path: root/configure.in

dnl
dnl Process this file with GNU autoconf to produce a configure script.
dnl
dnl Copyright (c) 1994-1996,1998-2007 Todd C. Miller <Todd.Miller@courtesan.com>
dnl
AC_INIT([sudo], [1.6.9])
AC_CONFIG_HEADER(config.h pathnames.h)
dnl
dnl This won't work before AC_INIT
dnl
AC_MSG_NOTICE([Configuring Sudo version 1.6.9])
dnl
dnl Variables that get substituted in the Makefile and man pages
dnl
AC_SUBST(LIBTOOL)
AC_SUBST(CFLAGS)
AC_SUBST(PROGS)
AC_SUBST(CPPFLAGS)
AC_SUBST(LDFLAGS)
AC_SUBST(SUDO_LDFLAGS)
AC_SUBST(SUDO_OBJS)
AC_SUBST(LIBS)
AC_SUBST(SUDO_LIBS)
AC_SUBST(NET_LIBS)
AC_SUBST(AFS_LIBS)
AC_SUBST(GETGROUPS_LIB)
AC_SUBST(OSDEFS)
AC_SUBST(AUTH_OBJS)
AC_SUBST(MANTYPE)
AC_SUBST(MAN_POSTINSTALL)
AC_SUBST(SUDOERS_MODE)
AC_SUBST(SUDOERS_UID)
AC_SUBST(SUDOERS_GID)
AC_SUBST(DEV)
AC_SUBST(SELINUX)
AC_SUBST(BAMAN)
AC_SUBST(LCMAN)
AC_SUBST(SEMAN)
AC_SUBST(mansectsu)
AC_SUBST(mansectform)
AC_SUBST(mansrcdir)
AC_SUBST(NOEXECFILE)
AC_SUBST(NOEXECDIR)
AC_SUBST(noexec_file)
AC_SUBST(INSTALL_NOEXEC)
AC_SUBST(DONT_LEAK_PATH_INFO)
dnl
dnl Variables that get substituted in docs (not overridden by environment)
dnl
AC_SUBST(timedir)dnl initial value from SUDO_TIMEDIR
AC_SUBST(timeout)
AC_SUBST(password_timeout)
AC_SUBST(sudo_umask)
AC_SUBST(passprompt)
AC_SUBST(long_otp_prompt)
AC_SUBST(lecture)
AC_SUBST(logfac)
AC_SUBST(goodpri)
AC_SUBST(badpri)
AC_SUBST(loglen)
AC_SUBST(ignore_dot)
AC_SUBST(mail_no_user)
AC_SUBST(mail_no_host)
AC_SUBST(mail_no_perms)
AC_SUBST(mailto)
AC_SUBST(mailsub)
AC_SUBST(badpass_message)
AC_SUBST(fqdn)
AC_SUBST(runas_default)
AC_SUBST(env_editor)
AC_SUBST(passwd_tries)
AC_SUBST(tty_tickets)
AC_SUBST(insults)
AC_SUBST(root_sudo)
AC_SUBST(path_info)
dnl
dnl Initial values for above
dnl
timeout=5
password_timeout=5
sudo_umask=0022
passprompt="Password:"
long_otp_prompt=off
lecture=once
logfac=local2
goodpri=notice
badpri=alert
loglen=80
ignore_dot=off
mail_no_user=on
mail_no_host=off
mail_no_perms=off
mailto=root
mailsub='*** SECURITY information for %h ***'
badpass_message='Sorry, try again.'
fqdn=off
runas_default=root
env_editor=off
passwd_tries=3
tty_tickets=off
insults=off
root_sudo=on
path_info=on
INSTALL_NOEXEC=
dnl
dnl Initial values for Makefile variables listed above
dnl May be overridden by environment variables..
dnl
PROGS="sudo visudo"
: ${MANTYPE='man'}
: ${mansrcdir='.'}
: ${SUDOERS_MODE='0440'}
: ${SUDOERS_UID='0'}
: ${SUDOERS_GID='0'}
DEV="#"
SELINUX="#"
BAMAN='.\" '
LCMAN='.\" '
SEMAN='.\" '
AUTH_OBJS=
AUTH_REG=
AUTH_EXCL=
AUTH_EXCL_DEF=
AUTH_DEF=passwd

dnl
dnl Other vaiables
dnl
CHECKSHADOW=true
shadow_defs=
shadow_funcs=
shadow_libs=
shadow_libs_optional=

dnl
dnl Override default configure dirs...
dnl
if test X"$prefix" = X"NONE"; then
    test "$mandir" = '${datarootdir}/man' && mandir='$(prefix)/man'
else
    test "$mandir" = '${datarootdir}/man' && mandir='$(datarootdir)/man'
fi
test "$bindir" = '${exec_prefix}/bin' && bindir='$(exec_prefix)/bin'
test "$sbindir" = '${exec_prefix}/sbin' && sbindir='$(exec_prefix)/sbin'
test "$sysconfdir" = '${prefix}/etc' -a X"$with_stow" != X"yes" && sysconfdir='/etc'

dnl
dnl Deprecated --with options (these all warn or generate an error)
dnl

AC_ARG_WITH(otp-only, [  --with-otp-only         deprecated],
[case $with_otp_only in
    yes)	with_passwd="no"
		AC_MSG_NOTICE([--with-otp-only option deprecated, treating as --without-passwd])
		;;
esac])

AC_ARG_WITH(alertmail, [  --with-alertmail        deprecated],
[case $with_alertmail in
    *)		with_mailto="$with_alertmail"
		AC_MSG_NOTICE([--with-alertmail option deprecated, treating as --mailto])
		;;
esac])

dnl
dnl Options for --with
dnl

AC_ARG_WITH(CC, [  --with-CC               C compiler to use],
[case $with_CC in
    yes)	AC_MSG_ERROR(["must give --with-CC an argument."])
		;;
    no)		AC_MSG_ERROR(["illegal argument: --without-CC."])
		;;
    *)		CC=$with_CC
		;;
esac])

AC_ARG_WITH(rpath, [  --with-rpath            pass -R flag in addition to -L for lib paths],
[case $with_rpath in
    yes|no)	;;
    *)		AC_MSG_ERROR(["--with-rpath does not take an argument."])
		;;
esac])

AC_ARG_WITH(blibpath, [  --with-blibpath[=PATH]    pass -blibpath flag to ld for additional lib paths],
[case $with_blibpath in
    yes|no)	;;
    *)		AC_MSG_NOTICE([will pass -blibpath:${with_blibpath} to the loader.])
		;;
esac])

AC_ARG_WITH(incpath, [  --with-incpath          additional places to look for include files],
[case $with_incpath in
    yes)	AC_MSG_ERROR(["must give --with-incpath an argument."])
		;;
    no)		AC_MSG_ERROR(["--without-incpath not supported."])
		;;
    *)		AC_MSG_NOTICE([Adding ${with_incpath} to CPPFLAGS])
		for i in ${with_incpath}; do
		    CPPFLAGS="${CPPFLAGS} -I${i}"
		done
		;;
esac])

AC_ARG_WITH(libpath, [  --with-libpath          additional places to look for libraries],
[case $with_libpath in
    yes)	AC_MSG_ERROR(["must give --with-libpath an argument."])
		;;
    no)		AC_MSG_ERROR(["--without-libpath not supported."])
		;;
    *)		AC_MSG_NOTICE([Adding ${with_libpath} to LDFLAGS])
		;;
esac])

AC_ARG_WITH(libraries, [  --with-libraries        additional libraries to link with],
[case $with_libraries in
    yes)	AC_MSG_ERROR(["must give --with-libraries an argument."])
		;;
    no)		AC_MSG_ERROR(["--without-libraries not supported."])
		;;
    *)		AC_MSG_NOTICE([Adding ${with_libraries} to LIBS])
		;;
esac])

AC_ARG_WITH(devel, [  --with-devel            add development options],
[case $with_devel in
    yes)	AC_MSG_NOTICE([Setting up for development: -Wall, flex, yacc])
		PROGS="${PROGS} testsudoers"
		OSDEFS="${OSDEFS} -DSUDO_DEVEL"
		DEV=""
		;;
    no)		;;
    *)		AC_MSG_WARN([Ignoring unknown argument to --with-devel: $with_devel])
		;;
esac])

AC_ARG_WITH(efence, [  --with-efence           link with -lefence for malloc() debugging],
[case $with_efence in
    yes)	AC_MSG_NOTICE([Sudo will link with -lefence (Electric Fence)])
		LIBS="${LIBS} -lefence"
		if test -f /usr/local/lib/libefence.a; then
		    with_libpath="${with_libpath} /usr/local/lib"
		fi
		;;
    no)		;;
    *)		AC_MSG_WARN([Ignoring unknown argument to --with-efence: $with_efence])
		;;
esac])

AC_ARG_WITH(csops, [  --with-csops            add CSOps standard options],
[case $with_csops in
    yes)	AC_MSG_NOTICE([Adding CSOps standard options])
		CHECKSIA=false
		with_ignore_dot=yes
		insults=on
		with_classic_insults=yes
		with_csops_insults=yes
		with_env_editor=yes
		: ${mansectsu='8'}
		: ${mansectform='5'}
		;;
    no)		;;
    *)		AC_MSG_WARN([Ignoring unknown argument to --with-csops: $with_csops])
		;;
esac])

AC_ARG_WITH(passwd, [  --without-passwd        don't use passwd/shadow file for authentication],
[case $with_passwd in
    yes|no)	AC_MSG_CHECKING(whether to use shadow/passwd file authentication)
		AC_MSG_RESULT($with_passwd)
		AUTH_DEF=""
		test "$with_passwd" = "yes" && AUTH_REG="$AUTH_REG passwd"
		;;
    *)		AC_MSG_ERROR(["Sorry, --with-passwd does not take an argument."])
		;;
esac])

AC_ARG_WITH(skey, [  --with-skey[=DIR]         enable S/Key support ],
[case $with_skey in
    no)		with_skey=""
		;;
    *)		AC_DEFINE(HAVE_SKEY)
		AC_MSG_CHECKING(whether to try S/Key authentication)
		AC_MSG_RESULT(yes)
		AUTH_REG="$AUTH_REG S/Key"
		;;
esac])

AC_ARG_WITH(opie, [  --with-opie[=DIR]         enable OPIE support ],
[case $with_opie in
    no)		with_opie=""
		;;
    *)		AC_DEFINE(HAVE_OPIE)
		AC_MSG_CHECKING(whether to try NRL OPIE authentication)
		AC_MSG_RESULT(yes)
		AUTH_REG="$AUTH_REG NRL_OPIE"
		;;
esac])

AC_ARG_WITH(long-otp-prompt, [  --with-long-otp-prompt  use a two line OTP (skey/opie) prompt],
[case $with_long_otp_prompt in
    yes)	AC_DEFINE(LONG_OTP_PROMPT)
		AC_MSG_CHECKING(whether to use a two line prompt for OTP authentication)
		AC_MSG_RESULT(yes)
		long_otp_prompt=on
		;;
    no)		long_otp_prompt=off
		;;
    *)		AC_MSG_ERROR(["--with-long-otp-prompt does not take an argument."])
		;;
esac])

AC_ARG_WITH(SecurID, [  --with-SecurID[[=DIR]]    enable SecurID support],
[case $with_SecurID in
    no)		with_SecurID="";;
    *)		AC_DEFINE(HAVE_SECURID)
		AC_MSG_CHECKING(whether to use SecurID for authentication)
		AC_MSG_RESULT(yes)
		AUTH_EXCL="$AUTH_EXCL SecurID"
		;;
esac])

AC_ARG_WITH(fwtk, [  --with-fwtk[[=DIR]]       enable FWTK AuthSRV support],
[case $with_fwtk in
    no)		with_fwtk="";;
    *)		AC_DEFINE(HAVE_FWTK)
		AC_MSG_CHECKING(whether to use FWTK AuthSRV for authentication)
		AC_MSG_RESULT(yes)
		AUTH_EXCL="$AUTH_EXCL FWTK"
		;;
esac])

AC_ARG_WITH(kerb4, [  --with-kerb4[[=DIR]]      enable Kerberos IV support],
[case $with_kerb4 in
    no)		with_kerb4="";;
    *)		AC_MSG_CHECKING(whether to try kerberos IV authentication)
		AC_MSG_RESULT(yes)
		AUTH_REG="$AUTH_REG kerb4"
		;;
esac])

AC_ARG_WITH(kerb5, [  --with-kerb5[[=DIR]]      enable Kerberos V support],
[case $with_kerb5 in
    no)		with_kerb5="";;
    *)		AC_MSG_CHECKING(whether to try Kerberos V authentication)
		AC_MSG_RESULT(yes)
		AUTH_REG="$AUTH_REG kerb5"
		;;
esac])

AC_ARG_WITH(aixauth, [  --with-aixauth          enable AIX general authentication support],
[case $with_aixauth in
    yes)	AUTH_EXCL="$AUTH_EXCL AIX_AUTH";;
    no)		;;
    *)		AC_MSG_ERROR(["--with-aixauth does not take an argument."])
		;;
esac])

AC_ARG_WITH(pam, [  --with-pam              enable PAM support],
[case $with_pam in
    yes)	AUTH_EXCL="$AUTH_EXCL PAM";;
    no)		;;
    *)		AC_MSG_ERROR(["--with-pam does not take an argument."])
		;;
esac])

AC_ARG_WITH(AFS, [  --with-AFS              enable AFS support],
[case $with_AFS in
    yes)	AC_DEFINE(HAVE_AFS)
		AC_MSG_CHECKING(whether to try AFS (kerberos) authentication)
		AC_MSG_RESULT(yes)
		AUTH_REG="$AUTH_REG AFS"
		;;
    no)		;;
    *)		AC_MSG_ERROR(["--with-AFS does not take an argument."])
		;;
esac])

AC_ARG_WITH(DCE, [  --with-DCE              enable DCE support],
[case $with_DCE in
    yes)	AC_DEFINE(HAVE_DCE)
		AC_MSG_CHECKING(whether to try DCE (kerberos) authentication)
		AC_MSG_RESULT(yes)
		AUTH_REG="$AUTH_REG DCE"
		;;
    no)		;;
    *)		AC_MSG_ERROR(["--with-DCE does not take an argument."])
		;;
esac])

