Troubleshooting tips and FAQ for Sudo
=====================================

Q) When I run configure, it says "C compiler cannot create executables".
A) This usually means you don't have a working compiler. This
   could be due to the lack of a license or that some component of the
   compiler suite could not be found. Check config.log for clues as
   to why this is happening. On many systems, compiler components live
   in /usr/ccs/bin which may not be in your PATH environment variable.

Q) When I run configure, it says "sudo requires the 'ar' utility to build".
A) As part of the build process, sudo creates a temporary library containing
   objects that are shared amongst the different sudo executables.
   On Unix systems, the "ar" utility is used to do this. This error
   indicates that "ar" is missing on your system. On Solaris systems,
   you may need to install the SUNWbtool package. On other systems
   "ar" may be included in the GNU binutils package.

Q) Sudo compiles and installs OK but when I try to run it I get:
        /usr/local/bin/sudo must be owned by uid 0 and have the setuid bit set
A) Sudo must be setuid root to do its work. Either /usr/local/bin/sudo
   is not owned by uid 0 or the setuid bit is not set. This should have
   been done for you by "make install" but you can fix it manually by
   running the following as root:
        # chown root /usr/local/bin/sudo; chmod 4111 /usr/local/bin/sudo

Q) Sudo compiles and installs OK but when I try to run it I get:
        effective uid is not 0, is /usr/local/bin/sudo on a file system with the
        'nosuid' option set or an NFS file system without root privileges?
A) The owner and permissions on the sudo binary appear to be OK but when
   sudo ran, the setuid bit did not have an effect. There are two common
   causes for this. The first is that the file system the sudo binary
   is located on is mounted with the 'nosuid' mount option, which disables
   setuid binaries.
   The other is that sudo is installed on an NFS-mounted
   file system that is exported without root privileges. By default, NFS
   file systems are exported with uid 0 mapped to a non-privileged uid
   (usually -2).

   You need to do something like
   `chmod 4111 /usr/local/bin/sudo'. Also, the file system sudo resides
   on must *not* be mounted (or exported) with the nosuid option or sudo
   will not be able to work. Another possibility is you may have '.' in
   your $PATH before the directory containing sudo. If you are going
   to have '.' in your path you should make sure it is at the end.

Q) Sudo never gives me a chance to enter a password using PAM, it just
   says 'Sorry, try again.' three times and exits.
A) You didn't set up PAM to work with sudo. On RedHat Linux or Fedora
   Core this generally means installing sample.pam as /etc/pam.d/sudo.
   See the sample.pam file for hints on what to use for other Linux
   systems.

Q) Sudo says 'Account expired or PAM config lacks an "account"
   section for sudo, contact your system administrator' and exits
   but I know my account has not expired.
A) Your PAM config lacks an "account" specification. On Linux this
   usually means you are missing a line like:
        account required pam_unix.so
   in /etc/pam.d/sudo.

Q) Sudo is set up to log via syslog(3) but I'm not getting any log
   messages.
A) Make sure you have an entry in your syslog.conf file to save
   the sudo messages (see the sample.syslog.conf file). The default
   log facility is authpriv (changeable via configure or in sudoers).
   Don't forget to send a SIGHUP to your syslogd so that it re-reads
   its conf file. Also, remember that syslogd does *not* create
   log files, you need to create the file before syslogd will log
   to it (i.e., touch /var/log/sudo).
   Note: the facility (e.g. "auth.debug") must be separated from the
   destination (e.g. "/var/log/auth" or "@loghost") by
   tabs, *not* spaces. This is a common error.
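The following script is an added example and is not part of the sudo distribution. It turns three of the answers above into checks you can run on a fresh install: whether the sudo binary is owned by uid 0 with the setuid bit set, whether the file system it lives on is mounted nosuid, and whether a syslog.conf entry uses spaces instead of the tab that the syslog answer says classic syslogd requires. It assumes the usual column layout of "ls -ln", "df -P" and "mount" output; the file paths are command-line arguments, not anything the script knows about your system.

```shell
#!/bin/sh
# Added example, not sudo's own code: post-install checks for the
# "must be owned by uid 0", "nosuid" and "syslog.conf tabs" answers.
# Assumes the usual "ls -ln", "df -P" and "mount" output layouts.

# Print "owner=<uid> setuid=<yes|no>" for the file at $1 and return 0
# only when it is owned by uid 0 with the setuid bit set, as sudo requires.
# "ls -ln" is used instead of stat(1) so the same code works on Linux and BSD.
sudo_binary_status() {
    path=$1
    [ -f "$path" ] || { echo "missing: $path"; return 1; }
    set -- $(ls -ln "$path")          # $1 = mode string, $3 = numeric owner uid
    mode=$1
    owner=$3
    case $mode in
        ???[sS]*) suid=yes ;;         # 4th character is the user-execute slot
        *)        suid=no ;;
    esac
    echo "owner=$owner setuid=$suid"
    [ "$owner" -eq 0 ] && [ "$suid" = yes ]
}

# Return 0 if the file system holding $1 is mounted with the nosuid option,
# 1 otherwise. "df -P" gives the mount point; the mount table gives options.
# An NFS export that maps uid 0 away looks fine here and still breaks sudo.
mount_is_nosuid() {
    mp=$(df -P "$1" | awk 'NR == 2 { print $6 }')
    mount | grep -F " on $mp " | grep -q nosuid
}

# Report syslog.conf lines where the selector and the action are separated
# only by spaces. Prints one line per offender; returns 1 if any were found.
check_syslog_conf() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }                 # blank lines and comments
        /\t/                 { next }                 # contains a tab: fine
        / /                  { printf "line %d: spaces, not tabs: %s\n", NR, $0
                               bad = 1 }
        END                  { exit bad + 0 }
    ' "$1"
}

# Usage: sh check_sudo_install.sh /usr/local/bin/sudo [/etc/syslog.conf]
if [ -n "${1:-}" ]; then
    sudo_binary_status "$1"
    if mount_is_nosuid "$1"; then
        echo "warning: $1 is on a nosuid mount; sudo will not work there"
    fi
    if [ -n "${2:-}" ]; then
        check_syslog_conf "$2"
    fi
fi
```

Run it as `sh check_sudo_install.sh /usr/local/bin/sudo /etc/syslog.conf`. The ownership and mode check needs no privileges, so it is a cheap thing to run after "make install"; the nosuid check reads the mount table only, and cannot see the NFS root-squash case described above, where the bits look right but the kernel still refuses to honour them.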

Q) When sudo asks me for my password it never accepts what I enter even
   though I know I entered my password correctly.
A) If you are not using PAM and your system uses shadow passwords,
   it is possible that sudo didn't properly detect that shadow
   passwords are in use. Take a look at the generated config.h
   file and verify that the C function used for shadow password
   lookups was detected. For instance, for SVR4-style shadow
   passwords, HAVE_GETSPNAM should be defined (you can search for
   the string "shadow passwords" in config.h with your editor).
   Note that there is no define for 4.4BSD-based shadow passwords
   since that just uses the standard getpw* routines.

Q) Can sudo use the ssh agent for authentication instead of asking
   for the user's Unix password?
A) Not directly, but you can use a PAM module like pam_ssh_agent_auth
   or pam_ssh for this purpose.

Q) I don't want the sudoers file in /etc, how can I specify where it
   should go?
A) Use the --sysconfdir option to configure, e.g.:
        configure --sysconfdir=/dir/you/want/sudoers/in

Q) Can I put the sudoers file in NIS/NIS+ or do I have to have a
   copy on each machine?
A) There is no support for making an NIS/NIS+ map/table out of
   the sudoers file at this time. You can distribute the sudoers
   file via rsync or rdist. It is also possible to NFS-mount the
   sudoers file. If you use LDAP at your site you may be interested
   in sudo's LDAP sudoers support, see the README.LDAP file and the
   sudoers.ldap manual.

Q) I don't run sendmail on my machine. Does this mean that I cannot
   use sudo?
A) No, you just need to disable mailing with a line like:
        Defaults !mailerpath
   in your sudoers file or run configure with the --without-sendmail
   option.

Q) When I run visudo it uses vi as the editor and I hate vi. How
   can I make it use another editor?
A) You can specify the editor to use in visudo in the sudoers file.
   See the "editor" and "env_editor" entries in the sudoers manual.
   The defaults can also be set at configure time using the
   --with-editor and --with-env-editor configure options.

Q) Sudo appears to be removing some variables from my environment, why?
A) Sudo removes the following "dangerous" environment variables
   to guard against shared library spoofing, shell voodoo, and
   kerberos server spoofing.
        IFS
        LOCALDOMAIN
        RES_OPTIONS
        HOSTALIASES
        NLSPATH
        PATH_LOCALE
        TERMINFO
        TERMINFO_DIRS
        TERMPATH
        TERMCAP
        ENV
        BASH_ENV
        LC_ (if it contains a '/' or '%')
        LANG (if it contains a '/' or '%')
        LANGUAGE (if it contains a '/' or '%')
        LD_*
        _RLD_*
        SHLIB_PATH (HP-UX only)
        LIBPATH (AIX only)
        KRB_CONF (kerb4 only)
        KRBCONFDIR (kerb4 only)
        KRBTKFILE (kerb4 only)
        KRB5_CONFIG (kerb5 only)
        VAR_ACE (SecurID only)
        USR_ACE (SecurID only)
        DLC_ACE (SecurID only)

Q) How can I keep sudo from asking for a password?
A) To specify this on a per-user (and per-command) basis, use the
   'NOPASSWD' tag right before the command list in sudoers. See
   the sudoers man page and sample.sudoers for details. To disable
   passwords completely, add "!authenticate" to the Defaults line
   in /etc/sudoers. You can also turn off authentication on a
   per-user or per-host basis using a user or host-specific Defaults
   entry in sudoers. To hard-code the global default, you can
   configure with the --without-passwd option.

Q) When I run configure, it dies with the following error:
        "no acceptable cc found in $PATH".
A) /usr/ucb/cc was the only C compiler that configure could find.
   You need to tell configure the path to the "real" C compiler
   via the --with-CC option. On Solaris, the path is probably
   something like "/opt/SUNWspro/SC4.0/bin/cc". If you have gcc
   that will also work.
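To make the environment-variable answer above concrete, here is an added example (not sudo's own code) that reproduces the removal rules exactly as listed on this page and scans the current environment for variables that would be dropped. It reads the "LC_" entry as the prefix LC_*, applies the HP-UX, AIX, Kerberos and SecurID entries unconditionally rather than per platform, and covers only the list given here; sudo's real environment handling also depends on sudoers options such as env_reset, which this script does not model.

```shell
#!/bin/sh
# Added example, not sudo's own code: the "dangerous" variable list from
# the answer above, as a check you can run against your own environment.
# Assumptions: "LC_" in the list means the prefix LC_*, and the
# platform-specific entries are treated as always removed.

# Return 0 if variable NAME ($1) with value VALUE ($2) would be removed,
# 1 if sudo would leave it alone according to the list.
sudo_would_strip() {
    name=$1
    value=$2
    case $name in
        IFS|LOCALDOMAIN|RES_OPTIONS|HOSTALIASES|NLSPATH|PATH_LOCALE|TERMINFO|TERMINFO_DIRS|TERMPATH|TERMCAP|ENV|BASH_ENV)
            return 0 ;;                       # always removed
        LD_*|_RLD_*)
            return 0 ;;                       # dynamic loader controls
        SHLIB_PATH|LIBPATH)
            return 0 ;;                       # HP-UX / AIX loader paths
        KRB_CONF|KRBCONFDIR|KRBTKFILE|KRB5_CONFIG)
            return 0 ;;                       # Kerberos configuration
        VAR_ACE|USR_ACE|DLC_ACE)
            return 0 ;;                       # SecurID
        LC_*|LANG|LANGUAGE)
            case $value in
                */*|*%*) return 0 ;;          # only when it contains '/' or '%'
            esac
            return 1 ;;
    esac
    return 1
}

# Print, one per line, the names of variables in the current environment
# that sudo_would_strip flags. Lines from env(1) without an '=' belong to
# a multi-line value and are skipped.
list_stripped_vars() {
    env | while IFS= read -r line; do
        case $line in
            *=*) ;;
            *)   continue ;;
        esac
        name=${line%%=*}
        value=${line#*=}
        if sudo_would_strip "$name" "$value"; then
            echo "$name"
        fi
    done
}

# Usage: sh env_strip_check.sh --scan
if [ "${1:-}" = "--scan" ]; then
    list_stripped_vars
fi
```

Note how the prefix rules are deliberately narrow: LD_* matches LD_PRELOAD and LD_LIBRARY_PATH but not LDAP_HOST, and LANG is kept unless its value carries a '/' or '%', which is what the conditional entries in the list describe.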

Q) When I run configure, it dies with the following error:
        Fatal Error: config.cache exists from another platform!
        Please remove it and re-run configure.
A) configure caches the results of its tests in a file called
   config.cache to make re-running configure speedy. However,
   if you are building sudo for a different platform the results
   in config.cache will be wrong so you need to remove config.cache.
   You can do this by "rm config.cache" or "make realclean".
   Note that "make realclean" will also remove any object files
   and configure temp files that are lying around as well.

Q) I built sudo on a Solaris >= 2.6 machine but the resulting binary
   doesn't work on Solaris <= 2.5.1. Why?
A) Starting with Solaris 2.6, snprintf(3) is included in the standard
   C library. To build a version of sudo on a >= 2.6 machine that
   will run on a <= 2.5.1 machine, edit config.h and comment out the lines:
        #define HAVE_SNPRINTF 1
        #define HAVE_VSNPRINTF 1
   and run make.

Q) When I run "visudo" it says "sudoers file busy, try again later."
   and doesn't do anything.
A) Someone else is currently editing the sudoers file with visudo.

Q) When I try to use "cd" with sudo it says "cd: command not found".
A) "cd" is a shell built-in command, you can't run it as a command
   since a child process (sudo) cannot affect the current working
   directory of the parent (your shell).

Q) When I try to use "cd" with sudo the command completes without
   errors but nothing happens.
A) Even though "cd" is a shell built-in command, some operating systems
   include a /usr/bin/cd command for some reason. A standalone
   "cd" command is totally useless since a child process (cd) cannot
   affect the current working directory of the parent (your shell).
   Thus, "sudo cd /foo" will start a child process, change the
   directory and immediately exit without doing anything useful.

Q) When I run sudo it says I am not allowed to run the command as root
   but I don't want to run it as root, I want to run it as another user.
   My sudoers file entry looks like:
        bob ALL=(oracle) ALL
A) The user sudo runs commands as by default is always root, even if
   the invoking user can only run commands as a single, specific user.
   This may change in the future but at the present time you have to
   work around this using the 'runas_default' option in sudoers.
   For example:
        Defaults:bob runas_default=oracle
   would achieve the desired result for the preceding sudoers fragment.

Q) When I try to run sudo via ssh, I get the error:
        sudo: no tty present and no askpass program specified
A) ssh does not allocate a tty by default when running a remote command.
   Without a tty, sudo cannot disable echo when prompting for a password.
   You can use ssh's "-t" option to force it to allocate a tty.
   Alternately, if you do not mind your password being echoed to the
   screen, you can use the "visiblepw" sudoers option to allow this.

Q) When I try to use SSL-enabled LDAP with sudo I get an error:
        unable to initialize SSL cert and key db: security library: bad database.
        you must set TLS_CERT in /etc/ldap.conf to use SSL
A) On systems that use a Mozilla-derived LDAP SDK there must be a
   certificate database in place to use SSL-encrypted LDAP connections.
   This file is usually /var/ldap/cert8.db or /etc/ldap/cert8.db.
   The actual number after "cert" will vary, depending on the version
   of the LDAP SDK that is being used. If you do not have a certificate
   database you can either copy one from a mozilla-derived browser, such
   as firefox, or create one using the "certutil" command. You can run
   "certutil" as follows and press the <return> (or <enter>) key at the
   password prompt:
        # certutil -N -d /var/ldap
        Enter a password which will be used to encrypt your keys.
        The password should be at least 8 characters long,
        and should contain at least one non-alphabetic character.

        Enter new password: <return>
        Re-enter password: <return>

Q) On HP-UX, when I run a command via sudo it displays information
   about the last successful login and last authentication failure
   for every command. How can I fix this?
A) This output comes from /usr/lib/security/libpam_hpsec.so.1.
   To suppress it, add a line like the following to /etc/pam.conf:
        sudo session required libpam_hpsec.so.1 bypass_umask bypass_last_login

Q) On HP-UX, the umask setting in sudoers has no effect.
A) If your /etc/pam.conf file has the libpam_hpsec.so.1 session module
   enabled, you may need to add a line like the following to pam.conf:
        sudo session required libpam_hpsec.so.1 bypass_umask

Q) When I run sudo on AIX I get the following error:
        sudo: unable to change to sudoers gid: Operation not permitted.
A) AIX's Enhanced RBAC is preventing sudo from running. To fix
   this, add the following entry to /etc/security/privcmds (adjust
   the path to sudo as needed) and run the setkst command as root:

        /usr/local/bin/sudo:
                accessauths = ALLOW_ALL
                innateprivs = PV_DAC_GID,PV_DAC_O,PV_DAC_R,PV_DAC_UID,PV_DAC_W,PV_DAC_X,PV_FS_CHOWN,PV_PROC_ENV,PV_PROC_PRIO,PV_PROC_RAC
                secflags = FSF_EPS

Q) How do you pronounce `sudo'?
A) The official pronunciation is soo-doo (for su "do"). However, an
   alternate pronunciation, a homophone of "pseudo", is also common.