Annotation of embedaddon/sudo/doc/TROUBLESHOOTING, revision 1.1
1.1 ! misho 1: Troubleshooting tips and FAQ for Sudo
! 2: =====================================
! 3:
! 4: Q) When I run configure, it says "C compiler cannot create executables".
! 5: A) This usually means you either don't have a working compiler. This
! 6: could be due to the lack of a license or that some component of the
! 7: compiler suite could not be found. Check config.log for clues as
! 8: to why this is happening. On many systems, compiler components live
! 9: in /usr/ccs/bin which may not be in your PATH environment variable.
! 10:
! 11: Q) When I run configure, it says "sudo requires the 'ar' utility to build".
! 12: A) As part of the build process, sudo creates a temporary library containing
! 13: objects that are shared amongst the different sudo executables.
! 14: On Unix systems, the "ar" utility is used to do this. This error
! 15: indicates that "ar" is missing on your system. On Solaris systems,
! 16: you may need to install the SUNWbtool package. On other systems
! 17: "ar" may be included in the GNU binutils package.
! 18:
! 19: Q) Sudo compiles but when I run it I get "Sorry, sudo must be setuid root."
! 20: and sudo quits.
! 21: A) Sudo must be setuid root to do its work. You need to do something like
! 22: `chmod 4111 /usr/local/bin/sudo'. Also, the file system sudo resides
! 23: on must *not* be mounted (or exported) with the nosuid option or sudo
! 24: will not be able to work. Another possibility is you may have '.' in
! 25: your $PATH before the directory containing sudo. If you are going
! 26: to have '.' in your path you should make sure it is at the end.
! 27:
! 28: Q) Sudo never gives me a chance to enter a password using PAM, it just
! 29: says 'Sorry, try again.' three times and exits.
! 30: A) You didn't setup PAM to work with sudo. On RedHat Linux or Fedora
! 31: Core this generally means installing sample.pam as /etc/pam.d/sudo.
! 32: See the sample.pam file for hints on what to use for other Linux
! 33: systems.
! 34:
! 35: Q) Sudo says 'Account expired or PAM config lacks an "account"
! 36: section for sudo, contact your system administrator' and exits
! 37: but I know my account has not expired.
! 38: A) Your PAM config lacks an "account" specification. On Linux this
! 39: usually means you are missing a line like:
! 40: account required pam_unix.so
! 41: in /etc/pam.d/sudo.
! 42:
! 43: Q) Sudo is setup to log via syslog(3) but I'm not getting any log
! 44: messages.
! 45: A) Make sure you have an entry in your syslog.conf file to save
! 46: the sudo messages (see the sample.syslog.conf file). The default
! 47: log facility is authpriv (changeable via configure or in sudoers).
! 48: Don't forget to send a SIGHUP to your syslogd so that it re-reads
! 49: its conf file. Also, remember that syslogd does *not* create
! 50: log files, you need to create the file before syslogd will log
! 51: to it (ie: touch /var/log/sudo).
! 52: Note: the facility (e.g. "auth.debug") must be separated from the
! 53: destination (e.g. "/var/log/auth" or "@loghost") by
! 54: tabs, *not* spaces. This is a common error.
! 55:
! 56: Q) When sudo asks me for my password it never accepts what I enter even
! 57: though I know I entered my password correctly.
! 58: A) If you are not using pam and your system uses shadow passwords,
! 59: it is possible that sudo didn't properly detect that shadow
! 60: passwords are in use. Take a look at the generated config.h
! 61: file and verify that the C function used for shadow password
! 62: look ups was detected. For instance, for SVR4-style shadow
! 63: passwords, HAVE_GETSPNAM should be defined (you can search for
! 64: the string "shadow passwords" in config.h with your editor).
! 65: Note that there is no define for 4.4BSD-based shadow passwords
! 66: since that just uses the standard getpw* routines.
! 67:
! 68: Q) Can sudo use the ssh agent for authentication instead of asking
! 69: for the user's Unix password?
! 70: A) Not directly, but you can use a PAM module like pam_ssh_agent_auth
! 71: or pam_ssh for this purpose.
! 72:
! 73: Q) I don't want the sudoers file in /etc, how can I specify where it
! 74: should go?
! 75: A) Use the --sysconfdir option to configure. Ie:
! 76: configure --sysconfdir=/dir/you/want/sudoers/in
! 77:
! 78: Q) Can I put the sudoers file in NIS/NIS+ or do I have to have a
! 79: copy on each machine?
! 80: A) There is no support for making an NIS/NIS+ map/table out of
! 81: the sudoers file at this time. You can distribute the sudoers
! 82: file via rsync or rdist. It is also possible to NFS-mount the
! 83: sudoers file. If you use LDAP at your site you may be interested
! 84: in sudo's LDAP sudoers support, see the README.LDAP file and the
! 85: sudoers.ldap manual.
! 86:
! 87: Q) I don't run sendmail on my machine. Does this mean that I cannot
! 88: use sudo?
! 89: A) No, you just need to disable mailing with a line like:
! 90: Defaults !mailerpath
! 91: in your sudoers file or run configure with the --without-sendmail
! 92: option.
! 93:
! 94: Q) When I run visudo it uses vi as the editor and I hate vi. How
! 95: can I make it use another editor?
! 96: A) You can specify the editor to use in visudo in the sudoers file.
! 97: See the "editor" and "env_editor" entries in the sudoers manual.
! 98: The defaults can also be set at configure time using the
! 99: --with-editor and --with-env-editor configure options.
! 100:
! 101: Q) Sudo appears to be removing some variables from my environment, why?
