#446361 log diffs on visudo invocation

Package: sudo
Source: sudo
Description: Provide limited super user privileges to specific users
Submitter: martin f krafft
Date: 2026-02-10 19:03:06 UTC
Severity: wishlist
#446361#3
Date: 2007-10-12 13:35:52 UTC
It would be awesome if visudo could put a diff of changes into
/var/log/sudo. Should be trivial, since we have /etc/sudoers.tmp
anyway, so when the editor finishes and the syntax check passed,
something along the following logic would do:

LOGDIR=/var/log/sudo
TIMESTAMP=$(/bin/date +'%Y.%m.%d.%H.%M.%S')
LOGNAME=${SUDO_USER:-$USER}
# include pts somehow?
LOGFILE="${LOGDIR}/lsh.${TIMESTAMP}.${LOGNAME}"
# non-racy check for logfile existence: with noclobber set, the redirection
# fails instead of silently overwriting a log file that already exists
mkdir -p -m 0700 "$LOGDIR"
( set -o noclobber; diff -abBdEtuw /etc/sudoers /etc/sudoers.tmp > "$LOGFILE" )

Thanks,
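
An added example of the logging step as a shell function (this is not the submitter's snippet and not part of sudo): it creates the log file atomically with mktemp so two concurrent visudo runs cannot collide on one file name, uses plain diff -u so whitespace-only edits are recorded as well, and discards the file when nothing changed. The argument order (old copy, new file, log directory) and the sudoers lines used in demo are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not the submitter's snippet: log a unified diff of the
# sudoers file before and after an edit into a unique per-invocation file.
# Assumed argument order: old copy, new file, log directory.

log_sudoers_diff() {
    old=$1
    new=$2
    logdir=$3
    who=${SUDO_USER:-${USER:-unknown}}
    stamp=$(date +'%Y.%m.%d.%H.%M.%S')

    # the log directory holds sudoers contents, so keep it readable by its
    # owner (root when run from visudo) only
    mkdir -p -m 0700 "$logdir" || return 2

    # mktemp creates the file atomically with mode 0600: two concurrent
    # invocations get distinct files instead of racing on one name
    logfile=$(mktemp "$logdir/sudoers.$stamp.$who.XXXXXX") || return 2

    # plain -u (no whitespace-ignoring flags) so whitespace-only edits are
    # recorded too; diff exits 0 if identical, 1 if different, 2 on error
    rc=0
    diff -u "$old" "$new" > "$logfile" || rc=$?
    case $rc in
        0) rm -f "$logfile"; echo "no change"; return 0 ;;
        1) echo "$logfile"; return 0 ;;
        *) rm -f "$logfile"; return 2 ;;
    esac
}

# Demonstration on constructed input (not a real /etc/sudoers)
demo() {
    tmp=$(mktemp -d) || return 2
    printf 'root ALL=(ALL:ALL) ALL\n' > "$tmp/sudoers.old"
    printf 'root ALL=(ALL:ALL) ALL\nalice ALL=(root) /usr/bin/systemctl\n' > "$tmp/sudoers.new"
    out=$(log_sudoers_diff "$tmp/sudoers.old" "$tmp/sudoers.new" "$tmp/log")
    echo "log written to: $out"
    cat "$out"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as "sh script.sh demo" to see the diff written for the constructed edit. In a real wrapper the old copy would be taken before invoking visudo and the new file would be /etc/sudoers afterwards, so the log only ever records a version that has already passed visudo's syntax check.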

#446361#12
Date: 2022-03-14 21:55:07 UTC
Here is upstream's answer on their bugzilla:

I objected, but don't expect anything to happen here soon.

Greetings
Marc

#446361#22
Date: 2026-02-10 19:00:30 UTC
Maybe this is a good idea for some person who wants this to happen to
chime in, fork https://github.com/sudo-project/sudo and file a PR: Keep
in mind that whatever you're doing in sudo and visudo happens as root.
Dropping privileges after reading the new file state (and having old
file state already in memory) might be a good idea.

Greetings
Marc