isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Propagate errors in audit code to caller instead of using fatal().

Browse Source 
If we fail to audit an otherwise successful command, return an error
from the policy.  For Linux audit, sudo may be compiled with audit
support but auditing may not be setup, so we don't consider that
an error.
This commit is contained in:
Todd C. Miller
2014-03-26 13:00:56 -06:00
parent 7d7f9cb55a
commit 2220f55aef
6 changed files with 150 additions and 85 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
plugins/sudoers/audit.c
View File

@@ -47,28 +47,30 @@
# include "linux_audit.h"
#endif
void
int
audit_success(char *exec_args[])
{
int rc = 0;
debug_decl(audit_success, SUDO_DEBUG_AUDIT)
if (exec_args != NULL) {
#ifdef HAVE_BSM_AUDIT
bsm_audit_success(exec_args);
rc = bsm_audit_success(exec_args);
#endif
#ifdef HAVE_LINUX_AUDIT
linux_audit_command(exec_args, 1);
rc = linux_audit_command(exec_args, 1);
#endif
}
debug_return;
debug_return_int(rc);
}
void
int
audit_failure(char *exec_args[], char const *const fmt, ...)
{
va_list ap;
int oldlocale;
int rc = 0;
debug_decl(audit_success, SUDO_DEBUG_AUDIT)
/* Audit error messages should be in the sudoers locale. */
@@ -77,15 +79,15 @@ audit_failure(char *exec_args[], char const *const fmt, ...)
if (exec_args != NULL) {
va_start(ap, fmt);
#ifdef HAVE_BSM_AUDIT
bsm_audit_failure(exec_args, _(fmt), ap);
rc = bsm_audit_failure(exec_args, _(fmt), ap);
#endif
#ifdef HAVE_LINUX_AUDIT
linux_audit_command(exec_args, 0);
rc = linux_audit_command(exec_args, 0);
#endif
va_end(ap);
}
sudoers_setlocale(oldlocale, NULL);
debug_return;
debug_return_int(rc);
}

