Change the default syslog facility from local2 to authpriv (or auth

if the operating system doesn't support authpriv).

NEWS

@@ -58,6 +58,9 @@ What's new in Sudo 1.7.4?
  * Sudo will now fork(2) and wait until the command has completed before
    calling pam_close_session().
 
+ * The default syslog facility is now "authpriv" if the operating system
+   supports it, else "auth".
+
 What's new in Sudo 1.7.3?
 
  * Support for logging I/O for the command being run.

configure

@@ -1690,7 +1690,7 @@ Optional Packages:
   --with-project          enable Solaris project support
   --without-lecture       don't print lecture for first-time sudoer
   --with-logging          log via syslog, file, or both
-  --with-logfac           syslog facility to log with (default is "local2")
+  --with-logfac           syslog facility to log with (default is "auth")
   --with-goodpri          syslog priority for commands (def is "notice")
   --with-badpri           syslog priority for failures (def is "alert")
   --with-logpath          path to the sudo log file
@@ -2794,7 +2794,7 @@ sudo_umask=0022
 passprompt="Password:"
 long_otp_prompt=off
 lecture=once
-logfac=local2
+logfac=auth
 goodpri=notice
 badpri=alert
 loglen=80
@@ -4170,8 +4170,6 @@ $as_echo "syslog" >&6; }
 fi
 
 
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking which syslog facility sudo should log with" >&5
-$as_echo_n "checking which syslog facility sudo should log with... " >&6; }
 
 # Check whether --with-logfac was given.
 if test "${with_logfac+set}" = set; then :
@@ -4188,13 +4186,6 @@ esac
 fi
 
 
-cat >>confdefs.h <<_ACEOF
-#define LOGFAC "$logfac"
-_ACEOF
-
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $logfac" >&5
-$as_echo "$logfac" >&6; }
-
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking at which syslog priority to log commands" >&5
 $as_echo_n "checking at which syslog priority to log commands... " >&6; }
 
@@ -6572,13 +6563,13 @@ if test "${lt_cv_nm_interface+set}" = set; then :
 else
   lt_cv_nm_interface="BSD nm"
   echo "int some_variable = 0;" > conftest.$ac_ext
-  (eval echo "\"\$as_me:6575: $ac_compile\"" >&5)
+  (eval echo "\"\$as_me:6566: $ac_compile\"" >&5)
   (eval "$ac_compile" 2>conftest.err)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:6578: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
+  (eval echo "\"\$as_me:6569: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
   (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:6581: output\"" >&5)
+  (eval echo "\"\$as_me:6572: output\"" >&5)
   cat conftest.out >&5
   if $GREP 'External.*some_variable' conftest.out > /dev/null; then
     lt_cv_nm_interface="MS dumpbin"
@@ -7783,7 +7774,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 7786 "configure"' > conftest.$ac_ext
+  echo '#line 7777 "configure"' > conftest.$ac_ext
   if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -9175,11 +9166,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9178: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9169: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:9182: \$? = $ac_status" >&5
+   echo "$as_me:9173: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -9514,11 +9505,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9517: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9508: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:9521: \$? = $ac_status" >&5
+   echo "$as_me:9512: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -9619,11 +9610,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9622: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9613: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:9626: \$? = $ac_status" >&5
+   echo "$as_me:9617: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -9674,11 +9665,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9677: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9668: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:9681: \$? = $ac_status" >&5
+   echo "$as_me:9672: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -12041,7 +12032,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12044 "configure"
+#line 12035 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -12137,7 +12128,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12140 "configure"
+#line 12131 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -13491,6 +13482,32 @@ $as_echo "not found" >&6; }
 fi
 
 fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking which syslog facility sudo should log with" >&5
+$as_echo_n "checking which syslog facility sudo should log with... " >&6; }
+if test X"$with_logfac" = X""; then
+    cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <syslog.h>
+int
+main ()
+{
+int i = LOG_AUTHPRIV; (void)i;
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  logfac=authpriv
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+
+cat >>confdefs.h <<_ACEOF
+#define LOGFAC "$logfac"
+_ACEOF
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $logfac" >&5
+$as_echo "$logfac" >&6; }
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5
 $as_echo_n "checking for ANSI C header files... " >&6; }
 if test "${ac_cv_header_stdc+set}" = set; then :

configure.in

@@ -108,7 +108,7 @@ sudo_umask=0022
 passprompt="Password:"
 long_otp_prompt=off
 lecture=once
-logfac=local2
+logfac=auth
 goodpri=notice
 badpri=alert
 loglen=80
@@ -525,8 +525,7 @@ AC_ARG_WITH(logging, [AS_HELP_STRING([--with-logging], [log via syslog, file, or
 		;;
 esac], [AC_DEFINE(LOGGING, SLOG_SYSLOG) AC_MSG_RESULT(syslog)])
 
