isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

log_allowed: pass struct eventlog * instead of argv[] and envp[].

Browse Source 
This lets us log based on the command_info[] list passed in from
the front-end.  Previously, much of the struct eventlog was constructed
from internal sudoers state instead.
This commit is contained in:
Todd C. Miller
2021-08-25 17:29:15 -06:00
parent e199dd8254
commit ec751c63eb
3 changed files with 17 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
plugins/sudoers/audit.c
View File

@@ -198,13 +198,13 @@ sudoers_audit_open(unsigned int version, sudo_conv_t conversation,
static void static void
audit_to_eventlog(struct eventlog *evlog, char * const command_info[], audit_to_eventlog(struct eventlog *evlog, char * const command_info[],
char * const run_argv[], char * const run_envp[]) char * const run_argv[], char * const run_envp[], const char *uuid_str)
{ {
char * const *cur; char * const *cur;
debug_decl(audit_to_eventlog, SUDOERS_DEBUG_PLUGIN); debug_decl(audit_to_eventlog, SUDOERS_DEBUG_PLUGIN);
/* Fill in evlog from sudoers Defaults, run_argv and run_envp. */ /* Fill in evlog from sudoers Defaults, run_argv and run_envp. */
sudoers_to_eventlog(evlog, run_argv, run_envp, NULL); sudoers_to_eventlog(evlog, run_argv, run_envp, uuid_str);
/* Update iolog and execution environment from command_info[]. */ /* Update iolog and execution environment from command_info[]. */
if (command_info != NULL) { if (command_info != NULL) {
@@ -242,10 +242,8 @@ audit_to_eventlog(struct eventlog *evlog, char * const command_info[],
#ifdef SUDOERS_LOG_CLIENT #ifdef SUDOERS_LOG_CLIENT
static bool static bool
log_server_accept(char * const command_info[], char * const run_argv[], log_server_accept(struct eventlog *evlog)
char * const run_envp[])
{ {
struct eventlog *evlog = NULL;
struct timespec now; struct timespec now;
bool ret = false; bool ret = false;
debug_decl(log_server_accept, SUDOERS_DEBUG_PLUGIN); debug_decl(log_server_accept, SUDOERS_DEBUG_PLUGIN);
@@ -267,11 +265,6 @@ log_server_accept(char * const command_info[], char * const run_argv[],
sudo_warn("%s", U_("unable to get time of day")); sudo_warn("%s", U_("unable to get time of day"));
goto done; goto done;
} }
if ((evlog = malloc(sizeof(*evlog))) == NULL) {
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
goto done;
}
audit_to_eventlog(evlog, command_info, run_argv, run_envp);
if (client_closure != NULL) { if (client_closure != NULL) {
/* Use existing client closure. */ /* Use existing client closure. */
@@ -286,7 +279,6 @@ log_server_accept(char * const command_info[], char * const run_argv[],
} else { } else {
if (!init_log_details(&audit_details, evlog)) if (!init_log_details(&audit_details, evlog))
goto done; goto done;
evlog = NULL;
/* Open connection to log server, send hello and accept messages. */ /* Open connection to log server, send hello and accept messages. */
client_closure = log_server_open(&audit_details, &now, false, client_closure = log_server_open(&audit_details, &now, false,
@@ -296,8 +288,6 @@ log_server_accept(char * const command_info[], char * const run_argv[],
} }
done: done:
/* Contents of evlog are not dynamically allocated so no eventlog_free(). */
free(evlog);
debug_return_bool(ret); debug_return_bool(ret);
} }
@@ -328,8 +318,7 @@ log_server_exit(int status_type, int status)
} }
#else #else
static bool static bool
log_server_accept(char * const command_info[], char * const run_argv[], log_server_accept(struct eventlog *evlog)
char * const run_envp[])
{ {
return true; return true;
} }
@@ -346,6 +335,8 @@ sudoers_audit_accept(const char *plugin_name, unsigned int plugin_type,
char * const command_info[], char * const run_argv[], char * const command_info[], char * const run_argv[],
char * const run_envp[], const char **errstr) char * const run_envp[], const char **errstr)
{ {
const char *uuid_str = NULL;
struct eventlog evlog;
int ret = true; int ret = true;
debug_decl(sudoers_audit_accept, SUDOERS_DEBUG_PLUGIN); debug_decl(sudoers_audit_accept, SUDOERS_DEBUG_PLUGIN);
@@ -359,10 +350,14 @@ sudoers_audit_accept(const char *plugin_name, unsigned int plugin_type,
if (audit_success(run_argv) != 0 && !def_ignore_audit_errors) if (audit_success(run_argv) != 0 && !def_ignore_audit_errors)
ret = false; ret = false;
if (!log_allowed(run_argv, run_envp) && !def_ignore_logfile_errors) if (!ISSET(sudo_mode, MODE_POLICY_INTERCEPTED))
uuid_str = sudo_user.uuid_str;
audit_to_eventlog(&evlog, command_info, run_argv, run_envp, uuid_str);
if (!log_allowed(&evlog) && !def_ignore_logfile_errors)
ret = false; ret = false;
if (!log_server_accept(command_info, run_argv, run_envp)) { if (!log_server_accept(&evlog)) {
if (!def_ignore_logfile_errors) if (!def_ignore_logfile_errors)
ret = false; ret = false;
} }
@@ -390,7 +385,7 @@ sudoers_audit_reject(const char *plugin_name, unsigned int plugin_type,
ret = false; ret = false;
} }
audit_to_eventlog(&evlog, command_info, NewArgv, env_get()); audit_to_eventlog(&evlog, command_info, NewArgv, env_get(), NULL);
if (!eventlog_reject(&evlog, 0, message, NULL, NULL)) if (!eventlog_reject(&evlog, 0, message, NULL, NULL))
ret = false; ret = false;
@@ -423,7 +418,7 @@ sudoers_audit_error(const char *plugin_name, unsigned int plugin_type,
debug_return_bool(false); debug_return_bool(false);
} }
audit_to_eventlog(&evlog, command_info, NewArgv, env_get()); audit_to_eventlog(&evlog, command_info, NewArgv, env_get(), NULL);
if (!eventlog_alert(&evlog, 0, &now, message, NULL)) if (!eventlog_alert(&evlog, 0, &now, message, NULL))
ret = false; ret = false;

