Troubleshooting tips and FAQ for Sudo
=====================================

Q) When I run configure, it says "C compiler cannot create executables".
A) This usually means you don't have a working compiler.  This
   could be due to the lack of a license or that some component of the
   compiler suite could not be found.  Check config.log for clues as
   to why this is happening.  On many systems, compiler components live
   in /usr/ccs/bin which may not be in your PATH environment variable.

Q) When I run configure, it says "sudo requires the 'ar' utility to build".
A) As part of the build process, sudo creates a temporary library containing
   objects that are shared amongst the different sudo executables.
   On Unix systems, the "ar" utility is used to do this.  This error
   indicates that "ar" is missing on your system.  On Solaris systems,
   you may need to install the SUNWbtool package.  On other systems
   "ar" may be included in the GNU binutils package.

Q) Sudo compiles and installs OK but when I try to run it I get:
   /usr/local/bin/sudo must be owned by uid 0 and have the setuid bit set
A) Sudo must be setuid root to do its work.  Either /usr/local/bin/sudo
   is not owned by uid 0 or the setuid bit is not set.  This should have
   been done for you by "make install" but you can fix it manually by
   running the following as root:
    # chown root /usr/local/bin/sudo; chmod 4111 /usr/local/bin/sudo

Q) Sudo compiles and installs OK but when I try to run it I get:
    effective uid is not 0, is /usr/local/bin/sudo on a file system with the
    'nosuid' option set or an NFS file system without root privileges?
A) The owner and permissions on the sudo binary appear to be OK but when
   sudo ran, the setuid bit did not have an effect.  There are two common
   causes for this.  The first is that the file system the sudo binary
   is located on is mounted with the 'nosuid' mount option, which disables
   setuid binaries.  The other is that sudo is installed on an NFS-mounted
   file system that is exported without root privileges.  By default, NFS
   file systems are exported with uid 0 mapped to a non-privileged uid
   (usually -2 or 65534, "nobody").  Either way, the file system sudo
   resides on must *not* be mounted (or exported) with the nosuid option
   or sudo will not be able to work; remount it without nosuid, or
   install sudo on a local file system.

   A third possibility is that the sudo being run is not the one you
   installed: if '.' (or an empty element) appears in your $PATH before
   the directory containing sudo, a non-setuid copy in the current
   directory will be run instead.  If you are going to have '.' in
   your path you should make sure it is at the end, and check which
   sudo binary is actually being executed before chasing mount options.
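The checks in the two answers above can be run without invoking sudo at all.  The script below is an added example written for this FAQ, not part of sudo: it classifies the owner and mode of the binary from `ls -ln` output, looks for the nosuid mount option (via /proc/mounts, so that part is Linux-only and silently reports nothing elsewhere), and warns when '.' precedes sudo's directory in $PATH.  The default path /usr/local/bin/sudo is the one used in this FAQ; pass another path as the first argument.

```sh
#!/bin/sh
# Added diagnostic for the setuid questions in this FAQ (illustrative code,
# not part of sudo).  Assumed default binary: /usr/local/bin/sudo.

# perm_status LS_LINE -> prints ok | not_root | no_setuid
#   LS_LINE is one line of `ls -ln FILE` output (numeric owner uid).
perm_status() {
    set -- $1                      # word-split: $1 = mode string, $3 = owner uid
    if [ "$3" != "0" ]; then
        echo not_root
    else
        case $1 in
            ???s*) echo ok ;;      # 4th mode character 's' = setuid + owner exec
            *)     echo no_setuid ;;
        esac
    fi
}

# path_dot_before PATHVALUE DIR -> 0 if '.' (or an empty element, which also
#   means the current directory) appears in PATHVALUE before DIR
path_dot_before() {
    _rest=$1:
    while [ -n "$_rest" ]; do
        _elem=${_rest%%:*}
        _rest=${_rest#*:}
        case $_elem in
            ''|.) return 0 ;;
        esac
        if [ "$_elem" = "$2" ]; then
            return 1
        fi
    done
    return 1
}

# mount_is_nosuid FILE -> 0 if the file system holding FILE is mounted nosuid
#   (reads /proc/mounts; on systems without it nothing is detected)
mount_is_nosuid() {
    [ -r /proc/mounts ] || return 1
    _mp=$(df -P "$1" | awk 'NR == 2 { print $NF }')
    _opts=$(awk -v m="$_mp" '$2 == m { print $4 }' /proc/mounts | tail -n 1)
    case ",$_opts," in
        *,nosuid,*) return 0 ;;
    esac
    return 1
}

# check_sudo_binary [PATH] -> prints findings; 0 only when owner/mode are right
check_sudo_binary() {
    _bin=${1:-/usr/local/bin/sudo}
    if [ ! -e "$_bin" ]; then
        echo "$_bin: no such file"
        return 1
    fi
    _st=$(perm_status "$(ls -ln "$_bin")")
    echo "$_bin: owner/mode check: $_st"
    if mount_is_nosuid "$_bin"; then
        echo "$_bin: file system is mounted nosuid; the setuid bit is ignored"
    fi
    if path_dot_before "$PATH" "$(dirname "$_bin")"; then
        echo "warning: '.' precedes $(dirname "$_bin") in PATH; a different sudo may be run"
    fi
    [ "$_st" = ok ]
}

# Status is ignored here so the file can also be sourced; call
# check_sudo_binary directly when you want the exit code.
check_sudo_binary "$@" || :
```

Run it as `sh check_sudo.sh /usr/local/bin/sudo`.  The mode check accepts only a lower-case 's' in the owner-execute position, so a binary with the setuid bit but no execute permission (mode 4000, shown as 'S') is reported as no_setuid, which is the right answer for "will this run".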

Q) Sudo never gives me a chance to enter a password using PAM, it just
   says 'Sorry, try again.' three times and exits.
A) You didn't set up PAM to work with sudo.  On RedHat Linux or Fedora
   Core this generally means installing sample.pam as /etc/pam.d/sudo.
   See the sample.pam file for hints on what to use for other Linux
   systems.

Q) Sudo says 'Account expired or PAM config lacks an "account"
   section for sudo, contact your system administrator' and exits
   but I know my account has not expired.
A) Your PAM config lacks an "account" specification.  On Linux this
   usually means you are missing a line like:
	account    required    pam_unix.so
   (or an equivalent "account include system-auth" line) in
   /etc/pam.d/sudo.
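Both PAM problems above come down to which module types the sudo service file actually provides, and on Linux the answer is often hidden behind an "include".  The script below is an added example written for this FAQ (not from sudo or Linux-PAM): pam_has_type reports whether a service file, or a file it pulls in via Linux-PAM "include"/"substack" or Debian-style "@include", has entries of a given type.  The system-auth, sudo.broken and sudo.fixed files it creates are constructed for the demo; the broken one is the shape that produces the "lacks an account section" message.

```sh
#!/bin/sh
# Added example for this FAQ; not part of sudo or Linux-PAM.

# pam_has_type FILE TYPE [DIR] -> 0 if FILE (or a file it includes from DIR)
#   has at least one entry of module type TYPE (auth, account, session, ...)
pam_has_type() {
    _f=$1; _ty=$2; _d=${3:-$(dirname "$1")}
    [ -r "$_f" ] || return 1
    while read -r _t _ctl _mod _rest; do
        _t=${_t#-}                          # "-session ..." marks an optional module
        case $_t in
            ''|'#'*) continue ;;
            @include)                       # Debian: "@include common-account"
                pam_has_type "$_d/$_ctl" "$_ty" "$_d" && return 0
                continue ;;
        esac
        [ "$_t" = "$_ty" ] || continue
        case $_ctl in
            include|substack)               # entries of TYPE come from another service
                pam_has_type "$_d/$_mod" "$_ty" "$_d" && return 0 ;;
            *) return 0 ;;
        esac
    done < "$_f"
    return 1
}

# make_demo_dir -> writes constructed sample service files, prints the directory
make_demo_dir() {
    _dd=$(mktemp -d) || return 1
    cat > "$_dd/system-auth" <<'EOF'
auth      required   pam_unix.so
account   required   pam_unix.so
password  required   pam_unix.so
session   required   pam_unix.so
EOF
    # Broken: auth only.  Authentication succeeds, then sudo fails with
    # "Account expired or PAM config lacks an "account" section for sudo".
    cat > "$_dd/sudo.broken" <<'EOF'
#%PAM-1.0
auth      include    system-auth
EOF
    # Fixed: account and session are wired up as well.
    cat > "$_dd/sudo.fixed" <<'EOF'
#%PAM-1.0
auth      include    system-auth
account   include    system-auth
session   include    system-auth
EOF
    echo "$_dd"
}

# pam_report FILE -> prints which of the types sudo uses are present
pam_report() {
    for _ty in auth account session; do
        if pam_has_type "$1" "$_ty"; then
            echo "$1: $_ty ok"
        else
            echo "$1: $_ty MISSING"
        fi
    done
}

_demo=$(make_demo_dir)
pam_report "$_demo/sudo.broken"
pam_report "$_demo/sudo.fixed"
[ -r /etc/pam.d/sudo ] && pam_report /etc/pam.d/sudo
rm -rf "$_demo"
```

Included files are resolved relative to the directory of the service file, which matches how /etc/pam.d is laid out; "password" is not checked because sudo never changes passwords.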

Q) Sudo is set up to log via syslog(3) but I'm not getting any log
   messages.
A) Make sure you have an entry in your syslog.conf file to save
   the sudo messages (see the sample.syslog.conf file).  The default
   log facility is authpriv (changeable via configure or with the
   "syslog" option in sudoers).  Don't forget to send a SIGHUP to your
   syslogd so that it re-reads its conf file.  Also, remember that the
   traditional syslogd does *not* create log files; you need to create
   the file before syslogd will log to it (e.g., touch /var/log/sudo).
   Note:  the facility (e.g., "auth.debug") must be separated from the
	  destination (e.g., "/var/log/auth" or "@loghost") by
	  tabs, *not* spaces, in the traditional syslogd.  This is a
	  common error.  Newer daemons such as rsyslog and syslog-ng
	  accept spaces here and create missing log files themselves.
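The two mistakes in the answer above are easy to miss by eye, so here is an added example for this FAQ (not part of sudo) that lints a syslog.conf for them: rule lines whose selector and action are separated by spaces rather than a tab, and file actions that do not exist yet.  The sample configuration it writes is constructed for the demo; the missing-file check is only meaningful for the traditional syslogd, since rsyslog and syslog-ng create the file.

```sh
#!/bin/sh
# Added example for this FAQ; not part of sudo.

_tab=$(printf '\t')

# syslog_conf_check CONF -> 0 if every rule line is "selector<TAB>action";
#   prints one diagnostic per offending line otherwise
syslog_conf_check() {
    _rc=0; _n=0
    while IFS= read -r _line; do
        _n=$((_n + 1))
        case $_line in
            ''|'#'*)   ;;                              # blank line or comment
            *"$_tab"*) ;;                              # tab present, fine
            *' '*) echo "$1:$_n: spaces instead of a tab: $_line"; _rc=1 ;;
            *)     echo "$1:$_n: no action field: $_line";          _rc=1 ;;
        esac
    done < "$1"
    return $_rc
}

# syslog_missing_files CONF -> prints each file action that does not exist;
#   returns 0 when all of them exist
syslog_missing_files() {
    _missing=0
    while IFS= read -r _line; do
        case $_line in ''|'#'*) continue ;; esac
        _action=${_line##*"$_tab"}                     # text after the last tab
        _action=${_action#"${_action%%[! ]*}"}         # drop leading spaces
        _action=${_action#-}                           # "-/var/log/x": unsynced writes
        case $_action in
            /*) if [ ! -e "$_action" ]; then
                    echo "$_action"
                    _missing=1
                fi ;;
        esac
    done < "$1"
    return $_missing
}

# make_demo_conf -> writes a constructed syslog.conf into a temp dir, prints the dir
make_demo_conf() {
    _dd=$(mktemp -d) || return 1
    {
        printf '# sudo logs to the authpriv facility by default\n'
        printf 'authpriv.*    /var/log/bad-spaces\n'          # wrong: spaces
        printf 'authpriv.*\t%s/sudo.log\n' "$_dd"              # right: tab
        printf 'authpriv.*\t@loghost\n'                        # remote host, nothing to create
    } > "$_dd/syslog.conf"
    echo "$_dd"
}

_demo=$(make_demo_conf)
syslog_conf_check "$_demo/syslog.conf" || echo "fix the lines above, then send syslogd a SIGHUP"
syslog_missing_files "$_demo/syslog.conf" | sed 's/^/missing log file (touch it first): /'
rm -rf "$_demo"
```

Point both functions at /etc/syslog.conf on a real system; a leading '-' on a file action (asynchronous writes) is stripped before the existence check.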

Q) When sudo asks me for my password it never accepts what I enter even
   though I know I entered my password correctly.
A) If you are not using PAM and your system uses shadow passwords,
   it is possible that sudo didn't properly detect that shadow
   passwords are in use.  Take a look at the generated config.h
   file and verify that the C function used for shadow password
   look ups was detected.  For instance, for SVR4-style shadow
   passwords, HAVE_GETSPNAM should be defined (you can search for
   the string "shadow passwords" in config.h with your editor).
   Note that there is no define for 4.4BSD-based shadow passwords
   since that just uses the standard getpw* routines.

Q) Can sudo use the ssh agent for authentication instead of asking
   for the user's Unix password?
A) Not directly, but you can use a PAM module like pam_ssh_agent_auth
   or pam_ssh for this purpose.

Q) I don't want the sudoers file in /etc, how can I specify where it
   should go?
A) Use the --sysconfdir option to configure, e.g.:
   configure --sysconfdir=/dir/you/want/sudoers/in

Q) Can I put the sudoers file in NIS/NIS+ or do I have to have a
   copy on each machine?
A) There is no support for making an NIS/NIS+ map/table out of
   the sudoers file at this time.  You can distribute the sudoers
   file via rsync or rdist.  It is also possible to NFS-mount the
   sudoers file.  If you use LDAP at your site you may be interested
   in sudo's LDAP sudoers support, see the README.LDAP file and the
   sudoers.ldap manual.

Q) I don't run sendmail on my machine.  Does this mean that I cannot
   use sudo?
A) No, you just need to disable mailing with a line like:
	Defaults !mailerpath
   in your sudoers file or run configure with the --without-sendmail
   option.

Q) When I run visudo it uses vi as the editor and I hate vi.  How
   can I make it use another editor?
A) You can specify the editor to use in visudo in the sudoers file.
   See the "editor" and "env_editor" entries in the sudoers manual.
   The defaults can also be set at configure time using the
   --with-editor and --with-env-editor configure options.

Q) Sudo appears to be removing some variables from my environment, why?
A) Sudo removes the following "dangerous" environment variables
   to guard against shared library spoofing, shell voodoo, and
   Kerberos server spoofing.
     IFS
     LOCALDOMAIN
     RES_OPTIONS
     HOSTALIASES
     NLSPATH
     PATH_LOCALE
     TERMINFO
     TERMINFO_DIRS
     TERMPATH
     TERMCAP
     ENV
     BASH_ENV
     LC_* (if it contains a '/' or '%')
     LANG (if it contains a '/' or '%')
     LANGUAGE (if it contains a '/' or '%')
     LD_*
     _RLD_*
     SHLIB_PATH (HP-UX only)
     LIBPATH (AIX only)
     KRB_CONF (kerb4 only)
     KRBCONFDIR (kerb4 only)
     KRBTKFILE (kerb4 only)
     KRB5_CONFIG (kerb5 only)
     VAR_ACE (SecurID only)
     USR_ACE (SecurID only)
     DLC_ACE (SecurID only)
   When the "env_reset" option is enabled (the default in current
   releases), sudo instead builds a fresh, minimal environment and
   copies in only the variables named by "env_keep" (or that pass
   the "env_check" test); the list above is what is removed when
   env_reset is disabled.  Run "sudo -V" as root to see the lists in
   effect on your system.
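To see what the policy above does to a concrete environment, here is an added example for this FAQ that reimplements it in plain shell; it is not sudo's own code.  env_var_dangerous applies the exact names, the LD_* and _RLD_* prefixes, and the '/' or '%' test for the locale variables; filter_env applies that to NAME=VALUE lines such as `env` prints.  The sample environment is constructed and includes the classic LD_PRELOAD and BASH_ENV attacks the list exists to stop.

```sh
#!/bin/sh
# Added example for this FAQ; a reimplementation of the listed removal
# policy, not code from sudo.

# env_var_dangerous NAME VALUE -> 0 if the variable would be removed
env_var_dangerous() {
    case $1 in
        IFS|LOCALDOMAIN|RES_OPTIONS|HOSTALIASES|NLSPATH|PATH_LOCALE|\
        TERMINFO|TERMINFO_DIRS|TERMPATH|TERMCAP|ENV|BASH_ENV|\
        LD_*|_RLD_*|SHLIB_PATH|LIBPATH|\
        KRB_CONF|KRBCONFDIR|KRBTKFILE|KRB5_CONFIG|\
        VAR_ACE|USR_ACE|DLC_ACE)
            return 0 ;;
        LC_*|LANG|LANGUAGE)
            # A locale name is only dangerous when it can escape the locale
            # directory ('/') or smuggle a printf-style conversion ('%').
            case $2 in */*|*%*) return 0 ;; esac ;;
    esac
    return 1
}

# filter_env < NAME=VALUE lines -> prints the lines that survive
filter_env() {
    while IFS= read -r _kv; do
        _name=${_kv%%=*}
        _val=${_kv#*=}
        if ! env_var_dangerous "$_name" "$_val"; then
            printf '%s\n' "$_kv"
        fi
    done
}

# Constructed sample: what a hostile caller might try to pass through to a
# command run as root.
sample_env() {
    printf '%s\n' \
        'PATH=/usr/bin:/bin' \
        'HOME=/home/bob' \
        'LD_PRELOAD=/tmp/evil.so' \
        'LANGUAGE=../../tmp/evil' \
        'LANG=en_US.UTF-8' \
        'BASH_ENV=/tmp/rc' \
        'LC_ALL=%n%n%n'
}

sample_env | filter_env
```

Only PATH, HOME and the well-formed LANG survive the sample; note that this legacy list still passes PATH through untouched, which is one reason env_reset (with "secure_path") is the better default.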

Q) How can I keep sudo from asking for a password?
A) To specify this on a per-user (and per-command) basis, use the
   'NOPASSWD' tag right before the command list in sudoers.  See
   the sudoers man page and sample.sudoers for details.  To disable
   passwords completely, add "!authenticate" to the Defaults line
   in /etc/sudoers.  You can also turn off authentication on a
   per-user or per-host basis using a user or host-specific Defaults
   entry in sudoers.  To hard-code the global default, you can
   configure with the --without-passwd option.  Keep in mind that
   every command that can be run without a password is, in effect,
   available to anything running as that user (a cron job, a
   compromised session, a script injected into its shell), so limit
   NOPASSWD to specific commands rather than ALL wherever you can.
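As an added illustration for this FAQ (not sudo's own sample.sudoers; the user, host and command names are made up), here is the over-broad form of the answer above next to a scoped one:

```sudoers
# Too broad: anything running as "deploy" can become root silently.
deploy   ALL=(ALL) NOPASSWD: ALL

# Scoped: passwordless only for the commands the automation needs, as
# root, on the web hosts; everything else still prompts.
Host_Alias  WEB = www1, www2
Cmnd_Alias  SVC = /usr/sbin/service nginx reload, /usr/sbin/service nginx restart
deploy   WEB=(root) NOPASSWD: SVC
deploy   WEB=(root) /usr/bin/systemctl status nginx

# The Defaults forms from the answer are the same trade-off, only wider:
# global ("Defaults !authenticate") or for one user.
# Defaults:deploy  !authenticate
```

Tags such as NOPASSWD apply to the command list that follows them on the same line, so the second "deploy" entry still asks for a password.  Check a fragment with "visudo -c -f FILE" before installing it.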

Q) When I run configure, it dies with the following error:
   "no acceptable cc found in $PATH".
A) /usr/ucb/cc was the only C compiler that configure could find.
   You need to tell configure the path to the "real" C compiler
   via the --with-CC option.  On Solaris, the path is probably
   something like "/opt/SUNWspro/SC4.0/bin/cc".  If you have gcc
   that will also work.

Q) When I run configure, it dies with the following error:
   Fatal Error: config.cache exists from another platform!
   Please remove it and re-run configure.
A) configure caches the results of its tests in a file called
   config.cache to make re-running configure speedy.  However,
   if you are building sudo for a different platform the results
   in config.cache will be wrong so you need to remove config.cache.
   You can do this by "rm config.cache" or "make realclean".
   Note that "make realclean" will also remove any object files
   and configure temp files that are lying around as well.

Q) I built sudo on a Solaris >= 2.6 machine but the resulting binary
   doesn't work on Solaris <= 2.5.1.  Why?
A) Starting with Solaris 2.6, snprintf(3) is included in the standard
   C library.  To build a version of sudo on a >= 2.6 machine that
   will run on a <= 2.5.1 machine, edit config.h and comment out the lines:
	#define HAVE_SNPRINTF 1
	#define HAVE_VSNPRINTF 1
   and run make.

Q) When I run "visudo" it says "sudoers file busy, try again later."
   and doesn't do anything.
A) Someone else is currently editing the sudoers file with visudo.
   If you are sure no one is, a previous visudo may have been killed
   before it could remove its temporary file (sudoers.tmp, next to
   the sudoers file); once you have confirmed that no visudo process
   is running, removing that file clears the lock.

Q) When I try to use "cd" with sudo it says "cd: command not found".
A) "cd" is a shell built-in command, you can't run it as a command
   since a child process (sudo) cannot affect the current working
   directory of the parent (your shell).

Q) When I try to use "cd" with sudo the command completes without
   errors but nothing happens.
A) Even though "cd" is a shell built-in command, some operating systems
   include a /usr/bin/cd command (POSIX requires that regular built-ins
   also be available as standalone utilities).  A standalone
   "cd" command is totally useless since a child process (cd) cannot
   affect the current working directory of the parent (your shell).
   Thus, "sudo cd /foo" will start a child process, change the
   directory and immediately exit without doing anything useful.

Q) When I run sudo it says I am not allowed to run the command as root
   but I don't want to run it as root, I want to run it as another user.
   My sudoers file entry looks like:
    bob	ALL=(oracle) ALL
A) The default user sudo tries to run things as is always root, even if
   the invoking user can only run commands as a single, specific user.
   This may change in the future but at the present time you have to
   work around this using the 'runas_default' option in sudoers.
   For example:
    Defaults:bob	runas_default=oracle
   would achieve the desired result for the preceding sudoers fragment.

Q) When I try to run sudo via ssh, I get the error:
    sudo: no tty present and no askpass program specified
A) ssh does not allocate a tty by default when running a remote command.
   Without a tty, sudo cannot disable echo when prompting for a password.
   You can use ssh's "-t" option to force it to allocate a tty.
   Alternately, if you do not mind your password being echoed to the
   screen, you can use the "visiblepw" sudoers option to allow this.
   A third option is to point sudo at a helper program that collects
   the password (the "askpass" sudoers option or the SUDO_ASKPASS
   environment variable) and run it with "sudo -A".

Q) When I try to use SSL-enabled LDAP with sudo I get an error:
    unable to initialize SSL cert and key db: security library: bad database.
    you must set TLS_CERT in /etc/ldap.conf to use SSL
A) On systems that use a Mozilla-derived LDAP SDK there must be a
   certificate database in place to use SSL-encrypted LDAP connections.
   This file is usually /var/ldap/cert8.db or /etc/ldap/cert8.db.
   The actual number after "cert" will vary, depending on the version
   of the LDAP SDK that is being used.  If you do not have a certificate
   database you can either copy one from a Mozilla-derived browser, such
   as Firefox, or create one using the "certutil" command.  You can run
   "certutil" as follows and press the <return> (or <enter>) key at the
   password prompt:
    # certutil -N -d /var/ldap
    Enter a password which will be used to encrypt your keys.
    The password should be at least 8 characters long,
    and should contain at least one non-alphabetic character.

    Enter new password: <return>
    Re-enter password: <return>

Q) On HP-UX, when I run a command via sudo it displays information
   about the last successful login and last authentication failure
   for every command.  How can I fix this?
A) This output comes from /usr/lib/security/libpam_hpsec.so.1.
   To suppress it, add a line like the following to /etc/pam.conf:
   sudo session required libpam_hpsec.so.1 bypass_umask bypass_last_login

Q) On HP-UX, the umask setting in sudoers has no effect.
A) If your /etc/pam.conf file has the libpam_hpsec.so.1 session module
   enabled, you may need to add a line like the following to pam.conf:
   sudo session required libpam_hpsec.so.1 bypass_umask

Q) When I run sudo on AIX I get the following error:
    sudo: unable to change to sudoers gid: Operation not permitted.
A) AIX's Enhanced RBAC is preventing sudo from running.  To fix
   this, add the following entry to /etc/security/privcmds (adjust
   the path to sudo as needed) and run the setkst command as root:

    /usr/local/bin/sudo:
	    accessauths = ALLOW_ALL
	    innateprivs = PV_DAC_GID,PV_DAC_O,PV_DAC_R,PV_DAC_UID,PV_DAC_W,PV_DAC_X,PV_FS_CHOWN,PV_PROC_ENV,PV_PROC_PRIO,PV_PROC_RAC
	    secflags = FSF_EPS

Q) How do you pronounce `sudo'?
A) The official pronunciation is soo-doo (for su "do").  However, an
   alternate pronunciation, a homophone of "pseudo", is also common.
