Troubleshooting tips and FAQ for Sudo
=====================================

Q) When I run configure, it says "C compiler cannot create executables".
A) This usually means you don't have a working compiler. This
could be due to the lack of a license or that some component of the
compiler suite could not be found. Check config.log for clues as
to why this is happening. On many systems, compiler components live
in /usr/ccs/bin which may not be in your PATH environment variable.

Q) Sudo compiles but when I run it I get "Sorry, sudo must be setuid root."
A) Sudo must be setuid root to do its work. You need to do something like
`chmod 4111 /usr/local/bin/sudo'. Also, the file system sudo resides
on must *not* be mounted (or exported) with the nosuid option or sudo
will not be able to work. Another possibility is you may have '.' in
your $PATH before the directory containing sudo. If you are going
to have '.' in your path you should make sure it is at the end.
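
The three causes named in this answer can be checked mechanically. The sh functions below are an added example, not part of the sudo distribution; the function names and the SUDO_BIN variable are made up for illustration, and the default path is the one from the chmod line above.

```sh
#!/bin/sh
# Added example (not from the sudo distribution): checks for the causes the
# answer lists for "Sorry, sudo must be setuid root."

# Succeeds only if FILE is owned by root and has the setuid bit set.
is_setuid_root() {
    [ -n "$(find "$1" -prune -perm -4000 -user root 2>/dev/null)" ]
}

# Succeeds if the comma-separated mount OPTIONS string contains nosuid.
has_nosuid() {
    case ",$1," in *,nosuid,*) return 0 ;; esac
    return 1
}

# Succeeds (problem found) if "." or an empty entry, which also means the
# current directory, is searched before DIR in the colon-separated PATHSTR.
dot_before_dir() {
    rest=$1:
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            "$2") return 1 ;;   # reached sudo's directory first: fine
            .|"") return 0 ;;   # current directory comes first
        esac
    done
    return 1
}

# Print one line per finding for the sudo binary at $1.
check_sudo() {
    bin=$1
    dir=$(dirname "$bin")
    if is_setuid_root "$bin"; then
        echo "ok: $bin is setuid root"
    else
        echo "problem: $bin is not setuid root"
    fi
    if dot_before_dir "$PATH" "$dir"; then
        echo "problem: the current directory is searched before $dir"
    fi
}

# Default path taken from the chmod example in the answer.
check_sudo "${SUDO_BIN:-/usr/local/bin/sudo}"
```

Pass the mount options of the file system that holds sudo to has_nosuid; how to list them differs between platforms.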

Q) Sudo never gives me a chance to enter a password using PAM, it just
says 'Sorry, try again.' three times and exits.
A) You didn't set up PAM to work with sudo. On Red Hat Linux or Fedora
Core this generally means installing sample.pam as /etc/pam.d/sudo.
See the sample.pam file for hints on what to use for other Linux

Q) Sudo says 'Account expired or PAM config lacks an "account"
section for sudo, contact your system administrator' and exits
but I know my account has not expired.
A) Your PAM config lacks an "account" specification. On Linux this
usually means you are missing a line like:
    account required pam_unix.so

Q) Sudo is set up to log via syslog(3) but I'm not getting any log
A) Make sure you have an entry in your syslog.conf file to save
the sudo messages (see the sample.syslog.conf file). The default
log facility is local2 (changeable via configure). Don't forget
to send a SIGHUP to your syslogd so that it re-reads its conf file.
Also, remember that syslogd does *not* create log files; you need to
create the file before syslogd will log to it (i.e., touch /var/log/sudo).
Note: the facility ("local2.debug") must be separated from the
destination ("/var/adm/sudo.log" or "@loghost") by
tabs, *not* spaces. This is a common error.
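
Both mistakes this answer warns about (spaces instead of tabs, and a log file that does not exist yet) can be found with a small lint. This is an added sh/awk example, not part of the sudo distribution; the function names are made up and the sample entries are constructed from the values quoted above.

```sh
#!/bin/sh
# Added example (not from the sudo distribution): lint syslog.conf-style
# input for the two mistakes described in the answer above.

# Read syslog.conf text on stdin and print "LINENO: line" for each entry
# whose facility and destination are separated by anything but tabs only.
space_separated_lines() {
    awk '
        /^[ \t]*#/ { next }                 # comment
        /^[ \t]*$/ { next }                 # blank line
        match($0, /^[^ \t]+[ \t]+/) {
            sep = substr($0, 1, RLENGTH)    # facility plus separator
            sub(/^[^ \t]+/, "", sep)        # keep only the separator
            if (index(sep, " ")) print NR ": " $0
        }'
}

# Read syslog.conf text on stdin and print each file destination that does
# not exist yet; syslogd will not create it.
missing_logfiles() {
    awk '!/^[ \t]*#/ && NF >= 2 && $2 ~ /^\// { print $2 }' |
    while IFS= read -r f; do
        [ -e "$f" ] || printf '%s\n' "$f"
    done
}

# Constructed sample entries; \t is written out as a real tab.
sample_conf() {
    printf '# sudo logging\n'
    printf 'local2.debug\t/var/log/sudo\n'
    printf 'local2.debug    /var/adm/sudo.log\n'
    printf 'local2.debug \t@loghost\n'
}

# Flags lines 3 and 4 of the sample (spaces, and a space before the tab).
sample_conf | space_separated_lines
```

Run both functions against the real file with input redirection, for example `space_separated_lines < /etc/syslog.conf`.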

Q) When sudo asks me for my password it never accepts what I enter even
though I know I entered my password correctly.
A) If your system uses shadow passwords, it is possible that sudo
didn't detect this. Take a look at the generated config.h file
and verify that the C function used for shadow password lookups
was detected. For instance, for SVR4-style shadow passwords,
HAVE_GETSPNAM should be defined (you can search for the string
"shadow passwords" in config.h with your editor). Note that
there is no define for 4.4BSD-based shadow passwords since that
just uses the standard getpw* routines.

Q) I don't want the sudoers file in /etc, how can I specify where it
A) Use the --sysconfdir option to configure, i.e.:
    configure --sysconfdir=/dir/you/want/sudoers/in

Q) Can I put the sudoers file in NIS/NIS+ or do I have to have a
A) There is no support for making an NIS/NIS+ map/table out of
the sudoers file at this time. A good way to distribute the
sudoers file is via rdist(1). It is also possible to NFS-mount

Q) I don't run sendmail on my machine. Does this mean that I cannot
A) No, you just need to use the --without-sendmail argument to configure
or add "!mailerpath" to the Defaults line in /etc/sudoers.

Q) When I run visudo it uses vi as the editor and I hate vi. How
can I make it use another editor?
A) Your best bet is to run configure with the --with-env-editor switch.
This will make visudo use the editor specified by the user's
EDITOR environment variable. Alternatively, you can run configure
with the --with-editor=/path/to/another/editor option.

Q) Sudo appears to be removing some variables from my environment, why?
A) Sudo removes the following "dangerous" environment variables
to guard against shared library spoofing, shell voodoo, and
Kerberos server spoofing.
    LC_ (if it contains a '/' or '%')
    LANG (if it contains a '/' or '%')
    LANGUAGE (if it contains a '/' or '%')
    SHLIB_PATH (HP-UX only)
    KRB_CONF (kerb4 only)
    KRBCONFDIR (kerb4 only)
    KRBTKFILE (kerb4 only)
    KRB5_CONFIG (kerb5 only)
    VAR_ACE (SecurID only)
    USR_ACE (SecurID only)
    DLC_ACE (SecurID only)
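
To see which variables of a given environment fall under these rules, the list can be turned into a filter. This is an added sh example, not sudo's own code; it covers only the names visible in the list above, reads the LC_ entry as a name prefix, and uses made-up function names and a constructed sample environment.

```sh
#!/bin/sh
# Added example (not sudo's own code): apply the removal rules listed above.
# Only the variable names visible in that list are covered.

# Succeeds if a variable NAME with VALUE would be removed.
sudo_would_remove() {
    case $1 in
        LC_*|LANG|LANGUAGE)
            # removed only when the value contains '/' or '%'
            case $2 in */*|*%*) return 0 ;; esac
            return 1 ;;
        SHLIB_PATH|KRB_CONF|KRBCONFDIR|KRBTKFILE|KRB5_CONFIG|VAR_ACE|USR_ACE|DLC_ACE)
            # the platform qualifiers (HP-UX, kerb4, kerb5, SecurID)
            # are ignored in this sketch
            return 0 ;;
    esac
    return 1
}

# Filter NAME=VALUE lines on stdin, printing only those that are kept.
# Values containing newlines are not handled by this line-based reader.
scrub_env() {
    while IFS= read -r line; do
        sudo_would_remove "${line%%=*}" "${line#*=}" || printf '%s\n' "$line"
    done
}

# Constructed sample environment.
sample_env() {
    printf '%s\n' 'LANG=en_US.UTF-8' 'LC_ALL=/tmp/x' 'LANGUAGE=%s' \
        'KRB5_CONFIG=/tmp/krb5.conf' 'LC_TIME=C' 'HOME=/home/bob'
}

# Keeps LANG, LC_TIME and HOME; drops the other three.
sample_env | scrub_env
```

`env | scrub_env` applies the same filter to the current environment.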

Q) How can I keep sudo from asking for a password?
A) To specify this on a per-user (and per-command) basis, use the 'NOPASSWD'
tag right before the command list in sudoers. See the sudoers man page
and sample.sudoers for details. To disable passwords completely,
run configure with the --without-passwd option or add "!authenticate"
to the Defaults line in /etc/sudoers. You can also turn off authentication
on a per-user or per-host basis using a user or host-specific Defaults

Q) When I run configure, it dies with the following error:
    "no acceptable cc found in $PATH".
A) /usr/ucb/cc was the only C compiler that configure could find.
You need to tell configure the path to the "real" C compiler
via the --with-CC option. On Solaris, the path is probably
something like "/opt/SUNWspro/SC4.0/bin/cc". If you have gcc

Q) When I run configure, it dies with the following error:
    Fatal Error: config.cache exists from another platform!
    Please remove it and re-run configure.
A) configure caches the results of its tests in a file called
config.cache to make re-running configure speedy. However,
if you are building sudo for a different platform the results
in config.cache will be wrong so you need to remove config.cache.
You can do this by "rm config.cache" or "make realclean".
Note that "make realclean" will also remove any object files
and configure temp files that are lying around as well.

Q) I built sudo on a Solaris >= 2.6 machine but the resulting binary
doesn't work on Solaris <= 2.5.1. Why?
A) Starting with Solaris 2.6, snprintf(3) is included in the standard
C library. To build a version of sudo on a >= 2.6 machine that
will run on a <= 2.5.1 machine, edit config.h and comment out the lines:
    #define HAVE_SNPRINTF 1
    #define HAVE_VSNPRINTF 1

Q) When I run "visudo" it says "sudoers file busy, try again later."
and doesn't do anything.
A) Someone else is currently editing the sudoers file with visudo.

Q) When I try to use "cd" with sudo it says "cd: command not found".
A) "cd" is a shell built-in command; you can't run it as a command
since a child process (sudo) cannot affect the current working
directory of the parent (your shell).

Q) When I try to use "cd" with sudo the command completes without
errors but nothing happens.
A) Some SVR4-derived OSes include a /usr/bin/cd command for reasons
unfathomable. A "cd" command is totally useless since a child process
cannot affect the current working directory of the parent (your shell).

Q) When I run sudo it says I am not allowed to run the command as root
but I don't want to run it as root, I want to run it as another user.
My sudoers file entry looks like:
A) The default user sudo tries to run things as is always root, even if
the invoking user can only run commands as a single, specific user.
This may change in the future but at the present time you have to
work around this using the 'runas_default' option in sudoers.
    Defaults:bob runas_default=oracle
would achieve the desired result for the preceding sudoers fragment.

Q) How do you pronounce `sudo'?
A) The official pronunciation is soo-doo (for su "do"). However, an
alternate pronunciation, a homophone of "pseudo", is also common.