From 00f5e9dc6124753edfd333749ad7c7ba23847875 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Fri, 10 Dec 2010 14:33:30 -0500 Subject: [PATCH] Make the iolog dir configurable in sudoers --HG-- branch : 1.7 --- aclocal.m4 | 14 ++++++-------- configure | 51 +++++++++++++++++++++++++-------------------------- configure.in | 7 ++++--- def_data.c | 4 ++++ def_data.h | 2 ++ def_data.in | 3 +++ defaults.c | 1 + iolog.c | 20 ++++++++++---------- sudoers.pod | 9 ++++++++- 9 files changed, 63 insertions(+), 48 deletions(-) diff --git a/aclocal.m4 b/aclocal.m4 index d2807f30e..57cf8d3d0 100644 --- a/aclocal.m4 +++ b/aclocal.m4 @@ -124,18 +124,16 @@ dnl AC_DEFUN(SUDO_IO_LOGDIR, [ AC_MSG_CHECKING(for I/O log dir location) if test "${with_iologdir-yes}" != "yes"; then - : + iolog_dir="$with_iologdir": elif test -d "/var/log"; then - with_iologdir="/var/log/sudo-io" + iolog_dir="/var/log/sudo-io" elif test -d "/var/adm"; then - with_iologdir="/var/adm/sudo-io" + iolog_dir="/var/adm/sudo-io" else - with_iologdir="/usr/adm/sudo-io" + iolog_dir="/usr/adm/sudo-io" fi - if test "${with_iologdir-yes}" != "no"; then - SUDO_DEFINE_UNQUOTED(_PATH_SUDO_IO_LOGDIR, "$with_iologdir") - fi - AC_MSG_RESULT($with_iologdir) + SUDO_DEFINE_UNQUOTED(_PATH_SUDO_IO_LOGDIR, "$iolog_dir") + AC_MSG_RESULT($iolog_dir) ])dnl dnl diff --git a/configure b/configure index 499e02d34..690887f1f 100755 --- a/configure +++ b/configure @@ -816,6 +816,7 @@ sudo_umask password_timeout timeout timedir +iolog_dir CONFIGURE_ARGS ZLIB_DEP ZLIB @@ -2963,6 +2964,7 @@ $as_echo "$as_me: Configuring Sudo version $PACKAGE_VERSION" >&6;} # # Begin initial values for man page substitution # +iolog_dir=/var/log/sudo-io timedir=/var/adm/sudo timeout=5 password_timeout=5 
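Review bot: In the aclocal.m4 hunk for SUDO_IO_LOGDIR, the added line `iolog_dir="$with_iologdir":` has a colon outside the closing quote, which the shell appends to the value, so a directory passed through `with_iologdir` would be defined in _PATH_SUDO_IO_LOGDIR as `/path:`. It looks like a leftover of the `:` no-op it replaces and should read `iolog_dir="$with_iologdir"`; the regenerated configure hunk at -18552 carries the same line. The guard that skipped the define when `with_iologdir` is `no` is also removed, so `no` now falls into this branch and becomes the compiled-in directory. If disabling is still meant to be supported, that value needs to be rejected or special-cased here.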
@@ -3927,8 +3929,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu # Check whether --with-linux-audit was given. if test "${with_linux_audit+set}" = set; then : withval=$with_linux_audit; case $with_linux_audit in - yes) - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + yes) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int @@ -6792,13 +6793,13 @@ if test "${lt_cv_nm_interface+set}" = set; then : else lt_cv_nm_interface="BSD nm" echo "int some_variable = 0;" > conftest.$ac_ext - (eval echo "\"\$as_me:6795: $ac_compile\"" >&5) + (eval echo "\"\$as_me:6796: $ac_compile\"" >&5) (eval "$ac_compile" 2>conftest.err) cat conftest.err >&5 - (eval echo "\"\$as_me:6798: $NM \\\"conftest.$ac_objext\\\"\"" >&5) + (eval echo "\"\$as_me:6799: $NM \\\"conftest.$ac_objext\\\"\"" >&5) (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) cat conftest.err >&5 - (eval echo "\"\$as_me:6801: output\"" >&5) + (eval echo "\"\$as_me:6802: output\"" >&5) cat conftest.out >&5 if $GREP 'External.*some_variable' conftest.out > /dev/null; then lt_cv_nm_interface="MS dumpbin" @@ -8003,7 +8004,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 8006 "configure"' > conftest.$ac_ext + echo '#line 8007 "configure"' > conftest.$ac_ext if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -9396,11 +9397,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9399: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9400: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:9403: \$? = $ac_status" >&5 + echo "$as_me:9404: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. 
@@ -9735,11 +9736,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9738: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9739: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:9742: \$? = $ac_status" >&5 + echo "$as_me:9743: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -9840,11 +9841,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9843: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9844: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:9847: \$? = $ac_status" >&5 + echo "$as_me:9848: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -9895,11 +9896,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9898: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9899: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:9902: \$? = $ac_status" >&5 + echo "$as_me:9903: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -12262,7 +12263,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12265 "configure" +#line 12266 "configure" #include "confdefs.h" #if HAVE_DLFCN_H 
@@ -12358,7 +12359,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12361 "configure" +#line 12362 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -18552,22 +18553,20 @@ EOF { $as_echo "$as_me:${as_lineno-$LINENO}: checking for I/O log dir location" >&5 $as_echo_n "checking for I/O log dir location... " >&6; } if test "${with_iologdir-yes}" != "yes"; then - : + iolog_dir="$with_iologdir": elif test -d "/var/log"; then - with_iologdir="/var/log/sudo-io" + iolog_dir="/var/log/sudo-io" elif test -d "/var/adm"; then - with_iologdir="/var/adm/sudo-io" + iolog_dir="/var/adm/sudo-io" else - with_iologdir="/usr/adm/sudo-io" + iolog_dir="/usr/adm/sudo-io" fi - if test "${with_iologdir-yes}" != "no"; then - cat >>confdefs.h <>confdefs.h <&5 -$as_echo "$with_iologdir" >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $iolog_dir" >&5 +$as_echo "$iolog_dir" >&6; } if test "${with_iologdir-yes}" != "no"; then diff --git a/configure.in b/configure.in index 6d47c7695..06618dc07 100644 --- a/configure.in +++ b/configure.in @@ -6,7 +6,7 @@ dnl AC_INIT([sudo], [1.7.5b2], [http://www.sudo.ws/bugs/], [sudo]) AC_CONFIG_HEADER(config.h pathnames.h zlib/zconf.h) dnl -dnl This won't work before AC_INIT +dnl Note: this must come after AC_INIT dnl AC_MSG_NOTICE([Configuring Sudo version $PACKAGE_VERSION]) dnl @@ -58,6 +58,7 @@ AC_SUBST([CONFIGURE_ARGS]) dnl dnl Variables that get substituted in docs (not overridden by environment) dnl +AC_SUBST([iolog_dir])dnl real initial value from SUDO_IO_LOGDIR AC_SUBST([timedir])dnl real initial value from SUDO_TIMEDIR AC_SUBST([timeout]) AC_SUBST([password_timeout]) @@ -94,6 +95,7 @@ AC_SUBST([editor]) # # Begin initial values for man page substitution # +iolog_dir=/var/log/sudo-io timedir=/var/adm/sudo timeout=5 password_timeout=5 
@@ -249,8 +251,7 @@ dnl Handle Linux auditing support. dnl AC_ARG_WITH(linux-audit, [AS_HELP_STRING([--with-linux-audit], [enable Linux audit support])], [case $with_linux_audit in - yes) - AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include ]], [[int i = AUDIT_USER_CMD; (void)i;]])], [ + yes) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include ]], [[int i = AUDIT_USER_CMD; (void)i;]])], [ AC_DEFINE(HAVE_LINUX_AUDIT) SUDO_LIBS="${SUDO_LIBS} -laudit" SUDO_OBJS="${SUDO_OBJS} linux_audit.o" diff --git a/def_data.c b/def_data.c index fbdc0c791..c63d59588 100644 --- a/def_data.c +++ b/def_data.c @@ -330,6 +330,10 @@ struct sudo_defs_types sudo_defs_table[] = { "use_pty", T_FLAG, "Always run commands in a pseudo-tty", NULL, + }, { + "iolog_dir", T_STR|T_PATH, + "Directory in which to store input/output logs", + NULL, }, { NULL, 0, NULL } diff --git a/def_data.h b/def_data.h index e868d3226..0996ec8f5 100644 --- a/def_data.h +++ b/def_data.h @@ -152,6 +152,8 @@ #define I_COMPRESS_IO 75 #define def_use_pty (sudo_defs_table[76].sd_un.flag) #define I_USE_PTY 76 +#define def_iolog_dir (sudo_defs_table[77].sd_un.str) +#define I_IOLOG_DIR 77 enum def_tupple { never, diff --git a/def_data.in b/def_data.in index d903cfaee..4a7ae9672 100644 --- a/def_data.in +++ b/def_data.in @@ -244,3 +244,6 @@ compress_io use_pty T_FLAG "Always run commands in a pseudo-tty" +iolog_dir + T_STR|T_PATH + "Directory in which to store input/output logs" diff --git a/defaults.c b/defaults.c index d390a5a23..c63590457 100644 --- a/defaults.c +++ b/defaults.c @@ -439,6 +439,7 @@ init_defaults() #ifdef _PATH_SUDO_ASKPASS def_askpass = estrdup(_PATH_SUDO_ASKPASS); #endif + def_iolog_dir = _PATH_SUDO_IO_LOGDIR; def_sudoers_locale = estrdup("C"); def_env_reset = TRUE; def_set_logname = TRUE; diff --git a/iolog.c b/iolog.c index 4e492b601..e15b51dcc 100644 --- a/iolog.c +++ b/iolog.c 
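Review bot: In the defaults.c hunk, `def_iolog_dir = _PATH_SUDO_IO_LOGDIR;` stores a pointer to a string literal, whereas the neighbouring string defaults (`def_askpass`, `def_sudoers_locale`) are set with `estrdup()`. If the defaults code frees the previous value of a T_STR entry when sudoers overrides it or when init_defaults() runs again, an `iolog_dir` line in sudoers would free a non-heap pointer; that code is not visible in this hunk, so please confirm. Suggested change: `def_iolog_dir = estrdup(_PATH_SUDO_IO_LOGDIR);`. init_defaults() starts and ends outside the hunk.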
@@ -96,20 +96,20 @@ io_nextid() char pathbuf[PATH_MAX]; /* - * Create _PATH_SUDO_IO_LOGDIR if it doesn't already exist. + * Create I/O log directory if it doesn't already exist. */ - if (stat(_PATH_SUDO_IO_LOGDIR, &sb) != 0) { - if (mkdir(_PATH_SUDO_IO_LOGDIR, S_IRWXU) != 0) - log_error(USE_ERRNO, "Can't mkdir %s", _PATH_SUDO_IO_LOGDIR); + if (stat(def_iolog_dir, &sb) != 0) { + if (mkdir(def_iolog_dir, S_IRWXU) != 0) + log_error(USE_ERRNO, "Can't mkdir %s", def_iolog_dir); } else if (!S_ISDIR(sb.st_mode)) { log_error(0, "%s exists but is not a directory (0%o)", - _PATH_SUDO_IO_LOGDIR, (unsigned int) sb.st_mode); + def_iolog_dir, (unsigned int) sb.st_mode); } /* * Open sequence file */ - len = snprintf(pathbuf, sizeof(pathbuf), "%s/seq", _PATH_SUDO_IO_LOGDIR); + len = snprintf(pathbuf, sizeof(pathbuf), "%s/seq", def_iolog_dir); if (len <= 0 || len >= sizeof(pathbuf)) { errno = ENAMETOOLONG; log_error(USE_ERRNO, "%s/seq", pathbuf); @@ -163,14 +163,14 @@ build_idpath(pathbuf, pathsize) log_error(0, "tried to build a session id path without a session id"); /* - * Path is of the form /var/log/sudo-session/00/00/01. + * Path is of the form /var/log/sudo-io/00/00/01. */ - len = snprintf(pathbuf, pathsize, "%s/%c%c/%c%c/%c%c", _PATH_SUDO_IO_LOGDIR, + len = snprintf(pathbuf, pathsize, "%s/%c%c/%c%c/%c%c", def_iolog_dir, sudo_user.sessid[0], sudo_user.sessid[1], sudo_user.sessid[2], sudo_user.sessid[3], sudo_user.sessid[4], sudo_user.sessid[5]); if (len <= 0 && len >= pathsize) { errno = ENAMETOOLONG; - log_error(USE_ERRNO, "%s/%s", _PATH_SUDO_IO_LOGDIR, sudo_user.sessid); + log_error(USE_ERRNO, "%s/%s", def_iolog_dir, sudo_user.sessid); } /* @@ -227,7 +227,7 @@ io_log_open() /* * Build a path containing the session id split into two-digit subdirs, - * so ID 000001 becomes /var/log/sudo-session/00/00/01. + * so ID 000001 becomes /var/log/sudo-io/00/00/01. */ len = build_idpath(pathbuf, sizeof(pathbuf)); if (len == -1) 
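Review bot: In the first iolog.c hunk (io_nextid), the directory now comes from sudoers, but an existing `def_iolog_dir` is accepted after only the `S_ISDIR` check; its owner and mode are never examined, and `stat()` follows a symlink in the final component. Session input/output is stored beneath this path, so a location that other users can write to or replace would let the logs be tampered with. Consider adding a branch such as `else if (sb.st_uid != 0 || (sb.st_mode & (S_IWGRP|S_IWOTH))) log_error(0, "%s must be owned by root and not group/world-writable", def_iolog_dir);`; root ownership is an assumption about how this code runs, so adjust it to the intended owner. io_nextid's body starts before and continues after the hunk.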
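Review bot: In the second iolog.c hunk (build_idpath), the truncation check kept as context, `if (len <= 0 && len >= pathsize)`, can never be true, so an over-long path is never reported. That mattered little with a compile-time directory, but `def_iolog_dir` is now a sudoers value of arbitrary length, and the code after the check presumably goes on to use a truncated `pathbuf`. It should match the test in io_nextid: `if (len <= 0 || len >= pathsize) {`. build_idpath starts and ends outside the hunk.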
diff --git a/sudoers.pod b/sudoers.pod index dcc6299c8..494789b49 100644 --- a/sudoers.pod +++ b/sudoers.pod @@ -1021,6 +1021,13 @@ B. B will choose the editor that matches the user's EDITOR environment variable if possible, or the first editor in the list that exists and is executable. The default is C<"@editor@">. +=item iolog_dir + +The directory in which to store input/output logs when the I +or I options are enabled or when the or +C tags are present for a command. +The default is C<"@iolog_dir@">. + =item mailsub Subject of the mail sent to the I user. The escape C<%h> @@ -1359,7 +1366,7 @@ Local groups file List of network groups -=item F +=item F<@iolog_dir@> I/O log files -- 2.40.0