From: Todd C. Miller Date: Mon, 12 Nov 2001 18:13:03 +0000 (+0000) Subject: Add mail_badpass option X-Git-Tag: SUDO_1_6_4~160 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=de9d655ea62beec53c78befb95854cb1d8e06faf;p=sudo Add mail_badpass option Also modify mail_always behavior to also send mail when the password is wrong --- diff --git a/auth/sudo_auth.c b/auth/sudo_auth.c index ce8614b9a..06ca9c9be 100644 --- a/auth/sudo_auth.c +++ b/auth/sudo_auth.c @@ -99,9 +99,10 @@ verify_user(pw, prompt) struct passwd *pw; char *prompt; { - short counter = def_ival(I_PASSWD_TRIES) + 1; - short success = AUTH_FAILURE; - short status; + int counter = def_ival(I_PASSWD_TRIES) + 1; + int success = AUTH_FAILURE; + int status; + int flags; char *p; sudo_auth *auth; @@ -213,7 +214,11 @@ cleanup: case AUTH_SUCCESS: return; case AUTH_FAILURE: - log_error(NO_MAIL, "%d incorrect password attempt%s", + if (def_flag(I_MAIL_BADPASS) || def_flag(I_MAIL_ALWAYS)) + flags = 0; + else + flags = NO_MAIL; + log_error(flags, "%d incorrect password attempt%s", def_ival(I_PASSWD_TRIES) - counter, (def_ival(I_PASSWD_TRIES) - counter == 1) ? "" : "s"); case AUTH_FATAL: diff --git a/def_data.c b/def_data.c index 348bce817..7c757a08c 100644 --- a/def_data.c +++ b/def_data.c @@ -26,6 +26,9 @@ struct sudo_defs_types sudo_defs_table[] = { }, { "mail_always", T_FLAG, "Always send mail when sudo is run" + }, { + "mail_badpass", T_FLAG, + "Send mail if user authentication fails" }, { "mail_no_user", T_FLAG, "Send mail if the user is not in sudoers" @@ -149,6 +152,9 @@ struct sudo_defs_types sudo_defs_table[] = { }, { "editor", T_STR|T_PATH, "Path to the editor for use by visudo: %s" + }, { + "env_delete", T_STR|T_BOOL, + "Environment variables to remove: %s" }, { "env_keep", T_STR|T_BOOL, "Environment variables to preserve: %s" diff --git a/def_data.h b/def_data.h index 7146aaca1..1b9fafb8d 100644 --- a/def_data.h +++ b/def_data.h 
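Review bot: In the second sudo_auth.c hunk, `case AUTH_FAILURE:` still runs into `case AUTH_FATAL:` with no marker, and the call above it now passes either `0` or `NO_MAIL` rather than one fixed flag. Refusing access after a bad password therefore depends on that fall-through (or on log_error() not returning, which this hunk does not show), so it deserves a `/* FALLTHROUGH */` comment right after the log_error() call. The bare `0` would also read better with a short comment such as `/* no NO_MAIL: mail is allowed */`, and since `flags` is used only here the if/else could collapse to `flags = (def_flag(I_MAIL_BADPASS) || def_flag(I_MAIL_ALWAYS)) ? 0 : NO_MAIL;`. The switch and the rest of verify_user() continue outside the hunk.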
@@ -7,49 +7,51 @@ #define I_LONG_OTP_PROMPT 6 #define I_IGNORE_DOT 7 #define I_MAIL_ALWAYS 8 -#define I_MAIL_NO_USER 9 -#define I_MAIL_NO_HOST 10 -#define I_MAIL_NO_PERMS 11 -#define I_TTY_TICKETS 12 -#define I_LECTURE 13 -#define I_AUTHENTICATE 14 -#define I_ROOT_SUDO 15 -#define I_LOG_HOST 16 -#define I_LOG_YEAR 17 -#define I_SHELL_NOARGS 18 -#define I_SET_HOME 19 -#define I_ALWAYS_SET_HOME 20 -#define I_PATH_INFO 21 -#define I_FQDN 22 -#define I_INSULTS 23 -#define I_REQUIRETTY 24 -#define I_ENV_EDITOR 25 -#define I_ROOTPW 26 -#define I_RUNASPW 27 -#define I_TARGETPW 28 -#define I_USE_LOGINCLASS 29 -#define I_SET_LOGNAME 30 -#define I_STAY_SETUID 31 -#define I_ENV_RESET 32 -#define I_LOGLINELEN 33 -#define I_TIMESTAMP_TIMEOUT 34 -#define I_PASSWD_TIMEOUT 35 -#define I_PASSWD_TRIES 36 -#define I_UMASK 37 -#define I_LOGFILE 38 -#define I_MAILERPATH 39 -#define I_MAILERFLAGS 40 -#define I_MAILTO 41 -#define I_MAILSUB 42 -#define I_BADPASS_MESSAGE 43 -#define I_TIMESTAMPDIR 44 -#define I_EXEMPT_GROUP 45 -#define I_PASSPROMPT 46 -#define I_RUNAS_DEFAULT 47 -#define I_SECURE_PATH 48 -#define I_EDITOR 49 -#define I_ENV_KEEP 50 -#define I_LISTPW_I 51 -#define I_VERIFYPW_I 52 -#define I_LISTPW 53 -#define I_VERIFYPW 54 +#define I_MAIL_BADPASS 9 +#define I_MAIL_NO_USER 10 +#define I_MAIL_NO_HOST 11 +#define I_MAIL_NO_PERMS 12 +#define I_TTY_TICKETS 13 +#define I_LECTURE 14 +#define I_AUTHENTICATE 15 +#define I_ROOT_SUDO 16 +#define I_LOG_HOST 17 +#define I_LOG_YEAR 18 +#define I_SHELL_NOARGS 19 +#define I_SET_HOME 20 +#define I_ALWAYS_SET_HOME 21 +#define I_PATH_INFO 22 +#define I_FQDN 23 +#define I_INSULTS 24 +#define I_REQUIRETTY 25 +#define I_ENV_EDITOR 26 +#define I_ROOTPW 27 +#define I_RUNASPW 28 +#define I_TARGETPW 29 +#define I_USE_LOGINCLASS 30 +#define I_SET_LOGNAME 31 +#define I_STAY_SETUID 32 +#define I_ENV_RESET 33 +#define I_LOGLINELEN 34 +#define I_TIMESTAMP_TIMEOUT 35 +#define I_PASSWD_TIMEOUT 36 +#define I_PASSWD_TRIES 37 +#define I_UMASK 38 +#define 
I_LOGFILE 39 +#define I_MAILERPATH 40 +#define I_MAILERFLAGS 41 +#define I_MAILTO 42 +#define I_MAILSUB 43 +#define I_BADPASS_MESSAGE 44 +#define I_TIMESTAMPDIR 45 +#define I_EXEMPT_GROUP 46 +#define I_PASSPROMPT 47 +#define I_RUNAS_DEFAULT 48 +#define I_SECURE_PATH 49 +#define I_EDITOR 50 +#define I_ENV_DELETE 51 +#define I_ENV_KEEP 52 +#define I_LISTPW_I 53 +#define I_VERIFYPW_I 54 +#define I_LISTPW 55 +#define I_VERIFYPW 56 diff --git a/def_data.in b/def_data.in index 42cec09fd..47a80a264 100644 --- a/def_data.in +++ b/def_data.in @@ -33,6 +33,9 @@ ignore_dot mail_always T_FLAG "Always send mail when sudo is run" +mail_badpass + T_FLAG + "Send mail if user authentication fails" mail_no_user T_FLAG "Send mail if the user is not in sudoers" @@ -156,6 +159,9 @@ secure_path editor T_STR|T_PATH "Path to the editor for use by visudo: %s" +env_delete + T_STR|T_BOOL + "Environment variables to remove: %s" env_keep T_STR|T_BOOL "Environment variables to preserve: %s" diff --git a/sudoers.pod b/sudoers.pod index a6eb4cb24..e6da24196 100644 --- a/sudoers.pod +++ b/sudoers.pod @@ -244,6 +244,11 @@ flag is I<@ignore_dot@> by default. Send mail to the I user every time a users runs B. This flag is I by default. +=item mail_badpass + +Send mail to the I user if the user running sudo does not +enter the correct password. This flag is I by default. + =item mail_no_user If set, mail will be sent to the I user if the invoking
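Review bot: The `env_delete` entry added in the second def_data.in hunk (mirrored as `I_ENV_DELETE` in def_data.h and in the def_data.c table) is not mentioned in the commit message, and none of the hunks shown here reads it. For an option that controls which environment variables are removed, a setting that is defined but not yet acted on could give administrators a false sense of protection, so it would be better split into the commit that implements it, or at least noted in the description. The sudoers.pod hunk visible here documents only mail_badpass; it is cut off at the end of the page, so env_delete may be documented further on.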