I want to disable requiretty so that I can sudo within scripts, but I'd rather only disable it for a single command rather than everything. Is that possible within the sudoers config?
3 Answers
You can override the default setting for options such as requiretty for a specific user or for a specific command (or for a specific run-as-user or host), but not for a specific command when executed as a specific user.
For example, assuming that requiretty is set in the compile-time default options, the following sudoers file allows both artbristol and bob to execute /path/to/program as root from a script. artbristol needs no password whereas bob must have entered a password (presumably tty_tickets is off and bob entered his password on some terminal recently).
artbristol ALL = (root) NOPASSWD: /path/to/program
bob ALL = (root) /path/to/program
Defaults!/path/to/program !requiretty
If you want to change the setting for a command with specific arguments, you need to use a command alias (this is a syntax limitation). For example, the following fragment allows artbristol to run /path/to/program --option in a script, but not /path/to/program with other arguments.
Cmnd_Alias MYPROGRAM = /path/to/program --option
artbristol ALL = (root) /path/to/program
artbristol ALL = (root) NOPASSWD: MYPROGRAM
Defaults!MYPROGRAM !requiretty
Something like this:
myuser ALL=(ALL) NOPASSWD:/usr/local/bin/mycmd
Defaults:myuser !requiretty
- This might work in /etc/sudoers but does not appear to work in a /etc/sudoers.d/ file – 8bitjunkie Nov 14 '15 at 00:33
- For what it's worth, for me, this edit did work when added to a /etc/sudoers.d/ file. CentOS 7.1 – John Erck Aug 05 '16 at 16:17
- It doesn't work for me when using /etc/sudoers.d/. CentOS 7.5 :( – Stefan Lasiewski Sep 15 '18 at 00:02
I found it works fine for me using a file in /etc/sudoers.d. It is quite simple to verify.
First, I created /etc/sudoers.d/01build with the contents:
build ALL=(ALL) NOPASSWD:/bin/date
Defaults:build !requiretty
Then tested that it works:
ssh host sudo -n /bin/date
Mon Nov 16 16:04:27 CST 2015
Then I modified /etc/sudoers.d/01build and deleted the Defaults: line, and after that, I get:
ssh host sudo -n /bin/date
sudo: sorry, you must have a tty to run sudo
If a Cmnd has associated command line arguments, then the arguments in the Cmnd must match exactly those given by the user on the command line (or match the wildcards if there are any). – aderchox Nov 29 '21 at 08:10
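An added example, not part of any answer above: a small Python audit that lists every Defaults entry turning off requiretty in a sudoers fragment and reports its scope, so a drop-in can be checked for overrides wider than a single command. The function names and the sample text are constructed here; the parser ignores includes, inline comments, several aliases on one line and escaped commas.

```python
import re

# Binding character after "Defaults" selects the scope (sudoers grammar).
SCOPES = {"": "global", ":": "user", "@": "host", ">": "runas", "!": "command"}
DEFAULTS_RE = re.compile(r"^Defaults(?:([:@>!])\s*(\S+))?\s+(.+)$")
ALIAS_RE = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")

# Constructed sample assembled from the fragments quoted in the answers above.
SAMPLE = """\
Cmnd_Alias MYPROGRAM = /path/to/program --option
artbristol ALL = (root) NOPASSWD: MYPROGRAM
Defaults!MYPROGRAM !requiretty
build ALL=(ALL) NOPASSWD:/bin/date
Defaults:build !requiretty
"""


def logical_lines(text):
    """Join backslash-continued lines; drop blank and comment lines."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def requiretty_overrides(text):
    """Return (scope, target, commands) for each Defaults entry with !requiretty."""
    lines = list(logical_lines(text))
    # Simplification: one alias per Cmnd_Alias line, no escaped commas.
    aliases = {m.group(1): [c.strip() for c in m.group(2).split(",")]
               for m in map(ALIAS_RE.match, lines) if m}
    findings = []
    for m in filter(None, map(DEFAULTS_RE.match, lines)):
        binding, target, params = m.groups()
        if "!requiretty" in [p.strip() for p in params.split(",")]:
            scope = SCOPES[binding or ""]
            # A command-scoped entry may name a Cmnd_Alias; expand it for the report.
            commands = aliases.get(target, [target]) if scope == "command" else []
            findings.append((scope, target, commands))
    return findings


def broader_than_command(text):
    """Entries that lift requiretty for more than a single command list."""
    return [f for f in requiretty_overrides(text) if f[0] != "command"]


if __name__ == "__main__":
    for scope, target, commands in requiretty_overrides(SAMPLE):
        print(f"{scope:8} {target or '*':12} {commands}")
```

Run it against the text of a drop-in before installing it; syntax validation itself is still the job of visudo.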