From 1017ad4e2c76b0a930db76f1804f1436a221467b Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@courtesan.com>
Date: Tue, 25 Mar 2014 16:46:00 -0600
Subject: [PATCH] Audit path too long errror.  Add comments about non-audit
 events and placeholders for future audit hooks.

---
 plugins/sudoers/env.c     | 1 +
 plugins/sudoers/sudoers.c | 7 +++++++
 2 files changed, 8 insertions(+)

diff --git a/plugins/sudoers/env.c b/plugins/sudoers/env.c
index edbcd664c..f60c57932 100644
--- a/plugins/sudoers/env.c
+++ b/plugins/sudoers/env.c
@@ -1010,6 +1010,7 @@ validate_env_vars(char * const env_vars[])
     }
     if (bad != NULL) {
 	bad[blen - 2] = '\0';		/* remove trailing ", " */
+	/* XXX - audit? */
 	log_fatal(NO_MAIL,
 	    N_("sorry, you are not allowed to set the following environment variables: %s"), bad);
 	/* NOTREACHED */
diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
index 79c1c76c2..b0b44240a 100644
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
@@ -219,6 +219,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
 
     /* Is root even allowed to run sudo? */
     if (user_uid == 0 && !def_root_sudo) {
+	/* Not an audit event. */
         warningx(U_("sudoers specifies that root is not allowed to sudo"));
         goto bad;
     }    
@@ -258,6 +259,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
     /* Check for -C overriding def_closefrom. */
     if (user_closefrom >= 0 && user_closefrom != def_closefrom) {
 	if (!def_closefrom_override) {
+	    /* XXX - audit? */
 	    warningx(U_("you are not permitted to use the -C option"));
 	    goto bad;
 	}
@@ -319,6 +321,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
 
     /* If no command line args and "shell_noargs" is not set, error out. */
     if (ISSET(sudo_mode, MODE_IMPLIED_SHELL) && !def_shell_noargs) {
+	/* Not an audit event. */
 	rval = -2; /* usage error */
 	goto done;
     }
@@ -344,6 +347,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
     /* Require a password if sudoers says so.  */
     rval = check_user(validated, sudo_mode);
     if (rval != true) {
+	/* Note: log_denial() calls audit for us. */
 	if (!ISSET(validated, VALIDATE_OK))
 	    log_denial(validated, false);
 	goto done;
@@ -365,6 +369,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
 
     /* If the user was not allowed to run the command we are done. */
     if (!ISSET(validated, VALIDATE_OK)) {
+	/* Note: log_failure() calls audit for us. */
 	log_failure(validated, cmnd_status);
 	goto bad;
     }
@@ -391,6 +396,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
     /* If user specified env vars make sure sudoers allows it. */
     if (ISSET(sudo_mode, MODE_RUN) && !def_setenv) {
 	if (ISSET(sudo_mode, MODE_PRESERVE_ENV)) {
+	    /* XXX - audit? */
 	    warningx(U_("sorry, you are not allowed to preserve the environment"));
 	    goto bad;
 	} else
@@ -662,6 +668,7 @@ set_cmnd(void)
 	}
     }
     if (strlen(user_cmnd) >= PATH_MAX) {
+	audit_failure(NewArgv, N_("command too long"));
 	errno = ENAMETOOLONG;
 	fatal("%s", user_cmnd);
     }
-- 
2.40.0