
When my non-sudo account tries to run a sudo command:

nonsudo@Hairy14:$ sudo hello

An incident is reported:

[sudo] password for nonsudo: 
nonsudo is not in the sudoers file.  This incident will be reported.

I'm guessing it's not really Father Christmas, so who is it reported to (or where) and how can I access it?

[xkcd comic "Incident"] (From xkcd, by Randall Munroe)

Tim

2 Answers


The Title of the image might give us a clue:

He sees you when you're sleeping, he knows when you're awake, he's copied on /var/spool/mail/root, so be good for goodness' sake.

What does /var/spool/mail/root contain? Uhh, for me nothing as a normal user:

cat: /var/spool/mail/root: No such file or directory

And the same with sudo. For me, there is no /var/spool/mail/root


It turns out, Ubuntu is different - by default root's mail goes to /dev/null, or the black hole in your computer.

To find our logs, we need to look in

/var/log/auth.log

And lo and behold, a sudo cat gives us this line:

Jun 25 22:45:07 Hairy14 sudo:  nonsudo : user NOT in sudoers ; TTY=pts/21 ; PWD=/home/tim ; USER=root ; COMMAND=/usr/bin/hello

Note that sometimes (e.g. if your account has no password or is disabled) it will simply not let you run the command, but it will still be reported in the same way:

Jun 25 22:44:17 Hairy14 sudo:  nonsudo : user NOT in sudoers ; TTY=pts/21 ; PWD=/home/tim ; USER=root ; COMMAND=/usr/bin/hello

Note that there is a lot of other text along with the "naughty" reports. You may need to grep.

Tim (edited by kinokijuf)

    It's not that Ubuntu is special, but that mail simply isn't configured. One of the first things I do when I set up a server is to configure sudo to start mailing (mail_badpass is the option, IIRC), and set up root's mail to go to the admins' mailing list. – muru Jun 25 '15 at 22:13
  • @muru yes, I've edited to explain the difference. – Tim Jun 25 '15 at 22:21
  • 2
    @Tim is there any way to get the mail, that goes to /dev/null, to an actual domain (Gmail or similar)? – Jarwin Dec 22 '15 at 17:25
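Added example (not from the question or either answer): a small POSIX shell helper that does the grep the answer above recommends, but also splits each "user NOT in sudoers" record into its fields and tallies the offending accounts. The lines in SUDO_SAMPLE are constructed test data: the two nonsudo lines are modelled on the auth.log line quoted in the answer, the tim/apt line is a made-up ordinary sudo entry to show that successful runs are skipped, and the alice line is made up to stand in for the ISO-timestamp, bracketed-PID form you get from journalctl output and newer rsyslog configurations. The function names sudo_incidents and sudo_incidents_by_user are mine. On a live host you would feed the functions with the real log instead of the sample.

```shell
# Added example, not code from the original page.
# Constructed auth.log-style test data (see the lead-in above).
SUDO_SAMPLE='Jun 25 22:44:17 Hairy14 sudo:  nonsudo : user NOT in sudoers ; TTY=pts/21 ; PWD=/home/tim ; USER=root ; COMMAND=/usr/bin/hello
Jun 25 22:45:07 Hairy14 sudo:  nonsudo : user NOT in sudoers ; TTY=pts/21 ; PWD=/home/tim ; USER=root ; COMMAND=/usr/bin/hello
Jun 25 22:46:30 Hairy14 sudo:      tim : TTY=pts/3 ; PWD=/home/tim ; USER=root ; COMMAND=/usr/bin/apt update
2024-06-25T22:48:10.000000+01:00 Hairy14 sudo[4242]:    alice : user NOT in sudoers ; TTY=pts/5 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow'

# Read sudo log lines on stdin and print one line per "user NOT in sudoers"
# incident: the original timestamp, the invoking user, the TTY, the account
# sudo was asked to run as, and the command that was attempted.
# Tolerates both "sudo:" and "sudo[pid]:" and any timestamp format, because
# the timestamp is simply "everything before the hostname".
sudo_incidents() {
    grep -E 'sudo(\[[0-9]+\])?: .* : user NOT in sudoers' \
    | sed -E 's/^(.*) [^ ]+ sudo(\[[0-9]+\])?: +([^ ]+) : user NOT in sudoers ; TTY=([^ ]+) ; PWD=[^;]* ; USER=([^ ]+) ; COMMAND=(.*)$/\1 user=\3 tty=\4 runas=\5 cmd=\6/'
}

# Count incidents per invoking user, most frequent first, so a noisy
# account (or a brute-force loop) stands out among the "naughty" reports.
sudo_incidents_by_user() {
    sudo_incidents | grep -o 'user=[^ ]*' | cut -d= -f2 | sort | uniq -c | sort -rn
}

# Usage on a real machine (auth.log is root-readable only):
#   sudo cat /var/log/auth.log | sudo_incidents
#   journalctl /usr/bin/sudo --no-pager | sudo_incidents_by_user
# Demonstration on the constructed sample:
printf '%s\n' "$SUDO_SAMPLE" | sudo_incidents
printf '%s\n' "$SUDO_SAMPLE" | sudo_incidents_by_user
```

As an added note on the "who gets told" part of the question: the syslog line above is one copy of the report; sudo also mails the same event to the address in the sudoers `mailto` option (root by default) while the `mail_no_user` option is on, which it is unless a sudoers edit turns it off. Pointing `mailto` at an admin alias, as muru describes, is what turns the /dev/null mailbox into a real notification.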

The journalctl method

One method involves looking through the journalctl output. journalctl /usr/bin/sudo will list all messages related to that specific executable path, and the reported incident will be highlighted in a nice, noticeable red color.

journalctl -f /usr/bin/sudo will show only the most recent journal entries, and continuously print new entries as they are appended to the journal. It's only helpful if the reported incident has happened just recently.

GNOME Logs

Another way to find such incidents is to use the default Logs application, which is installed by default on recent Ubuntu releases. A short screencast showcasing how it can be done through GNOME Logs: https://webm.red/view/yc0w.webm

  1. Open the application;
  2. Select "All" from the list of categories on the left-side;
  3. Invoke the search bar and
  4. Just type in "sudo".

It lacks the highlighting of the journalctl, though.

Pablo Bianchi

    Thanks for your answer! Please could you summarise the contents of the video you linked. This is helpful because it keeps the answer self contained, and protects against the video being removed. (I’m also unable to watch that video: the same might apply to other people?) – Tim Oct 02 '21 at 08:56
  • Sorry, I did not realize it was Q&A-style question. I could delete my answer if it's redundant. As for the screencast, it basically showcases how it can be done through GNOME Logs: open the application, select "All" from the list of categories on the left-side, invoke the search bar and just type in "sudo". It lacks the highlighting of the journalctl, though. – Akbarkhon Variskhanov Oct 02 '21 at 15:11
  • it’s a great answer with the details you’ve given - it would just be good to summarise the video! Welcome to the site! – Tim Oct 02 '21 at 15:14
  • Sorry, edited my answer to you. Hastily pressed "Enter" and it got sent to you before I was able to finish it. – Akbarkhon Variskhanov Oct 02 '21 at 15:16
  • would you be able to [edit] that into the main answer? Also the [tour] would be helpful to introduce you to how the site works! – Tim Oct 02 '21 at 15:17
  • Done! Are you able to watch the recording? – Akbarkhon Variskhanov Oct 02 '21 at 18:29
  • hmm I’m not (maybe my phone is acting up), but you having added the description is perfect! +1! – Tim Oct 02 '21 at 19:36