summaryrefslogtreecommitdiffstats
path: root/doc/TROUBLESHOOTING
blob: 3bb6f14b752574ca2a6475223ad4b4cb11bf5b3c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
Troubleshooting tips and FAQ for Sudo
=====================================

Q) When I run configure, it says "C compiler cannot create executables".
A) This usually means you either don't have a working compiler.  This
   could be due to the lack of a license or that some component of the
   compiler suite could not be found.  Check config.log for clues as
   to why this is happening.  On many systems, compiler components live
   in /usr/ccs/bin which may not be in your PATH environment variable.

Q) When I run configure, it says "sudo requires the 'ar' utility to build".
A) As part of the build process, sudo creates a temporary library containing
   objects that are shared amongst the different sudo executables.
   On Unix systems, the "ar" utility is used to do this.  This error
   indicates that "ar" is missing on your system.  On Solaris systems,
   you may need to install the SUNWbtool package.  On other systems
   "ar" may be included in the GNU binutils package.

Q) Sudo compiles and installs OK but when I try to run it I get:
   /usr/local/bin/sudo must be owned by uid 0 and have the setuid bit set
A) Sudo must be setuid root to do its work.  Either /usr/local/bin/sudo
   is not owned by uid 0 or the setuid bit is not set.  This should have
   been done for you by "make install" but you can fix it manually by
   running the following as root:
    # chown root /usr/local/bin/sudo; chmod 4755 /usr/local/bin/sudo

Q) Sudo compiles and installs OK but when I try to run it I get:
    effective uid is not 0, is /usr/local/bin/sudo on a file system with the
    'nosuid' option set or an NFS file system without root privileges?
A) The owner and permissions on the sudo binary appear to be OK but when
   sudo ran, the setuid bit did not have an effect.  There are two common
   causes for this.  The first is that the file system the sudo binary
   is located on is mounted with the 'nosuid' mount option, which disables
   setuid binaries.  The output of the "mount" command should tell you if
   the file system is mounted with the 'nosuid' option.  The other possible
   cause is that sudo is installed on an NFS-mounted file system that is
   exported without root privileges.  By default, NFS file systems are
   exported with uid 0 mapped to a non-privileged uid (usually -2).  You
   should be able to determine whether sudo is located on an NFS-mounted
   filesystem by running "df `which sudo'".

Q) Sudo never gives me a chance to enter a password using PAM, it just
   says 'Sorry, try again.' three times and exits.
A) You didn't setup PAM to work with sudo.  On RedHat Linux or Fedora
   Core this generally means installing the sample pam.conf file as
   /etc/pam.d/sudo.  See the example pam.conf file for hints on what
   to use for other Linux systems.

Q) Sudo says 'Account expired or PAM config lacks an "account"
   section for sudo, contact your system administrator' and exits
   but I know my account has not expired.
A) Your PAM config lacks an "account" specification.  On Linux this
   usually means you are missing a line like:
	account    required    pam_unix.so
   in /etc/pam.d/sudo.

Q) Sudo is setup to log via syslog(3) but I'm not getting any log
   messages.
A) Make sure you have an entry in your syslog.conf file to save
   the sudo messages (see the example syslog.conf file).  The default
   log facility is authpriv (changeable via configure or in sudoers).
   Don't forget to send a SIGHUP to your syslogd so that it re-reads
   its conf file.  Also, remember that syslogd does *not* create
   log files, you need to create the file before syslogd will log
   to it (ie: touch /var/log/sudo).
   Note:  the facility (e.g. "auth.debug") must be separated from the
	  destination (e.g. "/var/log/auth" or "@loghost") by
	  tabs, *not* spaces.  This is a common error.

Q) When sudo asks me for my password it never accepts what I enter even
   though I know I entered my password correctly.
A) If you are not using pam and your system uses shadow passwords,
   it is possible that sudo didn't properly detect that shadow
   passwords are in use.  Take a look at the generated config.h
   file and verify that the C function used for shadow password
   look ups was detected.  For instance, for SVR4-style shadow
   passwords, HAVE_GETSPNAM should be defined (you can search for
   the string "shadow passwords" in config.h with your editor).
   Note that there is no define for 4.4BSD-based shadow passwords
   since that just uses the standard getpw* routines.

Q) Can sudo use the ssh agent for authentication instead of asking
   for the user's Unix password?
A) Not directly, but you can use a PAM module like pam_ssh_agent_auth
   or pam_ssh for this purpose.

