Bug 620 - When using -S option, always read first line of stdin
Status: RESOLVED INVALID
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.8.7
Hardware: PC Other
Importance: low security
Assigned To: Todd C. Miller
Reported: 2013-11-07 17:22 MST by bugzilla
Modified: 2013-11-07 20:13 MST (History)

Description bugzilla 2013-11-07 17:22:24 MST
When using sudo in a script with the -S option, it consumes the first line of input if the user is not already authenticated, but doesn't consume it if a password was not required. This can cause the password to be revealed if the command that sudo executes unexpectedly gets the password and publishes it somewhere.
Comment 1 Todd C. Miller 2013-11-07 20:13:58 MST
If you always want sudo to consume the password you should use the -k option in conjunction with -S.  For example, the following will always consume the password:

$ echo test123 | sudo -Sk id

Using the -k option along with a command should work for sudo versions 1.7.1 and higher.
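
A static check for the pattern discussed in this report, added here as an example (it is not code from the reporter or from the sudo project): it flags script lines that invoke sudo with -S but without -k, so the password line is consumed only when sudo happens to prompt. The TAKES_VALUE set is an assumed subset of sudo's value-taking short options, and the sample script is constructed.

```python
import shlex
TAKES_VALUE = set("ugpCU")  # value-taking short options (assumed subset; extend as needed)

def sudo_flags(argv):
    """Collect the options sudo itself parses, stopping where the command begins."""
    flags, i = set(), 0
    while i < len(argv):
        tok = argv[i]
        if tok in ("-", "--") or not tok.startswith("-"):
            break                       # first non-option token is the command
        if tok.startswith("--"):
            flags.add(tok.split("=", 1)[0])
        else:
            for pos, ch in enumerate(tok[1:]):
                flags.add("-" + ch)
                if ch in TAKES_VALUE:
                    if pos == len(tok) - 2:
                        i += 1          # value is the following token
                    break               # otherwise the rest of the cluster is the value
        i += 1
    return flags

def find_unsafe_sudo_stdin(script):
    """Return (line number, text) for each sudo call that has -S but lacks -k."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), 1):
        lex = shlex.shlex(line, posix=True, punctuation_chars=True)
        lex.whitespace_split = True     # needs Python 3.8+ with punctuation_chars
        try:
            toks = list(lex)
        except ValueError:              # unbalanced quotes: statement spans lines
            continue
        for idx, tok in enumerate(toks):
            if tok == "sudo" or tok.endswith("/sudo"):
                flags = sudo_flags(toks[idx + 1:])
                if flags & {"-S", "--stdin"} and not flags & {"-k", "--reset-timestamp"}:
                    findings.append((lineno, line.strip()))
    return findings

# Constructed sample script, not taken from the bug report.
SAMPLE = r"""#!/bin/sh
echo "$PW" | sudo -S id
echo "$PW" | sudo -Sk id
echo "$PW"|/usr/bin/sudo -u root -S systemctl restart app
echo "$PW" | sudo -k -S -p '' id
sudo -n ls -S /tmp
"""

if __name__ == "__main__":
    print(find_unsafe_sudo_stdin(SAMPLE))
```

The check works line by line, so commands continued across lines or built up in variables are not seen.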