Installation instructions for CU sudo 1.4.2
===========================================

Sudo uses a `configure' script to probe the capabilities and type
of the system in question.  Please read this document fully before
configuring and building sudo.

Simple sudo installation
========================

For most systems and configurations it is possible simply to:

    0) If you previously ran `configure' on a different host
       you will probably want to do a `make clean' to remove
       the old `config.cache' file.  Otherwise, `configure'
       will use the cached values which is probably not
       what you want unless the two hosts are running the
       same OS and are virtually identical.  Alternately,
       one can simply `rm config.cache'.

    1) Read the `OS dependent notes' section for any particular
       "gotchas" relating to your operating system.

    2) `cd' to the source or build directory and type `./configure'
       to generate a Makefile and config.h file suitable for
       building sudo.  Before you actually run configure you
       should read the `Available configure options' section
       to see if there are any special options you may want
       or need.  Also of interest may be the section on
       `Mixing password authentication schemes'.

    3) Edit the configure-generated Makefile if you wish to
       change any of the default paths (alternately you could
       have changed the paths via options to `configure'.

    4) Edit `options.h' to enable any particular non-default
       options you wish to use.  Refer to the OPTIONS file for
       an explanation of each one.  If you are building in
       a separate build directory you may make a local copy
       of options.h in that directory and edit it instead.

    5) Type `make' to compile sudo.  If you are building sudo
       in a separate build tree (apart from the sudo source)
       GNU make will probably be required.  If `configure' did
       its job properly (and you have a supported configuration)
       there won't be any problems.  If this doesn't work, take
       a look at the files TROUBLESHOOTING and PORTING for tips
       on what might have gone wrong.  Please mail us if you have a
       fix or if you are unable to come up with a fix (address at EOF).

    6) Type `make install' (as root) to install sudo, visudo, the
       man pages, and a skeleton sudoers file.  Note that the install
       will not overwrite an existing sudoers file.  You can also
       install various pieces the package via the install-binaries,
       install-man, and install-sudoers make targets.

    7) Edit the sudoers file with `visudo' as necessary for your
       site.  You will probably want to refer the sample.sudoers
       file and sudoers man page included with the sudo package.

Available configure options
===========================

This section describes flags accepted by the sudo's `configure' script.
Defaults are listed in brackets after the description.

Configuration:
  --cache-file=FILE       Cache test results in FILE

  --help                  Print the usage/help info

  --no-create             Do not create output files

  --quiet, --silent       Do not print `checking...' messages

Directory and file names:
  --prefix=PREFIX         Install architecture-independent files in PREFIX
                          This really only applies to man pages.
                          [/usr/local]

  --exec-prefix=EPREFIX   Install architecture-dependent files in EPREFIX
                          This includes the sudo and visudo executables.
                          [same as prefix]

  --bindir=DIR            Install `sudo' in DIR [EPREFIX/bin]

  --sbindir=DIR           Install `visudo' in DIR
                          [EPREFIX/etc for historical reasons]

  --sysconfdir=DIR        Install `sudoers' file in DIR [/etc]

  --mandir=DIR            Install man pages in DIR [PREFIX/man]

  --srcdir=DIR            Find the sources in DIR [configure dir or ..]

Special features/options:
  --with-getpass          Use system getpass(3) instead of sudo-supplied
                          tgetpass() for systems where tgetpass() fails.

  --with-C2               Enable C2 security (shadow password) support
                          See `Shadow password and C2 support' section
                          for a list of supported platforms.

  --with-skey             Enable S/Key support.

  --with-SecurID          Enable SecurID support.

  --with-kerb4            Enable kerberos v4 support
                          Tested only with the Cygnus Network Security
                          package (CNS).

  --with-kerb5            Enable kerberos v5 support.
                          This enables with kerberos v4 support and
                          links with the standard kerberos v5 libraries
                          as well as the v4 compatibility libraries.

  --with-AFS              Enable AFS support.
                          Written for AFS under AIX 3.2.x but should
                          work for AFS on most platforms.

  --with-DCE              Enable DCE support.
                          Known to work on HP-UX 9.X and 10.0.
                          Other platforms may require source code
                          and/or `configure' changes.

