For those wondering where the reports go, under systemd-based linux distributions ideally you can get them with this:
sudo journalctl /bin/sudo
Historically speaking however the sysadmin with access to the 'mail' command would be able to run that and see mail delivered to root@localhost for these reports. I think at least OpenBSD still does things this way [1], but they moved away from sudo YEARS ago now [2]
Yeah, I kind of lament them removing this warning if I'm going to be honest. It feels like something such as that should be more common best practice.
Of course decent log collection/monitoring should also be able to catch authlog stuff and alert accordingly and I'm sure most organizations rely on solutions like that instead of letting things get lost in email
This is a pretty short diff and it clearly does NOT do that, unless you're saying they went back later in another commit to add this. They removed the message in all situations. The string "This incident will be reported" has been removed from the source code; it could not possibly print that message now.
Is there more to the change than the linked commit? Because if not, looking at the code change I don't see how you could possibly be correct. There is no additional logic/branching that could be checking whether sudo sends mail or not, just a string change.
I feel like that warning comes right out of the era of multi-user machines with unprivileged shell accounts. That era is largely gone. Today, someone, possibly a less knowledgeable user, runs sudo on their single user laptop that they completely own outright, and may get confused who they're being "reported" to.
But there is a renewed focus on corporate laptops to remove admin rights on windows. Not really because the user is not being trusted, but because malware has a lot more options for bypassing EDR/antimalware and persistence when it runs with admin rights.
I'm sure this will come to Linux too at some point.
I've always felt it was a very bad practice not to do it.
In a lot of companies but one they avoided it for fear of receiving emails. On that only company that did it, we made sure that mailbox was clean by actually having a look when cron scripts were crapping out or when users failed sudo repeatedly and contacted the users. It was a much better housekeeping than log on a box and see there are hundreds of unread emails but dismissing it like most do.
I think it's a fear of _sending_ emails. You could accidentally trigger a cronjob that sends a bunch of emails and gets you put on spam filters. Error reporting for cron is, of course, important; but the builtin email reporting is best used for the local machine/network. A more flexible and robust solution calls out to an API that handles transactional emails/push notifications with debouncing, escalation policies, etc.
Well, it depends! Because what you need to see more often is errors. You don't want successful notifications "spam" more often than error notifications.
I think this is mostly relevant to how confused and sometimes downright mortified it makes new users of sudo when they encounter it
In other words, don't think well-configured ansible playbooks are most people's first exposure to linux although it does sound like you're doing things right which is nice to hear
I haven't used journalctl in a while - do you mind explaining how it works with a binary path? Does it report all system logging that came from that executable, as if it were a service file?
The systemd journal logs not only raw strings and priorities (like legacy syslog), but a large number of metadata fields for each message. One of these fields is the name of the executable which generated the message. The command
[1] https://man.openbsd.org/security.8
[2] https://man.openbsd.org/doas