Package: sudo
Version: 1.9.16p2-3
Severity: minor

Hello,

looking at the default Email options in sudo I was wondering about the
rationale behind them.

Currently we have this:
Defaults        mail_badpass

On multi-user systems with an MTA configured in a way that mail to root will
end up somewhere reasonable this will Email the Admin every time a user
enters a false password but will not Email the Admin in case some automated
script checks if something like "sudo -s" works.

This is why I use mail_no_perms on my systems.

Regarding the sudo manpage *mail_badpass* is off by default so this seems to
be a Debian default to enable this option.

My personal opinion is that all mail should be off by default (like e.g. in
the package unattended-upgrades) because nowadays most systems do likely
not even have an MTA configured in a way which will direct mail to root to a
reasonable target.

However with real multi-user systems in mind where such mails are probably
desired for security reasons the better default would then be arguably
mail_no_perms instead of mail_badpass.

Regards

Sven


-- System Information:
Debian Release: 13.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel

Kernel: Linux 6.12.41+deb13-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages sudo depends on:
ii  init-system-helpers  1.69~deb13u1
ii  libapparmor1         4.1.0-1
ii  libaudit1            1:4.0.2-2+b2
ii  libc6                2.41-12
ii  libpam-modules       1.7.0-5
ii  libpam0g             1.7.0-5
ii  libselinux1          3.8.1-1
ii  libssl3t64           3.5.1-1
ii  zlib1g               1:1.3.dfsg+really1.3.1-1+b1

sudo recommends no packages.

sudo suggests no packages.

-- Configuration Files:
/etc/pam.d/sudo-i [file not found]
/etc/sudoers [Errno 13] Keine Berechtigung: '/etc/sudoers'
/etc/sudoers.d/README [Errno 13] Keine Berechtigung: '/etc/sudoers.d/README'

-- debconf-show failed
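
The two settings the report compares, as an added example that is not part of the original report or of the sudo package: a Python check that computes which global mail_* flags end up enabled after a set of sudoers Defaults lines. The sample sudoers text, the function names and the user name "backup" are constructed for illustration; the starting values are the upstream defaults documented in sudoers(5).

```python
import re

# Upstream defaults from sudoers(5): only mail_no_user is on by default.
UPSTREAM = {"mail_all_cmnds": False, "mail_always": False, "mail_badpass": False,
            "mail_no_host": False, "mail_no_perms": False, "mail_no_user": True}

def effective_mail_flags(sudoers_text):
    """Apply global 'Defaults' lines in order and return the mail_* flag state.

    Scoped entries (Defaults:user, Defaults@host, Defaults>runas, Defaults!cmnd)
    and include directives are not followed; this checks one text blob only.
    """
    flags = dict(UPSTREAM)
    text = re.sub(r"\\\n", "", sudoers_text)           # join continued lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()           # drop comments
        m = re.match(r"Defaults\s+(.*)", line)         # global Defaults only
        if not m:
            continue
        # Split on commas that are not inside a double-quoted value.
        for item in re.findall(r'(?:[^,"]|"[^"]*")+', m.group(1)):
            flag = re.fullmatch(r"(!*)\s*(\w+)", item.strip())
            if flag and flag.group(2) in flags:
                # Each leading '!' negates; an even count leaves the flag on.
                flags[flag.group(2)] = len(flag.group(1)) % 2 == 0
    return flags

# Constructed sample: the mail_badpass line is the one quoted in the report,
# the other lines are filler to exercise the parser.
SHIPPED = r'''
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
'''

# Constructed drop-in expressing the reporter's preferred setting.
DROP_IN = r'''
Defaults !mail_badpass, \
         mail_no_perms
Defaults:backup mail_always   # user-scoped (hypothetical user), not global
'''

def enabled(text):
    """Return the sorted names of the mail_* flags that are on."""
    return sorted(name for name, on in effective_mail_flags(text).items() if on)

if __name__ == "__main__":
    print("shipped:     ", enabled(SHIPPED))
    print("with drop-in:", enabled(SHIPPED + DROP_IN))
```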
