isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Make the behavior when we cannot write to a log or audit file

Browse Source 
configurable.  File log failures are ignored by default for consistency
with syslog.  Audit errors are ignored by default to allow the admin
to fix the issue.  I/O log file errors are still fatal by default
since if I/O logging is activated it is usually to have an audit trail.
Bug #751
This commit is contained in:
Todd C. Miller
2016-08-17 07:22:51 -06:00
parent 9ccd260842
commit ed18d0d5f8
13 changed files with 203 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
doc/sudoers.cat
View File

@@ -1027,11 +1027,37 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
This flag is _o_f_f by default.
ignore_audit_errors
Allow commands to be run even if ssuuddooeerrss cannot write
to the audit log. If enabled, an audit log write
failure is not treated as a fatal error. If disabled,
a command may only be run after the audit event is
successfully written. This flag is only effective on
systems for which ssuuddooeerrss supports audit logging,
including FreeBSD, Linux, Mac OS X and Solaris. This
flag is _o_n by default.
ignore_dot If set, ssuuddoo will ignore "." or "" (both denoting
current directory) in the PATH environment variable;
the PATH itself is not modified. This flag is _o_f_f by
default.
ignore_iolog_errors
Allow commands to be run even if ssuuddooeerrss cannot write
to the I/O log. If enabled, an I/O log write failure
is not treated as a fatal error. If disabled, the
command will be terminated if the I/O log cannot be
written to. This flag is _o_f_f by default.
ignore_logfile_errors
Allow commands to be run even if ssuuddooeerrss cannot write
to the log file. If enabled, a log file write failure
is not treated as a fatal error. If disabled, a
command may only be run after the log file entry is
successfully written. This flag only has an effect
when ssuuddooeerrss is configured to use file-based logging
via the _l_o_g_f_i_l_e option. This flag is _o_n by default.
ignore_local_sudoers
If set via LDAP, parsing of _/_e_t_c_/_s_u_d_o_e_r_s will be
skipped. This is intended for Enterprises that wish to
@@ -2543,4 +2569,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or https://www.sudo.ws/license.html for
complete details.
Sudo 1.8.18 August 10, 2016 Sudo 1.8.18
Sudo 1.8.18 August 17, 2016 Sudo 1.8.18

42
doc/sudoers.man.in
View File

@@ -21,7 +21,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.TH "SUDOERS" "5" "August 10, 2016" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.TH "SUDOERS" "5" "August 17, 2016" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -2194,6 +2194,20 @@ This flag is
by default.
.RE
.TP 18n
ignore_audit_errors
Allow commands to be run even if
\fBsudoers\fR
cannot write to the audit log.
If enabled, an audit log write failure is not treated as a fatal error.
If disabled, a command may only be run after the audit event is successfully
written.
This flag is only effective on systems for which
\fBsudoers\fR
supports audit logging, including FreeBSD, Linux, Mac OS X and Solaris.
This flag is
\fIon\fR
by default.
.TP 18n
ignore_dot
If set,
\fBsudo\fR
@@ -2206,6 +2220,32 @@ This flag is
\fI@ignore_dot@\fR
by default.
.TP 18n
ignore_iolog_errors
Allow commands to be run even if
\fBsudoers\fR
cannot write to the I/O log.
If enabled, an I/O log write failure is not treated as a fatal error.
If disabled, the command will be terminated if the I/O log cannot be written to.
This flag is
\fIoff\fR
by default.
.TP 18n
ignore_logfile_errors
Allow commands to be run even if
\fBsudoers\fR
cannot write to the log file.
If enabled, a log file write failure is not treated as a fatal error.
If disabled, a command may only be run after the log file entry is successfully
written.
This flag only has an effect when
\fBsudoers\fR
is configured to use file-based logging via the
\fIlogfile\fR
option.
This flag is
\fIon\fR
by default.
.TP 18n
ignore_local_sudoers
If set via LDAP, parsing of
\fI@sysconfdir@/sudoers\fR

