1: Troubleshooting tips and FAQ for Sudo
2: =====================================
3:
4: Q) When I run configure, it says "C compiler cannot create executables".
5: A) This usually means you either don't have a working compiler. This
6: could be due to the lack of a license or that some component of the
7: compiler suite could not be found. Check config.log for clues as
8: to why this is happening. On many systems, compiler components live
9: in /usr/ccs/bin which may not be in your PATH environment variable.
10:
11: Q) When I run configure, it says "sudo requires the 'ar' utility to build".
12: A) As part of the build process, sudo creates a temporary library containing
13: objects that are shared amongst the different sudo executables.
14: On Unix systems, the "ar" utility is used to do this. This error
15: indicates that "ar" is missing on your system. On Solaris systems,
16: you may need to install the SUNWbtool package. On other systems
17: "ar" may be included in the GNU binutils package.
18:
19: Q) Sudo compiles and installs OK but when I try to run it I get:
20: /usr/local/bin/sudo must be owned by uid 0 and have the setuid bit set
21: A) Sudo must be setuid root to do its work. Either /usr/local/bin/sudo
22: is not owned by uid 0 or the setuid bit is not set. This should have
23: been done for you by "make install" but you can fix it manually by
24: running the following as root:
25: # chown root /usr/local/bin/sudo; chmod 4111 /usr/local/bin/sudo
26:
27: Q) Sudo compiles and installs OK but when I try to run it I get:
28: effective uid is not 0, is /usr/local/bin/sudo on a file system with the
29: 'nosuid' option set or an NFS file system without root privileges?
30: A) The owner and permissions on the sudo binary appear to be OK but when
31: sudo ran, the setuid bit did not have an effect. There are two common
32: causes for this. The first is that the file system the sudo binary
33: is located on is mounted with the 'nosuid' mount option, which disables
34: setuid binaries. The other is that sudo is installed on an NFS-mounted
35: file system that is exported without root privileges. By default, NFS
36: file systems are exported with uid 0 mapped to a non-privileged uid
37: (usually -2).
38:
39: You need to do something like
40: `chmod 4111 /usr/local/bin/sudo'. Also, the file system sudo resides
41: on must *not* be mounted (or exported) with the nosuid option or sudo
42: will not be able to work. Another possibility is you may have '.' in
43: your $PATH before the directory containing sudo. If you are going
44: to have '.' in your path you should make sure it is at the end.
45:
46: Q) Sudo never gives me a chance to enter a password using PAM, it just
47: says 'Sorry, try again.' three times and exits.
48: A) You didn't setup PAM to work with sudo. On RedHat Linux or Fedora
49: Core this generally means installing sample.pam as /etc/pam.d/sudo.
50: See the sample.pam file for hints on what to use for other Linux
51: systems.
52:
53: Q) Sudo says 'Account expired or PAM config lacks an "account"
54: section for sudo, contact your system administrator' and exits
55: but I know my account has not expired.
56: A) Your PAM config lacks an "account" specification. On Linux this
57: usually means you are missing a line like:
58: account required pam_unix.so
59: in /etc/pam.d/sudo.
60:
61: Q) Sudo is setup to log via syslog(3) but I'm not getting any log
62: messages.
63: A) Make sure you have an entry in your syslog.conf file to save
64: the sudo messages (see the sample.syslog.conf file). The default
65: log facility is authpriv (changeable via configure or in sudoers).
66: Don't forget to send a SIGHUP to your syslogd so that it re-reads
67: its conf file. Also, remember that syslogd does *not* create
68: log files, you need to create the file before syslogd will log
69: to it (ie: touch /var/log/sudo).
70: Note: the facility (e.g. "auth.debug") must be separated from the
71: destination (e.g. "/var/log/auth" or "@loghost") by
72: tabs, *not* spaces. This is a common error.
73:
74: Q) When sudo asks me for my password it never accepts what I enter even
75: though I know I entered my password correctly.
76: A) If you are not using pam and your system uses shadow passwords,
77: it is possible that sudo didn't properly detect that shadow
78: passwords are in use. Take a look at the generated config.h
79: file and verify that the C function used for shadow password
80: look ups was detected. For instance, for SVR4-style shadow
81: passwords, HAVE_GETSPNAM should be defined (you can search for
82: the string "shadow passwords" in config.h with your editor).
