1 Troubleshooting tips and FAQ for Sudo
2 =====================================
4 Q) When I run configure, it says "C compiler cannot create executables".
5 A) This usually means you either don't have a working compiler. This
6 could be due to the lack of a license or that some component of the
7 compiler suite could not be found. Check config.log for clues as
8 to why this is happening. On many systems, compiler components live
9 in /usr/ccs/bin which may not be in your PATH environment variable.
11 Q) When I run configure, it says "sudo requires the 'ar' utility to build".
12 A) As part of the build process, sudo creates a temporary library containing
13 objects that are shared amongst the different sudo executables.
14 On Unix systems, the "ar" utility is used to do this. This error
15 indicates that "ar" is missing on your system. On Solaris systems,
16 you may need to install the SUNWbtool package. On other systems
17 "ar" may be included in the GNU binutils package.
19 Q) Sudo compiles and installs OK but when I try to run it I get:
20 /usr/local/bin/sudo must be owned by uid 0 and have the setuid bit set
21 A) Sudo must be setuid root to do its work. Either /usr/local/bin/sudo
22 is not owned by uid 0 or the setuid bit is not set. This should have
23 been done for you by "make install" but you can fix it manually by
24 running the following as root:
25 # chown root /usr/local/bin/sudo; chmod 4111 /usr/local/bin/sudo
27 Q) Sudo compiles and installs OK but when I try to run it I get:
28 effective uid is not 0, is /usr/local/bin/sudo on a file system with the
29 'nosuid' option set or an NFS file system without root privileges?
30 A) The owner and permissions on the sudo binary appear to be OK but when
31 sudo ran, the setuid bit did not have an effect. There are two common
32 causes for this. The first is that the file system the sudo binary
33 is located on is mounted with the 'nosuid' mount option, which disables
34 setuid binaries. The other is that sudo is installed on an NFS-mounted
35 file system that is exported without root privileges. By default, NFS
36 file systems are exported with uid 0 mapped to a non-privileged uid
39 You need to do something like
40 `chmod 4111 /usr/local/bin/sudo'. Also, the file system sudo resides
41 on must *not* be mounted (or exported) with the nosuid option or sudo
42 will not be able to work. Another possibility is you may have '.' in
43 your $PATH before the directory containing sudo. If you are going
44 to have '.' in your path you should make sure it is at the end.
46 Q) Sudo never gives me a chance to enter a password using PAM, it just
47 says 'Sorry, try again.' three times and exits.
48 A) You didn't setup PAM to work with sudo. On RedHat Linux or Fedora
49 Core this generally means installing sample.pam as /etc/pam.d/sudo.
50 See the sample.pam file for hints on what to use for other Linux
53 Q) Sudo says 'Account expired or PAM config lacks an "account"
54 section for sudo, contact your system administrator' and exits
55 but I know my account has not expired.
56 A) Your PAM config lacks an "account" specification. On Linux this
57 usually means you are missing a line like:
58 account required pam_unix.so
61 Q) Sudo is setup to log via syslog(3) but I'm not getting any log
63 A) Make sure you have an entry in your syslog.conf file to save
64 the sudo messages (see the sample.syslog.conf file). The default
65 log facility is authpriv (changeable via configure or in sudoers).
66 Don't forget to send a SIGHUP to your syslogd so that it re-reads
67 its conf file. Also, remember that syslogd does *not* create
68 log files, you need to create the file before syslogd will log
69 to it (ie: touch /var/log/sudo).
70 Note: the facility (e.g. "auth.debug") must be separated from the
71 destination (e.g. "/var/log/auth" or "@loghost") by
72 tabs, *not* spaces. This is a common error.
74 Q) When sudo asks me for my password it never accepts what I enter even
75 though I know I entered my password correctly.
76 A) If you are not using pam and your system uses shadow passwords,
77 it is possible that sudo didn't properly detect that shadow
78 passwords are in use. Take a look at the generated config.h
79 file and verify that the C function used for shadow password
80 look ups was detected. For instance, for SVR4-style shadow
81 passwords, HAVE_GETSPNAM should be defined (you can search for
82 the string "shadow passwords" in config.h with your editor).
83 Note that there is no define for 4.4BSD-based shadow passwords
84 since that just uses the standard getpw* routines.
86 Q) Can sudo use the ssh agent for authentication instead of asking
87 for the user's Unix password?
88 A) Not directly, but you can use a PAM module like pam_ssh_agent_auth
89 or pam_ssh for this purpose.
