2 * SPDX-License-Identifier: ISC
4 * Copyright (c) 2009-2019 Todd C. Miller <Todd.Miller@sudo.ws>
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 * This is an open source non-commercial project. Dear PVS-Studio, please check it.
21 * PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com
26 #include <sys/types.h>
30 #include <sys/ioctl.h>
33 #if defined(HAVE_STDINT_H)
35 #elif defined(HAVE_INTTYPES_H)
36 # include <inttypes.h>
40 #endif /* HAVE_STRING_H */
43 #endif /* HAVE_STRINGS_H */
54 # include "compat/stdbool.h"
55 #endif /* HAVE_STDBOOL_H */
60 #include <pathnames.h>
62 #include "sudo_gettext.h" /* must be included before sudo_compat.h */
64 #include "sudo_compat.h"
65 #include "sudo_fatal.h"
68 #include "iolog_files.h"
69 #include "sudo_queue.h"
70 #include "sudo_plugin.h"
71 #include "sudo_conf.h"
72 #include "sudo_debug.h"
73 #include "sudo_event.h"
74 #include "sudo_util.h"
76 #ifdef HAVE_GETOPT_LONG
79 # include "compat/getopt.h"
80 #endif /* HAVE_GETOPT_LONG */
82 struct replay_closure {
83 struct sudo_event_base *evbase;
84 struct sudo_event *delay_ev;
85 struct sudo_event *keyboard_ev;
86 struct sudo_event *output_ev;
87 struct sudo_event *sighup_ev;
88 struct sudo_event *sigint_ev;
89 struct sudo_event *sigquit_ev;
90 struct sudo_event *sigterm_ev;
91 struct sudo_event *sigtstp_ev;
92 struct timing_closure timing;
96 unsigned int len; /* buffer length (how much produced) */
97 unsigned int off; /* write position (how much already consumed) */
98 unsigned int toread; /* how much remains to be read */
99 int lastc; /* last char written */
105 * Handle expressions like:
106 * ( user millert or user root ) and tty console and command /bin/sh
108 STAILQ_HEAD(search_node_list, search_node);
110 STAILQ_ENTRY(search_node) entries;
115 #define ST_RUNASUSER 5
116 #define ST_RUNASGROUP 6
117 #define ST_FROMDATE 7
131 struct search_node_list expr;
136 static struct search_node_list search_expr = STAILQ_HEAD_INITIALIZER(search_expr);
138 static double speed_factor = 1.0;
140 static const char *session_dir = _PATH_SUDO_IO_LOGDIR;
142 static bool terminal_can_resize, terminal_was_resized;
144 static int terminal_rows, terminal_cols;
146 static int ttyfd = -1;
148 static const char short_opts[] = "d:f:hlm:nRSs:V";
149 static struct option long_opts[] = {
150 { "directory", required_argument, NULL, 'd' },
151 { "filter", required_argument, NULL, 'f' },
152 { "help", no_argument, NULL, 'h' },
153 { "list", no_argument, NULL, 'l' },
154 { "max-wait", required_argument, NULL, 'm' },
155 { "non-interactive", no_argument, NULL, 'n' },
156 { "no-resize", no_argument, NULL, 'R' },
157 { "suspend-wait", no_argument, NULL, 'S' },
158 { "speed", required_argument, NULL, 's' },
159 { "version", no_argument, NULL, 'V' },
160 { NULL, no_argument, NULL, '\0' },
163 /* XXX move to separate header? (currently in sudoers.h) */
164 extern char *get_timestr(time_t, int);
165 extern time_t get_date(char *);
167 static int list_sessions(int, char **, const char *, const char *, const char *);
168 static int open_io_fd(char *path, int len, struct io_log_file *iol);
169 static int parse_expr(struct search_node_list *, char **, bool);
170 static void read_keyboard(int fd, int what, void *v);
171 static void help(void) __attribute__((__noreturn__));
172 static int replay_session(struct timespec *max_wait, const char *decimal, bool interactive, bool suspend_wait);
173 static void sudoreplay_cleanup(void);
174 static void usage(int);
175 static void write_output(int fd, int what, void *v);
176 static void restore_terminal_size(void);
177 static void setup_terminal(struct log_info *li, bool interactive, bool resize);
179 #define VALID_ID(s) (isalnum((unsigned char)(s)[0]) && \
180 isalnum((unsigned char)(s)[1]) && isalnum((unsigned char)(s)[2]) && \
181 isalnum((unsigned char)(s)[3]) && isalnum((unsigned char)(s)[4]) && \
182 isalnum((unsigned char)(s)[5]) && (s)[6] == '\0')
184 #define IS_IDLOG(s) ( \
185 isalnum((unsigned char)(s)[0]) && isalnum((unsigned char)(s)[1]) && \
187 isalnum((unsigned char)(s)[3]) && isalnum((unsigned char)(s)[4]) && \
189 isalnum((unsigned char)(s)[6]) && isalnum((unsigned char)(s)[7]) && \
190 (s)[8] == '/' && (s)[9] == 'l' && (s)[10] == 'o' && (s)[11] == 'g' && \
193 __dso_public int main(int argc, char *argv[]);
196 main(int argc, char *argv[])
198 int ch, i, plen, exitcode = 0;
199 bool def_filter = true, listonly = false;
200 bool interactive = true, suspend_wait = false, resize = true;
201 const char *decimal, *id, *user = NULL, *pattern = NULL, *tty = NULL;
202 char *cp, *ep, path[PATH_MAX];
