rpms/sudo/devel sudo-1.6.9p13-audit.patch, 1.2, 1.3 sudo.spec, 1.68, 1.69

Peter Vrabec pvrabec at fedoraproject.org
Tue Sep 2 13:56:42 UTC 2008


Author: pvrabec

Update of /cvs/extras/rpms/sudo/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv3626

Modified Files:
	sudo-1.6.9p13-audit.patch sudo.spec 
Log Message:
- adjust audit patch, do not scream when kernel is
  compiled without audit netlink support (#401201)


sudo-1.6.9p13-audit.patch:

Index: sudo-1.6.9p13-audit.patch
===================================================================
RCS file: /cvs/extras/rpms/sudo/devel/sudo-1.6.9p13-audit.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- sudo-1.6.9p13-audit.patch	4 Mar 2008 10:28:10 -0000	1.2
+++ sudo-1.6.9p13-audit.patch	2 Sep 2008 13:56:42 -0000	1.3
@@ -1,184 +1,6 @@
-diff -up sudo-1.6.9p13/set_perms.c.audit sudo-1.6.9p13/set_perms.c
---- sudo-1.6.9p13/set_perms.c.audit	2007-11-28 00:41:23.000000000 +0100
-+++ sudo-1.6.9p13/set_perms.c	2008-03-04 11:18:45.000000000 +0100
-@@ -53,6 +53,10 @@
- #ifdef HAVE_LOGIN_CAP_H
- # include <login_cap.h>
- #endif
-+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
-+# include <sys/prctl.h>
-+# include <sys/capability.h>
-+#endif
- 
- #include "sudo.h"
- 
-@@ -119,13 +123,46 @@ set_perms(perm)
- 			      	break;
- 
- 	case PERM_FULL_RUNAS:
--				/* headed for exec(), assume euid == ROOT_UID */
--				runas_setup();
--				if (setresuid(def_stay_setuid ?
--				    user_uid : runas_pw->pw_uid,
--				    runas_pw->pw_uid, runas_pw->pw_uid))
--				    err(1, "unable to change to runas uid");
--				break;
-+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
-+                                { /* BEGIN CAP BLOCK */
-+                                 cap_t new_caps;
-+                                 cap_value_t cap_list[] = { CAP_AUDIT_WRITE };
-+
-+                                 if (runas_pw->pw_uid != ROOT_UID) {
-+                                     new_caps = cap_init ();
-+                                     if (!new_caps)
-+                                         err(1, "Error initing capabilities, aborting.\n");
-+
-+                                     if(cap_set_flag(new_caps, CAP_PERMITTED, 1, cap_list, CAP_SET) ||
-+                                        cap_set_flag(new_caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET)) {
-+                                          err(1, "Error setting capabilities, aborting\n");
-+                                     }
-+
-+                                     if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0))
-+                                         err(1, "Error setting KEEPCAPS, aborting\n");
-+                                 }
-+#endif
-+                                /* headed for exec(), assume euid == ROOT_UID */
-+                                 runas_setup ();
-+                                 if (setresuid(def_stay_setuid ?
-+                                     user_uid : runas_pw->pw_uid,
-+                                     runas_pw->pw_uid, runas_pw->pw_uid))
-+                                     err(1, "unable to change to runas uid");
-+
-+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
-+                                 if (runas_pw->pw_uid != ROOT_UID) {
-+                                     if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0)
-+                                         err(1, "Error resetting KEEPCAPS, aborting\n");
-+
-+                                     if (cap_set_proc(new_caps))
-+                                         err(1, "Error dropping capabilities, aborting\n");
-+
-+                                     if (cap_free (new_caps))
-+                                         err(1, "Error freeing caps\n");
-+                                 }
-+                                } /* END CAP BLOCK */
-+#endif
-+                                break;
- 
- 	case PERM_SUDOERS:
- 				/* assume euid == ROOT_UID, ruid == user */
-diff -up sudo-1.6.9p13/sudo.c.audit sudo-1.6.9p13/sudo.c
---- sudo-1.6.9p13/sudo.c.audit	2008-03-04 11:18:45.000000000 +0100
-+++ sudo-1.6.9p13/sudo.c	2008-03-04 11:21:54.000000000 +0100
-@@ -100,6 +100,10 @@
- # include <selinux/selinux.h>
- #endif
- 
-+#ifdef WITH_AUDIT
-+#include <libaudit.h>
-+#endif
-+
- #include "sudo.h"
- #include "interfaces.h"
- #include "version.h"
-@@ -295,6 +299,10 @@ main(argc, argv, envp)
-     if (safe_cmnd == NULL)
- 	safe_cmnd = estrdup(user_cmnd);
- 
-+#if defined(WITH_AUDIT)
-+    audit_help_open ();
-+#endif
-+
-     /*
-      * Look up the timestamp dir owner if one is specified.
-      */
-@@ -442,6 +450,17 @@ main(argc, argv, envp)
- 	(void) sigaction(SIGTSTP, &saved_sa_tstp, NULL);
- 	(void) sigaction(SIGCHLD, &saved_sa_chld, NULL);
- 
-+        if (access(safe_cmnd, X_OK) != 0) {
-+                 warn ("unable to execute %s", safe_cmnd);
-+#ifdef WITH_AUDIT
-+                audit_logger(AUDIT_USER_CMD,  safe_cmnd, user_args, 0);
-+#endif
-+                exit(127);
-+        }
-+#ifdef WITH_AUDIT
-+        audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 1);
-+#endif
-+
- #ifndef PROFILING
- 	if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0)
- 	    exit(0);
-@@ -465,10 +484,16 @@ main(argc, argv, envp)
- 	    NewArgv[1] = safe_cmnd;
- 	    execve(_PATH_BSHELL, NewArgv, environ);
- 	}
-+#ifdef WITH_AUDIT
-+	audit_logger(AUDIT_USER_CMD,  safe_cmnd, user_args, 0);
-+#endif
- 	warn("unable to execute %s", safe_cmnd);
- 	exit(127);
-     } else if (ISSET(validated, FLAG_NO_USER) || (validated & FLAG_NO_HOST)) {
- 	log_auth(validated, 1);
-+#ifdef WITH_AUDIT
-+	audit_logger(AUDIT_USER_CMD,  safe_cmnd, user_args, 0);
-+#endif
- 	exit(1);
-     } else if (ISSET(validated, VALIDATE_NOT_OK)) {
- 	if (def_path_info) {
-@@ -489,6 +514,9 @@ main(argc, argv, envp)
- 	    /* Just tell the user they are not allowed to run foo. */
- 	    log_auth(validated, 1);
- 	}
-+#ifdef WITH_AUDIT
-+	audit_logger(AUDIT_USER_CMD,  safe_cmnd, user_args, 0);
-+#endif
- 	exit(1);
-     } else {
- 	/* should never get here */
-diff -up sudo-1.6.9p13/configure.in.audit sudo-1.6.9p13/configure.in
---- sudo-1.6.9p13/configure.in.audit	2008-03-04 11:18:45.000000000 +0100
-+++ sudo-1.6.9p13/configure.in	2008-03-04 11:18:45.000000000 +0100
-@@ -166,6 +166,10 @@ dnl
- dnl Options for --with
- dnl
- 
-+AC_ARG_WITH(audit,
-+        [AC_HELP_STRING([--with-audit], [use auditing support @<:@default=yes if found@:>@])],
-+        [with_audit=$withval], [with_audit=yes])
-+
- AC_ARG_WITH(CC, [  --with-CC               C compiler to use],
- [case $with_CC in
-     yes)	AC_MSG_ERROR(["must give --with-CC an argument."])
-@@ -1614,6 +1618,25 @@ dnl
- : ${mansectsu='8'}
- : ${mansectform='5'}
- 
-+
-+AC_SUBST(LIBAUDIT)
-+if test "$with_audit" = "yes"; then
-+	# See if we have the audit library
-+        AC_CHECK_HEADER(libaudit.h, [audit_header="yes"], [audit_header="no"])
-+        if test "$audit_header" = "yes"; then
-+                AC_CHECK_LIB(audit, audit_log_user_command,
-+                        [AC_DEFINE(WITH_AUDIT, 1, [Define if you want to enable Audit messages])
-+                        LIBAUDIT="-laudit"])
-+        fi
-+	# See if we have the libcap library
-+	AC_CHECK_HEADERS(sys/capability.h sys/prctl.h, [cap_header="yes"], [cap_header="no"])
-+	if test "$cap_header" = "yes"; then
-+		AC_CHECK_LIB(cap, cap_init,
-+			[AC_DEFINE(HAVE_LIBCAP, 1, [SELinux libcap support])
-+			SUDO_LIBS="${SUDO_LIBS} -lcap"])
-+	fi
-+fi
-+
- dnl
- dnl Add in any libpaths or libraries specified via configure
- dnl
-diff -up /dev/null sudo-1.6.9p13/audit_help.c
---- /dev/null	2008-02-05 17:16:01.642928004 +0100
-+++ sudo-1.6.9p13/audit_help.c	2008-03-04 11:21:15.000000000 +0100
+diff -up /dev/null sudo-1.6.9p17/audit_help.c
+--- /dev/null	2008-08-23 21:55:45.734000982 +0200
++++ sudo-1.6.9p17/audit_help.c	2008-09-02 15:49:38.000000000 +0200
 @@ -0,0 +1,140 @@
 +/*
 + *  Audit helper functions used throughout sudo
@@ -275,7 +97,7 @@
 +		err = audit_log_user_command (audit_fd, type, msg, NULL, result);
 +               /* The kernel supports auditing and we had 
 +                  enough privilege to write to the socket. */
-+		if( err <= 0 && !(errno == EPERM && getuid() != 0) ) {
++		if( err <= 0 && !((errno == EPERM && getuid() > 0) || errno == ECONNREFUSED ) ) {
 +			perror("audit_log_user_command()");
 +		}
 +
@@ -320,10 +142,50 @@
 +#endif                         /* WITH_AUDIT */
 +
 +
-diff -up sudo-1.6.9p13/Makefile.in.audit sudo-1.6.9p13/Makefile.in
---- sudo-1.6.9p13/Makefile.in.audit	2008-02-19 19:13:10.000000000 +0100
-+++ sudo-1.6.9p13/Makefile.in	2008-03-04 11:18:45.000000000 +0100
-@@ -120,11 +120,13 @@ HDRS = compat.h def_data.h defaults.h in
+diff -up sudo-1.6.9p17/configure.in.audit sudo-1.6.9p17/configure.in
+--- sudo-1.6.9p17/configure.in.audit	2008-09-02 15:48:46.000000000 +0200
++++ sudo-1.6.9p17/configure.in	2008-09-02 15:48:46.000000000 +0200
+@@ -167,6 +167,10 @@ dnl
+ dnl Options for --with
+ dnl
+ 
++AC_ARG_WITH(audit,
++        [AC_HELP_STRING([--with-audit], [use auditing support @<:@default=yes if found@:>@])],
++        [with_audit=$withval], [with_audit=yes])
++
+ AC_ARG_WITH(CC, [  --with-CC               C compiler to use],
+ [case $with_CC in
+     yes)	AC_MSG_ERROR(["must give --with-CC an argument."])
+@@ -1616,6 +1620,25 @@ dnl
+ : ${mansectsu='8'}
+ : ${mansectform='5'}
+ 
++
++AC_SUBST(LIBAUDIT)
++if test "$with_audit" = "yes"; then
++	# See if we have the audit library
++        AC_CHECK_HEADER(libaudit.h, [audit_header="yes"], [audit_header="no"])
++        if test "$audit_header" = "yes"; then
++                AC_CHECK_LIB(audit, audit_log_user_command,
++                        [AC_DEFINE(WITH_AUDIT, 1, [Define if you want to enable Audit messages])
++                        LIBAUDIT="-laudit"])
++        fi
++	# See if we have the libcap library
++	AC_CHECK_HEADERS(sys/capability.h sys/prctl.h, [cap_header="yes"], [cap_header="no"])
++	if test "$cap_header" = "yes"; then
++		AC_CHECK_LIB(cap, cap_init,
++			[AC_DEFINE(HAVE_LIBCAP, 1, [SELinux libcap support])
++			SUDO_LIBS="${SUDO_LIBS} -lcap"])
++	fi
++fi
++
+ dnl
+ dnl Add in any libpaths or libraries specified via configure
+ dnl
+diff -up sudo-1.6.9p17/Makefile.in.audit sudo-1.6.9p17/Makefile.in
+--- sudo-1.6.9p17/Makefile.in.audit	2008-06-22 22:29:03.000000000 +0200
++++ sudo-1.6.9p17/Makefile.in	2008-09-02 15:48:46.000000000 +0200
+@@ -121,11 +121,13 @@ HDRS = compat.h def_data.h defaults.h in
  
  AUTH_OBJS = sudo_auth.o @AUTH_OBJS@
  
@@ -338,7 +200,7 @@
  
  VISUDOBJS = visudo.o fileops.o gettime.o goodpath.o find_path.o $(PARSEOBJS)
  
-@@ -276,6 +278,9 @@ securid5.o: $(authdir)/securid5.c $(AUTH
+@@ -277,6 +279,9 @@ securid5.o: $(authdir)/securid5.c $(AUTH
  sia.o: $(authdir)/sia.c $(AUTHDEP)
  	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/sia.c
  
@@ -348,9 +210,147 @@
  sudo.man.in: $(srcdir)/sudo.pod
  	@rm -f $(srcdir)/$@
  	( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" | perl -p sudo.man.pl >> $@ )
-diff -up sudo-1.6.9p13/sudo.h.audit sudo-1.6.9p13/sudo.h
---- sudo-1.6.9p13/sudo.h.audit	2008-03-04 11:18:45.000000000 +0100
-+++ sudo-1.6.9p13/sudo.h	2008-03-04 11:18:45.000000000 +0100
+diff -up sudo-1.6.9p17/set_perms.c.audit sudo-1.6.9p17/set_perms.c
+--- sudo-1.6.9p17/set_perms.c.audit	2007-11-28 00:41:23.000000000 +0100
++++ sudo-1.6.9p17/set_perms.c	2008-09-02 15:48:46.000000000 +0200
+@@ -53,6 +53,10 @@
+ #ifdef HAVE_LOGIN_CAP_H
+ # include <login_cap.h>
+ #endif
++#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
++# include <sys/prctl.h>
++# include <sys/capability.h>
++#endif
+ 
+ #include "sudo.h"
+ 
+@@ -119,13 +123,46 @@ set_perms(perm)
+ 			      	break;
+ 
+ 	case PERM_FULL_RUNAS:
+-				/* headed for exec(), assume euid == ROOT_UID */
+-				runas_setup();
+-				if (setresuid(def_stay_setuid ?
+-				    user_uid : runas_pw->pw_uid,
+-				    runas_pw->pw_uid, runas_pw->pw_uid))
+-				    err(1, "unable to change to runas uid");
+-				break;
++#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
++                                { /* BEGIN CAP BLOCK */
++                                 cap_t new_caps;
++                                 cap_value_t cap_list[] = { CAP_AUDIT_WRITE };
++
++                                 if (runas_pw->pw_uid != ROOT_UID) {
++                                     new_caps = cap_init ();
++                                     if (!new_caps)
++                                         err(1, "Error initing capabilities, aborting.\n");
++
++                                     if(cap_set_flag(new_caps, CAP_PERMITTED, 1, cap_list, CAP_SET) ||
++                                        cap_set_flag(new_caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET)) {
++                                          err(1, "Error setting capabilities, aborting\n");
++                                     }
++
++                                     if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0))
++                                         err(1, "Error setting KEEPCAPS, aborting\n");
++                                 }
++#endif
++                                /* headed for exec(), assume euid == ROOT_UID */
++                                 runas_setup ();
++                                 if (setresuid(def_stay_setuid ?
++                                     user_uid : runas_pw->pw_uid,
++                                     runas_pw->pw_uid, runas_pw->pw_uid))
++                                     err(1, "unable to change to runas uid");
++
++#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
++                                 if (runas_pw->pw_uid != ROOT_UID) {
++                                     if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0)
++                                         err(1, "Error resetting KEEPCAPS, aborting\n");
++
++                                     if (cap_set_proc(new_caps))
++                                         err(1, "Error dropping capabilities, aborting\n");
++
++                                     if (cap_free (new_caps))
++                                         err(1, "Error freeing caps\n");
++                                 }
++                                } /* END CAP BLOCK */
++#endif
++                                break;
+ 
+ 	case PERM_SUDOERS:
+ 				/* assume euid == ROOT_UID, ruid == user */
+diff -up sudo-1.6.9p17/sudo.c.audit sudo-1.6.9p17/sudo.c
+--- sudo-1.6.9p17/sudo.c.audit	2008-09-02 15:48:46.000000000 +0200
++++ sudo-1.6.9p17/sudo.c	2008-09-02 15:48:46.000000000 +0200
+@@ -100,6 +100,10 @@
+ # include <selinux/selinux.h>
+ #endif
+ 
++#ifdef WITH_AUDIT
++#include <libaudit.h>
++#endif
++
+ #include "sudo.h"
+ #include "interfaces.h"
+ #include "version.h"
+@@ -289,6 +293,10 @@ main(argc, argv, envp)
+     if (safe_cmnd == NULL)
+ 	safe_cmnd = estrdup(user_cmnd);
+ 
++#if defined(WITH_AUDIT)
++    audit_help_open ();
++#endif
++
+     /*
+      * Look up the timestamp dir owner if one is specified.
+      */
+@@ -435,6 +443,17 @@ main(argc, argv, envp)
+ 	(void) sigaction(SIGQUIT, &saved_sa_quit, NULL);
+ 	(void) sigaction(SIGTSTP, &saved_sa_tstp, NULL);
+ 
++        if (access(safe_cmnd, X_OK) != 0) {
++                 warn ("unable to execute %s", safe_cmnd);
++#ifdef WITH_AUDIT
++                audit_logger(AUDIT_USER_CMD,  safe_cmnd, user_args, 0);
++#endif
++                exit(127);
++        }
++#ifdef WITH_AUDIT
++        audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 1);
++#endif
++
+ #ifndef PROFILING
+ 	if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0)
+ 	    exit(0);
+@@ -458,10 +477,16 @@ main(argc, argv, envp)
+ 	    NewArgv[1] = safe_cmnd;
+ 	    execve(_PATH_BSHELL, NewArgv, environ);
+ 	}
++#ifdef WITH_AUDIT
++	audit_logger(AUDIT_USER_CMD,  safe_cmnd, user_args, 0);
++#endif
+ 	warn("unable to execute %s", safe_cmnd);
+ 	exit(127);
+     } else if (ISSET(validated, FLAG_NO_USER) || (validated & FLAG_NO_HOST)) {
+ 	log_auth(validated, 1);
++#ifdef WITH_AUDIT
++	audit_logger(AUDIT_USER_CMD,  safe_cmnd, user_args, 0);
++#endif
+ 	exit(1);
+     } else if (ISSET(validated, VALIDATE_NOT_OK)) {
+ 	if (def_path_info) {
+@@ -482,6 +507,9 @@ main(argc, argv, envp)
+ 	    /* Just tell the user they are not allowed to run foo. */
+ 	    log_auth(validated, 1);
+ 	}
++#ifdef WITH_AUDIT
++	audit_logger(AUDIT_USER_CMD,  safe_cmnd, user_args, 0);
++#endif
+ 	exit(1);
+     } else {
+ 	/* should never get here */
+diff -up sudo-1.6.9p17/sudo.h.audit sudo-1.6.9p17/sudo.h
+--- sudo-1.6.9p17/sudo.h.audit	2008-09-02 15:48:46.000000000 +0200
++++ sudo-1.6.9p17/sudo.h	2008-09-02 15:48:46.000000000 +0200
 @@ -23,6 +23,8 @@
  #ifndef _SUDO_SUDO_H
  #define _SUDO_SUDO_H
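Review bot: The success record `audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 1)` at L402 is written before the command is exec'd, so `result=1` means "authorized, exec about to be attempted" rather than "ran", and an execve() that fails afterwards also emits the `result=0` record added at L413 in the nested sudo.c hunk, giving audit consumers both outcomes for one invocation; a comment at L402 such as `/* result=1: command authorized and exec imminent; a subsequent exec failure is logged separately with result=0 */` would keep the next maintainer from treating it as a completion record. The `access(safe_cmnd, X_OK)` check at L394 evaluates permissions against the real uid, which after PERM_FULL_RUNAS with def_stay_setuid is presumably the invoking user's rather than the runas user's — verify this cannot reject a command the runas user may execute, and note that access() followed by execve() is check-then-act, fine for producing a log record but not something to rely on as a security control. In set_perms.c, `err(1, "Error initing capabilities, aborting.\n")` at L330 and the sibling messages at L334, L338, L351, L354 and L357 embed a trailing newline that err() already supplies after appending strerror(), so the errno text lands on its own line; dropping the `\n` matches the existing `err(1, "unable to change to runas uid")` style. Both set_perms() and main() start and end outside the hunk.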


Index: sudo.spec
===================================================================
RCS file: /cvs/extras/rpms/sudo/devel/sudo.spec,v
retrieving revision 1.68
retrieving revision 1.69
diff -u -r1.68 -r1.69
--- sudo.spec	4 Jul 2008 14:13:33 -0000	1.68
+++ sudo.spec	2 Sep 2008 13:56:42 -0000	1.69
@@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
 Version: 1.6.9p17
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: BSD
 Group: Applications/System
 URL: http://www.courtesan.com/sudo/
@@ -133,6 +133,10 @@
 /bin/chmod 0440 /etc/sudoers || :
 
 %changelog
+* Tue Sep 02 2008 Peter Vrabec <pvrabec at redhat.com> 1.6.9p17-2
+- adjust audit patch, do not scream when kernel is
+  compiled without audit netlink support (#401201)
+
 * Fri Jul 04 2008 Peter Vrabec <pvrabec at redhat.com> 1.6.9p17-1
 - upgrade
 