91 Q) I don't want the sudoers file in /etc, how can I specify where it
93 A) Use the --sysconfdir option to configure. Ie:
94 configure --sysconfdir=/dir/you/want/sudoers/in
96 Q) Can I put the sudoers file in NIS/NIS+ or do I have to have a
98 A) There is no support for making an NIS/NIS+ map/table out of
99 the sudoers file at this time. You can distribute the sudoers
100 file via rsync or rdist. It is also possible to NFS-mount the
101 sudoers file. If you use LDAP at your site you may be interested
102 in sudo's LDAP sudoers support, see the README.LDAP file and the
105 Q) I don't run sendmail on my machine. Does this mean that I cannot
107 A) No, you just need to disable mailing with a line like:
109 in your sudoers file or run configure with the --without-sendmail
112 Q) When I run visudo it uses vi as the editor and I hate vi. How
113 can I make it use another editor?
114 A) You can specify the editor to use in visudo in the sudoers file.
115 See the "editor" and "env_editor" entries in the sudoers manual.
116 The defaults can also be set at configure time using the
117 --with-editor and --with-env-editor configure options.
119 Q) Sudo appears to be removing some variables from my environment, why?
120 A) Sudo removes the following "dangerous" environment variables
121 to guard against shared library spoofing, shell voodoo, and
122 kerberos server spoofing.
135 LC_ (if it contains a '/' or '%')
136 LANG (if it contains a '/' or '%')
137 LANGUAGE (if it contains a '/' or '%')
140 SHLIB_PATH (HP-UX only)
142 KRB5_CONFIG (kerb5 only)
143 VAR_ACE (SecurID only)
144 USR_ACE (SecurID only)
145 DLC_ACE (SecurID only)
147 Q) How can I keep sudo from asking for a password?
148 A) To specify this on a per-user (and per-command) basis, use the
149 'NOPASSWD' tag right before the command list in sudoers. See
150 the sudoers man page and sample.sudoers for details. To disable
151 passwords completely, add !authenticate" to the Defaults line
152 in /etc/sudoers. You can also turn off authentication on a
153 per-user or per-host basis using a user or host-specific Defaults
154 entry in sudoers. To hard-code the global default, you can
155 configure with the --without-passwd option.
157 Q) When I run configure, it dies with the following error:
158 "no acceptable cc found in $PATH".
159 A) /usr/ucb/cc was the only C compiler that configure could find.
160 You need to tell configure the path to the "real" C compiler
161 via the --with-CC option. On Solaris, the path is probably
162 something like "/opt/SUNWspro/SC4.0/bin/cc". If you have gcc
165 Q) When I run configure, it dies with the following error:
166 Fatal Error: config.cache exists from another platform!
167 Please remove it and re-run configure.
168 A) configure caches the results of its tests in a file called
169 config.cache to make re-running configure speedy. However,
170 if you are building sudo for a different platform the results
171 in config.cache will be wrong so you need to remove config.cache.
172 You can do this by "rm config.cache" or "make realclean".
173 Note that "make realclean" will also remove any object files
174 and configure temp files that are laying around as well.
176 Q) I built sudo on a Solaris >= 2.6 machine but the resulting binary
177 doesn't work on Solaris <= 2.5.1. Why?
178 A) Starting with Solaris 2.6, snprintf(3) is included in the standard
179 C library. To build a version of sudo on a >= 2.6 machine that
180 will run on a <= 2.5.1 machine, edit config.h and comment out the lines:
181 #define HAVE_SNPRINTF 1
182 #define HAVE_VSNPRINTF 1
185 Q) I built sudo on a Solaris 11 (or higher) machine but the resulting
186 binary doesn't work older Solaris versions. Why?
188 A) Starting with Solaris 11, asprintf(3) is included in the standard
189 C library. To build a version of sudo on a Solaris 11 machine that
190 will run on an older Solaris release, edit config.h and comment out
192 #define HAVE_ASPRINTF 1
193 #define HAVE_VASPRINTF 1
196 Q) When I run "visudo" it says "sudoers file busy, try again later."
197 and doesn't do anything.
198 A) Someone else is currently editing the sudoers file with visudo.
200 Q) When I try to use "cd" with sudo it says "cd: command not found".
201 A) "cd" is a shell built-in command, you can't run it as a command
202 since a child process (sudo) cannot affect the current working
203 directory of the parent (your shell).
205 Q) When I try to use "cd" with sudo the command completes without
206 errors but nothing happens.
