1 Troubleshooting tips and FAQ for Sudo
2 =====================================
4 Q) When I run configure, it says "C compiler cannot create executables".
5 A) This usually means you either don't have a working compiler. This
6 could be due to the lack of a license or that some component of the
7 compiler suite could not be found. Check config.log for clues as
8 to why this is happening. On many systems, compiler components live
9 in /usr/ccs/bin which may not be in your PATH environment variable.
11 Q) When I run configure, it says "sudo requires the 'ar' utility to build".
12 A) As part of the build process, sudo creates a temporary library containing
13 objects that are shared amongst the different sudo executables.
14 On Unix systems, the "ar" utility is used to do this. This error
15 indicates that "ar" is missing on your system. On Solaris systems,
16 you may need to install the SUNWbtool package. On other systems
17 "ar" may be included in the GNU binutils package.
19 Q) Sudo compiles but when I run it I get "Sorry, sudo must be setuid root."
21 A) Sudo must be setuid root to do its work. You need to do something like
22 `chmod 4111 /usr/local/bin/sudo'. Also, the file system sudo resides
23 on must *not* be mounted (or exported) with the nosuid option or sudo
24 will not be able to work. Another possibility is you may have '.' in
25 your $PATH before the directory containing sudo. If you are going
26 to have '.' in your path you should make sure it is at the end.
28 Q) Sudo never gives me a chance to enter a password using PAM, it just
29 says 'Sorry, try again.' three times and exits.
30 A) You didn't setup PAM to work with sudo. On RedHat Linux or Fedora
31 Core this generally means installing sample.pam as /etc/pam.d/sudo.
32 See the sample.pam file for hints on what to use for other Linux
35 Q) Sudo says 'Account expired or PAM config lacks an "account"
36 section for sudo, contact your system administrator' and exits
37 but I know my account has not expired.
38 A) Your PAM config lacks an "account" specification. On Linux this
39 usually means you are missing a line like:
40 account required pam_unix.so
43 Q) Sudo is setup to log via syslog(3) but I'm not getting any log
45 A) Make sure you have an entry in your syslog.conf file to save
46 the sudo messages (see the sample.syslog.conf file). The default
47 log facility is authpriv (changeable via configure or in sudoers).
48 Don't forget to send a SIGHUP to your syslogd so that it re-reads
49 its conf file. Also, remember that syslogd does *not* create
50 log files, you need to create the file before syslogd will log
51 to it (ie: touch /var/log/sudo).
52 Note: the facility (e.g. "auth.debug") must be separated from the
53 destination (e.g. "/var/log/auth" or "@loghost") by
54 tabs, *not* spaces. This is a common error.
56 Q) When sudo asks me for my password it never accepts what I enter even
57 though I know I entered my password correctly.
58 A) If you are not using pam and your system uses shadow passwords,
59 it is possible that sudo didn't properly detect that shadow
60 passwords are in use. Take a look at the generated config.h
61 file and verify that the C function used for shadow password
62 look ups was detected. For instance, for SVR4-style shadow
63 passwords, HAVE_GETSPNAM should be defined (you can search for
64 the string "shadow passwords" in config.h with your editor).
65 Note that there is no define for 4.4BSD-based shadow passwords
66 since that just uses the standard getpw* routines.
68 Q) Can sudo use the ssh agent for authentication instead of asking
69 for the user's Unix password?
70 A) Not directly, but you can use a PAM module like pam_ssh_agent_auth
71 or pam_ssh for this purpose.
73 Q) I don't want the sudoers file in /etc, how can I specify where it
75 A) Use the --sysconfdir option to configure. Ie:
76 configure --sysconfdir=/dir/you/want/sudoers/in
78 Q) Can I put the sudoers file in NIS/NIS+ or do I have to have a
80 A) There is no support for making an NIS/NIS+ map/table out of
81 the sudoers file at this time. You can distribute the sudoers
82 file via rsync or rdist. It is also possible to NFS-mount the
83 sudoers file. If you use LDAP at your site you may be interested
84 in sudo's LDAP sudoers support, see the README.LDAP file and the
87 Q) I don't run sendmail on my machine. Does this mean that I cannot
89 A) No, you just need to disable mailing with a line like:
91 in your sudoers file or run configure with the --without-sendmail
94 Q) When I run visudo it uses vi as the editor and I hate vi. How
95 can I make it use another editor?
96 A) You can specify the editor to use in visudo in the sudoers file.
97 See the "editor" and "env_editor" entries in the sudoers manual.
98 The defaults can also be set at configure time using the
99 --with-editor and --with-env-editor configure options.
101 Q) Sudo appears to be removing some variables from my environment, why?
102 A) Sudo removes the following "dangerous" environment variables
103 to guard against shared library spoofing, shell voodoo, and
104 kerberos server spoofing.
