Bug 180 - sudo does not respect -p or $SUDO_PROMPT if PAM prompt is non-standard
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.6.8
Hardware: PC Linux
Importance: normal normal
Assigned To: Todd C. Miller
Duplicates: 270
Reported: 2005-05-15 07:55 MDT by Jeff Layton
Modified: 2007-12-03 05:59 MST

Attachments
patch -- don't use PAM prompt if user_prompt is set. (794 bytes, patch)
2005-05-15 07:59 MDT, Jeff Layton
patch that implements an append-prompt mode (1.46 KB, patch)
2005-06-28 08:26 MDT, Michael Vogt

Description Jeff Layton 2005-05-15 07:55:34 MDT
sudo does not respect the -p or $SUDO_PROMPT options if the PAM prompt does not
match 'Password :'. This does not seem to be correct behavior -- you ought to be
able to override it regardless of whether it's standard or not.

This also breaks certain tools such as gksudo when sudo is configured to use
(for example) pam_krb5. This tool depends on being able to set the prompt to a
specified string.
Comment 1 Jeff Layton 2005-05-15 07:59:34 MDT
Created attachment 37
patch -- don't use PAM prompt if user_prompt is set.


The attached patch fixes this behavior. This changes sudo to override the PAM
prompt if user_prompt is set. If it's not set, then it will have the existing
behavior.
Comment 2 Todd C. Miller 2005-05-17 11:59:38 MDT
This is going to cause serious problems if you use authentication types such as skey or other challenge/response systems.
Comment 3 Jeff Layton 2005-05-17 15:30:52 MDT
Hmm...good point. Though I suppose if you're using '-p' or $SUDO_PROMPT then you
should be expected to know what you're doing.

Another idea might be to introduce an 'append to prompt' option. Then gksudo
could do something like:

--ap GNOME_SUDO_PROMPT

Then it would present something like:

'Password: GNOME_SUDO_PROMPT'

The calling program could then strip off the last part and present the former to
the user. This would allow gksudo to work even with stuff like skey as the user
could see the info from the PAM prompt.
Comment 4 Michael Vogt 2005-06-28 08:26:59 MDT
Created attachment 38
patch that implements an append-prompt mode

I attached a patch that adds a simple "append-prompt" flag to sudo. If sudo is
called with -x (in addition to -p) it will append the PROMPT at the end of the
prompt it gets from PAM. This should help tools like gksudo to find out what it
should prompt to the user. I do not have a lot of knowledge about the sudo code
internals; I hope the patch is not too bad. What do you think?

Cheers,
 Michael
Comment 5 Michael Vogt 2005-08-04 08:08:28 MDT
Sorry if I look impatient, but has someone from the sudo team had a chance to
look at the append-prompt patch? It would make it possible to implement support
for pam_krb5 in gksudo cleanly.

Thanks,
 Michael
Comment 6 Martin Pitt 2007-11-14 08:21:30 MST
*** Bug 270 has been marked as a duplicate of this bug. ***
Comment 7 Martin Pitt 2007-11-14 08:27:29 MST
This has become much more pressing in 1.6.9, since this enables setlocale() by default and thus PAM uses localized password prompts. See http://www.gratisoft.us/bugzilla/show_bug.cgi?id=270#c2 for details.
Comment 8 Todd C. Miller 2007-11-14 09:35:29 MST
For the locale issue this is probably best solved by sudo using gettext() and looking up "Password: " in the current locale and using that to do the comparison.
Comment 9 Martin Pitt 2007-11-14 09:41:38 MST
Indeed, using something like

  dgettext("Linux-PAM", "Password: ")

should do the trick.
Comment 10 Todd C. Miller 2007-12-03 05:59:17 MST
Sudo 1.6.9p9 now localizes "Password: " before checking against the PAM prompt. Furthermore, a new sudoers option, passprompt_override, exists to force the sudo prompt to be used regardless. This option is now set by default if the -p flag is specified.
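
The prompt decision discussed in comments 2, 8 and 10, sketched as an added example (not sudo's own code and not part of the thread): the custom prompt replaces the PAM message only when that message is the stock password prompt or an override is requested, so challenge text stays visible otherwise. `select_prompt`, its parameters and all sample strings are assumptions; a caller would obtain `localized_std` from a lookup such as the `dgettext("Linux-PAM", "Password: ")` call mentioned in comment 9.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Length of s without trailing spaces, so "Password:" matches "Password: ". */
static size_t trimmed_len(const char *s)
{
    size_t n = strlen(s);
    while (n > 0 && s[n - 1] == ' ')
        n--;
    return n;
}

/* True if the PAM message is the stock password prompt, either untranslated
 * or in the translation the caller looked up for the current locale. */
static bool is_standard_prompt(const char *pam_msg, const char *localized_std)
{
    const char *known[] = { "Password: ", localized_std };
    size_t n = trimmed_len(pam_msg);

    for (size_t i = 0; i < 2; i++) {
        if (known[i] != NULL && n == trimmed_len(known[i]) &&
            strncmp(pam_msg, known[i], n) == 0)
            return true;
    }
    return false;
}

/* Hypothetical helper: choose the text to show for one PAM echo-off message. */
const char *select_prompt(const char *pam_msg, const char *user_prompt,
                          const char *localized_std, bool override)
{
    if (user_prompt == NULL)
        return pam_msg;            /* no -p / SUDO_PROMPT given */
    if (override || is_standard_prompt(pam_msg, localized_std))
        return user_prompt;        /* safe to replace, or forced */
    return pam_msg;                /* keep challenge text visible */
}

int main(void)
{
    /* Constructed sample PAM messages, not captured from a real module. */
    printf("%s\n", select_prompt("Passwort: ", "[gksudo] ", "Passwort: ", false));
    printf("%s\n", select_prompt("otp-md5 498 ab1234 ", "[gksudo] ", "Passwort: ", false));
    return 0;
}
```

With `override` set to true the second call returns the custom prompt and the challenge text is hidden, which is the trade-off raised in comment 2.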