Bug 980

Summary: Log exit status of command run by sudo
Product: Sudo
Reporter: Opty 77 <opty77>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: enhancement
Priority: normal
Version: 1.9.7
Hardware: PC
OS: Linux

Description Opty 77 2021-07-01 05:50:26 MDT
Please log exit status of a command run by sudo in sudoers_policy_close() so one can find out how it ended when reading the log.

Temporary workaround for bash:

# exit status logging sudo
# Start sudo in a background subshell; exec replaces the subshell with sudo,
# so $! is sudo's own PID. Bring the job back to the foreground so the command
# runs interactively, then log its exit status tagged with that PID.
esudo() {
    (sleep 1 && exec sudo "$@") &

    local sudo_pid=$!

    fg

    local sudo_exit_status=$?

    logger --id="$sudo_pid" -t sudo --rfc5424=notq -p authpriv.notice "COMMAND exited with $sudo_exit_status"

    return "$sudo_exit_status"
}
Comment 1 Todd C. Miller 2021-07-01 07:46:51 MDT
The policy close function already receives the program exit status so this would not be difficult to add.  It will need to be configurable though.
Comment 2 Opty 77 2021-07-04 14:25:51 MDT
Yes, hence the reference. :-)

What about log_command_exit_status?

BTW, I opened an issue on GitHub first (https://github.com/sudo-project/sudo/issues/107) but it seems you prefer Bugzilla?
Comment 3 Todd C. Miller 2021-07-10 15:29:31 MDT
I decided on "log_exit_status" for the option in sudoers.  What I have right now will log lines like this when the command exits.

sudo[17752]: millert : TTY=ttyp8 ; PWD=/home/millert ; USER=root ; COMMAND=/bin/echo testing ; EXIT=0

Basically it is the same as the log message when the command is accepted but with an EXIT= field for the exit value.  For commands interrupted by a signal it would look like this:

sudo[17752]: millert : TTY=ttyp8 ; PWD=/home/miller ; USER=root ; COMMAND=/bin/sleep 60 ; SIGNAL=QUIT ; EXIT=131

I suppose I could just log the exit value + signal and rely on the process ID to match it to the command that was run, but since we have the info it seemed reasonable to just display it all.

The JSON version of the logs now uses a UUID to match the exit log record to the accept log record.
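The exit records described above are only useful once something correlates them with the matching accept record. The following is an added example, not code from the sudo project, that parses accept and exit lines in the format shown in this comment, pairs them by the PID in the syslog tag, and flags commands that exited non-zero or were killed by a signal. The syslog prefix and the sample lines are constructed for the example, and the field names in the returned dictionaries are the example's own choices.

```python
import re
import signal

# Constructed sample lines following the format shown in Comment 3, with a
# syslog prefix assumed for the example. One command has no exit record yet.
SAMPLE_LOG = """\
Jul 10 15:20:01 host sudo[17752]: millert : TTY=ttyp8 ; PWD=/home/millert ; USER=root ; COMMAND=/bin/echo testing
Jul 10 15:20:01 host sudo[17752]: millert : TTY=ttyp8 ; PWD=/home/millert ; USER=root ; COMMAND=/bin/echo testing ; EXIT=0
Jul 10 15:21:00 host sudo[17760]: millert : TTY=ttyp8 ; PWD=/home/millert ; USER=root ; COMMAND=/bin/sleep 60
Jul 10 15:21:05 host sudo[17760]: millert : TTY=ttyp8 ; PWD=/home/millert ; USER=root ; COMMAND=/bin/sleep 60 ; SIGNAL=QUIT ; EXIT=131
Jul 10 15:22:00 host sudo[17801]: millert : TTY=ttyp8 ; PWD=/home/millert ; USER=root ; COMMAND=/usr/bin/systemctl restart sshd
"""

# COMMAND= is the free-text tail of the record, so it is matched non-greedily
# and the optional SIGNAL=/EXIT= fields are anchored to end of line. That way
# a " ; EXIT=" inside the command's own arguments does not end the command early.
LINE_RE = re.compile(
    r"sudo\[(?P<pid>\d+)\]: (?P<user>\S+) : (?P<fields>.*?) ; COMMAND=(?P<command>.*?)"
    r"(?: ; SIGNAL=(?P<signal>[A-Z0-9]+))?(?: ; EXIT=(?P<exit>\d+))?$"
)


def parse_record(line):
    """Parse one sudo syslog line into a dict, or return None if it is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    fields = dict(f.split("=", 1) for f in m.group("fields").split(" ; ") if "=" in f)
    return {
        "pid": int(m.group("pid")),
        "user": m.group("user"),
        "tty": fields.get("TTY"),
        "pwd": fields.get("PWD"),
        "runas": fields.get("USER"),
        "command": m.group("command"),
        "signal": m.group("signal"),
        "exit": int(m.group("exit")) if m.group("exit") is not None else None,
    }


def correlate(lines):
    """Pair exit records with accept records by PID.

    Returns (completed, pending): completed exit records, each marked with
    whether a matching accept record was seen, and accept records still
    waiting for an exit record.
    """
    pending = {}
    completed = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["exit"] is None:
            pending[rec["pid"]] = rec  # accept record: remember until exit seen
        else:
            accept = pending.pop(rec["pid"], None)
            completed.append({**rec, "matched": accept is not None})
    return completed, list(pending.values())


def flag_abnormal(completed):
    """Select completed commands that failed or were terminated by a signal."""
    return [r for r in completed if r["exit"] != 0 or r["signal"] is not None]


def describe(rec):
    """One-line summary; for signal deaths, cross-check EXIT against 128+signo."""
    if rec["signal"] is not None:
        signo = rec["exit"] - 128
        name = signal.Signals(signo).name[3:] if signo > 0 else "?"
        consistent = "consistent" if name == rec["signal"] else "INCONSISTENT"
        return (f"pid {rec['pid']}: {rec['command']} killed by SIG{rec['signal']} "
                f"(exit {rec['exit']}, {consistent})")
    return f"pid {rec['pid']}: {rec['command']} exited {rec['exit']}"


if __name__ == "__main__":
    done, open_cmds = correlate(SAMPLE_LOG.splitlines())
    for r in flag_abnormal(done):
        print(describe(r))
    for r in open_cmds:
        print(f"pid {r['pid']}: {r['command']} has no exit record yet")
```

Pairing by PID works within one boot and one host; across log rotation or PID reuse the JSON log's UUID mentioned above is the more robust key, and the same correlation logic applies with the UUID in place of the PID.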
Comment 4 Opty 77 2021-07-12 06:28:33 MDT
I was thinking about just log_exit_status too but unsure about ambiguity.

I chose PID in my workaround because COMMAND may become big when using something like "sudo grep something /var/log/secure*" on plenty of logs. But you have to use syslog_pid.

I like that you added the SIGNAL.
Comment 5 Todd C. Miller 2021-09-13 10:29:45 MDT
Sudo 1.9.8 will now log exit records if the log_exit_status option is enabled.
Comment 6 Opty 77 2021-12-05 04:43:07 MST
Works, thanks!