From 5922acb08943b793b85bfb2e6a79745f8aa6bbc2 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Tue, 2 Sep 2008 13:56:42 +0000 Subject: [PATCH] - adjust audit patch, do not scream when kernel is compiled without audit netlink support (#401201 --- sudo-1.6.9p13-audit.patch | 380 +++++++++++++++++++------------------- sudo.spec | 6 +- 2 files changed, 195 insertions(+), 191 deletions(-) diff --git a/sudo-1.6.9p13-audit.patch b/sudo-1.6.9p13-audit.patch index 909d8a7..d8937e2 100644 --- a/sudo-1.6.9p13-audit.patch +++ b/sudo-1.6.9p13-audit.patch @@ -1,184 +1,6 @@ -diff -up sudo-1.6.9p13/set_perms.c.audit sudo-1.6.9p13/set_perms.c ---- sudo-1.6.9p13/set_perms.c.audit 2007-11-28 00:41:23.000000000 +0100 -+++ sudo-1.6.9p13/set_perms.c 2008-03-04 11:18:45.000000000 +0100 -@@ -53,6 +53,10 @@ - #ifdef HAVE_LOGIN_CAP_H - # include - #endif -+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP) -+# include -+# include -+#endif - - #include "sudo.h" - -@@ -119,13 +123,46 @@ set_perms(perm) - break; - - case PERM_FULL_RUNAS: -- /* headed for exec(), assume euid == ROOT_UID */ -- runas_setup(); -- if (setresuid(def_stay_setuid ? -- user_uid : runas_pw->pw_uid, -- runas_pw->pw_uid, runas_pw->pw_uid)) -- err(1, "unable to change to runas uid"); -- break; -+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP) -+ { /* BEGIN CAP BLOCK */ -+ cap_t new_caps; -+ cap_value_t cap_list[] = { CAP_AUDIT_WRITE }; -+ -+ if (runas_pw->pw_uid != ROOT_UID) { -+ new_caps = cap_init (); -+ if (!new_caps) -+ err(1, "Error initing capabilities, aborting.\n"); -+ -+ if(cap_set_flag(new_caps, CAP_PERMITTED, 1, cap_list, CAP_SET) || -+ cap_set_flag(new_caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET)) { -+ err(1, "Error setting capabilities, aborting\n"); -+ } -+ -+ if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) -+ err(1, "Error setting KEEPCAPS, aborting\n"); -+ } -+#endif -+ /* headed for exec(), assume euid == ROOT_UID */ -+ runas_setup (); -+ if (setresuid(def_stay_setuid ? -+ user_uid : runas_pw->pw_uid, -+ runas_pw->pw_uid, runas_pw->pw_uid)) -+ err(1, "unable to change to runas uid"); -+ -+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP) -+ if (runas_pw->pw_uid != ROOT_UID) { -+ if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0) -+ err(1, "Error resetting KEEPCAPS, aborting\n"); -+ -+ if (cap_set_proc(new_caps)) -+ err(1, "Error dropping capabilities, aborting\n"); -+ -+ if (cap_free (new_caps)) -+ err(1, "Error freeing caps\n"); -+ } -+ } /* END CAP BLOCK */ -+#endif -+ break; - - case PERM_SUDOERS: - /* assume euid == ROOT_UID, ruid == user */ -diff -up sudo-1.6.9p13/sudo.c.audit sudo-1.6.9p13/sudo.c ---- sudo-1.6.9p13/sudo.c.audit 2008-03-04 11:18:45.000000000 +0100 -+++ sudo-1.6.9p13/sudo.c 2008-03-04 11:21:54.000000000 +0100 -@@ -100,6 +100,10 @@ - # include - #endif - -+#ifdef WITH_AUDIT -+#include -+#endif -+ - #include "sudo.h" - #include "interfaces.h" - #include "version.h" -@@ -295,6 +299,10 @@ main(argc, argv, envp) - if (safe_cmnd == NULL) - safe_cmnd = estrdup(user_cmnd); - -+#if defined(WITH_AUDIT) -+ audit_help_open (); -+#endif -+ - /* - * Look up the timestamp dir owner if one is specified. - */ -@@ -442,6 +450,17 @@ main(argc, argv, envp) - (void) sigaction(SIGTSTP, &saved_sa_tstp, NULL); - (void) sigaction(SIGCHLD, &saved_sa_chld, NULL); - -+ if (access(safe_cmnd, X_OK) != 0) { -+ warn ("unable to execute %s", safe_cmnd); -+#ifdef WITH_AUDIT -+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0); -+#endif -+ exit(127); -+ } -+#ifdef WITH_AUDIT -+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 