Bug 497 - When LOG_INPUT and/or LOG_OUTPUT is used, the original userid is set to the effective userid
Status: RESOLVED WONTFIX
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.7.4
Hardware: IBM AIX
Importance: low normal
Assigned To: Todd C. Miller
Reported: 2011-06-08 08:45 MDT by Peter-Paul Noordhuis
Modified: 2011-06-08 09:07 MDT (History)

Description Peter-Paul Noordhuis 2011-06-08 08:45:08 MDT
When the options LOG_INPUT and/or LOG_OUTPUT are used to capture the output of the sudo command, I noticed that the original userid has been reset to the effective userid and an additional pseudo terminal is created.

We have individual history logging, so we can see who has performed what under each account, because a lot of users are using the root account (or any other shared account).
So when we use the I/O logging within sudo, all history logging is placed into one file and messes up the individual history logging greatly.

----------------------------------------------------------------
AN EXAMPLE:
NO use of LOG_INPUT and/or LOG_OUTPUT:
peterp@server(/home/peterp)$ who am i
peterp    pts/0       Jun  8 11:22     (thinkpad)
peterp@server(/home/peterp)$ sudo su -
Password:
root@server(/home/root)# whoami                 # <<< effective userid
root
root@server(/home/root)# who am i               # <<< Original userid
peterp    pts/0       Jun 08 11:22     (thinkpad)

root@server(/home/root)# cat /etc/sudoers |grep CMD_SUDO_ROOT
Cmnd_Alias     CMD_SUDO_ROOT = /usr/bin/su -
%rootgrp       ALL = (ALL) CMD_SUDO_ROOT
root@server(/home/root)#
----------------------------------------------------------------

----------------------------------------------------------------
An example, with the use of LOG_INPUT and/or LOG_OUTPUT:

peterp@server(/home/peterp)$ 
Connection to server closed.
peterp@thinkpad(/home/peterp)$ ssh server
peterp@server(/home/peterp)$ whoami
peterp
peterp@server(/home/peterp)$ sudo su -
Password:
root@server(/home/root)# whoami                 # <<< effective userid
root
root@server(/home/root)# who am i               # <<< Original userid
root      pts/1 
root@server(/home/root)# cat /etc/sudoers |grep CMD_SUDO_ROOT
Cmnd_Alias     CMD_SUDO_ROOT = /usr/bin/su -
%rootgrp       ALL = (ALL) LOG_INPUT: LOG_OUTPUT: CMD_SUDO_ROOT
root@server(/home/root)#
----------------------------------------------------------------
Comment 1 Todd C. Miller 2011-06-08 09:07:06 MDT
The "who" command uses the utmp file to determine the user name.  What you are seeing is due to sudo not creating a utmp entry for the pseudo terminal the command is being run in.

This will not be changed in sudo 1.7.x as that branch only receives critical bug fixes.  Upgrading to sudo 1.8.1p2 should resolve the issue for you as it will create a utmp entry for the pty that the command runs in.
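
The utmp lookup described in Comment 1, as an added example (not code from sudo or from any who implementation): it searches utmp-style records for the terminal the command runs on. The record table is constructed sample data, and the fallback to the effective user name when no record exists is an assumption modelled on the "root pts/1" output in the report.

```c
#include <stdio.h>
#include <string.h>
#include <utmpx.h>

/* Find the USER_PROCESS record for terminal `line` (e.g. "pts/0").
 * Returns 1 and copies the login name to `out`, or 0 when no record exists. */
static int utmp_user_for_line(const struct utmpx *recs, size_t n,
                              const char *line, char *out, size_t outlen)
{
    if (outlen == 0)
        return 0;
    for (size_t i = 0; i < n; i++) {
        if (recs[i].ut_type != USER_PROCESS)
            continue;
        /* ut_line and ut_user are fixed-size and need not be NUL-terminated */
        if (strncmp(recs[i].ut_line, line, sizeof recs[i].ut_line) != 0)
            continue;
        const char *nul = memchr(recs[i].ut_user, '\0', sizeof recs[i].ut_user);
        size_t len = nul ? (size_t)(nul - recs[i].ut_user) : sizeof recs[i].ut_user;
        if (len >= outlen)
            len = outlen - 1;
        memcpy(out, recs[i].ut_user, len);
        out[len] = '\0';
        return 1;
    }
    return 0;
}

/* Constructed utmp contents: only the ssh login on pts/0 is recorded.
 * ASSUMPTION: with no record for the terminal, the caller falls back to the
 * effective user name, which matches the "root pts/1" output in the report. */
static const char *demo_who(const char *line, const char *effective_user)
{
    static char name[sizeof ((struct utmpx *)0)->ut_user + 1];
    struct utmpx recs[1];

    memset(recs, 0, sizeof recs);
    recs[0].ut_type = USER_PROCESS;
    strncpy(recs[0].ut_user, "peterp", sizeof recs[0].ut_user);
    strncpy(recs[0].ut_line, "pts/0", sizeof recs[0].ut_line);
    return utmp_user_for_line(recs, 1, line, name, sizeof name) ? name : effective_user;
}

int main(void)
{
    printf("pts/0 -> %s\n", demo_who("pts/0", "root")); /* login terminal */
    printf("pts/1 -> %s\n", demo_who("pts/1", "root")); /* sudo I/O-log pty */
    return 0;
}
```

Per-user attribution that keys on this lookup loses the original login name on any terminal that has no utmp record, which is the pts/1 case above.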