! 102: A) Sudo removes the following "dangerous" environment variables
! 103: to guard against shared library spoofing, shell voodoo, and
! 104: kerberos server spoofing.
! 105: IFS
! 106: LOCALDOMAIN
! 107: RES_OPTIONS
! 108: HOSTALIASES
! 109: NLSPATH
! 110: PATH_LOCALE
! 111: TERMINFO
! 112: TERMINFO_DIRS
! 113: TERMPATH
! 114: TERMCAP
! 115: ENV
! 116: BASH_ENV
! 117: LC_ (if it contains a '/' or '%')
! 118: LANG (if it contains a '/' or '%')
! 119: LANGUAGE (if it contains a '/' or '%')
! 120: LD_*
! 121: _RLD_*
! 122: SHLIB_PATH (HP-UX only)
! 123: LIBPATH (AIX only)
! 124: KRB_CONF (kerb4 only)
! 125: KRBCONFDIR (kerb4 only)
! 126: KRBTKFILE (kerb4 only)
! 127: KRB5_CONFIG (kerb5 only)
! 128: VAR_ACE (SecurID only)
! 129: USR_ACE (SecurID only)
! 130: DLC_ACE (SecurID only)
! 131:
! 132: Q) How can I keep sudo from asking for a password?
! 133: A) To specify this on a per-user (and per-command) basis, use the
! 134: 'NOPASSWD' tag right before the command list in sudoers. See
! 135: the sudoers man page and sample.sudoers for details. To disable
! 136: passwords completely, add !authenticate" to the Defaults line
! 137: in /etc/sudoers. You can also turn off authentication on a
! 138: per-user or per-host basis using a user or host-specific Defaults
! 139: entry in sudoers. To hard-code the global default, you can
! 140: configure with the --without-passwd option.
! 141:
! 142: Q) When I run configure, it dies with the following error:
! 143: "no acceptable cc found in $PATH".
! 144: A) /usr/ucb/cc was the only C compiler that configure could find.
! 145: You need to tell configure the path to the "real" C compiler
! 146: via the --with-CC option. On Solaris, the path is probably
! 147: something like "/opt/SUNWspro/SC4.0/bin/cc". If you have gcc
! 148: that will also work.
! 149:
! 150: Q) When I run configure, it dies with the following error:
! 151: Fatal Error: config.cache exists from another platform!
! 152: Please remove it and re-run configure.
! 153: A) configure caches the results of its tests in a file called
! 154: config.cache to make re-running configure speedy. However,
! 155: if you are building sudo for a different platform the results
! 156: in config.cache will be wrong so you need to remove config.cache.
! 157: You can do this by "rm config.cache" or "make realclean".
! 158: Note that "make realclean" will also remove any object files
! 159: and configure temp files that are laying around as well.
! 160:
! 161: Q) I built sudo on a Solaris >= 2.6 machine but the resulting binary
! 162: doesn't work on Solaris <= 2.5.1. Why?
! 163: A) Starting with Solaris 2.6, snprintf(3) is included in the standard
! 164: C library. To build a version of sudo on a >= 2.6 machine that
! 165: will run on a <= 2.5.1 machine, edit config.h and comment out the lines:
! 166: #define HAVE_SNPRINTF 1
! 167: #define HAVE_VSNPRINTF 1
! 168: and run make.
! 169:
! 170: Q) When I run "visudo" it says "sudoers file busy, try again later."
! 171: and doesn't do anything.
! 172: A) Someone else is currently editing the sudoers file with visudo.
! 173:
! 174: Q) When I try to use "cd" with sudo it says "cd: command not found".
! 175: A) "cd" is a shell built-in command, you can't run it as a command
! 176: since a child process (sudo) cannot affect the current working
! 177: directory of the parent (your shell).
! 178:
! 179: Q) When I try to use "cd" with sudo the command completes without
! 180: errors but nothing happens.
! 181: A) Even though "cd" is a shell built-in command, some operating systems
! 182: include a /usr/bin/cd command for some reason. A standalone
! 183: "cd" command is totally useless since a child process (cd) cannot
! 184: affect the current working directory of the parent (your shell).
! 185: Thus, "sudo cd /foo" will start a child process, change the
! 186: directory and immediately exit without doing anything useful.
! 187:
! 188: Q) When I run sudo it says I am not allowed to run the command as root
! 189: but I don't want to run it as root, I want to run it as another user.
! 190: My sudoers file entry looks like:
! 191: bob ALL=(oracle) ALL
! 192: A) The default user sudo tries to run things as is always root, even if
! 193: the invoking user can only run commands as a single, specific user.
! 194: This may change in the future but at the present time you have to
! 195: work around this using the 'runas_default' option in sudoers.
! 196: For example:
! 197: Defaults:bob runas_default=oracle
! 198: would achieve the desired result for the preceding sudoers fragment.
! 199:
! 200: Q) When I try to run sudo via ssh, I get the error:
! 201: sudo: no tty present and no askpass program specified
! 202: A) ssh does not allocate a tty by default when running a remote command.
! 203: Without a tty, sudo cannot disable echo when prompting for a password.
! 204: You can use ssh's "-t" option to force it to allocate a tty.
! 205: Alternately, if you do not mind your password being echoed to the
! 206: screen, you can use the "visiblepw" sudoers option to allow this.
! 207:
! 208: Q) How do you pronounce `sudo'?
! 209: A) The official pronunciation is soo-doo (for su "do"). However, an
! 210: alternate pronunciation, a homophone of "pseudo", is also common.
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to TROUBLESHOOTING CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc