33

Along side the question "Username is not in the sudoers file. This incident will be reported" that explained the programical aspects of the error and suggested some workarounds, I want to know: what does this error mean? 

X is not in the sudoers file.  This incident will be reported.

The former part of the error explains, clearly, the error. But the second part says that "This error will be reported"?! But why? Why the error will be reported and where? To whom? I'm both user and administrator and didn't receive any report :)!

Mazdak
  • 933
  • 13
    Philosophically?!? Or technically? – Jeff Schaller Jun 21 '18 at 12:30
  • 65
    obligatory xkcd – steeldriver Jun 21 '18 at 12:55
  • 9
    A (good) system silently logs lots of stuff. Lots and lots of stuff. Especially errors. Especially if it consider them to be ill-intentioned. I think that by asking about "philosophically", OP is asking why this specific concrete error warns you in such an intimidating way about the reporting, while most other failures are reported silently. It might just be what the original coder wrote at the moment, but after many version it has never got changed and there could be a deeper meaning. Or maybe not. If this is the focus, I think this is a great question I've wondered quite a few times. – xDaizu Jun 21 '18 at 15:46
  • @steeldriver :)) That Santa makes me feel more like I'm getting fooled. – Mazdak Jun 21 '18 at 17:55
  • 4
    This presumably dates back to when you had a whole building using 1 computer and an admin/operator looked after the computer as a full-time job. – user253751 Jun 22 '18 at 01:28
  • 2
    Years ago when I was in university and before sudo was a thing, I was trying to do something as root on my personal Linux box. So, I ran su. When it rejected my password, I tried again several times thinking I had mistyped my password. Eventually I realized that that terminal was logged into the school's email server. Not long after that, the email server sysadmin asked me why I had tried to get root on his system. So there clearly was some sort of reporting even though it was in the pre-sudo days. – Scott Severance Jun 22 '18 at 17:16
  • @ScottSeverance Wow that's really interesting! Thanks for sharing your experience. Actually, after I saw that message for the first time I was hoping that someone will call me or send me a message or something threatening me for what I did and then story begins like what happened at the beginning of the Matrix movie to Neo! :-)) – Mazdak Jun 22 '18 at 17:37
  • @immibis I work in a place with several multi-user systems. At any point in time, there may be between 10 and 50 people logged in to one of several login nodes. This is not uncommon nor old fashioned. – Kusalananda Jun 22 '18 at 22:04
  • The philosophical choice also includes the lecture (which may have been disabled when sudo was compiled). – Dennis Williamson Jun 22 '18 at 22:25
  • @DennisWilliamson I wouldn't use the term "philosophical choice" but that's a useful thing for keeping users on their toes. – Mazdak Jun 23 '18 at 05:25

4 Answers4

39

The administrator(s) of a system are likely to want to know when a non-privileged user tries but fails to execute commands using sudo. If this happens, it could be a sign of

  1. a curious legitimate user just trying things out, or
  2. a hacker trying to do "bad things".

Since sudo by itself can not distinguish between these, failed attempts to use sudo are brought to the attention of the admins.

Depending on how sudo is configured on your system, any attempt (successful or not) to use sudo will be logged. Successful attempts are logged for audit purposes (to be able to keep track of who did what when), and failed attempts for security.

On a fairly vanilla Ubuntu setup that I have, this is logged in /var/log/auth.log.

If a user gives the wrong password three times, or if they are not in the sudoers file, an email is sent to root (depending on the configuration of sudo, see below). This is what's meant by "this incident will be reported".

The email will have a prominent subject:

Subject: *** SECURITY information for thehostname ***

The body of the message contains the relevant lines from the logfile, for example

thehostname : Jun 22 07:07:44 : nobody : user NOT in sudoers ; TTY=console ; PWD=/some/path ; USER=root ; COMMAND=/bin/ls

(Here, the user nobody tried to run ls through sudo as root, but failed since they were not in the sudoers file).

No email is sent if (local) mail has not been set up on the system.

All of these things are configurable as well, and that local variations in the default configuration may differ between Unix variants.

Have a look at the mail_no_user setting (and related mail_* settings) in the sudoers manual (my emphasis below):

mail_no_user

If set, mail will be sent to the mailto user if the invoking user is not in the sudoers file. This flag is on by default.