  --with-csops            Add CSOps standard options.

Shadow password and C2 support
==============================

Shadow passwords (also included with most C2 security packages)
are supported on most major platforms for which they exist.
The `configure' script will attempt to determine if your
system uses shadow passwords, but this is really just a guess.
Also, if you are using an alternate authentication scheme
(s/key. kerberos, AFS, DCE, etc...) configure will *not* try
to check for a shadowed passwd file.
Therefore, it is suggested that you use the `--with-C2' option
to `configure' if you need shadow password support.

Shadow passwords are supported on the following platforms:

    SunOS 4.x
    Solaris 2.x
    HP-UX 9.x
    Ultrix 4.x
    Digital UNIX 3.x
    Irix 5.x
    AIX 3.2.x
    ConvexOS with C2 security (not tested recently)
    Linux
    SCO 3.2.2
    SVR4 (and variants using standard SVR4 shadow passwords)

The following operating systems have shadow passwords turned
on by *default* (use --without-C2 to turn them off):

    Solaris 2.x
    Pyramid DC/OSx
    UnixWare

The following operating systems have transparent shadow password
support so --with-C2 and --without-C2 will have no effect
(and neither is necesary).

    AIX 3.x
    AIX 4.x
    BSD/386 1.x
    BSD/OS 2.x
    NetBSD
    FreeBSD
    OpenBSD
    HPBSD 2.x

It is possible to configure in shadow password support even
if your system does not currently use shadow passwords.
That way, if you put shadow passwords in place, your installed
sudo will already support them.

Mixing password authentication schemes
======================================

It is possible to build sudo with support for several authentication
schemes, including shadow passwords, kerberos, s/key, AFS, DCE and
normal UN*X passwords into a single binary.  User validation will
take slightly longer, of course, but it may be valuable to have a
single sudo binary that is distributed among systems with varying
authentication mechanisms.  The exception to this rule is SecurID
which must be the only authentication mechanism used.

OS dependent notes
==================

Solaris 2.x:
    You need to have a C compiler in order to build sudo.
    Since Solaris 2.x does not come with one by default this
    means that you either need to have purchased the unbundled Sun
    C compiler or have a copy of the GNU C compiler (gcc).
    Sparc binaries for gcc may be gotten via the URL
	ftp://prep.ai.mit.edu/pub/gnu/sparc-sun-solaris2
    NOTE: sudo will *not* build with the sun C compiler in BSD
          compatibility mode (/usr/ucb/cc).  Sudo is designed
          to compile with the standard C compiler (or gcc) and
          will not build correctly with /usr/ucb/cc.

AIX 3.2.x:
    I've had various problems with the AIX C compiler producing
    incorrect code when the -O flag was used.  When optimization
    is not used, the problems go away.  Gcc does not appear
    to have this problem.

    Also, the AIX 3.2.x lex will not work with sudo's parse.lex.
    This should not be a problem as sudo comes shipped with
    a pre-generated lex.yy.c (created by flex).  If you want
    to modify the lex tokenizer, make sure you grab a copy of
    flex from ftp.ee.lbl.gov (also available on most GNU mirrors)
    and sudo will use that instead.

Ultrix 4.x:
    Ultrix still ships with the 4.2BSD syslog(3) which does not
    allow things like logging different faclities to different
    files, redirecting logs to a single loghost and other niceties.
    You may want to just grab and install:
	ftp://gatekeeper.dec.com/pub/DEC/jtkohl-syslog-complete.tar.Z
    (available via anonymous ftp) which is a port if the 4.3BSD
    syslog/syslogd that is backwards compatible with the Ultrix version.
    I recommend it highly.  If you do not do this you probably want
    to set `LOGGING' to SLOG_FILE in options.h.

Linux:
    One person reported that he needed to run configure with
    the --with-getpass flag to get a working sudo.  Other people
    haven't had that problem so it may only affect certain
    distributions.

SCO ODT:
    You'll probably need libcrypt_i.a available via anonymous ftp
    from sosco.sco.com.  The necesary files are /SLS/lng225b.Z
    and /SLS/lng225b.ltr.Z.

Please send changes, bugs, security holes, and gripes to:
    sudo-bugs@cs.colorado.edu
