Home / ubuntu / Questions / 641049
Accepted
Tim
Asked: 2015-06-26 14:09:31 +0800 CST

Who are incidents really reported to, and how can a sudo user access the reports?

  • 772

When my non-sudo account tries to run a sudo command:

nonsudo@Hairy14:$ sudo hello

An incident is reported:

[sudo] password for nonsudo: 
nonsudo is not in the sudoers file.  This incident will be reported.

I'm guessing it's not really Father Christmas, so who is it reported to (or where) and how can I access it?

Incident

(From xkcd, by Randall Munroe)

sudo

2 Answers

  1. Best Answer

    The Title of the image might give us a clue:

    He sees you when you're sleeping, he knows when you're awake, he's copied on /var/spool/mail/root, so be good for goodness' sake.

    What does /var/spool/mail/root contain? Uhh, for me nothing as a normal user:

    cat: /var/spool/mail/root: No such file or directory

    And the same with sudo. For me, there is no /var/spool/mail/root

    It turns out, Ubuntu is different - by default root's mail goes to /dev/null, or the black hole in your computer.

    To find our logs, we need to look in

    /var/log/auth.log

    And lo and behold, a sudo cat gives us this line:

    Jun 25 22:45:07 Hairy14 sudo:  nonsudo : user NOT in sudoers ; TTY=pts/21 ; PWD=/home/tim ; USER=root ; COMMAND=/usr/bin/hello

    Note that sometimes (e.g. if your account has no password, is disabled) it will simply not let you run the command - but it will still be reported in the same way:

    Jun 25 22:44:17 Hairy14 sudo:  nonsudo : user NOT in sudoers ; TTY=pts/21 ; PWD=/home/tim ; USER=root ; COMMAND=/usr/bin/hello

    Note that there is a lot of other text along with the "naughty" reports. You may need to grep.

    • 52

  2. The journalctl method

    One method involves looking through the journalctl output. journalctl /usr/bin/sudo will list all messages related to that specific executable path, and the reported incident will be highlighted in a nice, noticeable red color like so:

    journalctl -f /usr/bin/sudo will show only the most recent journal entries, and continuously print new entries as they are appended to the journal. It's only helpful if the reported incident has happened just recently.

    GNOME Logs

    Another way to find such incidents is to use the default Logs application, which is installed by default on recent Ubuntu releases. A short screencast showcasing how it can be done through GNOME Logs: https://webm.red/view/yc0w.webm

    1. open the application;
    2. select "All" from the list of categories on the left-side;
    3. invoke the search bar and
    4. just type in "sudo".

    It lacks the highlighting of the journalctl, though.

    • 1