Actually, a typical invocation of sudo does not read the password from stdin at all. Instead, sudo will directly access the controlling terminal (a tty or pty, via the /dev/tty special file) and output the prompt and read characters directly. This can be seen in the tgetpass.c file in the sudo source.
There are a few other scenarios:
- If an `askpass` program is specified, e.g. in the `-A` param, that program will be invoked.
- Otherwise, if you specifically request `sudo` to read from `stdin`, e.g. with the `-S` flag, it will do so, and it will also write the prompt to `stderr`. This is the case where MadHatter's answer applies.
- Otherwise, if there is no `tty` available:
  - If password echo is disabled (it is by default, controlled by the `visiblepw` flag in `sudoers`), `sudo` will report an error: `no tty present and no askpass program specified`
  - Otherwise, `sudo` will fall back to using `stdin` and `stderr` even if it was not specifically requested. MadHatter's answer will also apply here.
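The lookup order described in the answer above, modelled in Python as an added example; it is not sudo's code and not part of the original answer. The function names and the parameters `askpass`, `use_stdin`, `visiblepw` and `tty_path` are hypothetical stand-ins for `-A`, `-S`, the `visiblepw` sudoers flag and `/dev/tty`, and the helper calling convention (prompt as argument, password on standard output) is an assumption.

```python
import os
import subprocess
import sys
import termios

def read_from_tty(fd, prompt):
    """Prompt and read one line on the terminal itself, with echo off."""
    saved = termios.tcgetattr(fd)
    noecho = termios.tcgetattr(fd)
    noecho[3] &= ~termios.ECHO              # index 3 is the local-flags word
    termios.tcsetattr(fd, termios.TCSAFLUSH, noecho)
    try:
        os.write(fd, prompt.encode())
        line = b""
        while not line.endswith(b"\n"):
            ch = os.read(fd, 1)
            if not ch:                      # EOF or hangup
                break
            line += ch
    finally:
        termios.tcsetattr(fd, termios.TCSAFLUSH, saved)
        os.write(fd, b"\n")                 # echo was off, so end the line ourselves
    return line.rstrip(b"\r\n").decode()

def read_password(prompt="Password: ", askpass=None, use_stdin=False,
                  visiblepw=False, tty_path="/dev/tty"):
    """Return (source, password); source is 'askpass', 'tty' or 'stdin'."""
    if askpass:                             # like -A: the helper prints the password
        out = subprocess.run([askpass, prompt], stdout=subprocess.PIPE, check=True)
        return "askpass", out.stdout.decode().rstrip("\n")
    if not use_stdin:                       # no -S: go to the terminal directly
        try:
            fd = os.open(tty_path, os.O_RDWR | os.O_NOCTTY)
        except OSError:
            if not visiblepw:               # without a tty the echo cannot be hidden
                raise RuntimeError(
                    "no tty present and no askpass program specified")
        else:
            try:
                return "tty", read_from_tty(fd, prompt)
            finally:
                os.close(fd)
    sys.stderr.write(prompt)                # -S, or the visiblepw fallback
    sys.stderr.flush()
    return "stdin", sys.stdin.readline().rstrip("\n")
```

When a terminal is available and `use_stdin` is false, whatever is piped into standard input is never consulted, which is why piping a password into a plain `sudo` invocation has no effect.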