From c68baecaf143427d2c631e5f9c0f9cbb07acf9b2 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Sun, 26 Nov 1995 02:23:46 +0000 Subject: [PATCH] rewrote for sudo 1.3.6 --- INSTALL | 310 +++++++++++++++++++++++++++++++++++++------------------- 1 file changed, 204 insertions(+), 106 deletions(-) diff --git a/INSTALL b/INSTALL index 7afd5bc50..1dd50fc08 100644 --- a/INSTALL +++ b/INSTALL @@ -1,109 +1,207 @@ -INSTALL NOTES - -0) Run the configure script, ie: "./configure". See the SUPPORTED file - for a list of OS's sudo is known to work on. Configure will generate - config.h, pathnames.h, Makefile and visudoers/Makefile. You shouldn't - need to hand-edit the Makefiles but if you don't like configure's choice - of C compiler, yacc or lex programs you may want to. You can also - use the --prefix flag to configure to install sudo/visudo in a place - other than /usr/local (ie: --prefix=/opt). - - BEWARE: configure caches values in config.cache. This will cause - problems if you are building for different architectures. You - *must* do a "make realclean" to remove the configure-generated - files betweem builds in this case. Basically, you should do a - "make realclean" before you run configure each time. - - NOTE: if you use shadow passwords or C2 security you need to use the - --with-C2 flag to configure. Currently this only works for SunOS 4.x, - hpux 9.x, ultrix 4.x, Digital UNIX (aka DEC OSF1), Irix 5.x and - ConvexOS with C2 security. For hpux only, you can use - --with-C2 if you are expecting to migrate to C2 security later but it - makes password lookups about twice as slow. - - NOTE2: if you use AFS, you need to run configure with --with-AFS - - NOTE3: if you use DCE integrated login services (ie, the DCE security - daemon), then you need to run configure with --with-DCE. The DCE - configuration option is presently known to work on HP-UX 10.0 and - HP-UX 9.X systems, where sudo is built with either gcc 2.7.0 or HP's - ANSI C compiler. To get the DCE version to compile on other platforms, - you will probably have to fiddle with the configure file and/or the - source code. - - NOTE4: if you use kerberos version 4 you need to run configure - with --with-kerb4. This has only been tested with the Cygnus - kerberos package (CNS) but should work for vanilla kerberos too. - If you use kerberos version 5 you need to run configure with --with-kerb5. - This enables the same code as --with-kerb4 but also adds in the - kerb4 compatibility libraries. Kerb5 support is currently untested, - please let us know if it work for you. - - NOTE5: Solaries users beware, you need to make sure that the - "real" (ie: non-ucb) cc is in your path (unless you use gcc). - Sudo is designed to compile with the standard C compiler and - will not build correctly with /usr/ucb/cc. - -1) Read the OPTIONS file and then edit options.h to enable/disable the - options you may or may not want. You should not have to edit - sudo.h or config.h. - -2) Type make. If configure did its job correctly there won't be any - problems. If this doesn't work, take a look at the file PORTING for - tips on what might have gone wrong. Please mail us if you have a - fix or if you are unable to come up with a fix (address at EOF). - -3) Do a make install (as root) to install sudo. If you get an error - about setuid(0) failing, something went wrong with the install and - the permissions on sudo are wrong. Sudo needs to run setuid root. - If you get this message, chances are it's not running setuid root. - - You can also install various pieces the package via install-binaries, - install-man, install-sudoers. - -4) Customize /etc/sudoers for your site. Read the man page and take a - look at sample.sudoers to see how to do this. - -5) You're done. - -A few notes: - -a) To use syslog with the ultrix version you may want to grab - and install pub/DEC/jtkohl-syslog-complete.tar.Z available from - gatekeeper.dec.com via anonymous ftp. If you don't I'd suggest - logging to a separate file rather than using the 4.2BSD syslog() - that comes with ultrix. The jtkohl syslog is a nice port of the - 4.3 syslogd that is backwards compatible with the ultrix version. - I recommend it highly. - -b) visudo will *NOT* use the editor referred to by the EDITOR or - VISUAL environmental variables unless you define ENV_EDITOR in - sudo.h. I like the feature, but it can be a security hole - if you don't know about it. If you have EDITOR set to something - secure (ie: no shells or external commands) in the Makefile or - sudo.h you don't want to define ENV_EDITOR. Note that vi (the default - editor) is anything *but* secure in this respect (and no, setting the - editor to a wrapper that sets the SHELL envar to /bin/true does *not* - make vi secure--you can change your shell from within vi). If you - leave the default of vi, you really don't stand to lose anything by - defining ENV_EDITOR. - -c) If you have a sense of humor you may want to define USE_INSULTS to - get the insults from the "old" sudo when you enter an incorrect - password. Beware, this feature causes some people to want to throw - their machine across the room and dash it to tiny pieces. - Sci fi fans may want to define HAL as well (see insults.h). - -d) If you are *not* running sendmail or some other mailer, you should - comment out the MAILER #define in sudo.h. - -e) If you are running AIX and sudo says that it cannot find a user - that is clearly listed in the sudoers file try compiling with - optimization turned off. The AIX C compiler produces incorrect - code with the -O flag on some versions of AIX. In fact, I've - run into some nasty bugs in the C compiler on an AIX 3.2.x box - that just produced incorrect code, even without opitmization. - Morale of the story, use gcc if you can... +Installation instructions for CU sudo 1.3.6 +=========================================== + +Sudo uses a `configure' script to probe the capabilities and type +of the system in question. Please read this document fully before +configuring and building sudo. + +Simple sudo installation +======================== + +For most systems and configurations it is possible simply to: + + 0) If you previously ran `configure' on a different host + you will probably want to do a `make clean' to remove + the old `config.cache' file. Otherwise, `configure' + will use the cached values which is probably not + what you want unless the two hosts are running the + same OS and are virtually identical. Alternately, + one can simply `rm config.cache'. + + 1) Read the `OS dependent notes' section for any particular + "gotchas" relating to your operating system. + + 2) `cd' to the source or build directory and type `./configure' + to generate a Makefile and config.h file suitable for + building sudo. Before you actually run configure you + should read the `Available configure options' section + to see if there are any special options you may want + or need. Also of interest may be the section on + `Mixing password authentication schemes'. + + 3) Edit the configure-generated Makefile if you wish to + change any of the default paths (alternately you could + have changed the paths via options to `configure'. + + 4) Edit `options.h' to enable any particular non-default + options you wish to use. Refer to the OPTIONS file for + an explanation of each one. If you are building in + a separate build directory you may make a local copy + of options.h in that directory and edit it instead. + + 5) Type `make' to compile sudo. If you are building sudo + in a separate build tree (apart from the sudo source) + GNU make will probably be required. If `configure' did + its job properly (and you have a supported configuration) + there won't be any problems. If this doesn't work, take + a look at the files TROUBLESHOOTING and PORTING for tips + on what might have gone wrong. Please mail us if you have a + fix or if you are unable to come up with a fix (address at EOF). + + 6) Type `make install' (as root) to install sudo, visudo, the + man pages, and a skeleton sudoers file. Note that the install + will not overwrite an existing sudoers file. You can also + install various pieces the package via the install-binaries, + install-man, and install-sudoers make targets. + + 7) Edit the sudoers file with `visudo' as necessary for your + site. You will probably want to refer the sample.sudoers + file and sudoers man page included with the sudo package. + +Available configure options +=========================== + +This section describes flags accepted by the sudo's `configure' script. +Defaults are listed in brackets after the description. + +Configuration: + --cache-file=FILE Cache test results in FILE + + --help Print the usage/help info + + --no-create Do not create output files + + --quiet, --silent Do not print `checking...' messages + +Directory and file names: + --prefix=PREFIX Install architecture-independent files in PREFIX + This really only applies to man pages. + [/usr/local] + + --exec-prefix=EPREFIX Install architecture-dependent files in