-AC_MSG_CHECKING(which syslog facility sudo should log with)
+AC_ARG_WITH(logfac, [AS_HELP_STRING([--with-logfac], [syslog facility to log with (default is "auth")])],
-AC_ARG_WITH(logfac, [AS_HELP_STRING([--with-logfac], [syslog facility to log with (default is "local2")])],
 [case $with_logfac in
     yes)	AC_MSG_ERROR(["must give --with-logfac an argument."])
 		;;
@@ -537,8 +536,6 @@ AC_ARG_WITH(logfac, [AS_HELP_STRING([--with-logfac], [syslog facility to log wit
     *)		AC_MSG_ERROR(["$with_logfac is not a supported syslog facility."])
 		;;
 esac])
-AC_DEFINE_UNQUOTED(LOGFAC, "$logfac", [The syslog facility sudo will use.])
-AC_MSG_RESULT($logfac)
 
 AC_MSG_CHECKING(at which syslog priority to log commands)
 AC_ARG_WITH(goodpri, [AS_HELP_STRING([--with-goodpri], [syslog priority for commands (def is "notice")])],
@@ -1856,6 +1853,15 @@ if test -z "$with_editor"; then
     SUDO_PROG_VI
 fi
 dnl
+dnl Check for authpriv support in syslog
+dnl
+AC_MSG_CHECKING(which syslog facility sudo should log with)
+if test X"$with_logfac" = X""; then
+    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <syslog.h>]], [[int i = LOG_AUTHPRIV; (void)i;]])], [logfac=authpriv])
+fi
+AC_DEFINE_UNQUOTED(LOGFAC, "$logfac", [The syslog facility sudo will use.])
+AC_MSG_RESULT($logfac)
+dnl
 dnl Header file checks
 dnl
 AC_HEADER_STDC

doc/TROUBLESHOOTING

@@ -36,12 +36,13 @@ Q) Sudo is setup to log via syslog(3) but I'm not getting any log
    messages.
 A) Make sure you have an entry in your syslog.conf file to save
    the sudo messages (see the sample.syslog.conf file).  The default
-   log facility is local2 (changeable via configure).  Don't forget
+   log facility is authpriv (changeable via configure or in sudoers).
-   to send a SIGHUP to your syslogd so that it re-reads its conf file.
+   Don't forget to send a SIGHUP to your syslogd so that it re-reads
-   Also, remember that syslogd does *not* create log files, you need to
+   its conf file.  Also, remember that syslogd does *not* create
-   create the file before syslogd will log to it (ie: touch /var/log/sudo).
+   log files, you need to create the file before syslogd will log
-   Note:  the facility ("local2.debug") must be separated from the 
+   to it (ie: touch /var/log/sudo).
-	  destination ("/var/adm/sudo.log" or "@loghost") by
+   Note:  the facility (e.g. "auth.debug") must be separated from the 
+	  destination (e.g. "/var/log/auth" or "@loghost") by
 	  tabs, *not* spaces.  This is a common error.
 
 Q) When sudo asks me for my password it never accepts what I enter even

doc/UPGRADE

@@ -29,6 +29,11 @@ o Upgrading from a version prior to 1.7.4:
     use when searching for configuration files.  Adding HOME to env_keep
     may enable a user to run unrestricted commands via sudo.
 
+    The default syslog facility has changed from "local2" or "authpriv"
+    (or "auth" if the operating system doesn't have "authpriv").
+    The --with-logfac configure option can be used to change this
+    or it can be changed in the sudoers file.
+
 o Upgrading from a version prior to 1.7.0:
 
     Starting with sudo 1.7.0, comments in the sudoers file must not

doc/sample.syslog.conf

@@ -1,10 +1,9 @@
 # This is a sample syslog.conf fragment for use with Sudo.
 #
-# Sudo logs to local2 by default, but this is changable via the
+# By default, sudo logs to "authpriv" if your system supports it, else it
-# --with-logfac configure option.  To see what syslog facility
+# uses "auth".  The facility can be set via the --with-logfac configure
-# a sudo binary uses, run `sudo -V' as *root*.  You may have
+# option or in the sudoers file.
-# to check /usr/include/syslog.h to map the facility number to
+# To see what syslog facility a sudo binary uses, run `sudo -V' as *root*.
-# a name.
 #
 # NOTES:
 #	The whitespace in the following line is made up of <TAB>
@@ -17,9 +16,11 @@
 #	create the file before syslogd will log to it.  Eg.
 #	'touch /var/log/sudo'
 
-# This logs successful and failed sudo attempts to the file /var/log/sudo
+# This logs successful and failed sudo attempts to the file /var/log/auth
-local2.debug					/var/log/sudo
+# If your system has the authpriv syslog facility, use authpriv.debug
+auth.debug					/var/log/auth
 
 # To log to a remote machine, use something like the following,
 # where "loghost" is the name of the remote machine.
-local2.debug					@loghost
+# If your system has the authpriv syslog facility, use authpriv.debug
+auth.debug					@loghost

doc/sudoers.cat

@@ -1390,7 +1390,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
-                   to disable syslog logging).  Defaults to local2.
+                   to disable syslog logging).  Defaults to auth.
 
        verifypw    This option controls when a password will be required when
                    a user runs ssuuddoo with the --vv option.  It has the following