207 A) Even though "cd" is a shell built-in command, some operating systems
208 include a /usr/bin/cd command for some reason. A standalone
209 "cd" command is totally useless since a child process (cd) cannot
210 affect the current working directory of the parent (your shell).
211 Thus, "sudo cd /foo" will start a child process, change the
212 directory and immediately exit without doing anything useful.
214 Q) When I run sudo it says I am not allowed to run the command as root
215 but I don't want to run it as root, I want to run it as another user.
216 My sudoers file entry looks like:
218 A) The default user sudo tries to run things as is always root, even if
219 the invoking user can only run commands as a single, specific user.
220 This may change in the future but at the present time you have to
221 work around this using the 'runas_default' option in sudoers.
223 Defaults:bob runas_default=oracle
224 would achieve the desired result for the preceding sudoers fragment.
226 Q) When I try to run sudo via ssh, I get the error:
227 sudo: no tty present and no askpass program specified
228 A) ssh does not allocate a tty by default when running a remote command.
229 Without a tty, sudo cannot disable echo when prompting for a password.
230 You can use ssh's "-t" option to force it to allocate a tty.
231 Alternately, if you do not mind your password being echoed to the
232 screen, you can use the "visiblepw" sudoers option to allow this.
234 Q) When I try to use SSL-enabled LDAP with sudo I get an error:
235 unable to initialize SSL cert and key db: security library: bad database.
236 you must set TLS_CERT in /etc/ldap.conf to use SSL
237 A) On systems that use a Mozilla-derived LDAP SDK there must be a
238 certificate database in place to use SSL-encrypted LDAP connections.
239 This file is usually /var/ldap/cert8.db or /etc/ldap/cert8.db.
240 The actual number after "cert" will vary, depending on the version
241 of the LDAP SDK that is being used. If you do not have a certificate
242 database you can either copy one from a mozilla-derived browser, such
243 as firefox, or create one using the "certutil" command. You can run
244 "certutil" as follows and press the <return> (or <enter>) key at the
246 # certutil -N -d /var/ldap
247 Enter a password which will be used to encrypt your keys.
248 The password should be at least 8 characters long,
249 and should contain at least one non-alphabetic character.
251 Enter new password: <return>
252 Re-enter password: <return>
254 Q) On HP-UX, when I run command via sudo it displays information
255 about the last successful login and last authentication failure
256 for every command. How can I fix this?
257 A) This output comes from /usr/lib/security/libpam_hpsec.so.1.
258 To suppress it, add a line like the following to /etc/pam.conf:
259 sudo session required libpam_hpsec.so.1 bypass_umask bypass_last_login
261 Q) On HP-UX, the umask setting in sudoers has no effect.
262 A) If your /etc/pam.conf file has the libpam_hpsec.so.1 session module
263 enabled, you may need to a add line like the following to pam.conf:
264 sudo session required libpam_hpsec.so.1 bypass_umask
266 Q) When I run sudo on AIX I get the following error:
267 setuidx(ID_EFFECTIVE|ID_REAL|ID_SAVED, ROOT_UID): Operation not permitted.
268 A) AIX's Enhanced RBAC is preventing sudo from running. To fix
269 this, add the following entry to /etc/security/privcmds (adjust
270 the path to sudo as needed) and run the setkst command as root:
273 accessauths = ALLOW_ALL
274 innateprivs = PV_DAC_GID,PV_DAC_O,PV_DAC_R,PV_DAC_UID,PV_DAC_W,PV_DAC_X,PV_FS_CHOWN,PV_PROC_ENV,PV_PROC_PRIO,PV_PROC_RAC
277 Q) Sudo configures and builds without error but when I run it I get
278 a Segmentation fault.
279 A) If you are on a Linux system, the first thing to try is to run
280 configure with the --disable-pie option, then "make clean" and
281 "make". If that fixes the problem then your operating system
282 does not properly support position independent executables.
283 Please send a message to sudo@sudo.ws with system details such
284 as the Linux distro, kernel version and CPU architecture.
286 Q) When I run configure I get the following error:
287 dlopen present but libtool doesn't appear to support your platform.
288 A) Libtool doesn't know how to support dynamic linking on the operating
289 system you are building for. If you are cross-compiling, you need to
290 specify the operating system, not just the CPU type. For example:
291 --host powerpc-unknown-linux
295 Q) How do you pronounce `sudo'?
296 A) The official pronunciation is soo-doo (for su "do"). However, an
297 alternate pronunciation, a homophone of "pseudo", is also common.