isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Re-enable bsm audit. Currently auditing is done within the sudoers

Browse Source 
plugin itself.  If possible, this should really be done in the main
driver but we don't presently have the needed data to do that.  This
will be re-evaluated when Linux audit support is added.
This commit is contained in:
Todd C. Miller
2010-04-30 12:01:15 -04:00
parent 0c7e3235f6
commit f42cf76d8a
6 changed files with 21 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
configure vendored
View File

@@ -2278,8 +2278,8 @@ if test "${with_bsm_audit+set}" = set; then
#define HAVE_BSM_AUDIT 1 #define HAVE_BSM_AUDIT 1
_ACEOF _ACEOF
SUDO_LIBS="${SUDO_LIBS} -lbsm" SUDOERS_LIBS="${SUDOERS_LIBS} -lbsm"
SUDO_OBJS="${SUDO_OBJS} bsm_audit.o" SUDOERS_OBJS="${SUDOERS_OBJS} bsm_audit.lo"
;; ;;
no) ;; no) ;;
*) { { echo "$as_me:$LINENO: error: \"--with-bsm-audit does not take an argument.\"" >&5 *) { { echo "$as_me:$LINENO: error: \"--with-bsm-audit does not take an argument.\"" >&5

4
configure.in
View File

@@ -221,8 +221,8 @@ dnl
AC_ARG_WITH(bsm-audit, [AS_HELP_STRING([--with-bsm-audit], [enable BSM audit support])], AC_ARG_WITH(bsm-audit, [AS_HELP_STRING([--with-bsm-audit], [enable BSM audit support])],
[case $with_bsm_audit in [case $with_bsm_audit in
yes) AC_DEFINE(HAVE_BSM_AUDIT) yes) AC_DEFINE(HAVE_BSM_AUDIT)
SUDO_LIBS="${SUDO_LIBS} -lbsm" SUDOERS_LIBS="${SUDOERS_LIBS} -lbsm"
SUDO_OBJS="${SUDO_OBJS} bsm_audit.o" SUDOERS_OBJS="${SUDOERS_OBJS} bsm_audit.o"
;; ;;
no) ;; no) ;;
*) AC_MSG_ERROR(["--with-bsm-audit does not take an argument."]) *) AC_MSG_ERROR(["--with-bsm-audit does not take an argument."])

8
plugins/sudoers/Makefile.in
View File

@@ -95,8 +95,8 @@ SHELL = /bin/sh
AUTH_OBJS = sudo_auth.lo @AUTH_OBJS@ AUTH_OBJS = sudo_auth.lo @AUTH_OBJS@
LIBSUDOERS_OBJS = alias.lo alloc.lo atobool.lo defaults.lo gram.lo list.lo \ LIBSUDOERS_OBJS = alias.lo alloc.lo atobool.lo audit.lo defaults.lo gram.lo \
match.lo pwutil.lo timestr.lo toke.lo redblack.lo \ list.lo match.lo pwutil.lo timestr.lo toke.lo redblack.lo \
zero_bytes.lo @NONUNIX_GROUPS_IMPL@ zero_bytes.lo @NONUNIX_GROUPS_IMPL@
SUDOERS_OBJS = $(AUTH_OBJS) boottime.lo check.lo fmt_string.lo \ SUDOERS_OBJS = $(AUTH_OBJS) boottime.lo check.lo fmt_string.lo \
@@ -212,6 +212,10 @@ list.lo: $(top_srcdir)/src/list.c $(SUDODEP)
lbuf.lo: $(top_srcdir)/src/lbuf.c $(SUDODEP) lbuf.lo: $(top_srcdir)/src/lbuf.c $(SUDODEP)
zero_bytes.lo: $(top_srcdir)/src/zero_bytes.c $(incdir)/compat.h $(top_builddir)/config.h zero_bytes.lo: $(top_srcdir)/src/zero_bytes.c $(incdir)/compat.h $(top_builddir)/config.h
# Upper level audit dependencies (XXX - move into sudoers?)
audit.lo: $(top_srcdir)/src/audit.c $(SUDODEP)
bsm_audit.lo: $(top_srcdir)/src/bsm_audit.c $(SUDODEP) $(top_srcdir)/src/bsm_audit.h
# Auth dependencies # Auth dependencies
sudo_auth.lo: $(authdir)/sudo_auth.c $(AUTHDEP) $(INSDEP) sudo_auth.lo: $(authdir)/sudo_auth.c $(AUTHDEP) $(INSDEP)
afs.lo: $(authdir)/afs.c $(AUTHDEP) afs.lo: $(authdir)/afs.c $(AUTHDEP)

