URL: <http://savannah.gnu.org/bugs/?39712>
Summary: su actions not properly logged
Project: GNU Screen
Submitted by: None
Submitted on: Wed 07 Aug 2013 03:24:34 AM UTC
Category: None
Severity: 3 - Normal
Priority: 5 - Normal
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Release: 4.0.3
Fixed Release: None
Planned Release: None
Work Required: None

_______________________________________________________

Details:

We're seeing an issue where su actions are not properly recorded when the user is in a screen session. What's interesting is that this appears to work properly on Ubuntu 12.04.2 running screen 4.00.03jw4 (FAU) 2-May-06 but does not work correctly on CentOS 6.04 running screen (FAU) 23-Oct-06. So maybe this is packaging related, but thought we'd start here.

When a user in a screen session runs "sudo su" the following appears in the Ubuntu logs:

Aug 6 16:26:06 delta sudo: chrish : TTY=pts/5 ; PWD=/home/chrish ; USER=root ; COMMAND=/bin/su
Aug 6 16:26:06 delta sudo: pam_unix(sudo:session): session opened for user root by chrish(uid=1000)
Aug 6 16:26:06 delta su[27840]: Successful su for root by root
Aug 6 16:26:06 delta su[27840]: + /dev/pts/5 root:root
Aug 6 16:26:06 delta su[27840]: pam_unix(su:session): session opened for user root by chrish(uid=0)
Aug 6 16:26:19 delta su[27840]: pam_unix(su:session): session closed for user root
Aug 6 16:26:19 delta sudo: pam_unix(sudo:session): session closed for user root

In the CentOS log we get:

Aug 6 16:38:03 epsilon sudo: chrish : TTY=pts/8 ; PWD=/home/chrish ; USER=root ; COMMAND=/bin/su
Aug 6 16:38:03 epsilon su: pam_unix(su:session): session opened for user root by (uid=0)
Aug 6 16:38:04 epsilon su: pam_unix(su:session): session closed for user root

Notice that the second line does not indicate the name of the user which performed the sudo like we do in Ubuntu. Without this data, our logs are incomplete and log monitoring utilities do not properly fire.

Possible this is related to packaging or another part of the OS, possibly PAM? Additional notes, including showing that it does not work in tmux on either OS, are available here: https://gist.github.com/chrishas35/972fc8febad14bad1ae4.

_______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?39712>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
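
Added example (not part of the original report, and not GNU Screen or PAM code): a log check that flags pam_unix "session opened" lines whose invoking user is empty, as in the CentOS excerpt, and falls back to the preceding sudo line on the same host to suggest who ran it. The function name audit, the 5-second correlation window and the year argument (syslog timestamps carry no year) are assumptions; the sample lines are copied from the report.

```python
import re
from datetime import datetime, timedelta

# Log lines copied from the report above (delta = Ubuntu, epsilon = CentOS).
SAMPLE = """\
Aug 6 16:26:06 delta sudo: chrish : TTY=pts/5 ; PWD=/home/chrish ; USER=root ; COMMAND=/bin/su
Aug 6 16:26:06 delta su[27840]: pam_unix(su:session): session opened for user root by chrish(uid=0)
Aug 6 16:38:03 epsilon sudo: chrish : TTY=pts/8 ; PWD=/home/chrish ; USER=root ; COMMAND=/bin/su
Aug 6 16:38:03 epsilon su: pam_unix(su:session): session opened for user root by (uid=0)
"""

HEAD = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) (\w+)(?:\[\d+\])?: (.*)$")
SUDO = re.compile(r"^(\S+) : .*\bUSER=(\S+) ; COMMAND=(.+)$")
OPEN = re.compile(
    r"^pam_unix\((\w+):session\): session opened for user (\S+) by (\S*)\(uid=(\d+)\)$")
WINDOW = timedelta(seconds=5)  # assumed correlation window, tune for your hosts


def audit(text, year=2013):
    """Return one dict per 'session opened' line, flagging a missing invoker."""
    last_sudo = {}  # host -> (time, invoking user) from the latest sudo command line
    findings = []
    for line in text.splitlines():
        m = HEAD.match(line)
        if not m:
            continue
        stamp, host, prog, msg = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if prog == "sudo" and (s := SUDO.match(msg)):
            last_sudo[host] = (when, s.group(1))
        elif (o := OPEN.match(msg)):
            service, target, by, _uid = o.groups()
            rec = {"host": host, "service": service, "target": target,
                   "by": by or None, "missing_invoker": not by, "inferred": None}
            prev = last_sudo.get(host)
            if not by and prev and when - prev[0] <= WINDOW:
                rec["inferred"] = prev[1]  # heuristic attribution, not proof
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A monitoring rule keyed only on the "by <user>" field would fire for delta and stay silent for epsilon; alerting on missing_invoker closes that gap.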