[sudo-users] Sudo with SSSD !requiretty being ignored

Todd C. Miller Todd.Miller at sudo.ws
Thu Aug 2 17:31:10 MDT 2018

The bug I fixed related to this was not in code present in sudo

I just tried this out on my sssd test vm running Centos 7.
Here's what I see:

bash-4.2$ rpm -qa sudo

bash-4.2$ sudo -ll
Matching Defaults entries for testuser1 on ipa-test:

User testuser1 may run the following commands on ipa-test:

SSSD Role: new_sudo_rule
    RunAsUsers: testuser1
    Options: !requiretty, !authenticate

So requiretty is in the global defaults and it gets overridden via
the testuser1 role.  If I login via ssh without a tty, I get this:

bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
bash-4.2$ tty
not a tty
bash-4.2$ sudo id
sudo id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

And just to show that requiretty is active when that role is not in effect:

bash-4.2$ sudo -ll
sudo -ll
sudo: sorry, you must have a tty to run sudo

I'm not sure why you are getting different behavior.  If you'd
like to send me the debug output I will take a look.  A line like
the following in /etc/sudo.conf should do the trick:

Debug sudoers.so /var/log/sudoers_debug all at debug

You should be able to see where "!requiretty" is parsed.

 - todd

More information about the sudo-users mailing list