Bug 966 – log diffs on visudo invocation

Bug 966 - log diffs on visudo invocation


Summary:	log diffs on visudo invocation

Status:	NEW

Product:	Sudo
Classification:	Unclassified
Component:	Visudo
Version:	1.9.5
Hardware:	PC Linux

Importance:	low enhancement
Assigned To:	Todd C. Miller

URL:	https://bugs.debian.org/cgi-bin/bugre...

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2021-02-25 11:49 MST by Marc Haber
Modified:	2021-02-25 12:20 MST (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marc Haber 2021-02-25 11:49:40 MST

This is a forwarded issue from Martin F. Krafft from the Debian BTS:

It would be awesome if visudo could put a diff of changes into
/var/log/sudo. Should be trivial, since we have /etc/sudoers.tmp
anyway, so when the editor finishes and the syntax check passed,
something along the following logic would do:

LOGDIR=/var/log/sudo
TIMESTAMP=$(/bin/date +'%Y.%m.%d.%H.%M.%S')
LOGNAME=${SUDO_USER:-$USER}
# include pts somehow?
LOGFILE=${LOGDIR}/lsh.${TIMESTAMP}.${LOGNAME}
# non-racy check for logfile existence
diff -abBdEtuw /etc/sudoers /etc/sudoers.tmp > $LOGFILE

Comment 1 Todd C. Miller 2021-02-25 11:52:15 MST

Integration with a revision control system (e.g. git) might be a better solution.

Comment 2 Marc Haber 2021-02-25 12:20:13 MST

Putting sudoers under version control is too big a hammer for the issue. Generating a diff and dumping it to a file or syslog is a pretty small change and this way all systems having sudo installed will profit. Have to agree with Martin here.