Centos – Unable to get sudo lecture working on CentOS 7 server

Tags: centos, root, sudo

I'm trying to enable the sudo lecture every time someone executes sudo, but I can't seem to get it working at all.

I found a similar question here, in which someone states that if you don't see any results when executing strings /usr/bin/sudo | grep -A4 -i "lecture", then sudo lecture isn't enabled, and I don't see any results, so now I'm trying to enable it.

I created a /etc/sudoers.d/lecture file with the following content:

Defaults        lecture = always
Defaults        lecture_file = /etc/sudoers.lecture

And made sure my /etc/sudoers file included the /etc/sudoers.d directory. Here's the content of my sudoers file:

Defaults    requiretty
Defaults   !visiblepw
Defaults    always_set_home
Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       NOPASSWD:ALL
#includedir /etc/sudoers.d

I was thinking the # in front of the includedir was commenting it out, but when I "uncommented" it, I got an error whenever I would sudo. So after looking in the manual, I found this line:

Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)

So apparently the # is NOT a comment… weird.

So now that the /etc/sudoers.d/lecture file references /etc/sudoers.lecture, I created that, with a simple "Hello World" as its only contents.

However, I still don't see any lecture when I sudo, and still don't see any lecture string in strings /usr/bin/sudo … I have to be doing something wrong, I just can't find it.

Update

Thomas N suggested I use sudo -k to clear any cached authentication credentials being recycled:

[Fri May 06 12:25:33]{1} root@web-stg-a01:~(✓)# cat /etc/sudoers
Defaults    requiretty
Defaults   !visiblepw
Defaults    always_set_home
Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       NOPASSWD:ALL
#includedir /etc/sudoers.d
[Fri May 06 12:25:37]{2} root@web-stg-a01:~(✓)# cat /etc/sudoers.d/lecture
Defaults        lecture = always
Defaults        lecture_file = /etc/sudoers.lecture
[Fri May 06 12:25:42]{3} root@web-stg-a01:~(✓)# cat /etc/sudoers.lecture
TEST...
[Fri May 06 12:25:47]{4} root@web-stg-a01:~(✓)# exit
logout
[Fri May 06 12:25:51]{15} cymedica@web-stg-a01:~(✓)$ sudo -k su -
Last login: Fri May  6 12:25:33 MST 2016 on pts/1
[Fri May 06 12:25:56]{1} root@web-stg-a01:~(✓)#

That wasn't it though.

Best Answer

This is probably the result of cached authentication credentials being recycled in your sudo invocations. Try using

sudo -k <some_allowed_command>

and see if that gets you the behavior you expect.
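The question's sudoers combines three things that decide whether a lecture can ever appear: the `#includedir` directive (a directive, not a comment, as the manual line quoted above says), the naming rules sudo applies to files in `/etc/sudoers.d`, and the `NOPASSWD:` tag on the `%wheel` rule. sudoers(5) describes the lecture as text printed along with the password prompt, so a static check of the configuration is a useful complement to the `sudo -k` test in the answer. The script below is an added example, not code from the question, the answer or the sudo project. It writes a constructed copy of the configuration from the question into a temporary directory (with one extra `alice` rule and one extra `lecture.disabled` drop-in, both constructed), resolves `#includedir`, skips the drop-in names sudo ignores, collects `Defaults`, and reports whether a given user would be prompted for a password and therefore shown the lecture. The function names (`load_sudoers`, `lecture_would_show`, `build_sample`) are chosen here; only plain `Defaults` lines and simple user specs are handled.

```python
"""Static check of sudoers drop-in handling and lecture visibility (constructed example)."""
import os
import re
import tempfile

# `#include` / `#includedir` are directives, not comments (sudoers(5));
# newer sudo also accepts the unambiguous `@include` / `@includedir` spelling.
INCLUDEDIR_RE = re.compile(r"^\s*[#@]includedir\s+(\S+)\s*$")
INCLUDE_RE = re.compile(r"^\s*[#@]include\s+(\S+)\s*$")
DEFAULTS_RE = re.compile(r"^\s*Defaults\s+(.+?)\s*$")
# user spec:  <user|%group|ALL>  <host>=(<runas>)  [TAG:]<commands>
USER_SPEC_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+?)\s*$")


def drop_in_files(directory):
    """Files sudo reads from an includedir: sorted lexically, skipping names
    that contain '.' or end with '~' (editor backups, package leftovers)."""
    names = sorted(os.listdir(directory))
    return [os.path.join(directory, n)
            for n in names if "." not in n and not n.endswith("~")]


def parse_defaults(text, defaults):
    """Apply the clauses of one Defaults line: flag, !flag, key = val, key += val."""
    for clause in (c.strip() for c in text.split(",")):
        if clause.startswith("!"):
            defaults[clause[1:]] = False
        elif "+=" in clause:
            key, val = (s.strip() for s in clause.split("+=", 1))
            defaults[key] = (defaults.get(key, "") + " " + val.strip('"')).strip()
        elif "=" in clause:
            key, val = (s.strip() for s in clause.split("=", 1))
            defaults[key] = val.strip('"')
        else:
            defaults[clause] = True


def load_sudoers(path, defaults=None, specs=None):
    """Read a sudoers file recursively, honouring include directives.
    Later Defaults lines override earlier ones, as in sudo itself."""
    defaults = {} if defaults is None else defaults
    specs = [] if specs is None else specs
    with open(path) as fh:
        for line in (raw.rstrip("\n") for raw in fh):
            m = INCLUDEDIR_RE.match(line)
            if m:
                for sub in drop_in_files(m.group(1)):
                    load_sudoers(sub, defaults, specs)
                continue
            m = INCLUDE_RE.match(line)
            if m:
                load_sudoers(m.group(1), defaults, specs)
                continue
            if not line.strip() or line.lstrip().startswith("#"):
                continue                       # blank line or a real comment
            m = DEFAULTS_RE.match(line)
            if m:
                parse_defaults(m.group(1), defaults)
                continue
            m = USER_SPEC_RE.match(line)
            if m:
                who, host, runas, cmds = m.groups()
                specs.append({"who": who, "host": host, "runas": runas or "",
                              "cmds": cmds,
                              "nopasswd": cmds.upper().startswith("NOPASSWD:")})
    return defaults, specs


def spec_applies(spec, user, groups):
    who = spec["who"]
    if who == "ALL":
        return True
    if who.startswith("%"):
        return who[1:] in groups
    return who == user


def lecture_would_show(defaults, specs, user, groups):
    """The lecture is printed together with the password prompt, so a user who
    is never prompted never sees it, whatever `lecture` is set to."""
    mode = defaults.get("lecture", "once")          # sudo's built-in default
    if mode == "never":
        return False, "Defaults lecture = never"
    if defaults.get("authenticate") is False:
        return False, "Defaults !authenticate: sudo never prompts"
    matches = [s for s in specs if spec_applies(s, user, groups)]
    if matches and matches[-1]["nopasswd"]:     # last matching entry wins
        return False, f"matching rule '{matches[-1]['who']} ... {matches[-1]['cmds']}' is NOPASSWD: no prompt, so no lecture"
    return True, f"password prompt expected; lecture = {mode}, file {defaults.get('lecture_file', '<built-in text>')}"


def build_sample():
    """Constructed copy of the question's configuration in a temp dir, plus an
    `alice` rule and a drop-in whose name sudo ignores (both constructed)."""
    root = tempfile.mkdtemp(prefix="sudoers-demo-")
    dropdir = os.path.join(root, "sudoers.d")
    os.mkdir(dropdir)
    with open(os.path.join(root, "sudoers"), "w") as fh:
        fh.write("Defaults    requiretty\n"
                 "Defaults   !visiblepw\n"
                 "Defaults    env_reset\n"
                 'Defaults    env_keep =  "COLORS DISPLAY HOSTNAME"\n'
                 'Defaults    env_keep += "MAIL PS1 PS2"\n'
                 "Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin\n"
                 "root    ALL=(ALL)       ALL\n"
                 "%wheel  ALL=(ALL)       NOPASSWD:ALL\n"
                 "alice   ALL=(ALL)       ALL\n"
                 f"#includedir {dropdir}\n")
    with open(os.path.join(dropdir, "lecture"), "w") as fh:
        fh.write("Defaults        lecture = always\n"
                 "Defaults        lecture_file = /etc/sudoers.lecture\n")
    with open(os.path.join(dropdir, "lecture.disabled"), "w") as fh:
        fh.write("Defaults lecture = never\n")    # name contains '.', never read
    return os.path.join(root, "sudoers")


if __name__ == "__main__":
    defaults, specs = load_sudoers(build_sample())
    for user, groups in (("cymedica", ["wheel"]), ("alice", ["users"])):
        shown, why = lecture_would_show(defaults, specs, user, groups)
        print(f"{user:10} lecture shown: {shown}  ({why})")
```

Run against the constructed tree, the `wheel` member is reported as never seeing the lecture because the `NOPASSWD:ALL` rule removes the prompt it is attached to, while `alice` (who has a plain rule) is reported as prompted; the `lecture.disabled` drop-in is silently skipped, which is the same reason a stray `lecture.bak` or `lecture~` in a real `/etc/sudoers.d` would have no effect.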
