Cleanup
parent
e273750ee7
commit
574273529d
@ -1,389 +0,0 @@
diff -up /dev/null sudo-1.7.1/audit_help.c
--- /dev/null 2009-06-19 12:23:43.376002420 +0200
+++ sudo-1.7.1/audit_help.c 2009-06-22 14:24:48.000000000 +0200
@@ -0,0 +1,136 @@
+/*
+ * Audit helper functions used throughout sudo
+ *
+ * Copyright (C) 2007, Red Hat, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Julianne F. Haugh nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <config.h>
+
+#ifdef WITH_AUDIT
+#include <stdlib.h>
+#include <syslog.h>
+#include <stdarg.h>
+#include <libaudit.h>
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#endif
+
+int audit_fd;
+
+void audit_help_open (void)
+{
+ audit_fd = audit_open ();
+ if (audit_fd < 0) {
+ /* You get these only when the kernel doesn't have
+ * audit compiled in. */
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+ errno == EAFNOSUPPORT)
+ return;
+ fprintf (stderr, "Cannot open audit interface - aborting.\n");
+ exit (1);
+ }
+}
+
+/*
+ * This function will log a message to the audit system using a predefined
+ * message format. Parameter usage is as follows:
+ *
+ * type - type of message: AUDIT_USER_CMD
+ * command - the command being logged
+ * params - parames of the command
+ * result - 1 is "success" and 0 is "failed"
+ *
+ */
+void audit_logger (int type, const char *command, const char *params, int result)
+{
+ int err;
+ char *msg;
+
+ if( audit_fd < 0 )
+ return;
+ else {
+
+ if( params )
+ err = asprintf(&msg, "%s %s", command, params);
+ else
+ err = asprintf(&msg, "%s", command);
+ if (err < 0) {
+ fprintf (stderr, "Memory allocation for audit message wasn’t possible.\n");
+ return;
+ }
+
+ err = audit_log_user_command (audit_fd, type, msg, NULL, result);
+ /* The kernel supports auditing and we had
+ enough privilege to write to the socket. */
+ if( err <= 0 && !((errno == EPERM && getuid() > 0) || errno == ECONNREFUSED ) ) {
+ perror("audit_log_user_command()");
+ }
+
+ free(msg);
+ }
+}
+
+#ifdef HAVE_SELINUX
+int send_audit_message(int success, security_context_t old_context,
+ security_context_t new_context, const char *ttyn)
+{
+ char *msg = NULL;
+ int rc;
+
+ if (audit_fd < 0)
+ return -1;
+
+ if (asprintf(&msg, "newrole: old-context=%s new-context=%s",
+ old_context ? old_context : "?",
+ new_context ? new_context : "?") < 0) {
+ fprintf(stderr, "Error allocating memory.\n");
+ rc = -1;
+ goto out;
+ }
+
+ rc = audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
+ msg, NULL, NULL, ttyn, success);
+
+ if (rc <= 0) {
+ fprintf(stderr, "Error sending audit message.\n");
+ rc = -1;
+ goto out;
+ }
+ rc = 0;
+
+ out:
+ free(msg);
+ return rc;
+}
+#endif
+#endif /* WITH_AUDIT */
diff -up sudo-1.7.1/configure.in.audit sudo-1.7.1/configure.in
--- sudo-1.7.1/configure.in.audit 2009-06-22 14:24:48.000000000 +0200
+++ sudo-1.7.1/configure.in 2009-06-22 14:26:42.000000000 +0200
@@ -179,6 +179,10 @@ dnl
dnl Options for --with
dnl
+AC_ARG_WITH(audit,
+ [AC_HELP_STRING([--with-audit], [use auditing support @<:@default=yes if found@:>@])],
+ [with_audit=$withval], [with_audit=yes])
+
AC_ARG_WITH(CC, [ --with-CC C compiler to use],
[case $with_CC in
yes) AC_MSG_ERROR(["must give --with-CC an argument."])
@@ -1706,6 +1710,24 @@ dnl
: ${mansectsu='8'}
: ${mansectform='5'}
+AC_SUBST(LIBAUDIT)
+if test "$with_audit" = "yes"; then
+ # See if we have the audit library
+ AC_CHECK_HEADER(libaudit.h, [audit_header="yes"], [audit_header="no"])
+ if test "$audit_header" = "yes"; then
+ AC_CHECK_LIB(audit, audit_log_user_command,
+ [AC_DEFINE(WITH_AUDIT, 1, [Define if you want to enable Audit messages])
+ LIBAUDIT="-laudit"])
+ fi
+ # See if we have the libcap library
+ AC_CHECK_HEADERS(sys/capability.h sys/prctl.h, [cap_header="yes"], [cap_header="no"])
+ if test "$cap_header" = "yes"; then
+ AC_CHECK_LIB(cap, cap_init,
+ [AC_DEFINE(HAVE_LIBCAP, 1, [SELinux libcap support])
+ SUDO_LIBS="${SUDO_LIBS} -lcap"])
+ fi
+fi
+
dnl
dnl Add in any libpaths or libraries specified via configure
dnl
diff -up sudo-1.7.1/Makefile.in.audit sudo-1.7.1/Makefile.in
--- sudo-1.7.1/Makefile.in.audit 2009-06-22 14:24:48.000000000 +0200
+++ sudo-1.7.1/Makefile.in 2009-06-22 14:24:48.000000000 +0200
@@ -125,6 +125,8 @@ HDRS = bsm_audit.h compat.h def_data.h d
AUTH_OBJS = sudo_auth.o @AUTH_OBJS@
+AUDIT_OBJS = audit_help.o
+
# Note: gram.o must come first here
COMMON_OBJS = gram.o alias.o alloc.o defaults.o error.o list.o match.o \
toke.o redblack.o zero_bytes.o
@@ -132,7 +134,7 @@ COMMON_OBJS = gram.o alias.o alloc.o def
SUDO_OBJS = $(COMMON_OBJS) $(AUTH_OBJS) @SUDO_OBJS@ audit.o check.o env.o \
getspwuid.o gettime.o goodpath.o fileops.o find_path.o \
interfaces.o lbuf.o logging.o parse.o pwutil.o set_perms.o \
- sudo.o sudo_edit.o sudo_nss.o term.o tgetpass.o
+ sudo.o sudo_edit.o sudo_nss.o term.o tgetpass.o $(AUDIT_OBJS)
VISUDO_OBJS = $(COMMON_OBJS) visudo.o fileops.o gettime.o goodpath.o \
find_path.o pwutil.o
@@ -361,6 +363,9 @@ securid5.o: $(authdir)/securid5.c $(AUTH
sia.o: $(authdir)/sia.c $(AUTHDEP)
$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/sia.c
+audit_help.o: audit_help.c sudo.h
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(LIBADUIT) $(srcdir)/audit_help.c
+
sudo.man.in: $(srcdir)/sudo.pod
@rm -f $(srcdir)/$@
( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" | perl -p sudo.man.pl >> $@ )
diff -up sudo-1.7.1/set_perms.c.audit sudo-1.7.1/set_perms.c
--- sudo-1.7.1/set_perms.c.audit 2008-03-06 18:19:56.000000000 +0100
+++ sudo-1.7.1/set_perms.c 2009-06-22 14:24:48.000000000 +0200
@@ -48,6 +48,10 @@
#ifdef HAVE_LOGIN_CAP_H
# include <login_cap.h>
#endif
+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
+# include <sys/prctl.h>
+# include <sys/capability.h>
+#endif
#include "sudo.h"
@@ -126,16 +130,59 @@ set_perms(perm)
break;
case PERM_FULL_RUNAS:
- /* headed for exec(), assume euid == ROOT_UID */
- runas_setup();
- if (setresuid(def_stay_setuid ?
- user_uid : runas_pw->pw_uid,
- runas_pw->pw_uid, runas_pw->pw_uid)) {
- errstr = "unable to change to runas uid";
- goto bad;
- }
+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
+ { /* BEGIN CAP BLOCK */
+ cap_t new_caps;
+ cap_value_t cap_list[] = { CAP_AUDIT_WRITE };
+
+ if (runas_pw->pw_uid != ROOT_UID) {
+ new_caps = cap_init ();
+ if (!new_caps) {
+ errstr = "Error initing capabilities, aborting.\n";
+ goto bad;
+ }
+
+ if(cap_set_flag(new_caps, CAP_PERMITTED, 1, cap_list, CAP_SET) ||
+ cap_set_flag(new_caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET)) {
+ errstr = "Error setting capabilities, aborting\n";
+ goto bad;
+ }
+
+ if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) {
+ errstr = "Error setting KEEPCAPS, aborting\n";
+ goto bad;
+ }
+ }
+#endif
+ /* headed for exec(), assume euid == ROOT_UID */
+ runas_setup();
+ if (setresuid(def_stay_setuid ?
+ user_uid : runas_pw->pw_uid,
+ runas_pw->pw_uid, runas_pw->pw_uid)) {
+ errstr = "unable to change to runas uid";
+ goto bad;
+ }
+
+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
+ if (runas_pw->pw_uid != ROOT_UID) {
+ if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0) {
+ errstr = "Error resetting KEEPCAPS, aborting\n";
+ goto bad;
+ }
+
+ if (cap_set_proc(new_caps)) {
+ errstr = "Error dropping capabilities, aborting\n";
+ goto bad;
+ }
+
+ if (cap_free (new_caps)) {
+ errstr = "Error freeing caps\n";
+ goto bad;
+ }
+ }
+ } /* END CAP BLOCK */
+#endif
break;
-
case PERM_SUDOERS:
/* assume euid == ROOT_UID, ruid == user */
if (setresgid(-1, SUDOERS_GID, -1))
diff -up sudo-1.7.1/sudo.c.audit sudo-1.7.1/sudo.c
--- sudo-1.7.1/sudo.c.audit 2009-06-22 14:24:48.000000000 +0200
+++ sudo-1.7.1/sudo.c 2009-06-22 14:24:48.000000000 +0200
@@ -95,6 +95,10 @@
# include <selinux/selinux.h>
#endif
+#ifdef WITH_AUDIT
+#include <libaudit.h>
+#endif
+
#include <sudo_usage.h>
#include "sudo.h"
#include "lbuf.h"
@@ -360,6 +364,10 @@ main(argc, argv, envp)
if (safe_cmnd == NULL)
safe_cmnd = estrdup(user_cmnd);
+#if defined(WITH_AUDIT)
+ audit_help_open ();
+#endif
+
#ifdef HAVE_SETLOCALE
setlocale(LC_ALL, "");
#endif
@@ -521,7 +529,18 @@ main(argc, argv, envp)
(void) sigaction(SIGINT, &saved_sa_int, NULL);
(void) sigaction(SIGQUIT, &saved_sa_quit, NULL);
(void) sigaction(SIGTSTP, &saved_sa_tstp, NULL);
-
+
+ if (access(safe_cmnd, X_OK) != 0) {
+ warn ("unable to execute %s", safe_cmnd);
+#ifdef WITH_AUDIT
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
+#endif
+ exit(127);
+ }
+#ifdef WITH_AUDIT
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 1);
+#endif
+
/* Close the password and group files and free up memory. */
sudo_endpwent();
sudo_endgrent();
@@ -554,11 +573,17 @@ main(argc, argv, envp)
NewArgv[1] = safe_cmnd;
execv(_PATH_BSHELL, NewArgv);
}
+#ifdef WITH_AUDIT
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
+#endif
warning("unable to execute %s", safe_cmnd);
exit(127);
} else if (ISSET(validated, FLAG_NO_USER | FLAG_NO_HOST)) {
audit_failure(NewArgv, "No user or host");
log_denial(validated, 1);
+#ifdef WITH_AUDIT
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
+#endif
exit(1);
} else {
if (def_path_info) {
@@ -580,6 +605,9 @@ main(argc, argv, envp)
log_denial(validated, 1);
}
audit_failure(NewArgv, "validation failure");
+#ifdef WITH_AUDIT
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
+#endif
exit(1);
}
exit(0); /* not reached */
diff -up sudo-1.7.1/sudo.h.audit sudo-1.7.1/sudo.h
--- sudo-1.7.1/sudo.h.audit 2009-06-22 14:24:48.000000000 +0200
+++ sudo-1.7.1/sudo.h 2009-06-22 14:24:48.000000000 +0200
@@ -24,6 +24,8 @@
#ifndef _SUDO_SUDO_H
#define _SUDO_SUDO_H
+#include <config.h>
+
#include <pathnames.h>
#include <limits.h>
#include "compat.h"
@@ -338,4 +340,10 @@ extern int sudo_mode;
extern int errno;
#endif
+#ifdef WITH_AUDIT
+extern int audit_fd;
+extern void audit_help_open (void);
+extern void audit_logger (int, const char *, const char *, int);
+#endif
+
#endif /* _SUDO_SUDO_H */
@ -1,48 +0,0 @@
diff -up sudo-1.7.1/audit_help.c.auditfix sudo-1.7.1/audit_help.c
--- sudo-1.7.1/audit_help.c.auditfix 2009-07-09 15:05:14.000000000 +0200
+++ sudo-1.7.1/audit_help.c 2009-07-09 15:04:33.000000000 +0200
@@ -45,7 +45,7 @@
#include <selinux/selinux.h>
#endif
-int audit_fd;
+int audit_fd = -1;
void audit_help_open (void)
{
diff -up sudo-1.7.1/sudo.c.auditfix sudo-1.7.1/sudo.c
--- sudo-1.7.1/sudo.c.auditfix 2009-07-09 14:35:50.000000000 +0200
+++ sudo-1.7.1/sudo.c 2009-07-09 15:02:41.000000000 +0200
@@ -363,10 +363,6 @@ main(argc, argv, envp)
}
if (safe_cmnd == NULL)
safe_cmnd = estrdup(user_cmnd);
-
-#if defined(WITH_AUDIT)
- audit_help_open ();
-#endif
#ifdef HAVE_SETLOCALE
setlocale(LC_ALL, "");
@@ -529,7 +525,12 @@ main(argc, argv, envp)
(void) sigaction(SIGINT, &saved_sa_int, NULL);
(void) sigaction(SIGQUIT, &saved_sa_quit, NULL);
(void) sigaction(SIGTSTP, &saved_sa_tstp, NULL);
+
+ closefrom(def_closefrom + 1);
+#if defined(WITH_AUDIT)
+ audit_help_open ();
+#endif
if (access(safe_cmnd, X_OK) != 0) {
warn ("unable to execute %s", safe_cmnd);
#ifdef WITH_AUDIT
@@ -545,8 +546,6 @@ main(argc, argv, envp)
sudo_endpwent();
sudo_endgrent();
- closefrom(def_closefrom + 1);
-
#ifndef PROFILING
if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0) {
syslog(LOG_AUTH|LOG_ERR, "fork");
@ -1,12 +0,0 @@
diff -up sudo-1.7.1/configure.in.conffix sudo-1.7.1/configure.in
--- sudo-1.7.1/configure.in.conffix 2009-06-22 15:45:51.000000000 +0200
+++ sudo-1.7.1/configure.in 2009-06-22 15:45:30.000000000 +0200
@@ -2473,7 +2473,7 @@ if test ${with_ldap-'no'} != "no"; then
AC_MSG_RESULT([yes])
AC_DEFINE(HAVE_LBER_H)])
- AC_CHECK_HEADERS([sasl/sasl.h] [sasl.h], [AC_CHECK_FUNCS(ldap_sasl_interactive_bind_s), [break]])
+ AC_CHECK_HEADERS([sasl/sasl.h] [sasl.h], [AC_CHECK_FUNCS(ldap_sasl_interactive_bind_s)], [break])
AC_CHECK_HEADERS([ldap_ssl.h] [mps/ldap_ssl.h], [break], [], [#include <ldap.h>])
AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength ldap_search_ext_s ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s ldap_ssl_client_init ldap_start_tls_s_np)
@ -1,12 +0,0 @@
diff -up sudo-1.7.1/configure.in.envdebug sudo-1.7.1/configure.in
--- sudo-1.7.1/configure.in.envdebug 2009-05-02 21:25:56.000000000 +0200
+++ sudo-1.7.1/configure.in 2009-05-02 21:27:17.000000000 +0200
@@ -1192,7 +1192,7 @@ AC_ARG_ENABLE(env_debug,
[ --enable-env-debug Whether to enable environment debugging.],
[ case "$enableval" in
yes) AC_MSG_RESULT(yes)
- AC_DEFINE(ENV_DEBUG)
+ AC_DEFINE(ENV_DEBUG, [], [Environment debugging.])
;;
no) AC_MSG_RESULT(no)
;;
@ -1,40 +0,0 @@
diff -up sudo-1.7.1/check.c.getgrouplist sudo-1.7.1/check.c
--- sudo-1.7.1/check.c.getgrouplist 2009-05-02 21:48:17.000000000 +0200
+++ sudo-1.7.1/check.c 2009-05-02 21:49:04.000000000 +0200
@@ -353,6 +353,24 @@ user_is_exempt()
return(TRUE);
}
+#ifdef HAVE_GETGROUPLIST
+ {
+ gid_t *grouplist, grouptmp;
+ int n_groups, i;
+ n_groups = 1;
+ if (getgrouplist(user_name, user_gid, &grouptmp, &n_groups) == -1) {
+ grouplist = (gid_t *) emalloc(sizeof(gid_t) * (n_groups + 1));
+ if (getgrouplist(user_name, user_gid, grouplist, &n_groups) > 0)
+ for (i = 0; i < n_groups; i++)
+ if (grouplist[i] == grp->gr_gid) {
+ free(grouplist);
+ return(TRUE);
+ }
+ free(grouplist);
+ }
+ }
+#endif
+
return(FALSE);
}
diff -up sudo-1.7.1/configure.in.getgrouplist sudo-1.7.1/configure.in
--- sudo-1.7.1/configure.in.getgrouplist 2009-05-02 21:48:13.000000000 +0200
+++ sudo-1.7.1/configure.in 2009-05-02 21:50:05.000000000 +0200
@@ -1809,7 +1809,7 @@ dnl
AC_FUNC_GETGROUPS
AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \
strftime setrlimit initgroups getgroups fstat gettimeofday \
- setlocale getaddrinfo setsid setenv)
+ setlocale getaddrinfo setsid setenv getgrouplist)
AC_CHECK_FUNCS(unsetenv, SUDO_FUNC_UNSETENV_VOID)
SUDO_FUNC_PUTENV_CONST
if test -z "$SKIP_SETRESUID"; then
@ -1,12 +0,0 @@
diff -up sudo-1.7.1/Makefile.in.libtool sudo-1.7.1/Makefile.in
--- sudo-1.7.1/Makefile.in.libtool 2009-05-02 21:35:55.000000000 +0200
+++ sudo-1.7.1/Makefile.in 2009-05-02 21:36:04.000000000 +0200
@@ -198,7 +198,7 @@ sudo_noexec.lo: $(srcdir)/sudo_noexec.c
$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo_noexec.c
sudo_noexec.la: sudo_noexec.lo
- $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ sudo_noexec.lo -avoid-version -rpath $(noexecdir)
+ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ sudo_noexec.lo -module -avoid-version -rpath $(noexecdir)
# Uncomment the following if you want "make distclean" to clean the parser
@DEV@GENERATED = gram.h gram.c toke.c def_data.c def_data.h
@ -1,111 +0,0 @@
diff -up sudo-1.7.1/auth/pam.c.login sudo-1.7.1/auth/pam.c
--- sudo-1.7.1/auth/pam.c.login 2009-05-02 21:01:17.000000000 +0200
+++ sudo-1.7.1/auth/pam.c 2009-05-02 21:07:42.000000000 +0200
@@ -100,7 +100,13 @@ pam_init(pw, promptp, auth)
if (auth != NULL)
auth->data = (void *) &pam_status;
pam_conv.conv = sudo_conv;
- pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh);
+#ifdef HAVE_PAM_LOGIN
+ if (ISSET(sudo_mode, MODE_LOGIN_SHELL))
+ pam_status = pam_start("sudo-i", pw->pw_name, &pam_conv, &pamh);
+ else
+#endif
+ pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh);
+
if (pam_status != PAM_SUCCESS) {
log_error(USE_ERRNO|NO_EXIT|NO_MAIL, "unable to initialize PAM");
return(AUTH_FATAL);
diff -up sudo-1.7.1/configure.in.login sudo-1.7.1/configure.in
--- sudo-1.7.1/configure.in.login 2009-05-02 21:01:33.000000000 +0200
+++ sudo-1.7.1/configure.in 2009-05-02 21:13:59.000000000 +0200
@@ -393,6 +393,17 @@ AC_ARG_WITH(pam, [ --with-pam
;;
esac])
+AC_ARG_WITH(pam-login, [ --with-pam-login enable specific PAM session for sudo -i],
+[case $with_pam_login in
+ yes) AC_DEFINE([HAVE_PAM_LOGIN], [], ["Define to 1 if you use specific PAM session for sodo -i."])
+ AC_MSG_CHECKING(whether to use PAM login)
+ AC_MSG_RESULT(yes)
+ ;;
+ no) ;;
+ *) AC_MSG_ERROR(["--with-pam-login does not take an argument."])
+ ;;
+esac])
+
AC_ARG_WITH(AFS, [ --with-AFS enable AFS support],
[case $with_AFS in
yes) AC_DEFINE(HAVE_AFS)
diff -up sudo-1.7.1/env.c.login sudo-1.7.1/env.c
--- sudo-1.7.1/env.c.login 2009-05-02 21:01:24.000000000 +0200
+++ sudo-1.7.1/env.c 2009-05-02 21:12:28.000000000 +0200
@@ -101,7 +101,7 @@ struct environment {
/*
* Prototypes
*/
-void rebuild_env __P((int, int));
+void rebuild_env __P((int));
static void sudo_setenv __P((const char *, const char *, int));
static void sudo_putenv __P((char *, int, int));
@@ -550,8 +550,7 @@ matches_env_keep(var)
* Also adds sudo-specific variables (SUDO_*).
*/
void
-rebuild_env(sudo_mode, noexec)
- int sudo_mode;
+rebuild_env(noexec)
int noexec;
{
char **old_envp, **ep, *cp, *ps1;
diff -up sudo-1.7.1/sudo.c.login sudo-1.7.1/sudo.c
--- sudo-1.7.1/sudo.c.login 2009-05-02 21:01:49.000000000 +0200
+++ sudo-1.7.1/sudo.c 2009-05-02 21:18:18.000000000 +0200
@@ -123,7 +123,7 @@ static void usage_excl __P((int))
__attribute__((__noreturn__));
static struct passwd *get_authpw __P((void));
extern int sudo_edit __P((int, char **, char **));
-extern void rebuild_env __P((int, int));
+extern void rebuild_env __P((int));
void validate_env_vars __P((struct list_member *));
void insert_env_vars __P((struct list_member *));
@@ -154,6 +154,8 @@ login_cap_t *lc;
char *login_style;
#endif /* HAVE_BSD_AUTH_H */
sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp;
+
+int sudo_mode;
static char *runas_user;
static char *runas_group;
static struct sudo_nss_list *snl;
@@ -169,7 +171,7 @@ main(argc, argv, envp)
char **envp;
{
int sources = 0, validated;
- int fd, cmnd_status, sudo_mode, pwflag, rc = 0;
+ int fd, cmnd_status, pwflag, rc = 0;
sigaction_t sa;
struct sudo_nss *nss;
#if defined(SUDO_DEVEL) && defined(__OpenBSD__)
@@ -408,7 +410,7 @@ main(argc, argv, envp)
def_env_reset = FALSE;
/* Build a new environment that avoids any nasty bits. */
- rebuild_env(sudo_mode, def_noexec);
+ rebuild_env(def_noexec);
/* Fill in passwd struct based on user we are authenticating as. */
auth_pw = get_authpw();
diff -up sudo-1.7.1/sudo.h.login sudo-1.7.1/sudo.h
--- sudo-1.7.1/sudo.h.login 2009-05-02 21:01:42.000000000 +0200
+++ sudo-1.7.1/sudo.h 2009-05-02 21:14:58.000000000 +0200
@@ -332,6 +332,7 @@ extern struct passwd *auth_pw, *list_pw;
extern int tgetpass_flags;
extern int long_list;
extern uid_t timestamp_uid;
+extern int sudo_mode;
#endif
#ifndef errno
extern int errno;
@ -1,400 +0,0 @@
diff -up /dev/null sudo-1.7.2p1/audit_help.c
--- /dev/null 2009-09-09 14:57:12.384002457 +0200
+++ sudo-1.7.2p1/audit_help.c 2009-10-30 12:25:49.000000000 +0100
@@ -0,0 +1,136 @@
+/*
+ * Audit helper functions used throughout sudo
+ *
+ * Copyright (C) 2007, Red Hat, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Julianne F. Haugh nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <config.h>
+
+#ifdef WITH_AUDIT
+#include <stdlib.h>
+#include <syslog.h>
+#include <stdarg.h>
+#include <libaudit.h>
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#endif
+
+int audit_fd = -1;
+
+void audit_help_open (void)
+{
+ audit_fd = audit_open ();
+ if (audit_fd < 0) {
+ /* You get these only when the kernel doesn't have
+ * audit compiled in. */
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+ errno == EAFNOSUPPORT)
+ return;
+ fprintf (stderr, "Cannot open audit interface - aborting.\n");
+ exit (1);
+ }
+}
+
+/*
+ * This function will log a message to the audit system using a predefined
+ * message format. Parameter usage is as follows:
+ *
+ * type - type of message: AUDIT_USER_CMD
+ * command - the command being logged
+ * params - parames of the command
+ * result - 1 is "success" and 0 is "failed"
+ *
+ */
+void audit_logger (int type, const char *command, const char *params, int result)
+{
+ int err;
+ char *msg;
+
+ if( audit_fd < 0 )
+ return;
+ else {
+
+ if( params )
+ err = asprintf(&msg, "%s %s", command, params);
+ else
+ err = asprintf(&msg, "%s", command);
+ if (err < 0) {
+ fprintf (stderr, "Memory allocation for audit message wasn’t possible.\n");
+ return;
+ }
+
+ err = audit_log_user_command (audit_fd, type, msg, NULL, result);
+ /* The kernel supports auditing and we had
+ enough privilege to write to the socket. */
+ if( err <= 0 && !((errno == EPERM && getuid() > 0) || errno == ECONNREFUSED ) ) {
+ perror("audit_log_user_command()");
+ }
+
+ free(msg);
+ }
+}
+
+#ifdef HAVE_SELINUX
+int send_audit_message(int success, security_context_t old_context,
+ security_context_t new_context, const char *ttyn)
+{
+ char *msg = NULL;
+ int rc;
+
+ if (audit_fd < 0)
+ return -1;
+
+ if (asprintf(&msg, "newrole: old-context=%s new-context=%s",
+ old_context ? old_context : "?",
+ new_context ? new_context : "?") < 0) {
+ fprintf(stderr, "Error allocating memory.\n");
+ rc = -1;
+ goto out;
+ }
+
+ rc = audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
+ msg, NULL, NULL, ttyn, success);
+
+ if (rc <= 0) {
+ fprintf(stderr, "Error sending audit message.\n");
+ rc = -1;
+ goto out;
+ }
+ rc = 0;
+
+ out:
+ free(msg);
+ return rc;
+}
+#endif
+#endif /* WITH_AUDIT */
diff -up sudo-1.7.2p1/configure.in.audit sudo-1.7.2p1/configure.in
--- sudo-1.7.2p1/configure.in.audit 2009-10-30 12:25:49.000000000 +0100
+++ sudo-1.7.2p1/configure.in 2009-10-30 12:25:49.000000000 +0100
@@ -180,6 +180,10 @@ dnl
|
|
||||||
dnl Options for --with
|
|
||||||
dnl
|
|
||||||
|
|
||||||
+AC_ARG_WITH(audit,
|
|
||||||
+ [AC_HELP_STRING([--with-audit], [use auditing support @<:@default=yes if found@:>@])],
|
|
||||||
+ [with_audit=$withval], [with_audit=yes])
|
|
||||||
+
|
|
||||||
AC_ARG_WITH(CC, [AS_HELP_STRING([--with-CC], [C compiler to use])],
|
|
||||||
[case $with_CC in
|
|
||||||
yes) AC_MSG_ERROR(["must give --with-CC an argument."])
|
|
||||||
@@ -1743,6 +1747,24 @@ dnl
|
|
||||||
: ${mansectsu='8'}
|
|
||||||
: ${mansectform='5'}
|
|
||||||
|
|
||||||
+AC_SUBST(LIBAUDIT)
|
|
||||||
+if test "$with_audit" = "yes"; then
|
|
||||||
+ # See if we have the audit library
|
|
||||||
+ AC_CHECK_HEADER(libaudit.h, [audit_header="yes"], [audit_header="no"])
|
|
||||||
+ if test "$audit_header" = "yes"; then
|
|
||||||
+ AC_CHECK_LIB(audit, audit_log_user_command,
|
|
||||||
+ [AC_DEFINE(WITH_AUDIT, 1, [Define if you want to enable Audit messages])
|
|
||||||
+ LIBAUDIT="-laudit"])
|
|
||||||
+ fi
|
|
||||||
+ # See if we have the libcap library
|
|
||||||
+ AC_CHECK_HEADERS(sys/capability.h sys/prctl.h, [cap_header="yes"], [cap_header="no"])
|
|
||||||
+ if test "$cap_header" = "yes"; then
|
|
||||||
+ AC_CHECK_LIB(cap, cap_init,
|
|
||||||
+ [AC_DEFINE(HAVE_LIBCAP, 1, [SELinux libcap support])
|
|
||||||
+ SUDO_LIBS="${SUDO_LIBS} -lcap"])
|
|
||||||
+ fi
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
dnl
|
|
||||||
dnl Add in any libpaths or libraries specified via configure
|
|
||||||
dnl
|
|
||||||
diff -up sudo-1.7.2p1/Makefile.in.audit sudo-1.7.2p1/Makefile.in
|
|
||||||
--- sudo-1.7.2p1/Makefile.in.audit 2009-10-30 12:25:49.000000000 +0100
|
|
||||||
+++ sudo-1.7.2p1/Makefile.in 2009-10-30 12:25:49.000000000 +0100
|
|
||||||
@@ -125,6 +125,8 @@ HDRS = bsm_audit.h compat.h def_data.h d
|
|
||||||
|
|
||||||
AUTH_OBJS = sudo_auth.o @AUTH_OBJS@
|
|
||||||
|
|
||||||
+AUDIT_OBJS = audit_help.o
|
|
||||||
+
|
|
||||||
# Note: gram.o must come first here
|
|
||||||
COMMON_OBJS = gram.o alias.o alloc.o defaults.o error.o list.o match.o \
|
|
||||||
toke.o redblack.o zero_bytes.o @NONUNIX_GROUPS_IMPL@
|
|
||||||
@@ -132,7 +134,7 @@ COMMON_OBJS = gram.o alias.o alloc.o def
|
|
||||||
SUDO_OBJS = $(COMMON_OBJS) $(AUTH_OBJS) @SUDO_OBJS@ audit.o check.o env.o \
|
|
||||||
getspwuid.o gettime.o goodpath.o fileops.o find_path.o \
|
|
||||||
interfaces.o lbuf.o logging.o parse.o pwutil.o set_perms.o \
|
|
||||||
- sudo.o sudo_edit.o sudo_nss.o term.o tgetpass.o
|
|
||||||
+ sudo.o sudo_edit.o sudo_nss.o term.o tgetpass.o $(AUDIT_OBJS)
|
|
||||||
|
|
||||||
VISUDO_OBJS = $(COMMON_OBJS) visudo.o fileops.o gettime.o goodpath.o \
|
|
||||||
find_path.o pwutil.o
|
|
||||||
@@ -363,6 +365,9 @@ securid5.o: $(authdir)/securid5.c $(AUTH
|
|
||||||
sia.o: $(authdir)/sia.c $(AUTHDEP)
|
|
||||||
$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/sia.c
|
|
||||||
|
|
||||||
+audit_help.o: audit_help.c sudo.h
|
|
||||||
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(LIBADUIT) $(srcdir)/audit_help.c
|
|
||||||
+
|
|
||||||
sudo.man.in: $(srcdir)/sudo.pod
|
|
||||||
@rm -f $(srcdir)/$@
|
|
||||||
( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" | perl -p sudo.man.pl >> $@ )
|
|
||||||
diff -up sudo-1.7.2p1/set_perms.c.audit sudo-1.7.2p1/set_perms.c
|
|
||||||
--- sudo-1.7.2p1/set_perms.c.audit 2009-06-25 14:44:33.000000000 +0200
|
|
||||||
+++ sudo-1.7.2p1/set_perms.c 2009-10-30 12:32:03.000000000 +0100
|
|
||||||
@@ -48,6 +48,10 @@
|
|
||||||
#ifdef HAVE_LOGIN_CAP_H
|
|
||||||
# include <login_cap.h>
|
|
||||||
#endif
|
|
||||||
+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
|
|
||||||
+# include <sys/prctl.h>
|
|
||||||
+# include <sys/capability.h>
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
#include "sudo.h"
|
|
||||||
|
|
||||||
@@ -130,16 +134,59 @@ set_perms(perm)
|
|
||||||
break;
|
|
||||||
|
|
||||||
case PERM_FULL_RUNAS:
|
|
||||||
- /* headed for exec(), assume euid == ROOT_UID */
|
|
||||||
- runas_setup();
|
|
||||||
- if (setresuid(def_stay_setuid ?
|
|
||||||
- user_uid : runas_pw->pw_uid,
|
|
||||||
- runas_pw->pw_uid, runas_pw->pw_uid)) {
|
|
||||||
- errstr = "unable to change to runas uid";
|
|
||||||
- goto bad;
|
|
||||||
- }
|
|
||||||
+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
|
|
||||||
+ { /* BEGIN CAP BLOCK */
|
|
||||||
+ cap_t new_caps;
|
|
||||||
+ cap_value_t cap_list[] = { CAP_AUDIT_WRITE };
|
|
||||||
+
|
|
||||||
+ if (runas_pw->pw_uid != ROOT_UID) {
|
|
||||||
+ new_caps = cap_init ();
|
|
||||||
+ if (!new_caps) {
|
|
||||||
+ errstr = "Error initing capabilities, aborting.\n";
|
|
||||||
+ goto bad;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if(cap_set_flag(new_caps, CAP_PERMITTED, 1, cap_list, CAP_SET) ||
|
|
||||||
+ cap_set_flag(new_caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET)) {
|
|
||||||
+ errstr = "Error setting capabilities, aborting\n";
|
|
||||||
+ goto bad;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) {
|
|
||||||
+ errstr = "Error setting KEEPCAPS, aborting\n";
|
|
||||||
+ goto bad;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
+ /* headed for exec(), assume euid == ROOT_UID */
|
|
||||||
+ runas_setup();
|
|
||||||
+ if (setresuid(def_stay_setuid ?
|
|
||||||
+ user_uid : runas_pw->pw_uid,
|
|
||||||
+ runas_pw->pw_uid, runas_pw->pw_uid)) {
|
|
||||||
+ errstr = "unable to change to runas uid";
|
|
||||||
+ goto bad;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
|
|
||||||
+ if (runas_pw->pw_uid != ROOT_UID) {
|
|
||||||
+ if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0) {
|
|
||||||
+ errstr = "Error resetting KEEPCAPS, aborting\n";
|
|
||||||
+ goto bad;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (cap_set_proc(new_caps)) {
|
|
||||||
+ errstr = "Error dropping capabilities, aborting\n";
|
|
||||||
+ goto bad;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (cap_free (new_caps)) {
|
|
||||||
+ errstr = "Error freeing caps\n";
|
|
||||||
+ goto bad;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ } /* END CAP BLOCK */
|
|
||||||
+#endif
|
|
||||||
break;
|
|
||||||
-
|
|
||||||
case PERM_SUDOERS:
|
|
||||||
/* assume euid == ROOT_UID, ruid == user */
|
|
||||||
if (setresgid(-1, SUDOERS_GID, -1))
|
|
||||||
diff -up sudo-1.7.2p1/sudo.c.audit sudo-1.7.2p1/sudo.c
|
|
||||||
--- sudo-1.7.2p1/sudo.c.audit 2009-10-30 12:25:49.000000000 +0100
|
|
||||||
+++ sudo-1.7.2p1/sudo.c 2009-10-30 12:25:49.000000000 +0100
|
|
||||||
@@ -95,6 +95,10 @@
|
|
||||||
# include <selinux/selinux.h>
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+#ifdef WITH_AUDIT
|
|
||||||
+#include <libaudit.h>
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
#include <sudo_usage.h>
|
|
||||||
#include "sudo.h"
|
|
||||||
#include "lbuf.h"
|
|
||||||
@@ -372,7 +376,7 @@ main(argc, argv, envp)
|
|
||||||
|
|
||||||
if (safe_cmnd == NULL)
|
|
||||||
safe_cmnd = estrdup(user_cmnd);
|
|
||||||
-
|
|
||||||
+
|
|
||||||
#ifdef HAVE_SETLOCALE
|
|
||||||
setlocale(LC_ALL, "");
|
|
||||||
#endif
|
|
||||||
@@ -538,12 +542,26 @@ main(argc, argv, envp)
|
|
||||||
(void) sigaction(SIGQUIT, &saved_sa_quit, NULL);
|
|
||||||
(void) sigaction(SIGTSTP, &saved_sa_tstp, NULL);
|
|
||||||
|
|
||||||
+ closefrom(def_closefrom + 1);
|
|
||||||
+
|
|
||||||
+#if defined(WITH_AUDIT)
|
|
||||||
+ audit_help_open ();
|
|
||||||
+#endif
|
|
||||||
+ if (access(safe_cmnd, X_OK) != 0) {
|
|
||||||
+ warn ("unable to execute %s", safe_cmnd);
|
|
||||||
+#ifdef WITH_AUDIT
|
|
||||||
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
|
|
||||||
+#endif
|
|
||||||
+ exit(127);
|
|
||||||
+ }
|
|
||||||
+#ifdef WITH_AUDIT
|
|
||||||
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 1);
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
/* Close the password and group files and free up memory. */
|
|
||||||
sudo_endpwent();
|
|
||||||
sudo_endgrent();
|
|
||||||
|
|
||||||
- closefrom(def_closefrom + 1);
|
|
||||||
-
|
|
||||||
#ifndef PROFILING
|
|
||||||
if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0) {
|
|
||||||
syslog(LOG_AUTH|LOG_ERR, "fork");
|
|
||||||
@@ -568,11 +586,17 @@ main(argc, argv, envp)
|
|
||||||
NewArgv[1] = safe_cmnd;
|
|
||||||
execv(_PATH_BSHELL, NewArgv);
|
|
||||||
}
|
|
||||||
+#ifdef WITH_AUDIT
|
|
||||||
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
|
|
||||||
+#endif
|
|
||||||
warning("unable to execute %s", safe_cmnd);
|
|
||||||
exit(127);
|
|
||||||
} else if (ISSET(validated, FLAG_NO_USER | FLAG_NO_HOST)) {
|
|
||||||
audit_failure(NewArgv, "No user or host");
|
|
||||||
log_denial(validated, 1);
|
|
||||||
+#ifdef WITH_AUDIT
|
|
||||||
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
|
|
||||||
+#endif
|
|
||||||
exit(1);
|
|
||||||
} else {
|
|
||||||
if (def_path_info) {
|
|
||||||
@@ -594,6 +618,9 @@ main(argc, argv, envp)
|
|
||||||
log_denial(validated, 1);
|
|
||||||
}
|
|
||||||
audit_failure(NewArgv, "validation failure");
|
|
||||||
+#ifdef WITH_AUDIT
|
|
||||||
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
|
|
||||||
+#endif
|
|
||||||
exit(1);
|
|
||||||
}
|
|
||||||
exit(0); /* not reached */
|
|
||||||
diff -up sudo-1.7.2p1/sudo.h.audit sudo-1.7.2p1/sudo.h
|
|
||||||
--- sudo-1.7.2p1/sudo.h.audit 2009-10-30 12:25:49.000000000 +0100
|
|
||||||
+++ sudo-1.7.2p1/sudo.h 2009-10-30 12:39:16.000000000 +0100
|
|
||||||
@@ -24,6 +24,8 @@
|
|
||||||
#ifndef _SUDO_SUDO_H
|
|
||||||
#define _SUDO_SUDO_H
|
|
||||||
|
|
||||||
+#include <config.h>
|
|
||||||
+
|
|
||||||
#include <pathnames.h>
|
|
||||||
#include <limits.h>
|
|
||||||
#include "compat.h"
|
|
||||||
@@ -340,4 +342,14 @@ extern int sudo_mode;
|
|
||||||
extern int errno;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+#ifdef WITH_AUDIT
|
|
||||||
+extern int audit_fd;
|
|
||||||
+extern void audit_help_open (void);
|
|
||||||
+extern void audit_logger (int, const char *, const char *, int);
|
|
||||||
+#ifdef HAVE_SELINUX
|
|
||||||
+# include <selinux/selinux.h>
|
|
||||||
+extern int send_audit_message(int, security_context_t, security_context_t, const char *);
|
|
||||||
+#endif /* HAVE_SELINUX */
|
|
||||||
+#endif /* WITH_AUDIT */
|
|
||||||
+
|
|
||||||
#endif /* _SUDO_SUDO_H */
|
|
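--- a/[placeholder: deleted file 2, path not on page]
+++ /dev/null
@@ -1,111 +0,0 @@
-diff -up sudo-1.7.2p1/auth/pam.c.login sudo-1.7.2p1/auth/pam.c
---- sudo-1.7.2p1/auth/pam.c.login 2009-05-25 14:02:42.000000000 +0200
-+++ sudo-1.7.2p1/auth/pam.c 2009-10-30 12:15:48.000000000 +0100
-@@ -100,7 +100,13 @@ pam_init(pw, promptp, auth)
-if (auth != NULL)
-auth->data = (void *) &pam_status;
-pam_conv.conv = sudo_conv;
-- pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh);
-+#ifdef HAVE_PAM_LOGIN
-+ if (ISSET(sudo_mode, MODE_LOGIN_SHELL))
-+ pam_status = pam_start("sudo-i", pw->pw_name, &pam_conv, &pamh);
-+ else
-+#endif
-+ pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh);
-+
-if (pam_status != PAM_SUCCESS) {
-log_error(USE_ERRNO|NO_EXIT|NO_MAIL, "unable to initialize PAM");
-return(AUTH_FATAL);
-diff -up sudo-1.7.2p1/configure.in.login sudo-1.7.2p1/configure.in
---- sudo-1.7.2p1/configure.in.login 2009-07-20 15:34:37.000000000 +0200
-+++ sudo-1.7.2p1/configure.in 2009-10-30 12:16:24.000000000 +0100
-@@ -394,6 +394,17 @@ AC_ARG_WITH(pam, [AS_HELP_STRING([--with
-;;
-esac])
-
-+AC_ARG_WITH(pam-login, [ --with-pam-login enable specific PAM session for sudo -i],
-+[case $with_pam_login in
-+ yes) AC_DEFINE([HAVE_PAM_LOGIN], [], ["Define to 1 if you use specific PAM session for sodo -i."])
-+ AC_MSG_CHECKING(whether to use PAM login)
-+ AC_MSG_RESULT(yes)
-+ ;;
-+ no) ;;
-+ *) AC_MSG_ERROR(["--with-pam-login does not take an argument."])
-+ ;;
-+esac])
-+
-AC_ARG_WITH(AFS, [AS_HELP_STRING([--with-AFS], [enable AFS support])],
-[case $with_AFS in
-yes) AC_DEFINE(HAVE_AFS)
-diff -up sudo-1.7.2p1/env.c.login sudo-1.7.2p1/env.c
---- sudo-1.7.2p1/env.c.login 2009-06-23 20:24:42.000000000 +0200
-+++ sudo-1.7.2p1/env.c 2009-10-30 12:15:48.000000000 +0100
-@@ -102,7 +102,7 @@ struct environment {
-/*
-* Prototypes
-*/
--void rebuild_env __P((int, int));
-+void rebuild_env __P((int));
-static void sudo_setenv __P((const char *, const char *, int));
-static void sudo_putenv __P((char *, int, int));
-
-@@ -562,8 +562,7 @@ matches_env_keep(var)
-* Also adds sudo-specific variables (SUDO_*).
-*/
-void
--rebuild_env(sudo_mode, noexec)
-- int sudo_mode;
-+rebuild_env(noexec)
-int noexec;
-{
-char **old_envp, **ep, *cp, *ps1;
-diff -up sudo-1.7.2p1/sudo.c.login sudo-1.7.2p1/sudo.c
---- sudo-1.7.2p1/sudo.c.login 2009-05-27 02:49:07.000000000 +0200
-+++ sudo-1.7.2p1/sudo.c 2009-10-30 12:15:48.000000000 +0100
-@@ -126,7 +126,7 @@ static void usage_excl __P((int))
-__attribute__((__noreturn__));
-static struct passwd *get_authpw __P((void));
-extern int sudo_edit __P((int, char **, char **));
--extern void rebuild_env __P((int, int));
-+extern void rebuild_env __P((int));
-void validate_env_vars __P((struct list_member *));
-void insert_env_vars __P((struct list_member *));
-
-@@ -157,6 +157,8 @@ login_cap_t *lc;
-char *login_style;
-#endif /* HAVE_BSD_AUTH_H */
-sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp;
-+
-+int sudo_mode;
-static char *runas_user;
-static char *runas_group;
-static struct sudo_nss_list *snl;
-@@ -172,7 +174,7 @@ main(argc, argv, envp)
-char **envp;
-{
-int sources = 0, validated;
-- int fd, cmnd_status, sudo_mode, pwflag, rc = 0;
-+ int fd, cmnd_status, pwflag, rc = 0;
-sigaction_t sa;
-struct sudo_nss *nss;
-#if defined(SUDO_DEVEL) && defined(__OpenBSD__)
-@@ -421,7 +423,7 @@ main(argc, argv, envp)
-def_env_reset = FALSE;
-
-/* Build a new environment that avoids any nasty bits. */
-- rebuild_env(sudo_mode, def_noexec);
-+ rebuild_env(def_noexec);
-
-/* Fill in passwd struct based on user we are authenticating as. */
-auth_pw = get_authpw();
-diff -up sudo-1.7.2p1/sudo.h.login sudo-1.7.2p1/sudo.h
---- sudo-1.7.2p1/sudo.h.login 2009-05-25 14:02:41.000000000 +0200
-+++ sudo-1.7.2p1/sudo.h 2009-10-30 12:15:48.000000000 +0100
-@@ -334,6 +334,7 @@ extern struct passwd *auth_pw, *list_pw;
-extern int tgetpass_flags;
-extern int long_list;
-extern uid_t timestamp_uid;
-+extern int sudo_mode;
-#endif
-#ifndef errno
-extern int errno;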
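--- a/[placeholder: deleted file 3, path not on page]
+++ /dev/null
@@ -1,38 +0,0 @@
-diff -up sudo-1.7.2p2/toke.c.empty sudo-1.7.2p2/toke.c
---- sudo-1.7.2p2/toke.c.empty 2010-02-16 23:13:23.000000000 +0100
-+++ sudo-1.7.2p2/toke.c 2010-02-16 23:17:57.000000000 +0100
-@@ -1421,6 +1421,7 @@ __unused static const char rcsid[] = "$S
-#endif /* lint */
-
-extern YYSTYPE yylval;
-+extern int parse_error;
-int sudolineno = 1;
-char *sudoers;
-static int sawspace = 0;
-@@ -1880,7 +1881,7 @@ YY_RULE_SETUP
-LEXTRACE("INCLUDEDIR\n");
-
-/* Push current buffer and switch to include file */
-- if (!push_includedir(path))
-+ if (!push_includedir(path) && parse_error)
-yyterminate();
-}
-YY_BREAK
-@@ -3369,7 +3370,7 @@ switch_dir(stack, dirpath)
-
-if (!(dir = opendir(dirpath))) {
-yyerror(dirpath);
-- return(FALSE);
-+ return(NULL);
-}
-while ((dent = readdir(dir))) {
-/* Ignore files that end in '~' or have a '.' in them. */
-@@ -3494,7 +3495,7 @@ _push_include(path, isdir)
-}
-if (isdir) {
-if (!(path = switch_dir(&istack[idepth], path))) {
-- yyerror(path);
-+ /* yyerror(path); */
-return(FALSE);
-}
-if ((fp = open_sudoers(path, FALSE, &keepopen)) == NULL) {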
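--- a/[placeholder: deleted file 4, path not on page]
+++ /dev/null
@@ -1,83 +0,0 @@
-diff -up sudo-1.7.2p2/env.c.orig sudo-1.7.2p2/env.c
---- sudo-1.7.2p2/env.c.orig 2010-06-01 13:19:54.000000000 +0200
-+++ sudo-1.7.2p2/env.c 2010-06-01 13:26:22.000000000 +0200
-@@ -321,7 +321,7 @@ int
-unsetenv(var)
-const char *var;
-{
-- char **ep;
-+ char **ep = env.envp;
-size_t len;
-
-if (strchr(var, '=') != NULL) {
-@@ -359,13 +359,15 @@ unsetenv(var)
-}
-
-len = strlen(var);
-- for (ep = env.envp; *ep; ep++) {
-+ while (*ep != NULL) {
-if (strncmp(var, *ep, len) == 0 && (*ep)[len] == '=') {
-/* Found it; shift remainder + NULL over by one and update len. */
-memmove(ep, ep + 1,
-(env.env_len - (ep - env.envp)) * sizeof(char *));
-env.env_len--;
-- break;
-+ /* Keep going, could be multiple instances of the var. */
-+ } else {
-+ ep++;
-}
-}
-#ifndef UNSETENV_VOID
-@@ -433,6 +435,7 @@ sudo_putenv(str, dupcheck, overwrite)
-{
-char **ep;
-size_t len;
-+ int found = FALSE;
-
-/* Make sure there is room for the new entry plus a NULL. */
-if (env.env_len + 2 > env.env_size) {
-@@ -451,20 +454,34 @@ sudo_putenv(str, dupcheck, overwrite)
-#endif
-
-if (dupcheck) {
-- len = (strchr(str, '=') - str) + 1;
-- for (ep = env.envp; *ep; ep++) {
-+ len = (strchr(str, '=') - str) + 1;
-+ for (ep = env.envp; !found && *ep != NULL; ep++) {
-+ if (strncmp(str, *ep, len) == 0) {
-+ if (overwrite)
-+ *ep = str;
-+ found = TRUE;
-+ }
-+ }
-+ /* Prune out duplicate variables. */
-+ if (found && overwrite) {
-+ while (*ep != NULL) {
-if (strncmp(str, *ep, len) == 0) {
-- if (overwrite)
-- *ep = str;
-- return;
-+ memmove(ep, ep + 1,
-+ (env.env_len - (ep - env.envp)) * sizeof(char *));
-+ env.env_len--;
-+ } else {
-+ ep++;
-}
-}
-- } else
-- ep = env.envp + env.env_len;
-+ }
-+ }
-
-- env.env_len++;
-- *ep++ = str;
-- *ep = NULL;
-+ if (!found) {
-+ ep = env.envp + env.env_len;
-+ env.env_len++;
-+ *ep++ = str;
-+ *ep = NULL;
-+ }
-}
-
-/*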
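--- a/[placeholder: deleted file 5, path not on page]
+++ /dev/null
@@ -1,32 +0,0 @@
-diff -up sudo-1.7.2p2/configure.in.libaudit sudo-1.7.2p2/configure.in
---- sudo-1.7.2p2/configure.in.libaudit 2010-02-10 16:21:26.000000000 +0100
-+++ sudo-1.7.2p2/configure.in 2010-02-10 16:21:26.000000000 +0100
-@@ -1752,7 +1752,6 @@ dnl
-: ${mansectsu='8'}
-: ${mansectform='5'}
-
--AC_SUBST(LIBAUDIT)
-if test "$with_audit" = "yes"; then
-# See if we have the audit library
-AC_CHECK_HEADER(libaudit.h, [audit_header="yes"], [audit_header="no"])
-@@ -1770,6 +1769,8 @@ if test "$with_audit" = "yes"; then
-fi
-fi
-
-+AC_SUBST(LIBAUDIT)
-+
-dnl
-dnl Add in any libpaths or libraries specified via configure
-dnl
-diff -up sudo-1.7.2p2/Makefile.in.libaudit sudo-1.7.2p2/Makefile.in
---- sudo-1.7.2p2/Makefile.in.libaudit 2010-02-10 16:26:06.000000000 +0100
-+++ sudo-1.7.2p2/Makefile.in 2010-02-10 16:26:40.000000000 +0100
-@@ -44,7 +44,7 @@ INSTALL = $(SHELL) $(srcdir)/install-sh
-# Libraries
-LIBS = @LIBS@
-NET_LIBS = @NET_LIBS@
--SUDO_LIBS = @SUDO_LIBS@ @AFS_LIBS@ @GETGROUPS_LIB@ $(LIBS) $(NET_LIBS)
-+SUDO_LIBS = @SUDO_LIBS@ @AFS_LIBS@ @GETGROUPS_LIB@ @LIBAUDIT@ $(LIBS) $(NET_LIBS)
-
-# C preprocessor flags
-CPPFLAGS = -I. -I$(srcdir) @CPPFLAGS@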
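--- a/[placeholder: deleted file 6, path not on page]
+++ /dev/null
@@ -1,33 +0,0 @@
-diff -up sudo-1.7.2p2/toke.c.loop sudo-1.7.2p2/toke.c
---- sudo-1.7.2p2/toke.c.loop 2010-02-09 12:48:33.000000000 +0100
-+++ sudo-1.7.2p2/toke.c 2010-02-09 16:54:17.000000000 +0100
-@@ -3461,7 +3461,7 @@ init_lexer()
-efree(pl);
-}
-efree(istack[idepth].path);
-- if (!istack[idepth].keepopen)
-+ if (idepth && !istack[idepth].keepopen)
-fclose(istack[idepth].bs->yy_input_file);
-yy_delete_buffer(istack[idepth].bs);
-}
-@@ -3486,7 +3486,7 @@ _push_include(path, isdir)
-}
-istacksize += SUDOERS_STACK_INCREMENT;
-istack = (struct include_stack *) realloc(istack,
-- sizeof(istack) * istacksize);
-+ sizeof(*istack) * istacksize);
-if (istack == NULL) {
-yyerror("unable to allocate memory");
-return(FALSE);
-diff -up sudo-1.7.2p2/toke.l.loop sudo-1.7.2p2/toke.l
---- sudo-1.7.2p2/toke.l.loop 2010-02-09 12:48:30.000000000 +0100
-+++ sudo-1.7.2p2/toke.l 2010-02-09 13:18:27.000000000 +0100
-@@ -869,7 +869,7 @@ _push_include(path, isdir)
-}
-istacksize += SUDOERS_STACK_INCREMENT;
-istack = (struct include_stack *) realloc(istack,
-- sizeof(istack) * istacksize);
-+ sizeof(*istack) * istacksize);
-if (istack == NULL) {
-yyerror("unable to allocate memory");
-return(FALSE);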
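--- a/[placeholder: deleted file 7, path not on page]
+++ /dev/null
@@ -1,40 +0,0 @@
-diff -up sudo-1.7.2p4/check.c.getgrouplist sudo-1.7.2p4/check.c
---- sudo-1.7.2p4/check.c.getgrouplist 2009-05-25 14:02:41.000000000 +0200
-+++ sudo-1.7.2p4/check.c 2010-03-01 11:27:38.000000000 +0100
-@@ -353,6 +353,24 @@ user_is_exempt()
-return(TRUE);
-}
-
-+#ifdef HAVE_GETGROUPLIST
-+ {
-+ gid_t *grouplist, grouptmp;
-+ int n_groups, i;
-+ n_groups = 1;
-+ if (getgrouplist(user_name, user_gid, &grouptmp, &n_groups) == -1) {
-+ grouplist = (gid_t *) emalloc(sizeof(gid_t) * (n_groups + 1));
-+ if (getgrouplist(user_name, user_gid, grouplist, &n_groups) > 0)
-+ for (i = 0; i < n_groups; i++)
-+ if (grouplist[i] == grp->gr_gid) {
-+ free(grouplist);
-+ return(TRUE);
-+ }
-+ free(grouplist);
-+ }
-+ }
-+#endif
-+
-return(FALSE);
-}
-
-diff -up sudo-1.7.2p4/configure.in.getgrouplist sudo-1.7.2p4/configure.in
---- sudo-1.7.2p4/configure.in.getgrouplist 2010-03-01 11:27:38.000000000 +0100
-+++ sudo-1.7.2p4/configure.in 2010-03-01 11:29:45.000000000 +0100
-@@ -1852,7 +1852,7 @@ dnl
-AC_FUNC_GETGROUPS
-AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \
-strftime setrlimit initgroups getgroups fstat gettimeofday \
-- setlocale getaddrinfo setsid setenv setrlimit64)
-+ setlocale getaddrinfo setsid setenv setrlimit64 getgrouplist)
-AC_CHECK_FUNCS(unsetenv, SUDO_FUNC_UNSETENV_VOID)
-SUDO_FUNC_PUTENV_CONST
-if test -z "$SKIP_SETRESUID"; then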
@ -1,401 +0,0 @@
|
|||||||
diff -up /dev/null sudo-1.7.2p6/audit_help.c
|
|
||||||
--- /dev/null 2010-03-17 15:58:02.830002615 +0100
|
|
||||||
+++ sudo-1.7.2p6/audit_help.c 2010-04-14 15:25:49.000000000 +0200
|
|
||||||
@@ -0,0 +1,136 @@
|
|
||||||
+/*
|
|
||||||
+ * Audit helper functions used throughout sudo
|
|
||||||
+ *
|
|
||||||
+ * Copyright (C) 2007, Red Hat, Inc.
|
|
||||||
+ *
|
|
||||||
+ * Redistribution and use in source and binary forms, with or without
|
|
||||||
+ * modification, are permitted provided that the following conditions
|
|
||||||
+ * are met:
|
|
||||||
+ * 1. Redistributions of source code must retain the above copyright
|
|
||||||
+ * notice, this list of conditions and the following disclaimer.
|
|
||||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
||||||
+ * notice, this list of conditions and the following disclaimer in the
|
|
||||||
+ * documentation and/or other materials provided with the distribution.
|
|
||||||
+ * 3. Neither the name of Julianne F. Haugh nor the names of its contributors
|
|
||||||
+ * may be used to endorse or promote products derived from this software
|
|
||||||
+ * without specific prior written permission.
|
|
||||||
+ *
|
|
||||||
+ * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND
|
|
||||||
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
||||||
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
||||||
+ * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE
|
|
||||||
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
||||||
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
||||||
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
||||||
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
||||||
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
||||||
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
||||||
+ * SUCH DAMAGE.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#include <config.h>
|
|
||||||
+
|
|
||||||
+#ifdef WITH_AUDIT
|
|
||||||
+#include <stdlib.h>
|
|
||||||
+#include <syslog.h>
|
|
||||||
+#include <stdarg.h>
|
|
||||||
+#include <libaudit.h>
|
|
||||||
+#include <errno.h>
|
|
||||||
+#include <stdio.h>
|
|
||||||
+#include <string.h>
|
|
||||||
+#include <unistd.h>
|
|
||||||
+#include <sys/types.h>
|
|
||||||
+
|
|
||||||
+#ifdef HAVE_SELINUX
|
|
||||||
+#include <selinux/selinux.h>
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+int audit_fd = -1;
|
|
||||||
+
|
|
||||||
+void audit_help_open (void)
|
|
||||||
+{
|
|
||||||
+ audit_fd = audit_open ();
|
|
||||||
+ if (audit_fd < 0) {
|
|
||||||
+ /* You get these only when the kernel doesn't have
|
|
||||||
+ * audit compiled in. */
|
|
||||||
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
|
|
||||||
+ errno == EAFNOSUPPORT)
|
|
||||||
+ return;
|
|
||||||
+ fprintf (stderr, "Cannot open audit interface - aborting.\n");
|
|
||||||
+ exit (1);
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * This function will log a message to the audit system using a predefined
|
|
||||||
+ * message format. Parameter usage is as follows:
|
|
||||||
+ *
|
|
||||||
+ * type - type of message: AUDIT_USER_CMD
|
|
||||||
+ * command - the command being logged
|
|
||||||
+ * params - parames of the command
|
|
||||||
+ * result - 1 is "success" and 0 is "failed"
|
|
||||||
+ *
|
|
||||||
+ */
|
|
||||||
+void audit_logger (int type, const char *command, const char *params, int result)
|
|
||||||
+{
|
|
||||||
+ int err;
|
|
||||||
+ char *msg;
|
|
||||||
+
|
|
||||||
+ if( audit_fd < 0 )
|
|
||||||
+ return;
|
|
||||||
+ else {
|
|
||||||
+
|
|
||||||
+ if( params )
|
|
||||||
+ err = asprintf(&msg, "%s %s", command, params);
|
|
||||||
+ else
|
|
||||||
+ err = asprintf(&msg, "%s", command);
|
|
||||||
+ if (err < 0) {
|
|
||||||
+ fprintf (stderr, "Memory allocation for audit message wasn’t possible.\n");
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ err = audit_log_user_command (audit_fd, type, msg, NULL, result);
|
|
||||||
+ /* The kernel supports auditing and we had
|
|
||||||
+ enough privilege to write to the socket. */
|
|
||||||
+ if( err <= 0 && !((errno == EPERM && getuid() > 0) || errno == ECONNREFUSED ) ) {
|
|
||||||
+ perror("audit_log_user_command()");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ free(msg);
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#ifdef HAVE_SELINUX
|
|
||||||
+int send_audit_message(int success, security_context_t old_context,
|
|
||||||
+ security_context_t new_context, const char *ttyn)
|
|
||||||
+{
|
|
||||||
+ char *msg = NULL;
|
|
||||||
+ int rc;
|
|
||||||
+
|
|
||||||
+ if (audit_fd < 0)
|
|
||||||
+ return -1;
|
|
||||||
+
|
|
||||||
+ if (asprintf(&msg, "newrole: old-context=%s new-context=%s",
|
|
||||||
+ old_context ? old_context : "?",
|
|
||||||
+ new_context ? new_context : "?") < 0) {
|
|
||||||
+ fprintf(stderr, "Error allocating memory.\n");
|
|
||||||
+ rc = -1;
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ rc = audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
|
|
||||||
+ msg, NULL, NULL, ttyn, success);
|
|
||||||
+
|
|
||||||
+ if (rc <= 0) {
|
|
||||||
+ fprintf(stderr, "Error sending audit message.\n");
|
|
||||||
+ rc = -1;
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+ rc = 0;
|
|
||||||
+
|
|
||||||
+ out:
|
|
||||||
+ free(msg);
|
|
||||||
+ return rc;
|
|
||||||
+}
|
|
||||||
+#endif
|
|
||||||
+#endif /* WITH_AUDIT */
|
|
||||||
diff -up sudo-1.7.2p6/configure.in.audit sudo-1.7.2p6/configure.in
|
|
||||||
--- sudo-1.7.2p6/configure.in.audit 2010-04-14 15:25:49.000000000 +0200
|
|
||||||
+++ sudo-1.7.2p6/configure.in 2010-04-14 15:25:49.000000000 +0200
|
|
||||||
@@ -181,6 +181,10 @@ dnl
|
|
||||||
dnl Options for --with
|
|
||||||
dnl
|
|
||||||
|
|
||||||
+AC_ARG_WITH(audit,
|
|
||||||
+ [AC_HELP_STRING([--with-audit], [use auditing support @<:@default=yes if found@:>@])],
|
|
||||||
+ [with_audit=$withval], [with_audit=yes])
|
|
||||||
+
|
|
||||||
AC_ARG_WITH(CC, [AS_HELP_STRING([--with-CC], [C compiler to use])],
|
|
||||||
[case $with_CC in
|
|
||||||
yes) AC_MSG_ERROR(["must give --with-CC an argument."])
|
|
||||||
@@ -1747,6 +1751,24 @@ dnl
|
|
||||||
: ${mansectsu='8'}
|
|
||||||
: ${mansectform='5'}
|
|
||||||
|
|
||||||
+
|
|
||||||
+if test "$with_audit" = "yes"; then
|
|
||||||
+ # See if we have the audit library
|
|
||||||
+ AC_CHECK_HEADER(libaudit.h, [audit_header="yes"], [audit_header="no"])
|
|
||||||
+ if test "$audit_header" = "yes"; then
|
|
||||||
+ AC_CHECK_LIB(audit, audit_log_user_command,
|
|
||||||
+ [AC_DEFINE(WITH_AUDIT, 1, [Define if you want to enable Audit messages])
|
|
||||||
+ LIBAUDIT="-laudit"])
|
|
||||||
+ fi
|
|
||||||
+ # See if we have the libcap library
|
|
||||||
+ AC_CHECK_HEADERS(sys/capability.h sys/prctl.h, [cap_header="yes"], [cap_header="no"])
|
|
||||||
+ if test "$cap_header" = "yes"; then
|
|
||||||
+ AC_CHECK_LIB(cap, cap_init,
|
|
||||||
+ [AC_DEFINE(HAVE_LIBCAP, 1, [SELinux libcap support])
|
|
||||||
+ SUDO_LIBS="${SUDO_LIBS} -lcap"])
|
|
||||||
+ fi
|
|
||||||
+fi
|
|
||||||
+AC_SUBST(LIBAUDIT)
|
|
||||||
dnl
|
|
||||||
dnl Add in any libpaths or libraries specified via configure
|
|
||||||
dnl
|
|
||||||
diff -up sudo-1.7.2p6/Makefile.in.audit sudo-1.7.2p6/Makefile.in
|
|
||||||
--- sudo-1.7.2p6/Makefile.in.audit 2010-04-14 15:25:49.000000000 +0200
|
|
||||||
+++ sudo-1.7.2p6/Makefile.in 2010-04-14 15:25:49.000000000 +0200
|
|
||||||
@@ -44,7 +44,7 @@ INSTALL = $(SHELL) $(srcdir)/install-sh
# Libraries
LIBS = @LIBS@
NET_LIBS = @NET_LIBS@
-SUDO_LIBS = @SUDO_LIBS@ @AFS_LIBS@ @GETGROUPS_LIB@ $(LIBS) $(NET_LIBS)
+SUDO_LIBS = @SUDO_LIBS@ @AFS_LIBS@ @GETGROUPS_LIB@ @LIBAUDIT@ $(LIBS) $(NET_LIBS)
# C preprocessor flags
CPPFLAGS = -I. -I$(srcdir) @CPPFLAGS@
@@ -123,6 +123,8 @@ HDRS = bsm_audit.h compat.h def_data.h d
AUTH_OBJS = sudo_auth.o @AUTH_OBJS@
+AUDIT_OBJS = audit_help.o
+
# Note: gram.o must come first here
COMMON_OBJS = gram.o alias.o alloc.o defaults.o error.o list.o match.o \
toke.o redblack.o zero_bytes.o @NONUNIX_GROUPS_IMPL@
@@ -130,7 +132,7 @@ COMMON_OBJS = gram.o alias.o alloc.o def
SUDO_OBJS = $(COMMON_OBJS) $(AUTH_OBJS) @SUDO_OBJS@ audit.o check.o env.o \
getspwuid.o gettime.o goodpath.o fileops.o find_path.o \
interfaces.o lbuf.o logging.o parse.o pwutil.o set_perms.o \
- sudo.o sudo_edit.o sudo_nss.o term.o tgetpass.o
+ sudo.o sudo_edit.o sudo_nss.o term.o tgetpass.o $(AUDIT_OBJS)
VISUDO_OBJS = $(COMMON_OBJS) visudo.o fileops.o gettime.o goodpath.o \
find_path.o pwutil.o
@@ -361,6 +363,9 @@ securid5.o: $(authdir)/securid5.c $(AUTH
sia.o: $(authdir)/sia.c $(AUTHDEP)
$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/sia.c
+audit_help.o: audit_help.c sudo.h
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(LIBADUIT) $(srcdir)/audit_help.c
+
sudo.man.in: $(srcdir)/sudo.pod
@rm -f $(srcdir)/$@
( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" | perl -p sudo.man.pl >> $@ )
diff -up sudo-1.7.2p6/set_perms.c.audit sudo-1.7.2p6/set_perms.c
--- sudo-1.7.2p6/set_perms.c.audit 2010-04-09 12:12:02.000000000 +0200
+++ sudo-1.7.2p6/set_perms.c 2010-04-14 15:25:49.000000000 +0200
@@ -48,6 +48,10 @@
#ifdef HAVE_LOGIN_CAP_H
# include <login_cap.h>
#endif
+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
+# include <sys/prctl.h>
+# include <sys/capability.h>
+#endif
#include "sudo.h"
@@ -126,16 +130,59 @@ set_perms(perm)
break;
case PERM_FULL_RUNAS:
- /* headed for exec(), assume euid == ROOT_UID */
- runas_setup();
- if (setresuid(def_stay_setuid ?
- user_uid : runas_pw->pw_uid,
- runas_pw->pw_uid, runas_pw->pw_uid)) {
- errstr = "unable to change to runas uid";
- goto bad;
- }
+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
+ { /* BEGIN CAP BLOCK */
+ cap_t new_caps;
+ cap_value_t cap_list[] = { CAP_AUDIT_WRITE };
+
+ if (runas_pw->pw_uid != ROOT_UID) {
+ new_caps = cap_init ();
+ if (!new_caps) {
+ errstr = "Error initing capabilities, aborting.\n";
+ goto bad;
+ }
+
+ if(cap_set_flag(new_caps, CAP_PERMITTED, 1, cap_list, CAP_SET) ||
+ cap_set_flag(new_caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET)) {
+ errstr = "Error setting capabilities, aborting\n";
+ goto bad;
+ }
+
+ if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) {
+ errstr = "Error setting KEEPCAPS, aborting\n";
+ goto bad;
+ }
+ }
+#endif
+ /* headed for exec(), assume euid == ROOT_UID */
+ runas_setup();
+ if (setresuid(def_stay_setuid ?
+ user_uid : runas_pw->pw_uid,
+ runas_pw->pw_uid, runas_pw->pw_uid)) {
+ errstr = "unable to change to runas uid";
+ goto bad;
+ }
+
+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
+ if (runas_pw->pw_uid != ROOT_UID) {
+ if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0) {
+ errstr = "Error resetting KEEPCAPS, aborting\n";
+ goto bad;
+ }
+
+ if (cap_set_proc(new_caps)) {
+ errstr = "Error dropping capabilities, aborting\n";
+ goto bad;
+ }
+
+ if (cap_free (new_caps)) {
+ errstr = "Error freeing caps\n";
+ goto bad;
+ }
+ }
+ } /* END CAP BLOCK */
+#endif
break;
-
case PERM_SUDOERS:
/* assume euid == ROOT_UID, ruid == user */
if (setresgid(-1, SUDOERS_GID, -1))
diff -up sudo-1.7.2p6/sudo.c.audit sudo-1.7.2p6/sudo.c
--- sudo-1.7.2p6/sudo.c.audit 2010-04-14 15:25:49.000000000 +0200
+++ sudo-1.7.2p6/sudo.c 2010-04-14 15:31:47.000000000 +0200
@@ -95,6 +95,10 @@
# include <selinux/selinux.h>
#endif
+#ifdef WITH_AUDIT
+#include <libaudit.h>
+#endif
+
#include <sudo_usage.h>
#include "sudo.h"
#include "lbuf.h"
@@ -368,7 +372,7 @@ main(argc, argv, envp)
if (safe_cmnd == NULL)
safe_cmnd = estrdup(user_cmnd);
-
+
#ifdef HAVE_SETLOCALE
setlocale(LC_ALL, "");
#endif
@@ -540,6 +544,20 @@ main(argc, argv, envp)
closefrom(def_closefrom);
+#if defined(WITH_AUDIT)
+ audit_help_open ();
+#endif
+ if (access(safe_cmnd, X_OK) != 0) {
+ warn ("unable to execute %s", safe_cmnd);
+#ifdef WITH_AUDIT
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
+#endif
+ exit(127);
+ }
+#ifdef WITH_AUDIT
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 1);
+#endif
+
#ifndef PROFILING
if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0) {
syslog(LOG_AUTH|LOG_ERR, "fork");
@@ -564,11 +582,17 @@ main(argc, argv, envp)
NewArgv[1] = safe_cmnd;
execv(_PATH_BSHELL, NewArgv);
}
+#ifdef WITH_AUDIT
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
+#endif
warning("unable to execute %s", safe_cmnd);
exit(127);
} else if (ISSET(validated, FLAG_NO_USER | FLAG_NO_HOST)) {
audit_failure(NewArgv, "No user or host");
log_denial(validated, 1);
+#ifdef WITH_AUDIT
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
+#endif
exit(1);
} else {
if (def_path_info) {
@@ -590,6 +614,9 @@ main(argc, argv, envp)
log_denial(validated, 1);
}
audit_failure(NewArgv, "validation failure");
+#ifdef WITH_AUDIT
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
+#endif
exit(1);
}
exit(0); /* not reached */
diff -up sudo-1.7.2p6/sudo.h.audit sudo-1.7.2p6/sudo.h
--- sudo-1.7.2p6/sudo.h.audit 2010-04-14 15:25:49.000000000 +0200
+++ sudo-1.7.2p6/sudo.h 2010-04-14 15:25:49.000000000 +0200
@@ -22,6 +22,8 @@
#ifndef _SUDO_SUDO_H
#define _SUDO_SUDO_H
+#include <config.h>
+
#include <pathnames.h>
#include <limits.h>
#include "compat.h"
@@ -338,4 +340,14 @@ extern int sudo_mode;
extern int errno;
#endif
+#ifdef WITH_AUDIT
+extern int audit_fd;
+extern void audit_help_open (void);
+extern void audit_logger (int, const char *, const char *, int);
+#ifdef HAVE_SELINUX
+# include <selinux/selinux.h>
+extern int send_audit_message(int, security_context_t, security_context_t, const char *);
+#endif /* HAVE_SELINUX */
+#endif /* WITH_AUDIT */
+
#endif /* _SUDO_SUDO_H */