Bug 445

Summary: Always prompts for password when run without a tty
Product: Sudo
Reporter: cheetah-sudo
Component: Sudoers
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: normal
Priority: low
Version: 1.7.4
Hardware: PC
OS: Linux
Attachments: Patch to honor timestamp file when targetpw is set

Description cheetah-sudo 2010-10-07 12:56:16 MDT
Using sudo 1.7.4p4 on Debian, I've found that, if a sudo invocation doesn't match a NOPASSWD rule, sudo now always prompts for a password when run without a tty, even if tty_tickets is not enabled and the current ticket is valid.

Digging through things, the problem seems to be in check.c, introduced in changeset 4606:5880200c5f6b.  Part of that changeset includes a bit (~ line 499) that skips the ticket timestamp checking if there is no tty.  That is of course appropriate if tty_tickets is enabled, but the code neglects to check whether it is in fact enabled at that point.

That line of code still exists in plugins/sudoers/check.c in the latest hg tree, but I don't know if other changes in the surrounding code might have tweaked its behavior.

I don't know how much of a problem this is for people generally, but for me personally it causes issues in scripts that prompt the user to create/renew their sudo ticket at the start and then attempt to use sudo non-interactively several times shortly thereafter.

Comment 1 Todd C. Miller 2010-10-07 14:18:20 MDT
Created attachment 296
Patch to honor timestamp file when targetpw is set

It used to be the case that the timestamp file was only used when tty tickets were in use.  Now, however, it is also used when targetpw is set in sudoers.  I've attached a patch that should address this.

Comment 2 cheetah-sudo 2010-10-07 16:54:39 MDT
Patch works for me, thank you.

Comment 3 Todd C. Miller 2010-10-07 18:07:12 MDT
Excellent.  The patch will be part of sudo 1.7.5 which should be out in 3 weeks or so.

Comment 4 Todd C. Miller 2011-01-15 12:20:30 MST
Fixed in sudo 1.7.4p5