Allow syslog priority to be negated or set to "none" to disable

logging successes or failures.
Todd C. Miller
2016-11-30 16:26:10 -07:00
parent cb1f044017
commit 00b6be9dfa
7 changed files with 62 additions and 25 deletions


@@ -1655,17 +1655,25 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
not specified on the command line. This defaults to not specified on the command line. This defaults to
root. root.
syslog_badpri Syslog priority to use when user authenticates syslog_badpri Syslog priority to use when the user is not allowed to
unsuccessfully. Defaults to alert. run a command or when authentication is unsuccessful.
Defaults to alert.
The following syslog priorities are supported: aalleerrtt, The following syslog priorities are supported: aalleerrtt,
ccrriitt, ddeebbuugg, eemmeerrgg, eerrrr, iinnffoo, nnoottiiccee, and wwaarrnniinngg. ccrriitt, ddeebbuugg, eemmeerrgg, eerrrr, iinnffoo, nnoottiiccee, wwaarrnniinngg, and
nnoonnee. Negating the option or setting it to a value of
nnoonnee will disable logging of unsuccessful commands.
syslog_goodpri Syslog priority to use when user authenticates syslog_goodpri Syslog priority to use when the user is allowed to run
successfully. Defaults to notice. a command and authentication is successful. Defaults
to notice.
See _s_y_s_l_o_g___b_a_d_p_r_i for the list of supported syslog See _s_y_s_l_o_g___b_a_d_p_r_i for the list of supported syslog
priorities. priorities. Negating the option or setting it to a
value of nnoonnee will disable logging of successful
commands.
syslog_goodpri
syslog_maxlen On many systems, syslog(3) has a relatively small log syslog_maxlen On many systems, syslog(3) has a relatively small log
buffer. IETF RFC 5424 states that syslog servers must buffer. IETF RFC 5424 states that syslog servers must
@@ -2632,4 +2640,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or https://www.sudo.ws/license.html for file distributed with ssuuddoo or https://www.sudo.ws/license.html for
complete details. complete details.
Sudo 1.8.19 November 7, 2016 Sudo 1.8.19 Sudo 1.8.19 November 30, 2016 Sudo 1.8.19


@@ -21,7 +21,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" .\"
.TH "SUDOERS" "5" "November 7, 2016" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .TH "SUDOERS" "5" "November 30, 2016" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@@ -3368,7 +3368,8 @@ This defaults to
\fR@runas_default@\fR. \fR@runas_default@\fR.
.TP 18n .TP 18n
syslog_badpri syslog_badpri
Syslog priority to use when user authenticates unsuccessfully. Syslog priority to use when the user is not allowed to run a command or
when authentication is unsuccessful.
Defaults to Defaults to
\fR@badpri@\fR. \fR@badpri@\fR.
.sp .sp
@@ -3380,17 +3381,27 @@ The following syslog priorities are supported:
\fBerr\fR, \fBerr\fR,
\fBinfo\fR, \fBinfo\fR,
\fBnotice\fR, \fBnotice\fR,
\fBwarning\fR,
and and
\fBwarning\fR. \fBnone\fR.
Negating the option or setting it to a value of
\fBnone\fR
will disable logging of unsuccessful commands.
.TP 18n .TP 18n
syslog_goodpri syslog_goodpri
Syslog priority to use when user authenticates successfully. Syslog priority to use when the user is allowed to run a command and
authentication is successful.
Defaults to Defaults to
\fR@goodpri@\fR. \fR@goodpri@\fR.
.sp .sp
See See
\fIsyslog_badpri\fR \fIsyslog_badpri\fR
for the list of supported syslog priorities. for the list of supported syslog priorities.
Negating the option or setting it to a value of
\fBnone\fR
will disable logging of successful commands.
.TP 18n
syslog_goodpri
.TP 18n .TP 18n
syslog_maxlen syslog_maxlen
On many systems, On many systems,


@@ -19,7 +19,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" .\"
.Dd November 7, 2016 .Dd November 30, 2016
.Dt SUDOERS @mansectform@ .Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@@ -3145,7 +3145,8 @@ option is not specified on the command line.
This defaults to This defaults to
.Li @runas_default@ . .Li @runas_default@ .
.It syslog_badpri .It syslog_badpri
Syslog priority to use when user authenticates unsuccessfully. Syslog priority to use when the user is not allowed to run a command or
when authentication is unsuccessful.
Defaults to Defaults to
.Li @badpri@ . .Li @badpri@ .
.Pp .Pp
@@ -3157,16 +3158,25 @@ The following syslog priorities are supported:
.Sy err , .Sy err ,
.Sy info , .Sy info ,
.Sy notice , .Sy notice ,
.Sy warning ,
and and
.Sy warning . .Sy none .
Negating the option or setting it to a value of
.Sy none
will disable logging of unsuccessful commands.
.It syslog_goodpri .It syslog_goodpri
Syslog priority to use when user authenticates successfully. Syslog priority to use when the user is allowed to run a command and
authentication is successful.
Defaults to Defaults to
.Li @goodpri@ . .Li @goodpri@ .
.Pp .Pp
See See
.Em syslog_badpri .Em syslog_badpri
for the list of supported syslog priorities. for the list of supported syslog priorities.
Negating the option or setting it to a value of
.Sy none
will disable logging of successful commands.
.It syslog_goodpri
.It syslog_maxlen .It syslog_maxlen
On many systems, On many systems,
.Xr syslog 3 .Xr syslog 3


@@ -27,11 +27,11 @@ struct sudo_defs_types sudo_defs_table[] = {
N_("Syslog facility if syslog is being used for logging: %s"), N_("Syslog facility if syslog is being used for logging: %s"),
NULL, NULL,
}, { }, {
"syslog_goodpri", T_LOGPRI, "syslog_goodpri", T_LOGPRI|T_BOOL,
N_("Syslog priority to use when user authenticates successfully: %s"), N_("Syslog priority to use when user authenticates successfully: %s"),
NULL, NULL,
}, { }, {
"syslog_badpri", T_LOGPRI, "syslog_badpri", T_LOGPRI|T_BOOL,
N_("Syslog priority to use when user authenticates unsuccessfully: %s"), N_("Syslog priority to use when user authenticates unsuccessfully: %s"),
NULL, NULL,
}, { }, {
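Review bot: The description strings for `syslog_goodpri` and `syslog_badpri` still say "when user authenticates successfully/unsuccessfully", although the manual text in this same commit now says the priorities also cover whether the user is allowed to run the command. The strings are what an administrator sees when the settings are listed, so they should match the manual, for example `N_("Syslog priority to use when the user is not allowed to run a command or authentication fails: %s")` and the matching wording for the success case. The same two strings appear in the definitions list section that follows and would need the same edit. Because they are wrapped in `N_()`, the change presumably also means refreshing the translation catalogs.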


@@ -14,10 +14,10 @@ syslog
T_LOGFAC|T_BOOL T_LOGFAC|T_BOOL
"Syslog facility if syslog is being used for logging: %s" "Syslog facility if syslog is being used for logging: %s"
syslog_goodpri syslog_goodpri
T_LOGPRI T_LOGPRI|T_BOOL
"Syslog priority to use when user authenticates successfully: %s" "Syslog priority to use when user authenticates successfully: %s"
syslog_badpri syslog_badpri
T_LOGPRI T_LOGPRI|T_BOOL
"Syslog priority to use when user authenticates unsuccessfully: %s" "Syslog priority to use when user authenticates unsuccessfully: %s"
long_otp_prompt long_otp_prompt
T_FLAG T_FLAG


@@ -74,6 +74,7 @@ static struct strmap priorities[] = {
{ "info", LOG_INFO }, { "info", LOG_INFO },
{ "notice", LOG_NOTICE }, { "notice", LOG_NOTICE },
{ "warning", LOG_WARNING }, { "warning", LOG_WARNING },
{ "none", -1 },
{ NULL, -1 } { NULL, -1 }
}; };
@@ -936,9 +937,10 @@ store_syslogpri(const char *str, union sudo_defs_val *sd_un)
struct strmap *pri; struct strmap *pri;
debug_decl(store_syslogpri, SUDOERS_DEBUG_DEFAULTS) debug_decl(store_syslogpri, SUDOERS_DEBUG_DEFAULTS)
if (str == NULL) if (str == NULL) {
debug_return_bool(false); sd_un->ival = -1;
debug_return_bool(true);
}
for (pri = priorities; pri->name != NULL; pri++) { for (pri = priorities; pri->name != NULL; pri++) {
if (strcmp(str, pri->name) != 0) { if (strcmp(str, pri->name) != 0) {
sd_un->ival = pri->num; sd_un->ival = pri->num;
@@ -954,9 +956,11 @@ logpri2str(int n)
struct strmap *pri; struct strmap *pri;
debug_decl(logpri2str, SUDOERS_DEBUG_DEFAULTS) debug_decl(logpri2str, SUDOERS_DEBUG_DEFAULTS)
for (pri = priorities; pri->name && pri->num != n; pri++) for (pri = priorities; pri->name != NULL; pri++) {
continue; if (pri->num == n)
debug_return_const_str(pri->name); debug_return_const_str(pri->name);
}
debug_return_const_str("unknown");
} }
static bool static bool
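Review bot: The lookup loop in `store_syslogpri` tests `strcmp(str, pri->name) != 0`, so as shown it stores the first table entry whose name does not match the input instead of the one that does. The line is unchanged context in this hunk, but the new `"none"` entry depends on it. If the page shows the source faithfully, setting either option to `none` would resolve to a real priority and the events would still be logged, and any other value would be recorded at the wrong level, which matters for alerting built on these priorities. The comparison should read `if (strcmp(str, pri->name) == 0) {`. The loop body continues past the end of the hunk, so the rest of the function is not visible here.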


@@ -94,6 +94,10 @@ do_syslog(int pri, char *msg)
int oldlocale; int oldlocale;
debug_decl(do_syslog, SUDOERS_DEBUG_LOGGING) debug_decl(do_syslog, SUDOERS_DEBUG_LOGGING)
/* A priority of -1 corresponds to "none". */
if (pri == -1)
debug_return;
sudoers_setlocale(SUDOERS_LOCALE_SUDOERS, &oldlocale); sudoers_setlocale(SUDOERS_LOCALE_SUDOERS, &oldlocale);
/* /*
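Review bot: The early return in `do_syslog` tests the bare literal `-1`, the same value this commit writes in the priorities table entry for `"none"` and in the `str == NULL` path of `store_syslogpri`. A shared define for the "none" value would keep the three places from drifting apart. Failing that, the comment should name the source of the value, e.g. `/* -1 is the "none" value stored by store_syslogpri(): drop the message instead of logging it. */`. Since this return suppresses the syslog record entirely, it is also worth stating in the comment that no lower-priority fallback is attempted. The function body continues outside the hunk.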