204 struct timespec max_delay_storage, *max_delay = NULL;
206 debug_decl(main, SUDO_DEBUG_MAIN)
208 #if defined(SUDO_DEVEL) && defined(__OpenBSD__)
210 extern char *malloc_options;
211 malloc_options = "S";
215 initprogname(argc > 0 ? argv[0] : "sudoreplay");
216 setlocale(LC_ALL, "");
217 decimal = localeconv()->decimal_point;
218 bindtextdomain("sudoers", LOCALEDIR); /* XXX - should have sudoreplay domain */
219 textdomain("sudoers");
221 /* Register fatal/fatalx callback. */
222 sudo_fatal_callback_register(sudoreplay_cleanup);
224 /* Read sudo.conf and initialize the debug subsystem. */
225 if (sudo_conf_read(NULL, SUDO_CONF_DEBUG) == -1)
227 sudo_debug_register(getprogname(), NULL, NULL,
228 sudo_conf_debug_files(getprogname()));
230 while ((ch = getopt_long(argc, argv, short_opts, long_opts, NULL)) != -1) {
233 session_dir = optarg;
236 /* Set the replay filter. */
238 for (cp = strtok_r(optarg, ",", &ep); cp; cp = strtok_r(NULL, ",", &ep)) {
239 if (strcmp(cp, "stdin") == 0)
240 io_log_files[IOFD_STDIN].enabled = true;
241 else if (strcmp(cp, "stdout") == 0)
242 io_log_files[IOFD_STDOUT].enabled = true;
243 else if (strcmp(cp, "stderr") == 0)
244 io_log_files[IOFD_STDERR].enabled = true;
245 else if (strcmp(cp, "ttyin") == 0)
246 io_log_files[IOFD_TTYIN].enabled = true;
247 else if (strcmp(cp, "ttyout") == 0)
248 io_log_files[IOFD_TTYOUT].enabled = true;
250 sudo_fatalx(U_("invalid filter option: %s"), optarg);
261 dval = strtod(optarg, &ep);
262 if (*ep != '\0' || errno != 0)
263 sudo_fatalx(U_("invalid max wait: %s"), optarg);
265 sudo_timespecclear(&max_delay_storage);
267 max_delay_storage.tv_sec = dval;
268 max_delay_storage.tv_nsec =
269 (dval - max_delay_storage.tv_sec) * 1000000000.0;
271 max_delay = &max_delay_storage;
284 speed_factor = strtod(optarg, &ep);
285 if (*ep != '\0' || errno != 0)
286 sudo_fatalx(U_("invalid speed factor: %s"), optarg);
289 (void) printf(_("%s version %s\n"), getprogname(), PACKAGE_VERSION);
301 exitcode = list_sessions(argc, argv, pattern, user, tty);
308 /* By default we replay stdout, stderr and ttyout. */
310 io_log_files[IOFD_STDOUT].enabled = true;
311 io_log_files[IOFD_STDERR].enabled = true;
312 io_log_files[IOFD_TTYOUT].enabled = true;
315 /* 6 digit ID in base 36, e.g. 01G712AB or free-form name */
318 plen = snprintf(path, sizeof(path), "%s/%.2s/%.2s/%.2s/timing",
319 session_dir, id, &id[2], &id[4]);
320 if (plen < 0 || plen >= ssizeof(path))
321 sudo_fatalx(U_("%s/%.2s/%.2s/%.2s/timing: %s"), session_dir,
322 id, &id[2], &id[4], strerror(ENAMETOOLONG));
323 } else if (id[0] == '/') {
324 plen = snprintf(path, sizeof(path), "%s/timing", id);
325 if (plen < 0 || plen >= ssizeof(path))
326 sudo_fatalx(U_("%s/timing: %s"), id, strerror(ENAMETOOLONG));
328 plen = snprintf(path, sizeof(path), "%s/%s/timing", session_dir, id);
329 if (plen < 0 || plen >= ssizeof(path))
330 sudo_fatalx(U_("%s/%s/timing: %s"), session_dir, id,
331 strerror(ENAMETOOLONG));
335 /* Open files for replay, applying replay filter for the -f flag. */
336 for (i = 0; i < IOFD_MAX; i++) {
337 if (open_io_fd(path, plen, &io_log_files[i]) == -1)
338 sudo_fatal(U_("unable to open %s"), path);
341 /* Parse log file. */
343 strlcat(path, "/log", sizeof(path));
344 if ((li = parse_logfile(path)) == NULL)
346 printf(_("Replaying sudo session: %s"), li->cmd);
348 /* Setup terminal if appropriate. */
349 if (!isatty(STDIN_FILENO) || !isatty(STDOUT_FILENO))
351 setup_terminal(li, interactive, resize);
355 /* Done with parsed log file. */
359 /* Replay session corresponding to io_log_files[]. */
360 exitcode = replay_session(max_delay, decimal, interactive, suspend_wait);
362 restore_terminal_size();
363 sudo_term_restore(ttyfd, true);
365 sudo_debug_exit_int(__func__, __FILE__, __LINE__, sudo_debug_subsys, exitcode);
370 * Call gzread() or fread() for the I/O log file in question.
371 * Return 0 for EOF or -1 on error.
374 io_log_read(union io_fd ifd, char *buf, size_t nbytes)
377 debug_decl(io_log_read, SUDO_DEBUG_UTIL)
379 if (nbytes > INT_MAX) {
381 debug_return_ssize_t(-1);
384 nread = gzread(ifd.g, buf, nbytes);
386 nread = (ssize_t)fread(buf, 1, nbytes, ifd.f);
387 if (nread == 0 && ferror(ifd.f))
390 debug_return_ssize_t(nread);
394 io_log_eof(union io_fd ifd)
397 debug_decl(io_log_eof, SUDO_DEBUG_UTIL)
404 debug_return_int(ret);
408 io_log_gets(union io_fd ifd, char *buf, size_t nbytes)
411 debug_decl(io_log_gets, SUDO_DEBUG_UTIL)
414 str = gzgets(ifd.g, buf, nbytes);
416 str = fgets(buf, nbytes, ifd.f);
418 debug_return_str(str);
422 * List of terminals that support xterm-like resizing.
