
Re: sudoers tty defaults (Re: Changing Users in a script)



On Mon, Aug 15, 2011 at 3:51 PM, Walter Hurry <walterhurry@lavabit.com> wrote:
> On Mon, 15 Aug 2011 13:12:04 -0600, Bob Proulx wrote:
>> Tom H wrote:
>>> Both are set by default.
>>
>> Just tty_tickets is set by default.  requiretty is off by default.
>>
>>   $ man 5 sudoers
>>
>>        tty_tickets     If set, users must authenticate on a per-tty basis.
>>                        With this flag enabled, sudo will use a file
>>                        named for the tty the user is logged in on in the
>>                        user's time stamp directory.  If disabled, the
>>                        time stamp of the directory is used instead.
>>                        This flag is on by default.
>>
>>        requiretty      If set, sudo will only run when the user is logged in
>>                        to a real tty.  When this flag is set, sudo can
>>                        only be run from a login session and not via
>>                        other means such as cron(8) or cgi-bin scripts.
>>                        This flag is off by default.
>>
>> Best would be to run 'sudo -l' and see what flags are actually set at
>> the time.  And remember that /etc/sudoers.d/* is a directory of
>> additional snippets that are also included into the configuration.
>
> For what it is worth, I'm not sure that that man page is up to date.
> Squeeze here (up to date), and I have done nothing directly with the
> supplied /etc/sudoers; only used visudo to add myself.
>
> It has neither tty-tickets nor requiretty. I note by the way, that this
> differs from RHEL and derivatives, which include requiretty by default.

"sudo -L" lists the full list of "Defaults". I'd be very surprised if
even one of these isn't set.

"sudo -l" lists the commands that the invoking user can run as well
as whatever's explicitly set on the "Defaults" line.
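
Added example (not part of the original message): a shell function that reports whether a boolean flag such as requiretty or tty_tickets is set explicitly on a global "Defaults" line in a set of sudoers files, as opposed to being left to sudo's built-in default. The function name explicit_default and the sample files are constructed for illustration; line continuations and scoped entries such as "Defaults:user" are assumed absent and are not handled.

```shell
#!/bin/sh
# explicit_default FLAG FILE...
# Prints "on", "off" or "unset" for a boolean sudoers flag, looking only at
# global "Defaults" lines. Files are read in the order given and the last
# matching entry wins, so pass /etc/sudoers.d snippets after the main file.
explicit_default() {
    _flag=$1; shift
    awk -v flag="$_flag" '
        BEGIN { state = "unset" }
        /^[ \t]*Defaults[ \t]/ {
            line = $0
            sub(/^[ \t]*Defaults[ \t]+/, "", line)   # drop the keyword
            sub(/[ \t]*#.*$/, "", line)              # drop a trailing comment
            n = split(line, items, ",")              # comma-separated settings
            for (i = 1; i <= n; i++) {
                item = items[i]
                gsub(/[ \t]/, "", item)
                if (item == flag) state = "on"
                else if (item == ("!" flag)) state = "off"
            }
        }
        END { print state }
    ' "$@"
}

# Constructed sample files (not copied from any distribution).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'Defaults\tenv_reset\nroot\tALL=(ALL) ALL\n' > "$demo/plain"
printf 'Defaults    requiretty\nDefaults    env_reset, !tty_tickets\n' > "$demo/strict"
printf '# local override\nDefaults !requiretty\n' > "$demo/override"

for f in requiretty tty_tickets; do
    echo "$f:" \
         "plain=$(explicit_default "$f" "$demo/plain")" \
         "strict=$(explicit_default "$f" "$demo/strict")" \
         "strict+override=$(explicit_default "$f" "$demo/strict" "$demo/override")"
done
```

A result of "unset" means the files are silent on that flag, so whatever default sudo was built with applies.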

