The `requiretty` setting in sudoers is a security feature that forces sudo commands to be executed from an actual terminal session. While useful for security, it can block legitimate automation scripts and CI/CD pipelines.
Most documentation shows group-based approaches:
```
# Common group-based approach
Defaults:%support !requiretty
```
But what if you need finer control for specific commands?
Here's the syntax to disable `requiretty` for a specific command:
```
# Format
Cmnd_Alias SPECIAL_CMDS = /path/to/command
Defaults!SPECIAL_CMDS !requiretty

# Example for restarting Apache
Cmnd_Alias APACHE_RESTART = /usr/sbin/apachectl restart
Defaults!APACHE_RESTART !requiretty
```
For a deployment script that needs to run without a TTY:
```
# Allow non-TTY execution for deployment scripts
Cmnd_Alias DEPLOY_SCRIPTS = /opt/scripts/deploy.sh, /opt/scripts/rollback.sh
Defaults!DEPLOY_SCRIPTS !requiretty

# Corresponding sudoers entry
%deployers ALL=(root) NOPASSWD: DEPLOY_SCRIPTS
```
When disabling `requiretty`:
- Always specify exact command paths
- Limit to specific users/groups
- Combine with other restrictions like `NOEXEC` where possible
- Audit regularly for unexpected usage
If it's not working:
```
# Check effective sudo permissions
sudo -l

# Test with forced non-TTY context
ssh user@host "sudo -n /your/command"
```
When automating tasks or running commands through scripts, the `requiretty` sudo option can become a significant obstacle. By default, sudo requires a terminal (tty) for security reasons, but there are legitimate cases where we need to bypass this for specific commands.
The sudoers file allows configuration through `Defaults` directives. While the common approach is to disable `requiretty` for entire groups (as shown in the example), finer control is often needed:
```
# Common group-based approach
Defaults:%support !requiretty
```
For precise control over individual commands, we can combine command aliases with defaults:
```
# Define command alias
Cmnd_Alias NO_TTY_CMDS = /usr/bin/particular_command

# Apply !requiretty only to these commands
Defaults!NO_TTY_CMDS !requiretty
```
Here's a complete sudoers configuration example for allowing a backup script to run without a tty:
```
# Define command alias for backup operations
Cmnd_Alias BACKUP_CMDS = /usr/local/bin/backup_script.sh, \
    /usr/bin/rsync

# Allow these commands without tty
Defaults!BACKUP_CMDS !requiretty

# Grant specific user permissions
backupuser ALL=(root) NOPASSWD: BACKUP_CMDS
```
When disabling `requiretty`, consider these security best practices:
- Always restrict to specific commands
- Use full paths in command definitions
- Combine with NOPASSWD cautiously
- Limit to specific users when possible
If your configuration isn't working:
- Verify sudo syntax with `visudo -c`
- Check for conflicting defaults in sudoers
- Ensure command paths are exact matches
- Test with `sudo -l` to verify effective permissions
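To check a fragment against the practices listed above (exact absolute paths, no wildcards, a defined alias behind every `Defaults!`, and grants limited to a specific user or group) before installing it, here is an added Python linter written for this article; it is not code from the page or from the sudo project. It folds backslash continuations, collects `Cmnd_Alias` definitions, `Defaults!ALIAS !requiretty` lines and user specifications, and reports the problems it finds. The fragment embedded in it is constructed for the demonstration, and the regular expressions cover only the sudoers subset shown on this page, not the full grammar.

```python
"""Lint a sudoers fragment that relaxes requiretty for specific commands.

Added example for this article (not code from the page or from the sudo
project). It covers only the sudoers subset shown above: Cmnd_Alias lines,
Defaults!ALIAS !requiretty lines and simple user specifications.
"""
import re

# Constructed sample: one tight alias and one deliberately sloppy one.
SAMPLE_SUDOERS = """\
# constructed sample fragment
Cmnd_Alias DEPLOY_SCRIPTS = /opt/scripts/deploy.sh, \\
    /opt/scripts/rollback.sh
Defaults!DEPLOY_SCRIPTS !requiretty
%deployers ALL=(root) NOPASSWD: DEPLOY_SCRIPTS

Cmnd_Alias LOOSE_CMDS = apachectl, /usr/bin/*
Defaults!LOOSE_CMDS !requiretty
ALL ALL=(root) NOPASSWD: LOOSE_CMDS
Defaults!UNDEFINED_CMDS !requiretty
"""

ALIAS_RE = re.compile(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)")
RELAX_RE = re.compile(r"Defaults!(\w+)\s+(.+)")
# user host=(runas) [TAG: ...] commands   (the runas part is optional)
GRANT_RE = re.compile(r"(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)")


def fold_continuations(text):
    """Join backslash-newline continuations the way sudoers reads them."""
    return re.sub(r"\\\n\s*", " ", text)


def parse_fragment(text):
    """Return (aliases, relaxed, grants) from a sudoers fragment.

    aliases: alias name -> list of command strings
    relaxed: alias names that carry Defaults!ALIAS !requiretty
    grants:  list of (user_or_group, [command or alias names])
    """
    aliases, relaxed, grants = {}, [], []
    for raw in fold_continuations(text).splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = RELAX_RE.match(line)
        if m:
            if "!requiretty" in m.group(2).split():
                relaxed.append(m.group(1))
            continue
        m = GRANT_RE.match(line)
        if m:
            # strip tags such as NOPASSWD: or NOEXEC: before splitting commands
            cmds = re.sub(r"\b[A-Z]+:\s*", "", m.group(2))
            grants.append((m.group(1), [c.strip() for c in cmds.split(",")]))
    return aliases, relaxed, grants


def lint(text):
    """Return a list of findings for every alias that has requiretty relaxed."""
    aliases, relaxed, grants = parse_fragment(text)
    findings = []
    for name in relaxed:
        if name not in aliases:
            findings.append(f"{name}: Defaults! refers to an undefined Cmnd_Alias")
            continue
        for cmd in aliases[name]:
            if not cmd:
                continue
            path = cmd.split()[0]  # the executable, without its arguments
            if not path.startswith("/"):
                findings.append(f"{name}: '{cmd}' is not an absolute path")
            if any(ch in path for ch in "*?["):
                findings.append(f"{name}: '{cmd}' contains a wildcard")
        granted_to = [who for who, cmds in grants if name in cmds]
        if "ALL" in granted_to:
            findings.append(f"{name}: granted to ALL users; limit to a specific user or group")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_SUDOERS):
        print(finding)
```

Run against the constructed sample, `lint` reports nothing for `DEPLOY_SCRIPTS` and four findings for the sloppy entries. It checks policy, not syntax: `visudo -c -f <file>` remains the authoritative syntax check for a fragment before it goes into `/etc/sudoers.d`.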