rpms/sudo
5
0
Fork 0
Code Issues Pull Requests Releases Activity

audit support improvement

Browse Source
This commit is contained in:
Peter Vrabec 2008-03-04 10:28:10 +00:00
parent 0fe071d2e4
commit 83dd2f4834
2 changed files with 60 additions and 106 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

159
sudo-1.6.9p13-audit.patch
View File

@ -1,6 +1,6 @@
diff -up sudo-1.6.9p13/set_perms.c.audit sudo-1.6.9p13/set_perms.c diff -up sudo-1.6.9p13/set_perms.c.audit sudo-1.6.9p13/set_perms.c
--- sudo-1.6.9p13/set_perms.c.audit 2007-11-28 00:41:23.000000000 +0100 --- sudo-1.6.9p13/set_perms.c.audit 2007-11-28 00:41:23.000000000 +0100
+++ sudo-1.6.9p13/set_perms.c 2008-02-21 14:03:02.000000000 +0100 +++ sudo-1.6.9p13/set_perms.c 2008-03-04 11:18:45.000000000 +0100
@@ -53,6 +53,10 @@ @@ -53,6 +53,10 @@
#ifdef HAVE_LOGIN_CAP_H #ifdef HAVE_LOGIN_CAP_H
# include <login_cap.h> # include <login_cap.h>
@ -67,8 +67,8 @@ diff -up sudo-1.6.9p13/set_perms.c.audit sudo-1.6.9p13/set_perms.c
case PERM_SUDOERS: case PERM_SUDOERS:
/* assume euid == ROOT_UID, ruid == user */ /* assume euid == ROOT_UID, ruid == user */
diff -up sudo-1.6.9p13/sudo.c.audit sudo-1.6.9p13/sudo.c diff -up sudo-1.6.9p13/sudo.c.audit sudo-1.6.9p13/sudo.c
--- sudo-1.6.9p13/sudo.c.audit 2008-02-21 14:03:02.000000000 +0100 --- sudo-1.6.9p13/sudo.c.audit 2008-03-04 11:18:45.000000000 +0100
+++ sudo-1.6.9p13/sudo.c 2008-02-21 14:03:02.000000000 +0100 +++ sudo-1.6.9p13/sudo.c 2008-03-04 11:21:54.000000000 +0100
@@ -100,6 +100,10 @@ @@ -100,6 +100,10 @@
# include <selinux/selinux.h> # include <selinux/selinux.h>
#endif #endif
@ -91,119 +91,54 @@ diff -up sudo-1.6.9p13/sudo.c.audit sudo-1.6.9p13/sudo.c
/* /*
* Look up the timestamp dir owner if one is specified. * Look up the timestamp dir owner if one is specified.
*/ */
@@ -305,9 +313,13 @@ main(argc, argv, envp) @@ -442,6 +450,17 @@ main(argc, argv, envp)
pw = getpwuid(atoi(def_timestampowner + 1));
else
pw = getpwnam(def_timestampowner);
- if (!pw)
+ if (!pw) {
+#if defined(WITH_AUDIT)
+ audit_logger(AUDIT_USER_CMD, user_cmnd, 0);
+#endif
log_error(0, "timestamp owner (%s): No such user",
def_timestampowner);
+ }
timestamp_uid = pw->pw_uid;
}
@@ -317,15 +329,22 @@ main(argc, argv, envp)
exit(0);
}
- if (ISSET(validated, VALIDATE_ERROR))
+ if (ISSET(validated, VALIDATE_ERROR)) {
+#if defined(WITH_AUDIT)
+ audit_logger(AUDIT_USER_CMD, user_cmnd, 0);
+#endif
log_error(0, "parse error in %s near line %d", _PATH_SUDOERS,
errorlineno);
+ }
/* Is root even allowed to run sudo? */
if (user_uid == 0 && !def_root_sudo) {
(void) fprintf(stderr,
"Sorry, %s has been configured to not allow root to run it.\n",
getprogname());
+#if defined(WITH_AUDIT)
+ audit_logger(AUDIT_USER_CMD, user_cmnd, 0);
+#endif
exit(1);
}
@@ -339,8 +358,12 @@ main(argc, argv, envp)
/* Bail if a tty is required and we don't have one. */
if (def_requiretty) {
- if ((fd = open(_PATH_TTY, O_RDWR|O_NOCTTY)) == -1)
+ if ((fd = open(_PATH_TTY, O_RDWR|O_NOCTTY)) == -1) {
+#if defined(WITH_AUDIT)
+ audit_logger(AUDIT_USER_CMD, user_cmnd, 0);
