From: Todd C. Miller Date: Sat, 7 Aug 1999 11:46:39 +0000 (+0000) Subject: Update to reality. X-Git-Tag: SUDO_1_6_0~148 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=be4e87f66642620d9eec7f2619e404799c416923;p=sudo Update to reality. --- diff --git a/INSTALL b/INSTALL index 0ef66a512..6db558f63 100644 --- a/INSTALL +++ b/INSTALL @@ -435,35 +435,24 @@ support is now compiled in by default (it doesn't hurt anything if you don't have them configured). To disable the shadow password support, use the --disable-shadow option to configure. -Shadow passwords are supported on the following platforms: +Shadow passwords are known to work on the following platforms: SunOS 4.x Solaris 2.x HP-UX >= 9.x Ultrix 4.x - Digital UNIX 3.x and 4.x - IRIX 5.x and 6.x - AIX 3.2.x ad 4.x + Digital UNIX + IRIX >= 5.x + AIX >= 3.2.x ConvexOS with C2 security (not tested recently) Linux - SCO 3.2.2 + SCO >= 3.2.2 Pyramid DC/OSx UnixWare SVR4 (and variants using standard SVR4 shadow passwords) 4.4BSD based systems (including OpenBSD, NetBSD, FreeBSD, and BSD/OS) OS's using SecureWare's C2 security. -Mixing password authentication schemes -====================================== - -It is possible to build sudo with support for several authentication -schemes, including shadow passwords, kerberos, s/key, AFS, DCE and -normal UN*X passwords into a single binary. User validation will -take slightly longer, of course, but it may be valuable to have a -single sudo binary that is distributed among systems with varying -authentication mechanisms. The exception to this rule is SecurID -which must be the only authentication mechanism used. - OS dependent notes ================== diff --git a/PORTING b/PORTING index 589373dce..fb6db446f 100644 --- a/PORTING +++ b/PORTING 
@@ -1,11 +1,11 @@ -sudo porting hints: +Sudo porting hints +================== Before trying to port sudo to a new architecture, please join the -sudo-workers mailing list (see the README) and ask if anyone has -a port working or in-progress. - -Sudo should be fairly easy to port. In fact, now that it uses a configure -script, most of the work should be done for you. +sudo-workers mailing list (see the README) and ask if anyone has a +port working or in-progress. Sudo should be fairly easy to port. +Since it uses a configure script, most of the work should be done +for you. If your OS is an SVR4 derivative (or some approximation thereof), it may be sufficient to tell configure you are runnng SVR4, something like: 
@@ -24,25 +24,30 @@ OS that has shared libraries you'll want to mask out the variables that allow one to change the shared library path. See badenv_table() in sudo.c to see how this is done for various OS's. -It is possible that on a really weird system, tgetpass() may not compile. -(The most common cause for this is that the "fd_set" type is not -defined in a place that sudo expects it to be. If you can fine the -header file where "fd_set" is typedef'd, have tgetpass.c include -it and send in a bug report.) -Alternately, it may compile but not work (nothing happens at Password: prompt). -It is possible that your C library contains a broken or unusable crypt() -function--try linking with -lcrypt if that exists. Another possibility -is that select() is not fully functional; running configure with ---with-password-timeout=0 will disable the use of select(). +It is possible that on a really weird system, tgetpass() may not +compile. (The most common cause for this is that the "fd_set" type +is not defined in a place that sudo expects it to be. If you can +find the header file where "fd_set" is typedef'd, have tgetpass.c +include it and send in a bug report.) +Alternately, tgetpass.c may compile but not work (nothing happens +at the Password: prompt). It is possible that your C library +contains a broken or unusable crypt() function--try linking with +-lcrypt if that exists. Another possibility is that select() is +not fully functional; running configure with --with-password-timeout=0 +will disable the use of select(). If you are trying to port to a system without standard Berkeley networking you may find that interfaces.c will not compile. This is most likely on OS's with STREAMS-based networking. It should be possible to make it work by modifying the ISC streams support (see the _ISC #ifdef's). However, if you don't care about ip address -and network address support, you can just define STUB_LOAD_INTERFACES -to get a do-nothing load_interfaces() stub function. 
+and network address support, you can just run configure with the +--without-interfaces flag to get a do-nothing load_interfaces() stub function. If you port sudo to a new architecture, please send the output of -"configure" and your changes to: +"configure", the config.log file and your changes to: sudo-bugs@courtesan.com + +If you are unable to get sudo working, and you are willing to +give me an account on a machine, send mail to sudo-bugs@courtesan.com. +Note, however, that I can't make any promises. diff --git a/README b/README index 8ae51d89e..e8d7a52ae 100644 --- a/README +++ b/README @@ -11,7 +11,7 @@ Where to find sudo Before you try and build sudo, *please* make sure you have the current version. The latest sudo may always be gotten via anonymous ftp from ftp.courtesan.com in the directory /pub/sudo/. -The distribution is cu-sudo.vM.m.tar.Z where `M' is the major +The distribution is sudo-M.m.tar.gz where `M' is the major version number and `m' is the minor version number. BETA versions of sudo may also be available. If you join the `sudo-workers' mailing list you will get the BETA announcements @@ -36,7 +36,7 @@ NOTE: Starting with sudo 1.5.7 the configuration method has changed System requirements =================== Sudo requires a machine running UN*X (most flavors of BSD, SYSV, -or POSIX will do), a C compiler, and the make utility. +or POSIX will do), a working C compiler, and the make utility. If you wish to modify the parser then you will need flex version 2.5.2 or later and a version of bison or yacc (sudo comes with a 
@@ -47,11 +47,10 @@ any GNU mirror. You can get GNU bison from ftp://prep.ai.mit.edu/pub/gnu/bison* or any GNU mirror. Building the release -=================== +==================== Please read the installation guide in the `INSTALL' file before -trying to build sudo. Things have changed quite a bit from the -previous release (1.5.6). The `RUNSON' file contains a list of -of platforms that this version of sudo is known to work on. If you +trying to build sudo. The `RUNSON' file contains a list of of +platforms that this version of sudo is known to work on. If you can add to this list, please send mail to sudo-bugs@courtesan.com. If something goes wrong you may want to refer to the `TROUBLESHOOTING' file. @@ -80,5 +79,7 @@ Bug reports =========== A list of known bugs may be found in the `BUGS' file. Please send (new) bugs, problems, comments, features, ports, etc to -sudo-bugs@courtesan.com. Also, please read over the `TROUBLESHOOTING' -file before submitting a bug report. +sudo-bugs@courtesan.com. Please read over the `TROUBLESHOOTING' +file *before* submitting a bug report. When reporting bugs, please +be sure to include the version of sudo you are using as well as the +platform you are running it on. diff --git a/TODO b/TODO index d19150018..2b5acd045 100644 --- a/TODO +++ b/TODO @@ -47,3 +47,7 @@ TODO list (most will be addressed in the next rewrite) 19) Sudo should have a separate error message for when the user is in sudoers but not allowed to run stuff on that host, and send mail. + +20) Use getrlimit() in preference to getconf() + +21) Include a syslog.conf sample diff --git a/TROUBLESHOOTING b/TROUBLESHOOTING index 8ca4163e3..cafe78be6 100644 --- a/TROUBLESHOOTING +++ b/TROUBLESHOOTING 
@@ -19,8 +19,8 @@ A) Make sure you have an entry in your syslog.conf file to save depending whether you want to forward the messages to another host or keep them locally. Don't forget to send a SIGHUP to your syslogd so that it re-reads its conf file. Also, remember - that syslogd does not create log files, you need to create the - file before syslogd will log to it (ie: touch /var/adm/sudo.log). + that syslogd does *not* create log files, you need to create the + file before syslogd will log to it (ie: touch /var/log/sudo.log). Note: the facility ("local2.debug") must be separated from the destination ("/var/adm/sudo.log" or "@loghost") by tabs, *not* spaces. This is a common error. @@ -64,6 +64,9 @@ A) Sudo removes the following "dangerous" environment variables to guard against shared library spoofing, shell voodoo, and kerberos server spoofing. IFS + LOCALDOMAIN + RES_OPTIONS + HOSTALIASES ENV BASH_ENV LD_* @@ -73,17 +76,11 @@ A) Sudo removes the following "dangerous" environment variables KRB_CONF (kerb4 only) KRB5_CONFIG (kerb5 only) -Q) I modified parse.lex but the Makefile is not generating a new - lex.yy.c. -A) You need to uncomment the rule in Makefile (or Makefile.in) - that generates lex.yy.c from parse.lex. This is not enable - by default since sudo comes with a pre-flex'd parse.lex. - May sure you are using flex version 2.5.2 or higher--the - lex that came with your OS may not like parse.lex. - Q) How can I keep sudo from asking for a password? -A) Use the 'NOPASSWD' reserved word right before the command list in - sudoers. See the sudoers man page and sample.sudoers for details. +A) To specify this on a per-user (and per-command) basis, use the 'NOPASSWD' + tag right before the command list in sudoers. See the sudoers man page + and sample.sudoers for details. To disable passwords completely, + run configure with the --without-passwd option. Q) When I run configure, it dies with the following error: "no acceptable cc found in $PATH". 
@@ -104,19 +101,14 @@ A) configure caches the results of its tests in a file called Note that "make realclean" will also remove any object files and configure temp files that are laying around as well. -Q) I built sudo on a Solaris 2.5 machine but the resulting binary - doesn't work on Solaris 2.4. Why? -A) Sun added many of the BSD library functions from -lucb into - libc for Solaris 2.5. To generate a sudo binary on Solaris 2.5 - that will run on Solaris 2.4 just add "getwd.o" to LIBOBJS - in the Makefile and recompile. - -Q) When I compile sudo on Solaris with gcc I get: - logging.c: In function `send_mail': - logging.c:448: storage size of `action' isn't known - *** Error code 1 -A) You probably didn't install the gcc-fixed include files. - Try adding -D__EXTENSIONS__ to CFLAGS in the Makefile. +Q) I built sudo on a Solaris >= 2.6 machine but the resulting binary + doesn't work on Solaris <= 2.5.1. Why? +A) Starting with Solaris 2.6, snprintf(3) is included in the standard + C library. To build a version of sudo on a >= 2.6 machine that + will run on a <= 2.5.1 machine, edit config.h and comment out the lines: + #define HAVE_SNPRINTF 1 + #define HAVE_VSNPRINTF 1 + and run make. Q) When I run "visudo" it says "sudoers file busy, try again later." and doesn't do anything.
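
Review bot: The INSTALL hunk at @@ -435,35 +435,24 @@ deletes the whole "Mixing password authentication schemes" section, and with it the only visible statement that SecurID "must be the only authentication mechanism used"; the commit message ("Update to reality.") does not say whether that restriction has gone away or only its documentation. If the restriction still holds, keep that one sentence next to the shadow password notes; if it no longer holds, say so in the commit message. In the same hunk "Digital UNIX" loses its version range while IRIX, AIX and SCO gain ">=", so a reader cannot tell whether every Digital UNIX release is meant.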
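
Review bot: The PORTING hunk at @@ -1,11 +1,11 @@ reflows the opening paragraph but leaves the typo "runnng" in the context line directly below it ("tell configure you are runnng SVR4"). Since this pass is a documentation cleanup, correct it to "running" in the same change.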
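
Review bot: In the PORTING hunk at @@ -24,25 +24,30 @@ the added line "--without-interfaces flag to get a do-nothing load_interfaces() stub function." runs well past the width the rest of the paragraph was just rewrapped to; break it after "load_interfaces()". The new closing paragraph asks people to mail sudo-bugs@courtesan.com if they are "willing to give me an account on a machine"; consider wording it so that the first mail only makes the offer and the account details are exchanged separately, not sent to the bug address.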
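
Review bot: The README hunk at @@ -47,11 +47,10 @@ carries the doubled word over into the rewrapped text: the added lines read "contains a list of of" followed by "platforms that this version of sudo is known to work on". Drop the second "of" while the sentence is being touched.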
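
Review bot: The TROUBLESHOOTING hunk at @@ -19,8 +19,8 @@ changes the example to "touch /var/log/sudo.log", but the unchanged note two lines further down still gives the destination as "/var/adm/sudo.log". A reader following both will create one file and point syslogd at another, and syslogd will then log nothing because, as the text itself stresses, it does not create log files. Use the same path in both places.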
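
Review bot: The TROUBLESHOOTING hunk at @@ -64,6 +64,9 @@ adds LOCALDOMAIN, RES_OPTIONS and HOSTALIASES to the list of removed variables, but the sentence introducing the list still gives the reasons as "shared library spoofing, shell voodoo, and kerberos server spoofing". The three new entries are resolver settings and fit none of those reasons; extend the sentence to mention host name resolution so the list and its rationale agree.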
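
Review bot: In the TROUBLESHOOTING hunk at @@ -73,17 +76,11 @@ the new answer ends with "To disable passwords completely, run configure with the --without-passwd option." and gives no indication of what that means for the installed binary. Unlike the per-user, per-command NOPASSWD tag described in the sentence before it, this is a build-time switch that applies to everyone in sudoers; add a sentence saying so, so that nobody picks it as the shorter route to a single NOPASSWD entry.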
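
Review bot: The TROUBLESHOOTING hunk at @@ -104,19 +101,14 @@ tells the reader to "edit config.h and comment out the lines" HAVE_SNPRINTF and HAVE_VSNPRINTF, but config.h is written by configure, so the edit is lost the next time configure runs, which the preceding answer in this same file recommends after "make realclean". Note that the edit has to be repeated after each configure run. The hunk also drops the gcc-on-Solaris answer ("storage size of `action' isn't known") without a replacement; mention in the commit message whether that problem can no longer occur.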