1); -+#endif -+ - #ifndef PROFILING - if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0) - exit(0); -@@ -465,10 +484,16 @@ main(argc, argv, envp) - NewArgv[1] = safe_cmnd; - execve(_PATH_BSHELL, NewArgv, environ); - } -+#ifdef WITH_AUDIT -+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0); -+#endif - warn("unable to execute %s", safe_cmnd); - exit(127); - } else if (ISSET(validated, FLAG_NO_USER) || (validated & FLAG_NO_HOST)) { - log_auth(validated, 1); -+#ifdef WITH_AUDIT -+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0); -+#endif - exit(1); - } else if (ISSET(validated, VALIDATE_NOT_OK)) { - if (def_path_info) { -@@ -489,6 +514,9 @@ main(argc, argv, envp) - /* Just tell the user they are not allowed to run foo. */ - log_auth(validated, 1); - } -+#ifdef WITH_AUDIT -+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0); -+#endif - exit(1); - } else { - /* should never get here */ -diff -up sudo-1.6.9p13/configure.in.audit sudo-1.6.9p13/configure.in ---- sudo-1.6.9p13/configure.in.audit 2008-03-04 11:18:45.000000000 +0100 -+++ sudo-1.6.9p13/configure.in 2008-03-04 11:18:45.000000000 +0100 -@@ -166,6 +166,10 @@ dnl - dnl Options for --with - dnl - -+AC_ARG_WITH(audit, -+ [AC_HELP_STRING([--with-audit], [use auditing support @<:@default=yes if found@:>@])], -+ [with_audit=$withval], [with_audit=yes]) -+ - AC_ARG_WITH(CC, [ --with-CC C compiler to use], - [case $with_CC in - yes) AC_MSG_ERROR(["must give --with-CC an argument."]) -@@ -1614,6 +1618,25 @@ dnl - : ${mansectsu='8'} - : ${mansectform='5'} - -+ -+AC_SUBST(LIBAUDIT) -+if test "$with_audit" = "yes"; then -+ # See if we have the audit library -+ AC_CHECK_HEADER(libaudit.h, [audit_header="yes"], [audit_header="no"]) -+ if test "$audit_header" = "yes"; then -+ AC_CHECK_LIB(audit, audit_log_user_command, -+ [AC_DEFINE(WITH_AUDIT, 1, [Define if you want to enable Audit messages]) -+ LIBAUDIT="-laudit"]) -+ fi -+ # See if we have the libcap library -+ AC_CHECK_HEADERS(sys/capability.h sys/prctl.h, [cap_header="yes"], [cap_header="no"]) -+ if test "$cap_header" = "yes"; then -+ AC_CHECK_LIB(cap, cap_init, -+ [AC_DEFINE(HAVE_LIBCAP, 1, [SELinux libcap support]) -+ SUDO_LIBS="${SUDO_LIBS} -lcap"]) -+ fi -+fi -+ - dnl - dnl Add in any libpaths or libraries specified via configure - dnl -diff -up /dev/null sudo-1.6.9p13/audit_help.c ---- /dev/null 2008-02-05 17:16:01.642928004 +0100 -+++ sudo-1.6.9p13/audit_help.c 2008-03-04 11:21:15.000000000 +0100 +diff -up /dev/null sudo-1.6.9p17/audit_help.c +--- /dev/null 2008-08-23 21:55:45.734000982 +0200 ++++ sudo-1.6.9p17/audit_help.c 2008-09-02 15:49:38.000000000 +0200 @@ -0,0 +1,140 @@ +/* + * Audit helper functions used throughout sudo @@ -275,7 +97,7 @@ diff -up /dev/null sudo-1.6.9p13/audit_help.c + err = audit_log_user_command (audit_fd, type, msg, NULL, result); + /* The kernel supports auditing and we had + enough privilege to write to the socket. */ -+ if( err <= 0 && !(errno == EPERM && getuid() != 0) ) { ++ if( err <= 0 && !((errno == EPERM && getuid() > 0) || errno == ECONNREFUSED ) ) { + perror("audit_log_user_command()"); + } + @@ -320,10 +142,50 @@ diff -up /dev/null sudo-1.6.9p13/audit_help.c +#endif /* WITH_AUDIT */ + + -diff -up sudo-1.6.9p13/Makefile.in.audit sudo-1.6.9p13/Makefile.in ---- sudo-1.6.9p13/Makefile.in.audit 2008-02-19 19:13:10.000000000 +0100 -+++ sudo-1.6.9p13/Makefile.in 2008-03-04 11:18:45.000000000 +0100 -@@ -120,11 +120,13 @@ HDRS = compat.h def_data.h defaults.h in +diff -up sudo-1.6.9p17/configure.in.audit sudo-1.6.9p17/configure.in +--- sudo-1.6.9p17/configure.in.audit 