[sudo-users] Sudo with SSSD !requiretty being ignored
paul at cantle.me
Fri Aug 3 03:10:25 MDT 2018
I must apologise for wasting your time. I think the issue was related to SSSD caching. This morning I put requiretty back in the defaults container and restarted SSSD across 2 machines (a few times). Then I initiated an ssh <machine> sudo ls / and it worked fine. I removed !requiretty from the container containing my user and it gave me the "sudo: sorry, you must have a tty to run sudo" message.
I must not have restarted it on the machine I wanted it to run on after I made my changes.
On 03/08/2018, 00:31, "Todd C. Miller" <Todd.Miller at sudo.ws> wrote:
The bug I fixed related to this was not in code present in sudo
I just tried this out on my sssd test vm running CentOS 7.
Here's what I see:
bash-4.2$ rpm -qa sudo
bash-4.2$ sudo -ll
Matching Defaults entries for testuser1 on ipa-test:
User testuser1 may run the following commands on ipa-test:
SSSD Role: new_sudo_rule
Options: !requiretty, !authenticate
So requiretty is in the global defaults and it gets overridden via
the testuser1 role. If I login via ssh without a tty, I get this:
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
not a tty
bash-4.2$ sudo id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
And just to show that requiretty is active when that role is not in effect:
bash-4.2$ sudo -ll
sudo: sorry, you must have a tty to run sudo
I'm not sure why you are getting different behavior. If you'd
like to send me the debug output I will take a look. A line like
the following in /etc/sudo.conf should do the trick:
Debug sudoers.so /var/log/sudoers_debug all@debug
You should be able to see where "!requiretty" is parsed.
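
The override shown in the thread (requiretty in the global Defaults, cleared by an option on the role) can be checked per role after an SSSD restart. This is an added example, not part of either message: it assumes `sudo -ll` text on stdin, and the sample listing and the role name other_rule are constructed.

```shell
# Added example: per-role effective requiretty, parsed from `sudo -ll` text on stdin.
# Capture the text from a session with a tty; without one, `sudo -ll` fails when requiretty applies.
requiretty_report() {
    awk '
    # "on"/"off" when the comma-separated option list sets requiretty, "" otherwise
    function tty_flag(list,    n, i, o, v) {
        v = ""
        n = split(list, o, ",")
        for (i = 1; i <= n; i++) {
            gsub(/^[ \t]+|[ \t]+$/, "", o[i])
            if (o[i] == "requiretty")  v = "on"
            if (o[i] == "!requiretty") v = "off"
        }
        return v
    }
    # a role option wins over the global Defaults value
    function flush_role() {
        if (role != "") print role ": requiretty " (role_tty != "" ? role_tty : global)
    }
    BEGIN { global = "off" }                      # upstream sudo default: requiretty off
    /^Matching Defaults entries/ { in_defaults = 1; next }
    /^User .* may run/           { in_defaults = 0; next }
    in_defaults && NF            { f = tty_flag($0); if (f != "") global = f; next }
    /^(SSSD|LDAP) Role:/ { flush_role(); role = $0; sub(/^[^:]*:[ \t]*/, "", role); role_tty = ""; next }
    /^[ \t]*Options:/ { line = $0; sub(/^[ \t]*Options:/, "", line); role_tty = tty_flag(line) }
    END { flush_role() }
    '
}

# Constructed sample (not captured output); other_rule is a made-up second role.
sample_output() {
    cat <<'EOF'
Matching Defaults entries for testuser1 on ipa-test:
    requiretty, !visiblepw

User testuser1 may run the following commands on ipa-test:

SSSD Role: new_sudo_rule
    Options: !requiretty, !authenticate

SSSD Role: other_rule
    Commands:
        /usr/bin/id
EOF
}

sample_output | requiretty_report
```

Running it before and after restarting SSSD on the target machine shows whether the cached rules have picked up a changed option.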