This flag is _\bo_\bf_\bf by default.
+ ignore_audit_errors
+ Allow commands to be run even if s\bsu\bud\bdo\boe\ber\brs\bs cannot write
+ to the audit log. If enabled, an audit log write
+ failure is not treated as a fatal error. If disabled,
+ a command may only be run after the audit event is
+ successfully written. This flag is only effective on
+ systems for which s\bsu\bud\bdo\boe\ber\brs\bs supports audit logging,
+ including FreeBSD, Linux, Mac OS X and Solaris. This
+ flag is _\bo_\bn by default.
+
ignore_dot If set, s\bsu\bud\bdo\bo will ignore "." or "" (both denoting
current directory) in the PATH environment variable;
the PATH itself is not modified. This flag is _\bo_\bf_\bf by
default.
+ ignore_iolog_errors
+ Allow commands to be run even if s\bsu\bud\bdo\boe\ber\brs\bs cannot write
+ to the I/O log. If enabled, an I/O log write failure
+ is not treated as a fatal error. If disabled, the
+ command will be terminated if the I/O log cannot be
+ written to. This flag is _\bo_\bf_\bf by default.
+
+ ignore_logfile_errors
+ Allow commands to be run even if s\bsu\bud\bdo\boe\ber\brs\bs cannot write
+ to the log file. If enabled, a log file write failure
+ is not treated as a fatal error. If disabled, a
+ command may only be run after the log file entry is
+ successfully written. This flag only has an effect
+ when s\bsu\bud\bdo\boe\ber\brs\bs is configured to use file-based logging
+ via the _\bl_\bo_\bg_\bf_\bi_\bl_\be option. This flag is _\bo_\bn by default.
+
ignore_local_sudoers
If set via LDAP, parsing of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be
skipped. This is intended for Enterprises that wish to
file distributed with s\bsu\bud\bdo\bo or https://www.sudo.ws/license.html for
complete details.
-Sudo 1.8.18 August 10, 2016 Sudo 1.8.18
+Sudo 1.8.18 August 17, 2016 Sudo 1.8.18
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.TH "SUDOERS" "5" "August 10, 2016" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "5" "August 17, 2016" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
by default.
.RE
.TP 18n
+ignore_audit_errors
+Allow commands to be run even if
+\fBsudoers\fR
+cannot write to the audit log.
+If enabled, an audit log write failure is not treated as a fatal error.
+If disabled, a command may only be run after the audit event is successfully
+written.
+This flag is only effective on systems for which
+\fBsudoers\fR
+supports audit logging, including FreeBSD, Linux, Mac OS X and Solaris.
+This flag is
+\fIon\fR
+by default.
+.TP 18n
ignore_dot
If set,
\fBsudo\fR
\fI@ignore_dot@\fR
by default.
.TP 18n
+ignore_iolog_errors
+Allow commands to be run even if
+\fBsudoers\fR
+cannot write to the I/O log.
+If enabled, an I/O log write failure is not treated as a fatal error.
+If disabled, the command will be terminated if the I/O log cannot be written to.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+ignore_logfile_errors
+Allow commands to be run even if
+\fBsudoers\fR
+cannot write to the log file.
+If enabled, a log file write failure is not treated as a fatal error.
+If disabled, a command may only be run after the log file entry is successfully
+written.
+This flag only has an effect when
+\fBsudoers\fR
+is configured to use file-based logging via the
+\fIlogfile\fR
+option.
+This flag is
+\fIon\fR
+by default.
+.TP 18n
ignore_local_sudoers
If set via LDAP, parsing of
\fI@sysconfdir@/sudoers\fR
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.Dd August 10, 2016
+.Dd August 17, 2016
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
This flag is
.Em @fqdn@
by default.
+.It ignore_audit_errors
+Allow commands to be run even if
+.Nm
+cannot write to the audit log.
+If enabled, an audit log write failure is not treated as a fatal error.
+If disabled, a command may only be run after the audit event is successfully
+written.
+This flag is only effective on systems for which
+.Nm
+supports audit logging, including FreeBSD, Linux, Mac OS X and Solaris.
+This flag is
+.Em on
+by default.
.It ignore_dot
If set,
.Nm sudo
This flag is
.Em @ignore_dot@
by default.
+.It ignore_iolog_errors
+Allow commands to be run even if
+.Nm
+cannot write to the I/O log.
+If enabled, an I/O log write failure is not treated as a fatal error.
+If disabled, the command will be terminated if the I/O log cannot be written to.
+This flag is
+.Em off
+by default.
+.It ignore_logfile_errors
+Allow commands to be run even if
+.Nm
+cannot write to the log file.
+If enabled, a log file write failure is not treated as a fatal error.
