Add Solaris audit support; from Gary Winiger at Oracle.

This commit is contained in:
Todd C. Miller
2014-06-27 16:01:40 -06:00
parent 6df6404113
commit 18dbc52e4b
10 changed files with 218 additions and 2 deletions


@@ -400,6 +400,9 @@ Authentication options:
the user name (separated by a slash) when creating the the user name (separated by a slash) when creating the
principal name. principal name.
--with-solaris-audit
Enable audit support for Solaris systems.
--with-opie[=DIR] --with-opie[=DIR]
Enable NRL OPIE OTP (One Time Password) support. If specified, Enable NRL OPIE OTP (One Time Password) support. If specified,
DIR should contain include and lib directories with opie.h DIR should contain include and lib directories with opie.h


@@ -422,6 +422,8 @@ plugins/sudoers/regress/visudo/test4.sh
plugins/sudoers/regress/visudo/test5.out.ok plugins/sudoers/regress/visudo/test5.out.ok
plugins/sudoers/regress/visudo/test5.sh plugins/sudoers/regress/visudo/test5.sh
plugins/sudoers/set_perms.c plugins/sudoers/set_perms.c
plugins/sudoers/solaris_audit.c
plugins/sudoers/solaris_audit.h
plugins/sudoers/sssd.c plugins/sudoers/sssd.c
plugins/sudoers/sudo_nss.c plugins/sudoers/sudo_nss.c
plugins/sudoers/sudo_nss.h plugins/sudoers/sudo_nss.h


@@ -548,6 +548,9 @@
/* Define to 1 if you have the `snprintf' function. */ /* Define to 1 if you have the `snprintf' function. */
#undef HAVE_SNPRINTF #undef HAVE_SNPRINTF
/* Define to 1 to enable Solaris audit support. */
#undef HAVE_SOLARIS_AUDIT
/* Define to 1 if you have the <spawn.h> header file. */ /* Define to 1 if you have the <spawn.h> header file. */
#undef HAVE_SPAWN_H #undef HAVE_SPAWN_H

configure vendored

@@ -791,6 +791,7 @@ CPPFLAGS
PROGS PROGS
CFLAGS CFLAGS
LIBTOOL LIBTOOL
HAVE_SOLARIS_AUDIT
HAVE_BSM_AUDIT HAVE_BSM_AUDIT
target_alias target_alias
host_alias host_alias
@@ -841,6 +842,7 @@ with_rpath
with_blibpath with_blibpath
with_bsm_audit with_bsm_audit
with_linux_audit with_linux_audit
with_solaris_audit
with_sssd with_sssd
with_sssd_lib with_sssd_lib
with_incpath with_incpath
@@ -1628,6 +1630,7 @@ Optional Packages:
--with-blibpath=PATH deprecated --with-blibpath=PATH deprecated
--with-bsm-audit enable BSM audit support --with-bsm-audit enable BSM audit support
--with-linux-audit enable Linux audit support --with-linux-audit enable Linux audit support
--with-solaris-audit enable Solaris audit support
--with-sssd enable SSSD support --with-sssd enable SSSD support
--with-sssd-lib path to the SSSD library --with-sssd-lib path to the SSSD library
--with-incpath additional places to look for include files --with-incpath additional places to look for include files
@@ -2974,6 +2977,7 @@ $as_echo "$as_me: Configuring Sudo version $PACKAGE_VERSION" >&6;}
# #
@@ -3998,6 +4002,22 @@ fi
# Check whether --with-solaris-audit was given.
if test "${with_solaris_audit+set}" = set; then :
withval=$with_solaris_audit; case $with_solaris_audit in
yes) $as_echo "#define HAVE_SOLARIS_AUDIT 1" >>confdefs.h
SUDOERS_LIBS="${SUDOERS_LIBS} -lbsm"
SUDOERS_OBJS="${SUDOERS_OBJS} solaris_audit.lo"
;;
no) ;;
*) as_fn_error $? "\"--with-solaris-audit does not take an argument.\"" "$LINENO" 5
;;
esac
fi
# Check whether --with-sssd was given. # Check whether --with-sssd was given.
if test "${with_sssd+set}" = set; then : if test "${with_sssd+set}" = set; then :
withval=$with_sssd; case $with_sssd in withval=$with_sssd; case $with_sssd in
@@ -24920,5 +24940,6 @@ fi


@@ -15,6 +15,7 @@ dnl
dnl Variables that get substituted in the Makefile and man pages dnl Variables that get substituted in the Makefile and man pages
dnl dnl
AC_SUBST([HAVE_BSM_AUDIT]) AC_SUBST([HAVE_BSM_AUDIT])
AC_SUBST([HAVE_SOLARIS_AUDIT])
AC_SUBST([SHELL]) AC_SUBST([SHELL])
AC_SUBST([LIBTOOL]) AC_SUBST([LIBTOOL])
AC_SUBST([CFLAGS]) AC_SUBST([CFLAGS])
@@ -331,6 +332,20 @@ AC_ARG_WITH(linux-audit, [AS_HELP_STRING([--with-linux-audit], [enable Linux aud
;; ;;
esac]) esac])
dnl
dnl Handle Solaris auditing support.
dnl
AC_ARG_WITH(solaris-audit, [AS_HELP_STRING([--with-solaris-audit], [enable Solaris audit support])],
[case $with_solaris_audit in
yes) AC_DEFINE(HAVE_SOLARIS_AUDIT)
SUDOERS_LIBS="${SUDOERS_LIBS} -lbsm"
SUDOERS_OBJS="${SUDOERS_OBJS} solaris_audit.lo"
;;
no) ;;
*) AC_MSG_ERROR(["--with-solaris-audit does not take an argument."])
;;
esac])
dnl dnl
dnl Handle SSSD support. dnl Handle SSSD support.
dnl dnl
@@ -3924,6 +3939,7 @@ AH_TEMPLATE(HAVE_SHL_LOAD, [Define to 1 if you have the `shl_load' function.])
AH_TEMPLATE(HAVE_SKEY, [Define to 1 if you use S/Key.]) AH_TEMPLATE(HAVE_SKEY, [Define to 1 if you use S/Key.])
AH_TEMPLATE(HAVE_SKEYACCESS, [Define to 1 if your S/Key library has skeyaccess().]) AH_TEMPLATE(HAVE_SKEYACCESS, [Define to 1 if your S/Key library has skeyaccess().])
AH_TEMPLATE(HAVE_RFC1938_SKEYCHALLENGE, [Define to 1 if the skeychallenge() function is RFC1938-compliant and takes 4 arguments.]) AH_TEMPLATE(HAVE_RFC1938_SKEYCHALLENGE, [Define to 1 if the skeychallenge() function is RFC1938-compliant and takes 4 arguments.])
AH_TEMPLATE(HAVE_SOLARIS_AUDIT, [Define to 1 to enable Solaris audit support.])
AH_TEMPLATE(HAVE_ST__TIM, [Define to 1 if your struct stat uses an st__tim union.]) AH_TEMPLATE(HAVE_ST__TIM, [Define to 1 if your struct stat uses an st__tim union.])
AH_TEMPLATE(HAVE_ST_MTIM, [Define to 1 if your struct stat has an st_mtim member.]) AH_TEMPLATE(HAVE_ST_MTIM, [Define to 1 if your struct stat has an st_mtim member.])
AH_TEMPLATE(HAVE_ST_MTIMESPEC, [Define to 1 if your struct stat has an st_mtimespec member.]) AH_TEMPLATE(HAVE_ST_MTIMESPEC, [Define to 1 if your struct stat has an st_mtimespec member.])
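Review bot: The yes) branch of the new --with-solaris-audit case defines HAVE_SOLARIS_AUDIT and appends -lbsm without any AC_CHECK_HEADER([bsm/adt.h]) or AC_CHECK_LIB probe, so a host whose libbsm lacks the ADT API only fails deep inside the compile of solaris_audit.c instead of at configure time. A probe such as `AC_CHECK_LIB([bsm], [adt_start_session], [], [AC_MSG_ERROR([libbsm with adt_start_session is required for --with-solaris-audit])])` inside that branch gives a clear failure. If --with-bsm-audit also links libbsm, as its name suggests, it is worth deciding whether the two options may be enabled together; if they are meant to be exclusive, reject the combination here rather than letting one command produce two audit records.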


@@ -67,7 +67,7 @@ sub mkdep {
$makefile =~ s:\@DEV\@::g; $makefile =~ s:\@DEV\@::g;
$makefile =~ s:\@COMMON_OBJS\@:aix.lo event_poll.lo event_select.lo:; $makefile =~ s:\@COMMON_OBJS\@:aix.lo event_poll.lo event_select.lo:;
$makefile =~ s:\@SUDO_OBJS\@:openbsd.o preload.o selinux.o sesh.o solaris.o sudo_noexec.lo:; $makefile =~ s:\@SUDO_OBJS\@:openbsd.o preload.o selinux.o sesh.o solaris.o sudo_noexec.lo:;
$makefile =~ s:\@SUDOERS_OBJS\@:bsm_audit.lo linux_audit.lo ldap.lo sssd.lo:; $makefile =~ s:\@SUDOERS_OBJS\@:bsm_audit.lo linux_audit.lo ldap.lo solaris_audit.lo sssd.lo:;
# XXX - fill in AUTH_OBJS from contents of the auth dir instead # XXX - fill in AUTH_OBJS from contents of the auth dir instead
$makefile =~ s:\@AUTH_OBJS\@:afs.lo aix_auth.lo bsdauth.lo dce.lo fwtk.lo getspwuid.lo kerb5.lo pam.lo passwd.lo rfc1938.lo secureware.lo securid5.lo sia.lo:; $makefile =~ s:\@AUTH_OBJS\@:afs.lo aix_auth.lo bsdauth.lo dce.lo fwtk.lo getspwuid.lo kerb5.lo pam.lo passwd.lo rfc1938.lo secureware.lo securid5.lo sia.lo:;
$makefile =~ s:\@LTLIBOBJS\@:clock_gettime.lo closefrom.lo fnmatch.lo getaddrinfo.lo getcwd.lo getgrouplist.lo getline.lo getopt_long.lo glob.lo isblank.lo memrchr.lo memset_s.lo mksiglist.lo mksigname.lo mktemp.lo pw_dup.lo sha2.lo sig2str.lo siglist.lo signame.lo snprintf.lo strlcat.lo strlcpy.lo strsignal.lo strtonum.lo utimes.lo globtest.o fnm_test.o inet_pton:; $makefile =~ s:\@LTLIBOBJS\@:clock_gettime.lo closefrom.lo fnmatch.lo getaddrinfo.lo getcwd.lo getgrouplist.lo getline.lo getopt_long.lo glob.lo isblank.lo memrchr.lo memset_s.lo mksiglist.lo mksigname.lo mktemp.lo pw_dup.lo sha2.lo sig2str.lo siglist.lo signame.lo snprintf.lo strlcat.lo strlcpy.lo strsignal.lo strtonum.lo utimes.lo globtest.o fnm_test.o inet_pton:;


@@ -463,7 +463,8 @@ alias.lo: $(srcdir)/alias.c $(devdir)/def_data.h $(devdir)/gram.h \
$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/alias.c $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/alias.c
audit.lo: $(srcdir)/audit.c $(incdir)/compat/stdbool.h $(incdir)/gettext.h \ audit.lo: $(srcdir)/audit.c $(incdir)/compat/stdbool.h $(incdir)/gettext.h \
$(incdir)/missing.h $(incdir)/sudo_debug.h $(srcdir)/bsm_audit.h \ $(incdir)/missing.h $(incdir)/sudo_debug.h $(srcdir)/bsm_audit.h \
$(srcdir)/linux_audit.h $(srcdir)/logging.h $(top_builddir)/config.h $(srcdir)/linux_audit.h $(srcdir)/logging.h \
$(srcdir)/solaris_audit.h $(top_builddir)/config.h
$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/audit.c $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/audit.c
base64.lo: $(srcdir)/base64.c $(incdir)/missing.h $(incdir)/sudo_debug.h \ base64.lo: $(srcdir)/base64.c $(incdir)/missing.h $(incdir)/sudo_debug.h \
$(top_builddir)/config.h $(top_builddir)/config.h
@@ -809,6 +810,16 @@ sia.lo: $(authdir)/sia.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \
$(srcdir)/logging.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ $(srcdir)/logging.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
$(top_builddir)/config.h $(top_builddir)/pathnames.h $(top_builddir)/config.h $(top_builddir)/pathnames.h
$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(authdir)/sia.c $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(authdir)/sia.c
solaris_audit.lo: $(srcdir)/solaris_audit.c $(devdir)/def_data.h \
$(incdir)/compat/stdbool.h $(incdir)/fatal.h \
$(incdir)/gettext.h $(incdir)/missing.h $(incdir)/queue.h \
$(incdir)/sudo_alloc.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_util.h \
$(srcdir)/defaults.h $(srcdir)/logging.h \
$(srcdir)/solaris_audit.h $(srcdir)/sudo_nss.h \
$(srcdir)/sudoers.h $(top_builddir)/config.h \
$(top_builddir)/pathnames.h
$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/solaris_audit.c
sssd.lo: $(srcdir)/sssd.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ sssd.lo: $(srcdir)/sssd.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \
$(incdir)/fatal.h $(incdir)/gettext.h $(incdir)/missing.h \ $(incdir)/fatal.h $(incdir)/gettext.h $(incdir)/missing.h \
$(incdir)/queue.h $(incdir)/sudo_alloc.h $(incdir)/sudo_debug.h \ $(incdir)/queue.h $(incdir)/sudo_alloc.h $(incdir)/sudo_debug.h \


@@ -46,6 +46,9 @@
#ifdef HAVE_LINUX_AUDIT #ifdef HAVE_LINUX_AUDIT
# include "linux_audit.h" # include "linux_audit.h"
#endif #endif
#ifdef HAVE_SOLARIS_AUDIT
# include "solaris_audit.h"
#endif
int int
audit_success(int argc, char *argv[]) audit_success(int argc, char *argv[])
@@ -61,6 +64,10 @@ audit_success(int argc, char *argv[])
#ifdef HAVE_LINUX_AUDIT #ifdef HAVE_LINUX_AUDIT
if (linux_audit_command(argv, 1) == -1) if (linux_audit_command(argv, 1) == -1)
rc = -1; rc = -1;
#endif
#ifdef HAVE_SOLARIS_AUDIT
if (solaris_audit_success(argc, argv) == -1)
rc = -1;
#endif #endif
} }
@@ -93,6 +100,12 @@ audit_failure(int argc, char *argv[], char const *const fmt, ...)
rc = -1; rc = -1;
va_end(ap); va_end(ap);
#endif #endif
#ifdef HAVE_SOLARIS_AUDIT
va_start(ap, fmt);
if (solaris_audit_failure(argc, argv, _(fmt), ap) == -1)
rc = -1;
va_end(ap);
#endif
sudoers_setlocale(oldlocale, NULL); sudoers_setlocale(oldlocale, NULL);
} }


@@ -0,0 +1,124 @@
/*
* Copyright (c) 2014, Oracle and/or its affiliates.
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <config.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <bsm/adt.h>
#include <bsm/adt_event.h>
#include "sudoers.h"
#include "sudo_debug.h"
#include "solaris_audit.h"
static adt_session_data_t *ah; /* audit session handle */
static adt_event_data_t *event; /* event to be generated */
static char cwd[MAXPATHLEN];
static char cmdpath[PATH_MAX];
static int
adt_sudo_common(int argc, char *argv[])
{
if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA) != 0) {
log_warning(SLOG_NO_STDERR, "adt_start_session");
return -1;
}
if ((event = adt_alloc_event(ah, ADT_sudo)) == NULL) {
log_warning(SLOG_NO_STDERR, "alloc_event");
(void) adt_end_session(ah);
return -1;
}
if ((event->adt_sudo.cwdpath = getcwd(cwd, sizeof(cwd))) == NULL) {
log_warning(SLOG_NO_STDERR, _("unable to get current working directory"));
}
/* get the real executable name */
if (user_cmnd != NULL) {
if (strlcpy(cmdpath, (const char *)user_cmnd,
sizeof(cmdpath)) >= sizeof(cmdpath)) {
log_warningx(SLOG_NO_STDERR,
_("truncated audit path user_cmnd: %s"),
user_cmnd);
}
} else {
if (strlcpy(cmdpath, (const char *)argv[0],
sizeof(cmdpath)) >= sizeof(cmdpath)) {
log_warningx(SLOG_NO_STDERR,
_("truncated audit path argv[0]: %s"),
argv[0]);
}
}
event->adt_sudo.cmdpath = cmdpath;
event->adt_sudo.argc = argc - 1;
event->adt_sudo.argv = &argv[1];
event->adt_sudo.envp = env_get();
return 0;
}
/*
* Returns 0 on success or -1 on error.
*/
int
solaris_audit_success(int argc, char *argv[])
{
int rc = -1;
if (adt_sudo_common(argc, argv) != 0) {
return -1;
}
if (adt_put_event(event, ADT_SUCCESS, ADT_SUCCESS) != 0) {
log_warning(SLOG_NO_STDERR, "adt_put_event(ADT_SUCCESS)");
} else {
rc = 0;
}
adt_free_event(event);
(void) adt_end_session(ah);
return rc;
}
/*
* Returns 0 on success or -1 on error.
*/
int
solaris_audit_failure(int argc, char *argv[], char const *const fmt, va_list ap)
{
int rc = -1;
if (adt_sudo_common(argc, argv) != 0) {
return -1;
}
if (vasprintf(&event->adt_sudo.errmsg, fmt, ap) == -1) {
log_warning(SLOG_NO_STDERR,
_("audit_failure message too long"));
}
if (adt_put_event(event, ADT_FAILURE, ADT_FAIL_VALUE_PROGRAM) != 0) {
log_warning(SLOG_NO_STDERR, "adt_put_event(ADT_FAILURE)");
} else {
rc = 0;
}
free(event->adt_sudo.errmsg);
adt_free_event(event);
(void) adt_end_session(ah);
return 0;
}
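Review bot: solaris_audit_failure ends with `return 0;` even when adt_put_event() failed, although the comment above it promises -1 on error and audit.c only propagates a failure when it sees -1; the last line should be `return rc;`, as solaris_audit_success already does. The vasprintf() failure branch also leaves event->adt_sudo.errmsg holding whatever the allocator left there (indeterminate on failure with common libcs) and then hands it to free(); set `event->adt_sudo.errmsg = NULL;` in that branch so the cleanup stays safe, and the warning text "audit_failure message too long" misdescribes what is an allocation failure. The argv[0] fallback in adt_sudo_common presumably assumes argc >= 1 — a guard or a comment stating that precondition would help if any caller can pass an empty argv.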


@@ -0,0 +1,23 @@
/*
* Copyright (c) 2014, Oracle and/or its affiliates.
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#ifndef _SUDOERS_SOLARIS_AUDIT_H
#define _SUDOERS_SOLARIS_AUDIT_H
int solaris_audit_success(int argc, char *argv[]);
int solaris_audit_failure(int argc, char *argv[], char const *const fmt, va_list);
#endif /* _SUDOERS_SOLARIS_AUDIT_H */
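Review bot: The solaris_audit_failure prototype uses va_list but the header includes nothing, so it compiles only when the including file happened to pull in <stdarg.h> first (audit.c and solaris_audit.c do, so the bug is latent); add `#include <stdarg.h>` right after the guard so the header stands on its own. A one-line comment on each prototype stating the 0/-1 return contract, which solaris_audit.c documents only at the definitions, would also help callers.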