From: Todd C. Miller Date: Thu, 7 Sep 2017 20:59:37 +0000 (-0600) Subject: More accurately describe the use_pty option now that its behavior X-Git-Tag: SUDO_1_8_22^2~84 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7e78fbccfd6a22cfb0c26bc5aa80179c14495290;p=sudo More accurately describe the use_pty option now that its behavior has changed with respect to interposition with a pipe. Also describe some caveats with log_input. --- diff --git a/doc/sudoers.cat b/doc/sudoers.cat index b4be9ede4..755364aea 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat @@ -1149,13 +1149,19 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS connected to the user's tty, due to I/O redirection or because the command is part of a pipeline, that input is also captured and stored in a separate log file. - For more information, see the _I_/_O _L_O_G _F_I_L_E_S section. - This flag is _o_f_f by default. + Anything sent to the standard input will be consumed, + regardless of whether or not the command run via ssuuddoo + is actually reading the standard input. This may have + unexpected results when using ssuuddoo in a shell script + that expects to process the standard input. For more + information about I/O logging, see the _I_/_O _L_O_G _F_I_L_E_S + section. This flag is _o_f_f by default. log_output If set, ssuuddoo will run the command in a pseudo-tty and log all output that is sent to the screen, similar to - the script(1) command. For more information, see the - _I_/_O _L_O_G _F_I_L_E_S section. This flag is _o_f_f by default. + the script(1) command. For more information about I/O + logging, see the _I_/_O _L_O_G _F_I_L_E_S section. This flag is + _o_f_f by default. log_year If set, the four-digit year will be logged in the (non- syslog) ssuuddoo log file. This flag is _o_f_f by default. 
@@ -1464,13 +1470,18 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS not needed, this option can be disabled to reduce the load on the LDAP server. This flag is _o_n by default. - use_pty If set, ssuuddoo will run the command in a pseudo-pty even - if no I/O logging is being gone. A malicious program - run under ssuuddoo could conceivably fork a background - process that retains to the user's terminal device - after the main program has finished executing. Use of - this option will make that impossible. This flag is - _o_f_f by default. + use_pty If set, and ssuuddoo is running in a terminal, the command + will be run in a pseudo-pty (even if no I/O logging is + being done). If the ssuuddoo process is not attached to a + terminal, _u_s_e___p_t_y has no effect. + + A malicious program run under ssuuddoo may be capable of + injecting injecting commands into the user's terminal + or running a background process that retains access to + the user's terminal device even after the main program + has finished executing. By running the command in a + separate pseudo-pty, this attack is no longer possible. + This flag is _o_f_f by default. user_command_timeouts If set, the user may specify a timeout on the command 
@@ -2328,11 +2339,11 @@ LLOOGG FFOORRMMAATT II//OO LLOOGG FFIILLEESS When I/O logging is enabled, ssuuddoo will run the command in a pseudo-tty - and log all user input and/or output. I/O is logged to the directory - specified by the _i_o_l_o_g___d_i_r option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a - unique session ID that is included in the ssuuddoo log line, prefixed with - "TSID=". The _i_o_l_o_g___f_i_l_e option may be used to control the format of the - session ID. + and log all user input and/or output, depending on which options are + enabled. I/O is logged to the directory specified by the _i_o_l_o_g___d_i_r + option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a unique session ID that is + included in the ssuuddoo log line, prefixed with "TSID=". The _i_o_l_o_g___f_i_l_e + option may be used to control the format of the session ID. Each I/O log is stored in a separate directory that contains the following files: @@ -2868,4 +2879,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or https://www.sudo.ws/license.html for complete details. -Sudo 1.8.21 August 4, 2017 Sudo 1.8.21 +Sudo 1.8.21 September 7, 2017 Sudo 1.8.21 diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index aa7435bd8..e84357fc3 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in @@ -21,7 +21,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.TH "SUDOERS" "5" "August 4, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDOERS" "5" "September 7, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" 
@@ -2425,7 +2425,14 @@ will run the command in a pseudo-tty and log all user input. If the standard input is not connected to the user's tty, due to I/O redirection or because the command is part of a pipeline, that input is also captured and stored in a separate log file. -For more information, see the +Anything sent to the standard input will be consumed, regardless of +whether or not the command run via +\fBsudo\fR +is actually reading the standard input. +This may have unexpected results when using +\fBsudo\fR +in a shell script that expects to process the standard input. +For more information about I/O logging, see the \fII/O LOG FILES\fR section. This flag is @@ -2439,7 +2446,7 @@ will run the command in a pseudo-tty and log all output that is sent to the screen, similar to the script(1) command. -For more information, see the +For more information about I/O logging, see the \fII/O LOG FILES\fR section. This flag is @@ -3066,14 +3073,24 @@ This flag is by default. .TP 18n use_pty -If set, +If set, and +\fBsudo\fR +is running in a terminal, the command will be run in a pseudo-pty +(even if no I/O logging is being done). +If the \fBsudo\fR -will run the command in a pseudo-pty even if no I/O logging is being gone. +process is not attached to a terminal, +\fIuse_pty\fR +has no effect. +.sp A malicious program run under \fBsudo\fR -could conceivably fork a background process that retains to the user's -terminal device after the main program has finished executing. -Use of this option will make that impossible. +may be capable of injecting injecting commands into the user's +terminal or running a background process that retains access to the +user's terminal device even after the main program has finished +executing. +By running the command in a separate pseudo-pty, this attack is +no longer possible. This flag is \fIoff\fR by default. 
@@ -4616,7 +4633,8 @@ word wrap will be disabled. .SH "I/O LOG FILES" When I/O logging is enabled, \fBsudo\fR -will run the command in a pseudo-tty and log all user input and/or output. +will run the command in a pseudo-tty and log all user input and/or output, +depending on which options are enabled. I/O is logged to the directory specified by the \fIiolog_dir\fR option diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index f411a59e6..026884452 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in @@ -19,7 +19,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.Dd August 4, 2017 +.Dd September 7, 2017 .Dt SUDOERS @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -2277,7 +2277,14 @@ will run the command in a pseudo-tty and log all user input. If the standard input is not connected to the user's tty, due to I/O redirection or because the command is part of a pipeline, that input is also captured and stored in a separate log file. -For more information, see the +Anything sent to the standard input will be consumed, regardless of +whether or not the command run via +.Nm sudo +is actually reading the standard input. +This may have unexpected results when using +.Nm sudo +in a shell script that expects to process the standard input. +For more information about I/O logging, see the .Sx "I/O LOG FILES" section. This flag is @@ -2290,7 +2297,7 @@ will run the command in a pseudo-tty and log all output that is sent to the screen, similar to the .Xr script 1 command. -For more information, see the +For more information about I/O logging, see the .Sx "I/O LOG FILES" section. This flag is 
@@ -2880,14 +2887,24 @@ This flag is .Em on by default. .It use_pty -If set, +If set, and +.Nm sudo +is running in a terminal, the command will be run in a pseudo-pty +(even if no I/O logging is being done). +If the .Nm sudo -will run the command in a pseudo-pty even if no I/O logging is being gone. +process is not attached to a terminal, +.Em use_pty +has no effect. +.Pp A malicious program run under .Nm sudo -could conceivably fork a background process that retains to the user's -terminal device after the main program has finished executing. -Use of this option will make that impossible. +may be capable of injecting injecting commands into the user's +terminal or running a background process that retains access to the +user's terminal device even after the main program has finished +executing. +By running the command in a separate pseudo-pty, this attack is +no longer possible. This flag is .Em off by default. @@ -4292,7 +4309,8 @@ word wrap will be disabled. .Sh I/O LOG FILES When I/O logging is enabled, .Nm sudo -will run the command in a pseudo-tty and log all user input and/or output. +will run the command in a pseudo-tty and log all user input and/or output, +depending on which options are enabled. I/O is logged to the directory specified by the .Em iolog_dir option
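Review bot: The new use_pty paragraph contains a doubled word, "may be capable of injecting injecting commands into the user's terminal", and the same slip appears in the doc/sudoers.cat, doc/sudoers.man.in and doc/sudoers.mdoc.in hunks; drop one "injecting" in all three. The paragraph also lists two behaviours (injecting commands, and a background process that keeps access to the terminal device) but closes with the singular "this attack is no longer possible"; "these attacks are no longer possible" would match what precedes it.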
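Review bot: In the log_input hunks, the added sentence "Anything sent to the standard input will be consumed, regardless of whether or not the command run via sudo is actually reading the standard input" does not say whether it applies only to the case described in the sentence before it (standard input not connected to the user's tty, through redirection or a pipeline) or to every log_input session. Since the warning is aimed at shell scripts that expect to process standard input, tie it explicitly to the redirected or piped case, for example by opening with "In that case, anything sent to the standard input ...", so a script author can tell when the rest of the input will be swallowed.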
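Review bot: The condition in the use_pty hunks, "If set, and sudo is running in a terminal" with "If the sudo process is not attached to a terminal, use_pty has no effect", never mentions the pipe case that the commit message gives as the reason for the change, and it does not say what "attached to a terminal" is judged by. Someone relying on use_pty as a hardening control needs to know whether a command run in a pipeline or with redirected I/O still gets the pty, so state that case outright. The wording "pseudo-pty" is also at odds with "pseudo-tty", which the log_input, log_output and I/O LOG FILES text in this same patch uses; pick one term.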