[sudo-workers] use_pty option is broken

Radovan Sroka rsroka at redhat.com
Wed Sep 6 10:10:50 MDT 2017

I think that we are talking about two different things. But I have to do
some other checks and I let you know.

On Wed, Sep 6, 2017 at 5:43 PM Todd C. Miller <Todd.Miller at courtesan.com>

> This only appeared to work in sudo 1.8.19p2.  If you run, for example:
>     ssh root at localhost "sudo tty > /tmp/ttyname"
> you'll find that the contents of /tmp/ttyname is "not a tty" in
> both sudo versions.  In contrast:
>     ssh -t root at localhost "tty > /tmp/ttyname"
> shows that standard input is connected to a pty.
> Previously, sudo would use a pipe to connect stdin, stdout and
> stderr in this case.  As a fix for bug #786 it no longer does so:
>     https://bugzilla.sudo.ws/show_bug.cgi?id=786
> A goal for a future sudo release is to make use_pty the default
> while matching the behavior of !use_pty as closely as possible.
> The idea is to avoid the security issues that come from running
> a command as another user on the same tty.
> Rather than change the use_pty behavior I'd rather add a "fork_pty"
> option if users want to force the use of a pty when a terminal is
> not otherwise in use.
>  - todd

Radovan Sroka
Associate Software Engineer | Security Technologies | Red hat, Inc.

More information about the sudo-workers mailing list