Re: sudoers tty defaults (Re: Changing Users in a script)
On Mon, Aug 15, 2011 at 3:51 PM, Walter Hurry <walterhurry@lavabit.com> wrote:
> On Mon, 15 Aug 2011 13:12:04 -0600, Bob Proulx wrote:
>> Tom H wrote:
>>> Both are set by default.
>>
>> Just tty_tickets is set by default. requiretty is off by default.
>>
>> $ man 5 sudoers
>>
>>   tty_tickets     If set, users must authenticate on a per-tty basis.
>>                   With this flag enabled, sudo will use a file
>>                   named for the tty the user is logged in on in the
>>                   user's time stamp directory. If disabled, the
>>                   time stamp of the directory is used instead.
>>                   This flag is on by default.
>>
>>   requiretty      If set, sudo will only run when the user is logged in
>>                   to a real tty. When this flag is set, sudo can
>>                   only be run from a login session and not via
>>                   other means such as cron(8) or cgi-bin scripts.
>>                   This flag is off by default.
>>
>> Best would be to run 'sudo -l' and see what flags are actually set at
>> the time. And remember that /etc/sudoers.d/* is a directory of
>> additional snippets that are also included into the configuration.
>
> For what it is worth, I'm not sure that that man page is up to date.
> Squeeze here (up to date), and I have done nothing directly with the
> supplied /etc/sudoers; only used visudo to add myself.
>
> It has neither tty-tickets nor requiretty. I note by the way, that this
> differs from RHEL and derivatives, which include requiretty by default.
"sudo -L" lists the full list of "Defaults". I'd be very surprised if
even one of these isn't set.
"sudo -l" lists the commands that the invoking user can run as well
as whatever's explicitly set on the "Defaults" line.
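
Added example, not part of the original thread: a shell sketch that reports whether tty_tickets or requiretty is set explicitly in a sudoers file and its sudoers.d snippets. "not mentioned" means no explicit setting was found, so the compiled-in default described in the man page excerpt quoted above applies. The names flag_state and write_samples and the sample files are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example. Reports whether a boolean sudoers flag is set explicitly
# on global "Defaults" lines in the files given (later lines win).
# Simplifications: no line continuations, no Defaults:user / Defaults@host
# scopes, and "#" is always treated as the start of a comment.
flag_state() {
    flag=$1; shift
    awk -v flag="$flag" '
        { sub(/#.*/, "") }                  # drop comments and #include lines
        $1 != "Defaults" { next }           # global Defaults lines only
        {
            sub(/^[ \t]*Defaults[ \t]+/, "")
            n = split($0, items, ",")
            for (i = 1; i <= n; i++) {
                item = items[i]
                gsub(/^[ \t]+|[ \t]+$/, "", item)
                if (item == flag) state = "on (explicit)"
                else if (item == ("!" flag)) state = "off (explicit)"
            }
        }
        END { print (state == "" ? "not mentioned" : state) }
    ' "$@"
}

# Constructed sample files, not taken from any real system.
write_samples() {
    mkdir -p "$1/sudoers.d"
    printf '%s\n' '# constructed sample' 'Defaults env_reset' \
        'root ALL=(ALL) ALL' '#includedir /etc/sudoers.d' > "$1/sudoers"
    printf '%s\n' 'Defaults requiretty, !tty_tickets' > "$1/sudoers.d/10-local"
}

demo=$(mktemp -d)
write_samples "$demo"
for flag in tty_tickets requiretty; do
    printf '%-12s main file only: %s\n' "$flag" \
        "$(flag_state "$flag" "$demo/sudoers")"
    printf '%-12s with sudoers.d: %s\n' "$flag" \
        "$(flag_state "$flag" "$demo/sudoers" "$demo"/sudoers.d/*)"
done
rm -rf "$demo"
```

On a real system the files are normally readable only by root, and the output of 'sudo -l' remains the authoritative view of what is in effect.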