[sudo-workers] Feature request: always prompt for password with -S option

Kris Kowal cowbertvonmoo at gmail.com
Thu Aug 3 20:13:16 EDT 2006


I presume that the intended purpose of the -S option in sudo is to
avoid opening /dev/tty on systems where it is not available.  However,
I find that people commonly use the option to authenticate from a file
or echo in scripts.  While this is a security feaux pas, I can think
of situations where it might be acceptable.

There is however a problem with using sudo in this way.  After the
first time a script authenticates, following uses of sudo -S will not
be prompted for a password.  In most cases this is acceptable, but on
one hand it is a security problem, and on the other makes valid uses
difficult.  It is a security problem because in these cases, the user
might pass their password to the underlying sudoed command's input
stream.  It is a correctness problem because whether the password is
eaten by sudo or the resultant command is indeterminate.

I recommend that the -S option by default require a password, ignoring
the timestamp of the last use of sudo.  Since this would hinder people
using sudo to avoid /dev/tty, it might be desirable to just add an
option that causes sudo to unconditionally require a password.

If there is concensus on the issue, I'll consider participating in the
patch-making process.  Please CC me in responses (sometimes automatic
with "reply to all" in your mail client).

Kris Kowal.

More information about the sudo-workers mailing list