rpms/sudo/devel sudo-1.6.9p13-audit.patch, 1.1, 1.2 sudo.spec, 1.61, 1.62

Peter Vrabec (pvrabec) fedora-extras-commits at redhat.com
Tue Mar 4 10:28:20 UTC 2008


Author: pvrabec

Update of /cvs/extras/rpms/sudo/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv3369

Modified Files:
	sudo-1.6.9p13-audit.patch sudo.spec 
Log Message:
audit support improvement


sudo-1.6.9p13-audit.patch:

Index: sudo-1.6.9p13-audit.patch
===================================================================
RCS file: /cvs/extras/rpms/sudo/devel/sudo-1.6.9p13-audit.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sudo-1.6.9p13-audit.patch	21 Feb 2008 15:10:42 -0000	1.1
+++ sudo-1.6.9p13-audit.patch	4 Mar 2008 10:28:10 -0000	1.2
@@ -1,6 +1,6 @@
 diff -up sudo-1.6.9p13/set_perms.c.audit sudo-1.6.9p13/set_perms.c
 --- sudo-1.6.9p13/set_perms.c.audit	2007-11-28 00:41:23.000000000 +0100
-+++ sudo-1.6.9p13/set_perms.c	2008-02-21 14:03:02.000000000 +0100
++++ sudo-1.6.9p13/set_perms.c	2008-03-04 11:18:45.000000000 +0100
 @@ -53,6 +53,10 @@
  #ifdef HAVE_LOGIN_CAP_H
  # include <login_cap.h>
@@ -67,8 +67,8 @@
  	case PERM_SUDOERS:
  				/* assume euid == ROOT_UID, ruid == user */
 diff -up sudo-1.6.9p13/sudo.c.audit sudo-1.6.9p13/sudo.c
---- sudo-1.6.9p13/sudo.c.audit	2008-02-21 14:03:02.000000000 +0100
-+++ sudo-1.6.9p13/sudo.c	2008-02-21 14:03:02.000000000 +0100
+--- sudo-1.6.9p13/sudo.c.audit	2008-03-04 11:18:45.000000000 +0100
++++ sudo-1.6.9p13/sudo.c	2008-03-04 11:21:54.000000000 +0100
 @@ -100,6 +100,10 @@
  # include <selinux/selinux.h>
  #endif
@@ -91,119 +91,54 @@
      /*
       * Look up the timestamp dir owner if one is specified.
       */
-@@ -305,9 +313,13 @@ main(argc, argv, envp)
- 	    pw = getpwuid(atoi(def_timestampowner + 1));
- 	else
- 	    pw = getpwnam(def_timestampowner);
--	if (!pw)
-+	if (!pw) {
-+#if defined(WITH_AUDIT)
-+	    audit_logger(AUDIT_USER_CMD,  user_cmnd, 0);
-+#endif
- 	    log_error(0, "timestamp owner (%s): No such user",
- 		def_timestampowner);
-+        }
- 	timestamp_uid = pw->pw_uid;
-     }
- 
-@@ -317,15 +329,22 @@ main(argc, argv, envp)
- 	exit(0);
-     }
- 
--    if (ISSET(validated, VALIDATE_ERROR))
-+    if (ISSET(validated, VALIDATE_ERROR)) {
-+#if defined(WITH_AUDIT)
-+        audit_logger(AUDIT_USER_CMD,  user_cmnd, 0);
-+#endif
- 	log_error(0, "parse error in %s near line %d", _PATH_SUDOERS,
- 	    errorlineno);
-+    }
- 
-     /* Is root even allowed to run sudo? */
-     if (user_uid == 0 && !def_root_sudo) {
- 	(void) fprintf(stderr,
- 	    "Sorry, %s has been configured to not allow root to run it.\n",
- 	    getprogname());
-+#if defined(WITH_AUDIT)
-+        audit_logger(AUDIT_USER_CMD,  user_cmnd, 0);
-+#endif
- 	exit(1);
-     }
- 
-@@ -339,8 +358,12 @@ main(argc, argv, envp)
- 
-     /* Bail if a tty is required and we don't have one.  */
-     if (def_requiretty) {
--	if ((fd = open(_PATH_TTY, O_RDWR|O_NOCTTY)) == -1)
-+	if ((fd = open(_PATH_TTY, O_RDWR|O_NOCTTY)) == -1) {
-+#if defined(WITH_AUDIT)
-+	    audit_logger(AUDIT_USER_CMD,  user_cmnd, 0);
-+#endif
- 	    log_error(NO_MAIL, "sorry, you must have a tty to run sudo");
-+        }
- 	else
- 	    (void) close(fd);
-     }
-@@ -373,17 +396,27 @@ main(argc, argv, envp)
- 	/* Finally tell the user if the command did not exist. */
- 	if (cmnd_status == NOT_FOUND_DOT) {
- 	    warnx("ignoring `%s' found in '.'\nUse `sudo ./%s' if this is the `%s' you wish to run.", user_cmnd, user_cmnd, user_cmnd);
-+#if defined(WITH_AUDIT)
-+	    audit_logger(AUDIT_USER_CMD,  user_cmnd, 0);
-+#endif
- 	    exit(1);
- 	} else if (cmnd_status == NOT_FOUND) {
- 	    warnx("%s: command not found", user_cmnd);
-+#if defined(WITH_AUDIT)
-+	    audit_logger(AUDIT_USER_CMD,  user_cmnd, 0);
-+#endif
- 	    exit(1);
- 	}
- 
- 	/* If user specified env vars make sure sudoers allows it. */
- 	if (ISSET(sudo_mode, MODE_RUN) && !ISSET(validated, FLAG_SETENV)) {
--	    if (ISSET(sudo_mode, MODE_PRESERVE_ENV))
-+	    if (ISSET(sudo_mode, MODE_PRESERVE_ENV)) {
-+#if defined(WITH_AUDIT)
-+	        audit_logger(AUDIT_USER_CMD,  user_cmnd, 0);
-+#endif
- 		log_error(NO_MAIL,
- 		    "sorry, you are not allowed to preserve the environment");
-+            }
- 	    else
- 		validate_env_vars(sudo_user.env_vars);
- 	}
-@@ -442,6 +475,17 @@ main(argc, argv, envp)
+@@ -442,6 +450,17 @@ main(argc, argv, envp)
  	(void) sigaction(SIGTSTP, &saved_sa_tstp, NULL);
  	(void) sigaction(SIGCHLD, &saved_sa_chld, NULL);
  
 +        if (access(safe_cmnd, X_OK) != 0) {
 +                 warn ("unable to execute %s", safe_cmnd);
 +#ifdef WITH_AUDIT
-+                audit_logger(AUDIT_USER_CMD,  safe_cmnd, 0);
++                audit_logger(AUDIT_USER_CMD,  safe_cmnd, user_args, 0);
 +#endif
 +                exit(127);
 +        }
 +#ifdef WITH_AUDIT
-+        audit_logger(AUDIT_USER_CMD,  safe_cmnd, 1);
++        audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 1);
 +#endif
 +
  #ifndef PROFILING
  	if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0)
  	    exit(0);
-@@ -465,6 +509,9 @@ main(argc, argv, envp)
+@@ -465,10 +484,16 @@ main(argc, argv, envp)
  	    NewArgv[1] = safe_cmnd;
  	    execve(_PATH_BSHELL, NewArgv, environ);
  	}
 +#ifdef WITH_AUDIT
-+	audit_logger(AUDIT_USER_CMD,  safe_cmnd, 0);
++	audit_logger(AUDIT_USER_CMD,  safe_cmnd, user_args, 0);
 +#endif
  	warn("unable to execute %s", safe_cmnd);
  	exit(127);
      } else if (ISSET(validated, FLAG_NO_USER) || (validated & FLAG_NO_HOST)) {
+ 	log_auth(validated, 1);
++#ifdef WITH_AUDIT
++	audit_logger(AUDIT_USER_CMD,  safe_cmnd, user_args, 0);
++#endif
+ 	exit(1);
+     } else if (ISSET(validated, VALIDATE_NOT_OK)) {
+ 	if (def_path_info) {
+@@ -489,6 +514,9 @@ main(argc, argv, envp)
+ 	    /* Just tell the user they are not allowed to run foo. */
+ 	    log_auth(validated, 1);
+ 	}
++#ifdef WITH_AUDIT
++	audit_logger(AUDIT_USER_CMD,  safe_cmnd, user_args, 0);
++#endif
+ 	exit(1);
+     } else {
+ 	/* should never get here */
 diff -up sudo-1.6.9p13/configure.in.audit sudo-1.6.9p13/configure.in
---- sudo-1.6.9p13/configure.in.audit	2008-02-21 14:03:02.000000000 +0100
-+++ sudo-1.6.9p13/configure.in	2008-02-21 14:03:02.000000000 +0100
+--- sudo-1.6.9p13/configure.in.audit	2008-03-04 11:18:45.000000000 +0100
++++ sudo-1.6.9p13/configure.in	2008-03-04 11:18:45.000000000 +0100
 @@ -166,6 +166,10 @@ dnl
  dnl Options for --with
  dnl
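Review bot: The two new denial records (after `log_auth(validated, 1)` in the FLAG_NO_USER/FLAG_NO_HOST branch and again before the VALIDATE_NOT_OK `exit(1)`) pass `safe_cmnd`, but on a denied path no sudoers entry matched and nothing in this hunk shows where `safe_cmnd` would have been assigned for that case; if it can still be NULL there, the `"%s"` formatting inside audit_logger would receive a null pointer. `user_cmnd`, the command as the user typed it, is the reliable value to record for a denial, e.g. `audit_logger(AUDIT_USER_CMD, user_cmnd, user_args, 0);`, unless the initialisation of `safe_cmnd` elsewhere in main() guarantees a value. The VALIDATE_NOT_OK branch and the enclosing main() both start and end outside this hunk, so the `def_path_info` sub-case should be checked with the same question in mind.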
@@ -243,8 +178,8 @@
  dnl
 diff -up /dev/null sudo-1.6.9p13/audit_help.c
 --- /dev/null	2008-02-05 17:16:01.642928004 +0100
-+++ sudo-1.6.9p13/audit_help.c	2008-02-21 14:20:56.000000000 +0100
-@@ -0,0 +1,124 @@
++++ sudo-1.6.9p13/audit_help.c	2008-03-04 11:21:15.000000000 +0100
+@@ -0,0 +1,140 @@
 +/*
 + *  Audit helper functions used throughout sudo
 + *
@@ -285,6 +220,7 @@
 +#include <libaudit.h>
 +#include <errno.h>
 +#include <stdio.h>
++#include <string.h>
 +#include <unistd.h>
 +#include <sys/types.h>
 +
@@ -314,22 +250,36 @@
 + *
 + * type - type of message: AUDIT_USER_CMD
 + * command - the command being logged
++ * params - parames of the command
 + * result - 1 is "success" and 0 is "failed"
 + *
 + */
-+void audit_logger (int type, const char *command, int result)
++void audit_logger (int type, const char *command, const char *params, int result)
 +{
 +	int err;
++	char *msg;
 +
-+	if (audit_fd < 0)
++	if( audit_fd < 0 )
 +		return;
 +	else {
-+               err = audit_log_user_command (audit_fd, type, command, NULL, result);
-+               /* The kernel supports auditing and we had
++
++		if( params ) 
++	                err = asprintf(&msg, "%s %s", command, params);
++		else 
++	                err = asprintf(&msg, "%s", command);
++                if (err < 0) {
++                        fprintf (stderr, "Memory allocation for audit message wasn’t possible.\n");
++                        return;
++                }
++		
++		err = audit_log_user_command (audit_fd, type, msg, NULL, result);
++               /* The kernel supports auditing and we had 
 +                  enough privilege to write to the socket. */
-+               if( err <= 0 && !(errno == EPERM && getuid() != 0) ) {
-+                       perror("audit_log_user_command()");
-+               }
++		if( err <= 0 && !(errno == EPERM && getuid() != 0) ) {
++			perror("audit_log_user_command()");
++		}
++
++		free(msg);
 +	}
 +}
 +
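Review bot: The new `free(msg)` at the end of audit_logger needs `<stdlib.h>`, yet the include hunk above only adds `<string.h>`, which nothing in this function uses; unless `<stdlib.h>` arrives through a header not shown here, `free` is an implicit declaration, so the added include should be `#include <stdlib.h>` (string.h can go). `asprintf` is a GNU extension whose prototype is only visible when `_GNU_SOURCE` is defined before `<stdio.h>`; presumably config.h takes care of that in this build, but it is worth confirming, and on failure `msg` is left unset so the early `return` before `free` is the right shape. The error string `"Memory allocation for audit message wasn’t possible.\n"` contains a non-ASCII U+2019 apostrophe; plain `wasn't` keeps the stderr output locale-independent. The added lines also mix space and tab indentation (the `asprintf` branches are space-indented inside a tab-indented block), which the surrounding tab-indented code does not.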
@@ -353,6 +303,7 @@
 +
 +        rc = audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
 +                                    msg, NULL, NULL, ttyn, success);
++
 +        if (rc <= 0) {
 +                fprintf(stderr, "Error sending audit message.\n");
 +                rc = -1;
@@ -371,7 +322,7 @@
 +
 diff -up sudo-1.6.9p13/Makefile.in.audit sudo-1.6.9p13/Makefile.in
 --- sudo-1.6.9p13/Makefile.in.audit	2008-02-19 19:13:10.000000000 +0100
-+++ sudo-1.6.9p13/Makefile.in	2008-02-21 14:03:02.000000000 +0100
++++ sudo-1.6.9p13/Makefile.in	2008-03-04 11:18:45.000000000 +0100
 @@ -120,11 +120,13 @@ HDRS = compat.h def_data.h defaults.h in
  
  AUTH_OBJS = sudo_auth.o @AUTH_OBJS@
@@ -398,8 +349,8 @@
  	@rm -f $(srcdir)/$@
  	( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" | perl -p sudo.man.pl >> $@ )
 diff -up sudo-1.6.9p13/sudo.h.audit sudo-1.6.9p13/sudo.h
---- sudo-1.6.9p13/sudo.h.audit	2008-02-21 14:03:02.000000000 +0100
-+++ sudo-1.6.9p13/sudo.h	2008-02-21 14:03:02.000000000 +0100
+--- sudo-1.6.9p13/sudo.h.audit	2008-03-04 11:18:45.000000000 +0100
++++ sudo-1.6.9p13/sudo.h	2008-03-04 11:18:45.000000000 +0100
 @@ -23,6 +23,8 @@
  #ifndef _SUDO_SUDO_H
  #define _SUDO_SUDO_H
@@ -416,7 +367,7 @@
 +#ifdef WITH_AUDIT
 +extern int audit_fd;
 +extern void audit_help_open (void);
-+extern void audit_logger (int, const char *, int);
++extern void audit_logger (int, const char *, const char *, int);
 +#endif
 +
  #endif /* _SUDO_SUDO_H */


Index: sudo.spec
===================================================================
RCS file: /cvs/extras/rpms/sudo/devel/sudo.spec,v
retrieving revision 1.61
retrieving revision 1.62
diff -u -r1.61 -r1.62
--- sudo.spec	21 Feb 2008 15:10:42 -0000	1.61
+++ sudo.spec	4 Mar 2008 10:28:10 -0000	1.62
@@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
 Version: 1.6.9p13
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: BSD
 Group: Applications/System
 URL: http://www.courtesan.com/sudo/
@@ -129,6 +129,9 @@
 /bin/chmod 0440 /etc/sudoers || :
 
 %changelog
+* Tue Mar 04 2008 Peter Vrabec <pvrabec at redhat.com> 1.6.9p13-2
+- audit support improvement
+
 * Thu Feb 21 2008 Peter Vrabec <pvrabec at redhat.com> 1.6.9p13-1
 - upgrade to the latest upstream release
 



