From 574273529d222e07642266f15db19c10737b84e0 Mon Sep 17 00:00:00 2001 From: Daniel Kopecek Date: Sep 07 2010 15:19:29 +0000 Subject: Cleanup --- diff --git a/sudo-1.7.1-audit.patch b/sudo-1.7.1-audit.patch deleted file mode 100644 index 65bb51c..0000000 --- a/sudo-1.7.1-audit.patch +++ /dev/null @@ -1,389 +0,0 @@ -diff -up /dev/null sudo-1.7.1/audit_help.c ---- /dev/null 2009-06-19 12:23:43.376002420 +0200 -+++ sudo-1.7.1/audit_help.c 2009-06-22 14:24:48.000000000 +0200 -@@ -0,0 +1,136 @@ -+/* -+ * Audit helper functions used throughout sudo -+ * -+ * Copyright (C) 2007, Red Hat, Inc. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. Neither the name of Julianne F. Haugh nor the names of its contributors -+ * may be used to endorse or promote products derived from this software -+ * without specific prior written permission. -+ * -+ * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND -+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -+ * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE -+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -+ * SUCH DAMAGE. -+ */ -+ -+#include -+ -+#ifdef WITH_AUDIT -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#ifdef HAVE_SELINUX -+#include -+#endif -+ -+int audit_fd; -+ -+void audit_help_open (void) -+{ -+ audit_fd = audit_open (); -+ if (audit_fd < 0) { -+ /* You get these only when the kernel doesn't have -+ * audit compiled in. */ -+ if (errno == EINVAL || errno == EPROTONOSUPPORT || -+ errno == EAFNOSUPPORT) -+ return; -+ fprintf (stderr, "Cannot open audit interface - aborting.\n"); -+ exit (1); -+ } -+} -+ -+/* -+ * This function will log a message to the audit system using a predefined -+ * message format. Parameter usage is as follows: -+ * -+ * type - type of message: AUDIT_USER_CMD -+ * command - the command being logged -+ * params - parames of the command -+ * result - 1 is "success" and 0 is "failed" -+ * -+ */ -+void audit_logger (int type, const char *command, const char *params, int result) -+{ -+ int err; -+ char *msg; -+ -+ if( audit_fd < 0 ) -+ return; -+ else { -+ -+ if( params ) -+ err = asprintf(&msg, "%s %s", command, params); -+ else -+ err = asprintf(&msg, "%s", command); -+ if (err < 0) { -+ fprintf (stderr, "Memory allocation for audit message wasn’t possible.\n"); -+ return; -+ } -+ -+ err = audit_log_user_command (audit_fd, type, msg, NULL, result); -+ /* The kernel supports auditing and we had -+ enough privilege to write to the socket. */ -+ if( err <= 0 && !((errno == EPERM && getuid() > 0) || errno == ECONNREFUSED ) ) { -+ perror("audit_log_user_command()"); -+ } -+ -+ free(msg); -+ } -+} -+ -+#ifdef HAVE_SELINUX -+int send_audit_message(int success, security_context_t old_context, -+ security_context_t new_context, const char *ttyn) -+{ -+ char *msg = NULL; -+ int rc; -+ -+ if (audit_fd < 0) -+ return -1; -+ -+ if (asprintf(&msg, "newrole: old-context=%s new-context=%s", -+ old_context ? old_context : "?", -+ new_context ? new_context : "?") < 0) { -+ fprintf(stderr, "Error allocating memory.\n"); -+ rc = -1; -+ goto out; -+ } -+ -+ rc = audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE, -+ msg, NULL, NULL, ttyn, success); -+ -+ if (rc <= 0) { -+ fprintf(stderr, "Error sending audit message.\n"); -+ rc = -1; -+ goto out; -+ } -+ rc = 0; -+ -+ out: -+ free(msg); -+ return rc; -+} -+#endif -+#endif /* WITH_AUDIT */ -diff -up sudo-1.7.1/configure.in.audit sudo-1.7.1/configure.in ---- sudo-1.7.1/configure.in.audit 2009-06-22 14:24:48.000000000 +0200 -+++ sudo-1.7.1/configure.in 2009-06-22 14:26:42.000000000 +0200 -@@ -179,6 +179,10 @@ dnl - dnl Options for --with - dnl - -+AC_ARG_WITH(audit, -+ [AC_HELP_STRING([--with-audit], [use auditing support @<:@default=yes if found@:>@])], -+ [with_audit=$withval], [with_audit=yes]) -+ - AC_ARG_WITH(CC, [ --with-CC C compiler to use], - [case $with_CC in - yes) AC_MSG_ERROR(["must give --with-CC an argument."]) -@@ -1706,6 +1710,24 @@ dnl - : ${mansectsu='8'} - : ${mansectform='5'} - -+AC_SUBST(LIBAUDIT) -+if test "$with_audit" = "yes"; then -+ # See if we have the audit library -+ AC_CHECK_HEADER(libaudit.h, [audit_header="yes"], [audit_header="no"]) -+ if test "$audit_header" = "yes"; then -+ AC_CHECK_LIB(audit, audit_log_user_command, -+ [AC_DEFINE(WITH_AUDIT, 1, [Define if you want to enable Audit messages]) -+ LIBAUDIT="-laudit"]) -+ fi -+ # See if we have the libcap library -+ AC_CHECK_HEADERS(sys/capability.h sys/prctl.h, [cap_header="yes"], [cap_header="no"]) -+ if test "$cap_header" = "yes"; then -+ AC_CHECK_LIB(cap, cap_init, -+ [AC_DEFINE(HAVE_LIBCAP, 1, [SELinux libcap support]) -+ SUDO_LIBS="${SUDO_LIBS} -lcap"]) -+ fi -+fi -+ - dnl - dnl Add in any libpaths or libraries specified via configure - dnl -diff -up sudo-1.7.1/Makefile.in.audit sudo-1.7.1/Makefile.in ---- sudo-1.7.1/Makefile.in.audit 2009-06-22 14:24:48.000000000 +0200 -+++ sudo-1.7.1/Makefile.in 2009-06-22 14:24:48.000000000 +0200 -@@ -125,6 +125,8 @@ HDRS = bsm_audit.h compat.h def_data.h d - - AUTH_OBJS = sudo_auth.o @AUTH_OBJS@ - -+AUDIT_OBJS = audit_help.o -+ - # Note: gram.o must come first here - COMMON_OBJS = gram.o alias.o alloc.o defaults.o error.o list.o match.o \ - toke.o redblack.o zero_bytes.o -@@ -132,7 +134,7 @@ COMMON_OBJS = gram.o alias.o alloc.o def - SUDO_OBJS = $(COMMON_OBJS) $(AUTH_OBJS) @SUDO_OBJS@ audit.o check.o env.o \ - getspwuid.o gettime.o goodpath.o fileops.o find_path.o \ - interfaces.o lbuf.o logging.o parse.o pwutil.o set_perms.o \ -- sudo.o sudo_edit.o sudo_nss.o term.o tgetpass.o -+ sudo.o sudo_edit.o sudo_nss.o term.o tgetpass.o $(AUDIT_OBJS) - - VISUDO_OBJS = $(COMMON_OBJS) visudo.o fileops.o gettime.o goodpath.o \ - find_path.o pwutil.o -@@ -361,6 +363,9 @@ securid5.o: $(authdir)/securid5.c $(AUTH - sia.o: $(authdir)/sia.c $(AUTHDEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/sia.c - -+audit_help.o: audit_help.c sudo.h -+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(LIBADUIT) $(srcdir)/audit_help.c -+ - sudo.man.in: $(srcdir)/sudo.pod - @rm -f $(srcdir)/$@ - ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" | perl -p sudo.man.pl >> $@ ) -diff -up sudo-1.7.1/set_perms.c.audit sudo-1.7.1/set_perms.c ---- sudo-1.7.1/set_perms.c.audit 2008-03-06 18:19:56.000000000 +0100 -+++ sudo-1.7.1/set_perms.c 2009-06-22 14:24:48.000000000 +0200 -@@ -48,6 +48,10 @@ - #ifdef HAVE_LOGIN_CAP_H - # include - #endif -+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP) -+# include -+# include -+#endif - - #include "sudo.h" - -@@ -126,16 +130,59 @@ set_perms(perm) - break; - - case PERM_FULL_RUNAS: -- /* headed for exec(), assume euid == ROOT_UID */ -- runas_setup(); -- if (setresuid(def_stay_setuid ? -- user_uid : runas_pw->pw_uid, -- runas_pw->pw_uid, runas_pw->pw_uid)) { -- errstr = "unable to change to runas uid"; -- goto bad; -- } -+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP) -+ { /* BEGIN CAP BLOCK */ -+ cap_t new_caps; -+ cap_value_t cap_list[] = { CAP_AUDIT_WRITE }; -+ -+ if (runas_pw->pw_uid != ROOT_UID) { -+ new_caps = cap_init (); -+ if (!new_caps) { -+ errstr = "Error initing capabilities, aborting.\n"; -+ goto bad; -+ } -+ -+ if(cap_set_flag(new_caps, CAP_PERMITTED, 1, cap_list, CAP_SET) || -+ cap_set_flag(new_caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET)) { -+ errstr = "Error setting capabilities, aborting\n"; -+ goto bad; -+ } -+ -+ if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) { -+ errstr = "Error setting KEEPCAPS, aborting\n"; -+ goto bad; -+ } -+ } -+#endif -+ /* headed for exec(), assume euid == ROOT_UID */ -+ runas_setup(); -+ if (setresuid(def_stay_setuid ? -+ user_uid : runas_pw->pw_uid, -+ runas_pw->pw_uid, runas_pw->pw_uid)) { -+ errstr = "unable to change to runas uid"; -+ goto bad; -+ } -+ -+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP) -+ if (runas_pw->pw_uid != ROOT_UID) { -+ if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0) { -+ errstr = "Error resetting KEEPCAPS, aborting\n"; -+ goto bad; -+ } -+ -+ if (cap_set_proc(new_caps)) { -+ errstr = "Error dropping capabilities, aborting\n"; -+ goto bad; -+ } -+ -+ if (cap_free (new_caps)) { -+ errstr = "Error freeing caps\n"; -+ goto bad; -+ } -+ } -+ } /* END CAP BLOCK */ -+#endif - break; -- - case PERM_SUDOERS: - /* assume euid == ROOT_UID, ruid == user */ - if (setresgid(-1, SUDOERS_GID, -1)) -diff -up sudo-1.7.1/sudo.c.audit sudo-1.7.1/sudo.c ---- sudo-1.7.1/sudo.c.audit 2009-06-22 14:24:48.000000000 +0200 -+++ sudo-1.7.1/sudo.c 2009-06-22 14:24:48.000000000 +0200 -@@ -95,6 +95,10 @@ - # include - #endif - -+#ifdef WITH_AUDIT -+#include -+#endif -+ - #include - #include "sudo.h" - #include "lbuf.h" -@@ -360,6 +364,10 @@ main(argc, argv, envp) - if (safe_cmnd == NULL) - safe_cmnd = estrdup(user_cmnd); - -+#if defined(WITH_AUDIT) -+ audit_help_open (); -+#endif -+ - #ifdef HAVE_SETLOCALE - setlocale(LC_ALL, ""); - #endif -@@ -521,7 +529,18 @@ main(argc, argv, envp) - (void) sigaction(SIGINT, &saved_sa_int, NULL); - (void) sigaction(SIGQUIT, &saved_sa_quit, NULL); - (void) sigaction(SIGTSTP, &saved_sa_tstp, NULL); -- -+ -+ if (access(safe_cmnd, X_OK) != 0) { -+ warn ("unable to execute %s", safe_cmnd); -+#ifdef WITH_AUDIT -+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0); -+#endif -+ exit(127); -+ } -+#ifdef WITH_AUDIT -+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 1); -+#endif -+ - /* Close the password and group files and free up memory. */ - sudo_endpwent(); - sudo_endgrent(); -@@ -554,11 +573,17 @@ main(argc, argv, envp) - NewArgv[1] = safe_cmnd; - execv(_PATH_BSHELL, NewArgv); - } -+#ifdef WITH_AUDIT -+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0); -+#endif - warning("unable to execute %s", safe_cmnd); - exit(127); - } else if (ISSET(validated, FLAG_NO_USER | FLAG_NO_HOST)) { - audit_failure(NewArgv, "No user or host"); - log_denial(validated, 1); -+#ifdef WITH_AUDIT -+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0); -+#endif - exit(1); - } else { - if (def_path_info) { -@@ -580,6 +605,9 @@ main(argc, argv, envp) - log_denial(validated, 1); - } - audit_failure(NewArgv, "validation failure"); -+#ifdef WITH_AUDIT -+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0); -+#endif - exit(1); - } - exit(0); /* not reached */ -diff -up sudo-1.7.1/sudo.h.audit sudo-1.7.1/sudo.h ---- sudo-1.7.1/sudo.h.audit 2009-06-22 14:24:48.000000000 +0200 -+++ sudo-1.7.1/sudo.h 2009-06-22 14:24:48.000000000 +0200 -@@ -24,6 +24,8 @@ - #ifndef _SUDO_SUDO_H - #define _SUDO_SUDO_H - -+#include -+ - #include - #include - #include "compat.h" -@@ -338,4 +340,10 @@ extern int sudo_mode; - extern int errno; - #endif - -+#ifdef WITH_AUDIT -+extern int audit_fd; -+extern void audit_help_open (void); -+extern void audit_logger (int, const char *, const char *, int); -+#endif -+ - #endif /* _SUDO_SUDO_H */ diff --git a/sudo-1.7.1-auditfix.patch b/sudo-1.7.1-auditfix.patch deleted file mode 100644 index a1e8892..0000000 --- a/sudo-1.7.1-auditfix.patch +++ /dev/null @@ -1,48 +0,0 @@ -diff -up sudo-1.7.1/audit_help.c.auditfix sudo-1.7.1/audit_help.c ---- sudo-1.7.1/audit_help.c.auditfix 2009-07-09 15:05:14.000000000 +0200 -+++ sudo-1.7.1/audit_help.c 2009-07-09 15:04:33.000000000 +0200 -@@ -45,7 +45,7 @@ - #include - #endif - --int audit_fd; -+int audit_fd = -1; - - void audit_help_open (void) - { -diff -up sudo-1.7.1/sudo.c.auditfix sudo-1.7.1/sudo.c ---- sudo-1.7.1/sudo.c.auditfix 2009-07-09 14:35:50.000000000 +0200 -+++ sudo-1.7.1/sudo.c 2009-07-09 15:02:41.000000000 +0200 -@@ -363,10 +363,6 @@ main(argc, argv, envp) - } - if (safe_cmnd == NULL) - safe_cmnd = estrdup(user_cmnd); -- --#if defined(WITH_AUDIT) -- audit_help_open (); --#endif - - #ifdef HAVE_SETLOCALE - setlocale(LC_ALL, ""); -@@ -529,7 +525,12 @@ main(argc, argv, envp) - (void) sigaction(SIGINT, &saved_sa_int, NULL); - (void) sigaction(SIGQUIT, &saved_sa_quit, NULL); - (void) sigaction(SIGTSTP, &saved_sa_tstp, NULL); -+ -+ closefrom(def_closefrom + 1); - -+#if defined(WITH_AUDIT) -+ audit_help_open (); -+#endif - if (access(safe_cmnd, X_OK) != 0) { - warn ("unable to execute %s", safe_cmnd); - #ifdef WITH_AUDIT -@@ -545,8 +546,6 @@ main(argc, argv, envp) - sudo_endpwent(); - sudo_endgrent(); - -- closefrom(def_closefrom + 1); -- - #ifndef PROFILING - if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0) { - syslog(LOG_AUTH|LOG_ERR, "fork"); diff --git a/sudo-1.7.1-conffix.patch b/sudo-1.7.1-conffix.patch deleted file mode 100644 index 1d71d12..0000000 --- a/sudo-1.7.1-conffix.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up sudo-1.7.1/configure.in.conffix sudo-1.7.1/configure.in ---- sudo-1.7.1/configure.in.conffix 2009-06-22 15:45:51.000000000 +0200 -+++ sudo-1.7.1/configure.in 2009-06-22 15:45:30.000000000 +0200 -@@ -2473,7 +2473,7 @@ if test ${with_ldap-'no'} != "no"; then - AC_MSG_RESULT([yes]) - AC_DEFINE(HAVE_LBER_H)]) - -- AC_CHECK_HEADERS([sasl/sasl.h] [sasl.h], [AC_CHECK_FUNCS(ldap_sasl_interactive_bind_s), [break]]) -+ AC_CHECK_HEADERS([sasl/sasl.h] [sasl.h], [AC_CHECK_FUNCS(ldap_sasl_interactive_bind_s)], [break]) - AC_CHECK_HEADERS([ldap_ssl.h] [mps/ldap_ssl.h], [break], [], [#include ]) - AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength ldap_search_ext_s ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s ldap_ssl_client_init ldap_start_tls_s_np) - diff --git a/sudo-1.7.1-envdebug.patch b/sudo-1.7.1-envdebug.patch deleted file mode 100644 index 446ada1..0000000 --- a/sudo-1.7.1-envdebug.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up sudo-1.7.1/configure.in.envdebug sudo-1.7.1/configure.in ---- sudo-1.7.1/configure.in.envdebug 2009-05-02 21:25:56.000000000 +0200 -+++ sudo-1.7.1/configure.in 2009-05-02 21:27:17.000000000 +0200 -@@ -1192,7 +1192,7 @@ AC_ARG_ENABLE(env_debug, - [ --enable-env-debug Whether to enable environment debugging.], - [ case "$enableval" in - yes) AC_MSG_RESULT(yes) -- AC_DEFINE(ENV_DEBUG) -+ AC_DEFINE(ENV_DEBUG, [], [Environment debugging.]) - ;; - no) AC_MSG_RESULT(no) - ;; diff --git a/sudo-1.7.1-getgrouplist.patch b/sudo-1.7.1-getgrouplist.patch deleted file mode 100644 index 42cc3fc..0000000 --- a/sudo-1.7.1-getgrouplist.patch +++ /dev/null @@ -1,40 +0,0 @@ -diff -up sudo-1.7.1/check.c.getgrouplist sudo-1.7.1/check.c ---- sudo-1.7.1/check.c.getgrouplist 2009-05-02 21:48:17.000000000 +0200 -+++ sudo-1.7.1/check.c 2009-05-02 21:49:04.000000000 +0200 -@@ -353,6 +353,24 @@ user_is_exempt() - return(TRUE); - } - -+#ifdef HAVE_GETGROUPLIST -+ { -+ gid_t *grouplist, grouptmp; -+ int n_groups, i; -+ n_groups = 1; -+ if (getgrouplist(user_name, user_gid, &grouptmp, &n_groups) == -1) { -+ grouplist = (gid_t *) emalloc(sizeof(gid_t) * (n_groups + 1)); -+ if (getgrouplist(user_name, user_gid, grouplist, &n_groups) > 0) -+ for (i = 0; i < n_groups; i++) -+ if (grouplist[i] == grp->gr_gid) { -+ free(grouplist); -+ return(TRUE); -+ } -+ free(grouplist); -+ } -+ } -+#endif -+ - return(FALSE); - } - -diff -up sudo-1.7.1/configure.in.getgrouplist sudo-1.7.1/configure.in ---- sudo-1.7.1/configure.in.getgrouplist 2009-05-02 21:48:13.000000000 +0200 -+++ sudo-1.7.1/configure.in 2009-05-02 21:50:05.000000000 +0200 -@@ -1809,7 +1809,7 @@ dnl - AC_FUNC_GETGROUPS - AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \ - strftime setrlimit initgroups getgroups fstat gettimeofday \ -- setlocale getaddrinfo setsid setenv) -+ setlocale getaddrinfo setsid setenv getgrouplist) - AC_CHECK_FUNCS(unsetenv, SUDO_FUNC_UNSETENV_VOID) - SUDO_FUNC_PUTENV_CONST - if test -z "$SKIP_SETRESUID"; then diff --git a/sudo-1.7.1-libtool.patch b/sudo-1.7.1-libtool.patch deleted file mode 100644 index 4082953..0000000 --- a/sudo-1.7.1-libtool.