rpms/sudo
3
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

- adjust audit patch, do not scream when kernel is compiled without audit

Browse Source 
netlink support (#401201
This commit is contained in:
Peter Vrabec 2008-09-02 13:56:42 +00:00
parent 5d9121aa3f
commit 5922acb089
2 changed files with 195 additions and 191 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

380
sudo-1.6.9p13-audit.patch
View File

@ -1,184 +1,6 @@
diff -up sudo-1.6.9p13/set_perms.c.audit sudo-1.6.9p13/set_perms.c
--- sudo-1.6.9p13/set_perms.c.audit 2007-11-28 00:41:23.000000000 +0100
+++ sudo-1.6.9p13/set_perms.c 2008-03-04 11:18:45.000000000 +0100
@@ -53,6 +53,10 @@
#ifdef HAVE_LOGIN_CAP_H
# include <login_cap.h>
#endif
+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
+# include <sys/prctl.h>
+# include <sys/capability.h>
+#endif
#include "sudo.h"
@@ -119,13 +123,46 @@ set_perms(perm)
break;
case PERM_FULL_RUNAS:
- /* headed for exec(), assume euid == ROOT_UID */
- runas_setup();
- if (setresuid(def_stay_setuid ?
- user_uid : runas_pw->pw_uid,
- runas_pw->pw_uid, runas_pw->pw_uid))
- err(1, "unable to change to runas uid");
- break;
+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
+ { /* BEGIN CAP BLOCK */
+ cap_t new_caps;
+ cap_value_t cap_list[] = { CAP_AUDIT_WRITE };
+
+ if (runas_pw->pw_uid != ROOT_UID) {
+ new_caps = cap_init ();
+ if (!new_caps)
+ err(1, "Error initing capabilities, aborting.\n");
+
+ if(cap_set_flag(new_caps, CAP_PERMITTED, 1, cap_list, CAP_SET) ||
+ cap_set_flag(new_caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET)) {
+ err(1, "Error setting capabilities, aborting\n");
+ }
+
+ if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0))
+ err(1, "Error setting KEEPCAPS, aborting\n");
+ }
+#endif
+ /* headed for exec(), assume euid == ROOT_UID */
+ runas_setup ();
+ if (setresuid(def_stay_setuid ?
+ user_uid : runas_pw->pw_uid,
+ runas_pw->pw_uid, runas_pw->pw_uid))
+ err(1, "unable to change to runas uid");
+
+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
+ if (runas_pw->pw_uid != ROOT_UID) {
+ if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0)
+ err(1, "Error resetting KEEPCAPS, aborting\n");
+
+ if (cap_set_proc(new_caps))
+ err(1, "Error dropping capabilities, aborting\n");
+
+ if (cap_free (new_caps))
+ err(1, "Error freeing caps\n");
+ }
+ } /* END CAP BLOCK */
+#endif
+ break;
case PERM_SUDOERS:
/* assume euid == ROOT_UID, ruid == user */
diff -up sudo-1.6.9p13/sudo.c.audit sudo-1.6.9p13/sudo.c
--- sudo-1.6.9p13/sudo.c.audit 2008-03-04 11:18:45.000000000 +0100
+++ sudo-1.6.9p13/sudo.c 2008-03-04 11:21:54.000000000 +0100
@@ -100,6 +100,10 @@
# include <selinux/selinux.h>
#endif
+#ifdef WITH_AUDIT
+#include <libaudit.h>
+#endif
+
#include "sudo.h"
#include "interfaces.h"
#include "version.h"
@@ -295,6 +299,10 @@ main(argc, argv, envp)
if (safe_cmnd == NULL)
safe_cmnd = estrdup(user_cmnd);
+#if defined(WITH_AUDIT)
+ audit_help_open ();
+#endif
+
/*
* Look up the timestamp dir owner if one is specified.