Community
  • 1
Kusalananda
  • 333,661
17

In Debian and its derivatives, the sudo incident reports are logged to /var/log/auth.log which contains system authorization information, including user logins and authentication mechanisms that were used: 

$ sudo su
[sudo] password for regularjohn: 
regularjohn is not in the sudoers file.  This incident will be reported.

[as root]

$ tail -n 1 /var/log/auth.log
Jun 21 16:30:26 marvin sudo: regularjohn : user NOT in sudoers ; TTY=pts/19 ; PWD=/home/regularjohn ; USER=root ; COMMAND=/bin/su

This log file is typically only accessible to users in the adm group, i.e. users with access to system monitoring tasks:

$ ls -la /var/log/auth.log
-rw-r----- 1 syslog adm 76189 Jun 21 16:30 /var/log/auth.log

From the Debian Wiki:

Group adm is used for system monitoring tasks. Members of this group can read many log files in /var/log, and can use xconsole. Historically, /var/log was /usr/adm (and later /var/adm), thus the name of the group.

Users in the adm group are usually administrators, and this group permission is intended to allow them to read log files without having to su.

By default sudo uses the Syslog auth facility for logging. sudo's logging behavior can be modified using the logfile or syslog options in /etc/sudoers or /etc/sudoers.d:

  • The logfile option sets the path to the sudo log file.
  • The syslog option sets the Syslog facility when syslog(3) is being used for logging.

The Syslog auth facility is redirected to /var/log/auth.log in etc/syslog.conf by the presence of the following configuration stanza:

auth,authpriv.*         /var/log/auth.log
Thomas Nyman
  • 30,502
8

Technically, it doesn't mean anything much. Many (if not all) other software logs logins, failed or otherwise. For example sshd and su:

Jun 21 17:52:22 somehost sshd[25807]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=::1  user=root
Jun 21 17:52:22 somehost sshd[25807]: Failed password for root from ::1 port 37268 ssh2
Jun 21 17:52:23 somehost sshd[25807]: Connection closed by ::1 port 37268 [preauth]
Jun 21 17:52:28 somehost su[25809]: pam_unix(su:auth): authentication failure; logname= uid=1000 euid=0 tty=/dev/pts/15 ruser=someuser rhost=  user=root
Jun 21 17:52:28 somehost su[25809]: pam_authenticate: Authentication failure
Jun 21 17:52:28 somehost su[25809]: FAILED su for root by someuser

Also, many systems have some sort of automation for detecting excessive authentication errors to be able to deal with possible brute-force attempts, or just use the information to reconstruct events after problems appear.

sudo doesn't do anything especially exceptional here. All the message means is that the author of sudo appears to have taken a somewhat aggressive philosophy in communicating with users that happen to run commands they cannot use.

ilkkachu
  • 138,973
6

It simply means that someone tried to use the sudo command (to access admin privileges), who doesn't have authorization to use it (because they aren't listed in the sudoers file). This could be a hacking attempt or some other sort of security risk, so the message is saying that the attempted use of sudo will be reported to the system administrator, so they can investigate.

Time4Tea
  • 2,366
  • 1
    Well in my local machine I'm the only user and administrator and I can tell you that I didn't receive any report! – Mazdak Jun 21 '18 at 12:50
  • 4
    @Kasramvd you probably did, in some file somewhere. I'm not exactly sure where sudo sends the report. In your situation, with only one user, it probably isn't very important. – Time4Tea Jun 21 '18 at 12:54
  • 2
    @Kasramvd have you checked for an email to the root user? Also, you're the administrator but you don't have sudo for your account? How do you handle privilege escalation? – doneal24 Jun 21 '18 at 13:22
  • @Kasramvd It was not reported to you.... – Thorbjørn Ravn Andersen Jun 21 '18 at 17:11
  • 2
    @Kasramvd You THINK you are the administrator. The OS is clearly telling you that you don't have permission to act as an administrator - you're the hardware's owner at best but that does not necessarily make you an admin – slebetman Jun 21 '18 at 18:04
  • @slebetman Yes, that's right. It means that the incident will be "reported" too root. But when you see the word report you think of a email/message or something. But it seems that it's just a log. – Mazdak Jun 21 '18 at 18:10