Change the default syslog facility from local2 to authpriv (or auth

if the operating system doesn't support authpriv).

--HG--
branch : 1.7

diff --git a/NEWS b/NEWS
index 1d5999297dc9e85a417e09ef94520b9a27d58f84..21d4e611454b46ad6bce4463d655242707835eb3 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -50,6 +50,9 @@ What's new in Sudo 1.7.4?
  * Sudo will now fork(2) and wait until the command has completed before
    calling pam_close_session().
 
+ * The default syslog facility is now "authpriv" if the operating system
+   supports it, else "auth".
+
 What's new in Sudo 1.7.3?
 
  * Support for logging I/O for the command being run.

diff --git a/TROUBLESHOOTING b/TROUBLESHOOTING
index 8ca20805808201dea810c452b058b2031bb59c13..57e20127b4cb84bbf766c9eaa1ec85bc065fb94e 100644 (file)
--- a/TROUBLESHOOTING
+++ b/TROUBLESHOOTING
@@ -36,12 +36,13 @@ Q) Sudo is setup to log via syslog(3) but I'm not getting any log
    messages.
 A) Make sure you have an entry in your syslog.conf file to save
    the sudo messages (see the sample.syslog.conf file).  The default
-   log facility is local2 (changeable via configure).  Don't forget
-   to send a SIGHUP to your syslogd so that it re-reads its conf file.
-   Also, remember that syslogd does *not* create log files, you need to
-   create the file before syslogd will log to it (ie: touch /var/log/sudo).
-   Note:  the facility ("local2.debug") must be separated from the 
-         destination ("/var/adm/sudo.log" or "@loghost") by
+   log facility is authpriv (changeable via configure or in sudoers).
+   Don't forget to send a SIGHUP to your syslogd so that it re-reads
+   its conf file.  Also, remember that syslogd does *not* create
+   log files, you need to create the file before syslogd will log
+   to it (ie: touch /var/log/sudo).
+   Note:  the facility (e.g. "auth.debug") must be separated from the 
+         destination (e.g. "/var/log/auth" or "@loghost") by
          tabs, *not* spaces.  This is a common error.
 
 Q) When sudo asks me for my password it never accepts what I enter even

diff --git a/UPGRADE b/UPGRADE
index 8d4740da99328eb1fc8967c8db3e852500f87ce3..c3aab26a80ebf995b3a7ba84c011a0a397bf4774 100644 (file)
--- a/UPGRADE
+++ b/UPGRADE
@@ -29,6 +29,11 @@ o Upgrading from a version prior to 1.7.4:
     use when searching for configuration files.  Adding HOME to env_keep
     may enable a user to run unrestricted commands via sudo.
 
+    The default syslog facility has changed from "local2" or "authpriv"
+    (or "auth" if the operating system doesn't have "authpriv").
+    The --with-logfac configure option can be used to change this
+    or it can be changed in the sudoers file.
+
 o Upgrading from a version prior to 1.7.0:
 
     Starting with sudo 1.7.0, comments in the sudoers file must not

diff --git a/configure b/configure
index a749c98f2cb7ad0798543a370c1366943e95e6c5..21e3549f702dbd0b14d21a8a93084488198032d8 100755 (executable)
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.65 for sudo 1.7.4b4.
+# Generated by GNU Autoconf 2.65 for sudo 1.7.4.
 #
 # Report bugs to <http://www.sudo.ws/bugs/>.
 #
@@ -701,8 +701,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='sudo'
 PACKAGE_TARNAME='sudo'
-PACKAGE_VERSION='1.7.4b4'
-PACKAGE_STRING='sudo 1.7.4b4'
+PACKAGE_VERSION='1.7.4'
+PACKAGE_STRING='sudo 1.7.4'
 PACKAGE_BUGREPORT='http://www.sudo.ws/bugs/'
 PACKAGE_URL=''
 
@@ -1551,7 +1551,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures sudo 1.7.4b4 to adapt to many kinds of systems.
+\`configure' configures sudo 1.7.4 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1616,7 +1616,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of sudo 1.7.4b4:";;
+     short | recursive ) echo "Configuration of sudo 1.7.4:";;
    esac
   cat <<\_ACEOF
 
@@ -1682,7 +1682,7 @@ Optional Packages:
   --with-project          enable Solaris project support
   --without-lecture       don't print lecture for first-time sudoer
   --with-logging          log via syslog, file, or both
-  --with-logfac           syslog facility to log with (default is "local2")
+  --with-logfac           syslog facility to log with (default is "auth")
   --with-goodpri          syslog priority for commands (def is "notice")
   --with-badpri           syslog priority for failures (def is "alert")
   --with-logpath          path to the sudo log file
@@ -1826,7 +1826,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-sudo configure 1.7.4b4
+sudo configure 1.7.4
 generated by GNU Autoconf 2.65
 