39
doc/sudoers.mdoc.in
View File

@@ -19,7 +19,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.Dd August 10, 2016
.Dd August 17, 2016
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -2057,6 +2057,19 @@ aliases from DNS.
This flag is
.Em @fqdn@
by default.
.It ignore_audit_errors
Allow commands to be run even if
.Nm
cannot write to the audit log.
If enabled, an audit log write failure is not treated as a fatal error.
If disabled, a command may only be run after the audit event is successfully
written.
This flag is only effective on systems for which
.Nm
supports audit logging, including FreeBSD, Linux, Mac OS X and Solaris.
This flag is
.Em on
by default.
.It ignore_dot
If set,
.Nm sudo
@@ -2068,6 +2081,30 @@ itself is not modified.
This flag is
.Em @ignore_dot@
by default.
.It ignore_iolog_errors
Allow commands to be run even if
.Nm
cannot write to the I/O log.
If enabled, an I/O log write failure is not treated as a fatal error.
If disabled, the command will be terminated if the I/O log cannot be written to.
This flag is
.Em off
by default.
.It ignore_logfile_errors
Allow commands to be run even if
.Nm
cannot write to the log file.
If enabled, a log file write failure is not treated as a fatal error.
If disabled, a command may only be run after the log file entry is successfully
written.
This flag only has an effect when
.Nm
is configured to use file-based logging via the
.Em logfile
option.
This flag is
.Em on
by default.
.It ignore_local_sudoers
If set via LDAP, parsing of
.Pa @sysconfdir@/sudoers

12
plugins/sudoers/def_data.c
View File

@@ -402,6 +402,18 @@ struct sudo_defs_types sudo_defs_table[] = {
"netgroup_tuple", T_FLAG,
N_("Match netgroups based on the entire tuple: user, host and domain"),
NULL,
}, {
"ignore_audit_errors", T_FLAG,
N_("Allow commands to be run even if sudo cannot write to the audit log"),
NULL,
}, {
"ignore_iolog_errors", T_FLAG,
N_("Allow commands to be run even if sudo cannot write to the I/O log"),
NULL,
}, {
"ignore_logfile_errors", T_FLAG,
N_("Allow commands to be run even if sudo cannot write to the log file"),
NULL,
}, {
NULL, 0, NULL
}

6
plugins/sudoers/def_data.h
View File

@@ -188,6 +188,12 @@
#define I_ALWAYS_QUERY_GROUP_PLUGIN93
#define def_netgroup_tuple (sudo_defs_table[94].sd_un.flag)
#define I_NETGROUP_TUPLE 94
#define def_ignore_audit_errors (sudo_defs_table[95].sd_un.flag)
#define I_IGNORE_AUDIT_ERRORS 95
#define def_ignore_iolog_errors (sudo_defs_table[96].sd_un.flag)
#define I_IGNORE_IOLOG_ERRORS 96
#define def_ignore_logfile_errors (sudo_defs_table[97].sd_un.flag)
#define I_IGNORE_LOGFILE_ERRORS 97
enum def_tuple {
never,

9
plugins/sudoers/def_data.in
View File

@@ -298,3 +298,12 @@ always_query_group_plugin
netgroup_tuple
T_FLAG
"Match netgroups based on the entire tuple: user, host and domain"
ignore_audit_errors
T_FLAG
"Allow commands to be run even if sudo cannot write to the audit log"
ignore_iolog_errors
T_FLAG
"Allow commands to be run even if sudo cannot write to the I/O log"
ignore_logfile_errors
T_FLAG
"Allow commands to be run even if sudo cannot write to the log file"

3
plugins/sudoers/defaults.c
View File

@@ -513,6 +513,9 @@ init_defaults(void)
#ifdef HAVE_ZLIB_H
def_compress_io = true;
#endif
def_ignore_audit_errors = true;
def_ignore_iolog_errors = false;
def_ignore_logfile_errors = true;
/* Now do the strings */
if ((def_mailto = strdup(MAILTO)) == NULL)

