isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add Solaris audit support; from Gary Winiger at Oracle.

Browse Source
This commit is contained in:
Todd C. Miller
2014-06-27 16:01:40 -06:00
parent 6df6404113
commit 18dbc52e4b
10 changed files with 218 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
INSTALL
View File

@@ -400,6 +400,9 @@ Authentication options:
the user name (separated by a slash) when creating the
principal name.
--with-solaris-audit
Enable audit support for Solaris systems.
--with-opie[=DIR]
Enable NRL OPIE OTP (One Time Password) support. If specified,
DIR should contain include and lib directories with opie.h

2
MANIFEST
View File

@@ -422,6 +422,8 @@ plugins/sudoers/regress/visudo/test4.sh
plugins/sudoers/regress/visudo/test5.out.ok
plugins/sudoers/regress/visudo/test5.sh
plugins/sudoers/set_perms.c
plugins/sudoers/solaris_audit.c
plugins/sudoers/solaris_audit.h
plugins/sudoers/sssd.c
plugins/sudoers/sudo_nss.c
plugins/sudoers/sudo_nss.h

3
config.h.in
View File

@@ -548,6 +548,9 @@
/* Define to 1 if you have the `snprintf' function. */
#undef HAVE_SNPRINTF
/* Define to 1 to enable Solaris audit support. */
#undef HAVE_SOLARIS_AUDIT
/* Define to 1 if you have the <spawn.h> header file. */
#undef HAVE_SPAWN_H

21
configure vendored
View File

@@ -791,6 +791,7 @@ CPPFLAGS
PROGS
CFLAGS
LIBTOOL
HAVE_SOLARIS_AUDIT
HAVE_BSM_AUDIT
target_alias
host_alias
@@ -841,6 +842,7 @@ with_rpath
with_blibpath
with_bsm_audit
with_linux_audit
with_solaris_audit
with_sssd
with_sssd_lib
with_incpath
@@ -1628,6 +1630,7 @@ Optional Packages:
--with-blibpath=PATH deprecated
--with-bsm-audit enable BSM audit support
--with-linux-audit enable Linux audit support
--with-solaris-audit enable Solaris audit support
--with-sssd enable SSSD support
--with-sssd-lib path to the SSSD library
--with-incpath additional places to look for include files
@@ -2974,6 +2977,7 @@ $as_echo "$as_me: Configuring Sudo version $PACKAGE_VERSION" >&6;}
#
@@ -3998,6 +4002,22 @@ fi
# Check whether --with-solaris-audit was given.
if test "${with_solaris_audit+set}" = set; then :
withval=$with_solaris_audit; case $with_solaris_audit in
yes) $as_echo "#define HAVE_SOLARIS_AUDIT 1" >>confdefs.h
SUDOERS_LIBS="${SUDOERS_LIBS} -lbsm"
SUDOERS_OBJS="${SUDOERS_OBJS} solaris_audit.lo"
;;
no) ;;
*) as_fn_error $? "\"--with-solaris-audit does not take an argument.\"" "$LINENO" 5
;;
esac
fi
# Check whether --with-sssd was given.
if test "${with_sssd+set}" = set; then :
withval=$with_sssd; case $with_sssd in
@@ -24920,5 +24940,6 @@ fi

16
configure.ac
View File

@@ -15,6 +15,7 @@ dnl
dnl Variables that get substituted in the Makefile and man pages
dnl
AC_SUBST([HAVE_BSM_AUDIT])
AC_SUBST([HAVE_SOLARIS_AUDIT])
AC_SUBST([SHELL])
AC_SUBST([LIBTOOL])
AC_SUBST([CFLAGS])
@@ -331,6 +332,20 @@ AC_ARG_WITH(linux-audit, [AS_HELP_STRING([--with-linux-audit], [enable Linux aud
;;
esac])
dnl
dnl Handle Solaris auditing support.
dnl
AC_ARG_WITH(solaris-audit, [AS_HELP_STRING([--with-solaris-audit], [enable Solaris audit support])],
[case $with_solaris_audit in
yes) AC_DEFINE(HAVE_SOLARIS_AUDIT)
SUDOERS_LIBS="${SUDOERS_LIBS} -lbsm"
SUDOERS_OBJS="${SUDOERS_OBJS} solaris_audit.lo"
;;
no) ;;
*) AC_MSG_ERROR(["--with-solaris-audit does not take an argument."])
;;
esac])
dnl
dnl Handle SSSD support.
dnl
@@ -3924,6 +3939,7 @@ AH_TEMPLATE(HAVE_SHL_LOAD, [Define to 1 if you have the `shl_load' function.])
AH_TEMPLATE(HAVE_SKEY, [Define to 1 if you use S/Key.])
AH_TEMPLATE(HAVE_SKEYACCESS, [Define to 1 if your S/Key library has skeyaccess().])
AH_TEMPLATE(HAVE_RFC1938_SKEYCHALLENGE, [Define to 1 if the skeychallenge() function is RFC1938-compliant and takes 4 arguments.])
AH_TEMPLATE(HAVE_SOLARIS_AUDIT, [Define to 1 to enable Solaris audit support.])
AH_TEMPLATE(HAVE_ST__TIM, [Define to 1 if your struct stat uses an st__tim union.])
AH_TEMPLATE(HAVE_ST_MTIM, [Define to 1 if your struct stat has an st_mtim member.])
AH_TEMPLATE(HAVE_ST_MTIMESPEC, [Define to 1 if your struct stat has an st_mtimespec member.])

