diff -up sudo-1.6.9p4/audit_help.c.audit sudo-1.6.9p4/audit_help.c --- sudo-1.6.9p4/audit_help.c.audit 2007-08-30 20:06:30.000000000 +0400 +++ sudo-1.6.9p4/audit_help.c 2007-08-30 20:06:30.000000000 +0400 @@ -0,0 +1,81 @@ +/* + * Audit helper functions used throughout sudo + * + * Copyright (C) 2007, Red Hat, Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Julianne F. Haugh nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include + +#ifdef WITH_AUDIT + +#include +#include +#include +#include +#include +#include + +int audit_fd; + +void audit_help_open (void) +{ + audit_fd = audit_open (); + if (audit_fd < 0) { + /* You get these only when the kernel doesn't have + * audit compiled in. */ + if (errno == EINVAL || errno == EPROTONOSUPPORT || + errno == EAFNOSUPPORT) + return; + fprintf (stderr, "Cannot open audit interface - aborting.\n"); + exit (1); + } +} + +/* + * This function will log a message to the audit system using a predefined + * message format. Parameter usage is as follows: + * + * type - type of message: AUDIT_USER_CMD + * command - the command being logged + * result - 1 is "success" and 0 is "failed" + * + */ +void audit_logger (int type, const char *command, int result) +{ + int err; + + if (audit_fd < 0) + return; + else { + err = audit_log_user_command (audit_fd, type, command, NULL, result); + if( err <= 0 ) + perror("audit_log_user_command()"); + } +} + +#endif /* WITH_AUDIT */ + diff -up sudo-1.6.9p4/Makefile.in.audit sudo-1.6.9p4/Makefile.in --- sudo-1.6.9p4/Makefile.in.audit 2007-08-15 18:16:57.000000000 +0400 +++ sudo-1.6.9p4/Makefile.in 2007-08-30 20:06:30.000000000 +0400 @@ -118,11 +118,13 @@ HDRS = compat.h def_data.h defaults.h in AUTH_OBJS = sudo_auth.o @AUTH_OBJS@ +AUDIT_OBJS = audit_help.o + PARSEOBJS = sudo.tab.o lex.yy.o alloc.o defaults.o SUDOBJS = check.o env.o getspwuid.o gettime.o goodpath.o fileops.o find_path.o \ interfaces.o logging.o parse.o set_perms.o sudo.o sudo_edit.o \ - tgetpass.o zero_bytes.o @SUDO_OBJS@ $(AUTH_OBJS) $(PARSEOBJS) + tgetpass.o zero_bytes.o @SUDO_OBJS@ $(AUTH_OBJS) $(PARSEOBJS) $(AUDIT_OBJS) VISUDOBJS = visudo.o fileops.o gettime.o goodpath.o find_path.o $(PARSEOBJS) @@ -273,6 +275,9 @@ securid5.o: $(authdir)/securid5.c $(AUTH sia.o: $(authdir)/sia.c $(AUTHDEP) $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/sia.c +audit_help.o: audit_help.c sudo.h + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(LIBADUIT) $(srcdir)/audit_help.c + sudo.man.in: $(srcdir)/sudo.pod @rm -f $(srcdir)/$@ ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e 1d -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" >> $@ ) diff -up sudo-1.6.9p4/sudo.h.audit sudo-1.6.9p4/sudo.h --- sudo-1.6.9p4/sudo.h.audit 2007-08-30 20:06:30.000000000 +0400 +++ sudo-1.6.9p4/sudo.h 2007-08-30 20:06:30.000000000 +0400 @@ -23,6 +23,8 @@ #ifndef _SUDO_SUDO_H #define _SUDO_SUDO_H +#include + #include #include #include "compat.h" @@ -274,4 +276,10 @@ extern int sudo_mode; extern int errno; #endif +#ifdef WITH_AUDIT +extern int audit_fd; +extern void audit_help_open (void); +extern void audit_logger (int, const char *, int); +#endif + #endif /* _SUDO_SUDO_H */ diff -up sudo-1.6.9p4/sudo.c.audit sudo-1.6.9p4/sudo.c --- sudo-1.6.9p4/sudo.c.audit 2007-08-30 20:06:30.000000000 +0400 +++ sudo-1.6.9p4/sudo.c 2007-08-30 20:18:26.000000000 +0400 @@ -97,6 +97,10 @@ # include #endif +#ifdef WITH_AUDIT +#include +#endif + #include "sudo.h" #include "interfaces.h" #include "version.h" @@ -292,6 +296,10 @@ main(argc, argv, envp) if (safe_cmnd == NULL) safe_cmnd = estrdup(user_cmnd); +#if defined(WITH_AUDIT) + audit_help_open (); +#endif + /* * Look up the timestamp dir owner if one is specified. */ @@ -302,9 +310,13 @@ main(argc, argv, envp) pw = getpwuid(atoi(def_timestampowner + 1)); else pw = getpwnam(def_timestampowner); - if (!pw) + if (!pw) { +#if defined(WITH_AUDIT) + audit_logger(AUDIT_USER_CMD, user_cmnd, 0); +#endif log_error(0, "timestamp owner (%s): No such user", def_timestampowner); + } timestamp_uid = pw->pw_uid; } @@ -314,15 +326,22 @@ main(argc, argv, envp) exit(0); } - if (ISSET(validated, VALIDATE_ERROR)) + if (ISSET(validated, VALIDATE_ERROR)) { +#if defined(WITH_AUDIT) + audit_logger(AUDIT_USER_CMD, user_cmnd, 0); +#endif log_error(0, "parse error in %s near line %d", _PATH_SUDOERS, errorlineno); + } /* Is root even allowed to run sudo? */ if (user_uid == 0 && !def_root_sudo) { (void) fprintf(stderr, "Sorry, %s has been configured to not allow root to run it.\n", getprogname()); +#if defined(WITH_AUDIT) + audit_logger(AUDIT_USER_CMD, user_cmnd, 0); +#endif exit(1); } @@ -336,8 +355,12 @@ main(argc, argv, envp) /* Bail if a tty is required and we don't have one. */ if (def_requiretty) { - if ((fd = open(_PATH_TTY, O_RDWR|O_NOCTTY)) == -1) + if ((fd = open(_PATH_TTY, O_RDWR|O_NOCTTY)) == -1) { +#if defined(WITH_AUDIT) + audit_logger(AUDIT_USER_CMD, user_cmnd, 0); +#endif log_error(NO_MAIL, "sorry, you must have a tty to run sudo"); + } else (void) close(fd); } @@ -370,17 +393,27 @@ main(argc, argv, envp) /* Finally tell the user if the command did not exist. */ if (cmnd_status == NOT_FOUND_DOT) { warnx("ignoring `%s' found in '.'\nUse `sudo ./%s' if this is the `%s' you wish to run.", user_cmnd, user_cmnd, user_cmnd); +#if defined(WITH_AUDIT) + audit_logger(AUDIT_USER_CMD, user_cmnd, 0); +#endif exit(1); } else if (cmnd_status == NOT_FOUND) { warnx("%s: command not found", user_cmnd); +#if defined(WITH_AUDIT) + audit_logger(AUDIT_USER_CMD, user_cmnd, 0); +#endif exit(1); } /* If user specified env vars make sure sudoers allows it. */ if (ISSET(sudo_mode, MODE_RUN) && !ISSET(validated, FLAG_SETENV)) { - if (ISSET(sudo_mode, MODE_PRESERVE_ENV)) + if (ISSET(sudo_mode, MODE_PRESERVE_ENV)) { +#if defined(WITH_AUDIT) + audit_logger(AUDIT_USER_CMD, user_cmnd, 0); +#endif log_error(NO_MAIL, "sorry, you are not allowed to preserve the environment"); + } else validate_env_vars(sudo_user.env_vars); } @@ -439,11 +472,23 @@ main(argc, argv, envp) (void) sigaction(SIGTSTP, &saved_sa_tstp, NULL); (void) sigaction(SIGCHLD, &saved_sa_chld, NULL); + if (access(safe_cmnd, X_OK) != 0) { + warn ("unable to execute %s", safe_cmnd); +#ifdef WITH_AUDIT + audit_logger(AUDIT_USER_CMD, safe_cmnd, 0); +#endif + exit(127); + } +#ifdef WITH_AUDIT + audit_logger(AUDIT_USER_CMD, safe_cmnd, 1); +#endif + #ifndef PROFILING if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0) exit(0); - else + else { execve(safe_cmnd, NewArgv, environ); + } #else exit(0); #endif /* PROFILING */ @@ -456,6 +501,9 @@ main(argc, argv, envp) NewArgv[1] = safe_cmnd; execve(_PATH_BSHELL, NewArgv, environ); } +#ifdef WITH_AUDIT + audit_logger(AUDIT_USER_CMD, safe_cmnd, 0); +#endif warn("unable to execute %s", safe_cmnd); exit(127); } else if (ISSET(validated, FLAG_NO_USER) || (validated & FLAG_NO_HOST)) { diff -up sudo-1.6.9p4/configure.in.audit sudo-1.6.9p4/configure.in --- sudo-1.6.9p4/configure.in.audit 2007-08-30 