Rename log_children -> log_subcmds

2021-08-26 16:36:41 -06:00
parent d8d4023335
commit ba171724f7
13 changed files with 76 additions and 76 deletions
--- a/6
+++ b/6
@@ -29,9 +29,9 @@ What's new in Sudo 1.9.8
   intercept_authenticate and intercept_allow_setid sudoers settings
   can be used to change this behavior.
- * The new "log_children" sudoers setting can be used to log commands
+ * The new "log_subcmds" sudoers setting can be used to log additional
-   run in a privileged shell.  It uses the same mechanism as the
+   commands run in a privileged shell.  It uses the same mechanism as
-   intercept support described above and has the same limitations.
+   the intercept support described above and has the same limitations.
 * Support for logging sudo_logsrvd errors via syslog or to a file.
   Previously, most sudo_logsrvd errors were only visible in the
--- a/doc/sudoers.man.in
+++ b/doc/sudoers.man.in
@@ -2758,34 +2758,6 @@ by default.
 .sp
 This setting is only supported by version 1.8.29 or higher.
 .TP 18n
 log_children
 If set,
 \fBsudoers\fR
 will log when a command spawns a child process and executes a program
 using the
 \fBexecv\fR()
 or
 \fBexecve\fR()
 library functions.
 For example, if a shell is run by
 \fBsudo\fR,
 the individual commands run via the shell will be logged.
 This flag is
 \fIoff\fR
 by default.
 .sp
 The
 \fIlog_children\fR
 flag uses the same underlying mechanism as the
 \fIintercept\fR
 and
 \fInoexec\fR
 settings.
 See
 \fIPreventing shell escapes\fR
 for more information on what systems support this option and its limitations.
 This setting is only supported by version 1.9.8 or higher.
 .TP 18n
 log_denied
 If set,
 \fBsudoers\fR
@@ -2882,6 +2854,34 @@ by default.
 .sp
 This setting is only supported by version 1.9.0 or higher.
 .TP 18n
 log_subcmds
 If set,
 \fBsudoers\fR
 will log when a command spawns a child process and executes a program
 using the
 \fBexecv\fR()
 or
 \fBexecve\fR()
 library functions.
 For example, if a shell is run by
 \fBsudo\fR,
 the individual commands run via the shell will be logged.
 This flag is
 \fIoff\fR
 by default.
 .sp
 The
 \fIlog_subcmds\fR
 flag uses the same underlying mechanism as the
 \fIintercept\fR
 and
 \fInoexec\fR
 settings.
 See
 \fIPreventing shell escapes\fR
 for more information on what systems support this option and its limitations.
 This setting is only supported by version 1.9.8 or higher.
 .TP 18n
 log_year
 If set, the four-digit year will be logged in the (non-syslog)
 \fBsudo\fR
@@ -6389,7 +6389,7 @@ flag.
 This will log the command's output but will not create an event log
 entry when the additional command is run.
 The second is to enable the
-\fIlog_children\fR
+\fIlog_subcmds\fR
 flag in
 \fIsudoers\fR
 which will create an event log entry every time a new command is run.
@@ -6399,7 +6399,7 @@ This offset can be passed to the
 sudoreplay(@mansectsu@)
 utility to replay the I/O log at the exact moment when the command was run.
 The
-\fIlog_children\fR
+\fIlog_subcmds\fR
 flag uses the same mechanism as
 \fIintercept\fR
 (see above) and has the same limitations.
--- a/doc/sudoers.mdoc.in
+++ b/doc/sudoers.mdoc.in
@@ -2598,33 +2598,6 @@ This flag is
 by default.
 .Pp
 This setting is only supported by version 1.8.29 or higher.
 .It log_children
 If set,
 .Nm
 will log when a command spawns a child process and executes a program
 using the
 .Fn execv
 or
 .Fn execve
 library functions.
 For example, if a shell is run by
 .Nm sudo ,
 the individual commands run via the shell will be logged.
 This flag is
 .Em off
 by default.
