[sudo-users] Solaris 10 SPARC : New directory /usr/local/var/run/ts after update from Sudo 1.8.8 to 1.8.11p2

Stefan.Schmid at isc-ejpd.admin.ch Stefan.Schmid at isc-ejpd.admin.ch
Sun Mar 29 06:13:43 MDT 2015 

Solaris 10 SPARC:

After upgrading Sudo from Sudo 1.8.8 to 1.8.11p2 new files are created or updated after each < sudo su - > issued by a local non-root user.
In the following examples, the local users are isc-aym, isc-fmi, isc-hmm, isc-scn

# ls -al /usr/local/var/run/ts
total 12
(..)
-rw-------   1 root     bs-tb         56 Mar 27 13:14 isc-aym
-rw-------   1 root     bs-tb        140 Mar 27 12:09 isc-fmi
-rw-------   1 root     bs-tb         28 Mar 25 16:30 isc-hmm
-rw-------   1 root     bs-tb         56 Mar 29 13:55 isc-scn
(..)


It seems that the files are caused by the following setting in 1.8.11p2

(..)
Path to authentication timestamp dir: /usr/local/var/run/ts
(..)


This setting does not seem to exist in Sudo 1.8.8.
As the files below /usr/local/var/run/ts are often updated (md5 sum changes), our
file and directory integrity checker (AIDE) reports a change.


Questions:
Is it possible to disable the sudo feature in 1.8.11p2 which creates/updates file below /usr/local/var/run/ts  ?


# sudo -V
Sudo version 1.8.8
Sudoers policy plugin version 1.8.6p8
Sudoers file grammar version 42
Sudoers I/O plugin version 1.8.6p8


# sudo -V
Sudo version 1.8.11p2
Configure options: --prefix=/usr/local --sysconfdir=/usr/local/etc --localstatedir=/usr/local/var --with-pam --with-vardir=/usr/local/var/lib/sudo --with-rundir=/usr/local/var/run
Sudoers policy plugin version 1.8.11p2
Sudoers file grammar version 43

Sudoers path: /usr/local/etc/sudoers
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: auth
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5.0 minutes
Password prompt timeout: 5.0 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to lecture status dir: /usr/local/var/lib/sudo/lectured
Path to authentication timestamp dir: /usr/local/var/run/ts
Default password prompt: %u's password:
Default user to run commands as: root
Path to the editor for use by visudo: /usr/bin/vi
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for sanity:
        TERM
        LINGUAS
        LC_*
        LANGUAGE
        LANG
        COLORTERM
Environment variables to remove:
        BASH_FUNC_*
        RUBYOPT
        RUBYLIB
        PYTHONUSERBASE
        PYTHONINSPECT
        PYTHONPATH
        PYTHONHOME
        TMPPREFIX
        ZDOTDIR
        READNULLCMD
        NULLCMD
        FPATH
        PERL5DB
        PERL5OPT
        PERL5LIB
        PERLLIB
        PERLIO_DEBUG
        JAVA_TOOL_OPTIONS
        SHELLOPTS
        GLOBIGNORE
        PS4
        BASH_ENV
        ENV
        TERMCAP
        TERMPATH
        TERMINFO_DIRS
        TERMINFO
        _RLD*
        LD_*
        PATH_LOCALE
        NLSPATH
        HOSTALIASES
        RES_OPTIONS
        LOCALDOMAIN
        CDPATH
        IFS
Environment variables to preserve:
        XAUTHORIZATION
        XAUTHORITY
        TZ
        PS2
        PS1
        PATH
        LS_COLORS
        KRB5CCNAME
        HOSTNAME
        DISPLAY
        COLORS
Locale to use while parsing sudoers: C
Compress I/O logs using zlib
Directory in which to store input/output logs: /var/log/sudo-io
File in which to store the input/output log: %{seq}
Add an entry to the utmp/utmpx file when allocating a pty
PAM service name to use
PAM service name to use for login shells
Attempt to establish PAM credentials for the target user
Create a new PAM session for the command to run in
Maximum I/O log sequence number: 0
Enable sudoers netgroup support

Local IP address and netmask pairs:
        1xx.nn.235.2/255.255.252.0
        nn.1.xx.130/255.255.254.0
        169.uu.182.xx/255.255.255.0

Sudoers I/O plugin version 1.8.11p2



Kind regards

Stefan

More information about the sudo-users mailing list