Bug 292

Summary: Don't requiretty for NOPASSWD
Product: Sudo
Component: Sudo
Reporter: Phil Dumont <phil>
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED INVALID    
Severity: normal    
Priority: low    
Version: 1.6.8   
Hardware: PC   
OS: Linux   

Description Phil Dumont 2008-06-27 09:12:29 MDT
As far as I can tell from my (admittedly limited) perusal of the code and /etc/sudoers comments, the primary purpose of requiretty is to avoid a situation where an entered password would show up on the screen in the clear.

Given that, it seems silly to require a tty when attempting to run a NOPASSWD command through sudo.

Would it be reasonable to forgo the check for a controlling tty (regardless of requiretty value) for the NOPASSWD case?

This is causing me minor problems when I try to run a sudo NOPASSWD command from a cron job.  Cron, of course, has no controlling tty (nor does it set one up for the jobs it spawns) and so my script fails at the sudo.

I've worked around it by turning off requiretty for my login.  This is reasonable for my current configuration, because the only jobs my login is configured for in sudo are all NOPASSWD.  But if I had a mixture of PASSWD and NOPASSWD, it would be harder to come up with the "right" configuration.

I'm running on CentOS5 (an RHEL5 clone), so it has all their patches.  (That's why I even saw the problem, because one of their patches is to make requiretty the default in /etc/sudoers.)

Comment 1 Todd C. Miller 2008-11-06 07:19:11 MST
The requiretty option was originally intended to prevent sudo from being run from a non-login context.  E.g., from cron or a web server.

Comment 2 Phil Dumont 2008-11-06 08:42:42 MST
Well, that's another good reason for requiretty.  Too bad the docs don't mention it.

Be that as it may, the reason given by the sudoers man page for the requiretty option, though it may not have been the original motivation for the option, is still valid.  To wit, under some circumstances (like "rsh somehost sudo somecommand"), if prompted for a passwd and there is no tty, the passwd will show up in the clear.

So as it is now, I have a choice to make.  I can turn off requiretty, which will let me run my NOPASSWD command from cron, but opens the risk of passwd-in-the-clear for my other sudo commands which require a PASSWD.  Or I can turn on requiretty, which will close the passwd-in-the-clear risk, but prevents cron runs.  I can't (as far as I can tell) have both.  I'd like to.

Maybe tying a turning off of requiretty to NOPASSWD is not the right solution.  But it would be nice if requiretty had a per-command resolution, like NOPASSWD, instead of its current coarser resolution of per-user.

Comment 3 Todd C. Miller 2008-11-07 09:33:53 MST
I've fixed up the docs for 1.7.0, which will no longer prompt for a password when echo cannot be disabled unless explicitly configured to do so.
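
The trade-off described in comment 2, as an added example that is not part of the original thread or of sudo's own code: a simplified Python check that reports which NOPASSWD rules are still blocked by requiretty when there is no tty (the cron case) and which password-requiring rules have lost requiretty protection. Assumptions: the sudoers text is a constructed sample, the parser handles only one-line entries without aliases or groups, and the per-command `Defaults!command` form comes from current sudoers syntax and is not mentioned in the thread.

```python
import re

# Constructed sample, not from the bug report: a global requiretty (as on
# CentOS 5), one per-user exemption and one per-command exemption.
SAMPLE_SUDOERS = """\
Defaults requiretty
Defaults:backup !requiretty
Defaults!/usr/local/bin/rotate-logs !requiretty
phil    ALL = NOPASSWD: /usr/local/bin/rotate-logs
phil    ALL = NOPASSWD: /usr/local/bin/sync-mirror
phil    ALL = /usr/sbin/service
backup  ALL = NOPASSWD: /usr/bin/rsync
"""

# Simplified grammar (assumption): one entry per line, no aliases or groups.
DEFAULTS = re.compile(r"^Defaults(?:([:!])(\S+))?\s+(!?)requiretty\s*$")
RULE = re.compile(r"^(\w+)\s+\S+\s*=\s*(NOPASSWD:\s*)?(\S+)\s*$")

def parse(text):
    """Return (defaults, rules); a default is (scope, target, enabled)."""
    defaults, rules = [], []
    for line in map(str.strip, text.splitlines()):
        if m := DEFAULTS.match(line):
            defaults.append((m.group(1), m.group(2), m.group(3) == ""))
        elif m := RULE.match(line):
            rules.append((m.group(1), bool(m.group(2)), m.group(3)))
    return defaults, rules

def tty_required(defaults, user, cmd):
    """Global entries first, then per-user, then per-command; last match wins."""
    required = False  # sudo's built-in default leaves requiretty off
    for scope, want in ((None, None), (":", user), ("!", cmd)):
        for s, target, enabled in defaults:
            if s == scope and target == want:
                required = enabled
    return required

def audit(text):
    """Return (blocked, exposed): NOPASSWD rules that fail without a tty, and
    password rules that sudo would still accept without a tty."""
    defaults, rules = parse(text)
    blocked = [(u, c) for u, nopw, c in rules
               if nopw and tty_required(defaults, u, c)]
    exposed = [(u, c) for u, nopw, c in rules
               if not nopw and not tty_required(defaults, u, c)]
    return blocked, exposed

if __name__ == "__main__":
    print(audit(SAMPLE_SUDOERS))
```

With the sample, only phil's `sync-mirror` rule is reported as blocked; replacing the per-command line with `Defaults:phil !requiretty` unblocks it but moves phil's password-requiring `service` rule into the exposed list.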