AC_ARG_WITH(logincap, [  --with-logincap         enable BSD login class support],
[case $with_logincap in
    yes|no)	;;
    *)		AC_MSG_ERROR(["--with-logincap does not take an argument."])
		;;
esac])

AC_ARG_WITH(bsdauth, [  --with-bsdauth          enable BSD authentication support],
[case $with_bsdauth in
    yes)	AUTH_EXCL="$AUTH_EXCL BSD_AUTH";;
    no)		;;
    *)		AC_MSG_ERROR(["--with-bsdauth does not take an argument."])
		;;
esac])

AC_ARG_WITH(project, [  --with-project          enable Solaris project support],
[case $with_project in
    yes|no)	;;
    no)	;;
    *)		AC_MSG_ERROR(["--with-project does not take an argument."])
		;;
esac])

AC_MSG_CHECKING(whether to lecture users the first time they run sudo)
AC_ARG_WITH(lecture, [  --without-lecture       don't print lecture for first-time sudoer],
[case $with_lecture in
    yes|short|always)	lecture=once
		;;
    no|none|never)	lecture=never
		;;
    *)		AC_MSG_ERROR(["unknown argument to --with-lecture: $with_lecture"])
		;;
esac])
if test "$lecture" = "once"; then
    AC_MSG_RESULT(yes)
else
    AC_DEFINE(NO_LECTURE)
    AC_MSG_RESULT(no)
fi

AC_MSG_CHECKING(whether sudo should log via syslog or to a file by default)
AC_ARG_WITH(logging, [  --with-logging          log via syslog, file, or both],
[case $with_logging in
    yes)	AC_MSG_ERROR(["must give --with-logging an argument."])
		;;
    no)		AC_MSG_ERROR(["--without-logging not supported."])
		;;
    syslog)	AC_DEFINE(LOGGING, SLOG_SYSLOG)
		AC_MSG_RESULT(syslog)
		;;
    file)	AC_DEFINE(LOGGING, SLOG_FILE)
		AC_MSG_RESULT(file)
		;;
    both)	AC_DEFINE(LOGGING, SLOG_BOTH)
		AC_MSG_RESULT(both)
		;;
    *)		AC_MSG_ERROR(["unknown argument to --with-logging: $with_logging"])
		;;
esac], [AC_DEFINE(LOGGING, SLOG_SYSLOG) AC_MSG_RESULT(syslog)])

AC_MSG_CHECKING(which syslog facility sudo should log with)
AC_ARG_WITH(logfac, [  --with-logfac           syslog facility to log with (default is "local2")],
[case $with_logfac in
    yes)	AC_MSG_ERROR(["must give --with-logfac an argument."])
		;;
    no)		AC_MSG_ERROR(["--without-logfac not supported."])
		;;
    authpriv|auth|daemon|user|local0|local1|local2|local3|local4|local5|local6|local7)		logfac=$with_logfac
		;;
    *)		AC_MSG_ERROR(["$with_logfac is not a supported syslog facility."])
		;;
esac])
AC_DEFINE_UNQUOTED(LOGFAC, "$logfac", [The syslog facility sudo will use.])
AC_MSG_RESULT($logfac)

AC_MSG_CHECKING(at which syslog priority to log commands)
AC_ARG_WITH(goodpri, [  --with-goodpri          syslog priority for commands (def is "notice")],
[case $with_goodpri in
    yes)	AC_MSG_ERROR(["must give --with-goodpri an argument."])
		;;
    no)		AC_MSG_ERROR(["--without-goodpri not supported."])
		;;
    alert|crit|debug|emerg|err|info|notice|warning)
		goodpri=$with_goodpri
		;;
    *)		AC_MSG_ERROR(["$with_goodpri is not a supported syslog priority."])
		;;
esac])
AC_DEFINE_UNQUOTED(PRI_SUCCESS, "$goodpri", [The syslog priority sudo will use for successful attempts.])
AC_MSG_RESULT($goodpri)

AC_MSG_CHECKING(at which syslog priority to log failures)
AC_ARG_WITH(badpri, [  --with-badpri           syslog priority for failures (def is "alert")],
[case $with_badpri in
    yes)	AC_MSG_ERROR(["must give --with-badpri an argument."])
		;;
    no)		AC_MSG_ERROR(["--without-badpri not supported."])
		;;
    alert|crit|debug|emerg|err|info|notice|warning)
		badpri=$with_badpri
		;;
    *)		AC_MSG_ERROR([$with_badpri is not a supported syslog priority.])
		;;
esac])
AC_DEFINE_UNQUOTED(PRI_FAILURE, "$badpri", [The syslog priority sudo will use for unsuccessful attempts/errors.])
AC_MSG_RESULT($badpri)

AC_ARG_WITH(logpath, [  --with-logpath          path to the sudo log file],
[case $with_logpath in
    yes)	AC_MSG_ERROR(["must give --with-logpath an argument."])
		;;
    no)		AC_MSG_ERROR(["--without-logpath not supported."])
		;;
esac])

AC_MSG_CHECKING(how long a line in the log file should be)
AC_ARG_WITH(loglen, [  --with-loglen           maximum length of a log file line (default is 80)],
[case $with_loglen in
    yes)	AC_MSG_ERROR(["must give --with-loglen an argument."])
		;;
    no)		AC_MSG_ERROR(["--without-loglen not supported."])
		;;
    [[0-9]]*)	loglen=$with_loglen
		;;
    *)		AC_MSG_ERROR(["you must enter a number, not $with_loglen"])
		;;
esac])
AC_DEFINE_UNQUOTED(MAXLOGFILELEN, $loglen, [The max number of chars per log file line (for line wrapping).])
AC_MSG_RESULT($loglen)

AC_MSG_CHECKING(whether sudo should ignore '.' or '' in \$PATH)
AC_ARG_WITH(ignore-dot, [  --with-ignore-dot       ignore '.' in the PATH],
[case $with_ignore_dot in
    yes)	ignore_dot=on
		;;
    no)		ignore_dot=off
		;;
    *)		AC_MSG_ERROR(["--with-ignore-dot does not take an argument."])
		;;
esac])
if test "$ignore_dot" = "on"; then
    AC_DEFINE(IGNORE_DOT_PATH)
    AC_MSG_RESULT(yes)
else
    AC_MSG_RESULT(no)
fi

AC_MSG_CHECKING(whether to send mail when a user is not in sudoers)
AC_ARG_WITH(mail-if-no-user, [  --without-mail-if-no-user do not send mail if user not in sudoers],
[case $with_mail_if_no_user in
    yes)	mail_no_user=on
		;;
    no)		mail_no_user=off
		;;
    *)		AC_MSG_ERROR(["--with-mail-if-no-user does not take an argument."])
		;;
esac])
if test "$mail_no_user" = "on"; then
    AC_DEFINE(SEND_MAIL_WHEN_NO_USER)
    AC_MSG_RESULT(yes)
else
    AC_MSG_RESULT(no)
fi

AC_MSG_CHECKING(whether to send mail when user listed but not for this host)
AC_ARG_WITH(mail-if-no-host, [  --with-mail-if-no-host  send mail if user in sudoers but not for this host],
[case $with_mail_if_no_host in
    yes)	mail_no_host=on
		;;
    no)		mail_no_host=off
		;;
    *)		AC_MSG_ERROR(["--with-mail-if-no-host does not take an argument."])
		;;
esac])
if test "$mail_no_host" = "on"; then
    AC_DEFINE(SEND_MAIL_WHEN_NO_HOST)
    AC_MSG_RESULT(yes)
else
    AC_MSG_RESULT(no)
fi

AC_MSG_CHECKING(whether to send mail when a user tries a disallowed command)
AC_ARG_WITH(mail-if-noperms, [  --with-mail-if-noperms  send mail if user not allowed to run command],
[case $with_mail_if_noperms in
    yes)	mail_noperms=on
		;;
    no)		mail_noperms=off
		;;
    *)		AC_MSG_ERROR(["--with-mail-if-noperms does not take an argument."])
		;;
esac])
if test "$mail_noperms" = "on"; then
    AC_DEFINE(SEND_MAIL_WHEN_NOT_OK)
    AC_MSG_RESULT(yes)
else
    AC_MSG_RESULT(no)
fi

AC_MSG_CHECKING(who should get the mail that sudo sends)
AC_ARG_WITH(mailto, [  --with-mailto           who should get sudo mail (default is "root")],
[case $with_mailto in
    yes)	AC_MSG_ERROR(["must give --with-mailto an argument."])
		;;
    no)		AC_MSG_ERROR(["--without-mailto not supported."])
		;;
    *)		mailto=$with_mailto
		;;
esac])
AC_DEFINE_UNQUOTED(MAILTO, "$mailto", [The user or email address that sudo mail is sent to.])
AC_MSG_RESULT([$mailto])

AC_ARG_WITH(mailsubject, [  --with-mailsubject      subject of sudo mail],
[case $with_mailsubject in
    yes)	AC_MSG_ERROR(["must give --with-mailsubject an argument."])
		;;
    no)		AC_MSG_WARN([Sorry, --without-mailsubject not supported.])
		;;
    *)		mailsub="$with_mailsubject"
		AC_MSG_CHECKING(sudo mail subject)
		AC_MSG_RESULT([Using alert mail subject: $mailsub])
		;;
esac])
AC_DEFINE_UNQUOTED(MAILSUBJECT, "$mailsub", [The subject of the mail sent by sudo to the MAILTO user/address.])

AC_MSG_CHECKING(for bad password prompt)
AC_ARG_WITH(passprompt, [  --with-passprompt       default password prompt],
[case $with_passprompt in
    yes)	AC_MSG_ERROR(["must give --with-passprompt an argument."])
		;;
    no)		AC_MSG_WARN([Sorry, --without-passprompt not supported.])
		;;
    *)		passprompt="$with_passprompt"
esac])
AC_MSG_RESULT($passprompt)
AC_DEFINE_UNQUOTED(PASSPROMPT, "$passprompt", [The default password prompt.])

AC_MSG_CHECKING(for bad password message)
AC_ARG_WITH(badpass-message, [  --with-badpass-message  message the user sees when the password is wrong],
[case $with_badpass_message in
    yes)	AC_MSG_ERROR(["Must give --with-badpass-message an argument."])
		;;
    no)		AC_MSG_WARN([Sorry, --without-badpass-message not supported.])
		;;
    *)		badpass_message="$with_badpass_message"
		;;
esac])
AC_DEFINE_UNQUOTED(INCORRECT_PASSWORD, "$badpass_message", [The message given when a bad password is entered.])
AC_MSG_RESULT([$badpass_message])

AC_MSG_CHECKING(whether to expect fully qualified hosts in sudoers)
AC_ARG_WITH(fqdn, [  --with-fqdn             expect fully qualified hosts in sudoers],
[case $with_fqdn in
    yes)	fqdn=on
		;;
    no)		fqdn=off
		;;
    *)		AC_MSG_ERROR(["--with-fqdn does not take an argument."])
		;;
esac])
if test "$fqdn" = "on"; then
    AC_DEFINE(FQDN)
    AC_MSG_RESULT(yes)
else
    AC_MSG_RESULT(no)
fi

AC_ARG_WITH(timedir, [  --with-timedir          path to the sudo timestamp dir],
[case $with_timedir in
    yes)	AC_MSG_ERROR(["must give --with-timedir an argument."])
		;;
    no)		AC_MSG_ERROR(["--without-timedir not supported."])
		;;
esac])

AC_ARG_WITH(sendmail, [  --with-sendmail=path    set path to sendmail
  --without-sendmail      do not send mail at all],
[case $with_sendmail in
    yes)	with_sendmail=""
		;;
    no)		;;
    *)		SUDO_DEFINE_UNQUOTED(_PATH_SUDO_SENDMAIL, "$with_sendmail")
		;;
esac])

AC_ARG_WITH(sudoers-mode, [  --with-sudoers-mode     mode of sudoers file (defaults to 0440)],
[case $with_sudoers_mode in
    yes)	AC_MSG_ERROR(["must give --with-sudoers-mode an argument."])
		;;
    no)		AC_MSG_ERROR(["--without-sudoers-mode not supported."])
		;;
    [[1-9]]*)	SUDOERS_MODE=0${with_sudoers_mode}
		;;
    0*)		SUDOERS_MODE=$with_sudoers_mode
		;;
    *)		AC_MSG_ERROR(["you must use an octal mode, not a name."])
		;;
esac])

AC_ARG_WITH(sudoers-uid, [  --with-sudoers-uid      uid that owns sudoers file (defaults to 0)],
[case $with_sudoers_uid in
    yes)	AC_MSG_ERROR(["must give --with-sudoers-uid an argument."])
		;;
    no)		AC_MSG_ERROR(["--without-sudoers-uid not supported."])
		;;
    [[0-9]]*)	SUDOERS_UID=$with_sudoers_uid
		;;
    *)		AC_MSG_ERROR(["you must use an unsigned numeric uid, not a name."])
		;;
esac])

AC_ARG_WITH(sudoers-gid, [  --with-sudoers-gid      gid that owns sudoers file (defaults to 0)],
[case $with_sudoers_gid in
    yes)	AC_MSG_ERROR(["must give --with-sudoers-gid an argument."])
		;;
    no)		AC_MSG_ERROR(["--without-sudoers-gid not supported."])
		;;
    [[0-9]]*)	SUDOERS_GID=$with_sudoers_gid
		;;
    *)		AC_MSG_ERROR(["you must use an unsigned numeric gid, not a name."])
		;;
esac])

AC_MSG_CHECKING(for umask programs should be run with)
AC_ARG_WITH(umask, [  --with-umask            umask with which the prog should run (default is 022)
  --without-umask         Preserves the umask of the user invoking sudo.],
[case $with_umask in
    yes)	AC_MSG_ERROR(["must give --with-umask an argument."])
		;;
    no)		sudo_umask=0777
		;;
    [[0-9]]*)	sudo_umask=$with_umask
		;;
    *)		AC_MSG_ERROR(["you must enter a numeric mask."])
		;;
esac])
AC_DEFINE_UNQUOTED(SUDO_UMASK, $sudo_umask, [The umask that the root-run prog should use.])
if test "$sudo_umask" = "0777"; then
    AC_MSG_RESULT(user)
else
    AC_MSG_RESULT($sudo_umask)
fi