*/
@@ -442,6 +450,17 @@ main(argc, argv, envp)
(void) sigaction(SIGTSTP, &saved_sa_tstp, NULL);
(void) sigaction(SIGCHLD, &saved_sa_chld, NULL);
+ if (access(safe_cmnd, X_OK) != 0) {
+ warn ("unable to execute %s", safe_cmnd);
+#ifdef WITH_AUDIT
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
+#endif
+ exit(127);
+ }
+#ifdef WITH_AUDIT
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 1);
+#endif
+
#ifndef PROFILING
if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0)
exit(0);
@@ -465,10 +484,16 @@ main(argc, argv, envp)
NewArgv[1] = safe_cmnd;
execve(_PATH_BSHELL, NewArgv, environ);
}
+#ifdef WITH_AUDIT
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
+#endif
warn("unable to execute %s", safe_cmnd);
exit(127);
} else if (ISSET(validated, FLAG_NO_USER) || (validated & FLAG_NO_HOST)) {
log_auth(validated, 1);
+#ifdef WITH_AUDIT
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
+#endif
exit(1);
} else if (ISSET(validated, VALIDATE_NOT_OK)) {
if (def_path_info) {
@@ -489,6 +514,9 @@ main(argc, argv, envp)
/* Just tell the user they are not allowed to run foo. */
log_auth(validated, 1);
}
+#ifdef WITH_AUDIT
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
+#endif
exit(1);
} else {
/* should never get here */
diff -up sudo-1.6.9p13/configure.in.audit sudo-1.6.9p13/configure.in
--- sudo-1.6.9p13/configure.in.audit 2008-03-04 11:18:45.000000000 +0100
+++ sudo-1.6.9p13/configure.in 2008-03-04 11:18:45.000000000 +0100
@@ -166,6 +166,10 @@ dnl
dnl Options for --with
dnl
+AC_ARG_WITH(audit,
+ [AC_HELP_STRING([--with-audit], [use auditing support @<:@default=yes if found@:>@])],
+ [with_audit=$withval], [with_audit=yes])
+
AC_ARG_WITH(CC, [ --with-CC C compiler to use],
[case $with_CC in
yes) AC_MSG_ERROR(["must give --with-CC an argument."])
@@ -1614,6 +1618,25 @@ dnl
: ${mansectsu='8'}
: ${mansectform='5'}
+
+AC_SUBST(LIBAUDIT)
+if test "$with_audit" = "yes"; then
+ # See if we have the audit library
+ AC_CHECK_HEADER(libaudit.h, [audit_header="yes"], [audit_header="no"])
+ if test "$audit_header" = "yes"; then
+ AC_CHECK_LIB(audit, audit_log_user_command,
+ [AC_DEFINE(WITH_AUDIT, 1, [Define if you want to enable Audit messages])
+ LIBAUDIT="-laudit"])
+ fi
+ # See if we have the libcap library
+ AC_CHECK_HEADERS(sys/capability.h sys/prctl.h, [cap_header="yes"], [cap_header="no"])
+ if test "$cap_header" = "yes"; then
+ AC_CHECK_LIB(cap, cap_init,
+ [AC_DEFINE(HAVE_LIBCAP, 1, [SELinux libcap support])
+ SUDO_LIBS="${SUDO_LIBS} -lcap"])
+ fi
+fi
+
dnl
dnl Add in any libpaths or libraries specified via configure
dnl
diff -up /dev/null sudo-1.6.9p13/audit_help.c
--- /dev/null 2008-02-05 17:16:01.642928004 +0100
+++ sudo-1.6.9p13/audit_help.c 2008-03-04 11:21:15.000000000 +0100
diff -up /dev/null sudo-1.6.9p17/audit_help.c
--- /dev/null 2008-08-23 21:55:45.734000982 +0200
+++ sudo-1.6.9p17/audit_help.c 2008-09-02 15:49:38.000000000 +0200
@@ -0,0 +1,140 @@
+/*
+ * Audit helper functions used throughout sudo
@ -275,7 +97,7 @@ diff -up /dev/null sudo-1.6.9p13/audit_help.c
+ err = audit_log_user_command (audit_fd, type, msg, NULL, result);
+ /* The kernel supports auditing and we had
+ enough privilege to write to the socket. */
+ if( err <= 0 && !(errno == EPERM && getuid() != 0) ) {
+ if( err <= 0 && !((errno == EPERM && getuid() > 0) || errno == ECONNREFUSED ) ) {
+ perror("audit_log_user_command()");
+ }
+
@ -320,10 +142,50 @@ diff -up /dev/null sudo-1.6.9p13/audit_help.c
+#endif /* WITH_AUDIT */
+
+
diff -up sudo-1.6.9p13/Makefile.in.audit sudo-1.6.9p13/Makefile.in
--- sudo-1.6.9p13/Makefile.in.audit 2008-02-19 19:13:10.000000000 +0100
+++ sudo-1.6.9p13/Makefile.in 2008-03-04 11:18:45.000000000 +0100
@@ -120,11 +120,13 @@ HDRS = compat.h def_data.h defaults.h in
diff -up sudo-1.6.9p17/configure.in.audit sudo-1.6.9p17/configure.in
--- sudo-1.6.9p17/configure.in.audit 2008-09-02 15:48:46.000000000 +0200
+++ sudo-1.6.9p17/configure.in 2008-09-02 15:48:46.000000000 +0200
@@ -167,6 +167,10 @@ dnl
dnl Options for --with
dnl
+AC_ARG_WITH(audit,
+ [AC_HELP_STRING([--with-audit], [use auditing support @<:@default=yes if found@:>@])],
+ [with_audit=$withval], [with_audit=yes])
+
AC_ARG_WITH(CC, [ --with-CC C compiler to use],
[case $with_CC in
yes) AC_MSG_ERROR(["must give --with-CC an argument."])