+#endif
log_error(NO_MAIL, "sorry, you must have a tty to run sudo");
+ }
else
(void) close(fd);
}
@@ -373,17 +396,27 @@ main(argc, argv, envp)
/* Finally tell the user if the command did not exist. */
if (cmnd_status == NOT_FOUND_DOT) {
warnx("ignoring `%s' found in '.'\nUse `sudo ./%s' if this is the `%s' you wish to run.", user_cmnd, user_cmnd, user_cmnd);
+#if defined(WITH_AUDIT)
+ audit_logger(AUDIT_USER_CMD, user_cmnd, 0);
+#endif
exit(1);
} else if (cmnd_status == NOT_FOUND) {
warnx("%s: command not found", user_cmnd);
+#if defined(WITH_AUDIT)
+ audit_logger(AUDIT_USER_CMD, user_cmnd, 0);
+#endif
exit(1);
}
/* If user specified env vars make sure sudoers allows it. */
if (ISSET(sudo_mode, MODE_RUN) && !ISSET(validated, FLAG_SETENV)) {
- if (ISSET(sudo_mode, MODE_PRESERVE_ENV))
+ if (ISSET(sudo_mode, MODE_PRESERVE_ENV)) {
+#if defined(WITH_AUDIT)
+ audit_logger(AUDIT_USER_CMD, user_cmnd, 0);
+#endif
log_error(NO_MAIL,
"sorry, you are not allowed to preserve the environment");
+ }
else
validate_env_vars(sudo_user.env_vars);
}
@@ -442,6 +475,17 @@ main(argc, argv, envp)
(void) sigaction(SIGTSTP, &saved_sa_tstp, NULL); (void) sigaction(SIGTSTP, &saved_sa_tstp, NULL);
(void) sigaction(SIGCHLD, &saved_sa_chld, NULL); (void) sigaction(SIGCHLD, &saved_sa_chld, NULL);
+ if (access(safe_cmnd, X_OK) != 0) { + if (access(safe_cmnd, X_OK) != 0) {
+ warn ("unable to execute %s", safe_cmnd); + warn ("unable to execute %s", safe_cmnd);
+#ifdef WITH_AUDIT +#ifdef WITH_AUDIT
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, 0); + audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
+#endif +#endif
+ exit(127); + exit(127);
+ } + }
+#ifdef WITH_AUDIT +#ifdef WITH_AUDIT
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, 1); + audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 1);
+#endif +#endif
+ +
#ifndef PROFILING #ifndef PROFILING
if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0) if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0)
exit(0); exit(0);
@@ -465,6 +509,9 @@ main(argc, argv, envp) @@ -465,10 +484,16 @@ main(argc, argv, envp)
NewArgv[1] = safe_cmnd; NewArgv[1] = safe_cmnd;
execve(_PATH_BSHELL, NewArgv, environ); execve(_PATH_BSHELL, NewArgv, environ);
} }
+#ifdef WITH_AUDIT +#ifdef WITH_AUDIT
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, 0); + audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
+#endif +#endif
warn("unable to execute %s", safe_cmnd); warn("unable to execute %s", safe_cmnd);
exit(127); exit(127);
} else if (ISSET(validated, FLAG_NO_USER) || (validated & FLAG_NO_HOST)) { } else if (ISSET(validated, FLAG_NO_USER) || (validated & FLAG_NO_HOST)) {
log_auth(validated, 1);
+#ifdef WITH_AUDIT
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
+#endif
exit(1);
} else if (ISSET(validated, VALIDATE_NOT_OK)) {
if (def_path_info) {
@@ -489,6 +514,9 @@ main(argc, argv, envp)
/* Just tell the user they are not allowed to run foo. */
log_auth(validated, 1);
}
+#ifdef WITH_AUDIT
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
