Bug 966

Summary: log diffs on visudo invocation
Product: Sudo Reporter: Marc Haber <mh+sudo-bugzilla>
Component: VisudoAssignee: Todd C. Miller <Todd.Miller>
Status: NEW ---    
Severity: enhancement    
Priority: low    
Version: 1.9.5   
Hardware: PC   
OS: Linux   
URL: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=446361

Description Marc Haber 2021-02-25 11:49:40 MST 
This is a forwarded issue from Martin F. Krafft from the Debian BTS:

It would be awesome if visudo could put a diff of changes into
/var/log/sudo. Should be trivial, since we have /etc/sudoers.tmp
anyway, so when the editor finishes and the syntax check passed,
something along the following logic would do:

LOGDIR=/var/log/sudo
TIMESTAMP=$(/bin/date +'%Y.%m.%d.%H.%M.%S')
LOGNAME=${SUDO_USER:-$USER}
# include pts somehow?
LOGFILE=${LOGDIR}/lsh.${TIMESTAMP}.${LOGNAME}
# non-racy check for logfile existence
diff -abBdEtuw /etc/sudoers /etc/sudoers.tmp > $LOGFILE
Comment 1 Todd C. Miller 2021-02-25 11:52:15 MST 
Integration with a revision control system (e.g. git) might be a better solution.
Comment 2 Marc Haber 2021-02-25 12:20:13 MST 
Putting sudoers under version control is too big a hammer for the issue. Generating a diff and dumping it to a file or syslog is a pretty small change and this way all systems having sudo installed will profit. Have to agree with Martin here.