Why does my text output on screen shift to the right side in a ksh environment?


Environment

  • Red Hat Enterprise Linux
  • sudoers
  • ksh

Issue

  • The impact of "use_pty" in /etc/sudoers and /etc/sudoers.d/* on printing text in the ksh environment.
  • My output text is always shifted to the right side when I use sudo -u <otheruser> to run a script as another user in the ksh environment.

Resolution

  • Confirm whether use_pty is enabled for your user in /etc/sudoers or /etc/sudoers.d/*.
    Use the command below to check:
sudo -l

For example:

$ sudo -l
Matching Defaults entries for testuser on node-0:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
    LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, !requiretty, use_pty  <<<##### ensure there is no "use_pty" or just "!use_pty".

If use_pty is enabled, please disable it.

Please note that if any file under /etc/sudoers.d/ contains "Defaults use_pty", it is treated as a global parameter, not a parameter for one user. A per-user sudo parameter should be set like this:

Defaults:<username> <parameter> # such as Defaults:testuser use_pty

OR

  • Don't use a pipeline such as | tee.
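
Added example, not part of the original solution: sudo -l shows the merged Defaults entries but not which file each one comes from, so this shell function scans sudoers-style files and reports every use_pty setting with its scope (global or per-user). The name find_use_pty and the sample files are constructed for illustration; it assumes one Defaults entry per line (no backslash continuations) and a single name after "Defaults:".

```shell
#!/bin/sh
# Added example (not from the original solution). find_use_pty and the sample
# files are constructed names. Assumes one Defaults entry per line (no
# backslash continuations) and a single name after "Defaults:".

# Print "<file> <scope> <on|off>" for every use_pty setting found.
find_use_pty() {
  awk '
    /^[ \t]*#/ { next }                      # comments and #include lines
    $1 ~ /^Defaults/ {
      b = substr($1, 9)                      # binding after "Defaults", e.g. ":testuser"
      if (b == "")                     scope = "global"
      else if (substr(b, 1, 1) == ":") scope = "user=" substr(b, 2)
      else                             scope = "other=" b   # @host, >runas, !cmnd
      line = $0
      sub(/^[ \t]*[^ \t]+[ \t]*/, "", line)  # drop the Defaults token itself
      n = split(line, opts, /[ \t]*,[ \t]*/) # options are comma-separated
      for (i = 1; i <= n; i++) {
        o = opts[i]; gsub(/[ \t]/, "", o)
        if (o == "use_pty")  print FILENAME, scope, "on"
        if (o == "!use_pty") print FILENAME, scope, "off"
      }
    }
  ' "$@"
}

# Constructed sample files: a global entry, a per-user entry, and a negated
# per-user entry preceded by a commented-out global one.
demo() {
  d=$(mktemp -d)
  printf 'Defaults env_reset, use_pty\n' > "$d/global"
  printf 'Defaults:testuser use_pty\ntestuser ALL=(ALL)  NOPASSWD: ALL\n' > "$d/testuser"
  printf '# Defaults use_pty\nDefaults:testuser !use_pty\n' > "$d/negated"
  (cd "$d" && find_use_pty global testuser negated)
  rm -rf "$d"
}

demo
```

On a real host, run find_use_pty /etc/sudoers /etc/sudoers.d/* as root, since these files are not world-readable.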

Root Cause

The description of use_pty from man sudoers:

     use_pty           If set, and sudo is running in a terminal, the command will be run in a pseudo-terminal (even if no I/O logging is being done).  If the sudo process is not attached to a terminal,
                       use_pty has no effect.

                       A malicious program run under sudo may be capable of injecting commands into the user's terminal or running a background process that retains access to the user's terminal device
                       even after the main program has finished executing.  By running the command in a separate pseudo-terminal, this attack is no longer possible.  This flag is off by default.

Diagnostic Steps

Steps to reproduce:

  1. Create a user with the sudoers setting below:
# cat /etc/sudoers.d/testuser
Defaults:testuser use_pty
testuser ALL=(ALL)  NOPASSWD: ALL
  2. Create a script that belongs to another user and contains an echo or printf command.
# cat /home/testuser2/testecho.sh 
#!/bin/bash
for i in `seq 0 5`;do
  echo "this is $i loop"
done
  3. Switch to the user that has "use_pty" enabled, enter the ksh environment, and use sudo -u <otheruser> to execute the script.
[testuser@node-0 ~]$ sudo -l
Matching Defaults entries for testuser on node-0:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
    LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, !requiretty, use_pty

User testuser may run the following commands on node-0:
    (ALL) NOPASSWD: ALL

[testuser@node-0 ~]$ ksh
$ echo $0
ksh

$ sudo -u testuser2 /home/testuser2/testecho.sh | tee /tmp/output1
this is 0 loop
              this is 1 loop
                            this is 2 loop
                                          this is 3 loop
                                                        this is 4 loop
                                                                      this is 5 loop
                                                                                    $
  4. When use_pty is disabled, or without the | tee pipeline, the text output is normal.
# without "|tee" pipeline.
$ sudo -l|grep use_pty
    XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, !requiretty, use_pty
$ sudo -u testuser2 /home/testuser2/testecho.sh                   
this is 0 loop
this is 1 loop
this is 2 loop
this is 3 loop
this is 4 loop
this is 5 loop

# without "use_pty".
$ sudo -l|grep use_pty                         
$ sudo -u testuser2 /home/testuser2/testecho.sh | tee /tmp/output1
this is 0 loop
this is 1 loop
this is 2 loop
this is 3 loop
this is 4 loop
this is 5 loop

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
