Bug 620

Summary: When using -S option, always read first line of stdin
Product: Sudo
Reporter: bugzilla
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED INVALID    
Severity: security    
Priority: low    
Version: 1.8.7   
Hardware: PC   
OS: Other   

Description bugzilla 2013-11-07 17:22:24 MST
When using sudo in a script with the -S option, it consumes the first line of input if the user is not already authenticated, but doesn't consume it if a password was not required. This can cause the password to be revealed if the command that sudo executes unexpectedly gets the password and publishes it somewhere.
Comment 1 Todd C. Miller 2013-11-07 20:13:58 MST
If you always want sudo to consume the password you should use the -k option in conjunction with -S.  For example, the following will always consume the password:

$ echo test123 | sudo -Sk id

Using the -k option along with a command should work for sudo versions 1.7.1 and higher.
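
An added example, not part of the bug report or the sudo project: a shell model of the stdin behaviour discussed in this thread, showing what the executed command receives when the password line is or is not consumed. The real sudo is not invoked; `sim_sudo_S`, `feed` and the three case functions are hypothetical names, and the input is constructed.

```shell
#!/bin/sh
# Constructed model of `sudo -S` stdin handling as described in this report.
# It does not call the real sudo.
#
# sim_sudo_S CACHED KFLAG CMD...
#   CACHED=1 models a user who is already authenticated (no password needed),
#   CACHED=0 models a user who must authenticate.
#   KFLAG=1 models adding -k, so a password is always required.
sim_sudo_S() {
    cached=$1; kflag=$2; shift 2
    if [ "$cached" -eq 0 ] || [ "$kflag" -eq 1 ]; then
        # Password required: the first line of stdin is consumed as the password.
        IFS= read -r _password
    fi
    # The command inherits whatever is still unread on stdin.
    "$@"
}

# Constructed input: the password line followed by data meant for the command.
feed() { printf '%s\n' 'test123' 'payload-line'; }

# What the command (cat here) sees in each situation.
leak_case()   { feed | sim_sudo_S 1 0 cat; }  # authenticated, no -k: password reaches cat
prompt_case() { feed | sim_sudo_S 0 0 cat; }  # not authenticated: password consumed
k_case()      { feed | sim_sudo_S 1 1 cat; }  # authenticated, -k given: password consumed

# Show all three outcomes when the file is run directly.
for c in leak_case prompt_case k_case; do
    printf '%s:\n' "$c"
    "$c" | sed 's/^/    /'
done
```

Only `leak_case` passes the `test123` line through to the command, which is the situation the report describes; the modelled `-k` case matches the `-Sk` invocation in Comment 1.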