2008-09-02 15:48:46.000000000 +0200 ++++ sudo-1.6.9p17/configure.in 2008-09-02 15:48:46.000000000 +0200 +@@ -167,6 +167,10 @@ dnl + dnl Options for --with + dnl + ++AC_ARG_WITH(audit, ++ [AC_HELP_STRING([--with-audit], [use auditing support @<:@default=yes if found@:>@])], ++ [with_audit=$withval], [with_audit=yes]) ++ + AC_ARG_WITH(CC, [ --with-CC C compiler to use], + [case $with_CC in + yes) AC_MSG_ERROR(["must give --with-CC an argument."]) +@@ -1616,6 +1620,25 @@ dnl + : ${mansectsu='8'} + : ${mansectform='5'} + ++ ++AC_SUBST(LIBAUDIT) ++if test "$with_audit" = "yes"; then ++ # See if we have the audit library ++ AC_CHECK_HEADER(libaudit.h, [audit_header="yes"], [audit_header="no"]) ++ if test "$audit_header" = "yes"; then ++ AC_CHECK_LIB(audit, audit_log_user_command, ++ [AC_DEFINE(WITH_AUDIT, 1, [Define if you want to enable Audit messages]) ++ LIBAUDIT="-laudit"]) ++ fi ++ # See if we have the libcap library ++ AC_CHECK_HEADERS(sys/capability.h sys/prctl.h, [cap_header="yes"], [cap_header="no"]) ++ if test "$cap_header" = "yes"; then ++ AC_CHECK_LIB(cap, cap_init, ++ [AC_DEFINE(HAVE_LIBCAP, 1, [SELinux libcap support]) ++ SUDO_LIBS="${SUDO_LIBS} -lcap"]) ++ fi ++fi ++ + dnl + dnl Add in any libpaths or libraries specified via configure + dnl +diff -up sudo-1.6.9p17/Makefile.in.audit sudo-1.6.9p17/Makefile.in +--- sudo-1.6.9p17/Makefile.in.audit 2008-06-22 22:29:03.000000000 +0200 ++++ sudo-1.6.9p17/Makefile.in 2008-09-02 15:48:46.000000000 +0200 +@@ -121,11 +121,13 @@ HDRS = compat.h def_data.h defaults.h in AUTH_OBJS = sudo_auth.o @AUTH_OBJS@ @@ -338,7 +200,7 @@ diff -up sudo-1.6.9p13/Makefile.in.audit sudo-1.6.9p13/Makefile.in VISUDOBJS = visudo.o fileops.o gettime.o goodpath.o find_path.o $(PARSEOBJS) -@@ -276,6 +278,9 @@ securid5.o: $(authdir)/securid5.c $(AUTH +@@ -277,6 +279,9 @@ securid5.o: $(authdir)/securid5.c $(AUTH sia.o: $(authdir)/sia.c $(AUTHDEP) $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/sia.c @@ -348,9 +210,147 @@ diff -up sudo-1.6.9p13/Makefile.in.audit sudo-1.6.9p13/Makefile.in sudo.man.in: $(srcdir)/sudo.pod @rm -f $(srcdir)/$@ ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" | perl -p sudo.man.pl >> $@ ) -diff -up sudo-1.6.9p13/sudo.h.audit sudo-1.6.9p13/sudo.h ---- sudo-1.6.9p13/sudo.h.audit 2008-03-04 11:18:45.000000000 +0100 -+++ sudo-1.6.9p13/sudo.h 2008-03-04 11:18:45.000000000 +0100 +diff -up sudo-1.6.9p17/set_perms.c.audit sudo-1.6.9p17/set_perms.c +--- sudo-1.6.9p17/set_perms.c.audit 2007-11-28 00:41:23.000000000 +0100 ++++ sudo-1.6.9p17/set_perms.c 2008-09-02 15:48:46.000000000 +0200 +@@ -53,6 +53,10 @@ + #ifdef HAVE_LOGIN_CAP_H + # include + #endif ++#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP) ++# include ++# include ++#endif + + #include "sudo.h" + +@@ -119,13 +123,46 @@ set_perms(perm) + break; + + case PERM_FULL_RUNAS: +- /* headed for exec(), assume euid == ROOT_UID */ +- runas_setup(); +- if (setresuid(def_stay_setuid ? +- user_uid : runas_pw->pw_uid, +- runas_pw->pw_uid, runas_pw->pw_uid)) +- err(1, "unable to change to runas uid"); +- break; ++#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP) ++ { /* BEGIN CAP BLOCK */ ++ cap_t new_caps; ++ cap_value_t cap_list[] = { CAP_AUDIT_WRITE }; ++ ++ if (runas_pw->pw_uid != ROOT_UID) { ++ new_caps = cap_init (); ++ if (!new_caps) ++ err(1, "Error initing capabilities, aborting.