As a rule in the Debian 10 hardening guide, and various other audit guides of the Center for Internet Security (CIS), setting the use_pty sudoers option is recommended for the following rationale:
Attackers can run a malicious program using sudo which would fork a background process that remains even when the main program has finished executing.
In the sudoers man page, it is described that running a background process that retains access to the user's terminal after the main process has finished executing is no longer possible when the commands are run in a separate pseudo-terminal.
I don't really grasp the nuance here. What does it mean to run the sudo command in a separate pseudo-terminal, and why is the background process attack no longer possible when this flag is set?
What other ramifications does setting use_pty have?
Thank you!
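An added example, not part of the original question or of any CIS tooling: a Python check of whether a sudoers policy sets use_pty. It goes a little beyond a plain grep by handling line continuations, negation (`!use_pty`) and scoped Defaults entries that carve out exceptions. The sample policy, the function names and the simplified parsing (include directives are not followed, scopes contain no whitespace) are assumptions.

```python
import re

# Constructed sample policy for the demonstration (not from a real host).
SAMPLE = '''\
Defaults env_reset, \\
         use_pty   # trailing comment
Defaults:backup !use_pty
Defaults secure_path="/usr/sbin:/usr/bin", logfile="/var/log/sudo.log"
%sudo ALL=(ALL:ALL) ALL
'''

DEFAULTS_RE = re.compile(r"^Defaults([:@>!]\S+)?\s+(.*)$")
OPTION_RE = re.compile(r'(?:"[^"]*"|[^,])+')  # split on commas outside quotes
FLAG_RE = re.compile(r"(!?)\s*use_pty")


def logical_lines(text):
    """Yield sudoers lines with continuations joined and comments removed."""
    for raw in re.sub(r"\\\r?\n", " ", text).splitlines():
        line = raw.strip()
        if line.startswith("#"):  # comment or include directive (not followed)
            continue
        line = re.sub(r"\s#.*$", "", line).strip()
        if line:
            yield line


def audit_use_pty(text):
    """Return (global_state, scoped_disables).

    global_state is True/False from the last unscoped Defaults entry that
    names use_pty, or None when it is never set explicitly.
    scoped_disables lists scopes (e.g. ':backup') that carry '!use_pty'.
    """
    global_state, scoped = None, {}
    for line in logical_lines(text):
        m = DEFAULTS_RE.match(line)
        if not m:
            continue
        scope, options = m.groups()
        for token in OPTION_RE.findall(options):
            flag = FLAG_RE.fullmatch(token.strip())
            if flag:
                enabled = flag.group(1) != "!"
                if scope is None:
                    global_state = enabled  # later entries override earlier ones
                else:
                    scoped[scope] = enabled
    return global_state, sorted(s for s, on in scoped.items() if not on)
```

A result of `None` means the policy text never sets the flag, so the effective value is whatever the installed sudo defaults to.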