Linux Sudo Issue?

GEEK ALERT
This post will make sense to probably about eight people on the planet. Posting here just in case I forget or so perhaps it can help explain this problem to the other seven people.

I just stumbled across this odd sudo issue on a couple of my servers when trying to do a password-less sudo through SSH. I want to be able to have a local user called sysadmin sudo a command (apt-get) to update the sources list and, if possible, run an automatic update without any interaction. We have 240 servers, so any sort of automation to make this easier is a good thing. (note: Landscape is not an option for us).

So, the basic thinking was that we would just add a NOPASSWD option to /etc/sudoers for the relevant command on every member server then from a management system (with appropriately-shared SSH keys, of course) we would just issue an SSH to that server followed by the appropriate sudo command, thus:

ssh sysadmin@someserver sudo apt-get update

On most of our systems, that works fine. But on a few, I keep seeing this:

sudo: no tty present and no askpass program specified

Well, that makes a little bit of sense. There’s no interactive TTY when using a one-shot through SSH like we’re doing. But if we add the needed ‘-t’ option to SSH, then we still get prompted for a password, which is contrary to what we put in /etc/sudoers on all of the member servers:

sysadmin        ALL=(ALL) NOPASSWD: /usr/bin/apt-get

So everything looks perfectly fine there, but then I got to thinking about it and remembered a feature of sudoers and started looking a bit closer. I realized that the affected systems had a few additional entries beneath this one. One of them is the Ubuntu-defined “%admin” group:

%admin ALL=(ALL) ALL

Well, sysadmin is a member of “admin”. And the %admin entry says that its members are allowed to run anything with elevated rights as long as a password is entered.

Ah-ha!

That little feature in /etc/sudoers is that entries are processed first to last. That is, if there’s another entry that applies later in the file, it always takes priority. In this case, the “sysadmin” account was a member of the local “admin” group and, because %admin was after sysadmin in sudoers, sudo was requiring that sysadmin enter a password to continue.

Our solution? Simply move the sysadmin entry to the bottom of the file, save, then try kicking off the command again.

Fixed.

I suppose it helps to understand the function you’re using.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.