[sudo-users] excluding commands from log_output
Divan Santana
divan at santanas.co.za
Mon Nov 14 00:18:42 MST 2016
Todd C. Miller <Todd.Miller at courtesan.com> writes:
> On Sun, 13 Nov 2016 01:16:16 +0200, Divan Santana wrote:
>
>> I've enabled log_output but would like to prevent certain commands from
>> being logged, like top for example.
>
> You can create a Cmnd_Alias containing the commands for which you
> want to disable I/O logging. For example:
>
> Cmnd_Alias NOIOLOG = /usr/bin/top, /usr/bin/ps
> Defaults!NOIOLOG !log_output
Ah - cool.
>> Lastly, would the above work in this scenario:
>> bob@host:$ sudo su - root
>> root@host:# top
>>
>> I.e., when one invokes the top command sometime after sudo, during the
>> sudo "session".
>
> No, that won't work since sudo would log the entire "su" session.
Ah, that's probably why my brief testing didn't work. I thought that
might be the case. That's OK.
> Note that top is not entirely benign, however, since you can use
> it to kill or renice arbitrary processes.
I suspected that might be the case. As is often the case with some
programs.
Thanks a ton as always Todd. :)
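
Added example, not part of the original messages and not sudo's own code: a simplified Python model of the two cases discussed in the thread, showing that the `!log_output` exclusion is decided only on the command sudo itself executes. The sudoers fragment, the `/usr/bin` paths and the function names `parse` and `io_logged` are assumptions made for illustration; only `Cmnd_Alias` and `Defaults` lines for `log_output` are handled.

```python
import re

# Constructed sudoers fragment: global I/O logging plus the exclusion
# alias suggested in the thread (paths assume a typical Linux layout).
SUDOERS = """\
Defaults log_output
Cmnd_Alias NOIOLOG = /usr/bin/top, /usr/bin/ps
Defaults!NOIOLOG !log_output
"""

def parse(text):
    """Return (global_flag, aliases, per_command_overrides)."""
    global_flag, aliases, overrides = False, {}, []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = {c.strip() for c in m.group(2).split(",")}
            continue
        m = re.match(r"Defaults(?:!(\S+))?\s+(!?)log_output$", line)
        if m:
            target, enabled = m.group(1), m.group(2) != "!"
            if target is None:
                global_flag = enabled               # plain "Defaults"
            else:
                overrides.append((target, enabled))  # "Defaults!CMND"
    return global_flag, aliases, overrides

def io_logged(sudoers_text, command):
    """Model: is I/O recorded for `sudo <command>`? Only the path sudo
    executes is matched; programs started later inside that session are
    never compared against the alias."""
    global_flag, aliases, overrides = parse(sudoers_text)
    path = command.split()[0]
    logged = global_flag
    for target, enabled in overrides:  # command-specific Defaults win
        if path in aliases.get(target, {target}):
            logged = enabled
    return logged

if __name__ == "__main__":
    for cmd in ("/usr/bin/top", "/usr/bin/su - root"):
        print(cmd, "->", "logged" if io_logged(SUDOERS, cmd) else "not logged")
```

In the second case the command sudo sees is `su`, so a `top` started from the resulting root shell is recorded along with the rest of the session.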