for integrating linux audit support.
PROGS = @PROGS@
-SRCS = aix.c alias.c alloc.c bsm_audit.c check.c closefrom.c def_data.c \
- defaults.c env.c error.c fileops.c find_path.c fnmatch.c getcwd.c \
- getprogname.c getspwuid.c gettime.c glob.c goodpath.c gram.c gram.y \
- interfaces.c isblank.c lbuf.c ldap.c list.c logging.c match.c mkstemp.c \
- memrchr.c parse.c pwutil.c set_perms.c sigaction.c snprintf.c \
- strcasecmp.c strerror.c strlcat.c strlcpy.c sudo.c sudo_noexec.c \
- sudo_edit.c sudo_nss.c term.c testsudoers.c tgetpass.c toke.c toke.l \
- tsgetgrpw.c utimes.c visudo.c zero_bytes.c redblack.c selinux.c sesh.c \
- $(AUTH_SRCS)
+SRCS = aix.c alias.c alloc.c audit.c bsm_audit.c check.c closefrom.c \
+ def_data.c defaults.c env.c error.c fileops.c find_path.c fnmatch.c \
+ getcwd.c getprogname.c getspwuid.c gettime.c glob.c goodpath.c gram.c \
+ gram.y interfaces.c isblank.c lbuf.c ldap.c list.c logging.c match.c \
+ mkstemp.c memrchr.c parse.c pwutil.c set_perms.c sigaction.c \
+ snprintf.c strcasecmp.c strerror.c strlcat.c strlcpy.c sudo.c \
+ sudo_noexec.c sudo_edit.c sudo_nss.c term.c testsudoers.c tgetpass.c \
+ toke.c toke.l tsgetgrpw.c utimes.c visudo.c zero_bytes.c redblack.c \
+ selinux.c sesh.c $(AUTH_SRCS)
AUTH_SRCS = auth/afs.c auth/aix_auth.c auth/bsdauth.c auth/dce.c auth/fwtk.c \
auth/kerb4.c auth/kerb5.c auth/pam.c auth/passwd.c auth/rfc1938.c \
COMMON_OBJS = gram.o alias.o alloc.o defaults.o error.o list.o match.o \
toke.o redblack.o zero_bytes.o
-SUDO_OBJS = $(COMMON_OBJS) $(AUTH_OBJS) @SUDO_OBJS@ check.o env.o \
+SUDO_OBJS = $(COMMON_OBJS) $(AUTH_OBJS) @SUDO_OBJS@ audit.o check.o env.o \
getspwuid.o gettime.o goodpath.o fileops.o find_path.o \
interfaces.o lbuf.o logging.o parse.o pwutil.o set_perms.o \
sudo.o sudo_edit.o sudo_nss.o term.o tgetpass.o
$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/alias.c
alloc.o: $(srcdir)/alloc.c $(SUDODEP)
$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/alloc.c
+audit.o: $(srcdir)/audit.c $(SUDODEP)
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/audit.c
bsm_audit.o: $(srcdir)/bsm_audit.c $(SUDODEP) bsm_audit.h
$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/bsm_audit.c
check.o: $(srcdir)/check.c $(SUDODEP)
--- /dev/null
+/*
+ * Copyright (c) 2009 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <config.h>
+
+#include <sys/types.h>
+#include <stdio.h>
+#ifdef STDC_HEADERS
+# include <stdlib.h>
+# include <stddef.h>
+#else
+# ifdef HAVE_STDLIB_H
+# include <stdlib.h>
+# endif
+#endif /* STDC_HEADERS */
+#ifdef __STDC__
+# include <stdarg.h>
+#else
+# include <varargs.h>
+#endif
+
+#include "logging.h"
+
+#ifdef HAVE_BSM_AUDIT
+# include "bsm_audit.h"
+#endif
+
+void
+#ifdef __STDC__
+audit_success(char **exec_args)
+#else
+audit_success(exec_args)
+ const char **exec_args;
+#endif
+{
+#ifdef HAVE_BSM_AUDIT
+ bsm_audit_success(exec_args);
+#endif
+}
+
+void
+#ifdef __STDC__
+audit_failure(char **exec_args, char const *const fmt, ...)
+#else
+audit_failure(exec_args, fmt, va_alist)
+ const char **exec_args;
+ char const *const fmt;
+ va_dcl;
+#endif
+{
+ va_list ap;
+
+#ifdef __STDC__
+ va_start(ap, fmt);
+#else
+ va_start(ap);
+#endif
+#ifdef HAVE_BSM_AUDIT
+ bsm_audit_failure(exec_args, fmt, ap);
+#endif
+ va_end(ap);
+}
#include <errno.h>
#include <unistd.h>
-#include "logging.h"
+void log_error(int flags, const char *fmt, ...) __attribute__((__noreturn__));
static int
audit_sudo_selected(int sf)
}
void
-audit_success(const char **exec_args)
+bsm_audit_success(char **exec_args)
{
auditinfo_addr_t ainfo_addr;
auditinfo_t ainfo;
}
void
-audit_failure(const char **exec_args, char const *const fmt, ...)
