From f42cf76d8ac254e5ce1f831ca9e884f3c6cdff2f Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Fri, 30 Apr 2010 12:01:15 -0400
Subject: [PATCH] Re-enable bsm audit.

Currently auditing is done within the sudoers plugin itself. If possible, this should really be done in the main driver but we don't presently have the needed data to do that. This will be re-evaluated when Linux audit support is added.
---
 configure | 4 ++--
 configure.in | 4 ++--
 plugins/sudoers/Makefile.in | 8 ++++++--
 plugins/sudoers/auth/sudo_auth.c | 16 +---------------
 plugins/sudoers/sudoers.c | 19 ++++++++++---------
 src/Makefile.in | 2 --
 6 files changed, 21 insertions(+), 32 deletions(-)

diff --git a/configure b/configure
index d5d1fc9e7..cc51ccba1 100755
--- a/configure
+++ b/configure
@@ -2278,8 +2278,8 @@ if test "${with_bsm_audit+set}" = set; then
 #define HAVE_BSM_AUDIT 1
 _ACEOF
 
- SUDO_LIBS="${SUDO_LIBS} -lbsm"
- SUDO_OBJS="${SUDO_OBJS} bsm_audit.o"
+ SUDOERS_LIBS="${SUDOERS_LIBS} -lbsm"
+ SUDOERS_OBJS="${SUDOERS_OBJS} bsm_audit.lo"
 ;;
 no) ;;
 *) { { echo "$as_me:$LINENO: error: \"--with-bsm-audit does not take an argument.\"" >&5
diff --git a/configure.in b/configure.in
index 723773ec1..e3f112582 100644
--- a/configure.in
+++ b/configure.in
@@ -221,8 +221,8 @@ dnl
 AC_ARG_WITH(bsm-audit, [AS_HELP_STRING([--with-bsm-audit], [enable BSM audit support])],
 [case $with_bsm_audit in
 yes) AC_DEFINE(HAVE_BSM_AUDIT)
- SUDO_LIBS="${SUDO_LIBS} -lbsm"
- SUDO_OBJS="${SUDO_OBJS} bsm_audit.o"
+ SUDOERS_LIBS="${SUDOERS_LIBS} -lbsm"
+ SUDOERS_OBJS="${SUDOERS_OBJS} bsm_audit.o"
 ;;
 no) ;;
 *) AC_MSG_ERROR(["--with-bsm-audit does not take an argument."])
diff --git a/plugins/sudoers/Makefile.in b/plugins/sudoers/Makefile.in
index a2fd23bd8..60de3842f 100644
--- a/plugins/sudoers/Makefile.in
+++ b/plugins/sudoers/Makefile.in
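Review bot: The object name in the configure.in hunk disagrees with its generated counterpart: configure.in appends `bsm_audit.o` to SUDOERS_OBJS while the configure hunk above appends `bsm_audit.lo`, and the plugins/sudoers/Makefile.in hunk in this commit only defines a `bsm_audit.lo` rule. The next autoconf run regenerates configure from configure.in and will reintroduce `bsm_audit.o`, so a `--with-bsm-audit` build would then ask for an object the plugin Makefile never produces. Change the configure.in line to `SUDOERS_OBJS="${SUDOERS_OBJS} bsm_audit.lo"` so the two copies agree.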
@@ -95,8 +95,8 @@ SHELL = /bin/sh
 
 AUTH_OBJS = sudo_auth.lo @AUTH_OBJS@
 
-LIBSUDOERS_OBJS = alias.lo alloc.lo atobool.lo defaults.lo gram.lo list.lo \
- match.lo pwutil.lo timestr.lo toke.lo redblack.lo \
+LIBSUDOERS_OBJS = alias.lo alloc.lo atobool.lo audit.lo defaults.lo gram.lo \
+ list.lo match.lo pwutil.lo timestr.lo toke.lo redblack.lo \
 zero_bytes.lo @NONUNIX_GROUPS_IMPL@
 
 SUDOERS_OBJS = $(AUTH_OBJS) boottime.lo check.lo fmt_string.lo \
@@ -212,6 +212,10 @@ list.lo: $(top_srcdir)/src/list.c $(SUDODEP)
 lbuf.lo: $(top_srcdir)/src/lbuf.c $(SUDODEP)
 zero_bytes.lo: $(top_srcdir)/src/zero_bytes.c $(incdir)/compat.h $(top_builddir)/config.h
 
+# Upper level audit dependencies (XXX - move into sudoers?)
+audit.lo: $(top_srcdir)/src/audit.c $(SUDODEP)
+bsm_audit.lo: $(top_srcdir)/src/bsm_audit.c $(SUDODEP) $(top_srcdir)/src/bsm_audit.h
+
 # Auth dependencies
 sudo_auth.lo: $(authdir)/sudo_auth.c $(AUTHDEP) $(INSDEP)
 afs.lo: $(authdir)/afs.c $(AUTHDEP)
diff --git a/plugins/sudoers/auth/sudo_auth.c b/plugins/sudoers/auth/sudo_auth.c
index 3a7f83725..16e89c5d6 100644
--- a/plugins/sudoers/auth/sudo_auth.c
+++ b/plugins/sudoers/auth/sudo_auth.c
@@ -93,9 +93,7 @@ verify_user(struct passwd *pw, char *prompt)
 char *p;
 sudo_auth *auth;
 sigaction_t sa, osa;
-#ifdef HAVE_BSM_AUDIT
- extern char **NewArgv;
-#endif
+ extern char **NewArgv; /* XXX */
 
 /* Enable suspend during password entry. */
 sigemptyset(&sa.sa_mask);
@@ -105,9 +103,7 @@ verify_user(struct passwd *pw, char *prompt)
 
 /* Make sure we have at least one auth method. */
 if (auth_switch[0].name == NULL) {
-#ifdef HAVE_BSM_AUDIT
 audit_failure(NewArgv, "no authentication methods");
-#endif
 log_error(0, "%s %s %s",
 "There are no authentication methods compiled into sudo!",
 "If you want to turn off authentication, use the",
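Review bot: The new `extern char **NewArgv; /* XXX */` in the -93 hunk is a block-scope extern inside verify_user with no shared prototype, so the compiler cannot check it against the definition that the sudoers.c hunk of this commit makes non-static; a later type change on either side would only surface at link time or at run time. The declaration is now unconditional, as are the audit_failure() calls whose `#ifdef HAVE_BSM_AUDIT` guards are dropped here and in the -105, -129, -151, -203 and -230 hunks, which rely on audit.lo being linked unconditionally through LIBSUDOERS_OBJS. Put `extern char **NewArgv;` in a header both files include and remove the block-scope declaration; at minimum the comment should say what the XXX stands for, e.g. `/* XXX - defined in sudoers.c; should come from a shared header */`. verify_user's body continues outside the hunk.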
@@ -129,9 +125,7 @@ verify_user(struct passwd *pw, char *prompt)
 if (status == AUTH_FAILURE)
 CLR(auth->flags, FLAG_CONFIGURED);
 else if (status == AUTH_FATAL) { /* XXX log */
-#ifdef HAVE_BSM_AUDIT
 audit_failure(NewArgv, "authentication failure");
-#endif
 return -1; /* assume error msg already printed */
 }
 
@@ -151,9 +145,7 @@ verify_user(struct passwd *pw, char *prompt)
 if (status == AUTH_FAILURE)
 CLR(auth->flags, FLAG_CONFIGURED);
 else if (status == AUTH_FATAL) {/* XXX log */
-#ifdef HAVE_BSM_AUDIT
 audit_failure(NewArgv, "authentication failure");
-#endif
 return -1; /* assume error msg already printed */
 }
 
@@ -203,9 +195,7 @@ cleanup:
 status = (auth->cleanup)(pw, auth);
 if (status == AUTH_FATAL) { /* XXX log */
-#ifdef HAVE_BSM_AUDIT
 audit_failure(NewArgv, "authentication failure");
-#endif
 return -1; /* assume error msg already printed */
 }
@@ -230,16 +220,12 @@ cleanup:
 def_passwd_tries - counter,
 (def_passwd_tries - counter == 1) ? "" : "s");
 }
-#ifdef HAVE_BSM_AUDIT
 audit_failure(NewArgv, "authentication failure");
-#endif
 rval = FALSE;
 break;
 case AUTH_FATAL:
 default:
-#ifdef HAVE_BSM_AUDIT
 audit_failure(NewArgv, "authentication failure");
-#endif
 rval = -1;
 break;
 }
diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
index 04e75e65b..da8c47014 100644
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
@@ -153,8 +153,9 @@ static char *runas_user;
 static char *runas_group;
 static struct sudo_nss_list *snl;
-static int NewArgc;
-static char **NewArgv;
+/* XXX - must be extern for audit bits of sudo_auth.c */
+int NewArgc;
+char **NewArgv;
 /* error.c */
 extern sigjmp_buf error_jmp;
@@ -396,7 +397,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
 if (def_requiretty) {
 int fd = open(_PATH_TTY, O_RDWR|O_NOCTTY);
 if (fd == -1) {
- //audit_failure(NewArgv, "no tty");
+ audit_failure(NewArgv, "no tty");
 warningx("sorry, you must have a tty to run sudo");
 goto done;
 } else
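Review bot: In the sudoers.c -153 hunk `int NewArgc;` loses its `static` although the new comment only justifies exporting NewArgv, and no hunk in this commit reads NewArgc from another file; keep `static int NewArgc;` and export only `char **NewArgv;`. Dropping `static` also adds a short, generic name to the plugin's global symbols, and unless the sudoers shared object is linked with an export list (not visible here) `NewArgv` ends up in its dynamic symbol table where another object in the process could collide with it. An `extern char **NewArgv;` declaration in a header included by both sudoers.c and auth/sudo_auth.c would keep the definition type-checked and make the `/* XXX */` unnecessary. The audit_failure() calls re-enabled in the -396, -440, -461 and -1025 hunks and the audit_success() call in -580 all run in the plugin before the uid change, consistent with the existing `/* Must audit before uid change. */` comment.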
@@ -440,7 +441,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
 /* If the user was not allowed to run the command we are done. */
 if (!ISSET(validated, VALIDATE_OK)) {
 if (ISSET(validated, FLAG_NO_USER | FLAG_NO_HOST)) {
- //audit_failure(NewArgv, "No user or host");
+ audit_failure(NewArgv, "No user or host");
 log_denial(validated, 1);
 } else {
 if (def_path_info) {
@@ -461,18 +462,18 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
 /* Just tell the user they are not allowed to run foo. */
 log_denial(validated, 1);
 }
- //audit_failure(NewArgv, "validation failure");
+ audit_failure(NewArgv, "validation failure");
 }
 goto done;
 }
 
 /* Finally tell the user if the command did not exist. */
 if (cmnd_status == NOT_FOUND_DOT) {
- //audit_failure(NewArgv, "command in current directory");
+ audit_failure(NewArgv, "command in current directory");
 warningx("ignoring `%s' found in '.'\nUse `sudo ./%s' if this is the `%s' you wish to run.", user_cmnd, user_cmnd, user_cmnd);
 goto done;
 } else if (cmnd_status == NOT_FOUND) {
- //audit_failure(NewArgv, "%s: command not found", user_cmnd);
+ audit_failure(NewArgv, "%s: command not found", user_cmnd);
 warningx("%s: command not found", user_cmnd);
 goto done;
 }
@@ -580,7 +581,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
 }
 /* Must audit before uid change. */
- //audit_success(NewArgv); /* XXX */
+ audit_success(NewArgv);
 *command_infop = command_info;
@@ -1025,7 +1026,7 @@ set_runaspw(char *user)
 runas_pw = sudo_fakepwnam(user, runas_gr ? runas_gr->gr_gid : 0);
 } else {
 if ((runas_pw = sudo_getpwnam(user)) == NULL) {
- //audit_failure(NewArgv, "unknown user: %s", user);
+ audit_failure(NewArgv, "unknown user: %s", user);
 log_error(NO_MAIL|MSG_ONLY, "unknown user: %s", user);
 }
 }
diff --git a/src/Makefile.in b/src/Makefile.in
index 6402ea692..a396f0d55 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -108,8 +108,6 @@ sesh: sesh.o
 aix.o: $(srcdir)/aix.c $(top_builddir)/config.h $(incdir)/compat.h
 alloc.o: $(srcdir)/alloc.c $(SUDODEP)
 atobool.o: $(srcdir)/atobool.c $(SUDODEP)
-audit.o: $(srcdir)/audit.c $(SUDODEP)
-bsm_audit.o: $(srcdir)/bsm_audit.c $(SUDODEP) bsm_audit.h
 conversation.o: $(srcdir)/conversation.c $(SUDODEP)
 error.o: $(srcdir)/error.c $(incdir)/compat.h $(incdir)/error.h $(top_builddir)/config.h
 fileops.o: $(srcdir)/fileops.c $(SUDODEP)
-- 
2.40.0