Return to TROUBLESHOOTING CVS log

Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc

sudo

    1: Troubleshooting tips and FAQ for Sudo
    2: =====================================
    3: 
    4: Q) When I run configure, it says "C compiler cannot create executables".
    5: A) This usually means you either don't have a working compiler.  This
    6:    could be due to the lack of a license or that some component of the
    7:    compiler suite could not be found.  Check config.log for clues as
    8:    to why this is happening.  On many systems, compiler components live
    9:    in /usr/ccs/bin which may not be in your PATH environment variable.
   10: 
   11: Q) When I run configure, it says "sudo requires the 'ar' utility to build".
   12: A) As part of the build process, sudo creates a temporary library containing
   13:    objects that are shared amongst the different sudo executables.
   14:    On Unix systems, the "ar" utility is used to do this.  This error
   15:    indicates that "ar" is missing on your system.  On Solaris systems,
   16:    you may need to install the SUNWbtool package.  On other systems
   17:    "ar" may be included in the GNU binutils package.
   18: 
   19: Q) Sudo compiles but when I run it I get "Sorry, sudo must be setuid root."
   20:    and sudo quits.
   21: A) Sudo must be setuid root to do its work.  You need to do something like
   22:    `chmod 4111 /usr/local/bin/sudo'.  Also, the file system sudo resides
   23:    on must *not* be mounted (or exported) with the nosuid option or sudo
   24:    will not be able to work.  Another possibility is you may have '.' in
   25:    your $PATH before the directory containing sudo.  If you are going
   26:    to have '.' in your path you should make sure it is at the end.
   27: 
   28: Q) Sudo never gives me a chance to enter a password using PAM, it just
   29:    says 'Sorry, try again.' three times and exits.
   30: A) You didn't setup PAM to work with sudo.  On RedHat Linux or Fedora
   31:    Core this generally means installing sample.pam as /etc/pam.d/sudo.
   32:    See the sample.pam file for hints on what to use for other Linux
   33:    systems.
   34: 
   35: Q) Sudo says 'Account expired or PAM config lacks an "account"
   36:    section for sudo, contact your system administrator' and exits
   37:    but I know my account has not expired.
   38: A) Your PAM config lacks an "account" specification.  On Linux this
   39:    usually means you are missing a line like:
   40: 	account    required    pam_unix.so
   41:    in /etc/pam.d/sudo.
   42: 
   43: Q) Sudo is setup to log via syslog(3) but I'm not getting any log
   44:    messages.
   45: A) Make sure you have an entry in your syslog.conf file to save
   46:    the sudo messages (see the sample.syslog.conf file).  The default
   47:    log facility is authpriv (changeable via configure or in sudoers).
   48:    Don't forget to send a SIGHUP to your syslogd so that it re-reads
   49:    its conf file.  Also, remember that syslogd does *not* create
   50:    log files, you need to create the file before syslogd will log
   51:    to it (ie: touch /var/log/sudo).
   52:    Note:  the facility (e.g. "auth.debug") must be separated from the 
   53: 	  destination (e.g. "/var/log/auth" or "@loghost") by
   54: 	  tabs, *not* spaces.  This is a common error.
   55: 
   56: Q) When sudo asks me for my password it never accepts what I enter even
   57:    though I know I entered my password correctly.
   58: A) If you are not using pam and your system uses shadow passwords,
   59:    it is possible that sudo didn't properly detect that shadow
   60:    passwords are in use.  Take a look at the generated config.h
   61:    file and verify that the C function used for shadow password
   62:    look ups was detected.  For instance, for SVR4-style shadow
   63:    passwords, HAVE_GETSPNAM should be defined (you can search for
   64:    the string "shadow passwords" in config.h with your editor).
   65:    Note that there is no define for 4.4BSD-based shadow passwords
   66:    since that just uses the standard getpw* routines.
   67: 
   68: Q) Can sudo use the ssh agent for authentication instead of asking
   69:    for the user's Unix password?
   70: A) Not directly, but you can use a PAM module like pam_ssh_agent_auth
   71:    or pam_ssh for this purpose.
   72: 
   73: Q) I don't want the sudoers file in /etc, how can I specify where it
   74:    should go?
   75: A) Use the --sysconfdir option to configure.  Ie:
   76:    configure --sysconfdir=/dir/you/want/sudoers/in
   77: 
   78: Q) Can I put the sudoers file in NIS/NIS+ or do I have to have a
   79:    copy on each machine?
   80: A) There is no support for making an NIS/NIS+ map/table out of
   81:    the sudoers file at this time.  You can distribute the sudoers
   82:    file via rsync or rdist.  It is also possible to NFS-mount the
   83:    sudoers file.  If you use LDAP at your site you may be interested
   84:    in sudo's LDAP sudoers support, see the README.LDAP file and the
   85:    sudoers.ldap manual.
   86: 
   87: Q) I don't run sendmail on my machine.  Does this mean that I cannot
   88:    use sudo?
   89: A) No, you just need to disable mailing with a line like:
   90: 	Defaults !mailerpath
   91:    in your sudoers file or run configure with the --without-sendmail
   92:    option.
   93: 
   94: Q) When I run visudo it uses vi as the editor and I hate vi.  How
   95:    can I make it use another editor?
   96: A) You can specify the editor to use in visudo in the sudoers file.
   97:    See the "editor" and "env_editor" entries in the sudoers manual.
   98:    The defaults can also be set at configure time using the
