[sudo-users] aix sudo 1.8.11-2 with defaults of mail_always in /etc/sudoers also mails sudo -l access; older version did not
Sharon.Hawthorne at sharp.com
Tue Jan 20 15:26:06 MST 2015
There has been a change in the way sudo processes the "mail_always" default. I am not sure in what version this behavior changed, but will be trying back versions & the newest development version.
AIX version 6.1
# ls -l sudo*.rpm
-rw-rw-r-- 1 root system 1726265 Oct 24 14:37 sudo-1.8.11-2.aix53.lam.rpm
Previously, with the setup in /etc/sudoers including:
User_Alias LOGGERS = user1, user2,...
Defaults:LOGGERS timestamp_timeout=0, mail_always, \
mailsub="[I][SECURITY][AIX/%h] SUDO access by user: %u"
A user in the "LOGGERS" list would cause an email to be sent for all sudo commands except grep. But a simple sudo -l command would NOT send this email in prior versions.
Now an email with a body looking like:
<hostname> : Jan 20 12:19:03 : slkh : TTY=pts/2 ; PWD=/home/slkh ; USER=root ; COMMAND=list
is received every time the user issues the sudo -l (sudo -list) command.
Since "list" is not a command with a path, there is no way I have found, similar to the way email was shut off for /usr/bin/grep in the above snippet, to turn off mail_always for the "list" command.
We have - unfortunately - vendor scripts, which issue a sudo -l command thousands of times a day, so turning off this behavior is essential. We cannot modify these scripts.
I tried using a command alias of LIST, which had the command "/opt/freeware/bin/sudo -l" and "/opt/freeware/bin/sudo -list" and Defaults!LIST !mail_always, but as expected, this did not work, since the command logged is "list" not "sudo list".
Any advice is appreciated. I will in the meanwhile test other versions of sudo to determine when the change may have occurred, can't find in the changelog.
A method to turn off mail_always for list would be the preferred solution. Otherwise I think I may file a bug report for this behavior. Feature request?
More information about the sudo-users