audit support improvement
parent
0fe071d2e4
commit
83dd2f4834
@ -1,6 +1,6 @@
|
|||||||
diff -up sudo-1.6.9p13/set_perms.c.audit sudo-1.6.9p13/set_perms.c
|
diff -up sudo-1.6.9p13/set_perms.c.audit sudo-1.6.9p13/set_perms.c
|
||||||
--- sudo-1.6.9p13/set_perms.c.audit 2007-11-28 00:41:23.000000000 +0100
|
--- sudo-1.6.9p13/set_perms.c.audit 2007-11-28 00:41:23.000000000 +0100
|
||||||
+++ sudo-1.6.9p13/set_perms.c 2008-02-21 14:03:02.000000000 +0100
|
+++ sudo-1.6.9p13/set_perms.c 2008-03-04 11:18:45.000000000 +0100
|
||||||
@@ -53,6 +53,10 @@
|
@@ -53,6 +53,10 @@
|
||||||
#ifdef HAVE_LOGIN_CAP_H
|
#ifdef HAVE_LOGIN_CAP_H
|
||||||
# include <login_cap.h>
|
# include <login_cap.h>
|
||||||
@ -67,8 +67,8 @@ diff -up sudo-1.6.9p13/set_perms.c.audit sudo-1.6.9p13/set_perms.c
|
|||||||
case PERM_SUDOERS:
|
case PERM_SUDOERS:
|
||||||
/* assume euid == ROOT_UID, ruid == user */
|
/* assume euid == ROOT_UID, ruid == user */
|
||||||
diff -up sudo-1.6.9p13/sudo.c.audit sudo-1.6.9p13/sudo.c
|
diff -up sudo-1.6.9p13/sudo.c.audit sudo-1.6.9p13/sudo.c
|
||||||
--- sudo-1.6.9p13/sudo.c.audit 2008-02-21 14:03:02.000000000 +0100
|
--- sudo-1.6.9p13/sudo.c.audit 2008-03-04 11:18:45.000000000 +0100
|
||||||
+++ sudo-1.6.9p13/sudo.c 2008-02-21 14:03:02.000000000 +0100
|
+++ sudo-1.6.9p13/sudo.c 2008-03-04 11:21:54.000000000 +0100
|
||||||
@@ -100,6 +100,10 @@
|
@@ -100,6 +100,10 @@
|
||||||
# include <selinux/selinux.h>
|
# include <selinux/selinux.h>
|
||||||
#endif
|
#endif
|
||||||
@ -91,119 +91,54 @@ diff -up sudo-1.6.9p13/sudo.c.audit sudo-1.6.9p13/sudo.c
|
|||||||
/*
|
/*
|
||||||
* Look up the timestamp dir owner if one is specified.
|
* Look up the timestamp dir owner if one is specified.
|
||||||
*/
|
*/
|
||||||
@@ -305,9 +313,13 @@ main(argc, argv, envp)
|
@@ -442,6 +450,17 @@ main(argc, argv, envp)
|
||||||
pw = getpwuid(atoi(def_timestampowner + 1));
|
|
||||||
else
|
|
||||||
pw = getpwnam(def_timestampowner);
|
|
||||||
- if (!pw)
|
|
||||||
+ if (!pw) {
|
|
||||||
+#if defined(WITH_AUDIT)
|
|
||||||
+ audit_logger(AUDIT_USER_CMD, user_cmnd, 0);
|
|
||||||
+#endif
|
|
||||||
log_error(0, "timestamp owner (%s): No such user",
|
|
||||||
def_timestampowner);
|
|
||||||
+ }
|
|
||||||
timestamp_uid = pw->pw_uid;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -317,15 +329,22 @@ main(argc, argv, envp)
|
|
||||||
exit(0);
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (ISSET(validated, VALIDATE_ERROR))
|
|
||||||
+ if (ISSET(validated, VALIDATE_ERROR)) {
|
|
||||||
+#if defined(WITH_AUDIT)
|
|
||||||
+ audit_logger(AUDIT_USER_CMD, user_cmnd, 0);
|
|
||||||
+#endif
|
|
||||||
log_error(0, "parse error in %s near line %d", _PATH_SUDOERS,
|
|
||||||
errorlineno);
|
|
||||||
+ }
|
|
||||||
|
|
||||||
/* Is root even allowed to run sudo? */
|
|
||||||
if (user_uid == 0 && !def_root_sudo) {
|
|
||||||
(void) fprintf(stderr,
|
|
||||||
"Sorry, %s has been configured to not allow root to run it.\n",
|
|
||||||
getprogname());
|
|
||||||
+#if defined(WITH_AUDIT)
|
|
||||||
+ audit_logger(AUDIT_USER_CMD, user_cmnd, 0);
|
|
||||||
+#endif
|
|
||||||
exit(1);
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -339,8 +358,12 @@ main(argc, argv, envp)
|
|
||||||
|
|
||||||
/* Bail if a tty is required and we don't have one. */
|
|
||||||
if (def_requiretty) {
|
|
||||||
- if ((fd = open(_PATH_TTY, O_RDWR|O_NOCTTY)) == -1)
|
|
||||||
+ if ((fd = open(_PATH_TTY, O_RDWR|O_NOCTTY)) == -1) {
|
|
||||||
+#if defined(WITH_AUDIT)
|
|
||||||
+ audit_logger(AUDIT_USER_CMD, user_cmnd, 0);
|
|
||||||
+#endif
|
|
||||||
log_error(NO_MAIL, "sorry, you must have a tty to run sudo");
|
|
||||||
+ }
|
|
||||||
else
|
|
||||||
(void) close(fd);
|
|
||||||
}
|
|
||||||
@@ -373,17 +396,27 @@ main(argc, argv, envp)
|
|
||||||
/* Finally tell the user if the command did not exist. */
|
|
||||||
if (cmnd_status == NOT_FOUND_DOT) {
|
|
||||||
warnx("ignoring `%s' found in '.'\nUse `sudo ./%s' if this is the `%s' you wish to run.", user_cmnd, user_cmnd, user_cmnd);
|
|
||||||
+#if defined(WITH_AUDIT)
|
|
||||||
+ audit_logger(AUDIT_USER_CMD, user_cmnd, 0);
|
|
||||||
+#endif
|
|
||||||
exit(1);
|
|
||||||
} else if (cmnd_status == NOT_FOUND) {
|
|
||||||
warnx("%s: command not found", user_cmnd);
|
|
||||||
+#if defined(WITH_AUDIT)
|
|
||||||
+ audit_logger(AUDIT_USER_CMD, user_cmnd, 0);
|
|
||||||
+#endif
|
|
||||||
exit(1);
|
|
||||||
}
|
|
||||||
|
|
||||||
/* If user specified env vars make sure sudoers allows it. */
|
|
||||||
if (ISSET(sudo_mode, MODE_RUN) && !ISSET(validated, FLAG_SETENV)) {
|
|
||||||
- if (ISSET(sudo_mode, MODE_PRESERVE_ENV))
|
|
||||||
+ if (ISSET(sudo_mode, MODE_PRESERVE_ENV)) {
|
|
||||||
+#if defined(WITH_AUDIT)
|
|
||||||
+ audit_logger(AUDIT_USER_CMD, user_cmnd, 0);
|
|
||||||
+#endif
|
|
||||||
log_error(NO_MAIL,
|
|
||||||
"sorry, you are not allowed to preserve the environment");
|
|
||||||
+ }
|
|
||||||
else
|
|
||||||
validate_env_vars(sudo_user.env_vars);
|
|
||||||
}
|
|
||||||
@@ -442,6 +475,17 @@ main(argc, argv, envp)
|
|
||||||
(void) sigaction(SIGTSTP, &saved_sa_tstp, NULL);
|
(void) sigaction(SIGTSTP, &saved_sa_tstp, NULL);
|
||||||
(void) sigaction(SIGCHLD, &saved_sa_chld, NULL);
|
(void) sigaction(SIGCHLD, &saved_sa_chld, NULL);
|
||||||
|
|
||||||
+ if (access(safe_cmnd, X_OK) != 0) {
|
+ if (access(safe_cmnd, X_OK) != 0) {
|
||||||
+ warn ("unable to execute %s", safe_cmnd);
|
+ warn ("unable to execute %s", safe_cmnd);
|
||||||
+#ifdef WITH_AUDIT
|
+#ifdef WITH_AUDIT
|
||||||
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, 0);
|
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
|
||||||
+#endif
|
+#endif
|
||||||
+ exit(127);
|
+ exit(127);
|
||||||
+ }
|
+ }
|
||||||
+#ifdef WITH_AUDIT
|
+#ifdef WITH_AUDIT
|
||||||
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, 1);
|
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 1);
|
||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
#ifndef PROFILING
|
#ifndef PROFILING
|
||||||
if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0)
|
if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0)
|
||||||
exit(0);
|
exit(0);
|
||||||
@@ -465,6 +509,9 @@ main(argc, argv, envp)
|
@@ -465,10 +484,16 @@ main(argc, argv, envp)
|
||||||
NewArgv[1] = safe_cmnd;
|
NewArgv[1] = safe_cmnd;
|
||||||
execve(_PATH_BSHELL, NewArgv, environ);
|
execve(_PATH_BSHELL, NewArgv, environ);
|
||||||
}
|
}
|
||||||
+#ifdef WITH_AUDIT
|
+#ifdef WITH_AUDIT
|
||||||
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, 0);
|
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
|
||||||
+#endif
|
+#endif
|
||||||
warn("unable to execute %s", safe_cmnd);
|
warn("unable to execute %s", safe_cmnd);
|
||||||
exit(127);
|
exit(127);
|
||||||
} else if (ISSET(validated, FLAG_NO_USER) || (validated & FLAG_NO_HOST)) {
|
} else if (ISSET(validated, FLAG_NO_USER) || (validated & FLAG_NO_HOST)) {
|
||||||
|
log_auth(validated, 1);
|
||||||
|
+#ifdef WITH_AUDIT
|
||||||
|
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
|
||||||
|
+#endif
|
||||||
|
exit(1);
|
||||||
|
} else if (ISSET(validated, VALIDATE_NOT_OK)) {
|
||||||
|
if (def_path_info) {
|
||||||
|
@@ -489,6 +514,9 @@ main(argc, argv, envp)
|
||||||
|
/* Just tell the user they are not allowed to run foo. */
|
||||||
|
log_auth(validated, 1);
|
||||||
|
}
|
||||||
|
+#ifdef WITH_AUDIT
|
||||||
|
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
|
||||||
|
+#endif
|
||||||
|
exit(1);
|
||||||
|
} else {
|
||||||
|
/* should never get here */
|
||||||
diff -up sudo-1.6.9p13/configure.in.audit sudo-1.6.9p13/configure.in
|
diff -up sudo-1.6.9p13/configure.in.audit sudo-1.6.9p13/configure.in
|
||||||
--- sudo-1.6.9p13/configure.in.audit 2008-02-21 14:03:02.000000000 +0100
|
--- sudo-1.6.9p13/configure.in.audit 2008-03-04 11:18:45.000000000 +0100
|
||||||
+++ sudo-1.6.9p13/configure.in 2008-02-21 14:03:02.000000000 +0100
|
+++ sudo-1.6.9p13/configure.in 2008-03-04 11:18:45.000000000 +0100
|
||||||
@@ -166,6 +166,10 @@ dnl
|
@@ -166,6 +166,10 @@ dnl
|
||||||
dnl Options for --with
|
dnl Options for --with
|
||||||
dnl
|
dnl
|
||||||
@ -243,8 +178,8 @@ diff -up sudo-1.6.9p13/configure.in.audit sudo-1.6.9p13/configure.in
|
|||||||
dnl
|
dnl
|
||||||
diff -up /dev/null sudo-1.6.9p13/audit_help.c
|
diff -up /dev/null sudo-1.6.9p13/audit_help.c
|
||||||
--- /dev/null 2008-02-05 17:16:01.642928004 +0100
|
--- /dev/null 2008-02-05 17:16:01.642928004 +0100
|
||||||
+++ sudo-1.6.9p13/audit_help.c 2008-02-21 14:20:56.000000000 +0100
|
+++ sudo-1.6.9p13/audit_help.c 2008-03-04 11:21:15.000000000 +0100
|
||||||
@@ -0,0 +1,124 @@
|
@@ -0,0 +1,140 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Audit helper functions used throughout sudo
|
+ * Audit helper functions used throughout sudo
|
||||||
+ *
|
+ *
|
||||||
@ -285,6 +220,7 @@ diff -up /dev/null sudo-1.6.9p13/audit_help.c
|
|||||||
+#include <libaudit.h>
|
+#include <libaudit.h>
|
||||||
+#include <errno.h>
|
+#include <errno.h>
|
||||||
+#include <stdio.h>
|
+#include <stdio.h>
|
||||||
|
+#include <string.h>
|
||||||
+#include <unistd.h>
|
+#include <unistd.h>
|
||||||
+#include <sys/types.h>
|
+#include <sys/types.h>
|
||||||
+
|
+
|
||||||
@ -314,22 +250,36 @@ diff -up /dev/null sudo-1.6.9p13/audit_help.c
|
|||||||
+ *
|
+ *
|
||||||
+ * type - type of message: AUDIT_USER_CMD
|
+ * type - type of message: AUDIT_USER_CMD
|
||||||
+ * command - the command being logged
|
+ * command - the command being logged
|
||||||
|
+ * params - parames of the command
|
||||||
+ * result - 1 is "success" and 0 is "failed"
|
+ * result - 1 is "success" and 0 is "failed"
|
||||||
+ *
|
+ *
|
||||||
+ */
|
+ */
|
||||||
+void audit_logger (int type, const char *command, int result)
|
+void audit_logger (int type, const char *command, const char *params, int result)
|
||||||
+{
|
+{
|
||||||
+ int err;
|
+ int err;
|
||||||
|
+ char *msg;
|
||||||
+
|
+
|
||||||
+ if (audit_fd < 0)
|
+ if( audit_fd < 0 )
|
||||||
+ return;
|
+ return;
|
||||||
+ else {
|
+ else {
|
||||||
+ err = audit_log_user_command (audit_fd, type, command, NULL, result);
|
+
|
||||||
+ /* The kernel supports auditing and we had
|
+ if( params )
|
||||||
|
+ err = asprintf(&msg, "%s %s", command, params);
|
||||||
|
+ else
|
||||||
|
+ err = asprintf(&msg, "%s", command);
|
||||||
|
+ if (err < 0) {
|
||||||
|
+ fprintf (stderr, "Memory allocation for audit message wasn’t possible.\n");
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ err = audit_log_user_command (audit_fd, type, msg, NULL, result);
|
||||||
|
+ /* The kernel supports auditing and we had
|
||||||
+ enough privilege to write to the socket. */
|
+ enough privilege to write to the socket. */
|
||||||
+ if( err <= 0 && !(errno == EPERM && getuid() != 0) ) {
|
+ if( err <= 0 && !(errno == EPERM && getuid() != 0) ) {
|
||||||
+ perror("audit_log_user_command()");
|
+ perror("audit_log_user_command()");
|
||||||
+ }
|
+ }
|
||||||
|
+
|
||||||
|
+ free(msg);
|
||||||
+ }
|
+ }
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
@ -353,6 +303,7 @@ diff -up /dev/null sudo-1.6.9p13/audit_help.c
|
|||||||
+
|
+
|
||||||
+ rc = audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
|
+ rc = audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
|
||||||
+ msg, NULL, NULL, ttyn, success);
|
+ msg, NULL, NULL, ttyn, success);
|
||||||
|
+
|
||||||
+ if (rc <= 0) {
|
+ if (rc <= 0) {
|
||||||
+ fprintf(stderr, "Error sending audit message.\n");
|
+ fprintf(stderr, "Error sending audit message.\n");
|
||||||
+ rc = -1;
|
+ rc = -1;
|
||||||
@ -371,7 +322,7 @@ diff -up /dev/null sudo-1.6.9p13/audit_help.c
|
|||||||
+
|
+
|
||||||
diff -up sudo-1.6.9p13/Makefile.in.audit sudo-1.6.9p13/Makefile.in
|
diff -up sudo-1.6.9p13/Makefile.in.audit sudo-1.6.9p13/Makefile.in
|
||||||
--- sudo-1.6.9p13/Makefile.in.audit 2008-02-19 19:13:10.000000000 +0100
|
--- sudo-1.6.9p13/Makefile.in.audit 2008-02-19 19:13:10.000000000 +0100
|
||||||
+++ sudo-1.6.9p13/Makefile.in 2008-02-21 14:03:02.000000000 +0100
|
+++ sudo-1.6.9p13/Makefile.in 2008-03-04 11:18:45.000000000 +0100
|
||||||
@@ -120,11 +120,13 @@ HDRS = compat.h def_data.h defaults.h in
|
@@ -120,11 +120,13 @@ HDRS = compat.h def_data.h defaults.h in
|
||||||
|
|
||||||
AUTH_OBJS = sudo_auth.o @AUTH_OBJS@
|
AUTH_OBJS = sudo_auth.o @AUTH_OBJS@
|
||||||
@ -398,8 +349,8 @@ diff -up sudo-1.6.9p13/Makefile.in.audit sudo-1.6.9p13/Makefile.in
|
|||||||
@rm -f $(srcdir)/$@
|
@rm -f $(srcdir)/$@
|
||||||
( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" | perl -p sudo.man.pl >> $@ )
|
( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" | perl -p sudo.man.pl >> $@ )
|
||||||
diff -up sudo-1.6.9p13/sudo.h.audit sudo-1.6.9p13/sudo.h
|
diff -up sudo-1.6.9p13/sudo.h.audit sudo-1.6.9p13/sudo.h
|
||||||
--- sudo-1.6.9p13/sudo.h.audit 2008-02-21 14:03:02.000000000 +0100
|
--- sudo-1.6.9p13/sudo.h.audit 2008-03-04 11:18:45.000000000 +0100
|
||||||
+++ sudo-1.6.9p13/sudo.h 2008-02-21 14:03:02.000000000 +0100
|
+++ sudo-1.6.9p13/sudo.h 2008-03-04 11:18:45.000000000 +0100
|
||||||
@@ -23,6 +23,8 @@
|
@@ -23,6 +23,8 @@
|
||||||
#ifndef _SUDO_SUDO_H
|
#ifndef _SUDO_SUDO_H
|
||||||
#define _SUDO_SUDO_H
|
#define _SUDO_SUDO_H
|
||||||
@ -416,7 +367,7 @@ diff -up sudo-1.6.9p13/sudo.h.audit sudo-1.6.9p13/sudo.h
|
|||||||
+#ifdef WITH_AUDIT
|
+#ifdef WITH_AUDIT
|
||||||
+extern int audit_fd;
|
+extern int audit_fd;
|
||||||
+extern void audit_help_open (void);
|
+extern void audit_help_open (void);
|
||||||
+extern void audit_logger (int, const char *, int);
|
+extern void audit_logger (int, const char *, const char *, int);
|
||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
#endif /* _SUDO_SUDO_H */
|
#endif /* _SUDO_SUDO_H */
|
||||||
|
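Review bot: The reworked sudo.c part of the patch drops the AUDIT_USER_CMD records that the previous revision emitted on the parse-error, requiretty, preserve-environment, root-not-permitted and command-not-found refusals (the old `@@ -305`, `@@ -317`, `@@ -339` and `@@ -373` hunks are removed and nothing replaces them), so after this change only the FLAG_NO_USER/FLAG_NO_HOST and VALIDATE_NOT_OK branches and the two exec failures produce a record; if every refusal is meant to be auditable, those branches need `audit_logger(AUDIT_USER_CMD, user_cmnd, user_args, 0);` restored under `#ifdef WITH_AUDIT` with the new four-argument signature (main() starts and ends outside every hunk shown). In audit_help.c the new body of audit_logger calls `asprintf` and `free(msg)`, but the include hunk only adds `<string.h>`; unless `<stdlib.h>` and `_GNU_SOURCE` arrive through a header outside the visible hunk, `free` has no prototype and glibc's `<stdio.h>` does not declare `asprintf`, so `#include <stdlib.h>` belongs next to the new `<string.h>` line. The message `"Memory allocation for audit message wasn’t possible.\n"` carries a non-ASCII U+2019 apostrophe inside a C string literal; the plain ASCII `'` keeps the source independent of the compiler's input charset. Finally, `access(safe_cmnd, X_OK)` is evaluated against the real uid while the execve() that follows uses the effective credentials, so the early `exit(127)` can disagree with what execve would do; that line predates this revision, but a one-line comment stating that the pre-check exists only to emit the audit record before exec would make the intent clear.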
@ -1,7 +1,7 @@
|
|||||||
Summary: Allows restricted root access for specified users
|
Summary: Allows restricted root access for specified users
|
||||||
Name: sudo
|
Name: sudo
|
||||||
Version: 1.6.9p13
|
Version: 1.6.9p13
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
License: BSD
|
License: BSD
|
||||||
Group: Applications/System
|
Group: Applications/System
|
||||||
URL: http://www.courtesan.com/sudo/
|
URL: http://www.courtesan.com/sudo/
|
||||||
@ -129,6 +129,9 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
/bin/chmod 0440 /etc/sudoers || :
|
/bin/chmod 0440 /etc/sudoers || :
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Mar 04 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-2
|
||||||
|
- audit support improvement
|
||||||
|
|
||||||
* Thu Feb 21 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-1
|
* Thu Feb 21 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-1
|
||||||
- upgrade to the latest upstream release
|
- upgrade to the latest upstream release
|
||||||
|
|
||||||
|