#70: "audit_log_user_command(): Connection refused" when using sudo in CentOS 5

Solved!
On every invocation of sudo in CentOS 5.3, whether successful or not, there is an echo to terminal of:

audit_log_user_command(): Connection refused

This does not appear to affect any serious functionality, but is incredibly annoying.

Recompile sudo from source package and patch auditing code

2
As cited in references, this is due to the stock CentOS 5.3 kernel not being compiled with the proper support for auditing. RedHat offers more advanced auditing support in its version of sudo as a custom patch, but the patch is applied whether the kernel has proper support for auditing or not. I don't really need any auditing code in this install, and I don't want to recompile my kernel either.

In this solution, I'm going to change the audit patch as per the RedHat Bugzilla suggests.

If you go to the CentOS RPM repository, you can pick up the source package for sudo. Unpack the SPRM with:

sudo rpm -i sudo-[blah blah].src.rpm

cd on to over to /usr/src/redhat/SPECS, where you'll find the compilation spec sudo.spec. Either follow RedHat Bugzilla by changing the lines as so:
- if( err <= 0 && !(errno == EPERM && getuid() != 0) ) + if( err <= 0 && !((errno == EPERM && getuid() > 0) || errno == ECONNREFUSED )
Or
By commenting out all references to patch5, the audit patch added to sudo by RedHat:
# Patch5: sudo-1.6.9p13-audit.patch #... # %patch5 -p1 -b .audit

I chose the second method, as I didn't see much value in taking the audit features. YMMV.

Once you're done with that, build the SPRM:
sudo rpmbuild -bb sudo.spec

And install:
rpm --force -i /usr/src/redhat/RPMS/[arch]/sudo-[blah blah].rpm

Note that this will overwrite your system sudo with your custom compiled version, so keep a root shell open or enable your root user until you're sure that your new sudo works. Also, keep in mind that system updates to sudo may overwrite your existing installation. YMMV. This is but one solution of many.

But ah, finally, silence from sudo, behaving as Unix tools should be.

Comments

  1. I found that there is a missing parenthesis in this patch and that the messages still show without it.

    if( err <= 0 && !((errno == EPERM && getuid() > 0) || errno == ECONNREFUSED )

    should be:

    if( err <= 0 && !((errno == EPERM && getuid() > 0) || errno == ECONNREFUSED ))

    mike on January 07, 2010, 09:08 PM UTC
  2. I just ran into this problem and found that my CentOS had been compiled with sudo version 1.6.9. Another version, 1.7.2, was already available in yum. A simple yum remove of the current sudo and yum add of the new sudo fixed the problem.

    kirkjared on April 10, 2011, 04:07 PM UTC
  3. Yeah, at the time there was no better option. Pretty sure the problem is solved now with the latest sudo.

    yliu on April 10, 2011, 07:01 PM UTC

Think you've got a better solution? Help 92049143cabb7ba896d7c06e19906303_small yliu out by posting your solution

Bug 401201 – sudo complains: audit_log_user_command(): Connection refused

https://bugzilla.redhat.com/show_bug.cgi?id=401201 - found by 92049143cabb7ba896d7c06e19906303_small yliu on November 04, 2009, 01:28 AM UTC

a way to fix this

Tags: Linux patch sudo

Linux Blog » audit_log_user_command(): Connection refused

http://www.linuxblog.org/audit_log_user_command-connection-refused/ - found by 92049143cabb7ba896d7c06e19906303_small yliu on November 04, 2009, 01:26 AM UTC

Appears that this is simply a failure to compile in a kernel option for audit functionality

Tags: kernel Linux audit