Page 1 of 1

Default sudoers file

Posted: 2017/10/12 17:46:40
by jsm3031
Hello,

I have two CentOS VMs I used for certain tasks when I need them. I ran into an issue with running sudo from a script and I found the solution was to uncomment the "requiretty" option in the sudoers file.

What I'm puzzled about is when I went to apply the change in the other VM, it did not have this option.

The first VM has the following in its sudoers file

Code: Select all

# Defaults specification

# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
#         You have to run "ssh -t hostname sudo <cmd>".
#
Defaults    requiretty

#
# Refuse to run if unable to disable echo on the tty. This setting should also be
# changed in order to be able to use sudo without a tty. See requiretty above.
#
Defaults   !visiblepw


while the other has this

Code: Select all

# Defaults specification

#
# Refuse to run if unable to disable echo on the tty.
#
Defaults   !visiblepw


So the first is completely missing the requiretty line. I'm just really hung up on how they could have different sudoers files. I installed them both from CentOS-7-x86_64-Minimal-1611.iso. I've checked co-workers VMs and also an AWS instance and they all have the version without requiretty. Maybe a package I installed changed the sudoers file? I'd find that surprising...my last guess of what could cause this is choosing a different security policy during installation, but I really don't remember doing that.

If someone can confirm how this could have happened I'd appreciate it.

Thanks

Re: Default sudoers file

Posted: 2017/11/06 17:12:58
by pjsr2
You can verify if a file is changed with the rpm command. The file /etc/sudoers belongs to the sudo package, so:

Code: Select all

rpm --verify sudo


The packaged /etc/sudoers file does not contain "requiretty". The default value for "requiretty" is "off".

When you want to change configuration for sudo, the recommended way is not to change /etc/sudoers, but instead to create a new file in the /etc/sudoers.d directory that contains your modifications. This avoids conflicts when for some reason an update of the sudo rpm package modifies the /etc/sudoers file.

If someone can confirm how this could have happened I'd appreciate it.

If one of the readers on this forum could confirm that, you have serious security problem. :)

Re: Default sudoers file

Posted: 2017/11/20 18:58:17
by jsm3031
Thanks for your reply.

By "confirm how it happened" I thought maybe someone knew, oh yeah if you install in such and such a way you get this configuration...I was just very curious how this one instance got the requiretty line in the sudoers file, complete with a comment that makes it appear as if it was packaged this way.

I understand the way it should be by default well enough now, I can get over it and move on.

Thanks again!