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up sudo-1.7.1/Makefile.in.libtool sudo-1.7.1/Makefile.in ---- sudo-1.7.1/Makefile.in.libtool 2009-05-02 21:35:55.000000000 +0200 -+++ sudo-1.7.1/Makefile.in 2009-05-02 21:36:04.000000000 +0200 -@@ -198,7 +198,7 @@ sudo_noexec.lo: $(srcdir)/sudo_noexec.c - $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo_noexec.c - - sudo_noexec.la: sudo_noexec.lo -- $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ sudo_noexec.lo -avoid-version -rpath $(noexecdir) -+ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ sudo_noexec.lo -module -avoid-version -rpath $(noexecdir) - - # Uncomment the following if you want "make distclean" to clean the parser - @DEV@GENERATED = gram.h gram.c toke.c def_data.c def_data.h diff --git a/sudo-1.7.1-login.patch b/sudo-1.7.1-login.patch deleted file mode 100644 index 03a6fd3..0000000 --- a/sudo-1.7.1-login.patch +++ /dev/null @@ -1,111 +0,0 @@ -diff -up sudo-1.7.1/auth/pam.c.login sudo-1.7.1/auth/pam.c ---- sudo-1.7.1/auth/pam.c.login 2009-05-02 21:01:17.000000000 +0200 -+++ sudo-1.7.1/auth/pam.c 2009-05-02 21:07:42.000000000 +0200 -@@ -100,7 +100,13 @@ pam_init(pw, promptp, auth) - if (auth != NULL) - auth->data = (void *) &pam_status; - pam_conv.conv = sudo_conv; -- pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh); -+#ifdef HAVE_PAM_LOGIN -+ if (ISSET(sudo_mode, MODE_LOGIN_SHELL)) -+ pam_status = pam_start("sudo-i", pw->pw_name, &pam_conv, &pamh); -+ else -+#endif -+ pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh); -+ - if (pam_status != PAM_SUCCESS) { - log_error(USE_ERRNO|NO_EXIT|NO_MAIL, "unable to initialize PAM"); - return(AUTH_FATAL); -diff -up sudo-1.7.1/configure.in.login sudo-1.7.1/configure.in ---- sudo-1.7.1/configure.in.login 2009-05-02 21:01:33.000000000 +0200 -+++ sudo-1.7.1/configure.in 2009-05-02 21:13:59.000000000 +0200 -@@ -393,6 +393,17 @@ AC_ARG_WITH(pam, [ --with-pam - ;; - esac]) - -+AC_ARG_WITH(pam-login, [ --with-pam-login enable specific PAM session for sudo -i], -+[case $with_pam_login in -+ yes) AC_DEFINE([HAVE_PAM_LOGIN], [], ["Define to 1 if you use specific PAM session for sodo -i."]) -+ AC_MSG_CHECKING(whether to use PAM login) -+ AC_MSG_RESULT(yes) -+ ;; -+ no) ;; -+ *) AC_MSG_ERROR(["--with-pam-login does not take an argument."]) -+ ;; -+esac]) -+ - AC_ARG_WITH(AFS, [ --with-AFS enable AFS support], - [case $with_AFS in - yes) AC_DEFINE(HAVE_AFS) -diff -up sudo-1.7.1/env.c.login sudo-1.7.1/env.c ---- sudo-1.7.1/env.c.login 2009-05-02 21:01:24.000000000 +0200 -+++ sudo-1.7.1/env.c 2009-05-02 21:12:28.000000000 +0200 -@@ -101,7 +101,7 @@ struct environment { - /* - * Prototypes - */ --void rebuild_env __P((int, int)); -+void rebuild_env __P((int)); - static void sudo_setenv __P((const char *, const char *, int)); - static void sudo_putenv __P((char *, int, int)); - -@@ -550,8 +550,7 @@ matches_env_keep(var) - * Also adds sudo-specific variables (SUDO_*). - */ - void --rebuild_env(sudo_mode, noexec) -- int sudo_mode; -+rebuild_env(noexec) - int noexec; - { - char **old_envp, **ep, *cp, *ps1; -diff -up sudo-1.7.1/sudo.c.login sudo-1.7.1/sudo.c ---- sudo-1.7.1/sudo.c.login 2009-05-02 21:01:49.000000000 +0200 -+++ sudo-1.7.1/sudo.c 2009-05-02 21:18:18.000000000 +0200 -@@ -123,7 +123,7 @@ static void usage_excl __P((int)) - __attribute__((__noreturn__)); - static struct passwd *get_authpw __P((void)); - extern int sudo_edit __P((int, char **, char **)); --extern void rebuild_env __P((int, int)); -+extern void rebuild_env __P((int)); - void validate_env_vars __P((struct list_member *)); - void insert_env_vars __P((struct list_member *)); - -@@ -154,6 +154,8 @@ login_cap_t *lc; - char *login_style; - #endif /* HAVE_BSD_AUTH_H */ - sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp; -+ -+int sudo_mode; - static char *runas_user; - static char *runas_group; - static struct sudo_nss_list *snl; -@@ -169,7 +171,7 @@ main(argc, argv, envp) - char **envp; - { - int sources = 0, validated; -- int fd, cmnd_status, sudo_mode, pwflag, rc = 0; -+ int fd, cmnd_status, pwflag, rc = 0; - sigaction_t sa; - struct sudo_nss *nss; - #if defined(SUDO_DEVEL) && defined(__OpenBSD__) -@@ -408,7 +410,7 @@ main(argc, argv, envp) - def_env_reset = FALSE; - - /* Build a new environment that avoids any nasty bits. */ -- rebuild_env(sudo_mode, def_noexec); -+ rebuild_env(def_noexec); - - /* Fill in passwd struct based on user we are authenticating as. */ - auth_pw = get_authpw(); -diff -up sudo-1.7.1/sudo.h.login sudo-1.7.1/sudo.h ---- sudo-1.7.1/sudo.h.login 2009-05-02 21:01:42.000000000 +0200 -+++ sudo-1.7.1/sudo.h 2009-05-02 21:14:58.000000000 +0200 -@@ -332,6 +332,7 @@ extern struct passwd *auth_pw, *list_pw; - extern int tgetpass_flags; - extern int long_list; - extern uid_t timestamp_uid; -+extern int sudo_mode; - #endif - #ifndef errno - extern int errno; diff --git a/sudo-1.7.2p1-audit.patch b/sudo-1.7.2p1-audit.patch deleted file mode 100644 index 409aa5b..0000000 --- a/sudo-1.7.2p1-audit.patch +++ /dev/null @@ -1,400 +0,0 @@ -diff -up /dev/null sudo-1.7.2p1/audit_help.c ---- /dev/null 2009-09-09 14:57:12.384002457 +0200 -+++ sudo-1.7.2p1/audit_help.c 2009-10-30 12:25:49.000000000 +0100 -@@ -0,0 +1,136 @@ -+/* -+ * Audit helper functions used throughout sudo -+ * -+ * Copyright (C) 2007, Red Hat, Inc. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. Neither the name of Julianne F. Haugh nor the names of its contributors -+ * may be used to endorse or promote products derived from this software -+ * without specific prior written permission. -+ * -+ * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND -+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -+ * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE -+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -+ * SUCH DAMAGE. -+ */ -+ -+#include -+ -+#ifdef WITH_AUDIT -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#ifdef HAVE_SELINUX -+#include -+#endif -+ -+int audit_fd = -1; -+ -+void audit_help_open (void) -+{ -+ audit_fd = audit_open (); -+ if (audit_fd < 0) { -+ /* You get these only when the kernel doesn't have -+ * audit compiled in. */ -+ if (errno == EINVAL || errno == EPROTONOSUPPORT || -+ errno == EAFNOSUPPORT) -+ return; -+ fprintf (stderr, "Cannot open audit interface - aborting.\n"); -+ exit (1); -+ } -+} -+ -+/* -+ * This function will log a message to the audit system using a predefined -+ * message format. Parameter usage is as follows: -+ * -+ * type - type of message: AUDIT_USER_CMD -+ * command - the command being logged -+ * params - parames of the command -+ * result - 1 is "success" and 0 is "failed" -+ * -+ */ -+void audit_logger (int type, const char *command, const char *params, int result) -+{ -+ int err; -+ char *msg; -+ -+ if( audit_fd < 0 ) -+ return; -+ else { -+ -+ if( params ) -+ err = asprintf(&msg, "%s %s", command, params); -+ else -+ err = asprintf(&msg, "%s", command); -+ if (err < 0) { -+ fprintf (stderr, "Memory allocation for audit message wasn’t possible.\n"); -+ return; -+ } -+ -+ err = audit_log_user_command (audit_fd, type, msg, NULL, result); -+ /* The kernel supports auditing and we had -+ enough privilege to write to the socket. */ -+ if( err <= 0 && !((errno == EPERM && getuid() > 0) || errno == ECONNREFUSED ) ) { -+ perror("audit_log_user_command()"); -+ } -+ -+ free(msg); -+ } -+} -+ -+#ifdef HAVE_SELINUX -+int send_audit_message(int success, security_context_t old_context, -+ security_context_t new_context, const char *ttyn) -+{ -+ char *msg = NULL; -+ int rc; -+ -+ if (audit_fd < 0) -+ return -1; -+ -+ if (asprintf(&msg, "newrole: old-context=%s new-context=%s", -+ old_context ? old_context : "?", -+ new_context ? new_context : "?") < 0) { -+ fprintf(stderr, "Error allocating memory.\n"); -+ rc = -1; -+ goto out; -+ } -+ -+ rc = audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE, -+ msg, NULL, NULL, ttyn, success); -+ -+ if (rc <= 0) { -+ fprintf(stderr, "Error sending audit message.