16
plugins/sudoers/auth/sudo_auth.c
View File

@@ -93,9 +93,7 @@ verify_user(struct passwd *pw, char *prompt)
char *p; char *p;
sudo_auth *auth; sudo_auth *auth;
sigaction_t sa, osa; sigaction_t sa, osa;
#ifdef HAVE_BSM_AUDIT extern char **NewArgv; /* XXX */
extern char **NewArgv;
#endif
/* Enable suspend during password entry. */ /* Enable suspend during password entry. */
sigemptyset(&sa.sa_mask); sigemptyset(&sa.sa_mask);
@@ -105,9 +103,7 @@ verify_user(struct passwd *pw, char *prompt)
/* Make sure we have at least one auth method. */ /* Make sure we have at least one auth method. */
if (auth_switch[0].name == NULL) { if (auth_switch[0].name == NULL) {
#ifdef HAVE_BSM_AUDIT
audit_failure(NewArgv, "no authentication methods"); audit_failure(NewArgv, "no authentication methods");
#endif
log_error(0, "%s %s %s", log_error(0, "%s %s %s",
"There are no authentication methods compiled into sudo!", "There are no authentication methods compiled into sudo!",
"If you want to turn off authentication, use the", "If you want to turn off authentication, use the",
@@ -129,9 +125,7 @@ verify_user(struct passwd *pw, char *prompt)
if (status == AUTH_FAILURE) if (status == AUTH_FAILURE)
CLR(auth->flags, FLAG_CONFIGURED); CLR(auth->flags, FLAG_CONFIGURED);
else if (status == AUTH_FATAL) { /* XXX log */ else if (status == AUTH_FATAL) { /* XXX log */
#ifdef HAVE_BSM_AUDIT
audit_failure(NewArgv, "authentication failure"); audit_failure(NewArgv, "authentication failure");
#endif
return -1; /* assume error msg already printed */ return -1; /* assume error msg already printed */
} }
@@ -151,9 +145,7 @@ verify_user(struct passwd *pw, char *prompt)
if (status == AUTH_FAILURE) if (status == AUTH_FAILURE)
CLR(auth->flags, FLAG_CONFIGURED); CLR(auth->flags, FLAG_CONFIGURED);
else if (status == AUTH_FATAL) {/* XXX log */ else if (status == AUTH_FATAL) {/* XXX log */
#ifdef HAVE_BSM_AUDIT
audit_failure(NewArgv, "authentication failure"); audit_failure(NewArgv, "authentication failure");
#endif
return -1; /* assume error msg already printed */ return -1; /* assume error msg already printed */
} }
@@ -203,9 +195,7 @@ cleanup:
status = (auth->cleanup)(pw, auth); status = (auth->cleanup)(pw, auth);
if (status == AUTH_FATAL) { /* XXX log */ if (status == AUTH_FATAL) { /* XXX log */
#ifdef HAVE_BSM_AUDIT
audit_failure(NewArgv, "authentication failure"); audit_failure(NewArgv, "authentication failure");
#endif
return -1; /* assume error msg already printed */ return -1; /* assume error msg already printed */
} }
@@ -230,16 +220,12 @@ cleanup:
def_passwd_tries - counter, def_passwd_tries - counter,
(def_passwd_tries - counter == 1) ? "" : "s"); (def_passwd_tries - counter == 1) ? "" : "s");
} }
#ifdef HAVE_BSM_AUDIT
audit_failure(NewArgv, "authentication failure"); audit_failure(NewArgv, "authentication failure");
#endif
rval = FALSE; rval = FALSE;
break; break;
case AUTH_FATAL: case AUTH_FATAL:
default: default:
#ifdef HAVE_BSM_AUDIT
audit_failure(NewArgv, "authentication failure"); audit_failure(NewArgv, "authentication failure");
#endif
rval = -1; rval = -1;
break; break;
} }

