[sudo-users] Does NOT result in the creation of sudo IO log directories by user name in /var/log/sudo-io as described in the sudoers manual

Simon K k_simon78 at yahoo.com
Fri Sep 28 03:12:02 EDT 2012


Hi All,

Machine : HP-UX

Architecture : 11.31

Sudo Version : 1.7.10b1


 
I
have  compiled and installed Sudo version 1.7.10b1 on HP-UX machine  and have observed the following behaviors that I believe
are NOT in keeping with the design of the tool:
 
setting
the following in sudoers:
Defaults
iolog_dir=/var/log/sudo-io/%{user}
 
does
NOT result in the creation of sudo IO log directories by user name in
/var/log/sudo-io as described in the sudoers manual found here: http://www.gratisoft.us/sudo/man/1.8.6/sudoers.man.html
 
iolog_dir
The
top-level directory to use when constructing the path name for the input/output
log directory. Only used if the log_input or log_output options are enabled or when
the LOG_INPUT or LOG_OUTPUT tags are present for a command. The session
sequence number, if any, is stored in the directory. The default is
/var/log/sudo-io.
The
following percent (‘%’) escape sequences are supported:
...
%{user}
expanded
to the invoking user's login name
...
 
As
an example, if a user with the username smitty su's to another username via
sudo with the above setting configured in sudoers, sudo should create a
directory (if it doesn't exist) of /var/log/sudo-io/smitty.  The only
thing that gets created in the /var/log/sudo-io directory is a directory called
%{user}.  If the directory already exists, I would expect sudo would write
log information to it.  The current Sudo implementation does NOT appear
to do either of these things, so I'm wondering if this is a result of some
missing configuration on my part, or if this is an actual known problem with
the Sudo product?  Is there some non-standard setting I need to make
somewhere that will enable this to work properly?
 
Additionally, Sudo does not adequately filter out the information provided by the
DISPLAY_LAST_LOGIN variable in /etc/default/security and also corrupts the
formatting of the output of the command being run when non-su-like commands are
run through sudo. 

Example:

# sudo ls /stand
Last successful login:       Mon Sep 24 10:31:14 MDT 2012
Last authentication failure: Fri Aug 24 07:02:23 MDT 2012
user-xxxx-yyy.com
.kc.lock
current
last_install      vmunix
backup
ext_ioconfig
lost+found        vpdb
boot.sys
ext_ioconfig.lkg
nextboot          vpdb.100608
bootconf
ioconfig          rootconf
vpdb.b4.upgrade
bootfs
ioconfig.lkg
system            vpmon
crashconfig
krs
system.prev

Note the printing of the last login information AND the formatting problems on the 2nd and 3rd lines of output - all for an ls command, which is not a command for which one would need to see last login information. The only way I can 'fix' this is to disable the DISPLAY_LAST_LOGIN setting in /etc/default/security, which is really little more than a band-aid fix for the real problem. This does not occur on other flavors of UNIX, so this is apparently something specific to HP-UX. Is this a by-design feature with the Sudo tool, or is there some plan to fix this?

Here is my current sudoers configuration:

Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
Defaults log_output
Defaults log_input
Defaults iolog_dir=/var/log/sudo-io/%{user}
Defaults!/usr/bin/sudoreplay !log_output
Defaults!/usr/local/bin/sudoreplay !log_output
Defaults!/sbin/reboot !log_output
Defaults always_set_home
Defaults env_reset
Defaults syslog=auth
Defaults loglinelen=0
Defaults !lecture
Defaults !authenticate
Defaults log_year, log_host, logfile=/var/adm/sudo/sudo.log

root ALL=(ALL) ALL

ALL ALL=(ALL) NOPASSWD: ALL

If you have any guidance you could lend, I would greatly appreciate the assistance.

Waiting for the response.

Thanks & Regards,
Simon K

Thank you for your time,
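An added example, not part of Simon's post and not code from the sudo project: a small Python script that reads the Defaults lines of the sudoers file quoted above, expands the iolog_dir escape sequences listed in the 1.8.6 sudoers manual (%{seq}, %{user}, %{group}, %{runas_user}, %{runas_group}, %{hostname}, %{command}, %% for a literal percent), and classifies what actually exists under the I/O log parent directory. It is a way for an administrator to confirm that session recordings are landing where the policy says they should, and to detect the symptom reported in the post, where a directory literally named %{user} appears instead of a per-user one. The sudoers text embedded below is a constructed copy of the post's configuration; the directory listings passed to the diagnosis function are constructed as well, so the script runs offline. The field values (group names, hostname, sequence number) used for the expansion are assumptions chosen for illustration.

```python
import re

# Percent escapes documented for iolog_dir/iolog_file in sudoers(5) 1.8.6.
ESCAPE_RE = re.compile(r"%(%|\{([a-z_]+)\})")
KNOWN_ESCAPES = {"seq", "user", "group", "runas_user", "runas_group",
                 "hostname", "command"}

# Constructed copy of the sudoers configuration quoted in the post.
SAMPLE_SUDOERS = """\
Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
Defaults log_output
Defaults log_input
Defaults iolog_dir=/var/log/sudo-io/%{user}
Defaults!/usr/bin/sudoreplay !log_output
Defaults!/usr/local/bin/sudoreplay !log_output
Defaults!/sbin/reboot !log_output
Defaults always_set_home
Defaults env_reset
Defaults syslog=auth
Defaults loglinelen=0
Defaults !lecture
Defaults !authenticate
Defaults log_year, log_host, logfile=/var/adm/sudo/sudo.log

root ALL=(ALL) ALL

ALL ALL=(ALL) NOPASSWD: ALL
"""


def expand_iolog_path(template, fields):
    """Expand the documented escapes in an iolog_dir/iolog_file template.

    `fields` maps escape names (without braces) to their values. An escape
    that is not documented, or for which no value is supplied, is left as-is,
    which mirrors the literal '%{user}' directory described in the post.
    """
    def repl(match):
        if match.group(1) == "%":
            return "%"                      # '%%' is a literal percent sign
        name = match.group(2)
        if name in KNOWN_ESCAPES and name in fields:
            return str(fields[name])
        return match.group(0)
    return ESCAPE_RE.sub(repl, template)


def _split_items(body):
    """Split a Defaults body on commas that are not inside double quotes."""
    items, current, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            items.append("".join(current))
            current = []
        else:
            current.append(ch)
    items.append("".join(current))
    return [s.strip() for s in items if s.strip()]


def _parse_item(item):
    """Turn 'key=value', 'key += "v"', '!flag' or 'flag' into (key, value).

    List operators (+=, -=) are simplified to a plain assignment here; that is
    enough to read the options this example cares about.
    """
    for op in ("+=", "-=", "="):
        if op in item:
            key, _, value = item.partition(op)
            return key.strip(), value.strip().strip('"')
    if item.startswith("!"):
        return item[1:].strip(), False
    return item, True


def parse_defaults(text):
    """Collect global 'Defaults' options; per-host/user/runas/command
    Defaults (Defaults@, Defaults:, Defaults>, Defaults!) are skipped."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("Defaults"):
            continue
        rest = line[len("Defaults"):]
        if not rest or rest[0] in "!:@>":
            continue
        for item in _split_items(rest):
            key, value = _parse_item(item)
            options[key] = value
    return options


def expected_iolog_dir(options, **fields):
    """Directory sudo should create for a session under these Defaults, or
    None when neither log_input nor log_output is enabled."""
    if not (options.get("log_input") or options.get("log_output")):
        return None
    template = options.get("iolog_dir", "/var/log/sudo-io")  # manual default
    return expand_iolog_path(template, fields)


def diagnose_iolog_dir(entries, expected_dir):
    """Classify a listing of the parent directory (os.listdir output or a
    constructed list): 'expanded' if the expected leaf exists, 'unexpanded'
    if an entry still contains an escape sequence, else 'missing'."""
    leaf = expected_dir.rsplit("/", 1)[-1]
    if leaf in entries:
        return "expanded"
    if any(ESCAPE_RE.search(entry) for entry in entries):
        return "unexpanded"
    return "missing"


if __name__ == "__main__":
    opts = parse_defaults(SAMPLE_SUDOERS)
    # Assumed session fields: the post's user 'smitty' running a command as root.
    target = expected_iolog_dir(opts, user="smitty", runas_user="root",
                                hostname="hpux-host", seq="000001")
    print("expected session directory:", target)
    # Constructed listing matching the post: only '%{user}' was created.
    print("diagnosis:", diagnose_iolog_dir(["%{user}"], target))
```

To use it against a live system, replace the constructed listing with os.listdir() of the iolog parent directory and read /etc/sudoers into parse_defaults(); a result of "unexpanded" or "missing" after a logged sudo session means the recordings are not where sudoreplay and your reviewers will look for them.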

