[sudo-users] disable logging to /var/log/messages

Russell Van Tassell russell+sudo-users at loosenut.com
Mon Aug 29 15:21:46 EDT 2005

On Sun, Aug 28, 2005 at 10:28:06AM +0200, Francesco Turco wrote:
> Matthew Stier ha scritto:
> >Not a feature most people would want in a security program.
> >
> >Are you sure you need to run it as 'root'.
> >Does a 'group' have "read" permissions to that device?  Have you 
> >considered setting the executable set group ID to that group?
> fctk at thorium ~ $ ls -l /dev/hda
> brw-rw----  1 root root 3, 0 28 ago  2005 /dev/hda
> fctk at thorium ~ $ ls -l /usr/sbin/hddtemp
> -rwxr-xr-x  1 root root 21504 16 ago 20:30 /usr/sbin/hddtemp
> how can i do to realize what you suggested?

Just run:

	sudo chmod g+s /usr/sbin/hddtemp

...then it'll be setgid, which should have read access to /dev/hda and
then shouldn't need root (though technically it'll be running under GID
root, which opens up a few other possible holes, too).

You *might* also be able to do something like the following for your
monitoring user (in the sudoers file) so-as to avoid logging:

Defaults>monuser          !syslog=local7

...then make sure that facility is logging to /dev/null.  The caveat
with this (other than the fact that it may *not* work, there) is that
you will now lose *all* messages generated by that user (so you can miss
attacks like someone trying to chain sudo to acquire root).

But, perhaps a sillier question... why are you running the command every
second?  Most trending routines (much less efficient monitoring systems
won't like any delta under a minute, much less five).  Sorry, just a
random passing thought...

Russell M. Van Tassell
russell at loosenut.com

"I love deadlines.  I especially like the whooshing sound they make as
 they go flying by."

More information about the sudo-users mailing list