diff --git a/plugins/sudoers/audit.c b/plugins/sudoers/audit.c index 77ac37d52..b14051403 100644 --- a/plugins/sudoers/audit.c +++ b/plugins/sudoers/audit.c @@ -60,7 +60,7 @@ audit_success(const struct sudoers_context *ctx, char *const argv[]) if (argv != NULL) { #ifdef HAVE_BSM_AUDIT - if (bsm_audit_success(argv) == -1) + if (bsm_audit_success(ctx, argv) == -1) rc = -1; #endif #ifdef HAVE_LINUX_AUDIT @@ -86,7 +86,7 @@ audit_failure_int(const struct sudoers_context *ctx, char *const argv[], #if defined(HAVE_BSM_AUDIT) || defined(HAVE_LINUX_AUDIT) if (def_log_denied && argv != NULL) { #ifdef HAVE_BSM_AUDIT - if (bsm_audit_failure(argv, message) == -1) + if (bsm_audit_failure(ctx, argv, message) == -1) ret = -1; #endif #ifdef HAVE_LINUX_AUDIT diff --git a/plugins/sudoers/bsm_audit.c b/plugins/sudoers/bsm_audit.c index 2867c5f5f..633542bbf 100644 --- a/plugins/sudoers/bsm_audit.c +++ b/plugins/sudoers/bsm_audit.c @@ -104,14 +104,13 @@ audit_sudo_selected(int sorf) * Returns 0 on success or -1 on error. */ int -bsm_audit_success(char *const exec_args[]) +bsm_audit_success(const struct sudoers_context *ctx, char *const exec_args[]) { auditinfo_addr_t ainfo_addr; token_t *tok; au_id_t auid; long au_cond; int aufd, selected; - pid_t pid; debug_decl(bsm_audit_success, SUDOERS_DEBUG_AUDIT); /* @@ -140,10 +139,10 @@ bsm_audit_success(char *const exec_args[]) sudo_warn("au_open"); debug_return_int(-1); } - pid = getpid(); if (getaudit_addr(&ainfo_addr, sizeof(ainfo_addr)) == 0) { - tok = au_to_subject_ex(auid, geteuid(), getegid(), getuid(), - getuid(), pid, pid, &ainfo_addr.ai_termid); + tok = au_to_subject_ex(auid, ctx->user.euid, ctx->user.egid, + ctx->user.uid, ctx->user.gid, ctx->user.pid, ctx->user.pid, + &ainfo_addr.ai_termid); #ifdef BSM_AUDIT_COMPAT } else if (errno == ENOSYS) { auditinfo_t ainfo; 
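Review bot: The subject token in the @@ -140 hunk of bsm_audit.c is now built from ctx->user.euid, egid, uid, gid and pid instead of the process's own geteuid()/getegid()/getuid()/getpid(), so the audit record reflects whatever credentials the front end serialised rather than what the plugin process is actually running as, and nothing in bsm_audit_success says so. A one-line comment above the getaudit_addr() call, `/* Subject IDs come from the front end's context, not this process's credentials. */`, would make that dependency visible to anyone later correlating audit records. The same replacement is repeated in the @@ -155, @@ -226 and @@ -238 hunks of bsm_audit.c and deserves the same comment. The old code passed getuid() in the rgid slot while the new code passes ctx->user.gid; that looks intentional but is worth a sentence in the commit description. Both functions continue outside the hunks on either side.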
@@ -155,8 +154,9 @@ bsm_audit_success(char *const exec_args[]) sudo_warn("getaudit"); debug_return_int(-1); } - tok = au_to_subject(auid, geteuid(), getegid(), getuid(), - getuid(), pid, pid, &ainfo.ai_termid); + tok = au_to_subject(auid, ctx->user.euid, ctx->user.egid, + ctx->user.uid, ctx->user.gid, ctx->user.pid, ctx->user.pid, + &ainfo.ai_termid); #endif /* BSM_AUDIT_COMPAT */ } else { sudo_warn("getaudit_addr"); @@ -195,13 +195,13 @@ bsm_audit_success(char *const exec_args[]) * Returns 0 on success or -1 on error. */ int -bsm_audit_failure(char *const exec_args[], const char *errmsg) +bsm_audit_failure(const struct sudoers_context *ctx, char *const exec_args[], + const char *errmsg) { auditinfo_addr_t ainfo_addr; token_t *tok; long au_cond; au_id_t auid; - pid_t pid; int aufd; debug_decl(bsm_audit_failure, SUDOERS_DEBUG_AUDIT); @@ -226,10 +226,10 @@ bsm_audit_failure(char *const exec_args[], const char *errmsg) sudo_warn("au_open"); debug_return_int(-1); } - pid = getpid(); if (getaudit_addr(&ainfo_addr, sizeof(ainfo_addr)) == 0) { - tok = au_to_subject_ex(auid, geteuid(), getegid(), getuid(), - getuid(), pid, pid, &ainfo_addr.ai_termid); + tok = au_to_subject_ex(auid, ctx->user.euid, ctx->user.egid, + ctx->user.uid, ctx->user.gid, ctx->user.pid, ctx->user.pid, + &ainfo_addr.ai_termid); #ifdef BSM_AUDIT_COMPAT } else if (errno == ENOSYS) { auditinfo_t ainfo; @@ -238,8 +238,9 @@ bsm_audit_failure(char *const exec_args[], const char *errmsg) sudo_warn("getaudit"); debug_return_int(-1); } - tok = au_to_subject(auid, geteuid(), getegid(), getuid(), - getuid(), pid, pid, &ainfo.ai_termid); + tok = au_to_subject(auid, ctx->user.euid, ctx->user.egid, + ctx->user.uid, ctx->user.gid, ctx->user.pid, ctx->user.pid, + &ainfo.ai_termid); #endif /* BSM_AUDIT_COMPAT */ } else { sudo_warn("getaudit_addr"); diff --git a/plugins/sudoers/bsm_audit.h b/plugins/sudoers/bsm_audit.h index db2f4962b..5128fa51e 100644 --- a/plugins/sudoers/bsm_audit.h +++ b/plugins/sudoers/bsm_audit.h 
@@ -20,7 +20,7 @@ #ifndef SUDOERS_BSM_AUDIT_H #define SUDOERS_BSM_AUDIT_H -int bsm_audit_success(char *const argv[]); -int bsm_audit_failure(char *const argv[], const char *errmsg); +int bsm_audit_success(const struct sudoers_context *ctx, char *const argv[]); +int bsm_audit_failure(const struct sudoers_context *ctx, char *const argv[], const char *errmsg); #endif /* SUDOERS_BSM_AUDIT_H */ diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c index cbb760279..fe6363ff7 100644 --- a/plugins/sudoers/policy.c +++ b/plugins/sudoers/policy.c @@ -423,6 +423,15 @@ sudoers_policy_deserialize_info(struct sudoers_context *ctx, void *v, goto oom; continue; } + if (MATCHES(*cur, "euid=")) { + p = *cur + sizeof("euid=") - 1; + ctx->user.euid = (uid_t) sudo_strtoid(p, &errstr); + if (errstr != NULL) { + sudo_warnx(U_("%s: %s"), *cur, U_(errstr)); + goto bad; + } + continue; + } if (MATCHES(*cur, "uid=")) { p = *cur + sizeof("uid=") - 1; ctx->user.uid = (uid_t) sudo_strtoid(p, &errstr); @@ -432,6 +441,15 @@ sudoers_policy_deserialize_info(struct sudoers_context *ctx, void *v, } continue; } + if (MATCHES(*cur, "egid=")) { + p = *cur + sizeof("egid=") - 1; + ctx->user.egid = (gid_t) sudo_strtoid(p, &errstr); + if (errstr != NULL) { + sudo_warnx(U_("%s: %s"), *cur, U_(errstr)); + goto bad; + } + continue; + } if (MATCHES(*cur, "gid=")) { p = *cur + sizeof("gid=") - 1; ctx->user.gid = (gid_t) sudo_strtoid(p, &errstr); diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h index 75e12bf08..1ea67bc60 100644 --- a/plugins/sudoers/sudoers.h +++ b/plugins/sudoers/sudoers.h @@ -138,7 +138,9 @@ struct sudoers_user_context { int cols; int timeout; mode_t umask; + uid_t euid; uid_t uid; + uid_t egid; uid_t gid; pid_t pid; pid_t ppid;
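Review bot: The new prototypes in bsm_audit.h name `struct sudoers_context`, but the visible part of the header does not declare it; if nothing above line 20 includes sudoers.h, the struct gets prototype scope, the compiler warns that it will not be visible outside the parameter list, and the definition in bsm_audit.c would then conflict with this declaration. Adding `struct sudoers_context;` right after the include guard keeps the header self-contained regardless of include order. The bsm_audit_failure prototype also runs well past 80 columns, unlike the wrapped definition in bsm_audit.c; wrapping it after `char *const argv[],` would match.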
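Review bot: The new `euid=` and `egid=` cases in the @@ -423 and @@ -432 hunks of sudoers_policy_deserialize_info have no fallback when the front end does not send them, unlike the process credentials they replace in bsm_audit.c; a front end that predates these keys would leave ctx->user.euid and ctx->user.egid at whatever the context held before the loop (presumably zero, though the initialisation is outside the hunk), and the audit subject would then be recorded with those values. Unless the plugin API version already guarantees the keys are present, initialising the two fields from geteuid()/getegid() before the loop, or tracking whether each key was seen and rejecting the info otherwise, would close that gap. The four uid/euid/gid/egid blocks are also now identical apart from the key and field, which a small static helper taking the key, the string and a pointer to the destination would remove. The function begins and ends outside the hunks.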
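Review bot: `uid_t egid;` in the @@ -138 hunk of sudoers.h declares an effective group ID with the user-ID type, while the deserialiser in policy.c stores it through a `(gid_t)` cast and bsm_audit.c passes it in the egid position of au_to_subject_ex; it should read `gid_t egid;`. The existing `uid_t gid;` beside it carries the same mismatch and could be corrected in the same pass. On common platforms both types share an underlying representation, so this is a consistency issue rather than a runtime one, but the struct is the single place the rest of the plugin takes its types from.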