Q) I don't want the sudoers file in /etc, how can I specify where it
   should go?
A) Use the --sysconfdir option to configure.  Ie:
   configure --sysconfdir=/dir/you/want/sudoers/in

Q) Can I put the sudoers file in NIS/NIS+ or do I have to have a
   copy on each machine?
A) There is no support for making an NIS/NIS+ map/table out of
   the sudoers file at this time.  You can distribute the sudoers
   file via rsync or rdist.  It is also possible to NFS-mount the
   sudoers file.  If you use LDAP at your site you may be interested
   in sudo's LDAP sudoers support, see the README.LDAP file and the
   sudoers.ldap manual.

Q) I don't run sendmail on my machine.  Does this mean that I cannot
   use sudo?
A) No, you just need to disable mailing with a line like:
	Defaults !mailerpath
   in your sudoers file or run configure with the --without-sendmail
   option.

Q) When I run visudo it uses vi as the editor and I hate vi.  How
   can I make it use another editor?
A) You can specify the editor to use in visudo in the sudoers file.
   See the "editor" and "env_editor" entries in the sudoers manual.
   The defaults can also be set at configure time using the
   --with-editor and --with-env-editor configure options.

Q) Sudo appears to be removing some variables from my environment, why?
A) By default, sudo runs commands with  new, minimal environment.
   It is possible to control what environment variables are copied
   from the invoking user's environment using the "env_keep" setting
   in sudoers.  Another, less secure, option is to disable the
   "env_reset" setting to copy all variables from the invoking
   user's environment that are not considered "dangerous".  See the
   "Command Environment" section of the sudoers manual for more
   information.

Q) How can I keep sudo from asking for a password?
A) To specify this on a per-user (and per-command) basis, use the
   'NOPASSWD' tag right before the command list in sudoers.  See
   the sudoers man page and examples/sudoers for details.  To disable
   passwords completely, add !authenticate" to the Defaults line
   in /etc/sudoers.  You can also turn off authentication on a
   per-user or per-host basis using a user or host-specific Defaults
   entry in sudoers.  To hard-code the global default, you can
   configure with the --without-passwd option.

Q) When I run configure, it dies with the following error:
   "no acceptable cc found in $PATH".
A) /usr/ucb/cc was the only C compiler that configure could find.
   You need to tell configure the path to the "real" C compiler
   via the --with-CC option.  On Solaris, the path is probably
   something like "/opt/SUNWspro/SC4.0/bin/cc".  If you have gcc
   that will also work.

Q) When I run configure, it dies with the following error:
   Fatal Error: config.cache exists from another platform!
   Please remove it and re-run configure.
A) configure caches the results of its tests in a file called
   config.cache to make re-running configure speedy.  However,
   if you are building sudo for a different platform the results
   in config.cache will be wrong so you need to remove config.cache.
   You can do this by "rm config.cache" or "make realclean".
   Note that "make realclean" will also remove any object files
   and configure temp files that are laying around as well.

Q) I built sudo on a Solaris 11 (or higher) machine but the resulting
   binary doesn't work older Solaris versions.  Why?
A) Starting with Solaris 11, asprintf(3) is included in the standard
   C library.  To build a version of sudo on a Solaris 11 machine that
   will run on an older Solaris release, edit config.h and comment out
   the lines:
	#define HAVE_ASPRINTF 1
	#define HAVE_VASPRINTF 1
   and run make.

Q) When I run "visudo" it says "sudoers file busy, try again later."
   and doesn't do anything.
A) Someone else is currently editing the sudoers file with visudo.

Q) When I try to use "cd" with sudo it says "cd: command not found".
A) "cd" is a shell built-in command, you can't run it as a command
   since a child process (sudo) cannot affect the current working
   directory of the parent (your shell).

Q) When I try to use "cd" with sudo the command completes without
   errors but nothing happens.
A) Even though "cd" is a shell built-in command, some operating systems
   include a /usr/bin/cd command for some reason.  A standalone
   "cd" command is totally useless since a child process (cd) cannot
   affect the current working directory of the parent (your shell).
   Thus, "sudo cd /foo" will start a child process, change the
   directory and immediately exit without doing anything useful.

Q) When I run sudo it says I am not allowed to run the command as root
   but I don't want to run it as root, I want to run it as another user.
   My sudoers file entry looks like:
    bob	ALL=(oracle) ALL
A) The default user sudo tries to run things as is always root, even if
   the invoking user can only run commands as a single, specific user.
   This may change in the future but at the present time you have to
   work around this using the 'runas_default' option in sudoers.
   For example:
    Defaults:bob	runas_default=oracle
   would achieve the desired result for the preceding sudoers fragment.

