isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Move log_denial() calls and logic to log_failure().

Browse Source 
Move authentication failure logging to log_auth_failure().
Both of these call audit_failure() for us.

This subtly changes logging for commands that are denied by sudoers
but where the user failed to enter the correct password.  Previously,
these would be logged as "N incorrect password attempts" but now
are logged as "command not allowed".  Fixes bug #563
This commit is contained in:
Todd C. Miller
2012-07-10 12:42:33 -04:00
parent 9c9cf9da41
commit 8b03f3e7d0
6 changed files with 147 additions and 86 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
plugins/sudoers/check.c
View File

@@ -149,7 +149,8 @@ check_user(int validated, int mode)
if (status != TS_CURRENT || ISSET(validated, FLAG_CHECK_USER)) {
/* Bail out if we are non-interactive and a password is required */
if (ISSET(mode, MODE_NONINTERACTIVE)) {
warningx(_("sorry, a password is required to run %s"), getprogname());
validated |= FLAG_NON_INTERACTIVE;
log_auth_failure(validated, 0);
rval = -1;
goto done;
}
@@ -161,7 +162,7 @@ check_user(int validated, int mode)
prompt = expand_prompt(user_prompt ? user_prompt : def_passprompt,
user_name, user_shost);
rval = verify_user(auth_pw, prompt);
rval = verify_user(auth_pw, prompt, validated);
}
/* Only update timestamp if user was validated. */
if (rval == true && ISSET(validated, VALIDATE_OK) &&