Along side the question “Username is not in the sudoers file. This incident will be reported” that explained the programical aspects of the error and suggested some workarounds, I want to know: what does this error mean?
X is not in the sudoers file. This incident will be reported.
The former part of the error explains, clearly, the error. But the second part says that “This error will be reported”?! But why? Why the error will be reported and where? To whom? I’m both user and administrator and didn’t receive any report :)!
Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.
The administrator(s) of a system are likely to want to know when a non-privileged user tries but fails to execute commands using
sudo. If this happens, it could be a sign of
- a curious legitimate user just trying things out, or
- a hacker trying to do “bad things”.
sudo by itself can not distinguish between these, failed attempts to use
sudo are brought to the attention of the admins.
Depending on how
sudo is configured on your system, any attempt (successful or not) to use
sudo will be logged. Successful attempts are logged for audit purposes (to be able to keep track of who did what when), and failed attempts for security.
On a fairly vanilla Ubuntu setup that I have, this is logged in
If a user gives the wrong password three times, or if they are not in the
sudoers file, an email is sent to root (depending on the configuration of
sudo, see below). This is what’s meant by “this incident will be reported”.
The email will have a prominent subject:
Subject: *** SECURITY information for thehostname ***
The body of the message contains the relevant lines from the logfile, for example
thehostname : Jun 22 07:07:44 : nobody : user NOT in sudoers ; TTY=console ; PWD=/some/path ; USER=root ; COMMAND=/bin/ls
(Here, the user
nobodytried to run
sudoas root, but failed since they were not in the
No email is sent if (local) mail has not been set up on the system.
All of these things are configurable as well, and that local variations in the default configuration may differ between Unix variants.
Have a look at the
mail_no_user setting (and related
mail_* settings) in the
sudoers manual (my emphasis below):
If set, mail will be sent to the mailto user if the invoking user is not in the
sudoersfile. This flag is on by default.
In Debian and its derivatives, the
sudo incident reports are logged to
/var/log/auth.log which contains system authorization information, including user logins and authentication mechanisms that were used:
$ sudo su [sudo] password for regularjohn: regularjohn is not in the sudoers file. This incident will be reported. [as root] $ tail -n 1 /var/log/auth.log Jun 21 16:30:26 marvin sudo: regularjohn : user NOT in sudoers ; TTY=pts/19 ; PWD=/home/regularjohn ; USER=root ; COMMAND=/bin/su
This log file is typically only accessible to users in the
admgroup, i.e. users with access to system monitoring tasks:
$ ls -la /var/log/auth.log -rw-r----- 1 syslog adm 76189 Jun 21 16:30 /var/log/auth.log
From the Debian Wiki:
Group adm is used for system monitoring tasks. Members of this group can read many log files in /var/log, and can use xconsole. Historically, /var/log was /usr/adm (and later /var/adm), thus the name of the group.
Users in the
adm group are usually administrators, and this group permission is intended to allow them to read log files without having to
sudo uses the Syslog
auth facility for logging.
sudo‘s logging behavior can be modified using the
syslog options in
logfileoption sets the path to the
syslogoption sets the Syslog facility when
syslog(3)is being used for logging.
auth facility is redirected to
etc/syslog.conf by the presence of the following configuration stanza:
Technically, it doesn’t mean anything much. Many (if not all) other software logs logins, failed or otherwise. For example
Jun 21 17:52:22 somehost sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=::1 user=root Jun 21 17:52:22 somehost sshd: Failed password for root from ::1 port 37268 ssh2 Jun 21 17:52:23 somehost sshd: Connection closed by ::1 port 37268 [preauth] Jun 21 17:52:28 somehost su: pam_unix(su:auth): authentication failure; logname= uid=1000 euid=0 tty=/dev/pts/15 ruser=someuser rhost= user=root Jun 21 17:52:28 somehost su: pam_authenticate: Authentication failure Jun 21 17:52:28 somehost su: FAILED su for root by someuser
Also, many systems have some sort of automation for detecting excessive authentication errors to be able to deal with possible brute-force attempts, or just use the information to reconstruct events after problems appear.
sudo doesn’t do anything especially exceptional here. All the message means is that the author of
sudo appears to have taken a somewhat aggressive philosophy in communicating with users that happen to run commands they cannot use.
It simply means that someone tried to use the
sudo command (to access admin privileges), who doesn’t have authorization to use it (because they aren’t listed in the sudoers file). This could be a hacking attempt or some other sort of security risk, so the message is saying that the attempted use of
sudo will be reported to the system administrator, so they can investigate.