2
mkdep.pl
View File

@@ -67,7 +67,7 @@ sub mkdep {
$makefile =~ s:\@DEV\@::g;
$makefile =~ s:\@COMMON_OBJS\@:aix.lo event_poll.lo event_select.lo:;
$makefile =~ s:\@SUDO_OBJS\@:openbsd.o preload.o selinux.o sesh.o solaris.o sudo_noexec.lo:;
$makefile =~ s:\@SUDOERS_OBJS\@:bsm_audit.lo linux_audit.lo ldap.lo sssd.lo:;
$makefile =~ s:\@SUDOERS_OBJS\@:bsm_audit.lo linux_audit.lo ldap.lo solaris_audit.lo sssd.lo:;
# XXX - fill in AUTH_OBJS from contents of the auth dir instead
$makefile =~ s:\@AUTH_OBJS\@:afs.lo aix_auth.lo bsdauth.lo dce.lo fwtk.lo getspwuid.lo kerb5.lo pam.lo passwd.lo rfc1938.lo secureware.lo securid5.lo sia.lo:;
$makefile =~ s:\@LTLIBOBJS\@:clock_gettime.lo closefrom.lo fnmatch.lo getaddrinfo.lo getcwd.lo getgrouplist.lo getline.lo getopt_long.lo glob.lo isblank.lo memrchr.lo memset_s.lo mksiglist.lo mksigname.lo mktemp.lo pw_dup.lo sha2.lo sig2str.lo siglist.lo signame.lo snprintf.lo strlcat.lo strlcpy.lo strsignal.lo strtonum.lo utimes.lo globtest.o fnm_test.o inet_pton:;

13
plugins/sudoers/Makefile.in
View File

@@ -463,7 +463,8 @@ alias.lo: $(srcdir)/alias.c $(devdir)/def_data.h $(devdir)/gram.h \
$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/alias.c
audit.lo: $(srcdir)/audit.c $(incdir)/compat/stdbool.h $(incdir)/gettext.h \
$(incdir)/missing.h $(incdir)/sudo_debug.h $(srcdir)/bsm_audit.h \
$(srcdir)/linux_audit.h $(srcdir)/logging.h $(top_builddir)/config.h
$(srcdir)/linux_audit.h $(srcdir)/logging.h \
$(srcdir)/solaris_audit.h $(top_builddir)/config.h
$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/audit.c
base64.lo: $(srcdir)/base64.c $(incdir)/missing.h $(incdir)/sudo_debug.h \
$(top_builddir)/config.h
@@ -809,6 +810,16 @@ sia.lo: $(authdir)/sia.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \
$(srcdir)/logging.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
$(top_builddir)/config.h $(top_builddir)/pathnames.h
$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(authdir)/sia.c
solaris_audit.lo: $(srcdir)/solaris_audit.c $(devdir)/def_data.h \
$(incdir)/compat/stdbool.h $(incdir)/fatal.h \
$(incdir)/gettext.h $(incdir)/missing.h $(incdir)/queue.h \
$(incdir)/sudo_alloc.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_util.h \
$(srcdir)/defaults.h $(srcdir)/logging.h \
$(srcdir)/solaris_audit.h $(srcdir)/sudo_nss.h \
$(srcdir)/sudoers.h $(top_builddir)/config.h \
$(top_builddir)/pathnames.h
$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/solaris_audit.c
sssd.lo: $(srcdir)/sssd.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \
$(incdir)/fatal.h $(incdir)/gettext.h $(incdir)/missing.h \
$(incdir)/queue.h $(incdir)/sudo_alloc.h $(incdir)/sudo_debug.h \

