[sudo-workers] syslog facility changed in 1.7.4 ?
Todd C. Miller
Todd.Miller at courtesan.com
Wed Aug 4 08:40:48 EDT 2010
In message <OFDD6B533B.B5C8D3C0-ON85257775.0001A80D-85257775.0002D148 at ca.ibm.co
so spake (yaberger):
> Have you changed the default syslog facility in 1.7.4?
> I used the same configure option in 1.7.3 and 1.7.4 but the facility
> changed from local2 to authpriv
Yes, here is all the info from the 1.7.4 UPGRADE file:

Starting with sudo 1.7.4, the time stamp files have moved from
/var/run/sudo to either /var/db/sudo, /var/lib/sudo or /var/adm/sudo.
The directories are checked for existence in that order. This
prevents users from receiving the sudo lecture every time the
system reboots. Time stamp files older than the boot time are
ignored on systems where it is possible to determine this.

Additionally, the tty_tickets sudoers option is now enabled by
default. To restore the old behavior (single time stamp per user),
add a line like:
to sudoers or use the --without-tty-tickets configure option.

The HOME and MAIL environment variables are now reset based on the
target user's password database entry when the env_reset sudoers option
is enabled (which is the case in the default configuration). Users
wishing to preserve the original values should use a sudoers entry like:
    Defaults env_keep += HOME
to preserve the old value of HOME and
    Defaults env_keep += MAIL
to preserve the old value of MAIL.

NOTE: preserving HOME has security implications since many programs
use it when searching for configuration files. Adding HOME to env_keep
may enable a user to run unrestricted commands via sudo.

The default syslog facility has changed from "local2" to "authpriv"
(or "auth" if the operating system doesn't have "authpriv").
The --with-logfac configure option can be used to change this
or it can be changed in the sudoers file.

> If it's intended, can you fix the man pages if it's not already done and
> update http://www.sudo.ws/sudo/sudoers.man.html ?
The man pages are already up to date. I've regenerated the online
manuals to match.
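
Added example, not part of the original message or of sudo itself: a small audit of a sudoers file for the settings the 1.7.4 UPGRADE notes touch (syslog facility, tty_tickets, HOME/MAIL in env_keep). The sample sudoers text is constructed; the "syslog" and "!tty_tickets" option spellings are taken from the sudoers manual rather than from this message, and only what the file itself sets is modelled, not sudo's built-in env_keep list.

```python
import re

# Constructed sample sudoers text for illustration (not from the original message).
SAMPLE_SUDOERS = '''\
Defaults env_reset, !tty_tickets
Defaults env_keep += "HOME MAIL"   # constructed entry
Defaults env_keep -= MAIL
Defaults syslog=local2
root ALL=(ALL) ALL
'''

# One Defaults setting: optional "!", a name, then optionally an operator and a value.
SETTING = re.compile(r'(!?)(\w+)\s*(?:([+-]?=)\s*("[^"]*"|[^,\s]+))?')

def audit_sudoers(text, built_in_facility="authpriv"):
    """Return the 1.7.4 upgrade-relevant state set by global Defaults lines."""
    state = {"syslog": built_in_facility, "tty_tickets": True, "env_keep": set()}
    text = text.replace("\\\n", " ")                 # join continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"Defaults\s+(.*)$", line)      # global only, skips Defaults:user etc.
        if not m:
            continue
        for neg, name, op, val in SETTING.findall(m.group(1)):
            val = val.strip('"')
            if name == "syslog":
                state["syslog"] = None if neg else (val or built_in_facility)
            elif name == "tty_tickets":
                state["tty_tickets"] = not neg
            elif name == "env_keep":
                names = set(val.split())
                if neg or op == "=":
                    state["env_keep"] = set() if neg else names
                elif op == "+=":
                    state["env_keep"] |= names
                elif op == "-=":
                    state["env_keep"] -= names
    return state

def findings(state):
    """Turn the audited state into review notes for an upgrade to 1.7.4."""
    notes = []
    if "HOME" in state["env_keep"]:
        notes.append("HOME is preserved: programs run via sudo search it for configuration files")
    if state["syslog"] not in ("authpriv", "auth"):
        notes.append(f"syslog is {state['syslog'] or 'disabled'}, not the 1.7.4 default: check syslog routing")
    if not state["tty_tickets"]:
        notes.append("tty_tickets disabled: single time stamp per user")
    return notes
```

Pass built_in_facility="auth" when auditing for a system that has no "authpriv" facility.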