** Description changed:
PAM_TTY is not properly computed by sudo-rs when input redirection or IO
streams are unset or closed.
With this minimal reproducer (that simulates what sshuttle does):
```
#!/usr/bin/env python3
import shutil
import socket
import subprocess
import sys
+ def main() -> int:
+ sudo = shutil.which("sudo") or "sudo"
+ #sudo = "/usr/lib/cargo/bin/sudo"
+ #sudo = "/usr/bin/sudo.ws"
+ cmd = [sudo, "-p", "[local sudo] Password: ", "id"]
- def main() -> int:
- sudo = shutil.which("sudo") or "sudo"
- #sudo = "/home/user-sudo/sudo"
- sudo = "/usr/lib/cargo/bin/sudo"
- #sudo = "/usr/bin/sudo.ws"
- cmd = [sudo, "-p", "[local sudo] Password: ", "id"]
+ s1, s2 = socket.socketpair()
- s1, s2 = socket.socketpair()
+ def setup() -> None:
+ s2.close()
- def setup() -> None:
- s2.close()
+ # Match sshuttle default behavior: do not pass stdin, inherit it.
+ #proc = subprocess.Popen(cmd, stdout=s1, preexec_fn=setup)
+ proc = subprocess.Popen(cmd, stdin=subprocess.DEVNULL, stdout=s1,
preexec_fn=setup)
+ s1.close()
- # Match sshuttle default behavior: do not pass stdin, inherit it.
- #proc = subprocess.Popen(cmd, stdout=s1, preexec_fn=setup)
- proc = subprocess.Popen(cmd, stdin=subprocess.DEVNULL, stdout=s1,
preexec_fn=setup)
- s1.close()
+ output = s2.makefile("rb").read()
+ if output:
+ sys.stdout.buffer.write(output)
- output = s2.makefile("rb").read()
- if output:
- sys.stdout.buffer.write(output)
-
- rc = proc.wait()
- s2.close()
- return rc
-
+ rc = proc.wait()
+ s2.close()
+ return rc
if __name__ == "__main__":
- raise SystemExit(main())
+ raise SystemExit(main())
```
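Review bot: The comment "Match sshuttle default behavior: do not pass stdin, inherit it." does not match the active call beneath it, which passes stdin=subprocess.DEVNULL, while the variant that inherits stdin is the one commented out. Either reword the comment or say which of the two Popen calls triggers the missing PAM_TTY. The new text also drops the hard-coded sudo = "/usr/lib/cargo/bin/sudo" assignment, so the script runs whatever shutil.which("sudo") finds; a sentence telling readers which commented line to enable for sudo-rs and which for sudo.ws would make the comparison reproducible. The leading indentation is gone on every line, so the script cannot be run as pasted.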
Modify /etc/pam.d/sudo so that it contains:
- auth optional pam_exec.so stdout /usr/bin/env
+ auth optional pam_exec.so stdout /usr/bin/env
When using sudo.ws:
PAM_SERVICE=sudo
PAM_USER=user-sudo
PAM_TTY=/dev/pts/1
PAM_RUSER=user-sudo
PAM_TYPE=auth
When using sudo-rs:
PAM_SERVICE=sudo
PAM_USER=user-sudo
PAM_RUSER=user-sudo
PAM_TYPE=auth
So PAM_TTY is missing, even though we are in a terminal. This may cause
PAM modules to not handle things properly, and in
particular authd will not run the right client for the conversation.
See also https://github.com/canonical/authd/issues/901
** Tags added: rls-ss-incoming
https://bugs.launchpad.net/bugs/2153817
Title:
PAM_TTY is wrongly computed by sudo-rs
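One way to resolve the terminal when stdin or stdout is redirected or closed, shown as an added example (not code from sudo-rs, sudo.ws or the bug report): try each standard stream, then fall back to the controlling terminal recorded in /proc/self/stat. The function names and sample stat lines are constructed for illustration, and the Linux-only /proc fallback is an assumption about one possible approach.

```python
import os
from typing import Optional

PTS_MAJOR = 136  # Unix98 pty slave major on Linux
VT_MAJOR = 4     # virtual consoles /dev/ttyN (minor 1..63)

def tty_nr_from_stat(stat_line: str) -> int:
    """Extract tty_nr (field 7) from a /proc/<pid>/stat line."""
    # comm (field 2) is parenthesised and may contain spaces or ')',
    # so split on the LAST ')' rather than on whitespace.
    rest = stat_line.rsplit(")", 1)[1].split()
    # rest = state, ppid, pgrp, session, tty_nr, ...
    return int(rest[4])

def device_from_tty_nr(tty_nr: int) -> Optional[str]:
    """Decode the kernel's dev_t encoding into a device path."""
    if tty_nr == 0:
        return None  # process has no controlling terminal
    major = (tty_nr >> 8) & 0xFFF
    minor = (tty_nr & 0xFF) | ((tty_nr >> 12) & 0xFFF00)
    if major == PTS_MAJOR:
        return f"/dev/pts/{minor}"
    if major == VT_MAJOR and minor < 64:
        return f"/dev/tty{minor}"
    return None  # other drivers (serial, ...) are left out of this example

def resolve_tty() -> Optional[str]:
    """Return the terminal path even if stdin/stdout are redirected."""
    for fd in (0, 1, 2):
        try:
            return os.ttyname(fd)
        except OSError:
            continue  # closed fd, /dev/null, socket, pipe ...
    try:
        with open("/proc/self/stat") as f:
            return device_from_tty_nr(tty_nr_from_stat(f.read()))
    except (OSError, IndexError, ValueError):
        return None

# Constructed stat lines (not captured from a real system).
SAMPLE_PTS1 = "4242 (sudo (test)) S 4100 4242 4100 34817 4242 4194304 0 0"
SAMPLE_NOTTY = "77 (daemon) S 1 77 77 0 -1 4194304 0 0"

if __name__ == "__main__":
    print("PAM_TTY candidate:", resolve_tty())
```

Running it with stdin, stdout and stderr all redirected in a terminal session exercises the /proc fallback; the value it prints can be compared with the PAM_TTY line that pam_exec reports.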