@@ -1616,6 +1620,25 @@ dnl
: ${mansectsu='8'}
: ${mansectform='5'}
+
+AC_SUBST(LIBAUDIT)
+if test "$with_audit" = "yes"; then
+ # See if we have the audit library
+ AC_CHECK_HEADER(libaudit.h, [audit_header="yes"], [audit_header="no"])
+ if test "$audit_header" = "yes"; then
+ AC_CHECK_LIB(audit, audit_log_user_command,
+ [AC_DEFINE(WITH_AUDIT, 1, [Define if you want to enable Audit messages])
+ LIBAUDIT="-laudit"])
+ fi
+ # See if we have the libcap library
+ AC_CHECK_HEADERS(sys/capability.h sys/prctl.h, [cap_header="yes"], [cap_header="no"])
+ if test "$cap_header" = "yes"; then
+ AC_CHECK_LIB(cap, cap_init,
+ [AC_DEFINE(HAVE_LIBCAP, 1, [SELinux libcap support])
+ SUDO_LIBS="${SUDO_LIBS} -lcap"])
+ fi
+fi
+
dnl
dnl Add in any libpaths or libraries specified via configure
dnl
diff -up sudo-1.6.9p17/Makefile.in.audit sudo-1.6.9p17/Makefile.in
--- sudo-1.6.9p17/Makefile.in.audit 2008-06-22 22:29:03.000000000 +0200
+++ sudo-1.6.9p17/Makefile.in 2008-09-02 15:48:46.000000000 +0200
@@ -121,11 +121,13 @@ HDRS = compat.h def_data.h defaults.h in
AUTH_OBJS = sudo_auth.o @AUTH_OBJS@
@ -338,7 +200,7 @@ diff -up sudo-1.6.9p13/Makefile.in.audit sudo-1.6.9p13/Makefile.in
VISUDOBJS = visudo.o fileops.o gettime.o goodpath.o find_path.o $(PARSEOBJS)
@@ -276,6 +278,9 @@ securid5.o: $(authdir)/securid5.c $(AUTH
@@ -277,6 +279,9 @@ securid5.o: $(authdir)/securid5.c $(AUTH
sia.o: $(authdir)/sia.c $(AUTHDEP)
$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/sia.c
@ -348,9 +210,147 @@ diff -up sudo-1.6.9p13/Makefile.in.audit sudo-1.6.9p13/Makefile.in
sudo.man.in: $(srcdir)/sudo.pod
@rm -f $(srcdir)/$@
( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" | perl -p sudo.man.pl >> $@ )
diff -up sudo-1.6.9p13/sudo.h.audit sudo-1.6.9p13/sudo.h
--- sudo-1.6.9p13/sudo.h.audit 2008-03-04 11:18:45.000000000 +0100
+++ sudo-1.6.9p13/sudo.h 2008-03-04 11:18:45.000000000 +0100
diff -up sudo-1.6.9p17/set_perms.c.audit sudo-1.6.9p17/set_perms.c
--- sudo-1.6.9p17/set_perms.c.audit 2007-11-28 00:41:23.000000000 +0100
+++ sudo-1.6.9p17/set_perms.c 2008-09-02 15:48:46.000000000 +0200
@@ -53,6 +53,10 @@
#ifdef HAVE_LOGIN_CAP_H
# include <login_cap.h>
#endif
+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
+# include <sys/prctl.h>
+# include <sys/capability.h>
+#endif
#include "sudo.h"
@@ -119,13 +123,46 @@ set_perms(perm)
break;
case PERM_FULL_RUNAS:
- /* headed for exec(), assume euid == ROOT_UID */
- runas_setup();
- if (setresuid(def_stay_setuid ?
