Sudo: Difference between revisions

From CLONWiki
Jump to navigation Jump to search
Boiarino (talk | contribs)
No edit summary
Boiarino (talk | contribs)
No edit summary
Line 46: Line 46:
   create the file before syslogd will log to it (ie: touch /var/log/sudo).
   create the file before syslogd will log to it (ie: touch /var/log/sudo).
   Note:  the facility ("local2.debug") must be separated from the  
   Note:  the facility ("local2.debug") must be separated from the  
  destination ("/var/adm/sudo.log" or "@loghost") by
  destination ("/var/adm/sudo.log" or "@loghost") by
  tabs, *not* spaces.  This is a common error.
  tabs, *not* spaces.  This is a common error.
  Q) When sudo asks me for my password it never accepts what I enter even
  Q) When sudo asks me for my password it never accepts what I enter even
   though I know I entered my password correctly.
   though I know I entered my password correctly.
Line 138: Line 138:
   C library.  To build a version of sudo on a >= 2.6 machine that
   C library.  To build a version of sudo on a >= 2.6 machine that
   will run on a <= 2.5.1 machine, edit config.h and comment out the lines:
   will run on a <= 2.5.1 machine, edit config.h and comment out the lines:
#define HAVE_SNPRINTF 1
#define HAVE_SNPRINTF 1
#define HAVE_VSNPRINTF 1
#define HAVE_VSNPRINTF 1
   and run make.
   and run make.
  Q) When I run "visudo" it says "sudoers file busy, try again later."
  Q) When I run "visudo" it says "sudoers file busy, try again later."

Revision as of 17:55, 3 November 2007

On Solaris use /opt/sfw/bin/sudo, and config file /opt/sfw/etc/sudoers. Usually sudo comes with following mode

---x--x--x   1 root     root      102128 Oct  4  2006 /opt/sfw/bin/sudo

and sudo will not work. To fix it run command

chmod 4111 /opt/sfw/bin/sudo

it will set appropriate mode:

---s--x--x   1 root     root      102128 Oct  4  2006 /opt/sfw/bin/sudo

Good review from web:

Troubleshooting tips and FAQ for Sudo
=====================================
Q) When I run configure, it says "C compiler cannot create executables".
A) This usually means you either don't have a working compiler.  This
  could be due to the lack of a license or that some component of the
  compiler suite could not be found.  Check config.log for clues as
  to why this is happening.  On many systems, compiler components live
  in /usr/ccs/bin which may not be in your PATH environment variable.
Q) Sudo compiles but when I run it I get "Sorry, sudo must be setuid root."
  and sudo quits.
A) Sudo must be setuid root to do its work.  You need to do something like
  `chmod 4111 /usr/local/bin/sudo'.  Also, the file system sudo resides
  on must *not* be mounted (or exported) with the nosuid option or sudo
  will not be able to work.  Another possibility is you may have '.' in
  your $PATH before the directory containing sudo.  If you are going
  to have '.' in your path you should make sure it is at the end.
Q) Sudo never gives me a chance to enter a password using PAM, it just
  says 'Sorry, try again.' three times and exits.
A) You didn't setup PAM to work with sudo.  On Redhat Linux or Fedora
  Core this generally means installing sample.pam as /etc/pam.d/sudo.
  See the sample.pam file for hints on what to use for other Linux
  systems.
Q) Sudo says 'Account expired or PAM config lacks an "account"
  section for sudo, contact your system administrator' and exits
  but I know my account has not expired.
A) Your PAM config lacks an "account" specification.  On Linux this
  usually means you are missing a line like:
	account    required    pam_unix.so
  in /etc/pam.d/sudo.
Q) Sudo is setup to log via syslog(3) but I'm not getting any log
  messages.
A) Make sure you have an entry in your syslog.conf file to save
  the sudo messages (see the sample.syslog.conf file).  The default
  log facility is local2 (changeable via configure).  Don't forget
  to send a SIGHUP to your syslogd so that it re-reads its conf file.
  Also, remember that syslogd does *not* create log files, you need to
  create the file before syslogd will log to it (ie: touch /var/log/sudo).
  Note:  the facility ("local2.debug") must be separated from the 
	  destination ("/var/adm/sudo.log" or "@loghost") by
	  tabs, *not* spaces.  This is a common error.
Q) When sudo asks me for my password it never accepts what I enter even
  though I know I entered my password correctly.
A) If your system uses shadow passwords, it is possible that sudo
  didn't detect this.  Take a look at the generated config.h file
  and verify that the C function used for shadow password lookups
  was detected.  For instance, for SVR4-style shadow passwords,
  HAVE_GETSPNAM should be defined (you can search for the string
  "shadow passwords" in config.h with your editor).  Note that
  there is no define for 4.4BSD-based shadow passwords since that
  just uses the standard getpw* routines.
Q) I don't want the sudoers file in /etc, how can I specify where it
  should go?
A) Use the --sysconfdir option to configure.  Ie:
  configure --sysconfdir=/dir/you/want/sudoers/in
Q) Can I put the sudoers file in NIS/NIS+ or do I have to have a
  copy on each machine?
A) There is no support for making an NIS/NIS+ map/table out of
  the sudoers file at this time.  A good way to distribute the
  sudoers file is via rdist(1).  It is also possible to NFS-mount
  the sudoers file.
Q) I don't run sendmail on my machine.  Does this mean that I cannot
  use sudo?
A) No, you just need to run use the --without-sendmail argument to configure
  or add "!mailerpath" to the Defaults line in /etc/sudoers.
Q) When I run visudo it uses vi as the editor and I hate vi.  How
  can I make it use another editor?
A) Your best bet is to run configure with the --with-env-editor switch.
  This will make visudo use the editor specified by the user's
  EDITOR environment variable.  Alternately, you can run configure
  with the --with-editor=/path/to/another/editor.
Q) Sudo appears to be removing some variables from my environment, why?
A) Sudo removes the following "dangerous" environment variables
  to guard against shared library spoofing, shell voodoo, and
  kerberos server spoofing.
    IFS
    LOCALDOMAIN
    RES_OPTIONS
    HOSTALIASES
    NLSPATH
    PATH_LOCALE
    TERMINFO
    TERMINFO_DIRS
    TERMPATH
    TERMCAP
    ENV
    BASH_ENV
    LC_ (if it contains a '/' or '%')
    LANG (if it contains a '/' or '%')
    LANGUAGE (if it contains a '/' or '%')
    LD_*
    _RLD_*
    SHLIB_PATH (HP-UX only)
    LIBPATH (AIX only)
    KRB_CONF (kerb4 only)
    KRBCONFDIR (kerb4 only)
    KRBTKFILE (kerb4 only)
    KRB5_CONFIG (kerb5 only)
    VAR_ACE (SecurID only)
    USR_ACE (SecurID only)
    DLC_ACE (SecurID only)
Q) How can I keep sudo from asking for a password?
A) To specify this on a per-user (and per-command) basis, use the 'NOPASSWD'
  tag right before the command list in sudoers.  See the sudoers man page
  and sample.sudoers for details.  To disable passwords completely,
  run configure with the --without-passwd option or add "!authenticate"
  to the Defaults line in /etc/sudoers.  You can also turn off authentication
  on a per-user or per-host basis using a user or host-specific Defaults
  entry in sudoers.
Q) When I run configure, it dies with the following error:
  "no acceptable cc found in $PATH".
A) /usr/ucb/cc was the only C compiler that configure could find.
  You need to tell configure the path to the "real" C compiler
  via the --with-CC option.  On Solaris, the path is probably
  something like "/opt/SUNWspro/SC4.0/bin/cc".  If you have gcc
  that will also work.
Q) When I run configure, it dies with the following error:
  Fatal Error: config.cache exists from another platform!
  Please remove it and re-run configure.
A) configure caches the results of its tests in a file called
  config.cache to make re-running configure speedy.  However,
  if you are building sudo for a different platform the results
  in config.cache will be wrong so you need to remove config.cache.
  You can do this by "rm config.cache" or "make realclean".
  Note that "make realclean" will also remove any object files
  and configure temp files that are laying around as well.
Q) I built sudo on a Solaris >= 2.6 machine but the resulting binary
  doesn't work on Solaris <= 2.5.1.  Why?
A) Starting with Solaris 2.6, snprintf(3) is included in the standard
  C library.  To build a version of sudo on a >= 2.6 machine that
  will run on a <= 2.5.1 machine, edit config.h and comment out the lines:
	#define HAVE_SNPRINTF 1
	#define HAVE_VSNPRINTF 1
  and run make.
Q) When I run "visudo" it says "sudoers file busy, try again later."
  and doesn't do anything.
A) Someone else is currently editing the sudoers file with visudo.
Q) When I try to use "cd" with sudo it says "cd: command not found".
A) "cd" is a shell built-in command, you can't run it as a command
  since a child process (sudo) cannot affect the current working
  directory of the parent (your shell).
Q) When I try to use "cd" with sudo the command completes without
  errors but nothing happens.
A) Some SVR4-derived OS's include a /usr/bin/cd command for reasons
  unfathomable.  A "cd" command is totally useless since a child process
  cannot affect the current working directory of the parent (your shell).
Q) When I run sudo it says I am not allowed to run the command as root
  but I don't want to run it as root, I want to run it as another user.
  My sudoers file entry looks like:
   bob	ALL=(oracle) ALL
A) The default user sudo tries to run things as is always root, even if
  the invoking user can only run commands as a single, specific user.
  This may change in the future but at the present time you have to
  work around this using the 'runas_default' option in sudoers.
  For example:
   Defaults:bob	runas_default=oracle
  would achieve the desired result ofr the preceding sudoers fragment.
Q) How do you pronounce `sudo'?
A) The official pronunciation is soo-doo (for su "do").  However, an
  alternate pronunciation, a homophone of "pseudo", is also common.