   99:    --with-editor and --with-env-editor configure options.
  100: 
  101: Q) Sudo appears to be removing some variables from my environment, why?
  102: A) Sudo removes the following "dangerous" environment variables
  103:    to guard against shared library spoofing, shell voodoo, and
  104:    kerberos server spoofing.
  105:      IFS
  106:      LOCALDOMAIN
  107:      RES_OPTIONS
  108:      HOSTALIASES
  109:      NLSPATH
  110:      PATH_LOCALE
  111:      TERMINFO
  112:      TERMINFO_DIRS
  113:      TERMPATH
  114:      TERMCAP
  115:      ENV
  116:      BASH_ENV
  117:      LC_ (if it contains a '/' or '%')
  118:      LANG (if it contains a '/' or '%')
  119:      LANGUAGE (if it contains a '/' or '%')
  120:      LD_*
  121:      _RLD_*
  122:      SHLIB_PATH (HP-UX only)
  123:      LIBPATH (AIX only)
  124:      KRB_CONF (kerb4 only)
  125:      KRBCONFDIR (kerb4 only)
  126:      KRBTKFILE (kerb4 only)
  127:      KRB5_CONFIG (kerb5 only)
  128:      VAR_ACE (SecurID only)
  129:      USR_ACE (SecurID only)
  130:      DLC_ACE (SecurID only)
  131: 
  132: Q) How can I keep sudo from asking for a password?
  133: A) To specify this on a per-user (and per-command) basis, use the
  134:    'NOPASSWD' tag right before the command list in sudoers.  See
  135:    the sudoers man page and sample.sudoers for details.  To disable
  136:    passwords completely, add !authenticate" to the Defaults line
  137:    in /etc/sudoers.  You can also turn off authentication on a
  138:    per-user or per-host basis using a user or host-specific Defaults
  139:    entry in sudoers.  To hard-code the global default, you can
  140:    configure with the --without-passwd option.
  141: 
  142: Q) When I run configure, it dies with the following error:
  143:    "no acceptable cc found in $PATH".
  144: A) /usr/ucb/cc was the only C compiler that configure could find.
  145:    You need to tell configure the path to the "real" C compiler
  146:    via the --with-CC option.  On Solaris, the path is probably
  147:    something like "/opt/SUNWspro/SC4.0/bin/cc".  If you have gcc
  148:    that will also work.
  149: 
  150: Q) When I run configure, it dies with the following error:
  151:    Fatal Error: config.cache exists from another platform!
  152:    Please remove it and re-run configure.
  153: A) configure caches the results of its tests in a file called
  154:    config.cache to make re-running configure speedy.  However,
  155:    if you are building sudo for a different platform the results
  156:    in config.cache will be wrong so you need to remove config.cache.
  157:    You can do this by "rm config.cache" or "make realclean".
  158:    Note that "make realclean" will also remove any object files
  159:    and configure temp files that are laying around as well.
  160: 
  161: Q) I built sudo on a Solaris >= 2.6 machine but the resulting binary
  162:    doesn't work on Solaris <= 2.5.1.  Why?
  163: A) Starting with Solaris 2.6, snprintf(3) is included in the standard
  164:    C library.  To build a version of sudo on a >= 2.6 machine that
  165:    will run on a <= 2.5.1 machine, edit config.h and comment out the lines:
  166: 	#define HAVE_SNPRINTF 1
  167: 	#define HAVE_VSNPRINTF 1
  168:    and run make.
  169: 
  170: Q) When I run "visudo" it says "sudoers file busy, try again later."
  171:    and doesn't do anything.
  172: A) Someone else is currently editing the sudoers file with visudo.
  173: 
  174: Q) When I try to use "cd" with sudo it says "cd: command not found".
  175: A) "cd" is a shell built-in command, you can't run it as a command
  176:    since a child process (sudo) cannot affect the current working
  177:    directory of the parent (your shell).
  178: 
  179: Q) When I try to use "cd" with sudo the command completes without
  180:    errors but nothing happens.
  181: A) Even though "cd" is a shell built-in command, some operating systems
  182:    include a /usr/bin/cd command for some reason.  A standalone
  183:    "cd" command is totally useless since a child process (cd) cannot
  184:    affect the current working directory of the parent (your shell).
  185:    Thus, "sudo cd /foo" will start a child process, change the
  186:    directory and immediately exit without doing anything useful.
  187: 
  188: Q) When I run sudo it says I am not allowed to run the command as root
  189:    but I don't want to run it as root, I want to run it as another user.
  190:    My sudoers file entry looks like:
  191:     bob	ALL=(oracle) ALL
  192: A) The default user sudo tries to run things as is always root, even if
  193:    the invoking user can only run commands as a single, specific user.
  194:    This may change in the future but at the present time you have to
  195:    work around this using the 'runas_default' option in sudoers.
  196:    For example:
  197:     Defaults:bob	runas_default=oracle
  198:    would achieve the desired result for the preceding sudoers fragment.
  199: 
  200: Q) When I try to run sudo via ssh, I get the error:
  201:     sudo: no tty present and no askpass program specified
  202: A) ssh does not allocate a tty by default when running a remote command.
  203:    Without a tty, sudo cannot disable echo when prompting for a password.
  204:    You can use ssh's "-t" option to force it to allocate a tty.
  205:    Alternately, if you do not mind your password being echoed to the
  206:    screen, you can use the "visiblepw" sudoers option to allow this.
  207: 
  208: Q) How do you pronounce `sudo'?
  209: A) The official pronunciation is soo-doo (for su "do").  However, an
  210:    alternate pronunciation, a homophone of "pseudo", is also common.