44
plugins/sudoers/iolog.c
View File

@@ -711,6 +711,7 @@ done:
static void
sudoers_io_close(int exit_status, int error)
{
const char *errstr = NULL;
int i;
debug_decl(sudoers_io_close, SUDOERS_DEBUG_PLUGIN)
@@ -718,13 +719,20 @@ sudoers_io_close(int exit_status, int error)
if (io_log_files[i].fd.v == NULL)
continue;
#ifdef HAVE_ZLIB_H
if (iolog_compress)
gzclose(io_log_files[i].fd.g);
else
if (iolog_compress) {
int errnum;
if (gzclose(io_log_files[i].fd.g) != Z_OK)
errstr = gzerror(io_log_files[i].fd.g, &errnum);
} else
#endif
fclose(io_log_files[i].fd.f);
if (fclose(io_log_files[i].fd.f) != 0)
errstr = strerror(errno);
}
if (errstr != NULL)
sudo_warnx(U_("unable to write to I/O log file: %s"), errstr);
sudoers_debug_deregister();
return;
@@ -748,6 +756,8 @@ static int
sudoers_io_log(const char *buf, unsigned int len, int idx)
{
struct timeval now, delay;
static bool warned = false;
const char *errstr = NULL;
int rval = true;
debug_decl(sudoers_io_version, SUDOERS_DEBUG_PLUGIN)
@@ -761,30 +771,48 @@ sudoers_io_log(const char *buf, unsigned int len, int idx)
#ifdef HAVE_ZLIB_H
if (iolog_compress) {
if (gzwrite(io_log_files[idx].fd.g, (const voidp)buf, len) != (int)len)
if (gzwrite(io_log_files[idx].fd.g, (const voidp)buf, len) != (int)len) {
int errnum;
errstr = gzerror(io_log_files[idx].fd.g, &errnum);
rval = -1;
}
} else
#endif
{
if (fwrite(buf, 1, len, io_log_files[idx].fd.f) != len)
if (fwrite(buf, 1, len, io_log_files[idx].fd.f) != len) {
errstr = strerror(errno);
rval = -1;
}
}
sudo_timevalsub(&now, &last_time, &delay);
#ifdef HAVE_ZLIB_H
if (iolog_compress) {
if (gzprintf(io_log_files[IOFD_TIMING].fd.g, "%d %f %u\n", idx,
delay.tv_sec + ((double)delay.tv_usec / 1000000), len) == 0)
delay.tv_sec + ((double)delay.tv_usec / 1000000), len) == 0) {
int errnum;
errstr = gzerror(io_log_files[IOFD_TIMING].fd.g, &errnum);
rval = -1;
}
} else
#endif
{
if (fprintf(io_log_files[IOFD_TIMING].fd.f, "%d %f %u\n", idx,
delay.tv_sec + ((double)delay.tv_usec / 1000000), len) < 0)
delay.tv_sec + ((double)delay.tv_usec / 1000000), len) < 0) {
errstr = strerror(errno);
rval = -1;
}
}
last_time.tv_sec = now.tv_sec;
last_time.tv_usec = now.tv_usec;
if (errstr != NULL && !warned) {
/* Only warn about I/O log file errors once. */
sudo_warnx(U_("unable to write to I/O log file: %s"), errstr);
warned = true;
}
debug_return_int(rval);
}

4
plugins/sudoers/policy.c
View File

@@ -532,6 +532,10 @@ sudoers_policy_exec_setup(char *argv[], char *envp[], mode_t cmnd_umask,
if (asprintf(&command_info[info_len++], "closefrom=%d", def_closefrom) == -1)
goto oom;
}
if (def_ignore_iolog_errors) {
if ((command_info[info_len++] = strdup("ignore_iolog_errors=true")) == NULL)
goto oom;
}
if (def_noexec) {
if ((command_info[info_len++] = strdup("noexec=true")) == NULL)
goto oom;

