[sudo-users] Sudo with SSSD !requiretty being ignored

Paul Cantle paul at cantle.me
Fri Aug 3 03:10:25 MDT 2018


Hi Todd,

I must apologise for wasting your time. I think the issue was related to SSSD caching. This morning I put requiretty back in the defaults container and restarted SSSD across 2 machines (a few times). I then initiated an ssh <machine> sudo ls / and it worked fine. I removed !requiretty from the container containing my user and it gave me the "sudo: sorry, you must have a tty to run sudo" msg.

I must not have restarted it on the machine I wanted it to run on after I made my changes.

Thanks again.

Paul

On 03/08/2018, 00:31, "Todd C. Miller" <Todd.Miller at sudo.ws> wrote:

    The bug I fixed related to this was not in code present in sudo
    1.8.19.
    
    I just tried this out on my sssd test vm running CentOS 7.
    Here's what I see:
    
    bash-4.2$ rpm -qa sudo
    sudo-1.8.19p2-14.el7_5.x86_64
    
    bash-4.2$ sudo -ll
    Matching Defaults entries for testuser1 on ipa-test:
        requiretty
    
    User testuser1 may run the following commands on ipa-test:
    
    SSSD Role: new_sudo_rule
        RunAsUsers: testuser1
        Options: !requiretty, !authenticate
        Commands:
            ALL
    
    So requiretty is in the global defaults and it gets overridden via
    the testuser1 role.  If I login via ssh without a tty, I get this:
    
    bash: cannot set terminal process group (-1): Inappropriate ioctl for device
    bash: no job control in this shell
    bash-4.2$ tty
    tty
    not a tty
    bash-4.2$ sudo id
    sudo id
    uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    bash-4.2$
    
    And just to show that requiretty is active when that role is not in effect:
    
    bash-4.2$ sudo -ll
    sudo -ll
    sudo: sorry, you must have a tty to run sudo
    bash-4.2$
    
    I'm not sure why you are getting different behavior.  If you'd
    like to send me the debug output I will take a look.  A line like
    the following in /etc/sudo.conf should do the trick:
    
    Debug sudoers.so /var/log/sudoers_debug all@debug
    
    You should be able to see where "!requiretty" is parsed.
    
     - todd
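
A check for the stale-rule situation described in this message, as an added example that is not part of the original thread: it parses `sudo -ll` output in the layout Todd shows and reports, per role, whether `requiretty` is in force once the role's Options are applied over the Defaults. The function names and the sample text are constructed here, and it assumes boolean flags are comma-separated as in that listing.

```python
import re

# Constructed sample: `sudo -ll` output in the layout quoted in the thread.
SAMPLE = """\
Matching Defaults entries for testuser1 on ipa-test:
    requiretty

User testuser1 may run the following commands on ipa-test:

SSSD Role: new_sudo_rule
    RunAsUsers: testuser1
    Options: !requiretty, !authenticate
    Commands:
        ALL
"""

def parse_flags(text):
    """Map 'a, !b' to {'a': True, 'b': False}; name=value settings are skipped."""
    flags = {}
    for item in (s.strip() for s in text.split(",")):
        if item and "=" not in item:
            flags[item.lstrip("!")] = not item.startswith("!")
    return flags

def effective_flag(listing, flag="requiretty"):
    """Return {role name: True/False} for `flag` after per-role overrides."""
    defaults, roles = {}, {}
    in_defaults, role = False, None
    for line in listing.splitlines():
        stripped = line.strip()
        if stripped.startswith("Matching Defaults entries"):
            in_defaults = True
        elif not stripped:
            in_defaults = False          # a blank line ends the Defaults block
        elif in_defaults and line[0].isspace():
            defaults.update(parse_flags(stripped))
        else:
            m = re.match(r"\S+ Role: (.+)", stripped)   # e.g. "SSSD Role: name"
            if m:
                role = m.group(1)
                roles[role] = {}
            elif role and stripped.startswith("Options:"):
                roles[role] = parse_flags(stripped[len("Options:"):])
    base = defaults.get(flag, False)     # requiretty is off unless Defaults set it
    return {name: opts.get(flag, base) for name, opts in roles.items()}

if __name__ == "__main__":
    print(effective_flag(SAMPLE))
```

Running it against the listing from each host after restarting SSSD shows which machines are still serving the rule without the `!requiretty` option.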
    
