embedaddon/sudo/doc/TROUBLESHOOTING - diff

Return to TROUBLESHOOTING CVS log

Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc

Diff for /embedaddon/sudo/doc/TROUBLESHOOTING between versions 1.1 and 1.1.1.3

-version 1.1, 2012/02/21 16:23:02
+version 1.1.1.3, 2013/07/22 10:46:11
  Line 16  A) As part of the build process, sudo creates a tempor
     you may need to install the SUNWbtool package.  On other systems
     "ar" may be included in the GNU binutils package.
-Q) Sudo compiles but when I run it I get "Sorry, sudo must be setuid root."
+Q) Sudo compiles and installs OK but when I try to run it I get:
-   and sudo quits.
+   /usr/local/bin/sudo must be owned by uid 0 and have the setuid bit set
-A) Sudo must be setuid root to do its work.  You need to do something like
+A) Sudo must be setuid root to do its work.  Either /usr/local/bin/sudo
+   is not owned by uid 0 or the setuid bit is not set.  This should have
+   been done for you by "make install" but you can fix it manually by
+   running the following as root:
+    # chown root /usr/local/bin/sudo; chmod 4111 /usr/local/bin/sudo
+Q) Sudo compiles and installs OK but when I try to run it I get:
+    effective uid is not 0, is /usr/local/bin/sudo on a file system with the
+    'nosuid' option set or an NFS file system without root privileges?
+A) The owner and permissions on the sudo binary appear to be OK but when
+   sudo ran, the setuid bit did not have an effect.  There are two common
+   causes for this.  The first is that the file system the sudo binary
+   is located on is mounted with the 'nosuid' mount option, which disables
+   setuid binaries.  The other is that sudo is installed on an NFS-mounted
+   file system that is exported without root privileges.  By default, NFS
+   file systems are exported with uid 0 mapped to a non-privileged uid
+   (usually -2).
+You need to do something like
     `chmod 4111 /usr/local/bin/sudo'.  Also, the file system sudo resides
     on must *not* be mounted (or exported) with the nosuid option or sudo
     will not be able to work.  Another possibility is you may have '.' in
- Line 49  A) Make sure you have an entry in your syslog.conf fil
+ Line 67  A) Make sure you have an entry in your syslog.conf fil
     its conf file.  Also, remember that syslogd does *not* create
     log files, you need to create the file before syslogd will log
     to it (ie: touch /var/log/sudo).
    Note:  the facility (e.g. "auth.debug") must be separated from the
            destination (e.g. "/var/log/auth" or "@loghost") by
            tabs, *not* spaces.  This is a common error.
- Line 121  A) Sudo removes the following "dangerous" environment
+ Line 139  A) Sudo removes the following "dangerous" environment
       _RLD_*
       SHLIB_PATH (HP-UX only)
       LIBPATH (AIX only)
-      KRB_CONF (kerb4 only)
-      KRBCONFDIR (kerb4 only)
-      KRBTKFILE (kerb4 only)
       KRB5_CONFIG (kerb5 only)
       VAR_ACE (SecurID only)
       USR_ACE (SecurID only)
- Line 167  A) Starting with Solaris 2.6, snprintf(3) is included
+ Line 182  A) Starting with Solaris 2.6, snprintf(3) is included
          #define HAVE_VSNPRINTF 1
     and run make.
+ Q) I built sudo on a Solaris 11 (or higher) machine but the resulting
+    binary doesn't work older Solaris versions.  Why?
+ A) Starting with Solaris 11, asprintf(3) is included in the standard
+    C library.  To build a version of sudo on a Solaris 11 machine that
+    will run on an older Solaris release, edit config.h and comment out
+    the lines:
+         #define HAVE_ASPRINTF 1
+         #define HAVE_VASPRINTF 1
+    and run make.
  Q) When I run "visudo" it says "sudoers file busy, try again later."
     and doesn't do anything.
  A) Someone else is currently editing the sudoers file with visudo.
- Line 204  A) ssh does not allocate a tty by default when running
+ Line 230  A) ssh does not allocate a tty by default when running
     You can use ssh's "-t" option to force it to allocate a tty.
     Alternately, if you do not mind your password being echoed to the
     screen, you can use the "visiblepw" sudoers option to allow this.
+ Q) When I try to use SSL-enabled LDAP with sudo I get an error:
+     unable to initialize SSL cert and key db: security library: bad database.
+     you must set TLS_CERT in /etc/ldap.conf to use SSL
+ A) On systems that use a Mozilla-derived LDAP SDK there must be a
+    certificate database in place to use SSL-encrypted LDAP connections.
+    This file is usually /var/ldap/cert8.db or /etc/ldap/cert8.db.
+    The actual number after "cert" will vary, depending on the version
+    of the LDAP SDK that is being used.  If you do not have a certificate
+    database you can either copy one from a mozilla-derived browser, such
+    as firefox, or create one using the "certutil" command.  You can run
+    "certutil" as follows and press the <return> (or <enter>) key at the
+    password prompt:
+     # certutil -N -d /var/ldap
+     Enter a password which will be used to encrypt your keys.
+     The password should be at least 8 characters long,
+     and should contain at least one non-alphabetic character.
+     Enter new password: <return>
+     Re-enter password: <return>
+ Q) On HP-UX, when I run command via sudo it displays information
+    about the last successful login and last authentication failure
+    for every command.  How can I fix this?
+ A) This output comes from /usr/lib/security/libpam_hpsec.so.1.
+    To suppress it, add a line like the following to /etc/pam.conf:
+    sudo session required libpam_hpsec.so.1 bypass_umask bypass_last_login
+ Q) On HP-UX, the umask setting in sudoers has no effect.
+ A) If your /etc/pam.conf file has the libpam_hpsec.so.1 session module
+    enabled, you may need to a add line like the following to pam.conf:
+    sudo session required libpam_hpsec.so.1 bypass_umask
+ Q) When I run sudo on AIX I get the following error:
+     setuidx(ID_EFFECTIVE|ID_REAL|ID_SAVED, ROOT_UID): Operation not permitted.
+ A) AIX's Enhanced RBAC is preventing sudo from running.  To fix
+    this, add the following entry to /etc/security/privcmds (adjust
+    the path to sudo as needed) and run the setkst command as root:
+     /usr/local/bin/sudo:
+             accessauths = ALLOW_ALL
+             innateprivs = PV_DAC_GID,PV_DAC_O,PV_DAC_R,PV_DAC_UID,PV_DAC_W,PV_DAC_X,PV_FS_CHOWN,PV_PROC_ENV,PV_PROC_PRIO,PV_PROC_RAC
+             secflags = FSF_EPS
+ Q) Sudo configures and builds without error but when I run it I get
+    a Segmentation fault.
+ A) If you are on a Linux system, the first thing to try is to run
+    configure with the --disable-pie option, then "make clean" and
+    "make".  If that fixes the problem then your operating system
+    does not properly support position independent executables.
+    Please send a message to sudo@sudo.ws with system details such
+    as the Linux distro, kernel version and CPU architecture.
+ Q) When I run configure I get the following error:
+     dlopen present but libtool doesn't appear to support your platform.
+ A) Libtool doesn't know how to support dynamic linking on the operating
+    system you are building for.  If you are cross-compiling, you need to
+    specify the operating system, not just the CPU type.  For example:
+         --host powerpc-unknown-linux
+    instead of just:
+         --host powerpc
  Q) How do you pronounce `sudo'?
  A) The official pronunciation is soo-doo (for su "do").  However, an

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>

Removed from v.1.1
changed lines
	Added in v.1.1.1.3