1: Troubleshooting tips and FAQ for Sudo
2: =====================================
3:
4: Q) When I run configure, it says "C compiler cannot create executables".
5: A) This usually means you either don't have a working compiler. This
6: could be due to the lack of a license or that some component of the
7: compiler suite could not be found. Check config.log for clues as
8: to why this is happening. On many systems, compiler components live
9: in /usr/ccs/bin which may not be in your PATH environment variable.
10:
11: Q) When I run configure, it says "sudo requires the 'ar' utility to build".
12: A) As part of the build process, sudo creates a temporary library containing
13: objects that are shared amongst the different sudo executables.
14: On Unix systems, the "ar" utility is used to do this. This error
15: indicates that "ar" is missing on your system. On Solaris systems,
16: you may need to install the SUNWbtool package. On other systems
17: "ar" may be included in the GNU binutils package.
18:
19: Q) Sudo compiles but when I run it I get "Sorry, sudo must be setuid root."
20: and sudo quits.
21: A) Sudo must be setuid root to do its work. You need to do something like
22: `chmod 4111 /usr/local/bin/sudo'. Also, the file system sudo resides
23: on must *not* be mounted (or exported) with the nosuid option or sudo
24: will not be able to work. Another possibility is you may have '.' in
25: your $PATH before the directory containing sudo. If you are going
26: to have '.' in your path you should make sure it is at the end.
27:
28: Q) Sudo never gives me a chance to enter a password using PAM, it just
29: says 'Sorry, try again.' three times and exits.
30: A) You didn't setup PAM to work with sudo. On RedHat Linux or Fedora
31: Core this generally means installing sample.pam as /etc/pam.d/sudo.
32: See the sample.pam file for hints on what to use for other Linux
33: systems.
34:
35: Q) Sudo says 'Account expired or PAM config lacks an "account"
36: section for sudo, contact your system administrator' and exits
37: but I know my account has not expired.
38: A) Your PAM config lacks an "account" specification. On Linux this
39: usually means you are missing a line like:
40: account required pam_unix.so
41: in /etc/pam.d/sudo.
42:
43: Q) Sudo is setup to log via syslog(3) but I'm not getting any log
44: messages.
45: A) Make sure you have an entry in your syslog.conf file to save
46: the sudo messages (see the sample.syslog.conf file). The default
47: log facility is authpriv (changeable via configure or in sudoers).
48: Don't forget to send a SIGHUP to your syslogd so that it re-reads
49: its conf file. Also, remember that syslogd does *not* create
50: log files, you need to create the file before syslogd will log
51: to it (ie: touch /var/log/sudo).
52: Note: the facility (e.g. "auth.debug") must be separated from the
53: destination (e.g. "/var/log/auth" or "@loghost") by
54: tabs, *not* spaces. This is a common error.
55:
56: Q) When sudo asks me for my password it never accepts what I enter even
57: though I know I entered my password correctly.
58: A) If you are not using pam and your system uses shadow passwords,
59: it is possible that sudo didn't properly detect that shadow
60: passwords are in use. Take a look at the generated config.h
61: file and verify that the C function used for shadow password
62: look ups was detected. For instance, for SVR4-style shadow
63: passwords, HAVE_GETSPNAM should be defined (you can search for
64: the string "shadow passwords" in config.h with your editor).
65: Note that there is no define for 4.4BSD-based shadow passwords
66: since that just uses the standard getpw* routines.
67:
68: Q) Can sudo use the ssh agent for authentication instead of asking
69: for the user's Unix password?
70: A) Not directly, but you can use a PAM module like pam_ssh_agent_auth
71: or pam_ssh for this purpose.
72:
73: Q) I don't want the sudoers file in /etc, how can I specify where it
74: should go?
75: A) Use the --sysconfdir option to configure. Ie:
76: configure --sysconfdir=/dir/you/want/sudoers/in
77:
78: Q) Can I put the sudoers file in NIS/NIS+ or do I have to have a
79: copy on each machine?
80: A) There is no support for making an NIS/NIS+ map/table out of
81: the sudoers file at this time. You can distribute the sudoers
82: file via rsync or rdist. It is also possible to NFS-mount the
83: sudoers file. If you use LDAP at your site you may be interested
84: in sudo's LDAP sudoers support, see the README.LDAP file and the
85: sudoers.ldap manual.
86:
87: Q) I don't run sendmail on my machine. Does this mean that I cannot
88: use sudo?
89: A) No, you just need to disable mailing with a line like:
90: Defaults !mailerpath
91: in your sudoers file or run configure with the --without-sendmail
92: option.
93:
94: Q) When I run visudo it uses vi as the editor and I hate vi. How
95: can I make it use another editor?
96: A) You can specify the editor to use in visudo in the sudoers file.
97: See the "editor" and "env_editor" entries in the sudoers manual.
98: The defaults can also be set at configure time using the
99: --with-editor and --with-env-editor configure options.
100:
101: Q) Sudo appears to be removing some variables from my environment, why?
