Default sudoers file

Support for security such as Firewalls and securing linux
jsm3031
Posts: 2
Joined: 2017/10/12 16:30:30

Default sudoers file

Postby jsm3031 » 2017/10/12 17:46:40

Hello,

I have two CentOS VMs I used for certain tasks when I need them. I ran into an issue with running sudo from a script and I found the solution was to uncomment the "requiretty" option in the sudoers file.

What I'm puzzled about is when I went to apply the change in the other VM, it did not have this option.

The first VM has the following in its sudoers file

Code: Select all

# Defaults specification

# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
#         You have to run "ssh -t hostname sudo <cmd>".
#
Defaults    requiretty

#
# Refuse to run if unable to disable echo on the tty. This setting should also be
# changed in order to be able to use sudo without a tty. See requiretty above.
#
Defaults   !visiblepw


while the other has this

Code: Select all

# Defaults specification

#
# Refuse to run if unable to disable echo on the tty.
#
Defaults   !visiblepw


So the first is completely missing the requiretty line. I'm just really hung up on how they could have different sudoers files. I installed them both from CentOS-7-x86_64-Minimal-1611.iso. I've checked co-workers VMs and also an AWS instance and they all have the version without requiretty. Maybe a package I installed changed the sudoers file? I'd find that surprising...my last guess of what could cause this is choosing a different security policy during installation, but I really don't remember doing that.

If someone can confirm how this could have happened I'd appreciate it.

Thanks

pjsr2
Posts: 190
Joined: 2014/03/27 20:11:07

Re: Default sudoers file

Postby pjsr2 » 2017/11/06 17:12:58

You can verify if a file is changed with the rpm command. The file /etc/sudoers belongs to the sudo package, so:

Code: Select all

rpm --verify sudo


The packaged /etc/sudoers file does not contain "requiretty". The default value for "requiretty" is "off".

When you want to change configuration for sudo, the recommended way is not to change /etc/sudoers, but instead to create a new file in the /etc/sudoers.d directory that contains your modifications. This avoids conflicts when for some reason an update of the sudo rpm package modifies the /etc/sudoers file.

If someone can confirm how this could have happened I'd appreciate it.

If one of the readers on this forum could confirm that, you have serious security problem. :)

jsm3031
Posts: 2
Joined: 2017/10/12 16:30:30

Re: Default sudoers file

Postby jsm3031 » 2017/11/20 18:58:17

Thanks for your reply.

By "confirm how it happened" I thought maybe someone knew, oh yeah if you install in such and such a way you get this configuration...I was just very curious how this one instance got the requiretty line in the sudoers file, complete with a comment that makes it appear as if it was packaged this way.

I understand the way it should be by default well enough now, I can get over it and move on.

Thanks again!