From 8660b5ea35a55b6fdae011548d2aa085530ca48c Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Thu, 22 Jul 2010 17:50:21 -0400 Subject: [PATCH] Change the default syslog facility from local2 to authpriv (or auth if the operating system doesn't support authpriv). --- NEWS | 3 ++ configure | 67 ++++++++++++++++++++++++++---------------- configure.in | 16 ++++++---- doc/TROUBLESHOOTING | 13 ++++---- doc/UPGRADE | 5 ++++ doc/sample.syslog.conf | 17 ++++++----- doc/sudoers.cat | 2 +- 7 files changed, 78 insertions(+), 45 deletions(-) diff --git a/NEWS b/NEWS index e54b9542e..7c00d9a76 100644 --- a/NEWS +++ b/NEWS @@ -58,6 +58,9 @@ What's new in Sudo 1.7.4? * Sudo will now fork(2) and wait until the command has completed before calling pam_close_session(). + * The default syslog facility is now "authpriv" if the operating system + supports it, else "auth". + What's new in Sudo 1.7.3? * Support for logging I/O for the command being run. diff --git a/configure b/configure index 781cf6cc0..1aef054d9 100755 --- a/configure +++ b/configure @@ -1690,7 +1690,7 @@ Optional Packages: --with-project enable Solaris project support --without-lecture don't print lecture for first-time sudoer --with-logging log via syslog, file, or both - --with-logfac syslog facility to log with (default is "local2") + --with-logfac syslog facility to log with (default is "auth") --with-goodpri syslog priority for commands (def is "notice") --with-badpri syslog priority for failures (def is "alert") --with-logpath path to the sudo log file @@ -2794,7 +2794,7 @@ sudo_umask=0022 passprompt="Password:" long_otp_prompt=off lecture=once -logfac=local2 +logfac=auth goodpri=notice badpri=alert loglen=80 
@@ -4170,8 +4170,6 @@ $as_echo "syslog" >&6; } fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking which syslog facility sudo should log with" >&5 -$as_echo_n "checking which syslog facility sudo should log with... " >&6; } # Check whether --with-logfac was given. if test "${with_logfac+set}" = set; then : @@ -4188,13 +4186,6 @@ esac fi -cat >>confdefs.h <<_ACEOF -#define LOGFAC "$logfac" -_ACEOF - -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $logfac" >&5 -$as_echo "$logfac" >&6; } - { $as_echo "$as_me:${as_lineno-$LINENO}: checking at which syslog priority to log commands" >&5 $as_echo_n "checking at which syslog priority to log commands... " >&6; } @@ -6572,13 +6563,13 @@ if test "${lt_cv_nm_interface+set}" = set; then : else lt_cv_nm_interface="BSD nm" echo "int some_variable = 0;" > conftest.$ac_ext - (eval echo "\"\$as_me:6575: $ac_compile\"" >&5) + (eval echo "\"\$as_me:6566: $ac_compile\"" >&5) (eval "$ac_compile" 2>conftest.err) cat conftest.err >&5 - (eval echo "\"\$as_me:6578: $NM \\\"conftest.$ac_objext\\\"\"" >&5) + (eval echo "\"\$as_me:6569: $NM \\\"conftest.$ac_objext\\\"\"" >&5) (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) cat conftest.err >&5 - (eval echo "\"\$as_me:6581: output\"" >&5) + (eval echo "\"\$as_me:6572: output\"" >&5) cat conftest.out >&5 if $GREP 'External.*some_variable' conftest.out > /dev/null; then lt_cv_nm_interface="MS dumpbin" @@ -7783,7 +7774,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 7786 "configure"' > conftest.$ac_ext + echo '#line 7777 "configure"' > conftest.$ac_ext if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 (eval $ac_compile) 2>&5 ac_status=$? 
@@ -9175,11 +9166,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9178: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9169: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:9182: \$? = $ac_status" >&5 + echo "$as_me:9173: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -9514,11 +9505,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9517: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9508: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:9521: \$? = $ac_status" >&5 + echo "$as_me:9512: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -9619,11 +9610,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9622: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9613: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:9626: \$? = $ac_status" >&5 + echo "$as_me:9617: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized 
@@ -9674,11 +9665,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9677: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9668: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:9681: \$? = $ac_status" >&5 + echo "$as_me:9672: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -12041,7 +12032,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12044 "configure" +#line 12035 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -12137,7 +12128,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12140 "configure" +#line 12131 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -13491,6 +13482,32 @@ $as_echo "not found" >&6; } fi fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking which syslog facility sudo should log with" >&5 +$as_echo_n "checking which syslog facility sudo should log with... " >&6; } +if test X"$with_logfac" = X""; then + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +int +main () +{ +int i = LOG_AUTHPRIV; (void)i; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + logfac=authpriv +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi + +cat >>confdefs.h <<_ACEOF +#define LOGFAC "$logfac" +_ACEOF + +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $logfac" >&5 +$as_echo "$logfac" >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5 $as_echo_n "checking for ANSI C header files... " >&6; } if test "${ac_cv_header_stdc+set}" = set; then : diff --git a/configure.in b/configure.in index d198a3f08..05782f185 100644 
--- a/configure.in +++ b/configure.in @@ -108,7 +108,7 @@ sudo_umask=0022 passprompt="Password:" long_otp_prompt=off lecture=once -logfac=local2 +logfac=auth goodpri=notice badpri=alert loglen=80 @@ -525,8 +525,7 @@ AC_ARG_WITH(logging, [AS_HELP_STRING([--with-logging], [log via syslog, file, or ;; esac], [AC_DEFINE(LOGGING, SLOG_SYSLOG) AC_MSG_RESULT(syslog)]) -AC_MSG_CHECKING(which syslog facility sudo should log with) -AC_ARG_WITH(logfac, [AS_HELP_STRING([--with-logfac], [syslog facility to log with (default is "local2")])], +AC_ARG_WITH(logfac, [AS_HELP_STRING([--with-logfac], [syslog facility to log with (default is "auth")])], [case $with_logfac in yes) AC_MSG_ERROR(["must give --with-logfac an argument."]) ;; @@ -537,8 +536,6 @@ AC_ARG_WITH(logfac, [AS_HELP_STRING([--with-logfac], [syslog facility to log wit *) AC_MSG_ERROR(["$with_logfac is not a supported syslog facility."]) ;; esac]) -AC_DEFINE_UNQUOTED(LOGFAC, "$logfac", [The syslog facility sudo will use.]) -AC_MSG_RESULT($logfac) AC_MSG_CHECKING(at which syslog priority to log commands) AC_ARG_WITH(goodpri, [AS_HELP_STRING([--with-goodpri], [syslog priority for commands (def is "notice")])], @@ -1856,6 +1853,15 @@ if test -z "$with_editor"; then SUDO_PROG_VI fi dnl +dnl Check for authpriv support in syslog +dnl +AC_MSG_CHECKING(which syslog facility sudo should log with) +if test X"$with_logfac" = X""; then + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include ]], [[int i = LOG_AUTHPRIV; (void)i;]])], [logfac=authpriv]) +fi +AC_DEFINE_UNQUOTED(LOGFAC, "$logfac", [The syslog facility sudo will use.]) +AC_MSG_RESULT($logfac) +dnl dnl Header file checks dnl AC_HEADER_STDC diff --git a/doc/TROUBLESHOOTING b/doc/TROUBLESHOOTING index 8ca208058..57e20127b 100644 --- a/doc/TROUBLESHOOTING +++ b/doc/TROUBLESHOOTING 
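Review bot: The `--with-logfac` help string this hunk rewrites to `(default is "auth")` no longer matches the effective default, because the new `AC_COMPILE_IFELSE` block added later in this file sets `logfac=authpriv` whenever `LOG_AUTHPRIV` compiles, leaving `auth` as the fallback only; `doc/sudoers.cat` ("Defaults to auth.") carries the same mismatch, while NEWS and `doc/sample.syslog.conf` describe the two-tier default correctly. Suggested help text: `[syslog facility to log with (default is "authpriv" if available, else "auth")]`. A one-line `dnl` note above the probe stating that it is skipped when `--with-logfac` was given explicitly would also make the `test X"$with_logfac" = X""` guard's intent obvious to the next reader. Separately, the new `doc/UPGRADE` paragraph reads `changed from "local2" or "authpriv"`, where `to` was presumably intended.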
@@ -36,12 +36,13 @@ Q) Sudo is setup to log via syslog(3) but I'm not getting any log messages. A) Make sure you have an entry in your syslog.conf file to save the sudo messages (see the sample.syslog.conf file). The default - log facility is local2 (changeable via configure). Don't forget - to send a SIGHUP to your syslogd so that it re-reads its conf file. - Also, remember that syslogd does *not* create log files, you need to - create the file before syslogd will log to it (ie: touch /var/log/sudo). - Note: the facility ("local2.debug") must be separated from the - destination ("/var/adm/sudo.log" or "@loghost") by + log facility is authpriv (changeable via configure or in sudoers). + Don't forget to send a SIGHUP to your syslogd so that it re-reads + its conf file. Also, remember that syslogd does *not* create + log files, you need to create the file before syslogd will log + to it (ie: touch /var/log/sudo). + Note: the facility (e.g. "auth.debug") must be separated from the + destination (e.g. "/var/log/auth" or "@loghost") by tabs, *not* spaces. This is a common error. Q) When sudo asks me for my password it never accepts what I enter even diff --git a/doc/UPGRADE b/doc/UPGRADE index 8d4740da9..c3aab26a8 100644 --- a/doc/UPGRADE +++ b/doc/UPGRADE @@ -29,6 +29,11 @@ o Upgrading from a version prior to 1.7.4: use when searching for configuration files. Adding HOME to env_keep may enable a user to run unrestricted commands via sudo. + The default syslog facility has changed from "local2" or "authpriv" + (or "auth" if the operating system doesn't have "authpriv"). + The --with-logfac configure option can be used to change this + or it can be changed in the sudoers file. + o Upgrading from a version prior to 1.7.0: Starting with sudo 1.7.0, comments in the sudoers file must not diff --git a/doc/sample.syslog.conf b/doc/sample.syslog.conf index 2effbab72..686cd1931 100644 --- a/doc/sample.syslog.conf +++ b/doc/sample.syslog.conf 
@@ -1,10 +1,9 @@ # This is a sample syslog.conf fragment for use with Sudo. # -# Sudo logs to local2 by default, but this is changable via the -# --with-logfac configure option. To see what syslog facility -# a sudo binary uses, run `sudo -V' as *root*. You may have -# to check /usr/include/syslog.h to map the facility number to -# a name. +# By default, sudo logs to "authpriv" if your system supports it, else it +# uses "auth". The facility can be set via the --with-logfac configure +# option or in the sudoers file. +# To see what syslog facility a sudo binary uses, run `sudo -V' as *root*. # # NOTES: # The whitespace in the following line is made up of @@ -17,9 +16,11 @@ # create the file before syslogd will log to it. Eg. # 'touch /var/log/sudo' -# This logs successful and failed sudo attempts to the file /var/log/sudo -local2.debug /var/log/sudo +# This logs successful and failed sudo attempts to the file /var/log/auth +# If your system has the authpriv syslog facility, use authpriv.debug +auth.debug /var/log/auth # To log to a remote machine, use something like the following, # where "loghost" is the name of the remote machine. -local2.debug @loghost +# If your system has the authpriv syslog facility, use authpriv.debug +auth.debug @loghost diff --git a/doc/sudoers.cat b/doc/sudoers.cat index 80766754f..abf16e78e 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat @@ -1390,7 +1390,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - to disable syslog logging). Defaults to local2. + to disable syslog logging). Defaults to auth. verifypw This option controls when a password will be required when a user runs ssuuddoo with the --vv option. It has the following