Bug 442 - sudo not reporting correctly to /var/adm/sulog
Status: RESOLVED INVALID
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.6.9
Hardware: IBM AIX
Importance: low normal
Assigned To: Todd C. Miller
Depends on:
Blocks:
Reported: 2010-09-24 15:27 MDT by Bob
Modified: 2010-09-27 14:29 MDT (History)
Attachments
Patch to set userinfo on AIX (753 bytes, patch)
2010-09-24 16:27 MDT, Todd C. Miller

Description Bob 2010-09-24 15:27:22 MDT
Running AIX 6.1 TL05 SP1 (6100-05-01-1016) and sudo version 1.6.9p15.
When using sudo to su to root, the entry in /var/adm/sulog shows as
root-root even though it was from a user account.  The entry also shows
the time as 7 hours advanced, which aligns to UTC time.
SU 09/17 14:55 + pts/0 bob-root
SU 09/17 21:55 + pts/0 root-root
The first entry is from "su -".  The second entry is from "sudo su -".

We have tested this on various versions of sudo and other AIX versions
with the same results.

Taking one step further, we looked at the syslog and found that it is reporting correctly to the log.
Sep 17 14:55:39 pstech3 local2:notice sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/su -

We have looked at other platforms (Linux and Sun) and the sulog entries
are correct.

Reporting incorrect time in sulog and not displaying correct user does
not allow (very easily) us to determine who su'd or when the entry
happened.

Thank you.
Bob Poirrier
Comment 1 Todd C. Miller 2010-09-24 16:27:33 MDT
Created attachment 294 [details]
Patch to set userinfo on AIX
Comment 2 Todd C. Miller 2010-09-24 16:31:01 MDT
My guess is that su on AIX uses the "userinfo" that is set by the login program.  I've attached a patch backported from sudo 1.7.x to set this in sudo as well.

As far as the timezone goes, you may not be preserving the TZ environment variable.  This should be preserved by default, but if you set the env_keep Defaults option in the sudoers file to a value that doesn't include TZ that would explain this.
Comment 3 Todd C. Miller 2010-09-24 16:45:06 MDT
Sorry, I misread the bug report; that patch will not help you.  The problem is that when you run "sudo su", by the time su is run the process is already root, so it logs "root-root".  That's not really something that can be "fixed" in sudo as, for all intents and purposes, you are running su as root.  Sudo itself will log which user ran su, but su itself has no way of knowing.  It is possible that su on other platforms looks in the utmp file or uses some other mechanism for determining the original.

However, there's really little reason to run su via sudo.  In most cases, running "sudo -i" will behave similarly and sudo does its own logging.
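The point made in comment 3 is the one a defender needs for forensics: a "root-root" sulog line written under "sudo su" carries no trace of the invoking user, but sudo's own syslog line on the same TTY does. The following script is an added example, not part of the bug thread or of sudo; it parses both log formats as they appear in the report above, and for every root-root sulog entry it looks for a sudo syslog entry on the same TTY, within a short window, whose command is su, and attributes the entry to that user. The sulog/syslog timestamp offset the reporter observed (sulog in UTC, syslog in local time) is handled by a `sulog_offset_hours` parameter. The sample log lines are constructed (the bob lines are copied from the report; the alice lines and the year 2010 are assumptions), and a sulog entry whose user name itself contains a hyphen would need a stricter split than the regex used here.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data modelled on the bug report: the "sudo su -" session
# appears in sulog as root-root (7 hours ahead, in UTC), while sudo's syslog
# line names the real user on the same TTY.
SULOG = """\
SU 09/17 14:55 + pts/0 bob-root
SU 09/17 21:55 + pts/0 root-root
SU 09/17 22:10 - pts/2 alice-root
"""

SYSLOG = """\
Sep 17 14:55:39 pstech3 local2:notice sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/su -
Sep 17 14:57:02 pstech3 local2:notice sudo:    alice : TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id
"""

# AIX sulog: SU MM/DD HH:MM [+|-] tty fromuser-touser
SULOG_RE = re.compile(r"^SU (\d\d)/(\d\d) (\d\d):(\d\d) ([+-]) (\S+) (\S+)-(\S+)$")
# sudo syslog line; the facility/priority token after the host is AIX-specific and optional.
SUDO_RE = re.compile(
    r"^(\w{3}) +(\d+) (\d\d):(\d\d):(\d\d) \S+ (?:\S+ )?sudo: +(\S+) : TTY=(\S+) ; "
    r"PWD=\S+ ; USER=(\S+) ; COMMAND=(.+)$"
)
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}


def parse_sulog(text, year):
    """Parse sulog lines into dicts; sulog has no year, so the caller supplies it."""
    entries = []
    for line in text.splitlines():
        m = SULOG_RE.match(line)
        if not m:
            continue
        mon, day, hh, mm, ok, tty, src, dst = m.groups()
        entries.append({"when": datetime(year, int(mon), int(day), int(hh), int(mm)),
                        "ok": ok == "+", "tty": tty, "from": src, "to": dst})
    return entries


def parse_sudo_syslog(text, year):
    """Parse sudo's syslog lines (user, TTY, target user, command)."""
    entries = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue
        mon, day, hh, mm, ss, user, tty, user_to, command = m.groups()
        entries.append({"when": datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss)),
                        "user": user, "tty": tty, "user_to": user_to, "command": command})
    return entries


def attribute_root_su(sulog_entries, sudo_entries, sulog_offset_hours=0, window_minutes=2):
    """Attribute each sulog entry to a real user.

    Entries that already name a non-root source user are taken as-is. A
    root-root entry is matched to a sudo syslog line on the same TTY whose
    command is su and whose time lies within `window_minutes` of the sulog
    time (after correcting the sulog timestamp by `sulog_offset_hours`).
    """
    window = timedelta(minutes=window_minutes)
    results = []
    for e in sulog_entries:
        if not (e["from"] == "root" and e["to"] == "root"):
            results.append({"tty": e["tty"], "when": e["when"], "user": e["from"], "source": "sulog"})
            continue
        local = e["when"] - timedelta(hours=sulog_offset_hours)
        candidates = [s for s in sudo_entries
                      if s["tty"] == e["tty"] and s["user_to"] == "root"
                      and s["command"].split()[0].rsplit("/", 1)[-1] == "su"
                      and abs(s["when"] - local) <= window]
        if len(candidates) == 1:
            results.append({"tty": e["tty"], "when": e["when"], "user": candidates[0]["user"], "source": "sudo-syslog"})
        else:
            results.append({"tty": e["tty"], "when": e["when"], "user": None,
                            "source": "ambiguous" if candidates else "unattributed"})
    return results


if __name__ == "__main__":
    for r in attribute_root_su(parse_sulog(SULOG, 2010), parse_sudo_syslog(SYSLOG, 2010), sulog_offset_hours=7):
        print(f"{r['when']:%m/%d %H:%M} {r['tty']:6} -> {r['user'] or '?'} ({r['source']})")
```

Run with the 7-hour offset the report shows, the root-root line on pts/0 is attributed to bob from sudo's syslog entry 39 seconds earlier; with no offset the same line stays unattributed, which is why fixing the TZ handling (comment 5) matters for correlation as well as for readability.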
Comment 4 Bob 2010-09-24 17:58:11 MDT
(In reply to comment #3)
> Sorry, I misread the bug report; that patch will not help you.  The problem is
> that when you run "sudo su", by the time su is run the process is already root,
> so it logs "root-root".  That's not really something that can be "fixed" in
> sudo as, for all intents and purposes, you are running su as root.  Sudo itself
> will log which user ran su, but su itself has no way of knowing.  It is
> possible that su on other platforms look in the utmp file or use some other
> mechanism for determining the original.
> 
> However, there's really little reason to run su via sudo.  In most cases,
> running "sudo -i" will behave similarly and sudo does its own logging.

Thank you very much for your analysis.  Yes, adding the TZ variable to env_keep fixed that problem.  Didn't realize I needed to add it since TZ showed in the listing under Environment variables to preserve.
Comment 5 Todd C. Miller 2010-09-27 14:29:58 MDT
TZ is indeed in the default env_keep list, but if you assign env_keep to a new value (as opposed to just adding to it), you lose the old contents.

For example:

# This overrides old env_keep value
Defaults env_keep = "ODMDIR"

# This just adds to env_keep
Defaults env_keep += "ODMDIR"
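The difference between the two sudoers lines above is easy to miss in a large file, and the symptom (a wrong timezone in sulog) is far from the cause. The following is an added example, not part of the bug thread or of sudo: a small evaluator that applies `Defaults env_keep` lines in order with the `=`, `+=` and `-=` semantics sudoers uses, starting from a stand-in for the compiled-in default list, and reports when a line resets the list or when TZ no longer survives. The page confirms TZ is in the real default list; the other names in `DEFAULT_ENV_KEEP` are constructed, and an audit of a real host should take the list from `sudo -V`.

```python
import re

# Stand-in for sudo's compiled-in default env_keep list. The bug thread
# confirms TZ is in the real default; the other names are constructed here.
DEFAULT_ENV_KEEP = ["COLORS", "DISPLAY", "HOSTNAME", "HISTSIZE", "LANG", "LC_ALL", "TZ"]

# Matches:  Defaults env_keep [= | += | -=] "NAME NAME ..."
ENV_KEEP_RE = re.compile(r'^\s*Defaults\s+env_keep\s*(\+=|-=|=)\s*(.*?)\s*$')

# Constructed sudoers fragments, taken from comment 5 above.
OVERRIDE_SUDOERS = """\
# This overrides old env_keep value
Defaults env_keep = "ODMDIR"
"""
ADD_SUDOERS = """\
# This just adds to env_keep
Defaults env_keep += "ODMDIR"
"""


def evaluate_env_keep(sudoers_text, base=DEFAULT_ENV_KEEP):
    """Apply each env_keep Defaults line in order and return the resulting list.

    '=' replaces the whole list (dropping the compiled-in defaults, TZ included),
    '+=' appends names, '-=' removes them.
    """
    keep = list(base)
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0]          # drop comments
        m = ENV_KEEP_RE.match(line)
        if not m:
            continue
        op, value = m.groups()
        names = value.strip('"').split()
        if op == "=":
            keep = names
        elif op == "+=":
            keep.extend(n for n in names if n not in keep)
        else:
            keep = [n for n in keep if n not in names]
    return keep


def audit_env_keep(sudoers_text, required=("TZ",)):
    """Return findings: any line that resets env_keep, and any required
    variable that is not preserved once all lines are applied."""
    findings = []
    for lineno, raw in enumerate(sudoers_text.splitlines(), 1):
        m = ENV_KEEP_RE.match(raw.split("#", 1)[0])
        if m and m.group(1) == "=":
            findings.append(f"line {lineno}: 'env_keep =' replaces the default list; use '+=' to add to it")
    final = evaluate_env_keep(sudoers_text)
    for var in required:
        if var not in final:
            findings.append(f"{var} is no longer preserved")
    return findings


if __name__ == "__main__":
    for label, text in (("override", OVERRIDE_SUDOERS), ("add", ADD_SUDOERS)):
        print(label, "->", evaluate_env_keep(text), audit_env_keep(text) or "ok")
```

With the `=` form the resulting list is just `["ODMDIR"]` and the audit flags both the reset and the loss of TZ; with `+=` the default list, TZ included, survives and ODMDIR is appended.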