version 1.1.1.1, 2012/02/21 16:23:02
|
version 1.1.1.3, 2013/07/22 10:46:11
|
Line 16 A) As part of the build process, sudo creates a tempor
|
Line 16 A) As part of the build process, sudo creates a tempor
|
you may need to install the SUNWbtool package. On other systems |
you may need to install the SUNWbtool package. On other systems |
"ar" may be included in the GNU binutils package. |
"ar" may be included in the GNU binutils package. |
|
|
Q) Sudo compiles but when I run it I get "Sorry, sudo must be setuid root." | Q) Sudo compiles and installs OK but when I try to run it I get: |
and sudo quits. | /usr/local/bin/sudo must be owned by uid 0 and have the setuid bit set |
A) Sudo must be setuid root to do its work. You need to do something like | A) Sudo must be setuid root to do its work. Either /usr/local/bin/sudo |
| is not owned by uid 0 or the setuid bit is not set. This should have |
| been done for you by "make install" but you can fix it manually by |
| running the following as root: |
| # chown root /usr/local/bin/sudo; chmod 4111 /usr/local/bin/sudo |
| |
| Q) Sudo compiles and installs OK but when I try to run it I get: |
| effective uid is not 0, is /usr/local/bin/sudo on a file system with the |
| 'nosuid' option set or an NFS file system without root privileges? |
| A) The owner and permissions on the sudo binary appear to be OK but when |
| sudo ran, the setuid bit did not have an effect. There are two common |
| causes for this. The first is that the file system the sudo binary |
| is located on is mounted with the 'nosuid' mount option, which disables |
| setuid binaries. The other is that sudo is installed on an NFS-mounted |
| file system that is exported without root privileges. By default, NFS |
| file systems are exported with uid 0 mapped to a non-privileged uid |
| (usually -2). |
| |
| You need to do something like |
`chmod 4111 /usr/local/bin/sudo'. Also, the file system sudo resides |
`chmod 4111 /usr/local/bin/sudo'. Also, the file system sudo resides |
on must *not* be mounted (or exported) with the nosuid option or sudo |
on must *not* be mounted (or exported) with the nosuid option or sudo |
will not be able to work. Another possibility is you may have '.' in |
will not be able to work. Another possibility is you may have '.' in |
Line 49 A) Make sure you have an entry in your syslog.conf fil
|
Line 67 A) Make sure you have an entry in your syslog.conf fil
|
its conf file. Also, remember that syslogd does *not* create |
its conf file. Also, remember that syslogd does *not* create |
log files, you need to create the file before syslogd will log |
log files, you need to create the file before syslogd will log |
to it (ie: touch /var/log/sudo). |
to it (ie: touch /var/log/sudo). |
Note: the facility (e.g. "auth.debug") must be separated from the | Note: the facility (e.g. "auth.debug") must be separated from the |
destination (e.g. "/var/log/auth" or "@loghost") by |
destination (e.g. "/var/log/auth" or "@loghost") by |
tabs, *not* spaces. This is a common error. |
tabs, *not* spaces. This is a common error. |
|
|
Line 121 A) Sudo removes the following "dangerous" environment
|
Line 139 A) Sudo removes the following "dangerous" environment
|
_RLD_* |
_RLD_* |
SHLIB_PATH (HP-UX only) |
SHLIB_PATH (HP-UX only) |
LIBPATH (AIX only) |
LIBPATH (AIX only) |
KRB_CONF (kerb4 only) |
|
KRBCONFDIR (kerb4 only) |
|
KRBTKFILE (kerb4 only) |
|
KRB5_CONFIG (kerb5 only) |
KRB5_CONFIG (kerb5 only) |
VAR_ACE (SecurID only) |
VAR_ACE (SecurID only) |
USR_ACE (SecurID only) |
USR_ACE (SecurID only) |
Line 167 A) Starting with Solaris 2.6, snprintf(3) is included
|
Line 182 A) Starting with Solaris 2.6, snprintf(3) is included
|
#define HAVE_VSNPRINTF 1 |
#define HAVE_VSNPRINTF 1 |
and run make. |
and run make. |
|
|
|
Q) I built sudo on a Solaris 11 (or higher) machine but the resulting |
|
binary doesn't work older Solaris versions. Why? |
|
|
|
A) Starting with Solaris 11, asprintf(3) is included in the standard |
|
C library. To build a version of sudo on a Solaris 11 machine that |
|
will run on an older Solaris release, edit config.h and comment out |
|
the lines: |
|
#define HAVE_ASPRINTF 1 |
|
#define HAVE_VASPRINTF 1 |
|
and run make. |
|
|
