If I do:
sudo cat /etc/resolv.conf | less
It will prompt me for the password, even though less (presumably) takes stdin. Over what fd's is the password prompt shown and how does it get the input back?
Add a comment
|
2 Answers
Actually, a typical invocation of sudo does not read the password from stdin at all. Instead, sudo will directly access the controlling terminal (a tty or pty, via the /dev/tty special file) and output the prompt and read characters directly. This can be seen in the tgetpass.c file in the sudo source.
There are a few other scenarios:
- If an
askpassprogram is specified, e.g. in the-Aparam, that program will be invoked. - Otherwise, if you specifically request
sudoto read fromstdin, e.g. with the-Sflag -- and it will also write the prompt tostderr. This is the case where MadHatter's answer applies. - Otherwise, if there is no
ttyavailable- If password echo is disabled (it is by default, controlled by the
visiblepwflag insudoers),sudowill report an error:no tty present and no askpass program specified - Otherwise,
sudowill fall back to usingstdinandstderreven if it was not specifically requested. MadHatter's answer will also apply here.
- If password echo is disabled (it is by default, controlled by the
The pipe connects sudo cat's stdout to less's stdin, so sudo cat's stdin is unaffected, and able to receive the password.
As for the prompt, it goes out on sudo cat's stderr; in bash, try redirecting that along with stdout, using
sudo cat /etc/resolv.conf |& less
and see how different the response is.
answered Oct 27, 2015 at 8:37
-
16While this answer is correct in that
sudo's stdin is still connected to the terminal with the example command, that's not directly relevant to how it gets its password: by defaultsudowill not request passwords via stdin nor will it show the prompt viastderr-- you can try2>/dev/nullto confirm that. Instead,sudodirectly accesses the tty.– BobOct 27, 2015 at 13:01