Skip to content

Implement askpass support #1354

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 11 commits into
base: main
Choose a base branch
from
Draft

Implement askpass support #1354

wants to merge 11 commits into from

Conversation

@bjorn3
Copy link
Collaborator

@bjorn3 bjorn3 commented Nov 26, 2025

This is still missing tests.

Fixes #1249
Based on #1346

@bjorn3 bjorn3 added this to the askpass milestone Nov 26, 2025
bjorn3 added 11 commits November 26, 2025 17:40
@bjorn3
Propagate all error kinds from pam::converse not just timeouts
79a7938 
This way they rather than silently discarding the error message and
doing another authentication attempt, they properly report the error
message and cause sudo to exit. This way for example pam_faillock won't
cause a persistent error like incorrect SUDO_ASKPASS value (once
implemented) to be treated as multiple successive failed password
attempts.
@bjorn3
Error fixes
01480db
@bjorn3
Don't retry authentication on password input error
551fecc 
For example a timeout or ctrl+d. In addition don't allow PAM to ask for
another password when an input error happened. We will still retry if
the password that was entered was incorrect of course. This matches the
behavior of og sudo.
@bjorn3
Move timeout error conversion into rpassword
402f1dc
@bjorn3
Review comment
38f95ea
@bjorn3
Fix handling of EOF other than as caused by Ctrl-D
e48db36
@bjorn3
Remove duplication of option names in reject_all
fd75330 
This makes it slightly easier to add options in the future.
@bjorn3
Add missing mark_fds_as_cloexec call for sudoedit
5aed156 
In practice I didn't observe any dangerous fds leaking to the editor
process. Only the sockets used for communication with the parent process
got leaked. The parent process already does not blindly trust writes to
those sockets, so leaking them is fine. Still as a defence-in-depth when
for example a PAM module forgets to close a file, add the missing
mark_fds_as_cloexec anyway.
@bjorn3
Add --askpass cli option
beda887
@bjorn3
Pass askpass option through the Context
e9c5eb3
@bjorn3
Implement askpass support
d637392
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

askpass

Development

Successfully merging this pull request may close these issues.

Add support for -A (askpass) commandline switch

1 participant

@bjorn3