Bug 1038

Summary: sudo drops command output
Product: Sudo
Reporter: bob.schwartz
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: normal
Priority: low
Version: 1.9.11
Hardware: PC
OS: Linux

Description bob.schwartz 2022-08-10 15:18:19 MDT
With logging enabled, certain script output is dropped.  Here's how we've duplicated the problem:

Test script (call it tst.sh):

#!/bin/bash
echo "start script"
sudo ls
echo "end script"

running "bash -s < tst.sh"

output:

start script
(output of ls)

when the following options are enabled:

Defaults log_servers = logserver:30344(tls)
Defaults log_output
Defaults log_input
Defaults log_server_cabundle = /etc/ssl/sudo/cacert.pem
Defaults log_server_peer_cert = /etc/ssl/sudo/certs/client_cert.pem
Defaults log_server_peer_key = /etc/ssl/sudo/private/client_key.pem
Defaults log_server_verify
Defaults log_subcmds
Defaults ignore_iolog_errors

If the log_input line is commented out, the output of the above command is:

start script
(output of ls)
end script

This is on a Linux server running 1.9.11p3.
Comment 1 Todd C. Miller 2022-08-10 15:57:48 MDT
This happens because you are passing the script to bash on the standard input.  When "sudo ls" runs, because log_input is enabled, it will read from the standard input in order to log it.  However, this means that sudo will read (and log) the standard input passed to the shell.  As a result, after sudo finishes the shell reads end of file instead of the next command.  Sudo has no way to distinguish between input meant for the parent shell and input meant for the command being run.

If you check the input log for the command you should see the rest of the shell script there.  For example, in my case:

# cat /var/log/sudo-io/00/00/IQ/stdin
echo "end script"

As a work-around you can either:

1. make the script executable and run it directly instead of passing to bash on standard input.  In other words:

    chmod 755 tst.sh
    ./tst.sh

2. redirect standard input for the sudo command from /dev/null.  For example:

    #!/bin/bash
    echo "start script"
    sudo ls < /dev/null
    echo "end script"

will work with:

    bash -s < ./tst.sh

because "sudo ls" will get EOF reading from standard input.

3. Disable log_input in sudoers for commands you know will never read from standard input.  For example:

    Cmnd_Alias      NO_INPUT = /usr/bin/ls, /usr/bin/echo, /usr/bin/printf
    Defaults!NO_INPUT !log_input

A future version of sudo may include finer-grained controls for logging input and output that should make it possible to opt out of logging standard input or standard output while still logging terminal input/output.
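The mechanism in comment 1 can be reproduced without sudo at all. In this added example (not from the bug report or from sudo's sources) a plain `cat` stands in for "sudo ls" with log_input: any child that reads the shell's standard input swallows the remainder of a script fed via "bash -s < script", and work-around 2 (redirecting the child's stdin from /dev/null) restores the lost lines. The helper names and the temporary script are constructed for the demonstration.

```shell
#!/bin/bash
# Added example: a child command that reads the shell's stdin (cat, standing in
# for "sudo ls" with log_input) consumes the rest of a script that bash is
# reading from its own standard input, so bash hits EOF before "end script".

# Build a three-line script whose middle command is given as $1, feed it to
# "bash -s" on standard input exactly as the reporter did, and print what it
# echoes. The script file is a constructed temporary file.
run_script_on_stdin() {
    local middle="$1" tmp
    tmp=$(mktemp) || return 1
    printf '%s\n' 'echo "start script"' "$middle" 'echo "end script"' > "$tmp"
    bash -s < "$tmp"
    rm -f "$tmp"
}

# Print "lost" when the script never reached its final line, "ok" otherwise.
last_line_reached() {
    local out
    out=$(run_script_on_stdin "$1")
    case "$out" in
        *"end script") echo ok ;;
        *) echo lost ;;
    esac
}

echo "== child reads the shell's stdin (behaves like log_input) =="
run_script_on_stdin 'cat > /dev/null'              # prints only "start script"
echo "== child stdin redirected from /dev/null (work-around 2) =="
run_script_on_stdin 'cat > /dev/null < /dev/null'  # prints both lines
```

The same check can be pointed at a real sudo command by passing e.g. 'sudo ls' and 'sudo ls < /dev/null' as the middle line on a host with log_input enabled.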
Comment 2 Todd C. Miller 2022-10-23 09:16:03 MDT
Sudo 1.9.12 includes support for logging terminal input/output without also consuming the standard input, output or error.