[sudo-users] Why does sudo return success for bad password?
gtaylor at tnetconsulting.net
Sat Mar 21 00:14:39 MDT 2020
On 3/20/20 10:30 PM, Jeffrey Walton wrote:
> Hi Everyone,
> Subject: Why does sudo return success for bad password?
Returning one thing for a good password and something else for a bad
password can be used as an information leak.
I expect that sudo purposefully returns the same thing for success and exit.
> I'm trying to smoke test an optional user password in a script. The
> script can be long running, so testing the user's password before
> hand makes for a good UI experience.
I understand and appreciate your motivation.
> As I understand things, the exit status of the pipeline is the exit
> status of the last command in the pipeline.
That is my understanding too.
> How can I obtain an accurate result of the 'sudo ls' command?
Try something like "sudo exit 5" (or some other high number). See if
you end up with different exit statuses for a good password (5) and a
bad password (0). (This is an untested guess.)
Grant. . . .
unix || die
More information about the sudo-users