Q) When I run "visudo" it says "sudoers file busy, try again later." |
Q) When I run "visudo" it says "sudoers file busy, try again later." |
and doesn't do anything. |
and doesn't do anything. |
A) Someone else is currently editing the sudoers file with visudo. |
A) Someone else is currently editing the sudoers file with visudo. |
Line 204 A) ssh does not allocate a tty by default when running
|
Line 230 A) ssh does not allocate a tty by default when running
|
You can use ssh's "-t" option to force it to allocate a tty. |
You can use ssh's "-t" option to force it to allocate a tty. |
Alternately, if you do not mind your password being echoed to the |
Alternately, if you do not mind your password being echoed to the |
screen, you can use the "visiblepw" sudoers option to allow this. |
screen, you can use the "visiblepw" sudoers option to allow this. |
|
|
|
Q) When I try to use SSL-enabled LDAP with sudo I get an error: |
|
unable to initialize SSL cert and key db: security library: bad database. |
|
you must set TLS_CERT in /etc/ldap.conf to use SSL |
|
A) On systems that use a Mozilla-derived LDAP SDK there must be a |
|
certificate database in place to use SSL-encrypted LDAP connections. |
|
This file is usually /var/ldap/cert8.db or /etc/ldap/cert8.db. |
|
The actual number after "cert" will vary, depending on the version |
|
of the LDAP SDK that is being used. If you do not have a certificate |
|
database you can either copy one from a mozilla-derived browser, such |
|
as firefox, or create one using the "certutil" command. You can run |
|
"certutil" as follows and press the <return> (or <enter>) key at the |
|
password prompt: |
|
# certutil -N -d /var/ldap |
|
Enter a password which will be used to encrypt your keys. |
|
The password should be at least 8 characters long, |
|
and should contain at least one non-alphabetic character. |
|
|
|
Enter new password: <return> |
|
Re-enter password: <return> |
|
|
|
Q) On HP-UX, when I run command via sudo it displays information |
|
about the last successful login and last authentication failure |
|
for every command. How can I fix this? |
|
A) This output comes from /usr/lib/security/libpam_hpsec.so.1. |
|
To suppress it, add a line like the following to /etc/pam.conf: |
|
sudo session required libpam_hpsec.so.1 bypass_umask bypass_last_login |
|
|
|
Q) On HP-UX, the umask setting in sudoers has no effect. |
|
A) If your /etc/pam.conf file has the libpam_hpsec.so.1 session module |
|
enabled, you may need to a add line like the following to pam.conf: |
|
sudo session required libpam_hpsec.so.1 bypass_umask |
|
|
|
Q) When I run sudo on AIX I get the following error: |
|
setuidx(ID_EFFECTIVE|ID_REAL|ID_SAVED, ROOT_UID): Operation not permitted. |
|
A) AIX's Enhanced RBAC is preventing sudo from running. To fix |
|
this, add the following entry to /etc/security/privcmds (adjust |
|
the path to sudo as needed) and run the setkst command as root: |
|
|
|
/usr/local/bin/sudo: |
|
accessauths = ALLOW_ALL |
|
innateprivs = PV_DAC_GID,PV_DAC_O,PV_DAC_R,PV_DAC_UID,PV_DAC_W,PV_DAC_X,PV_FS_CHOWN,PV_PROC_ENV,PV_PROC_PRIO,PV_PROC_RAC |
|
secflags = FSF_EPS |
|
|
|
Q) Sudo configures and builds without error but when I run it I get |
|
a Segmentation fault. |
|
A) If you are on a Linux system, the first thing to try is to run |
|
configure with the --disable-pie option, then "make clean" and |
|
"make". If that fixes the problem then your operating system |
|
does not properly support position independent executables. |
|
Please send a message to sudo@sudo.ws with system details such |
|
as the Linux distro, kernel version and CPU architecture. |
|
|
|
Q) When I run configure I get the following error: |
|
dlopen present but libtool doesn't appear to support your platform. |
|
A) Libtool doesn't know how to support dynamic linking on the operating |
|
system you are building for. If you are cross-compiling, you need to |
|
specify the operating system, not just the CPU type. For example: |
|
--host powerpc-unknown-linux |
|
instead of just: |
|
--host powerpc |
|
|
Q) How do you pronounce `sudo'? |
Q) How do you pronounce `sudo'? |
A) The official pronunciation is soo-doo (for su "do"). However, an |
A) The official pronunciation is soo-doo (for su "do"). However, an |