168
plugins/sudoers/bsm_audit.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright (c) 2009-2013 Todd C. Miller <Todd.Miller@courtesan.com>
* Copyright (c) 2009-2014 Todd C. Miller <Todd.Miller@courtesan.com>
* Copyright (c) 2009 Christian S.J. Peron
*
* Permission to use, copy, modify, and distribute this software for any
@@ -49,29 +49,37 @@
#endif
static int
audit_sudo_selected(int sf)
audit_sudo_selected(int sorf)
{
auditinfo_addr_t ainfo_addr;
struct au_mask *mask;
auditinfo_t ainfo;
int rc, sorf;
int rc;
debug_decl(audit_sudo_selected, SUDO_DEBUG_AUDIT)
if (getaudit_addr(&ainfo_addr, sizeof(ainfo_addr)) < 0) {
if (errno == ENOSYS) {
if (getaudit(&ainfo) < 0)
fatal("getaudit");
auditinfo_t ainfo;
/* Fall back to older BSM API. */
if (getaudit(&ainfo) < 0) {
warning("getaudit");
debug_return_int(-1);
}
mask = &ainfo.ai_mask;
} else
fatal("getaudit");
} else
} else {
warning("getaudit_addr");
debug_return_int(-1);
}
} else {
mask = &ainfo_addr.ai_mask;
sorf = (sf == 0) ? AU_PRS_SUCCESS : AU_PRS_FAILURE;
}
rc = au_preselect(AUE_sudo, mask, sorf, AU_PRS_REREAD);
debug_return_int(rc);
}
void
/*
* Returns 0 on success or -1 on error.
*/
int
bsm_audit_success(char **exec_args)
{
auditinfo_addr_t ainfo_addr;
@@ -79,31 +87,37 @@ bsm_audit_success(char **exec_args)
token_t *tok;
au_id_t auid;
long au_cond;
int aufd;
int aufd, selected;
pid_t pid;
debug_decl(bsm_audit_success, SUDO_DEBUG_AUDIT)
pid = getpid();
/*
* If we are not auditing, don't cut an audit record; just return.
*/
if (auditon(A_GETCOND, (caddr_t)&au_cond, sizeof(long)) < 0) {
if (errno == AUDIT_NOT_CONFIGURED)
return;
fatal(U_("Could not determine audit condition"));
debug_return_int(0);
warning(U_("Could not determine audit condition"));
debug_return_int(-1);
}
if (au_cond == AUC_NOAUDIT)
debug_return;
debug_return_int(0);
/*
* Check to see if the preselection masks are interested in seeing
* this event.
*/
if (!audit_sudo_selected(0))
debug_return;
if (getauid(&auid) < 0)
fatal("getauid");
if ((aufd = au_open()) == -1)
fatal("au_open");
selected = audit_sudo_selected(AU_PRS_SUCCESS);
if (selected != 1)
debug_return_int(!selected ? 0 : -1);
if (getauid(&auid) < 0) {
warning("getauid");
debug_return_int(-1);
}
if ((aufd = au_open()) == -1) {
warning("au_open");
debug_return_int(-1);
}
pid = getpid();
if (getaudit_addr(&ainfo_addr, sizeof(ainfo_addr)) == 0) {
tok = au_to_subject_ex(auid, geteuid(), getegid(), getuid(),
getuid(), pid, pid, &ainfo_addr.ai_termid);
@@ -111,33 +125,49 @@ bsm_audit_success(char **exec_args)
/*
* NB: We should probably watch out for ERANGE here.
*/
if (getaudit(&ainfo) < 0)
fatal("getaudit");
if (getaudit(&ainfo) < 0) {
warning("getaudit");
debug_return_int(-1);
}
tok = au_to_subject(auid, geteuid(), getegid(), getuid(),
getuid(), pid, pid, &ainfo.ai_termid);
} else
fatal("getaudit");
if (tok == NULL)
fatal("au_to_subject");
} else {
warning("getaudit_addr");
debug_return_int(-1);
}
if (tok == NULL) {
warning("au_to_subject");
debug_return_int(-1);
}
au_write(aufd, tok);
tok = au_to_exec_args(exec_args);
if (tok == NULL)
fatal("au_to_exec_args");
if (tok == NULL) {
warning("au_to_exec_args");
debug_return_int(-1);
}
au_write(aufd, tok);
tok = au_to_return32(0, 0);
if (tok == NULL)
fatal("au_to_return32");
if (tok == NULL) {
warning("au_to_return32");
debug_return_int(-1);
}
au_write(aufd, tok);
#ifdef __sun
if (au_close(aufd, 1, AUE_sudo, 0) == -1)
#else
if (au_close(aufd, 1, AUE_sudo) == -1)
#endif
fatal(U_("unable to commit audit record"));
debug_return;
{
warning(U_("unable to commit audit record"));
debug_return_int(-1);
}
debug_return_int(0);
}
void
/*
* Returns 0 on success or -1 on error.
*/
int
bsm_audit_failure(char **exec_args, char const *const fmt, va_list ap)
{
auditinfo_addr_t ainfo_addr;
@@ -150,54 +180,74 @@ bsm_audit_failure(char **exec_args, char const *const fmt, va_list ap)
int aufd;
debug_decl(bsm_audit_success, SUDO_DEBUG_AUDIT)
pid = getpid();
/*
* If we are not auditing, don't cut an audit record; just return.
*/
if (auditon(A_GETCOND, (caddr_t)&au_cond, sizeof(long)) < 0) {
if (errno == AUDIT_NOT_CONFIGURED)
debug_return;
fatal(U_("Could not determine audit condition"));
debug_return_int(0);
warning(U_("Could not determine audit condition"));
debug_return_int(-1);
}
if (au_cond == AUC_NOAUDIT)
debug_return;
if (!audit_sudo_selected(1))
debug_return;
if (getauid(&auid) < 0)
fatal("getauid");
if ((aufd = au_open()) == -1)
fatal("au_open");
debug_return_int(0);
if (!audit_sudo_selected(AU_PRS_FAILURE))
debug_return_int(0);
if (getauid(&auid) < 0) {
warning("getauid");
debug_return_int(-1);
}
if ((aufd = au_open()) == -1) {
warning("au_open");
debug_return_int(-1);
}
pid = getpid();
if (getaudit_addr(&ainfo_addr, sizeof(ainfo_addr)) == 0) {
tok = au_to_subject_ex(auid, geteuid(), getegid(), getuid(),
getuid(), pid, pid, &ainfo_addr.ai_termid);
} else if (errno == ENOSYS) {
if (getaudit(&ainfo) < 0)
fatal("getaudit");
if (getaudit(&ainfo) < 0) {
warning("getaudit");
debug_return_int(-1);
}
tok = au_to_subject(auid, geteuid(), getegid(), getuid(),
getuid(), pid, pid, &ainfo.ai_termid);
} else
fatal("getaudit");
if (tok == NULL)
fatal("au_to_subject");
} else {
warning("getaudit_addr");
debug_return_int(-1);
}
if (tok == NULL) {
warning("au_to_subject");
debug_return_int(-1);
}
au_write(aufd, tok);
tok = au_to_exec_args(exec_args);
if (tok == NULL)
fatal("au_to_exec_args");
if (tok == NULL) {
warning("au_to_exec_args");
debug_return_int(-1);
}
au_write(aufd, tok);
(void) vsnprintf(text, sizeof(text), fmt, ap);
tok = au_to_text(text);
if (tok == NULL)
fatal("au_to_text");
if (tok == NULL) {
warning("au_to_text");
debug_return_int(-1);
}
au_write(aufd, tok);
tok = au_to_return32(EPERM, 1);
if (tok == NULL)
fatal("au_to_return32");
if (tok == NULL) {
warning("au_to_return32");
debug_return_int(-1);
}
au_write(aufd, tok);
#ifdef __sun
if (au_close(aufd, 1, AUE_sudo, PAD_FAILURE) == -1)
#else
if (au_close(aufd, 1, AUE_sudo) == -1)
#endif
fatal(U_("unable to commit audit record"));
debug_return;
{
warning(U_("unable to commit audit record"));
debug_return_int(-1);
}
debug_return_int(0);
}