- user_uid : runas_pw->pw_uid,
- runas_pw->pw_uid, runas_pw->pw_uid))
- err(1, "unable to change to runas uid");
- break;
+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
+ { /* BEGIN CAP BLOCK */
+ cap_t new_caps;
+ cap_value_t cap_list[] = { CAP_AUDIT_WRITE };
+
+ if (runas_pw->pw_uid != ROOT_UID) {
+ new_caps = cap_init ();
+ if (!new_caps)
+ err(1, "Error initing capabilities, aborting.\n");
+
+ if(cap_set_flag(new_caps, CAP_PERMITTED, 1, cap_list, CAP_SET) ||
+ cap_set_flag(new_caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET)) {
+ err(1, "Error setting capabilities, aborting\n");
+ }
+
+ if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0))
+ err(1, "Error setting KEEPCAPS, aborting\n");
+ }
+#endif
+ /* headed for exec(), assume euid == ROOT_UID */
+ runas_setup ();
+ if (setresuid(def_stay_setuid ?
+ user_uid : runas_pw->pw_uid,
+ runas_pw->pw_uid, runas_pw->pw_uid))
+ err(1, "unable to change to runas uid");
+
+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
+ if (runas_pw->pw_uid != ROOT_UID) {
+ if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0)
+ err(1, "Error resetting KEEPCAPS, aborting\n");
+
+ if (cap_set_proc(new_caps))
+ err(1, "Error dropping capabilities, aborting\n");
+
+ if (cap_free (new_caps))
+ err(1, "Error freeing caps\n");
+ }
+ } /* END CAP BLOCK */
+#endif
+ break;
case PERM_SUDOERS:
/* assume euid == ROOT_UID, ruid == user */
diff -up sudo-1.6.9p17/sudo.c.audit sudo-1.6.9p17/sudo.c
--- sudo-1.6.9p17/sudo.c.audit 2008-09-02 15:48:46.000000000 +0200
+++ sudo-1.6.9p17/sudo.c 2008-09-02 15:48:46.000000000 +0200
@@ -100,6 +100,10 @@
# include <selinux/selinux.h>
#endif
+#ifdef WITH_AUDIT
+#include <libaudit.h>
+#endif
+
#include "sudo.h"
#include "interfaces.h"
#include "version.h"
@@ -289,6 +293,10 @@ main(argc, argv, envp)
if (safe_cmnd == NULL)
safe_cmnd = estrdup(user_cmnd);
+#if defined(WITH_AUDIT)
+ audit_help_open ();
+#endif
+
/*
* Look up the timestamp dir owner if one is specified.
*/
@@ -435,6 +443,17 @@ main(argc, argv, envp)
(void) sigaction(SIGQUIT, &saved_sa_quit, NULL);
(void) sigaction(SIGTSTP, &saved_sa_tstp, NULL);
+ if (access(safe_cmnd, X_OK) != 0) {
+ warn ("unable to execute %s", safe_cmnd);
+#ifdef WITH_AUDIT
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
+#endif
+ exit(127);
+ }
+#ifdef WITH_AUDIT
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 1);
+#endif
+
#ifndef PROFILING
if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0)
exit(0);
@@ -458,10 +477,16 @@ main(argc, argv, envp)
NewArgv[1] = safe_cmnd;
execve(_PATH_BSHELL, NewArgv, environ);
}
+#ifdef WITH_AUDIT
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
+#endif
warn("unable to execute %s", safe_cmnd);
exit(127);
} else if (ISSET(validated, FLAG_NO_USER) || (validated & FLAG_NO_HOST)) {
log_auth(validated, 1);
+#ifdef WITH_AUDIT
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
+#endif
exit(1);
} else if (ISSET(validated, VALIDATE_NOT_OK)) {
if (def_path_info) {
@@ -482,6 +507,9 @@ main(argc, argv, envp)
/* Just tell the user they are not allowed to run foo. */
log_auth(validated, 1);
}
+#ifdef WITH_AUDIT
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
+#endif
exit(1);
} else {
/* should never get here */
diff -up sudo-1.6.9p17/sudo.h.audit sudo-1.6.9p17/sudo.h
--- sudo-1.6.9p17/sudo.h.audit 2008-09-02 15:48:46.000000000 +0200
+++ sudo-1.6.9p17/sudo.h 2008-09-02 15:48:46.000000000 +0200
@@ -23,6 +23,8 @@
#ifndef _SUDO_SUDO_H
#define _SUDO_SUDO_H

6
sudo.spec
View File

@ -1,7 +1,7 @@
Summary: Allows restricted root access for specified users
Name: sudo
Version: 1.6.9p17
Release: 1%{?dist}
Release: 2%{?dist}
License: BSD
Group: Applications/System
URL: http://www.courtesan.com/sudo/
@ -133,6 +133,10 @@ rm -rf $RPM_BUILD_ROOT
/bin/chmod 0440 /etc/sudoers || :
%changelog
* Tue Sep 02 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p17-2
- adjust audit patch, do not scream when kernel is
compiled without audit netlink support (#401201)
* Fri Jul 04 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p17-1
- upgrade