diff -up ./doc/sudoers.cat.manpage ./doc/sudoers.cat
--- ./doc/sudoers.cat.manpage	2017-09-11 15:16:47.443869930 +0200
+++ ./doc/sudoers.cat	2017-09-11 15:42:15.140500826 +0200
@@ -1088,13 +1088,19 @@ SSUUDDOOEERRSS OOPPTTIIOONN
                        connected to the user's tty, due to I/O redirection or
                        because the command is part of a pipeline, that input
                        is also captured and stored in a separate log file.
-                       For more information, see the _I_/_O _L_O_G _F_I_L_E_S section.
-                       This flag is _o_f_f by default.
+                       Anything sent to the standard input will be consumed,
+                       regardless of whether or not the command run via ssuuddoo
+                       is actually reading the standard input.  This may have
+                       unexpected results when using ssuuddoo in a shell script
+                       that expects to process the standard input.  For more
+                       information about I/O logging, see the _I_/_O _L_O_G _F_I_L_E_S
+                       section.  This flag is _o_f_f by default.
 
      log_output        If set, ssuuddoo will run the command in a pseudo-tty and
                        log all output that is sent to the screen, similar to
-                       the script(1) command.  For more information, see the
-                       _I_/_O _L_O_G _F_I_L_E_S section.  This flag is _o_f_f by default.
+                       the script(1) command.  For more information about I/O
+                       logging, see the _I_/_O _L_O_G _F_I_L_E_S section.  This flag is
+                       _o_f_f by default.
 
      log_year          If set, the four-digit year will be logged in the (non-
                        syslog) ssuuddoo log file.  This flag is _o_f_f by default.
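Review bot: In the log_input entry, the added sentence "This may have unexpected results when using sudo in a shell script that expects to process the standard input" stops short of naming the result. The sentence before it already says input is consumed whether or not the command reads it, so state outright that the remainder of the script will find its standard input already drained; that gives anyone auditing scripts that call sudo under log_input something concrete to look for.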
@@ -1396,13 +1402,18 @@ SSUUDDOOEERRSS OOPPTTIIOONN
                        not needed, this option can be disabled to reduce the
                        load on the LDAP server.  This flag is _o_n by default.
 
-     use_pty           If set, ssuuddoo will run the command in a pseudo-pty even
-                       if no I/O logging is being gone.  A malicious program
-                       run under ssuuddoo could conceivably fork a background
-                       process that retains to the user's terminal device
-                       after the main program has finished executing.  Use of
-                       this option will make that impossible.  This flag is
-                       _o_f_f by default.
+     use_pty           If set, and ssuuddoo is running in a terminal, the command
+                       will be run in a pseudo-pty (even if no I/O logging is
+                       being done).  If the ssuuddoo process is not attached to a
+                       terminal, _u_s_e___p_t_y has no effect.
+
+                       A malicious program run under ssuuddoo may be capable of
+                       injecting injecting commands into the user's terminal
+                       or running a background process that retains access to
+                       the user's terminal device even after the main program
+                       has finished executing.  By running the command in a
+                       separate pseudo-pty, this attack is no longer possible.
+                       This flag is _o_f_f by default.
 
      utmp_runas        If set, ssuuddoo will store the name of the runas user when
                        updating the utmp (or utmpx) file.  By default, ssuuddoo
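Review bot: The second added use_pty paragraph reads "injecting injecting commands" across the line wrap; drop the duplicate word. The paragraph also names two behaviours (injecting commands into the terminal, and a background process that retains the terminal device) and then says "this attack is no longer possible"; "these attacks are" would match what precedes it.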
@@ -2135,11 +2146,11 @@ LLOOGG FFOORRMMAATT
 
 II//OO LLOOGG FFIILLEESS
      When I/O logging is enabled, ssuuddoo will run the command in a pseudo-tty
-     and log all user input and/or output.  I/O is logged to the directory
-     specified by the _i_o_l_o_g___d_i_r option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a
-     unique session ID that is included in the ssuuddoo log line, prefixed with
-     ``TSID=''.  The _i_o_l_o_g___f_i_l_e option may be used to control the format of
-     the session ID.
+     and log all user input and/or output, depending on which options are
+     are enabled. I/O is logged to the directory specified by the _i_o_l_o_g___d_i_r 
+     option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a unique session ID that is 
+     included in the ssuuddoo log line, prefixed with "TSID=". The _i_o_l_o_g___f_i_l_e
+     option may be used to control the format of the session ID.
 
      Each I/O log is stored in a separate directory that contains the
      following files:
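Review bot: The rewritten I/O LOG FILES paragraph ends one line with "which options are" and starts the next with "are enabled", a doubled word that the matching sudoers.man.in and sudoers.mdoc.in hunks do not contain. The added lines here also carry trailing spaces after _i_o_l_o_g___d_i_r and after "that is", switch to a single space after periods, and replace ``TSID='' with "TSID=", none of which the other two files change. This file's new timestamp (15:42) is later than the other two (15:16), which suggests it was edited by hand afterwards; bring it back in line with the text in the other two files.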
diff -up ./doc/sudoers.man.in.manpage ./doc/sudoers.man.in
--- ./doc/sudoers.man.in.manpage	2017-09-11 15:16:47.444869925 +0200
+++ ./doc/sudoers.man.in	2017-09-11 15:16:47.456869864 +0200
@@ -2300,7 +2300,14 @@ will run the command in a pseudo-tty and
 If the standard input is not connected to the user's tty, due to
 I/O redirection or because the command is part of a pipeline, that
 input is also captured and stored in a separate log file.
-For more information, see the
+Anything sent to the standard input will be consumed, regardless of
+whether or not the command run via
+\fBsudo\fR
+is actually reading the standard input.
+This may have unexpected results when using
+\fBsudo\fR
+in a shell script that expects to process the standard input.
+For more information about I/O logging, see the
 \fII/O LOG FILES\fR
 section.
 This flag is
@@ -2314,7 +2321,7 @@ will run the command in a pseudo-tty and
 to the screen, similar to the
 script(1)
 command.
-For more information, see the
+For more information about I/O logging, see the
 \fII/O LOG FILES\fR
 section.
 This flag is
@@ -2934,14 +2941,24 @@ This flag is
 by default.
 .TP 18n
 use_pty
-If set,
+If set, and
 \fBsudo\fR
-will run the command in a pseudo-pty even if no I/O logging is being gone.
+is running in a terminal, the command will be run in a pseudo-pty
+(even if no I/O logging is being done).
+If the
+\fBsudo\fR
+process is not attached to a terminal,
+\fIuse_pty\fR
+has no effect.
+.sp
 A malicious program run under
 \fBsudo\fR
-could conceivably fork a background process that retains to the user's
-terminal device after the main program has finished executing.
-Use of this option will make that impossible.
+may be capable of injecting injecting commands into the user's
+terminal or running a background process that retains access to the
+user's terminal device even after the main program has finished
+executing.
+By running the command in a separate pseudo-pty, this attack is
+no longer possible.
 This flag is
 \fIoff\fR
 by default.
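Review bot: "may be capable of injecting injecting commands into the user's" repeats a word in the added use_pty text; correct it in this file as well as in sudoers.cat so the two stay in agreement. The same hunk does fix the earlier "being gone" to "being done", so a second pass over the new wording before merging is worthwhile.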
@@ -4281,7 +4298,8 @@ word wrap will be disabled.
 .SH "I/O LOG FILES"
 When I/O logging is enabled,
 \fBsudo\fR
-will run the command in a pseudo-tty and log all user input and/or output.
+will run the command in a pseudo-tty and log all user input and/or output,
+depending on which options are enabled.
 I/O is logged to the directory specified by the
 \fIiolog_dir\fR
 option
diff -up ./doc/sudoers.mdoc.in.manpage ./doc/sudoers.mdoc.in
--- ./doc/sudoers.mdoc.in.manpage	2017-09-11 15:16:47.445869920 +0200
+++ ./doc/sudoers.mdoc.in	2017-09-11 15:16:47.456869864 +0200
@@ -2155,7 +2155,14 @@ will run the command in a pseudo-tty and
 If the standard input is not connected to the user's tty, due to
 I/O redirection or because the command is part of a pipeline, that
 input is also captured and stored in a separate log file.
-For more information, see the
+Anything sent to the standard input will be consumed, regardless of
+whether or not the command run via
+.Nm sudo
+is actually reading the standard input.
+This may have unexpected results when using
+.Nm sudo
+in a shell script that expects to process the standard input.
+For more information about I/O logging, see the
 .Sx "I/O LOG FILES"
 section.
 This flag is
@@ -2168,7 +2175,7 @@ will run the command in a pseudo-tty and
 to the screen, similar to the
 .Xr script 1
 command.
-For more information, see the
+For more information about I/O logging, see the
 .Sx "I/O LOG FILES"
 section.
 This flag is
@@ -2752,14 +2759,24 @@ This flag is
 .Em on
 by default.
 .It use_pty
-If set,
+If set, and
 .Nm sudo
-will run the command in a pseudo-pty even if no I/O logging is being gone.
+is running in a terminal, the command will be run in a pseudo-pty
+(even if no I/O logging is being done).
+If the
+.Nm sudo
+process is not attached to a terminal,
+.Em use_pty
+has no effect.
+.Pp
 A malicious program run under
 .Nm sudo
-could conceivably fork a background process that retains to the user's
-terminal device after the main program has finished executing.
-Use of this option will make that impossible.
+may be capable of injecting injecting commands into the user's
+terminal or running a background process that retains access to the
+user's terminal device even after the main program has finished
+executing.
+By running the command in a separate pseudo-pty, this attack is
+no longer possible.
 This flag is
 .Em off
 by default.
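Review bot: The added line after ".Nm sudo" again reads "may be capable of injecting injecting commands"; remove the repeated word here too. As in the other files, the closing sentence says "this attack" after describing two distinct behaviours, so the plural would be more accurate.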
@@ -3976,7 +3993,8 @@ word wrap will be disabled.
 .Sh I/O LOG FILES
 When I/O logging is enabled,
 .Nm sudo
-will run the command in a pseudo-tty and log all user input and/or output.
+will run the command in a pseudo-tty and log all user input and/or output,
+depending on which options are enabled.
 I/O is logged to the directory specified by the
 .Em iolog_dir
 option