\n"); -+ rc = -1; -+ goto out; -+ } -+ rc = 0; -+ -+ out: -+ free(msg); -+ return rc; -+} -+#endif -+#endif /* WITH_AUDIT */ -diff -up sudo-1.7.2p1/configure.in.audit sudo-1.7.2p1/configure.in ---- sudo-1.7.2p1/configure.in.audit 2009-10-30 12:25:49.000000000 +0100 -+++ sudo-1.7.2p1/configure.in 2009-10-30 12:25:49.000000000 +0100 -@@ -180,6 +180,10 @@ dnl - dnl Options for --with - dnl - -+AC_ARG_WITH(audit, -+ [AC_HELP_STRING([--with-audit], [use auditing support @<:@default=yes if found@:>@])], -+ [with_audit=$withval], [with_audit=yes]) -+ - AC_ARG_WITH(CC, [AS_HELP_STRING([--with-CC], [C compiler to use])], - [case $with_CC in - yes) AC_MSG_ERROR(["must give --with-CC an argument."]) -@@ -1743,6 +1747,24 @@ dnl - : ${mansectsu='8'} - : ${mansectform='5'} - -+AC_SUBST(LIBAUDIT) -+if test "$with_audit" = "yes"; then -+ # See if we have the audit library -+ AC_CHECK_HEADER(libaudit.h, [audit_header="yes"], [audit_header="no"]) -+ if test "$audit_header" = "yes"; then -+ AC_CHECK_LIB(audit, audit_log_user_command, -+ [AC_DEFINE(WITH_AUDIT, 1, [Define if you want to enable Audit messages]) -+ LIBAUDIT="-laudit"]) -+ fi -+ # See if we have the libcap library -+ AC_CHECK_HEADERS(sys/capability.h sys/prctl.h, [cap_header="yes"], [cap_header="no"]) -+ if test "$cap_header" = "yes"; then -+ AC_CHECK_LIB(cap, cap_init, -+ [AC_DEFINE(HAVE_LIBCAP, 1, [SELinux libcap support]) -+ SUDO_LIBS="${SUDO_LIBS} -lcap"]) -+ fi -+fi -+ - dnl - dnl Add in any libpaths or libraries specified via configure - dnl -diff -up sudo-1.7.2p1/Makefile.in.audit sudo-1.7.2p1/Makefile.in ---- sudo-1.7.2p1/Makefile.in.audit 2009-10-30 12:25:49.000000000 +0100 -+++ sudo-1.7.2p1/Makefile.in 2009-10-30 12:25:49.000000000 +0100 -@@ -125,6 +125,8 @@ HDRS = bsm_audit.h compat.h def_data.h d - - AUTH_OBJS = sudo_auth.o @AUTH_OBJS@ - -+AUDIT_OBJS = audit_help.o -+ - # Note: gram.o must come first here - COMMON_OBJS = gram.o alias.o alloc.o defaults.o error.o list.o match.o \ - toke.o redblack.o zero_bytes.o @NONUNIX_GROUPS_IMPL@ -@@ -132,7 +134,7 @@ COMMON_OBJS = gram.o alias.o alloc.o def - SUDO_OBJS = $(COMMON_OBJS) $(AUTH_OBJS) @SUDO_OBJS@ audit.o check.o env.o \ - getspwuid.o gettime.o goodpath.o fileops.o find_path.o \ - interfaces.o lbuf.o logging.o parse.o pwutil.o set_perms.o \ -- sudo.o sudo_edit.o sudo_nss.o term.o tgetpass.o -+ sudo.o sudo_edit.o sudo_nss.o term.o tgetpass.o $(AUDIT_OBJS) - - VISUDO_OBJS = $(COMMON_OBJS) visudo.o fileops.o gettime.o goodpath.o \ - find_path.o pwutil.o -@@ -363,6 +365,9 @@ securid5.o: $(authdir)/securid5.c $(AUTH - sia.o: $(authdir)/sia.c $(AUTHDEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/sia.c - -+audit_help.o: audit_help.c sudo.h -+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(LIBADUIT) $(srcdir)/audit_help.c -+ - sudo.man.in: $(srcdir)/sudo.pod - @rm -f $(srcdir)/$@ - ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" | perl -p sudo.man.pl >> $@ ) -diff -up sudo-1.7.2p1/set_perms.c.audit sudo-1.7.2p1/set_perms.c ---- sudo-1.7.2p1/set_perms.c.audit 2009-06-25 14:44:33.000000000 +0200 -+++ sudo-1.7.2p1/set_perms.c 2009-10-30 12:32:03.000000000 +0100 -@@ -48,6 +48,10 @@ - #ifdef HAVE_LOGIN_CAP_H - # include - #endif -+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP) -+# include -+# include -+#endif - - #include "sudo.h" - -@@ -130,16 +134,59 @@ set_perms(perm) - break; - - case PERM_FULL_RUNAS: -- /* headed for exec(), assume euid == ROOT_UID */ -- runas_setup(); -- if (setresuid(def_stay_setuid ? -- user_uid : runas_pw->pw_uid, -- runas_pw->pw_uid, runas_pw->pw_uid)) { -- errstr = "unable to change to runas uid"; -- goto bad; -- } -+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP) -+ { /* BEGIN CAP BLOCK */ -+ cap_t new_caps; -+ cap_value_t cap_list[] = { CAP_AUDIT_WRITE }; -+ -+ if (runas_pw->pw_uid != ROOT_UID) { -+ new_caps = cap_init (); -+ if (!new_caps) { -+ errstr = "Error initing capabilities, aborting.