [Define to 1 if the skeychallenge() function is RFC1938-compliant and takes 4 arguments])
-AH_TEMPLATE(HAVE_ST__TIM, [Define to 1 if your struct stat uses an st__tim union])
-AH_TEMPLATE(HAVE_ST_MTIM, [Define to 1 if your struct stat has an st_mtim member])
-AH_TEMPLATE(HAVE_ST_MTIMESPEC, [Define to 1 if your struct stat has an st_mtimespec member])
-AH_TEMPLATE(HAVE_TIMESPEC, [Define to 1 if you have struct timespec in sys/time.h])
+AH_TEMPLATE(HAVE_RFC1938_SKEYCHALLENGE, [Define to 1 if the skeychallenge() function is RFC1938-compliant and takes 4 arguments.])
+AH_TEMPLATE(HAVE_ST__TIM, [Define to 1 if your struct stat uses an st__tim union.])
+AH_TEMPLATE(HAVE_ST_MTIM, [Define to 1 if your struct stat has an st_mtim member.])
+AH_TEMPLATE(HAVE_ST_MTIMESPEC, [Define to 1 if your struct stat has an st_mtimespec member.])
 AH_TEMPLATE(HAVE___PROGNAME, [Define to 1 if your crt0.o defines the __progname symbol for you.])
 AH_TEMPLATE(HOST_IN_LOG, [Define to 1 if you want the hostname to be entered into the log file.])
 AH_TEMPLATE(HAVE___PROGNAME, [Define to 1 if your crt0.o defines the __progname symbol for you.])
 AH_TEMPLATE(HOST_IN_LOG, [Define to 1 if you want the hostname to be entered into the log file.])
-AH_TEMPLATE(IGNORE_DOT_PATH, [Define to 1 if you want to ignore '.' and empty PATH elements])
+AH_TEMPLATE(IGNORE_DOT_PATH, [Define to 1 if you want to ignore '.' and empty PATH elements.])
 AH_TEMPLATE(LOGGING, [Define to SLOG_SYSLOG, SLOG_FILE, or SLOG_BOTH.])
 AH_TEMPLATE(LONG_OTP_PROMPT, [Define to 1 if you want a two line OTP (S/Key or OPIE) prompt.])
 AH_TEMPLATE(NO_AUTHENTICATION, [Define to 1 if you don't want sudo to prompt for a password by default.])
 AH_TEMPLATE(NO_LECTURE, [Define to 1 if you don't want users to get the lecture the first they user sudo.])
 AH_TEMPLATE(LOGGING, [Define to SLOG_SYSLOG, SLOG_FILE, or SLOG_BOTH.])
 AH_TEMPLATE(LONG_OTP_PROMPT, [Define to 1 if you want a two line OTP (S/Key or OPIE) prompt.])
 AH_TEMPLATE(NO_AUTHENTICATION, [Define to 1 if you don't want sudo to prompt for a password by default.])
 AH_TEMPLATE(NO_LECTURE, [Define to 1 if you don't want users to get the lecture the first they user sudo.])
-AH_TEMPLATE(NO_PAM_SESSION, [Define to 1 if you don't want to use sudo's PAM session support])
+AH_TEMPLATE(NO_PAM_SESSION, [Define to 1 if you don't want to use sudo's PAM session support.])
 AH_TEMPLATE(NO_ROOT_MAILER, [Define to avoid runing the mailer as root.])
 AH_TEMPLATE(NO_ROOT_SUDO, [Define to 1 if root should not be allowed to use sudo.])
 AH_TEMPLATE(NO_TTY_TICKETS, [Define to 1 if you want a single ticket file instead of per-tty files.])
 AH_TEMPLATE(NO_ROOT_MAILER, [Define to avoid runing the mailer as root.])
 AH_TEMPLATE(NO_ROOT_SUDO, [Define to 1 if root should not be allowed to use sudo.])
 AH_TEMPLATE(NO_TTY_TICKETS, [Define to 1 if you want a single ticket file instead of per-tty files.])
@@ -3167,8 +3745,22 @@ AH_TEMPLATE(USE_STOW, [Define to 1 if you use GNU stow packaging.])
 AH_TEMPLATE(WITHOUT_PASSWD, [Define to avoid using the passwd/shadow file for authentication.])
 AH_TEMPLATE(sig_atomic_t, [Define to `int' if <signal.h> does not define.])
 AH_TEMPLATE(__signed, [Define to `signed' or nothing if compiler does not support a signed type qualifier.])
 AH_TEMPLATE(WITHOUT_PASSWD, [Define to avoid using the passwd/shadow file for authentication.])
 AH_TEMPLATE(sig_atomic_t, [Define to `int' if <signal.h> does not define.])
 AH_TEMPLATE(__signed, [Define to `signed' or nothing if compiler does not support a signed type qualifier.])
+AH_TEMPLATE(socklen_t, [Define to `unsigned int' if <sys/socket.h> doesn't define.])
 AH_TEMPLATE(HAVE_STRUCT_UTMP_UT_EXIT, [Define to 1 if `ut_exit' is a member of `struct utmp'.])
 AH_TEMPLATE(HAVE_STRUCT_UTMPX_UT_EXIT, [Define to 1 if `ut_exit' is a member of `struct utmpx'.])
 AH_TEMPLATE(HAVE_STRUCT_UTMP_UT_EXIT, [Define to 1 if `ut_exit' is a member of `struct utmp'.])
 AH_TEMPLATE(HAVE_STRUCT_UTMPX_UT_EXIT, [Define to 1 if `ut_exit' is a member of `struct utmpx'.])
+AH_TEMPLATE(HAVE___FUNC__, [Define to 1 if the compiler supports the C99 __func__ variable.])
+AH_TEMPLATE(SUDO_KRB5_INSTANCE, [An instance string to append to the username (separated by a slash) for Kerberos V authentication.])
+AH_TEMPLATE(RTLD_PRELOAD_VAR, [The environment variable that controls preloading of dynamic objects.])
+AH_TEMPLATE(RTLD_PRELOAD_ENABLE_VAR, [An extra environment variable that is required to enable preloading (if any).])
+AH_TEMPLATE(RTLD_PRELOAD_DELIM, [The delimiter to use when defining multiple preloaded objects.])
+AH_TEMPLATE(RTLD_PRELOAD_DEFAULT, [The default value of preloaded objects (if any).])
+AH_TEMPLATE(HAVE_DSO_VISIBILITY, [Define to 1 if the compiler supports the __visibility__ attribute.])
+AH_TEMPLATE(HAVE_SYS_SIGABBREV, [Define to 1 if your libc has the `sys_sigabbrev' symbol.])
+AH_TEMPLATE(HAVE_NSS_SEARCH, [Define to 1 if you have the `nss_search' function.])
+AH_TEMPLATE(HAVE__NSS_INITF_GROUP, [Define to 1 if you have the `_nss_initf_group' function.])
+AH_TEMPLATE(HAVE___NSS_INITF_GROUP, [Define to 1 if you have the `__nss_initf_group' function.])
+AH_TEMPLATE(HAVE__NSS_XBYY_BUF_ALLOC, [Define to 1 if you have the `_nss_XbyY_buf_alloc' function.])
+AH_TEMPLATE(HAVE___NSS_XBYY_BUF_ALLOC, [Define to 1 if you have the `__nss_XbyY_buf_alloc' function.])
 