10
plugins/sudoers/logging.c
View File

@@ -501,10 +501,8 @@ log_auth_failure(int status, unsigned int tries)
* Log and potentially mail the allowed command. * Log and potentially mail the allowed command.
*/ */
bool bool
log_allowed(char *const argv[], char *const envp[]) log_allowed(struct eventlog *evlog)
{ {
const char *uuid_str = NULL;
struct eventlog evlog;
int oldlocale; int oldlocale;
int evl_flags = 0; int evl_flags = 0;
bool mailit, ret = true; bool mailit, ret = true;
@@ -513,20 +511,16 @@ log_allowed(char *const argv[], char *const envp[])
/* Send mail based on status. */ /* Send mail based on status. */
mailit = should_mail(VALIDATE_SUCCESS); mailit = should_mail(VALIDATE_SUCCESS);
if (!ISSET(sudo_mode, MODE_POLICY_INTERCEPTED))
uuid_str = sudo_user.uuid_str;
if (def_log_allowed || mailit) { if (def_log_allowed || mailit) {
/* Log and mail messages should be in the sudoers locale. */ /* Log and mail messages should be in the sudoers locale. */
sudoers_setlocale(SUDOERS_LOCALE_SUDOERS, &oldlocale); sudoers_setlocale(SUDOERS_LOCALE_SUDOERS, &oldlocale);
sudoers_to_eventlog(&evlog, argv, envp, uuid_str);
if (mailit) { if (mailit) {
SET(evl_flags, EVLOG_MAIL); SET(evl_flags, EVLOG_MAIL);
if (!def_log_allowed) if (!def_log_allowed)
SET(evl_flags, EVLOG_MAIL_ONLY); SET(evl_flags, EVLOG_MAIL_ONLY);
} }
if (!eventlog_accept(&evlog, evl_flags, NULL, NULL)) if (!eventlog_accept(evlog, evl_flags, NULL, NULL))
ret = false; ret = false;
sudoers_setlocale(oldlocale, NULL); sudoers_setlocale(oldlocale, NULL);

2
plugins/sudoers/logging.h
View File

@@ -56,7 +56,7 @@ bool sudoers_setlocale(int locale_type, int *prev_locale);
int sudoers_getlocale(void); int sudoers_getlocale(void);
int audit_failure(char *const argv[], char const *const fmt, ...) __printflike(2, 3); int audit_failure(char *const argv[], char const *const fmt, ...) __printflike(2, 3);
int vaudit_failure(char *const argv[], char const *const fmt, va_list ap) __printflike(2, 0); int vaudit_failure(char *const argv[], char const *const fmt, va_list ap) __printflike(2, 0);
bool log_allowed(char *const argv[], char *const envp[]); bool log_allowed(struct eventlog *evlog);
bool log_exit_status(int exit_status); bool log_exit_status(int exit_status);
bool log_auth_failure(int status, unsigned int tries); bool log_auth_failure(int status, unsigned int tries);
bool log_denial(int status, bool inform_user); bool log_denial(int status, bool inform_user);