Troubleshooting tips and FAQ for Sudo
=====================================

Q) When I run configure, it says "C compiler cannot create executables".
A) This usually means you don't have a working compiler.  This
   could be due to the lack of a license or that some component of the
   compiler suite could not be found.  Check config.log for clues as
   to why this is happening.  On many systems, compiler components live
   in /usr/ccs/bin which may not be in your PATH environment variable.

Q) Sudo compiles but when I run it I get "Sorry, sudo must be setuid root."
   and sudo quits.
A) Sudo must be setuid root to do its work.  You need to do something like
   `chmod 4111 /usr/local/bin/sudo'.  Also, the file system sudo resides
   on must *not* be mounted (or exported) with the nosuid option or sudo
   will not be able to work.  Another possibility is you may have '.' in
   your $PATH before the directory containing sudo.  If you are going
   to have '.' in your path you should make sure it is at the end.
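
An added example, not part of the sudo distribution, that checks the three
conditions named in this answer: root ownership, the setuid bit, and a file
system that is not mounted nosuid.  The enum and function names are
hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/statvfs.h>

enum suid_status {
    SUID_OK,              /* root-owned, setuid, file system honours setuid */
    SUID_NOT_ROOT_OWNED,  /* setuid would switch to the wrong user */
    SUID_BIT_MISSING,     /* mode lacks the 4000 bit, e.g. 0111 instead of 4111 */
    SUID_FS_NOSUID        /* mounted nosuid: the kernel ignores the bit */
};

/* Classify already-collected metadata, so the logic can be tested offline. */
enum suid_status classify_setuid(uid_t owner, mode_t mode, unsigned long fsflags)
{
    if (owner != 0)
        return SUID_NOT_ROOT_OWNED;
    if ((mode & S_ISUID) == 0)
        return SUID_BIT_MISSING;
    if (fsflags & ST_NOSUID)
        return SUID_FS_NOSUID;
    return SUID_OK;
}

/* Examine a binary on disk; returns -1 if it cannot be examined. */
int check_setuid_binary(const char *path)
{
    struct stat sb;
    struct statvfs vfs;

    if (stat(path, &sb) != 0 || statvfs(path, &vfs) != 0)
        return -1;
    return (int)classify_setuid(sb.st_uid, sb.st_mode, vfs.f_flag);
}
```

Call check_setuid_binary("/usr/local/bin/sudo") and compare the result with
the enum values; the '.' in $PATH case has to be checked separately.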

Q) Sudo compiles but when I run it I get "seteuid(0) failed, your operating
   system may have broken POSIX saved ID support\nTry running configure with
   --disable-saved-ids" and sudo quits.
A) The operating system you are running probably has broken support for
   POSIX saved IDs.  You should run configure with the "--disable-saved-ids"
   option and rebuild sudo.

Q) Sudo never gives me a chance to enter a password using PAM, it just
   says 'Sorry, try again.' three times and exits.
A) You didn't set up PAM to work with sudo.  On Red Hat Linux or Fedora
   Core this generally means installing sample.pam as /etc/pam.d/sudo.
   See the sample.pam file for hints on what to use for other Linux
   systems.

Q) Sudo says 'Account expired or PAM config lacks an "account"
   section for sudo, contact your system administrator' and exits
   but I know my account has not expired.
A) Your PAM config lacks an "account" specification.  On Linux this
   usually means you are missing a line like:
	account    required    pam_unix.so
   in /etc/pam.d/sudo.

Q) Sudo is set up to log via syslog(3) but I'm not getting any log
   messages.
A) Make sure you have an entry in your syslog.conf file to save
   the sudo messages (see the sample.syslog.conf file).  The default
   log facility is local2 (changeable via configure).  Don't forget
   to send a SIGHUP to your syslogd so that it re-reads its conf file.
   Also, remember that syslogd does *not* create log files, you need to
   create the file before syslogd will log to it (e.g. touch /var/log/sudo).
   Note:  the facility ("local2.debug") must be separated from the
	  destination ("/var/adm/sudo.log" or "@loghost") by
	  tabs, *not* spaces.  This is a common error.

Q) When sudo asks me for my password it never accepts what I enter even
   though I know I entered my password correctly.
A) If your system uses shadow passwords, it is possible that sudo
   didn't detect this.  Take a look at the generated config.h file
   and verify that the C function used for shadow password lookups
   was detected.  For instance, for SVR4-style shadow passwords,
   HAVE_GETSPNAM should be defined (you can search for the string
   "shadow passwords" in config.h with your editor).  Note that
   there is no define for 4.4BSD-based shadow passwords since that
   just uses the standard getpw* routines.

Q) I don't want the sudoers file in /etc, how can I specify where it
   should go?
A) Use the --sysconfdir option to configure.  For example:
   configure --sysconfdir=/dir/you/want/sudoers/in

Q) Can I put the sudoers file in NIS/NIS+ or do I have to have a
   copy on each machine?
A) There is no support for making an NIS/NIS+ map/table out of
   the sudoers file at this time.  A good way to distribute the
   sudoers file is via rdist(1).  It is also possible to NFS-mount
   the sudoers file.

Q) I don't run sendmail on my machine.  Does this mean that I cannot
   use sudo?
A) No, you just need to use the --without-sendmail argument to configure
   or add "!mailerpath" to the Defaults line in /etc/sudoers.

Q) When I run visudo it uses vi as the editor and I hate vi.  How
   can I make it use another editor?
A) Your best bet is to run configure with the --with-env-editor switch.
   This will make visudo use the editor specified by the user's
   EDITOR environment variable.  Alternately, you can run configure
   with the --with-editor=/path/to/another/editor option.

Q) Sudo appears to be removing some variables from my environment, why?
A) Sudo removes the following "dangerous" environment variables
   to guard against shared library spoofing, shell voodoo, and
   Kerberos server spoofing.
     IFS
     LOCALDOMAIN
     RES_OPTIONS
     HOSTALIASES
     NLSPATH
     PATH_LOCALE
     TERMINFO
     TERMINFO_DIRS
     TERMPATH
     TERMCAP
     ENV
     BASH_ENV
     LC_* (if it contains a '/' or '%')
     LANG (if it contains a '/' or '%')
     LANGUAGE (if it contains a '/' or '%')
     LD_*
     _RLD_*
     SHLIB_PATH (HP-UX only)
     LIBPATH (AIX only)
     KRB_CONF (kerb4 only)
     KRBCONFDIR (kerb4 only)
     KRBTKFILE (kerb4 only)
     KRB5_CONFIG (kerb5 only)
     VAR_ACE (SecurID only)
     USR_ACE (SecurID only)
     DLC_ACE (SecurID only)
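
The filtering rule described above, sketched in C as an added example; this
is not sudo's own code and all function and table names are hypothetical.
It covers only the platform-independent names from the list, and dropping
entries that lack a name or an '=' is an assumption of the example.

```c
#include <string.h>

/* Portable names from the list above; a trailing '*' matches any suffix. */
static const char *const always_drop[] = {
    "IFS", "LOCALDOMAIN", "RES_OPTIONS", "HOSTALIASES", "NLSPATH",
    "PATH_LOCALE", "TERMINFO", "TERMINFO_DIRS", "TERMPATH", "TERMCAP",
    "ENV", "BASH_ENV", "LD_*", "_RLD_*", NULL
};
/* Removed only when the value contains '/' or '%'. */
static const char *const drop_if_tainted[] = { "LC_*", "LANG", "LANGUAGE", NULL };

/* Does the name part of "NAME=value" (namelen bytes) match any pattern? */
static int name_in(const char *entry, size_t namelen, const char *const *pats)
{
    for (; *pats != NULL; pats++) {
        size_t plen = strlen(*pats);
        int wild = (*pats)[plen - 1] == '*'; /* patterns are never empty */
        if (wild)
            plen--;
        if ((wild ? namelen >= plen : namelen == plen) &&
            strncmp(entry, *pats, plen) == 0)
            return 1;
    }
    return 0;
}

/* Return 1 if a "NAME=value" entry must be removed, 0 if it may stay. */
int env_entry_is_dangerous(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 1; /* assumption of this example: drop malformed entries */
    if (name_in(entry, (size_t)(eq - entry), always_drop))
        return 1;
    if (name_in(entry, (size_t)(eq - entry), drop_if_tainted))
        return strpbrk(eq + 1, "/%") != NULL;
    return 0;
}

/* Compact envp in place; returns the number of entries removed. */
size_t env_scrub(char **envp)
{
    char **src, **dst;
    size_t removed = 0;
    for (src = dst = envp; *src != NULL; src++) {
        if (env_entry_is_dangerous(*src)) removed++;
        else *dst++ = *src;
    }
    *dst = NULL;
    return removed;
}
```

Names are matched exactly unless the pattern ends in '*', so LDFLAGS and
TERM survive while LD_PRELOAD and TERMCAP do not.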

Q) How can I keep sudo from asking for a password?
A) To specify this on a per-user (and per-command) basis, use the 'NOPASSWD'
   tag right before the command list in sudoers.  See the sudoers man page
   and sample.sudoers for details.  To disable passwords completely,
   run configure with the --without-passwd option or add "!authenticate"
   to the Defaults line in /etc/sudoers.  You can also turn off authentication
   on a per-user or per-host basis using a user or host-specific Defaults
   entry in sudoers.

Q) When I run configure, it dies with the following error:
   "no acceptable cc found in $PATH".
A) /usr/ucb/cc was the only C compiler that configure could find.
   You need to tell configure the path to the "real" C compiler
   via the --with-CC option.  On Solaris, the path is probably
   something like "/opt/SUNWspro/SC4.0/bin/cc".  If you have gcc
   that will also work.

Q) When I run configure, it dies with the following error:
   Fatal Error: config.cache exists from another platform!
   Please remove it and re-run configure.
A) configure caches the results of its tests in a file called
   config.cache to make re-running configure speedy.  However,
   if you are building sudo for a different platform the results
   in config.cache will be wrong so you need to remove config.cache.
   You can do this by "rm config.cache" or "make realclean".
   Note that "make realclean" will also remove any object files
   and configure temp files that are lying around as well.

Q) I built sudo on a Solaris >= 2.6 machine but the resulting binary
   doesn't work on Solaris <= 2.5.1.  Why?
A) Starting with Solaris 2.6, snprintf(3) is included in the standard
   C library.  To build a version of sudo on a >= 2.6 machine that
   will run on a <= 2.5.1 machine, edit config.h and comment out the lines:
	#define HAVE_SNPRINTF 1
	#define HAVE_VSNPRINTF 1
   and run make.

Q) When I run "visudo" it says "sudoers file busy, try again later."
   and doesn't do anything.
A) Someone else is currently editing the sudoers file with visudo.

Q) When I try to use "cd" with sudo it says "cd: command not found".
A) "cd" is a shell built-in command; you can't run it as a command
   since a child process (sudo) cannot affect the current working
   directory of the parent (your shell).

Q) When I try to use "cd" with sudo the command completes without
   errors but nothing happens.
A) Some SVR4-derived OS's include a /usr/bin/cd command for reasons
   unfathomable.  A "cd" command is totally useless since a child process
   cannot affect the current working directory of the parent (your shell).

Q) When I run sudo it says I am not allowed to run the command as root
   but I don't want to run it as root, I want to run it as another user.
   My sudoers file entry looks like:
    bob	ALL=(oracle) ALL
A) The default user sudo tries to run things as is always root, even if
   the invoking user can only run commands as a single, specific user.
   This may change in the future but at the present time you have to
   work around this using the 'runas_default' option in sudoers.
   For example:
    Defaults:bob	runas_default=oracle
   would achieve the desired result for the preceding sudoers fragment.

Q) How do you pronounce `sudo'?
A) soo-doo (for superuser do).