From: Todd C. Miller <Todd.Miller@courtesan.com>
Date: Sun, 10 May 2009 11:59:53 +0000 (+0000)
Subject: Must call audit_success before we change uids.
X-Git-Tag: SUDO_1_7_2~31
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=c0ac222c3fa42c48652751ad68a63542a91d235b;p=sudo

Must call audit_success before we change uids.
---

diff --git a/sudo.c b/sudo.c
index 1f4f236e3..a3594b215 100644
--- a/sudo.c
+++ b/sudo.c
@@ -482,6 +482,9 @@ main(argc, argv, envp)
 	(void) setrlimit(RLIMIT_CORE, &corelimit);
 #endif /* RLIMIT_CORE && !SUDO_DEVEL */
 
+	/* Must audit before uid change. */
+	audit_success(NewArgv);
+
 	/* Become specified user or root if executing a command. */
 	if (ISSET(sudo_mode, MODE_RUN))
 	    set_perms(PERM_FULL_RUNAS);
@@ -529,7 +532,6 @@ main(argc, argv, envp)
 #ifndef PROFILING
 	if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0) {
 	    syslog(LOG_AUTH|LOG_ERR, "fork");
-	    audit_success(NewArgv);
 	    exit(0);
 	} else {
 #ifdef HAVE_SELINUX
@@ -537,7 +539,6 @@ main(argc, argv, envp)
 		selinux_exec(user_role, user_type, NewArgv,
 		    ISSET(sudo_mode, MODE_LOGIN_SHELL));
 #endif
-	    audit_success(NewArgv);
 	    execv(safe_cmnd, NewArgv);
 	}
 #else