423 * This is not an exhaustive list.
424 * For a list of VT100 style escape codes, see:
425 * http://invisible-island.net/xterm/ctlseqs/ctlseqs.html#VT100%20Mode
430 } compatible_terms[] = {
443 struct getsize_closure {
449 struct sudo_event *ev;
450 struct timespec timeout;
455 #define NEW_NUMBER 0x01
458 #define READCHAR 0x10
461 * Callback for reading the terminal size response.
462 * We use an event for this to support timeouts.
465 getsize_cb(int fd, int what, void *v)
467 struct getsize_closure *gc = v;
468 unsigned char ch = '\0';
469 debug_decl(getsize_cb, SUDO_DEBUG_UTIL)
472 if (gc->cp[0] == '\0') {
476 if (ISSET(gc->state, READCHAR)) {
477 ssize_t nread = read(ttyfd, &ch, 1);
486 CLR(gc->state, READCHAR);
492 if (ch == 0233 && gc->cp[0] == '\033') {
493 /* meta escape, equivalent to ESC[ */
497 if (gc->cp[0] == '%' && gc->cp[1] == 'd') {
498 gc->state = NEW_NUMBER;
501 if (gc->cp[0] != ch) {
502 sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
503 "got %d, expected %d", ch, gc->cp[0]);
506 sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
508 SET(gc->state, READCHAR);
512 sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
517 if (gc->nums_depth > gc->nums_maxdepth)
519 gc->nums[gc->nums_depth] = 0;
524 /* done with number, reparse ch */
525 sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
526 "number %d (ch %d)", gc->nums[gc->nums_depth], ch);
531 sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
533 if (gc->nums[gc->nums_depth] > INT_MAX / 10)
535 gc->nums[gc->nums_depth] *= 10;
536 gc->nums[gc->nums_depth] += (ch - '0');
537 SET(gc->state, READCHAR);
543 if (sudo_ev_add(NULL, gc->ev, &gc->timeout, false) == -1)
544 sudo_fatal(U_("unable to add event to queue"));
551 * Get the terminal size using vt100 terminal escapes.
554 xterm_get_size(int *new_rows, int *new_cols)
556 struct sudo_event_base *evbase;
557 struct getsize_closure gc;
558 const char getsize_request[] = "\0337\033[r\033[999;999H\033[6n";
559 const char getsize_response[] = "\033[%d;%dR";
561 debug_decl(xterm_get_size, SUDO_DEBUG_UTIL)
563 /* request the terminal's size */
564 if (write(ttyfd, getsize_request, strlen(getsize_request)) == -1) {
565 sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO,
566 "%s: error writing xterm size request", __func__);
571 * Callback info for reading back the size with a 10 second timeout.
572 * We expect two numbers (rows and cols).
574 gc.state = INITIAL|READCHAR;
576 gc.nums_maxdepth = 1;
577 gc.cp = getsize_response;
578 gc.timeout.tv_sec = 10;
579 gc.timeout.tv_nsec = 0;
581 /* Setup an event for reading the terminal size */
582 evbase = sudo_ev_base_alloc();
584 sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
585 gc.ev = sudo_ev_alloc(ttyfd, SUDO_EV_READ, getsize_cb, &gc);
587 sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
589 /* Read back terminal size response */
590 if (sudo_ev_add(evbase, gc.ev, &gc.timeout, false) == -1)
591 sudo_fatal(U_("unable to add event to queue"));
592 sudo_ev_dispatch(evbase);
594 if (gc.state == GOTSIZE) {
595 sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
596 "terminal size %d x %x", gc.nums[0], gc.nums[1]);
597 *new_rows = gc.nums[0];
598 *new_cols = gc.nums[1];
602 sudo_ev_base_free(evbase);
606 debug_return_bool(ret);
610 * Set the size of the text area to rows and cols.
611 * Depending on the terminal implementation, the window itself may
612 * or may not shrink to a smaller size.