83: Note that there is no define for 4.4BSD-based shadow passwords
84: since that just uses the standard getpw* routines.
85:
86: Q) Can sudo use the ssh agent for authentication instead of asking
87: for the user's Unix password?
88: A) Not directly, but you can use a PAM module like pam_ssh_agent_auth
89: or pam_ssh for this purpose.
90:
91: Q) I don't want the sudoers file in /etc, how can I specify where it
92: should go?
93: A) Use the --sysconfdir option to configure. Ie:
94: configure --sysconfdir=/dir/you/want/sudoers/in
95:
96: Q) Can I put the sudoers file in NIS/NIS+ or do I have to have a
97: copy on each machine?
98: A) There is no support for making an NIS/NIS+ map/table out of
99: the sudoers file at this time. You can distribute the sudoers
100: file via rsync or rdist. It is also possible to NFS-mount the
101: sudoers file. If you use LDAP at your site you may be interested
102: in sudo's LDAP sudoers support, see the README.LDAP file and the
103: sudoers.ldap manual.
104:
105: Q) I don't run sendmail on my machine. Does this mean that I cannot
106: use sudo?
107: A) No, you just need to disable mailing with a line like:
108: Defaults !mailerpath
109: in your sudoers file or run configure with the --without-sendmail
110: option.
111:
112: Q) When I run visudo it uses vi as the editor and I hate vi. How
113: can I make it use another editor?
114: A) You can specify the editor to use in visudo in the sudoers file.
115: See the "editor" and "env_editor" entries in the sudoers manual.
116: The defaults can also be set at configure time using the
117: --with-editor and --with-env-editor configure options.
118:
119: Q) Sudo appears to be removing some variables from my environment, why?
120: A) Sudo removes the following "dangerous" environment variables
121: to guard against shared library spoofing, shell voodoo, and
122: kerberos server spoofing.
123: IFS
124: LOCALDOMAIN
125: RES_OPTIONS
126: HOSTALIASES
127: NLSPATH
128: PATH_LOCALE
129: TERMINFO
130: TERMINFO_DIRS
131: TERMPATH
132: TERMCAP
133: ENV
134: BASH_ENV
135: LC_ (if it contains a '/' or '%')
136: LANG (if it contains a '/' or '%')
137: LANGUAGE (if it contains a '/' or '%')
138: LD_*
139: _RLD_*
140: SHLIB_PATH (HP-UX only)
141: LIBPATH (AIX only)
142: KRB5_CONFIG (kerb5 only)
143: VAR_ACE (SecurID only)
144: USR_ACE (SecurID only)
145: DLC_ACE (SecurID only)
146:
147: Q) How can I keep sudo from asking for a password?
148: A) To specify this on a per-user (and per-command) basis, use the
149: 'NOPASSWD' tag right before the command list in sudoers. See
150: the sudoers man page and sample.sudoers for details. To disable
151: passwords completely, add !authenticate" to the Defaults line
152: in /etc/sudoers. You can also turn off authentication on a
153: per-user or per-host basis using a user or host-specific Defaults
154: entry in sudoers. To hard-code the global default, you can
155: configure with the --without-passwd option.
156:
157: Q) When I run configure, it dies with the following error:
158: "no acceptable cc found in $PATH".
159: A) /usr/ucb/cc was the only C compiler that configure could find.
160: You need to tell configure the path to the "real" C compiler
161: via the --with-CC option. On Solaris, the path is probably
162: something like "/opt/SUNWspro/SC4.0/bin/cc". If you have gcc
163: that will also work.
164:
165: Q) When I run configure, it dies with the following error:
166: Fatal Error: config.cache exists from another platform!
167: Please remove it and re-run configure.
168: A) configure caches the results of its tests in a file called
169: config.cache to make re-running configure speedy. However,
170: if you are building sudo for a different platform the results
171: in config.cache will be wrong so you need to remove config.cache.
172: You can do this by "rm config.cache" or "make realclean".
173: Note that "make realclean" will also remove any object files
174: and configure temp files that are laying around as well.
175:
176: Q) I built sudo on a Solaris >= 2.6 machine but the resulting binary
177: doesn't work on Solaris <= 2.5.1. Why?
178: A) Starting with Solaris 2.6, snprintf(3) is included in the standard
179: C library. To build a version of sudo on a >= 2.6 machine that
180: will run on a <= 2.5.1 machine, edit config.h and comment out the lines:
181: #define HAVE_SNPRINTF 1
182: #define HAVE_VSNPRINTF 1
183: and run make.
