isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Only log the run environment for commands that are allowed.

Browse Source 
It may not be available otherwise and unless the command is being
run it has no real meaning.
This commit is contained in:
Todd C. Miller
2023-10-21 19:15:44 -06:00
parent 077826292c
commit 2b87749f8f
2 changed files with 6 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
plugins/sudoers/audit.c
View File

@@ -418,8 +418,7 @@ sudoers_audit_reject(const char *plugin_name, unsigned int plugin_type,
ret = false; ret = false;
} }
audit_to_eventlog(ctx, &evlog, command_info, ctx->runas.argv, env_get(), audit_to_eventlog(ctx, &evlog, command_info, ctx->runas.argv, NULL, NULL);
NULL);
if (!eventlog_reject(&evlog, 0, message, NULL, NULL)) if (!eventlog_reject(&evlog, 0, message, NULL, NULL))
ret = false; ret = false;
@@ -453,8 +452,7 @@ sudoers_audit_error(const char *plugin_name, unsigned int plugin_type,
debug_return_bool(false); debug_return_bool(false);
} }
audit_to_eventlog(ctx, &evlog, command_info, ctx->runas.argv, env_get(), audit_to_eventlog(ctx, &evlog, command_info, ctx->runas.argv, NULL, NULL);
NULL);
if (!eventlog_alert(&evlog, 0, &now, message, NULL)) if (!eventlog_alert(&evlog, 0, &now, message, NULL))
ret = false; ret = false;

8
plugins/sudoers/logging.c
View File

@@ -267,7 +267,7 @@ log_reject(const struct sudoers_context *ctx, const char *message,
SET(evl_flags, EVLOG_MAIL_ONLY); SET(evl_flags, EVLOG_MAIL_ONLY);
} }
sudoers_to_eventlog(ctx, &evlog, ctx->runas.cmnd, ctx->runas.argv, sudoers_to_eventlog(ctx, &evlog, ctx->runas.cmnd, ctx->runas.argv,
env_get(), uuid_str); NULL, uuid_str);
ret = eventlog_reject(&evlog, evl_flags, message, NULL, NULL); ret = eventlog_reject(&evlog, evl_flags, message, NULL, NULL);
if (!log_server_reject(ctx, &evlog, message)) if (!log_server_reject(ctx, &evlog, message))
ret = false; ret = false;
@@ -636,7 +636,7 @@ log_exit_status(const struct sudoers_context *ctx, int status)
sudoers_setlocale(SUDOERS_LOCALE_SUDOERS, &oldlocale); sudoers_setlocale(SUDOERS_LOCALE_SUDOERS, &oldlocale);
sudoers_to_eventlog(ctx, &evlog, ctx->runas.cmnd_saved, sudoers_to_eventlog(ctx, &evlog, ctx->runas.cmnd_saved,
ctx->runas.argv_saved, env_get(), ctx->uuid_str); ctx->runas.argv_saved, NULL, ctx->uuid_str);
if (def_mail_always) { if (def_mail_always) {
SET(evl_flags, EVLOG_MAIL); SET(evl_flags, EVLOG_MAIL);
if (!def_log_exit_status) if (!def_log_exit_status)
@@ -740,7 +740,7 @@ vlog_warning(const struct sudoers_context *ctx, unsigned int flags,
SET(evl_flags, EVLOG_MAIL_ONLY); SET(evl_flags, EVLOG_MAIL_ONLY);
} }
sudoers_to_eventlog(ctx, &evlog, ctx->runas.cmnd, ctx->runas.argv, sudoers_to_eventlog(ctx, &evlog, ctx->runas.cmnd, ctx->runas.argv,
env_get(), ctx->uuid_str); NULL, ctx->uuid_str);
if (!eventlog_alert(&evlog, evl_flags, &now, message, errstr)) if (!eventlog_alert(&evlog, evl_flags, &now, message, errstr))
ret = false; ret = false;
if (!log_server_alert(ctx, &evlog, &now, message, errstr)) if (!log_server_alert(ctx, &evlog, &now, message, errstr))
@@ -860,7 +860,7 @@ mail_parse_errors(const struct sudoers_context *ctx)
goto done; goto done;
} }
sudoers_to_eventlog(ctx, &evlog, ctx->runas.cmnd, ctx->runas.argv, sudoers_to_eventlog(ctx, &evlog, ctx->runas.cmnd, ctx->runas.argv,
env_get(), ctx->uuid_str); NULL, ctx->uuid_str);
/* Convert parse_error_list to a string vector. */ /* Convert parse_error_list to a string vector. */
n = 0; n = 0;