615 xterm_set_size(int rows, int cols)
617 const char setsize_fmt[] = "\033[8;%d;%dt";
618 int len, new_rows, new_cols;
621 debug_decl(xterm_set_size, SUDO_DEBUG_UTIL)
623 /* XXX - save cursor and position restore after resizing */
624 len = snprintf(buf, sizeof(buf), setsize_fmt, rows, cols);
625 if (len < 0 || len >= ssizeof(buf)) {
626 /* not possible due to size of buf */
627 sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
628 "%s: internal error, buffer too small?", __func__);
631 if (write(ttyfd, buf, strlen(buf)) == -1) {
632 sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO,
633 "%s: error writing xterm resize request", __func__);
636 /* XXX - keyboard input will interfere with this */
637 if (!xterm_get_size(&new_rows, &new_cols))
639 if (rows == new_rows && cols == new_cols)
643 debug_return_bool(ret);
647 setup_terminal(struct log_info *li, bool interactive, bool resize)
650 debug_decl(check_terminal, SUDO_DEBUG_UTIL)
654 /* Open fd for /dev/tty and set to raw mode. */
656 ttyfd = open(_PATH_TTY, O_RDWR);
657 while (!sudo_term_raw(ttyfd, 1)) {
659 sudo_fatal(U_("unable to set tty to raw mode"));
660 kill(getpid(), SIGTTOU);
664 /* Find terminal size if the session has size info. */
665 if (li->rows == 0 && li->cols == 0) {
666 /* no tty size info, hope for the best... */
670 if (resize && ttyfd != -1) {
671 term = getenv("TERM");
672 if (term != NULL && *term != '\0') {
673 struct term_names *tn;
675 for (tn = compatible_terms; tn->name != NULL; tn++) {
676 if (strncmp(term, tn->name, tn->len) == 0) {
677 /* xterm-like terminals can resize themselves. */
678 if (xterm_get_size(&terminal_rows, &terminal_cols))
679 terminal_can_resize = true;
686 if (!terminal_can_resize) {
687 /* either not xterm or not interactive */
688 sudo_get_ttysize(&terminal_rows, &terminal_cols);
691 if (li->rows == terminal_rows && li->cols == terminal_cols) {
692 /* nothing to change */
696 if (terminal_can_resize) {
697 /* session terminal size is different, try to resize ours */
698 if (xterm_set_size(li->rows, li->cols)) {
700 sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
701 "resized terminal to %d x %x", li->rows, li->cols);
702 terminal_was_resized = true;
705 /* resize failed, don't try again */
706 terminal_can_resize = false;
709 if (li->rows > terminal_rows || li->cols > terminal_cols) {
710 fputs(_("Warning: your terminal is too small to properly replay the log.\n"), stdout);
711 printf(_("Log geometry is %d x %d, your terminal's geometry is %d x %d."), li->rows, li->cols, terminal_rows, terminal_cols);
717 resize_terminal(int rows, int cols)
719 debug_decl(resize_terminal, SUDO_DEBUG_UTIL)
721 if (terminal_can_resize) {
722 if (xterm_set_size(rows, cols))
723 terminal_was_resized = true;
725 terminal_can_resize = false;
732 restore_terminal_size(void)
734 debug_decl(restore_terminal, SUDO_DEBUG_UTIL)
736 if (terminal_was_resized) {
737 /* We are still in raw mode, hence the carriage return. */
739 fputs(U_("Replay finished, press any key to restore the terminal."),
743 xterm_set_size(terminal_rows, terminal_cols);
752 * Read the next record from the timing file and schedule a delay
753 * event with the specified timeout.
754 * Return 0 on success, 1 on EOF and -1 on error.
757 read_timing_record(struct replay_closure *closure)
759 struct timespec timeout;
761 debug_decl(read_timing_record, SUDO_DEBUG_UTIL)
763 /* Read next record from timing file. */
764 if (io_log_gets(io_log_files[IOFD_TIMING].fd, buf, sizeof(buf)) == NULL) {
765 /* EOF or error reading timing file, we are done. */
766 debug_return_int(io_log_eof(io_log_files[IOFD_TIMING].fd) ? 1 : -1);
769 /* Parse timing file record. */
770 buf[strcspn(buf, "\n")] = '\0';
771 if (!parse_timing(buf, &timeout, &closure->timing))
772 sudo_fatalx(U_("invalid timing file line: %s"), buf);
774 /* Record number bytes to read. */
775 /* XXX - remove timing->nbytes? */
776 if (closure->timing.event != IO_EVENT_WINSIZE &&
777 closure->timing.event != IO_EVENT_SUSPEND) {
778 closure->iobuf.len = 0;
779 closure->iobuf.off = 0;
780 closure->iobuf.lastc = '\0';
781 closure->iobuf.toread = closure->timing.u.nbytes;
784 /* Adjust delay using speed factor and max_delay. */
785 adjust_delay(&timeout, closure->timing.max_delay, speed_factor);
787 /* Schedule the delay event. */
788 if (sudo_ev_add(closure->evbase, closure->delay_ev, &timeout, false) == -1)
789 sudo_fatal(U_("unable to add event to queue"));
795 * Read next timing record.
796 * Exits the event loop on EOF, breaks out on error.
799 next_timing_record(struct replay_closure *closure)
801 debug_decl(next_timing_record, SUDO_DEBUG_UTIL)
804 switch (read_timing_record(closure)) {
807 if (closure->timing.event == IO_EVENT_SUSPEND &&
808 closure->timing.u.signo == SIGCONT && !closure->suspend_wait) {
809 /* Ignore time spent suspended. */
815 sudo_ev_loopexit(closure->evbase);
819 sudo_ev_loopbreak(closure->evbase);
826 fill_iobuf(struct replay_closure *closure)
828 const size_t space = sizeof(closure->iobuf.buf) - closure->iobuf.len;
829 const struct timing_closure *timing = &closure->timing;
830 debug_decl(fill_iobuf, SUDO_DEBUG_UTIL)
832 if (closure->iobuf.toread != 0 && space != 0) {
834 closure->iobuf.toread < space ? closure->iobuf.toread : space;
835 ssize_t nread = io_log_read(timing->fd,
836 closure->iobuf.buf + closure->iobuf.off, len);
839 sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
840 "%s: premature EOF, expected %u bytes",
841 io_log_files[timing->event].suffix, closure->iobuf.toread);
843 sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO|SUDO_DEBUG_LINENO,
844 "%s: read error", io_log_files[timing->event].suffix);
846 sudo_warnx(U_("unable to read %s"),
847 io_log_files[timing->event].suffix);
848 debug_return_bool(false);
850 closure->iobuf.toread -= nread;
851 closure->iobuf.len += nread;
854 debug_return_bool(true);
858 * Called when the inter-record delay has expired.
859 * Depending on the record type, either reads the next
860 * record or changes window size.
