— LiveStream

To install sudo on AIX 6.1 from an IBM-packaged BFF fileset, you download sudo.x.x.x.aix51.bff, copy it to the server, remove any conflicting RPM build of sudo, then apply the fileset with installp (via smitty installp). This guide walks through the full procedure for sudo 1.8.15.0, including the classic pitfall where AIX refuses to install the BFF because an older RPM version is already present.

The example below upgrades a host from the bundled sudo-1.6.9p23 RPM to sudo.rte 1.8.15.0. The same workflow applies to any AIX 6.1 / 7.1 / 7.2 system and to newer sudo filesets.

Why install sudo on AIX from a BFF fileset?

AIX ships sudo in two completely separate packaging formats, and mixing them is the number-one cause of failed installs:

• RPM packages (from the AIX Toolbox for Linux Applications) install under /opt/freeware and are managed with rpm. Many systems come with an old RPM build such as sudo-1.6.9p23.
• BFF filesets (Backup File Format, IBM's native packaging) are managed with installp / smitty and tracked in the system's installed-software database. The fileset is named sudo.rte.

Because the BFF and RPM builds register in different databases but write to overlapping paths, AIX deliberately blocks a BFF install while an RPM build of sudo is present. You must remove the RPM first. The BFF fileset is preferred on managed AIX estates because it integrates with lslpp, instfix, and your standard patch tooling.

Prerequisites before you install sudo on AIX

• Root access on the target server (or an existing sudo rule that lets you run installp).
• A few MB free in /tmp and in /opt/freeware (the BFF still installs under the freeware prefix).
• The correct fileset for your AIX level. The aix51 in the filename refers to the minimum AIX build level it was compiled against — it installs cleanly on AIX 6.1, 7.1 and 7.2.
• A maintenance window if other admins rely on sudo, since the binary is briefly replaced.

Modern note: sudo 1.8.15.0 dates from 2015 and is well past end of life. The 1.8.x branch is no longer maintained and has known CVEs (for example the Baron Samedit heap overflow, CVE-2021-3156, affects 1.8.2 through 1.8.31p2). For new builds, obtain the current sudo 1.9.x fileset from IBM's AIX Toolbox rather than 1.8.15.0. The installation procedure is identical — only the version string in the filename changes.

Step-by-step: install sudo 1.8.15.0 on AIX 6.1

Follow these steps in order. Commands are shown from a root prompt; the host in this example is hwunic06.

1. Download the fileset. Pull the sudo BFF for AIX from a trusted IBM source — today that is the AIX Toolbox for Open Source Software on IBM's site. (The old sudo.ws download page never hosted the IBM-packaged .bff; it serves source and other platform builds.) Save the gzipped fileset, for example sudo-1.8.15.0.aix.bff.gz, to a staging area.
2. Stage it on a distribution host (optional). On larger estates, copy the archive to a software repository directory such as /dtisw/Sudo/1.8.15.0 so every server pulls from the same vetted copy.
3. Copy the archive to the target server using scp:
   scp sudo-1.8.15.0.aix.bff.gz root@hwunic06:/tmp
4. Uncompress it on the target. The installer needs the raw .bff, not the .gz:
   cd /tmp
gunzip sudo-1.8.15.0.aix.bff.gz
5. Check the currently installed sudo. Identify whether it is an RPM or a fileset:
   rpm -qa | grep -i sudo → e.g. sudo-1.6.9p23-2 (an RPM build)
   lslpp -l | grep -i sudo → lists sudo.rte if a BFF fileset is already present
6. Back up the sudoers file before touching anything. Date-stamp the copy so it is obvious when it was taken:
   cp -p /etc/sudoers /etc/sudoers.$(date +%Y%m%d)
   Note the lowercase, correctly spelled path is /etc/sudoers — not sudeors.
7. Run a preview install first. Open the installp menu against the directory holding the BFF:
   cd /tmp
smitty installp
   Choose Install Software, set INPUT device / directory for software to . (the current directory), and set PREVIEW only? to yes. Press Enter. A preview never changes the system — it just reports what would happen.
8. Read the preview output. If an RPM build of sudo is installed, the preview fails with a message like: "Another version of sudo is currently installed via rpm. Please either uninstall the rpm version of sudo by running 'rpm -e sudo', or upgrade the existing version using the .rpm package instead of the .bff package." This is expected — proceed to the next step.
9. Remove the old RPM build of sudo.
   rpm -e sudo
   If this fails with cannot remove /var/run/sudo - directory not empty, that error is harmless: the package was de-registered but a runtime directory survived. Clear it and continue:
   rm -rf /var/run/sudo
   Confirm sudo is gone from the RPM database: rpm -qa | grep -i sudo should now return nothing.
10. Run the real install. Return to smitty installp → Install Software, INPUT directory ., and this time set PREVIEW only? to no. Recommended flag values:
    • COMMIT software updates? → no and SAVE replaced files? → yes — this APPLIES the fileset but keeps a rollback path so you can reject it later if needed.
    • AUTOMATICALLY install requisite software? → yes
    • EXTEND file systems if space needed? → yes
    • OVERWRITE same or newer versions? → no
    • ACCEPT new license agreements? → yes
    Press Enter, confirm, and let it run.
11. Confirm a clean install summary. A successful run ends with an installation summary showing both parts applied:
    sudo.rte 1.8.15.0 USR APPLY SUCCESS
sudo.rte 1.8.15.0 ROOT APPLY SUCCESS
12. Restore your sudoers file. The new fileset may drop a fresh default /etc/sudoers. Put your backed-up policy back:
    cp -p /etc/sudoers.$(date +%Y%m%d) /etc/sudoers
13. Validate the sudoers syntax before relying on it. Never edit sudoers directly — always use the locking, syntax-checking editor:
    visudo
    To only check syntax without editing: visudo -c

