How to Disable requiretty for Specific Users in sudoers Without Global Changes



The requiretty setting in /etc/sudoers enforces that sudo commands must be executed from a real terminal. While this enhances security by preventing non-interactive sudo usage, it can break legitimate automation workflows.

Instead of commenting out the global Defaults requiretty line, you can create per-user exceptions using these methods:

Method 1: User-Specific Defaults

# Add this after the global requiretty directive
Defaults:automation_user !requiretty

Method 2: Command-Specific Exception

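# Exempt only these commands from the TTY requirement (applies to any user allowed to run them)
Cmnd_Alias NOTTY_CMDS = /usr/bin/rsync, /usr/bin/backup_script
Defaults!NOTTY_CMDS !requiretty
automation_user ALL=(ALL) NOPASSWD: NOEXEC: NOTTY_CMDS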

For a CI/CD user needing non-interactive package updates:

# /etc/sudoers.d/10_cicd_exceptions
Defaults:jenkins !requiretty
jenkins ALL=(ALL) NOPASSWD: /usr/bin/apt update, /usr/bin/apt upgrade

After making changes, verify the configuration:

sudo -U jenkins -l  # Check effective privileges
sudo -u jenkins setsid -w sudo -k -n /usr/bin/apt update  # Run a permitted command with no controlling terminal

When implementing TTY exceptions:

  • Always prefer command-specific over user-wide exceptions
  • Combine with NOPASSWD only when absolutely necessary
  • Consider using NOEXEC to prevent shell escapes
  • Monitor /var/log/auth.log for suspicious activity
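
An added example, not from the original page: a small Python audit that reads sudoers text and lists every user or group exempted from requiretty together with the commands it may run without a password, so a user-wide exemption paired with NOPASSWD: ALL stands out. The function names and the sample policy are constructed for illustration, and the parser assumes one rule per line with no aliases, line continuations or inline comments.

```python
import re

# Constructed sample policy assembled from the entries shown on this page.
SAMPLE = """\
Defaults    requiretty
Defaults:jenkins !requiretty
jenkins ALL=(ALL) NOPASSWD: /usr/bin/apt update, /usr/bin/apt upgrade
Defaults:%notty-users !requiretty
%notty-users ALL=(ALL) NOPASSWD: ALL
Defaults:deploy-user !requiretty
"""

DEFAULTS = re.compile(r"^Defaults:(\S+)\s+(.+)$")                 # per-user Defaults
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")  # who host=(runas) cmds
TAG = re.compile(r"([A-Z_]+):\s*")                               # NOPASSWD:, NOEXEC:, ...

def nopasswd_commands(spec):
    """Commands in one rule that carry NOPASSWD; a tag persists along the list."""
    cmds, nopasswd = [], False
    for item in (part.strip() for part in spec.split(",")):
        while (m := TAG.match(item)):
            if m.group(1) in ("NOPASSWD", "PASSWD"):
                nopasswd = m.group(1) == "NOPASSWD"
            item = item[m.end():]
        if nopasswd:
            cmds.append(item)
    return cmds

def audit_notty(text):
    """Map each principal exempted from requiretty to (risk, passwordless commands)."""
    exempt, passwordless = {}, {}
    for line in map(str.strip, text.splitlines()):
        if (m := DEFAULTS.match(line)):
            flags = [f.strip() for f in m.group(2).split(",")]
            for who in m.group(1).split(","):
                if "!requiretty" in flags or "requiretty" in flags:
                    exempt[who] = "!requiretty" in flags  # last matching line wins
        elif not line.startswith(("Defaults", "#")) and (m := RULE.match(line)):
            passwordless.setdefault(m.group(1), []).extend(nopasswd_commands(m.group(2)))
    report = {}
    for who in (w for w, off in exempt.items() if off):
        cmds = passwordless.get(who, [])
        risk = "unrestricted" if "ALL" in cmds else "scoped" if cmds else "no-rule"
        report[who] = (risk, cmds)
    return report

if __name__ == "__main__":
    print(*audit_notty(SAMPLE).items(), sep="\n")
```

An "unrestricted" result is the combination the list above warns against; "no-rule" means the exemption exists but no passwordless rule for that principal was found in the text that was audited.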

Many Linux distributions include this default setting in /etc/sudoers:

Defaults    requiretty

This security measure prevents sudo commands from being executed without an attached terminal. While generally good practice, it becomes problematic when:

  • Running automated scripts via cron
  • Using CI/CD pipelines
  • Executing remote commands

Instead of globally disabling requiretty (which weakens security), you can create exceptions for specific users:

Defaults:username !requiretty

Replace username with the actual username needing the exception.

Here's the proper way to modify sudoers:

# Use visudo for safe editing
sudo visudo

# Add these lines after any global requiretty setting
Defaults:jenkins !requiretty
Defaults:deploy-user !requiretty

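Test the configuration from a session with no controlling terminal, using a command the user is permitted to run:

sudo -u username setsid -w sudo -n /path/to/permitted-command < /dev/null

If properly configured, the command runs instead of failing with "sorry, you must have a tty to run sudo".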

For managing multiple users:

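# Rule for members of the existing Unix group notty-users (NOPASSWD: ALL allows every command without a password; narrow it where possible)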
%notty-users ALL=(ALL) NOPASSWD: ALL
Defaults:%notty-users !requiretty

Common issues and solutions:

  • Syntax errors: Always use visudo to prevent locking yourself out
  • Order matters: User-specific settings should come after global defaults
  • SSH commands: Use ssh -t to force pseudo-terminal allocation when the remote account is still subject to requiretty