863 delay_cb(int fd, int what, void *v)
865 struct replay_closure *closure = v;
866 struct timing_closure *timing = &closure->timing;
867 debug_decl(delay_cb, SUDO_DEBUG_UTIL)
869 switch (timing->event) {
870 case IO_EVENT_WINSIZE:
871 resize_terminal(timing->u.winsize.rows, timing->u.winsize.cols);
874 if (io_log_files[IOFD_STDIN].enabled)
875 timing->fd = io_log_files[IOFD_STDIN].fd;
877 case IO_EVENT_STDOUT:
878 if (io_log_files[IOFD_STDOUT].enabled)
879 timing->fd = io_log_files[IOFD_STDOUT].fd;
881 case IO_EVENT_STDERR:
882 if (io_log_files[IOFD_STDERR].enabled)
883 timing->fd = io_log_files[IOFD_STDERR].fd;
886 if (io_log_files[IOFD_TTYIN].enabled)
887 timing->fd = io_log_files[IOFD_TTYIN].fd;
889 case IO_EVENT_TTYOUT:
890 if (io_log_files[IOFD_TTYOUT].enabled)
891 timing->fd = io_log_files[IOFD_TTYOUT].fd;
895 if (timing->fd.v != NULL) {
896 /* If the stream is open, enable the write event. */
897 if (sudo_ev_add(closure->evbase, closure->output_ev, NULL, false) == -1)
898 sudo_fatal(U_("unable to add event to queue"));
900 /* Not replaying, get the next timing record and continue. */
901 next_timing_record(closure);
908 replay_closure_free(struct replay_closure *closure)
911 * Free events and event base, then the closure itself.
913 sudo_ev_free(closure->delay_ev);
914 sudo_ev_free(closure->keyboard_ev);
915 sudo_ev_free(closure->output_ev);
916 sudo_ev_free(closure->sighup_ev);
917 sudo_ev_free(closure->sigint_ev);
918 sudo_ev_free(closure->sigquit_ev);
919 sudo_ev_free(closure->sigterm_ev);
920 sudo_ev_free(closure->sigtstp_ev);
921 sudo_ev_base_free(closure->evbase);
926 signal_cb(int signo, int what, void *v)
928 struct replay_closure *closure = v;
929 debug_decl(signal_cb, SUDO_DEBUG_UTIL)
936 /* Free the event base and restore signal handlers. */
937 replay_closure_free(closure);
939 /* Restore the terminal and die. */
940 sudoreplay_cleanup();
941 kill(getpid(), signo);
944 /* Ignore ^Z since we have no way to restore the screen. */
951 static struct replay_closure *
952 replay_closure_alloc(struct timespec *max_delay, const char *decimal,
953 bool interactive, bool suspend_wait)
955 struct replay_closure *closure;
956 debug_decl(replay_closure_alloc, SUDO_DEBUG_UTIL)
958 if ((closure = calloc(1, sizeof(*closure))) == NULL)
959 debug_return_ptr(NULL);
961 closure->interactive = interactive;
962 closure->suspend_wait = suspend_wait;
963 closure->timing.max_delay = max_delay;
964 closure->timing.decimal = decimal;
967 * Setup event base and delay, input and output events.
968 * If interactive, take input from and write to /dev/tty.
969 * If not interactive there is no input event.
971 closure->evbase = sudo_ev_base_alloc();
972 if (closure->evbase == NULL)
974 closure->delay_ev = sudo_ev_alloc(-1, SUDO_EV_TIMEOUT, delay_cb, closure);
975 if (closure->delay_ev == NULL)
978 closure->keyboard_ev = sudo_ev_alloc(ttyfd, SUDO_EV_READ|SUDO_EV_PERSIST,
979 read_keyboard, closure);
980 if (closure->keyboard_ev == NULL)
982 if (sudo_ev_add(closure->evbase, closure->keyboard_ev, NULL, false) == -1)
983 sudo_fatal(U_("unable to add event to queue"));
985 closure->output_ev = sudo_ev_alloc(interactive ? ttyfd : STDOUT_FILENO,
986 SUDO_EV_WRITE, write_output, closure);
987 if (closure->output_ev == NULL)
991 * Setup signal events, we need to restore the terminal if killed.
993 closure->sighup_ev = sudo_ev_alloc(SIGHUP, SUDO_EV_SIGNAL, signal_cb,
995 if (closure->sighup_ev == NULL)
997 if (sudo_ev_add(closure->evbase, closure->sighup_ev, NULL, false) == -1)
998 sudo_fatal(U_("unable to add event to queue"));
1000 closure->sigint_ev = sudo_ev_alloc(SIGINT, SUDO_EV_SIGNAL, signal_cb,
1002 if (closure->sigint_ev == NULL)
1004 if (sudo_ev_add(closure->evbase, closure->sigint_ev, NULL, false) == -1)
1005 sudo_fatal(U_("unable to add event to queue"));
1007 closure->sigquit_ev = sudo_ev_alloc(SIGQUIT, SUDO_EV_SIGNAL, signal_cb,
1009 if (closure->sigquit_ev == NULL)
1011 if (sudo_ev_add(closure->evbase, closure->sigquit_ev, NULL, false) == -1)
1012 sudo_fatal(U_("unable to add event to queue"));
1014 closure->sigterm_ev = sudo_ev_alloc(SIGTERM, SUDO_EV_SIGNAL, signal_cb,
1016 if (closure->sigterm_ev == NULL)
1018 if (sudo_ev_add(closure->evbase, closure->sigterm_ev, NULL, false) == -1)
1019 sudo_fatal(U_("unable to add event to queue"));
1021 closure->sigtstp_ev = sudo_ev_alloc(SIGTSTP, SUDO_EV_SIGNAL, signal_cb,
1023 if (closure->sigtstp_ev == NULL)
1025 if (sudo_ev_add(closure->evbase, closure->sigtstp_ev, NULL, false) == -1)
1026 sudo_fatal(U_("unable to add event to queue"));
1028 debug_return_ptr(closure);
1030 replay_closure_free(closure);
1031 debug_return_ptr(NULL);
1035 replay_session(struct timespec *max_delay, const char *decimal,
1036 bool interactive, bool suspend_wait)
1038 struct replay_closure *closure;
1040 debug_decl(replay_session, SUDO_DEBUG_UTIL)
1042 /* Allocate the delay closure and read the first timing record. */
1043 closure = replay_closure_alloc(max_delay, decimal, interactive,
1045 if (read_timing_record(closure) != 0) {
1050 /* Run event loop. */
1051 sudo_ev_dispatch(closure->evbase);
1052 if (sudo_ev_got_break(closure->evbase))
1056 /* Clean up and return. */
1057 replay_closure_free(closure);
1058 debug_return_int(ret);
1062 open_io_fd(char *path, int len, struct io_log_file *iol)
1064 debug_decl(open_io_fd, SUDO_DEBUG_UTIL)
1067 debug_return_int(0);
1070 strlcat(path, iol->suffix, PATH_MAX);
1072 iol->fd.g = gzopen(path, "r");
1074 iol->fd.f = fopen(path, "r");
1076 if (iol->fd.v == NULL) {
1077 iol->enabled = false;
1078 debug_return_int(-1);
1080 debug_return_int(0);
1084 * Write the I/O buffer.