Q) When I try to run sudo via ssh, I get the error:
    sudo: no tty present and no askpass program specified
A) ssh does not allocate a tty by default when running a remote command.
   Without a tty, sudo cannot disable echo when prompting for a password.
   You can use ssh's "-t" option to force it to allocate a tty.
   Alternately, if you do not mind your password being echoed to the
   screen, you can use the "visiblepw" sudoers option to allow this.

Q) When I try to use SSL-enabled LDAP with sudo I get an error:
    unable to initialize SSL cert and key db: security library: bad database.
    you must set TLS_CERT in /etc/ldap.conf to use SSL
A) On systems that use a Mozilla-derived LDAP SDK there must be a
   certificate database in place to use SSL-encrypted LDAP connections.
   This file is usually /var/ldap/cert8.db or /etc/ldap/cert8.db.
   The actual number after "cert" will vary, depending on the version
   of the LDAP SDK that is being used.  If you do not have a certificate
   database you can either copy one from a mozilla-derived browser, such
   as firefox, or create one using the "certutil" command.  You can run
   "certutil" as follows and press the <return> (or <enter>) key at the
   password prompt:
    # certutil -N -d /var/ldap
    Enter a password which will be used to encrypt your keys.
    The password should be at least 8 characters long,
    and should contain at least one non-alphabetic character.

    Enter new password: <return>
    Re-enter password: <return>

Q) On Solaris, when I run command via sudo it displays information
   about the last login for every command.  How can I fix this?
A) This output comes from /usr/lib/security/pam_unix_session.so.1.
   To suppress it, first create /etc/pam.d/sudo if it doesn't exist:
    cp /etc/pam.d/other /etc/pam.d/sudo
   Then add "nowarn" to the end of the pam_unix_session.so.1 line:
    session required pam_unix_session.so.1 nowarm

Q) On HP-UX, when I run command via sudo it displays information
   about the last successful login and last authentication failure
   for every command.  How can I fix this?
A) This output comes from /usr/lib/security/libpam_hpsec.so.1.
   To suppress it, add a line like the following to /etc/pam.conf:
   sudo session required libpam_hpsec.so.1 bypass_umask bypass_last_login

Q) On HP-UX, the umask setting in sudoers has no effect.
A) If your /etc/pam.conf file has the libpam_hpsec.so.1 session module
   enabled, you may need to a add line like the following to pam.conf:
   sudo session required libpam_hpsec.so.1 bypass_umask

Q) When I run "sudo -i shell_alias" I get "command not found" even
   though the alias is defined in my shell startup files.
A) Commands run via "sudo -i" are executed by the shell in
   non-interactive mode.  The bash shell will ony parse aliases in
   interactive mode unless the "expand_aliases" shell option is
   set.  If you add "shopt -s expand_aliases" to your .bash_profile
   (or .profile if using that instead) the aliases should now be
   available to "sudo -i".

Q) When I run sudo on AIX I get the following error:
    setuidx(ID_EFFECTIVE|ID_REAL|ID_SAVED, ROOT_UID): Operation not permitted.
A) AIX's Enhanced RBAC is preventing sudo from running.  To fix
   this, add the following entry to /etc/security/privcmds (adjust
   the path to sudo as needed) and run the setkst command as root:

    /usr/local/bin/sudo:
	    accessauths = ALLOW_ALL
	    innateprivs = PV_DAC_GID,PV_DAC_R,PV_DAC_UID,PV_DAC_X,PV_FS_CHOWN,PV_PROC_PRIO,PV_NET_PORT,PV_NET_CNTL,PV_SU_UID
	    secflags = FSF_EPS

Q) Sudo configures and builds without error but when I run it I get
   a Segmentation fault.
A) If you are on a Linux system, the first thing to try is to run
   configure with the --disable-pie option, then "make clean" and
   "make".  If that fixes the problem then your operating system
   does not properly support position independent executables.
   Please send a message to sudo@sudo.ws with system details such
   as the Linux distro, kernel version and CPU architecture.

Q) When I run configure I get the following error:
    dlopen present but libtool doesn't appear to support your platform.
A) Libtool doesn't know how to support dynamic linking on the operating
   system you are building for.  If you are cross-compiling, you need to
   specify the operating system, not just the CPU type.  For example:
	--host powerpc-unknown-linux
   instead of just:
	--host powerpc

Q) How do you pronounce `sudo'?
A) The official pronunciation is soo-doo (for su "do").  However, an
   alternate pronunciation, a homophone of "pseudo", is also common.