isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Log when user-specified command line options are rejected by sudoers.

Browse Source 
We already audit those but in some cases they were not logged as well.
This commit is contained in:
Todd C. Miller
2020-09-23 08:02:43 -06:00
parent 6f8e1b9741
commit 6ee731caff
1 changed files with 14 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
plugins/sudoers/sudoers.c
View File

@@ -295,6 +295,9 @@ check_user_runchroot(void)
audit_failure(NewArgv, audit_failure(NewArgv,
N_("user not allowed to change root directory to %s"), N_("user not allowed to change root directory to %s"),
user_runchroot); user_runchroot);
log_warningx(SLOG_NO_STDERR,
N_("user not allowed to change root directory to %s"),
user_runchroot);
sudo_warnx(U_("you are not permitted to use the -R option with %s"), sudo_warnx(U_("you are not permitted to use the -R option with %s"),
user_cmnd); user_cmnd);
debug_return_bool(false); debug_return_bool(false);
@@ -321,6 +324,8 @@ check_user_runcwd(void)
if (def_runcwd == NULL || strcmp(def_runcwd, "*") != 0) { if (def_runcwd == NULL || strcmp(def_runcwd, "*") != 0) {
audit_failure(NewArgv, audit_failure(NewArgv,
N_("user not allowed to change directory to %s"), user_runcwd); N_("user not allowed to change directory to %s"), user_runcwd);
log_warningx(SLOG_NO_STDERR,
N_("user not allowed to change directory to %s"), user_runcwd);
sudo_warnx(U_("you are not permitted to use the -D option with %s"), sudo_warnx(U_("you are not permitted to use the -D option with %s"),
user_cmnd); user_cmnd);
debug_return_bool(false); debug_return_bool(false);
@@ -413,6 +418,8 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
if (!def_closefrom_override) { if (!def_closefrom_override) {
audit_failure(NewArgv, audit_failure(NewArgv,
N_("user not allowed to override closefrom limit")); N_("user not allowed to override closefrom limit"));
log_warningx(SLOG_NO_STDERR,
N_("user not allowed to override closefrom limit"));
sudo_warnx("%s", U_("you are not permitted to use the -C option")); sudo_warnx("%s", U_("you are not permitted to use the -C option"));
goto bad; goto bad;
} }
@@ -442,13 +449,13 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
/* Defer uid/gid checks until after defaults have been updated. */ /* Defer uid/gid checks until after defaults have been updated. */
if (unknown_runas_uid && !def_runas_allow_unknown_id) { if (unknown_runas_uid && !def_runas_allow_unknown_id) {
audit_failure(NewArgv, N_("unknown user: %s"), runas_pw->pw_name); audit_failure(NewArgv, N_("unknown user: %s"), runas_pw->pw_name);
sudo_warnx(U_("unknown user: %s"), runas_pw->pw_name); log_warningx(0, N_("unknown user: %s"), runas_pw->pw_name);
goto done; goto done;
} }
if (runas_gr != NULL) { if (runas_gr != NULL) {
if (unknown_runas_gid && !def_runas_allow_unknown_id) { if (unknown_runas_gid && !def_runas_allow_unknown_id) {
audit_failure(NewArgv, N_("unknown group: %s"), runas_gr->gr_name); audit_failure(NewArgv, N_("unknown group: %s"), runas_gr->gr_name);
sudo_warnx(U_("unknown group: %s"), runas_gr->gr_name); log_warningx(0, N_("unknown group: %s"), runas_gr->gr_name);
goto done; goto done;
} }
} }
@@ -490,6 +497,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
/* Bail if a tty is required and we don't have one. */ /* Bail if a tty is required and we don't have one. */
if (def_requiretty && !tty_present()) { if (def_requiretty && !tty_present()) {
audit_failure(NewArgv, N_("no tty")); audit_failure(NewArgv, N_("no tty"));
log_warningx(SLOG_NO_STDERR, N_("no tty"));
sudo_warnx("%s", U_("sorry, you must have a tty to run sudo")); sudo_warnx("%s", U_("sorry, you must have a tty to run sudo"));
goto bad; goto bad;
} }
@@ -600,6 +608,8 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
/* If user specified a timeout make sure sudoers allows it. */ /* If user specified a timeout make sure sudoers allows it. */
if (!def_user_command_timeouts && user_timeout > 0) { if (!def_user_command_timeouts && user_timeout > 0) {
audit_failure(NewArgv, N_("user not allowed to set a command timeout")); audit_failure(NewArgv, N_("user not allowed to set a command timeout"));
log_warningx(SLOG_NO_STDERR,
N_("user not allowed to set a command timeout"));
sudo_warnx("%s", sudo_warnx("%s",
U_("sorry, you are not allowed set a command timeout")); U_("sorry, you are not allowed set a command timeout"));
goto bad; goto bad;
@@ -610,6 +620,8 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
if (ISSET(sudo_mode, MODE_PRESERVE_ENV)) { if (ISSET(sudo_mode, MODE_PRESERVE_ENV)) {
audit_failure(NewArgv, audit_failure(NewArgv,
N_("user not allowed to preserve the environment")); N_("user not allowed to preserve the environment"));
log_warningx(SLOG_NO_STDERR,
N_("user not allowed to preserve the environment"));
sudo_warnx("%s", sudo_warnx("%s",
U_("sorry, you are not allowed to preserve the environment")); U_("sorry, you are not allowed to preserve the environment"));
goto bad; goto bad;