 .Pp
 The
 .Em log_children
 flag uses the same underlying mechanism as the
 .Em intercept
 and
 .Em noexec
 settings.
 See
 .Sx Preventing shell escapes
 for more information on what systems support this option and its limitations.
 This setting is only supported by version 1.9.8 or higher.
 .It log_denied
 If set,
 .Nm
@@ -2713,6 +2686,33 @@ This flag is
 by default.
 .Pp
 This setting is only supported by version 1.9.0 or higher.
 .It log_subcmds
 If set,
 .Nm
 will log when a command spawns a child process and executes a program
 using the
 .Fn execv
 or
 .Fn execve
 library functions.
 For example, if a shell is run by
 .Nm sudo ,
 the individual commands run via the shell will be logged.
 This flag is
 .Em off
 by default.
 .Pp
 The
 .Em log_subcmds
 flag uses the same underlying mechanism as the
 .Em intercept
 and
 .Em noexec
 settings.
 See
 .Sx Preventing shell escapes
 for more information on what systems support this option and its limitations.
 This setting is only supported by version 1.9.8 or higher.
 .It log_year
 If set, the four-digit year will be logged in the (non-syslog)
 .Nm sudo
@@ -5904,7 +5904,7 @@ flag.
 This will log the command's output but will not create an event log
 entry when the additional command is run.
 The second is to enable the
-.Em log_children
+.Em log_subcmds
 flag in
 .Em sudoers
 which will create an event log entry every time a new command is run.
@@ -5914,7 +5914,7 @@ This offset can be passed to the
 .Xr sudoreplay @mansectsu@
 utility to replay the I/O log at the exact moment when the command was run.
 The
-.Em log_children
+.Em log_subcmds
 flag uses the same mechanism as
 .Em intercept
 (see above) and has the same limitations.
--- a/plugins/sudoers/def_data.c
+++ b/plugins/sudoers/def_data.c
@@ -582,8 +582,8 @@ struct sudo_defs_types sudo_defs_table[] = {
 	N_("Intercept further commands and apply sudoers restrictions to them"),
 	NULL,
    }, {
-	"log_children", T_FLAG,
+	"log_subcmds", T_FLAG,
-	N_("Log any child processes run by the command"),
+	N_("Log sub-commands run by the original command"),
 	NULL,
    }, {
 	"log_exit_status", T_FLAG,
--- a/plugins/sudoers/def_data.h
+++ b/plugins/sudoers/def_data.h
@@ -268,8 +268,8 @@
 #define def_admin_flag          (sudo_defs_table[I_ADMIN_FLAG].sd_un.str)
 #define I_INTERCEPT             133
 #define def_intercept           (sudo_defs_table[I_INTERCEPT].sd_un.flag)
-#define I_LOG_CHILDREN          134
+#define I_LOG_SUBCMDS           134
-#define def_log_children        (sudo_defs_table[I_LOG_CHILDREN].sd_un.flag)
+#define def_log_subcmds         (sudo_defs_table[I_LOG_SUBCMDS].sd_un.flag)
 #define I_LOG_EXIT_STATUS       135
 #define def_log_exit_status     (sudo_defs_table[I_LOG_EXIT_STATUS].sd_un.flag)
 #define I_INTERCEPT_AUTHENTICATE 136
--- a/plugins/sudoers/def_data.in
+++ b/plugins/sudoers/def_data.in
@@ -418,9 +418,9 @@ admin_flag
 intercept
 	T_FLAG
 	"Intercept further commands and apply sudoers restrictions to them"
-log_children
+log_subcmds
 	T_FLAG
-	"Log any child processes run by the command"
+	"Log sub-commands run by the original command"
 log_exit_status
