Red Hat Bugzilla – Bug 170160
Sudo display password entry when AT&T ksh is login shell
Last modified: 2007-11-30 17:07:08 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20051004 Firefox/1.0.7 (Ubuntu package 1.0.7)
Description of problem:
When users with ksh as their login shell use sudo their password entry is displayed on the screen instead of being blanked out like it normally is.
Behavior does not occur with ksh as a non-login shell, but is seen with either their shell in /etc/passwd is ksh or if they invoke ksh with 'ksh -l'. i386 boxes with the same version of ksh don't seem to have this problem.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. ksh -l
2. sudo ls /root
3. Type things in the password prompt
Actual Results: You see the characters you typed on the screen
Expected Results: Characters should have been blanked out to protect password
I've installed RHEL-3_x86_64 U6 on my system and cannot reproduce this problem.
Did you encounter this on the console or while using KDE/Gnome ?
Which terminal and which language settings did you use ?
- echo $TERM
- echo $LANG
I see this behavior from the console or when I ssh in (I've seen it with both
Linux openssh clients and Windows FSecure and putty). The box is a server so I
don't have X installed on it.
From my linux client:
$ echo $TERM
PID TTY TIME CMD
21856 pts/5 00:00:00 ksh
21877 pts/5 00:00:00 ps
$ echo $LANG
$ sudo bash
The output is basically the same from the other locations, except the $TERM is
linux from the console and vt100 from the Windows SSH clients.
I still cannot reproduce this with the same TERM and LANG settings. Any ideas from
the sudo maintainer ? I always thought that sudo would disable echoing the
password input altogether and not just make it 'invisible', so I'm not sure
what is happening here.
Created attachment 119830 [details]
testcase with tgetpass() from RHEL3 sudo
Please, try this attachment on your system.
$ gcc -g -O2 -Wall -o tgetpass tgetpass.c
Type any text:
your text: "qwer"
Note that it's same code as the sudo uses for password reading. Please, I would
like to see "strace ./tgetpass", if you're able reproduce the "echoing" problem
with this test. Thanks.
Created attachment 119839 [details]
strace of tgetpass
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet that criteria, it is now being closed.
For more information of the RHEL errata support policy, please visit:
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.