13
plugins/sudoers/audit.c
View File

@@ -46,6 +46,9 @@
#ifdef HAVE_LINUX_AUDIT
# include "linux_audit.h"
#endif
#ifdef HAVE_SOLARIS_AUDIT
# include "solaris_audit.h"
#endif
int
audit_success(int argc, char *argv[])
@@ -61,6 +64,10 @@ audit_success(int argc, char *argv[])
#ifdef HAVE_LINUX_AUDIT
if (linux_audit_command(argv, 1) == -1)
rc = -1;
#endif
#ifdef HAVE_SOLARIS_AUDIT
if (solaris_audit_success(argc, argv) == -1)
rc = -1;
#endif
}
@@ -93,6 +100,12 @@ audit_failure(int argc, char *argv[], char const *const fmt, ...)
rc = -1;
va_end(ap);
#endif
#ifdef HAVE_SOLARIS_AUDIT
va_start(ap, fmt);
if (solaris_audit_failure(argc, argv, _(fmt), ap) == -1)
rc = -1;
va_end(ap);
#endif
sudoers_setlocale(oldlocale, NULL);
}

124
plugins/sudoers/solaris_audit.c Normal file
View File

@@ -0,0 +1,124 @@
/*
* Copyright (c) 2014, Oracle and/or its affiliates.
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <config.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <bsm/adt.h>
#include <bsm/adt_event.h>
#include "sudoers.h"
#include "sudo_debug.h"
#include "solaris_audit.h"
static adt_session_data_t *ah; /* audit session handle */
static adt_event_data_t *event; /* event to be generated */
static char cwd[MAXPATHLEN];
static char cmdpath[PATH_MAX];
static int
adt_sudo_common(int argc, char *argv[])
{
if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA) != 0) {
log_warning(SLOG_NO_STDERR, "adt_start_session");
return -1;
}
if ((event = adt_alloc_event(ah, ADT_sudo)) == NULL) {
log_warning(SLOG_NO_STDERR, "alloc_event");
(void) adt_end_session(ah);
return -1;
}
if ((event->adt_sudo.cwdpath = getcwd(cwd, sizeof(cwd))) == NULL) {
log_warning(SLOG_NO_STDERR, _("unable to get current working directory"));
}
/* get the real executable name */
if (user_cmnd != NULL) {
if (strlcpy(cmdpath, (const char *)user_cmnd,
sizeof(cmdpath)) >= sizeof(cmdpath)) {
log_warningx(SLOG_NO_STDERR,
_("truncated audit path user_cmnd: %s"),
user_cmnd);
}
} else {
if (strlcpy(cmdpath, (const char *)argv[0],
sizeof(cmdpath)) >= sizeof(cmdpath)) {
log_warningx(SLOG_NO_STDERR,
_("truncated audit path argv[0]: %s"),
argv[0]);
}
}
event->adt_sudo.cmdpath = cmdpath;
event->adt_sudo.argc = argc - 1;
event->adt_sudo.argv = &argv[1];
event->adt_sudo.envp = env_get();
return 0;
}
/*
* Returns 0 on success or -1 on error.
*/
int
solaris_audit_success(int argc, char *argv[])
{
int rc = -1;
if (adt_sudo_common(argc, argv) != 0) {
return -1;
}
if (adt_put_event(event, ADT_SUCCESS, ADT_SUCCESS) != 0) {
log_warning(SLOG_NO_STDERR, "adt_put_event(ADT_SUCCESS)");
} else {
rc = 0;
}
adt_free_event(event);
(void) adt_end_session(ah);
return rc;
}
/*
* Returns 0 on success or -1 on error.
*/
int
solaris_audit_failure(int argc, char *argv[], char const *const fmt, va_list ap)
{
int rc = -1;
if (adt_sudo_common(argc, argv) != 0) {
return -1;
}
if (vasprintf(&event->adt_sudo.errmsg, fmt, ap) == -1) {
log_warning(SLOG_NO_STDERR,
_("audit_failure message too long"));
}
if (adt_put_event(event, ADT_FAILURE, ADT_FAIL_VALUE_PROGRAM) != 0) {
log_warning(SLOG_NO_STDERR, "adt_put_event(ADT_FAILURE)");
} else {
rc = 0;
}
free(event->adt_sudo.errmsg);
adt_free_event(event);
(void) adt_end_session(ah);
return 0;
}

23
plugins/sudoers/solaris_audit.h Normal file
View File

@@ -0,0 +1,23 @@
/*
* Copyright (c) 2014, Oracle and/or its affiliates.
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#ifndef _SUDOERS_SOLARIS_AUDIT_H
#define _SUDOERS_SOLARIS_AUDIT_H
int solaris_audit_success(int argc, char *argv[]);
int solaris_audit_failure(int argc, char *argv[], char const *const fmt, va_list);
#endif /* _SUDOERS_SOLARIS_AUDIT_H */