isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Defer lookup of runas user until sudoers_main() for better logging.

Browse Source 
The log message now includes user info and the command attempted.
This commit is contained in:
Todd C. Miller
2020-12-04 13:49:37 -07:00
parent 567e5167d1
commit fd39e2d7d6
2 changed files with 18 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
plugins/sudoers/logging.c
View File

@@ -657,7 +657,7 @@ sudoers_to_eventlog(struct eventlog *evlog, char * const argv[],
memset(evlog, 0, sizeof(*evlog)); memset(evlog, 0, sizeof(*evlog));
/* TODO: iolog_path */ /* TODO: iolog_path */
evlog->iolog_file = sudo_user.iolog_file; evlog->iolog_file = sudo_user.iolog_file;
evlog->command = safe_cmnd; evlog->command = safe_cmnd ? safe_cmnd : (argv ? argv[0] : NULL);
evlog->cwd = user_cwd; evlog->cwd = user_cwd;
if (def_runchroot != NULL && strcmp(def_runchroot, "*") != 0) { if (def_runchroot != NULL && strcmp(def_runchroot, "*") != 0) {
evlog->runchroot = def_runchroot; evlog->runchroot = def_runchroot;

34
plugins/sudoers/sudoers.c
View File

@@ -395,6 +395,21 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
} }
} }
/*
* Set runas passwd/group entries based on command line or sudoers.
* Note that if runas_group was specified without runas_user we
* run the command as the invoking user.
*/
if (runas_group != NULL) {
if (!set_runasgr(runas_group, false))
goto done;
if (!set_runaspw(runas_user ? runas_user : user_name, false))
goto done;
} else {
if (!set_runaspw(runas_user ? runas_user : def_runas_default, false))
goto done;
}
/* If given the -P option, set the "preserve_groups" flag. */ /* If given the -P option, set the "preserve_groups" flag. */
if (ISSET(sudo_mode, MODE_PRESERVE_GROUPS)) if (ISSET(sudo_mode, MODE_PRESERVE_GROUPS))
def_preserve_groups = true; def_preserve_groups = true;
@@ -860,21 +875,6 @@ init_vars(char * const envp[])
debug_return_bool(false); debug_return_bool(false);
} }
/*
* Set runas passwd/group entries based on command line or sudoers.
* Note that if runas_group was specified without runas_user we
* run the command as the invoking user.
*/
if (runas_group != NULL) {
if (!set_runasgr(runas_group, false))
debug_return_bool(false);
if (!set_runaspw(runas_user ? runas_user : user_name, false))
debug_return_bool(false);
} else {
if (!set_runaspw(runas_user ? runas_user : def_runas_default, false))
debug_return_bool(false);
}
debug_return_bool(true); debug_return_bool(true);
} }
@@ -1304,7 +1304,7 @@ set_runaspw(const char *user, bool quiet)
if (pw == NULL) { if (pw == NULL) {
if ((pw = sudo_getpwnam(user)) == NULL) { if ((pw = sudo_getpwnam(user)) == NULL) {
if (!quiet) if (!quiet)
log_warningx(SLOG_RAW_MSG, N_("unknown user: %s"), user); log_warningx(SLOG_AUDIT, N_("unknown user: %s"), user);
debug_return_bool(false); debug_return_bool(false);
} }
} }
@@ -1338,7 +1338,7 @@ set_runasgr(const char *group, bool quiet)
if (gr == NULL) { if (gr == NULL) {
if ((gr = sudo_getgrnam(group)) == NULL) { if ((gr = sudo_getgrnam(group)) == NULL) {
if (!quiet) if (!quiet)
log_warningx(SLOG_RAW_MSG, N_("unknown group: %s"), group); log_warningx(SLOG_AUDIT, N_("unknown group: %s"), group);
debug_return_bool(false); debug_return_bool(false);
} }
} }