Annotation of src/usr.bin/sudo/TROUBLESHOOTING, Revision 1.12

1.3       millert     1: Troubleshooting tips and FAQ for Sudo
1.1       millert     2: =====================================
                      3:
1.3       millert     4: Q) When I run configure, it says "C compiler cannot create executables".
                      5: A) This usually means you don't have a working compiler.  This
                      6:    could be due to the lack of a license or that some component of the
                      7:    compiler suite could not be found.  Check config.log for clues as
                      8:    to why this is happening.  On many systems, compiler components live
                      9:    in /usr/ccs/bin which may not be in your PATH environment variable.
                     10:
1.1       millert    11: Q) Sudo compiles but when I run it I get "Sorry, sudo must be setuid root."
                     12:    and sudo quits.
                     13: A) Sudo must be setuid root to do its work.  You need to do something like
1.7       millert    14:    `chmod 4111 /usr/local/bin/sudo'.  Also, the file system sudo resides
                     15:    on must *not* be mounted (or exported) with the nosuid option or sudo
                     16:    will not be able to work.  Another possibility is you may have '.' in
1.1       millert    17:    your $PATH before the directory containing sudo.  If you are going
                     18:    to have '.' in your path you should make sure it is at the end.
                     19:
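The checks from the answer above (setuid bit, root ownership, nosuid mount, '.' ahead of sudo's directory in PATH) as a POSIX shell sketch. This is an added example, not part of the sudo distribution; the function names are hypothetical, and the mount parsing assumes the common "dev on /mountpoint ... (options)" output format.

```shell
# Added example, not part of the sudo distribution; all names are hypothetical.

# dot_precedes PATHSTRING DIR
# Succeeds if '.' or an empty element (which the shell treats as '.')
# is searched before DIR.
dot_precedes() {
    _rest=$1:
    while [ -n "$_rest" ]; do
        _elem=${_rest%%:*}
        _rest=${_rest#*:}
        case $_elem in
            "$2")  return 1 ;;
            ''|.)  return 0 ;;
        esac
    done
    return 1
}

# mount_has_nosuid MOUNTPOINT < mount-output
# Succeeds if the "dev on MOUNTPOINT ... (opts)" line lists nosuid.
mount_has_nosuid() {
    awk -v mp="$1" '
        $2 == "on" && $3 == mp && /[(, ]nosuid[,)]/ { found = 1 }
        END { exit !found }'
}

# check_sudo_binary FILE
# Prints one line per problem found; returns non-zero if there was any.
check_sudo_binary() {
    _f=$1 _rc=0
    [ -u "$_f" ] || { echo "$_f: setuid bit not set (chmod 4111 $_f)"; _rc=1; }
    _uid=$(ls -lnd "$_f" | awk '{ print $3 }')
    [ "$_uid" = 0 ] || { echo "$_f: owner uid is $_uid, not 0 (root)"; _rc=1; }
    _mp=$(df -P "$_f" | awk 'NR == 2 { print $NF }')
    if mount | mount_has_nosuid "$_mp"; then
        echo "$_f: $_mp is mounted nosuid"; _rc=1
    fi
    if dot_precedes "$PATH" "$(dirname "$_f")"; then
        echo "PATH has '.' ahead of $(dirname "$_f")"; _rc=1
    fi
    return $_rc
}
```

Run it as `check_sudo_binary /usr/local/bin/sudo`; no output and a zero exit status mean none of the listed problems were found.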
1.2       millert    20: Q) Sudo never gives me a chance to enter a password using PAM, it just
1.8       millert    21:    says 'Sorry, try again.' three times and exits.
                     22: A) You didn't set up PAM to work with sudo.  On Redhat Linux or Fedora
                     23:    Core this generally means installing sample.pam as /etc/pam.d/sudo.
                     24:    See the sample.pam file for hints on what to use for other Linux
                     25:    systems.
                     26:
                     27: Q) Sudo says 'Account expired or PAM config lacks an "account"
                     28:    section for sudo, contact your system administrator' and exits
                     29:    but I know my account has not expired.
                     30: A) Your PAM config lacks an "account" specification.  On Linux this
                     31:    usually means you are missing a line like:
                     32:        account    required    pam_unix.so
                     33:    in /etc/pam.d/sudo.
1.2       millert    34:
1.1       millert    35: Q) Sudo is set up to log via syslog(3) but I'm not getting any log
                     36:    messages.
                     37: A) Make sure you have an entry in your syslog.conf file to save
                     38:    the sudo messages (see the sample.syslog.conf file).  The default
                     39:    log facility is local2 (changeable via configure).  Don't forget
                     40:    to send a SIGHUP to your syslogd so that it re-reads its conf file.
                     41:    Also, remember that syslogd does *not* create log files; you need to
                     42:    create the file before syslogd will log to it (e.g. touch /var/log/sudo).
                     43:    Note:  the facility ("local2.debug") must be separated from the
                     44:          destination ("/var/adm/sudo.log" or "@loghost") by
                     45:          tabs, *not* spaces.  This is a common error.
                     46:
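A checker for the three syslog.conf mistakes named above: no entry for the facility, spaces instead of tabs between facility and destination, and a log file that does not exist yet. This is an added example, not part of the sudo distribution; check_syslog_conf is a hypothetical name and only traditional one-line "selector<TAB>destination" entries are handled.

```shell
# Added example, not part of the sudo distribution.
# check_syslog_conf FILE [FACILITY]   (FACILITY defaults to local2)
# Prints one finding per line; returns 0 only if an entry for FACILITY
# exists, is tab-separated and any file destination already exists.
check_syslog_conf() {
    _conf=$1; _fac=${2:-local2}
    _out=$(awk -v fac="$_fac" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        {
            sel = $0; sub(/[ \t].*/, "", sel)    # selector: up to first blank
            if (index(sel, fac ".") == 0) next
            sep = substr($0, length(sel) + 1)
            dest = sep; sub(/^[ \t]+/, "", dest)
            sep = substr(sep, 1, length(sep) - length(dest))
            if (sep ~ / /) print "SPACES " NR
            else print "DEST " dest
        }' "$_conf")
    [ -n "$_out" ] || { echo "$_conf: no entry for facility $_fac"; return 1; }
    _bad=0
    while read -r _kind _arg; do
        case $_kind in
            SPACES)
                echo "$_conf:$_arg: spaces before destination, use tabs"
                _bad=1 ;;
            DEST)
                case $_arg in
                    /*) [ -e "$_arg" ] || {
                            echo "$_arg: missing, syslogd will not create it"
                            _bad=1; } ;;
                esac ;;
        esac
    done <<EOF
$_out
EOF
    return $_bad
}
```

Typical use is `check_syslog_conf /etc/syslog.conf local2`; destinations such as "@loghost" are accepted without further checks.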
                     47: Q) When sudo asks me for my password it never accepts what I enter even
                     48:    though I know I entered my password correctly.
                     49: A) If your system uses shadow passwords, it is possible that sudo
                     50:    didn't detect this.  Take a look at the generated config.h file
                     51:    and verify that the C function used for shadow password lookups
                     52:    was detected.  For instance, for SVR4-style shadow passwords,
                     53:    HAVE_GETSPNAM should be defined (you can search for the string
                     54:    "shadow passwords" in config.h with your editor).  Note that
                     55:    there is no define for 4.4BSD-based shadow passwords since that
                     56:    just uses the standard getpw* routines.
                     57:
                     58: Q) I don't want the sudoers file in /etc, how can I specify where it
                     59:    should go?
                     60: A) Use the --sysconfdir option to configure.  For example:
                     61:    configure --sysconfdir=/dir/you/want/sudoers/in
                     62:
                     63: Q) Can I put the sudoers file in NIS/NIS+ or do I have to have a
                     64:    copy on each machine?
                     65: A) There is no support for making an NIS/NIS+ map/table out of
                     66:    the sudoers file at this time.  A good way to distribute the
                     67:    sudoers file is via rdist(1).  It is also possible to NFS-mount
                     68:    the sudoers file.
                     69:
                     70: Q) I don't run sendmail on my machine.  Does this mean that I cannot
                     71:    use sudo?
                     72: A) No, you just need to use the --without-sendmail argument to configure
                     73:    or add "!mailerpath" to the Defaults line in /etc/sudoers.
                     74:
                     75: Q) When I run visudo it uses vi as the editor and I hate vi.  How
                     76:    can I make it use another editor?
                     77: A) Your best bet is to run configure with the --with-env-editor switch.
                     78:    This will make visudo use the editor specified by the user's
                     79:    EDITOR environment variable.  Alternatively, you can run configure
                     80:    with the --with-editor=/path/to/another/editor option.
                     81:
                     82: Q) Sudo appears to be removing some variables from my environment, why?
                     83: A) Sudo removes the following "dangerous" environment variables
                     84:    to guard against shared library spoofing, shell voodoo, and
                     85:    kerberos server spoofing.
                     86:      IFS
                     87:      LOCALDOMAIN
                     88:      RES_OPTIONS
                     89:      HOSTALIASES
1.3       millert    90:      NLSPATH
                     91:      PATH_LOCALE
                     92:      TERMINFO
                     93:      TERMINFO_DIRS
                     94:      TERMPATH
                     95:      TERMCAP
1.1       millert    96:      ENV
                     97:      BASH_ENV
1.3       millert    98:      LC_ (if it contains a '/' or '%')
                     99:      LANG (if it contains a '/' or '%')
                    100:      LANGUAGE (if it contains a '/' or '%')
1.1       millert   101:      LD_*
                    102:      _RLD_*
                    103:      SHLIB_PATH (HP-UX only)
1.3       millert   104:      LIBPATH (AIX only)
1.1       millert   105:      KRB_CONF (kerb4 only)
1.3       millert   106:      KRBCONFDIR (kerb4 only)
                    107:      KRBTKFILE (kerb4 only)
1.1       millert   108:      KRB5_CONFIG (kerb5 only)
1.3       millert   109:      VAR_ACE (SecurID only)
                    110:      USR_ACE (SecurID only)
                    111:      DLC_ACE (SecurID only)
1.1       millert   112:
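To see which variables of a given environment fall under the list above, the rules can be applied to "env" output. This is an added example, not sudo's own code; the function names are hypothetical, the "LC_" entry is assumed to mean every variable with that prefix, and entries marked platform- or method-specific in the list are reported as "conditional".

```shell
# Added example, not sudo's own code; names are hypothetical.
# sudo_env_verdict NAME VALUE
# Prints "removed", "conditional" (removed only on the platform or with
# the authentication method noted in the list) or "kept".
sudo_env_verdict() {
    case $1 in
        IFS|LOCALDOMAIN|RES_OPTIONS|HOSTALIASES|NLSPATH|PATH_LOCALE|\
        TERMINFO|TERMINFO_DIRS|TERMPATH|TERMCAP|ENV|BASH_ENV|LD_*|_RLD_*)
            echo removed ;;
        LC_*|LANG|LANGUAGE)
            # Assumption: "LC_" in the list covers all LC_ variables.
            case $2 in
                */*|*%*) echo removed ;;
                *)       echo kept ;;
            esac ;;
        SHLIB_PATH|LIBPATH|KRB_CONF|KRBCONFDIR|KRBTKFILE|KRB5_CONFIG|\
        VAR_ACE|USR_ACE|DLC_ACE)
            echo conditional ;;
        *)  echo kept ;;
    esac
}

# audit_env < "NAME=VALUE" lines (such as the output of env)
# Prints "NAME<TAB>verdict" for every variable that is not simply kept.
# Values that span several lines are not handled.
audit_env() {
    while IFS= read -r _line; do
        case $_line in *=*) ;; *) continue ;; esac
        _n=${_line%%=*} _v=${_line#*=}
        _verdict=$(sudo_env_verdict "$_n" "$_v")
        [ "$_verdict" = kept ] || printf '%s\t%s\n' "$_n" "$_verdict"
    done
}
```

Running `env | audit_env` in the invoking shell lists the variables a command started through sudo should not expect to inherit.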
                    113: Q) How can I keep sudo from asking for a password?
                    114: A) To specify this on a per-user (and per-command) basis, use the 'NOPASSWD'
                    115:    tag right before the command list in sudoers.  See the sudoers man page
                    116:    and sample.sudoers for details.  To disable passwords completely,
                    117:    run configure with the --without-passwd option or add "!authenticate"
                    118:    to the Defaults line in /etc/sudoers.  You can also turn off authentication
                    119:    on a per-user or per-host basis using a user or host-specific Defaults
                    120:    entry in sudoers.
                    121:
                    122: Q) When I run configure, it dies with the following error:
                    123:    "no acceptable cc found in $PATH".
                    124: A) /usr/ucb/cc was the only C compiler that configure could find.
                    125:    You need to tell configure the path to the "real" C compiler
                    126:    via the --with-CC option.  On Solaris, the path is probably
                    127:    something like "/opt/SUNWspro/SC4.0/bin/cc".  If you have gcc
                    128:    that will also work.
                    129:
                    130: Q) When I run configure, it dies with the following error:
                    131:    Fatal Error: config.cache exists from another platform!
                    132:    Please remove it and re-run configure.
                    133: A) configure caches the results of its tests in a file called
                    134:    config.cache to make re-running configure speedy.  However,
                    135:    if you are building sudo for a different platform the results
                    136:    in config.cache will be wrong so you need to remove config.cache.
                    137:    You can do this by "rm config.cache" or "make realclean".
                    138:    Note that "make realclean" will also remove any object files
                    139:    and configure temp files that are lying around as well.
                    140:
                    141: Q) I built sudo on a Solaris >= 2.6 machine but the resulting binary
                    142:    doesn't work on Solaris <= 2.5.1.  Why?
                    143: A) Starting with Solaris 2.6, snprintf(3) is included in the standard
                    144:    C library.  To build a version of sudo on a >= 2.6 machine that
                    145:    will run on a <= 2.5.1 machine, edit config.h and comment out the lines:
                    146:        #define HAVE_SNPRINTF 1
                    147:        #define HAVE_VSNPRINTF 1
                    148:    and run make.
                    149:
                    150: Q) When I run "visudo" it says "sudoers file busy, try again later."
                    151:    and doesn't do anything.
                    152: A) Someone else is currently editing the sudoers file with visudo.
                    153:
                    154: Q) When I try to use "cd" with sudo it says "cd: command not found".
1.6       millert   155: A) "cd" is a shell built-in command; you can't run it as a command
                    156:    since a child process (sudo) cannot affect the current working
                    157:    directory of the parent (your shell).
1.1       millert   158:
                    159: Q) When I try to use "cd" with sudo the command completes without
                    160:    errors but nothing happens.
1.11      millert   161: A) Even though "cd" is a shell built-in command, some operating systems
                    162:    include a /usr/bin/cd command for some reason.  A standalone
                    163:    "cd" command is totally useless since a child process (cd) cannot
                    164:    affect the current working directory of the parent (your shell).
                    165:    Thus, "sudo cd /foo" will start a child process, change the
                    166:    directory and immediately exit without doing anything useful.
1.3       millert   167:
1.10      millert   168: Q) When I run sudo it says I am not allowed to run the command as root
1.3       millert   169:    but I don't want to run it as root, I want to run it as another user.
                    170:    My sudoers file entry looks like:
                    171:     bob        ALL=(oracle) ALL
                    172: A) The default user sudo tries to run things as is always root, even if
                    173:    the invoking user can only run commands as a single, specific user.
                    174:    This may change in the future but at the present time you have to
                    175:    work around this using the 'runas_default' option in sudoers.
                    176:    For example:
                    177:     Defaults:bob       runas_default=oracle
                    178:    would achieve the desired result for the preceding sudoers fragment.
1.1       millert   179:
1.12    ! millert   180: Q) When I try to run sudo via ssh, I get the error:
        !           181:     sudo: no tty present and no askpass program specified
        !           182: A) ssh does not allocate a tty by default when running a remote command.
        !           183:    Without a tty, sudo cannot disable echo when prompting for a password.
        !           184:    You can use ssh's "-t" option to force it to allocate a tty.
        !           185:    Alternatively, if you do not mind your password being echoed to the
        !           186:    screen, you can use the "visiblepw" sudoers option to allow this.
        !           187:
1.1       millert   188: Q) How do you pronounce `sudo'?
1.9       millert   189: A) The official pronunciation is soo-doo (for su "do").  However, an
                    190:    alternate pronunciation, a homophone of "pseudo", is also common.