AC_MSG_CHECKING(for default user to run commands as)
AC_ARG_WITH(runas-default, [  --with-runas-default    User to run commands as (default is "root")],
[case $with_runas_default in
    yes)	AC_MSG_ERROR(["must give --with-runas-default an argument."])
		;;
    no)		AC_MSG_ERROR(["--without-runas-default not supported."])
		;;
    *)		runas_default="$with_runas_default"
		;;
esac])
AC_DEFINE_UNQUOTED(RUNAS_DEFAULT, "$runas_default", [The user sudo should run commands as by default.])
AC_MSG_RESULT([$runas_default])

AC_ARG_WITH(exempt, [  --with-exempt=group     no passwd needed for users in this group],
[case $with_exempt in
    yes)	AC_MSG_ERROR(["must give --with-exempt an argument."])
		;;
    no)		AC_MSG_ERROR(["--without-exempt not supported."])
		;;
    *)		AC_DEFINE_UNQUOTED(EXEMPTGROUP, "$with_exempt", [If defined, users in this group need not enter a passwd (ie "sudo").])
		AC_MSG_CHECKING(for group to be exempt from password)
		AC_MSG_RESULT([$with_exempt])
		;;
esac])

AC_MSG_CHECKING(for editor that visudo should use)
AC_ARG_WITH(editor, [  --with-editor=path      Default editor for visudo (defaults to vi)],
[case $with_editor in
    yes)	AC_MSG_ERROR(["must give --with-editor an argument."])
		;;
    no)		AC_MSG_ERROR(["--without-editor not supported."])
		;;
    *)		AC_DEFINE_UNQUOTED(EDITOR, "$with_editor", [A colon-separated list of pathnames to be used as the editor for visudo.])
		AC_MSG_RESULT([$with_editor])
		;;
esac], [AC_DEFINE(EDITOR, _PATH_VI) AC_MSG_RESULT(vi)])

AC_MSG_CHECKING(whether to obey EDITOR and VISUAL environment variables)
AC_ARG_WITH(env-editor, [  --with-env-editor       Use the environment variable EDITOR for visudo],
[case $with_env_editor in
    yes)	env_editor=on
		;;
    no)		env_editor=off
		;;
    *)		AC_MSG_ERROR(["--with-env-editor does not take an argument."])
		;;
esac])
if test "$env_editor" = "on"; then
    AC_DEFINE(ENV_EDITOR)
    AC_MSG_RESULT(yes)
else
    AC_MSG_RESULT(no)
fi

AC_MSG_CHECKING(number of tries a user gets to enter their password)
AC_ARG_WITH(passwd-tries, [  --with-passwd-tries     number of tries to enter password (default is 3)],
[case $with_passwd_tries in
    yes)	;;
    no)		AC_MSG_ERROR(["--without-editor not supported."])
		;;
    [[1-9]]*)	passwd_tries=$with_passwd_tries
		;;
    *)		AC_MSG_ERROR(["you must enter the numer of tries, > 0"])
		;;
esac])
AC_DEFINE_UNQUOTED(TRIES_FOR_PASSWORD, $passwd_tries, [The number of tries a user gets to enter their password.])
AC_MSG_RESULT($passwd_tries)

AC_MSG_CHECKING(time in minutes after which sudo will ask for a password again)
AC_ARG_WITH(timeout, [  --with-timeout          minutes before sudo asks for passwd again (def is 5 minutes)],
[case $with_timeout in
    yes)	;;
    no)		timeout=0
		;;
    [[0-9]]*)	timeout=$with_timeout
		;;
    *)		AC_MSG_ERROR(["you must enter the numer of minutes."])
		;;
esac])
AC_DEFINE_UNQUOTED(TIMEOUT, $timeout, [The number of minutes before sudo asks for a password again.])
AC_MSG_RESULT($timeout)

AC_MSG_CHECKING(time in minutes after the password prompt will time out)
AC_ARG_WITH(password-timeout, [  --with-password-timeout passwd prompt timeout in minutes (default is 5 minutes)],
[case $with_password_timeout in
    yes)	;;
    no)		password_timeout=0
		;;
    [[0-9]]*)	password_timeout=$with_password_timeout
		;;
    *)		AC_MSG_ERROR(["you must enter the numer of minutes."])
		;;
esac])
AC_DEFINE_UNQUOTED(PASSWORD_TIMEOUT, $password_timeout, [The passwd prompt timeout (in minutes).])
AC_MSG_RESULT($password_timeout)

AC_MSG_CHECKING(whether to use per-tty ticket files)
AC_ARG_WITH(tty-tickets, [  --with-tty-tickets      use a different ticket file for each tty],
[case $with_tty_tickets in
    yes)	tty_tickets=on
		;;
    no)		tty_tickets=off
		;;
    *)		AC_MSG_ERROR(["--with-tty-tickets does not take an argument."])
		;;
esac])
if test "$tty_tickets" = "on"; then
    AC_DEFINE(USE_TTY_TICKETS)
    AC_MSG_RESULT(yes)
else
    AC_MSG_RESULT(no)
fi

AC_MSG_CHECKING(whether to include insults)
AC_ARG_WITH(insults, [  --with-insults          insult the user for entering an incorrect password],
[case $with_insults in
    yes)	insults=on
		with_classic_insults=yes
		with_csops_insults=yes
		;;
    no)		insults=off
		;;
    *)		AC_MSG_ERROR(["--with-insults does not take an argument."])
		;;
esac])
if test "$insults" = "on"; then
    AC_DEFINE(USE_INSULTS)
    AC_MSG_RESULT(yes)
else
    AC_MSG_RESULT(no)
fi

AC_ARG_WITH(all-insults, [  --with-all-insults      include all the sudo insult sets],
[case $with_all_insults in
    yes)	with_classic_insults=yes
		with_csops_insults=yes
		with_hal_insults=yes
		with_goons_insults=yes
		;;
    no)		;;
    *)		AC_MSG_ERROR(["--with-all-insults does not take an argument."])
		;;
esac])

AC_ARG_WITH(classic-insults, [  --with-classic-insults  include the insults from the "classic" sudo],
[case $with_classic_insults in
    yes)	AC_DEFINE(CLASSIC_INSULTS)
		;;
    no)		;;
    *)		AC_MSG_ERROR(["--with-classic-insults does not take an argument."])
		;;
esac])

AC_ARG_WITH(csops-insults, [  --with-csops-insults    include CSOps insults],
[case $with_csops_insults in
    yes)	AC_DEFINE(CSOPS_INSULTS)
		;;
    no)		;;
    *)		AC_MSG_ERROR(["--with-csops-insults does not take an argument."])
		;;
esac])

AC_ARG_WITH(hal-insults, [  --with-hal-insults      include 2001-like insults],
[case $with_hal_insults in
    yes)	AC_DEFINE(HAL_INSULTS)
		;;
    no)		;;
    *)		AC_MSG_ERROR(["--with-hal-insults does not take an argument."])
		;;
esac])

AC_ARG_WITH(goons-insults, [  --with-goons-insults    include the insults from the "Goon Show"],
[case $with_goons_insults in
    yes)	AC_DEFINE(GOONS_INSULTS)
		;;
    no)		;;
    *)		AC_MSG_ERROR(["--with-goons-insults does not take an argument."])
		;;
esac])

AC_ARG_WITH(ldap, [  --with-ldap[[=DIR]]       enable LDAP support],
[case $with_ldap in
    no)		with_ldap="";;
    *)		AC_DEFINE(HAVE_LDAP)
		AC_MSG_CHECKING(whether to use sudoers from LDAP)
		AC_MSG_RESULT(yes)
		;;
esac])
AC_ARG_WITH(ldap-conf-file, [  --with-ldap-conf-file   path to LDAP configuration file],
[AC_DEFINE_UNQUOTED(_PATH_LDAP_CONF, "$with_ldap_conf_file", [Path to the ldap.conf file])])
AC_ARG_WITH(ldap-secret-file, [  --with-ldap-secret-file path to LDAP secret password file],
[AC_DEFINE_UNQUOTED(_PATH_LDAP_SECRET, "$with_ldap_secret_file", [Path to the ldap.secret file])])

AC_ARG_WITH(pc-insults, [  --with-pc-insults       replace politically incorrect insults with less offensive ones],
[case $with_pc_insults in
    yes)	AC_DEFINE(PC_INSULTS)
		;;
    no)		;;
    *)		AC_MSG_ERROR(["--with-pc-insults does not take an argument."])
		;;
esac])

dnl include all insult sets on one line
if test "$insults" = "on"; then
    AC_MSG_CHECKING(which insult sets to include)
    i=""
    test "$with_goons_insults" = "yes" && i="goons ${i}"
    test "$with_hal_insults" = "yes" && i="hal ${i}"
    test "$with_csops_insults" = "yes" && i="csops ${i}"
    test "$with_classic_insults" = "yes" && i="classic ${i}"
    AC_MSG_RESULT([$i])
fi

AC_MSG_CHECKING(whether to override the user's path)
AC_ARG_WITH(secure-path, [  --with-secure-path      override the user's path with a built-in one],
[case $with_secure_path in
    yes)	AC_DEFINE_UNQUOTED(SECURE_PATH, "/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc")
		AC_MSG_RESULT([:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc])
		;;
    no)		AC_MSG_RESULT(no)
		;;
    *)		AC_DEFINE_UNQUOTED(SECURE_PATH, "$with_secure_path")
		AC_MSG_RESULT([$with_secure_path])
		;;
esac], AC_MSG_RESULT(no))

AC_MSG_CHECKING(whether to get ip addresses from the network interfaces)
AC_ARG_WITH(interfaces, [  --without-interfaces    don't try to read the ip addr of ether interfaces],
[case $with_interfaces in
    yes)	AC_MSG_RESULT(yes)
		;;
    no)		AC_DEFINE(STUB_LOAD_INTERFACES)
		AC_MSG_RESULT(no)
		;;
    *)		AC_MSG_ERROR(["--with-interfaces does not take an argument."])
		;;
esac], AC_MSG_RESULT(yes))

AC_MSG_CHECKING(whether stow should be used)
AC_ARG_WITH(stow, [  --with-stow             properly handle GNU stow packaging],
[case $with_stow in
    yes)	AC_MSG_RESULT(yes)
		AC_DEFINE(USE_STOW)
		;;
    no)		AC_MSG_RESULT(no)
		;;
    *)		AC_MSG_ERROR(["--with-stow does not take an argument."])
		;;
esac], AC_MSG_RESULT(no))

dnl
dnl Options for --enable
dnl

AC_MSG_CHECKING(whether to do user authentication by default)
AC_ARG_ENABLE(authentication,
[  --disable-authentication
                          Do not require authentication by default],
[ case "$enableval" in
    yes)	AC_MSG_RESULT(yes)
		;;
    no)		AC_MSG_RESULT(no)
		AC_DEFINE(NO_AUTHENTICATION)
		;;
    *)		AC_MSG_RESULT(no)
    		AC_MSG_WARN([Ignoring unknown argument to --enable-authentication: $enableval])
		;;
  esac
], AC_MSG_RESULT(yes))

AC_MSG_CHECKING(whether to disable running the mailer as root)
AC_ARG_ENABLE(root-mailer,
[  --disable-root-mailer   Don't run the mailer as root, run as the user],
[ case "$enableval" in
    yes)	AC_MSG_RESULT(no)
		;;
    no)		AC_MSG_RESULT(yes)
		AC_DEFINE(NO_ROOT_MAILER)
		;;
    *)		AC_MSG_RESULT(no)
    		AC_MSG_WARN([Ignoring unknown argument to --enable-root-mailer: $enableval])
		;;
  esac
], AC_MSG_RESULT(no))

AC_ARG_ENABLE(setreuid,
[  --disable-setreuid      Don't try to use the setreuid() function],
[ case "$enableval" in
    no)		SKIP_SETREUID=yes
		;;
    *)		;;
  esac
])

AC_ARG_ENABLE(setresuid,
[  --disable-setresuid     Don't try to use the setresuid() function],
[ case "$enableval" in
    no)		SKIP_SETRESUID=yes
		;;
    *)		;;
  esac
])

AC_MSG_CHECKING(whether to disable shadow password support)
AC_ARG_ENABLE(shadow,
[  --disable-shadow        Never use shadow passwords],
[ case "$enableval" in
    yes)	AC_MSG_RESULT(no)
		;;
    no)		AC_MSG_RESULT(yes)
		CHECKSHADOW="false"
		;;
    *)		AC_MSG_RESULT(no)
    		AC_MSG_WARN([Ignoring unknown argument to --enable-shadow: $enableval])
		;;
  esac
], AC_MSG_RESULT(no))

AC_MSG_CHECKING(whether root should be allowed to use sudo)
AC_ARG_ENABLE(root-sudo,
[  --disable-root-sudo     Don't allow root to run sudo],
[ case "$enableval" in
    yes)	AC_MSG_RESULT(yes)
		;;
    no)		AC_DEFINE(NO_ROOT_SUDO)
		AC_MSG_RESULT(no)
		root_sudo=off
		;;
    *)		AC_MSG_ERROR(["--enable-root-sudo does not take an argument."])
		;;
  esac
], AC_MSG_RESULT(yes))

AC_MSG_CHECKING(whether to log the hostname in the log file)
AC_ARG_ENABLE(log-host,
[  --enable-log-host       Log the hostname in the log file],
[ case "$enableval" in
    yes)	AC_MSG_RESULT(yes)
		AC_DEFINE(HOST_IN_LOG)
		;;
    no)		AC_MSG_RESULT(no)
		;;
    *)		AC_MSG_RESULT(no)
    		AC_MSG_WARN([Ignoring unknown argument to --enable-log-host: $enableval])
		;;
  esac
], AC_MSG_RESULT(no))