117 LC_ (if it contains a '/' or '%')
118 LANG (if it contains a '/' or '%')
119 LANGUAGE (if it contains a '/' or '%')
122 SHLIB_PATH (HP-UX only)
124 KRB5_CONFIG (kerb5 only)
125 VAR_ACE (SecurID only)
126 USR_ACE (SecurID only)
127 DLC_ACE (SecurID only)
129 Q) How can I keep sudo from asking for a password?
130 A) To specify this on a per-user (and per-command) basis, use the
131 'NOPASSWD' tag right before the command list in sudoers. See
132 the sudoers man page and sample.sudoers for details. To disable
133 passwords completely, add !authenticate" to the Defaults line
134 in /etc/sudoers. You can also turn off authentication on a
135 per-user or per-host basis using a user or host-specific Defaults
136 entry in sudoers. To hard-code the global default, you can
137 configure with the --without-passwd option.
139 Q) When I run configure, it dies with the following error:
140 "no acceptable cc found in $PATH".
141 A) /usr/ucb/cc was the only C compiler that configure could find.
142 You need to tell configure the path to the "real" C compiler
143 via the --with-CC option. On Solaris, the path is probably
144 something like "/opt/SUNWspro/SC4.0/bin/cc". If you have gcc
147 Q) When I run configure, it dies with the following error:
148 Fatal Error: config.cache exists from another platform!
149 Please remove it and re-run configure.
150 A) configure caches the results of its tests in a file called
151 config.cache to make re-running configure speedy. However,
152 if you are building sudo for a different platform the results
153 in config.cache will be wrong so you need to remove config.cache.
154 You can do this by "rm config.cache" or "make realclean".
155 Note that "make realclean" will also remove any object files
156 and configure temp files that are laying around as well.
158 Q) I built sudo on a Solaris >= 2.6 machine but the resulting binary
159 doesn't work on Solaris <= 2.5.1. Why?
160 A) Starting with Solaris 2.6, snprintf(3) is included in the standard
161 C library. To build a version of sudo on a >= 2.6 machine that
162 will run on a <= 2.5.1 machine, edit config.h and comment out the lines:
163 #define HAVE_SNPRINTF 1
164 #define HAVE_VSNPRINTF 1
167 Q) When I run "visudo" it says "sudoers file busy, try again later."
168 and doesn't do anything.
169 A) Someone else is currently editing the sudoers file with visudo.
171 Q) When I try to use "cd" with sudo it says "cd: command not found".
172 A) "cd" is a shell built-in command, you can't run it as a command
173 since a child process (sudo) cannot affect the current working
174 directory of the parent (your shell).
176 Q) When I try to use "cd" with sudo the command completes without
177 errors but nothing happens.
178 A) Even though "cd" is a shell built-in command, some operating systems
179 include a /usr/bin/cd command for some reason. A standalone
180 "cd" command is totally useless since a child process (cd) cannot
181 affect the current working directory of the parent (your shell).
182 Thus, "sudo cd /foo" will start a child process, change the
183 directory and immediately exit without doing anything useful.
185 Q) When I run sudo it says I am not allowed to run the command as root
186 but I don't want to run it as root, I want to run it as another user.
187 My sudoers file entry looks like:
189 A) The default user sudo tries to run things as is always root, even if
190 the invoking user can only run commands as a single, specific user.
191 This may change in the future but at the present time you have to
192 work around this using the 'runas_default' option in sudoers.
194 Defaults:bob runas_default=oracle
195 would achieve the desired result for the preceding sudoers fragment.
197 Q) When I try to run sudo via ssh, I get the error:
198 sudo: no tty present and no askpass program specified
199 A) ssh does not allocate a tty by default when running a remote command.
200 Without a tty, sudo cannot disable echo when prompting for a password.
201 You can use ssh's "-t" option to force it to allocate a tty.
202 Alternately, if you do not mind your password being echoed to the
203 screen, you can use the "visiblepw" sudoers option to allow this.
205 Q) When I run sudo on AIX I get the following error:
206 setuidx(ID_EFFECTIVE|ID_REAL|ID_SAVED, ROOT_UID): Operation not permitted.
207 A) AIX's Enhanced RBAC is preventing sudo from running. To fix
208 this, add the following entry to /etc/security/privcmds (adjust
209 the path to sudo as needed) and run the setkst command as root:
212 accessauths = ALLOW_ALL
213 innateprivs = PV_DAC_UID,PV_DAC_GID
216 Q) How do you pronounce `sudo'?
217 A) The official pronunciation is soo-doo (for su "do"). However, an
218 alternate pronunciation, a homophone of "pseudo", is also common.