Defer lookup of runas user until sudoers_main() for better logging.
The log message now includes user info and the command attempted.
@@ -657,7 +657,7 @@ sudoers_to_eventlog(struct eventlog *evlog, char * const argv[],
|
||||
memset(evlog, 0, sizeof(*evlog));
|
||||
/* TODO: iolog_path */
|
||||
evlog->iolog_file = sudo_user.iolog_file;
|
||||
evlog->command = safe_cmnd;
|
||||
evlog->command = safe_cmnd ? safe_cmnd : (argv ? argv[0] : NULL);
|
||||
evlog->cwd = user_cwd;
|
||||
if (def_runchroot != NULL && strcmp(def_runchroot, "*") != 0) {
|
||||
evlog->runchroot = def_runchroot;
|
||||
|
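Review bot: The fallback in `evlog->command = safe_cmnd ? safe_cmnd : (argv ? argv[0] : NULL);` stores the caller-supplied argv[0] in the same field that otherwise holds safe_cmnd, and nothing in the event says which of the two was logged. A log consumer that treats the field as the resolved command could misattribute a failed attempt, so I would add a comment above the assignment, e.g. `/* safe_cmnd may be unset if we fail before the command is resolved; fall back to the name as given by the user. */`. Since argv[0] is untrusted input, this also relies on the event log writer escaping it, which is not visible here. sudoers_to_eventlog() starts and ends outside the hunk.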
@@ -395,6 +395,21 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Set runas passwd/group entries based on command line or sudoers.
|
||||
* Note that if runas_group was specified without runas_user we
|
||||
* run the command as the invoking user.
|
||||
*/
|
||||
if (runas_group != NULL) {
|
||||
if (!set_runasgr(runas_group, false))
|
||||
goto done;
|
||||
if (!set_runaspw(runas_user ? runas_user : user_name, false))
|
||||
goto done;
|
||||
} else {
|
||||
if (!set_runaspw(runas_user ? runas_user : def_runas_default, false))
|
||||
goto done;
|
||||
}
|
||||
|
||||
/* If given the -P option, set the "preserve_groups" flag. */
|
||||
if (ISSET(sudo_mode, MODE_PRESERVE_GROUPS))
|
||||
def_preserve_groups = true;
|
||||
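Review bot: With the lookup moved into sudoers_policy_main(), the runas passwd/group entries are presumably still unset when init_vars() returns. Any code that runs between init_vars() and this block, or any other entry point that relied on init_vars() to fill them in, now has to cope with that; this is worth checking because none of those callers are visible here. The failure path also changes from an early return to `goto done`, and both the `done` label and the value returned there lie outside the hunk, so please confirm that an unknown runas user or group still ends in a denial. A short comment would record the intent: `/* Deferred from init_vars() so a failed lookup is logged with user and command info. */`.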
@@ -860,21 +875,6 @@ init_vars(char * const envp[])
|
||||
debug_return_bool(false);
|
||||
}
|
||||
|
||||
/*
|
||||
* Set runas passwd/group entries based on command line or sudoers.
|
||||
* Note that if runas_group was specified without runas_user we
|
||||
* run the command as the invoking user.
|
||||
*/
|
||||
if (runas_group != NULL) {
|
||||
if (!set_runasgr(runas_group, false))
|
||||
debug_return_bool(false);
|
||||
if (!set_runaspw(runas_user ? runas_user : user_name, false))
|
||||
debug_return_bool(false);
|
||||
} else {
|
||||
if (!set_runaspw(runas_user ? runas_user : def_runas_default, false))
|
||||
debug_return_bool(false);
|
||||
}
|
||||
|
||||
debug_return_bool(true);
|
||||
}
|
||||
|
||||
@@ -1304,7 +1304,7 @@ set_runaspw(const char *user, bool quiet)
|
||||
if (pw == NULL) {
|
||||
if ((pw = sudo_getpwnam(user)) == NULL) {
|
||||
if (!quiet)
|
||||
log_warningx(SLOG_RAW_MSG, N_("unknown user: %s"), user);
|
||||
log_warningx(SLOG_AUDIT, N_("unknown user: %s"), user);
|
||||
debug_return_bool(false);
|
||||
}
|
||||
}
|
||||
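Review bot: `quiet` now gates more than a warning: with `if (!quiet) log_warningx(SLOG_AUDIT, ...)`, a caller passing quiet=true gets, judging by the flag name, no audit trail at all for an unknown runas user. The same applies to the unknown-group branch of set_runasgr() in the next hunk. I would document this on both functions, e.g. `/* If quiet is true, an unknown user is neither reported nor audited. */`, so callers choose the flag deliberately. While touching these lines, braces around the single-statement `if (!quiet)` body would guard against a later second statement escaping the condition. Both functions start and end outside their hunks.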
@@ -1338,7 +1338,7 @@ set_runasgr(const char *group, bool quiet)
|
||||
if (gr == NULL) {
|
||||
if ((gr = sudo_getgrnam(group)) == NULL) {
|
||||
if (!quiet)
|
||||
log_warningx(SLOG_RAW_MSG, N_("unknown group: %s"), group);
|
||||
log_warningx(SLOG_AUDIT, N_("unknown group: %s"), group);
|
||||
debug_return_bool(false);
|
||||
}
|
||||
}
|
||||
|