 Copyright (C) 2009 Free Software Foundation, Inc.
@@ -2347,7 +2347,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by sudo $as_me 1.7.4b4, which was
+It was created by sudo $as_me 1.7.4, which was
 generated by GNU Autoconf 2.65.  Invocation command line was
 
   $ $0 $@
@@ -2781,7 +2781,7 @@ sudo_umask=0022
 passprompt="Password:"
 long_otp_prompt=off
 lecture=once
-logfac=local2
+logfac=auth
 goodpri=notice
 badpri=alert
 loglen=80
@@ -4159,8 +4159,6 @@ $as_echo "syslog" >&6; }
 fi
 
 
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking which syslog facility sudo should log with" >&5
-$as_echo_n "checking which syslog facility sudo should log with... " >&6; }
 
 # Check whether --with-logfac was given.
 if test "${with_logfac+set}" = set; then :
@@ -4177,13 +4175,6 @@ esac
 fi
 
 
-cat >>confdefs.h <<_ACEOF
-#define LOGFAC "$logfac"
-_ACEOF
-
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $logfac" >&5
-$as_echo "$logfac" >&6; }
-
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking at which syslog priority to log commands" >&5
 $as_echo_n "checking at which syslog priority to log commands... " >&6; }
 
@@ -6586,13 +6577,13 @@ if test "${lt_cv_nm_interface+set}" = set; then :
 else
   lt_cv_nm_interface="BSD nm"
   echo "int some_variable = 0;" > conftest.$ac_ext
-  (eval echo "\"\$as_me:6589: $ac_compile\"" >&5)
+  (eval echo "\"\$as_me:6580: $ac_compile\"" >&5)
   (eval "$ac_compile" 2>conftest.err)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:6592: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
+  (eval echo "\"\$as_me:6583: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
   (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:6595: output\"" >&5)
+  (eval echo "\"\$as_me:6586: output\"" >&5)
   cat conftest.out >&5
   if $GREP 'External.*some_variable' conftest.out > /dev/null; then
     lt_cv_nm_interface="MS dumpbin"
@@ -7797,7 +7788,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 7800 "configure"' > conftest.$ac_ext
+  echo '#line 7791 "configure"' > conftest.$ac_ext
   if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -9190,11 +9181,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9193: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9184: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:9197: \$? = $ac_status" >&5
+   echo "$as_me:9188: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -9529,11 +9520,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9532: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9523: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:9536: \$? = $ac_status" >&5
+   echo "$as_me:9527: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -9634,11 +9625,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9637: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9628: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:9641: \$? = $ac_status" >&5
+   echo "$as_me:9632: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -9689,11 +9680,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9692: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9683: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:9696: \$? = $ac_status" >&5
+   echo "$as_me:9687: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -12056,7 +12047,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12059 "configure"
+#line 12050 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -12152,7 +12143,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12155 "configure"
+#line 12146 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -13505,6 +13496,32 @@ $as_echo "not found" >&6; }
 fi
 
 fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking which syslog facility sudo should log with" >&5
+$as_echo_n "checking which syslog facility sudo should log with... " >&6; }
+if test X"$with_logfac" = X""; then
+    cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <syslog.h>
+int
+main ()
+{
+int i = LOG_AUTHPRIV; (void)i;
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  logfac=authpriv
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+
+cat >>confdefs.h <<_ACEOF
+#define LOGFAC "$logfac"
+_ACEOF
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $logfac" >&5
+$as_echo "$logfac" >&6; }
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5
 $as_echo_n "checking for ANSI C header files... " >&6; }
 if test "${ac_cv_header_stdc+set}" = set; then :
@@ -18706,7 +18723,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by sudo $as_me 1.7.4b4, which was
+This file was extended by sudo $as_me 1.7.4, which was
 generated by GNU Autoconf 2.65.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -18772,7 +18789,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-sudo config.status 1.7.4b4
+sudo config.status 1.7.4
 configured by $0, generated by GNU Autoconf 2.65,
   with options \\"\$ac_cs_config\\"
 