20:06:30.000000000 +0400 +++ sudo-1.6.9p4/configure.in 2007-08-30 20:06:30.000000000 +0400 @@ -150,6 +150,10 @@ dnl dnl Options for --with dnl +AC_ARG_WITH(audit, + [AC_HELP_STRING([--with-audit], [use auditing support @<:@default=yes if found@:>@])], + [with_audit=$withval], [with_audit=yes]) + AC_ARG_WITH(CC, [ --with-CC C compiler to use], [case $with_CC in yes) AC_MSG_ERROR(["must give --with-CC an argument."]) @@ -1579,6 +1583,25 @@ dnl : ${mansectsu='8'} : ${mansectform='5'} + +AC_SUBST(LIBAUDIT) +if test "$with_audit" = "yes"; then + # See if we have the audit library + AC_CHECK_HEADER(libaudit.h, [audit_header="yes"], [audit_header="no"]) + if test "$audit_header" = "yes"; then + AC_CHECK_LIB(audit, audit_log_user_command, + [AC_DEFINE(WITH_AUDIT, 1, [Define if you want to enable Audit messages]) + LIBAUDIT="-laudit"]) + fi + # See if we have the libcap library + AC_CHECK_HEADERS(sys/capability.h sys/prctl.h, [cap_header="yes"], [cap_header="no"]) + if test "$cap_header" = "yes"; then + AC_CHECK_LIB(cap, cap_init, + [AC_DEFINE(HAVE_LIBCAP, 1, [SELinux libcap support]) + SUDO_LIBS="${SUDO_LIBS} -lcap"]) + fi +fi + dnl dnl Add in any libpaths or libraries specified via configure dnl diff -up sudo-1.6.9p4/set_perms.c.audit sudo-1.6.9p4/set_perms.c --- sudo-1.6.9p4/set_perms.c.audit 2007-07-06 18:16:22.000000000 +0400 +++ sudo-1.6.9p4/set_perms.c 2007-08-30 20:06:30.000000000 +0400 @@ -53,6 +53,10 @@ #ifdef HAVE_LOGIN_CAP_H # include #endif +#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP) +# include +# include +#endif #include "sudo.h" @@ -101,22 +105,55 @@ set_perms(perm) if (setresuid(user_uid, user_uid, user_uid)) err(1, "setresuid(user_uid, user_uid, user_uid)"); break; - + + case PERM_FULL_RUNAS: +#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP) + { /* BEGIN CAP BLOCK */ + cap_t new_caps; + cap_value_t cap_list[] = { CAP_AUDIT_WRITE }; + + if (runas_pw->pw_uid != ROOT_UID) { + new_caps = cap_init (); + if (!new_caps) + err(1, "Error initing capabilities, aborting.\n"); + + if(cap_set_flag(new_caps, CAP_PERMITTED, 1, cap_list, CAP_SET) || + cap_set_flag(new_caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET)) { + err(1, "Error setting capabilities, aborting\n"); + } + + if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) + err(1, "Error setting KEEPCAPS, aborting\n"); + } +#endif + /* headed for exec(), assume euid == ROOT_UID */ + runas_setup (); + if (setresuid(def_stay_setuid ? + user_uid : runas_pw->pw_uid, + runas_pw->pw_uid, runas_pw->pw_uid)) + err(1, "unable to change to runas uid"); + +#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP) + if (runas_pw->pw_uid != ROOT_UID) { + if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0) + err(1, "Error resetting KEEPCAPS, aborting\n"); + + if (cap_set_proc(new_caps)) + err(1, "Error dropping capabilities, aborting\n"); + + if (cap_free (new_caps)) + err(1, "Error freeing caps\n"); + } + } /* END CAP BLOCK */ +#endif + break; + case PERM_RUNAS: (void) setresgid(-1, runas_pw->pw_gid, -1); if (setresuid(-1, runas_pw->pw_uid, -1)) err(1, "unable to change to runas uid"); break; - case PERM_FULL_RUNAS: - /* headed for exec(), assume euid == ROOT_UID */ - runas_setup(); - if (setresuid(def_stay_setuid ? - user_uid : runas_pw->pw_uid, - runas_pw->pw_uid, runas_pw->pw_uid)) - err(1, "unable to change to runas uid"); - break; - case PERM_SUDOERS: /* assume euid == ROOT_UID, ruid == user */ if (setresgid(-1, SUDOERS_GID, -1))