+If disabled, a command may only be run after the log file entry is successfully
+written.
+This flag only has an effect when
+.Nm
+is configured to use file-based logging via the
+.Em logfile
+option.
+This flag is
+.Em on
+by default.
.It ignore_local_sudoers
If set via LDAP, parsing of
.Pa @sysconfdir@/sudoers
"netgroup_tuple", T_FLAG,
N_("Match netgroups based on the entire tuple: user, host and domain"),
NULL,
+ }, {
+ "ignore_audit_errors", T_FLAG,
+ N_("Allow commands to be run even if sudo cannot write to the audit log"),
+ NULL,
+ }, {
+ "ignore_iolog_errors", T_FLAG,
+ N_("Allow commands to be run even if sudo cannot write to the I/O log"),
+ NULL,
+ }, {
+ "ignore_logfile_errors", T_FLAG,
+ N_("Allow commands to be run even if sudo cannot write to the log file"),
+ NULL,
}, {
NULL, 0, NULL
}
#define I_ALWAYS_QUERY_GROUP_PLUGIN93
#define def_netgroup_tuple (sudo_defs_table[94].sd_un.flag)
#define I_NETGROUP_TUPLE 94
+#define def_ignore_audit_errors (sudo_defs_table[95].sd_un.flag)
+#define I_IGNORE_AUDIT_ERRORS 95
+#define def_ignore_iolog_errors (sudo_defs_table[96].sd_un.flag)
+#define I_IGNORE_IOLOG_ERRORS 96
+#define def_ignore_logfile_errors (sudo_defs_table[97].sd_un.flag)
+#define I_IGNORE_LOGFILE_ERRORS 97
enum def_tuple {
never,
netgroup_tuple
T_FLAG
"Match netgroups based on the entire tuple: user, host and domain"
+ignore_audit_errors
+ T_FLAG
+ "Allow commands to be run even if sudo cannot write to the audit log"
+ignore_iolog_errors
+ T_FLAG
+ "Allow commands to be run even if sudo cannot write to the I/O log"
+ignore_logfile_errors
+ T_FLAG
+ "Allow commands to be run even if sudo cannot write to the log file"
#ifdef HAVE_ZLIB_H
def_compress_io = true;
#endif
+ def_ignore_audit_errors = true;
+ def_ignore_iolog_errors = false;
+ def_ignore_logfile_errors = true;
/* Now do the strings */
if ((def_mailto = strdup(MAILTO)) == NULL)
static void
sudoers_io_close(int exit_status, int error)
{
+ const char *errstr = NULL;
int i;
debug_decl(sudoers_io_close, SUDOERS_DEBUG_PLUGIN)
if (io_log_files[i].fd.v == NULL)
continue;
#ifdef HAVE_ZLIB_H
- if (iolog_compress)
- gzclose(io_log_files[i].fd.g);
- else
+ if (iolog_compress) {
+ int errnum;
+
+ if (gzclose(io_log_files[i].fd.g) != Z_OK)
+ errstr = gzerror(io_log_files[i].fd.g, &errnum);
+ } else
#endif
- fclose(io_log_files[i].fd.f);
+ if (fclose(io_log_files[i].fd.f) != 0)
+ errstr = strerror(errno);
}
+ if (errstr != NULL)
+ sudo_warnx(U_("unable to write to I/O log file: %s"), errstr);
+
sudoers_debug_deregister();
return;
sudoers_io_log(const char *buf, unsigned int len, int idx)
{
struct timeval now, delay;
+ static bool warned = false;
+ const char *errstr = NULL;
int rval = true;
debug_decl(sudoers_io_version, SUDOERS_DEBUG_PLUGIN)
#ifdef HAVE_ZLIB_H
if (iolog_compress) {
- if (gzwrite(io_log_files[idx].fd.g, (const voidp)buf, len) != (int)len)
+ if (gzwrite(io_log_files[idx].fd.g, (const voidp)buf, len) != (int)len) {
+ int errnum;
+
+ errstr = gzerror(io_log_files[idx].fd.g, &errnum);
rval = -1;
+ }
} else
#endif
{
- if (fwrite(buf, 1, len, io_log_files[idx].fd.f) != len)
+ if (fwrite(buf, 1, len, io_log_files[idx].fd.f) != len) {
+ errstr = strerror(errno);
rval = -1;
+ }
}
sudo_timevalsub(&now, &last_time, &delay);
#ifdef HAVE_ZLIB_H
if (iolog_compress) {
if (gzprintf(io_log_files[IOFD_TIMING].fd.g, "%d %f %u\n", idx,
- delay.tv_sec + ((double)delay.tv_usec / 1000000), len) == 0)