1087 write_output(int fd, int what, void *v)
1089 struct replay_closure *closure = v;
1090 const struct timing_closure *timing = &closure->timing;
1091 struct io_buffer *iobuf = &closure->iobuf;
1092 unsigned iovcnt = 1;
1093 struct iovec iov[2];
1094 bool added_cr = false;
1095 size_t nbytes, nwritten;
1096 debug_decl(write_output, SUDO_DEBUG_UTIL)
1098 /* Refill iobuf if there is more to read and buf is empty. */
1099 if (!fill_iobuf(closure)) {
1100 sudo_ev_loopbreak(closure->evbase);
1104 nbytes = iobuf->len - iobuf->off;
1105 iov[0].iov_base = iobuf->buf + iobuf->off;
1106 iov[0].iov_len = nbytes;
1108 if (closure->interactive &&
1109 (timing->event == IO_EVENT_STDOUT || timing->event == IO_EVENT_STDERR)) {
1113 * We may need to insert a carriage return before the newline.
1114 * Note that the carriage return may have already been written.
1116 nl = memchr(iov[0].iov_base, '\n', iov[0].iov_len);
1118 size_t len = (size_t)(nl - (char *)iov[0].iov_base);
1119 if ((nl == iov[0].iov_base && iobuf->lastc != '\r') ||
1120 (nl != iov[0].iov_base && nl[-1] != '\r')) {
1121 iov[0].iov_len = len;
1122 iov[1].iov_base = "\r\n";
1125 nbytes = iov[0].iov_len + iov[1].iov_len;
1131 nwritten = writev(fd, iov, iovcnt);
1132 switch ((ssize_t)nwritten) {
1134 if (errno != EINTR && errno != EAGAIN)
1135 sudo_fatal(U_("unable to write to %s"), "stdout");
1138 /* Should not happen. */
1141 if (added_cr && nwritten >= nbytes - 1) {
1142 /* The last char written was either '\r' or '\n'. */
1143 iobuf->lastc = nwritten == nbytes ? '\n' : '\r';
1145 /* Stash the last char written. */
1146 iobuf->lastc = *((char *)iov[0].iov_base + nwritten);
1149 /* Subtract one for the carriage return we added above. */
1152 iobuf->off += nwritten;
1156 if (iobuf->off == iobuf->len) {
1157 /* Write complete, go to next timing entry if possible. */
1158 switch (read_timing_record(closure)) {
1164 sudo_ev_loopexit(closure->evbase);
1168 sudo_ev_loopbreak(closure->evbase);
1172 /* Reschedule event to write remainder. */
1173 if (sudo_ev_add(NULL, closure->output_ev, NULL, false) == -1)
1174 sudo_fatal(U_("unable to add event to queue"));
1180 * Build expression list from search args
1183 parse_expr(struct search_node_list *head, char *argv[], bool sub_expr)
1185 bool or = false, not = false;
1186 struct search_node *sn;
1188 debug_decl(parse_expr, SUDO_DEBUG_UTIL)
1190 for (av = argv; *av != NULL; av++) {
1192 case 'a': /* and (ignore) */
1193 if (strncmp(*av, "and", strlen(*av)) != 0)
1197 if (strncmp(*av, "or", strlen(*av)) != 0)
1201 case '!': /* negate */
1202 if (av[0][1] != '\0')
1206 case 'c': /* cwd or command */
1207 if (av[0][1] == '\0')
1208 sudo_fatalx(U_("ambiguous expression \"%s\""), *av);
1209 if (strncmp(*av, "cwd", strlen(*av)) == 0)
1211 else if (strncmp(*av, "command", strlen(*av)) == 0)
1216 case 'f': /* from date */
1217 if (strncmp(*av, "fromdate", strlen(*av)) != 0)
1221 case 'g': /* runas group */
1222 if (strncmp(*av, "group", strlen(*av)) != 0)
1224 type = ST_RUNASGROUP;
1226 case 'r': /* runas user */
1227 if (strncmp(*av, "runas", strlen(*av)) != 0)
1229 type = ST_RUNASUSER;
1231 case 't': /* tty or to date */
1232 if (av[0][1] == '\0')
1233 sudo_fatalx(U_("ambiguous expression \"%s\""), *av);
1234 if (strncmp(*av, "todate", strlen(*av)) == 0)
1236 else if (strncmp(*av, "tty", strlen(*av)) == 0)
1241 case 'u': /* user */
1242 if (strncmp(*av, "user", strlen(*av)) != 0)
1246 case '(': /* start sub-expression */
1247 if (av[0][1] != '\0')
1251 case ')': /* end sub-expression */
1252 if (av[0][1] != '\0')
1255 sudo_fatalx(U_("unmatched ')' in expression"));
1256 debug_return_int(av - argv + 1);
1259 sudo_fatalx(U_("unknown search term \"%s\""), *av);
1263 /* Allocate new search node */
1264 if ((sn = calloc(1, sizeof(*sn))) == NULL)
1265 sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
1269 if (type == ST_EXPR) {
1270 STAILQ_INIT(&sn->u.expr);
1271 av += parse_expr(&sn->u.expr, av + 1, true);
1273 if (*(++av) == NULL)
1274 sudo_fatalx(U_("%s requires an argument"), av[-1]);
1275 if (type == ST_PATTERN) {
1276 if (regcomp(&sn->u.cmdre, *av, REG_EXTENDED|REG_NOSUB) != 0)
