Skip to content

Propagate all error kinds from pam::converse not just timeouts #1346

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Propagate all error kinds from pam::converse not just timeouts #1346

wants to merge 6 commits into from

Conversation

@bjorn3
Copy link
Collaborator

@bjorn3 bjorn3 commented Nov 19, 2025

This way they rather than silently discarding the error message and doing another authentication attempt, they properly report the error message and cause sudo to exit. This way for example pam_faillock won't cause a persistent error like incorrect SUDO_ASKPASS value (once implemented) to be treated as multiple successive failed password attempts.

@bjorn3 bjorn3 requested a review from squell November 19, 2025 12:38
@bjorn3 bjorn3 added this to the askpass milestone Nov 19, 2025
@bjorn3 bjorn3 marked this pull request as draft November 19, 2025 13:34
@bjorn3 bjorn3 force-pushed the pam_propagate_error branch 3 times, most recently from 779da35 to ac1f3bf Compare November 24, 2025 12:32
@bjorn3 bjorn3 marked this pull request as ready for review November 24, 2025 12:35
squell
squell reviewed Nov 25, 2025
View reviewed changes
Copy link
Member

@squell squell left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The one thing I'm looking at is the capitalization of error messages. In the main error module I think we go for "lower case" (as ogsudo), but the PAM module capitalizes error messages. We should probably make this consistent, but I feel that is better handled as part of the main l10n work. (Which I do think this PR probably also helps with). I.e. that can be left as-is in this PR.

But, Is it possible to write a compliance test for this? E.g. read the password from stdin, make sure there is nothing on stdin, and then verifying that both ogsudo and sudo-rs only give one error message?

@bjorn3
Copy link
Collaborator Author

bjorn3 commented Nov 25, 2025

E.g. read the password from stdin, make sure there is nothing on stdin, and then verifying that both ogsudo and sudo-rs only give one error message?

og-sudo gives multiple error messages: without tty sudo ls gives:

sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: a password is required

while echo -n | sudo -S ls gives:

sudo: no password was provided
sudo: a password is required

@squell
Copy link
Member

squell commented Nov 25, 2025

E.g. read the password from stdin, make sure there is nothing on stdin, and then verifying that both ogsudo and sudo-rs only give one error message?

og-sudo gives multiple error messages: without tty sudo ls gives:

sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: a password is required

while echo -n | sudo -S ls gives:

sudo: no password was provided
sudo: a password is required

What I'm particularly interested in, this PR changes behaviour, and it would be nice to have a e2e-test (or preferably: a compliance test) for that; I'm guessing that right now we give something like "Maximum 3 incorrect authentication attempts" in the echo -n | sudo -S ls case.

This can then act as a regression test going forward.

@squell
Copy link
Member

squell commented Nov 25, 2025

Needless to say the rest of the changes LGTM.

@bjorn3
Copy link
Collaborator Author

bjorn3 commented Nov 25, 2025

Turns out the EOF handling was incorrect. It only worked for literal ctrl-d, not for a broken pipe. Pushed a commit to fix this and update all tests.

@bjorn3 bjorn3 force-pushed the pam_propagate_error branch from 2910eee to 654a8c5 Compare November 26, 2025 09:21
@bjorn3 bjorn3 mentioned this pull request Nov 26, 2025
Draft
@bjorn3
Propagate all error kinds from pam::converse not just timeouts
79a7938 
This way they rather than silently discarding the error message and
doing another authentication attempt, they properly report the error
message and cause sudo to exit. This way for example pam_faillock won't
cause a persistent error like incorrect SUDO_ASKPASS value (once
implemented) to be treated as multiple successive failed password
attempts.
@bjorn3
Error fixes
01480db
@bjorn3
Don't retry authentication on password input error
551fecc 
For example a timeout or ctrl+d. In addition don't allow PAM to ask for
another password when an input error happened. We will still retry if
the password that was entered was incorrect of course. This matches the
behavior of og sudo.
@bjorn3
Move timeout error conversion into rpassword
402f1dc
@bjorn3
Review comment
38f95ea
@bjorn3
Fix handling of EOF other than as caused by Ctrl-D
e48db36
@bjorn3 bjorn3 force-pushed the pam_propagate_error branch from 654a8c5 to e48db36 Compare November 26, 2025 16:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@squell squell squell left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

askpass

Development

Successfully merging this pull request may close these issues.

2 participants

@bjorn3 @squell