diff --git a/configure.in b/configure.in
index fcdf2d768c433f2431b45fcac02b508068b5af37..9c007bec62272e021a52fba38909427b90b2ca79 100644 (file)
--- a/configure.in
+++ b/configure.in
@@ -3,7 +3,7 @@ dnl Process this file with GNU autoconf to produce a configure script.
 dnl
 dnl Copyright (c) 1994-1996,1998-2010 Todd C. Miller <Todd.Miller@courtesan.com>
 dnl
-AC_INIT([sudo], [1.7.4b4], [http://www.sudo.ws/bugs/], [sudo])
+AC_INIT([sudo], [1.7.4], [http://www.sudo.ws/bugs/], [sudo])
 AC_CONFIG_HEADER(config.h pathnames.h)
 dnl
 dnl This won't work before AC_INIT
@@ -99,7 +99,7 @@ sudo_umask=0022
 passprompt="Password:"
 long_otp_prompt=off
 lecture=once
-logfac=local2
+logfac=auth
 goodpri=notice
 badpri=alert
 loglen=80
@@ -515,8 +515,7 @@ AC_ARG_WITH(logging, [AS_HELP_STRING([--with-logging], [log via syslog, file, or
                ;;
 esac], [AC_DEFINE(LOGGING, SLOG_SYSLOG) AC_MSG_RESULT(syslog)])
 
-AC_MSG_CHECKING(which syslog facility sudo should log with)
-AC_ARG_WITH(logfac, [AS_HELP_STRING([--with-logfac], [syslog facility to log with (default is "local2")])],
+AC_ARG_WITH(logfac, [AS_HELP_STRING([--with-logfac], [syslog facility to log with (default is "auth")])],
 [case $with_logfac in
     yes)       AC_MSG_ERROR(["must give --with-logfac an argument."])
                ;;
@@ -527,8 +526,6 @@ AC_ARG_WITH(logfac, [AS_HELP_STRING([--with-logfac], [syslog facility to log wit
     *)         AC_MSG_ERROR(["$with_logfac is not a supported syslog facility."])
                ;;
 esac])
-AC_DEFINE_UNQUOTED(LOGFAC, "$logfac", [The syslog facility sudo will use.])
-AC_MSG_RESULT($logfac)
 
 AC_MSG_CHECKING(at which syslog priority to log commands)
 AC_ARG_WITH(goodpri, [AS_HELP_STRING([--with-goodpri], [syslog priority for commands (def is "notice")])],
@@ -1842,6 +1839,15 @@ if test -z "$with_editor"; then
     SUDO_PROG_VI
 fi
 dnl
+dnl Check for authpriv support in syslog
+dnl
+AC_MSG_CHECKING(which syslog facility sudo should log with)
+if test X"$with_logfac" = X""; then
+    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <syslog.h>]], [[int i = LOG_AUTHPRIV; (void)i;]])], [logfac=authpriv])
+fi
+AC_DEFINE_UNQUOTED(LOGFAC, "$logfac", [The syslog facility sudo will use.])
+AC_MSG_RESULT($logfac)
+dnl
 dnl Header file checks
 dnl
 AC_HEADER_STDC

diff --git a/sample.syslog.conf b/sample.syslog.conf
index 2effbab72aad76e385191006a4eb2ed87da5e4e8..686cd19311174febd062c30c86f6877e77507256 100644 (file)
--- a/sample.syslog.conf
+++ b/sample.syslog.conf
@@ -1,10 +1,9 @@
 # This is a sample syslog.conf fragment for use with Sudo.
 #
-# Sudo logs to local2 by default, but this is changable via the
-# --with-logfac configure option.  To see what syslog facility
-# a sudo binary uses, run `sudo -V' as *root*.  You may have
-# to check /usr/include/syslog.h to map the facility number to
-# a name.
+# By default, sudo logs to "authpriv" if your system supports it, else it
+# uses "auth".  The facility can be set via the --with-logfac configure
+# option or in the sudoers file.
+# To see what syslog facility a sudo binary uses, run `sudo -V' as *root*.
 #
 # NOTES:
 #      The whitespace in the following line is made up of <TAB>
@@ -17,9 +16,11 @@
 #      create the file before syslogd will log to it.  Eg.
 #      'touch /var/log/sudo'
 
-# This logs successful and failed sudo attempts to the file /var/log/sudo
-local2.debug                                   /var/log/sudo
+# This logs successful and failed sudo attempts to the file /var/log/auth
+# If your system has the authpriv syslog facility, use authpriv.debug
+auth.debug                                     /var/log/auth
 
 # To log to a remote machine, use something like the following,
 # where "loghost" is the name of the remote machine.
-local2.debug                                   @loghost
+# If your system has the authpriv syslog facility, use authpriv.debug
+auth.debug                                     @loghost

diff --git a/sudoers.cat b/sudoers.cat
index 0ad1b77bdecb6757fef1b8ce47bf57ee90102ea1..1649855355e81738e90abccde5cbc42c7c7dcdee 100644 (file)
--- a/sudoers.cat
+++ b/sudoers.cat
@@ -1258,7 +1258,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
-                   to disable syslog logging).  Defaults to local2.
+                   to disable syslog logging).  Defaults to auth.
 
        verifypw    This option controls when a password will be required when
                    a user runs s\bsu\bud\bdo\bo with the -\b-v\bv option.  It has the following