+bsm_audit_failure(char **exec_args, char const *const fmt, va_list ap)
{
auditinfo_addr_t ainfo_addr;
auditinfo_t ainfo;
token_t *tok;
long au_cond;
au_id_t auid;
- va_list ap;
pid_t pid;
int aufd;
if (tok == NULL)
log_error(0, "au_to_exec_args: failed");
au_write(aufd, tok);
- va_start(ap, fmt);
(void) vsnprintf(text, sizeof(text), fmt, ap);
- va_end(ap);
tok = au_to_text(text);
if (tok == NULL)
log_error(0, "au_to_text: failed");
#ifndef _SUDO_BSM_AUDIT_H
#define _SUDO_BSM_AUDIT_H
-void audit_success(const char **);
-void audit_failure(const char **, char const * const, ...);
+void bsm_audit_success(char **);
+void bsm_audit_failure(char **, char const * const, va_list);
#endif /* _SUDO_BSM_AUDIT_H */
# define MAXSYSLOGLEN 960
#endif
+void audit_success __P((char **));
+void audit_failure __P((char **, char const * const, ...));
void log_allowed __P((int));
void log_denial __P((int, int));
void log_error __P((int flags, const char *fmt, ...))
#include "interfaces.h"
#include "version.h"
-#ifdef HAVE_BSM_AUDIT
-# include "bsm_audit.h"
-#endif
-
#ifndef lint
__unused static const char rcsid[] = "$Sudo$";
#endif /* lint */
/* Bail if a tty is required and we don't have one. */
if (def_requiretty) {
if ((fd = open(_PATH_TTY, O_RDWR|O_NOCTTY)) == -1) {
-#ifdef HAVE_BSM_AUDIT
audit_failure(NewArgv, "no tty");
-#endif
log_error(NO_MAIL, "sorry, you must have a tty to run sudo");
} else
(void) close(fd);
if (ISSET(validated, VALIDATE_OK)) {
/* Finally tell the user if the command did not exist. */
if (cmnd_status == NOT_FOUND_DOT) {
-#ifdef HAVE_BSM_AUDIT
audit_failure(NewArgv, "command in current directory");
-#endif
errorx(1, "ignoring `%s' found in '.'\nUse `sudo ./%s' if this is the `%s' you wish to run.", user_cmnd, user_cmnd, user_cmnd);
} else if (cmnd_status == NOT_FOUND) {
-#ifdef HAVE_BSM_AUDIT
audit_failure(NewArgv, "%s: command not found", user_cmnd);
-#endif
errorx(1, "%s: command not found", user_cmnd);
}
#ifndef PROFILING
if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0) {
-#ifdef HAVE_BSM_AUDIT
- syslog(LOG_AUTH|LOG_ERR, "fork");
+ syslog(LOG_AUTH|LOG_ERR, "fork");
audit_success(NewArgv);
-#endif
exit(0);
} else {
#ifdef HAVE_SELINUX
selinux_exec(user_role, user_type, NewArgv,
ISSET(sudo_mode, MODE_LOGIN_SHELL));
#endif
-#ifdef HAVE_BSM_AUDIT
audit_success(NewArgv);
-#endif
execv(safe_cmnd, NewArgv);
}
#else
} warning("unable to execute %s", safe_cmnd);
exit(127);
} else if (ISSET(validated, FLAG_NO_USER | FLAG_NO_HOST)) {
-#ifdef HAVE_BSM_AUDIT
audit_failure(NewArgv, "No user or host");
-#endif
log_denial(validated, 1);
exit(1);
} else {
/* Just tell the user they are not allowed to run foo. */
log_denial(validated, 1);
}
-#ifdef HAVE_BSM_AUDIT
audit_failure(NewArgv, "validation failure");
-#endif
exit(1);
}
exit(0); /* not reached */
runas_pw = sudo_fakepwnam(user, runas_gr ? runas_gr->gr_gid : 0);
} else {
if ((runas_pw = sudo_getpwnam(user)) == NULL) {
-#ifdef HAVE_BSM_AUDIT
audit_failure(NewArgv, "unknown user: %s", user);
-#endif
log_error(NO_MAIL|MSG_ONLY, "unknown user: %s", user);
}
}
projects / sudo / commitdiff