Say sudo -K
, then retry your test. If it starts asking again, all that was happening is that you had sudo
configured to remember your password for some time.
On top of this, Ubuntu's default sudo
configuration makes it remember your credentials across tty
s. This affects ssh
sessions, as you've discovered, since each new ssh
connection looks like a new terminal to the low-level OS code.
This also affects things like the graphical Terminal app. If you authenticate with sudo
, then create a new tab with Ctrl-Shift-T, you'll find that you don't need to give a password to sudo
again in that tab, despite the fact that it also creates a new tty
. You can even close the Terminal app entirely, and as long as you restart it within the normal password timeout, sudo
will run without requiring you to re-enter your password. This behavior may be enough to make you decide you want to keep this feature enabled.
Mac OS X works this way these days, too.
Not all *ixes do. Red Hat Enterprise Linux (and derivatives like CentOS) insist on getting the password on each new tty
.
You can disable both behaviors by changing the Defaults
line in /etc/sudoers
to something like this:
Defaults=env_reset,timestamp_timeout=0,tty_tickets
The env_reset
bit should be there already, and isn't relevant here
The timestamp_timeout
directive tells it to immediately time out each sudo
session. It's like saying sudo -K
after every normal sudo
command.
The tty_tickets
directive ensures that it associates credentials with the tty
they were used on, not just the user name. This is supposed to be the default already, and is documented as such on Ubuntu, but they must have built their distribution of sudo
to disable this option, for the convenience reasons given above.
Then answer is that sudo
has a bug. First, the workaround: I put this in my /etc/sudoers.d/zabbix file
:
zabbix ALL=(root) NOPASSWD: /bin/env SHELL=/bin/sh /usr/local/bin/zabbix_raid_discovery
and now subcommands called from zabbix_raid_discovery
work.
A patch to fix this will be in sudo 1.8.15. From the maintainer, Todd Miller:
This is just a case of "it's always been like that". There's not
really a good reason for it. The diff below should make the behavior
match the documentation.
- todd
diff -r adb927ad5e86 plugins/sudoers/env.c
--- a/plugins/sudoers/env.c Tue Oct 06 09:33:27 2015 -0600
+++ b/plugins/sudoers/env.c Tue Oct 06 10:04:03 2015 -0600
@@ -939,8 +939,6 @@
CHECK_SETENV2("USERNAME", runas_pw->pw_name,
ISSET(didvar, DID_USERNAME), true);
} else {
- if (!ISSET(didvar, DID_SHELL))
- CHECK_SETENV2("SHELL", sudo_user.pw->pw_shell, false, true);
/* We will set LOGNAME later in the def_set_logname case. */
if (!def_set_logname) {
if (!ISSET(didvar, DID_LOGNAME))
@@ -984,6 +982,8 @@
if (!env_should_delete(*ep)) {
if (strncmp(*ep, "SUDO_PS1=", 9) == 0)
ps1 = *ep + 5;
+ else if (strncmp(*ep, "SHELL=", 6) == 0)
+ SET(didvar, DID_SHELL);
else if (strncmp(*ep, "PATH=", 5) == 0)
SET(didvar, DID_PATH);
else if (strncmp(*ep, "TERM=", 5) == 0)
@@ -1039,7 +1039,9 @@
if (reset_home)
CHECK_SETENV2("HOME", runas_pw->pw_dir, true, true);
- /* Provide default values for $TERM and $PATH if they are not set. */
+ /* Provide default values for $SHELL, $TERM and $PATH if not set. */
+ if (!ISSET(didvar, DID_SHELL))
+ CHECK_SETENV2("SHELL", runas_pw->pw_shell, false, false);
if (!ISSET(didvar, DID_TERM))
CHECK_PUTENV("TERM=unknown", false, false);
if (!ISSET(didvar, DID_PATH))
Best Answer
From a quick read of
sudo(8)
And for the doubters:
Tested thusly:
So an
alias
forsudo
for these folks would likely do the trick, to prevent the password prompt. Now why this requires custom compilingsudo
, I don't know, I just read the manual.