Annotation of src/usr.bin/sudo/TROUBLESHOOTING, Revision 1.2.6.1
1.2.6.1 ! millert 1: Troubleshooting tips and FAQ for Sudo
1.1 millert 2: =====================================
3:
1.2.6.1 ! millert 4: Q) When I run configure, it says "C compiler cannot create executables".
! 5: A) This usually means you don't have a working compiler. This
! 6: could be due to the lack of a license or that some component of the
! 7: compiler suite could not be found. Check config.log for clues as
! 8: to why this is happening. On many systems, compiler components live
! 9: in /usr/ccs/bin which may not be in your PATH environment variable.
! 10:
1.1 millert 11: Q) Sudo compiles but when I run it I get "Sorry, sudo must be setuid root."
12: and sudo quits.
13: A) Sudo must be setuid root to do its work. You need to do something like
14: `chmod 4111 /usr/local/bin/sudo'. Also, the filesystem sudo resides
15: on must *not* be mounted with the nosuid mount option or sudo will
16: not be able to work. Another possibility is you may have '.' in
17: your $PATH before the directory containing sudo. If you are going
18: to have '.' in your path you should make sure it is at the end.
19:
1.2.6.1 ! millert 20: Q) Sudo compiles but when I run it I get "seteuid(0): Operation not permitted"
! 21: and sudo quits.
! 22: A) The operating system you are running probably has broken support for
! 23: POSIX saved IDs. You should run configure with the "--disable-saved-ids"
! 24: option and rebuild sudo.
! 25:
1.2 millert 26: Q) Sudo never gives me a chance to enter a password using PAM, it just
27: says 'Sorry, try again.' three times and quits.
28: A) You didn't set up PAM to work with sudo. On Linux this generally
29: means installing sample.pam as /etc/pam.d/sudo.
30:
1.1 millert 31: Q) Sudo is set up to log via syslog(3) but I'm not getting any log
32: messages.
33: A) Make sure you have an entry in your syslog.conf file to save
34: the sudo messages (see the sample.syslog.conf file). The default
35: log facility is local2 (changeable via configure). Don't forget
36: to send a SIGHUP to your syslogd so that it re-reads its conf file.
37: Also, remember that syslogd does *not* create log files, you need to
38: create the file before syslogd will log to it (ie: touch /var/log/sudo).
39: Note: the facility ("local2.debug") must be separated from the
40: destination ("/var/adm/sudo.log" or "@loghost") by
41: tabs, *not* spaces. This is a common error.
42:
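The tab-versus-space mistake described above can be caught before syslogd silently ignores the rule. The following checker is an added example, not part of the sudo distribution; the function names and the sample configuration text are constructed for illustration, and it assumes one rule per line with no continuation lines.

```c
#include <stdio.h>
#include <string.h>

/* Classifies one syslog.conf line:
 *   0 = blank or comment
 *   1 = selector and destination separated by tabs only
 *  -1 = a space appears in the separator (the common error)
 *  -2 = selector with no destination */
int check_syslog_line(const char *line) {
    const char *p = line + strspn(line, " \t");
    if (*p == '\0' || *p == '\n' || *p == '#')
        return 0;
    p += strcspn(p, " \t\n");        /* skip the selector, e.g. local2.debug */
    const char *sep = p;
    p += strspn(p, " \t");           /* the separator run */
    if (*p == '\0' || *p == '\n')
        return -2;
    return memchr(sep, ' ', (size_t)(p - sep)) ? -1 : 1;
}

/* Walks a whole file's text and counts the lines that fail the check. */
int count_bad_lines(const char *text) {
    int bad = 0;
    while (*text != '\0') {
        if (check_syslog_line(text) < 0)
            bad++;
        text += strcspn(text, "\n");
        if (*text == '\n')
            text++;
    }
    return bad;
}

int main(void) {
    /* Constructed sample: the last rule uses spaces instead of tabs. */
    const char *conf = "# sudo logging\n"
                       "local2.debug\t/var/log/sudo\n"
                       "local2.debug    @loghost\n";
    printf("%d bad line(s)\n", count_bad_lines(conf));
    return 0;
}
```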
43: Q) When sudo asks me for my password it never accepts what I enter even
44: though I know I entered my password correctly.
45: A) If your system uses shadow passwords, it is possible that sudo
46: didn't detect this. Take a look at the generated config.h file
47: and verify that the C function used for shadow password lookups
48: was detected. For instance, for SVR4-style shadow passwords,
49: HAVE_GETSPNAM should be defined (you can search for the string
50: "shadow passwords" in config.h with your editor). Note that
51: there is no define for 4.4BSD-based shadow passwords since that
52: just uses the standard getpw* routines.
53:
54: Q) I don't want the sudoers file in /etc, how can I specify where it
55: should go?
56: A) Use the --sysconfdir option to configure. Ie:
57: configure --sysconfdir=/dir/you/want/sudoers/in
58:
59: Q) Can I put the sudoers file in NIS/NIS+ or do I have to have a
60: copy on each machine?
61: A) There is no support for making an NIS/NIS+ map/table out of
62: the sudoers file at this time. A good way to distribute the
63: sudoers file is via rdist(1). It is also possible to NFS-mount
64: the sudoers file.
65:
66: Q) I don't run sendmail on my machine. Does this mean that I cannot
67: use sudo?
68: A) No, you just need to use the --without-sendmail argument to configure
69: or add "!mailerpath" to the Defaults line in /etc/sudoers.
70:
71: Q) When I run visudo it uses vi as the editor and I hate vi. How
72: can I make it use another editor?
73: A) Your best bet is to run configure with the --with-env-editor switch.
74: This will make visudo use the editor specified by the user's
75: EDITOR environment variable. Alternately, you can run configure
76: with the --with-editor=/path/to/another/editor.
77:
78: Q) Sudo appears to be removing some variables from my environment, why?
79: A) Sudo removes the following "dangerous" environment variables
80: to guard against shared library spoofing, shell voodoo, and
81: kerberos server spoofing.
82: IFS
83: LOCALDOMAIN
84: RES_OPTIONS
85: HOSTALIASES
1.2.6.1 ! millert 86: NLSPATH
! 87: PATH_LOCALE
! 88: TERMINFO
! 89: TERMINFO_DIRS
! 90: TERMPATH
! 91: TERMCAP
1.1 millert 92: ENV
93: BASH_ENV
1.2.6.1 ! millert 94: LC_* (if it contains a '/' or '%')
! 95: LANG (if it contains a '/' or '%')
! 96: LANGUAGE (if it contains a '/' or '%')
1.1 millert 97: LD_*
98: _RLD_*
99: SHLIB_PATH (HP-UX only)
1.2.6.1 ! millert 100: LIBPATH (AIX only)
1.1 millert 101: KRB_CONF (kerb4 only)
1.2.6.1 ! millert 102: KRBCONFDIR (kerb4 only)
! 103: KRBTKFILE (kerb4 only)
1.1 millert 104: KRB5_CONFIG (kerb5 only)
1.2.6.1 ! millert 105: VAR_ACE (SecurID only)
! 106: USR_ACE (SecurID only)
! 107: DLC_ACE (SecurID only)
1.1 millert 108:
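The filtering rules in the list above (exact names, the LD_ and _RLD_ prefixes, and locale variables rejected only when their value contains '/' or '%') can be expressed as follows. This is an added example and not sudo's own source; the function names are hypothetical, the sample environment is constructed, and the platform-specific entries are removed unconditionally as a simplification.

```c
#include <stdio.h>
#include <string.h>
/* Names removed outright, from the list above. Platform-specific entries
 * (HP-UX, AIX, Kerberos, SecurID) are dropped unconditionally in this example. */
static const char *const exact_names[] = {
    "IFS", "LOCALDOMAIN", "RES_OPTIONS", "HOSTALIASES", "NLSPATH",
    "PATH_LOCALE", "TERMINFO", "TERMINFO_DIRS", "TERMPATH", "TERMCAP",
    "ENV", "BASH_ENV", "SHLIB_PATH", "LIBPATH", "KRB_CONF", "KRBCONFDIR",
    "KRBTKFILE", "KRB5_CONFIG", "VAR_ACE", "USR_ACE", "DLC_ACE", NULL
};
static const char *const prefix_names[] = { "LD_", "_RLD_", NULL };
static int name_is(const char *entry, size_t nlen, const char *name) {
    return strlen(name) == nlen && strncmp(entry, name, nlen) == 0;
}

/* Returns 1 if a "NAME=value" entry must be dropped, 0 if it may stay. */
int env_is_dangerous(const char *entry) {
    const char *eq = strchr(entry, '=');
    if (eq == NULL) return 1;   /* no '=': this example refuses to pass it on */
    size_t nlen = (size_t)(eq - entry);
    for (size_t i = 0; exact_names[i] != NULL; i++)
        if (name_is(entry, nlen, exact_names[i]))
            return 1;
    for (size_t i = 0; prefix_names[i] != NULL; i++)
        if (strncmp(entry, prefix_names[i], strlen(prefix_names[i])) == 0)
            return 1;
    /* Locale variables go only when the value contains '/' or '%'. */
    if (strncmp(entry, "LC_", 3) == 0 || name_is(entry, nlen, "LANG") ||
        name_is(entry, nlen, "LANGUAGE"))
        return strpbrk(eq + 1, "/%") != NULL;
    return 0;
}

/* Compacts a NULL-terminated envp in place; returns how many entries remain. */
size_t scrub_env(char **envp) {
    size_t kept = 0;
    for (size_t i = 0; envp[i] != NULL; i++)
        if (!env_is_dangerous(envp[i]))
            envp[kept++] = envp[i];
    envp[kept] = NULL;
    return kept;
}

int main(void) {
    char *env[] = { "PATH=/usr/bin", "LD_PRELOAD=/tmp/x.so", "LANG=C",
                    "LC_ALL=../../x", "BASH_ENV=/tmp/rc", NULL }; /* constructed */
    printf("%zu kept\n", scrub_env(env));
    return 0;
}
```

Matching on the full name length is what keeps ENVIRON from being treated as ENV and TERMINFO_DIRS from being confused with TERMINFO.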
109: Q) How can I keep sudo from asking for a password?
110: A) To specify this on a per-user (and per-command) basis, use the 'NOPASSWD'
111: tag right before the command list in sudoers. See the sudoers man page
112: and sample.sudoers for details. To disable passwords completely,
113: run configure with the --without-passwd option or add "!authenticate"
114: to the Defaults line in /etc/sudoers. You can also turn off authentication
115: on a per-user or per-host basis using a user or host-specific Defaults
116: entry in sudoers.
117:
118: Q) When I run configure, it dies with the following error:
119: "no acceptable cc found in $PATH".
120: A) /usr/ucb/cc was the only C compiler that configure could find.
121: You need to tell configure the path to the "real" C compiler
122: via the --with-CC option. On Solaris, the path is probably
123: something like "/opt/SUNWspro/SC4.0/bin/cc". If you have gcc
124: that will also work.
125:
126: Q) When I run configure, it dies with the following error:
127: Fatal Error: config.cache exists from another platform!
128: Please remove it and re-run configure.
129: A) configure caches the results of its tests in a file called
130: config.cache to make re-running configure speedy. However,
131: if you are building sudo for a different platform the results
132: in config.cache will be wrong so you need to remove config.cache.
133: You can do this by "rm config.cache" or "make realclean".
134: Note that "make realclean" will also remove any object files
135: and configure temp files that are lying around as well.
136:
137: Q) I built sudo on a Solaris >= 2.6 machine but the resulting binary
138: doesn't work on Solaris <= 2.5.1. Why?
139: A) Starting with Solaris 2.6, snprintf(3) is included in the standard
140: C library. To build a version of sudo on a >= 2.6 machine that
141: will run on a <= 2.5.1 machine, edit config.h and comment out the lines:
142: #define HAVE_SNPRINTF 1
143: #define HAVE_VSNPRINTF 1
144: and run make.
145:
146: Q) When I run "visudo" it says "sudoers file busy, try again later."
147: and doesn't do anything.
148: A) Someone else is currently editing the sudoers file with visudo.
149:
150: Q) When I try to use "cd" with sudo it says "cd: command not found".
151: A) "cd" is a shell builtin, you can't run it as a command since
152: a child process (sudo) cannot affect the current working directory
153: of the parent (your shell).
154:
155: Q) When I try to use "cd" with sudo the command completes without
156: errors but nothing happens.
157: A) Some SVR4-derived OS's include a /usr/bin/cd command for reasons
158: unfathomable. A "cd" command is totally useless since a child process
159: cannot affect the current working directory of the parent (your shell).
1.2.6.1 ! millert 160:
! 161: Q) When I run sudo it says I am not allowed to run the command as root
! 162: but I don't want to run it as root, I want to run it as another user.
! 163: My sudoers file entry looks like:
! 164: bob ALL=(oracle) ALL
! 165: A) The default user sudo tries to run things as is always root, even if
! 166: the invoking user can only run commands as a single, specific user.
! 167: This may change in the future but at the present time you have to
! 168: work around this using the 'runas_default' option in sudoers.
! 169: For example:
! 170: Defaults:bob runas_default=oracle
! 171: would achieve the desired result for the preceding sudoers fragment.
1.1 millert 172:
173: Q) How do you pronounce `sudo'?
174: A) soo-doo (for superuser do).