[sudo-users] Sudo with SSSD !requiretty being ignored
Todd C. Miller
Todd.Miller at sudo.ws
Thu Aug 2 17:31:10 MDT 2018
The bug I fixed related to this was not in code present in sudo
1.8.19.

I just tried this out on my sssd test VM running CentOS 7.
Here's what I see:

    bash-4.2$ rpm -qa sudo
    sudo-1.8.19p2-14.el7_5.x86_64
    bash-4.2$ sudo -ll
    Matching Defaults entries for testuser1 on ipa-test:
        requiretty
    User testuser1 may run the following commands on ipa-test:
    SSSD Role: new_sudo_rule
        RunAsUsers: testuser1
        Options: !requiretty, !authenticate
        Commands:
            ALL

So requiretty is in the global defaults and it gets overridden via
the testuser1 role. If I log in via ssh without a tty, I get this:

    bash: cannot set terminal process group (-1): Inappropriate ioctl for device
    bash: no job control in this shell
    bash-4.2$ tty
    tty
    not a tty
    bash-4.2$ sudo id
    sudo id
    uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    bash-4.2$

And just to show that requiretty is active when that role is not in effect:

    bash-4.2$ sudo -ll
    sudo -ll
    sudo: sorry, you must have a tty to run sudo
    bash-4.2$

I'm not sure why you are getting different behavior. If you'd
like to send me the debug output I will take a look. A line like
the following in /etc/sudo.conf should do the trick:

    Debug sudoers.so /var/log/sudoers_debug all@debug

You should be able to see where "!requiretty" is parsed.
- todd
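
Added example, not part of the message above or of sudo itself: a small Python parser for `sudo -ll` output like the listing in the message, reporting which role or sudoers entry switches off requiretty or authenticate relative to the matching Defaults. The function names and the hand-re-indented SAMPLE are assumptions for illustration; only these two boolean flags are tracked and every other option is ignored.

```python
import re

# sudo's built-in values for the two flags audited here.
BUILTIN = {"requiretty": False, "authenticate": True}
ENTRY = re.compile(r"^(?:SSSD Role|LDAP Role|Sudoers entry):\s*(.*)$")

def _flags(csv):
    """Turn 'requiretty, !authenticate' into {'requiretty': True, 'authenticate': False}."""
    out = {}
    for item in (i.strip() for i in csv.split(",")):
        name = item.lstrip("!")
        if name in BUILTIN:          # skip valued options such as secure_path=...
            out[name] = not item.startswith("!")
    return out

def effective_flags(listing):
    """Return (global_flags, {entry_name: flags}) parsed from `sudo -ll` text."""
    glob, entries, current, in_defaults = dict(BUILTIN), {}, None, False
    for line in (l.strip() for l in listing.splitlines()):
        if line.startswith("Matching Defaults entries"):
            in_defaults = True
        elif line.startswith("User ") and "may run" in line:
            in_defaults = False
        elif in_defaults and line:
            glob.update(_flags(line))            # Defaults that apply to this user
        elif (m := ENTRY.match(line)):
            current = m.group(1) or f"entry#{len(entries) + 1}"
            entries[current] = dict(glob)        # entry starts from the Defaults
        elif current and line.startswith("Options:"):
            entries[current].update(_flags(line.split(":", 1)[1]))
    return glob, entries

def weakened(listing):
    """List (entry, flag) pairs where an entry switches off a flag that was on."""
    glob, entries = effective_flags(listing)
    return sorted((name, f) for name, fl in entries.items()
                  for f in BUILTIN if glob[f] and not fl[f])

# Listing from the message above, re-indented by hand (assumed layout).
SAMPLE = """\
Matching Defaults entries for testuser1 on ipa-test:
    requiretty
User testuser1 may run the following commands on ipa-test:
SSSD Role: new_sudo_rule
    RunAsUsers: testuser1
    Options: !requiretty, !authenticate
    Commands:
        ALL
"""
```

For the listing in the message, `weakened(SAMPLE)` reports that new_sudo_rule turns off both authenticate and requiretty.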