From: Todd C. Miller Date: Mon, 2 Feb 2015 22:01:06 +0000 (-0700) Subject: Don't send mail about pseudo-command failure unless it is an X-Git-Tag: SUDO_1_8_12^2~19 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ed4ffa626538037592ad86589e68063d9a7a3929;p=sudo Don't send mail about pseudo-command failure unless it is an authentication failure. --- diff --git a/NEWS b/NEWS index 49828e02a..e4769e46d 100644 --- a/NEWS +++ b/NEWS @@ -61,6 +61,9 @@ What's new in Sudo 1.8.12 `+' prefix and checking whether the user is a member of any of the returned netgroups. + * The mail_always sudoers option no longer sends mail for "sudo -l" + or "sudo -v" unless the user is unable to authenticate themselves. + What's new in Sudo 1.8.11p2 * Fixed a bug where dynamic shared objects loaded from a plugin diff --git a/doc/sudoers.cat b/doc/sudoers.cat index 68822a8ab..8261801a3 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat @@ -75,9 +75,12 @@ DDEESSCCRRIIPPTTIIOONN mail is configurable via the _m_a_i_l_t_o Defaults entry (described later) and defaults to root. - Note that mail will not be sent if an unauthorized user tries to run ssuuddoo - with the --ll or --vv option. This allows users to determine for themselves - whether or not they are allowed to use ssuuddoo. + Note that no mail will be sent if an unauthorized user tries to run ssuuddoo + with the --ll or --vv option unless there is an authentication error and + either the _m_a_i_l___a_l_w_a_y_s or _m_a_i_l___b_a_d_p_a_s_s flags are enabled. This allows + users to determine for themselves whether or not they are allowed to use + ssuuddoo. All attempts to run ssuuddoo (successful or not) will be logged, + regardless of whether or not mail is sent. If ssuuddoo is run by root and the SUDO_USER environment variable is set, the _s_u_d_o_e_r_s policy will use this value to determine who the actual user is. @@ -174,7 +177,7 @@ DDEESSCCRRIIPPTTIIOONN _e_n_v___r_e_s_e_t. The DISPLAY, PATH and TERM variables remain unchanged; HOME, MAIL, SHELL, USER, and LOGNAME are set based on the target user. On AIX (and Linux systems without PAM), the contents of _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t are - also included. On BSD systems, if the _u_s_e___l_o_g_i_n_c_l_a_s_s option is enabled, + also included. On BSD systems, if the _u_s_e___l_o_g_i_n_c_l_a_s_s flag is enabled, the _p_a_t_h and _s_e_t_e_n_v variables in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f are also applied. All other environment variables are removed. @@ -1047,8 +1050,12 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS some people find it more convenient. This flag is _o_f_f by default. - mail_always Send mail to the _m_a_i_l_t_o user every time a user runs - ssuuddoo. This flag is _o_f_f by default. + mail_always Send mail to the _m_a_i_l_t_o user every time a user attempts + to run a command via ssuuddoo. Mail will be sent for both + successful and unsuccessful attempts. No mail will be + sent if the user runs ssuuddoo with the --ll or --vv option + unless there is an authentication error. This flag is + _o_f_f by default. mail_badpass Send mail to the _m_a_i_l_t_o user if the user running ssuuddoo does not enter the correct password. If the command @@ -2356,4 +2363,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or http://www.sudo.ws/license.html for complete details. -Sudo 1.8.12 December 4, 2014 Sudo 1.8.12 +Sudo 1.8.12 January 21, 2015 Sudo 1.8.12 diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index d6896f6fe..dca9897a1 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in @@ -1,7 +1,7 @@ .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! .\" IT IS GENERATED AUTOMATICALLY FROM sudoers.mdoc.in .\" -.\" Copyright (c) 1994-1996, 1998-2005, 2007-2014 +.\" Copyright (c) 1994-1996, 1998-2005, 2007-2015 .\" Todd C. Miller .