Bugzilla – Bug 895
sudo, redirection, PAM_TEXT_INFO, and fingerprint readers
Last modified: 2022-08-02 07:08:09 MDT
A common use of sudo (especially in scripts) is to use it with redirection. E.g.:

sudo privileged-command > results.txt

or:

sudo privileged-command | process-output-of-privileged-command

The problem is that this wide-spread pattern is wrong, and will produce unexpected results on certain systems. The reason for that is that sudo may invoke PAM modules which use the PAM conversation API with SUDO_CONV_INFO_MSG. The canonical implementation of handling SUDO_CONV_INFO_MSG, and the one which sudo also uses, is to print the message to standard output. However, by doing so, the message from the PAM module will end up mixed with the output of the executed command.

An example (and possibly the most common cause) of this is the pam_fprintd module, which prints the message "Swipe your finger across the fingerprint reader" using PAM_TEXT_INFO. Here is the downstream bug report filed against my project: https://github.com/CyberShadow/aconfmgr/issues/14

In principle, one could say that redirecting the output of sudo was never supported, and should never be done. However, the fact that this works on most systems, and that it is already a common practice, puts us in a bad situation where people are likely to continue using this pattern oblivious to the fact that it is technically incorrect and will not work for users of pam_fprintd and other modules which use PAM_TEXT_INFO. The default behavior of closing file descriptors >=3 also makes working around this issue more tedious (files or named fifos need to be used instead to separate sudo/PAM output from output of executed command).

Perhaps it is possible to improve the situation with a change to sudo. I noticed that sudo implements its own PAM conversation hook (sudo_conversation in src/conversation.c). Would it be reasonable to make SUDO_CONV_PREFER_TTY the default behavior, or at least, default for the sudoers plugin?
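As an added example (not part of the bug report or of sudo itself), the following POSIX sh wrapper contrasts the naive redirect pattern with the file-based workaround the report describes: the privileged command writes into a temp file the caller created, so anything sudo or a PAM module prints to stdout (such as the pam_fprintd prompt) stays out of the captured output. SUDO_CMD is a hypothetical hook so the wrapper can be exercised with a stand-in for sudo.

```shell
#!/bin/sh
# Added example, not from the bug report. SUDO_CMD is a hypothetical override
# (defaults to the real sudo) so the functions can be tested without PAM.
SUDO_CMD=${SUDO_CMD:-sudo}

# Naive pattern from the report: whatever sudo (or a PAM module via
# SUDO_CONV_INFO_MSG) writes to stdout is captured together with the
# command's own output.
naive_capture() {
    $SUDO_CMD "$@"
}

# Workaround: the caller creates a temp file and the privileged command
# redirects its own stdout into it, so only that output reaches our stdout.
# Handing sudo a pre-opened fd >=3 would not work, because sudo closes those
# by default; a path is passed instead. sudo's own stdout (PAM info messages)
# is diverted to stderr so a caller capturing stdout never sees it.
safe_capture() {
    out=$(mktemp) || return 1
    # Inside the inner sh, "$0" is the temp file path and "$@" is the command.
    if $SUDO_CMD sh -c 'exec "$@" > "$0"' "$out" "$@" 1>&2; then
        status=0
    else
        status=$?
    fi
    cat "$out"
    rm -f "$out"
    return $status
}
```

With the real sudo, the temp file keeps the caller's ownership and 0600 mode because the privileged command only truncates and writes it.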
Yes, I think it makes sense for sudo to use SUDO_CONV_PREFER_TTY when authenticating the user. Sudo already uses /dev/tty (when available) for the password prompt so using it for PAM info messages would be more consistent with the non-PAM behavior. I just committed a change that does that which will be in sudo 1.8.28: https://www.sudo.ws/repos/sudo/rev/546082c674b7
Fixed in sudo 1.8.28
Hi, just wanted to drop a very belated THANK YOU! :) This greatly simplified things on my end and hopefully for many other situations too.