AC_MSG_CHECKING(whether to invoke a shell if sudo is given no arguments)
AC_ARG_ENABLE(noargs-shell,
[  --enable-noargs-shell   If sudo is given no arguments run a shell],
[ case "$enableval" in
    yes)	AC_MSG_RESULT(yes)
		AC_DEFINE(SHELL_IF_NO_ARGS)
		;;
    no)		AC_MSG_RESULT(no)
		;;
    *)		AC_MSG_RESULT(no)
    		AC_MSG_WARN([Ignoring unknown argument to --enable-noargs-shell: $enableval])
		;;
  esac
], AC_MSG_RESULT(no))

AC_MSG_CHECKING(whether to set \$HOME to target user in shell mode)
AC_ARG_ENABLE(shell-sets-home,
[  --enable-shell-sets-home
                          set $HOME to target user in shell mode],
[ case "$enableval" in
    yes)	AC_MSG_RESULT(yes)
		AC_DEFINE(SHELL_SETS_HOME)
		;;
    no)		AC_MSG_RESULT(no)
		;;
    *)		AC_MSG_RESULT(no)
    		AC_MSG_WARN([Ignoring unknown argument to --enable-shell-sets-home: $enableval])
		;;
  esac
], AC_MSG_RESULT(no))

AC_MSG_CHECKING(whether to disable 'command not found' messages)
AC_ARG_ENABLE(path_info,
[  --disable-path-info     Print 'command not allowed' not 'command not found'],
[ case "$enableval" in
    yes)	AC_MSG_RESULT(no)
		;;
    no)		AC_MSG_RESULT(yes)
		AC_DEFINE(DONT_LEAK_PATH_INFO)
		path_info=off
		;;
    *)		AC_MSG_RESULT(no)
		AC_MSG_WARN([Ignoring unknown argument to --enable-path-info: $enableval])
		;;
  esac
], AC_MSG_RESULT(no))

AC_ARG_WITH(selinux, [  --with-selinux          enable SELinux support],
[case $with_selinux in
    yes)	AC_DEFINE(HAVE_SELINUX)
		SUDO_LIBS="${SUDO_LIBS} -lselinux"
		SUDO_OBJS="${SUDO_OBJS} selinux.o"
		PROGS="${PROGS} sesh"
		SELINUX=""
		SEMAN=""
		;;
    no)		;;
    *)		AC_MSG_ERROR(["--with-selinux does not take an argument."])
		;;
esac])

dnl
dnl If we don't have egrep we can't do anything...
dnl
AC_CHECK_PROG(EGREPPROG, egrep, egrep)
if test -z "$EGREPPROG"; then
    AC_MSG_ERROR([Sorry, configure requires egrep to run.])
fi

dnl
dnl Prevent configure from adding the -g flag unless in devel mode
dnl
if test "$with_devel" != "yes"; then
    ac_cv_prog_cc_g=no
fi

dnl
dnl C compiler checks
dnl
AC_ISC_POSIX
AC_PROG_CPP

dnl
dnl Libtool magic; enable shared libs and disable static libs
dnl
AC_CANONICAL_HOST
AC_DISABLE_STATIC
AC_PROG_LIBTOOL

dnl
dnl Defer with_noexec until after libtool magic runs
dnl
if test "$enable_shared" = "no"; then
    with_noexec=no
else
    eval _shrext="$shrext_cmds"
fi
AC_MSG_CHECKING(path to sudo_noexec.so)
AC_ARG_WITH(noexec, [  --with-noexec[=PATH]      fully qualified pathname of sudo_noexec.so],
[case $with_noexec in
    yes)	with_noexec="$libexecdir/sudo_noexec$_shrext"
		;;
    no)		;;
    *)		;;
esac], [with_noexec="$libexecdir/sudo_noexec$_shrext"])
AC_MSG_RESULT($with_noexec)
NOEXECFILE="sudo_noexec$_shrext"
NOEXECDIR="`echo $with_noexec|sed 's:^\(.*\)/[[^/]]*:\1:'`"

dnl
dnl It is now safe to modify CFLAGS and CPPFLAGS
dnl
if test "$with_devel" = "yes" -a -n "$GCC"; then
    CFLAGS="${CFLAGS} -Wall"
fi

dnl
dnl Find programs we use
dnl
AC_CHECK_PROG(UNAMEPROG, uname, uname)
AC_CHECK_PROG(TRPROG, tr, tr)
AC_CHECK_PROG(NROFFPROG, nroff, nroff)
if test -z "$NROFFPROG"; then
    MANTYPE="cat"
    mansrcdir='$(srcdir)'
fi

dnl
dnl What kind of beastie are we being run on?
dnl Barf if config.cache was generated on another host.
dnl
if test -n "$sudo_cv_prev_host"; then
    if test "$sudo_cv_prev_host" != "$host"; then
	AC_MSG_ERROR([config.cache was created on a different host; remove it and re-run configure.])
    else
	AC_MSG_CHECKING(previous host type)
	AC_CACHE_VAL(sudo_cv_prev_host, sudo_cv_prev_host="$host")
	AC_MSG_RESULT([$sudo_cv_prev_host])
    fi
else
    # this will produce no output since there is no cached value
    AC_CACHE_VAL(sudo_cv_prev_host, sudo_cv_prev_host="$host")
fi

dnl
dnl We want to be able to differentiate between different rev's
dnl
if test -n "$host_os"; then
    OS=`echo $host_os | sed 's/[[0-9]].*//'`
    OSREV=`echo $host_os | sed 's/^[[^0-9\.]]*\([[0-9\.]]*\).*$/\1/'`
    OSMAJOR=`echo $OSREV | sed 's/\..*$//'`
else
    OS="unknown"
    OSREV=0
    OSMAJOR=0
fi

case "$host" in
    *-*-sunos4*)
		# getcwd(3) opens a pipe to getpwd(1)!?!
		BROKEN_GETCWD=1

		# system headers lack prototypes but gcc helps...
		if test -n "$GCC"; then
		    OSDEFS="${OSDEFS} -D__USE_FIXED_PROTOTYPES__"
		fi

		shadow_funcs="getpwanam issecure"
		;;
    *-*-solaris2*)
		# To get the crypt(3) prototype (so we pass -Wall)
		OSDEFS="${OSDEFS} -D__EXTENSIONS__"
		# AFS support needs -lucb
		if test "$with_AFS" = "yes"; then
		    AFS_LIBS="-lc -lucb"
		fi
		: ${mansectsu='1m'}
		: ${mansectform='4'}
		: ${with_rpath='yes'}
		test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
		;;
    *-*-aix*)
		# To get all prototypes (so we pass -Wall)
		OSDEFS="${OSDEFS} -D_XOPEN_EXTENDED_SOURCE -D_ALL_SOURCE"
		SUDO_LDFLAGS="${SUDO_LDFLAGS} -Wl,-bI:\$(srcdir)/aixcrypt.exp"
		if test X"$with_blibpath" != X"no"; then
		    AC_MSG_CHECKING([if linker accepts -Wl,-blibpath])
		    O_LDFLAGS="$LDFLAGS"
		    LDFLAGS="$O_LDFLAGS -Wl,-blibpath:/usr/lib:/lib"
		    AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])], [
			if test -n "$with_blibpath" -a "$with_blibpath" != "yes"; then
			    blibpath="$with_blibpath"
			elif test -n "$GCC"; then
			    blibpath="/usr/lib:/lib:/usr/local/lib"
			else
			    blibpath="/usr/lib:/lib"
			fi
			AC_MSG_RESULT(yes)
		    ], [AC_MSG_RESULT(no)])
		fi
		LDFLAGS="$O_LDFLAGS"

		# Use authenticate(3) as the default authentication method
		if test X"$with_aixauth" = X""; then
		    AC_CHECK_FUNCS(authenticate, [AUTH_EXCL_DEF="AIX_AUTH"])
		    AC_CHECK_FUNCS(unsetenv)
		fi
		;;
    *-*-hiuxmpp*)
		: ${mansectsu='1m'}
		: ${mansectform='4'}
		;;
    *-*-hpux*)
		# AFS support needs -lBSD
		if test "$with_AFS" = "yes"; then
		    AFS_LIBS="-lc -lBSD"
		fi
		: ${mansectsu='1m'}
		: ${mansectform='4'}

		case "$host" in
			*-*-hpux[1-8].*)
			    AC_DEFINE(BROKEN_SYSLOG)

			    # Not sure if setuid binaries are safe in < 9.x
			    if test -n "$GCC"; then
				SUDO_LDFLAGS="${SUDO_LDFLAGS} -static"
			    else
				SUDO_LDFLAGS="${SUDO_LDFLAGS} -Wl,-a,archive"
			    fi
			;;
			*-*-hpux9.*)
			    AC_DEFINE(BROKEN_SYSLOG)

			    shadow_funcs="getspwuid"

			    # DCE support (requires ANSI C compiler)
			    if test "$with_DCE" = "yes"; then
				# order of libs in 9.X is important. -lc_r must be last
				SUDO_LIBS="${SUDO_LIBS} -ldce -lM -lc_r"
				LIBS="${LIBS} -ldce -lM -lc_r"
				CPPFLAGS="${CPPFLAGS} -D_REENTRANT -I/usr/include/reentrant"
			    fi
			;;
			*-*-hpux10.*)
			    shadow_funcs="getprpwnam iscomsec"
			    shadow_libs="-lsec"
			;;
			*)
			    shadow_funcs="getspnam iscomsec"
			    shadow_libs="-lsec"
			    test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
			;;
		esac
		;;
    *-dec-osf*)
		# ignore envariables wrt dynamic lib path
		SUDO_LDFLAGS="${SUDO_LDFLAGS} -Wl,-no_library_replacement"

		: ${CHECKSIA='true'}
		AC_MSG_CHECKING(whether to disable sia support on Digital UNIX)
		AC_ARG_ENABLE(sia,
		[  --disable-sia           Disable SIA on Digital UNIX],
		[ case "$enableval" in
		    yes)	AC_MSG_RESULT(no)
				CHECKSIA=true
				;;
		    no)		AC_MSG_RESULT(yes)
				CHECKSIA=false
				;;
		    *)		AC_MSG_RESULT(no)
				AC_MSG_WARN([Ignoring unknown argument to --enable-sia: $enableval])
				;;
		  esac
		], AC_MSG_RESULT(no))

		shadow_funcs="getprpwnam dispcrypt"
		# OSF/1 4.x and higher need -ldb too
		if test $OSMAJOR -lt 4; then
		    shadow_libs="-lsecurity -laud -lm"
		else
		    shadow_libs="-lsecurity -ldb -laud -lm"
		fi

		# use SIA by default, if we have it
		test "$CHECKSIA" = "true" && AUTH_EXCL_DEF="SIA"

		#
		# Some versions of Digital Unix ship with a broken
		# copy of prot.h, which we need for shadow passwords.
		# XXX - make should remove this as part of distclean
		#
		AC_MSG_CHECKING([for broken prot.h])
		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/security.h>
#include <prot.h>
		]], [[exit(0);]])], [AC_MSG_RESULT(no)], [AC_MSG_RESULT([yes, fixing locally])
		sed 's:<acl.h>:<sys/acl.h>:g' < /usr/include/prot.h > prot.h
		])
		: ${mansectsu='8'}
		: ${mansectform='4'}
		;;
    *-*-irix*)
		OSDEFS="${OSDEFS} -D_BSD_TYPES"
		if test -z "$NROFFPROG"; then
		    MAN_POSTINSTALL='	/bin/rm -f $(mandirsu)/sudo.$(mansectsu).z $(mandirsu)/visudo.$(mansectsu).z $(mandirform)/sudoers.$(mansectform).z ; /usr/bin/pack $(mandirsu)/sudo.$(mansectsu) $(mandirsu)/visudo.$(mansectsu) $(mandirform)/sudoers.$(mansectform)'
		    if test "$prefix" = "/usr/local" -a "$mandir" = '$(prefix)/man'; then
			if test -d /usr/share/catman/local; then
			    mandir="/usr/share/catman/local"
			else
			    mandir="/usr/catman/local"
			fi
		    fi
		else
		    if test "$prefix" = "/usr/local" -a "$mandir" = '$(prefix)/man'; then
			if test -d "/usr/share/man/local"; then
			    mandir="/usr/share/man/local"
			else
			    mandir="/usr/man/local"
			fi
		    fi
		fi
		# IRIX <= 4 needs -lsun
		if test "$OSMAJOR" -le 4; then
		    AC_CHECK_LIB(sun, getpwnam, [LIBS="${LIBS} -lsun"])
		fi
		: ${mansectsu='1m'}
		: ${mansectform='4'}
		;;
    *-*-linux*|*-*-k*bsd*-gnu)
		OSDEFS="${OSDEFS} -D_GNU_SOURCE"
		# Some Linux versions need to link with -lshadow
		shadow_funcs="getspnam"
		shadow_libs_optional="-lshadow"
		test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
		;;
    *-convex-bsd*)
		OSDEFS="${OSDEFS} -D_CONVEX_SOURCE"
		if test -z "$GCC"; then
		    CFLAGS="${CFLAGS} -D__STDC__"
		fi

		shadow_defs="-D_AUDIT -D_ACL -DSecureWare"
		shadow_funcs="getprpwnam"
		shadow_libs="-lprot"
		;;
    *-*-ultrix*)
		OS="ultrix"
		shadow_funcs="getauthuid"
		shadow_libs="-lauth"
		;;
    *-*-riscos*)
		LIBS="${LIBS} -lsun -lbsd"
		CPPFLAGS="${CPPFLAGS} -I/usr/include -I/usr/include/bsd"
		OSDEFS="${OSDEFS} -D_MIPS"
		: ${mansectsu='1m'}
		: ${mansectform='4'}
		;;
    *-*-isc*)
		OSDEFS="${OSDEFS} -D_ISC"
		LIB_CRYPT=1
		SUDO_LIBS="${SUDO_LIBS} -lcrypt"
		LIBS="${LIBS} -lcrypt"

		shadow_funcs="getspnam"
		shadow_libs="-lsec"

