Installation instructions for CU sudo 1.5.2 =========================================== Sudo uses a `configure' script to probe the capabilities and type of the system in question. Please read this document fully before configuring and building sudo. You may also wish to read the file INSTALL.configure which explains more about the `configure' script. Simple sudo installation ======================== For most systems and configurations it is possible simply to: 0) If you are upgrading from a previous version of sudo please read the section "Notes on upgrading from an older release". 1) If you previously ran `configure' on a different host you will probably want to do a `make distclean' to remove the old `config.cache' file. Otherwise, `configure' will complain and refuse to run. Alternately, one can simply `rm config.cache'. 2) Read the `OS dependent notes' section for any particular "gotchas" relating to your operating system. 3) `cd' to the source or build directory and type `./configure' to generate a Makefile and config.h file suitable for building sudo. Before you actually run configure you should read the `Available configure options' section to see if there are any special options you may want or need. Also of interest may be the section on `Mixing password authentication schemes'. 4) Edit the configure-generated Makefile if you wish to change any of the default paths (alternately you could have changed the paths via options to `configure'. 5) Edit `options.h' to enable any particular non-default options you wish to use. Refer to the OPTIONS file for an explanation of each one. If you are building in a separate build directory you may make a local copy of options.h in that directory and edit it instead. 6) Type `make' to compile sudo. If you are building sudo in a separate build tree (apart from the sudo source) GNU make will probably be required. If `configure' did its job properly (and you have a supported configuration) there won't be any problems. If this doesn't work, take a look at the files TROUBLESHOOTING and PORTING for tips on what might have gone wrong. Please mail us if you have a fix or if you are unable to come up with a fix (address at EOF). 7) Type `make install' (as root) to install sudo, visudo, the man pages, and a skeleton sudoers file. Note that the install will not overwrite an existing sudoers file. You can also install various pieces the package via the install-binaries, install-man, and install-sudoers make targets. 8) Edit the sudoers file with `visudo' as necessary for your site. You will probably want to refer the sample.sudoers file and sudoers man page included with the sudo package. Notes on upgrading from an older release ======================================== Sudo 1.5.2 expects the sudoers file to have different permissions (mode 0440) and be owned by user and group 0. This differs from version 1.4 and below which expected the sudoers file to be owned by root and mode 0400. Doing a `make install' will set the sudoers file to the new mode and group. If sudo 1.5.2 encounters a sudoers file with the old permissions it will attempt to update it to the new scheme. You cannot, however, use a sudoers file with the new permissions with an old sudo binary. It is suggested that if have a means of distributing sudo you distribute the new binaries first, then the new sudoers file (or you can leave sudoers as is and sudo will fix the permissions itself as long as sudoers is on a local filesystem). Available configure options =========================== This section describes flags accepted by the sudo's `configure' script. Defaults are listed in brackets after the description. Configuration: --cache-file=FILE Cache test results in FILE --help Print the usage/help info --no-create Do not create output files --quiet, --silent Do not print `checking...' messages Directory and file names: --prefix=PREFIX Install architecture-independent files in PREFIX This really only applies to man pages. [/usr/local] --exec-prefix=EPREFIX Install architecture-dependent files in EPREFIX This includes the sudo and visudo executables. [same as prefix] --bindir=DIR Install `sudo' in DIR [EPREFIX/bin] --sbindir=DIR Install `visudo' in DIR [EPREFIX/etc for historical reasons] --sysconfdir=DIR Install `sudoers' file in DIR [/etc] --mandir=DIR Install man pages in DIR [PREFIX/man] --srcdir=DIR Find the sources in DIR [configure dir or ..] Special features/options: --with-CC Specifies path to C compiler you wish to use. --with-getpass Use system getpass(3) instead of sudo-supplied tgetpass() for systems where tgetpass() fails. --with-C2 Enable C2 security (shadow password) support See `Shadow password and C2 support' section for a list of supported platforms. --with-skey Enable S/Key support. --with-opie Enable NRL OPIE support. --with-SecurID Enable SecurID support. --with-kerb4 Enable kerberos v4 support Tested only with the Cygnus Network Security package (CNS). --with-kerb5 Enable kerberos v5 support. This enables with kerberos v4 support and links with the standard kerberos v5 libraries as well as the v4 compatibility libraries. --with-AFS Enable AFS support with kerberos authentication. Should work under AFS 3.3. If your AFS doesn't have -laudit you should be able to link without it. --with-DCE Enable DCE support. Known to work on HP-UX 9.X and 10.0. Other platforms may require source code and/or `configure' changes. --with-incpath Adds the specified directories to CPPFLAGS so configure and the compiler will look