FAQ and troubleshooting tips for CU sudo
========================================

Q) Sudo compiles but when I run it I get "Sorry, sudo must be setuid root."
   and sudo quits.
A) Sudo must be setuid root to do its work. You need to do something like
   `chmod 4111 /usr/local/bin/sudo'. Also, the filesystem sudo resides
   on must *not* be mounted with the nosuid mount option or sudo will
   not be able to work.

Q) Sudo is set up to log via syslog(3) but I'm not getting any log
   messages.
A) Make sure you have an entry in your syslog.conf file to save
   the sudo messages. The default log facility is local2
   (configurable in options.h) so you would want something like:
       local2.debug        /var/adm/sudo.log
   or
       local2.debug        @loghost
   depending on whether you want to forward the messages to another
   host or keep them locally.

Q) When sudo asks me for my password it never accepts what I enter even
   though I know I entered my password correctly.
A) Try running configure with the --with-getpass option. After this
   when you build sudo it will use the system's getpass() routine instead
   of sudo's own version. If that doesn't work, and your OS uses shadow
   passwords, re-run configure and add the --with-C2 option. Configure
   tries to guess whether or not you are using shadow passwords but
   it is not bulletproof.
   (see the INSTALL doc for a list of OS's that sudo knows how to get
   shadow password info for).

Q) Sudo says that it cannot read the sudoers file even though the
   path it says is correct.
A) If the sudoers file lives on an NFS-mounted partition that partition
   needs to be exported as root to the host in question unless you
   have set SUDOERS_OWNER to something other than root. An easy test
   is to see if "cat /path/to/sudoers" works as root. If not, then
   you have the aforementioned problem. See the entry for SUDOERS_OWNER
   in the OPTIONS file.

Q) Can I put the sudoers file in NIS/NIS+ or do I have to have a
   copy on each machine?
A) There is no support for making an NIS/NIS+ map/table out of
   the sudoers file at this time. A good way to distribute the
   sudoers file is via rdist(1). It is also possible to
   NFS-mount the sudoers file. However, please read the previous
   TROUBLESHOOTING entry for info on this.

Q) I don't run sendmail on my machine. Does this mean that I cannot
   use sudo?
A) No, you just need to comment out the MAILER #define in options.h.

Q) When I run visudo it uses vi as the editor and I hate vi. How
   can I make it use another editor?
A) Your best bet is to enable the ENV_EDITOR option in options.h.
   This will make visudo use the editor specified by the user's
   EDITOR environment variable. Alternatively, you can change the
   default editor by setting the EDITOR macro in options.h to
   the editor of your choice.

Q) Sudo appears to be removing some variables from my environment, why?
A) Sudo removes the following "dangerous" environment variables
   to guard against shared library spoofing, shell voodoo, and
   Kerberos server spoofing.
       IFS
       LD_*
       _RLD_*
       SHLIB_PATH (HP-UX only)
       LIB_PATH (AIX only)
       KRB_CONF (Kerberos only)

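The filtering described in the answer above, written out as an added C
example; it is not sudo's own code. The names is_dangerous() and scrub_env()
are hypothetical, the sample environment is constructed, and the entries the
FAQ marks as platform-specific are stripped unconditionally here.

```c
#include <stdio.h>
#include <string.h>

/* Prefix patterns (the FAQ's LD_* and _RLD_*): any name starting with these. */
static const char *const bad_prefixes[] = { "LD_", "_RLD_", NULL };
/* Exact names; the last three are platform-only in the FAQ (assumption: always strip). */
static const char *const bad_names[] = { "IFS", "SHLIB_PATH", "LIB_PATH", "KRB_CONF", NULL };

/* Return 1 if a "NAME=value" entry names a variable on the list, else 0. */
int is_dangerous(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t i, n, namelen = eq ? (size_t)(eq - entry) : strlen(entry);

    for (i = 0; bad_prefixes[i] != NULL; i++) {
        n = strlen(bad_prefixes[i]);
        if (namelen >= n && strncmp(entry, bad_prefixes[i], n) == 0)
            return 1;
    }
    for (i = 0; bad_names[i] != NULL; i++) {
        n = strlen(bad_names[i]);
        /* Compare the whole name so that IFSX is not mistaken for IFS. */
        if (namelen == n && strncmp(entry, bad_names[i], n) == 0)
            return 1;
    }
    return 0;
}

/* Compact a NULL-terminated envp in place; return how many entries were dropped. */
size_t scrub_env(char **envp)
{
    char **src, **dst;
    size_t removed = 0;

    for (src = dst = envp; *src != NULL; src++) {
        if (is_dangerous(*src))
            removed++;
        else
            *dst++ = *src;
    }
    *dst = NULL;
    return removed;
}

int main(void)
{
    /* Constructed sample environment, not taken from a real system. */
    char *env[] = { "PATH=/bin", "LD_LIBRARY_PATH=/opt/lib", "IFS=/", "IFSX=1", NULL };
    size_t i, n = scrub_env(env);

    printf("removed %lu\n", (unsigned long)n);
    for (i = 0; env[i] != NULL; i++)
        puts(env[i]);
    return 0;
}
```
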
Q) I can't get the s/key support to work, whatever I do sudo won't
   accept my key. I had to run configure with --with-getpass,
   could that have something to do with it?
A) Yes, the s/key support requires that you use tgetpass() since
   most system getpass()'s only grab eight characters or so
   and s/key needs much more than that. It should be possible
   to get tgetpass() to work, send mail to sudo-bugs@cs.colorado.edu
   if you need help.

Q) My C compiler complains about:
       "./options.h", line xx "/*" detected in comment
   Should I be worried?
A) No, this is due to the way options are commented out in options.h.
   Some ANSI compilers are just a bit too protective.
   If anyone has a better way to do this that is just as easy to uncomment
   and that doesn't produce a similar warning, please let me know.

Q) I modified parse.lex but the Makefile is not generating a new
   lex.yy.c.
A) You need to uncomment the rule in Makefile (or Makefile.in)
   that generates lex.yy.c from parse.lex. This is not enabled
   by default since sudo comes with a pre-flex'd parse.lex.
   Make sure you are using flex version 2.5.2 or higher--the
   lex that came with your OS may not like parse.lex.