
tty_tickets option now on by default for macOS Sierra’s sudo tool

While working on some documentation, I noticed a behavioral change in macOS Sierra’s sudo tool that was different from how sudo behaves on OS X El Capitan.

El Capitan

If you run sudo in one Terminal session and authenticate with your password, then open another Terminal session and run sudo, you won’t be prompted for your password in either Terminal session until the normal sudo authentication timeout. To see what this behavior looks like, please see the video below:

Sierra

If you run sudo in one Terminal session and authenticate with your password, then open another Terminal session and run sudo, you’ll get asked for your password in the second Terminal session too. Meanwhile, in the first Terminal session, you won’t get prompted again until the normal sudo authentication timeout. To see what this behavior looks like, please see the video below:

The difference is that Apple has compiled sudo on Sierra to include the tty_tickets option, which ensures that users need to authenticate on a per-Terminal-session basis.


This option had not been included in sudo on OS X El Capitan and earlier, and its absence had been viewed as a privilege escalation vulnerability.

If you want sudo to return to using the pre-Sierra behavior on macOS Sierra, edit /etc/sudoers to add the following option:

Defaults !tty_tickets
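The following script is an added example, not part of the original post and not Apple's or the sudo project's own code. It covers the edit described above and the question raised in the comments about using /etc/sudoers.d instead of editing /etc/sudoers in place: one function reports whether tty_tickets is in effect for a given sudoers text, starting from the compiled-in default (on for Sierra, off for El Capitan), and a second writes a validated drop-in file. The directory path and the drop-in file name "tty_tickets" are the example's own choices, and it assumes the system's /etc/sudoers includes a sudoers.d directory, which the post does not state; the sample sudoers text is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post or from Apple's sudo build).
# Assumptions: only unscoped "Defaults" lines are considered global; scoped
# forms (Defaults:user, Defaults@host, Defaults!cmd, Defaults>runas) are
# skipped. Flags may be bare, "!"-negated, or comma-separated on one line.

# sudoers_tty_tickets_effective COMPILED_DEFAULT  (sudoers text on stdin)
# Prints "on" or "off". The last global Defaults entry mentioning tty_tickets
# wins, matching sudo's rule that later Defaults entries override earlier ones.
# Real use: sudoers_tty_tickets_effective on < /etc/sudoers
sudoers_tty_tickets_effective() {
    state="$1"
    split_ifs="$(printf ' \t,')"                 # split on blanks, tabs and commas
    while IFS= read -r line; do
        line="${line%%#*}"                       # drop comments and #include lines
        old_ifs="$IFS"; IFS="$split_ifs"
        set -f; set -- $line; set +f             # tokens: Defaults flag flag ...
        IFS="$old_ifs"
        [ "${1:-}" = "Defaults" ] || continue    # only unscoped Defaults lines
        shift
        for tok in "$@"; do
            case "$tok" in
                tty_tickets)    state=on ;;
                '!tty_tickets') state=off ;;
            esac
        done
    done
    printf '%s\n' "$state"
}

# install_tty_tickets_dropin DIR
# Writes DIR/tty_tickets containing "Defaults !tty_tickets" with mode 0440 and
# prints the path. When run as root the file is also checked with visudo -cf,
# so a syntax error cannot lock sudo up the way a bad /etc/sudoers edit would.
# The file name carries no '.' and no trailing '~' because sudo skips such
# names in a sudoers.d directory.
install_tty_tickets_dropin() {
    dir="$1"
    f="$dir/tty_tickets"
    mkdir -p "$dir" || return 1
    (umask 077 && printf '%s\n' 'Defaults !tty_tickets' > "$f") || return 1
    chmod 0440 "$f" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown 0:0 "$f" || return 1               # sudo requires a root-owned file
        if command -v visudo >/dev/null 2>&1; then
            visudo -cf "$f" >/dev/null 2>&1 || { rm -f "$f"; return 1; }
        fi
    fi
    printf '%s\n' "$f"
}

# Constructed sample sudoers text (not copied from any real system).
SAMPLE_SUDOERS='# constructed sample
Defaults env_reset
Defaults:alice !tty_tickets      # scoped to one user, so not global
Defaults    !tty_tickets, timestamp_timeout=5
root ALL=(ALL) ALL
'

# Demo: with the Sierra compiled-in default the sample turns tty_tickets off;
# with the El Capitan default and no override it stays off.
printf '%s\n' "$SAMPLE_SUDOERS" | sudoers_tty_tickets_effective on
printf '%s\n' 'Defaults env_reset' | sudoers_tty_tickets_effective off
```

To apply it for real, run `install_tty_tickets_dropin /etc/sudoers.d` as root. To see what is actually in effect on a machine, `sudo -l` lists the Defaults entries from sudoers that match the current user, and `sudo -V` run as root lists the build's compiled-in settings, which is where a per-tty timestamp shows up on a Sierra build even though nothing in /etc/sudoers mentions it.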


  1. April 9, 2017 at 9:43 pm

    We were just asked about the behavior change. What are your thoughts on editing /etc/sudoers directly vs dropping into /etc/sudoers.d/ directory?

  2. Neal Sofge
    November 30, 2020 at 10:00 pm

    How could you tell that was compiled in? Deduction from the manpages, or is there an option to coax sudo to tell you its internal configuration?

  3. Neal Sofge
    November 30, 2020 at 10:03 pm

    I’m necro-posting here because Catalina appears to have imposed the requiretty directive the same way Sierra did tty_tickets.
