[sudo-workers] syslog facility changed in 1.7.4 ?

Todd C. Miller Todd.Miller at courtesan.com
Wed Aug 4 08:40:48 EDT 2010


In message <OFDD6B533B.B5C8D3C0-ON85257775.0001A80D-85257775.0002D148 at ca.ibm.com>
	so spake  (yaberger):

> Have you changed the default syslog facility in 1.7.4?
> I used the same configure option in 1.7.3 and 1.7.4 but the facility
> changed from local2 to authpriv

Yes, here is all the info from the 1.7.4 UPGRADE file:

    Starting with sudo 1.7.4, the time stamp files have moved from
    /var/run/sudo to either /var/db/sudo, /var/lib/sudo or /var/adm/sudo.
    The directories are checked for existence in that order.  This
    prevents users from receiving the sudo lecture every time the
    system reboots.  Time stamp files older than the boot time are
    ignored on systems where it is possible to determine this.

    Additionally, the tty_tickets sudoers option is now enabled by
    default.  To restore the old behavior (single time stamp per user),
    add a line like:
        Defaults !tty_tickets
    to sudoers or use the --without-tty-tickets configure option.

    The HOME and MAIL environment variables are now reset based on the
    target user's password database entry when the env_reset sudoers option
    is enabled (which is the case in the default configuration).  Users
    wishing to preserve the original values should use a sudoers entry like:
        Defaults env_keep += HOME
    to preserve the old value of HOME and
        Defaults env_keep += MAIL
    to preserve the old value of MAIL.

    NOTE: preserving HOME has security implications since many programs
    use it when searching for configuration files.  Adding HOME to env_keep
    may enable a user to run unrestricted commands via sudo.

    The default syslog facility has changed from "local2" to "authpriv"
    (or "auth" if the operating system doesn't have "authpriv").
    The --with-logfac configure option can be used to change this
    or it can be changed in the sudoers file.

> If it's intended, can you fix the man pages if it's not already done and 
> update http://www.sudo.ws/sudo/sudoers.man.html ?

The man pages are already up to date.  I've regenerated the online
manuals to match.

 - todd
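The UPGRADE notes quoted above describe three sudoers Defaults an administrator may want to check after moving to 1.7.4: an explicit syslog facility, tty_tickets being switched off, and HOME or MAIL being preserved through env_keep (the note flags HOME in particular as a way to run unrestricted commands). The POSIX sh script below is an added audit example, not code from the sudo project or from this thread; it assumes a plain sudoers file (it does not follow #include directives) and the helper names are hypothetical. Run it as `sh audit_sudoers.sh /etc/sudoers`.

```shell
#!/bin/sh
# Hypothetical audit helper (not part of sudo): report the sudoers Defaults
# discussed in the sudo 1.7.4 UPGRADE notes. Usage: audit_sudoers <sudoers-file>

# Print only the Defaults lines, with comments stripped.
sudoers_defaults() {
    sed -e 's/#.*$//' "$1" | grep -E '^[[:space:]]*Defaults'
}

# Print the facility from the last "syslog=<facility>" Defaults line, or
# "default" when the file does not set one (the 1.7.4 build default is
# authpriv, or auth where the OS lacks authpriv).
sudoers_syslog_facility() {
    fac=$(sudoers_defaults "$1" \
        | sed -n 's/.*syslog[[:space:]]*=[[:space:]]*\([A-Za-z0-9]*\).*/\1/p' \
        | tail -n 1)
    echo "${fac:-default}"
}

# Exit 0 when the named variable (e.g. HOME) appears in an env_keep list.
sudoers_env_keep_has() {
    sudoers_defaults "$1" | grep -E 'env_keep[[:space:]]*\+?=' | grep -qw "$2"
}

# Exit 0 when tty_tickets has been explicitly disabled with "!tty_tickets".
sudoers_tty_tickets_disabled() {
    sudoers_defaults "$1" | grep -Eq '(^|[[:space:],])!tty_tickets([[:space:],]|$)'
}

# Human-readable report for one sudoers file.
audit_sudoers() {
    f=$1
    echo "syslog facility: $(sudoers_syslog_facility "$f")"
    if sudoers_tty_tickets_disabled "$f"; then
        echo "WARN: tty_tickets disabled (one time stamp per user, not per tty)"
    fi
    for v in HOME MAIL; do
        if sudoers_env_keep_has "$f" "$v"; then
            echo "WARN: $v preserved via env_keep (see UPGRADE note on HOME)"
        fi
    done
}

if [ $# -gt 0 ]; then
    audit_sudoers "$1"
fi
```

The report only reads the file; it never changes it. A facility of "default" means logging goes to whatever the build's --with-logfac selected, which after 1.7.4 is authpriv rather than local2, so any syslog rules still filtering on local2 will silently miss sudo entries.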
