Bug 507

Summary: When used within a seteuid daemon, sudo always says "sudo: sorry, you must have a tty to run sudo"
Product: Sudo
Reporter: dwtrusty
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: REOPENED
Severity: normal
CC: keanu1031, thomas.cottier
Priority: low
Version: 1.8.2
Hardware: PC
OS: Linux
Attachments: Perl program which reproduces the error

Description dwtrusty 2011-08-23 14:45:35 MDT
When run from a seteuid daemon, the sudo command always returns
"sudo: sorry, you must have a tty to run sudo".

The sequence is:

1. As root, the program calls seteuid to a non-privileged user.
2. The program execs sudo
3. Sudo rejects all requests, even though the configuration file
allows the requests.  It even rejects 'sudo -l'.

An attached small Perl program reproduces the error.

Note: you will need the Perl Proc::UID and Proc::Daemon modules
in order to run this test program.
Comment 1 dwtrusty 2011-08-23 14:46:37 MDT
Created attachment 314
Perl program which reproduces the error
Comment 2 Todd C. Miller 2011-08-23 15:00:27 MDT
Your sudoers file has the "requiretty" setting enabled, which tells sudo to only run if there is a tty attached.  Since the daemon has no tty (it is not an interactive session), it cannot use sudo when "requiretty" is set.  If you remove that from your sudoers file it should work as you expect.
Comment 3 dwtrusty 2011-08-25 10:27:09 MDT
The sudoers file is like this:

Defaults    requiretty
...
Defaults:wwwrun !requiretty  # XOP

Where 'wwwrun' is the user that the daemon is being set to.
So, the default is being overridden, but the override is being
ignored.
Comment 4 Thomas Cottier 2015-04-30 07:17:04 MDT
Hello,

I had this problem too:

When I have a sudoers file like:

Defaults requiretty
...
Defaults:user !requiretty

The first option overrides the second. A logical behavior would be the second one overriding the first.
Comment 5 Todd C. Miller 2015-08-08 16:25:37 MDT
The problem is that sudo uses the *real* uid when looking up the user but you are only setting the *effective* uid.  That is why the user is not matching.
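To make Comment 5 concrete, here is a small C program added as an illustration; it is neither the reporter's Perl attachment nor sudo's own code. It models sudo's user lookup as "take the real uid" (an assumption drawn from Comment 5, not a copy of sudo's implementation), uses uid 30 as a constructed stand-in for wwwrun, and contrasts the daemon's seteuid() switch with a full setuid() drop. Run as root to observe both switches; unprivileged, it only reports the current ids.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Model of the lookup sudo performs when it starts: the invoking user is
 * taken from the *real* uid, so a seteuid() switch alone is invisible to it. */
uid_t sudo_invoking_uid(uid_t real_uid, uid_t effective_uid) {
    (void)effective_uid;          /* deliberately ignored, as sudo does */
    return real_uid;
}

/* Would a per-user line such as "Defaults:wwwrun !requiretty" match? */
int user_default_applies(uid_t real_uid, uid_t effective_uid, uid_t target) {
    return sudo_invoking_uid(real_uid, effective_uid) == target;
}

/* What the reporter's daemon does: only the effective uid changes. */
int drop_effective_only(uid_t target) {
    return seteuid(target);
}

/* What a daemon must do before exec'ing sudo: change the real uid as well.
 * From uid 0, setuid() sets real, effective and saved uid together; the
 * follow-up setuid(0) must then fail, which confirms root was really given up. */
int drop_all_ids(uid_t target) {
    if (setuid(target) != 0)
        return -1;
    if (setuid(0) == 0)           /* regained root: the drop was incomplete */
        return -1;
    return 0;
}

static void report(const char *stage, uid_t target) {
    uid_t real = getuid(), eff = geteuid();
    printf("%s: real=%u effective=%u; sudo would treat the caller as uid %u, "
           "Defaults:<target> line applies: %s\n",
           stage, (unsigned)real, (unsigned)eff,
           (unsigned)sudo_invoking_uid(real, eff),
           user_default_applies(real, eff, target) ? "yes" : "no");
}

int main(void) {
    uid_t target = 30;            /* constructed stand-in for the "wwwrun" uid */

    if (geteuid() != 0) {
        report("not root, no switch possible", target);
        return 0;
    }
    if (drop_effective_only(target) != 0) { perror("seteuid"); return 1; }
    report("after seteuid (reporter's daemon)", target);

    if (seteuid(0) != 0) { perror("seteuid(0)"); return 1; }   /* back to root */
    if (drop_all_ids(target) != 0) { perror("setuid"); return 1; }
    report("after setuid (real uid dropped too)", target);
    return 0;
}
```

The second check in drop_all_ids() is the one worth keeping in a real daemon: after dropping to the unprivileged user, an attempt to return to uid 0 must fail, otherwise the process still holds root in its saved uid and the "drop" is cosmetic.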