diff -up ./doc/sudoers.cat.manpage ./doc/sudoers.cat
--- ./doc/sudoers.cat.manpage 2017-09-11 15:16:47.443869930 +0200
+++ ./doc/sudoers.cat 2017-09-11 15:42:15.140500826 +0200
@@ -1088,13 +1088,19 @@ SSUUDDOOEERRSS OOPPTTIIOONN
connected to the user's tty, due to I/O redirection or
because the command is part of a pipeline, that input
is also captured and stored in a separate log file.
- For more information, see the _I_/_O _L_O_G _F_I_L_E_S section.
- This flag is _o_f_f by default.
+ Anything sent to the standard input will be consumed,
+ regardless of whether or not the command run via ssuuddoo
+ is actually reading the standard input. This may have
+ unexpected results when using ssuuddoo in a shell script
+ that expects to process the standard input. For more
+ information about I/O logging, see the _I_/_O _L_O_G _F_I_L_E_S
+ section. This flag is _o_f_f by default.
log_output If set, ssuuddoo will run the command in a pseudo-tty and
log all output that is sent to the screen, similar to
- the script(1) command. For more information, see the
- _I_/_O _L_O_G _F_I_L_E_S section. This flag is _o_f_f by default.
+ the script(1) command. For more information about I/O
+ logging, see the _I_/_O _L_O_G _F_I_L_E_S section. This flag is
+ _o_f_f by default.
log_year If set, the four-digit year will be logged in the (non-
syslog) ssuuddoo log file. This flag is _o_f_f by default.
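Review bot: "This may have unexpected results" in the added log_input text does not tell the reader what to look for. Since the sentence before it says the input is consumed whether or not the command reads it, name the case directly, for example a script loop that reads from the same standard input and finds nothing left after the first sudo call. It would also help to state whether the warning applies only when standard input is not the user's tty, which is the situation the preceding context sentence sets up.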
@@ -1396,13 +1402,18 @@ SSUUDDOOEERRSS OOPPTTIIOONN
not needed, this option can be disabled to reduce the
load on the LDAP server. This flag is _o_n by default.
- use_pty If set, ssuuddoo will run the command in a pseudo-pty even
- if no I/O logging is being gone. A malicious program
- run under ssuuddoo could conceivably fork a background
- process that retains to the user's terminal device
- after the main program has finished executing. Use of
- this option will make that impossible. This flag is
- _o_f_f by default.
+ use_pty If set, and ssuuddoo is running in a terminal, the command
+ will be run in a pseudo-pty (even if no I/O logging is
+ being done). If the ssuuddoo process is not attached to a
+ terminal, _u_s_e___p_t_y has no effect.
+
+ A malicious program run under ssuuddoo may be capable of
+ injecting injecting commands into the user's terminal
+ or running a background process that retains access to
+ the user's terminal device even after the main program
+ has finished executing. By running the command in a
+ separate pseudo-pty, this attack is no longer possible.
+ This flag is _o_f_f by default.
utmp_runas If set, ssuuddoo will store the name of the runas user when
updating the utmp (or utmpx) file. By default, ssuuddoo
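Review bot: The added use_pty paragraph reads "injecting injecting commands into the user's terminal"; drop the doubled word. The same doubled word appears in the use_pty hunks for sudoers.man.in and sudoers.mdoc.in, so correct it there as well rather than only in this formatted copy.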
@@ -2135,11 +2146,11 @@ LLOOGG FFOORRMMAATT
II//OO LLOOGG FFIILLEESS
When I/O logging is enabled, ssuuddoo will run the command in a pseudo-tty
- and log all user input and/or output. I/O is logged to the directory
- specified by the _i_o_l_o_g___d_i_r option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a
- unique session ID that is included in the ssuuddoo log line, prefixed with
- ``TSID=''. The _i_o_l_o_g___f_i_l_e option may be used to control the format of
- the session ID.
+ and log all user input and/or output, depending on which options are
+ are enabled. I/O is logged to the directory specified by the _i_o_l_o_g___d_i_r
+ option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a unique session ID that is
+ included in the ssuuddoo log line, prefixed with "TSID=". The _i_o_l_o_g___f_i_l_e
+ option may be used to control the format of the session ID.
Each I/O log is stored in a separate directory that contains the
following files:
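Review bot: The reflowed sentence now reads "depending on which options are" / "are enabled", with "are" doubled across the line break. The matching hunks in sudoers.man.in and sudoers.mdoc.in have a single "are", so this copy is out of step with them. This hunk also changes ``TSID='' to "TSID=", which none of the other visible hunks touch; if that is intentional it should be mentioned in the change description.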
diff -up ./doc/sudoers.man.in.manpage ./doc/sudoers.man.in
--- ./doc/sudoers.man.in.manpage 2017-09-11 15:16:47.444869925 +0200
+++ ./doc/sudoers.man.in 2017-09-11 15:16:47.456869864 +0200
@@ -2300,7 +2300,14 @@ will run the command in a pseudo-tty and
If the standard input is not connected to the user's tty, due to
I/O redirection or because the command is part of a pipeline, that
input is also captured and stored in a separate log file.
-For more information, see the
+Anything sent to the standard input will be consumed, regardless of
+whether or not the command run via
+\fBsudo\fR
+is actually reading the standard input.
+This may have unexpected results when using
+\fBsudo\fR
+in a shell script that expects to process the standard input.
+For more information about I/O logging, see the
\fII/O LOG FILES\fR
section.
This flag is
@@ -2314,7 +2321,7 @@ will run the command in a pseudo-tty and
to the screen, similar to the
script(1)
command.
-For more information, see the
+For more information about I/O logging, see the
\fII/O LOG FILES\fR
section.
This flag is
@@ -2934,14 +2941,24 @@ This flag is
by default.
.TP 18n
use_pty
-If set,
+If set, and
\fBsudo\fR
-will run the command in a pseudo-pty even if no I/O logging is being gone.
+is running in a terminal, the command will be run in a pseudo-pty
+(even if no I/O logging is being done).
+If the
+\fBsudo\fR
+process is not attached to a terminal,
+\fIuse_pty\fR
+has no effect.
+.sp
A malicious program run under
\fBsudo\fR
-could conceivably fork a background process that retains to the user's
-terminal device after the main program has finished executing.
-Use of this option will make that impossible.
+may be capable of injecting injecting commands into the user's
+terminal or running a background process that retains access to the
+user's terminal device even after the main program has finished
+executing.
+By running the command in a separate pseudo-pty, this attack is
+no longer possible.
This flag is
\fIoff\fR
by default.
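Review bot: "this attack is no longer possible" follows a sentence that describes two separate behaviours, injecting commands into the user's terminal and a background process that retains access to the terminal device. Say "these attacks are no longer possible", or state which of the two the separate pty prevents. The doubled "injecting injecting" in the line before "terminal or running a background process" also needs one word removed.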
@@ -4281,7 +4298,8 @@ word wrap will be disabled.
.SH "I/O LOG FILES"
When I/O logging is enabled,
\fBsudo\fR
-will run the command in a pseudo-tty and log all user input and/or output.
+will run the command in a pseudo-tty and log all user input and/or output,
+depending on which options are enabled.
I/O is logged to the directory specified by the
\fIiolog_dir\fR
option
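Review bot: "depending on which options are enabled" leaves the reader to guess which options are meant. The log_input and log_output descriptions both point to this section, so name them here, for example "depending on whether log_input, log_output or both are enabled".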
diff -up ./doc/sudoers.mdoc.in.manpage ./doc/sudoers.mdoc.in
--- ./doc/sudoers.mdoc.in.manpage 2017-09-11 15:16:47.445869920 +0200
+++ ./doc/sudoers.mdoc.in 2017-09-11 15:16:47.456869864 +0200
@@ -2155,7 +2155,14 @@ will run the command in a pseudo-tty and
If the standard input is not connected to the user's tty, due to
I/O redirection or because the command is part of a pipeline, that
input is also captured and stored in a separate log file.
-For more information, see the
+Anything sent to the standard input will be consumed, regardless of
+whether or not the command run via
+.Nm sudo
+is actually reading the standard input.
+This may have unexpected results when using
+.Nm sudo
+in a shell script that expects to process the standard input.
+For more information about I/O logging, see the
.Sx "I/O LOG FILES"
section.
This flag is
@@ -2168,7 +2175,7 @@ will run the command in a pseudo-tty and
to the screen, similar to the
.Xr script 1
command.
-For more information, see the
+For more information about I/O logging, see the
.Sx "I/O LOG FILES"
section.
This flag is
@@ -2752,14 +2759,24 @@ This flag is
.Em on
by default.
.It use_pty
-If set,
+If set, and
.Nm sudo
-will run the command in a pseudo-pty even if no I/O logging is being gone.
+is running in a terminal, the command will be run in a pseudo-pty
+(even if no I/O logging is being done).
+If the
+.Nm sudo
+process is not attached to a terminal,
+.Em use_pty
+has no effect.
+.Pp
A malicious program run under
.Nm sudo
-could conceivably fork a background process that retains to the user's
-terminal device after the main program has finished executing.
-Use of this option will make that impossible.
+may be capable of injecting injecting commands into the user's
+terminal or running a background process that retains access to the
+user's terminal device even after the main program has finished
+executing.
+By running the command in a separate pseudo-pty, this attack is
+no longer possible.
This flag is
.Em off
by default.
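Review bot: The rewritten use_pty text keeps "pseudo-pty" in both "will be run in a pseudo-pty" and "a separate pseudo-pty", while the log_input and log_output descriptions in this same file say "pseudo-tty". Since these lines are being rewritten anyway, settle on one term across the page. The doubled "injecting injecting" is present in this hunk as well.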
@@ -3976,7 +3993,8 @@ word wrap will be disabled.
.Sh I/O LOG FILES
When I/O logging is enabled,
.Nm sudo
-will run the command in a pseudo-tty and log all user input and/or output.
+will run the command in a pseudo-tty and log all user input and/or output,
+depending on which options are enabled.
I/O is logged to the directory specified by the
.Em iolog_dir
option