[sudo-users] sudoreplay "best practice" questions

Divan Santana dsantana at fnb.co.za
Fri Jan 13 01:15:34 MST 2017


Divan Santana <divan at santanas.co.za> writes:

> Todd C. Miller <Todd.Miller at courtesan.com> writes:
>
>> On Wed, 05 Oct 2016 11:14:41 +0200, Divan Santana wrote:
>>
>>> Is it possible to configure sudo in such a way that if the log directory
>>> is full or inaccessible (remote share goes down) for sudo subsystem to
>>> continue functioning?
>>
>> In sudo 1.8.18 there is a new sudoers setting, ignore_iolog_errors,
>> that will allow sudo to continue running when the I/O log cannot
>> be written to.

I've tested this ignore_iolog_errors though it's not working as I'd
expect (very) unfortunately. :(

It works if the /var/log/sudo-io is a local FS and has filled up.

If /var/log/sudo-io is an NFS share and the share goes down I see this:
```
sudo: unable to open /var/log/sudo-io/seq: Stale NFS file handle
```

And most importantly sudo fails to work. I'd expect the error and for
sudo to continue working.

Similarly I have tested like this, which also breaks sudo despite
ignore_iolog_errors being set:
```
[root at testnode:/root]# rm -rf /var/log/sudo-io
[root at testnode:/root]# touch /var/log/sudo-io
username at testnode:~ » sudo su -
[sudo] password for username:
sudo: /var/log/sudo-io exists but is not a directory (0100644)
username at testnode:~ »
```

This is with version 1.8.18p1.

Secondly and separately:

I'm looking at nfs backing /var/log/sudo-io as I need these logs
remotely for obvious security reasons. I wish I could use another
mechanism other than nfs, specifically syslog, to ship these logs
remotely, but it seems that's not possible.

Unless there is a better way to get these logs remotely?
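An added example (not from the post or from the sudo project): a small POSIX shell health check for the I/O log directory that reports the two failure modes shown above, the path being a regular file instead of a directory, and the directory being present but unusable for reads or writes, before sudo itself refuses to run. It assumes the directory layout sudo uses (a `seq` file inside the iolog directory) and a Linux host; it cannot reproduce a stale NFS handle, but a stale handle or a full filesystem surfaces as the same open/write failure the probe catches.

```shell
#!/bin/sh
# Health check for sudo's iolog_dir (default /var/log/sudo-io).
# Returns 0 when the directory looks usable, 1 otherwise, printing the
# reason on stderr so it can feed a monitoring check or cron job.
check_iolog_dir() {
    dir="$1"
    if [ ! -e "$dir" ]; then
        echo "iolog check: $dir does not exist" >&2
        return 1
    fi
    # Mirrors the "exists but is not a directory" error from the post.
    if [ ! -d "$dir" ]; then
        echo "iolog check: $dir exists but is not a directory" >&2
        return 1
    fi
    # sudo opens <iolog_dir>/seq to allocate the next session id; a stale
    # NFS handle or a full filesystem shows up as a failed create or read,
    # so probe both with a throwaway file.
    probe="$dir/.iolog-check.$$"
    if ! ( : > "$probe" ) 2>/dev/null; then
        echo "iolog check: cannot create files in $dir" >&2
        return 1
    fi
    rm -f "$probe"
    if [ -e "$dir/seq" ] && ! cat "$dir/seq" >/dev/null 2>&1; then
        echo "iolog check: cannot read $dir/seq" >&2
        return 1
    fi
    return 0
}

# Usage: ./iolog-check.sh /var/log/sudo-io
if [ $# -gt 0 ]; then
    check_iolog_dir "$1"
fi
```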