\n"); ++ ++ if(cap_set_flag(new_caps, CAP_PERMITTED, 1, cap_list, CAP_SET) || ++ cap_set_flag(new_caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET)) { ++ err(1, "Error setting capabilities, aborting\n"); ++ } ++ ++ if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) ++ err(1, "Error setting KEEPCAPS, aborting\n"); ++ } ++#endif ++ /* headed for exec(), assume euid == ROOT_UID */ ++ runas_setup (); ++ if (setresuid(def_stay_setuid ? ++ user_uid : runas_pw->pw_uid, ++ runas_pw->pw_uid, runas_pw->pw_uid)) ++ err(1, "unable to change to runas uid"); ++ ++#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP) ++ if (runas_pw->pw_uid != ROOT_UID) { ++ if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0) ++ err(1, "Error resetting KEEPCAPS, aborting\n"); ++ ++ if (cap_set_proc(new_caps)) ++ err(1, "Error dropping capabilities, aborting\n"); ++ ++ if (cap_free (new_caps)) ++ err(1, "Error freeing caps\n"); ++ } ++ } /* END CAP BLOCK */ ++#endif ++ break; + + case PERM_SUDOERS: + /* assume euid == ROOT_UID, ruid == user */ +diff -up sudo-1.6.9p17/sudo.c.audit sudo-1.6.9p17/sudo.c +--- sudo-1.6.9p17/sudo.c.audit 2008-09-02 15:48:46.000000000 +0200 ++++ sudo-1.6.9p17/sudo.c 2008-09-02 15:48:46.000000000 +0200 +@@ -100,6 +100,10 @@ + # include + #endif + ++#ifdef WITH_AUDIT ++#include ++#endif ++ + #include "sudo.h" + #include "interfaces.h" + #include "version.h" +@@ -289,6 +293,10 @@ main(argc, argv, envp) + if (safe_cmnd == NULL) + safe_cmnd = estrdup(user_cmnd); + ++#if defined(WITH_AUDIT) ++ audit_help_open (); ++#endif ++ + /* + * Look up the timestamp dir owner if one is specified. + */ +@@ -435,6 +443,17 @@ main(argc, argv, envp) + (void) sigaction(SIGQUIT, &saved_sa_quit, NULL); + (void) sigaction(SIGTSTP, &saved_sa_tstp, NULL); + ++ if (access(safe_cmnd, X_OK) != 0) { ++ warn ("unable to execute %s", safe_cmnd); ++#ifdef WITH_AUDIT ++ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0); ++#endif ++ exit(127); ++ } ++#ifdef WITH_AUDIT ++ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 1); ++#endif ++ + #ifndef PROFILING + if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0) + exit(0); +@@ -458,10 +477,16 @@ main(argc, argv, envp) + NewArgv[1] = safe_cmnd; + execve(_PATH_BSHELL, NewArgv, environ); + } ++#ifdef WITH_AUDIT ++ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0); ++#endif + warn("unable to execute %s", safe_cmnd); + exit(127); + } else if (ISSET(validated, FLAG_NO_USER) || (validated & FLAG_NO_HOST)) { + log_auth(validated, 1); ++#ifdef WITH_AUDIT ++ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0); ++#endif + exit(1); + } else if (ISSET(validated, VALIDATE_NOT_OK)) { + if (def_path_info) { +@@ -482,6 +507,9 @@ main(argc, argv, envp) + /* Just tell the user they are not allowed to run foo. */ + log_auth(validated, 1); + } ++#ifdef WITH_AUDIT ++ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0); ++#endif + exit(1); + } else { + /* should never get here */ +diff -up sudo-1.6.9p17/sudo.h.audit sudo-1.6.9p17/sudo.h +--- sudo-1.6.9p17/sudo.h.audit 2008-09-02 15:48:46.000000000 +0200 ++++ sudo-1.6.9p17/sudo.h 2008-09-02 15:48:46.000000000 +0200 @@ -23,6 +23,8 @@ #ifndef _SUDO_SUDO_H #define _SUDO_SUDO_H diff --git a/sudo.spec b/sudo.spec index 2c063ee..1e803ec 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,7 +1,7 @@ Summary: Allows restricted root access for specified users Name: sudo Version: 1.6.9p17 -Release: 1%{?dist} +Release: 2%{?dist} License: BSD Group: Applications/System URL: http://www.courtesan.com/sudo/ @@ -133,6 +133,10 @@ rm -rf $RPM_BUILD_ROOT /bin/chmod 0440 /etc/sudoers || : %changelog +* Tue Sep 02 2008 Peter Vrabec 1.6.9p17-2 +- adjust audit patch, do not scream when kernel is + compiled without audit netlink support (#401201) + * Fri Jul 04 2008 Peter Vrabec 1.6.9p17-1 - upgrade