[sudo-workers] use_pty option is broken

Radovan Sroka rsroka at redhat.com
Wed Sep 6 10:10:50 MDT 2017


I think that we are talking about two different things. But I have to do
some other checks and I'll let you know.

On Wed, Sep 6, 2017 at 5:43 PM Todd C. Miller <Todd.Miller at courtesan.com>
wrote:

> This only appeared to work in sudo 1.8.19p2.  If you run, for example:
>
>     ssh root@localhost "sudo tty > /tmp/ttyname"
>
> you'll find that the contents of /tmp/ttyname is "not a tty" in
> both sudo versions.  In contrast:
>
>     ssh -t root@localhost "tty > /tmp/ttyname"
>
> shows that standard input is connected to a pty.
>
> Previously, sudo would use a pipe to connect stdin, stdout and
> stderr in this case.  As a fix for bug #786 it no longer does so:
>     https://bugzilla.sudo.ws/show_bug.cgi?id=786
>
> A goal for a future sudo release is to make use_pty the default
> while matching the behavior of !use_pty as closely as possible.
> The idea is to avoid the security issues that come from running
> a command as another user on the same tty.
>
> Rather than change the use_pty behavior I'd rather add a "fork_pty"
> option if users want to force the use of a pty when a terminal is
> not otherwise in use.
>
>  - todd
>
-- 
--
---------------------------------------------------------

Radovan Sroka
Associate Software Engineer | Security Technologies | Red Hat, Inc.
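
The pipe-versus-pty difference described in the quoted message, as an added example that is not part of the original thread and is not sudo's code: a launcher starts a child that behaves like tty(1), once with stdin on a pipe and once on a newly allocated pty slave. The function name and the child script are assumptions made for illustration.

```python
import os
import pty
import subprocess
import sys

# Child mirrors tty(1): name the terminal on stdin, or print "not a tty".
CHILD = (
    "import os\n"
    "if not os.isatty(0):\n"
    "    print('not a tty')\n"
    "else:\n"
    "    try:\n"
    "        print(os.ttyname(0))\n"
    "    except OSError:\n"
    "        print('tty (name unavailable)')\n"
)


def child_stdin_report(use_pty):
    """Run the child with stdin on a pipe, or on a newly allocated pty slave."""
    cmd = [sys.executable, "-c", CHILD]
    if not use_pty:
        # No terminal in use: the launcher hands the command a plain pipe.
        done = subprocess.run(cmd, stdin=subprocess.PIPE,
                              stdout=subprocess.PIPE, text=True, check=True)
        return done.stdout.strip()
    # Launcher keeps the master side; the child only ever sees the slave.
    master, slave = pty.openpty()
    try:
        done = subprocess.run(cmd, stdin=slave,
                              stdout=subprocess.PIPE, text=True, check=True)
        return done.stdout.strip()
    finally:
        os.close(slave)
        os.close(master)


if __name__ == "__main__":
    print("pipe stdin:", child_stdin_report(False))
    print("pty stdin: ", child_stdin_report(True))
```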