102: A) Sudo removes the following "dangerous" environment variables
103: to guard against shared library spoofing, shell voodoo, and
104: kerberos server spoofing.
105: IFS
106: LOCALDOMAIN
107: RES_OPTIONS
108: HOSTALIASES
109: NLSPATH
110: PATH_LOCALE
111: TERMINFO
112: TERMINFO_DIRS
113: TERMPATH
114: TERMCAP
115: ENV
116: BASH_ENV
117: LC_ (if it contains a '/' or '%')
118: LANG (if it contains a '/' or '%')
119: LANGUAGE (if it contains a '/' or '%')
120: LD_*
121: _RLD_*
122: SHLIB_PATH (HP-UX only)
123: LIBPATH (AIX only)
124: KRB_CONF (kerb4 only)
125: KRBCONFDIR (kerb4 only)
126: KRBTKFILE (kerb4 only)
127: KRB5_CONFIG (kerb5 only)
128: VAR_ACE (SecurID only)
129: USR_ACE (SecurID only)
130: DLC_ACE (SecurID only)
131:
132: Q) How can I keep sudo from asking for a password?
133: A) To specify this on a per-user (and per-command) basis, use the
134: 'NOPASSWD' tag right before the command list in sudoers. See
135: the sudoers man page and sample.sudoers for details. To disable
136: passwords completely, add !authenticate" to the Defaults line
137: in /etc/sudoers. You can also turn off authentication on a
138: per-user or per-host basis using a user or host-specific Defaults
139: entry in sudoers. To hard-code the global default, you can
140: configure with the --without-passwd option.
141:
142: Q) When I run configure, it dies with the following error:
143: "no acceptable cc found in $PATH".
144: A) /usr/ucb/cc was the only C compiler that configure could find.
145: You need to tell configure the path to the "real" C compiler
146: via the --with-CC option. On Solaris, the path is probably
147: something like "/opt/SUNWspro/SC4.0/bin/cc". If you have gcc
148: that will also work.
149:
150: Q) When I run configure, it dies with the following error:
151: Fatal Error: config.cache exists from another platform!
152: Please remove it and re-run configure.
153: A) configure caches the results of its tests in a file called
154: config.cache to make re-running configure speedy. However,
155: if you are building sudo for a different platform the results
156: in config.cache will be wrong so you need to remove config.cache.
157: You can do this by "rm config.cache" or "make realclean".
158: Note that "make realclean" will also remove any object files
159: and configure temp files that are laying around as well.
160:
161: Q) I built sudo on a Solaris >= 2.6 machine but the resulting binary
162: doesn't work on Solaris <= 2.5.1. Why?
163: A) Starting with Solaris 2.6, snprintf(3) is included in the standard
164: C library. To build a version of sudo on a >= 2.6 machine that
165: will run on a <= 2.5.1 machine, edit config.h and comment out the lines:
166: #define HAVE_SNPRINTF 1
167: #define HAVE_VSNPRINTF 1
168: and run make.
169:
170: Q) When I run "visudo" it says "sudoers file busy, try again later."
171: and doesn't do anything.
172: A) Someone else is currently editing the sudoers file with visudo.
173:
174: Q) When I try to use "cd" with sudo it says "cd: command not found".
175: A) "cd" is a shell built-in command, you can't run it as a command
176: since a child process (sudo) cannot affect the current working
177: directory of the parent (your shell).
178:
179: Q) When I try to use "cd" with sudo the command completes without
180: errors but nothing happens.
181: A) Even though "cd" is a shell built-in command, some operating systems
182: include a /usr/bin/cd command for some reason. A standalone
183: "cd" command is totally useless since a child process (cd) cannot
184: affect the current working directory of the parent (your shell).
185: Thus, "sudo cd /foo" will start a child process, change the
186: directory and immediately exit without doing anything useful.
187:
188: Q) When I run sudo it says I am not allowed to run the command as root
189: but I don't want to run it as root, I want to run it as another user.
190: My sudoers file entry looks like:
191: bob ALL=(oracle) ALL
192: A) The default user sudo tries to run things as is always root, even if
193: the invoking user can only run commands as a single, specific user.
194: This may change in the future but at the present time you have to
195: work around this using the 'runas_default' option in sudoers.
196: For example:
197: Defaults:bob runas_default=oracle
198: would achieve the desired result for the preceding sudoers fragment.
199:
200: Q) When I try to run sudo via ssh, I get the error:
201: sudo: no tty present and no askpass program specified
202: A) ssh does not allocate a tty by default when running a remote command.
203: Without a tty, sudo cannot disable echo when prompting for a password.
204: You can use ssh's "-t" option to force it to allocate a tty.
205: Alternately, if you do not mind your password being echoed to the
206: screen, you can use the "visiblepw" sudoers option to allow this.
207:
208: Q) How do you pronounce `sudo'?
209: A) The official pronunciation is soo-doo (for su "do"). However, an
210: alternate pronunciation, a homophone of "pseudo", is also common.
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>