Bug 867

Summary: sudo modifies command output, showing "Last login: ..." info
Product: Sudo
Reporter: Nir Soffer <nsoffer>
Component: Sudoers
Assignee: Larrymuters0
Status: RESOLVED FIXED
Severity: normal
CC: Larrymuters0
Priority: low
Version: 1.8.26
Hardware: All
OS: Linux
Attachments:
    0001-Avoid-pam_lastlog-prompts-in-non-interactive-mode.patch
    v2-0001-Avoid-pam_lastlog-prompts-unless-running-a-shell.patch
    Software change

Description Nir Soffer 2019-01-05 15:50:34 MST
Created attachment 520 [details]
0001-Avoid-pam_lastlog-prompts-in-non-interactive-mode.patch

If sudo is configured to include session system-auth:

    $ cat /etc/pam.d/sudo
    ... 
    session    include      system-auth

And system-auth is using pam_lastlog plugin:

    $ cat /etc/pam.d/system-auth
    ... 
    session     required      pam_lastlog.so showfailed

This configuration probably tries to satisfy:
http://people.redhat.com/swells/scap-security-guide/tables/table-rhel7-nistrefs-ospp-rhel7.html
(See CCE-27275-7 Set Last Logon/Access Notification)

Running a command in non-interactive mode will add the last login
info in the command stdout:

    $ echo "expected-output" | sudo -n cat
    Last login: Tue Jan  1 23:31:22 IST 2019 on pts/1
    expected-output

This breaks use cases when command output is consumed by another
program. An example real use case is running LVM commands using sudo.
LVM output is built to be consumed by programs and programs assume
that sudo is not modifying the output in any way.

Here is an example failure caused by this issue:
https://bugzilla.redhat.com/1662449

    $ sudo --version
    Sudo version 1.8.23
    Sudoers policy plugin version 1.8.23
    Sudoers file grammar version 46
    Sudoers I/O plugin version 1.8.23

I could not find where to send patches, so I'm attaching a patch here.
The patch was tested on CentOS 7.6.
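As an added check (constructed here, not part of the bug report or of sudo), a shell function that tells whether a wrapper such as `sudo -n` leaves piped stdout byte-identical; the `fake_sudo_*` functions are stand-ins that mimic a pam_lastlog session stack and a PAM_SILENT one, so the check can be exercised without root. After the fix in 1.8.27 the real check should pass for any non-shell command.

```shell
#!/bin/sh
# Added example (not from the bug report or from sudo): detect whether a
# privilege wrapper alters the stdout of a command run in a pipeline.
# Real use:  check_pipeline_clean sudo -n && echo "sudo output is clean"

check_pipeline_clean() {
    marker="expected-output-$$"
    # Pipe a known line through "WRAPPER cat"; anything else that shows up
    # on stdout (e.g. a pam_lastlog "Last login:" banner) is injected text.
    got=$(printf '%s\n' "$marker" | "$@" cat 2>/dev/null)
    [ "$got" = "$marker" ]
}

# Print only the injected lines so the operator can see what was added
# (empty output and exit status 1 when nothing was injected).
injected_lines() {
    marker="expected-output-$$"
    printf '%s\n' "$marker" | "$@" cat 2>/dev/null | grep -v -x -F "$marker"
}

# Constructed stand-ins, usable without root:
# behaves like sudo with "session required pam_lastlog.so showfailed"
fake_sudo_lastlog() {
    echo "Last login: Tue Jan  1 23:31:22 IST 2019 on pts/1"
    "$@"
}
# behaves like sudo passing PAM_SILENT to pam_open_session()
fake_sudo_silent() {
    "$@"
}
```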
Comment 1 Todd C. Miller 2019-01-05 19:23:42 MST
I think it would be best to always pass PAM_SILENT to pam_open_session()
unless a shell is being run (sudo -s or sudo -i).  It doesn't seem reasonable to expect people to use the -n flag any time they run sudo in a pipeline.
Comment 2 Nir Soffer 2019-01-06 13:06:15 MST
I agree, it would be more friendly like that. Working on the next
version.
Comment 3 Nir Soffer 2019-01-06 15:25:02 MST
Created attachment 521 [details]
v2-0001-Avoid-pam_lastlog-prompts-unless-running-a-shell.patch

Changes in v2:
- Be silent by default, unless running an actual shell.
Comment 4 Todd C. Miller 2019-01-07 09:53:17 MST
Slightly different fix committed:
https://www.sudo.ws/repos/sudo/rev/b8b5d3445a3c

There's no need to check for MODE_IMPLIED_SHELL, it is only set in addition to MODE_SHELL.
Comment 5 Todd C. Miller 2019-01-12 10:03:14 MST
Fixed in sudo 1.8.27, out now.
Comment 6 Larrymuters0 2019-07-11 06:35:24 MDT
Created attachment 528 [details]
Software change