Clarify how the variable prompt options interact with each other

and PAM.

diff --git a/doc/sudo.cat b/doc/sudo.cat
index 747f72b7126068755798167d39ee8e601d01c078..a689a951c734af3da8021074f755c99f0de0554c 100644 (file)
--- a/doc/sudo.cat
+++ b/doc/sudo.cat
@@ -261,9 +261,11 @@ D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
                  %%  two consecutive `%' characters are collapsed into a
                      single `%' character
 
-                 The custom prompt will override the system password prompt on
-                 systems that support PAM unless the _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be flag
-                 is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+                 The custom prompt will override the default prompt specified
+                 by either the security policy or the SUDO_PROMPT environment
+                 variable.  On systems that use PAM, the custom prompt will
+                 also override the prompt specified by a PAM module unless the
+                 _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be flag is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs.
 
      -\b-r\br _\br_\bo_\bl_\be, -\b--\b-r\bro\bol\ble\be=_\br_\bo_\bl_\be
                  Run the command with an SELinux security context that
@@ -629,4 +631,4 @@ D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
      file distributed with s\bsu\bud\bdo\bo or https://www.sudo.ws/license.html for
      complete details.
 
-Sudo 1.8.21                      July 20, 2017                     Sudo 1.8.21
+Sudo 1.8.21                      July 21, 2017                     Sudo 1.8.21

diff --git a/doc/sudo.man.in b/doc/sudo.man.in
index d43654bfc1ae8c2be8c05ecdf8eac5f697277799..699aa3508d7a28f3bcc5b5c477dcd37edf3cf19b 100644 (file)
--- a/doc/sudo.man.in
+++ b/doc/sudo.man.in
@@ -21,7 +21,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.TH "SUDO" "8" "July 20, 2017" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
+.TH "SUDO" "8" "July 21, 2017" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -518,8 +518,12 @@ characters are collapsed into a single
 \(oq%\(cq
 character
 .PP
-The custom prompt will override the system password prompt on systems that
-support PAM unless the
+The custom prompt will override the default prompt specified by either
+the security policy or the
+\fRSUDO_PROMPT\fR
+environment variable.
+On systems that use PAM, the custom prompt will also override the prompt
+specified by a PAM module unless the
 \fIpassprompt_override\fR
 flag is disabled in
 \fIsudoers\fR.

diff --git a/doc/sudo.mdoc.in b/doc/sudo.mdoc.in
index 4f3ff9da91ac2f7734ec93153e2b90b85e4fb321..e995264d6afcd7d4b717488514288ef102900890 100644 (file)
--- a/doc/sudo.mdoc.in
+++ b/doc/sudo.mdoc.in
@@ -19,7 +19,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.Dd July 20, 2017
+.Dd July 21, 2017
 .Dt SUDO @mansectsu@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -467,8 +467,12 @@ characters are collapsed into a single
 character
 .El
 .Pp
-The custom prompt will override the system password prompt on systems that
-support PAM unless the
+The custom prompt will override the default prompt specified by either
+the security policy or the
+.Ev SUDO_PROMPT
+environment variable.
+On systems that use PAM, the custom prompt will also override the prompt
+specified by a PAM module unless the
 .Em passprompt_override
 flag is disabled in
 .Em sudoers .

diff --git a/doc/sudoers.cat b/doc/sudoers.cat
index bd9750ec153108739b9200f890df7322fa77122e..237c71979aa01f4f22808282be12c1a952b8d3bf 100644 (file)
--- a/doc/sudoers.cat
+++ b/doc/sudoers.cat
@@ -1279,11 +1279,11 @@ S\bSU\bUD\bDO\bOE\bER\bRS\bS O\bOP\bPT\bTI\bIO\bON\bNS\bS
                        higher.
 
      passprompt_override
-                       The password prompt specified by _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will
-                       normally only be used if the password prompt provided
-                       by systems such as PAM matches the string "Password:".
-                       If _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is set, _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will always
-                       be used.  This flag is _\bo_\bf_\bf by default.
+                       If set, the prompt specified by _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt or the
+                       SUDO_PROMPT environment variable will always be used
+                       and will replace the prompt provided by a PAM module or
+                       other authentication method.  This flag is _\bo_\bf_\bf by
+                       default.
 
