Split log_{input,output} into log_{stdin,ttyin} and log_{ttyout,stdout,stderr}

If log_input is set, log_{stdin,ttyin} will be set as well.
If log_output is set, log_{stdout,stderr,ttyout} will be set as well.
This provides more fine-grained control over I/O logging and makes it
possible to disable logging piped or redirected input or output.
Todd C. Miller
2022-09-20 14:35:12 -06:00
parent 4ee0caf07d
commit ce387a6849
12 changed files with 782 additions and 196 deletions

View File

@@ -25,7 +25,7 @@
.nr BA @BAMAN@
.nr LC @LCMAN@
.nr PS @PSMAN@
.TH "SUDOERS" "@mansectform@" "September 13, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.TH "SUDOERS" "@mansectform@" "September 20, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -292,27 +292,17 @@ and
\fIlogfile\fR
settings.
See
\fILOG FORMAT\fR
\fIEVENT LOGGING\fR
for a description of the log file format.
.PP
\fBsudoers\fR
is also capable of running a command in a pseudo-terminal and logging all
is also capable of running a command in a pseudo-terminal and logging
input and/or output.
The standard input, standard output, and standard error can be logged
even when not associated with a terminal.
I/O logging is not on by default but can be enabled using
the
\fIlog_input\fR
and
\fIlog_output\fR
options as well as the
\fRLOG_INPUT\fR
and
\fRLOG_OUTPUT\fR
command tags.
See
\fII/O LOG FILES\fR
for details on how I/O log files are stored.
For more information about I/O logging, see the
\fII/O LOGGING\fR
section.
.PP
Starting with version 1.9, the
\fIlog_servers\fR
@@ -1860,22 +1850,16 @@ command and are ignored for all other commands.
These tags override the value of the
\fIlog_input\fR
flag on a per-command basis.
For more information, see the description of
\fIlog_input\fR
in the
\fISUDOERS OPTIONS\fR
section below.
For more information, see
\fII/O LOGGING\fR.
.TP 2n
\fRLOG_OUTPUT\fR and \fRNOLOG_OUTPUT\fR
.sp
These tags override the value of the
\fIlog_output\fR
flag on a per-command basis.
For more information, see the description of
\fIlog_output\fR
in the
\fISUDOERS OPTIONS\fR
section below.
For more information, see
\fII/O LOGGING\fR.
.TP 2n
\fRMAIL\fR and \fRNOMAIL\fR
.sp
@@ -2846,7 +2830,7 @@ Most programs that require a user's password will disable echo before
reading the password to avoid displaying the plaintext password on
the screen.
However, if terminal input is being logged (see
\fIlog_input\fR),
\fII/O LOGGING\fR),
the password will still be present in the I/O log.
If the
\fIlog_passwords\fR
@@ -2869,8 +2853,8 @@ is set), only the
first character of the password will be replaced in the I/O log.
This option has no effect unless
\fIlog_input\fR
and
\fIlog_input\fR
or
\fIlog_ttyin\fR
are also set.
This flag is
\fIon\fR
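
Review bot: in the log_passwords text, changing the conjunction to "or" leaves the plural verb behind, so "unless log_input or log_ttyin are also set" should read "is also set". Since the new log_ttyin entry says the LOG_INPUT command tag enables it as well, consider naming the tag here too.
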
@@ -3088,19 +3072,14 @@ by default.
log_input
If set,
\fBsudo\fR
will run the command in a pseudo-terminal and log all user input.
If the standard input is not connected to the user's tty, due to
I/O redirection or because the command is part of a pipeline, that
input is also captured and stored in a separate log file.
Anything sent to the standard input will be consumed, regardless of
whether or not the command run via
will run the command in a pseudo-terminal (if
\fBsudo\fR
is actually reading the standard input.
This may have unexpected results when using
\fBsudo\fR
in a shell script that expects to process the standard input.
was run from a terminal) and log all user input.
If the standard input is not connected to the user's terminal, due
to I/O redirection or because the command is part of a pipeline,
that input is also logged.
For more information about I/O logging, see the
\fII/O LOG FILES\fR
\fII/O LOGGING\fR
section.
This flag is
\fIoff\fR
@@ -3109,12 +3088,15 @@ by default.
log_output
If set,
\fBsudo\fR
will run the command in a pseudo-terminal and log all output that is sent
to the screen, similar to the
script(1)
command.
will run the command in a pseudo-terminal (if
\fBsudo\fR
was run from a terminal) and log all output that is sent to the
user's terminal, the standard output or the standard error.
If the standard output or standard error is not connected to the
user's terminal, due to I/O redirection or because the command is
part of a pipeline, that output is also logged.
For more information about I/O logging, see the
\fII/O LOG FILES\fR
\fII/O LOGGING\fR
section.
This flag is
\fIoff\fR
@@ -3150,6 +3132,48 @@ by default.
.sp
This setting is only supported by version 1.9.0 or higher.
.TP 18n
log_stderr
If set,
\fBsudo\fR
will run the command in a pseudo-terminal and log the standard error
if it is not connected to the user's terminal.
This can be used to log output to a pipe or redirected to a file.
This flag is
\fIoff\fR
by default but is enabled when either the
\fIlog_output\fR
flag or the
\fRLOG_OUTPUT\fR
command tag is set.
.TP 18n
log_stdin
If set,
\fBsudo\fR
will run the command in a pseudo-terminal and log the standard input
if it is not connected to the user's terminal.
This can be used to log input from a pipe or redirected from a file.
This flag is
\fIoff\fR
by default but is enabled when either the
\fIlog_input\fR
flag or the
\fRLOG_INPUT\fR
command tag is set.
.TP 18n
log_stdout
If set,
\fBsudo\fR
will run the command in a pseudo-terminal and log the standard output
if it is not connected to the user's terminal.
This can be used to log output to a pipe or redirected to a file.
This flag is
\fIoff\fR
by default but is enabled when either the
\fIlog_output\fR
flag or the
\fRLOG_OUTPUT\fR
command tag is set.
.TP 18n
log_subcmds
If set,
\fBsudoers\fR
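
Review bot: the new log_stderr, log_stdin and log_stdout entries each say sudo "will run the command in a pseudo-terminal" without qualification, while the reworded log_input and log_output entries add "(if sudo was run from a terminal)" and the I/O LOGGING section says these three streams are captured through a pipe. Suggest using the same qualifier in all three entries, or dropping the pseudo-terminal clause, so they do not imply that a pty is what logs redirected I/O. "log output to a pipe or redirected to a file" would also read better as "log output sent to a pipe or redirected to a file".
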
@@ -3185,6 +3209,38 @@ and is incompatible with SELinux RBAC support unless the system supports
seccomp(2)
filter mode.
.TP 18n
log_ttyin
If set,
\fBsudo\fR
will run the command in a pseudo-terminal and log user keystrokes
sent to the user's terminal, if one is present.
This flag is
\fIoff\fR
by default but is enabled when either the
\fIlog_input\fR
flag or the
\fRLOG_INPUT\fR
command tag is set.
If no terminal is present, for example when running a remote command using
ssh(1),
this flag will have no effect.
.TP 18n
log_ttyout
If set,
\fBsudo\fR
will run the command in a pseudo-terminal and log all output displayed
on the user's terminal, if one is present.
This flag is
\fIoff\fR
by default but is enabled when either the
\fIlog_output\fR
flag or the
\fRLOG_OUTPUT\fR
command tag is set.
If no terminal is present, for example when running a remote command using
ssh(1),
this flag will have no effect.
.TP 18n
log_year
If set, the four-digit year will be logged in the (non-syslog)
\fBsudo\fR
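
Review bot: the log_ttyin entry does not mention that keystroke logging can capture passwords typed at a prompt. The log_passwords text already states that the password "will still be present in the I/O log" when terminal input is logged, so a cross-reference to log_passwords from log_ttyin would put that warning where someone enabling this flag on its own will see it.
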
@@ -3834,6 +3890,11 @@ A pseudo-terminal is allocated by
when it is running in a terminal and one or more of the
\fIlog_input\fR,
\fIlog_output\fR,
\fIlog_stdin\fR,
\fIlog_stdout\fR,
\fIlog_stderr\fR,
\fIlog_ttyin\fR,
\fIlog_ttyout\fR,
or
\fIuse_pty\fR
flags is enabled.
@@ -4606,7 +4667,7 @@ For
\fBsudo_logsrvd\fR,
client certificate validation is controlled by the
\fItls_checkpeer\fR
option, which defaults to
flag, which defaults to
\fIfalse\fR.
.sp
This setting is only supported by version 1.9.0 or higher.
@@ -5110,7 +5171,7 @@ may be truncated.
.TP 10n
sudo
Traditional sudo-style logs, see
\fILOG FORMAT\fR
\fIEVENT LOGGING\fR
for a description of the log file format.
.PP
This setting affects logs sent via
@@ -5693,7 +5754,7 @@ Defaults group_plugin=system_group.so
.PP
The group provider plugin API is described in detail in
sudo_plugin(@mansectform@).
.SH "LOG FORMAT"
.SH "EVENT LOGGING"
\fBsudoers\fR
can log events in either JSON or
\fIsudo\fR
@@ -6049,11 +6110,60 @@ If the
option is set to 0 (or negated with a
\(oq\&!\(cq),
word wrap will be disabled.
.SH "I/O LOG FILES"
.SH "I/O LOGGING"
When I/O logging is enabled,
\fBsudo\fR
will run the command in a pseudo-terminal and log all user input and/or output,
depending on which options are enabled.
will runs the command in a pseudo-terminal, logging user input
and/or output, depending on which
\fBsudoers\fR
flags are enabled.
There are five distinct types of I/O that can be logged, each with
a corresponding
\fBsudoers\fR
flag.
.TS
l l l.
.PP
\fBType\fR \fBFlag\fR \fBDescription\fR
.PP
terminal input log_ttyin keystrokes entered by the user
.PP
terminal output log_ttyout command output displayed to the screen
.PP
standard input log_stdin input from a pipe or a file
.PP
standard output log_stdout output to a pipe or a file
.PP
standard error log_stderr output to a pipe or a file
.TE
.PP
In addition to flags described the above, the
\fIlog_input\fR
flag and
\fRLOG_INPUT\fR
command tag set both
\fIlog_ttyin\fR
and
\fIlog_stdin\fR.
The
\fIlog_output\fR
flag and
\fRLOG_OUTPUT\fR
command tag set
\fIlog_ttyout\fR,
\fIlog_stdout\fR,
and
\fIlog_stderr\fR.
.PP
To capture terminal input and output,
\fBsudo\fR
run the command in a pseudo-terminal, logging the input and
output before passing it on to the user.
To capture the standard input, standard output or standard error,
\fBsudo\fR
uses a pipe to interpose itself between the input or output stream,
logging the I/O before passing it to the other end of the pipe.
.PP
I/O can be logged either to the local machine or to a remote log server.
For local logs, I/O is logged to the directory specified by the
\fIiolog_dir\fR
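
Review bot: three wording slips in the new I/O LOGGING introduction need fixing before this lands: "will runs the command" should be "will run the command", "In addition to flags described the above" should be "In addition to the flags described above", and "sudo run the command in a pseudo-terminal" should be "sudo runs the command".
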
@@ -6073,7 +6183,121 @@ setting is used to specify one or more log servers running
\fBsudo_logsrvd\fR
or another server that implements the protocol described by
sudo_logsrv.proto(@mansectform@).
.SS "I/O logging pitfals"
When logging standard input, anything sent to the standard input
will be consumed, regardless of whether or not the command run via
\fBsudo\fR
is actively reading the standard input.
This may have unexpected results when using
\fBsudo\fR
in a shell script that expects to process the standard input.
For example, given the following shell script:
.nf
.sp
.RS 4n
#!/bin/sh
sudo echo testing
echo done
.RE
.fi
.PP
It will behave as expected when the script is passed to the shell as a
an argument:
.nf
.sp
.RS 4n
$ sh test.sh
testing
done
.RE
.fi
.PP
However, if the script is passed to the shell on the standard input, the
\(oqsudo echo testing\(cq
command will consume the rest of the script.
This means that the
\(oqecho done\(cq
statement is never executed.
.nf
.sp
.RS 4n
$ sh -s < test.sh
testing
.RE
.fi
.PP
There are several ways to work around this problem:
.TP 5n
1.\&
Redirect the standard input from
\fI/dev/null\fR
when running a command via
\fBsudo\fR
that does not need to read the standard input.
.nf
.sp
.RS 9n
sudo echo testing < /dev/null
.RE
.fi
.TP 5n
2.\&
Pass the script to the shell by path name instead of via the standard input.
.nf
.sp
.RS 9n
sh test.sh
.RE
.fi
.TP 5n
3.\&
Disable logging the standard input for commands that do not need
to read the standard input.
.nf
.sp
.RS 9n
Defaults!/bin/echo !log_stdin
.RE
.fi
.PP
Depending on the command, it may not be desirable to log the
standard input or standard output.
For example, I/O logging of commands that send or receive large
amount of data via the standard output or standard input such as
rsync(1)
and
tar(1)
could fill up the log file system with superfluous data.
It is possible to disable logging of the standard input and standard
output for such commands as follows:
.nf
.sp
.RS 4n
Cmnd_Alias COPY_CMDS = /usr/bin/tar, /usr/bin/cpio, /usr/bin/rsync
# Log input and output but omit stdin and stdout when copying files.
Defaults log_input, log_output
Defaults!COPY_CMDS !log_stdin, !log_stdout
.RE
.fi
.PP
However, be aware that using the
\fIlog_input\fR
flag or the
\fRLOG_INPUT\fR
command tag will also enable
\fIlog_stdin\fR.
Likewise, the
\fIlog_ouput\fR
flag or the
\fRLOG_OUTPUT\fR
command tag will enable
\fIlog_stdout\fR
and
\fIlog_stderr.\fR
Careful ordering of rules may be necessary to achieve the results
that you expect.
.SS "I/O log format"
For both local and remote I/O logs, each log is stored in a separate
directory that contains the following files:
.TP 10n
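
Review bot: the flag name is misspelled as log_ouput in the closing paragraph ("Likewise, the log_ouput flag"); readers copy flag names from the manual, so it should be log_output. In the same hunk the subsection title reads "I/O logging pitfals" (pitfalls), "as a an argument" has a doubled article, and the period in "\fIlog_stderr.\fR" sits inside the italic span. The paragraph ends with "Careful ordering of rules may be necessary"; a sentence stating which ordering gives the intended result for the COPY_CMDS example would make that caveat usable.
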
@@ -6219,6 +6443,13 @@ command suspend or resume, signal received
.TP 10n
\fIttyin\fR
Raw input from the user's terminal, exactly as it was received.
This file is only present if the
\fIlog_input\fR
or
\fIlog_ttyin\fR
flags are set and
\fBsudo\fR
was run from a terminal.
No post-processing is performed.
For manual viewing, you may wish to convert carriage return characters
in the log to line feeds.
@@ -6228,19 +6459,42 @@ For example:
\fIstdin\fR
The standard input when no terminal is present, or input redirected from
a pipe or file.
This file is only present if the
\fIlog_input\fR
or
\fIlog_stdin\fR
flags are set and the standard input is not connected to a terminal.
.TP 10n
\fIttyout\fR
Output from the pseudo-terminal (what the command writes to the screen).
Terminal-specific post-processing is performed before the data is logged.
This means that, for example, line feeds are usually converted to
line feed/carriage return pairs and tabs may be expanded to spaces.
This file is only present if the
\fIlog_output\fR
or
\fIlog_ttyout\fR
flags are set and
\fBsudo\fR
was run from a terminal.
.TP 10n
\fIstdout\fR
The standard output when no terminal is present, or output redirected to
a pipe or file.
This file is only present if the
\fIlog_output\fR
or
\fIlog_stdout\fR
flags are set and the standard output is not connected to a terminal.
.TP 10n
\fIstderr\fR
The standard error redirected to a pipe or file.
The standard error when no terminal is present, or output redirected to
a pipe or file.
This file is only present if the
\fIlog_output\fR
or
\fIlog_stderr\fR
flags are set and the standard error is not connected to a terminal.
.PP
All files other than
\fIlog\fR
@@ -6268,6 +6522,9 @@ In most cases, logging the command output via
or
\fRLOG_OUTPUT\fR
is all that is required.
When logging input, consider disabling the
\fIlog_passwords\fR
flag.
.PP
Since each session's I/O logs are stored in a separate directory,
traditional log rotation utilities cannot be used to limit the
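
Review bot: "When logging input, consider disabling the log_passwords flag" is broader than the option's own description, which says it has no effect unless log_input or log_ttyin is set. Suggest "When logging terminal input" so that readers who enable only log_stdin are not pointed at a flag that does nothing for them.
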

View File

@@ -25,7 +25,7 @@
.nr BA @BAMAN@
.nr LC @LCMAN@
.nr PS @PSMAN@
.Dd September 13, 2022
.Dd September 20, 2022
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -281,27 +281,17 @@ and
.Em logfile
settings.
See
.Sx "LOG FORMAT"
.Sx "EVENT LOGGING"
for a description of the log file format.
.Pp
.Nm
is also capable of running a command in a pseudo-terminal and logging all
is also capable of running a command in a pseudo-terminal and logging
input and/or output.
The standard input, standard output, and standard error can be logged
even when not associated with a terminal.
I/O logging is not on by default but can be enabled using
the
.Em log_input
and
.Em log_output
options as well as the
.Dv LOG_INPUT
and
.Dv LOG_OUTPUT
command tags.
See
.Sx "I/O LOG FILES"
for details on how I/O log files are stored.
For more information about I/O logging, see the
.Sx "I/O LOGGING"
section.
.Pp
Starting with version 1.9, the
.Em log_servers
@@ -1772,21 +1762,15 @@ command and are ignored for all other commands.
These tags override the value of the
.Em log_input
flag on a per-command basis.
For more information, see the description of
.Em log_input
in the
.Sx SUDOERS OPTIONS
section below.
For more information, see
.Sx "I/O LOGGING" .
.It Dv LOG_OUTPUT No and Dv NOLOG_OUTPUT
.sp
These tags override the value of the
.Em log_output
flag on a per-command basis.
For more information, see the description of
.Em log_output
in the
.Sx SUDOERS OPTIONS
section below.
For more information, see
.Sx "I/O LOGGING" .
.It Dv MAIL No and Dv NOMAIL
.sp
These tags provide fine-grained control over whether
@@ -2696,7 +2680,7 @@ Most programs that require a user's password will disable echo before
reading the password to avoid displaying the plaintext password on
the screen.
However, if terminal input is being logged (see
.Em log_input ) ,
.Sx "I/O LOGGING" ) ,
the password will still be present in the I/O log.
If the
.Em log_passwords
@@ -2719,8 +2703,8 @@ is set), only the
first character of the password will be replaced in the I/O log.
This option has no effect unless
.Em log_input
and
.Em log_input
or
.Em log_ttyin
are also set.
This flag is
.Em on
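
Review bot: same agreement problem in the mdoc copy of the log_passwords text: with "or", "log_input or log_ttyin are also set" should be "is also set".
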
@@ -2921,19 +2905,14 @@ by default.
.It log_input
If set,
.Nm sudo
will run the command in a pseudo-terminal and log all user input.
If the standard input is not connected to the user's tty, due to
I/O redirection or because the command is part of a pipeline, that
input is also captured and stored in a separate log file.
Anything sent to the standard input will be consumed, regardless of
whether or not the command run via
will run the command in a pseudo-terminal (if
.Nm sudo
is actually reading the standard input.
This may have unexpected results when using
.Nm sudo
in a shell script that expects to process the standard input.
was run from a terminal) and log all user input.
If the standard input is not connected to the user's terminal, due
to I/O redirection or because the command is part of a pipeline,
that input is also logged.
For more information about I/O logging, see the
.Sx "I/O LOG FILES"
.Sx "I/O LOGGING"
section.
This flag is
.Em off
@@ -2941,12 +2920,15 @@ by default.
.It log_output
If set,
.Nm sudo
will run the command in a pseudo-terminal and log all output that is sent
to the screen, similar to the
.Xr script 1
command.
will run the command in a pseudo-terminal (if
.Nm sudo
was run from a terminal) and log all output that is sent to the
user's terminal, the standard output or the standard error.
If the standard output or standard error is not connected to the
user's terminal, due to I/O redirection or because the command is
part of a pipeline, that output is also logged.
For more information about I/O logging, see the
.Sx "I/O LOG FILES"
.Sx "I/O LOGGING"
section.
This flag is
.Em off
@@ -2978,6 +2960,45 @@ This flag is
by default.
.Pp
This setting is only supported by version 1.9.0 or higher.
.It log_stderr
If set,
.Nm sudo
will run the command in a pseudo-terminal and log the standard error
if it is not connected to the user's terminal.
This can be used to log output to a pipe or redirected to a file.
This flag is
.Em off
by default but is enabled when either the
.Em log_output
flag or the
.Dv LOG_OUTPUT
command tag is set.
.It log_stdin
If set,
.Nm sudo
will run the command in a pseudo-terminal and log the standard input
if it is not connected to the user's terminal.
This can be used to log input from a pipe or redirected from a file.
This flag is
.Em off
by default but is enabled when either the
.Em log_input
flag or the
.Dv LOG_INPUT
command tag is set.
.It log_stdout
If set,
.Nm sudo
will run the command in a pseudo-terminal and log the standard output
if it is not connected to the user's terminal.
This can be used to log output to a pipe or redirected to a file.
This flag is
.Em off
by default but is enabled when either the
.Em log_output
flag or the
.Dv LOG_OUTPUT
command tag is set.
.It log_subcmds
If set,
.Nm
@@ -3012,6 +3033,36 @@ This setting is only supported by version 1.9.8 or higher
and is incompatible with SELinux RBAC support unless the system supports
.Xr seccomp 2
filter mode.
.It log_ttyin
If set,
.Nm sudo
will run the command in a pseudo-terminal and log user keystrokes
sent to the user's terminal, if one is present.
This flag is
.Em off
by default but is enabled when either the
.Em log_input
flag or the
.Dv LOG_INPUT
command tag is set.
If no terminal is present, for example when running a remote command using
.Xr ssh 1 ,
this flag will have no effect.
.It log_ttyout
If set,
.Nm sudo
will run the command in a pseudo-terminal and log all output displayed
on the user's terminal, if one is present.
This flag is
.Em off
by default but is enabled when either the
.Em log_output
flag or the
.Dv LOG_OUTPUT
command tag is set.
If no terminal is present, for example when running a remote command using
.Xr ssh 1 ,
this flag will have no effect.
.It log_year
If set, the four-digit year will be logged in the (non-syslog)
.Nm sudo
@@ -3626,6 +3677,11 @@ A pseudo-terminal is allocated by
when it is running in a terminal and one or more of the
.Em log_input ,
.Em log_output ,
.Em log_stdin ,
.Em log_stdout ,
.Em log_stderr ,
.Em log_ttyin ,
.Em log_ttyout ,
or
.Em use_pty
flags is enabled.
@@ -4348,7 +4404,7 @@ For
.Nm sudo_logsrvd ,
client certificate validation is controlled by the
.Em tls_checkpeer
option, which defaults to
flag, which defaults to
.Em false .
.Pp
This setting is only supported by version 1.9.0 or higher.
@@ -4791,7 +4847,7 @@ Due to limitations of the protocol, JSON events sent via
may be truncated.
.It sudo
Traditional sudo-style logs, see
.Sx "LOG FORMAT"
.Sx "EVENT LOGGING"
for a description of the log file format.
.El
.Pp
@@ -5325,7 +5381,7 @@ Defaults group_plugin=system_group.so
.Pp
The group provider plugin API is described in detail in
.Xr sudo_plugin @mansectform@ .
.Sh LOG FORMAT
.Sh EVENT LOGGING
.Nm
can log events in either JSON or
.Em sudo
@@ -5653,11 +5709,53 @@ option is set to 0 (or negated with a
.Ql \&! ) ,
word wrap will be disabled.
.El
.Sh I/O LOG FILES
.Sh I/O LOGGING
When I/O logging is enabled,
.Nm sudo
will run the command in a pseudo-terminal and log all user input and/or output,
depending on which options are enabled.
will runs the command in a pseudo-terminal, logging user input
and/or output, depending on which
.Nm
flags are enabled.
There are five distinct types of I/O that can be logged, each with
a corresponding
.Nm
flag.
.Bl -column "standard output" "log_output" "command output displayed to the screen"
.It Sy Type Ta Sy Flag Ta Sy Description
.It terminal input Ta log_ttyin Ta keystrokes entered by the user
.It terminal output Ta log_ttyout Ta command output displayed to the screen
.It standard input Ta log_stdin Ta input from a pipe or a file
.It standard output Ta log_stdout Ta output to a pipe or a file
.It standard error Ta log_stderr Ta output to a pipe or a file
.El
.Pp
In addition to flags described the above, the
.Em log_input
flag and
.Dv LOG_INPUT
command tag set both
.Em log_ttyin
and
.Em log_stdin .
The
.Em log_output
flag and
.Dv LOG_OUTPUT
command tag set
.Em log_ttyout ,
.Em log_stdout ,
and
.Em log_stderr .
.Pp
To capture terminal input and output,
.Nm sudo
run the command in a pseudo-terminal, logging the input and
output before passing it on to the user.
To capture the standard input, standard output or standard error,
.Nm sudo
uses a pipe to interpose itself between the input or output stream,
logging the I/O before passing it to the other end of the pipe.
.Pp
I/O can be logged either to the local machine or to a remote log server.
For local logs, I/O is logged to the directory specified by the
.Em iolog_dir
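
Review bot: the mdoc copy of the I/O LOGGING introduction carries the same three slips: "will runs the command", "In addition to flags described the above" and "sudo run the command in a pseudo-terminal". They should read "will run", "In addition to the flags described above" and "runs".
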
@@ -5679,7 +5777,99 @@ setting is used to specify one or more log servers running
.Nm sudo_logsrvd
or another server that implements the protocol described by
.Xr sudo_logsrv.proto @mansectform@ .
.Ss I/O logging pitfals
When logging standard input, anything sent to the standard input
will be consumed, regardless of whether or not the command run via
.Nm sudo
is actively reading the standard input.
This may have unexpected results when using
.Nm sudo
in a shell script that expects to process the standard input.
For example, given the following shell script:
.Bd -literal -offset 4n
#!/bin/sh
sudo echo testing
echo done
.Ed
.Pp
It will behave as expected when the script is passed to the shell as a
an argument:
.Bd -literal -offset 4n
$ sh test.sh
testing
done
.Ed
.Pp
However, if the script is passed to the shell on the standard input, the
.Ql sudo echo testing
command will consume the rest of the script.
This means that the
.Ql echo done
statement is never executed.
.Bd -literal -offset 4n
$ sh -s < test.sh
testing
.Ed
.Pp
There are several ways to work around this problem:
.Bl -enum
.It
Redirect the standard input from
.Pa /dev/null
when running a command via
.Nm sudo
that does not need to read the standard input.
.Bd -literal -offset 4n
sudo echo testing < /dev/null
.Ed
.It
Pass the script to the shell by path name instead of via the standard input.
.Bd -literal -offset 4n
sh test.sh
.Ed
.It
Disable logging the standard input for commands that do not need
to read the standard input.
.Bd -literal -offset 4n
Defaults!/bin/echo !log_stdin
.Ed
.El
.Pp
Depending on the command, it may not be desirable to log the
standard input or standard output.
For example, I/O logging of commands that send or receive large
amount of data via the standard output or standard input such as
.Xr rsync 1
and
.Xr tar 1
could fill up the log file system with superfluous data.
It is possible to disable logging of the standard input and standard
output for such commands as follows:
.Bd -literal -offset 4n
Cmnd_Alias COPY_CMDS = /usr/bin/tar, /usr/bin/cpio, /usr/bin/rsync
# Log input and output but omit stdin and stdout when copying files.
Defaults log_input, log_output
Defaults!COPY_CMDS !log_stdin, !log_stdout
.Ed
.Pp
However, be aware that using the
.Em log_input
flag or the
.Dv LOG_INPUT
command tag will also enable
.Em log_stdin .
Likewise, the
.Em log_ouput
flag or the
.Dv LOG_OUTPUT
command tag will enable
.Em log_stdout
and
.Em log_stderr.
Careful ordering of rules may be necessary to achieve the results
that you expect.
.Ss I/O log format
For both local and remote I/O logs, each log is stored in a separate
directory that contains the following files:
.Bl -tag -width 8n
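
Review bot: ".Em log_ouput" misspells the flag name and should be ".Em log_output". Also in this hunk: the ".Ss I/O logging pitfals" title (pitfalls), the doubled article in "as a an argument", and ".Em log_stderr." where the period is part of the macro argument and will be emphasized; it should be ".Em log_stderr ." with the punctuation as a separate argument.
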
@@ -5789,6 +5979,13 @@ command suspend or resume, signal received
.El
.It Pa ttyin
Raw input from the user's terminal, exactly as it was received.
This file is only present if the
.Em log_input
or
.Em log_ttyin
flags are set and
.Nm sudo
was run from a terminal.
No post-processing is performed.
For manual viewing, you may wish to convert carriage return characters
in the log to line feeds.
@@ -5797,16 +5994,39 @@ For example:
.It Pa stdin
The standard input when no terminal is present, or input redirected from
a pipe or file.
This file is only present if the
.Em log_input
or
.Em log_stdin
flags are set and the standard input is not connected to a terminal.
.It Pa ttyout
Output from the pseudo-terminal (what the command writes to the screen).
Terminal-specific post-processing is performed before the data is logged.
This means that, for example, line feeds are usually converted to
line feed/carriage return pairs and tabs may be expanded to spaces.
This file is only present if the
.Em log_output
or
.Em log_ttyout
flags are set and
.Nm sudo
was run from a terminal.
.It Pa stdout
The standard output when no terminal is present, or output redirected to
a pipe or file.
This file is only present if the
.Em log_output
or
.Em log_stdout
flags are set and the standard output is not connected to a terminal.
.It Pa stderr
The standard error redirected to a pipe or file.
The standard error when no terminal is present, or output redirected to
a pipe or file.
This file is only present if the
.Em log_output
or
.Em log_stderr
flags are set and the standard error is not connected to a terminal.
.El
.Pp
All files other than
@@ -5835,6 +6055,9 @@ In most cases, logging the command output via
or
.Dv LOG_OUTPUT
is all that is required.
When logging input, consider disabling the
.Em log_passwords
flag.
.Pp
Since each session's I/O logs are stored in a separate directory,
traditional log rotation utilities cannot be used to limit the

View File

@@ -261,7 +261,7 @@ log_server_accept(struct eventlog *evlog)
debug_return_bool(true);
} else {
/* Only send accept event to log server if I/O log plugin did not. */
if (def_log_input || def_log_output)
if (iolog_enabled)
debug_return_bool(true);
}
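
Review bot: iolog_enabled replaces the def_log_input || def_log_output test, but neither its definition nor the place it is set is visible in this hunk. Please confirm it is true when only one of def_log_stdin, def_log_ttyin, def_log_stdout, def_log_stderr or def_log_ttyout is set, and that it is computed before log_server_accept() is called; if it is stale or too narrow, the accept event guarded by the "Only send accept event to log server if I/O log plugin did not" comment could be sent twice or skipped.
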

View File

@@ -351,10 +351,30 @@ struct sudo_defs_types sudo_defs_table[] = {
"log_input", T_FLAG,
N_("Log user's input for the command being run"),
NULL,
}, {
"log_stdin", T_FLAG,
N_("Log the command's standard input if not connected to a terminal"),
NULL,
}, {
"log_ttyin", T_FLAG,
N_("Log the user's terminal input for the command being run"),
NULL,
}, {
"log_output", T_FLAG,
N_("Log the output of the command being run"),
NULL,
}, {
"log_stdout", T_FLAG,
N_("Log the command's standard output if not connected to a terminal"),
NULL,
}, {
"log_stderr", T_FLAG,
N_("Log the command's standard error if not connected to a terminal"),
NULL,
}, {
"log_ttyout", T_FLAG,
N_("Log the terminal output of the command being run"),
NULL,
}, {
"compress_io", T_FLAG,
N_("Compress I/O logs using zlib"),
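
Review bot: the five new entries are inserted in the middle of sudo_defs_table instead of being appended, so every index from I_COMPRESS_IO onward shifts by five (76 becomes 81 in the header hunk that follows). That is workable as long as the index header is always regenerated together with this table, but it inflates the diff and means anything compiled against the old numbering must be rebuilt; appending after the last existing entry would avoid both.
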

View File

@@ -150,167 +150,177 @@
#define def_umask_override (sudo_defs_table[I_UMASK_OVERRIDE].sd_un.flag)
#define I_LOG_INPUT 74
#define def_log_input (sudo_defs_table[I_LOG_INPUT].sd_un.flag)
#define I_LOG_OUTPUT 75
#define I_LOG_STDIN 75
#define def_log_stdin (sudo_defs_table[I_LOG_STDIN].sd_un.flag)
#define I_LOG_TTYIN 76
#define def_log_ttyin (sudo_defs_table[I_LOG_TTYIN].sd_un.flag)
#define I_LOG_OUTPUT 77
#define def_log_output (sudo_defs_table[I_LOG_OUTPUT].sd_un.flag)
#define I_COMPRESS_IO 76
#define I_LOG_STDOUT 78
#define def_log_stdout (sudo_defs_table[I_LOG_STDOUT].sd_un.flag)
#define I_LOG_STDERR 79
#define def_log_stderr (sudo_defs_table[I_LOG_STDERR].sd_un.flag)
#define I_LOG_TTYOUT 80
#define def_log_ttyout (sudo_defs_table[I_LOG_TTYOUT].sd_un.flag)
#define I_COMPRESS_IO 81
#define def_compress_io (sudo_defs_table[I_COMPRESS_IO].sd_un.flag)
#define I_USE_PTY 77
#define I_USE_PTY 82
#define def_use_pty (sudo_defs_table[I_USE_PTY].sd_un.flag)
#define I_GROUP_PLUGIN 78
#define I_GROUP_PLUGIN 83
#define def_group_plugin (sudo_defs_table[I_GROUP_PLUGIN].sd_un.str)
#define I_IOLOG_DIR 79
#define I_IOLOG_DIR 84
#define def_iolog_dir (sudo_defs_table[I_IOLOG_DIR].sd_un.str)
#define I_IOLOG_FILE 80
#define I_IOLOG_FILE 85
#define def_iolog_file (sudo_defs_table[I_IOLOG_FILE].sd_un.str)
#define I_SET_UTMP 81
#define I_SET_UTMP 86
#define def_set_utmp (sudo_defs_table[I_SET_UTMP].sd_un.flag)
#define I_UTMP_RUNAS 82
#define I_UTMP_RUNAS 87
#define def_utmp_runas (sudo_defs_table[I_UTMP_RUNAS].sd_un.flag)
#define I_PRIVS 83
#define I_PRIVS 88
#define def_privs (sudo_defs_table[I_PRIVS].sd_un.str)
#define I_LIMITPRIVS 84
#define I_LIMITPRIVS 89
#define def_limitprivs (sudo_defs_table[I_LIMITPRIVS].sd_un.str)
#define I_EXEC_BACKGROUND 85
#define I_EXEC_BACKGROUND 90
#define def_exec_background (sudo_defs_table[I_EXEC_BACKGROUND].sd_un.flag)
#define I_PAM_SERVICE 86
#define I_PAM_SERVICE 91
#define def_pam_service (sudo_defs_table[I_PAM_SERVICE].sd_un.str)
#define I_PAM_LOGIN_SERVICE 87
#define I_PAM_LOGIN_SERVICE 92
#define def_pam_login_service (sudo_defs_table[I_PAM_LOGIN_SERVICE].sd_un.str)
#define I_PAM_ASKPASS_SERVICE 88
#define I_PAM_ASKPASS_SERVICE 93
#define def_pam_askpass_service (sudo_defs_table[I_PAM_ASKPASS_SERVICE].sd_un.str)
#define I_PAM_SETCRED 89
#define I_PAM_SETCRED 94
#define def_pam_setcred (sudo_defs_table[I_PAM_SETCRED].sd_un.flag)
#define I_PAM_SESSION 90
#define I_PAM_SESSION 95
#define def_pam_session (sudo_defs_table[I_PAM_SESSION].sd_un.flag)
#define I_PAM_ACCT_MGMT 91
#define I_PAM_ACCT_MGMT 96
#define def_pam_acct_mgmt (sudo_defs_table[I_PAM_ACCT_MGMT].sd_un.flag)
#define I_MAXSEQ 92
#define I_MAXSEQ 97
#define def_maxseq (sudo_defs_table[I_MAXSEQ].sd_un.str)
#define I_USE_NETGROUPS 93
#define I_USE_NETGROUPS 98
#define def_use_netgroups (sudo_defs_table[I_USE_NETGROUPS].sd_un.flag)
#define I_SUDOEDIT_CHECKDIR 94
#define I_SUDOEDIT_CHECKDIR 99
#define def_sudoedit_checkdir (sudo_defs_table[I_SUDOEDIT_CHECKDIR].sd_un.flag)
#define I_SUDOEDIT_FOLLOW 95
#define I_SUDOEDIT_FOLLOW 100
#define def_sudoedit_follow (sudo_defs_table[I_SUDOEDIT_FOLLOW].sd_un.flag)
#define I_ALWAYS_QUERY_GROUP_PLUGIN 96
#define I_ALWAYS_QUERY_GROUP_PLUGIN 101
#define def_always_query_group_plugin (sudo_defs_table[I_ALWAYS_QUERY_GROUP_PLUGIN].sd_un.flag)
#define I_NETGROUP_TUPLE 97
#define I_NETGROUP_TUPLE 102
#define def_netgroup_tuple (sudo_defs_table[I_NETGROUP_TUPLE].sd_un.flag)
#define I_IGNORE_AUDIT_ERRORS 98
#define I_IGNORE_AUDIT_ERRORS 103
#define def_ignore_audit_errors (sudo_defs_table[I_IGNORE_AUDIT_ERRORS].sd_un.flag)
#define I_IGNORE_IOLOG_ERRORS 99
#define I_IGNORE_IOLOG_ERRORS 104
#define def_ignore_iolog_errors (sudo_defs_table[I_IGNORE_IOLOG_ERRORS].sd_un.flag)
#define I_IGNORE_LOGFILE_ERRORS 100
#define I_IGNORE_LOGFILE_ERRORS 105
#define def_ignore_logfile_errors (sudo_defs_table[I_IGNORE_LOGFILE_ERRORS].sd_un.flag)
#define I_MATCH_GROUP_BY_GID 101
#define I_MATCH_GROUP_BY_GID 106
#define def_match_group_by_gid (sudo_defs_table[I_MATCH_GROUP_BY_GID].sd_un.flag)
#define I_SYSLOG_MAXLEN 102
#define I_SYSLOG_MAXLEN 107
#define def_syslog_maxlen (sudo_defs_table[I_SYSLOG_MAXLEN].sd_un.uival)
#define I_IOLOG_USER 103
#define I_IOLOG_USER 108
#define def_iolog_user (sudo_defs_table[I_IOLOG_USER].sd_un.str)
#define I_IOLOG_GROUP 104
#define I_IOLOG_GROUP 109
#define def_iolog_group (sudo_defs_table[I_IOLOG_GROUP].sd_un.str)
#define I_IOLOG_MODE 105
#define I_IOLOG_MODE 110
#define def_iolog_mode (sudo_defs_table[I_IOLOG_MODE].sd_un.mode)
#define I_FDEXEC 106
#define I_FDEXEC 111
#define def_fdexec (sudo_defs_table[I_FDEXEC].sd_un.tuple)
#define I_IGNORE_UNKNOWN_DEFAULTS 107
#define I_IGNORE_UNKNOWN_DEFAULTS 112
#define def_ignore_unknown_defaults (sudo_defs_table[I_IGNORE_UNKNOWN_DEFAULTS].sd_un.flag)
#define I_COMMAND_TIMEOUT 108
#define I_COMMAND_TIMEOUT 113
#define def_command_timeout (sudo_defs_table[I_COMMAND_TIMEOUT].sd_un.ival)
#define I_USER_COMMAND_TIMEOUTS 109
#define I_USER_COMMAND_TIMEOUTS 114
#define def_user_command_timeouts (sudo_defs_table[I_USER_COMMAND_TIMEOUTS].sd_un.flag)
#define I_IOLOG_FLUSH 110
#define I_IOLOG_FLUSH 115
#define def_iolog_flush (sudo_defs_table[I_IOLOG_FLUSH].sd_un.flag)
#define I_SYSLOG_PID 111
#define I_SYSLOG_PID 116
#define def_syslog_pid (sudo_defs_table[I_SYSLOG_PID].sd_un.flag)
#define I_TIMESTAMP_TYPE 112
#define I_TIMESTAMP_TYPE 117
#define def_timestamp_type (sudo_defs_table[I_TIMESTAMP_TYPE].sd_un.tuple)
#define I_AUTHFAIL_MESSAGE 113
#define I_AUTHFAIL_MESSAGE 118
#define def_authfail_message (sudo_defs_table[I_AUTHFAIL_MESSAGE].sd_un.str)
#define I_CASE_INSENSITIVE_USER 114
#define I_CASE_INSENSITIVE_USER 119
#define def_case_insensitive_user (sudo_defs_table[I_CASE_INSENSITIVE_USER].sd_un.flag)
#define I_CASE_INSENSITIVE_GROUP 115
#define I_CASE_INSENSITIVE_GROUP 120
#define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag)
#define I_LOG_ALLOWED 116
#define I_LOG_ALLOWED 121
#define def_log_allowed (sudo_defs_table[I_LOG_ALLOWED].sd_un.flag)
#define I_LOG_DENIED 117
#define I_LOG_DENIED 122
#define def_log_denied (sudo_defs_table[I_LOG_DENIED].sd_un.flag)
#define I_LOG_SERVERS 118
#define I_LOG_SERVERS 123
#define def_log_servers (sudo_defs_table[I_LOG_SERVERS].sd_un.list)
#define I_LOG_SERVER_TIMEOUT 119
#define I_LOG_SERVER_TIMEOUT 124
#define def_log_server_timeout (sudo_defs_table[I_LOG_SERVER_TIMEOUT].sd_un.ival)
#define I_LOG_SERVER_KEEPALIVE 120
#define I_LOG_SERVER_KEEPALIVE 125
#define def_log_server_keepalive (sudo_defs_table[I_LOG_SERVER_KEEPALIVE].sd_un.flag)
#define I_LOG_SERVER_CABUNDLE 121
#define I_LOG_SERVER_CABUNDLE 126
#define def_log_server_cabundle (sudo_defs_table[I_LOG_SERVER_CABUNDLE].sd_un.str)
#define I_LOG_SERVER_PEER_CERT 122
#define I_LOG_SERVER_PEER_CERT 127
#define def_log_server_peer_cert (sudo_defs_table[I_LOG_SERVER_PEER_CERT].sd_un.str)
#define I_LOG_SERVER_PEER_KEY 123
#define I_LOG_SERVER_PEER_KEY 128
#define def_log_server_peer_key (sudo_defs_table[I_LOG_SERVER_PEER_KEY].sd_un.str)
#define I_LOG_SERVER_VERIFY 124
#define I_LOG_SERVER_VERIFY 129
#define def_log_server_verify (sudo_defs_table[I_LOG_SERVER_VERIFY].sd_un.flag)
#define I_RUNAS_ALLOW_UNKNOWN_ID 125
#define I_RUNAS_ALLOW_UNKNOWN_ID 130
#define def_runas_allow_unknown_id (sudo_defs_table[I_RUNAS_ALLOW_UNKNOWN_ID].sd_un.flag)
#define I_RUNAS_CHECK_SHELL 126
#define I_RUNAS_CHECK_SHELL 131
#define def_runas_check_shell (sudo_defs_table[I_RUNAS_CHECK_SHELL].sd_un.flag)
#define I_PAM_RUSER 127
#define I_PAM_RUSER 132
#define def_pam_ruser (sudo_defs_table[I_PAM_RUSER].sd_un.flag)
#define I_PAM_RHOST 128
#define I_PAM_RHOST 133
#define def_pam_rhost (sudo_defs_table[I_PAM_RHOST].sd_un.flag)
#define I_RUNCWD 129
#define I_RUNCWD 134
#define def_runcwd (sudo_defs_table[I_RUNCWD].sd_un.str)
#define I_RUNCHROOT 130
#define I_RUNCHROOT 135
#define def_runchroot (sudo_defs_table[I_RUNCHROOT].sd_un.str)
#define I_LOG_FORMAT 131
#define I_LOG_FORMAT 136
#define def_log_format (sudo_defs_table[I_LOG_FORMAT].sd_un.tuple)
#define I_SELINUX 132
#define I_SELINUX 137
#define def_selinux (sudo_defs_table[I_SELINUX].sd_un.flag)
#define I_ADMIN_FLAG 133
#define I_ADMIN_FLAG 138
#define def_admin_flag (sudo_defs_table[I_ADMIN_FLAG].sd_un.str)
#define I_INTERCEPT 134
#define I_INTERCEPT 139
#define def_intercept (sudo_defs_table[I_INTERCEPT].sd_un.flag)
#define I_LOG_SUBCMDS 135
#define I_LOG_SUBCMDS 140
#define def_log_subcmds (sudo_defs_table[I_LOG_SUBCMDS].sd_un.flag)
#define I_LOG_EXIT_STATUS 136
#define I_LOG_EXIT_STATUS 141
#define def_log_exit_status (sudo_defs_table[I_LOG_EXIT_STATUS].sd_un.flag)
#define I_INTERCEPT_AUTHENTICATE 137
#define I_INTERCEPT_AUTHENTICATE 142
#define def_intercept_authenticate (sudo_defs_table[I_INTERCEPT_AUTHENTICATE].sd_un.flag)
#define I_INTERCEPT_ALLOW_SETID 138
#define I_INTERCEPT_ALLOW_SETID 143
#define def_intercept_allow_setid (sudo_defs_table[I_INTERCEPT_ALLOW_SETID].sd_un.flag)
#define I_RLIMIT_AS 139
#define I_RLIMIT_AS 144
#define def_rlimit_as (sudo_defs_table[I_RLIMIT_AS].sd_un.str)
#define I_RLIMIT_CORE 140
#define I_RLIMIT_CORE 145
#define def_rlimit_core (sudo_defs_table[I_RLIMIT_CORE].sd_un.str)
#define I_RLIMIT_CPU 141
#define I_RLIMIT_CPU 146
#define def_rlimit_cpu (sudo_defs_table[I_RLIMIT_CPU].sd_un.str)
#define I_RLIMIT_DATA 142
#define I_RLIMIT_DATA 147
#define def_rlimit_data (sudo_defs_table[I_RLIMIT_DATA].sd_un.str)
#define I_RLIMIT_FSIZE 143
#define I_RLIMIT_FSIZE 148
#define def_rlimit_fsize (sudo_defs_table[I_RLIMIT_FSIZE].sd_un.str)
#define I_RLIMIT_LOCKS 144
#define I_RLIMIT_LOCKS 149
#define def_rlimit_locks (sudo_defs_table[I_RLIMIT_LOCKS].sd_un.str)
#define I_RLIMIT_MEMLOCK 145
#define I_RLIMIT_MEMLOCK 150
#define def_rlimit_memlock (sudo_defs_table[I_RLIMIT_MEMLOCK].sd_un.str)
#define I_RLIMIT_NOFILE 146
#define I_RLIMIT_NOFILE 151
#define def_rlimit_nofile (sudo_defs_table[I_RLIMIT_NOFILE].sd_un.str)
#define I_RLIMIT_NPROC 147
#define I_RLIMIT_NPROC 152
#define def_rlimit_nproc (sudo_defs_table[I_RLIMIT_NPROC].sd_un.str)
#define I_RLIMIT_RSS 148
#define I_RLIMIT_RSS 153
#define def_rlimit_rss (sudo_defs_table[I_RLIMIT_RSS].sd_un.str)
#define I_RLIMIT_STACK 149
#define I_RLIMIT_STACK 154
#define def_rlimit_stack (sudo_defs_table[I_RLIMIT_STACK].sd_un.str)
#define I_NONINTERACTIVE_AUTH 150
#define I_NONINTERACTIVE_AUTH 155
#define def_noninteractive_auth (sudo_defs_table[I_NONINTERACTIVE_AUTH].sd_un.flag)
#define I_LOG_PASSWORDS 151
#define I_LOG_PASSWORDS 156
#define def_log_passwords (sudo_defs_table[I_LOG_PASSWORDS].sd_un.flag)
#define I_PASSPROMPT_REGEX 152
#define I_PASSPROMPT_REGEX 157
#define def_passprompt_regex (sudo_defs_table[I_PASSPROMPT_REGEX].sd_un.list)
#define I_INTERCEPT_TYPE 153
#define I_INTERCEPT_TYPE 158
#define def_intercept_type (sudo_defs_table[I_INTERCEPT_TYPE].sd_un.tuple)
#define I_INTERCEPT_VERIFY 154
#define I_INTERCEPT_VERIFY 159
#define def_intercept_verify (sudo_defs_table[I_INTERCEPT_VERIFY].sd_un.flag)
#define I_APPARMOR_PROFILE 155
#define I_APPARMOR_PROFILE 160
#define def_apparmor_profile (sudo_defs_table[I_APPARMOR_PROFILE].sd_un.str)
enum def_tuple {
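Review bot: every index from I_EXEC_BACKGROUND onward moves up by five (85 to 90, through 155 to 160 for I_APPARMOR_PROFILE), so anything that addresses sudo_defs_table by a numeric literal or a stored index instead of the I_* macros would now read a different setting. The shift matches the five new log_* flags, so the renumbering itself looks consistent. If this header is generated from def_data.in, please confirm it was regenerated rather than edited by hand.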

View File

@@ -238,9 +238,24 @@ umask_override
log_input
T_FLAG
"Log user's input for the command being run"
log_stdin
T_FLAG
"Log the command's standard input if not connected to a terminal"
log_ttyin
T_FLAG
"Log the user's terminal input for the command being run"
log_output
T_FLAG
"Log the output of the command being run"
log_stdout
T_FLAG
"Log the command's standard output if not connected to a terminal"
log_stderr
T_FLAG
"Log the command's standard error if not connected to a terminal"
log_ttyout
T_FLAG
"Log the terminal output of the command being run"
compress_io
T_FLAG
"Compress I/O logs using zlib"

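Review bot: the description strings for log_input and log_output are left as "Log user's input for the command being run" and "Log the output of the command being run", which no longer tells an administrator how they differ from log_ttyin and log_ttyout. Since the two old flags now act as switches that set the split flags, the strings should say which streams each one covers, for example that log_output sets log_stdout, log_stderr and log_ttyout. The three new stdin/stdout/stderr strings already carry the "if not connected to a terminal" qualifier, which is the useful part for anyone auditing what ends up in the I/O log.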
View File

@@ -131,6 +131,11 @@ struct early_default {
#define SETDEF_CMND 0x10
#define SETDEF_ALL (SETDEF_GENERIC|SETDEF_HOST|SETDEF_USER|SETDEF_RUNAS|SETDEF_CMND)
/*
* Convenience macros
*/
#define iolog_enabled (def_log_stdin || def_log_ttyin || def_log_stdout || def_log_stderr || def_log_ttyout)
/*
* Prototypes
*/
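Review bot: iolog_enabled tests only the five split flags and never def_log_input or def_log_output, so it is correct only while every write to the two aggregate flags also goes through cb_log_input() or cb_log_output(). A direct assignment to def_log_input anywhere else would leave iolog_enabled false and silently skip I/O logging. The "Convenience macros" comment should state that invariant. Consider also giving the macro a name that does not read like a plain variable, since it cannot be assigned to.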

View File

@@ -358,11 +358,13 @@ apply_cmndspec(struct cmndspec *cs)
}
if (cs->tags.log_input != UNSPEC) {
def_log_input = cs->tags.log_input;
cb_log_input(NULL, 0, 0, NULL, cs->tags.log_input);
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"def_log_input -> %s", def_log_input ? "true" : "false");
}
if (cs->tags.log_output != UNSPEC) {
def_log_output = cs->tags.log_output;
cb_log_output(NULL, 0, 0, NULL, cs->tags.log_output);
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"def_log_output -> %s", def_log_output ? "true" : "false");
}
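Review bot: the return values of cb_log_input() and cb_log_output() are discarded here, and the debug message still reports only def_log_input or def_log_output, not the def_log_stdin/def_log_ttyin and def_log_stdout/def_log_stderr/def_log_ttyout values that now decide what is logged. Please log the split flags as well, so a debug trace shows the effective state. Because the callbacks assign every sub-flag, a LOG_INPUT or LOG_OUTPUT tag also overwrites any finer-grained Defaults setting such as a disabled log_stdin. That precedence deserves a comment here and a sentence in the manual.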

View File

@@ -666,20 +666,26 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
if ((command_info[info_len++] = strdup("log_subcmds=true")) == NULL)
goto oom;
}
if (def_log_input || def_log_output) {
if (iolog_enabled) {
if (iolog_path)
command_info[info_len++] = iolog_path; /* now owned */
if (def_log_input) {
if (def_log_stdin) {
if ((command_info[info_len++] = strdup("iolog_stdin=true")) == NULL)
goto oom;
}
if (def_log_stdout) {
if ((command_info[info_len++] = strdup("iolog_stdout=true")) == NULL)
goto oom;
}
if (def_log_stderr) {
if ((command_info[info_len++] = strdup("iolog_stderr=true")) == NULL)
goto oom;
}
if (def_log_ttyin) {
if ((command_info[info_len++] = strdup("iolog_ttyin=true")) == NULL)
goto oom;
}
if (def_log_output) {
if ((command_info[info_len++] = strdup("iolog_stdout=true")) == NULL)
goto oom;
if ((command_info[info_len++] = strdup("iolog_stderr=true")) == NULL)
goto oom;
if (def_log_ttyout) {
if ((command_info[info_len++] = strdup("iolog_ttyout=true")) == NULL)
goto oom;
}
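Review bot: the five "if (def_log_X) { strdup("iolog_X=true") ... goto oom; }" blocks differ only in the flag and the string, which makes a mismatched pair easy to introduce and hard to spot in review. A small table of flag and key pairs walked in a loop would keep each pair on one line. The emitted order is now stdin, stdout, stderr, ttyin, ttyout; if anything consuming command_info depends on order, that is worth a comment.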
@@ -1175,8 +1181,8 @@ sudoers_policy_check(int argc, char * const argv[], char *env_add[],
#ifndef NO_LEAKS
if (ret == true && sudo_version >= SUDO_API_MKVERSION(1, 3)) {
/* Unset close function if we don't need it to avoid extra process. */
if (!def_log_input && !def_log_output && !def_log_exit_status &&
!def_use_pty && !sudo_auth_needs_end_session())
if (!iolog_enabled && !def_log_exit_status && !def_use_pty &&
!sudo_auth_needs_end_session())
sudoers_policy.close = NULL;
}
#endif

View File

@@ -135,6 +135,20 @@ cb_unused(struct sudoers_parse_tree *parse_tree, struct alias *a, void *v)
return 0;
}
bool
cb_log_input(const char *file, int line, int column,
const union sudo_defs_val *sd_un, int op)
{
return 0;
}
bool
cb_log_output(const char *file, int line, int column,
const union sudo_defs_val *sd_un, int op)
{
return 0;
}
static FILE *
open_data(const uint8_t *data, size_t size)
{
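Review bot: both stubs are declared bool but end in "return 0;", i.e. false, while the real callbacks added elsewhere in this commit finish with debug_return_bool(true). If the defaults code treats a false return from a callback as a failure, the fuzz harness will take a different path from production whenever log_input or log_output appears in the input. Returning true here would keep the stub's result in line with the real functions.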

View File

@@ -689,13 +689,18 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
}
if (ISSET(sudo_mode, (MODE_RUN | MODE_EDIT)) && !remote_iologs) {
if ((def_log_input || def_log_output) && def_iolog_file && def_iolog_dir) {
if (iolog_enabled && def_iolog_file && def_iolog_dir) {
if ((iolog_path = format_iolog_path()) == NULL) {
if (!def_ignore_iolog_errors)
goto done;
/* Unable to expand I/O log path, disable I/O logging. */
def_log_input = false;
def_log_output = false;
def_log_stdin = false;
def_log_stdout = false;
def_log_stderr = false;
def_log_ttyin = false;
def_log_ttyout = false;
}
}
}
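Review bot: reading this hunk as replacing the two aggregate assignments with the five split ones, the failure path in the "Unable to expand I/O log path" branch now leaves def_log_input and def_log_output at their previous values while all five split flags are cleared. iolog_enabled will be false, so logging is off as intended, but anything that still reads the aggregate flags (the debug output in apply_cmndspec(), for instance) will report logging as enabled. Either clear the aggregates too or call cb_log_input() and cb_log_output() with false so the two views stay consistent. Since this branch disables session logging when ignore_iolog_errors is set, a warning-level log entry at this point would help an auditor notice the gap.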
@@ -1680,6 +1685,31 @@ cb_intercept_allow_setid(const char *file, int line, int column,
debug_return_bool(true);
}
bool
cb_log_input(const char *file, int line, int column,
const union sudo_defs_val *sd_un, int op)
{
debug_decl(cb_log_input, SUDOERS_DEBUG_PLUGIN);
def_log_stdin = op;
def_log_ttyin = op;
debug_return_bool(true);
}
bool
cb_log_output(const char *file, int line, int column,
const union sudo_defs_val *sd_un, int op)
{
debug_decl(cb_log_output, SUDOERS_DEBUG_PLUGIN);
def_log_stdout = op;
def_log_stderr = op;
def_log_ttyout = op;
debug_return_bool(true);
}
/*
* Set parse Defaults callbacks.
* We do this here instead in def_data.in so we don't have to
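Review bot: cb_log_input() and cb_log_output() assign op to every sub-flag unconditionally, so the result depends on the order of settings: a log_stdin setting placed before log_input is overwritten, while the same setting placed after it survives. Please add a comment above each callback stating that, and make sure the manual describes the ordering, since it decides whether piped input or output is captured. The callbacks also ignore sd_un and store the raw int op into a flag; a short note that op is expected to be true or false here would help the next reader.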
@@ -1741,6 +1771,8 @@ set_callbacks(void)
sudo_defs_table[I_PASSPROMPT_REGEX].callback = cb_passprompt_regex;
sudo_defs_table[I_INTERCEPT_TYPE].callback = cb_intercept_type;
sudo_defs_table[I_INTERCEPT_ALLOW_SETID].callback = cb_intercept_allow_setid;
sudo_defs_table[I_LOG_INPUT].callback = cb_log_input;
sudo_defs_table[I_LOG_OUTPUT].callback = cb_log_output;
debug_return;
}

View File

@@ -420,6 +420,8 @@ bool matches_env_pattern(const char *pattern, const char *var, bool *full_match)
/* sudoers.c */
FILE *open_sudoers(const char *, bool, bool *);
bool cb_log_input(const char *file, int line, int column, const union sudo_defs_val *sd_un, int op);
bool cb_log_output(const char *file, int line, int column, const union sudo_defs_val *sd_un, int op);
int set_cmnd_path(const char *runchroot);
int sudoers_init(void *info, sudoers_logger_t logger, char * const envp[]);
int sudoers_policy_main(int argc, char *const argv[], int pwflag, char *env_add[], bool verbose, void *closure);