diff --git a/configure b/configure index d5d1fc9e7..cc51ccba1 100755 --- a/configure +++ b/configure @@ -2278,8 +2278,8 @@ if test "${with_bsm_audit+set}" = set; then #define HAVE_BSM_AUDIT 1 _ACEOF - SUDO_LIBS="${SUDO_LIBS} -lbsm" - SUDO_OBJS="${SUDO_OBJS} bsm_audit.o" + SUDOERS_LIBS="${SUDOERS_LIBS} -lbsm" + SUDOERS_OBJS="${SUDOERS_OBJS} bsm_audit.lo" ;; no) ;; *) { { echo "$as_me:$LINENO: error: \"--with-bsm-audit does not take an argument.\"" >&5 diff --git a/configure.in b/configure.in index 723773ec1..e3f112582 100644 --- a/configure.in +++ b/configure.in @@ -221,8 +221,8 @@ dnl AC_ARG_WITH(bsm-audit, [AS_HELP_STRING([--with-bsm-audit], [enable BSM audit support])], [case $with_bsm_audit in yes) AC_DEFINE(HAVE_BSM_AUDIT) - SUDO_LIBS="${SUDO_LIBS} -lbsm" - SUDO_OBJS="${SUDO_OBJS} bsm_audit.o" + SUDOERS_LIBS="${SUDOERS_LIBS} -lbsm" + SUDOERS_OBJS="${SUDOERS_OBJS} bsm_audit.o" ;; no) ;; *) AC_MSG_ERROR(["--with-bsm-audit does not take an argument."]) diff --git a/plugins/sudoers/Makefile.in b/plugins/sudoers/Makefile.in index a2fd23bd8..60de3842f 100644 --- a/plugins/sudoers/Makefile.in +++ b/plugins/sudoers/Makefile.in @@ -95,8 +95,8 @@ SHELL = /bin/sh AUTH_OBJS = sudo_auth.lo @AUTH_OBJS@ -LIBSUDOERS_OBJS = alias.lo alloc.lo atobool.lo defaults.lo gram.lo list.lo \ - match.lo pwutil.lo timestr.lo toke.lo redblack.lo \ +LIBSUDOERS_OBJS = alias.lo alloc.lo atobool.lo audit.lo defaults.lo gram.lo \ + list.lo match.lo pwutil.lo timestr.lo toke.lo redblack.lo \ zero_bytes.lo @NONUNIX_GROUPS_IMPL@ SUDOERS_OBJS = $(AUTH_OBJS) boottime.lo check.lo fmt_string.lo \ 
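Review bot: The `configure.in` hunk appends `bsm_audit.o` to `SUDOERS_OBJS`, but the `configure` hunk in the same commit appends `bsm_audit.lo`, and the only dependency rule added to `plugins/sudoers/Makefile.in` is for `bsm_audit.lo`. The next autoconf run would regenerate `configure` with the `.o` name, which has no matching rule in the plugin Makefile, so a `--with-bsm-audit` build is likely to break. The line should read `SUDOERS_OBJS="${SUDOERS_OBJS} bsm_audit.lo"`.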
@@ -212,6 +212,10 @@ list.lo: $(top_srcdir)/src/list.c $(SUDODEP) lbuf.lo: $(top_srcdir)/src/lbuf.c $(SUDODEP) zero_bytes.lo: $(top_srcdir)/src/zero_bytes.c $(incdir)/compat.h $(top_builddir)/config.h +# Upper level audit dependencies (XXX - move into sudoers?) +audit.lo: $(top_srcdir)/src/audit.c $(SUDODEP) +bsm_audit.lo: $(top_srcdir)/src/bsm_audit.c $(SUDODEP) $(top_srcdir)/src/bsm_audit.h + # Auth dependencies sudo_auth.lo: $(authdir)/sudo_auth.c $(AUTHDEP) $(INSDEP) afs.lo: $(authdir)/afs.c $(AUTHDEP) diff --git a/plugins/sudoers/auth/sudo_auth.c b/plugins/sudoers/auth/sudo_auth.c index 3a7f83725..16e89c5d6 100644 --- a/plugins/sudoers/auth/sudo_auth.c +++ b/plugins/sudoers/auth/sudo_auth.c @@ -93,9 +93,7 @@ verify_user(struct passwd *pw, char *prompt) char *p; sudo_auth *auth; sigaction_t sa, osa; -#ifdef HAVE_BSM_AUDIT - extern char **NewArgv; -#endif + extern char **NewArgv; /* XXX */ /* Enable suspend during password entry. */ sigemptyset(&sa.sa_mask); @@ -105,9 +103,7 @@ verify_user(struct passwd *pw, char *prompt) /* Make sure we have at least one auth method. */ if (auth_switch[0].name == NULL) { -#ifdef HAVE_BSM_AUDIT audit_failure(NewArgv, "no authentication methods"); -#endif log_error(0, "%s %s %s", "There are no authentication methods compiled into sudo!", "If you want to turn off authentication, use the", @@ -129,9 +125,7 @@ verify_user(struct passwd *pw, char *prompt) if (status == AUTH_FAILURE) CLR(auth->flags, FLAG_CONFIGURED); else if (status == AUTH_FATAL) { /* XXX log */ -#ifdef HAVE_BSM_AUDIT audit_failure(NewArgv, "authentication failure"); -#endif return -1; /* assume error msg already printed */ } @@ -151,9 +145,7 @@ verify_user(struct passwd *pw, char *prompt) if (status == AUTH_FAILURE) CLR(auth->flags, FLAG_CONFIGURED); else if (status == AUTH_FATAL) {/* XXX log */ -#ifdef HAVE_BSM_AUDIT audit_failure(NewArgv, "authentication failure"); -#endif return -1; /* assume error msg already printed */ } 
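Review bot: The block-scope `extern char **NewArgv; /* XXX */` at the top of `verify_user` is never checked by the compiler against the definition in `sudoers.c`, so a later change to that variable's type would compile cleanly and hand `audit_failure` a wrong pointer. Declaring it once in a header that both files include lets the compiler catch a mismatch. The same commit removes the `HAVE_BSM_AUDIT` guards around `audit_failure` in the hunks at -105, -129, -151, -203 and -230, so every build now needs a prototype for that variadic function in scope in this file. The include list is outside these hunks, so that should be confirmed. `verify_user` starts and ends outside the hunk.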
@@ -203,9 +195,7 @@ cleanup: status = (auth->cleanup)(pw, auth); if (status == AUTH_FATAL) { /* XXX log */ -#ifdef HAVE_BSM_AUDIT audit_failure(NewArgv, "authentication failure"); -#endif return -1; /* assume error msg already printed */ } @@ -230,16 +220,12 @@ cleanup: def_passwd_tries - counter, (def_passwd_tries - counter == 1) ? "" : "s"); } -#ifdef HAVE_BSM_AUDIT audit_failure(NewArgv, "authentication failure"); -#endif rval = FALSE; break; case AUTH_FATAL: default: -#ifdef HAVE_BSM_AUDIT audit_failure(NewArgv, "authentication failure"); -#endif rval = -1; break; } diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c index 04e75e65b..da8c47014 100644 --- a/plugins/sudoers/sudoers.c +++ b/plugins/sudoers/sudoers.c @@ -153,8 +153,9 @@ static char *runas_user; static char *runas_group; static struct sudo_nss_list *snl; -static int NewArgc; -static char **NewArgv; +/* XXX - must be extern for audit bits of sudo_auth.c */ +int NewArgc; +char **NewArgv; /* error.c */ extern sigjmp_buf error_jmp; @@ -396,7 +397,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[], if (def_requiretty) { int fd = open(_PATH_TTY, O_RDWR|O_NOCTTY); if (fd == -1) { - //audit_failure(NewArgv, "no tty"); + audit_failure(NewArgv, "no tty"); warningx("sorry, you must have a tty to run sudo"); goto done; } else @@ -440,7 +441,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[], /* If the user was not allowed to run the command we are done. */ if (!ISSET(validated, VALIDATE_OK)) { if (ISSET(validated, FLAG_NO_USER | FLAG_NO_HOST)) { - //audit_failure(NewArgv, "No user or host"); + audit_failure(NewArgv, "No user or host"); log_denial(validated, 1); } else { if (def_path_info) { 
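Review bot: Only `NewArgv` is referenced from `sudo_auth.c` in this commit, yet the hunk at -153 drops `static` from `NewArgc` as well; `static int NewArgc;` can stay as it was. `NewArgv` becomes a global with a generic, unprefixed name in what appears to be a loadable plugin (libtool `.lo` objects under `plugins/sudoers`). If the loading program exports a symbol of the same name, the dynamic linker may bind the plugin's references to that one instead, which would put the wrong argument vector into audit records; this cannot be verified from the page. Keeping it `static` and giving `verify_user` the vector through a parameter or a small accessor function would avoid the exported global.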
@@ -461,18 +462,18 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[], /* Just tell the user they are not allowed to run foo. */ log_denial(validated, 1); } - //audit_failure(NewArgv, "validation failure"); + audit_failure(NewArgv, "validation failure"); } goto done; } /* Finally tell the user if the command did not exist. */ if (cmnd_status == NOT_FOUND_DOT) { - //audit_failure(NewArgv, "command in current directory"); + audit_failure(NewArgv, "command in current directory"); warningx("ignoring `%s' found in '.'\nUse `sudo ./%s' if this is the `%s' you wish to run.", user_cmnd, user_cmnd, user_cmnd); goto done; } else if (cmnd_status == NOT_FOUND) { - //audit_failure(NewArgv, "%s: command not found", user_cmnd); + audit_failure(NewArgv, "%s: command not found", user_cmnd); warningx("%s: command not found", user_cmnd); goto done; } @@ -580,7 +581,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[], } /* Must audit before uid change. */ - //audit_success(NewArgv); /* XXX */ + audit_success(NewArgv); *command_infop = command_info; @@ -1025,7 +1026,7 @@ set_runaspw(char *user) runas_pw = sudo_fakepwnam(user, runas_gr ? runas_gr->gr_gid : 0); } else { if ((runas_pw = sudo_getpwnam(user)) == NULL) { - //audit_failure(NewArgv, "unknown user: %s", user); + audit_failure(NewArgv, "unknown user: %s", user); log_error(NO_MAIL|MSG_ONLY, "unknown user: %s", user); } } diff --git a/src/Makefile.in b/src/Makefile.in index 6402ea692..a396f0d55 100644 --- a/src/Makefile.in +++ b/src/Makefile.in 
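Review bot: `audit_success(NewArgv)` in the hunk at -580 runs inside `sudoers_policy_main`, before `*command_infop = command_info;` hands the result back, so the success record is written when the policy allows the command rather than when the command has run. If anything after this point fails, the audit trail still shows a success; the rest of the function and its caller are outside the hunk, so this is inferred. The existing comment explains the ordering but not what the event asserts, and I would extend it to `/* Must audit before uid change; record means "authorized", exec may still fail. */`.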
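Review bot: In `set_runaspw` (hunk at -1025) the new `audit_failure(NewArgv, "unknown user: %s", user)` reads the file-scope `NewArgv`, which is only valid once it has been assigned; where that happens is not visible in these hunks. If `set_runaspw` can be reached before that assignment, `audit_failure` receives a null or stale vector. Either confirm that `audit_failure` tolerates a NULL argv, or document the precondition with a comment such as `/* NewArgv must be set before set_runaspw() is called */`. The function body continues outside the hunk.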
@@ -108,8 +108,6 @@ sesh: sesh.o
 aix.o: $(srcdir)/aix.c $(top_builddir)/config.h $(incdir)/compat.h
 alloc.o: $(srcdir)/alloc.c $(SUDODEP)
 atobool.o: $(srcdir)/atobool.c $(SUDODEP)
-audit.o: $(srcdir)/audit.c $(SUDODEP)
-bsm_audit.o: $(srcdir)/bsm_audit.c $(SUDODEP) bsm_audit.h
 conversation.o: $(srcdir)/conversation.c $(SUDODEP)
 error.o: $(srcdir)/error.c $(incdir)/compat.h $(incdir)/error.h $(top_builddir)/config.h
 fileops.o: $(srcdir)/fileops.c $(SUDODEP)