isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add SLOG_AUDIT flag for log_warningx() to also audit the message.

Browse Source 
This lets us combine audit_failure() and log_warningx() calls with
the same message.
This commit is contained in:
Todd C. Miller
2020-09-23 08:18:55 -06:00
parent 6ee731caff
commit f1d19f1d6e
4 changed files with 36 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
plugins/sudoers/sudoers.c
View File

@@ -292,10 +292,7 @@ check_user_runchroot(void)
if (def_runchroot == NULL || (strcmp(def_runchroot, "*") != 0 &&
strcmp(def_runchroot, user_runchroot) != 0)) {
audit_failure(NewArgv,
N_("user not allowed to change root directory to %s"),
user_runchroot);
log_warningx(SLOG_NO_STDERR,
log_warningx(SLOG_NO_STDERR|SLOG_AUDIT,
N_("user not allowed to change root directory to %s"),
user_runchroot);
sudo_warnx(U_("you are not permitted to use the -R option with %s"),
@@ -322,9 +319,7 @@ check_user_runcwd(void)
if (strcmp(user_cwd, user_runcwd) != 0) {
if (def_runcwd == NULL || strcmp(def_runcwd, "*") != 0) {
audit_failure(NewArgv,
N_("user not allowed to change directory to %s"), user_runcwd);
log_warningx(SLOG_NO_STDERR,
log_warningx(SLOG_NO_STDERR|SLOG_AUDIT,
N_("user not allowed to change directory to %s"), user_runcwd);
sudo_warnx(U_("you are not permitted to use the -D option with %s"),
user_cmnd);
@@ -416,9 +411,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
/* Check for -C overriding def_closefrom. */
if (user_closefrom >= 0 && user_closefrom != def_closefrom) {
if (!def_closefrom_override) {
audit_failure(NewArgv,
N_("user not allowed to override closefrom limit"));
log_warningx(SLOG_NO_STDERR,
log_warningx(SLOG_NO_STDERR|SLOG_AUDIT,
N_("user not allowed to override closefrom limit"));
sudo_warnx("%s", U_("you are not permitted to use the -C option"));
goto bad;
@@ -448,14 +441,13 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
/* Defer uid/gid checks until after defaults have been updated. */
if (unknown_runas_uid && !def_runas_allow_unknown_id) {
audit_failure(NewArgv, N_("unknown user: %s"), runas_pw->pw_name);
log_warningx(0, N_("unknown user: %s"), runas_pw->pw_name);
log_warningx(SLOG_AUDIT, N_("unknown user: %s"), runas_pw->pw_name);
goto done;
}
if (runas_gr != NULL) {
if (unknown_runas_gid && !def_runas_allow_unknown_id) {
audit_failure(NewArgv, N_("unknown group: %s"), runas_gr->gr_name);
log_warningx(0, N_("unknown group: %s"), runas_gr->gr_name);
log_warningx(SLOG_AUDIT, N_("unknown group: %s"),
runas_gr->gr_name);
goto done;
}
}
@@ -496,17 +488,15 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
/* Bail if a tty is required and we don't have one. */
if (def_requiretty && !tty_present()) {
audit_failure(NewArgv, N_("no tty"));
log_warningx(SLOG_NO_STDERR, N_("no tty"));
log_warningx(SLOG_NO_STDERR|SLOG_AUDIT, N_("no tty"));
sudo_warnx("%s", U_("sorry, you must have a tty to run sudo"));
goto bad;
}
/* Check runas user's shell. */
if (!check_user_shell(runas_pw)) {
audit_failure(NewArgv, N_("invalid shell for user %s: %s"),
runas_pw->pw_name, runas_pw->pw_shell);
log_warningx(SLOG_RAW_MSG, N_("invalid shell for user %s: %s"),
log_warningx(SLOG_RAW_MSG|SLOG_AUDIT,
N_("invalid shell for user %s: %s"),
runas_pw->pw_name, runas_pw->pw_shell);
goto bad;
}
@@ -607,8 +597,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
/* If user specified a timeout make sure sudoers allows it. */
if (!def_user_command_timeouts && user_timeout > 0) {
audit_failure(NewArgv, N_("user not allowed to set a command timeout"));
log_warningx(SLOG_NO_STDERR,
log_warningx(SLOG_NO_STDERR|SLOG_AUDIT,
N_("user not allowed to set a command timeout"));
sudo_warnx("%s",
U_("sorry, you are not allowed set a command timeout"));
@@ -618,9 +607,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
/* If user specified env vars make sure sudoers allows it. */
if (ISSET(sudo_mode, MODE_RUN) && !def_setenv) {
if (ISSET(sudo_mode, MODE_PRESERVE_ENV)) {
audit_failure(NewArgv,
N_("user not allowed to preserve the environment"));
log_warningx(SLOG_NO_STDERR,
log_warningx(SLOG_NO_STDERR|SLOG_AUDIT,
N_("user not allowed to preserve the environment"));
sudo_warnx("%s",
U_("sorry, you are not allowed to preserve the environment"));