Ubuntu 18.04 - sudo: no tty present and no askpass program specified

Before telling me about /etc/sudoers file here it is:

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
jenkins ALL=(ALL) NOPASSWD: ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d

In the beginning I was trying to run a sudo command remotely. I edited the sudoers file with visudo to let jenkins user the ability to run sudo commands with no password asked.

once i realized that I have another problem I even tried to run (when I logged on as jenkins user) the following : ssh localhost "sudo w" even that doesn't work.

getting this error : sudo: no tty present and no askpass program specified

any ideas?

thanks!

EDIT:

  1. I'm trying to run bash sudo commands from jenkins master machine on slave machine in post step job (done it alredy with other slave).

  2. When I run the job it failed with error : sudo: no tty present and no askpass program specified. from my debugging, it seems that the problem not relating to the master, because I tried to send sudo command over ssh within the slave machine and got the same error.

  3. My expectation is to make it work. the way it already worked on a different salve machine. (which i also test the same logic within the other salve machine by sending sudo command over ssh pointing localhost --- worked just fine

it seems like there is no tty for sudo command over ssh... I'm not an expert of TTY or SSH. Maybe I'm missing something...

SOLVED!I think it is a BUG...

I moved the this line to the end of the /etc/sudoers and it works!

jenkins ALL=(ALL) NOPASSWD: ALL

so the file looks like this:

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
jenkins ALL=(ALL) NOPASSWD: ALL
9

1 Answer

The issue us that the file is read in order. See the "SUDOERS FILE FORMAT" section of man sudoers:

When multiple entries match for a user, they are applied in order. Where there are multiple matches, the last match is used (which is not necessarily the most specific match).

So, first it reads this line:

jenkins ALL=(ALL) NOPASSWD: ALL

And allows jenkins to run sudo command with no password (this seems like an absolutely horrible idea, by the way, but let's leave security out of it for now). Then, it continues reading the file and finds:

%sudo ALL=(ALL:ALL) ALL

Since jenkins is part of the sudo group, this applies to jenkins as well and overwrites the NOPASSWD command.

2

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like