		: ${mansectsu='1m'}
		: ${mansectform='4'}
		;;
    *-*-sco*|*-sco-*)
		shadow_funcs="getprpwnam"
		shadow_libs="-lprot -lx"
		: ${mansectsu='1m'}
		: ${mansectform='4'}
		;;
    m88k-motorola-sysv*)
		# motorolla's cc (a variant of gcc) does -O but not -O2
		CFLAGS=`echo $CFLAGS | sed 's/-O2/-O/g'`
		: ${mansectsu='1m'}
		: ${mansectform='4'}
		;;
    *-sequent-sysv*)
		shadow_funcs="getspnam"
		shadow_libs="-lsec"
		: ${mansectsu='1m'}
		: ${mansectform='4'}
		: ${with_rpath='yes'}
		;;
    *-ncr-sysv4*|*-ncr-sysvr4*)
		AC_CHECK_LIB(c89, strcasecmp, AC_DEFINE(HAVE_STRCASECMP) [LIBS="${LIBS} -lc89"; ac_cv_func_strcasecmp=yes])
		: ${mansectsu='1m'}
		: ${mansectform='4'}
		: ${with_rpath='yes'}
		;;
    *-ccur-sysv4*|*-ccur-sysvr4*)
		LIBS="${LIBS} -lgen"
		SUDO_LIBS="${SUDO_LIBS} -lgen"
		: ${mansectsu='1m'}
		: ${mansectform='4'}
		: ${with_rpath='yes'}
		;;
    *-*-bsdi*)
		SKIP_SETREUID=yes
		# Use shlicc for BSD/OS [23].x unless asked to do otherwise
		if test "${with_CC+set}" != set -a "$ac_cv_prog_CC" = gcc; then
		    case "$OSMAJOR" in
			2|3)	AC_MSG_NOTICE([using shlicc as CC])
				ac_cv_prog_CC=shlicc
				CC="$ac_cv_prog_CC"
				;;
		    esac
		fi
		# Check for newer BSD auth API (just check for >= 3.0?)
		if test -z "$with_bsdauth"; then
		    AC_CHECK_FUNCS(auth_challenge, [AUTH_EXCL_DEF="BSD_AUTH"])
		fi
		;;
    *-*-freebsd*)
		# FreeBSD has a real setreuid(2) starting with 2.1 and
		# backported to 2.0.5.  We just take 2.1 and above...
		case "$OSREV" in
		0.*|1.*|2.0*)
		    SKIP_SETREUID=yes
		    ;;
		esac
		if test "$with_skey" = "yes"; then
		     SUDO_LIBS="${SUDO_LIBS} -lmd"
		fi
		CHECKSHADOW="false"
		test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
		: ${with_logincap='maybe'}
		;;
    *-*-*openbsd*)
		# OpenBSD has a real setreuid(2) starting with 3.3 but
		# we will use setreuid(2) instead.
		SKIP_SETREUID=yes
		CHECKSHADOW="false"
		# OpenBSD >= 3.0 supports BSD auth
		if test -z "$with_bsdauth"; then
		    case "$OSREV" in
		    [0-2].*)
			;;
		    *)
			AUTH_EXCL_DEF="BSD_AUTH"
			;;
		    esac
		fi
		: ${with_logincap='maybe'}
		;;
    *-*-*netbsd*)
		# NetBSD has a real setreuid(2) starting with 1.3.2
		case "$OSREV" in
		0.9*|1.[012]*|1.3|1.3.1)
		    SKIP_SETREUID=yes
		    ;;
		esac
		CHECKSHADOW="false"
		test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
		: ${with_logincap='maybe'}
		;;
    *-*-dragonfly*)
		if test "$with_skey" = "yes"; then
		     SUDO_LIBS="${SUDO_LIBS} -lmd"
		fi
		CHECKSHADOW="false"
		test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
		: ${with_logincap='yes'}
		;;
    *-*-*bsd*)
		CHECKSHADOW="false"
		;;
    *-*-darwin*)
		SKIP_SETREUID=yes
		CHECKSHADOW="false"
		test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
		: ${with_logincap='yes'}
		;;
    *-*-nextstep*)
		# lockf() on is broken on the NeXT -- use flock instead
		ac_cv_func_lockf=no
		ac_cv_func_flock=yes
		;;
    *-*-*sysv4*)
		: ${mansectsu='1m'}
		: ${mansectform='4'}
		: ${with_rpath='yes'}
		;;
    *-*-sysv*)
		: ${mansectsu='1m'}
		: ${mansectform='4'}
		;;
    *-gnu*)
		OSDEFS="${OSDEFS} -D_GNU_SOURCE"
		;;
esac

dnl
dnl Check for mixing mutually exclusive and regular auth methods
dnl
AUTH_REG=${AUTH_REG# }
AUTH_EXCL=${AUTH_EXCL# }
if test -n "$AUTH_EXCL"; then
    set -- $AUTH_EXCL
    if test $# != 1; then
	AC_MSG_ERROR([More than one mutually exclusive authentication method specified: $AUTH_EXCL])
    fi
    if test -n "$AUTH_REG"; then
	AC_MSG_ERROR([Cannot mix mutually exclusive ($AUTH_EXCL) and regular ($AUTH_REG) authentication methods])
    fi
fi
dnl
dnl Only one of S/Key and OPIE may be specified
dnl
if test X"${with_skey}${with_opie}" = X"yesyes"; then
    AC_MSG_ERROR(["cannot use both S/Key and OPIE"])
fi

dnl
dnl Use BSD-style man sections by default
dnl
: ${mansectsu='8'}
: ${mansectform='5'}

dnl
dnl Add in any libpaths or libraries specified via configure
dnl
if test -n "$with_libpath"; then
    for i in ${with_libpath}; do
	SUDO_APPEND_LIBPATH(LDFLAGS, [$i])
    done
fi
if test -n "$with_libraries"; then
    for i in ${with_libraries}; do
	case $i in
	    -l*)	;;
	    *.a)	;;
	    *.o)	;;
	    *)	i="-l${i}";;
	esac
	LIBS="${LIBS} ${i}"
    done
fi

dnl
dnl C compiler checks (to be done after os checks)
dnl
AC_PROG_GCC_TRADITIONAL
AC_C_CONST
AC_C_VOLATILE
dnl
dnl Program checks
dnl
AC_PROG_YACC
SUDO_PROG_MV
SUDO_PROG_BSHELL
if test -z "$with_sendmail"; then
    SUDO_PROG_SENDMAIL
fi
if test -z "$with_editor"; then
    SUDO_PROG_VI
fi
dnl
dnl Header file checks
dnl
AC_HEADER_STDC
AC_HEADER_DIRENT
AC_HEADER_TIME
AC_CHECK_HEADERS(malloc.h paths.h utime.h netgroup.h sys/sockio.h sys/bsdtypes.h sys/select.h)
AC_CHECK_HEADERS([err.h], [], [AC_LIBOBJ(err)])
dnl ultrix termio/termios are broken
if test "$OS" != "ultrix"; then
    AC_SYS_POSIX_TERMIOS
    if test "$ac_cv_sys_posix_termios" = "yes"; then
	AC_DEFINE(HAVE_TERMIOS_H)
    else
	AC_CHECK_HEADERS(termio.h)
    fi
fi
if test ${with_logincap-'no'} != "no"; then
    AC_CHECK_HEADERS(login_cap.h, [LCMAN=""
	case "$OS" in
	    freebsd|netbsd)	SUDO_LIBS="${SUDO_LIBS} -lutil"
	    ;;
	esac
    ])
fi
if test ${with_project-'no'} != "no"; then
    AC_CHECK_HEADER(project.h, AC_DEFINE(HAVE_PROJECT_H)
	[SUDO_LIBS="${SUDO_LIBS} -lproject"], -)
fi
dnl
dnl typedef checks
dnl
AC_TYPE_MODE_T
AC_TYPE_UID_T
AC_CHECK_TYPES([sig_atomic_t], , [AC_DEFINE(sig_atomic_t, int)], [#include <sys/types.h>
#include <signal.h>])
AC_CHECK_TYPES([sigaction_t], [AC_DEFINE(HAVE_SIGACTION_T)], [], [#include <sys/types.h>
#include <signal.h>])
AC_CHECK_TYPE([struct timespec], [AC_DEFINE(HAVE_TIMESPEC)], [], [#include <sys/types.h>
#if TIME_WITH_SYS_TIME
# include <sys/time.h>
#endif
#include <time.h>])
AC_CHECK_TYPES([struct in6_addr], [AC_DEFINE(HAVE_IN6_ADDR)], [], [#include <sys/types.h>
#include <netinet/in.h>])
SUDO_TYPE_SIZE_T
SUDO_TYPE_SSIZE_T
SUDO_TYPE_DEV_T
SUDO_TYPE_INO_T
SUDO_FULL_VOID
SUDO_UID_T_LEN
SUDO_TYPE_LONG_LONG
SUDO_SOCK_SA_LEN
dnl
dnl only set RETSIGTYPE if it is not set already
dnl
case "$DEFS" in
    *"RETSIGTYPE"*)	;;
    *)			AC_TYPE_SIGNAL;;
esac
dnl
dnl Function checks
dnl
AC_FUNC_GETGROUPS
AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \
	       strftime setrlimit initgroups getgroups fstat gettimeofday \
	       setlocale getaddrinfo setsid)
if test -z "$SKIP_SETRESUID"; then
    AC_CHECK_FUNCS(setresuid, [SKIP_SETREUID=yes])
fi
if test -z "$SKIP_SETREUID"; then
    AC_CHECK_FUNCS(setreuid, [SKIP_SETEUID=yes])
fi
if test -z "$SKIP_SETEUID"; then
    AC_CHECK_FUNCS(seteuid)
fi
if test X"$with_interfaces" != X"no"; then
    AC_CHECK_FUNCS(getifaddrs, [AC_CHECK_FUNCS(freeifaddrs)])
fi
if test -z "$BROKEN_GETCWD"; then
    AC_REPLACE_FUNCS(getcwd)
fi
AC_CHECK_FUNCS(glob, [AC_MSG_CHECKING(for GLOB_BRACE and GLOB_TILDE in glob.h)
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <glob.h>]], [[int i = GLOB_BRACE | GLOB_TILDE; (void)i;]])], [AC_DEFINE(HAVE_EXTENDED_GLOB)
    AC_MSG_RESULT(yes)], [AC_LIBOBJ(glob)
    AC_MSG_RESULT(no)])], [AC_LIBOBJ(glob)])
AC_CHECK_FUNCS(lockf flock, [break])
AC_CHECK_FUNCS(waitpid wait3, [break])
AC_CHECK_FUNCS(innetgr _innetgr, [AC_CHECK_FUNCS(getdomainname) [break]])
AC_CHECK_FUNCS(lsearch, [], [AC_CHECK_LIB([compat], [lsearch], [AC_CHECK_HEADER([search.h], [AC_DEFINE(HAVE_LSEARCH)] [LIBS="${LIBS} -lcompat"], [AC_LIBOBJ(lsearch)], -)], [AC_LIBOBJ(lsearch)])])
AC_CHECK_FUNCS(utimes, [AC_CHECK_FUNCS(futimes futimesat, [break])], [AC_CHECK_FUNCS(futime) AC_LIBOBJ(utimes)])
SUDO_FUNC_FNMATCH([AC_DEFINE(HAVE_FNMATCH)], [AC_LIBOBJ(fnmatch)])
SUDO_FUNC_ISBLANK
AC_REPLACE_FUNCS(memrchr strerror strcasecmp sigaction strlcpy strlcat)
AC_CHECK_FUNCS(closefrom, [], [AC_LIBOBJ(closefrom)
    AC_CHECK_DECL(F_CLOSEM, AC_DEFINE(HAVE_FCNTL_CLOSEM), [],
	[ #include <limits.h>
	  #include <fcntl.h> ])
])
AC_CHECK_FUNCS(mkstemp, [], [SUDO_OBJS="${SUDO_OBJS} mkstemp.o"
    AC_CHECK_FUNCS(random lrand48, [break])
])
AC_CHECK_FUNCS(snprintf vsnprintf asprintf vasprintf, , [NEED_SNPRINTF=1])
if test X"$ac_cv_type_struct_timespec" != X"no"; then
    AC_CHECK_MEMBER([struct stat.st_mtim], [AC_DEFINE(HAVE_ST_MTIM)]
	[AC_CHECK_MEMBER([struct stat.st_mtim.st__tim], AC_DEFINE(HAVE_ST__TIM))],
	[AC_CHECK_MEMBER([struct stat.st_mtimespec], AC_DEFINE([HAVE_ST_MTIMESPEC]))])
    AC_MSG_CHECKING([for two-parameter timespecsub])
    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <sys/types.h>
#include <sys/time.h>]], [[struct timespec ts1, ts2;
ts1.tv_sec = 1; ts1.tv_nsec = 0; ts2.tv_sec = 0; ts2.tv_nsec = 0;
#ifndef timespecsub
#error missing timespecsub
#endif
timespecsub(&ts1, &ts2);]])], [AC_DEFINE(HAVE_TIMESPECSUB2)
    AC_MSG_RESULT(yes)], [AC_MSG_RESULT(no)])
fi
dnl
dnl Check for the dirfd function/macro.  If not found, look for dd_fd in DIR.
dnl
AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <sys/types.h>
#include <$ac_header_dirent>]], [[DIR *d; (void)dirfd(d);]])], [AC_DEFINE(HAVE_DIRFD)], [AC_TRY_LINK([#include <sys/types.h>
#include <$ac_header_dirent>], [DIR d; memset(&d, 0, sizeof(d)); return(d.dd_fd);], [AC_DEFINE(HAVE_DD_FD)])])
dnl
dnl If NEED_SNPRINTF is set, add snprintf.c to LIBOBJS
dnl (it contains snprintf, vsnprintf, asprintf, and vasprintf)
dnl
if test -n "$NEED_SNPRINTF"; then
    AC_LIBOBJ(snprintf)
fi
dnl
dnl If socket(2) not in libc, check -lsocket and -linet
dnl May need to link with *both* -lnsl and -lsocket due to unresolved symbols
dnl In this case we look for main(), not socket() to avoid using a cached value
dnl
AC_CHECK_FUNC(socket, , [AC_CHECK_LIB(socket, socket, [NET_LIBS="${NET_LIBS} -lsocket"; LIBS="${LIBS} -lsocket"], AC_CHECK_LIB(inet, socket, [NET_LIBS="${NET_LIBS} -linet"; LIBS="${LIBS} -linet"], AC_MSG_WARN(unable to find socket() trying -lsocket -lnsl)
AC_CHECK_LIB(socket, socket, [NET_LIBS="${NET_LIBS} -lsocket -lnsl"; LIBS="${LIBS} -lsocket -lnsl"], , -lnsl)))])
dnl
dnl If inet_addr(3) not in libc, check -lnsl and -linet
dnl May need to link with *both* -lnsl and -lsocket due to unresolved symbols
dnl
AC_CHECK_FUNC(inet_addr, , [AC_CHECK_FUNC(__inet_addr, , AC_CHECK_LIB(nsl, inet_addr, [NET_LIBS="${NET_LIBS} -lnsl"; LIBS="${LIBS} -lnsl"], AC_CHECK_LIB(inet, inet_addr, [NET_LIBS="${NET_LIBS} -linet"; LIBS="${LIBS} -linet"], AC_MSG_WARN(unable to find inet_addr() trying -lsocket -lnsl)
AC_CHECK_LIB(socket, inet_addr, [NET_LIBS="${NET_LIBS} -lsocket -lnsl"; LIBS="${LIBS} -lsocket -lnsl"], , -lnsl))))])
dnl
dnl If syslog(3) not in libc, check -lsocket, -lnsl and -linet
dnl
AC_CHECK_FUNC(syslog, , [AC_CHECK_LIB(socket, syslog, [NET_LIBS="${NET_LIBS} -lsocket"; LIBS="${LIBS} -lsocket"], AC_CHECK_LIB(nsl, syslog, [NET_LIBS="${NET_LIBS} -lnsl"; LIBS="${LIBS} -lnsl"], AC_CHECK_LIB(inet, syslog, [NET_LIBS="${NET_LIBS} -linet"; LIBS="${LIBS} -linet"])))])
dnl
dnl Bison and DCE use alloca(3), if not in libc, use the sudo one (from gcc)
dnl (gcc includes its own alloca(3) but other compilers may not)
dnl
if test "$with_DCE" = "yes" -o "$ac_cv_prog_YACC" = "bison -y"; then
    AC_FUNC_ALLOCA
fi
dnl
dnl Check for getprogname() or __progname
dnl
AC_CHECK_FUNCS(getprogname, , [
    AC_MSG_CHECKING([for __progname])
    AC_CACHE_VAL(sudo_cv___progname, [
    AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[extern char *__progname; (void)puts(__progname);]])], [sudo_cv___progname=yes], [sudo_cv___progname=no])])
    if test "$sudo_cv___progname" = "yes"; then
	AC_DEFINE(HAVE___PROGNAME)
    else
	AC_LIBOBJ(getprogname)
    fi
    AC_MSG_RESULT($sudo_cv___progname)
])

dnl
dnl Mutually exclusive auth checks come first, followed by
dnl non-exclusive ones.  Note: passwd must be last of all!
dnl

dnl
dnl Convert default authentication methods to with_* if
dnl no explicit authentication scheme was specified.
dnl
if test -z "${AUTH_EXCL}${AUTH_REG}" -a -n "$AUTH_EXCL_DEF"; then
    for auth in $AUTH_EXCL_DEF; do
	case $auth in
	    AIX_AUTH)	with_aixauth=maybe;;
	    BSD_AUTH)	with_bsdauth=maybe;;
	    PAM)	with_pam=maybe;;
	    SIA)	CHECKSIA=true;;
	esac
    done
fi

dnl
dnl PAM support.  Systems that use PAM by default set with_pam=default
dnl and we do the actual tests here.
dnl
if test ${with_pam-"no"} != "no"; then
    dnl
    dnl Linux may need this
    dnl
    AC_CHECK_LIB([dl], [main], [SUDO_LIBS="${SUDO_LIBS} -lpam -ldl"], [SUDO_LIBS="${SUDO_LIBS} -lpam"])
    ac_cv_lib_dl=ac_cv_lib_dl_main

    dnl
    dnl Some PAM implementations (MacOS X for example) put the PAM headers
    dnl in /usr/include/pam instead of /usr/include/security...
    dnl
    AC_CHECK_HEADERS([security/pam_appl.h] [pam/pam_appl.h], [with_pam=yes; break])
    if test "$with_pam" = "yes"; then
	AC_DEFINE(HAVE_PAM)
	AUTH_OBJS="$AUTH_OBJS pam.o";
	AUTH_EXCL=PAM
	AC_MSG_CHECKING(whether to use PAM session support)
	AC_ARG_ENABLE(pam_session,
	[  --disable-pam-session   Disable PAM session support],
	    [ case "$enableval" in
		yes)	AC_MSG_RESULT(yes)
			;;
		no)		AC_MSG_RESULT(no)
			    AC_DEFINE(NO_PAM_SESSION)
			    ;;
		*)		AC_MSG_RESULT(no)
			    AC_MSG_WARN([Ignoring unknown argument to --enable-pam-session: $enableval])
			    ;;
	    esac], AC_MSG_RESULT(yes))
	case $host in
	    *-*-linux*|*-*-solaris*)
		    # dgettext() may be defined to dgettext_libintl in the
		    # header file, so first check that it links w/ additional
		    # libs, then try with -lintl
		    AC_LINK_IFELSE([AC_LANG_PROGRAM(
		    [[#include <libintl.h>]], [(void)dgettext((char *)0, (char *)0);])],
		    [AC_DEFINE(HAVE_DGETTEXT)],
		    [AC_CHECK_LIB(intl, dgettext, [LIBS="${LIBS} -lintl"]
			[AC_DEFINE(HAVE_DGETTEXT)])])
		    ;;
	esac
    fi
fi

dnl
dnl AIX general authentication
dnl If set to "maybe" only enable if no other exclusive method in use.
dnl
if test ${with_aixauth-'no'} != "no"; then
    if test X"$with_aixauth" != X"maybe" -o X"$AUTH_EXCL" = X""; then
	AC_MSG_NOTICE([using AIX general authentication])
	AC_DEFINE(HAVE_AIXAUTH)
	AUTH_OBJS="$AUTH_OBJS aix_auth.o";
	SUDO_LIBS="${SUDO_LIBS} -ls"
	AUTH_EXCL=AIX_AUTH
    fi
fi

dnl
dnl BSD authentication
dnl If set to "maybe" only enable if no other exclusive method in use.
dnl
if test ${with_bsdauth-'no'} != "no"; then
    AC_CHECK_HEADER(bsd_auth.h, AC_DEFINE(HAVE_BSD_AUTH_H)
	[AUTH_OBJS="$AUTH_OBJS bsdauth.o"]
	[AUTH_EXCL=BSD_AUTH; BAMAN=""],
	[AC_MSG_ERROR([BSD authentication was specified but bsd_auth.h could not be found])])
fi

dnl
dnl SIA authentication for Tru64 Unix
dnl
if test ${CHECKSIA-'false'} = "true"; then
    AC_CHECK_FUNCS(sia_ses_init, [found=true], [found=false])
    if test "$found" = "true"; then
	AUTH_EXCL=SIA
	AUTH_OBJS="$AUTH_OBJS sia.o"
    fi
fi

dnl
dnl extra FWTK libs + includes
dnl
if test ${with_fwtk-'no'} != "no"; then
    if test "$with_fwtk" != "yes"; then
	SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [${with_fwtk}])
	CPPFLAGS="${CPPFLAGS} -I${with_fwtk}"
	with_fwtk=yes
    fi
    SUDO_LIBS="${SUDO_LIBS} -lauth -lfwall"
    AUTH_OBJS="$AUTH_OBJS fwtk.o"
fi

dnl
dnl extra SecurID lib + includes
dnl
if test ${with_SecurID-'no'} != "no"; then
    if test "$with_SecurID" != "yes"; then
	:
    elif test -d /usr/ace/examples; then
	with_SecurID=/usr/ace/examples
    else
	with_SecurID=/usr/ace
    fi
    CPPFLAGS="${CPPFLAGS} -I${with_SecurID}"
    _LDFLAGS="${LDFLAGS}"
    SUDO_APPEND_LIBPATH(LDFLAGS, [${with_SecurID}])
    #
    # Determine whether to use the new or old SecurID API
    #
    AC_CHECK_LIB(aceclnt, SD_Init,
	[
	    AUTH_OBJS="$AUTH_OBJS securid5.o";
	    SUDO_LIBS="${SUDO_LIBS} -laceclnt -lpthread"
	]
	[
	    SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [${with_SecurID}])
	], [
	    AUTH_OBJS="$AUTH_OBJS securid.o";
	    SUDO_LIBS="${SUDO_LIBS} ${with_SecurID}/sdiclient.a"
	],
	[
	    -lpthread
	]
    )
    LDFLAGS="${_LDFLAGS}"
fi

dnl
dnl Non-mutually exclusive auth checks come next.
dnl Note: passwd must be last of all!
dnl

dnl
dnl Convert default authentication methods to with_* if
dnl no explicit authentication scheme was specified.
dnl
if test -z "${AUTH_EXCL}" -a -n "$AUTH_DEF"; then
    for auth in $AUTH_DEF; do
	case $auth in
	    passwd)	: ${with_passwd='maybe'};;
	esac
    done
fi

dnl
dnl Kerberos IV
dnl
if test ${with_kerb4-'no'} != "no"; then
    AC_DEFINE(HAVE_KERB4)
    dnl
    dnl Use the specified directory, if any, else search for correct inc dir
    dnl
    O_LDFLAGS="$LDFLAGS"
    if test "$with_kerb4" = "yes"; then
	found=no
	O_CPPFLAGS="$CPPFLAGS"
	for dir in "" "kerberosIV/" "krb4/" "kerberos4/" "kerberosv4/"; do
	    CPPFLAGS="$O_CPPFLAGS -I/usr/include/${dir}"
	    AC_PREPROC_IFELSE([#include <krb.h>], [found=yes; break])
	done
	test X"$found" = X"no" && CPPFLAGS="$O_CPPFLAGS"
    else
	SUDO_APPEND_LIBPATH(LDFLAGS, [${with_kerb4}/lib])
	SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [${with_kerb4}/lib])
	CPPFLAGS="$CPPFLAGS -I${with_kerb4}/include"
	AC_CHECK_HEADER([krb.h], [found=yes], [found=no])
    fi
    if test X"$found" = X"no"; then
	AC_MSG_WARN([Unable to locate Kerberos IV include files, you will have to edit the Makefile and add -I/path/to/krb/includes to CPPFLAGS])
    fi

    dnl
    dnl Check for -ldes vs. -ldes425
    dnl
    AC_CHECK_LIB(des, des_cbc_encrypt, [K4LIBS="-ldes"], [
	AC_CHECK_LIB(des425, des_cbc_encrypt, [K4LIBS="-ldes425"], [K4LIBS=""])
    ])
    dnl
    dnl Try to determine whether we have KTH or MIT/CNS Kerberos IV
    dnl
    AC_MSG_CHECKING(whether we are using KTH Kerberos IV)
    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <krb.h>]], [[const char *tmp = krb4_version;]])], [
	    AC_MSG_RESULT(yes)
	    K4LIBS="${K4LIBS} -lcom_err"
	    AC_CHECK_LIB(roken, main, [K4LIBS="${K4LIBS} -lroken"])
	], [
	    AC_MSG_RESULT(no)
	]
    )
    dnl
    dnl The actual Kerberos IV lib might be -lkrb or -lkrb4
    dnl
    AC_CHECK_LIB(krb, main, [K4LIBS="-lkrb $K4LIBS"], [
	AC_CHECK_LIB(krb4, main, [K4LIBS="-lkrb4 $K4LIBS"],
	    [K4LIBS="-lkrb $K4LIBS"]
	    [AC_MSG_WARN([Unable to locate Kerberos IV libraries, you will have to edit the Makefile and add -L/path/to/krb/libs to SUDO_LDFLAGS and possibly add Kerberos libs to SUDO_LIBS])]
	, [$K4LIBS])
    ], [$K4LIBS])
    LDFLAGS="$O_LDFLAGS"
    SUDO_LIBS="${SUDO_LIBS} $K4LIBS"
    AUTH_OBJS="$AUTH_OBJS kerb4.o"
fi

dnl
dnl Kerberos V
dnl There is an easy way and a hard way...
dnl
if test ${with_kerb5-'no'} != "no"; then
    AC_CHECK_PROG(KRB5CONFIG, krb5-config, yes, "")
    if test -n "$KRB5CONFIG"; then
	AC_DEFINE(HAVE_KERB5)
	AUTH_OBJS="$AUTH_OBJS kerb5.o"
	CPPFLAGS="$CPPFLAGS `krb5-config --cflags`"
	SUDO_LIBS="$SUDO_LIBS `krb5-config --libs`"
	dnl
	dnl Try to determine whether we have Heimdal or MIT Kerberos
	dnl
	AC_MSG_CHECKING(whether we are using Heimdal)
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <krb5.h>]], [[const char *tmp = heimdal_version;]])], [
		AC_MSG_RESULT(yes)
		AC_DEFINE(HAVE_HEIMDAL)
	    ], [
		AC_MSG_RESULT(no)
	    ]
	)
    fi
fi
if test ${with_kerb5-'no'} != "no" -a -z "$KRB5CONFIG"; then
    AC_DEFINE(HAVE_KERB5)
    dnl
    dnl Use the specified directory, if any, else search for correct inc dir
    dnl
    if test "$with_kerb5" = "yes"; then
	found=no
	O_CPPFLAGS="$CPPFLAGS"
	for dir in "" "kerberosV/" "krb5/" "kerberos5/" "kerberosv5/"; do
	    CPPFLAGS="$O_CPPFLAGS -I/usr/include/${dir}"
	    AC_PREPROC_IFELSE([#include <krb5.h>], [found=yes; break])
	done
	if test X"$found" = X"no"; then
	    CPPFLAGS="$O_CPPFLAGS"
	    AC_MSG_WARN([Unable to locate Kerberos V include files, you will have to edit the Makefile and add -I/path/to/krb/includes to CPPFLAGS])
	fi
    else
	dnl XXX - try to include krb5.h here too
	SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [${with_kerb5}/lib])
	CPPFLAGS="$CPPFLAGS -I${with_kerb5}/include"
    fi

