Bug 867 - sudo modifies command output, showing "Last login: ..." info
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudoers
Version: 1.8.26
Hardware: All Linux
Importance: low normal
Assigned To: Larrymuters0
Depends on:
Blocks:
Reported: 2019-01-05 15:50 MST by Nir Soffer
Modified: 2019-07-11 06:35 MDT

See Also:


Attachments
0001-Avoid-pam_lastlog-prompts-in-non-interactive-mode.patch (3.03 KB, patch)
2019-01-05 15:50 MST, Nir Soffer
v2-0001-Avoid-pam_lastlog-prompts-unless-running-a-shell.patch (3.12 KB, patch)
2019-01-06 15:25 MST, Nir Soffer
Software change (29 bytes, text/plain)
2019-07-11 06:35 MDT, Larrymuters0

Description Nir Soffer 2019-01-05 15:50:34 MST
Created attachment 520
0001-Avoid-pam_lastlog-prompts-in-non-interactive-mode.patch

If sudo is configured to include session system-auth:

    $ cat /etc/pam.d/sudo
    ... 
    session    include      system-auth

And system-auth is using pam_lastlog plugin:

    $ cat /etc/pam.d/system-auth
    ... 
    session     required      pam_lastlog.so showfailed

This configuration probably tries to satisfy:
http://people.redhat.com/swells/scap-security-guide/tables/table-rhel7-nistrefs-ospp-rhel7.html
(See CCE-27275-7 Set Last Logon/Access Notification) 

Running a command in non-interactive mode adds the last login
info to the command's stdout:

    $ echo "expected-output" | sudo -n cat 
    Last login: Tue Jan  1 23:31:22 IST 2019 on pts/1
    expected-output

This breaks use cases where command output is consumed by another
program. A real example is running LVM commands using sudo: LVM
output is built to be consumed by programs, and those programs assume
that sudo does not modify the output in any way.

Here is an example failure caused by this issue:
https://bugzilla.redhat.com/1662449

$ sudo --version
Sudo version 1.8.23
Sudoers policy plugin version 1.8.23
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.23

I could not find where to send patches, so I'm attaching a patch here.
The patch was tested on CentOS 7.6.
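As an added example (not the reporter's patch and not sudo's own code), the following POSIX sh script performs the two static checks a practitioner would want before trusting sudo in a pipeline on a given host: whether the sudo PAM session stack reaches pam_lastlog (following include, substack and Debian-style @include directives, which goes beyond the single include shown above), and whether a sudo version string predates the 1.8.27 fix release named later in this bug. The function names are this example's own, and the /etc/pam.d-style files it writes to a temporary directory are constructed samples, only shaped like the configuration quoted in the report.

```sh
#!/bin/sh
# Added example, not code from the bug report or from sudo itself.
# Static check for the condition described in the report: does sudo's PAM
# session stack reach pam_lastlog, and is the installed sudo older than 1.8.27?
# Function names are this example's own. Caveats: backslash line continuations
# and "#" inside module arguments are not handled, and a vendor backport of the
# fix cannot be told apart from an unfixed build by its version string.

# pam_session_modules DIR SERVICE [DEPTH]
# Print the module of every "session" line reachable from DIR/SERVICE,
# following "include", "substack" and Debian-style "@include" directives.
pam_session_modules() {
    [ "${3:-0}" -gt 8 ] && return 0            # guard against include loops
    [ -r "$1/$2" ] || return 0                 # missing service file: nothing to report
    sed 's/#.*//' "$1/$2" |
    awk '$1 == "session" {
             i = 2
             # a bracketed control value such as [success=1 default=ignore] spans fields
             if ($2 ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++ }
             c = ($2 ~ /^\[/) ? "[" : $2
             print c, $(i + 1)
         }
         $1 == "@include" { print "include", $2 }' |
    while read -r ctrl module; do
        [ -n "$module" ] || continue
        case "$ctrl" in
            include|substack) pam_session_modules "$1" "$module" $((${3:-0} + 1)) ;;
            *)                echo "$module" ;;
        esac
    done
}

# sudo_session_uses_lastlog DIR -> exit 0 if pam_lastlog.so is reachable from DIR/sudo
sudo_session_uses_lastlog() {
    pam_session_modules "$1" sudo | sed 's,.*/,,' | grep -q '^pam_lastlog\.so$'
}

# sudo_version_affected VERSION -> exit 0 if VERSION sorts before 1.8.27 (the fix release)
sudo_version_affected() {
    awk -v v="$1" 'BEGIN {
        n = split(v, a, ".")                   # "1.8.23" -> 1, 8, 23; "27p1" + 0 is 27
        split("1.8.27", fix, ".")
        for (i = 1; i <= 3; i++) {
            x = (i <= n) ? a[i] + 0 : 0
            if (x < fix[i] + 0) exit 0
            if (x > fix[i] + 0) exit 1
        }
        exit 1                                 # exactly 1.8.27: fixed
    }'
}

# make_sample_pamd DIR: constructed sample service files (assumption), shaped like
# the RHEL 7 layout in the report: sudo includes system-auth, which ends in pam_lastlog.
make_sample_pamd() {
    mkdir -p "$1"
    cat > "$1/sudo" <<'EOF'
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
session    include      system-auth
EOF
    cat > "$1/system-auth" <<'EOF'
auth        required      pam_env.so
account     required      pam_unix.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     required      pam_lastlog.so showfailed
EOF
}

# Demo on the constructed sample; on a real host run
# "pam_session_modules /etc/pam.d sudo" and feed "sudo -V | head -1" to the version check.
demo=$(mktemp -d)
make_sample_pamd "$demo"
echo "session modules reachable from sudo:"
pam_session_modules "$demo" sudo
sudo_session_uses_lastlog "$demo" && echo "pam_lastlog is in the sudo session stack"
sudo_version_affected 1.8.23 && echo "sudo 1.8.23 predates the 1.8.27 fix"
rm -rf "$demo"
```

A host is exposed when both checks succeed. A version string cannot reveal a distribution backport of the fix, so the definitive test remains the one in the report: `echo expected-output | sudo -n cat` must print only `expected-output`.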
Comment 1 Todd C. Miller 2019-01-05 19:23:42 MST
I think it would be best to always pass PAM_SILENT to pam_open_session()
unless a shell is being run (sudo -s or sudo -i).  It doesn't seem reasonable to expect people to use the -n flag any time they run sudo in a pipeline.
Comment 2 Nir Soffer 2019-01-06 13:06:15 MST
I agree, it would be more friendly like that. Working on the next
version.
Comment 3 Nir Soffer 2019-01-06 15:25:02 MST
Created attachment 521
v2-0001-Avoid-pam_lastlog-prompts-unless-running-a-shell.patch

Changes in v2:
- Be silent by default, unless running an actual shell.
Comment 4 Todd C. Miller 2019-01-07 09:53:17 MST
Slightly different fix committed:
https://www.sudo.ws/repos/sudo/rev/b8b5d3445a3c

There's no need to check for MODE_IMPLIED_SHELL, it is only set in addition to MODE_SHELL.
Comment 5 Todd C. Miller 2019-01-12 10:03:14 MST
Fixed in sudo 1.8.27, out now.
Comment 6 Larrymuters0 2019-07-11 06:35:24 MDT
Created attachment 528
Software change