Question & Answer
Question
How can you disable tty within the sudoers file for a single user?
Cause
TADDM is designed to use a non-interactive shell, which means discovery does not have any TTY assigned; it just executes commands remotely.
Some of those commands require sudo (such as dmidecode or lsof). Everything is fine as long as the sudoers file does not have the following option enabled:
#Defaults requiretty
Answer
If it does, any command the sensor executes through sudo will fail. Unfortunately, the error returned by the system is sent to stderr and it is not possible to see it in the logs.
This can be checked by using the dist/support/bin/testssh.py script. For example:
./testssh.py -u administrator -p password 192.168.1.2 "sudo dmidecode | grep UUID"
2011-04-06 09:22:27,020 [main] DEBUG session.SshSessionClient - Command stdout:
UUID: 3A4E5AF5-1D6C-3AA7-AA75-6BFC400A8D74
If the requiretty option is enabled, the same query will return:
2011-04-06 09:23:40,116 [SSH2TransportRX] WARN cdb.stderr - sudo:
2011-04-06 09:23:40,116 [SSH2TransportRX] WARN cdb.stderr - sorry, you must have a tty to run sudo
2011-04-06 09:23:40,116 [main] DEBUG session.SshSessionClient - Command stdout:
The answer to this problem has always been to disable the requiretty option. It is possible to disable the tty requirement only for a particular user (in this case the TADDM discovery account):
Defaults:taddmusr !requiretty
Such a setting reduces the potential security risk, and it will be easier to convince security / Unix teams to make this change than to expose remote command execution to everyone.
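To review a sudoers file before running discovery, the following added example (not part of the original technote or of TADDM) reports whether requiretty is in effect for a given account and which line decided it. The sample sudoers text is constructed, and the sketch assumes that global and per-user Defaults are applied in file order with the last matching setting winning, so a per-user override placed above a global "Defaults requiretty" is reported as ineffective.

```python
import re

# Constructed sample, not taken from a real host. "taddmusr" is the account
# name used in the technote; the rest is illustrative.
SAMPLE_SUDOERS = """\
#Defaults requiretty
Defaults    requiretty, env_reset
Defaults:taddmusr    !requiretty
"""

# Matches "Defaults <opts>" and "Defaults:<users> <opts>" only.
_DEFAULTS_RE = re.compile(r"Defaults(?::(\S+))?\s+(.*)$")


def requiretty_for(user, sudoers_text):
    """Return (in_effect, line_no); line_no is the deciding line or None.

    Assumptions of this sketch: global and per-user Defaults are applied in
    file order and the last matching one wins; user lists hold literal names
    or ALL (no aliases, groups or negation); include directives and line
    continuations are not followed.
    """
    in_effect, decided_by = False, None  # requiretty is off unless set
    for line_no, raw in enumerate(sudoers_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment such as "#Defaults requiretty"
        match = _DEFAULTS_RE.match(line)
        if not match:
            continue  # not a global or per-user Defaults entry
        users, options = match.groups()
        if users is not None and not {user, "ALL"} & set(users.split(",")):
            continue  # Defaults:<other user> does not apply to this account
        for option in options.split(","):
            option = option.replace(" ", "").replace("\t", "")
            if option == "requiretty":
                in_effect, decided_by = True, line_no
            elif option == "!requiretty":
                in_effect, decided_by = False, line_no
    return in_effect, decided_by


if __name__ == "__main__":
    for account in ("taddmusr", "administrator"):
        print(account, requiretty_for(account, SAMPLE_SUDOERS))
```

With the sample above, taddmusr is exempted by line 3 while every other account is still bound by line 2.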
Product Synonym
TADDM
Document Information
Modified date:
25 June 2018
UID
swg21605056