I'm currently doing a project for my school aimed at creating a server in a VM. One of the requirements of the subject was to install sudo on an emulated Debian Linux, with the following field in the sudoers config file:

Defaults requiretty

The subject line requiring me to set this:

I know that tty is a command which prints the filename of a terminal that is currently connected to the standard input. However, what I can't see is how this ensures more security for the server.
When requiretty is set, sudo must be run from a logged-in terminal session (a tty). This prevents sudo from being used from daemons or other detached processes like cronjobs or webserver plugins. It also means you can't run it directly from an ssh call without setting up a terminal session.

This can prevent certain kinds of escalation attacks. For example, if I have a way to modify the crontab for a user who has NOPASSWD sudo permissions, I could use that to kick off a job as root. With requiretty, I can't do that...

...easily. This restriction is not particularly hard to circumvent, and so generally isn't all that useful compared to the valid use cases it breaks. Red Hat used to use it, but removed it a few years ago.