[sudo-users] Why does sudo return success for bad password?
Todd C. Miller
Todd.Miller at sudo.ws
Sat Mar 21 05:57:01 MDT 2020
On Sat, 21 Mar 2020 00:30:41 -0400, Jeffrey Walton wrote:
> I'm trying to smoke test an optional user password in a script. The
> script can be long running, so testing the user's password before hand
> makes for a good UI experience.
>
> The following is reporting success even with a bad password:
>
> if [ -n "$SUDO_PASSWORD" ]
> then
> if printf "%s\n" "$SUDO_PASSWORD" | sudo -S ls 2>&1;
> then
> :
> else
> echo "It appears the sudo password is incorrect"
> ...
> fi
> fi
>
> As I understand things, the exit status of the pipeline is the exit
> status of the last command in the pipeline.
What version of sudo are you running? Sudo has traditionally used
an exit value of 1 for an authentication error.
Your script works as expected for me but note that if the user has
used sudo recently you can get a false positive since sudo won't
require the password again for 5 minutes. If all you care about is
whether or not the user can run a command with sudo this is probably
not important, but for testing purposes you probably want to run
"sudo -k" first.
One security note, I would be careful using printf here since it
is not a built-in command in all shells and the password could thus
show up in a ps listing. You could use echo or a here document
instead, for example:
if [ -n "$SUDO_PASSWORD" ]; then
sudo -Skv <<EOF
$SUDO_PASSWORD
EOF
if [ $? -ne 0 ]; then
echo "It appears the sudo password is incorrect"
...
fi
fi
Here I'm using "sudo -v" to just validate the password without
running a command "sudo -k" to ignore the time stamp record. That
will avoid the false positive during testing. Older versions of
sudo may not support using the -k flag in conjunction with a command.
- todd
More information about the sudo-users
mailing list