6
plugins/sudoers/bsm_audit.h
View File

@@ -1,5 +1,5 @@
/*
* Copyright (c) 2009-2010, 2013 Todd C. Miller <Todd.Miller@courtesan.com>
* Copyright (c) 2009-2010, 2013-2014 Todd C. Miller <Todd.Miller@courtesan.com>
* Copyright (c) 2009 Christian S.J. Peron
*
* Permission to use, copy, modify, and distribute this software for any
@@ -18,7 +18,7 @@
#ifndef _SUDOERS_BSM_AUDIT_H
#define _SUDOERS_BSM_AUDIT_H
void bsm_audit_success(char **);
void bsm_audit_failure(char **, char const * const, va_list);
int bsm_audit_success(char **);
int bsm_audit_failure(char **, char const * const, va_list);
#endif /* _SUDOERS_BSM_AUDIT_H */

36
plugins/sudoers/linux_audit.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright (c) 2010-2013 Todd C. Miller <Todd.Miller@courtesan.com>
* Copyright (c) 2010-2014 Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -40,12 +40,14 @@
#include "sudo_debug.h"
#include "linux_audit.h"
#define AUDIT_NOT_CONFIGURED -2
/*
* Open audit connection if possible.
* Returns audit fd on success and -1 on failure.
*/
int
static linux_audit_open(void)
static int
linux_audit_open(void)
{
static int au_fd = -1;
debug_decl(linux_audit_open, SUDO_DEBUG_AUDIT)
@@ -55,8 +57,10 @@ static linux_audit_open(void)
au_fd = audit_open();
if (au_fd == -1) {
/* Kernel may not have audit support. */
if (errno != EINVAL && errno != EPROTONOSUPPORT && errno != EAFNOSUPPORT)
fatal(U_("unable to open audit system"));
if (errno != EINVAL && errno != EPROTONOSUPPORT && errno != EAFNOSUPPORT) {
warning(U_("unable to open audit system"));
au_fd == AUDIT_NOT_CONFIGURED;
}
} else {
(void)fcntl(au_fd, F_SETFD, FD_CLOEXEC);
}
@@ -66,13 +70,14 @@ static linux_audit_open(void)
int
linux_audit_command(char *argv[], int result)
{
int au_fd, rc;
int au_fd, rc = -1;
char *command, *cp, **av;
size_t size, n;
debug_decl(linux_audit_command, SUDO_DEBUG_AUDIT)
if ((au_fd = linux_audit_open()) == -1)
debug_return_int(-1);
/* Don't return an error if auditing is not configured. */
if ((au_fd = linux_audit_open()) < 0)
debug_return_int(au_fd == AUDIT_NOT_CONFIGURED ? 0 : -1);
/* Convert argv to a flat string. */
for (size = 0, av = argv; *av != NULL; av++)
@@ -81,8 +86,9 @@ linux_audit_command(char *argv[], int result)
for (av = argv; *av != NULL; av++) {
n = strlcpy(cp, *av, size - (cp - command));
if (n >= size - (cp - command)) {
fatalx(U_("internal error, %s overflow"),
warningx(U_("internal error, %s overflow"),
"linux_audit_command()");
goto done;
}
cp += n;
*cp++ = ' ';
@@ -90,10 +96,16 @@ linux_audit_command(char *argv[], int result)
*--cp = '\0';
/* Log command, ignoring ECONNREFUSED on error. */
rc = audit_log_user_command(au_fd, AUDIT_USER_CMD, command, NULL, result);
if (rc <= 0 && errno != ECONNREFUSED)
warning(U_("unable to send audit message"));
if (audit_log_user_command(au_fd, AUDIT_USER_CMD, command, NULL, result) <= 0) {
if (errno != ECONNREFUSED) {
warning(U_("unable to send audit message"));
goto done;
}
}
rc = 0;
done:
efree(command);
debug_return_int(rc);

4
plugins/sudoers/logging.h
View File

@@ -60,8 +60,8 @@
bool sudoers_setlocale(int newlocale, int *prevlocale);
int sudoers_getlocale(void);
void audit_success(char *exec_args[]);
void audit_failure(char *exec_args[], char const *const fmt, ...) __printflike(2, 3);
int audit_success(char *exec_args[]);
int audit_failure(char *exec_args[], char const *const fmt, ...) __printflike(2, 3);
void log_allowed(int status);
void log_auth_failure(int status, unsigned int tries);
void log_denial(int status, bool inform_user);

3
plugins/sudoers/sudoers.c
View File

@@ -496,7 +496,8 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
}
/* Must audit before uid change. */
audit_success(NewArgv);
if (audit_success(NewArgv) != 0)
goto bad;
/* Setup execution environment to pass back to front-end. */
rval = sudoers_policy_exec_setup(edit_argv ? edit_argv : NewArgv,