On my Arch system, failed attempts to run sudo cause a line like this to be added to the logs (note the USER=root):

Nov 20 14:59:31 oregano sudo[191472]:      bob : user NOT in sudoers ; TTY=pts/26 ; PWD=/home/bob ; USER=root ; COMMAND=/sbin/ls

In this case, as the user bob who isn't in sudoers, I had run:

$ sudo ls
bob is not in the sudoers file.

I was wondering what the USER=root means. Is it always the user that I tried to switch to? When I ran sudo -iu bob to (successfully) become the bob user, I got (here, USER=bob):

Nov 20 14:59:28 oregano sudo[191408]:   terdon : TTY=pts/25 ; PWD=/home/bob ; USER=bob ; COMMAND=/bin/bash

So it looks like it is indeed reporting sudo's target user. Is it as simple as that though? Where is this documented? How can I see exactly what USER= is supposed to show? My test suggests it's as I describe, but I would like to confirm it somehow.

1 Answer

This is documented in the sudoers manpage, section "Event Logging":

Commands that sudo runs are logged using the following format (split into multiple lines for readability):

date hostname progname: username : TTY=ttyname ; CHROOT=chroot ; \
    PWD=cwd ; USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \
    ENV=env_vars COMMAND=command

Where the fields are as follows:

[...]

runasuser
The user the command was run as.
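As an added example (not part of the question or the answer), a small Python parser for this log format that pulls out the invoking user, the run-as USER= and the COMMAND=, and flags denial lines such as the "user NOT in sudoers" one in the question. It assumes the default syslog-style format quoted from sudoers(5) above, including the documented "ENV=env_vars COMMAND=command" case, and uses the two log lines from the question as sample input.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Syslog prefix plus the "username : ..." body documented in sudoers(5), "Event Logging".
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo\[(?P<pid>\d+)\]:\s+"
    r"(?P<user>\S+) : (?P<rest>.*)$"
)

# Sample input copied from the question above (one denial, one successful sudo -iu bob).
SAMPLE_LINES = [
    "Nov 20 14:59:31 oregano sudo[191472]:      bob : user NOT in sudoers ; TTY=pts/26 ; PWD=/home/bob ; USER=root ; COMMAND=/sbin/ls",
    "Nov 20 14:59:28 oregano sudo[191408]:   terdon : TTY=pts/25 ; PWD=/home/bob ; USER=bob ; COMMAND=/bin/bash",
]

@dataclass
class SudoEvent:
    timestamp: str
    host: str
    pid: int
    user: str              # who invoked sudo
    fields: dict           # TTY, PWD, USER (the run-as user), COMMAND, ...
    reason: Optional[str]  # free text such as "user NOT in sudoers"; None on success

def parse_sudo_line(line: str) -> Optional[SudoEvent]:
    """Parse one sudo log line; None if it is not in the documented format."""
    m = SUDO_LINE.match(line)
    if not m:
        return None
    fields, reason = {}, None
    for item in m.group("rest").split(" ; "):
        key, sep, value = item.partition("=")
        if not sep:                 # no "=": a denial reason, not a key=value field
            reason = item.strip()
            continue
        key, value = key.strip(), value.strip()
        if key == "ENV" and " COMMAND=" in value:  # manpage: "ENV=env_vars COMMAND=command"
            value, fields["COMMAND"] = value.split(" COMMAND=", 1)
        fields[key] = value
    return SudoEvent(m.group("ts"), m.group("host"), int(m.group("pid")),
                     m.group("user"), fields, reason)

def denied_sudo_attempts(lines):
    """(invoking user, run-as USER, COMMAND) for every line that carries a denial reason."""
    events = filter(None, map(parse_sudo_line, lines))
    return [(ev.user, ev.fields.get("USER"), ev.fields.get("COMMAND"))
            for ev in events if ev.reason is not None]
```

Feeding it the journal or auth log gives a quick list of who tried to become which user with what command and was refused, which is the field the question is asking about.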