[Bug 2153817] Re: PAM_TTY is wrongly computed by sudo-rs

Marco Trevisan (TreviƱo) 2153817 at bugs.launchpad.net
Thu May 21 18:46:29 UTC 2026 

Upstream fix proposed at https://github.com/trifectatechfoundation/sudo-
rs/pull/1591

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to rust-sudo-rs in Ubuntu.
https://bugs.launchpad.net/bugs/2153817

Title:
  PAM_TTY is wrongly computed by sudo-rs

Status in rust-sudo-rs package in Ubuntu:
  In Progress

Bug description:
  PAM_TTY is not properly computed by sudo-rs when input redirection or
  IO streams are unset or closed.

  With this minimal reproducer (that simulates what sshuttle does):

  ```
  #!/usr/bin/env python3

  import shutil
  import socket
  import subprocess
  import sys

  
  def main() -> int:
      sudo = shutil.which("sudo") or "sudo"
      #sudo = "/home/user-sudo/sudo"
      sudo = "/usr/lib/cargo/bin/sudo"
      #sudo = "/usr/bin/sudo.ws"
      cmd = [sudo, "-p", "[local sudo] Password: ", "id"]

      s1, s2 = socket.socketpair()

      def setup() -> None:
          s2.close()

      # Match sshuttle default behavior: do not pass stdin, inherit it.
      #proc = subprocess.Popen(cmd, stdout=s1, preexec_fn=setup)
      proc = subprocess.Popen(cmd, stdin=subprocess.DEVNULL, stdout=s1, preexec_fn=setup)
      s1.close()

      output = s2.makefile("rb").read()
      if output:
          sys.stdout.buffer.write(output)

      rc = proc.wait()
      s2.close()
      return rc

  
  if __name__ == "__main__":
      raise SystemExit(main())
  ```

  Modify /etc/pam.d/sudo so that it contains:

    auth optional pam_exec.so stdout /usr/bin/env

  When using sudo.ws:

  PAM_SERVICE=sudo
  PAM_USER=user-sudo
  PAM_TTY=/dev/pts/1
  PAM_RUSER=user-sudo
  PAM_TYPE=auth

  When using sudo-rs:

  PAM_SERVICE=sudo
  PAM_USER=user-sudo
  PAM_RUSER=user-sudo
  PAM_TYPE=auth

  So PAM_TTY is missing, even though we are in a terminal. This may make
  PAM modules not to properly handle things in the right way, and in
  particular authd will not run the right client for the conversation.

  See also https://github.com/canonical/authd/issues/901

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rust-sudo-rs/+bug/2153817/+subscriptions

More information about the foundations-bugs mailing list