A patch to force prompting for password

Tom May tom at you-bastards.com
Fri Nov 3 03:48:42 EST 2000


I have been burned too many times by sudo's inconsistent user
interface of sometimes prompting for my password and sometimes not.
It gets wired into my fingers to type my password since that is the
usual case, and then when someone is looking over my shoulder sudo
decides not to prompt me but I automatically type my password anyway
and they get to see it, and furthermore since I usually do something
like "sudo ssh somewhere" my password ends up in .bash_history and I
have to clean it up.

Sure I can arrange to do "sudo -k; sudo" but then I get the lecture
every time which is not pretty.

So, here's a patch to sudo-1.6.3p5 to add a -f switch to force
password prompting which gives me a consistent and clean user
interface.  Maybe I'm a complete idiot and there's already a way to do
it, but if there is I couldn't find it.  There's got to be a way to do
it, since I can't believe sudo has been around so long without it.
Maybe sysadmins are supposed to configure it so it always prompts, but
if they don't, then people like me are screwed.  This patch gives some
control back to the lowly user so we don't leak our passwords.  Look,
I even did the man page via sudo.pod!  Who could ask for anything
more?

diff -ur sudo-1.6.3p5.orig/check.c sudo-1.6.3p5/check.c
--- sudo-1.6.3p5.orig/check.c	Wed May 10 20:24:50 2000
+++ sudo-1.6.3p5/check.c	Fri Nov  3 00:02:58 2000
@@ -94,7 +94,7 @@
 
     build_timestamp(&timestampdir, &timestampfile);
     status = timestamp_status(timestampdir, timestampfile, user_name, TRUE);
-    if (status != TS_CURRENT) {
+    if (status != TS_CURRENT || force_prompt) {
 	if (status == TS_MISSING || status == TS_ERROR)
 	    lecture();		/* first time through they get a lecture */
 
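Review bot: the widened test `if (status != TS_CURRENT || force_prompt)` has no comment explaining why a current timestamp is now ignored; a one-line comment naming the -f switch would help the next reader. The inner lecture check is still keyed on `status == TS_MISSING || status == TS_ERROR`, so a forced prompt over a valid timestamp skips the lecture, which matches the goal stated in the message. The lines shown here do not say whether the timestamp is refreshed after a forced prompt succeeds; that behaviour should be decided and documented.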
diff -ur sudo-1.6.3p5.orig/sudo.c sudo-1.6.3p5/sudo.c
--- sudo-1.6.3p5.orig/sudo.c	Fri Aug 11 12:44:54 2000
+++ sudo-1.6.3p5/sudo.c	Fri Nov  3 00:05:32 2000
@@ -576,6 +576,9 @@
 	}
 
 	switch (NewArgv[0][1]) {
+	    case 'f':
+		force_prompt = 1;
+		break;
 	    case 'p':
 		/* Must have an associated prompt. */
 		if (NewArgv[1] == NULL)
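Review bot: in the new `case 'f':`, `force_prompt = 1;` uses a bare integer where the check.c context in this same patch passes `TRUE` to timestamp_status(); `force_prompt = TRUE;` would be consistent with that. The neighbouring `case 'p':` opens with a comment and this case has none, so a short one such as "Always prompt, even if the timestamp is current" would fit the surrounding style.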
@@ -1215,7 +1218,7 @@
     int exit_val;
 {
     (void) fprintf(stderr,
-	"usage: %s -V | -h | -L | -l | -v | -k | -K | [-H] [-S] [-b]\n%*s",
+	"usage: %s -V | -h | -L | -l | -v | -k | -K | [-H] [-S] [-b] [-f]\n%*s",
 	Argv[0], (int) strlen(Argv[0]) + 8, " ");
 #ifdef HAVE_LOGINCAP
     (void) fprintf(stderr, "[-p prompt] [-u username/#uid] [-c class] -s | <command>\n");
diff -ur sudo-1.6.3p5.orig/sudo.h sudo-1.6.3p5/sudo.h
--- sudo-1.6.3p5.orig/sudo.h	Wed May 10 20:24:50 2000
+++ sudo-1.6.3p5/sudo.h	Thu Nov  2 23:59:14 2000
@@ -57,6 +57,7 @@
     char *cmnd;
     char *cmnd_args;
     char *class_name;
+    int force_prompt;
 };
 
 /*
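Review bot: the new `int force_prompt;` member is never explicitly initialised in any hunk of this patch, so the test in check.c depends on the structure being zeroed before option parsing; please confirm that or set it to 0 explicitly. The members visible beside it (`cmnd`, `cmnd_args`, `class_name`) describe the user and the command, while this is a per-invocation command-line flag, so consider whether it belongs in this struct or alongside the other option state.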
@@ -131,6 +132,7 @@
 #define user_shost		(sudo_user.shost)
 #define safe_cmnd		(sudo_user.cmnd_safe)
 #define login_class		(sudo_user.class_name)
+#define force_prompt		(sudo_user.force_prompt)
 
 /*
  * We used to use the system definition of PASS_MAX or _PASSWD_LEN,
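Review bot: `#define force_prompt (sudo_user.force_prompt)` gives the macro the same name as the struct member it expands to, unlike the neighbouring lines where the two differ (`login_class` for `class_name`, `safe_cmnd` for `cmnd_safe`). It works only because the struct is declared before the macro and a macro is not re-expanded inside its own expansion; any later code that writes `sudo_user.force_prompt` directly will expand to a syntax error. Renaming either the member or the macro avoids that trap.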
diff -ur sudo-1.6.3p5.orig/sudo.pod sudo-1.6.3p5/sudo.pod
--- sudo-1.6.3p5.orig/sudo.pod	Sun Mar 26 19:26:23 2000
+++ sudo-1.6.3p5/sudo.pod	Fri Nov  3 00:37:36 2000
@@ -42,7 +42,7 @@
 =head1 SYNOPSIS
 
 B<sudo> B<-V> | B<-h> | B<-l> | B<-L> | B<-v> | B<-k> | B<-K> | B<-s> |
-[ B<-H> ] [B<-S> ] [ B<-b> ] | [ B<-p> prompt ] [ B<-c> class|- ]
+[ B<-H> ] [B<-S> ] [ B<-b> ] | [ B<-f> ] | [ B<-p> prompt ] [ B<-c> class|- ]
 [ B<-u> username/#uid ] I<command>
 
 =head1 DESCRIPTION
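Review bot: the synopsis change writes `| [ B<-f> ] |`, which presents -f as an alternative to the groups on either side, whereas the usage string in sudo.c lists it as a plain optional modifier (`[-b] [-f]`). The two should agree; `[ B<-b> ] [ B<-f> ] | [ B<-p> prompt ]` would keep the existing bar and match the usage text.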
@@ -122,6 +122,14 @@
 
 The C<-K> (sure I<kill>) option to B<sudo> removes the user's timestamp
 entirely.  This option does not require a password.
+
+=item -f
+
+The C<-f> (I<force prompt>) option forces B<sudo> to prompt
+for a password regardless of the user's timestamp.  This is useful
+to give sudo a consistent interface and prevents you from inadvertently
+typing your password when other people are watching and you're not paying
+attention to the fact that sudo may not have prompted you for a password.
 
 =item -b
 
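Review bot: the new `=item -f` text does not say whether a successful forced prompt updates the user's timestamp, nor what happens when -f is combined with the options described around it such as `-K`; both are worth a sentence. In the second sentence "sudo" appears twice without the `B<sudo>` markup used in the first sentence and in the `-K` entry above.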



That's all for now.
Tom.


