[sudo-users] aix sudo 1.8.11-2 with defaults of mail_always in /etc/sudoers also mails sudo -l access; older version did not

Sharon Hawthorne Sharon.Hawthorne at sharp.com
Tue Jan 20 15:26:06 MST 2015


There has been a change in the way sudo processes the "mail_always" default.  I am not sure in what version this behavior changed, but will be trying back versions & the newest development version.

Our environment:

AIX version 6.1
# ls -l sudo*.rpm
...
-rw-rw-r--    1 root     system      1726265 Oct 24 14:37 sudo-1.8.11-2.aix53.lam.rpm

Previously, with the setup in /etc/sudoers including:

User_Alias      LOGGERS = user1, user2,...
Defaults:LOGGERS timestamp_timeout=0, mail_always, \
                           mailto="<mail-address>", \
                           mailsub="[I][SECURITY][AIX/%h] SUDO access by user: %u"

Defaults!/usr/bin/grep  !mail_always

A user in the "LOGGERS" list would cause an email to be sent for all sudo commands except grep. But a simple sudo -l command would NOT send this email in prior versions.

Now an email with a body  looking like:

<hostname> : Jan 20 12:19:03 : slkh : TTY=pts/2 ; PWD=/home/slkh ; USER=root ; COMMAND=list

is received every time the user issues the sudo -l (sudo -list) command.

Since "list" is not a command with a path, there is no way I have found, similar to the way email was shut off for /usr/bin/grep in the above snippet, to turn off mail_always for the "list" command.

We have - unfortunately - vendor scripts, which issue a sudo -l command thousands of times a day, so turning off this behavior is essential. We cannot modify these scripts.

I tried using a command alias of LIST, which had the command "/opt/freeware/bin/sudo -l"  and "/opt/freeware/bin/sudo -list" and Defaults!LIST !mail_always, but as expected, this did not work, since the command logged is "list" not "sudo list".

Any advice is appreciated. I will in the meanwhile test other versions of sudo to determine when the change may have occurred, can't find in the changelog.

A method to turn off mail_always for list would be the preferred solution. Otherwise I think I may file a bug report for this behavior. Feature request?

Thank you.






More information about the sudo-users mailing list