 	T_FLAG
 	"Log the exit status of commands"
--- a/plugins/sudoers/policy.c
+++ b/plugins/sudoers/policy.c
@@ -633,8 +633,8 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
 	if (command_info[info_len++] == NULL)
 	    goto oom;
    }
-    if (def_log_children) {
+    if (def_log_subcmds) {
-	if ((command_info[info_len++] = strdup("log_children=true")) == NULL)
+	if ((command_info[info_len++] = strdup("log_subcmds=true")) == NULL)
 	    goto oom;
    }
    if (def_log_input || def_log_output) {
--- a/src/exec.c
+++ b/src/exec.c
@@ -319,7 +319,7 @@ sudo_needs_pty(struct command_details *details)
 {
    struct plugin_container *plugin;
-    if (ISSET(details->flags, CD_USE_PTY|CD_INTERCEPT|CD_LOG_CHILDREN))
+    if (ISSET(details->flags, CD_USE_PTY|CD_INTERCEPT|CD_LOG_SUBCMDS))
 	return true;
    TAILQ_FOREACH(plugin, &io_plugins, entries) {
--- a/src/exec_common.c
+++ b/src/exec_common.c
@@ -104,7 +104,7 @@ sudo_execve(int fd, const char *path, char *const argv[], char *envp[],
    /* Modify the environment as needed to trap execve(). */
    if (ISSET(flags, CD_NOEXEC))
 	envp = disable_execute(envp, sudo_conf_noexec_path());
-    else if (ISSET(flags, CD_INTERCEPT|CD_LOG_CHILDREN))
+    else if (ISSET(flags, CD_INTERCEPT|CD_LOG_SUBCMDS))
 	envp = enable_intercept(envp, sudo_conf_intercept_path(), intercept_fd);
 #ifdef HAVE_FEXECVE
--- a/src/exec_nopty.c
+++ b/src/exec_nopty.c
@@ -369,7 +369,7 @@ exec_nopty(struct command_details *details, struct command_status *cstat)
     * Allocate a socketpair for communicating with sudo_intercept.so.
     * This must be inherited across exec, hence no FD_CLOEXEC.
     */
-    if (ISSET(details->flags, CD_INTERCEPT|CD_LOG_CHILDREN)) {
+    if (ISSET(details->flags, CD_INTERCEPT|CD_LOG_SUBCMDS)) {
 	if (socketpair(PF_UNIX, SOCK_STREAM, 0, intercept_sv) == -1)
 	    sudo_fatal("%s", U_("unable to create sockets"));
    }
--- a/src/exec_pty.c
+++ b/src/exec_pty.c
@@ -1391,7 +1391,7 @@ exec_pty(struct command_details *details, struct command_status *cstat)
     * Allocate a socketpair for communicating with sudo_intercept.so.
     * This must be inherited across exec, hence no FD_CLOEXEC.
     */
-    if (ISSET(details->flags, CD_INTERCEPT|CD_LOG_CHILDREN)) {
+    if (ISSET(details->flags, CD_INTERCEPT|CD_LOG_SUBCMDS)) {
 	if (socketpair(PF_UNIX, SOCK_STREAM, 0, intercept_sv) == -1)
 	    sudo_fatal("%s", U_("unable to create sockets"));
    }
--- a/src/sudo.c
+++ b/src/sudo.c
@@ -730,7 +730,7 @@ command_info_to_details(char * const info[], struct command_details *details)
 		break;
 	    case 'l':
 		SET_STRING("login_class=", login_class)
-		SET_FLAG("log_children=", CD_LOG_CHILDREN)
+		SET_FLAG("log_subcmds=", CD_LOG_SUBCMDS)
 		break;
 	    case 'n':
 		if (strncmp("nice=", info[i], sizeof("nice=") - 1) == 0) {
--- a/src/sudo.h
+++ b/src/sudo.h
@@ -139,7 +139,7 @@ struct user_details {
 #define CD_SET_GROUPS		0x040000
 #define CD_LOGIN_SHELL		0x080000
 #define CD_OVERRIDE_UMASK	0x100000
-#define CD_LOG_CHILDREN		0x200000
+#define CD_LOG_SUBCMDS		0x200000
 struct preserved_fd {
    TAILQ_ENTRY(preserved_fd) entries;