Installation instructions for CU sudo 1.5.4
===========================================

Sudo uses a `configure' script to probe the capabilities and type
of the system in question.  Please read this document fully before
configuring and building sudo.  You may also wish to read the file
INSTALL.configure which explains more about the `configure' script.

Simple sudo installation
========================

For most systems and configurations it is possible simply to:

    0) If you are upgrading from a previous version of sudo
       please read the section "Notes on upgrading from an older release".

    1) If you previously ran `configure' on a different host
       you will probably want to do a `make distclean' to remove
       the old `config.cache' file.  Otherwise, `configure'
       will complain and refuse to run.  Alternately, one can
       simply `rm config.cache'.

    2) Read the `OS dependent notes' section for any particular
       "gotchas" relating to your operating system.

    3) `cd' to the source or build directory and type `./configure'
       to generate a Makefile and config.h file suitable for
       building sudo.  Before you actually run configure you
       should read the `Available configure options' section
       to see if there are any special options you may want
       or need.  Also of interest may be the section on
       `Mixing password authentication schemes'.

    4) Edit the configure-generated Makefile if you wish to
       change any of the default paths (alternately you could
       have changed the paths via options to `configure'.

    5) Edit `options.h' to enable any particular non-default
       options you wish to use.  Refer to the OPTIONS file for
       an explanation of each one.  If you are building in
       a separate build directory you may make a local copy
       of options.h in that directory and edit it instead.

    6) Type `make' to compile sudo.  If you are building sudo
       in a separate build tree (apart from the sudo source)
       GNU make will probably be required.  If `configure' did
       its job properly (and you have a supported configuration)
       there won't be any problems.  If this doesn't work, take
       a look at the files TROUBLESHOOTING and PORTING for tips
       on what might have gone wrong.  Please mail us if you have a
       fix or if you are unable to come up with a fix (address at EOF).

    7) Type `make install' (as root) to install sudo, visudo, the
       man pages, and a skeleton sudoers file.  Note that the install
       will not overwrite an existing sudoers file.  You can also
       install various pieces the package via the install-binaries,
       install-man, and install-sudoers make targets.

    8) Edit the sudoers file with `visudo' as necessary for your
       site.  You will probably want to refer the sample.sudoers
       file and sudoers man page included with the sudo package.

Notes on upgrading from an older release
========================================
Sudo 1.5.4 expects the sudoers file to have different permissions
(mode 0440) and be owned by user and group 0.  This differs from
version 1.4 and below which expected the sudoers file to be owned
by root and mode 0400.  Doing a `make install' will set the sudoers
file to the new mode and group.  If sudo 1.5.4 encounters a sudoers
file with the old permissions it will attempt to update it to the
new scheme.  You cannot, however, use a sudoers file with the new
permissions with an old sudo binary.  It is suggested that if have
a means of distributing sudo you distribute the new binaries first,
then the new sudoers file (or you can leave sudoers as is and sudo
will fix the permissions itself as long as sudoers is on a local
filesystem).

Available configure options
===========================

This section describes flags accepted by the sudo's `configure' script.
Defaults are listed in brackets after the description.

Configuration:
  --cache-file=FILE       Cache test results in FILE

  --help                  Print the usage/help info

  --no-create             Do not create output files

  --quiet, --silent       Do not print `checking...' messages

Directory and file names:
  --prefix=PREFIX         Install architecture-independent files in PREFIX
                          This really only applies to man pages.
                          [/usr/local]

  --exec-prefix=EPREFIX   Install architecture-dependent files in EPREFIX
                          This includes the sudo and visudo executables.
                          [same as prefix]

  --bindir=DIR            Install `sudo' in DIR [EPREFIX/bin]

  --sbindir=DIR           Install `visudo' in DIR
                          [EPREFIX/etc for historical reasons]

  --sysconfdir=DIR        Install `sudoers' file in DIR [/etc]

  --mandir=DIR            Install man pages in DIR [PREFIX/man]

  --srcdir=DIR            Find the sources in DIR [configure dir or ..]

Special features/options:
  --with-CC               Specifies path to C compiler you wish to use.

  --with-getpass          Use system getpass(3) instead of sudo-supplied
                          tgetpass() for systems where tgetpass() fails.

  --with-C2               Enable C2 security (shadow password) support
                          See `Shadow password and C2 support' section
                          for a list of supported platforms.

  --with-skey             Enable S/Key support.

  --with-opie             Enable NRL OPIE support.

  --with-SecurID          Enable SecurID support.

  --with-kerb4            Enable kerberos v4 support
                          Tested only with the Cygnus Network Security
                          package (CNS).

  --with-kerb5            Enable kerberos v5 support.
                          This enables with kerberos v4 support and
                          links with the standard kerberos v5 libraries
                          as well as the v4 compatibility libraries.

  --with-AFS              Enable AFS support with kerberos authentication.
                          Should work under AFS 3.3.  If your AFS
                          doesn't have -laudit you should be able to
                          link without it.

  --with-DCE              Enable DCE support.
                          Known to work on HP-UX 9.X and 10.0.
                          Other platforms may require source code
                          and/or `configure' changes.

  --with-incpath          Adds the specified directories to CPPFLAGS
                          so configure and the compiler will look there
			  for include files.  Multiple directories may
			  be specified as long as they are space separated.
			  Eg: --with-incpath="/usr/local/include /opt/include"

  --with-libpath          Adds the specified directories to SUDO_LDFLAGS
			  and VISUDO_LDFLAGS so configure and the compiler
			  will look there for libraries.  Multiple directories
			  may be specified as with --with-incpath.

