Enable the use_pty option by default for sudo 1.9.14.

GitHub issue #258

Author: millert

docs/UPGRADE.md

@@ -1,6 +1,30 @@
 Notes on upgrading from an older release
 ========================================
 
+ * Upgrading from a version prior to 1.9.14:
+
+   Sudo now runs commands in a new pseudo-terminal by default.  This
+   can prevent a malicious program run via sudo from accessing the
+   user's terminal device after the command completes.
+
+   When sudo runs a command in a new pseudo-terminal, an additional
+   process is created to monitor the command's status and pass
+   terminal control signals between the two terminals.  See the
+   "Process model" subsection in the sudo manual and the description
+   of the "use_pty" option in the sudoers manual for more information.
+
+   A side effect of running the command in a new pseudo-terminal
+   is that sudo must pass input from the user's terminal to the
+   pseudo-terminal, even if the command being run does not require
+   the input.  The "exec_background" option in sudoers can be used
+   to prevent this, but some screen-oriented commands may not operate
+   properly when run as a background process.
+
+   To restore the historic behavior where a command is run in the
+   user's terminal, add the following line to the sudoers file:
+
+       Defaults !use_pty
+
  * Upgrading from a version prior to 1.9.13:
 
    Sudo now builds AIX-style shared libraries and dynamic shared
@@ -166,7 +190,6 @@ Notes on upgrading from an older release
    those names, sudo, and visudo will report a syntax error with a
    message like "syntax error: unexpected TIMEOUT, expecting ALIAS".
 
-   Starting with version 1.9.3, sudoers rules must end in either
    Prior to version 1.8.20, when log_input, log_output, or use_pty
    were enabled, if any of the standard input, output, or error
    were not connected to a terminal, sudo would use a pipe.  The

docs/sudoers.man.in

@@ -25,7 +25,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.TH "SUDOERS" "@mansectform@" "March 28, 2023" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "@mansectform@" "April 6, 2023" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -4214,8 +4214,7 @@ by default.
 use_pty
 If set, and
 \fBsudo\fR
-is running in a terminal, the command will be run in a pseudo-terminal
-(even if no I/O logging is being done).
+is running in a terminal, the command will be run in a new pseudo-terminal.
 If the
 \fBsudo\fR
 process is not attached to a terminal,
@@ -4231,7 +4230,7 @@ executing.
 By running the command in a separate pseudo-terminal, this attack is
 no longer possible.
 This flag is
-\fIoff\fR
+\fIon\fR
 by default.
 .TP 18n
 user_command_timeouts

docs/sudoers.mdoc.in

@@ -25,7 +25,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.Dd March 28, 2023
+.Dd April 6, 2023
 .Dt SUDOERS @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -3988,8 +3988,7 @@ by default.
 .It use_pty
 If set, and
 .Nm sudo
-is running in a terminal, the command will be run in a pseudo-terminal
-(even if no I/O logging is being done).
+is running in a terminal, the command will be run in a new pseudo-terminal.
 If the
 .Nm sudo
 process is not attached to a terminal,
@@ -4005,7 +4004,7 @@ executing.
 By running the command in a separate pseudo-terminal, this attack is
 no longer possible.
 This flag is
-.Em off
+.Em on
 by default.
 .It user_command_timeouts
 If set, the user may specify a timeout on the command line.

plugins/sudoers/defaults.c

@@ -559,6 +559,7 @@ init_defaults(void)
     def_log_format = sudo;
     def_runas_allow_unknown_id = false;
     def_noninteractive_auth = false;
+    def_use_pty = true;
 
     /* Syslog options need special care since they both strings and ints */
 #if (LOGGING & SLOG_SYSLOG)