[sudo-users] excluding a user from all sudo logging

Todd C. Miller Todd.Miller at sudo.ws
Fri Sep 13 06:25:17 MDT 2019


On Fri, 13 Sep 2019 05:07:45 -0000, Peter Smith wrote:

>   Matching Defaults entries for servicenow on this host:
>       !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
>       LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, !syslog, !log_output, !log_input,
>       log_output, log_input
>
>   User servicenow may run the following commands on this host:
>       (root) NOPASSWD: /<hidden>
>
>
> Hmmm. So I guess the latter "log_output, log_input" trumps the previous "!log_output, !log_input"?

Yes, in sudoers the last match wins.  For Defaults entries you need
to order things from least specific to most specific.

The output of "sudo -l" shows the order of sudoers entries as sudo
will actually evaluate them.

 - todd
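To make the ordering rule concrete, here is a sudoers fragment added to this archived thread; it is not part of Todd's reply or of the sudo project's documentation. The account name servicenow is taken from the thread; the allowed command path is a placeholder because the thread hides it. The two halves are alternatives, not meant to be installed together. The first reproduces what the `sudo -l` output above implies: the per-user Defaults entry is followed by a less specific entry that turns I/O logging back on, and because the last match wins, the later entry takes effect for servicenow. The second puts the general entry first and the user-specific entry after it, so for servicenow the specific entry is the last match.

```sudoers
# --- Ordering that produces the behaviour seen in the sudo -l output ---
# The user-specific line comes first; the global line that follows is
# evaluated later and so re-enables log_output/log_input for servicenow.
Defaults:servicenow !syslog, !log_output, !log_input
Defaults            log_output, log_input
# Placeholder path: the real command is hidden in the thread.
servicenow ALL=(root) NOPASSWD: /path/to/allowed/command

# --- Corrected ordering: least specific first, most specific last ---
# Everyone gets I/O logging by default; the servicenow line is the last
# Defaults entry that matches that user, so its negations are what apply.
Defaults            log_output, log_input
Defaults:servicenow !syslog, !log_output, !log_input
# Placeholder path: the real command is hidden in the thread.
servicenow ALL=(root) NOPASSWD: /path/to/allowed/command
```

Two practical checks follow from Todd's point. `visudo -c -f <file>` parses a fragment for syntax errors without installing it, and `sudo -l -U servicenow` (run as root) prints the Defaults entries in the order sudo will evaluate them, so you can confirm that the user-specific entry now appears last. If the general `log_output, log_input` line lives in `/etc/sudoers` and the exception in a drop-in under `/etc/sudoers.d/`, the position of the `#includedir` directive and the lexical sort order of the drop-in file names decide where the exception lands in that sequence; the same rule also means a per-user entry that enables logging can be silently undone by a broader `!log_input` placed after it.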

