Not quite sure why I can't find an answer on this. It's got to have been seen before.
Question:
I'm getting "sudo: no tty present and no askpass program specified" when deploying patches through OEM 12C with all of the correct documented SUDO commands enabled...but allowing full SUDO fixes the issue. Anyone know the correct SUDO settings for patching Linux systems that do not require full open SUDO rights?
Details:
Just setting up Linux Patching through OEM 12C (Oracle Enterprise Manager Cloud Control 12c) and running into a problem with patch deployment. Everything sets up fine, except when I go to actually deploy patches, I get the following:
"sudo: no tty present and no askpass program specified"
The Oracle Documentation on SUDO requirements for Linux patching is:
(Section 42.4.1 Prerequisites for Using the Linux Patching Feature in the official documentation)
Enable the following commands through SUDO:
/bin/cp
/bin/rm
/bin/chmod
/sbin/chkconfig
yum
up2date
sed
rpm
Along with OEM Client installation, my sudoers stanza for my OEM User looks like the following (where *user* is my OEM account user):
# *user* Commands
User_Alias OEMUSR = *user*
Cmnd_Alias OEMCMDS = /usr/bin/id, /bin/chmod, /bin/cp, /bin/mkdir, /bin/rm, /bin/tar, /usr/bin/yum, /usr/sbin/up2date, /bin/sed, /sbin/chkconfig, /bin/rpm, /opt/emagent/agent_inst/bin/emctl, /opt/emagent/core/12.1.0.1.0/sysman/install/agentDeploy.sh, /opt/emagent/core/12.1.0.2.0/oui/bin/runInstaller, /opt/emagent/core/12.1.0.2.0/bin/unzip, /opt/emagent/core/*/unzipTmp/unzip, /opt/emagent/*/agentdeployroot.sh, /opt/emagent/*/agentDeploy.sh, /opt/emagent/agent_inst/bin/nmosudo
OEMUSR ALL = NOPASSWD: OEMCMDS
The other answers delivered by Google (all Linux OS based and not OEM based) all talk about this being an issue with SUDO and console, and recommend some setting of "requiretty" (some docs say to !requiretty, such as Defaults:*user* !requiretty, others say requiretty is needed). However, this seems to have NO effect. I've tried both iterations of the !requiretty setting to no effect.
Further, when I put the following stanza into /etc/sudoers:
# *user* Commands
User_Alias OEMUSR = *user*
OEMUSR ALL = (ALL) NOPASSWD: ALL
The issue disappears and patching happens successfully.
Given that when I open up the account to full root level permissions it works, I have a tough time believing that the real issue has anything to do with lacking a TTY. Obviously, allowing full, unmitigated SUDO to the OEM user on every server is NOT something that's going to pass audit.
Other things I've tried:
* "sudo -l" with the first stanza enabled shows me what I would expect.
* "ssh -l" does NOT throw a TTY Error at me on a command such as "ssh -l *user* myhost.oracle.com /usr/bin/sudo -u root date". Whether or not I add a -t to that makes no difference.
* I also tried setting the -S switch to the SUDO command as identified in one of the Oracle Knowledge Base articles I found (relating to installing Cloud Control Agent) which also did not fix the issue (at that point SUDO wouldn't work at all...kept getting a password issue).
Anyone out there know the RIGHT command set for SUDO for patching or has experienced this and solved it? What am I missing?
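
One way to narrow this down, as an added example that is not part of the original post: with the restricted stanza, sudo needs a password (and so a tty or askpass helper) only for commands that OEMCMDS does not cover, so comparing the COMMAND= values sudo logs against the alias shows which invocations fall outside it. The log lines, the user name `oemuser` and the helper and directory names in them are constructed for illustration (modelled on sudo's syslog format), not observed OEM behaviour.

```python
import re

# Command paths copied from the OEMCMDS Cmnd_Alias in the post.
OEMCMDS = """
/usr/bin/id, /bin/chmod, /bin/cp, /bin/mkdir, /bin/rm, /bin/tar, /usr/bin/yum,
/usr/sbin/up2date, /bin/sed, /sbin/chkconfig, /bin/rpm,
/opt/emagent/agent_inst/bin/emctl,
/opt/emagent/core/12.1.0.1.0/sysman/install/agentDeploy.sh,
/opt/emagent/core/12.1.0.2.0/oui/bin/runInstaller,
/opt/emagent/core/12.1.0.2.0/bin/unzip, /opt/emagent/core/*/unzipTmp/unzip,
/opt/emagent/*/agentdeployroot.sh, /opt/emagent/*/agentDeploy.sh,
/opt/emagent/agent_inst/bin/nmosudo
"""

def path_regex(pattern):
    # In sudoers, wildcards in a command path never match '/', so translate
    # the glob by hand instead of using fnmatch (whose * crosses slashes).
    out = ""
    for ch in pattern:
        out += "[^/]*" if ch == "*" else "[^/]" if ch == "?" else re.escape(ch)
    return re.compile(out + r"\Z")

ALLOWED = [path_regex(p.strip()) for p in OEMCMDS.split(",")]
LOG_RE = re.compile(r"sudo: .*COMMAND=(.*)$")

def uncovered(log_lines):
    """Return the logged command lines whose path is not matched by OEMCMDS."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or not m.group(1).strip():
            continue
        cmd = m.group(1).strip()
        path = cmd.split()[0]  # a spec without arguments allows any arguments
        if not any(rx.match(path) for rx in ALLOWED):
            hits.append(cmd)
    return hits

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    "Jan 10 02:00:01 host1 sudo: oemuser : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/yum -y update",
    "Jan 10 02:00:02 host1 sudo: oemuser : no tty present and no askpass program specified ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/bin/hypothetical-helper --constructed",
    "Jan 10 02:00:03 host1 sudo: oemuser : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/opt/emagent/core/constructed-version/unzipTmp/unzip x.zip",
    "Jan 10 02:00:04 host1 sudo: oemuser : no tty present and no askpass program specified ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/opt/emagent/a/b/agentDeploy.sh",
]

if __name__ == "__main__":
    for cmd in uncovered(SAMPLE_LOG):
        print("not covered by OEMCMDS:", cmd)
```

Run it over the sudo entries from the host's authentication log for the window of a failed patch job; each command it reports is a candidate for an explicit, fully qualified entry rather than `ALL`.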