Public bug reported:
PAM_TTY is not properly computed by sudo-rs when input redirection or IO
streams are unset or closed.
With this minimal reproducer (that simulates what sshuttle does):
```
#!/usr/bin/env python3
import shutil
import socket
import subprocess
import sys


def main() -> int:
    sudo = shutil.which("sudo") or "sudo"
    #sudo = "/home/user-sudo/sudo"
    sudo = "/usr/lib/cargo/bin/sudo"
    #sudo = "/usr/bin/sudo.ws"
    cmd = [sudo, "-p", "[local sudo] Password: ", "id"]
    s1, s2 = socket.socketpair()

    def setup() -> None:
        s2.close()

    # Match sshuttle default behavior: do not pass stdin, inherit it.
    #proc = subprocess.Popen(cmd, stdout=s1, preexec_fn=setup)
    proc = subprocess.Popen(cmd, stdin=subprocess.DEVNULL, stdout=s1,
                            preexec_fn=setup)
    s1.close()
    output = s2.makefile("rb").read()
    if output:
        sys.stdout.buffer.write(output)
    rc = proc.wait()
    s2.close()
    return rc


if __name__ == "__main__":
    raise SystemExit(main())
```
Modify /etc/pam.d/sudo so that it contains:
```
auth optional pam_exec.so stdout /usr/bin/env
```
When using sudo.ws:
```
PAM_SERVICE=sudo
PAM_USER=user-sudo
PAM_TTY=/dev/pts/1
PAM_RUSER=user-sudo
PAM_TYPE=auth
```
When using sudo-rs:
```
PAM_SERVICE=sudo
PAM_USER=user-sudo
PAM_RUSER=user-sudo
PAM_TYPE=auth
```
So PAM_TTY is missing, even though we are in a terminal. This may cause
PAM modules to handle things incorrectly, and in
particular authd will not run the right client for the conversation.
See also https://github.com/canonical/authd/issues/901
** Affects: rust-sudo-rs (Ubuntu)
Importance: High
Assignee: Marco Trevisan (Treviño) (3v1n0)
Status: In Progress
https://bugs.launchpad.net/bugs/2153817
Title:
PAM_TTY is wrongly computed by sudo-rs
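An added diagnostic example, not code from sudo-rs, sudo.ws or the bug reporter: one way a Linux process can still name its terminal when stdin is `/dev/null` and stdout is a socket, as in the reproducer above. It tries each standard descriptor, then falls back to the controlling terminal recorded in `/proc/self/stat`. All function names and the sample stat line are constructed for illustration.

```python
import os
import stat
from typing import Optional, Tuple

# Constructed sample /proc/<pid>/stat prefix; the comm field contains ") ".
SAMPLE_STAT = "4242 (odd) name) S 4000 4242 4000 34817 4242 4194304"

def parse_tty_nr(stat_line: str) -> int:
    """Return tty_nr (field 7) from a /proc/<pid>/stat line."""
    # comm may contain spaces and ')', so split after the last ')'.
    rest = stat_line[stat_line.rindex(")") + 2:].split()
    return int(rest[4])  # rest[0] is field 3 (state), rest[4] is field 7

def decode_tty_nr(tty_nr: int) -> Tuple[int, int]:
    """Split tty_nr into (major, minor): major is bits 15-8, minor bits 31-20 and 7-0."""
    return (tty_nr >> 8) & 0xFF, (tty_nr & 0xFF) | ((tty_nr >> 12) & 0xFFF00)

def device_path(major: int, minor: int, dirs=("/dev/pts", "/dev")) -> Optional[str]:
    """Find the character device node whose device number is (major, minor)."""
    want = os.makedev(major, minor)
    for d in dirs:
        try:
            names = sorted(os.listdir(d))
        except OSError:
            continue
        for name in names:
            path = os.path.join(d, name)
            try:
                st = os.lstat(path)  # lstat: ignore symlinks such as /dev/stderr
            except OSError:
                continue
            if stat.S_ISCHR(st.st_mode) and st.st_rdev == want:
                return path
    return None

def find_tty(fds=(0, 1, 2), stat_path="/proc/self/stat") -> Optional[str]:
    """Name the terminal even if some standard streams are redirected or closed."""
    for fd in fds:
        try:
            return os.ttyname(fd)  # OSError if fd is closed or not a terminal
        except OSError:
            continue
    try:
        with open(stat_path) as f:
            tty_nr = parse_tty_nr(f.read())
    except (OSError, ValueError, IndexError):
        return None
    # tty_nr == 0 means the process has no controlling terminal.
    return device_path(*decode_tty_nr(tty_nr)) if tty_nr else None

if __name__ == "__main__":
    print("PAM_TTY candidate:", find_tty())
```

Running it from a terminal with `< /dev/null` shows whether a terminal name is still recoverable in the situation the report describes.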