Description of problem:
I'm looking to switch from sudo to .k5users, but the logging is reduced
sudo: riehecky : TTY=pts/2 ; PWD=/home/riehecky ; USER=root ;
ksu: pam_unix(ksu:session): session opened for user root by
Can the logging be increased so that the command and its arguments are
Version-Release number of selected component (if applicable): krb5-1.12.2-15.el7_1
Steps to Reproduce:
1. grant 'someuser' sudo rights to run /bin/ls
2. echo 'someuser /bin/ls' >> /root/.k5users
4. ksu -e /bin/ls
sudo logs command executed
ksu logs as though the user acquired a full shell
ksu log action performed in a similar manner to sudo
My read of the current state is:
- If the source user is root, no message will be logged.
- If the source user is not root and there's no cmd, a successful or failed auth message is logged.
- If the source user is not root, there's a command, and auth succeeds, a message is logged (syslog at NOTICE) which says something like
"Account TARGET: authorization for CLIENT for execution of CMD successful".
- If the source user is not root, there's a command, and auth fails, a message is logged (syslog at WARNING) which says something like
"Account TARGET: authorization for CLIENT for execution of CMD failed".
Does that match what you're seeing? And if so, what part of that (if any) are you requesting improvement in?
I'm not seeing the second two (Account TARGET:...) appear in syslog.
$ ksu testuser -e /bin/ls
account testuser: authorization failed
However, I don't show anything logged to secure or messages for execution for non-root target accounts.
I do show a success message for running as root:
$ ksu -e /bin/ls
Account root: authorization for riehecky for execution of
==> messages <==
Apr 12 08:18:30 test ksu: Account root: authorization for riehecky for execution of /bin/ls successful
I definitely see the non-root success:
may 07 14:50:16 freeipa.rharwood.biz ksu: 'ksu left' authenticated right for right on /dev/pts/0
may 07 14:50:16 freeipa.rharwood.biz ksu: Account left: authorization for right for execution of /bin/ls successful
Failures for non-root users (regardless of whether they're running a command, or their target user) don't seem to show up.
Let me see what I can do.
Just to double-check - the non-root success and failure logging as described in comment#4 would meet your requirements, right? And currently the only missing part of that is the failure logging?
That is all correct.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
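
For auditing, the "Account TARGET: authorization for CLIENT for execution of CMD successful/failed" messages discussed in this thread can be pulled out of syslog and turned into per-command records, much like a sudo log. The following is an added example, not part of the original report or of krb5; the function names, the optional `[pid]` in the syslog prefix, and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, namedtuple

KsuEvent = namedtuple("KsuEvent", "timestamp host target client command success")

# Syslog prefix, then the message format quoted in the thread:
#   Account TARGET: authorization for CLIENT for execution of CMD successful|failed
# CMD is matched greedily and the result keyword is anchored at end of line,
# so a command path containing spaces is still captured whole.
KSU_EXEC_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"ksu(?:\[\d+\])?:\s+Account (?P<target>[^\s:]+): authorization for "
    r"(?P<client>\S+) for execution of (?P<command>.+) "
    r"(?P<result>successful|failed)\s*$"
)

# Constructed sample lines (users, host and times are made up).
SAMPLE_LOG = """\
May 07 14:50:16 host1 ksu: Account root: authorization for alice for execution of /bin/ls successful
May 07 14:51:02 host1 ksu: Account root: authorization for bob for execution of /bin/cat failed
May 07 14:51:09 host1 ksu: Account root: authorization for bob for execution of /usr/bin/id failed
May 07 14:52:40 host1 sshd[2300]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
May 07 14:53:00 host1 ksu: Account deploy: authorization for alice for execution of /bin/ls successful
"""


def parse_ksu_line(line):
    """Return a KsuEvent for a ksu command-authorization line, else None."""
    m = KSU_EXEC_RE.match(line)
    if m is None:
        return None
    return KsuEvent(m["timestamp"], m["host"], m["target"], m["client"],
                    m["command"], m["result"] == "successful")


def parse_log(text):
    """Parse every matching line of a syslog excerpt into KsuEvent records."""
    return [e for e in map(parse_ksu_line, text.splitlines()) if e is not None]


def failed_attempts(events):
    """Count failed command authorizations per (client, target) pair."""
    return Counter((e.client, e.target) for e in events if not e.success)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in events:
        print(e)
    print(dict(failed_attempts(events)))
```

On the krb5 build this report was filed against, failure lines were reported as not reaching syslog, so an empty failure count there does not show that no attempt was denied.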