  --with-libraries        Adds the specified libaries to SUDO_LIBS and
			  and VISUDO_LIBS so sudo will link against them.
			  If the library doesn't start with `-l' or end
			  in `.a' or `.o' a `-l' will be prepended to it.
			  Multiple libraries may be specified as long
			  as they are space separated.

  --with-csops            Add CSOps standard options.

Shadow password and C2 support
==============================

Shadow passwords (also included with most C2 security packages)
are supported on most major platforms for which they exist.
The `configure' script will attempt to determine if your
system uses shadow passwords, but this is really just a guess.
If configure guesses incorrectly you can use the `--with-C2' option
to cause sudo to use shadow passwords (assuming sudo can figure
out what type of shadow password scheme is available).  If configure
thinks you can shadow passwords but you really do not you can
use the `--without-C2' option to override configure's guess.

Shadow passwords are supported on the following platforms:

    SunOS 4.x
    Solaris 2.x
    HP-UX 9.x and 10.x
    Ultrix 4.x
    Digital UNIX 3.x amd 4.x
    Irix 5.x and 6.x
    AIX 3.2.x ad 4.x
    ConvexOS with C2 security (not tested recently)
    Linux
    SCO 3.2.2
    Pyramid DC/OSx
    UnixWare
    SVR4 (and variants using standard SVR4 shadow passwords)
    4.4BSD based systems (including OpenBSD, NetBSD, FreeBSD, and BSD/OS)
    OS's using SecureWare's C2 security.

It is possible to configure in shadow password support even
if your system does not currently use shadow passwords.
That way, if you put shadow passwords in place, your installed
sudo will already support them.

Mixing password authentication schemes
======================================

It is possible to build sudo with support for several authentication
schemes, including shadow passwords, kerberos, s/key, AFS, DCE and
normal UN*X passwords into a single binary.  User validation will
take slightly longer, of course, but it may be valuable to have a
single sudo binary that is distributed among systems with varying
authentication mechanisms.  The exception to this rule is SecurID
which must be the only authentication mechanism used.

OS dependent notes
==================

OpenBSD < 2.2 and NetBSD < 1.2.1:
    The fdesc filesystem has a bug wrt /dev/tty handling that
    causes sudo to hang at the password prompt.  The workaround
    is to set PASSWORD_TIMEOUT (in options.h) to 0.

Solaris 2.x:
    You need to have a C compiler in order to build sudo.
    Since Solaris 2.x does not come with one by default this
    means that you either need to have purchased the unbundled Sun
    C compiler or have a copy of the GNU C compiler (gcc).
    The SunSoft Catalyst CD should contain gcc binaries for
    Solaris.  You can also get them from various places on the
    net, including http://smc.vnet.net/solaris_2.5.html.
    NOTE: sudo will *not* build with the sun C compiler in BSD
          compatibility mode (/usr/ucb/cc).  Sudo is designed
          to compile with the standard C compiler (or gcc) and
          will not build correctly with /usr/ucb/cc.  You can
	  use the `--with-CC' option to point `configure' to the
	  non-ucb compiler if it is not the first cc in your path.
    Also: Many versions of Solaris come with a broken syslogd.
	  If you have having problems with sudo logging you should
	  make sure you have the latest syslogd patch installed.
	  This is a problem for Solaris 2.4 and 2.5 at least.

AIX 3.2.x:
    I've had various problems with the AIX C compiler producing
    incorrect code when the -O flag was used.  When optimization
    is not used, the problems go away.  Gcc does not appear
    to have this problem.

    Also, the AIX 3.2.x lex will not work with sudo's parse.lex.
    This should not be a problem as sudo comes shipped with
    a pre-generated lex.yy.c (created by flex).  If you want
    to modify the lex tokenizer, make sure you grab a copy of
    flex from ftp.ee.lbl.gov (also available on most GNU mirrors)
    and sudo will use that instead.

Ultrix 4.x:
    Ultrix still ships with the 4.2BSD syslog(3) which does not
    allow things like logging different faclities to different
    files, redirecting logs to a single loghost and other niceties.
    You may want to just grab and install:
	ftp://gatekeeper.dec.com/pub/DEC/jtkohl-syslog-complete.tar.Z
    (available via anonymous ftp) which is a port if the 4.3BSD
    syslog/syslogd that is backwards compatible with the Ultrix version.
    I recommend it highly.  If you do not do this you probably want
    to set `LOGGING' to SLOG_FILE in options.h.

Digital UNIX:
    Digital UNIX 4.0 shipped with /usr/include/prot.h including acl.h,
    but there is no /usr/include/acl.h.  Digital says this will be
    fixed in the next release of Digital UNIX.  In the meantime
    you can use the acl.h from /usr/sys/include/sys.  Digital
    recommends that you just:
	cd /usr/include
	ln -s sys/acl.h acl.h
    This will only be an issue if you are using C2 (enhanced)
    security.

Linux:
    One person reported that he needed to run configure with
    the --with-getpass flag to get a working sudo.  Other people
    haven't had that problem so it may only affect certain
    distributions.
    NOTE: Reportedly, Linux's execvp(3) doesn't always execute
	  scripts that lack the "#!/some/shell" header correctly.
	  The workaround is to give all your scripts a proper
	  header.

SCO ODT:
    You'll probably need libcrypt_i.a available via anonymous ftp
    from sosco.sco.com.  The necessary files are /SLS/lng225b.Z
    and /SLS/lng225b.ltr.Z.

Please send changes, bugs, security holes, and gripes to:
    sudo-bugs@courtesan.com
