has changed with respect to interposition with a pipe.
Also describe some caveats with log_input.
connected to the user's tty, due to I/O redirection or
because the command is part of a pipeline, that input
is also captured and stored in a separate log file.
- For more information, see the _\bI_\b/_\bO _\bL_\bO_\bG _\bF_\bI_\bL_\bE_\bS section.
- This flag is _\bo_\bf_\bf by default.
+ Anything sent to the standard input will be consumed,
+ regardless of whether or not the command run via s\bsu\bud\bdo\bo
+ is actually reading the standard input. This may have
+ unexpected results when using s\bsu\bud\bdo\bo in a shell script
+ that expects to process the standard input. For more
+ information about I/O logging, see the _\bI_\b/_\bO _\bL_\bO_\bG _\bF_\bI_\bL_\bE_\bS
+ section. This flag is _\bo_\bf_\bf by default.
log_output If set, s\bsu\bud\bdo\bo will run the command in a pseudo-tty and
log all output that is sent to the screen, similar to
- the script(1) command. For more information, see the
- _\bI_\b/_\bO _\bL_\bO_\bG _\bF_\bI_\bL_\bE_\bS section. This flag is _\bo_\bf_\bf by default.
+ the script(1) command. For more information about I/O
+ logging, see the _\bI_\b/_\bO _\bL_\bO_\bG _\bF_\bI_\bL_\bE_\bS section. This flag is
+ _\bo_\bf_\bf by default.
log_year If set, the four-digit year will be logged in the (non-
syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
not needed, this option can be disabled to reduce the
load on the LDAP server. This flag is _\bo_\bn by default.
- use_pty If set, s\bsu\bud\bdo\bo will run the command in a pseudo-pty even
- if no I/O logging is being gone. A malicious program
- run under s\bsu\bud\bdo\bo could conceivably fork a background
- process that retains to the user's terminal device
- after the main program has finished executing. Use of
- this option will make that impossible. This flag is
- _\bo_\bf_\bf by default.
+ use_pty If set, and s\bsu\bud\bdo\bo is running in a terminal, the command
+ will be run in a pseudo-pty (even if no I/O logging is
+ being done). If the s\bsu\bud\bdo\bo process is not attached to a
+ terminal, _\bu_\bs_\be_\b__\bp_\bt_\by has no effect.
+
+ A malicious program run under s\bsu\bud\bdo\bo may be capable of
+ injecting injecting commands into the user's terminal
+ or running a background process that retains access to
+ the user's terminal device even after the main program
+ has finished executing. By running the command in a
+ separate pseudo-pty, this attack is no longer possible.
+ This flag is _\bo_\bf_\bf by default.
user_command_timeouts
If set, the user may specify a timeout on the command
I\bI/\b/O\bO L\bLO\bOG\bG F\bFI\bIL\bLE\bES\bS
When I/O logging is enabled, s\bsu\bud\bdo\bo will run the command in a pseudo-tty
- and log all user input and/or output. I/O is logged to the directory
- specified by the _\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br option (_\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo by default) using a
- unique session ID that is included in the s\bsu\bud\bdo\bo log line, prefixed with
- "TSID=". The _\bi_\bo_\bl_\bo_\bg_\b__\bf_\bi_\bl_\be option may be used to control the format of the
- session ID.
+ and log all user input and/or output, depending on which options are
+ enabled. I/O is logged to the directory specified by the _\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br
+ option (_\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo by default) using a unique session ID that is
+ included in the s\bsu\bud\bdo\bo log line, prefixed with "TSID=". The _\bi_\bo_\bl_\bo_\bg_\b__\bf_\bi_\bl_\be
+ option may be used to control the format of the session ID.
Each I/O log is stored in a separate directory that contains the
following files:
file distributed with s\bsu\bud\bdo\bo or https://www.sudo.ws/license.html for
complete details.
-Sudo 1.8.21 August 4, 2017 Sudo 1.8.21
+Sudo 1.8.21 September 7, 2017 Sudo 1.8.21
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.TH "SUDOERS" "5" "August 4, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "5" "September 7, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
If the standard input is not connected to the user's tty, due to
I/O redirection or because the command is part of a pipeline, that
input is also captured and stored in a separate log file.
-For more information, see the
+Anything sent to the standard input will be consumed, regardless of
+whether or not the command run via
+\fBsudo\fR
+is actually reading the standard input.
+This may have unexpected results when using
+\fBsudo\fR
+in a shell script that expects to process the standard input.
+For more information about I/O logging, see the
\fII/O LOG FILES\fR
section.
This flag is
to the screen, similar to the
script(1)
command.
-For more information, see the
+For more information about I/O logging, see the
\fII/O LOG FILES\fR
section.
This flag is
by default.
.TP 18n
use_pty
-If set,
+If set, and
+\fBsudo\fR
+is running in a terminal, the command will be run in a pseudo-pty
+(even if no I/O logging is being done).
+If the
\fBsudo\fR
-will run the command in a pseudo-pty even if no I/O logging is being gone.
+process is not attached to a terminal,
+\fIuse_pty\fR
+has no effect.
+.sp
A malicious program run under
\fBsudo\fR
-could conceivably fork a background process that retains to the user's
-terminal device after the main program has finished executing.
-Use of this option will make that impossible.
+may be capable of injecting injecting commands into the user's
+terminal or running a background process that retains access to the
+user's terminal device even after the main program has finished
+executing.
+By running the command in a separate pseudo-pty, this attack is
+no longer possible.
This flag is
\fIoff\fR
by default.
.SH "I/O LOG FILES"
When I/O logging is enabled,
\fBsudo\fR
-will run the command in a pseudo-tty and log all user input and/or output.
+will run the command in a pseudo-tty and log all user input and/or output,
+depending on which options are enabled.
I/O is logged to the directory specified by the
\fIiolog_dir\fR
option
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.Dd August 4, 2017
+.Dd September 7, 2017
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
If the standard input is not connected to the user's tty, due to
I/O redirection or because the command is part of a pipeline, that
input is also captured and stored in a separate log file.
-For more information, see the
+Anything sent to the standard input will be consumed, regardless of
+whether or not the command run via
+.Nm sudo
+is actually reading the standard input.
+This may have unexpected results when using
+.Nm sudo
+in a shell script that expects to process the standard input.
+For more information about I/O logging, see the
.Sx "I/O LOG FILES"
section.
This flag is
to the screen, similar to the
.Xr script 1
command.
-For more information, see the
+For more information about I/O logging, see the
.Sx "I/O LOG FILES"
section.
This flag is
.Em on
by default.
.It use_pty
-If set,
+If set, and
+.Nm sudo
+is running in a terminal, the command will be run in a pseudo-pty
+(even if no I/O logging is being done).
+If the
.Nm sudo
-will run the command in a pseudo-pty even if no I/O logging is being gone.
+process is not attached to a terminal,
+.Em use_pty
+has no effect.
+.Pp
A malicious program run under
.Nm sudo
-could conceivably fork a background process that retains to the user's
-terminal device after the main program has finished executing.
-Use of this option will make that impossible.
+may be capable of injecting injecting commands into the user's
+terminal or running a background process that retains access to the
+user's terminal device even after the main program has finished
+executing.
+By running the command in a separate pseudo-pty, this attack is
+no longer possible.
This flag is
.Em off
by default.
.Sh I/O LOG FILES
When I/O logging is enabled,
.Nm sudo
-will run the command in a pseudo-tty and log all user input and/or output.
+will run the command in a pseudo-tty and log all user input and/or output,
+depending on which options are enabled.
I/O is logged to the directory specified by the
.Em iolog_dir
option
projects / sudo / commitdiff