From 83dd2f48347868deb5d40622356ac6009b6f3d77 Mon Sep 17 00:00:00 2001
From: Peter Vrabec
Date: Tue, 4 Mar 2008 10:28:10 +0000
Subject: [PATCH] audit support improvement

---
 sudo-1.6.9p13-audit.patch | 161 +++++++++++++-------------------------
 sudo.spec | 5 +-
 2 files changed, 60 insertions(+), 106 deletions(-)

diff --git a/sudo-1.6.9p13-audit.patch b/sudo-1.6.9p13-audit.patch
index eef7ac3..909d8a7 100644
--- a/sudo-1.6.9p13-audit.patch
+++ b/sudo-1.6.9p13-audit.patch
@@ -1,6 +1,6 @@
 diff -up sudo-1.6.9p13/set_perms.c.audit sudo-1.6.9p13/set_perms.c
 --- sudo-1.6.9p13/set_perms.c.audit 2007-11-28 00:41:23.000000000 +0100
-+++ sudo-1.6.9p13/set_perms.c 2008-02-21 14:03:02.000000000 +0100
++++ sudo-1.6.9p13/set_perms.c 2008-03-04 11:18:45.000000000 +0100
 @@ -53,6 +53,10 @@
 #ifdef HAVE_LOGIN_CAP_H
 # include
@@ -67,8 +67,8 @@ diff -up sudo-1.6.9p13/set_perms.c.audit sudo-1.6.9p13/set_perms.c
 case PERM_SUDOERS:
 /* assume euid == ROOT_UID, ruid == user */
 diff -up sudo-1.6.9p13/sudo.c.audit sudo-1.6.9p13/sudo.c
---- sudo-1.6.9p13/sudo.c.audit 2008-02-21 14:03:02.000000000 +0100
-+++ sudo-1.6.9p13/sudo.c 2008-02-21 14:03:02.000000000 +0100
+--- sudo-1.6.9p13/sudo.c.audit 2008-03-04 11:18:45.000000000 +0100
++++ sudo-1.6.9p13/sudo.c 2008-03-04 11:21:54.000000000 +0100
 @@ -100,6 +100,10 @@
 # include
 #endif
@@ -91,119 +91,54 @@ diff -up sudo-1.6.9p13/sudo.c.audit sudo-1.6.9p13/sudo.c
 /*
 * Look up the timestamp dir owner if one is specified.
 */
-@@ -305,9 +313,13 @@ main(argc, argv, envp)
- pw = getpwuid(atoi(def_timestampowner + 1));
- else
- pw = getpwnam(def_timestampowner);
-- if (!pw)
-+ if (!pw) {
-+#if defined(WITH_AUDIT)
-+ audit_logger(AUDIT_USER_CMD, user_cmnd, 0);
-+#endif
- log_error(0, "timestamp owner (%s): No such user",
- def_timestampowner);
-+ }
- timestamp_uid = pw->pw_uid;
- }
- 
-@@ -317,15 +329,22 @@ main(argc, argv, envp)
- exit(0);
- }
- 
-- if (ISSET(validated, VALIDATE_ERROR))
-+ if (ISSET(validated, VALIDATE_ERROR)) {
-+#if defined(WITH_AUDIT)
-+ audit_logger(AUDIT_USER_CMD, user_cmnd, 0);
-+#endif
- log_error(0, "parse error in %s near line %d", _PATH_SUDOERS,
- errorlineno);
-+ }
- 
- /* Is root even allowed to run sudo? */
- if (user_uid == 0 && !def_root_sudo) {
- (void) fprintf(stderr,
- "Sorry, %s has been configured to not allow root to run it.\n",
- getprogname());
-+#if defined(WITH_AUDIT)
-+ audit_logger(AUDIT_USER_CMD, user_cmnd, 0);
-+#endif
- exit(1);
- }
- 
-@@ -339,8 +358,12 @@ main(argc, argv, envp)
- 
- /* Bail if a tty is required and we don't have one. */
- if (def_requiretty) {
-- if ((fd = open(_PATH_TTY, O_RDWR|O_NOCTTY)) == -1)
-+ if ((fd = open(_PATH_TTY, O_RDWR|O_NOCTTY)) == -1) {
-+#if defined(WITH_AUDIT)
-+ audit_logger(AUDIT_USER_CMD, user_cmnd, 0);
-+#endif
- log_error(NO_MAIL, "sorry, you must have a tty to run sudo");
-+ }
- else
- (void) close(fd);
- }
-@@ -373,17 +396,27 @@ main(argc, argv, envp)
- /* Finally tell the user if the command did not exist.
*/
- if (cmnd_status == NOT_FOUND_DOT) {
- warnx("ignoring `%s' found in '.'\nUse `sudo ./%s' if this is the `%s' you wish to run.", user_cmnd, user_cmnd, user_cmnd);
-+#if defined(WITH_AUDIT)
-+ audit_logger(AUDIT_USER_CMD, user_cmnd, 0);
-+#endif
- exit(1);
- } else if (cmnd_status == NOT_FOUND) {
- warnx("%s: command not found", user_cmnd);
-+#if defined(WITH_AUDIT)
-+ audit_logger(AUDIT_USER_CMD, user_cmnd, 0);
-+#endif
- exit(1);
- }
- 
- /* If user specified env vars make sure sudoers allows it. */
- if (ISSET(sudo_mode, MODE_RUN) && !ISSET(validated, FLAG_SETENV)) {
-- if (ISSET(sudo_mode, MODE_PRESERVE_ENV))
-+ if (ISSET(sudo_mode, MODE_PRESERVE_ENV)) {
-+#if defined(WITH_AUDIT)
-+ audit_logger(AUDIT_USER_CMD, user_cmnd, 0);
-+#endif
- log_error(NO_MAIL,
- "sorry, you are not allowed to preserve the environment");
-+ }
- else
- validate_env_vars(sudo_user.env_vars);
- }
-@@ -442,6 +475,17 @@ main(argc, argv, envp)
+@@ -442,6 +450,17 @@ main(argc, argv, envp)
 (void) sigaction(SIGTSTP, &saved_sa_tstp, NULL);
 (void) sigaction(SIGCHLD, &saved_sa_chld, NULL);

 + if (access(safe_cmnd, X_OK) != 0) {
 + warn ("unable to execute %s", safe_cmnd);
 +#ifdef WITH_AUDIT
-+ audit_logger(AUDIT_USER_CMD, safe_cmnd, 0);
++ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
 +#endif
 + exit(127);
 + }
 +#ifdef WITH_AUDIT
-+ audit_logger(AUDIT_USER_CMD, safe_cmnd, 1);
++ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 1);
 +#endif
 +
 #ifndef PROFILING
 if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0)
 exit(0);
-@@ -465,6 +509,9 @@ main(argc, argv, envp)
+@@ -465,10 +484,16 @@ main(argc, argv, envp)
 NewArgv[1] = safe_cmnd;
 execve(_PATH_BSHELL, NewArgv, environ);
 }
 +#ifdef WITH_AUDIT
-+ audit_logger(AUDIT_USER_CMD, safe_cmnd, 0);
++ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
 +#endif
 warn("unable to execute %s", safe_cmnd);
 exit(127);
 } else if (ISSET(validated, FLAG_NO_USER) || (validated & FLAG_NO_HOST)) {
+ log_auth(validated, 1);
++#ifdef WITH_AUDIT
++ 
audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
++#endif
+ exit(1);
+ } else if (ISSET(validated, VALIDATE_NOT_OK)) {
+ if (def_path_info) {
+@@ -489,6 +514,9 @@ main(argc, argv, envp)
+ /* Just tell the user they are not allowed to run foo. */
+ log_auth(validated, 1);
+ }
++#ifdef WITH_AUDIT
++ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
++#endif
+ exit(1);
+ } else {
+ /* should never get here */
 diff -up sudo-1.6.9p13/configure.in.audit sudo-1.6.9p13/configure.in
---- sudo-1.6.9p13/configure.in.audit 2008-02-21 14:03:02.000000000 +0100
-+++ sudo-1.6.9p13/configure.in 2008-02-21 14:03:02.000000000 +0100
+--- sudo-1.6.9p13/configure.in.audit 2008-03-04 11:18:45.000000000 +0100
++++ sudo-1.6.9p13/configure.in 2008-03-04 11:18:45.000000000 +0100
 @@ -166,6 +166,10 @@ dnl
 dnl Options for --with
 dnl
@@ -243,8 +178,8 @@ diff -up sudo-1.6.9p13/configure.in.audit sudo-1.6.9p13/configure.in
 dnl
 diff -up /dev/null sudo-1.6.9p13/audit_help.c
 --- /dev/null 2008-02-05 17:16:01.642928004 +0100
-+++ sudo-1.6.9p13/audit_help.c 2008-02-21 14:20:56.000000000 +0100
-@@ -0,0 +1,124 @@
++++ sudo-1.6.9p13/audit_help.c 2008-03-04 11:21:15.000000000 +0100
+@@ -0,0 +1,140 @@
 +/*
 + * Audit helper functions used throughout sudo
 + *
@@ -285,6 +220,7 @@ diff -up /dev/null sudo-1.6.9p13/audit_help.c
 +#include
 +#include
 +#include
++#include
 +#include
 +#include
 +
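Review bot: On the two deny paths added at the end of this hunk (the FLAG_NO_USER/FLAG_NO_HOST branch and the VALIDATE_NOT_OK branch) the record is built from `safe_cmnd`, whereas the earlier revision of this patch logged `user_cmnd` on denials; if `safe_cmnd` is still unset when no sudoers entry matched (its initialisation is not visible here), the `asprintf("%s", ...)` in audit_logger receives a NULL, which is undefined behaviour and at best records "(null)" instead of the command the user asked for, so `audit_logger(AUDIT_USER_CMD, safe_cmnd ? safe_cmnd : user_cmnd, user_args, 0);` is the safer form on both deny paths. The hunk also removes the failure records for the requiretty, sudoers parse-error, root-not-allowed, command-not-found and preserve-environment refusals without adding an equivalent anywhere else in this diff, so those denials no longer reach the audit log unless log_error() now emits one (not shown). The `result = 1` record is emitted before execve() can succeed, so an exec failure yields a success record followed by a failure record; that deserves a comment on the line, e.g. `/* Audit "granted"; an exec failure below is audited separately. */`, and the new access(X_OK) pre-check only narrows that window rather than closing it. main() begins and ends outside this hunk.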
@@ -314,22 +250,36 @@ diff -up /dev/null sudo-1.6.9p13/audit_help.c
 + *
 + * type - type of message: AUDIT_USER_CMD
 + * command - the command being logged
++ * params - parames of the command
 + * result - 1 is "success" and 0 is "failed"
 + *
 + */
-+void audit_logger (int type, const char *command, int result)
++void audit_logger (int type, const char *command, const char *params, int result)
 +{
 + int err;
++ char *msg;
 +
-+ if (audit_fd < 0)
++ if( audit_fd < 0 )
 + return;
 + else {
-+ err = audit_log_user_command (audit_fd, type, command, NULL, result);
-+ /* The kernel supports auditing and we had
++
++ if( params )
++ err = asprintf(&msg, "%s %s", command, params);
++ else
++ err = asprintf(&msg, "%s", command);
++ if (err < 0) {
++ fprintf (stderr, "Memory allocation for audit message wasn’t possible.\n");
++ return;
++ }
++
++ err = audit_log_user_command (audit_fd, type, msg, NULL, result);
++ /* The kernel supports auditing and we had
 + enough privilege to write to the socket. */
-+ if( err <= 0 && !(errno == EPERM && getuid() != 0) ) {
-+ perror("audit_log_user_command()");
-+ }
++ if( err <= 0 && !(errno == EPERM && getuid() != 0) ) {
++ perror("audit_log_user_command()");
++ }
++
++ free(msg);
 + }
 +}
 +
@@ -353,6 +303,7 @@ diff -up /dev/null sudo-1.6.9p13/audit_help.c
 +
 + rc = audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
 + msg, NULL, NULL, ttyn, success);
++
 + if (rc <= 0) {
 + fprintf(stderr, "Error sending audit message.\n");
 + rc = -1;
@@ -371,7 +322,7 @@ diff -up /dev/null sudo-1.6.9p13/audit_help.c
 +
 diff -up sudo-1.6.9p13/Makefile.in.audit sudo-1.6.9p13/Makefile.in
 --- sudo-1.6.9p13/Makefile.in.audit 2008-02-19 19:13:10.000000000 +0100
-+++ sudo-1.6.9p13/Makefile.in 2008-02-21 14:03:02.000000000 +0100
++++ sudo-1.6.9p13/Makefile.in 2008-03-04 11:18:45.000000000 +0100
 @@ -120,11 +120,13 @@ HDRS = compat.h def_data.h defaults.h in
 AUTH_OBJS = sudo_auth.o @AUTH_OBJS@
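Review bot: When asprintf() fails, the new audit_logger returns before calling audit_log_user_command(), so an allocation failure in this setuid program drops the authorization record entirely instead of degrading it; a two-line fallback keeps the event, `if (err < 0) msg = NULL;` followed by `err = audit_log_user_command (audit_fd, type, msg ? msg : command, NULL, result);`, and the existing free(msg) remains correct for NULL (glibc leaves msg undefined on failure, which is why the explicit NULL is needed). The stderr message on that path embeds a non-ASCII right single quotation mark in `wasn’t`; use a plain ASCII apostrophe so the literal stays 7-bit. `params` is the user-typed argument string, so the record's resistance to newline or control-character injection rests on libaudit encoding it; audit_log_user_command is documented to escape the command text, but confirm that for the libaudit version targeted rather than relying on it implicitly. The header comment's `parames` line should read ` * params - arguments of the command, or NULL`.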
@@ -398,8 +349,8 @@ diff -up sudo-1.6.9p13/Makefile.in.audit sudo-1.6.9p13/Makefile.in
 @rm -f $(srcdir)/$@
 ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" | perl -p sudo.man.pl >> $@ )
 diff -up sudo-1.6.9p13/sudo.h.audit sudo-1.6.9p13/sudo.h
---- sudo-1.6.9p13/sudo.h.audit 2008-02-21 14:03:02.000000000 +0100
-+++ sudo-1.6.9p13/sudo.h 2008-02-21 14:03:02.000000000 +0100
+--- sudo-1.6.9p13/sudo.h.audit 2008-03-04 11:18:45.000000000 +0100
++++ sudo-1.6.9p13/sudo.h 2008-03-04 11:18:45.000000000 +0100
 @@ -23,6 +23,8 @@
 #ifndef _SUDO_SUDO_H
 #define _SUDO_SUDO_H
@@ -416,7 +367,7 @@ diff -up sudo-1.6.9p13/sudo.h.audit sudo-1.6.9p13/sudo.h
 +#ifdef WITH_AUDIT
 +extern int audit_fd;
 +extern void audit_help_open (void);
-+extern void audit_logger (int, const char *, int);
++extern void audit_logger (int, const char *, const char *, int);
 +#endif
 +
 #endif /* _SUDO_SUDO_H */
diff --git a/sudo.spec b/sudo.spec
index d45b69b..e41ea43 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
 Version: 1.6.9p13
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: BSD
 Group: Applications/System
 URL: http://www.courtesan.com/sudo/
@@ -129,6 +129,9 @@ rm -rf $RPM_BUILD_ROOT
 /bin/chmod 0440 /etc/sudoers || :

 %changelog
+* Tue Mar 04 2008 Peter Vrabec 1.6.9p13-2
+- audit support improvement
+
 * Thu Feb 21 2008 Peter Vrabec 1.6.9p13-1
 - upgrade to the latest upstream release
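Review bot: The updated prototype in the sudo.h hunk drops the parameter names, and with two adjacent `const char *` arguments (command, params) that makes it easy to swap them at a call site with no compiler diagnostic; keep the names so the header documents the order: `extern void audit_logger (int type, const char *command, const char *params, int result);`.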