Fix handling of EOF other than as caused by Ctrl-D

bjorn3 · bjorn3 · commit 2910eee37b29 · 2025-11-25T17:50:51.000+01:00
diff --git a/src/pam/rpassword.rs b/src/pam/rpassword.rs
@@ -128,18 +128,11 @@ fn read_unbuffered(
         })?;
 
         if read_byte == b'\n' || read_byte == b'\r' {
-            break;
+            return Ok(password);
         }
 
         if let Hidden::Yes(input) | Hidden::WithFeedback(input) = hide_input {
             if read_byte == input.term_orig.c_cc[VEOF] {
-                if state.pw_len == 0 {
-                    // In case of Ctrl-D we don't want to ask for a password a second time, so
-                    // return an error.
-                    return Err(PamError::NeedsPassword);
-                }
-
-                password.fill(0);
                 break;
             }
 
@@ -175,7 +168,13 @@ fn read_unbuffered(
         }
     }
 
-    Ok(password)
+    if state.pw_len == 0 {
+        // In case of EOF or Ctrl-D we don't want to ask for a password a second
+        // time, so return an error.
+        return Err(PamError::NeedsPassword);
+    } else {
+        Ok(password)
+    }
 }
 
 /// Write something and immediately flush
diff --git a/test-framework/sudo-compliance-tests/src/su.rs b/test-framework/sudo-compliance-tests/src/su.rs
@@ -98,7 +98,7 @@ fn required_password_is_target_users_fail() {
     let diagnostic = if sudo_test::is_original_sudo() {
         "Authentication failure"
     } else {
-        "Maximum 3 incorrect authentication attempts"
+        "Authentication failed, try again."
     };
     assert_contains!(output.stderr(), diagnostic);
 }
@@ -131,7 +131,7 @@ fn password_is_required_when_target_user_is_self() {
     let diagnostic = if sudo_test::is_original_sudo() {
         "Authentication failure"
     } else {
-        "Maximum 3 incorrect authentication attempts"
+        "Password is required"
     };
     assert_contains!(output.stderr(), diagnostic);
 }
diff --git a/test-framework/sudo-compliance-tests/src/su/syslog.rs b/test-framework/sudo-compliance-tests/src/su/syslog.rs
@@ -85,19 +85,16 @@ fn logs_every_failed_authentication_attempt() {
 
     eprintln!("\n--- /var/log/auth.log ---\n{auth_log}\n--- /var/log/auth.log ---\n");
 
-    if sudo_test::is_original_sudo() {
-        assert_contains!(
-            auth_log,
-            format!("su: pam_unix(su:auth): auth could not identify password for [{target_user}]")
-        );
+    assert_contains!(
+        auth_log,
+        format!("su: pam_unix(su:auth): auth could not identify password for [{target_user}]")
+    );
 
+    if sudo_test::is_original_sudo() {
         let tty = "none";
         assert_contains!(
             auth_log,
             format!("FAILED SU (to {target_user}) {invoking_user} on {tty}")
         );
-    } else {
-        let tty = "";
-        assert_contains!(auth_log, format!("su: pam_unix(su:auth): authentication failure; logname= uid={invoking_userid} euid=0 tty={tty} ruser={invoking_user} rhost=  user={target_user}"));
     }
 }
diff --git a/test-framework/sudo-compliance-tests/src/sudo/nopasswd.rs b/test-framework/sudo-compliance-tests/src/sudo/nopasswd.rs
@@ -141,9 +141,6 @@ fn v_flag_without_pwd_fails_if_nopasswd_is_not_set_for_all_users_entries() {
             );
         }
     } else {
-        assert_contains!(
-            stderr,
-            "[sudo: authenticate] Password: \nsudo: Authentication failed, try again.\n[sudo: authenticate] Password: \nsudo: Authentication failed, try again.\n[sudo: authenticate] Password: \nsudo: Maximum 3 incorrect authentication attempts"
-        );
+        assert_contains!(stderr, "Password is required");
     }
 }
diff --git a/test-framework/sudo-compliance-tests/src/sudo/pass_auth/stdin.rs b/test-framework/sudo-compliance-tests/src/sudo/pass_auth/stdin.rs
@@ -34,7 +34,7 @@ fn incorrect_password() {
     let diagnostic = if sudo_test::is_original_sudo() {
         "incorrect password attempt"
     } else {
-        "incorrect authentication attempt"
+        "Authentication failed, try again."
     };
     assert_contains!(output.stderr(), diagnostic);
 }
@@ -54,7 +54,7 @@ fn no_password() {
     let diagnostic = if sudo_test::is_original_sudo() {
         "no password was provided"
     } else {
-        "incorrect authentication attempt"
+        "Password is required"
     };
     assert_contains!(output.stderr(), diagnostic);
 }
diff --git a/test-framework/sudo-compliance-tests/src/sudo/passwd.rs b/test-framework/sudo-compliance-tests/src/sudo/passwd.rs
@@ -48,6 +48,6 @@ fn explicit_passwd_overrides_nopasswd() {
     if sudo_test::is_original_sudo() {
         assert_snapshot!(stderr);
     } else {
-        assert_contains!(stderr, "Maximum 3 incorrect authentication attempts");
+        assert_contains!(stderr, "Password is required");
     }
 }
diff --git a/test-framework/sudo-compliance-tests/src/sudo/password_retry.rs b/test-framework/sudo-compliance-tests/src/sudo/password_retry.rs
@@ -202,3 +202,32 @@ it could be that the image defaults to a high retry delay value; \
 you may want to increase NEW_DELAY_MICROS"
     );
 }
+
+#[test]
+fn no_password_retry_on_empty_stdin() {
+    let env = Env(format!("{USERNAME} ALL=(ALL:ALL) ALL"))
+        .user(User(USERNAME).password(PASSWORD))
+        .build();
+
+    let output = Command::new("sh")
+        .arg("-c")
+        .arg(format!("echo -n | sudo -S true"))
+        .as_user(USERNAME)
+        .output(&env);
+
+    output.assert_exit_code(1);
+
+    if sudo_test::is_original_sudo() {
+        assert_eq!(
+            output.stderr(),
+            "[sudo] password for ferris: \n\
+sudo: no password was provided\n\
+sudo: a password is required"
+        );
+    } else {
+        assert_eq!(
+            output.stderr(),
+            "[sudo: authenticate] Password: \nsudo: Password is required"
+        );
+    }
+}
diff --git a/test-framework/sudo-compliance-tests/src/sudo/sudoers.rs b/test-framework/sudo-compliance-tests/src/sudo/sudoers.rs
@@ -167,7 +167,7 @@ fn user_specifications_evaluated_bottom_to_top() {
     let diagnostic = if sudo_test::is_original_sudo() {
         "no password was provided"
     } else {
-        "incorrect authentication attempt"
+        "Password is required"
     };
     assert_contains!(output.stderr(), diagnostic);
 