19
plugins/sudoers/sudoers.c
View File

@@ -153,8 +153,9 @@ static char *runas_user;
static char *runas_group; static char *runas_group;
static struct sudo_nss_list *snl; static struct sudo_nss_list *snl;
static int NewArgc; /* XXX - must be extern for audit bits of sudo_auth.c */
static char **NewArgv; int NewArgc;
char **NewArgv;
/* error.c */ /* error.c */
extern sigjmp_buf error_jmp; extern sigjmp_buf error_jmp;
@@ -396,7 +397,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
if (def_requiretty) { if (def_requiretty) {
int fd = open(_PATH_TTY, O_RDWR|O_NOCTTY); int fd = open(_PATH_TTY, O_RDWR|O_NOCTTY);
if (fd == -1) { if (fd == -1) {
//audit_failure(NewArgv, "no tty"); audit_failure(NewArgv, "no tty");
warningx("sorry, you must have a tty to run sudo"); warningx("sorry, you must have a tty to run sudo");
goto done; goto done;
} else } else
@@ -440,7 +441,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
/* If the user was not allowed to run the command we are done. */ /* If the user was not allowed to run the command we are done. */
if (!ISSET(validated, VALIDATE_OK)) { if (!ISSET(validated, VALIDATE_OK)) {
if (ISSET(validated, FLAG_NO_USER | FLAG_NO_HOST)) { if (ISSET(validated, FLAG_NO_USER | FLAG_NO_HOST)) {
//audit_failure(NewArgv, "No user or host"); audit_failure(NewArgv, "No user or host");
log_denial(validated, 1); log_denial(validated, 1);
} else { } else {
if (def_path_info) { if (def_path_info) {
@@ -461,18 +462,18 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
/* Just tell the user they are not allowed to run foo. */ /* Just tell the user they are not allowed to run foo. */
log_denial(validated, 1); log_denial(validated, 1);
} }
//audit_failure(NewArgv, "validation failure"); audit_failure(NewArgv, "validation failure");
} }
goto done; goto done;
} }
/* Finally tell the user if the command did not exist. */ /* Finally tell the user if the command did not exist. */
if (cmnd_status == NOT_FOUND_DOT) { if (cmnd_status == NOT_FOUND_DOT) {
//audit_failure(NewArgv, "command in current directory"); audit_failure(NewArgv, "command in current directory");
warningx("ignoring `%s' found in '.'\nUse `sudo ./%s' if this is the `%s' you wish to run.", user_cmnd, user_cmnd, user_cmnd); warningx("ignoring `%s' found in '.'\nUse `sudo ./%s' if this is the `%s' you wish to run.", user_cmnd, user_cmnd, user_cmnd);
goto done; goto done;
} else if (cmnd_status == NOT_FOUND) { } else if (cmnd_status == NOT_FOUND) {
//audit_failure(NewArgv, "%s: command not found", user_cmnd); audit_failure(NewArgv, "%s: command not found", user_cmnd);
warningx("%s: command not found", user_cmnd); warningx("%s: command not found", user_cmnd);
goto done; goto done;
} }
@@ -580,7 +581,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
} }
/* Must audit before uid change. */ /* Must audit before uid change. */
//audit_success(NewArgv); /* XXX */ audit_success(NewArgv);
*command_infop = command_info; *command_infop = command_info;
@@ -1025,7 +1026,7 @@ set_runaspw(char *user)
runas_pw = sudo_fakepwnam(user, runas_gr ? runas_gr->gr_gid : 0); runas_pw = sudo_fakepwnam(user, runas_gr ? runas_gr->gr_gid : 0);
} else { } else {
if ((runas_pw = sudo_getpwnam(user)) == NULL) { if ((runas_pw = sudo_getpwnam(user)) == NULL) {
//audit_failure(NewArgv, "unknown user: %s", user); audit_failure(NewArgv, "unknown user: %s", user);
log_error(NO_MAIL|MSG_ONLY, "unknown user: %s", user); log_error(NO_MAIL|MSG_ONLY, "unknown user: %s", user);
} }
} }

2
src/Makefile.in
View File

@@ -108,8 +108,6 @@ sesh: sesh.o
aix.o: $(srcdir)/aix.c $(top_builddir)/config.h $(incdir)/compat.h aix.o: $(srcdir)/aix.c $(top_builddir)/config.h $(incdir)/compat.h
alloc.o: $(srcdir)/alloc.c $(SUDODEP) alloc.o: $(srcdir)/alloc.c $(SUDODEP)
atobool.o: $(srcdir)/atobool.c $(SUDODEP) atobool.o: $(srcdir)/atobool.c $(SUDODEP)
audit.o: $(srcdir)/audit.c $(SUDODEP)
bsm_audit.o: $(srcdir)/bsm_audit.c $(SUDODEP) bsm_audit.h
conversation.o: $(srcdir)/conversation.c $(SUDODEP) conversation.o: $(srcdir)/conversation.c $(SUDODEP)
error.o: $(srcdir)/error.c $(incdir)/compat.h $(incdir)/error.h $(top_builddir)/config.h error.o: $(srcdir)/error.c $(incdir)/compat.h $(incdir)/error.h $(top_builddir)/config.h
fileops.o: $(srcdir)/fileops.c $(SUDODEP) fileops.o: $(srcdir)/fileops.c $(SUDODEP)