Rename log_warning flags and only send mail if SLOG_SEND_MAIL is
set instead of mailing by default like we used to.
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright (c) 2000-2005, 2007-2008, 2010-2013
|
* Copyright (c) 2000-2005, 2007-2008, 2010-2014
|
||||||
* Todd C. Miller <Todd.Miller@courtesan.com>
|
* Todd C. Miller <Todd.Miller@courtesan.com>
|
||||||
*
|
*
|
||||||
* Permission to use, copy, modify, and distribute this software for any
|
* Permission to use, copy, modify, and distribute this software for any
|
||||||
@@ -71,14 +71,13 @@ bsdauth_init(struct passwd *pw, sudo_auth *auth)
|
|||||||
else
|
else
|
||||||
state.lc = login_getclass(pw->pw_uid ? LOGIN_DEFCLASS : LOGIN_DEFROOTCLASS);
|
state.lc = login_getclass(pw->pw_uid ? LOGIN_DEFCLASS : LOGIN_DEFROOTCLASS);
|
||||||
if (state.lc == NULL) {
|
if (state.lc == NULL) {
|
||||||
log_warning(NO_MAIL,
|
log_warning(0,
|
||||||
N_("unable to get login class for user %s"), pw->pw_name);
|
N_("unable to get login class for user %s"), pw->pw_name);
|
||||||
debug_return_int(AUTH_FATAL);
|
debug_return_int(AUTH_FATAL);
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((state.as = auth_open()) == NULL) {
|
if ((state.as = auth_open()) == NULL) {
|
||||||
log_warning(NO_MAIL,
|
log_warning(0, N_("unable to begin bsd authentication"));
|
||||||
N_("unable to begin bsd authentication"));
|
|
||||||
login_close(state.lc);
|
login_close(state.lc);
|
||||||
debug_return_int(AUTH_FATAL);
|
debug_return_int(AUTH_FATAL);
|
||||||
}
|
}
|
||||||
@@ -86,7 +85,7 @@ bsdauth_init(struct passwd *pw, sudo_auth *auth)
|
|||||||
/* XXX - maybe sanity check the auth style earlier? */
|
/* XXX - maybe sanity check the auth style earlier? */
|
||||||
login_style = login_getstyle(state.lc, login_style, "auth-sudo");
|
login_style = login_getstyle(state.lc, login_style, "auth-sudo");
|
||||||
if (login_style == NULL) {
|
if (login_style == NULL) {
|
||||||
log_warningx(NO_MAIL, N_("invalid authentication type"));
|
log_warningx(0, N_("invalid authentication type"));
|
||||||
auth_close(state.as);
|
auth_close(state.as);
|
||||||
login_close(state.lc);
|
login_close(state.lc);
|
||||||
debug_return_int(AUTH_FATAL);
|
debug_return_int(AUTH_FATAL);
|
||||||
@@ -95,7 +94,7 @@ bsdauth_init(struct passwd *pw, sudo_auth *auth)
|
|||||||
if (auth_setitem(state.as, AUTHV_STYLE, login_style) < 0 ||
|
if (auth_setitem(state.as, AUTHV_STYLE, login_style) < 0 ||
|
||||||
auth_setitem(state.as, AUTHV_NAME, pw->pw_name) < 0 ||
|
auth_setitem(state.as, AUTHV_NAME, pw->pw_name) < 0 ||
|
||||||
auth_setitem(state.as, AUTHV_CLASS, login_class) < 0) {
|
auth_setitem(state.as, AUTHV_CLASS, login_class) < 0) {
|
||||||
log_warningx(NO_MAIL, N_("unable to initialize BSD authentication"));
|
log_warningx(0, N_("unable to initialize BSD authentication"));
|
||||||
auth_close(state.as);
|
auth_close(state.as);
|
||||||
login_close(state.lc);
|
login_close(state.lc);
|
||||||
debug_return_int(AUTH_FATAL);
|
debug_return_int(AUTH_FATAL);
|
||||||
@@ -167,7 +166,7 @@ bsdauth_verify(struct passwd *pw, char *prompt, sudo_auth *auth)
|
|||||||
debug_return_int(AUTH_INTR);
|
debug_return_int(AUTH_INTR);
|
||||||
|
|
||||||
if ((s = auth_getvalue(as, "errormsg")) != NULL)
|
if ((s = auth_getvalue(as, "errormsg")) != NULL)
|
||||||
log_warningx(NO_MAIL, "%s", s);
|
log_warningx(0, "%s", s);
|
||||||
debug_return_int(AUTH_FAILURE);
|
debug_return_int(AUTH_FAILURE);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright (c) 1999-2005, 2007-2008, 2010-2013
|
* Copyright (c) 1999-2005, 2007-2008, 2010-2014
|
||||||
* Todd C. Miller <Todd.Miller@courtesan.com>
|
* Todd C. Miller <Todd.Miller@courtesan.com>
|
||||||
*
|
*
|
||||||
* Permission to use, copy, modify, and distribute this software for any
|
* Permission to use, copy, modify, and distribute this software for any
|
||||||
@@ -112,9 +112,9 @@ sudo_krb5_setup(struct passwd *pw, char **promptp, sudo_auth *auth)
|
|||||||
* API does not currently provide this unless the auth is standalone.
|
* API does not currently provide this unless the auth is standalone.
|
||||||
*/
|
*/
|
||||||
if ((error = krb5_unparse_name(sudo_context, princ, &pname))) {
|
if ((error = krb5_unparse_name(sudo_context, princ, &pname))) {
|
||||||
log_warningx(NO_MAIL,
|
log_warningx(0,
|
||||||
N_("%s: unable to convert principal to string ('%s'): %s"),
|
N_("%s: unable to convert principal to string ('%s'): %s"),
|
||||||
auth->name, pw->pw_name, error_message(error));
|
auth->name, pw->pw_name, error_message(error));
|
||||||
debug_return_int(AUTH_FAILURE);
|
debug_return_int(AUTH_FAILURE);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -155,9 +155,8 @@ sudo_krb5_init(struct passwd *pw, sudo_auth *auth)
|
|||||||
|
|
||||||
error = krb5_parse_name(sudo_context, pname, &(sudo_krb5_data.princ));
|
error = krb5_parse_name(sudo_context, pname, &(sudo_krb5_data.princ));
|
||||||
if (error) {
|
if (error) {
|
||||||
log_warningx(NO_MAIL,
|
log_warningx(0, N_("%s: unable to parse '%s': %s"), auth->name, pname,
|
||||||
N_("%s: unable to parse '%s': %s"), auth->name, pname,
|
error_message(error));
|
||||||
error_message(error));
|
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -165,9 +164,8 @@ sudo_krb5_init(struct passwd *pw, sudo_auth *auth)
|
|||||||
(long) getpid());
|
(long) getpid());
|
||||||
if ((error = krb5_cc_resolve(sudo_context, cache_name,
|
if ((error = krb5_cc_resolve(sudo_context, cache_name,
|
||||||
&(sudo_krb5_data.ccache)))) {
|
&(sudo_krb5_data.ccache)))) {
|
||||||
log_warningx(NO_MAIL,
|
log_warningx(0, N_("%s: unable to resolve credential cache: %s"),
|
||||||
N_("%s: unable to resolve credential cache: %s"), auth->name,
|
auth->name, error_message(error));
|
||||||
error_message(error));
|
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -213,9 +211,8 @@ sudo_krb5_verify(struct passwd *pw, char *pass, sudo_auth *auth)
|
|||||||
/* Set default flags based on the local config file. */
|
/* Set default flags based on the local config file. */
|
||||||
error = krb5_get_init_creds_opt_alloc(sudo_context, &opts);
|
error = krb5_get_init_creds_opt_alloc(sudo_context, &opts);
|
||||||
if (error) {
|
if (error) {
|
||||||
log_warningx(NO_MAIL,
|
log_warningx(0, N_("%s: unable to allocate options: %s"), auth->name,
|
||||||
N_("%s: unable to allocate options: %s"), auth->name,
|
error_message(error));
|
||||||
error_message(error));
|
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
#ifdef HAVE_HEIMDAL
|
#ifdef HAVE_HEIMDAL
|
||||||
@@ -228,10 +225,10 @@ sudo_krb5_verify(struct passwd *pw, char *pass, sudo_auth *auth)
|
|||||||
pass, krb5_prompter_posix,
|
pass, krb5_prompter_posix,
|
||||||
NULL, 0, NULL, opts))) {
|
NULL, 0, NULL, opts))) {
|
||||||
/* Don't print error if just a bad password */
|
/* Don't print error if just a bad password */
|
||||||
if (error != KRB5KRB_AP_ERR_BAD_INTEGRITY)
|
if (error != KRB5KRB_AP_ERR_BAD_INTEGRITY) {
|
||||||
log_warningx(NO_MAIL,
|
log_warningx(0, N_("%s: unable to get credentials: %s"),
|
||||||
N_("%s: unable to get credentials: %s"), auth->name,
|
auth->name, error_message(error));
|
||||||
error_message(error));
|
}
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
creds = &credbuf;
|
creds = &credbuf;
|
||||||
@@ -242,13 +239,11 @@ sudo_krb5_verify(struct passwd *pw, char *pass, sudo_auth *auth)
|
|||||||
|
|
||||||
/* Store credential in cache. */
|
/* Store credential in cache. */
|
||||||
if ((error = krb5_cc_initialize(sudo_context, ccache, princ))) {
|
if ((error = krb5_cc_initialize(sudo_context, ccache, princ))) {
|
||||||
log_warningx(NO_MAIL,
|
log_warningx(0, N_("%s: unable to initialize credential cache: %s"),
|
||||||
N_("%s: unable to initialize credential cache: %s"),
|
auth->name, error_message(error));
|
||||||
auth->name, error_message(error));
|
|
||||||
} else if ((error = krb5_cc_store_cred(sudo_context, ccache, creds))) {
|
} else if ((error = krb5_cc_store_cred(sudo_context, ccache, creds))) {
|
||||||
log_warningx(NO_MAIL,
|
log_warningx(0, N_("%s: unable to store credential in cache: %s"),
|
||||||
N_("%s: unable to store credential in cache: %s"),
|
auth->name, error_message(error));
|
||||||
auth->name, error_message(error));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
done:
|
done:
|
||||||
@@ -311,9 +306,8 @@ verify_krb_v5_tgt(krb5_context sudo_context, krb5_creds *cred, char *auth_name)
|
|||||||
*/
|
*/
|
||||||
if ((error = krb5_sname_to_principal(sudo_context, NULL, NULL,
|
if ((error = krb5_sname_to_principal(sudo_context, NULL, NULL,
|
||||||
KRB5_NT_SRV_HST, &server))) {
|
KRB5_NT_SRV_HST, &server))) {
|
||||||
log_warningx(NO_MAIL,
|
log_warningx(0, N_("%s: unable to get host principal: %s"), auth_name,
|
||||||
N_("%s: unable to get host principal: %s"), auth_name,
|
error_message(error));
|
||||||
error_message(error));
|
|
||||||
debug_return_int(-1);
|
debug_return_int(-1);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -325,10 +319,10 @@ verify_krb_v5_tgt(krb5_context sudo_context, krb5_creds *cred, char *auth_name)
|
|||||||
error = krb5_verify_init_creds(sudo_context, cred, server, NULL,
|
error = krb5_verify_init_creds(sudo_context, cred, server, NULL,
|
||||||
NULL, &vopt);
|
NULL, &vopt);
|
||||||
krb5_free_principal(sudo_context, server);
|
krb5_free_principal(sudo_context, server);
|
||||||
if (error)
|
if (error) {
|
||||||
log_warningx(NO_MAIL,
|
log_warningx(0, N_("%s: Cannot verify TGT! Possible attack!: %s"),
|
||||||
N_("%s: Cannot verify TGT! Possible attack!: %s"),
|
auth_name, error_message(error));
|
||||||
auth_name, error_message(error));
|
}
|
||||||
debug_return_int(error);
|
debug_return_int(error);
|
||||||
}
|
}
|
||||||
#endif
|
#endif
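Review bot: The `log_warningx(0, N_("%s: Cannot verify TGT! Possible attack!: %s"), …)` call in verify_krb_v5_tgt keeps the old no-mail behaviour, but under the new opt-in semantics this is the one Kerberos failure an administrator would most want to be told about, since it fires exactly when the obtained TGT cannot be validated against the host principal. Consider `log_warningx(SLOG_SEND_MAIL, N_("%s: Cannot verify TGT! Possible attack!: %s"),` here while leaving the routine krb5 setup errors unmailed. Whether the def_mail_* settings should gate this is a project decision; the flag change itself is a one-word edit.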
|
||||||
|
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright (c) 1999-2005, 2007-2013 Todd C. Miller <Todd.Miller@courtesan.com>
|
* Copyright (c) 1999-2005, 2007-2014 Todd C. Miller <Todd.Miller@courtesan.com>
|
||||||
*
|
*
|
||||||
* Permission to use, copy, modify, and distribute this software for any
|
* Permission to use, copy, modify, and distribute this software for any
|
||||||
* purpose with or without fee is hereby granted, provided that the above
|
* purpose with or without fee is hereby granted, provided that the above
|
||||||
@@ -95,7 +95,7 @@ sudo_pam_init(struct passwd *pw, sudo_auth *auth)
|
|||||||
pam_status = pam_start(ISSET(sudo_mode, MODE_LOGIN_SHELL) ?
|
pam_status = pam_start(ISSET(sudo_mode, MODE_LOGIN_SHELL) ?
|
||||||
def_pam_login_service : def_pam_service, pw->pw_name, &pam_conv, &pamh);
|
def_pam_login_service : def_pam_service, pw->pw_name, &pam_conv, &pamh);
|
||||||
if (pam_status != PAM_SUCCESS) {
|
if (pam_status != PAM_SUCCESS) {
|
||||||
log_warning(NO_MAIL, N_("unable to initialize PAM"));
|
log_warning(0, N_("unable to initialize PAM"));
|
||||||
debug_return_int(AUTH_FATAL);
|
debug_return_int(AUTH_FATAL);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -146,27 +146,27 @@ sudo_pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth)
|
|||||||
case PAM_SUCCESS:
|
case PAM_SUCCESS:
|
||||||
debug_return_int(AUTH_SUCCESS);
|
debug_return_int(AUTH_SUCCESS);
|
||||||
case PAM_AUTH_ERR:
|
case PAM_AUTH_ERR:
|
||||||
log_warningx(NO_MAIL, N_("account validation failure, "
|
log_warningx(0, N_("account validation failure, "
|
||||||
"is your account locked?"));
|
"is your account locked?"));
|
||||||
debug_return_int(AUTH_FATAL);
|
debug_return_int(AUTH_FATAL);
|
||||||
case PAM_NEW_AUTHTOK_REQD:
|
case PAM_NEW_AUTHTOK_REQD:
|
||||||
log_warningx(NO_MAIL, N_("Account or password is "
|
log_warningx(0, N_("Account or password is "
|
||||||
"expired, reset your password and try again"));
|
"expired, reset your password and try again"));
|
||||||
*pam_status = pam_chauthtok(pamh,
|
*pam_status = pam_chauthtok(pamh,
|
||||||
PAM_CHANGE_EXPIRED_AUTHTOK);
|
PAM_CHANGE_EXPIRED_AUTHTOK);
|
||||||
if (*pam_status == PAM_SUCCESS)
|
if (*pam_status == PAM_SUCCESS)
|
||||||
debug_return_int(AUTH_SUCCESS);
|
debug_return_int(AUTH_SUCCESS);
|
||||||
if ((s = pam_strerror(pamh, *pam_status)) != NULL) {
|
if ((s = pam_strerror(pamh, *pam_status)) != NULL) {
|
||||||
log_warningx(NO_MAIL,
|
log_warningx(0,
|
||||||
N_("unable to change expired password: %s"), s);
|
N_("unable to change expired password: %s"), s);
|
||||||
}
|
}
|
||||||
debug_return_int(AUTH_FAILURE);
|
debug_return_int(AUTH_FAILURE);
|
||||||
case PAM_AUTHTOK_EXPIRED:
|
case PAM_AUTHTOK_EXPIRED:
|
||||||
log_warningx(NO_MAIL,
|
log_warningx(0,
|
||||||
N_("Password expired, contact your system administrator"));
|
N_("Password expired, contact your system administrator"));
|
||||||
debug_return_int(AUTH_FATAL);
|
debug_return_int(AUTH_FATAL);
|
||||||
case PAM_ACCT_EXPIRED:
|
case PAM_ACCT_EXPIRED:
|
||||||
log_warningx(NO_MAIL,
|
log_warningx(0,
|
||||||
N_("Account expired or PAM config lacks an \"account\" "
|
N_("Account expired or PAM config lacks an \"account\" "
|
||||||
"section for sudo, contact your system administrator"));
|
"section for sudo, contact your system administrator"));
|
||||||
debug_return_int(AUTH_FATAL);
|
debug_return_int(AUTH_FATAL);
|
||||||
@@ -184,7 +184,7 @@ sudo_pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth)
|
|||||||
debug_return_int(AUTH_FAILURE);
|
debug_return_int(AUTH_FAILURE);
|
||||||
default:
|
default:
|
||||||
if ((s = pam_strerror(pamh, *pam_status)) != NULL)
|
if ((s = pam_strerror(pamh, *pam_status)) != NULL)
|
||||||
log_warningx(NO_MAIL, N_("PAM authentication error: %s"), s);
|
log_warningx(0, N_("PAM authentication error: %s"), s);
|
||||||
debug_return_int(AUTH_FATAL);
|
debug_return_int(AUTH_FATAL);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@@ -104,8 +104,7 @@ sudo_sia_setup(struct passwd *pw, char **promptp, sudo_auth *auth)
|
|||||||
|
|
||||||
if (sia_ses_init(&siah, sudo_argc, sudo_argv, NULL, pw->pw_name, user_ttypath, 1, NULL) != SIASUCCESS) {
|
if (sia_ses_init(&siah, sudo_argc, sudo_argv, NULL, pw->pw_name, user_ttypath, 1, NULL) != SIASUCCESS) {
|
||||||
|
|
||||||
log_warning(NO_MAIL,
|
log_warning(0, N_("unable to initialize SIA session"));
|
||||||
N_("unable to initialize SIA session"));
|
|
||||||
debug_return_int(AUTH_FATAL);
|
debug_return_int(AUTH_FATAL);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright (c) 1999-2005, 2008-2013 Todd C. Miller <Todd.Miller@courtesan.com>
|
* Copyright (c) 1999-2005, 2008-2014 Todd C. Miller <Todd.Miller@courtesan.com>
|
||||||
*
|
*
|
||||||
* Permission to use, copy, modify, and distribute this software for any
|
* Permission to use, copy, modify, and distribute this software for any
|
||||||
* purpose with or without fee is hereby granted, provided that the above
|
* purpose with or without fee is hereby granted, provided that the above
|
||||||
@@ -117,7 +117,8 @@ sudo_auth_init(struct passwd *pw)
|
|||||||
standalone = IS_STANDALONE(&auth_switch[0]);
|
standalone = IS_STANDALONE(&auth_switch[0]);
|
||||||
if (standalone && auth_switch[1].name != NULL) {
|
if (standalone && auth_switch[1].name != NULL) {
|
||||||
audit_failure(NewArgv, N_("invalid authentication methods"));
|
audit_failure(NewArgv, N_("invalid authentication methods"));
|
||||||
log_warningx(0, N_("Invalid authentication methods compiled into sudo! "
|
log_warningx(SLOG_SEND_MAIL,
|
||||||
|
N_("Invalid authentication methods compiled into sudo! "
|
||||||
"You may not mix standalone and non-standalone authentication."));
|
"You may not mix standalone and non-standalone authentication."));
|
||||||
debug_return_int(-1);
|
debug_return_int(-1);
|
||||||
}
|
}
|
||||||
@@ -187,7 +188,7 @@ verify_user(struct passwd *pw, char *prompt, int validated)
|
|||||||
/* XXX - check FLAG_DISABLED too */
|
/* XXX - check FLAG_DISABLED too */
|
||||||
if (auth_switch[0].name == NULL) {
|
if (auth_switch[0].name == NULL) {
|
||||||
audit_failure(NewArgv, N_("no authentication methods"));
|
audit_failure(NewArgv, N_("no authentication methods"));
|
||||||
log_warningx(0,
|
log_warningx(SLOG_SEND_MAIL,
|
||||||
N_("There are no authentication methods compiled into sudo! "
|
N_("There are no authentication methods compiled into sudo! "
|
||||||
"If you want to turn off authentication, use the "
|
"If you want to turn off authentication, use the "
|
||||||
"--disable-authentication configure option."));
|
"--disable-authentication configure option."));
|
||||||
|
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright (c) 1993-1996,1998-2005, 2007-2013
|
* Copyright (c) 1993-1996,1998-2005, 2007-2014
|
||||||
* Todd C. Miller <Todd.Miller@courtesan.com>
|
* Todd C. Miller <Todd.Miller@courtesan.com>
|
||||||
*
|
*
|
||||||
* Permission to use, copy, modify, and distribute this software for any
|
* Permission to use, copy, modify, and distribute this software for any
|
||||||
@@ -236,15 +236,18 @@ get_authpw(int mode)
|
|||||||
pw = sudo_user.pw;
|
pw = sudo_user.pw;
|
||||||
} else {
|
} else {
|
||||||
if (def_rootpw) {
|
if (def_rootpw) {
|
||||||
if ((pw = sudo_getpwuid(ROOT_UID)) == NULL)
|
if ((pw = sudo_getpwuid(ROOT_UID)) == NULL) {
|
||||||
log_warningx(0, N_("unknown uid: %u"), ROOT_UID);
|
log_warningx(SLOG_SEND_MAIL, N_("unknown uid: %u"), ROOT_UID);
|
||||||
|
}
|
||||||
} else if (def_runaspw) {
|
} else if (def_runaspw) {
|
||||||
if ((pw = sudo_getpwnam(def_runas_default)) == NULL)
|
if ((pw = sudo_getpwnam(def_runas_default)) == NULL) {
|
||||||
log_warningx(0, N_("unknown user: %s"), def_runas_default);
|
log_warningx(SLOG_SEND_MAIL,
|
||||||
|
N_("unknown user: %s"), def_runas_default);
|
||||||
|
}
|
||||||
} else if (def_targetpw) {
|
} else if (def_targetpw) {
|
||||||
if (runas_pw->pw_name == NULL) {
|
if (runas_pw->pw_name == NULL) {
|
||||||
/* This should never be NULL as we fake up the passwd struct */
|
/* This should never be NULL as we fake up the passwd struct */
|
||||||
log_warningx(NO_MAIL|MSG_ONLY, N_("unknown uid: %u"),
|
log_warningx(SLOG_RAW_MSG, N_("unknown uid: %u"),
|
||||||
(unsigned int) runas_pw->pw_uid);
|
(unsigned int) runas_pw->pw_uid);
|
||||||
} else {
|
} else {
|
||||||
sudo_pw_addref(runas_pw);
|
sudo_pw_addref(runas_pw);
|
||||||
|
@@ -1047,7 +1047,7 @@ validate_env_vars(char * const env_vars[])
|
|||||||
if (bad != NULL) {
|
if (bad != NULL) {
|
||||||
bad[blen - 2] = '\0'; /* remove trailing ", " */
|
bad[blen - 2] = '\0'; /* remove trailing ", " */
|
||||||
/* XXX - audit? */
|
/* XXX - audit? */
|
||||||
log_warningx(NO_MAIL,
|
log_warningx(0,
|
||||||
N_("sorry, you are not allowed to set the following environment variables: %s"), bad);
|
N_("sorry, you are not allowed to set the following environment variables: %s"), bad);
|
||||||
efree(bad);
|
efree(bad);
|
||||||
rval = false;
|
rval = false;
|
||||||
|
@@ -97,7 +97,8 @@ io_mkdirs(char *path, mode_t mode, bool is_temp)
|
|||||||
/* Fast path: not a temporary and already exists. */
|
/* Fast path: not a temporary and already exists. */
|
||||||
if (!is_temp && stat(path, &sb) == 0) {
|
if (!is_temp && stat(path, &sb) == 0) {
|
||||||
if (!S_ISDIR(sb.st_mode)) {
|
if (!S_ISDIR(sb.st_mode)) {
|
||||||
log_warningx(0, N_("%s exists but is not a directory (0%o)"),
|
log_warningx(SLOG_SEND_MAIL,
|
||||||
|
N_("%s exists but is not a directory (0%o)"),
|
||||||
path, (unsigned int) sb.st_mode);
|
path, (unsigned int) sb.st_mode);
|
||||||
ok = false;
|
ok = false;
|
||||||
}
|
}
|
||||||
@@ -108,13 +109,14 @@ io_mkdirs(char *path, mode_t mode, bool is_temp)
|
|||||||
*slash = '\0';
|
*slash = '\0';
|
||||||
if (stat(path, &sb) != 0) {
|
if (stat(path, &sb) != 0) {
|
||||||
if (mkdir(path, mode) != 0) {
|
if (mkdir(path, mode) != 0) {
|
||||||
log_warning(0, N_("unable to mkdir %s"), path);
|
log_warning(SLOG_SEND_MAIL, N_("unable to mkdir %s"), path);
|
||||||
ok = false;
|
ok = false;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
ignore_result(chown(path, (uid_t)-1, parent_gid));
|
ignore_result(chown(path, (uid_t)-1, parent_gid));
|
||||||
} else if (!S_ISDIR(sb.st_mode)) {
|
} else if (!S_ISDIR(sb.st_mode)) {
|
||||||
log_warningx(0, N_("%s exists but is not a directory (0%o)"),
|
log_warningx(SLOG_SEND_MAIL,
|
||||||
|
N_("%s exists but is not a directory (0%o)"),
|
||||||
path, (unsigned int) sb.st_mode);
|
path, (unsigned int) sb.st_mode);
|
||||||
ok = false;
|
ok = false;
|
||||||
break;
|
break;
|
||||||
@@ -128,14 +130,14 @@ io_mkdirs(char *path, mode_t mode, bool is_temp)
|
|||||||
/* Create final path component. */
|
/* Create final path component. */
|
||||||
if (is_temp) {
|
if (is_temp) {
|
||||||
if (mkdtemp(path) == NULL) {
|
if (mkdtemp(path) == NULL) {
|
||||||
log_warning(0, N_("unable to mkdir %s"), path);
|
log_warning(SLOG_SEND_MAIL, N_("unable to mkdir %s"), path);
|
||||||
ok = false;
|
ok = false;
|
||||||
} else {
|
} else {
|
||||||
ignore_result(chown(path, (uid_t)-1, parent_gid));
|
ignore_result(chown(path, (uid_t)-1, parent_gid));
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
if (mkdir(path, mode) != 0 && errno != EEXIST) {
|
if (mkdir(path, mode) != 0 && errno != EEXIST) {
|
||||||
log_warning(0, N_("unable to mkdir %s"), path);
|
log_warning(SLOG_SEND_MAIL, N_("unable to mkdir %s"), path);
|
||||||
ok = false;
|
ok = false;
|
||||||
} else {
|
} else {
|
||||||
ignore_result(chown(path, (uid_t)-1, parent_gid));
|
ignore_result(chown(path, (uid_t)-1, parent_gid));
|
||||||
@@ -199,12 +201,12 @@ io_nextid(char *iolog_dir, char *iolog_dir_fallback, char sessid[7])
|
|||||||
len = snprintf(pathbuf, sizeof(pathbuf), "%s/seq", iolog_dir);
|
len = snprintf(pathbuf, sizeof(pathbuf), "%s/seq", iolog_dir);
|
||||||
if (len <= 0 || (size_t)len >= sizeof(pathbuf)) {
|
if (len <= 0 || (size_t)len >= sizeof(pathbuf)) {
|
||||||
errno = ENAMETOOLONG;
|
errno = ENAMETOOLONG;
|
||||||
log_warning(0, "%s/seq", pathbuf);
|
log_warning(SLOG_SEND_MAIL, "%s/seq", pathbuf);
|
||||||
debug_return_bool(false);
|
debug_return_bool(false);
|
||||||
}
|
}
|
||||||
fd = open(pathbuf, O_RDWR|O_CREAT, S_IRUSR|S_IWUSR);
|
fd = open(pathbuf, O_RDWR|O_CREAT, S_IRUSR|S_IWUSR);
|
||||||
if (fd == -1) {
|
if (fd == -1) {
|
||||||
log_warning(0, N_("unable to open %s"), pathbuf);
|
log_warning(SLOG_SEND_MAIL, N_("unable to open %s"), pathbuf);
|
||||||
debug_return_bool(false);
|
debug_return_bool(false);
|
||||||
}
|
}
|
||||||
lock_file(fd, SUDO_LOCK);
|
lock_file(fd, SUDO_LOCK);
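Review bot: The ENAMETOOLONG message in io_nextid doubles the suffix: pathbuf was just written by `snprintf(pathbuf, sizeof(pathbuf), "%s/seq", iolog_dir)`, so formatting it again with `"%s/seq"` reports `<dir>/seq/seq` (or a truncated path plus `/seq`); `log_warning(SLOG_SEND_MAIL, "%s/seq", iolog_dir);` reports what was actually attempted. In the two following io_nextid hunks the read and write failure paths return false after `open()` and `lock_file()` with no visible `close(fd)`, so the locked descriptor appears to leak on those paths unless it is closed somewhere outside these hunks. io_nextid starts and ends outside this hunk.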
|
||||||
@@ -245,7 +247,7 @@ io_nextid(char *iolog_dir, char *iolog_dir_fallback, char sessid[7])
|
|||||||
nread = read(fd, buf, sizeof(buf) - 1);
|
nread = read(fd, buf, sizeof(buf) - 1);
|
||||||
if (nread != 0) {
|
if (nread != 0) {
|
||||||
if (nread == -1) {
|
if (nread == -1) {
|
||||||
log_warning(0, N_("unable to read %s"), pathbuf);
|
log_warning(SLOG_SEND_MAIL, N_("unable to read %s"), pathbuf);
|
||||||
debug_return_bool(false);
|
debug_return_bool(false);
|
||||||
}
|
}
|
||||||
if (buf[nread - 1] == '\n')
|
if (buf[nread - 1] == '\n')
|
||||||
@@ -277,7 +279,7 @@ io_nextid(char *iolog_dir, char *iolog_dir_fallback, char sessid[7])
|
|||||||
|
|
||||||
/* Rewind and overwrite old seq file, including the NUL byte. */
|
/* Rewind and overwrite old seq file, including the NUL byte. */
|
||||||
if (lseek(fd, (off_t)0, SEEK_SET) == (off_t)-1 || write(fd, buf, 7) != 7) {
|
if (lseek(fd, (off_t)0, SEEK_SET) == (off_t)-1 || write(fd, buf, 7) != 7) {
|
||||||
log_warning(0, N_("unable to write to %s"), pathbuf);
|
log_warning(SLOG_SEND_MAIL, N_("unable to write to %s"), pathbuf);
|
||||||
debug_return_bool(false);
|
debug_return_bool(false);
|
||||||
}
|
}
|
||||||
close(fd);
|
close(fd);
|
||||||
@@ -300,7 +302,7 @@ mkdir_iopath(const char *iolog_path, char *pathbuf, size_t pathsize)
|
|||||||
len = strlcpy(pathbuf, iolog_path, pathsize);
|
len = strlcpy(pathbuf, iolog_path, pathsize);
|
||||||
if (len >= pathsize) {
|
if (len >= pathsize) {
|
||||||
errno = ENAMETOOLONG;
|
errno = ENAMETOOLONG;
|
||||||
log_warning(0, "%s", iolog_path);
|
log_warning(SLOG_SEND_MAIL, "%s", iolog_path);
|
||||||
debug_return_size_t((size_t)-1);
|
debug_return_size_t((size_t)-1);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -342,7 +344,7 @@ open_io_fd(char *pathbuf, size_t len, struct io_log_file *iol, bool docompress)
|
|||||||
iol->fd.f = fdopen(fd, "w");
|
iol->fd.f = fdopen(fd, "w");
|
||||||
}
|
}
|
||||||
if (fd == -1 || iol->fd.v == NULL) {
|
if (fd == -1 || iol->fd.v == NULL) {
|
||||||
log_warning(0, N_("unable to create %s"), pathbuf);
|
log_warning(SLOG_SEND_MAIL, N_("unable to create %s"), pathbuf);
|
||||||
debug_return_bool(false);
|
debug_return_bool(false);
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
@@ -540,7 +542,7 @@ write_info_log(char *pathbuf, size_t len, struct iolog_details *details,
|
|||||||
strlcat(pathbuf, "/log", PATH_MAX);
|
strlcat(pathbuf, "/log", PATH_MAX);
|
||||||
fd = open(pathbuf, O_CREAT|O_TRUNC|O_WRONLY, S_IRUSR|S_IWUSR);
|
fd = open(pathbuf, O_CREAT|O_TRUNC|O_WRONLY, S_IRUSR|S_IWUSR);
|
||||||
if (fd == -1 || (fp = fdopen(fd, "w")) == NULL) {
|
if (fd == -1 || (fp = fdopen(fd, "w")) == NULL) {
|
||||||
log_warning(0, N_("unable to create %s"), pathbuf);
|
log_warning(SLOG_SEND_MAIL, N_("unable to create %s"), pathbuf);
|
||||||
debug_return_bool(false);
|
debug_return_bool(false);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@@ -348,7 +348,7 @@ log_failure(int status, int flags)
|
|||||||
void
|
void
|
||||||
log_auth_failure(int status, unsigned int tries)
|
log_auth_failure(int status, unsigned int tries)
|
||||||
{
|
{
|
||||||
int flags = NO_MAIL;
|
int flags = 0;
|
||||||
debug_decl(log_auth_failure, SUDO_DEBUG_LOGGING)
|
debug_decl(log_auth_failure, SUDO_DEBUG_LOGGING)
|
||||||
|
|
||||||
/* Handle auditing first. */
|
/* Handle auditing first. */
|
||||||
@@ -363,13 +363,13 @@ log_auth_failure(int status, unsigned int tries)
|
|||||||
if (ISSET(status, VALIDATE_OK)) {
|
if (ISSET(status, VALIDATE_OK)) {
|
||||||
/* Command allowed, auth failed; do we need to send mail? */
|
/* Command allowed, auth failed; do we need to send mail? */
|
||||||
if (def_mail_badpass || def_mail_always)
|
if (def_mail_badpass || def_mail_always)
|
||||||
flags = 0;
|
SET(flags, SLOG_SEND_MAIL);
|
||||||
} else {
|
} else {
|
||||||
/* Command denied, auth failed; make sure we don't send mail twice. */
|
/* Command denied, auth failed; make sure we don't send mail twice. */
|
||||||
if (def_mail_badpass && !should_mail(status))
|
if (def_mail_badpass && !should_mail(status))
|
||||||
flags = 0;
|
SET(flags, SLOG_SEND_MAIL);
|
||||||
/* Don't log the bad password message, we'll log a denial instead. */
|
/* Don't log the bad password message, we'll log a denial instead. */
|
||||||
flags |= NO_LOG;
|
SET(flags, SLOG_NO_LOG);
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@@ -435,8 +435,8 @@ vlog_warning(int flags, const char *fmt, va_list ap)
|
|||||||
va_list ap2;
|
va_list ap2;
|
||||||
debug_decl(vlog_error, SUDO_DEBUG_LOGGING)
|
debug_decl(vlog_error, SUDO_DEBUG_LOGGING)
|
||||||
|
|
||||||
/* Need extra copy of ap for warning() below. */
|
/* Need extra copy of ap for vwarning()/vwarningx() below. */
|
||||||
if (!ISSET(flags, NO_STDERR))
|
if (!ISSET(flags, SLOG_NO_STDERR))
|
||||||
va_copy(ap2, ap);
|
va_copy(ap2, ap);
|
||||||
|
|
||||||
/* Log messages should be in the sudoers locale. */
|
/* Log messages should be in the sudoers locale. */
|
||||||
@@ -452,7 +452,7 @@ vlog_warning(int flags, const char *fmt, va_list ap)
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* Log to debug file. */
|
/* Log to debug file. */
|
||||||
if (USE_ERRNO) {
|
if (SLOG_USE_ERRNO) {
|
||||||
sudo_debug_printf2(NULL, NULL, 0,
|
sudo_debug_printf2(NULL, NULL, 0,
|
||||||
SUDO_DEBUG_WARN|SUDO_DEBUG_ERRNO|sudo_debug_subsys, "%s", message);
|
SUDO_DEBUG_WARN|SUDO_DEBUG_ERRNO|sudo_debug_subsys, "%s", message);
|
||||||
} else {
|
} else {
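Review bot: `if (SLOG_USE_ERRNO) {` in vlog_warning tests the macro's constant value (0x01), not the caller's flags, so the debug-file branch always logs with SUDO_DEBUG_ERRNO, including for log_warningx callers where errno is unrelated; the rename carried the old `if (USE_ERRNO)` defect forward instead of fixing it. The condition should be `if (ISSET(flags, SLOG_USE_ERRNO)) {`, matching the `ISSET(flags, SLOG_USE_ERRNO)` tests this commit uses for new_logline and for the stderr path later in the same function. The `debug_decl(vlog_error, SUDO_DEBUG_LOGGING)` context line in the previous hunk also still carries the old function name. vlog_warning starts and ends outside this hunk.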
|
||||||
@@ -460,10 +460,10 @@ vlog_warning(int flags, const char *fmt, va_list ap)
|
|||||||
SUDO_DEBUG_WARN|sudo_debug_subsys, "%s", message);
|
SUDO_DEBUG_WARN|sudo_debug_subsys, "%s", message);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ISSET(flags, MSG_ONLY)) {
|
if (ISSET(flags, SLOG_RAW_MSG)) {
|
||||||
logline = message;
|
logline = message;
|
||||||
} else {
|
} else {
|
||||||
logline = new_logline(message, ISSET(flags, USE_ERRNO) ? serrno : 0);
|
logline = new_logline(message, ISSET(flags, SLOG_USE_ERRNO) ? serrno : 0);
|
||||||
efree(message);
|
efree(message);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -473,13 +473,13 @@ vlog_warning(int flags, const char *fmt, va_list ap)
|
|||||||
/*
|
/*
|
||||||
* Send a copy of the error via mail.
|
* Send a copy of the error via mail.
|
||||||
*/
|
*/
|
||||||
if (!ISSET(flags, NO_MAIL))
|
if (ISSET(flags, SLOG_SEND_MAIL))
|
||||||
send_mail("%s", logline);
|
send_mail("%s", logline);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Log to syslog and/or a file.
|
* Log to syslog and/or a file.
|
||||||
*/
|
*/
|
||||||
if (!ISSET(flags, NO_LOG)) {
|
if (!ISSET(flags, SLOG_NO_LOG)) {
|
||||||
if (def_syslog)
|
if (def_syslog)
|
||||||
do_syslog(def_syslog_badpri, logline);
|
do_syslog(def_syslog_badpri, logline);
|
||||||
if (def_logfile)
|
if (def_logfile)
|
||||||
@@ -496,14 +496,14 @@ vlog_warning(int flags, const char *fmt, va_list ap)
|
|||||||
/*
|
/*
|
||||||
* Tell the user (in their locale).
|
* Tell the user (in their locale).
|
||||||
*/
|
*/
|
||||||
if (!ISSET(flags, NO_STDERR)) {
|
if (!ISSET(flags, SLOG_NO_STDERR)) {
|
||||||
sudoers_setlocale(SUDOERS_LOCALE_USER, &oldlocale);
|
sudoers_setlocale(SUDOERS_LOCALE_USER, &oldlocale);
|
||||||
if (fmt == INCORRECT_PASSWORD_ATTEMPT) {
|
if (fmt == INCORRECT_PASSWORD_ATTEMPT) {
|
||||||
unsigned int tries = va_arg(ap2, unsigned int);
|
unsigned int tries = va_arg(ap2, unsigned int);
|
||||||
warningx_nodebug(ngettext("%u incorrect password attempt",
|
warningx_nodebug(ngettext("%u incorrect password attempt",
|
||||||
"%u incorrect password attempts", tries), tries);
|
"%u incorrect password attempts", tries), tries);
|
||||||
} else {
|
} else {
|
||||||
if (ISSET(flags, USE_ERRNO))
|
if (ISSET(flags, SLOG_USE_ERRNO))
|
||||||
vwarning_nodebug(_(fmt), ap2);
|
vwarning_nodebug(_(fmt), ap2);
|
||||||
else
|
else
|
||||||
vwarningx_nodebug(_(fmt), ap2);
|
vwarningx_nodebug(_(fmt), ap2);
|
||||||
@@ -523,7 +523,7 @@ log_warning(int flags, const char *fmt, ...)
|
|||||||
|
|
||||||
/* Log the error. */
|
/* Log the error. */
|
||||||
va_start(ap, fmt);
|
va_start(ap, fmt);
|
||||||
vlog_warning(flags|USE_ERRNO, fmt, ap);
|
vlog_warning(flags|SLOG_USE_ERRNO, fmt, ap);
|
||||||
va_end(ap);
|
va_end(ap);
|
||||||
|
|
||||||
debug_return;
|
debug_return;
|
||||||
|
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright (c) 1999-2005, 2009-2013
|
* Copyright (c) 1999-2005, 2009-2014
|
||||||
* Todd C. Miller <Todd.Miller@courtesan.com>
|
* Todd C. Miller <Todd.Miller@courtesan.com>
|
||||||
*
|
*
|
||||||
* Permission to use, copy, modify, and distribute this software for any
|
* Permission to use, copy, modify, and distribute this software for any
|
||||||
@@ -25,23 +25,23 @@
|
|||||||
# include <varargs.h>
|
# include <varargs.h>
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* Logging types */
|
|
||||||
#define SLOG_SYSLOG 0x01
|
|
||||||
#define SLOG_FILE 0x02
|
|
||||||
#define SLOG_BOTH 0x03
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Values for sudoers_setlocale()
|
* Values for sudoers_setlocale()
|
||||||
*/
|
*/
|
||||||
#define SUDOERS_LOCALE_USER 0
|
#define SUDOERS_LOCALE_USER 0
|
||||||
#define SUDOERS_LOCALE_SUDOERS 1
|
#define SUDOERS_LOCALE_SUDOERS 1
|
||||||
|
|
||||||
|
/* Logging types */
|
||||||
|
#define SLOG_SYSLOG 0x01
|
||||||
|
#define SLOG_FILE 0x02
|
||||||
|
#define SLOG_BOTH 0x03
|
||||||
|
|
||||||
/* Flags for log_warning()/log_warningx() */
|
/* Flags for log_warning()/log_warningx() */
|
||||||
#define MSG_ONLY 0x01
|
#define SLOG_USE_ERRNO 0x01 /* internal use only */
|
||||||
#define USE_ERRNO 0x02 /* internal use only */
|
#define SLOG_RAW_MSG 0x02 /* do not format msg before logging */
|
||||||
#define NO_MAIL 0x04
|
#define SLOG_SEND_MAIL 0x04 /* log via mail */
|
||||||
#define NO_STDERR 0x08
|
#define SLOG_NO_STDERR 0x08 /* do not log via stderr */
|
||||||
#define NO_LOG 0x10
|
#define SLOG_NO_LOG 0x10 /* do not log via file or syslog */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Maximum number of characters to log per entry. The syslogger
|
* Maximum number of characters to log per entry. The syslogger
|
||||||
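Review bot: The rewritten flag block starting at `#define SLOG_USE_ERRNO 0x01` now shares both the `SLOG_` prefix and the bit values 0x01/0x02 with the `SLOG_SYSLOG`/`SLOG_FILE` logging types moved directly above it, so a logging-type constant handed to `log_warning()` as a flag (or the reverse) compiles silently and is read as `SLOG_USE_ERRNO`/`SLOG_RAW_MSG` if both travel as plain `int`. Because this commit also flips the default from mail-on to mail-off, the header is where that contract belongs: suggest widening the comment to `/* Flags for log_warning()/log_warningx(); 0 = log to file/syslog and stderr, no mail. */` and marking the other block `/* Logging types (not log_warning() flags) */`. The `SLOG_USE_ERRNO` comment could further say it is OR-ed in by `log_warning()` itself rather than by callers, which is what the `vlog_warning(flags|SLOG_USE_ERRNO, fmt, ap)` hunk shows.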
|
@@ -112,10 +112,10 @@ sudo_file_parse(struct sudo_nss *nss)
|
|||||||
sudoersin = nss->handle;
|
sudoersin = nss->handle;
|
||||||
if (sudoersparse() != 0 || parse_error) {
|
if (sudoersparse() != 0 || parse_error) {
|
||||||
if (errorlineno != -1) {
|
if (errorlineno != -1) {
|
||||||
log_warningx(0, N_("parse error in %s near line %d"),
|
log_warningx(SLOG_SEND_MAIL, N_("parse error in %s near line %d"),
|
||||||
errorfile, errorlineno);
|
errorfile, errorlineno);
|
||||||
} else {
|
} else {
|
||||||
log_warningx(0, N_("parse error in %s"), errorfile);
|
log_warningx(SLOG_SEND_MAIL, N_("parse error in %s"), errorfile);
|
||||||
}
|
}
|
||||||
debug_return_int(-1);
|
debug_return_int(-1);
|
||||||
}
|
}
|
||||||
|
@@ -155,8 +155,10 @@ sudoers_policy_init(void *info, char * const envp[])
|
|||||||
TAILQ_FOREACH_SAFE(nss, snl, entries, nss_next) {
|
TAILQ_FOREACH_SAFE(nss, snl, entries, nss_next) {
|
||||||
if (nss->open(nss) == 0 && nss->parse(nss) == 0) {
|
if (nss->open(nss) == 0 && nss->parse(nss) == 0) {
|
||||||
sources++;
|
sources++;
|
||||||
if (nss->setdefs(nss) != 0)
|
if (nss->setdefs(nss) != 0) {
|
||||||
log_warningx(NO_STDERR, N_("problem with defaults entries"));
|
log_warningx(SLOG_SEND_MAIL|SLOG_NO_STDERR,
|
||||||
|
N_("problem with defaults entries"));
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
TAILQ_REMOVE(snl, nss, entries);
|
TAILQ_REMOVE(snl, nss, entries);
|
||||||
}
|
}
|
||||||
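Review bot: The `if (nss->setdefs(nss) != 0)` branch now spells out the same two-line `log_warningx(SLOG_SEND_MAIL|SLOG_NO_STDERR, N_("problem with defaults entries"))` call that the `update_defaults(SETDEF_RUNAS)` hunk below and the `update_defaults(SETDEF_CMND)` hunk in set_cmnd also grow, each site gaining its own braces to hold it. Three identical mail-and-suppress-stderr calls are easy to drift apart the next time the flags change, as they just did; a small static helper keeps the policy that defaults problems are reported to the administrator but not echoed to the invoking user in one place. sudoers_policy_init begins before this hunk, so the helper would sit near the top of the file rather than inside it.
```c
/* Defaults problems go to the admin (log + mail) but not to the user's tty. */
static void
log_defaults_problem(void)
{
    log_warningx(SLOG_SEND_MAIL|SLOG_NO_STDERR,
	N_("problem with defaults entries"));
}

/* … unchanged: nss open/parse loop in sudoers_policy_init … */
	    if (nss->setdefs(nss) != 0)
		log_defaults_problem();
```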
@@ -194,8 +196,10 @@ sudoers_policy_init(void *info, char * const envp[])
|
|||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!update_defaults(SETDEF_RUNAS))
|
if (!update_defaults(SETDEF_RUNAS)) {
|
||||||
log_warningx(NO_STDERR, N_("problem with defaults entries"));
|
log_warningx(SLOG_SEND_MAIL|SLOG_NO_STDERR,
|
||||||
|
N_("problem with defaults entries"));
|
||||||
|
}
|
||||||
|
|
||||||
if (def_fqdn)
|
if (def_fqdn)
|
||||||
set_fqdn(); /* deferred until after sudoers is parsed */
|
set_fqdn(); /* deferred until after sudoers is parsed */
|
||||||
@@ -335,8 +339,8 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
|
|||||||
timestamp_uid = pw->pw_uid;
|
timestamp_uid = pw->pw_uid;
|
||||||
sudo_pw_delref(pw);
|
sudo_pw_delref(pw);
|
||||||
} else {
|
} else {
|
||||||
log_warningx(0, N_("timestamp owner (%s): No such user"),
|
log_warningx(SLOG_SEND_MAIL,
|
||||||
def_timestampowner);
|
N_("timestamp owner (%s): No such user"), def_timestampowner);
|
||||||
timestamp_uid = ROOT_UID;
|
timestamp_uid = ROOT_UID;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -625,7 +629,8 @@ init_vars(char * const envp[])
|
|||||||
|
|
||||||
/* It is now safe to use log_warningx() and set_perms() */
|
/* It is now safe to use log_warningx() and set_perms() */
|
||||||
if (unknown_user) {
|
if (unknown_user) {
|
||||||
log_warningx(0, N_("unknown uid: %u"), (unsigned int) user_uid);
|
log_warningx(SLOG_SEND_MAIL, N_("unknown uid: %u"),
|
||||||
|
(unsigned int) user_uid);
|
||||||
debug_return_bool(false);
|
debug_return_bool(false);
|
||||||
}
|
}
|
||||||
debug_return_bool(true);
|
debug_return_bool(true);
|
||||||
@@ -671,7 +676,7 @@ set_cmnd(void)
|
|||||||
if (rval == NOT_FOUND_ERROR) {
|
if (rval == NOT_FOUND_ERROR) {
|
||||||
if (errno == ENAMETOOLONG)
|
if (errno == ENAMETOOLONG)
|
||||||
audit_failure(NewArgv, N_("command too long"));
|
audit_failure(NewArgv, N_("command too long"));
|
||||||
log_warning(NO_MAIL, "%s", NewArgv[0]);
|
log_warning(0, "%s", NewArgv[0]);
|
||||||
debug_return_int(rval);
|
debug_return_int(rval);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -720,8 +725,10 @@ set_cmnd(void)
|
|||||||
else
|
else
|
||||||
user_base = user_cmnd;
|
user_base = user_cmnd;
|
||||||
|
|
||||||
if (!update_defaults(SETDEF_CMND))
|
if (!update_defaults(SETDEF_CMND)) {
|
||||||
log_warningx(NO_STDERR, N_("problem with defaults entries"));
|
log_warningx(SLOG_SEND_MAIL|SLOG_NO_STDERR,
|
||||||
|
N_("problem with defaults entries"));
|
||||||
|
}
|
||||||
|
|
||||||
debug_return_int(rval);
|
debug_return_int(rval);
|
||||||
}
|
}
|
||||||
@@ -758,10 +765,11 @@ open_sudoers(const char *sudoers, bool doedit, bool *keepopen)
|
|||||||
* the user with a reasonable error message (unlike the lexer).
|
* the user with a reasonable error message (unlike the lexer).
|
||||||
*/
|
*/
|
||||||
if ((fp = fopen(sudoers, "r")) == NULL) {
|
if ((fp = fopen(sudoers, "r")) == NULL) {
|
||||||
log_warning(0, N_("unable to open %s"), sudoers);
|
log_warning(SLOG_SEND_MAIL, N_("unable to open %s"), sudoers);
|
||||||
} else {
|
} else {
|
||||||
if (sb.st_size != 0 && fgetc(fp) == EOF) {
|
if (sb.st_size != 0 && fgetc(fp) == EOF) {
|
||||||
log_warning(0, N_("unable to read %s"), sudoers);
|
log_warning(SLOG_SEND_MAIL,
|
||||||
|
N_("unable to read %s"), sudoers);
|
||||||
fclose(fp);
|
fclose(fp);
|
||||||
fp = NULL;
|
fp = NULL;
|
||||||
} else {
|
} else {
|
||||||
@@ -772,21 +780,24 @@ open_sudoers(const char *sudoers, bool doedit, bool *keepopen)
|
|||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case SUDO_PATH_MISSING:
|
case SUDO_PATH_MISSING:
|
||||||
log_warning(0, N_("unable to stat %s"), sudoers);
|
log_warning(SLOG_SEND_MAIL, N_("unable to stat %s"), sudoers);
|
||||||
break;
|
break;
|
||||||
case SUDO_PATH_BAD_TYPE:
|
case SUDO_PATH_BAD_TYPE:
|
||||||
log_warningx(0, N_("%s is not a regular file"), sudoers);
|
log_warningx(SLOG_SEND_MAIL,
|
||||||
|
N_("%s is not a regular file"), sudoers);
|
||||||
break;
|
break;
|
||||||
case SUDO_PATH_WRONG_OWNER:
|
case SUDO_PATH_WRONG_OWNER:
|
||||||
log_warningx(0, N_("%s is owned by uid %u, should be %u"),
|
log_warningx(SLOG_SEND_MAIL,
|
||||||
sudoers, (unsigned int) sb.st_uid, (unsigned int) sudoers_uid);
|
N_("%s is owned by uid %u, should be %u"), sudoers,
|
||||||
|
(unsigned int) sb.st_uid, (unsigned int) sudoers_uid);
|
||||||
break;
|
break;
|
||||||
case SUDO_PATH_WORLD_WRITABLE:
|
case SUDO_PATH_WORLD_WRITABLE:
|
||||||
log_warningx(0, N_("%s is world writable"), sudoers);
|
log_warningx(SLOG_SEND_MAIL, N_("%s is world writable"), sudoers);
|
||||||
break;
|
break;
|
||||||
case SUDO_PATH_GROUP_WRITABLE:
|
case SUDO_PATH_GROUP_WRITABLE:
|
||||||
log_warningx(0, N_("%s is owned by gid %u, should be %u"),
|
log_warningx(SLOG_SEND_MAIL,
|
||||||
sudoers, (unsigned int) sb.st_gid, (unsigned int) sudoers_gid);
|
N_("%s is owned by gid %u, should be %u"), sudoers,
|
||||||
|
(unsigned int) sb.st_gid, (unsigned int) sudoers_gid);
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
/* NOTREACHED */
|
/* NOTREACHED */
|
||||||
@@ -806,7 +817,7 @@ open_sudoers(const char *sudoers, bool doedit, bool *keepopen)
|
|||||||
static bool
|
static bool
|
||||||
set_loginclass(struct passwd *pw)
|
set_loginclass(struct passwd *pw)
|
||||||
{
|
{
|
||||||
const int errflags = NO_MAIL|MSG_ONLY;
|
const int errflags = SLOG_RAW_MSG;
|
||||||
login_cap_t *lc;
|
login_cap_t *lc;
|
||||||
bool rval = true;
|
bool rval = true;
|
||||||
debug_decl(set_loginclass, SUDO_DEBUG_PLUGIN)
|
debug_decl(set_loginclass, SUDO_DEBUG_PLUGIN)
|
||||||
@@ -871,7 +882,8 @@ set_fqdn(void)
|
|||||||
hint.ai_family = PF_UNSPEC;
|
hint.ai_family = PF_UNSPEC;
|
||||||
hint.ai_flags = AI_FQDN;
|
hint.ai_flags = AI_FQDN;
|
||||||
if (getaddrinfo(user_host, NULL, &hint, &res0) != 0) {
|
if (getaddrinfo(user_host, NULL, &hint, &res0) != 0) {
|
||||||
log_warningx(MSG_ONLY, N_("unable to resolve host %s"), user_host);
|
log_warningx(SLOG_SEND_MAIL|SLOG_RAW_MSG,
|
||||||
|
N_("unable to resolve host %s"), user_host);
|
||||||
} else {
|
} else {
|
||||||
if (user_shost != user_host)
|
if (user_shost != user_host)
|
||||||
efree(user_shost);
|
efree(user_shost);
|
||||||
@@ -907,7 +919,7 @@ set_runaspw(const char *user, bool quiet)
|
|||||||
if (pw == NULL) {
|
if (pw == NULL) {
|
||||||
if ((pw = sudo_getpwnam(user)) == NULL) {
|
if ((pw = sudo_getpwnam(user)) == NULL) {
|
||||||
if (!quiet)
|
if (!quiet)
|
||||||
log_warningx(NO_MAIL|MSG_ONLY, N_("unknown user: %s"), user);
|
log_warningx(SLOG_RAW_MSG, N_("unknown user: %s"), user);
|
||||||
debug_return_bool(false);
|
debug_return_bool(false);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -938,7 +950,7 @@ set_runasgr(const char *group, bool quiet)
|
|||||||
if (gr == NULL) {
|
if (gr == NULL) {
|
||||||
if ((gr = sudo_getgrnam(group)) == NULL) {
|
if ((gr = sudo_getgrnam(group)) == NULL) {
|
||||||
if (!quiet)
|
if (!quiet)
|
||||||
log_warningx(NO_MAIL|MSG_ONLY, N_("unknown group: %s"), group);
|
log_warningx(SLOG_RAW_MSG, N_("unknown group: %s"), group);
|
||||||
debug_return_bool(false);
|
debug_return_bool(false);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@@ -182,10 +182,13 @@ found_it:
|
|||||||
if ((size_t)nwritten == sizeof(struct timestamp_entry))
|
if ((size_t)nwritten == sizeof(struct timestamp_entry))
|
||||||
debug_return_bool(true);
|
debug_return_bool(true);
|
||||||
|
|
||||||
if (nwritten == -1)
|
if (nwritten == -1) {
|
||||||
log_warning(0, N_("unable to write to %s"), timestamp_file);
|
log_warning(SLOG_SEND_MAIL,
|
||||||
else
|
N_("unable to write to %s"), timestamp_file);
|
||||||
log_warningx(0, N_("unable to write to %s"), timestamp_file);
|
} else {
|
||||||
|
log_warningx(SLOG_SEND_MAIL,
|
||||||
|
N_("unable to write to %s"), timestamp_file);
|
||||||
|
}
|
||||||
|
|
||||||
/* Truncate on partial write to be safe. */
|
/* Truncate on partial write to be safe. */
|
||||||
if (nwritten > 0 && old_eof != (off_t)-1) {
|
if (nwritten > 0 && old_eof != (off_t)-1) {
|
||||||
@@ -312,8 +315,8 @@ build_timestamp(struct passwd *pw)
|
|||||||
len = snprintf(timestamp_file, sizeof(timestamp_file), "%s/%s",
|
len = snprintf(timestamp_file, sizeof(timestamp_file), "%s/%s",
|
||||||
def_timestampdir, user_name);
|
def_timestampdir, user_name);
|
||||||
if (len <= 0 || (size_t)len >= sizeof(timestamp_file)) {
|
if (len <= 0 || (size_t)len >= sizeof(timestamp_file)) {
|
||||||
log_warningx(0, N_("timestamp path too long: %s/%s"),
|
log_warningx(SLOG_SEND_MAIL,
|
||||||
def_timestampdir, user_name);
|
N_("timestamp path too long: %s/%s"), def_timestampdir, user_name);
|
||||||
len = -1;
|
len = -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -352,7 +355,7 @@ update_timestamp(struct passwd *pw)
|
|||||||
if (uid_changed)
|
if (uid_changed)
|
||||||
(void) restore_perms();
|
(void) restore_perms();
|
||||||
if (fd == -1) {
|
if (fd == -1) {
|
||||||
log_warning(0, N_("unable to open %s"), timestamp_file);
|
log_warning(SLOG_SEND_MAIL, N_("unable to open %s"), timestamp_file);
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -492,7 +495,8 @@ timestamp_status(struct passwd *pw)
|
|||||||
#ifdef CLOCK_MONOTONIC
|
#ifdef CLOCK_MONOTONIC
|
||||||
/* A monotonic clock should never run backwards. */
|
/* A monotonic clock should never run backwards. */
|
||||||
if (diff.tv_sec < 0) {
|
if (diff.tv_sec < 0) {
|
||||||
log_warningx(0, N_("ignoring time stamp from the future"));
|
log_warningx(SLOG_SEND_MAIL,
|
||||||
|
N_("ignoring time stamp from the future"));
|
||||||
status = TS_OLD;
|
status = TS_OLD;
|
||||||
SET(entry.flags, TS_DISABLED);
|
SET(entry.flags, TS_DISABLED);
|
||||||
ts_update_record(fd, &entry, timestamp_hint);
|
ts_update_record(fd, &entry, timestamp_hint);
|
||||||
@@ -503,7 +507,7 @@ timestamp_status(struct passwd *pw)
|
|||||||
timeout.tv_sec *= 2;
|
timeout.tv_sec *= 2;
|
||||||
if (sudo_timespeccmp(&diff, &timeout, >)) {
|
if (sudo_timespeccmp(&diff, &timeout, >)) {
|
||||||
time_t tv_sec = (time_t)entry.ts.tv_sec;
|
time_t tv_sec = (time_t)entry.ts.tv_sec;
|
||||||
log_warningx(0,
|
log_warningx(SLOG_SEND_MAIL,
|
||||||
N_("time stamp too far in the future: %20.20s"),
|
N_("time stamp too far in the future: %20.20s"),
|
||||||
4 + ctime(&tv_sec));
|
4 + ctime(&tv_sec));
|
||||||
status = TS_OLD;
|
status = TS_OLD;
|
||||||
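Review bot: `4 + ctime(&tv_sec)` on the `log_warningx(SLOG_SEND_MAIL, ...)` call does unchecked pointer arithmetic on ctime()'s result, which returns NULL when the year does not fit the broken-down time, and this branch is exactly the one reached when `entry.ts.tv_sec` (presumably read back from the time stamp record) is implausibly large — so the warning meant to report a bad stamp can itself compute past NULL and hand `%20.20s` an invalid pointer. Suggest `const char *ts = ctime(&tv_sec);` followed by `log_warningx(SLOG_SEND_MAIL, N_("time stamp too far in the future: %20.20s"), ts != NULL ? ts + 4 : "?");`. timestamp_status continues on both sides of this hunk.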
@@ -607,7 +611,7 @@ already_lectured(int unused)
|
|||||||
if (len > 0 && (size_t)len < sizeof(status_file)) {
|
if (len > 0 && (size_t)len < sizeof(status_file)) {
|
||||||
debug_return_bool(stat(status_file, &sb) == 0);
|
debug_return_bool(stat(status_file, &sb) == 0);
|
||||||
}
|
}
|
||||||
log_warningx(0, N_("lecture status path too long: %s/%s"),
|
log_warningx(SLOG_SEND_MAIL, N_("lecture status path too long: %s/%s"),
|
||||||
def_lecture_status_dir, user_name);
|
def_lecture_status_dir, user_name);
|
||||||
}
|
}
|
||||||
debug_return_bool(false);
|
debug_return_bool(false);
|
||||||
@@ -628,7 +632,7 @@ set_lectured(void)
|
|||||||
len = snprintf(lecture_status, sizeof(lecture_status), "%s/%s",
|
len = snprintf(lecture_status, sizeof(lecture_status), "%s/%s",
|
||||||
def_lecture_status_dir, user_name);
|
def_lecture_status_dir, user_name);
|
||||||
if (len <= 0 || (size_t)len >= sizeof(lecture_status)) {
|
if (len <= 0 || (size_t)len >= sizeof(lecture_status)) {
|
||||||
log_warningx(0, N_("lecture status path too long: %s/%s"),
|
log_warningx(SLOG_SEND_MAIL, N_("lecture status path too long: %s/%s"),
|
||||||
def_lecture_status_dir, user_name);
|
def_lecture_status_dir, user_name);
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
|