EPREFIX + This includes the sudo and visudo executables. + [same as prefix] + + --bindir=DIR Install `sudo' in DIR [EPREFIX/bin] + + --sbindir=DIR Install `visudo' in DIR + [EPREFIX/etc for historical reasons] + + --sysconfdir=DIR Install `sudoers' file in DIR [/etc] + + --mandir=DIR Install man pages in DIR [PREFIX/man] + + --srcdir=DIR Find the sources in DIR [configure dir or ..] + +Special features/options: + --with-getpass Use system getpass(3) instead of sudo-supplied + tgetpass() for systems where tgetpass() fails. + + --with-C2 Enable C2 security (shadow password) support + See `Shadow password and C2 support' section + for a list of supported platforms. + + --with-skey Enable S/Key support. + + --with-SecurID Enable SecurID support. + + --with-kerb4 Enable kerberos v4 support + Tested only with the Cygnus Network Security + package (CNS). + + --with-kerb5 Enable kerberos v5 support. + This enables with kerberos v4 support and + links with the standard kerberos v5 libraries + as well as the v4 compatibility libraries. + + --with-AFS Enable AFS support. + Written for AFS under AIX 3.2.x but should + work for AFS on most platforms. + + --with-DCE Enable DCE support. + Known to work on HP-UX 9.X and 10.0. + Other platforms may require source code + and/or `configure' changes. + + --with-csops Add CSOps standard options. + +Shadow password and C2 support +============================== + +Shadow passwords (also included with most C2 security packages) +are supported on most major platforms for which they exist. +The `configure' script will attempt to determine if your +system uses shadow passwords, but this is really just a guess. +Therefore, it is suggested that you use the `--with-C2' option +to `configure' if you need shadow password support. + +Shadow passwords are supported on the following platforms: + + SunOS 4.x + Solaris 2.x + HP-UX 9.x + Ultrix 4.x + Digital UNIX 3.x + Irix 5.x + AIX 3.2.x + ConvexOS with C2 security + Linux + SCO 3.2.2 + SVR4 (and variants using standard SVR4 shadow passwords) + +It is possible to configure in shadow password support even +if your system does not currently use shadow passwords. +That way, if you put shadow passwords in place, your installed +sudo will already support them. + +Mixing password authentication schemes +====================================== + +It is possible to build sudo with support for several authentication +schemes, including shadow passwords, kerberos, s/key, AFS, DCE, +and normal UN*X passwords into a single binary. User validation +will take slightly longer, of course, but it may be valuable +to have a single sudo binary that is distributed among systems +with varying authentication mechanisms. + +OS dependent notes +================== + +Solaris 2.x: + You need to have a C compiler in order to build sudo. + Since Solaris 2.x does not come with one by default this + means that you either need to have purchased the unbundled Sun + C compiler or have a copy of the GNU C compiler (gcc). + Sparc binaries for gcc may be gotten via the URL + ftp://prep.ai.mit.edu/pub/gnu/sparc-sun-solaris2 + NOTE: sudo will not build with the sun C compiler in BSD + compatibility mode (/usr/ucb/cc). Sudo is designed + to compile with the standard C compiler (or gcc) and + will not build correctly with /usr/ucb/cc. + +AIX 3.2.x: + I've had various problems with the AIX C compiler producing + incorrect code when the -O flag was used. When optimization + is not used, the problems go away. Gcc does not appear + to have this problem. + + Also, the AIX 3.2.x lex will not work with sudo's parse.lex. + This should not be a problem as sudo comes shipped with + a pre-generated lex.yy.c (created by flex). If you want + to modify the lex tokenizer, make sure you grab a copy of + flex from ftp.ee.lbl.gov (also available on most GNU mirrors) + and sudo will use that instead. + +Ultrix 4.x: + Ultrix still ships with the 4.2BSD syslog(3) which does not + allow things like logging different faclities to different + files, redirecting logs to a single loghost and other niceties. + You may want to just grab and install: + ftp://gatekeeper.dec.com/pub/DEC/jtkohl-syslog-complete.tar.Z + (available via anonymous ftp) which is a port if the 4.3BSD + syslog/syslogd that is backwards compatible with the Ultrix version. + I recommend it highly. If you do not do this you probably want + to set `LOGGING' to SLOG_FILE in options.h. Please send changes, bugs, security holes, and gripes to: sudo-bugs@cs.colorado.edu -- 2.40.0