Troubleshooting tips and FAQ for Sudo
=====================================

Q) When I run configure, it says "C compiler cannot create executables".
A) This usually means you don't have a working compiler. This
   could be due to the lack of a license or that some component of the
   compiler suite could not be found. Check config.log for clues as
   to why this is happening. On many systems, compiler components live
   in /usr/ccs/bin which may not be in your PATH environment variable.

Q) Sudo compiles but when I run it I get "Sorry, sudo must be setuid root."
   and sudo quits.
A) Sudo must be setuid root to do its work. You need to do something like
   `chmod 4111 /usr/local/bin/sudo'. Also, the file system sudo resides
   on must *not* be mounted (or exported) with the nosuid option or sudo
   will not be able to work. Another possibility is you may have '.' in
   your $PATH before the directory containing sudo. If you are going
   to have '.' in your path you should make sure it is at the end.

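The three causes listed in that answer (missing setuid bit, nosuid mount, '.' ahead of sudo's directory in PATH) can be checked from a shell before anyone hits the error. The script below is an added example and is not part of the sudo distribution; every function name in it (has_setuid_bit, owned_by_root, mounted_nosuid, path_cwd_before, check_sudo_install) is this example's own, and the default binary location /usr/local/bin/sudo is taken from the answer above.

```shell
#!/bin/sh
# Added example, not part of the sudo distribution: pre-flight checks for
# the causes of "sudo must be setuid root" described in the answer above.
# All helper names here are this example's own.

# has_setuid_bit FILE: succeed when FILE carries the setuid bit.
# ls -ld is used rather than stat(1) because stat's format flags differ
# between GNU and BSD; the 4th character of the mode string is 's' (or 'S'
# when the owner-execute bit is missing) whenever setuid is set.
has_setuid_bit() {
    [ -e "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# owned_by_root FILE: succeed when FILE's owner is root (setuid to a
# non-root owner would not give sudo the privileges it needs).
owned_by_root() {
    [ "$(ls -ld "$1" 2>/dev/null | awk '{print $3}')" = root ]
}

# mounted_nosuid FILE: succeed when the file system holding FILE appears
# in mount(8) output with the nosuid option. Best effort: relies on the
# "... on MOUNTPOINT ..." line format shared by Linux and BSD mount(8).
mounted_nosuid() {
    mp=$(df -P "$1" 2>/dev/null | awk 'NR == 2 {print $6}')
    [ -n "$mp" ] || return 1
    mount 2>/dev/null | grep -F " on $mp " | grep -q nosuid
}

# path_cwd_before DIR PATHSTRING: succeed when '.' or an empty entry
# (both mean the current directory) precedes DIR in PATHSTRING, so a
# stray ./sudo in the working directory would be found before DIR/sudo.
path_cwd_before() {
    printf '%s\n' "$2" | awk -F: -v dir="$1" '
        {
            for (i = 1; i <= NF; i++) {
                if ($i == dir) exit 1               # reached DIR first: fine
                if ($i == "." || $i == "") exit 0   # cwd comes first: problem
            }
            exit 1
        }'
}

# check_sudo_install [PATH_TO_SUDO]: run every check and report each problem.
check_sudo_install() {
    sudo_bin=${1:-/usr/local/bin/sudo}
    sudo_dir=$(dirname "$sudo_bin")
    rc=0
    has_setuid_bit "$sudo_bin" || { echo "$sudo_bin: setuid bit missing (chmod 4111 $sudo_bin)"; rc=1; }
    owned_by_root "$sudo_bin"  || { echo "$sudo_bin: not owned by root"; rc=1; }
    mounted_nosuid "$sudo_bin" && { echo "$sudo_bin: file system is mounted nosuid"; rc=1; }
    path_cwd_before "$sudo_dir" "$PATH" && { echo "PATH has '.' (or an empty entry) before $sudo_dir"; rc=1; }
    return $rc
}
```

Run `check_sudo_install /usr/local/bin/sudo` (or with the path you configured) after installing; a zero exit status means none of the three problems was detected. The PATH check treats an empty entry (a leading or doubled colon) the same as '.', because the shell searches the current directory for both.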
Q) Sudo never gives me a chance to enter a password using PAM, it just
   says 'Sorry, try again.' three times and exits.
A) You didn't set up PAM to work with sudo. On Redhat Linux or Fedora
   Core this generally means installing sample.pam as /etc/pam.d/sudo.
   See the sample.pam file for hints on what to use for other Linux
   systems.

Q) Sudo says 'Account expired or PAM config lacks an "account"
   section for sudo, contact your system administrator' and exits
   but I know my account has not expired.
A) Your PAM config lacks an "account" specification. On Linux this
   usually means you are missing a line like:
        account required pam_unix.so
   in /etc/pam.d/sudo.

Q) Sudo is set up to log via syslog(3) but I'm not getting any log
   messages.
A) Make sure you have an entry in your syslog.conf file to save
   the sudo messages (see the sample.syslog.conf file). The default
   log facility is authpriv (changeable via configure or in sudoers).
   Don't forget to send a SIGHUP to your syslogd so that it re-reads
   its conf file. Also, remember that syslogd does *not* create
   log files; you need to create the file before syslogd will log
   to it (i.e., touch /var/log/sudo).
   Note: the facility (e.g. "auth.debug") must be separated from the
   destination (e.g. "/var/log/auth" or "@loghost") by
   tabs, *not* spaces. This is a common error.

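Both mistakes in that answer (spaces instead of tabs between selector and action, and a log file that was never created) are easy to catch with a small lint pass over syslog.conf before restarting syslogd. The function below is an added example, not part of sudo or of any syslogd; its name check_syslog_conf is this example's own, and the test data it is run on is constructed.

```shell
#!/bin/sh
# Added example, not part of the sudo distribution: lint a syslog.conf
# for the two mistakes described above (spaces instead of tabs between
# selector and action, and a log file that has not been created yet).
# check_syslog_conf FILE: print one line per problem, succeed if none.
check_syslog_conf() {
    awk '
        /^[ \t]*$/ || /^[ \t]*#/ { next }      # blank lines and comments
        index($0, "\t") == 0 {                  # no tab anywhere on the line
            printf "%s:%d: selector and action are separated by spaces, not tabs: %s\n",
                   FILENAME, NR, $0
            bad++
            next
        }
        {
            n = split($0, f, "\t")              # action is the last tab-separated field
            act = f[n]
            sub(/^[ \t]+/, "", act)
            sub(/^-/, "", act)                  # leading "-" means "do not sync"; strip it
            if (act ~ /^\// && system("test -e \"" act "\"") != 0) {
                printf "%s:%d: log file %s does not exist; syslogd will not create it (touch it first)\n",
                       FILENAME, NR, act
                bad++
            }
        }
        END { if (bad > 0) exit 1; exit 0 }
    ' "$1"
}
```

Run it as `check_syslog_conf /etc/syslog.conf`; only once it exits 0 is it worth sending the SIGHUP the answer describes, since syslogd would otherwise re-read a file that still has the same error. Remote destinations such as "@loghost" are not checked for existence, only for the tab.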
Q) When sudo asks me for my password it never accepts what I enter even
   though I know I entered my password correctly.
A) If your system uses shadow passwords, it is possible that sudo
   didn't detect this. Take a look at the generated config.h file
   and verify that the C function used for shadow password lookups
   was detected. For instance, for SVR4-style shadow passwords,
   HAVE_GETSPNAM should be defined (you can search for the string
   "shadow passwords" in config.h with your editor). Note that
   there is no define for 4.4BSD-based shadow passwords since that
   just uses the standard getpw* routines.

Q) I don't want the sudoers file in /etc, how can I specify where it
   should go?
A) Use the --sysconfdir option to configure, i.e.:
        configure --sysconfdir=/dir/you/want/sudoers/in

Q) Can I put the sudoers file in NIS/NIS+ or do I have to have a
   copy on each machine?
A) There is no support for making an NIS/NIS+ map/table out of
   the sudoers file at this time. A good way to distribute the
   sudoers file is via rdist(1). It is also possible to NFS-mount
   the sudoers file.

Q) I don't run sendmail on my machine. Does this mean that I cannot
   use sudo?
A) No, you just need to use the --without-sendmail argument to configure
   or add "!mailerpath" to the Defaults line in /etc/sudoers.

Q) When I run visudo it uses vi as the editor and I hate vi. How
   can I make it use another editor?
A) Your best bet is to run configure with the --with-env-editor switch.
   This will make visudo use the editor specified by the user's
   EDITOR environment variable. Alternately, you can run configure
   with --with-editor=/path/to/another/editor.

Q) Sudo appears to be removing some variables from my environment, why?
A) Sudo removes the following "dangerous" environment variables
   to guard against shared library spoofing, shell voodoo, and
   kerberos server spoofing.
        IFS
        LOCALDOMAIN
        RES_OPTIONS
        HOSTALIASES
        NLSPATH
        PATH_LOCALE
        TERMINFO
        TERMINFO_DIRS
        TERMPATH
        TERMCAP
        ENV
        BASH_ENV
        LC_ (if it contains a '/' or '%')
        LANG (if it contains a '/' or '%')
        LANGUAGE (if it contains a '/' or '%')
        LD_*
        _RLD_*
        SHLIB_PATH (HP-UX only)
        LIBPATH (AIX only)
        KRB_CONF (kerb4 only)
        KRBCONFDIR (kerb4 only)
        KRBTKFILE (kerb4 only)
        KRB5_CONFIG (kerb5 only)
        VAR_ACE (SecurID only)
        USR_ACE (SecurID only)
        DLC_ACE (SecurID only)

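The list above mixes three kinds of rule: exact names, wildcard prefixes (LD_*, _RLD_*), and locale variables that are dropped only when their value contains '/' or '%'. The filter below is an added example, not sudo's own environment-scrubbing code; it applies those rules to NAME=value lines on standard input so you can see which variables survive. The function names sudo_env_filter and filter_env_string are this example's own, and it assumes that "LC_" in the list stands for the whole LC_* family.

```shell
#!/bin/sh
# Added example, not sudo's own code: a filter that applies the removal
# rules listed above to NAME=value lines read from standard input (the
# format env(1) prints) and writes only the variables that would survive.
# "LC_" in the list is taken to mean the whole LC_* family (assumption).
sudo_env_filter() {
    while IFS= read -r kv; do
        name=${kv%%=*}
        value=${kv#*=}
        case "$name" in
            IFS|LOCALDOMAIN|RES_OPTIONS|HOSTALIASES|NLSPATH|PATH_LOCALE)
                continue ;;                   # field splitting, resolver and locale paths
            TERMINFO|TERMINFO_DIRS|TERMPATH|TERMCAP|ENV|BASH_ENV)
                continue ;;                   # terminal databases and shell startup files
            LD_*|_RLD_*|SHLIB_PATH|LIBPATH)
                continue ;;                   # dynamic loader paths (SHLIB_PATH: HP-UX, LIBPATH: AIX)
            KRB_CONF|KRBCONFDIR|KRBTKFILE|KRB5_CONFIG)
                continue ;;                   # Kerberos configuration
            VAR_ACE|USR_ACE|DLC_ACE)
                continue ;;                   # SecurID
            LC_*|LANG|LANGUAGE)               # dropped only when the value has '/' or '%'
                case "$value" in
                    */*|*%*) continue ;;
                esac ;;
        esac
        printf '%s\n' "$kv"
    done
}

# filter_env_string ENVLINES: wrapper so the filter can be applied to a
# newline-separated string rather than a stream, e.g. "$(env)".
filter_env_string() {
    printf '%s\n' "$1" | sudo_env_filter
}
```

Running `env | sudo_env_filter` shows what a command started through sudo would inherit from the current environment under these rules; comparing that with `env` alone explains the "missing" variables the question asks about.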
Q) How can I keep sudo from asking for a password?
A) To specify this on a per-user (and per-command) basis, use the 'NOPASSWD'
   tag right before the command list in sudoers. See the sudoers man page
   and sample.sudoers for details. To disable passwords completely,
   run configure with the --without-passwd option or add "!authenticate"
   to the Defaults line in /etc/sudoers. You can also turn off authentication
   on a per-user or per-host basis using a user or host-specific Defaults
   entry in sudoers.

Q) When I run configure, it dies with the following error:
        "no acceptable cc found in $PATH".
A) /usr/ucb/cc was the only C compiler that configure could find.
   You need to tell configure the path to the "real" C compiler
   via the --with-CC option. On Solaris, the path is probably
   something like "/opt/SUNWspro/SC4.0/bin/cc". If you have gcc
   that will also work.

Q) When I run configure, it dies with the following error:
        Fatal Error: config.cache exists from another platform!
        Please remove it and re-run configure.
A) configure caches the results of its tests in a file called
   config.cache to make re-running configure speedy. However,
   if you are building sudo for a different platform the results
   in config.cache will be wrong, so you need to remove config.cache.
   You can do this with "rm config.cache" or "make realclean".
   Note that "make realclean" will also remove any object files
   and configure temp files that are lying around.

Q) I built sudo on a Solaris >= 2.6 machine but the resulting binary
   doesn't work on Solaris <= 2.5.1. Why?
A) Starting with Solaris 2.6, snprintf(3) is included in the standard
   C library. To build a version of sudo on a >= 2.6 machine that
   will run on a <= 2.5.1 machine, edit config.h and comment out the lines:
        #define HAVE_SNPRINTF 1
        #define HAVE_VSNPRINTF 1
   and run make.

Q) When I run "visudo" it says "sudoers file busy, try again later."
   and doesn't do anything.
A) Someone else is currently editing the sudoers file with visudo.

Q) When I try to use "cd" with sudo it says "cd: command not found".
A) "cd" is a shell built-in command, you can't run it as a command
   since a child process (sudo) cannot affect the current working
   directory of the parent (your shell).

Q) When I try to use "cd" with sudo the command completes without
   errors but nothing happens.
A) Even though "cd" is a shell built-in command, some operating systems
   include a /usr/bin/cd command for some reason. A standalone
   "cd" command is totally useless since a child process (cd) cannot
   affect the current working directory of the parent (your shell).
   Thus, "sudo cd /foo" will start a child process, change the
   directory and immediately exit without doing anything useful.

Q) When I run sudo it says I am not allowed to run the command as root
   but I don't want to run it as root, I want to run it as another user.
   My sudoers file entry looks like:
        bob ALL=(oracle) ALL
A) The default user sudo tries to run things as is always root, even if
   the invoking user can only run commands as a single, specific user.
   This may change in the future but at the present time you have to
   work around this using the 'runas_default' option in sudoers.
   For example:
        Defaults:bob runas_default=oracle
   would achieve the desired result for the preceding sudoers fragment.

Q) When I try to run sudo via ssh, I get the error:
        sudo: no tty present and no askpass program specified
A) ssh does not allocate a tty by default when running a remote command.
   Without a tty, sudo cannot disable echo when prompting for a password.
   You can use ssh's "-t" option to force it to allocate a tty.
   Alternately, if you do not mind your password being echoed to the
   screen, you can use the "visiblepw" sudoers option to allow this.

Q) How do you pronounce `sudo'?
A) The official pronunciation is soo-doo (for su "do"). However, an
   alternate pronunciation, a homophone of "pseudo", is also common.