[Bug 2120708] Re: Incompatible/Missing requiretty setting
Christian Ehrhardt
2120708 at bugs.launchpad.net
Mon Aug 18 09:10:46 UTC 2025
Thank you Wesley!
Indeed the case suggests to just drop this considering this setting an
old artifact.
On one hand we have your pretty good argument of the default of
`requiretty` being false in classic sudo and `!requiretty` means setting
it to false. So dropping it should be no functional change.
Further we have discussed and tracked this change to come from the very first days of cinder as a package.
In 2012 there is "* debian/{cinder_sudoers, rules, cinder-common.install}: Install proper cinder_sudoers."
No one seems to just remember why it was added.
But a bit more archaeology made me find [1]
And that made me suspicious which made me find [2]
And similar [3] into [4]
So they all add it the same way, but later resolve and drop the respective options [4].
They also use other options but that is for another day to be considered.
What we can take away is that others showed it working without !requiretty for a while already, which is another +1 on dropping it here.
So with the breakage present, the fact that it should be a no-op, and others showing it seems to work without - I think it is time to drop this line.
Adding a Cinder bug task to please do so unblocking many things waiting for these tests.
[1]: https://build.opensuse.org/projects/Cloud:OpenStack:Zed/packages/openstack-cinder/files/openstack-cinder.sudoers?expand=1
[2]: https://opendev.org/openstack/rpm-packaging/src/commit/f7bf23466a2bd5c6153cca0dec96f8886405e1d5/openstack/cinder/openstack-cinder.sudoers
[3]: https://opendev.org/openstack/rpm-packaging/commit/51df718d14773d1c06274b07d60a2842c9483471
[4]: https://opendev.org/openstack/rpm-packaging/commit/2283414ad6e5fa1192e72358268c24b026b76e4f
** Also affects: cinder (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to rust-sudo-rs in Ubuntu.
https://bugs.launchpad.net/bugs/2120708
Title:
Incompatible/Missing requiretty setting
Status in cinder package in Ubuntu:
New
Status in rust-sudo-rs package in Ubuntu:
New
Bug description:
The requiretty [1] option is set in openstack setups as tested in autopkgtest.
They recently all perma-fail with issues like
```
134s Setting up cinder-scheduler (2:26.1.0+git2025070714.27373d61f-0ubuntu2) ...
...
138s /etc/sudoers.d/cinder_sudoers:1:18: 'requiretty' cannot be used in a boolean context
138s Defaults:cinder !requiretty
138s                  ^~~~~~~~~~
153s autopkgtest [06:19:25]: ERROR: "sh -ec dpkg-query --show -f '${Package}\t${Version}\n' > /tmp/autopkgtest.anZxE7/cinder-daemons-packages.all" failed with stderr "/etc/sudoers.d/cinder_sudoers:1:18: 'requiretty' cannot be used in a boolean context
153s Defaults:cinder !requiretty
153s                  ^~~~~~~~~~
```
This is true across all architectures and affects cinder [2] and
glance [3].
Here is the example config of that file:
```
$ cat /etc/sudoers.d/cinder_sudoers
Defaults:cinder !requiretty
cinder ALL = (root) NOPASSWD: /usr/bin/cinder-rootwrap /etc/cinder/rootwrap.conf *
```
Even simpler repro without the package install:
```
$ echo 'Defaults:testuser !requiretty' > /etc/sudoers.d/test
# good case
$ sudo ls
# bad case
$ sudo-rs ls
/etc/sudoers.d/test:1:20: 'requiretty' cannot be used in a boolean context
Defaults:testuser !requiretty
                   ^~~~~~~~~~
```
Per man sudoers, ! is a normal logical negation.
And requiretty is listed under "Boolean Flags:".
The same hits other boolean settings, for example
```
root@p:~# sudo-rs ls
/etc/sudoers.d/test:1:20: 'exec_background' cannot be used in a boolean context
Defaults:testuser !exec_background
                   ^~~~~~~~~~~~~~~
```
I found that without the negation one can check if sudo-rs has the
feature at all.
```
$ cat /etc/sudoers.d/test
Defaults:testuser requiretty
$ sudo-rs ls
/etc/sudoers.d/test:1:19: unknown setting: 'requiretty'
Defaults:testuser requiretty
                  ^~~~~~~~~~
```
AFAICS there is nothing open about it [4], so it might take a while.
How do we want to deal with that?
BTW a very crude but quick check based on the man page of sudoers gave me this list confirming that many others would be victim to the same.
$ for flag in $(grep '^\s\s\s\s\s\s\s[a-z]' /tmp/foo | awk '{print $1}'); do echo "Defaults:testuser $flag" > /etc/sudoers.d/test; sudo-rs /usr/bin/ls 2>/tmp/bar >/dev/null; if grep -q "unknown setting" /tmp/bar; then echo "Unknown setting $flag"; else echo "Known setting $flag"; fi; done | sort
Known setting always_query_group_plugin
Known setting always_set_home
Known setting env_check
Known setting env_delete
Known setting env_editor
Known setting env_keep
Known setting env_reset
Known setting fqdn
Known setting lecture
Known setting mail_badpass
Known setting mailerpath
Known setting match_group_by_gid
Known setting passwd_tries
Known setting pwfeedback
Known setting rootpw
Known setting secure_path
Known setting timestamp_timeout
Known setting use_pty
Known setting verifypw
Known setting visiblepw
Unknown setting admin_flag
Unknown setting apparmor_profile
Unknown setting authenticate
Unknown setting authfail_message
Unknown setting badpass_message
Unknown setting case_insensitive_group
Unknown setting case_insensitive_user
Unknown setting closefrom
Unknown setting closefrom_override
Unknown setting cmddenial_message
Unknown setting command_timeout
Unknown setting compress_io
Unknown setting editor
Unknown setting env_file
Unknown setting exec_background
Unknown setting exempt_group
Unknown setting fast_glob
Unknown setting fdexec
Unknown setting group_plugin
Unknown setting ignore_audit_errors
Unknown setting ignore_dot
Unknown setting ignore_iolog_errors
Unknown setting ignore_local_sudoers
Unknown setting ignore_logfile_errors
Unknown setting ignore_unknown_defaults
Unknown setting insults
Unknown setting intercept
Unknown setting intercept_allow_setid
Unknown setting intercept_authenticate
Unknown setting intercept_type
Unknown setting intercept_verify
Unknown setting iolog_dir
Unknown setting iolog_file
Unknown setting iolog_flush
Unknown setting iolog_group
Unknown setting iolog_mode
Unknown setting iolog_user
Unknown setting lecture_file
Unknown setting lecture_status_dir
Unknown setting listpw
Unknown setting log_allowed
Unknown setting log_denied
Unknown setting log_exit_status
Unknown setting log_format
Unknown setting log_host
Unknown setting log_input
Unknown setting log_output
Unknown setting log_passwords
Unknown setting log_server_cabundle
Unknown setting log_server_keepalive
Unknown setting log_server_peer_cert
Unknown setting log_server_peer_key
Unknown setting log_server_timeout
Unknown setting log_server_verify
Unknown setting log_servers
Unknown setting log_stderr
Unknown setting log_stdin
Unknown setting log_stdout
Unknown setting log_subcmds
Unknown setting log_ttyin
Unknown setting log_ttyout
Unknown setting log_year
Unknown setting logfile
Unknown setting loglinelen
Unknown setting long_otp_prompt
Unknown setting mail_all_cmnds
Unknown setting mail_always
Unknown setting mail_no_host
Unknown setting mail_no_perms
Unknown setting mail_no_user
Unknown setting mailerflags
Unknown setting mailfrom
Unknown setting mailsub
Unknown setting mailto
Unknown setting maxseq
Unknown setting netgroup_tuple
Unknown setting noexec
Unknown setting noexec_file
Unknown setting noninteractive_auth
Unknown setting pam_acct_mgmt
Unknown setting pam_askpass_service
Unknown setting pam_login_service
Unknown setting pam_rhost
Unknown setting pam_ruser
Unknown setting pam_service
Unknown setting pam_session
Unknown setting pam_setcred
Unknown setting pam_silent
Unknown setting passprompt
Unknown setting passprompt_override
Unknown setting passprompt_regex
Unknown setting passwd_timeout
Unknown setting path_info
Unknown setting preserve_groups
Unknown setting requiretty
Unknown setting restricted_env_file
Unknown setting rlimit_as
Unknown setting rlimit_core
Unknown setting rlimit_cpu
Unknown setting rlimit_data
Unknown setting rlimit_fsize
Unknown setting rlimit_locks
Unknown setting rlimit_memlock
Unknown setting rlimit_nofile
Unknown setting rlimit_nproc
Unknown setting rlimit_rss
Unknown setting rlimit_stack
Unknown setting role
Unknown setting root_sudo
Unknown setting runas_allow_unknown_id
Unknown setting runas_check_shell
Unknown setting runas_default
Unknown setting runaspw
Unknown setting runchroot
Unknown setting runcwd
Unknown setting selinux
Unknown setting set_home
Unknown setting set_logname
Unknown setting set_utmp
Unknown setting setenv
Unknown setting shell_noargs
Unknown setting stay_setuid
Unknown setting sudoedit_checkdir
Unknown setting sudoedit_follow
Unknown setting sudoers_locale
Unknown setting syslog
Unknown setting syslog_badpri
Unknown setting syslog_goodpri
Unknown setting syslog_maxlen
Unknown setting syslog_pid
Unknown setting targetpw
Unknown setting timestamp_type
Unknown setting timestampdir
Unknown setting timestampowner
Unknown setting tty_tickets
Unknown setting type
Unknown setting umask
Unknown setting umask_override
Unknown setting use_netgroups
Unknown setting user_command_timeouts
Unknown setting utmp_runas
[1]: https://www.baeldung.com/linux/sudo-requiretty-option
[2]: https://autopkgtest.ubuntu.com/packages/c/cinder/questing/amd64
[3]: https://autopkgtest.ubuntu.com/packages/c/glance/questing/amd64
[4]: https://github.com/trifectatechfoundation/sudo-rs/issues?q=is%3Aissue%20state%3Aopen%20requiretty
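A pre-migration check that follows from the flag survey above, added here as an example and not part of the original bug report or of sudo-rs: it lists every `Defaults` setting in the given sudoers files that is missing from the report's "Known setting" output, whether negated or not. The `KNOWN` list is copied from that output and reflects only the sudo-rs build tested there; the function name `lint_sudoers` is hypothetical, and the parser assumes `Defaults` bindings contain no spaces and does not follow include directives.

```shell
#!/bin/sh
# Added example: flag sudoers Defaults settings that the sudo-rs build tested
# in the report did not accept. KNOWN is copied from its "Known setting"
# lines and will differ on other sudo-rs versions.
KNOWN="always_query_group_plugin always_set_home env_check env_delete \
env_editor env_keep env_reset fqdn lecture mail_badpass mailerpath \
match_group_by_gid passwd_tries pwfeedback rootpw secure_path \
timestamp_timeout use_pty verifypw visiblepw"

# lint_sudoers [FILE...]: print "file:line: setting" for every Defaults
# parameter that is not in KNOWN; reads stdin when no file is given.
lint_sudoers() {
    awk -v known="$KNOWN" '
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
    FNR == 1 { buf = "" }
    {
        line = buf $0; buf = ""
        # Join backslash-continued lines before parsing.
        if (line ~ /\\$/) { sub(/\\$/, "", line); buf = line; next }
        sub(/^[ \t]+/, "", line)
        # Defaults, optionally bound with :user @host >runas or !command.
        if (!match(line, /^Defaults([@:>!][^ \t]+)?[ \t]+/)) next
        rest = substr(line, RLENGTH + 1)
        gsub(/"[^"]*"/, "\"\"", rest)   # blank quoted values (may hold , or #)
        sub(/#.*$/, "", rest)           # drop a trailing comment
        src = (FILENAME == "" || FILENAME == "-") ? "<stdin>" : FILENAME
        m = split(rest, item, ",")
        for (i = 1; i <= m; i++) {
            name = item[i]
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            neg = (name ~ /^!/)
            sub(/^[! \t]+/, "", name)
            sub(/[^A-Za-z0-9_].*$/, "", name)   # cut at =, +=, -= or space
            if (name != "" && !(name in ok))
                print src ":" FNR ": " name (neg ? " (negated)" : "")
        }
    }' "$@"
}

# Stand-alone use: lint the given files, or a constructed sample if none.
if [ "$#" -gt 0 ]; then
    lint_sudoers "$@"
else
    lint_sudoers <<'EOF'
Defaults:cinder !requiretty
Defaults env_reset, secure_path="/usr/sbin:/usr/bin", !exec_background
EOF
fi
```

Run it over `/etc/sudoers /etc/sudoers.d/*` before switching a host to sudo-rs; for continued lines the reported number is that of the last physical line.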