Troubleshooting tips and FAQ for Sudo
=====================================

Q) When I run configure, it says "C compiler cannot create executables".
A) This usually means you don't have a working compiler. This
   could be due to the lack of a license or that some component of the
   compiler suite could not be found. Check config.log for clues as
   to why this is happening. On many systems, compiler components live
   in /usr/ccs/bin which may not be in your PATH environment variable.

Q) Sudo compiles but when I run it I get "Sorry, sudo must be setuid root."
   and sudo quits.
A) Sudo must be setuid root to do its work. You need to do something like
   `chmod 4111 /usr/local/bin/sudo'. Also, the file system sudo resides
   on must *not* be mounted (or exported) with the nosuid option or sudo
   will not be able to work. Another possibility is you may have '.' in
   your $PATH before the directory containing sudo. If you are going
   to have '.' in your path you should make sure it is at the end.

Q) Sudo never gives me a chance to enter a password using PAM, it just
   says 'Sorry, try again.' three times and exits.
A) You didn't set up PAM to work with sudo. On Red Hat Linux or Fedora
   Core this generally means installing sample.pam as /etc/pam.d/sudo.
   See the sample.pam file for hints on what to use for other Linux
   systems.

Q) Sudo says 'Account expired or PAM config lacks an "account"
   section for sudo, contact your system administrator' and exits
   but I know my account has not expired.
A) Your PAM config lacks an "account" specification. On Linux this
   usually means you are missing a line like:
       account required pam_unix.so
   in /etc/pam.d/sudo.

Q) Sudo is set up to log via syslog(3) but I'm not getting any log
   messages.
A) Make sure you have an entry in your syslog.conf file to save
   the sudo messages (see the sample.syslog.conf file). The default
   log facility is authpriv (changeable via configure or in sudoers).
   Don't forget to send a SIGHUP to your syslogd so that it re-reads
   its conf file. Also, remember that syslogd does *not* create
   log files, you need to create the file before syslogd will log
   to it (i.e. touch /var/log/sudo).
   Note: the facility (e.g. "auth.debug") must be separated from the
   destination (e.g. "/var/log/auth" or "@loghost") by
   tabs, *not* spaces. This is a common error.

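The tab-versus-space mistake above is hard to spot by eye. The script below is an added example, not part of the sudo distribution: it scans a syslog.conf and reports selector lines whose action is separated by spaces only, using a sample file it constructs itself.

```shell
#!/bin/sh
# Added example, not part of the sudo distribution: report syslog.conf lines
# whose selector (e.g. "authpriv.debug") is separated from the action
# (e.g. "/var/log/sudo" or "@loghost") by spaces only, the common error the
# FAQ entry above describes.

TAB=$(printf '\t')

# Print each offending line as "LINENO:line"; return 1 if any were found.
check_syslog_separators() {
    conf=$1
    bad=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) continue ;;            # blank line or comment
            *"$TAB"*) continue ;;           # a tab separator is present: fine
            *' '*) printf '%s:%s\n' "$n" "$line"; bad=1 ;;   # spaces only
        esac
    done < "$conf"
    return "$bad"
}

# Constructed sample syslog.conf (not a real system file): lines 3 and 5
# use spaces, so they are the ones that should be reported.
SAMPLE=$(mktemp)
printf '# sudo logs to the authpriv facility by default\n' > "$SAMPLE"
printf 'authpriv.debug\t/var/log/sudo\n' >> "$SAMPLE"
printf 'auth.debug   /var/log/auth\n' >> "$SAMPLE"
printf 'authpriv.*\t@loghost\n' >> "$SAMPLE"
printf '*.emerg *\n' >> "$SAMPLE"

check_syslog_separators "$SAMPLE" || echo "fix the lines above, then SIGHUP syslogd"
```

Run it against /etc/syslog.conf instead of the sample to audit a real host; a clean file produces no output and exit status 0.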
Q) When sudo asks me for my password it never accepts what I enter even
   though I know I entered my password correctly.
A) If your system uses shadow passwords, it is possible that sudo
   didn't detect this. Take a look at the generated config.h file
   and verify that the C function used for shadow password lookups
   was detected. For instance, for SVR4-style shadow passwords,
   HAVE_GETSPNAM should be defined (you can search for the string
   "shadow passwords" in config.h with your editor). Note that
   there is no define for 4.4BSD-based shadow passwords since that
   just uses the standard getpw* routines.

Q) I don't want the sudoers file in /etc, how can I specify where it
   should go?
A) Use the --sysconfdir option to configure. I.e.:
       configure --sysconfdir=/dir/you/want/sudoers/in

Q) Can I put the sudoers file in NIS/NIS+ or do I have to have a
   copy on each machine?
A) There is no support for making an NIS/NIS+ map/table out of
   the sudoers file at this time. A good way to distribute the
   sudoers file is via rdist(1). It is also possible to NFS-mount
   the sudoers file.

Q) I don't run sendmail on my machine. Does this mean that I cannot
   use sudo?
A) No, you just need to use the --without-sendmail argument to configure
   or add "!mailerpath" to the Defaults line in /etc/sudoers.

Q) When I run visudo it uses vi as the editor and I hate vi. How
   can I make it use another editor?
A) Your best bet is to run configure with the --with-env-editor switch.
   This will make visudo use the editor specified by the user's
   EDITOR environment variable. Alternately, you can run configure
   with the --with-editor=/path/to/another/editor.

Q) Sudo appears to be removing some variables from my environment, why?
A) Sudo removes the following "dangerous" environment variables
   to guard against shared library spoofing, shell voodoo, and
   kerberos server spoofing.
       IFS
       LOCALDOMAIN
       RES_OPTIONS
       HOSTALIASES
       NLSPATH
       PATH_LOCALE
       TERMINFO
       TERMINFO_DIRS
       TERMPATH
       TERMCAP
       ENV
       BASH_ENV
       LC_ (if it contains a '/' or '%')
       LANG (if it contains a '/' or '%')
       LANGUAGE (if it contains a '/' or '%')
       LD_*
       _RLD_*
       SHLIB_PATH (HP-UX only)
       LIBPATH (AIX only)
       KRB_CONF (kerb4 only)
       KRBCONFDIR (kerb4 only)
       KRBTKFILE (kerb4 only)
       KRB5_CONFIG (kerb5 only)
       VAR_ACE (SecurID only)
       USR_ACE (SecurID only)
       DLC_ACE (SecurID only)

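To see which variables in a given environment fall under the list above, here is an added check that is not sudo's own code. It reads the page's "LC_" entry as the LC_* family and applies the kerb4/kerb5, SecurID, HP-UX and AIX entries unconditionally, both assumptions; the sample environment it inspects is constructed.

```shell
#!/bin/sh
# Added example, not from the sudo sources: apply the FAQ's list above to an
# environment dump and name the variables sudo would strip. Assumptions: the
# page's "LC_" entry is read as the LC_* family, and the kerb4/kerb5, SecurID,
# HP-UX and AIX entries are applied unconditionally (on a real build they only
# apply when that support is compiled in).

# Usage: sudo_would_strip NAME VALUE ; returns 0 (true) if sudo would strip it.
sudo_would_strip() {
    name=$1
    value=$2
    case $name in
        IFS|LOCALDOMAIN|RES_OPTIONS|HOSTALIASES|NLSPATH|PATH_LOCALE) return 0 ;;
        TERMINFO|TERMINFO_DIRS|TERMPATH|TERMCAP|ENV|BASH_ENV) return 0 ;;
        LD_*|_RLD_*|SHLIB_PATH|LIBPATH) return 0 ;;       # dynamic loader paths
        KRB_CONF|KRBCONFDIR|KRBTKFILE|KRB5_CONFIG) return 0 ;;
        VAR_ACE|USR_ACE|DLC_ACE) return 0 ;;
        LC_*|LANG|LANGUAGE)
            # Locale variables are only stripped when the value contains
            # a '/' (could name a path) or a '%' (could be a format string).
            case $value in
                */*|*%*) return 0 ;;
                *) return 1 ;;
            esac ;;
        *) return 1 ;;
    esac
}

# Read "env"-style NAME=VALUE lines on stdin and print the names sudo
# would strip, one per line.
list_stripped() {
    while IFS= read -r entry; do
        name=${entry%%=*}
        value=${entry#*=}
        if sudo_would_strip "$name" "$value"; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample environment for the demonstration.
SAMPLE_ENV='PATH=/usr/bin:/bin
LD_PRELOAD=/tmp/untrusted.so
LANG=en_US.UTF-8
LC_ALL=/tmp/locale
BASH_ENV=/tmp/rc
HOME=/home/bob'
printf '%s\n' "$SAMPLE_ENV" | list_stripped
```

Pipe the output of env into list_stripped to explain why a variable you set before running sudo is missing afterwards.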
Q) How can I keep sudo from asking for a password?
A) To specify this on a per-user (and per-command) basis, use the 'NOPASSWD'
   tag right before the command list in sudoers. See the sudoers man page
   and sample.sudoers for details. To disable passwords completely,
   run configure with the --without-passwd option or add "!authenticate"
   to the Defaults line in /etc/sudoers. You can also turn off authentication
   on a per-user or per-host basis using a user or host-specific Defaults
   entry in sudoers.

Q) When I run configure, it dies with the following error:
       "no acceptable cc found in $PATH".
A) /usr/ucb/cc was the only C compiler that configure could find.
   You need to tell configure the path to the "real" C compiler
   via the --with-CC option. On Solaris, the path is probably
   something like "/opt/SUNWspro/SC4.0/bin/cc". If you have gcc
   that will also work.

Q) When I run configure, it dies with the following error:
       Fatal Error: config.cache exists from another platform!
       Please remove it and re-run configure.
A) configure caches the results of its tests in a file called
   config.cache to make re-running configure speedy. However,
   if you are building sudo for a different platform the results
   in config.cache will be wrong so you need to remove config.cache.
   You can do this by "rm config.cache" or "make realclean".
   Note that "make realclean" will also remove any object files
   and configure temp files that are lying around as well.

Q) I built sudo on a Solaris >= 2.6 machine but the resulting binary
   doesn't work on Solaris <= 2.5.1. Why?
A) Starting with Solaris 2.6, snprintf(3) is included in the standard
   C library. To build a version of sudo on a >= 2.6 machine that
   will run on a <= 2.5.1 machine, edit config.h and comment out the lines:
       #define HAVE_SNPRINTF 1
       #define HAVE_VSNPRINTF 1
   and run make.

Q) When I run "visudo" it says "sudoers file busy, try again later."
   and doesn't do anything.
A) Someone else is currently editing the sudoers file with visudo.

Q) When I try to use "cd" with sudo it says "cd: command not found".
A) "cd" is a shell built-in command, you can't run it as a command
   since a child process (sudo) cannot affect the current working
   directory of the parent (your shell).

Q) When I try to use "cd" with sudo the command completes without
   errors but nothing happens.
A) Even though "cd" is a shell built-in command, some operating systems
   include a /usr/bin/cd command for some reason. A standalone
   "cd" command is totally useless since a child process (cd) cannot
   affect the current working directory of the parent (your shell).
   Thus, "sudo cd /foo" will start a child process, change the
   directory and immediately exit without doing anything useful.

Q) When I run sudo it says I am not allowed to run the command as root
   but I don't want to run it as root, I want to run it as another user.
   My sudoers file entry looks like:
       bob ALL=(oracle) ALL
A) The user sudo tries to run commands as by default is always root, even if
   the invoking user can only run commands as a single, specific user.
   This may change in the future but at the present time you have to
   work around this using the 'runas_default' option in sudoers.
   For example:
       Defaults:bob runas_default=oracle
   would achieve the desired result for the preceding sudoers fragment.

Q) When I try to run sudo via ssh, I get the error:
       sudo: no tty present and no askpass program specified
A) ssh does not allocate a tty by default when running a remote command.
   Without a tty, sudo cannot disable echo when prompting for a password.
   You can use ssh's "-t" option to force it to allocate a tty.
   Alternately, if you do not mind your password being echoed to the
   screen, you can use the "visiblepw" sudoers option to allow this.

Q) How do you pronounce `sudo'?
A) The official pronunciation is soo-doo (for su "do"). However, an
   alternate pronunciation, a homophone of "pseudo", is also common.