Apache Error - sudo: sorry, you must have a tty to run sudo

by James Skevington -
Number of replies: 9

I have found an odd issue where Apache is printing out the below whenever a question is posed to jobe:

sudo: sorry, you must have a tty to run sudo

I saw that someone else was having a similar issue regarding the sudoers files not having #includedir /etc/sudoers.d within their sudoers file. In this case, the sudoers.d config is present and the jobe-sudoers file is present with all various sudo commands in place.

I have tried increasing apache's log level to debug but it doesn't expand upon the error message. Questions appear to be working correctly, I'm just curious to know what is happening.

Thanks in advance

In reply to James Skevington

Re: Apache Error - sudo: sorry, you must have a tty to run sudo

by Richard Lobb -

I'm puzzled that you're getting that message but questions are still being marked correctly. I'd have expected it to be a show-stopper. But ... some things to look at:

What OS is Jobe running on? I read here that some Linux distros including RedHat have Defaults requiretty in either /etc/sudoers or one of the included files. 

If that's not the problem, can you give us the output from

ls -l /etc/sudoers
ls -l /etc/sudoers.d
cat /etc/sudoers

please? All need to be run as root.

In reply to Richard Lobb

Re: Apache Error - sudo: sorry, you must have a tty to run sudo

by Richard Lobb -

Also, I'm assuming that message is in the Apache error log file?

In reply to Richard Lobb

Re: Apache Error - sudo: sorry, you must have a tty to run sudo

by James Skevington -

Hi Richard

These errors were found in the apache error log on an Ubuntu 16.04 system rather than a CentOS/RedHat system. Reading the man, the requiretty "flag is off by default", which I guess is correct for this use case (please correct me if I'm wrong here).

Thanks

James

ls -l /etc/sudoers

-r--r----- 1 root root 755 Oct 23 12:14 /etc/sudoers

ls -l /etc/sudoers.d

-r--r----- 1 root root 3691 Oct 30  2017 jobe-sudoers

sudo cat /etc/sudoers

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d

sudo cat /etc/sudoers.d/jobe-sudoers

www-data ALL=(root) NOPASSWD: /var/www/jobe/runguard/runguard
www-data ALL=(root) NOPASSWD: /bin/rm -R /home/jobe/runs/*
www-data ALL=(root) NOPASSWD: /usr/bin/pkill -9 -u jobe00
www-data ALL=(root) NOPASSWD: /usr/bin/find /tmp/ -user jobe00 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/find /var/tmp/ -user jobe00 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/find /var/crash/ -user jobe00 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/find /run/lock/ -user jobe00 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/pkill -9 -u jobe01
www-data ALL=(root) NOPASSWD: /usr/bin/find /tmp/ -user jobe01 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/find /var/tmp/ -user jobe01 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/find /var/crash/ -user jobe01 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/find /run/lock/ -user jobe01 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/pkill -9 -u jobe02
www-data ALL=(root) NOPASSWD: /usr/bin/find /tmp/ -user jobe02 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/find /var/tmp/ -user jobe02 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/find /var/crash/ -user jobe02 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/find /run/lock/ -user jobe02 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/pkill -9 -u jobe03
www-data ALL=(root) NOPASSWD: /usr/bin/find /tmp/ -user jobe03 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/find /var/tmp/ -user jobe03 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/find /var/crash/ -user jobe03 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/find /run/lock/ -user jobe03 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/pkill -9 -u jobe04
www-data ALL=(root) NOPASSWD: /usr/bin/find /tmp/ -user jobe04 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/find /var/tmp/ -user jobe04 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/find /var/crash/ -user jobe04 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/find /run/lock/ -user jobe04 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/pkill -9 -u jobe05
www-data ALL=(root) NOPASSWD: /usr/bin/find /tmp/ -user jobe05 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/find /var/tmp/ -user jobe05 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/find /var/crash/ -user jobe05 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/find /run/lock/ -user jobe05 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/pkill -9 -u jobe06
www-data ALL=(root) NOPASSWD: /usr/bin/find /tmp/ -user jobe06 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/find /var/tmp/ -user jobe06 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/find /var/crash/ -user jobe06 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/find /run/lock/ -user jobe06 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/pkill -9 -u jobe07
www-data ALL=(root) NOPASSWD: /usr/bin/find /tmp/ -user jobe07 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/find /var/tmp/ -user jobe07 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/find /var/crash/ -user jobe07 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/find /run/lock/ -user jobe07 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/pkill -9 -u jobe08
www-data ALL=(root) NOPASSWD: /usr/bin/find /tmp/ -user jobe08 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/find /var/tmp/ -user jobe08 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/find /var/crash/ -user jobe08 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/find /run/lock/ -user jobe08 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/pkill -9 -u jobe09
www-data ALL=(root) NOPASSWD: /usr/bin/find /tmp/ -user jobe09 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/find /var/tmp/ -user jobe09 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/find /var/crash/ -user jobe09 -delete
www-data ALL=(root) NOPASSWD: /usr/bin/find /run/lock/ -user jobe09 -delete

In reply to James Skevington

Re: Apache Error - sudo: sorry, you must have a tty to run sudo

by Richard Lobb -

Everything seems to be in order there.

Do you get that message in the log file once for every run or did you just happen to notice one or two such messages? If the latter, is it possible that a student was trying to bust security somehow? It might be interesting to look at the access log to match up the time of the sudo error with an actual job.

The only other possibility I can think of is that there's some sort of house-keeping job taking place, for which I haven't set up an appropriate jobe sudoers entry. We have no such errors being logged in our own production jobe servers. Could the problem be related to your other message about disk space? Jobe runs a cache cleaner if the disk gets full but it never actually happens on our jobe server as we make very little use of student attachments. Perhaps it's happening on yours and that's where the errors occur?

In reply to Richard Lobb

Re: Apache Error - sudo: sorry, you must have a tty to run sudo

by James Skevington -

I'm certain this wasn't any type of malicious hack attempt, I had been working through the simpletest.py script on the python cli. I was triggering a specific call to push a python hello world message to the Jobe server while tailing the apache error log.

I just remembered that the auth.log actually records any use of sudo and lists the command that is triggered. It looks like it is struggling to delete the temporary locations post execution.

www-data : command not allowed ; TTY=unknown ; PWD=/tmp/jobe_5OQKoQ ; USER=root ; COMMAND=/bin/rm -R /tmp/jobe_5OQKoQ

I appear to have a lot of jobe directories in the /tmp folder. I think we really need to update the OS and Jobe software to whatever is the latest, we'll need some quiet time to go through this. I'll be sure to report back if this problem persists.

Thanks again!

In reply to James Skevington

Re: Apache Error - sudo: sorry, you must have a tty to run sudo

by Richard Lobb -

Good detective work! You're definitely onto it. I remember the problem of Jobe servers creating all their jobs in /tmp. I've seen it several times but not recently and I'm afraid I can't remember the exact details. However, I'm almost certain that it occurs when the attempt to mkdir a working directory in the /home/jobe/runs directory fails - it lands up in /tmp instead. I'd check the existence of /home/jobe/runs first, then the access to it. Perhaps that's enough to let you track it down?

In case it helps, on our production server /home/jobe/runs is owned by jobe, group www-data, mode drwxrwx--x. 

Richard
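
The auth.log entry quoted above and the /tmp fallback Richard describes can be lined up against the sudoers rules, as in this added example (not code from the thread or from Jobe). The timestamps, host name and second log line are constructed, and `fnmatch` only approximates how sudoers matches wildcards:

```python
import re
from fnmatch import fnmatchcase

# Two rules copied from the jobe-sudoers listing quoted earlier in the thread.
SUDOERS = """\
www-data ALL=(root) NOPASSWD: /var/www/jobe/runguard/runguard
www-data ALL=(root) NOPASSWD: /bin/rm -R /home/jobe/runs/*
"""

# Constructed auth.log sample: the first event is the one quoted in the thread;
# timestamps, host name and the second (permitted) event are made up.
AUTH_LOG = """\
Nov  2 10:15:01 jobehost sudo: www-data : command not allowed ; TTY=unknown ; PWD=/tmp/jobe_5OQKoQ ; USER=root ; COMMAND=/bin/rm -R /tmp/jobe_5OQKoQ
Nov  2 10:15:09 jobehost sudo: www-data : TTY=unknown ; PWD=/home/jobe/runs/jobe_Ab12Cd ; USER=root ; COMMAND=/bin/rm -R /home/jobe/runs/jobe_Ab12Cd
"""

RULE = re.compile(r"^(\S+)\s+\S+=\((\w+)\)\s+NOPASSWD:\s*(.+)$")
EVENT = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?P<denied>command not allowed ; )?TTY=\S+ ; "
    r"PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$")

def parse_rules(text):
    """Return (user, run-as user, command pattern) for each simple NOPASSWD rule."""
    return [m.groups() for m in map(RULE.match, text.splitlines()) if m]

def matching_rule(rules, user, runas, cmd):
    """Pattern that covers cmd, or None. fnmatch only approximates sudoers globbing."""
    for r_user, r_runas, pattern in rules:
        if (r_user, r_runas) == (user, runas) and fnmatchcase(cmd, pattern):
            return pattern
    return None

def explain_denials(log_text, rules):
    """For each denied event, list the rules that exist for the same binary."""
    report = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m or not m["denied"]:
            continue
        binary = m["cmd"].split()[0]
        report.append({
            "user": m["user"], "pwd": m["pwd"], "command": m["cmd"],
            "covered_by": matching_rule(rules, m["user"], m["runas"], m["cmd"]),
            "rules_for_binary": [p for u, _, p in rules
                                 if u == m["user"] and p.split()[0] == binary],
        })
    return report

if __name__ == "__main__":
    for item in explain_denials(AUTH_LOG, parse_rules(SUDOERS)):
        print(item)
```

A denied event whose `rules_for_binary` is non-empty but whose `covered_by` is `None` means the binary is permitted only for a different path, which here points at the working directory rather than at the sudoers file.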

In reply to Richard Lobb

Re: Apache Error - sudo: sorry, you must have a tty to run sudo

by James Skevington -

A-ha! Great information, the permissions are currently u:jobe g:jobe on the run directory.

Currently a fair amount of people using the system so I'm loath to change anything right now while it's working.

Thanks for the tip! Have a great weekend!

In reply to Richard Lobb

Re: Apache Error - sudo: sorry, you must have a tty to run sudo

by James Skevington -
Hi Richard
This problem seems to have been from some previous troubleshooting. The run directory hadn't been re-created with the correct permissions; I could see a previous directory called runOld which did have the correct permissions.

The correct ownership and permission bits have been assigned to the run directory and the sudo error is no longer appearing within the apache error log.

Thanks again for your help.
James