Verify the sudo installation on AIX

After you install sudo on AIX, confirm both the version and that the policy works:

1. Check the version and build options:
   sudo -V | more
   You should see Sudo version 1.8.15, the Sudoers policy plugin version 1.8.15, and Sudoers file grammar version 45. The configure line confirms the AIX build defaults, including --prefix=/opt/freeware, --with-logging=syslog, --with-logfac=auth, and --with-editor=/usr/bin/vi.
2. Confirm the fileset is registered with AIX software inventory:
   lslpp -l sudo.rte
lslpp -h sudo.rte (shows the APPLY/COMMIT history)
3. Run a harmless privileged command as an authorized user to prove the policy is active:
   sudo -l (lists what the current user may run)
   sudo lsattr -El sys0 (any benign root command)
4. Tail the auth log to confirm sudo events are recorded. With --with-logfac=auth, entries go to whatever syslog routes the auth facility to — check your /etc/syslog.conf destination.

Common pitfalls when you install sudo on AIX

APPLY vs COMMIT — know the difference

On AIX, an applied fileset is installed but reversible: the previous version's files are saved, so you can roll back with installp -r sudo.rte (reject). A committed fileset is permanent — the saved files are deleted and you can no longer reject it. Until you are confident the new sudo behaves, install with COMMIT = no, SAVE = yes. Once verified, commit it: installp -c sudo.rte or smitty commit.

Removing or downgrading sudo later

To uninstall the BFF fileset entirely (if it was applied, not committed):

• Reject (roll back to the saved version): installp -r sudo.rte
• Force-remove an applied or committed fileset: installp -u sudo.rte

Do not mix this with rpm -e — once you are on the BFF fileset, manage it only with installp / smitty.

Keeping /etc/sudoers safe across upgrades

The most common operational mistake during a sudo upgrade is losing a carefully tuned policy. Two habits prevent it: always take a dated backup (cp -p preserves permissions and timestamps), and always validate with visudo -c before logging out of your root session. If a bad edit locks you out, your live root shell is your safety net — keep it open until verification passes. For repeatable estates, store the canonical /etc/sudoers in version control or a config-management tool and push it after each install.

Key Takeaways

• RPM and BFF builds of sudo conflict on AIX — remove the old RPM with rpm -e sudo before installing the sudo.rte fileset with installp.
• The cannot remove /var/run/sudo error is harmless — clear the directory with rm -rf /var/run/sudo and continue.
• Always back up /etc/sudoers first and validate with visudo -c after restoring it.
• Install with COMMIT = no, SAVE = yes so you can roll back with installp -r before committing permanently.
• sudo 1.8.15.0 is end of life — for production, install the current sudo 1.9.x fileset from IBM's AIX Toolbox using this same procedure.

Frequently Asked Questions

How do I check which version of sudo is installed on AIX?

Run sudo -V for the binary's version (e.g. Sudo version 1.8.15). To see how it was packaged, run lslpp -l sudo.rte for a BFF fileset or rpm -qa | grep -i sudo for an RPM build. A clean system shows it under only one of the two.

Why does installp say sudo is already installed via RPM?

AIX tracks BFF filesets and RPM packages in separate databases but they write to overlapping paths under /opt/freeware. To avoid a corrupted install, AIX blocks the BFF while an RPM build exists. Uninstall it with rpm -e sudo, then re-run smitty installp.

Where does sudo install its files on AIX?

The AIX build uses the prefix /opt/freeware, so the binary is /opt/freeware/bin/sudo and man pages live under /opt/freeware/man. The policy file is the standard /etc/sudoers, edited only through visudo.

Is sudo 1.8.15.0 still safe to run?

No — the 1.8.x branch is unmaintained and carries known vulnerabilities such as CVE-2021-3156 (Baron Samedit). Use it only on isolated legacy systems, and migrate to a current sudo 1.9.x fileset whenever possible. The install steps in this guide are unchanged for newer versions.

For more AIX, Linux and DevOps walkthroughs, subscribe to Explore NY Stream on YouTube @explorenystream.