1277 sudo_fatalx(U_("invalid regular expression: %s"), *av);
1278 } else if (type == ST_TODATE || type == ST_FROMDATE) {
1279 sn->u.tstamp = get_date(*av);
1280 if (sn->u.tstamp == -1)
1281 sudo_fatalx(U_("could not parse date \"%s\""), *av);
1286 not = or = false; /* reset state */
1287 STAILQ_INSERT_TAIL(head, sn, entries);
1290 sudo_fatalx(U_("unmatched '(' in expression"));
1292 sudo_fatalx(U_("illegal trailing \"or\""));
1294 sudo_fatalx(U_("illegal trailing \"!\""));
1296 debug_return_int(av - argv);
1300 match_expr(struct search_node_list *head, struct log_info *log, bool last_match)
1302 struct search_node *sn;
1303 bool res = false, matched = last_match;
1305 debug_decl(match_expr, SUDO_DEBUG_UTIL)
1307 STAILQ_FOREACH(sn, head, entries) {
1310 res = match_expr(&sn->u.expr, log, matched);
1313 res = strcmp(sn->u.cwd, log->cwd) == 0;
1316 res = strcmp(sn->u.tty, log->tty) == 0;
1319 if (log->runas_group != NULL)
1320 res = strcmp(sn->u.runas_group, log->runas_group) == 0;
1323 res = strcmp(sn->u.runas_user, log->runas_user) == 0;
1326 res = strcmp(sn->u.user, log->user) == 0;
1329 rc = regexec(&sn->u.cmdre, log->cmd, 0, NULL, 0);
1330 if (rc && rc != REG_NOMATCH) {
1332 regerror(rc, &sn->u.cmdre, buf, sizeof(buf));
1333 sudo_fatalx("%s", buf);
1335 res = rc == REG_NOMATCH ? 0 : 1;
1338 res = log->tstamp >= sn->u.tstamp;
1341 res = log->tstamp <= sn->u.tstamp;
1344 sudo_fatalx(U_("unknown search type %d"), sn->type);
1349 matched = sn->or ? (res || last_match) : (res && last_match);
1350 last_match = matched;
1352 debug_return_bool(matched);
1356 list_session(char *logfile, regex_t *re, const char *user, const char *tty)
1358 char idbuf[7], *idstr, *cp;
1359 const char *timestr;
1360 struct log_info *li;
1362 debug_decl(list_session, SUDO_DEBUG_UTIL)
1364 if ((li = parse_logfile(logfile)) == NULL)
1367 /* Match on search expression if there is one. */
1368 if (!STAILQ_EMPTY(&search_expr) && !match_expr(&search_expr, li, true))
1371 /* Convert from /var/log/sudo-sessions/00/00/01/log to 000001 */
1372 cp = logfile + strlen(session_dir) + 1;
1383 /* Not an id, just use the iolog_file portion. */
1384 cp[strlen(cp) - 4] = '\0';
1387 /* XXX - print rows + cols? */
1388 timestr = get_timestr(li->tstamp, 1);
1389 printf("%s : %s : TTY=%s ; CWD=%s ; USER=%s ; ",
1390 timestr ? timestr : "invalid date",
1391 li->user, li->tty, li->cwd, li->runas_user);
1392 if (li->runas_group)
1393 printf("GROUP=%s ; ", li->runas_group);
1394 printf("TSID=%s ; COMMAND=%s\n", idstr, li->cmd);
1400 debug_return_int(ret);
1404 session_compare(const void *v1, const void *v2)
1406 const char *s1 = *(const char **)v1;
1407 const char *s2 = *(const char **)v2;
1408 return strcmp(s1, s2);
1411 /* XXX - always returns 0, calls sudo_fatal() on failure */
1413 find_sessions(const char *dir, regex_t *re, const char *user, const char *tty)
1418 size_t sdlen, sessions_len = 0, sessions_size = 0;
1421 char pathbuf[PATH_MAX], **sessions = NULL;
1422 #ifdef HAVE_STRUCT_DIRENT_D_TYPE
1423 bool checked_type = true;
1425 const bool checked_type = false;
1427 debug_decl(find_sessions, SUDO_DEBUG_UTIL)
1431 sudo_fatal(U_("unable to open %s"), dir);
1433 /* XXX - would be faster to use openat() and relative names */
1434 sdlen = strlcpy(pathbuf, dir, sizeof(pathbuf));
1435 if (sdlen + 1 >= sizeof(pathbuf)) {
1436 errno = ENAMETOOLONG;
1437 sudo_fatal("%s/", dir);
1439 pathbuf[sdlen++] = '/';
1440 pathbuf[sdlen] = '\0';
1442 /* Store potential session dirs for sorting. */
1443 while ((dp = readdir(d)) != NULL) {
1444 /* Skip "." and ".." */
1445 if (dp->d_name[0] == '.' && (dp->d_name[1] == '\0' ||
1446 (dp->d_name[1] == '.' && dp->d_name[2] == '\0')))
1448 #ifdef HAVE_STRUCT_DIRENT_D_TYPE
1450 if (dp->d_type != DT_DIR) {
1451 /* Not all file systems support d_type. */
1452 if (dp->d_type != DT_UNKNOWN)
1454 checked_type = false;
1459 /* Add name to session list. */
1460 if (sessions_len + 1 > sessions_size) {
1461 if (sessions_size == 0)
1462 sessions_size = 36 * 36 / 2;
1463 sessions = reallocarray(sessions, sessions_size, 2 * sizeof(char *));
