Bug 786 - log_output prematurely terminates remote scripts
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.8.19
Hardware: PC Linux
Importance: low low
Assigned To: Todd C. Miller
Reported: 2017-05-05 12:46 MDT by Marcin Deranek
Modified: 2017-05-10 14:36 MDT

Description Marcin Deranek 2017-05-05 12:46:00 MDT
While trying to remotely run scripts using:

ssh user@host bash -s << EOF
script content
...
EOF

I noticed that scripts were misbehaving. The 'culprit' turned out to be the 'log_output' option (or other options which allocate a pseudo-tty, e.g. use_pty). For example:

* log_output disabled:
$ echo -e 'echo line1\nsudo echo line2\necho line3' | ssh -x localhost bash -s
line1
line2
line3

* log_output enabled:
$ echo -e 'echo line1\nsudo echo line2\necho line3' | ssh -x localhost bash -s
line1
line2

Considering the log_output option is meant for logging purposes, it should not impact execution of the script. Is there any way we could fix this?
Comment 1 Todd C. Miller 2017-05-05 14:29:16 MDT
When sudo runs the command in a pty it passes all input to the pty.  Due to buffering of the pty, there is no way for sudo to tell whether the command actually *wants* the input.  In this case, the subsequent lines of the standard input are being consumed by sudo and not by the parent shell.

If you enable log_input in sudoers you can see that the rest of stdin is logged to the stdin I/O log.  In this example, the stdin file consists of the line:

echo line3

This is why your script on stdin doesn't finish.

For interactive commands you can usually work around this by setting the following in sudoers:

Defaults exec_background

which will run the command in the background and thus be notified via SIGTTIN when it needs to read input.

However, that only works when there is a tty present, which is not the case here.

As long as input logging is not enabled sudo doesn't actually need to interpose itself and read stdin.

I've made the following commit: https://www.sudo.ws/repos/sudo/rev/a79edafdd307

which fixes the problem for me:

$ echo -e 'echo line1\nsudo echo line2\necho line3' | ssh -x localhost bash -s
line1
line2
line3
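
Added example, not part of the bug thread and not sudo's code: the stdin consumption described in Comment 1, reproduced without sudo. The `relay` function is a constructed stand-in for a pre-1.8.20 sudo running with log_output/use_pty; the `__DONE__` sentinel and the `</dev/null` redirection are assumptions of this example, not something the thread recommends.

```shell
# Constructed stand-in for a pre-1.8.20 sudo running with log_output/use_pty:
# it runs the command, then drains the rest of stdin the way a relay loop would.
RELAY='relay() { "$@"; cat >/dev/null; }'

# Pipe a script into "bash -s", as the ssh example in the report does.
# $1 is an optional redirection placed on the relay line.
# A sentinel line at the end marks a run that reached the end of the script.
run_script() {
    printf '%s\necho line1\nrelay echo line2 %s\necho line3\necho __DONE__\n' \
        "$RELAY" "$1" | bash -s
}

# Succeeds only if the sentinel was printed, i.e. the script was not cut short.
completed() {
    [ "$(printf '%s\n' "$1" | tail -n 1)" = "__DONE__" ]
}

# Run once with the child sharing the script's stdin, once with it detached.
for redir in "" "</dev/null"; do
    out=$(run_script "$redir"); status=$?
    if completed "$out"; then verdict=complete; else verdict=TRUNCATED; fi
    printf 'redirection=[%s] exit=%s %s\n%s\n\n' "$redir" "$status" "$verdict" "$out"
done
```

The truncated run still exits with status 0, so only the missing sentinel shows that the tail of the script never executed.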
Comment 2 Marcin Deranek 2017-05-06 01:13:22 MDT
I tried to apply the patch against 1.8.19p2, but it seems there were too many changes in the meantime, so I had to build the latest and indeed the latest version fixes the problem. Thank you.
Comment 3 Todd C. Miller 2017-05-10 10:34:04 MDT
Fixed in sudo 1.8.20, available now.
Comment 4 Marcin Deranek 2017-05-10 14:36:12 MDT
Thank you.