[sudo-users] proposed mail_always behavior change

Todd C. Miller Todd.Miller at courtesan.com
Mon Feb 2 13:44:14 MST 2015


Currently, when the mail_always option is enabled, mail will be
sent even for non-commands like "sudo -l", "sudo -l command" and
"sudo -v".  This can lead to a bunch of useless messages if what
you really want is to see when someone runs an actual command.

I propose that "mail_always" only send mail when an actual command
(or sudoedit) is attempted, or when the user fails to authenticate
themselves.  This should be more useful behavior but I wanted to see
if anyone on the list actually uses mail_always and depends on
seeing mail for the "list" and "validate" operations.

Unless I hear otherwise, I plan to make the change in sudo 1.8.12.
The new description is as follows:

  mail_always   Send mail to the mailto user every time a user
                attempts to run a command via sudo.  Mail will be
                sent for both successful and unsuccessful attempts.
                No mail will be sent if the user runs sudo with the
                -l or -v option unless there is an authentication
                error.  This flag is off by default.

 - todd

