Troubleshooting tips and FAQ for Sudo
=====================================

Q) When I run configure, it says "C compiler cannot create executables".
A) This usually means you don't have a working compiler. This
could be due to the lack of a license or that some component of the
compiler suite could not be found. Check config.log for clues as
to why this is happening. On many systems, compiler components live
in /usr/ccs/bin which may not be in your PATH environment variable.

Q) When I run configure, it says "sudo requires the 'ar' utility to build".
A) As part of the build process, sudo creates a temporary library containing
objects that are shared amongst the different sudo executables.
On Unix systems, the "ar" utility is used to do this. This error
indicates that "ar" is missing on your system. On Solaris systems,
you may need to install the SUNWbtool package. On other systems
"ar" may be included in the GNU binutils package.

Q) Sudo compiles and installs OK but when I try to run it I get:
/usr/local/bin/sudo must be owned by uid 0 and have the setuid bit set
A) Sudo must be setuid root to do its work. Either /usr/local/bin/sudo
is not owned by uid 0 or the setuid bit is not set. This should have
been done for you by "make install" but you can fix it manually by
running the following as root:
# chown root /usr/local/bin/sudo; chmod 4111 /usr/local/bin/sudo

Q) Sudo compiles and installs OK but when I try to run it I get:
effective uid is not 0, is /usr/local/bin/sudo on a file system with the
'nosuid' option set or an NFS file system without root privileges?
A) The owner and permissions on the sudo binary appear to be OK but when
sudo ran, the setuid bit did not have an effect. There are two common
causes for this. The first is that the file system the sudo binary
is located on is mounted with the 'nosuid' mount option, which disables
setuid binaries. The other is that sudo is installed on an NFS-mounted
file system that is exported without root privileges. By default, NFS
file systems are exported with uid 0 mapped to a non-privileged uid
(usually -2).

You need to do something like
`chmod 4111 /usr/local/bin/sudo'. Also, the file system sudo resides
on must *not* be mounted (or exported) with the nosuid option or sudo
will not be able to work. Another possibility is you may have '.' in
your $PATH before the directory containing sudo. If you are going
to have '.' in your path you should make sure it is at the end.
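
The two answers above describe three separate ways a sudo binary can fail
to gain privileges: wrong owner, missing setuid bit, and a nosuid mount.
The following script is an added example, not part of the sudo
distribution, that checks all three. The pure functions take the owner
uid, the octal mode and the mount option string as arguments so they can
be tested on their own; check_sudo_binary assumes GNU stat(1) and
util-linux findmnt(8) to gather those values from a real file.

```shell
#!/bin/sh
# Added example (not from the sudo distribution): check a sudo binary for
# the three causes above: wrong owner, missing setuid bit, nosuid mount.
# Assumes GNU stat(1) and util-linux findmnt(8) for the file-based checks.

# mode_is_setuid_root UID MODE
#   UID: numeric owner; MODE: octal mode as printed by `stat -c %a` (4111).
#   Returns 0 when the owner is uid 0 and the setuid bit is set.
mode_is_setuid_root() {
    uid=$1
    mode=$2
    [ "$uid" -eq 0 ] || return 1
    # stat prints 755 for a plain binary and 4111 for a setuid one; pad to
    # four digits so the first digit always holds the setuid/setgid/sticky
    # bits (4, 2 and 1 respectively).
    while [ ${#mode} -lt 4 ]; do mode="0$mode"; done
    special=$(printf '%s' "$mode" | cut -c1)
    [ $((special & 4)) -eq 4 ]
}

# mount_opts_nosuid OPTS
#   OPTS: comma-separated mount options (e.g. "rw,nosuid,relatime").
#   Returns 0 when the file system ignores setuid bits.
mount_opts_nosuid() {
    case ",$1," in
        *,nosuid,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# check_sudo_binary PATH
#   Runs both checks against a real file and prints what to fix.
#   Returns 0 only when owner, mode and mount options are all acceptable.
check_sudo_binary() {
    path=$1
    rc=0
    [ -e "$path" ] || { echo "$path: no such file"; return 1; }
    uid=$(stat -c %u "$path")
    mode=$(stat -c %a "$path")
    if ! mode_is_setuid_root "$uid" "$mode"; then
        echo "$path: owner uid $uid, mode $mode" \
             "(fix: chown root $path; chmod 4111 $path)"
        rc=1
    fi
    if command -v findmnt >/dev/null 2>&1; then
        opts=$(findmnt -n -o OPTIONS -T "$path")
        if mount_opts_nosuid "$opts"; then
            echo "$path: file system mounted with nosuid ($opts);" \
                 "remount without nosuid or install sudo elsewhere"
            rc=1
        fi
    fi
    return $rc
}

# Usage: check_sudo_binary /usr/local/bin/sudo
```

Run it as any user; only reading the owner, mode and mount options is
needed, so no privileges are required to diagnose the problem. The NFS
root-squash case shows up as the setuid bit having no effect at run time
rather than in these checks, so if both checks pass on an NFS mount, look
at the export options on the server next.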
45:
Q) Sudo never gives me a chance to enter a password using PAM, it just
says 'Sorry, try again.' three times and exits.
A) You didn't set up PAM to work with sudo. On RedHat Linux or Fedora
Core this generally means installing sample.pam as /etc/pam.d/sudo.
See the sample.pam file for hints on what to use for other Linux
systems.

Q) Sudo says 'Account expired or PAM config lacks an "account"
section for sudo, contact your system administrator' and exits
but I know my account has not expired.
A) Your PAM config lacks an "account" specification. On Linux this
usually means you are missing a line like:
account required pam_unix.so
in /etc/pam.d/sudo.

Q) Sudo is set up to log via syslog(3) but I'm not getting any log
messages.
A) Make sure you have an entry in your syslog.conf file to save
the sudo messages (see the sample.syslog.conf file). The default
log facility is authpriv (changeable via configure or in sudoers).
Don't forget to send a SIGHUP to your syslogd so that it re-reads
its conf file. Also, remember that syslogd does *not* create
log files, you need to create the file before syslogd will log
to it (i.e., touch /var/log/sudo).
Note: the facility (e.g. "auth.debug") must be separated from the
destination (e.g. "/var/log/auth" or "@loghost") by
tabs, *not* spaces. This is a common error.
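
The two mistakes in the answer above (spaces instead of tabs, and a log
file that was never created) are easy to miss by eye. The script below is
an added example, not part of sudo or of any syslogd, that reads a
syslog.conf and reports both. It follows the traditional syslogd rule
stated above, namely that selector and action must be separated by a tab;
the file name and the sample contents used in the usage line are
constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of sudo): sanity-check syslog.conf entries for
# the two problems above: selector and action separated by spaces instead
# of tabs, and a destination log file that has not been created yet.

# check_syslog_conf FILE
#   Prints one diagnostic per problem line. Returns 0 when every
#   non-comment line uses a tab separator; missing log files are reported
#   as warnings only, since creating them (touch) is a separate step.
check_syslog_conf() {
    file=$1
    tab=$(printf '\t')
    lineno=0
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            ''|'#'*) continue ;;       # blank line or comment
        esac
        case $line in
            *"$tab"*) ;;               # tab present: traditional syslogd is happy
            *) echo "$file:$lineno: selector and action must be separated by a tab, not spaces"
               bad=1 ;;
        esac
        # Split on whitespace: $1 = selector (e.g. authpriv.*), $2 = action.
        # Globbing is disabled so a selector like "authpriv.*" is not expanded.
        set -f
        set -- $line
        set +f
        action=$2
        case $action in
            /*) [ -e "$action" ] ||
                    echo "$file:$lineno: warning: $action does not exist;" \
                         "syslogd will not create it (touch $action)" ;;
        esac
    done < "$file"
    return $bad
}

# Usage: check_syslog_conf /etc/syslog.conf
```

After fixing the file, send syslogd its SIGHUP as the answer says; the
check only looks at the configuration text, not at whether the daemon has
re-read it.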
73:
Q) When sudo asks me for my password it never accepts what I enter even
though I know I entered my password correctly.
A) If you are not using pam and your system uses shadow passwords,
it is possible that sudo didn't properly detect that shadow
passwords are in use. Take a look at the generated config.h
file and verify that the C function used for shadow password
lookups was detected. For instance, for SVR4-style shadow
passwords, HAVE_GETSPNAM should be defined (you can search for
the string "shadow passwords" in config.h with your editor).
Note that there is no define for 4.4BSD-based shadow passwords
since that just uses the standard getpw* routines.

Q) Can sudo use the ssh agent for authentication instead of asking
for the user's Unix password?
A) Not directly, but you can use a PAM module like pam_ssh_agent_auth
or pam_ssh for this purpose.

Q) I don't want the sudoers file in /etc, how can I specify where it
should go?
A) Use the --sysconfdir option to configure. I.e.:
configure --sysconfdir=/dir/you/want/sudoers/in

Q) Can I put the sudoers file in NIS/NIS+ or do I have to have a
copy on each machine?
A) There is no support for making an NIS/NIS+ map/table out of
the sudoers file at this time. You can distribute the sudoers
file via rsync or rdist. It is also possible to NFS-mount the
sudoers file. If you use LDAP at your site you may be interested
in sudo's LDAP sudoers support, see the README.LDAP file and the
sudoers.ldap manual.

Q) I don't run sendmail on my machine. Does this mean that I cannot
use sudo?
A) No, you just need to disable mailing with a line like:
Defaults !mailerpath
in your sudoers file or run configure with the --without-sendmail
option.

Q) When I run visudo it uses vi as the editor and I hate vi. How
can I make it use another editor?
A) You can specify the editor to use in visudo in the sudoers file.
See the "editor" and "env_editor" entries in the sudoers manual.
The defaults can also be set at configure time using the
--with-editor and --with-env-editor configure options.

Q) Sudo appears to be removing some variables from my environment, why?
A) Sudo removes the following "dangerous" environment variables
to guard against shared library spoofing, shell voodoo, and
kerberos server spoofing.
IFS
LOCALDOMAIN
RES_OPTIONS
HOSTALIASES
NLSPATH
PATH_LOCALE
TERMINFO
TERMINFO_DIRS
TERMPATH
TERMCAP
ENV
BASH_ENV
LC_* (if it contains a '/' or '%')
LANG (if it contains a '/' or '%')
LANGUAGE (if it contains a '/' or '%')
LD_*
_RLD_*
SHLIB_PATH (HP-UX only)
LIBPATH (AIX only)
KRB5_CONFIG (kerb5 only)
VAR_ACE (SecurID only)
USR_ACE (SecurID only)
DLC_ACE (SecurID only)
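
To see which of your own variables fall under the rules above, here is an
added example, written for this FAQ and not sudo's own code, that
transcribes the list into a shell filter. env_is_dangerous applies the
three kinds of rule (fixed names, the LD_*/_RLD_* prefixes, and the
locale variables that are dropped only when their value contains '/' or
'%'); filter_env runs it over NAME=VALUE lines. The sample variables in
the usage line are constructed.

```shell
#!/bin/sh
# Added example (not sudo's own code): apply the stripping rules listed
# above to a NAME=VALUE environment and see what survives. The rules are
# transcribed from this FAQ's list; sudo itself implements them in C.

# env_is_dangerous NAME VALUE
#   Returns 0 when the variable would be removed.
env_is_dangerous() {
    name=$1
    value=$2
    case $name in
        # Fixed names: shell, resolver, terminfo, Kerberos and SecurID settings.
        IFS|LOCALDOMAIN|RES_OPTIONS|HOSTALIASES|NLSPATH|PATH_LOCALE|\
        TERMINFO|TERMINFO_DIRS|TERMPATH|TERMCAP|ENV|BASH_ENV|\
        SHLIB_PATH|LIBPATH|KRB5_CONFIG|VAR_ACE|USR_ACE|DLC_ACE)
            return 0 ;;
        # Dynamic loader variables: shared library spoofing.
        LD_*|_RLD_*)
            return 0 ;;
        # Locale variables are only dropped when the value could name a
        # path ('/') or carry a format directive ('%').
        LC_*|LANG|LANGUAGE)
            case $value in
                */*|*%*) return 0 ;;
                *)       return 1 ;;
            esac ;;
        *)
            return 1 ;;
    esac
}

# filter_env
#   Reads NAME=VALUE lines on stdin and prints the ones that survive.
filter_env() {
    while IFS= read -r entry; do
        name=${entry%%=*}
        value=${entry#*=}
        env_is_dangerous "$name" "$value" || printf '%s\n' "$entry"
    done
}

# Usage: printf 'HOME=/home/bob\nLD_LIBRARY_PATH=/tmp\nLANG=C\n' | filter_env
```

The output is what remains after this denylist alone. Current sudo
releases additionally default to env_reset, which keeps only an allowlist
of variables, so in practice a variable not on this list may still be
removed; see the sudoers manual for env_reset and env_keep.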
146:
Q) How can I keep sudo from asking for a password?
A) To specify this on a per-user (and per-command) basis, use the
'NOPASSWD' tag right before the command list in sudoers. See
the sudoers man page and sample.sudoers for details. To disable
passwords completely, add "!authenticate" to the Defaults line
in /etc/sudoers. You can also turn off authentication on a
per-user or per-host basis using a user or host-specific Defaults
entry in sudoers. To hard-code the global default, you can
configure with the --without-passwd option.

Q) When I run configure, it dies with the following error:
"no acceptable cc found in $PATH".
A) /usr/ucb/cc was the only C compiler that configure could find.
You need to tell configure the path to the "real" C compiler
via the --with-CC option. On Solaris, the path is probably
something like "/opt/SUNWspro/SC4.0/bin/cc". If you have gcc
that will also work.

Q) When I run configure, it dies with the following error:
Fatal Error: config.cache exists from another platform!
Please remove it and re-run configure.
A) configure caches the results of its tests in a file called
config.cache to make re-running configure speedy. However,
if you are building sudo for a different platform the results
in config.cache will be wrong so you need to remove config.cache.
You can do this by "rm config.cache" or "make realclean".
Note that "make realclean" will also remove any object files
and configure temp files that are lying around as well.

Q) I built sudo on a Solaris >= 2.6 machine but the resulting binary
doesn't work on Solaris <= 2.5.1. Why?
A) Starting with Solaris 2.6, snprintf(3) is included in the standard
C library. To build a version of sudo on a >= 2.6 machine that
will run on a <= 2.5.1 machine, edit config.h and comment out the lines:
#define HAVE_SNPRINTF 1
#define HAVE_VSNPRINTF 1
and run make.

Q) I built sudo on a Solaris 11 (or higher) machine but the resulting
binary doesn't work on older Solaris versions. Why?
A) Starting with Solaris 11, asprintf(3) is included in the standard
C library. To build a version of sudo on a Solaris 11 machine that
will run on an older Solaris release, edit config.h and comment out
the lines:
#define HAVE_ASPRINTF 1
#define HAVE_VASPRINTF 1
and run make.
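
Both Solaris answers above ask for the same manual edit of config.h. The
script below is an added example, not part of the sudo build system, that
does that edit from the shell so it can be repeated reliably: it turns each
"#define NAME 1" line into a C comment and refuses names that are not
currently defined, so a typo does not silently leave the define active.
It uses only POSIX sed and grep; the file name in the usage line is the
one the answers refer to.

```shell
#!/bin/sh
# Added example (not part of the sudo build): comment out one or more
# "#define HAVE_xxx 1" lines in config.h, as the two answers above require
# before re-running make. Writes through a temp file so it works with both
# GNU and BSD sed.

# comment_out_define FILE NAME...
#   Wraps each "#define NAME 1" line in a C comment. Returns 1 if any
#   requested NAME was not found as an active define.
comment_out_define() {
    file=$1
    shift
    rc=0
    for name in "$@"; do
        if ! grep -q "^#define $name 1\$" "$file"; then
            echo "$file: no active '#define $name 1' line" >&2
            rc=1
            continue
        fi
        sed "s|^#define $name 1\$|/* #define $name 1 */|" "$file" > "$file.tmp" &&
            mv "$file.tmp" "$file"
    done
    return $rc
}

# define_is_active FILE NAME
#   Returns 0 when "#define NAME 1" is still in effect in FILE.
define_is_active() {
    grep -q "^#define $2 1\$" "$1"
}

# Usage, for the Solaris 11 case above:
#   comment_out_define config.h HAVE_ASPRINTF HAVE_VASPRINTF && make
```

Note that re-running configure regenerates config.h and undoes the edit,
so apply it after configure and before make, as the answers describe.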
195:
Q) When I run "visudo" it says "sudoers file busy, try again later."
and doesn't do anything.
A) Someone else is currently editing the sudoers file with visudo.

Q) When I try to use "cd" with sudo it says "cd: command not found".
A) "cd" is a shell built-in command, you can't run it as a command
since a child process (sudo) cannot affect the current working
directory of the parent (your shell).

Q) When I try to use "cd" with sudo the command completes without
errors but nothing happens.
A) Even though "cd" is a shell built-in command, some operating systems
include a /usr/bin/cd command for some reason. A standalone
"cd" command is totally useless since a child process (cd) cannot
affect the current working directory of the parent (your shell).
Thus, "sudo cd /foo" will start a child process, change the
directory and immediately exit without doing anything useful.

Q) When I run sudo it says I am not allowed to run the command as root
but I don't want to run it as root, I want to run it as another user.
My sudoers file entry looks like:
bob ALL=(oracle) ALL
A) The default user sudo tries to run things as is always root, even if
the invoking user can only run commands as a single, specific user.
This may change in the future but at the present time you have to
work around this using the 'runas_default' option in sudoers.
For example:
Defaults:bob runas_default=oracle
would achieve the desired result for the preceding sudoers fragment.

Q) When I try to run sudo via ssh, I get the error:
sudo: no tty present and no askpass program specified
A) ssh does not allocate a tty by default when running a remote command.
Without a tty, sudo cannot disable echo when prompting for a password.
You can use ssh's "-t" option to force it to allocate a tty.
Alternately, if you do not mind your password being echoed to the
screen, you can use the "visiblepw" sudoers option to allow this.

Q) When I try to use SSL-enabled LDAP with sudo I get an error:
unable to initialize SSL cert and key db: security library: bad database.
you must set TLS_CERT in /etc/ldap.conf to use SSL
A) On systems that use a Mozilla-derived LDAP SDK there must be a
certificate database in place to use SSL-encrypted LDAP connections.
This file is usually /var/ldap/cert8.db or /etc/ldap/cert8.db.
The actual number after "cert" will vary, depending on the version
of the LDAP SDK that is being used. If you do not have a certificate
database you can either copy one from a mozilla-derived browser, such
as firefox, or create one using the "certutil" command. You can run
"certutil" as follows and press the <return> (or <enter>) key at the
password prompt:
# certutil -N -d /var/ldap
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password: <return>
Re-enter password: <return>

Q) On HP-UX, when I run a command via sudo it displays information
about the last successful login and last authentication failure
for every command. How can I fix this?
A) This output comes from /usr/lib/security/libpam_hpsec.so.1.
To suppress it, add a line like the following to /etc/pam.conf:
sudo session required libpam_hpsec.so.1 bypass_umask bypass_last_login

Q) On HP-UX, the umask setting in sudoers has no effect.
A) If your /etc/pam.conf file has the libpam_hpsec.so.1 session module
enabled, you may need to add a line like the following to pam.conf:
sudo session required libpam_hpsec.so.1 bypass_umask

Q) When I run sudo on AIX I get the following error:
setuidx(ID_EFFECTIVE|ID_REAL|ID_SAVED, ROOT_UID): Operation not permitted.
A) AIX's Enhanced RBAC is preventing sudo from running. To fix
this, add the following entry to /etc/security/privcmds (adjust
the path to sudo as needed) and run the setkst command as root:

/usr/local/bin/sudo:
accessauths = ALLOW_ALL
innateprivs = PV_DAC_GID,PV_DAC_O,PV_DAC_R,PV_DAC_UID,PV_DAC_W,PV_DAC_X,PV_FS_CHOWN,PV_PROC_ENV,PV_PROC_PRIO,PV_PROC_RAC
secflags = FSF_EPS

Q) Sudo configures and builds without error but when I run it I get
a Segmentation fault.
A) If you are on a Linux system, the first thing to try is to run
configure with the --disable-pie option, then "make clean" and
"make". If that fixes the problem then your operating system
does not properly support position independent executables.
Please send a message to sudo@sudo.ws with system details such
as the Linux distro, kernel version and CPU architecture.

Q) When I run configure I get the following error:
dlopen present but libtool doesn't appear to support your platform.
A) Libtool doesn't know how to support dynamic linking on the operating
system you are building for. If you are cross-compiling, you need to
specify the operating system, not just the CPU type. For example:
--host powerpc-unknown-linux
instead of just:
--host powerpc

Q) How do you pronounce `sudo'?
A) The official pronunciation is soo-doo (for su "do"). However, an
alternate pronunciation, a homophone of "pseudo", is also common.