there for include files. Multiple directories may be specified as long as they are space separated. Eg: --with-incpath="/usr/local/include /opt/include" --with-libpath Adds the specified directories to SUDO_LDFLAGS and VISUDO_LDFLAGS so configure and the compiler will look there for libraries. Multiple directories may be specified as with --with-incpath. --with-libraries Adds the specified libaries to SUDO_LIBS and and VISUDO_LIBS so sudo will link against them. If the library doesn't start with `-l' or end in `.a' or `.o' a `-l' will be prepended to it. Multiple libraries may be specified as long as they are space separated. --with-csops Add CSOps standard options. Shadow password and C2 support ============================== Shadow passwords (also included with most C2 security packages) are supported on most major platforms for which they exist. The `configure' script will attempt to determine if your system uses shadow passwords, but this is really just a guess. If configure guesses incorrectly you can use the `--with-C2' option to cause sudo to use shadow passwords (assuming sudo can figure out what type of shadow password scheme is available). If configure thinks you can shadow passwords but you really do not you can use the `--without-C2' option to override configure's guess. Shadow passwords are supported on the following platforms: SunOS 4.x Solaris 2.x HP-UX 9.x and 10.x Ultrix 4.x Digital UNIX 3.x amd 4.x Irix 5.x and 6.x AIX 3.2.x ad 4.x ConvexOS with C2 security (not tested recently) Linux SCO 3.2.2 Pyramid DC/OSx UnixWare SVR4 (and variants using standard SVR4 shadow passwords) 4.4BSD based systems (including OpenBSD, NetBSD, FreeBSD, and BSD/OS) OS's using SecureWare's C2 security. It is possible to configure in shadow password support even if your system does not currently use shadow passwords. That way, if you put shadow passwords in place, your installed sudo will already support them. Mixing password authentication schemes ====================================== It is possible to build sudo with support for several authentication schemes, including shadow passwords, kerberos, s/key, AFS, DCE and normal UN*X passwords into a single binary. User validation will take slightly longer, of course, but it may be valuable to have a single sudo binary that is distributed among systems with varying authentication mechanisms. The exception to this rule is SecurID which must be the only authentication mechanism used. OS dependent notes ================== Solaris 2.x: You need to have a C compiler in order to build sudo. Since Solaris 2.x does not come with one by default this means that you either need to have purchased the unbundled Sun C compiler or have a copy of the GNU C compiler (gcc). The SunSoft Catalyst CD should contain gcc binaries for Solaris. You can also get them from various places on the net, including http://smc.vnet.net/solaris_2.5.html. NOTE: sudo will *not* build with the sun C compiler in BSD compatibility mode (/usr/ucb/cc). Sudo is designed to compile with the standard C compiler (or gcc) and will not build correctly with /usr/ucb/cc. You can use the `--with-CC' option to point `configure' to the non-ucb compiler if it is not the first cc in your path. Also: Many versions of Solaris come with a broken syslogd. If you have having problems with sudo logging you should make sure you have the latest syslogd patch installed. This is a problem for Solaris 2.4 and 2.5 at least. AIX 3.2.x: I've had various problems with the AIX C compiler producing incorrect code when the -O flag was used. When optimization is not used, the problems go away. Gcc does not appear to have this problem. Also, the AIX 3.2.x lex will not work with sudo's parse.lex. This should not be a problem as sudo comes shipped with a pre-generated lex.yy.c (created by flex). If you want to modify the lex tokenizer, make sure you grab a copy of flex from ftp.ee.lbl.gov (also available on most GNU mirrors) and sudo will use that instead. Ultrix 4.x: Ultrix still ships with the 4.2BSD syslog(3) which does not allow things like logging different faclities to different files, redirecting logs to a single loghost and other niceties. You may want to just grab and install: ftp://gatekeeper.dec.com/pub/DEC/jtkohl-syslog-complete.tar.Z (available via anonymous ftp) which is a port if the 4.3BSD syslog/syslogd that is backwards compatible with the Ultrix version. I recommend it highly. If you do not do this you probably want to set `LOGGING' to SLOG_FILE in options.h. Digital UNIX: Digital UNIX 4.0 shipped with /usr/include/prot.h including acl.h, but there is no /usr/include/acl.h. Digital says this will be fixed in the next release of Digital UNIX. In the meantime you can use the acl.h from /usr/sys/include/sys. Digital recommends that you just: cd /usr/include ln -s sys/acl.h acl.h This will only be an issue if you are using C2 (enhanced) security. Linux: One person reported that he needed to run configure with the --with-getpass flag to get a working sudo. Other people haven't had that problem so it may only affect certain distributions. NOTE: Reportedly, Linux's execvp(3) doesn't always execute scripts that lack the "#!/some/shell" header correctly. The workaround is to give all your scripts a proper header. SCO ODT: You'll probably need libcrypt_i.a available via anonymous ftp from sosco.sco.com. The necessary files are /SLS/lng225b.Z and /SLS/lng225b.ltr.Z. Please send changes, bugs, security holes, and gripes to: sudo-bugs@courtesan.com