[sudo-workers] [patch] sudo: when searching for processes' tty bindings, also check for parent process

Zdenek Behan zbehan at chromium.org
Mon Jan 2 08:22:39 EST 2012


Hey folks,


In automated builds in ChromiumOS using buildbot, we ran into a problem
when doing in/out pipe redirections to/from a sudo running process.
Long version: crosbug.com/18393
Short version:
Sudo identifies processes by, amongst others, a tty binding, and it uses
the calling process's stdin/out/err to find out which one that is.
Buildbot passes the output of processes it runs into a file via
stdout/stderr redirection. This is fine if stdin remains intact, but breaks
as soon as you do something like `echo "foo" | sudo tee file'.

The simplest way to reproduce the problem is running: `sudo true' vs. `echo
| sudo true &> /dev/null'.
Depending on the sudo version and settings, the latter may either not ask
for a password, ask for a second password independently of any sudo tickets
acquired by the former, or ask for a password every time.

The attached patch introduces a little more permissive approach by also
looking at the tty of the parent process and using that.

As a side note, I have also considered an approach to traverse all parent
processes all the way to 1, but there doesn't seem to be a 100% portable
approach to figuring out the ppid of a given process, as opposed to one's own
ppid. Also, that seems like unnecessary overkill, but it is fairly easy to
extend that way if ever needed.


Zdenek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sudo-1.8-track-parent-tty.patch
Type: text/x-patch
Size: 2345 bytes
Desc: not available
URL: </pipermail/sudo-workers/attachments/20120102/1983be72/attachment.bin>
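
The lookup described in the message above, as an added example that is not the attached patch or sudo's own code: it checks fds 0-2 for a terminal and, when all three are redirected, reads the parent's controlling tty instead. It assumes Linux and the /proc/<pid>/stat layout from proc(5); all function names are hypothetical.

```c
/* Added example, not the attached patch. Assumes Linux /proc/<pid>/stat. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* First of stdin/stdout/stderr that is a terminal, or NULL if all are redirected. */
static const char *tty_from_std_fds(void)
{
    for (int fd = 0; fd <= 2; fd++) {
        const char *name = ttyname(fd);
        if (name != NULL) return name;
    }
    return NULL;
}
/* tty_nr is field 7 of a stat line; comm (field 2) may contain spaces or ')',
 * so parsing starts after the last ')'. Returns -1 on a malformed line. */
static long parse_tty_nr(const char *stat_line)
{
    const char *p = strrchr(stat_line, ')');
    char state;
    long ppid, pgrp, session, tty_nr;
    if (p == NULL || sscanf(p + 1, " %c %ld %ld %ld %ld",
                            &state, &ppid, &pgrp, &session, &tty_nr) != 5)
        return -1;
    return tty_nr;
}
/* Per proc(5): major in bits 15-8, minor in bits 31-20 and 7-0. */
static unsigned tty_major(long n) { return ((unsigned long)n >> 8) & 0xff; }
static unsigned tty_minor(long n) { return (n & 0xff) | (((unsigned long)n >> 12) & 0xfff00); }
/* Controlling tty number of the parent: 0 means none, -1 means lookup failed. */
static long parent_tty_nr(void)
{
    char path[64], line[512];
    long nr = -1;
    snprintf(path, sizeof path, "/proc/%ld/stat", (long)getppid());
    FILE *f = fopen(path, "r");
    if (f == NULL) return -1;
    if (fgets(line, sizeof line, f) != NULL) nr = parse_tty_nr(line);
    fclose(f);
    return nr;
}
int main(void)
{
    const char *t = tty_from_std_fds();
    long n = t ? 0 : parent_tty_nr();
    if (t) printf("tty from fds 0-2: %s\n", t);
    else if (n > 0) printf("fds 0-2 redirected; parent tty %u:%u\n", tty_major(n), tty_minor(n));
    else puts("no tty on fds 0-2 or on the parent");
    return 0;
}
```

Built and run as `echo | ./a.out > /dev/null 2>&1`, it takes the parent branch, which is the case from the reproduction above where no standard descriptor refers to the terminal.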

