[sudo-users] Why does sudo return success for bad password?

Todd C. Miller Todd.Miller at sudo.ws
Sat Mar 21 05:57:01 MDT 2020

On Sat, 21 Mar 2020 00:30:41 -0400, Jeffrey Walton wrote:

> I'm trying to smoke test an optional user password in a script. The
> script can be long running, so testing the user's password before hand
> makes for a good UI experience.
> The following is reporting success even with a bad password:
>     if [ -n "$SUDO_PASSWORD" ]
>     then
>         if printf "%s\n" "$SUDO_PASSWORD" | sudo -S ls 2>&1;
>         then
>             :
>         else
>             echo "It appears the sudo password is incorrect"
>             ...
>         fi
>     fi
> As I understand things, the exit status of the pipeline is the exit
> status of the last command in the pipeline.

What version of sudo are you running?  Sudo has traditionally used
an exit value of 1 for an authentication error.

Your script works as expected for me but note that if the user has
used sudo recently you can get a false positive since sudo won't
require the password again for 5 minutes. If all you care about is
whether or not the user can run a command with sudo this is probably
not important, but for testing purposes you probably want to run
"sudo -k" first.

One security note, I would be careful using printf here since it
is not a built-in command in all shells and the password could thus
show up in a ps listing.  You could use echo or a here document
instead, for example:

    if [ -n "$SUDO_PASSWORD" ]; then
        sudo -Skv <<EOF
        if [ $? -ne 0 ]; then
            echo "It appears the sudo password is incorrect"

Here I'm using "sudo -v" to just validate the password without
running a command "sudo -k" to ignore the time stamp record.  That
will avoid the false positive during testing.  Older versions of
sudo may not support using the -k flag in conjunction with a command.

 - todd

More information about the sudo-users mailing list