I've got a CentOS 6.2 server I'm putting together that will become a mailserver. It will have on it MailScanner and MailWatch for MailScanner. I'm using the latest stuff available and have run into a problem with changes I need to make in the /etc/sudoers file. It doesn't seem to take effect after I make the changes, so either the syntax within the file has changed or the way CentOS 6.2 activates changes is different, but it's saying that "sudo: sorry, you must have a tty to run sudo".

I'm trying to enable the user "apache" to have the ability to run an executable from a web page. One of the common solutions is to do the following:

Defaults:apache !requiretty
apache ALL = NOPASSWD:/program.name

also tried:

Defaults !requiretty
Defaults visiblepw

Anyone have a suggestion? I've got to research the tty stuff for now to ensure there is one available, but beyond that, I'm stumped.

Thanks for any help.

steve campbell

From: Steve Campbell <campbell at cnpapers.com>
> Defaults:apache !requiretty
> apache ALL = NOPASSWD:/program.name
> also tried:
> Defaults !requiretty
> Defaults visiblepw
> Anyone have a suggestion? I've got to research the tty stuff for now to
> ensure there is one available, but beyond that, I'm stumped.

I use this (nagios example) on my 6.2:

Defaults:nagios !requiretty

JD

On Wed 25 Jan 2012 08:09:50 CET, Steve Campbell wrote:
> ...
> I'm trying to enable the user "apache" to have the ability to run an
> executable from a web page. One of the common solutions is to do the
> following:
>
> Defaults:apache !requiretty
> apache ALL = NOPASSWD:/program.name
>
> also tried:
>
> Defaults !requiretty
> Defaults visiblepw
>
> Anyone have a suggestion? I've got to research the tty stuff for now to
> ensure there is one available, but beyond that, I'm stumped.

Have you checked (grep sudo /var/log/secure) that the user and the command are exactly what you have in /etc/sudoers? And how is your SELinux?

This works for me in /etc/sudoers:

Defaults requiretty
User_Alias TARTUFFE=naudin
Defaults:TARTUFFE !requiretty

--
Philippe Naudin

On 01/25/2012 05:09 AM, Steve Campbell wrote:
> it's saying that "sudo: sorry, you must have a tty to
> run sudo".
>
> I'm trying to enable the user "apache" to have the ability to run an
> executable from a web page. One of the common solutions is to do the
> following:
>
> Defaults:apache !requiretty
> apache ALL = NOPASSWD:/program.name

Just had a look at this...

I don't see a way to use sudo with SELinux enabled, so we have to assume that you've disabled it or set it to permissive. That'd be useful information to include.

If you've done so, the next question would be whether your CGI is actually running as apache, or whether you've got it SUID to some other user.

I've confirmed on my system that a simple CGI can run sudo with the following entries in sudoers:

Defaults:apache !requiretty, visiblepw
Cmnd_Alias ROUTER = /usr/local/bin/set-shorewall-gateway
apache ALL=(ALL) NOPASSWD: ROUTER

If it's not working for you, first run "visudo", make a change to the file, then save and exit. If you have the syntax broken somewhere, visudo will tell you. If you don't get warnings, watch the logs while you try to use the web application:

tail -f /var/log/messages /var/log/secure /var/log/httpd/error_log
(or ssl_error_log)

Include the log entries that you see in your reply.
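
Added example, not part of any poster's message: a small Python check that reads sudoers text and reports whether `requiretty` (or another boolean flag) ends up on or off for a given user, resolving `User_Alias` scopes and comma-separated settings as used in the replies above. It assumes sudoers' documented ordering (generic and per-user `Defaults` applied in file order, last match wins); the function names and the sample text are constructed for illustration, and host, runas and command scopes are ignored.

```python
import re

# Constructed sample: the sudoers entries quoted in the thread, combined.
SAMPLE = """\
Defaults    requiretty
User_Alias  TARTUFFE = naudin
Defaults:TARTUFFE !requiretty
Defaults:apache !requiretty, visiblepw
Cmnd_Alias  ROUTER = /usr/local/bin/set-shorewall-gateway
apache ALL=(ALL) NOPASSWD: ROUTER
"""

def logical_lines(text):
    """Join backslash continuations; drop comments and blank lines."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.split("#", 1)[0].strip()  # simplification: #include not followed
        if line:
            yield line

def user_aliases(text):
    """Map each User_Alias name to the set of users it lists."""
    aliases = {}
    for line in logical_lines(text):
        m = re.match(r"User_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = {u.strip() for u in m.group(2).split(",")}
    return aliases

def effective_flag(text, user, flag="requiretty"):
    """Return True if `flag` is on for `user` after all matching Defaults lines."""
    aliases = user_aliases(text)
    state = False  # sudo's built-in default for requiretty and visiblepw is off
    for line in logical_lines(text):
        # Matches "Defaults ..." and "Defaults:scope ..."; other scopes are skipped.
        m = re.match(r"Defaults(?::(\S+))?\s+(.+)", line)
        if not m:
            continue
        scope, settings = m.groups()
        if scope is not None:
            members = set().union(*(aliases.get(n, {n}) for n in scope.split(",")))
            if user not in members:
                continue
        for item in (s.strip() for s in settings.split(",")):
            if item.lstrip("!").strip() == flag:
                state = not item.startswith("!")  # later lines override earlier ones
    return state

if __name__ == "__main__":
    for u in ("apache", "naudin", "nagios"):
        print(u, "requiretty =", effective_flag(SAMPLE, u))
```

Because the last matching line wins, a per-user `!requiretty` placed above a generic `Defaults requiretty` is overridden; the check makes that visible before the change is tested from the web application.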