Sudo will now refuse to run if no tty is present unless the new

visiblepw sudoers flag is set.

diff --git a/def_data.c b/def_data.c
index da859e89451e0c3ad2cf534f6fe4e67384e71802..72c14c9f1f3f5de22b5489cc2a9941a0aee3e532 100644 (file)
--- a/def_data.c
+++ b/def_data.c
@@ -298,6 +298,10 @@ struct sudo_defs_types sudo_defs_table[] = {
        "sudoers_locale", T_STR,
        "Locale to use while parsing sudoers: %s",
        NULL,
+    }, {
+       "visiblepw", T_FLAG,
+       "Allow sudo to prompt for a password even if it would be visisble",
+       NULL,
     }, {
        NULL, 0, NULL
     }

diff --git a/def_data.h b/def_data.h
index 72d793eab975dd93d3310860fdc8d26ae83b1126..afa78e0b5fc29b6f8ded5c4d491a22942a454465 100644 (file)
--- a/def_data.h
+++ b/def_data.h
@@ -136,6 +136,8 @@
 #define I_ENV_FILE              67
 #define def_sudoers_locale      (sudo_defs_table[68].sd_un.str)
 #define I_SUDOERS_LOCALE        68
+#define def_visiblepw           (sudo_defs_table[69].sd_un.flag)
+#define I_VISIBLEPW             69
 
 enum def_tupple {
        never,

diff --git a/def_data.in b/def_data.in
index f92c631167b93c4bae4f7fa3757c8853e5f086ed..0a0a3b86deb6a741121cc306f15e67c69191a539 100644 (file)
--- a/def_data.in
+++ b/def_data.in
@@ -220,3 +220,6 @@ env_file
 sudoers_locale
        T_STR
        "Locale to use while parsing sudoers: %s"
+visiblepw
+       T_FLAG
+       "Allow sudo to prompt for a password even if it would be visisble"

diff --git a/sudo.c b/sudo.c
index 4246c6dd0a286216d025a420a7279c0ec2086ff1..0a5b9a719109eee74d3aadf9628b5991a2a4ed85 100644 (file)
--- a/sudo.c
+++ b/sudo.c
@@ -399,9 +399,14 @@ main(argc, argv, envp)
                "no askpass program specified, try setting SUDO_ASKPASS");
     } else {
        /* If no tty but DISPLAY is set, use askpass if we have it. */
-       if (user_askpass && !ISSET(tgetpass_flags, TGP_STDIN) &&
-           !user_ttypath && user_display && *user_display != '\0')
-           SET(tgetpass_flags, TGP_ASKPASS);
+       if (!user_ttypath && !ISSET(tgetpass_flags, TGP_STDIN)) {
+           if (user_askpass && user_display && *user_display != '\0') {
+               SET(tgetpass_flags, TGP_ASKPASS);
+           } else if (!def_visiblepw) {
+               log_error(NO_MAIL,
+                   "no tty present and no askpass program specified");
+           }
+       }
     }
 
     /* User may have overriden environment resetting via the -E flag. */

diff --git a/sudoers.pod b/sudoers.pod
index a561be415530b9cb3bb047de96c8306cf962fffd..077ee3ab79db5b632591707bf4dc3edd256085f2 100644 (file)
--- a/sudoers.pod
+++ b/sudoers.pod
@@ -662,11 +662,9 @@ user.  This flag is I<off> by default.
 =item requiretty
 
 If set, B<sudo> will only run when the user is logged in to a real
-tty.  This will disallow things like C<"rsh somehost sudo ls"> since
-L<rsh(1)> does not allocate a tty.  Because it is not possible to turn
-off echo when there is no tty present, some sites may wish to set
-this flag to prevent a user from entering a visible password.  This
-flag is I<off> by default.
+tty.  When this flag is set, B<sudo> can only be run from a login
+session and not via other means such as L<cron(8)> or cgi-bin scripts.
+This flag is I<off> by default.
 
 =item root_sudo
 
@@ -758,6 +756,15 @@ If set, B<sudo> will apply the defaults specified for the target user's
 login class if one exists.  Only available if B<sudo> is configured with
 the --with-logincap option.  This flag is I<off> by default.
 
+=item visiblepw
+
+By default, B<sudo> will refuse to run if the user must enter a
+password but it is not possible to disable echo on the terminal.
+If the I<visiblepw> flag is set, B<sudo> will prompt for a password
+even when it would be visible on the screen.  This makes it possible
+to run things like C<"rsh somehost sudo ls"> since L<rsh(1)> does
+not allocate a tty.  This flag is I<off> by default.
+
 =back
 
 B<Integers>: