From 67e328d6f8e37b8dcdd8a3ced5a37642d4c511b6 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Wed, 10 Jan 2024 13:54:41 -0700
Subject: [PATCH] Only log "a password is required" for "sudo -n" if a command is specified.

This means that it is not logged for "sudo -nv" and "sudo -nl". We only log this message when sudo's -n flag is specified (and not when the user presses ^C at the password prompt) so that there is a record of failed non-interactive commands.
---
 plugins/sudoers/logging.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c
index c30ec5f6aa..e88a6681e6 100644
--- a/plugins/sudoers/logging.c
+++ b/plugins/sudoers/logging.c
@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 1994-1996, 1998-2023 Todd C. Miller
+ * Copyright (c) 1994-1996, 1998-2024 Todd C. Miller
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -507,9 +507,14 @@ log_auth_failure(const struct sudoers_context *ctx, unsigned int status,
     /* Do auditing first (audit_failure() handles the locale itself). */
     audit_failure(ctx, ctx->runas.argv, "%s", N_("authentication failure"));
 
-    /* If sudoers denied the command we'll log that separately. */
-    if (!ISSET(status, FLAG_BAD_PASSWORD|FLAG_NO_USER_INPUT))
+    if (ISSET(status, FLAG_NO_USER_INPUT)) {
+	/* For "sudo -n", only log the entry if an actual command was run. */
+	if (ISSET(ctx->mode, MODE_LIST|MODE_VALIDATE))
+	    logit = false;
+    } else if (!ISSET(status, FLAG_BAD_PASSWORD)) {
+	/* Autheticated OK, sudoers denials are logged separately. */
 	logit = false;
+    }
 
     /*
      * Do we need to send mail?
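Review bot: The comment added in the new else-if branch of log_auth_failure has a typo, `Autheticated`; it should read `/* Authenticated OK, sudoers denials are logged separately. */`. The "sudo -n" comment would also serve a reader better if it said why suppressing the entry for -l/-v is acceptable, since the audit_failure() call just above still records the failure: `/* For "sudo -n", only log the entry if an actual command was run; audit_failure() above has already recorded the failure. */`. log_auth_failure begins before this hunk, so the initial value of logit and whether FLAG_BAD_PASSWORD and FLAG_NO_USER_INPUT can be set together are not visible here; if both can be set, the new code now decides on FLAG_NO_USER_INPUT alone where the old single condition treated the two flags identically, which is presumably intended but worth a sentence in the comment.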