Red Hat Bugzilla – Bug 1270927
ksu doesn't properly log auth failures
Last modified: 2018-06-01 14:36:56 EDT
Description of problem:
I'm looking to switch from sudo to .k5users, but the logging is reduced
sudo: riehecky : TTY=pts/2 ; PWD=/home/riehecky ; USER=root ;
ksu: pam_unix(ksu:session): session opened for user root by
Can the logging be increased so that the command and its arguments is
Version-Release number of selected component (if applicable): krb5-1.12.2-15.el7_1
Steps to Reproduce:
1.grant 'someuser' sudo rights to run /bin/ls
2.echo 'someuser@EXAMPLE.COM /bin/ls' > /root/.k5users
4.ksu -e /bin/ls
Actual results:
sudo logs the command executed
ksu logs as though the user acquired a full shell
Expected results:
ksu logs the action performed in a similar manner to sudo
My read of the current state is:
- If the source user is root, no message will be logged.
- If the source user is not root and there's no cmd, a successful or failed auth message is logged.
- If the source user is not root, there's a command, and auth succeeds, a message is logged (syslog at NOTICE) which says something like
"Account TARGET: authorization for CLIENT for execution of CMD successful".
- If the source user is not root, there's a command, and auth fails, a message is logged (syslog at WARNING) which says something like
"Account TARGET: authorization for CLIENT for execution of CMD failed".
Does that match what you're seeing? And if so, what part of that (if any) are you requesting improvement in?
I'm not seeing the second two (Account TARGET:...) appear in syslog.
$ ksu testuser -e /bin/ls
account testuser: authorization failed
However, I don't show anything logged to secure or messages for execution for non-root target accounts.
I do show a success message for running as root:
$ ksu -e /bin/ls
Account root: authorization for riehecky@FNAL.GOV for execution of
==> messages <==
Apr 12 08:18:30 test ksu: Account root: authorization for riehecky@FNAL.GOV for execution of /bin/ls successful
I definitely see the non-root success:
may 07 14:50:16 freeipa.rharwood.biz ksu: 'ksu left' authenticated right@RHARWOOD.BIZ for right on /dev/pts/0
may 07 14:50:16 freeipa.rharwood.biz ksu: Account left: authorization for right@RHARWOOD.BIZ for execution of /bin/ls successful
Failures for non-root users (regardless of whether they're running a command, or their target user) don't seem to show up.
Let me see what I can do.
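Added example, not part of this bug, of krb5 or of sudo: a small normaliser that turns the sudo and ksu syslog lines quoted in this report (the sudo `COMMAND=` line, the `Account TARGET: authorization for CLIENT for execution of CMD successful|failed` line, and the `'ksu TARGET' authenticated CLIENT for SRC on TTY` line) into one privileged-execution schema, so a detection rule can treat a `.k5users` execution the same way it treats a sudo one. The sample lines are constructed from the formats above; the sudo line is completed with the `COMMAND=` field that the quote truncates, and the two `testuser` lines are made up to show what a logged failure, and an authentication with no logged authorization decision, would look like. The pairing heuristic in `ksu_authn_without_authz` assumes the authentication line is still emitted when authorization fails silently, which the report does not confirm.

```python
"""Normalise sudo and ksu syslog lines into one privileged-execution schema.

Added example for this bug report; not krb5, sudo or Red Hat code. Regexes
follow the message formats quoted in the report; SAMPLE_LOGS is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>sudo|ksu)(?:\[\d+\])?: (?P<msg>.*)$"
)
# sudo: "riehecky : TTY=pts/2 ; PWD=/home/riehecky ; USER=root ; COMMAND=/bin/ls"
SUDO_RE = re.compile(
    r"^(?P<actor>\S+) : TTY=(?P<tty>\S+) ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)
# ksu authorization outcome (the line this bug is about):
# "Account root: authorization for riehecky@FNAL.GOV for execution of /bin/ls successful"
KSU_AUTHZ_RE = re.compile(
    r"^Account (?P<target>\S+): authorization for (?P<actor>\S+) for execution of "
    r"(?P<cmd>.+) (?P<outcome>successful|failed)$"
)
# ksu authentication: "'ksu left' authenticated right@RHARWOOD.BIZ for right on /dev/pts/0"
KSU_AUTHN_RE = re.compile(
    r"^'ksu (?P<target>\S+)' authenticated (?P<actor>\S+) for \S+ on (?P<tty>\S+)$"
)

# Constructed sample; lines 1, 5 and 6 are invented, the rest mirror the report.
SAMPLE_LOGS = [
    "Apr 12 08:18:30 test sudo: riehecky : TTY=pts/2 ; PWD=/home/riehecky ; USER=root ; COMMAND=/bin/ls",
    "Apr 12 08:18:30 test ksu: Account root: authorization for riehecky@FNAL.GOV for execution of /bin/ls successful",
    "may 07 14:50:16 freeipa.rharwood.biz ksu: 'ksu left' authenticated right@RHARWOOD.BIZ for right on /dev/pts/0",
    "may 07 14:50:16 freeipa.rharwood.biz ksu: Account left: authorization for right@RHARWOOD.BIZ for execution of /bin/ls successful",
    "may 07 14:52:41 freeipa.rharwood.biz ksu: 'ksu testuser' authenticated right@RHARWOOD.BIZ for right on /dev/pts/0",
    "Apr 12 08:20:05 test ksu: Account testuser: authorization for riehecky@FNAL.GOV for execution of /bin/ls failed",
]


@dataclass(frozen=True)
class PrivEvent:
    tool: str               # "sudo" or "ksu"
    stage: str              # "authn" (ksu only) or "authz"
    actor: str              # local user (sudo) or Kerberos principal (ksu)
    target: str             # account the command runs as
    command: Optional[str]  # None on the ksu authentication line
    outcome: str            # "success", "failure", or "unknown" for authn lines
    tty: Optional[str]


def parse_line(line: str) -> Optional[PrivEvent]:
    """Return a PrivEvent for a recognised sudo/ksu line, else None."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    prog, msg = m["prog"], m["msg"]
    if prog == "sudo":
        s = SUDO_RE.match(msg)
        return PrivEvent("sudo", "authz", s["actor"], s["target"], s["cmd"], "success", s["tty"]) if s else None
    z = KSU_AUTHZ_RE.match(msg)
    if z:
        outcome = "success" if z["outcome"] == "successful" else "failure"
        return PrivEvent("ksu", "authz", z["actor"], z["target"], z["cmd"], outcome, None)
    n = KSU_AUTHN_RE.match(msg)
    if n:
        return PrivEvent("ksu", "authn", n["actor"], n["target"], None, "unknown", n["tty"])
    return None  # e.g. the pam_unix session line carries no command or outcome


def parse_lines(lines) -> List[PrivEvent]:
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def ksu_authn_without_authz(events) -> List[PrivEvent]:
    """ksu authentications with no later authorization line for the same (actor, target).

    Heuristic for the gap in this bug (assumes the authn line is still logged
    when the authorization decision is not; the report does not say)."""
    pending: List[PrivEvent] = []
    for e in events:
        if e.tool != "ksu":
            continue
        if e.stage == "authn":
            pending.append(e)
            continue
        for i, p in enumerate(pending):
            if (p.actor, p.target) == (e.actor, e.target):
                del pending[i]
                break
    return pending


if __name__ == "__main__":
    for ev in parse_lines(SAMPLE_LOGS):
        print(ev)
    print("unlogged ksu authorization decisions:", ksu_authn_without_authz(parse_lines(SAMPLE_LOGS)))
```

Until the failure path is logged, the only ksu evidence of a refused `-e` run is the authentication line (if it appears at all), which is why the pairing helper keys on the (principal, target account) pair rather than on the command.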
Just to double-check - the non-root success and failure logging as described in comment#4 would meet your requirements, right? And currently the only missing part of that is the failure logging?
That is all correct.