diff --git a/test-framework/sudo-compliance-tests/src/sudo/syslog.rs b/test-framework/sudo-compliance-tests/src/sudo/syslog.rs
@@ -39,10 +39,5 @@ fn sudo_logs_every_failed_authentication_attempt() {
     assert!(!output.status().success());
 
     let auth_log = rsyslog.auth_log();
-    let diagnostic = if sudo_test::is_original_sudo() {
-        "auth could not identify password"
-    } else {
-        "authentication failure"
-    };
-    assert_contains!(auth_log, diagnostic);
+    assert_contains!(auth_log, "auth could not identify password");
 }
diff --git a/test-framework/sudo-compliance-tests/src/sudo/timestamp.rs b/test-framework/sudo-compliance-tests/src/sudo/timestamp.rs
@@ -141,7 +141,7 @@ fn cached_credential_not_shared_with_target_user_that_are_not_self() {
     let diagnostic = if sudo_test::is_original_sudo() {
         "a password is required"
     } else {
-        "Maximum 3 incorrect authentication attempts"
+        "Password is required"
     };
 
     assert_contains!(output.stderr(), diagnostic);
diff --git a/test-framework/sudo-compliance-tests/src/sudo/timestamp/remove.rs b/test-framework/sudo-compliance-tests/src/sudo/timestamp/remove.rs
@@ -56,7 +56,7 @@ fn has_a_user_global_effect() {
     let diagnostic = if sudo_test::is_original_sudo() {
         "1 incorrect password attempt"
     } else {
-        "incorrect authentication attempt"
+        "Authentication failed, try again."
     };
     assert_contains!(output.stderr(), diagnostic);
 }

Original file line number	Diff line number	Diff line change
`@@ -128,18 +128,11 @@ fn read_unbuffered(`
`128`	`128`	`})?;`
`129`	`129`
`130`	`130`	`if read_byte == b'\n' \|\| read_byte == b'\r' {`
`131`		`- break;`
	`131`	`+ return Ok(password);`
`132`	`132`	`}`
`133`	`133`
`134`	`134`	`if let Hidden::Yes(input) \| Hidden::WithFeedback(input) = hide_input {`
`135`	`135`	`if read_byte == input.term_orig.c_cc[VEOF] {`
`136`		`- if state.pw_len == 0 {`
`137`		`- // In case of Ctrl-D we don't want to ask for a password a second time, so`
`138`		`- // return an error.`
`139`		`- return Err(PamError::NeedsPassword);`
`140`		`- }`
`141`		`-`
`142`		`- password.fill(0);`
`143`	`136`	`break;`
`144`	`137`	`}`
`145`	`138`
`@@ -175,7 +168,13 @@ fn read_unbuffered(`
`175`	`168`	`}`
`176`	`169`	`}`
`177`	`170`
`178`		`- Ok(password)`
	`171`	`+ if state.pw_len == 0 {`
	`172`	`+ // In case of EOF or Ctrl-D we don't want to ask for a password a second`
	`173`	`+ // time, so return an error.`
	`174`	`+ return Err(PamError::NeedsPassword);`
	`175`	`+ } else {`
	`176`	`+ Ok(password)`
	`177`	`+ }`
`179`	`178`	`}`
`180`	`179`
`181`	`180`	`/// Write something and immediately flush`
Original file line number	Diff line number	Diff line change
`@@ -141,9 +141,6 @@ fn v_flag_without_pwd_fails_if_nopasswd_is_not_set_for_all_users_entries() {`
`141`	`141`	`);`
`142`	`142`	`}`
`143`	`143`	`} else {`
`144`		`- assert_contains!(`
`145`		`- stderr,`
`146`		`- "[sudo: authenticate] Password: \nsudo: Authentication failed, try again.\n[sudo: authenticate] Password: \nsudo: Authentication failed, try again.\n[sudo: authenticate] Password: \nsudo: Maximum 3 incorrect authentication attempts"`
`147`		`- );`
	`144`	`+ assert_contains!(stderr, "Password is required");`
`148`	`145`	`}`
`149`	`146`	`}`
Original file line number	Diff line number	Diff line change
`@@ -48,6 +48,6 @@ fn explicit_passwd_overrides_nopasswd() {`
`48`	`48`	`if sudo_test::is_original_sudo() {`
`49`	`49`	`assert_snapshot!(stderr);`
`50`	`50`	`} else {`
`51`		`- assert_contains!(stderr, "Maximum 3 incorrect authentication attempts");`
	`51`	`+ assert_contains!(stderr, "Password is required");`
`52`	`52`	`}`
`53`	`53`	`}`