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -21,7 +21,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.TH "SUDOERS" "5" "December 4, 2014" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDOERS" "5" "January 21, 2015" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" @@ -172,17 +172,25 @@ Defaults entry (described later) and defaults to \fR@mailto@\fR. .PP -Note that mail will not be sent if an unauthorized user tries to -run +Note that no mail will be sent if an unauthorized user tries to run \fBsudo\fR with the \fB\-l\fR or \fB\-v\fR -option. +option unless there is an authentication error and +either the +\fImail_always\fR +or +\fImail_badpass\fR +flags are enabled. This allows users to determine for themselves whether or not they are allowed to use \fBsudo\fR. +All attempts to run +\fBsudo\fR +(successful or not) +will be logged, regardless of whether or not mail is sent. .PP If \fBsudo\fR @@ -440,7 +448,7 @@ are also included. On BSD systems, if the \fIuse_loginclass\fR -option is +flag is enabled, the \fIpath\fR and @@ -2218,8 +2226,16 @@ by default. mail_always Send mail to the \fImailto\fR -user every time a user runs +user every time a user attempts to run a command via \fBsudo\fR. +Mail will be sent for both successful and unsuccessful attempts. +No mail will be sent if the user runs +\fBsudo\fR +with the +\fB\-l\fR +or +\fB\-v\fR +option unless there is an authentication error. This flag is \fIoff\fR by default. diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index d2cab447c..41b74c2dc 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in @@ -1,5 +1,5 @@ .\" -.\" Copyright (c) 1994-1996, 1998-2005, 2007-2014 +.\" Copyright (c) 1994-1996, 1998-2005, 2007-2015 .\" Todd C. Miller .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -19,7 +19,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.Dd December 4, 2014 +.Dd January 21, 2015 .Dt SUDOERS @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -160,17 +160,25 @@ Defaults entry (described later) and defaults to .Li @mailto@ . .Pp -Note that mail will not be sent if an unauthorized user tries to -run +Note that no mail will be sent if an unauthorized user tries to run .Nm sudo with the .Fl l or .Fl v -option. +option unless there is an authentication error and +either the +.Em mail_always +or +.Em mail_badpass +flags are enabled. This allows users to determine for themselves whether or not they are allowed to use .Nm sudo . +All attempts to run +.Nm sudo +(successful or not) +will be logged, regardless of whether or not mail is sent. .Pp If .Nm sudo @@ -426,7 +434,7 @@ are also included. On BSD systems, if the .Em use_loginclass -option is +flag is enabled, the .Em path and @@ -2075,8 +2083,16 @@ by default. .It mail_always Send mail to the .Em mailto -user every time a user runs +user every time a user attempts to run a command via .Nm sudo . +Mail will be sent for both successful and unsuccessful attempts. +No mail will be sent if the user runs +.Nm sudo +with the +.Fl l +or +.Fl v +option unless there is an authentication error. This flag is .Em off by default. diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c index 8b4c5bf18..2b6693178 100644 --- a/plugins/sudoers/logging.c +++ b/plugins/sudoers/logging.c @@ -364,7 +364,7 @@ log_auth_failure(int status, unsigned int tries) SET(flags, SLOG_SEND_MAIL); } else { /* Command denied, auth failed; make sure we don't send mail twice. */ - if (def_mail_badpass && !should_mail(status)) + if ((def_mail_badpass || def_mail_always) && !should_mail(status)) SET(flags, SLOG_SEND_MAIL); /* Don't log the bad password message, we'll log a denial instead. */ SET(flags, SLOG_NO_LOG); @@ -756,6 +756,10 @@ should_mail(int status) { debug_decl(should_mail, SUDOERS_DEBUG_LOGGING) + /* Never send mail about the "sudo -l" and "sudo -v" pseudo-commands. */ + if (ISSET(sudo_mode, (MODE_VALIDATE|MODE_CHECK|MODE_LIST))) + debug_return_bool(false); + debug_return_bool(def_mail_always || (def_mail_no_user && ISSET(status, FLAG_NO_USER)) || (def_mail_no_host && ISSET(status, FLAG_NO_HOST)) ||