      path_info         Normally, s\bsu\bud\bdo\bo will tell the user when a command could
                        not be found in their PATH environment variable.  Some
@@ -1778,7 +1778,15 @@ S\bSU\bUD\bDO\bOE\bER\bRS\bS O\bOP\bPT\bTI\bIO\bON\bNS\bS
                        %%    two consecutive % characters are collapsed into a
                              single % character
 
-                       The default value is "Password:".
+                       On systems that use PAM for authentication, _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt
+                       will only be used if the prompt provided by the PAM
+                       module matches the string "Password: " or "username's
+                       Password: ".  This ensures that the _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt setting
+                       does not interfere with challenge-response style
+                       authentication.  The _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be flag can be
+                       used to change this behavior.
+
+                       The default value is "Password: ".
 
      privs             The default Solaris privileges to use when constructing
                        a new privilege set for a command.  This is passed to
@@ -2823,4 +2831,4 @@ D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
      file distributed with s\bsu\bud\bdo\bo or https://www.sudo.ws/license.html for
      complete details.
 
-Sudo 1.8.21                      July 20, 2017                     Sudo 1.8.21
+Sudo 1.8.21                      July 21, 2017                     Sudo 1.8.21

diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in
index d5c82704f90658bc62fbbafd020a0b0b0e5ce467..193b2e18e1a9a8021aab1583e34ba7b4128276fd 100644 (file)
--- a/doc/sudoers.man.in
+++ b/doc/sudoers.man.in
@@ -21,7 +21,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.TH "SUDOERS" "5" "July 20, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "5" "July 21, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -2677,16 +2677,12 @@ by default.
 This setting is only supported by version 1.8.8 or higher.
 .TP 18n
 passprompt_override
-The password prompt specified by
+If set, the prompt specified by
 \fIpassprompt\fR
-will normally only be used if the password prompt provided by systems
-such as PAM matches the string
-\(LqPassword:\(Rq.
-If
-\fIpassprompt_override\fR
-is set,
-\fIpassprompt\fR
-will always be used.
+or the
+\fRSUDO_PROMPT\fR
+environment variable will always be used and will replace the
+prompt provided by a PAM module or other authentication method.
 This flag is
 \fIoff\fR
 by default.
@@ -3575,6 +3571,19 @@ characters are collapsed into a single
 \fR%\fR
 character
 .PP
+On systems that use PAM for authentication,
+\fIpassprompt\fR
+will only be used if the prompt provided by the PAM module matches the string
+\(LqPassword: \(Rq
+or
+\(Lqusername's Password: \(Rq.
+This ensures that the
+\fIpassprompt\fR
+setting does not interfere with challenge-response style authentication.
+The
+\fIpassprompt_override\fR
+flag can be used to change this behavior.
+.sp
 The default value is
 \(Lq\fR@passprompt@\fR\(Rq.
 .RE

diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in
index 69c1ef9741dc19e6eb3672ac3c3503df94b0b721..532adfa8a905a674178b416bfaa21eb71ef943f9 100644 (file)
--- a/doc/sudoers.mdoc.in
+++ b/doc/sudoers.mdoc.in
@@ -19,7 +19,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.Dd July 20, 2017
+.Dd July 21, 2017
 .Dt SUDOERS @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -2514,16 +2514,12 @@ by default.
 .Pp
 This setting is only supported by version 1.8.8 or higher.
 .It passprompt_override
-The password prompt specified by
+If set, the prompt specified by
 .Em passprompt
-will normally only be used if the password prompt provided by systems
-such as PAM matches the string
-.Dq Password: .
-If
-.Em passprompt_override
-is set,
-.Em passprompt
-will always be used.
+or the
+.Ev SUDO_PROMPT
+environment variable will always be used and will replace the
+prompt provided by a PAM module or other authentication method.
 This flag is
 .Em off
 by default.
@@ -3348,8 +3344,21 @@ characters are collapsed into a single
 character
 .El
 .Pp
+On systems that use PAM for authentication,
+.Em passprompt
+will only be used if the prompt provided by the PAM module matches the string
+.Dq "Password: "
+or
+.Dq "username's Password: " .
+This ensures that the
+.Em passprompt
+setting does not interfere with challenge-response style authentication.
+The
+.Em passprompt_override
+flag can be used to change this behavior.
+.Pp
 The default value is
-.Dq Li @passprompt@ .
+.Dq Li "@passprompt@" .
 .It privs
 The default Solaris privileges to use when constructing a new
 privilege set for a command.