    dnl
    dnl Try to determine whether we have Heimdal or MIT Kerberos
    dnl
    AC_MSG_CHECKING(whether we are using Heimdal)
    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <krb5.h>]], [[const char *tmp = heimdal_version;]])], [
	    AC_MSG_RESULT(yes)
	    AC_DEFINE(HAVE_HEIMDAL)
	    SUDO_LIBS="${SUDO_LIBS} -lkrb5 -lcrypto -ldes -lcom_err -lasn1"
	    AC_CHECK_LIB(roken, main, [SUDO_LIBS="${SUDO_LIBS} -lroken"])
	], [
	    AC_MSG_RESULT(no)
	    SUDO_LIBS="${SUDO_LIBS} -lkrb5 -lk5crypto -lcom_err"
	    AC_CHECK_LIB(krb5support, main, [SUDO_LIBS="${SUDO_LIBS} -lkrb5support,"])
    ])
    AUTH_OBJS="$AUTH_OBJS kerb5.o"
    _LIBS="$LIBS"
    LIBS="${LIBS} ${SUDO_LIBS}"
    AC_CHECK_FUNCS(krb5_verify_user krb5_init_secure_context krb5_get_init_creds_opt_alloc)
    AC_CACHE_CHECK(whether krb5_get_init_creds_opt_free takes a two argument2,
	sudo_cv_krb5_get_init_creds_opt_free_two_args, [
	    AC_TRY_COMPILE([#include <krb5.h>],
		[
		    krb5_context context = NULL;
		    krb5_get_init_creds_opt *opts = NULL;
		    krb5_get_init_creds_opt_free(context, opts);
		],
		[sudo_cv_krb5_get_init_creds_opt_free_two_args=yes],
		[sudo_cv_krb5_get_init_creds_opt_free_two_args=no]
	    )
	]
    )
    if test X"$sudo_cv_krb5_get_init_creds_opt_free_two_args" = X"yes"; then
  	AC_DEFINE(HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS)
    fi
    LIBS="$_LIBS"
fi

dnl
dnl extra AFS libs and includes
dnl
if test ${with_AFS-'no'} = "yes"; then

    # looks like the "standard" place for AFS libs is /usr/afsws/lib
    AFSLIBDIRS="/usr/lib/afs /usr/afsws/lib /usr/afsws/lib/afs"
    for i in $AFSLIBDIRS; do
	if test -d ${i}; then
	    SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [$i])
	    FOUND_AFSLIBDIR=true
	fi
    done
    if test -z "$FOUND_AFSLIBDIR"; then
	AC_MSG_WARN([Unable to locate AFS libraries, you will have to edit the Makefile and add -L/path/to/afs/libs to SUDO_LDFLAGS or rerun configure with the --with-libpath options.])
    fi

    # Order is important here.  Note that we build AFS_LIBS from right to left
    # since AFS_LIBS may be initialized with BSD compat libs that must go last
    AFS_LIBS="-laudit ${AFS_LIBS}"
    for i in $AFSLIBDIRS; do
	if test -f ${i}/util.a; then
	    AFS_LIBS="${i}/util.a ${AFS_LIBS}"
	    FOUND_UTIL_A=true
	    break;
	fi
    done
    if test -z "$FOUND_UTIL_A"; then
	AFS_LIBS="-lutil ${AFS_LIBS}"
    fi
    AFS_LIBS="-lkauth -lprot -lubik -lauth -lrxkad -lsys -ldes -lrx -llwp -lcom_err ${AFS_LIBS}"

    # AFS includes may live in /usr/include on some machines...
    for i in /usr/afsws/include; do
	if test -d ${i}; then
	    CPPFLAGS="${CPPFLAGS} -I${i}"
	    FOUND_AFSINCDIR=true
	fi
    done

    if test -z "$FOUND_AFSLIBDIR"; then
	AC_MSG_WARN([Unable to locate AFS include dir, you may have to edit the Makefile and add -I/path/to/afs/includes to CPPFLAGS or rerun configure with the --with-incpath options.])
    fi

    AUTH_OBJS="$AUTH_OBJS afs.o"
fi

dnl
dnl extra DCE obj + lib
dnl Order of libs in HP-UX 10.x is important, -ldce must be last.
dnl
if test ${with_DCE-'no'} = "yes"; then
    DCE_OBJS="${DCE_OBJS} dce_pwent.o"
    SUDO_LIBS="${SUDO_LIBS} -ldce"
    AUTH_OBJS="$AUTH_OBJS dce.o"
fi

dnl
dnl extra S/Key lib and includes
dnl
if test ${with_skey-'no'} = "yes"; then
    O_LDFLAGS="$LDFLAGS"
    if test "$with_skey" != "yes"; then
	CPPFLAGS="${CPPFLAGS} -I${with_skey}/include"
	SUDO_APPEND_LIBPATH(LDFLAGS, [${with_skey}/lib])
	SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [${with_skey}/lib])
	AC_PREPROC_IFELSE([#include <skey.h>], [found=yes], [found=no])
    else
	found=no
	O_CPPFLAGS="$CPPFLAGS"
	for dir in "" "/usr/local" "/usr/contrib"; do
	    test -n "$dir" && CPPFLAGS="$O_CPPFLAGS -I${dir}/include"
	    AC_PREPROC_IFELSE([#include <skey.h>], [found=yes; break])
	done
	if test "$found" = "no" -o -z "$dir"; then
	    CPPFLAGS="$O_CPPFLAGS"
	else
	    SUDO_APPEND_LIBPATH(LDFLAGS, [${dir}/lib])
	    SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [${dir}/lib])
	fi
    fi
    if test "$found" = "no"; then
	AC_MSG_WARN([Unable to locate skey.h, you will have to edit the Makefile and add -I/path/to/skey/includes to CPPFLAGS])
    fi
    AC_CHECK_LIB(skey, main, [found=yes], [AC_MSG_WARN([Unable to locate libskey.a, you will have to edit the Makefile and add -L/path/to/skey/lib to SUDO_LDFLAGS])])
    AC_CHECK_LIB(skey, skeyaccess, AC_DEFINE(HAVE_SKEYACCESS))
    LDFLAGS="$O_LDFLAGS"
    SUDO_LIBS="${SUDO_LIBS} -lskey"
    AUTH_OBJS="$AUTH_OBJS rfc1938.o"
fi

dnl
dnl extra OPIE lib and includes
dnl
if test ${with_opie-'no'} = "yes"; then
    O_LDFLAGS="$LDFLAGS"
    if test "$with_opie" != "yes"; then
	CPPFLAGS="${CPPFLAGS} -I${with_opie}/include"
	SUDO_APPEND_LIBPATH(LDFLAGS, [${with_opie}/lib])
	SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [${with_opie}/lib])
	AC_PREPROC_IFELSE([#include <opie.h>], [found=yes], [found=no])
    else
	found=no
	O_CPPFLAGS="$CPPFLAGS"
	for dir in "" "/usr/local" "/usr/contrib"; do
	    test -n "$dir" && CPPFLAGS="$O_CPPFLAGS -I${dir}/include"
	    AC_PREPROC_IFELSE([#include <opie.h>], [found=yes; break])
	done
	if test "$found" = "no" -o -z "$dir"; then
	    CPPFLAGS="$O_CPPFLAGS"
	else
	    SUDO_APPEND_LIBPATH(LDFLAGS, [${dir}/lib])
	    SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [${dir}/lib])
	fi
    fi
    if test "$found" = "no"; then
	AC_MSG_WARN([Unable to locate opie.h, you will have to edit the Makefile and add -I/path/to/opie/includes to CPPFLAGS])
    fi
    AC_CHECK_LIB(opie, main, [found=yes], [AC_MSG_WARN([Unable to locate libopie.a, you will have to edit the Makefile and add -L/path/to/opie/lib to SUDO_LDFLAGS])])
    LDFLAGS="$O_LDFLAGS"
    SUDO_LIBS="${SUDO_LIBS} -lopie"
    AUTH_OBJS="$AUTH_OBJS rfc1938.o"
fi

dnl
dnl Check for shadow password routines if we have not already done so.
dnl If there is a specific list of functions to check we do that first.
dnl Otherwise, we check for SVR4-style and then SecureWare-style.
dnl
if test ${with_passwd-'no'} != "no"; then
    dnl
    dnl if crypt(3) not in libc, look elsewhere
    dnl
    if test -z "$LIB_CRYPT" -a "$with_passwd" != "no"; then
	AC_SEARCH_LIBS([crypt], [crypt crypt_d ufc], [test -n "$ac_lib" && SUDO_LIBS="${SUDO_LIBS} $ac_res"])
    fi

    if test "$CHECKSHADOW" = "true" -a -n "$shadow_funcs"; then
	_LIBS="$LIBS"
	LIBS="$LIBS $shadow_libs"
	found=no
	AC_CHECK_FUNCS($shadow_funcs, [found=yes])
	if test "$found" = "yes"; then
	    SUDO_LIBS="$SUDO_LIBS $shadow_libs"
	elif test -n "$shadow_libs_optional"; then
	    LIBS="$LIBS $shadow_libs_optional"
	    AC_CHECK_FUNCS($shadow_funcs, [found=yes])
	    if test "$found" = "yes"; then
		SUDO_LIBS="$SUDO_LIBS $shadow_libs $shadow_libs_optional"
	    fi
	fi
	if test "$found" = "yes"; then
	    case "$shadow_funcs" in
		*getprpwnam*) SECUREWARE=1;;
	    esac
	    test -n "$shadow_defs" && OSDEFS="${OSDEFS} $shadow_defs"
	else
	    LIBS="$_LIBS"
	fi
	CHECKSHADOW=false
    fi
    if test "$CHECKSHADOW" = "true"; then
	AC_SEARCH_LIBS([getspnam], [gen], [AC_DEFINE(HAVE_GETSPNAM)] [CHECKSHADOW=false; test -n "$ac_lib" && SUDO_LIBS="${SUDO_LIBS} $ac_res"])
    fi
    if test "$CHECKSHADOW" = "true"; then
	AC_SEARCH_LIBS([getprpwnam], [sec security prot], [AC_DEFINE(HAVE_GETPRPWNAM)] [CHECKSHADOW=false; SECUREWARE=1; test -n "$ac_lib" && SUDO_LIBS="${SUDO_LIBS} $ac_res"])
    fi
    if test -n "$SECUREWARE"; then
	AC_CHECK_FUNCS(bigcrypt set_auth_parameters initprivs)
	AUTH_OBJS="$AUTH_OBJS secureware.o"
    fi
fi

dnl
dnl extra lib and .o file for LDAP support
dnl
if test ${with_ldap-'no'} != "no"; then
    _LDFLAGS="$LDFLAGS"
    if test "$with_ldap" != "yes"; then
	SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [${with_ldap}/lib])
	SUDO_APPEND_LIBPATH(LDFLAGS, [${with_ldap}/lib])
	CPPFLAGS="${CPPFLAGS} -I${with_ldap}/include"
	with_ldap=yes
    fi
    SUDO_OBJS="${SUDO_OBJS} ldap.o"

    AC_MSG_CHECKING([for LDAP libraries])
    LDAP_LIBS=""
    _LIBS="$LIBS"
    found=no
    for l in -lldap -llber '-lssl -lcrypto'; do
	LIBS="${LIBS} $l"
	LDAP_LIBS="${LDAP_LIBS} $l"
	AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <sys/types.h>
	#include <lber.h>
	#include <ldap.h>]], [[(void)ldap_init(0, 0)]])], [found=yes; break])
    done
    dnl if nothing linked just try with -lldap
    if test "$found" = "no"; then
	LIBS="${_LIBS} -lldap"
	LDAP_LIBS="-lldap"
	AC_MSG_RESULT([not found, using -lldap])
    else
	AC_MSG_RESULT([$LDAP_LIBS])
    fi
    dnl check if we need to link with -llber for ber_set_option
    OLIBS="$LIBS"
    AC_SEARCH_LIBS([ber_set_option], [lber], [found=yes], [found=no])
    if test X"$found" = X"yes" -a X"$LIBS" != X"$OLIBS"; then
	LDAP_LIBS="$LDAP_LIBS -llber"
    fi
    dnl check if ldap.h includes lber.h for us
    AC_MSG_CHECKING([whether lber.h is needed])
    AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <sys/types.h>
    #include <ldap.h>]], [[(void)ldap_init(0, 0)]])], [AC_MSG_RESULT([no])], [
    AC_MSG_RESULT([yes])
    AC_DEFINE(HAVE_LBER_H)])

    AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength)
    AC_CHECK_HEADERS([ldap_ssl.h] [mps/ldap_ssl.h], [break], [], [#include <ldap.h>])