1464 if (sessions == NULL)
1465 sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
1468 if ((sessions[sessions_len] = strdup(dp->d_name)) == NULL)
1469 sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
1474 /* Sort and list the sessions. */
1475 if (sessions != NULL) {
1476 qsort(sessions, sessions_len, sizeof(char *), session_compare);
1477 for (i = 0; i < sessions_len; i++) {
1478 len = snprintf(&pathbuf[sdlen], sizeof(pathbuf) - sdlen,
1479 "%s/log", sessions[i]);
1480 if (len < 0 || (size_t)len >= sizeof(pathbuf) - sdlen) {
1481 errno = ENAMETOOLONG;
1482 sudo_fatal("%s/%s/log", dir, sessions[i]);
1486 /* Check for dir with a log file. */
1487 if (lstat(pathbuf, &sb) == 0 && S_ISREG(sb.st_mode)) {
1488 list_session(pathbuf, re, user, tty);
1490 /* Strip off "/log" and recurse if a dir. */
1491 pathbuf[sdlen + len - 4] = '\0';
1493 (lstat(pathbuf, &sb) == 0 && S_ISDIR(sb.st_mode)))
1494 find_sessions(pathbuf, re, user, tty);
1500 debug_return_int(0);
1503 /* XXX - always returns 0, calls sudo_fatal() on failure */
1505 list_sessions(int argc, char **argv, const char *pattern, const char *user,
1508 regex_t rebuf, *re = NULL;
1509 debug_decl(list_sessions, SUDO_DEBUG_UTIL)
1511 /* Parse search expression if present */
1512 parse_expr(&search_expr, argv, false);
1514 /* optional regex */
1517 if (regcomp(re, pattern, REG_EXTENDED|REG_NOSUB) != 0)
1518 sudo_fatalx(U_("invalid regular expression: %s"), pattern);
1521 debug_return_int(find_sessions(session_dir, re, user, tty));
1525 * Check keyboard for ' ', '<', '>', return
1526 * pause, slow, fast, next
1529 read_keyboard(int fd, int what, void *v)
1531 struct replay_closure *closure = v;
1532 static bool paused = false;
1536 debug_decl(read_keyboard, SUDO_DEBUG_UTIL)
1538 nread = read(fd, &ch, 1);
1541 if (errno != EINTR && errno != EAGAIN)
1542 sudo_fatal(U_("unable to read %s"), "stdin");
1549 /* Any key will unpause, run the delay callback directly. */
1551 delay_cb(-1, SUDO_EV_TIMEOUT, closure);
1557 /* Disable the delay event until we unpause. */
1558 sudo_ev_del(closure->evbase, closure->delay_ev);
1562 sudo_ev_get_timeleft(closure->delay_ev, &ts);
1563 if (sudo_timespecisset(&ts)) {
1564 /* Double remaining timeout. */
1567 if (ts.tv_nsec >= 1000000000) {
1569 ts.tv_nsec -= 1000000000;
1571 if (sudo_ev_add(NULL, closure->delay_ev, &ts, false) == -1) {
1572 sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
1573 "failed to double remaining delay timeout");
1579 sudo_ev_get_timeleft(closure->delay_ev, &ts);
1580 if (sudo_timespecisset(&ts)) {
1581 /* Halve remaining timeout. */
1583 ts.tv_nsec += 500000000;
1586 if (sudo_ev_add(NULL, closure->delay_ev, &ts, false) == -1) {
1587 sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
1588 "failed to halve remaining delay timeout");
1594 /* Cancel existing delay, run callback directly. */
1595 sudo_ev_del(closure->evbase, closure->delay_ev);
1596 delay_cb(-1, SUDO_EV_TIMEOUT, closure);
1599 /* Unknown key, nothing to do. */
1610 fprintf(fatal ? stderr : stdout,
1611 _("usage: %s [-hnRS] [-d dir] [-m num] [-s num] ID\n"),
1613 fprintf(fatal ? stderr : stdout,
1614 _("usage: %s [-h] [-d dir] -l [search expression]\n"),
1623 (void) printf(_("%s - replay sudo session logs\n\n"), getprogname());
1625 (void) puts(_("\nOptions:\n"
1626 " -d, --directory=dir specify directory for session logs\n"
1627 " -f, --filter=filter specify which I/O type(s) to display\n"
1628 " -h, --help display help message and exit\n"
1629 " -l, --list list available session IDs, with optional expression\n"
1630 " -m, --max-wait=num max number of seconds to wait between events\n"
1631 " -n, --non-interactive no prompts, session is sent to the standard output\n"
1632 " -R, --no-resize do not attempt to re-size the terminal\n"
1633 " -S, --suspend-wait wait while the command was suspended\n"
1634 " -s, --speed=num speed up or slow down output\n"
1635 " -V, --version display version information and exit"));
1640 * Cleanup hook for sudo_fatal()/sudo_fatalx()
1643 sudoreplay_cleanup(void)
1645 restore_terminal_size();
1646 sudo_term_restore(ttyfd, false);