From: Todd C. Miller Date: Wed, 5 Sep 2007 22:16:22 +0000 (+0000) Subject: New method for setting the default authentication type and X-Git-Tag: SUDO_1_7_0~369 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=72255c0ad14a128e632795b5c327a37227d5ef36;p=sudo New method for setting the default authentication type and avoiding conflicts in auth types. --- diff --git a/aclocal.m4 b/aclocal.m4 index 42eccae7f..136d87043 100644 --- a/aclocal.m4 +++ b/aclocal.m4 @@ -318,29 +318,6 @@ AC_DEFUN(SUDO_APPEND_LIBPATH, [ fi ]) -dnl -dnl Add a (potentially exclusive) auth method -dnl $1 - auth name -dnl $2 - object file to add to AUTH_OBJS -dnl $3 - set if method is exclusive -dnl -AC_DEFUN(SUDO_ADD_AUTH, [ -if test X"$AUTH_EXCL" != X""; then - AC_MSG_ERROR(["cannot mix $1 with an exclusive authentication method such as $AUTH_EXCL"]) -elif test X"$3" != X"" -a X"$AUTH_OBJS" != X"" -a X"$AUTH_OBJS" != X"passwd.o"; then - _AUTH=`echo "$AUTH_OBJS" | sed 's/\.o//g'` - AC_MSG_ERROR(["cannot mix $1 with other authentication methods (such as $_AUTH)"]) -fi -if test X"$3" != X""; then - AUTH_OBJS="$2" - AUTH_EXCL="$1" -elif test X"$AUTH_OBJS" = X""; then - AUTH_OBJS="$2" -else - AUTH_OBJS="$AUTH_OBJS $2" -fi -]) - dnl dnl private versions of AC_DEFINE and AC_DEFINE_UNQUOTED that don't support dnl tracing that we use to define paths for pathnames.h so autoheader doesn't diff --git a/configure.in b/configure.in index d47d0ee6b..80dae93ee 100644 --- a/configure.in +++ b/configure.in @@ -113,6 +113,10 @@ PROGS="sudo visudo" : ${SUDOERS_GID='0'} DEV="#" AUTH_OBJS= +AUTH_REG= +AUTH_EXCL= +AUTH_EXCL_DEF= +AUTH_DEF=passwd dnl dnl Other vaiables 
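Review bot: The four variables added next to `AUTH_OBJS=` in the @@ -113 hunk carry no comment saying what each one collects, and their roles only become clear from code several hundred lines further down. A short block above them would help, for example `dnl AUTH_REG / AUTH_EXCL: regular / mutually exclusive methods named on the command line` and `dnl AUTH_EXCL_DEF / AUTH_DEF: platform default exclusive method / fallback regular method (passwd)`. These lists decide which authentication back ends are compiled in, so the reader should not have to infer their meaning.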
@@ -258,6 +262,8 @@ AC_ARG_WITH(passwd, [ --without-passwd don't use passwd/shadow file for [case $with_passwd in yes|no) AC_MSG_CHECKING(whether to use shadow/passwd file authentication) AC_MSG_RESULT($with_passwd) + AUTH_DEF="" + test "$with_passwd" = "yes" && AUTH_REG="$AUTH_REG passwd" ;; *) AC_MSG_ERROR(["Sorry, --with-passwd does not take an argument."]) ;; @@ -267,13 +273,10 @@ AC_ARG_WITH(skey, [ --with-skey[=DIR] enable S/Key support ], [case $with_skey in no) with_skey="" ;; - *) if test -n "$with_opie"; then - AC_MSG_ERROR(["cannot use both S/Key and OPIE"]) - fi - AC_DEFINE(HAVE_SKEY) + *) AC_DEFINE(HAVE_SKEY) AC_MSG_CHECKING(whether to try S/Key authentication) AC_MSG_RESULT(yes) - SUDO_ADD_AUTH([S/Key], [rfc1938.o]) + AUTH_REG="$AUTH_REG S/Key" ;; esac]) @@ -281,13 +284,10 @@ AC_ARG_WITH(opie, [ --with-opie[=DIR] enable OPIE support ], [case $with_opie in no) with_opie="" ;; - *) if test -n "$with_skey"; then - AC_MSG_ERROR(["cannot use both S/Key and OPIE"]) - fi - AC_DEFINE(HAVE_OPIE) + *) AC_DEFINE(HAVE_OPIE) AC_MSG_CHECKING(whether to try NRL OPIE authentication) AC_MSG_RESULT(yes) - SUDO_ADD_AUTH([NRL OPIE], [rfc1938.o]) + AUTH_REG="$AUTH_REG NRL_OPIE" ;; esac]) @@ -310,7 +310,7 @@ AC_ARG_WITH(SecurID, [ --with-SecurID[[=DIR]] enable SecurID support], *) AC_DEFINE(HAVE_SECURID) AC_MSG_CHECKING(whether to use SecurID for authentication) AC_MSG_RESULT(yes) - # AUTH_OBJS updated later + AUTH_EXCL="$AUTH_EXCL SecurID" ;; esac]) @@ -320,7 +320,7 @@ AC_ARG_WITH(fwtk, [ --with-fwtk[[=DIR]] enable FWTK AuthSRV support], *) AC_DEFINE(HAVE_FWTK) AC_MSG_CHECKING(whether to use FWTK AuthSRV for authentication) AC_MSG_RESULT(yes) - SUDO_ADD_AUTH([FWTK AuthSRV], [fwtk.o], [true]) + AUTH_EXCL="$AUTH_EXCL FWTK" ;; esac]) @@ -329,6 +329,7 @@ AC_ARG_WITH(kerb4, [ --with-kerb4[[=DIR]] enable Kerberos IV support], no) with_kerb4="";; *) AC_MSG_CHECKING(whether to try kerberos IV authentication) AC_MSG_RESULT(yes) + AUTH_REG="$AUTH_REG kerb4" ;; esac]) 
@@ -337,19 +338,22 @@ AC_ARG_WITH(kerb5, [ --with-kerb5[[=DIR]] enable Kerberos V support], no) with_kerb5="";; *) AC_MSG_CHECKING(whether to try Kerberos V authentication) AC_MSG_RESULT(yes) + AUTH_REG="$AUTH_REG kerb5" ;; esac]) AC_ARG_WITH(aixauth, [ --with-aixauth enable AIX general authentication support], [case $with_aixauth in - yes|no) ;; + yes) AUTH_EXCL="$AUTH_EXCL AIX_AUTH";; + no) ;; *) AC_MSG_ERROR(["--with-aixauth does not take an argument."]) ;; esac]) AC_ARG_WITH(pam, [ --with-pam enable PAM support], [case $with_pam in - yes|no) ;; + yes) AUTH_EXCL="$AUTH_EXCL PAM";; + no) ;; *) AC_MSG_ERROR(["--with-pam does not take an argument."]) ;; esac]) @@ -359,7 +363,7 @@ AC_ARG_WITH(AFS, [ --with-AFS enable AFS support], yes) AC_DEFINE(HAVE_AFS) AC_MSG_CHECKING(whether to try AFS (kerberos) authentication) AC_MSG_RESULT(yes) - SUDO_ADD_AUTH([AFS], [afs.o]) + AUTH_REG="$AUTH_REG AFS" ;; no) ;; *) AC_MSG_ERROR(["--with-AFS does not take an argument."]) @@ -371,7 +375,7 @@ AC_ARG_WITH(DCE, [ --with-DCE enable DCE support], yes) AC_DEFINE(HAVE_DCE) AC_MSG_CHECKING(whether to try DCE (kerberos) authentication) AC_MSG_RESULT(yes) - SUDO_ADD_AUTH([DCE], [dce.o]) + AUTH_REG="$AUTH_REG DCE" ;; no) ;; *) AC_MSG_ERROR(["--with-DCE does not take an argument."]) @@ -387,7 +391,8 @@ esac]) AC_ARG_WITH(bsdauth, [ --with-bsdauth enable BSD authentication support], [case $with_bsdauth in - yes|no) ;; + yes) AUTH_EXCL="$AUTH_EXCL BSD_AUTH";; + no) ;; *) AC_MSG_ERROR(["--with-bsdauth does not take an argument."]) ;; esac]) @@ -1210,7 +1215,6 @@ else OSMAJOR=0 fi -: ${with_passwd='default'} case "$host" in *-*-sunos4*) # getcwd(3) opens a pipe to getpwd(1)!?! @@ -1233,9 +1237,7 @@ case "$host" in : ${mansectsu='1m'} : ${mansectform='4'} : ${with_rpath='yes'} - if test "$with_passwd" != "yes"; then - : ${with_pam='maybe'} - fi + test -z "$with_pam" && AUTH_EXCL_DEF="PAM" ;; *-*-aix*) # To get all prototypes (so we pass -Wall) 
@@ -1258,9 +1260,9 @@ case "$host" in fi LDFLAGS="$O_LDFLAGS" - # check for authenticate(3) - if test X"$with_aixauth" = X"" -a X"$with_passwd" != X"yes"; then - AC_CHECK_FUNCS(authenticate, [with_aixauth=maybe]) + # Use authenticate(3) as the default authentication method + if test X"$with_aixauth" = X""; then + AC_CHECK_FUNCS(authenticate, [AUTH_EXCL_DEF="AIX_AUTH"]) fi ;; *-*-hiuxmpp*) @@ -1306,9 +1308,7 @@ case "$host" in *) shadow_funcs="getspnam iscomsec" shadow_libs="-lsec" - if test "$with_passwd" != "yes"; then - : ${with_pam='maybe'} - fi + test -z "$with_pam" && AUTH_EXCL_DEF="PAM" ;; esac ;; @@ -1318,7 +1318,7 @@ case "$host" in AC_MSG_CHECKING(whether to disable sia support on Digital UNIX) AC_ARG_ENABLE(sia, - [ --disable-sia Never use SIA on Digital UNIX], + [ --disable-sia Disable SIA on Digital UNIX], [ case "$enableval" in yes) AC_MSG_RESULT(no) ;; @@ -1340,24 +1340,21 @@ case "$host" in fi # use SIA by default, if we have it - if test "$CHECKSIA" = "true" -a "$with_passwd" != "yes"; then - AC_CHECK_FUNCS(sia_ses_init, [found=true], [found=false]) - if test "$found" = "true"; then - SUDO_ADD_AUTH([SIA], [sia.o], [true]) - with_passwd=no - fi - fi - if test "$with_passwd" != "no"; then - # prot.h is included when using shadow passwords - AC_MSG_CHECKING([for broken prot.h]) - AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ + test "$CHECKSIA" = "true" && AUTH_EXCL_DEF="SIA" + + # + # Some versions of Digital Unix ship with a broken + # copy of prot.h, which we need for shadow passwords. + # XXX - make should remove this as part of distclean + # + AC_MSG_CHECKING([for broken prot.h]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include #include #include - ]], [[exit(0);]])], [AC_MSG_RESULT(no)], [AC_MSG_RESULT([yes, fixing locally]) - sed 's:::g' < /usr/include/prot.h > prot.h - ]) - fi + ]], [[exit(0);]])], [AC_MSG_RESULT(no)], [AC_MSG_RESULT([yes, fixing locally]) + sed 's:::g' < /usr/include/prot.h > prot.h + ]) : ${mansectsu='8'} : ${mansectform='4'} ;; 
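Review bot: Recording the SIA default in the @@ -1340 hunk with `test "$CHECKSIA" = "true" && AUTH_EXCL_DEF="SIA"` leaves `CHECKSIA` itself set to `true`, so the later `SIA) CHECKSIA=true;;` conversion is a no-op and the `if test ${CHECKSIA-'false'} = "true"` block in the @@ -1769 hunk appears to run even when the user named another method. The removed code skipped SIA when `--with-passwd` was given; as written, `sia.o` can be added and `AUTH_EXCL=SIA` set after the exclusive/regular conflict check has already passed, unless `CHECKSIA` is reset somewhere outside the visible hunks. Clearing the flag once the default is recorded would restore the gate: `if test "$CHECKSIA" = "true"; then AUTH_EXCL_DEF="SIA"; CHECKSIA=false; fi`.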
@@ -1393,9 +1390,7 @@ case "$host" in # Some Linux versions need to link with -lshadow shadow_funcs="getspnam" shadow_libs_optional="-lshadow" - if test "$with_passwd" != "yes"; then - : ${with_pam='maybe'} - fi + test -z "$with_pam" && AUTH_EXCL_DEF="PAM" ;; *-convex-bsd*) OSDEFS="${OSDEFS} -D_CONVEX_SOURCE" @@ -1475,8 +1470,8 @@ case "$host" in esac fi # Check for newer BSD auth API (just check for >= 3.0?) - if test -z "$with_bsdauth" -a "$with_passwd" != "yes"; then - AC_CHECK_FUNCS(auth_challenge, [with_bsdauth=maybe]) + if test -z "$with_bsdauth"; then + AC_CHECK_FUNCS(auth_challenge, [AUTH_EXCL_DEF="BSD_AUTH"]) fi ;; *-*-freebsd*) @@ -1491,9 +1486,7 @@ case "$host" in SUDO_LIBS="${SUDO_LIBS} -lmd" fi CHECKSHADOW="false" - if test "$with_passwd" != "yes"; then - : ${with_pam='maybe'} - fi + test -z "$with_pam" && AUTH_EXCL_DEF="PAM" : ${with_logincap='maybe'} ;; *-*-*openbsd*) @@ -1502,12 +1495,12 @@ case "$host" in SKIP_SETREUID=yes CHECKSHADOW="false" # OpenBSD >= 3.0 supports BSD auth - if test -z "$with_bsdauth" -a "$with_passwd" != "yes"; then + if test -z "$with_bsdauth"; then case "$OSREV" in [0-2].*) ;; *) - with_bsdauth=maybe + AUTH_EXCL_DEF="BSD_AUTH" ;; esac fi @@ -1521,9 +1514,7 @@ case "$host" in ;; esac CHECKSHADOW="false" - if test "$with_passwd" != "yes"; then - : ${with_pam='maybe'} - fi + test -z "$with_pam" && AUTH_EXCL_DEF="PAM" : ${with_logincap='maybe'} ;; *-*-dragonfly*) @@ -1531,7 +1522,7 @@ case "$host" in SUDO_LIBS="${SUDO_LIBS} -lmd" fi CHECKSHADOW="false" - : ${with_pam='yes'} + test -z "$with_pam" && AUTH_EXCL_DEF="PAM" : ${with_logincap='yes'} ;; *-*-*bsd*) @@ -1540,7 +1531,7 @@ case "$host" in *-*-darwin*) SKIP_SETREUID=yes CHECKSHADOW="false" - : ${with_pam='yes'} + test -z "$with_pam" && AUTH_EXCL_DEF="PAM" : ${with_logincap='yes'} ;; *-*-nextstep*) 
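Review bot: Turning the detected default into `AUTH_EXCL_DEF="BSD_AUTH"` in the @@ -1475 hunk (and in the OpenBSD hunk at @@ -1502) means it is later converted to `with_bsdauth=maybe`, but the rewritten BSD block in the @@ -1769 hunk no longer distinguishes `maybe` from an explicit request. A missing bsd_auth.h now stops configure with "BSD authentication was specified but bsd_auth.h could not be found" even when the user specified nothing, where the old not-found action was empty. The hard error could be kept for explicit requests only, `[test X"$with_bsdauth" = X"maybe" || AC_MSG_ERROR([...])]`, so that the default case falls back to passwd. The block comment that still promises the `maybe` behaviour should be brought in line with whichever is chosen.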
@@ -1562,6 +1553,27 @@ case "$host" in ;; esac +dnl +dnl Check for mixing mutually exclusive and regular auth methods +dnl +AUTH_REG=${AUTH_REG# } +AUTH_EXCL=${AUTH_EXCL# } +if test -n "$AUTH_EXCL"; then + set -- $AUTH_EXCL + if test $# != 1; then + AC_MSG_ERROR([More than one mutually exclusive authentication method specified: $AUTH_EXCL]) + fi + if test -n "$AUTH_REG"; then + AC_MSG_ERROR([Cannot mix mutually exclusive ($AUTH_EXCL) and regular ($AUTH_REG) authentication methods]) + fi +fi +dnl +dnl Only one of S/Key and OPIE may be specified +dnl +if test X"${with_skey}${with_opie}" = X"yesyes"; then + AC_MSG_ERROR(["cannot use both S/Key and OPIE"]) +fi + dnl dnl Use BSD-style man sections by default dnl @@ -1726,12 +1738,6 @@ if test -n "$NEED_SNPRINTF"; then AC_LIBOBJ(snprintf) fi dnl -dnl if crypt(3) not in libc, look elsewhere -dnl -if test -z "$LIB_CRYPT" -a "$with_passwd" != "no"; then - AC_CHECK_FUNC(crypt, , [AC_CHECK_LIB(crypt, crypt, [SUDO_LIBS="${SUDO_LIBS} -lcrypt"; LIBS="${LIBS} -lcrypt"], AC_CHECK_LIB(crypt_d, crypt, [SUDO_LIBS="${SUDO_LIBS} -lcrypt_d"; LIBS="${LIBS} -lcrypt_d"], AC_CHECK_LIB(ufc, crypt, [SUDO_LIBS="${SUDO_LIBS} -lufc"; LIBS="${LIBS} -lufc"])))]) -fi -dnl dnl If socket(2) not in libc, check -lsocket and -linet dnl May need to link with *both* -lnsl and -lsocket due to unresolved symbols dnl In this case we look for main(), not socket() to avoid using a cached value 
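Review bot: The relocated S/Key/OPIE conflict test in the @@ -1562 hunk, `test X"${with_skey}${with_opie}" = X"yesyes"`, only fires when both options are given without a directory argument. `--with-skey=DIR` together with `--with-opie` (or any other DIR combination) is no longer rejected, although the removed per-option checks rejected any non-empty value. Because the `no)` arms of both option handlers reset the variable to the empty string, `if test -n "$with_skey" -a -n "$with_opie"; then` keeps the old coverage.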
@@ -1769,10 +1775,156 @@ AC_CHECK_FUNCS(getprogname, , [ fi AC_MSG_RESULT($sudo_cv___progname) ]) + +dnl +dnl Mutually exclusive auth checks come first, followed by +dnl non-exclusive ones. Note: passwd must be last of all! +dnl + +dnl +dnl Convert default authentication methods to with_* if +dnl no explicit authentication scheme was specified. +dnl +if test -z "${AUTH_EXCL}${AUTH_REG}" -a -n "$AUTH_EXCL_DEF"; then + for auth in $AUTH_EXCL_DEF; do + case $auth in + AIX_AUTH) with_aixauth=maybe;; + BSD_AUTH) with_bsdauth=maybe;; + PAM) with_pam=maybe;; + SIA) CHECKSIA=true;; + esac + done +fi + +dnl +dnl PAM support. Systems that use PAM by default set with_pam=default +dnl and we do the actual tests here. +dnl +if test ${with_pam-"no"} != "no"; then + dnl + dnl Linux may need this + dnl + AC_CHECK_LIB([dl], [main], [SUDO_LIBS="${SUDO_LIBS} -lpam -ldl"], [SUDO_LIBS="${SUDO_LIBS} -lpam"]) + ac_cv_lib_dl=ac_cv_lib_dl_main + + dnl + dnl Some PAM implementations (MacOS X for example) put the PAM headers + dnl in /usr/include/pam instead of /usr/include/security... + dnl + AC_CHECK_HEADERS([security/pam_appl.h] [pam/pam_appl.h], [with_pam=yes; break]) + if test "$with_pam" = "yes"; then + AC_DEFINE(HAVE_PAM) + AUTH_OBJS="$AUTH_OBJS pam.o"; + AUTH_EXCL=PAM + fi +fi + +dnl +dnl AIX general authentication +dnl If set to "maybe" only enable if no other exclusive method in use. +dnl +if test ${with_aixauth-'no'} != "no"; then + if test X"$with_aixauth" != X"maybe" -o X"$AUTH_EXCL" = X""; then + AC_MSG_NOTICE([using AIX general authentication]) + AC_DEFINE(HAVE_AIXAUTH) + AUTH_OBJS="$AUTH_OBJS aix_auth.o"; + SUDO_LIBS="${SUDO_LIBS} -ls" + AUTH_EXCL=AIX_AUTH + fi +fi + +dnl +dnl BSD authentication +dnl If set to "maybe" only enable if no other exclusive method in use. 
+dnl +if test ${with_bsdauth-'no'} != "no"; then + AC_CHECK_HEADER(bsd_auth.h, AC_DEFINE(HAVE_BSD_AUTH_H) + [AUTH_OBJS="$AUTH_OBJS bsdauth.o"] + [BSDAUTH_USAGE='[[-a auth_type]] '] + [AUTH_EXCL=BSD_AUTH], + [AC_MSG_ERROR([BSD authentication was specified but bsd_auth.h could not be found])]) +fi + +dnl +dnl SIA authentication for Tru64 Unix +dnl +if test ${CHECKSIA-'false'} = "true"; then + AC_CHECK_FUNCS(sia_ses_init, [found=true], [found=false]) + if test "$found" = "true"; then + AUTH_EXCL=SIA + AUTH_OBJS="$AUTH_OBJS sia.o" + fi +fi + +dnl +dnl extra FWTK libs + includes +dnl +if test ${with_fwtk-'no'} != "no"; then + if test "$with_fwtk" != "yes"; then + SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [${with_fwtk}]) + CPPFLAGS="${CPPFLAGS} -I${with_fwtk}" + with_fwtk=yes + fi + SUDO_LIBS="${SUDO_LIBS} -lauth -lfwall" + AUTH_OBJS="$AUTH_OBJS fwtk.o" +fi + +dnl +dnl extra SecurID lib + includes +dnl +if test ${with_SecurID-'no'} != "no"; then + if test "$with_SecurID" != "yes"; then + : + elif test -d /usr/ace/examples; then + with_SecurID=/usr/ace/examples + else + with_SecurID=/usr/ace + fi + CPPFLAGS="${CPPFLAGS} -I${with_SecurID}" + _LDFLAGS="${LDFLAGS}" + SUDO_APPEND_LIBPATH(LDFLAGS, [${with_SecurID}]) + # + # Determine whether to use the new or old SecurID API + # + AC_CHECK_LIB(aceclnt, SD_Init, + [ + AUTH_OBJS="$AUTH_OBJS securid5.o"; + SUDO_LIBS="${SUDO_LIBS} -laceclnt -lpthread" + ] + [ + SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [${with_SecurID}]) + ], [ + AUTH_OBJS="$AUTH_OBJS securid.o"; + SUDO_LIBS="${SUDO_LIBS} ${with_SecurID}/sdiclient.a" + ], + [ + -lpthread + ] + ) + LDFLAGS="${_LDFLAGS}" +fi + +dnl +dnl Non-mutually exclusive auth checks come next. +dnl Note: passwd must be last of all! +dnl + +dnl +dnl Convert default authentication methods to with_* if +dnl no explicit authentication scheme was specified. 
+dnl +if test -z "${AUTH_EXCL}" -a -n "$AUTH_DEF"; then + for auth in $AUTH_DEF; do + case $auth in + passwd) : ${with_passwd='maybe'};; + esac + done +fi + dnl dnl Kerberos IV dnl -if test -n "$with_kerb4"; then +if test ${with_kerb4-'no'} != "no"; then AC_DEFINE(HAVE_KERB4) dnl dnl Use the specified directory, if any, else search for correct inc dir @@ -1825,18 +1977,18 @@ if test -n "$with_kerb4"; then ], [$K4LIBS]) LDFLAGS="$O_LDFLAGS" SUDO_LIBS="${SUDO_LIBS} $K4LIBS" - SUDO_ADD_AUTH([Kerberos 4], [kerb4.o]) + AUTH_OBJS="$AUTH_OBJS kerb4.o" fi dnl dnl Kerberos V dnl There is an easy way and a hard way... dnl -if test "$with_kerb5" = "yes"; then +if test ${with_kerb5-'no'} != "no"; then AC_CHECK_PROG(KRB5CONFIG, krb5-config, yes, "") if test -n "$KRB5CONFIG"; then AC_DEFINE(HAVE_KERB5) - SUDO_ADD_AUTH([Kerberos 5], [kerb5.o]) + AUTH_OBJS="$AUTH_OBJS kerb5.o" CPPFLAGS="$CPPFLAGS `krb5-config --cflags`" SUDO_LIBS="$SUDO_LIBS `krb5-config --libs`" dnl @@ -1852,7 +2004,7 @@ if test "$with_kerb5" = "yes"; then ) fi fi -if test -n "$with_kerb5" -a -z "$KRB5CONFIG"; then +if test ${with_kerb5-'no'} != "no" -a -z "$KRB5CONFIG"; then AC_DEFINE(HAVE_KERB5) dnl dnl Use the specified directory, if any, else search for correct inc dir @@ -1889,7 +2041,7 @@ if test -n "$with_kerb5" -a -z "$KRB5CONFIG"; then SUDO_LIBS="${SUDO_LIBS} -lkrb5 -lk5crypto -lcom_err" ]) - SUDO_ADD_AUTH([Kerberos 5], [kerb5.o]) + AUTH_OBJS="$AUTH_OBJS kerb5.o" _LIBS="$LIBS" LIBS="${LIBS} ${SUDO_LIBS}" AC_CHECK_FUNCS(krb5_verify_user krb5_init_secure_context) 
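Review bot: The rewritten guards such as `if test ${with_kerb4-'no'} != "no"; then` at the end of the @@ -1769 hunk expand the variable unquoted, and `-` (unlike `:-`) substitutes the default only when the variable is unset. `--without-kerb4` sets `with_kerb4=""` in the option handler, so the command becomes `test != "no"`, a two-argument form whose result POSIX leaves unspecified and which common shells report as an error; a DIR value containing a blank breaks it the same way. The same shape recurs for `with_kerb5` in the @@ -1825 and @@ -1852 hunks and for `with_skey`, `with_opie` and `with_ldap` further down. Following the file's own `X"..."` idiom avoids both problems: `if test -n "$with_kerb4" -a X"$with_kerb4" != X"no"; then`.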
@@ -1899,109 +2051,17 @@ fi dnl dnl Some systems put login_cap(3) in libutil dnl -if test "$with_logincap" = "yes"; then +if test ${with_logincap-'no'} = "yes"; then case "$OS" in freebsd|netbsd) SUDO_LIBS="${SUDO_LIBS} -lutil" ;; esac fi -dnl -dnl PAM support. Systems that might support PAM set with_pam=maybe -dnl and we do that actual tests here. -dnl -if test ${with_pam-'no'} != "no"; then - dnl - dnl Linux may need this - dnl - AC_CHECK_LIB([dl], [main], [SUDO_LIBS="${SUDO_LIBS} -lpam -ldl"], [SUDO_LIBS="${SUDO_LIBS} -lpam"]) - ac_cv_lib_dl=ac_cv_lib_dl_main - - dnl - dnl Some PAM implementations (MacOS X for example) put the PAM headers - dnl in /usr/include/pam instead of /usr/include/security... - dnl - AC_CHECK_HEADERS([security/pam_appl.h] [pam/pam_appl.h], [with_pam=yes; break]) - if test "$with_pam" = "yes"; then - AC_DEFINE(HAVE_PAM) - SUDO_ADD_AUTH([PAM], [pam.o], [true]) - with_passwd=no - fi -fi - -dnl -dnl AIX general authentication -dnl If set to "maybe" only enable if no other exclusive method in use. -dnl -if test ${with_aixauth-'no'} != "no"; then - if test X"$with_aixauth" != X"maybe" -o X"$AUTH_EXCL" = X""; then - AC_MSG_NOTICE([using AIX general authentication]) - AC_DEFINE(HAVE_AIXAUTH) - SUDO_ADD_AUTH([AIX general authentication], [aix_auth.o], [true]) - SUDO_LIBS="${SUDO_LIBS} -ls" - with_passwd=no - fi -fi - -dnl -dnl BSD authentication -dnl If set to "maybe" only enable if no other exclusive method in use. -dnl -if test ${with_bsdauth-'no'} != "no"; then - if test X"$with_bsdauth" != X"maybe" -o X"$AUTH_EXCL" = X""; then - AC_CHECK_HEADER(bsd_auth.h, AC_DEFINE(HAVE_BSD_AUTH_H) - [SUDO_ADD_AUTH([BSD authentication], [bsdauth.o], [true])] - [BSDAUTH_USAGE='[[-a auth_type]] '] - [with_passwd=no], -) - fi -fi - -dnl -dnl Check for shadow password routines if we have not already done so. -dnl If there is a specific list of functions to check we do that first. -dnl Otherwise, we check for SVR4-style and then SecureWare-style. 
-dnl -if test "$with_passwd" != "no"; then - if test "$CHECKSHADOW" = "true" -a -n "$shadow_funcs"; then - _LIBS="$LIBS" - LIBS="$LIBS $shadow_libs" - found=no - AC_CHECK_FUNCS($shadow_funcs, [found=yes]) - if test "$found" = "yes"; then - SUDO_LIBS="$SUDO_LIBS $shadow_libs" - elif test -n "$shadow_libs_optional"; then - LIBS="$LIBS $shadow_libs_optional" - AC_CHECK_FUNCS($shadow_funcs, [found=yes]) - if test "$found" = "yes"; then - SUDO_LIBS="$SUDO_LIBS $shadow_libs $shadow_libs_optional" - fi - fi - if test "$found" = "yes"; then - case "$shadow_funcs" in - *getprpwnam*) SECUREWARE=1;; - esac - test -n "$shadow_defs" && OSDEFS="${OSDEFS} $shadow_defs" - else - LIBS="$_LIBS" - fi - CHECKSHADOW=false - fi - if test "$CHECKSHADOW" = "true"; then - AC_SEARCH_LIBS([getspnam], [gen], [AC_DEFINE(HAVE_GETSPNAM)] [CHECKSHADOW=false; test -n "$ac_lib" && SUDO_LIBS="${SUDO_LIBS} $ac_res"]) - fi - if test "$CHECKSHADOW" = "true"; then - AC_SEARCH_LIBS([getprpwnam], [sec security prot], [AC_DEFINE(HAVE_GETPRPWNAM)] [CHECKSHADOW=false; SECUREWARE=1; test -n "$ac_lib" && SUDO_LIBS="${SUDO_LIBS} $ac_res"]) - fi - if test -n "$SECUREWARE"; then - AC_CHECK_FUNCS(bigcrypt set_auth_parameters initprivs) - SUDO_ADD_AUTH([SecureWare], [secureware.o]) - fi -fi - dnl dnl extra AFS libs and includes dnl -if test "$with_AFS" = "yes"; then +if test ${with_AFS-'no'} = "yes"; then # looks like the "standard" place for AFS libs is /usr/afsws/lib AFSLIBDIRS="/usr/lib/afs /usr/afsws/lib /usr/afsws/lib/afs" 
@@ -2041,21 +2101,24 @@ if test "$with_AFS" = "yes"; then if test -z "$FOUND_AFSLIBDIR"; then AC_MSG_WARN([Unable to locate AFS include dir, you may have to edit the Makefile and add -I/path/to/afs/includes to CPPFLAGS or rerun configure with the --with-incpath options.]) fi + + AUTH_OBJS="$AUTH_OBJS afs.o" fi dnl dnl extra DCE obj + lib dnl Order of libs in HP-UX 10.x is important, -ldce must be last. dnl -if test "$with_DCE" = "yes"; then +if test ${with_DCE-'no'} = "yes"; then DCE_OBJS="${DCE_OBJS} dce_pwent.o" SUDO_LIBS="${SUDO_LIBS} -ldce" + AUTH_OBJS="$AUTH_OBJS dce.o" fi dnl dnl extra S/Key lib and includes dnl -if test -n "$with_skey"; then +if test ${with_skey-'no'} = "yes"; then O_LDFLAGS="$LDFLAGS" if test "$with_skey" != "yes"; then CPPFLAGS="${CPPFLAGS} -I${with_skey}/include" @@ -2083,12 +2146,13 @@ if test -n "$with_skey"; then AC_CHECK_LIB(skey, skeyaccess, AC_DEFINE(HAVE_SKEYACCESS)) LDFLAGS="$O_LDFLAGS" SUDO_LIBS="${SUDO_LIBS} -lskey" + AUTH_OBJS="$AUTH_OBJS rfc1938.o" fi dnl dnl extra OPIE lib and includes dnl -if test -n "$with_opie"; then +if test ${with_opie-'no'} = "yes"; then O_LDFLAGS="$LDFLAGS" if test "$with_opie" != "yes"; then CPPFLAGS="${CPPFLAGS} -I${with_opie}/include" 
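Review bot: Changing the S/Key guard in the @@ -2041 hunk to `if test ${with_skey-'no'} = "yes"; then` (and the OPIE guard at the end of the @@ -2083 hunk likewise) skips the whole block for `--with-skey=DIR`, which makes the nested `if test "$with_skey" != "yes"` branch that adds `-I${with_skey}/include` unreachable. In that case `HAVE_SKEY` has already been defined and "S/Key" recorded in `AUTH_REG` by the option handler, yet neither `-lskey` nor `rfc1938.o` is added, so as far as the visible lines show the build either fails later or quietly ends up with passwd authentication only. Testing for a non-empty value keeps the DIR form working, `if test -n "$with_skey"; then` and `if test -n "$with_opie"; then`, since `no` is already mapped to the empty string. Both blocks continue outside the hunks shown.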
@@ -2115,59 +2179,62 @@ if test -n "$with_opie"; then AC_CHECK_LIB(opie, main, [found=yes], [AC_MSG_WARN([Unable to locate libopie.a, you will have to edit the Makefile and add -L/path/to/opie/lib to SUDO_LDFLAGS])]) LDFLAGS="$O_LDFLAGS" SUDO_LIBS="${SUDO_LIBS} -lopie" + AUTH_OBJS="$AUTH_OBJS rfc1938.o" fi dnl -dnl extra SecurID lib + includes +dnl Check for shadow password routines if we have not already done so. +dnl If there is a specific list of functions to check we do that first. +dnl Otherwise, we check for SVR4-style and then SecureWare-style. dnl -if test ${with_SecurID-'no'} != "no"; then - if test "$with_SecurID" != "yes"; then - : - elif test -d /usr/ace/examples; then - with_SecurID=/usr/ace/examples - else - with_SecurID=/usr/ace +if test ${with_passwd-'no'} != "no"; then + dnl + dnl if crypt(3) not in libc, look elsewhere + dnl + if test -z "$LIB_CRYPT" -a "$with_passwd" != "no"; then + AC_SEARCH_LIBS([crypt], [crypt crypt_d ufc], [test -n "$ac_lib" && SUDO_LIBS="${SUDO_LIBS} $ac_res"]) fi - CPPFLAGS="${CPPFLAGS} -I${with_SecurID}" - _LDFLAGS="${LDFLAGS}" - SUDO_APPEND_LIBPATH(LDFLAGS, [${with_SecurID}]) - # - # Determine whether to use the new or old SecurID API - # - AC_CHECK_LIB(aceclnt, SD_Init, - [ - SUDO_ADD_AUTH([SecurID 5], [securid5.o], true) - SUDO_LIBS="${SUDO_LIBS} -laceclnt -lpthread" - ] - [ - SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [${with_SecurID}]) - ], [ - SUDO_ADD_AUTH([SecurID], [securid.o], true) - SUDO_LIBS="${SUDO_LIBS} ${with_SecurID}/sdiclient.a" - ], - [ - -lpthread - ] - ) - LDFLAGS="${_LDFLAGS}" -fi -dnl -dnl extra FWTK libs + includes -dnl -if test -n "$with_fwtk"; then - if test "$with_fwtk" != "yes"; then - SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [${with_fwtk}]) - CPPFLAGS="${CPPFLAGS} -I${with_fwtk}" - with_fwtk=yes + if test "$CHECKSHADOW" = "true" -a -n "$shadow_funcs"; then + _LIBS="$LIBS" + LIBS="$LIBS $shadow_libs" + found=no + AC_CHECK_FUNCS($shadow_funcs, [found=yes]) + if test "$found" = "yes"; then + SUDO_LIBS="$SUDO_LIBS 
$shadow_libs" + elif test -n "$shadow_libs_optional"; then + LIBS="$LIBS $shadow_libs_optional" + AC_CHECK_FUNCS($shadow_funcs, [found=yes]) + if test "$found" = "yes"; then + SUDO_LIBS="$SUDO_LIBS $shadow_libs $shadow_libs_optional" + fi + fi + if test "$found" = "yes"; then + case "$shadow_funcs" in + *getprpwnam*) SECUREWARE=1;; + esac + test -n "$shadow_defs" && OSDEFS="${OSDEFS} $shadow_defs" + else + LIBS="$_LIBS" + fi + CHECKSHADOW=false + fi + if test "$CHECKSHADOW" = "true"; then + AC_SEARCH_LIBS([getspnam], [gen], [AC_DEFINE(HAVE_GETSPNAM)] [CHECKSHADOW=false; test -n "$ac_lib" && SUDO_LIBS="${SUDO_LIBS} $ac_res"]) + fi + if test "$CHECKSHADOW" = "true"; then + AC_SEARCH_LIBS([getprpwnam], [sec security prot], [AC_DEFINE(HAVE_GETPRPWNAM)] [CHECKSHADOW=false; SECUREWARE=1; test -n "$ac_lib" && SUDO_LIBS="${SUDO_LIBS} $ac_res"]) + fi + if test -n "$SECUREWARE"; then + AC_CHECK_FUNCS(bigcrypt set_auth_parameters initprivs) + AUTH_OBJS="$AUTH_OBJS secureware.o" fi - SUDO_LIBS="${SUDO_LIBS} -lauth -lfwall" fi dnl dnl extra lib and .o file for LDAP support dnl -if test -n "$with_ldap"; then +if test ${with_ldap-'no'} != "no"; then _LDFLAGS="$LDFLAGS" if test "$with_ldap" != "yes"; then SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [${with_ldap}/lib]) @@ -2259,16 +2326,17 @@ dnl dnl Use passwd (and secureware) auth modules? dnl case "$with_passwd" in -no) +yes|maybe) + AUTH_OBJS="$AUTH_OBJS passwd.o" + ;; +*) AC_DEFINE(WITHOUT_PASSWD) if test -z "$AUTH_OBJS"; then AC_MSG_ERROR([no authentication methods defined.]) fi ;; -*) - AUTH_OBJS="$AUTH_OBJS passwd.o" - ;; esac +AUTH_OBJS=${AUTH_OBJS# } _AUTH=`echo "$AUTH_OBJS" | sed 's/\.o//g'` AC_MSG_NOTICE([using the following authentication methods: $_AUTH])
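Review bot: Inside the new `if test ${with_passwd-'no'} != "no"; then` block of the @@ -2115 hunk, the crypt lookup repeats the same condition with `-a "$with_passwd" != "no"`, which can no longer be false at that point. Reducing it to `if test -z "$LIB_CRYPT"; then` makes it clearer that crypt(3) is now searched for only when passwd authentication is compiled in. If other authentication objects are not expected to need the crypt library, a one-line `dnl` comment saying so would document why the lookup moved.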
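Review bot: `AUTH_OBJS=${AUTH_OBJS# }` in the @@ -2259 hunk relies on the POSIX prefix-stripping expansion, which traditional Bourne shells such as the Solaris /bin/sh do not implement; the same construct is used for `AUTH_REG` and `AUTH_EXCL` in the @@ -1562 hunk. On such a shell configure would stop with a substitution error in the middle of authentication-method selection, which matters for a script that still carries cases for SunOS 4, Convex and NeXTSTEP hosts. The next line already uses an echo | sed pipeline, so an assignment of that shape with `sed 's/^ //'` is the portable equivalent for all three lists.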