I need to know what deamon process is using sudo.

I tried writing a quick bash wrapper:
Then setting it executable, owned by root, and turning the sticky bit on.

When I tried using this script as a normal user I just get permission denied.

Any ideas?

Do that with /var/log/secure and fsck up the syslog timestamps: use 'logger' and provide the right facility and priority instead.


Setuid doesn't work with scripts.


It all boils down to this: why?


The process replaces Sudo so AFAIK there's no way searching for it afterwards: you'll have to get in right before that. A script might work if your "daemon process" runs in a single-user-per-group way, then maybe you could search the process space for that user: those processes won't share UID (obviously) but they'll share SID. Better would be to get in right before that but using syscall logging. For instance Auditd will show the PID of the resulting process and the original UID. I hope that's enough leads to try 'n play "connect the dots".

It was mostly a hack

ya, apparently the kernel ignores setuid for scripts for security reasons.

I'm on a dev machine and was trying to figure out what process was misbehaving.

I just replaced /usr/bin/sudo with my script, setting normal 755 permissions. This was good enough to figure out which process; Not really a working solution for anything longterm, but good enough for my needs. Thanks for the response.