+#endif
exit(1);
} else {
/* should never get here */
diff -up sudo-1.6.9p13/configure.in.audit sudo-1.6.9p13/configure.in diff -up sudo-1.6.9p13/configure.in.audit sudo-1.6.9p13/configure.in
--- sudo-1.6.9p13/configure.in.audit 2008-02-21 14:03:02.000000000 +0100 --- sudo-1.6.9p13/configure.in.audit 2008-03-04 11:18:45.000000000 +0100
+++ sudo-1.6.9p13/configure.in 2008-02-21 14:03:02.000000000 +0100 +++ sudo-1.6.9p13/configure.in 2008-03-04 11:18:45.000000000 +0100
@@ -166,6 +166,10 @@ dnl @@ -166,6 +166,10 @@ dnl
dnl Options for --with dnl Options for --with
dnl dnl
@ -243,8 +178,8 @@ diff -up sudo-1.6.9p13/configure.in.audit sudo-1.6.9p13/configure.in
dnl dnl
diff -up /dev/null sudo-1.6.9p13/audit_help.c diff -up /dev/null sudo-1.6.9p13/audit_help.c
--- /dev/null 2008-02-05 17:16:01.642928004 +0100 --- /dev/null 2008-02-05 17:16:01.642928004 +0100
+++ sudo-1.6.9p13/audit_help.c 2008-02-21 14:20:56.000000000 +0100 +++ sudo-1.6.9p13/audit_help.c 2008-03-04 11:21:15.000000000 +0100
@@ -0,0 +1,124 @@ @@ -0,0 +1,140 @@
+/* +/*
+ * Audit helper functions used throughout sudo + * Audit helper functions used throughout sudo
+ * + *
@ -285,6 +220,7 @@ diff -up /dev/null sudo-1.6.9p13/audit_help.c
+#include <libaudit.h> +#include <libaudit.h>
+#include <errno.h> +#include <errno.h>
+#include <stdio.h> +#include <stdio.h>
+#include <string.h>
+#include <unistd.h> +#include <unistd.h>
+#include <sys/types.h> +#include <sys/types.h>
+ +
@ -314,22 +250,36 @@ diff -up /dev/null sudo-1.6.9p13/audit_help.c
+ * + *
+ * type - type of message: AUDIT_USER_CMD + * type - type of message: AUDIT_USER_CMD
+ * command - the command being logged + * command - the command being logged
+ * params - parames of the command
+ * result - 1 is "success" and 0 is "failed" + * result - 1 is "success" and 0 is "failed"
+ * + *
+ */ + */
+void audit_logger (int type, const char *command, int result) +void audit_logger (int type, const char *command, const char *params, int result)
+{ +{
+ int err; + int err;
+ char *msg;
+ +
+ if (audit_fd < 0) + if( audit_fd < 0 )
+ return; + return;
+ else { + else {
+ err = audit_log_user_command (audit_fd, type, command, NULL, result); +
+ if( params )
+ err = asprintf(&msg, "%s %s", command, params);
+ else
+ err = asprintf(&msg, "%s", command);
+ if (err < 0) {
+ fprintf (stderr, "Memory allocation for audit message wasnt possible.\n");
+ return;
+ }
+
+ err = audit_log_user_command (audit_fd, type, msg, NULL, result);
+ /* The kernel supports auditing and we had + /* The kernel supports auditing and we had
+ enough privilege to write to the socket. */ + enough privilege to write to the socket. */
+ if( err <= 0 && !(errno == EPERM && getuid() != 0) ) { + if( err <= 0 && !(errno == EPERM && getuid() != 0) ) {
+ perror("audit_log_user_command()"); + perror("audit_log_user_command()");
+ } + }
+
+ free(msg);
+ } + }
+} +}
+ +
@ -353,6 +303,7 @@ diff -up /dev/null sudo-1.6.9p13/audit_help.c
+ +
+ rc = audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE, + rc = audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