6
plugins/sudoers/sudoers.c
View File

@@ -492,7 +492,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
}
}
if (!log_allowed(validated))
if (!log_allowed(validated) && !def_ignore_logfile_errors)
goto bad;
switch (sudo_mode & MODE_MASK) {
@@ -602,13 +602,13 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
goto done;
goto bad;
}
if (audit_success(edit_argc, edit_argv) != 0)
if (audit_success(edit_argc, edit_argv) != 0 && !def_ignore_audit_errors)
goto done;
/* We want to run the editor with the unmodified environment. */
env_swap_old();
} else {
if (audit_success(NewArgc, NewArgv) != 0)
if (audit_success(NewArgc, NewArgv) != 0 && !def_ignore_audit_errors)
goto done;
}

26
src/exec_pty.c
View File

@@ -89,6 +89,7 @@ static int ttymode = TERM_COOKED;
static pid_t ppgrp, cmnd_pgrp, mon_pgrp;
static sigset_t ttyblock;
static struct io_buffer_list iobufs;
static bool ignore_iolog_errors;
static void del_io_events(bool nonblocking);
static int exec_monitor(struct command_details *details, int backchannel);
@@ -218,7 +219,8 @@ log_ttyin(const char *buf, unsigned int n, struct io_buffer *iob)
/* Error: disable plugin's I/O function. */
plugin->u.io->log_ttyin = NULL;
}
rval = false;
if (!ignore_iolog_errors)
rval = false;
break;
}
}
@@ -250,7 +252,8 @@ log_stdin(const char *buf, unsigned int n, struct io_buffer *iob)
/* Error: disable plugin's I/O function. */
plugin->u.io->log_stdin = NULL;
}
rval = false;
if (!ignore_iolog_errors)
rval = false;
break;
}
}
@@ -282,7 +285,8 @@ log_ttyout(const char *buf, unsigned int n, struct io_buffer *iob)
/* Error: disable plugin's I/O function. */
plugin->u.io->log_ttyout = NULL;
}
rval = false;
if (!ignore_iolog_errors)
rval = false;
break;
}
}
@@ -326,7 +330,8 @@ log_stdout(const char *buf, unsigned int n, struct io_buffer *iob)
/* Error: disable plugin's I/O function. */
plugin->u.io->log_stdout = NULL;
}
rval = false;
if (!ignore_iolog_errors)
rval = false;
break;
}
}
@@ -370,7 +375,8 @@ log_stderr(const char *buf, unsigned int n, struct io_buffer *iob)
/* Error: disable plugin's I/O function. */
plugin->u.io->log_stderr = NULL;
}
rval = false;
if (!ignore_iolog_errors)
rval = false;
break;
}
}
@@ -676,7 +682,8 @@ write_callback(int fd, int what, void *v)
}
static void
io_buf_new(int rfd, int wfd, bool (*action)(const char *, unsigned int, struct io_buffer *),
io_buf_new(int rfd, int wfd,
bool (*action)(const char *, unsigned int, struct io_buffer *),
struct io_buffer_list *head)
{
int n;
@@ -742,6 +749,13 @@ fork_pty(struct command_details *details, int sv[], sigset_t *omask)
sigaddset(&ttyblock, SIGTTIN);
sigaddset(&ttyblock, SIGTTOU);
/*
* The security policy may tell us to ignore errors from the
* I/O log functions.
*/
if (!ISSET(details->flags, CD_IGNORE_IOLOG_ERRS))
ignore_iolog_errors = true;
/*
* Setup stdin/stdout/stderr for child, to be duped after forking.
* In background mode there is no stdin.

3
src/sudo.c
View File

@@ -675,6 +675,9 @@ command_info_to_details(char * const info[], struct command_details *details)
break;
}
break;
case 'i':
SET_FLAG("ignore_iolog_errors=", CD_IGNORE_IOLOG_ERRS)
break;
case 'l':
SET_STRING("login_class=", login_class)
break;

1
src/sudo.h
View File

@@ -130,6 +130,7 @@ struct user_details {
#define CD_SUDOEDIT_FOLLOW 0x10000
#define CD_SUDOEDIT_CHECKDIR 0x20000
#define CD_SET_GROUPS 0x40000
#define CD_IGNORE_IOLOG_ERRS 0x80000
struct preserved_fd {
TAILQ_ENTRY(preserved_fd) entries;