Update to sudo 1.6.8p1

1 files changed, 58 insertions, 29 deletions

diff --git a/usr.bin/sudo/INSTALL b/usr.bin/sudo/INSTALL
index bac66a5084a..f23a650b65c 100644
--- a/usr.bin/sudo/INSTALL
+++ b/usr.bin/sudo/INSTALL
@@ -1,4 +1,4 @@
-Installation instructions for Sudo 1.6.7
+Installation instructions for Sudo 1.6.8
 ========================================
 
 Sudo uses a `configure' script to probe the capabilities and type
@@ -175,6 +175,15 @@ Special features/options:
         does not use the Kerberos cookie scheme.  Will not work for
         Kerberos V older than version 1.1.
 
+  --with-ldap[=DIR]
+	Enable LDAP support.  If specified, DIR is the base directory
+	containing the LDAP include and lib directories.  Please see
+	README.LDAP for more information.
+
+  --with-ldap-conf-file
+	Path to LDAP configuration file.  If specified, sudo reads
+	this file instead of /etc/ldap.conf to locate the LDAP server.
+
   --with-authenticate
 	Enable support for the AIX 4.x general authentication function.
 	This will use the authentication scheme specified for the user
@@ -182,16 +191,18 @@ Special features/options:
 
   --with-pam
 	Enable PAM support.  Tested on:
-	    Redhat Linux 5.x, 6.0, and 6.1
-	    Solaris 2.6 and 7
-	    HP-UX 11.0
-        NOTE: on RedHat Linux you *must* install an /etc/pam.d/sudo file.
-	You may either use the sample.pam file included with sudo or use
-	/etc/pam.d/su as a reference.  On Solaris and HP-UX 11 systems
-	you should check (and understand) the contents of /etc/pam.conf.
-	Do a "man pam.conf" for more information and consider using the
-	"debug" option, if available, with your PAM libraries in
-	/etc/pam.conf to obtain syslog output for debugging purposes.
+	    Redhat Linux >= 5.x
+	    Solaris >= 2.6
+	    HP-UX >= 11.0
+        NOTE: on RedHat Linux and Fedora you *must* have an /etc/pam.d/sudo
+	file install.  You may either use the sample.pam file included with
+	sudo or use /etc/pam.d/su as a reference.  The sample.pam file
+	included with sudo may or may not work with other Linux distributions.
+	On Solaris and HP-UX 11 systems you should check (and understand)
+	the contents of /etc/pam.conf.  Do a "man pam.conf" for more
+	information and consider using the "debug" option, if available,
+	with your PAM libraries in /etc/pam.conf to obtain syslog output
+	for debugging purposes.
 
   --with-AFS
 	Enable AFS support with Kerberos authentication.  Should work under
@@ -199,14 +210,11 @@ Special features/options:
 	link without it.
 
   --with-DCE
-	Enable DCE support.  Known to work on HP-UX 9.X, 10.X, and 11.0.
-	The use of PAM is recommended for HP-UX 11.X systems, since PAM is
-	fully implemented (this is not true for 10.20 and earlier versions).
-	Check to see that your 11.X (or other) system uses DCE via PAM by
-	looking at /etc/pam.conf to see if "libpam_dce" libraries are 
-	referenced there.  Other platforms may require source code and/or 
-	`configure' changes; you should check to see if your platform can 
-	access DCE via PAM before using this option.
+	Enable DCE support for systems without PAM.  Known to work on
+	HP-UX 9.X, 10.X, and 11.0; other systems may require source
+	code and/or `configure' changes.  On systems with PAM support
+	(such as HP-UX 11.0 and higher, Solaris, FreeBSD and Linux), the
+	DCE PAM module (usually libpam_dce) should be used instead.
 
   --with-logincap
 	Enable support for BSD login classes where available (OS-dependent).
@@ -223,6 +231,17 @@ Special features/options:
         only the newer BSD authentication API is supported.  If you
         don't have /usr/include/bsd_auth.h then you cannot use this.
 
+  --with-noexec[=PATH]
+        Enable support for the "noexec" functionality which prevents
+        a dynamically-linked program being run by sudo from executing
+        another program (think shell escapes).  Please see the
+        "PREVENTING SHELL ESCAPES" section in the sudoers man page
+        for details.  If specified, PATH should be a fully qualified
+        pathname, e.g. /usr/local/libexec/sudo_noexec.so.  If PATH
+        is "no", noexec support will not be compiled in.  The default
+        is to compile noexec support if libtool supports building
+        shared objects on your OS.
+
   --disable-root-mailer
         By default sudo will run the mailer as root when tattling
         on a user so as to prevent that user from killing the mailer.
@@ -464,6 +483,9 @@ The following options are also configurable at runtime:
 	password is entered.  You must either specify --with-insults or
 	enable insults in the sudoers file for this to have any effect.
 
+  --with-pc-insults
+	Replace politically incorrect insults with less objectionable ones.
+
   --with-secure-path[=PATH]
 	Path used for every command run from sudo(8).  If you don't trust the
 	people running sudo to have a sane PATH environment variable you may
@@ -477,20 +499,20 @@ The following options are also configurable at runtime:
 	Don't print the lecture the first time a user runs sudo.
 
   --with-editor=PATH
-	Specify the default editor path for use by visudo.  This may be
-	a single pathname or a colon-separated list of editors.  In
-	the latter case, visudo will choose the editor that matches
-	the user's USER environment variable or the first editor in
-	the list that exists.  The default is the path to vi on your system.
+	Specify the default editor path for use by visudo.  This may be a
+	single pathname or a colon-separated list of editors.  In the latter
+	case, visudo will choose the editor that matches the user's VISUAL
+	or EDITOR environment variables or the first editor in the list that
+	exists.  The default is the path to vi on your system.
 
   --with-env-editor
-	Makes visudo consult the EDITOR and VISUAL environment variables before
+	Makes visudo consult the VISUAL and EDITOR environment variables before
 	falling back on the default editor list (as specified by --with-editor).
 	Note that this may create a security hole as it allows the user to
 	run any arbitrary command as root without logging.  A safer alternative
-	is to use a colon-separated list of editors with the --with-env-editor
-	option.  visudo will then only use the EDITOR or VISUAL if they match
-	a value specified via --with-editor.
+	is to use a colon-separated list of editors with the --with-editor
+	option.  visudo will then only use the VISUAL or EDITOR variables
+	if they match a value specified via --with-editor.
 
   --disable-authentication
         By default, sudo requires the user to authenticate via a
@@ -559,7 +581,7 @@ OS dependent notes
 ==================
 
 OpenBSD < 2.2 and NetBSD < 1.2.1:
-    The fdesc filesystem has a bug wrt /dev/tty handling that
+    The fdesc file system has a bug wrt /dev/tty handling that
     causes sudo to hang at the password prompt.  The workaround
     is to run configure with --with-password-timeout=0
 
@@ -666,3 +688,10 @@ Dynix:
     on Dynix, try using the native compiler (cc).  You can do so
     by removing the config.cache file and then re-running configure
     with the --with-CC=cc option.
+
+HP-UX:
+    The default C compiler shipped with HP-UX does not support creating
+    position independent code and so is unable to support sudo's "noexec"
+    functionality.  You must use either the HP ANSI C compiler or gcc for
+    noexec to work.  Binary packages of gcc are available from
+    http://hpux.connect.org.uk/ and http://hpux.cs.utah.edu/.