+ msg, NULL, NULL, ttyn, success); + msg, NULL, NULL, ttyn, success);
+
+ if (rc <= 0) { + if (rc <= 0) {
+ fprintf(stderr, "Error sending audit message.\n"); + fprintf(stderr, "Error sending audit message.\n");
+ rc = -1; + rc = -1;
@ -371,7 +322,7 @@ diff -up /dev/null sudo-1.6.9p13/audit_help.c
+ +
diff -up sudo-1.6.9p13/Makefile.in.audit sudo-1.6.9p13/Makefile.in diff -up sudo-1.6.9p13/Makefile.in.audit sudo-1.6.9p13/Makefile.in
--- sudo-1.6.9p13/Makefile.in.audit 2008-02-19 19:13:10.000000000 +0100 --- sudo-1.6.9p13/Makefile.in.audit 2008-02-19 19:13:10.000000000 +0100
+++ sudo-1.6.9p13/Makefile.in 2008-02-21 14:03:02.000000000 +0100 +++ sudo-1.6.9p13/Makefile.in 2008-03-04 11:18:45.000000000 +0100
@@ -120,11 +120,13 @@ HDRS = compat.h def_data.h defaults.h in @@ -120,11 +120,13 @@ HDRS = compat.h def_data.h defaults.h in
AUTH_OBJS = sudo_auth.o @AUTH_OBJS@ AUTH_OBJS = sudo_auth.o @AUTH_OBJS@
@ -398,8 +349,8 @@ diff -up sudo-1.6.9p13/Makefile.in.audit sudo-1.6.9p13/Makefile.in
@rm -f $(srcdir)/$@ @rm -f $(srcdir)/$@
( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" | perl -p sudo.man.pl >> $@ ) ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" | perl -p sudo.man.pl >> $@ )
diff -up sudo-1.6.9p13/sudo.h.audit sudo-1.6.9p13/sudo.h diff -up sudo-1.6.9p13/sudo.h.audit sudo-1.6.9p13/sudo.h
--- sudo-1.6.9p13/sudo.h.audit 2008-02-21 14:03:02.000000000 +0100 --- sudo-1.6.9p13/sudo.h.audit 2008-03-04 11:18:45.000000000 +0100
+++ sudo-1.6.9p13/sudo.h 2008-02-21 14:03:02.000000000 +0100 +++ sudo-1.6.9p13/sudo.h 2008-03-04 11:18:45.000000000 +0100
@@ -23,6 +23,8 @@ @@ -23,6 +23,8 @@
#ifndef _SUDO_SUDO_H #ifndef _SUDO_SUDO_H
#define _SUDO_SUDO_H #define _SUDO_SUDO_H
@ -416,7 +367,7 @@ diff -up sudo-1.6.9p13/sudo.h.audit sudo-1.6.9p13/sudo.h
+#ifdef WITH_AUDIT +#ifdef WITH_AUDIT
+extern int audit_fd; +extern int audit_fd;
+extern void audit_help_open (void); +extern void audit_help_open (void);
+extern void audit_logger (int, const char *, int); +extern void audit_logger (int, const char *, const char *, int);
+#endif +#endif
+ +
#endif /* _SUDO_SUDO_H */ #endif /* _SUDO_SUDO_H */

5
sudo.spec
View File

@ -1,7 +1,7 @@
Summary: Allows restricted root access for specified users Summary: Allows restricted root access for specified users
Name: sudo Name: sudo
Version: 1.6.9p13 Version: 1.6.9p13
Release: 1%{?dist} Release: 2%{?dist}
License: BSD License: BSD
Group: Applications/System Group: Applications/System
URL: http://www.courtesan.com/sudo/ URL: http://www.courtesan.com/sudo/
@ -129,6 +129,9 @@ rm -rf $RPM_BUILD_ROOT
/bin/chmod 0440 /etc/sudoers || : /bin/chmod 0440 /etc/sudoers || :
%changelog %changelog
* Tue Mar 04 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-2
- audit support improvement
* Thu Feb 21 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-1 * Thu Feb 21 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-1
- upgrade to the latest upstream release - upgrade to the latest upstream release