+ delay.tv_sec + ((double)delay.tv_usec / 1000000), len) == 0) {
+ int errnum;
+
+ errstr = gzerror(io_log_files[IOFD_TIMING].fd.g, &errnum);
rval = -1;
+ }
} else
#endif
{
if (fprintf(io_log_files[IOFD_TIMING].fd.f, "%d %f %u\n", idx,
- delay.tv_sec + ((double)delay.tv_usec / 1000000), len) < 0)
+ delay.tv_sec + ((double)delay.tv_usec / 1000000), len) < 0) {
+ errstr = strerror(errno);
rval = -1;
+ }
}
last_time.tv_sec = now.tv_sec;
last_time.tv_usec = now.tv_usec;
+ if (errstr != NULL && !warned) {
+ /* Only warn about I/O log file errors once. */
+ sudo_warnx(U_("unable to write to I/O log file: %s"), errstr);
+ warned = true;
+ }
+
debug_return_int(rval);
}
if (asprintf(&command_info[info_len++], "closefrom=%d", def_closefrom) == -1)
goto oom;
}
+ if (def_ignore_iolog_errors) {
+ if ((command_info[info_len++] = strdup("ignore_iolog_errors=true")) == NULL)
+ goto oom;
+ }
if (def_noexec) {
if ((command_info[info_len++] = strdup("noexec=true")) == NULL)
goto oom;
}
}
- if (!log_allowed(validated))
+ if (!log_allowed(validated) && !def_ignore_logfile_errors)
goto bad;
switch (sudo_mode & MODE_MASK) {
goto done;
goto bad;
}
- if (audit_success(edit_argc, edit_argv) != 0)
+ if (audit_success(edit_argc, edit_argv) != 0 && !def_ignore_audit_errors)
goto done;
/* We want to run the editor with the unmodified environment. */
env_swap_old();
} else {
- if (audit_success(NewArgc, NewArgv) != 0)
+ if (audit_success(NewArgc, NewArgv) != 0 && !def_ignore_audit_errors)
goto done;
}
static pid_t ppgrp, cmnd_pgrp, mon_pgrp;
static sigset_t ttyblock;
static struct io_buffer_list iobufs;
+static bool ignore_iolog_errors;
static void del_io_events(bool nonblocking);
static int exec_monitor(struct command_details *details, int backchannel);
/* Error: disable plugin's I/O function. */
plugin->u.io->log_ttyin = NULL;
}
- rval = false;
+ if (!ignore_iolog_errors)
+ rval = false;
break;
}
}
/* Error: disable plugin's I/O function. */
plugin->u.io->log_stdin = NULL;
}
- rval = false;
+ if (!ignore_iolog_errors)
+ rval = false;
break;
}
}
/* Error: disable plugin's I/O function. */
plugin->u.io->log_ttyout = NULL;
}
- rval = false;
+ if (!ignore_iolog_errors)
+ rval = false;
break;
}
}
/* Error: disable plugin's I/O function. */
plugin->u.io->log_stdout = NULL;
}
- rval = false;
+ if (!ignore_iolog_errors)
+ rval = false;
break;
}
}
/* Error: disable plugin's I/O function. */
plugin->u.io->log_stderr = NULL;
}
- rval = false;
+ if (!ignore_iolog_errors)
+ rval = false;
break;
}
}
}
static void
-io_buf_new(int rfd, int wfd, bool (*action)(const char *, unsigned int, struct io_buffer *),
+io_buf_new(int rfd, int wfd,
+ bool (*action)(const char *, unsigned int, struct io_buffer *),
struct io_buffer_list *head)
{
int n;
sigaddset(&ttyblock, SIGTTIN);
sigaddset(&ttyblock, SIGTTOU);
+ /*
+ * The security policy may tell us to ignore errors from the
+ * I/O log functions.
+ */
+ if (!ISSET(details->flags, CD_IGNORE_IOLOG_ERRS))
+ ignore_iolog_errors = true;
+
/*
* Setup stdin/stdout/stderr for child, to be duped after forking.
* In background mode there is no stdin.
break;
}
break;
+ case 'i':
+ SET_FLAG("ignore_iolog_errors=", CD_IGNORE_IOLOG_ERRS)
+ break;
case 'l':
SET_STRING("login_class=", login_class)
break;
#define CD_SUDOEDIT_FOLLOW 0x10000
#define CD_SUDOEDIT_CHECKDIR 0x20000
#define CD_SET_GROUPS 0x40000
+#define CD_IGNORE_IOLOG_ERRS 0x80000
struct preserved_fd {
TAILQ_ENTRY(preserved_fd) entries;
projects / sudo / commitdiff