    SUDO_LIBS="${SUDO_LIBS} ${LDAP_LIBS}"
    LIBS="$_LIBS"
    LDFLAGS="$_LDFLAGS"
    # XXX - OpenLDAP has deprecated ldap_get_values()
    CPPFLAGS="${CPPFLAGS} -DLDAP_DEPRECATED"
fi

dnl
dnl Add $blibpath to SUDO_LDFLAGS if specified by the user or if we
dnl added -L dirpaths to SUDO_LDFLAGS.
dnl
if test -n "$blibpath"; then
    if test -n "$blibpath_add"; then
    	SUDO_LDFLAGS="$SUDO_LDFLAGS -Wl,-blibpath:${blibpath}${blibpath_add}"
    elif test -n "$with_blibpath" -a "$with_blibpath" != "yes"; then
    	SUDO_LDFLAGS="$SUDO_LDFLAGS -Wl,-blibpath:${blibpath}"
    fi
fi

dnl
dnl Check for log file and timestamp locations
dnl
SUDO_LOGFILE
SUDO_TIMEDIR

dnl
dnl Use passwd (and secureware) auth modules?
dnl
case "$with_passwd" in
yes|maybe)
    AUTH_OBJS="$AUTH_OBJS passwd.o"
    ;;
*)
    AC_DEFINE(WITHOUT_PASSWD)
    if test -z "$AUTH_OBJS"; then
	AC_MSG_ERROR([no authentication methods defined.])
    fi
    ;;
esac
AUTH_OBJS=${AUTH_OBJS# }
_AUTH=`echo "$AUTH_OBJS" | sed 's/\.o//g'`
AC_MSG_NOTICE([using the following authentication methods: $_AUTH])

dnl
dnl LIBS may contain duplicates from SUDO_LIBS or NET_LIBS so prune it.
dnl
if test -n "$LIBS"; then
    L="$LIBS"
    LIBS=
    for l in ${L}; do
	dupe=0
	for sl in ${SUDO_LIBS} ${NET_LIBS}; do
	    test $l = $sl && dupe=1
	done
	test $dupe = 0 && LIBS="${LIBS} $l"
    done
fi

dnl
dnl Set exec_prefix
dnl
test "$exec_prefix" = "NONE" && exec_prefix='$(prefix)'

dnl
dnl Defer setting _PATH_SUDO_NOEXEC and _PATH_SUDO_SESH
dnl until after exec_prefix is set
dnl XXX - this is gross!
dnl
if test X"$with_noexec" != X"no" -o X"$with_selinux" != X"no"; then
    oexec_prefix="$exec_prefix"
    if test "$exec_prefix" = '$(prefix)'; then
	if test "$prefix" = "NONE"; then
	    exec_prefix="$ac_default_prefix"
	else
	    exec_prefix="$prefix"
	fi
    fi
    if test X"$with_noexec" != X"no"; then
	PROGS="${PROGS} sudo_noexec.la"
	INSTALL_NOEXEC="install-noexec"

	eval noexec_file="$with_noexec"
	AC_DEFINE_UNQUOTED(_PATH_SUDO_NOEXEC, "$noexec_file", [The fully qualified pathname of sudo_noexec.so])
    fi
    if test X"$with_selinux" != X"no"; then
	eval sesh_file="$libexecdir/sesh"
	AC_DEFINE_UNQUOTED(_PATH_SUDO_SESH, "$sesh_file", [The fully qualified pathname of sesh])
    fi
    exec_prefix="$oexec_prefix"
fi

dnl
dnl Substitute into the Makefile and man pages
dnl
AC_CONFIG_FILES([Makefile sudo.man visudo.man sudoers.man])
AC_OUTPUT

dnl
dnl Spew any text the user needs to know about
dnl
if test "$with_pam" = "yes"; then
    case $host in
	*-*-linux*)
	    AC_MSG_NOTICE([You will need to customize sample.pam and install it as /etc/pam.d/sudo])
	    ;;
    esac
fi

dnl
dnl Autoheader templates
dnl
AH_TEMPLATE(BROKEN_SYSLOG, [Define to 1 if the `syslog' function returns a non-zero int to denote failure.])
AH_TEMPLATE(CLASSIC_INSULTS, [Define to 1 if you want the insults from the "classic" version sudo.])
AH_TEMPLATE(CSOPS_INSULTS, [Define to 1 if you want insults culled from the twisted minds of CSOps.])
AH_TEMPLATE(DONT_LEAK_PATH_INFO, [Define to 1 if you want sudo to display "command not allowed" instead of "command not found" when a command cannot be found.])
AH_TEMPLATE(ENV_EDITOR, [Define to 1 if you want visudo to honor the EDITOR and VISUAL env variables.])
AH_TEMPLATE(FQDN, [Define to 1 if you want to require fully qualified hosts in sudoers.])
AH_TEMPLATE(GOONS_INSULTS, [Define to 1 if you want insults from the "Goon Show".])
AH_TEMPLATE(HAL_INSULTS, [Define to 1 if you want 2001-like insults.])
AH_TEMPLATE(HAVE_AFS, [Define to 1 if you use AFS.])
AH_TEMPLATE(HAVE_AIXAUTH, [Define to 1 if you use AIX general authentication.])
AH_TEMPLATE(HAVE_BSD_AUTH_H, [Define to 1 if you use BSD authentication.])
AH_TEMPLATE(HAVE_DCE, [Define to 1 if you use OSF DCE.])
AH_TEMPLATE(HAVE_DD_FD, [Define to 1 if your `DIR' contains dd_fd.])
AH_TEMPLATE(HAVE_DIRFD, [Define to 1 if you have the `dirfd' function or macro.])
AH_TEMPLATE(HAVE_DGETTEXT, [Define to 1 if you have the `dgettext' function.])
AH_TEMPLATE(HAVE_DISPCRYPT, [Define to 1 if you have the `dispcrypt' function.])
AH_TEMPLATE(HAVE_EXTENDED_GLOB, [Define to 1 if your glob.h defines the GLOB_BRACE and GLOB_TILDE flags.])
AH_TEMPLATE(HAVE_FCNTL_CLOSEM, [Define to 1 if your system has the F_CLOSEM fcntl.])
AH_TEMPLATE(HAVE_FNMATCH, [Define to 1 if you have the `fnmatch' function.])
AH_TEMPLATE(HAVE_FWTK, [Define to 1 if you use the FWTK authsrv daemon.])
AH_TEMPLATE(HAVE_GETAUTHUID, [Define to 1 if you have the `getauthuid' function. (ULTRIX 4.x  shadow passwords)])
AH_TEMPLATE(HAVE_GETPRPWNAM, [Define to 1 if you have the `getprpwnam' function.  (SecureWare-style shadow passwords)])
AH_TEMPLATE(HAVE_GETPWANAM, [Define to 1 if you have the `getpwanam' function. (SunOS 4.x shadow passwords)])
AH_TEMPLATE(HAVE_GETSPNAM, [Define to 1 if you have the `getspnam' function (SVR4-style shadow passwords)])
AH_TEMPLATE(HAVE_GETSPWUID, [Define to 1 if you have the `getspwuid' function. (HP-UX <= 9.X shadow passwords)])
AH_TEMPLATE(HAVE_HEIMDAL, [Define to 1 if your Kerberos is Heimdal.])
AH_TEMPLATE(HAVE_IN6_ADDR, [Define to 1 if <netinet/in.h> contains struct in6_addr.])
AH_TEMPLATE(HAVE_ISCOMSEC, [Define to 1 if you have the `iscomsec' function. (HP-UX >= 10.x check for shadow enabled)])
AH_TEMPLATE(HAVE_ISSECURE, [Define to 1 if you have the `issecure' function. (SunOS 4.x check for shadow enabled)])
AH_TEMPLATE(HAVE_KERB4, [Define to 1 if you use Kerberos IV.])
AH_TEMPLATE(HAVE_KERB5, [Define to 1 if you use Kerberos V.])
AH_TEMPLATE(HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC, [Define to 1 if you have the `krb5_get_init_creds_opt_alloc' function.])
AH_TEMPLATE(HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS, [Define to 1 if your `krb5_get_init_creds_opt_alloc' function takes two arguments.])
AH_TEMPLATE(HAVE_KRB5_INIT_SECURE_CONTEXT, [Define to 1 if you have the `krb5_init_secure_context' function.])
AH_TEMPLATE(HAVE_KRB5_VERIFY_USER, [Define to 1 if you have the `krb5_verify_user' function.])
AH_TEMPLATE(HAVE_LBER_H, [Define to 1 if your LDAP needs <lber.h>. (OpenLDAP does not)])
AH_TEMPLATE(HAVE_LDAP, [Define to 1 if you use LDAP for sudoers.])
AH_TEMPLATE(HAVE_OPIE, [Define to 1 if you use NRL OPIE.])
AH_TEMPLATE(HAVE_PAM, [Define to 1 if you use PAM authentication.])
AH_TEMPLATE(HAVE_PROJECT_H, [Define to 1 if you have the <project.h> header file.])
AH_TEMPLATE(HAVE_SECURID, [Define to 1 if you use SecurID for authentication.])
AH_TEMPLATE(HAVE_SELINUX, [Define to 1 to enable SELinux RBAC support.])
AH_TEMPLATE(HAVE_SIGACTION_T, [Define to 1 if <signal.h> has the sigaction_t typedef.])
AH_TEMPLATE(HAVE_SKEY, [Define to 1 if you use S/Key.])
AH_TEMPLATE(HAVE_SKEYACCESS, [Define to 1 if your S/Key library has skeyaccess().])
AH_TEMPLATE(HAVE_ST__TIM, [Define to 1 if your struct stat uses an st__tim union])
AH_TEMPLATE(HAVE_ST_MTIM, [Define to 1 if your struct stat has an st_mtim member])
AH_TEMPLATE(HAVE_ST_MTIMESPEC, [Define to 1 if your struct stat has an st_mtimespec member])
AH_TEMPLATE(HAVE_TERMIOS_H, [Define to 1 if you have the <termios.h> header file and the `tcgetattr' function.])
AH_TEMPLATE(HAVE_TIMESPEC, [Define to 1 if you have struct timespec in sys/time.h])
AH_TEMPLATE(HAVE_TIMESPECSUB2, [Define to 1 if you have a timespecsub macro or function that takes two arguments (not three)])
AH_TEMPLATE(HAVE___PROGNAME, [Define to 1 if your crt0.o defines the __progname symbol for you.])
AH_TEMPLATE(HOST_IN_LOG, [Define to 1 if you want the hostname to be entered into the log file.])
AH_TEMPLATE(IGNORE_DOT_PATH, [Define to 1 if you want to ignore '.' and empty PATH elements])
AH_TEMPLATE(LOGGING, [Define to SLOG_SYSLOG, SLOG_FILE, or SLOG_BOTH.])
AH_TEMPLATE(LONG_OTP_PROMPT, [Define to 1 if you want a two line OTP (S/Key or OPIE) prompt.])
AH_TEMPLATE(NO_AUTHENTICATION, [Define to 1 if you don't want sudo to prompt for a password by default.])
AH_TEMPLATE(NO_LECTURE, [Define to 1 if you don't want users to get the lecture the first they user sudo.])
AH_TEMPLATE(NO_ROOT_MAILER, [Define to avoid runing the mailer as root.])
AH_TEMPLATE(NO_ROOT_SUDO, [Define to 1 if root should not be allowed to use sudo.])
AH_TEMPLATE(PC_INSULTS, [Define to 1 to replace politically incorrect insults with less offensive ones.])
AH_TEMPLATE(SECURE_PATH, [Define to 1 to override the user's path with a built-in one.])
AH_TEMPLATE(SEND_MAIL_WHEN_NOT_OK, [Define to 1 to send mail when the user is not allowed to run a command.])
AH_TEMPLATE(SEND_MAIL_WHEN_NO_HOST, [Define to 1 to send mail when the user is not allowed to run sudo on this host.])
AH_TEMPLATE(SEND_MAIL_WHEN_NO_USER, [Define to 1 to send mail when the user is not in the sudoers file.])
AH_TEMPLATE(SHELL_IF_NO_ARGS, [Define to 1 if you want sudo to start a shell if given no arguments.])
AH_TEMPLATE(SHELL_SETS_HOME, [Define to 1 if you want sudo to set $HOME in shell mode.])
AH_TEMPLATE(STUB_LOAD_INTERFACES, [Define to 1 if the code in interfaces.c does not compile for you.])
AH_TEMPLATE(USE_INSULTS, [Define to 1 if you want to insult the user for entering an incorrect password.])
AH_TEMPLATE(USE_STOW, [Define to 1 if you use GNU stow packaging.])
AH_TEMPLATE(USE_TTY_TICKETS, [Define to 1 if you want a different ticket file for each tty.])
AH_TEMPLATE(WITHOUT_PASSWD, [Define to avoid using the passwd/shadow file for authentication.])
AH_TEMPLATE(sig_atomic_t, [Define to `int' if <signal.h> does not define.])

dnl
dnl Bits to copy verbatim into config.h.in
dnl
AH_TOP([#ifndef _SUDO_CONFIG_H
#define _SUDO_CONFIG_H])

AH_BOTTOM([/*
 * Macros to pull sec and nsec parts of mtime from struct stat.
 * We need to be able to convert between timeval and timespec
 * so the last 3 digits of tv_nsec are not significant.
 */
#ifdef HAVE_ST_MTIM
# ifdef HAVE_ST__TIM
#  define mtim_getsec(_x)	((_x).st_mtim.st__tim.tv_sec)
#  define mtim_getnsec(_x)	(((_x).st_mtim.st__tim.tv_nsec / 1000) * 1000)
# else
#  define mtim_getsec(_x)	((_x).st_mtim.tv_sec)
#  define mtim_getnsec(_x)	(((_x).st_mtim.tv_nsec / 1000) * 1000)
# endif
#else
# ifdef HAVE_ST_MTIMESPEC
#  define mtim_getsec(_x)	((_x).st_mtimespec.tv_sec)
#  define mtim_getnsec(_x)	(((_x).st_mtimespec.tv_nsec / 1000) * 1000)
# else
#  define mtim_getsec(_x)	((_x).st_mtime)
#  define mtim_getnsec(_x)	(0)
# endif /* HAVE_ST_MTIMESPEC */
#endif /* HAVE_ST_MTIM */

/*
 * Emulate a subset of waitpid() if we don't have it.
 */
#ifdef HAVE_WAITPID
# define sudo_waitpid(p, s, o)	waitpid(p, s, o)
#else
# ifdef HAVE_WAIT3
#  define sudo_waitpid(p, s, o)	wait3(s, o, NULL)
# endif
#endif

/* GNU stow needs /etc/sudoers to be a symlink. */
#ifdef USE_STOW
# define stat_sudoers	stat
#else
# define stat_sudoers	lstat
#endif

/* Macros to set/clear/test flags. */
#undef SET
#define SET(t, f)	((t) |= (f))
#undef CLR
#define CLR(t, f)	((t) &= ~(f))
#undef ISSET
#define ISSET(t, f)     ((t) & (f))

/* New ANSI-style OS defs for HP-UX and ConvexOS. */
#if defined(hpux) && !defined(__hpux)
# define __hpux		1
#endif /* hpux */

#if defined(convex) && !defined(__convex__)
# define __convex__	1
#endif /* convex */

/* BSD compatibility on some SVR4 systems. */
#ifdef __svr4__
# define BSD_COMP
#endif /* __svr4__ */

#endif /* _SUDO_CONFIG_H */])