 dnl
 dnl Bits to copy verbatim into config.h.in
 
 dnl
 dnl Bits to copy verbatim into config.h.in
@@ -3202,30 +3794,15 @@ AH_BOTTOM([/*
 # endif /* HAVE_ST_MTIMESPEC */
 #endif /* HAVE_ST_MTIM */
 
 # endif /* HAVE_ST_MTIMESPEC */
 #endif /* HAVE_ST_MTIM */
 
-/* GNU stow needs /etc/sudoers to be a symlink. */
-#ifdef USE_STOW
-# define stat_sudoers  stat
+#ifdef __GNUC__
+# define ignore_result(x) do {                                                \
+    __typeof__(x) y = (x);                                                    \
+    (void)y;                                                                  \
+} while(0)
 #else
 #else
-# define stat_sudoers  lstat
+# define ignore_result(x)      (void)(x)
 #endif
 
 #endif
 
-/* Macros to set/clear/test flags. */
-#undef SET
-#define SET(t, f)      ((t) |= (f))
-#undef CLR
-#define CLR(t, f)      ((t) &= ~(f))
-#undef ISSET
-#define ISSET(t, f)     ((t) & (f))
-
-/* ANSI-style OS defs for HP-UX and ConvexOS. */
-#if defined(hpux) && !defined(__hpux)
-# define __hpux                1
-#endif /* hpux */
-
-#if defined(convex) && !defined(__convex__)
-# define __convex__    1
-#endif /* convex */
-
 /* BSD compatibility on some SVR4 systems. */
 #ifdef __svr4__
 # define BSD_COMP
 /* BSD compatibility on some SVR4 systems. */
 #ifdef __svr4__
 # define BSD_COMP
Debian packaging of sudo