184:
185: Q) When I run "visudo" it says "sudoers file busy, try again later."
186: and doesn't do anything.
187: A) Someone else is currently editing the sudoers file with visudo.
188:
189: Q) When I try to use "cd" with sudo it says "cd: command not found".
190: A) "cd" is a shell built-in command, you can't run it as a command
191: since a child process (sudo) cannot affect the current working
192: directory of the parent (your shell).
193:
194: Q) When I try to use "cd" with sudo the command completes without
195: errors but nothing happens.
196: A) Even though "cd" is a shell built-in command, some operating systems
197: include a /usr/bin/cd command for some reason. A standalone
198: "cd" command is totally useless since a child process (cd) cannot
199: affect the current working directory of the parent (your shell).
200: Thus, "sudo cd /foo" will start a child process, change the
201: directory and immediately exit without doing anything useful.
202:
203: Q) When I run sudo it says I am not allowed to run the command as root
204: but I don't want to run it as root, I want to run it as another user.
205: My sudoers file entry looks like:
206: bob ALL=(oracle) ALL
207: A) The default user sudo tries to run things as is always root, even if
208: the invoking user can only run commands as a single, specific user.
209: This may change in the future but at the present time you have to
210: work around this using the 'runas_default' option in sudoers.
211: For example:
212: Defaults:bob runas_default=oracle
213: would achieve the desired result for the preceding sudoers fragment.
214:
215: Q) When I try to run sudo via ssh, I get the error:
216: sudo: no tty present and no askpass program specified
217: A) ssh does not allocate a tty by default when running a remote command.
218: Without a tty, sudo cannot disable echo when prompting for a password.
219: You can use ssh's "-t" option to force it to allocate a tty.
220: Alternately, if you do not mind your password being echoed to the
221: screen, you can use the "visiblepw" sudoers option to allow this.
222:
223: Q) When I try to use SSL-enabled LDAP with sudo I get an error:
224: unable to initialize SSL cert and key db: security library: bad database.
225: you must set TLS_CERT in /etc/ldap.conf to use SSL
226: A) On systems that use a Mozilla-derived LDAP SDK there must be a
227: certificate database in place to use SSL-encrypted LDAP connections.
228: This file is usually /var/ldap/cert8.db or /etc/ldap/cert8.db.
229: The actual number after "cert" will vary, depending on the version
230: of the LDAP SDK that is being used. If you do not have a certificate
231: database you can either copy one from a mozilla-derived browser, such
232: as firefox, or create one using the "certutil" command. You can run
233: "certutil" as follows and press the <return> (or <enter>) key at the
234: password prompt:
235: # certutil -N -d /var/ldap
236: Enter a password which will be used to encrypt your keys.
237: The password should be at least 8 characters long,
238: and should contain at least one non-alphabetic character.
239:
240: Enter new password: <return>
241: Re-enter password: <return>
242:
243: Q) When I run sudo on AIX I get the following error:
244: setuidx(ID_EFFECTIVE|ID_REAL|ID_SAVED, ROOT_UID): Operation not permitted.
245: A) AIX's Enhanced RBAC is preventing sudo from running. To fix
246: this, add the following entry to /etc/security/privcmds (adjust
247: the path to sudo as needed) and run the setkst command as root:
248:
249: /usr/local/bin/sudo:
250: accessauths = ALLOW_ALL
251: innateprivs = PV_DAC_GID,PV_DAC_O,PV_DAC_R,PV_DAC_UID,PV_DAC_W,PV_DAC_X,PV_FS_CHOWN,PV_PROC_ENV,PV_PROC_PRIO,PV_PROC_RAC
252: secflags = FSF_EPS
253:
254: Q) When I run configure I get the following error:
255: dlopen present but libtool doesn't appear to support your platform.
256: A) Libtool doesn't know how to support dynamic linking on the operating
257: system you are building for. If you are cross-compiling, you need to
258: specify the operating system, not just the CPU type. For example:
259: --host powerpc-unknown-linux
260: instead of just:
261: --host powerpc
262:
263: Q) How do you pronounce `sudo'?
264: A) The official pronunciation is soo-doo (for su "do"). However, an
265: alternate pronunciation, a homophone of "pseudo", is also common.
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to TROUBLESHOOTING CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc