Troubleshooting tips and FAQ for Sudo
=====================================

Q) When I run configure, it says "C compiler cannot create executables".
A) This usually means you don't have a working compiler. This
could be due to the lack of a license or that some component of the
compiler suite could not be found. Check config.log for clues as
to why this is happening. On many systems, compiler components live
in /usr/ccs/bin which may not be in your PATH environment variable.

Q) When I run configure, it says "sudo requires the 'ar' utility to build".
A) As part of the build process, sudo creates a temporary library containing
objects that are shared amongst the different sudo executables.
On Unix systems, the "ar" utility is used to do this. This error
indicates that "ar" is missing on your system. On Solaris systems,
you may need to install the SUNWbtool package. On other systems
"ar" may be included in the GNU binutils package.

Q) Sudo compiles and installs OK but when I try to run it I get:
/usr/local/bin/sudo must be owned by uid 0 and have the setuid bit set
A) Sudo must be setuid root to do its work. Either /usr/local/bin/sudo
is not owned by uid 0 or the setuid bit is not set. This should have
been done for you by "make install" but you can fix it manually by
running the following as root:
# chown root /usr/local/bin/sudo; chmod 4755 /usr/local/bin/sudo

Q) Sudo compiles and installs OK but when I try to run it I get:
effective uid is not 0, is /usr/local/bin/sudo on a file system with the
'nosuid' option set or an NFS file system without root privileges?
A) The owner and permissions on the sudo binary appear to be OK but when
sudo ran, the setuid bit did not have an effect. There are two common
causes for this. The first is that the file system the sudo binary
is located on is mounted with the 'nosuid' mount option, which disables
setuid binaries. The output of the "mount" command should tell you if
the file system is mounted with the 'nosuid' option. The other possible
cause is that sudo is installed on an NFS-mounted file system that is
exported without root privileges. By default, NFS file systems are
exported with uid 0 mapped to a non-privileged uid (usually -2). You
should be able to determine whether sudo is located on an NFS-mounted
filesystem by running "df `which sudo`".

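The checks in the two preceding answers can be scripted. The POSIX shell
script below is an added example and is not part of the sudo distribution:
it parses a line of "ls -l" output to confirm root ownership and the setuid
bit, and parses "mount" output (read from stdin, so the sample can use
constructed lines) to see whether a mount point carries the 'nosuid' option.
The sample ls line and mount table are constructed for illustration; a real
run would pass "$(command -v sudo)" and pipe in the output of "mount".

```sh
#!/bin/sh
# Added example: sanity checks for a setuid sudo binary (not sudo's own code).

# setuid_root_from_ls "LINE": given one line of `ls -l` output, return 0 if the
# file is owned by root and has the setuid bit set, 1 otherwise.
setuid_root_from_ls() {
    set -- $1                       # split into fields: mode links owner group ...
    mode=$1; owner=$3
    case $mode in
        ???[sS]*) ;;                # 4th mode character is the setuid bit ('S' if not executable)
        *) echo "setuid bit not set (mode $mode)" >&2; return 1 ;;
    esac
    [ "$owner" = root ] && return 0
    echo "owner is $owner, not root" >&2
    return 1
}

# check_setuid_root FILE: run the check above on a real file.
check_setuid_root() {
    line=$(ls -ldL -- "$1" 2>/dev/null) || { echo "$1: cannot stat" >&2; return 2; }
    setuid_root_from_ls "$line"
}

# mount_has_nosuid MOUNTPOINT: read mount(8) output on stdin.  Return 0 if the
# mount point is listed with the nosuid option, 1 if it is listed without it,
# 2 if it is not listed at all.
mount_has_nosuid() {
    mp=$1
    while IFS= read -r line; do
        case $line in
            *" on $mp "*)
                case $line in
                    *nosuid*) return 0 ;;
                    *)        return 1 ;;
                esac ;;
        esac
    done
    return 2
}

# mount_point_of FILE: the mount point holding FILE, via POSIX `df -P`.
mount_point_of() {
    df -P -- "$1" | awk 'NR == 2 { print $NF }'
}

# Stand-alone demonstration on constructed data.
sample_ls='-rwsr-xr-x 1 root wheel 204800 Jan  1 12:00 /usr/local/bin/sudo'
sample_mount='/dev/sda1 on / type ext4 (rw,relatime)
/dev/sdb1 on /usr/local type ext4 (rw,nosuid,nodev,relatime)'

setuid_root_from_ls "$sample_ls" && echo "sample binary: owner and mode OK"
printf '%s\n' "$sample_mount" | mount_has_nosuid /usr/local \
    && echo "/usr/local is mounted nosuid: setuid binaries there will not work"
```

On a real system, combine the pieces as
"mount | mount_has_nosuid "$(mount_point_of "$(command -v sudo)")"".
The script only reports the two conditions the answers describe; the NFS
root-squash case still has to be confirmed from the export options on the
server.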
Q) Sudo never gives me a chance to enter a password using PAM, it just
says 'Sorry, try again.' three times and exits.
A) You didn't set up PAM to work with sudo. On RedHat Linux or Fedora
Core this generally means installing sample.pam as /etc/pam.d/sudo.
See the sample.pam file for hints on what to use for other Linux
systems.

Q) Sudo says 'Account expired or PAM config lacks an "account"
section for sudo, contact your system administrator' and exits
but I know my account has not expired.
A) Your PAM config lacks an "account" specification. On Linux this
usually means you are missing a line like:
account required pam_unix.so
in /etc/pam.d/sudo.

Q) Sudo is setup to log via syslog(3) but I'm not getting any log
messages.
A) Make sure you have an entry in your syslog.conf file to save
the sudo messages (see the sample.syslog.conf file). The default
log facility is authpriv (changeable via configure or in sudoers).
Don't forget to send a SIGHUP to your syslogd so that it re-reads
its conf file. Also, remember that syslogd does *not* create
log files, you need to create the file before syslogd will log
to it (i.e., touch /var/log/sudo).
Note: the facility (e.g. "auth.debug") must be separated from the
destination (e.g. "/var/log/auth" or "@loghost") by
tabs, *not* spaces. This is a common error.

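The three mistakes in the answer above (no selector for the facility, spaces
instead of a tab, and a log file that was never created) can all be caught
before restarting syslogd. The POSIX shell script below is an added example,
not part of sudo or of any syslogd; it reads a syslog.conf on stdin so the
constructed sample lines can be checked without touching /etc. The selector
matching is deliberately simple (it recognizes "fac.level", comma lists such
as "auth,authpriv.*", and the "*." wildcard) and does not model ".none"
exclusions.

```sh
#!/bin/sh
# Added example: lint a classic syslog.conf for the problems described above.

# syslog_conf_lint FACILITY: read syslog.conf on stdin.  Report selector lines
# whose selector and action are separated by spaces instead of a tab, and
# report if no tab-separated selector captures FACILITY.  Returns 0 if clean.
syslog_conf_lint() {
    fac=$1
    tab=$(printf '\t')
    rc=0
    seen=0
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;                  # blank line or comment
            *"$tab"*) selector=${line%%"$tab"*} ;; # tab-separated: keep the selector part
            *' '*)                                # spaces only: classic syslogd will not honor it
                echo "no tab between selector and action: $line" >&2
                rc=1
                continue ;;
            *) echo "malformed line: $line" >&2; rc=1; continue ;;
        esac
        case $selector in
            *"$fac".*|*'*.'*) seen=1 ;;           # "authpriv.*", "auth,authpriv.*" or "*.info"
        esac
    done
    if [ "$seen" -eq 0 ]; then
        echo "no selector logs facility '$fac'" >&2
        rc=1
    fi
    return $rc
}

# syslog_missing_files: read syslog.conf on stdin and print each file action
# that does not exist yet (syslogd will not create it; touch it first).
# Returns 1 if at least one file is missing.
syslog_missing_files() {
    tab=$(printf '\t')
    rc=0
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;
            *"$tab"*) action=${line##*"$tab"} ;;  # text after the last tab
            *) continue ;;
        esac
        action=${action#"${action%%[! ]*}"}      # trim leading spaces
        action=${action#-}                        # Linux syslogd: "-/path" means no fsync
        case $action in
            /*) [ -e "$action" ] || { echo "$action"; rc=1; } ;;
        esac
    done
    return $rc
}

# Stand-alone demonstration on a constructed configuration.
sample_conf=$(printf '# constructed sample\nauth,authpriv.*\t/var/log/auth.log\nlocal0.* /var/log/local0\n')
printf '%s\n' "$sample_conf" | syslog_conf_lint authpriv || echo "syslog.conf needs fixing"
printf '%s\n' "$sample_conf" | syslog_missing_files | sed 's/^/create with touch: /'
```

Run it as "syslog_conf_lint authpriv < /etc/syslog.conf" (or with whatever
facility sudoers sets) and "syslog_missing_files < /etc/syslog.conf"; the
latter lists exactly the files to touch before sending the SIGHUP.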
Q) When sudo asks me for my password it never accepts what I enter even
though I know I entered my password correctly.
A) If you are not using pam and your system uses shadow passwords,
it is possible that sudo didn't properly detect that shadow
passwords are in use. Take a look at the generated config.h
file and verify that the C function used for shadow password
look ups was detected. For instance, for SVR4-style shadow
passwords, HAVE_GETSPNAM should be defined (you can search for
the string "shadow passwords" in config.h with your editor).
Note that there is no define for 4.4BSD-based shadow passwords
since that just uses the standard getpw* routines.

Q) Can sudo use the ssh agent for authentication instead of asking
for the user's Unix password?
A) Not directly, but you can use a PAM module like pam_ssh_agent_auth
or pam_ssh for this purpose.

Q) I don't want the sudoers file in /etc, how can I specify where it
should go?
A) Use the --sysconfdir option to configure, e.g.:
configure --sysconfdir=/dir/you/want/sudoers/in

Q) Can I put the sudoers file in NIS/NIS+ or do I have to have a
copy on each machine?
A) There is no support for making an NIS/NIS+ map/table out of
the sudoers file at this time. You can distribute the sudoers
file via rsync or rdist. It is also possible to NFS-mount the
sudoers file. If you use LDAP at your site you may be interested
in sudo's LDAP sudoers support, see the README.LDAP file and the
sudoers.ldap manual.

Q) I don't run sendmail on my machine. Does this mean that I cannot
use sudo?
A) No, you just need to disable mailing with a line like:
Defaults !mailerpath
in your sudoers file or run configure with the --without-sendmail
option.

Q) When I run visudo it uses vi as the editor and I hate vi. How
can I make it use another editor?
A) You can specify the editor to use in visudo in the sudoers file.
See the "editor" and "env_editor" entries in the sudoers manual.
The defaults can also be set at configure time using the
--with-editor and --with-env-editor configure options.

Q) Sudo appears to be removing some variables from my environment, why?
A) Sudo removes the following "dangerous" environment variables
to guard against shared library spoofing, shell voodoo, and
kerberos server spoofing.
IFS
LOCALDOMAIN
RES_OPTIONS
HOSTALIASES
NLSPATH
PATH_LOCALE
TERMINFO
TERMINFO_DIRS
TERMPATH
TERMCAP
ENV
BASH_ENV
LC_* (if it contains a '/' or '%')
LANG (if it contains a '/' or '%')
LANGUAGE (if it contains a '/' or '%')
LD_*
_RLD_*
SHLIB_PATH (HP-UX only)
LIBPATH (AIX only)
KRB5_CONFIG (kerb5 only)
VAR_ACE (SecurID only)
USR_ACE (SecurID only)
DLC_ACE (SecurID only)

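To see which entries of a given environment fall under the rules above, the
POSIX shell script below re-implements the list as a single "case" statement.
It is an added example and not sudo's own code: the function names and the
sample environment are constructed for illustration, and the platform-specific
entries (HP-UX, AIX, Kerberos, SecurID) are treated as always on the list.
Note that current sudo versions enable env_reset by default, which replaces
the environment with a small allow-list; the removal list above is what applies
when env_reset is turned off.

```sh
#!/bin/sh
# Added example: which environment variables sudo strips, per the list above
# (illustrative re-implementation of the rules, not sudo's own code).

# sudo_strips_var "NAME=value": return 0 if the variable is on the removal list.
sudo_strips_var() {
    name=${1%%=*}
    value=${1#*=}
    case $name in
        IFS|LOCALDOMAIN|RES_OPTIONS|HOSTALIASES|NLSPATH|PATH_LOCALE|\
        TERMINFO|TERMINFO_DIRS|TERMPATH|TERMCAP|ENV|BASH_ENV)
            return 0 ;;                        # always removed
        LD_*|_RLD_*)
            return 0 ;;                        # dynamic loader controls (library spoofing)
        SHLIB_PATH|LIBPATH|KRB5_CONFIG|VAR_ACE|USR_ACE|DLC_ACE)
            return 0 ;;                        # platform/feature-specific entries from the list
        LC_*|LANG|LANGUAGE)
            case $value in
                */*|*%*) return 0 ;;           # locale names must not look like paths or formats
            esac ;;
    esac
    return 1
}

# report_stripped: read "NAME=value" lines on stdin (e.g. from env(1)) and print
# the names sudo would remove.  Returns 0 if at least one would be removed.
report_stripped() {
    found=1
    while IFS= read -r entry; do
        if sudo_strips_var "$entry"; then
            echo "would be removed: ${entry%%=*}"
            found=0
        fi
    done
    return $found
}

# Stand-alone demonstration on a constructed environment.
sample_env='HOME=/home/bob
PATH=/usr/local/bin:/usr/bin:/bin
LANG=en_US.UTF-8
LD_LIBRARY_PATH=/home/bob/lib
LC_ALL=/tmp/locale
IFS=:
TERMCAP=/etc/termcap'

printf '%s\n' "$sample_env" | report_stripped
```

Running "env | report_stripped" on a real shell lists the variables that
will not survive into the command sudo runs, which is usually the quickest
explanation for "it works from my shell but not under sudo".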
Q) How can I keep sudo from asking for a password?
A) To specify this on a per-user (and per-command) basis, use the
'NOPASSWD' tag right before the command list in sudoers. See
the sudoers man page and sample.sudoers for details. To disable
passwords completely, add "!authenticate" to the Defaults line
in /etc/sudoers. You can also turn off authentication on a
per-user or per-host basis using a user or host-specific Defaults
entry in sudoers. To hard-code the global default, you can
configure with the --without-passwd option.

Q) When I run configure, it dies with the following error:
"no acceptable cc found in $PATH".
A) /usr/ucb/cc was the only C compiler that configure could find.
You need to tell configure the path to the "real" C compiler
via the --with-CC option. On Solaris, the path is probably
something like "/opt/SUNWspro/SC4.0/bin/cc". If you have gcc
that will also work.

Q) When I run configure, it dies with the following error:
Fatal Error: config.cache exists from another platform!
Please remove it and re-run configure.
A) configure caches the results of its tests in a file called
config.cache to make re-running configure speedy. However,
if you are building sudo for a different platform the results
in config.cache will be wrong so you need to remove config.cache.
You can do this by "rm config.cache" or "make realclean".
Note that "make realclean" will also remove any object files
and configure temp files that are lying around as well.

Q) I built sudo on a Solaris >= 2.6 machine but the resulting binary
doesn't work on Solaris <= 2.5.1. Why?
A) Starting with Solaris 2.6, snprintf(3) is included in the standard
C library. To build a version of sudo on a >= 2.6 machine that
will run on a <= 2.5.1 machine, edit config.h and comment out the lines:
#define HAVE_SNPRINTF 1
#define HAVE_VSNPRINTF 1
and run make.

Q) I built sudo on a Solaris 11 (or higher) machine but the resulting
binary doesn't work on older Solaris versions. Why?
A) Starting with Solaris 11, asprintf(3) is included in the standard
C library. To build a version of sudo on a Solaris 11 machine that
will run on an older Solaris release, edit config.h and comment out
the lines:
#define HAVE_ASPRINTF 1
#define HAVE_VASPRINTF 1
and run make.

Q) When I run "visudo" it says "sudoers file busy, try again later."
and doesn't do anything.
A) Someone else is currently editing the sudoers file with visudo.

Q) When I try to use "cd" with sudo it says "cd: command not found".
A) "cd" is a shell built-in command; you can't run it as a command
since a child process (sudo) cannot affect the current working
directory of the parent (your shell).

Q) When I try to use "cd" with sudo the command completes without
errors but nothing happens.
A) Even though "cd" is a shell built-in command, some operating systems
include a /usr/bin/cd command for some reason. A standalone
"cd" command is totally useless since a child process (cd) cannot
affect the current working directory of the parent (your shell).
Thus, "sudo cd /foo" will start a child process, change the
directory and immediately exit without doing anything useful.

Q) When I run sudo it says I am not allowed to run the command as root
but I don't want to run it as root, I want to run it as another user.
My sudoers file entry looks like:
bob ALL=(oracle) ALL
A) The default user sudo tries to run things as is always root, even if
the invoking user can only run commands as a single, specific user.
This may change in the future but at the present time you have to
work around this using the 'runas_default' option in sudoers.
For example:
Defaults:bob runas_default=oracle
would achieve the desired result for the preceding sudoers fragment.

Q) When I try to run sudo via ssh, I get the error:
sudo: no tty present and no askpass program specified
A) ssh does not allocate a tty by default when running a remote command.
Without a tty, sudo cannot disable echo when prompting for a password.
You can use ssh's "-t" option to force it to allocate a tty.
Alternately, if you do not mind your password being echoed to the
screen, you can use the "visiblepw" sudoers option to allow this.

Q) When I try to use SSL-enabled LDAP with sudo I get an error:
unable to initialize SSL cert and key db: security library: bad database.
you must set TLS_CERT in /etc/ldap.conf to use SSL
A) On systems that use a Mozilla-derived LDAP SDK there must be a
certificate database in place to use SSL-encrypted LDAP connections.
This file is usually /var/ldap/cert8.db or /etc/ldap/cert8.db.
The actual number after "cert" will vary, depending on the version
of the LDAP SDK that is being used. If you do not have a certificate
database you can either copy one from a mozilla-derived browser, such
as firefox, or create one using the "certutil" command. You can run
"certutil" as follows and press the <return> (or <enter>) key at the
password prompt:
# certutil -N -d /var/ldap
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password: <return>
Re-enter password: <return>

Q) On HP-UX, when I run a command via sudo it displays information
about the last successful login and last authentication failure
for every command. How can I fix this?
A) This output comes from /usr/lib/security/libpam_hpsec.so.1.
To suppress it, add a line like the following to /etc/pam.conf:
sudo session required libpam_hpsec.so.1 bypass_umask bypass_last_login

Q) On HP-UX, the umask setting in sudoers has no effect.
A) If your /etc/pam.conf file has the libpam_hpsec.so.1 session module
enabled, you may need to add a line like the following to pam.conf:
sudo session required libpam_hpsec.so.1 bypass_umask

Q) When I run sudo on AIX I get the following error:
setuidx(ID_EFFECTIVE|ID_REAL|ID_SAVED, ROOT_UID): Operation not permitted.
A) AIX's Enhanced RBAC is preventing sudo from running. To fix
this, add the following entry to /etc/security/privcmds (adjust
the path to sudo as needed) and run the setkst command as root:

/usr/local/bin/sudo:
accessauths = ALLOW_ALL
innateprivs = PV_DAC_GID,PV_DAC_O,PV_DAC_R,PV_DAC_UID,PV_DAC_W,PV_DAC_X,PV_FS_CHOWN,PV_PROC_ENV,PV_PROC_PRIO,PV_PROC_RAC
secflags = FSF_EPS

Q) Sudo configures and builds without error but when I run it I get
a Segmentation fault.
A) If you are on a Linux system, the first thing to try is to run
configure with the --disable-pie option, then "make clean" and
"make". If that fixes the problem then your operating system
does not properly support position independent executables.
Please send a message to sudo@sudo.ws with system details such
as the Linux distro, kernel version and CPU architecture.

Q) When I run configure I get the following error:
dlopen present but libtool doesn't appear to support your platform.
A) Libtool doesn't know how to support dynamic linking on the operating
system you are building for. If you are cross-compiling, you need to
specify the operating system, not just the CPU type. For example:
--host powerpc-unknown-linux
instead of just:
--host powerpc

Q) How do you pronounce 'sudo'?
A) The official pronunciation is soo-doo (for su "do"). However, an
alternate pronunciation, a homophone of "pseudo", is also common.