2

On Amazon Linux 2018.03, I have a process that runs as an unprivileged user and calls sudo to run a command. I'm getting the message:

sudo: sorry, you must have a tty to run sudo

The unprivileged user (xymon) is allowed to run the command in question without a password:

Cmnd_Alias YUM = /usr/bin/yum
xymon   ALL=(ALL)               NOPASSWD: YUM

The command is being called from a perl script executed by the local xymon client process via the following lines:

my $YumCmd  = 'sudo yum check-update  2>&1' ;
@Lines = `$YumCmd` ;

In /etc/sudoers, I have supposedly disabled the tty requirement with:

Defaults    !requiretty

No luck. None of the includes set requiretty.

sudo -ll as the xymon user is below:

Matching Defaults entries for xymon on this host:
!visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
_XKB_CHARSET XAUTHORITY", !requiretty, secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, requiretty, !visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME
LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", !authenticate

User xymon may run the following commands on this host:

Sudoers entry:
RunAsUsers: ALL
Commands:
    NOPASSWD: /usr/bin/yum

I notice that requiretty does appear in the output but does not appear to be overridden by my Defaults !requiretty directive. Placing the Defaults !requiretty directive at the very end of the sudoers file places it just before the requiretty listed in sudo -ll. No idea where this is coming from.

Using a pseudo-tty with ssh does work using the following command:

my $YumCmd  = 'ssh -tt -i ~/.ssh/id_rsa localhost sudo yum check-update  2>&1' ;

This is not a good option given the large amount of setup needed for the many servers to run this script (Xymon script). Any suggestions for getting this to work with sudo or is this a bug?

JohnA
  • 204
  • check the answer of this Q. https://unix.stackexchange.com/questions/79960/how-to-disable-requiretty-for-a-single-command-in-sudoers – Michael D. May 10 '18 at 21:44
  • I've updated my question to answer the query from @dsstorefile1 – JohnA May 10 '18 at 21:45
  • @Michael D. - I had previously read the Q. that you recommended and tried all of those things. No luck. – JohnA May 10 '18 at 21:47
  • 1
    Can you su xymon and check the output of sudo -ll ? – Michael D. May 10 '18 at 21:53
  • @Michael D. The sudo -ll output has been added to the Q. !requiretty shows up. Odd. – JohnA May 10 '18 at 22:11
  • @roaima - I updated the Q. to show how it is being called. – JohnA May 10 '18 at 22:17
  • @roaima - apologies for not including that info. The Q. is updated. The script is called by the local xymon client process. – JohnA May 10 '18 at 22:33
  • 4
    I see both !requiretty and requiretty in your sudo -ll output. Later rules usually win. Can you track down where the second one is coming from? – Mark Plotnick May 10 '18 at 22:41
  • @MarkPlotnick excellent catch. I'd looked but missed the second instance. – Chris Davies May 10 '18 at 23:21
  • Does /etc/sudoers.d/ directory exist? If it exists, are there any files in it that contain more Defaults settings? – telcoM May 11 '18 at 06:52
  • /etc/sudoers.d/ does exist, but no files there have Defaults settings. I'm thinking that the requiretty must be baked into this distro of sudo. – JohnA May 11 '18 at 14:44

1 Answer

2

Issue solved. I had included requiretty in my LDAP.

cn=defaults,OU=SUDOers sudoOption requiretty changed to !requiretty and all works properly.

I will now limit !requiretty to just the affected user.

JohnA
  • 204
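
The check that found the problem in this thread (a flag listed both as !requiretty and requiretty in the sudo -ll output) can be automated. The following is an added example, not code from any of the posts: it parses the "Matching Defaults entries" text and reports boolean flags that are set both ways, treating the last one listed as effective per the "later rules win" comment. The function names are hypothetical and the sample input is constructed from the output in the question.

```python
import re

# Constructed sample, shortened from the "Matching Defaults entries" text in the
# question; as there, one quoted value wraps across a line break.
SAMPLE = r'''Matching Defaults entries for xymon on this host:
!visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME",
env_keep+="MAIL PS1 PS2", !requiretty, secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin,
requiretty, !visiblepw, env_reset, env_keep+="LC_TIME LC_ALL
_XKB_CHARSET", !authenticate

User xymon may run the following commands on this host:
'''


def defaults_entries(sudo_ll_output):
    """Return the Defaults entries from `sudo -ll` text, in the order listed."""
    lines = sudo_ll_output.splitlines()
    start = next((i for i, line in enumerate(lines)
                  if line.startswith("Matching Defaults entries")), None)
    if start is None:
        return []
    body = []
    for line in lines[start + 1:]:
        if not line.strip() or line.startswith("User "):
            break  # the Defaults list ends at the blank line before the rules
        body.append(line.strip())
    # Split on commas that are outside double quotes.
    parts = re.findall(r'(?:[^,"]|"[^"]*")+', " ".join(body))
    return [p.strip() for p in parts if p.strip()]


def flag_conflicts(entries):
    """Map each boolean flag that is set both ways to (effective, history).

    history is [(position, value), ...]; effective is the last value listed,
    following the "later rules win" point made in the comments.
    """
    seen = {}
    for pos, entry in enumerate(entries):
        if "=" in entry:  # value settings such as env_keep+=... or secure_path=...
            continue
        seen.setdefault(entry.lstrip("!"), []).append((pos, not entry.startswith("!")))
    return {name: (hist[-1][1], hist) for name, hist in seen.items()
            if len({value for _, value in hist}) > 1}


if __name__ == "__main__":
    for name, (effective, hist) in flag_conflicts(defaults_entries(SAMPLE)).items():
        where = ", ".join(f"{'' if v else '!'}{name} at #{p}" for p, v in hist)
        print(f"{name}: listed as {where}; effective: {'on' if effective else 'off'}")
```

The listing does not say which source supplied each entry, so a flag reported here points at a second Defaults source to look for, which in this thread turned out to be LDAP.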