Путеводитель по Руководству Linux

  User  |  Syst  |  Libr  |  Device  |  Files  |  Other  |  Admin  |  Head  |



   sudoers    ( 5 )

плагин политики безопасности sudo по умолчанию (default sudo security policy plugin)

LOG FORMAT

sudoers can log events in either JSON or sudo format, this section
     describes the sudo log format.  Depending on sudoers configuration,
     sudoers can log events via syslog(3), to a local log file, or both.
     The log format is almost identical in both cases.

Accepted command log entries Commands that sudo runs are logged using the following format (split into multiple lines for readability):

date hostname progname: username : TTY=ttyname ; PWD=cwd ; \ USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \ ENV=env_vars COMMAND=command

Where the fields are as follows:

date The date the command was run. Typically, this is in the format 'MMM, DD, HH:MM:SS'. If logging via syslog(3), the actual date format is controlled by the syslog daemon. If logging to a file and the log_year option is enabled, the date will also include the year.

hostname The name of the host sudo was run on. This field is only present when logging via syslog(3).

progname The name of the program, usually sudo or sudoedit. This field is only present when logging via syslog(3).

username The login name of the user who ran sudo.

ttyname The short name of the terminal (e.g., 'console', 'tty01', or 'pts/0') sudo was run on, or 'unknown' if there was no terminal present.

cwd The current working directory that sudo was run in.

runasuser The user the command was run as.

runasgroup The group the command was run as if one was specified on the command line.

logid An I/O log identifier that can be used to replay the command's output. This is only present when the log_input or log_output option is enabled.

env_vars A list of environment variables specified on the command line, if specified.

command The actual command that was executed.

Messages are logged using the locale specified by sudoers_locale, which defaults to the 'C' locale.

Denied command log entries If the user is not allowed to run the command, the reason for the denial will follow the user name. Possible reasons include:

user NOT in sudoers The user is not listed in the sudoers file.

user NOT authorized on host The user is listed in the sudoers file but is not allowed to run commands on the host.

command not allowed The user is listed in the sudoers file for the host but they are not allowed to run the specified command.

3 incorrect password attempts The user failed to enter their password after 3 tries. The actual number of tries will vary based on the number of failed attempts and the value of the passwd_tries option.

a password is required The -n option was specified but a password was required.

sorry, you are not allowed to set the following environment variables The user specified environment variables on the command line that were not allowed by sudoers.

Error log entries If an error occurs, sudoers will log a message and, in most cases, send a message to the administrator via email. Possible errors include:

parse error in /etc/sudoers near line N sudoers encountered an error when parsing the specified file. In some cases, the actual error may be one line above or below the line number listed, depending on the type of error.

problem with defaults entries The sudoers file contains one or more unknown Defaults settings. This does not prevent sudo from running, but the sudoers file should be checked using visudo.

timestamp owner (username): No such user The time stamp directory owner, as specified by the timestampowner setting, could not be found in the password database.

unable to open/read /etc/sudoers The sudoers file could not be opened for reading. This can happen when the sudoers file is located on a remote file system that maps user-ID 0 to a different value. Normally, sudoers tries to open the sudoers file using group permissions to avoid this problem. Consider either changing the ownership of /etc/sudoers or adding an argument like 'sudoers_uid=N' (where 'N' is the user-ID that owns the sudoers file) to the end of the sudoers Plugin line in the sudo.conf(5) file.

unable to stat /etc/sudoers The /etc/sudoers file is missing.

/etc/sudoers is not a regular file The /etc/sudoers file exists but is not a regular file or symbolic link.

/etc/sudoers is owned by uid N, should be 0 The sudoers file has the wrong owner. If you wish to change the sudoers file owner, please add 'sudoers_uid=N' (where 'N' is the user-ID that owns the sudoers file) to the sudoers Plugin line in the sudo.conf(5) file.

/etc/sudoers is world writable The permissions on the sudoers file allow all users to write to it. The sudoers file must not be world-writable, the default file mode is 0440 (readable by owner and group, writable by none). The default mode may be changed via the 'sudoers_mode' option to the sudoers Plugin line in the sudo.conf(5) file.

/etc/sudoers is owned by gid N, should be 1 The sudoers file has the wrong group ownership. If you wish to change the sudoers file group ownership, please add 'sudoers_gid=N' (where 'N' is the group-ID that owns the sudoers file) to the sudoers Plugin line in the sudo.conf(5) file.

unable to open /run/sudo/ts/username sudoers was unable to read or create the user's time stamp file. This can happen when timestampowner is set to a user other than root and the mode on /run/sudo is not searchable by group or other. The default mode for /run/sudo is 0711.

unable to write to /run/sudo/ts/username sudoers was unable to write to the user's time stamp file.

/run/sudo/ts is owned by uid X, should be Y The time stamp directory is owned by a user other than timestampowner. This can occur when the value of timestampowner has been changed. sudoers will ignore the time stamp directory until the owner is corrected.

/run/sudo/ts is group writable The time stamp directory is group-writable; it should be writable only by timestampowner. The default mode for the time stamp directory is 0700. sudoers will ignore the time stamp directory until the mode is corrected.

Notes on logging via syslog By default, sudoers logs messages via syslog(3). The date, hostname, and progname fields are added by the system's syslog() function, not sudoers itself. As such, they may vary in format on different systems.

The maximum size of syslog messages varies from system to system. The syslog_maxlen setting can be used to change the maximum syslog message size from the default value of 980 bytes. For more information, see the description of syslog_maxlen.

Notes on logging to a file If the logfile option is set, sudoers will log to a local file, such as /var/log/sudo. When logging to a file, sudoers uses a format similar to syslog(3), with a few important differences:

1. The progname and hostname fields are not present.

2. If the log_year option is enabled, the date will also include the year.

3. Lines that are longer than loglinelen characters (80 by default) are word-wrapped and continued on the next line with a four character indent. This makes entries easier to read for a human being, but makes it more difficult to use grep(1) on the log files. If the loglinelen option is set to 0 (or negated with a '!'), word wrap will be disabled.