Ubuntu: Who are incidents really reported to, and how can a sudo user access the reports?



Question:

When my non-sudo account tries to run a sudo command:

nonsudo@Hairy14:$ sudo hello  

An incident is reported:

[sudo] password for nonsudo:
nonsudo is not in the sudoers file.  This incident will be reported.

I'm guessing it's not really Father Christmas, so who is it reported to (or where) and how can I access it?

[Image: "Incident"]

(From xkcd, by Randall Munroe)


Solution: 1

The title of the image might give us a clue:

He sees you when you're sleeping, he knows when you're awake, he's copied on /var/spool/mail/root, so be good for goodness' sake.

What does /var/spool/mail/root contain? Uhh, for me nothing as a normal user:

cat: /var/spool/mail/root: No such file or directory  

And the same with sudo. For me, there is no /var/spool/mail/root.


It turns out, Ubuntu is different - by default root's mail goes to /dev/null, or the black hole in your computer.

To find our logs, we need to look in

/var/log/auth.log  

And lo and behold, a sudo cat gives us this line:

Jun 25 22:45:07 Hairy14 sudo:  nonsudo : user NOT in sudoers ; TTY=pts/21 ; PWD=/home/tim ; USER=root ; COMMAND=/usr/bin/hello  

Note that sometimes (e.g. if your account has no password or is disabled) it will simply not let you run the command - but it will still be reported in the same way:

Jun 25 22:44:17 Hairy14 sudo:  nonsudo : user NOT in sudoers ; TTY=pts/21 ; PWD=/home/tim ; USER=root ; COMMAND=/usr/bin/hello  

Note that there is a lot of other text along with the "naughty" reports. You may need to grep.
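
As an added example (not part of the original answer), the script below pulls only the denial records out of an auth log and splits them into fields. It checks sudo's reason field rather than grepping the whole line, because the COMMAND= text is user-chosen and can contain the same phrase. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumes the traditional syslog
# layout shown above: "Mon DD HH:MM:SS host sudo: user : reason ; TTY=... ; ..."

# Print one tab-separated record per denial: time, user, tty, pwd, command.
sudo_denials() {
    awk '
    $5 ~ /^sudo(\[[0-9]+\])?:$/ {            # syslog tag "sudo:" or "sudo[PID]:"
        msg = substr($0, index($0, $5) + length($5))
        sub(/^ +/, "", msg)
        n = split(msg, part, " ; ")
        split(part[1], head, " : ")          # head[1]=user, head[2]=reason
        # Match the reason field only; COMMAND= text is chosen by the user
        if (head[2] != "user NOT in sudoers") next
        tty = pwd = ""
        for (i = 2; i <= n; i++) {
            if (tty == "" && part[i] ~ /^TTY=/) tty = substr(part[i], 5)
            if (pwd == "" && part[i] ~ /^PWD=/) pwd = substr(part[i], 5)
        }
        c = index(msg, " ; COMMAND=")        # command may itself contain " ; "
        cmd = (c ? substr(msg, c + 11) : "")
        printf "%s %s %s\t%s\t%s\t%s\t%s\n", $1, $2, $3, head[1], tty, pwd, cmd
    }' "${1:-/var/log/auth.log}"
}

# Denials per user, most frequent first, as "user count".
sudo_denials_by_user() {
    sudo_denials "$1" | cut -f2 | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Constructed sample log (hypothetical entries in the format of the answer).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Jun 25 22:45:07 Hairy14 sudo:  nonsudo : user NOT in sudoers ; TTY=pts/21 ; PWD=/home/tim ; USER=root ; COMMAND=/usr/bin/hello
Jun 25 22:46:10 Hairy14 sudo:      tim : TTY=pts/3 ; PWD=/home/tim ; USER=root ; COMMAND=/bin/echo user NOT in sudoers
Jun 25 22:47:02 Hairy14 sshd[811]: Accepted password for tim from 192.0.2.10 port 50022 ssh2
Jun 25 22:48:30 Hairy14 sudo[902]:  nonsudo : user NOT in sudoers ; TTY=pts/21 ; PWD=/home/tim ; USER=root ; COMMAND=/usr/bin/apt update
EOF

sudo_denials "$SAMPLE"
sudo_denials_by_user "$SAMPLE"
```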