\n"; -+ goto bad; -+ } -+ -+ if(cap_set_flag(new_caps, CAP_PERMITTED, 1, cap_list, CAP_SET) || -+ cap_set_flag(new_caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET)) { -+ errstr = "Error setting capabilities, aborting\n"; -+ goto bad; -+ } -+ -+ if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) { -+ errstr = "Error setting KEEPCAPS, aborting\n"; -+ goto bad; -+ } -+ } -+#endif -+ /* headed for exec(), assume euid == ROOT_UID */ -+ runas_setup(); -+ if (setresuid(def_stay_setuid ? -+ user_uid : runas_pw->pw_uid, -+ runas_pw->pw_uid, runas_pw->pw_uid)) { -+ errstr = "unable to change to runas uid"; -+ goto bad; -+ } -+ -+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP) -+ if (runas_pw->pw_uid != ROOT_UID) { -+ if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0) { -+ errstr = "Error resetting KEEPCAPS, aborting\n"; -+ goto bad; -+ } -+ -+ if (cap_set_proc(new_caps)) { -+ errstr = "Error dropping capabilities, aborting\n"; -+ goto bad; -+ } -+ -+ if (cap_free (new_caps)) { -+ errstr = "Error freeing caps\n"; -+ goto bad; -+ } -+ } -+ } /* END CAP BLOCK */ -+#endif - break; -- - case PERM_SUDOERS: - /* assume euid == ROOT_UID, ruid == user */ - if (setresgid(-1, SUDOERS_GID, -1)) -diff -up sudo-1.7.2p1/sudo.c.audit sudo-1.7.2p1/sudo.c ---- sudo-1.7.2p1/sudo.c.audit 2009-10-30 12:25:49.000000000 +0100 -+++ sudo-1.7.2p1/sudo.c 2009-10-30 12:25:49.000000000 +0100 -@@ -95,6 +95,10 @@ - # include - #endif - -+#ifdef WITH_AUDIT -+#include -+#endif -+ - #include - #include "sudo.h" - #include "lbuf.h" -@@ -372,7 +376,7 @@ main(argc, argv, envp) - - if (safe_cmnd == NULL) - safe_cmnd = estrdup(user_cmnd); -- -+ - #ifdef HAVE_SETLOCALE - setlocale(LC_ALL, ""); - #endif -@@ -538,12 +542,26 @@ main(argc, argv, envp) - (void) sigaction(SIGQUIT, &saved_sa_quit, NULL); - (void) sigaction(SIGTSTP, &saved_sa_tstp, NULL); - -+ closefrom(def_closefrom + 1); -+ -+#if defined(WITH_AUDIT) -+ audit_help_open (); -+#endif -+ if (access(safe_cmnd, X_OK) != 0) { -+ warn ("unable to execute %s", safe_cmnd); -+#ifdef WITH_AUDIT -+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0); -+#endif -+ exit(127); -+ } -+#ifdef WITH_AUDIT -+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 1); -+#endif -+ - /* Close the password and group files and free up memory. */ - sudo_endpwent(); - sudo_endgrent(); - -- closefrom(def_closefrom + 1); -- - #ifndef PROFILING - if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0) { - syslog(LOG_AUTH|LOG_ERR, "fork"); -@@ -568,11 +586,17 @@ main(argc, argv, envp) - NewArgv[1] = safe_cmnd; - execv(_PATH_BSHELL, NewArgv); - } -+#ifdef WITH_AUDIT -+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0); -+#endif - warning("unable to execute %s", safe_cmnd); - exit(127); - } else if (ISSET(validated, FLAG_NO_USER | FLAG_NO_HOST)) { - audit_failure(NewArgv, "No user or host"); - log_denial(validated, 1); -+#ifdef WITH_AUDIT -+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0); -+#endif - exit(1); - } else { - if (def_path_info) { -@@ -594,6 +618,9 @@ main(argc, argv, envp) - log_denial(validated, 1); - } - audit_failure(NewArgv, "validation failure"); -+#ifdef WITH_AUDIT -+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0); -+#endif - exit(1); - } - exit(0); /* not reached */ -diff -up sudo-1.7.2p1/sudo.h.audit sudo-1.7.2p1/sudo.h ---- sudo-1.7.2p1/sudo.h.audit 2009-10-30 12:25:49.000000000 +0100 -+++ sudo-1.7.2p1/sudo.h 2009-10-30 12:39:16.000000000 +0100 -@@ -24,6 +24,8 @@ - #ifndef _SUDO_SUDO_H - #define _SUDO_SUDO_H - -+#include -+ - #include - #include - #include "compat.h" -@@ -340,4 +342,14 @@ extern int sudo_mode; - extern int errno; - #endif - -+#ifdef WITH_AUDIT -+extern int audit_fd; -+extern void audit_help_open (void); -+extern void audit_logger (int, const char *, const char *, int); -+#ifdef HAVE_SELINUX -+# include -+extern int send_audit_message(int, security_context_t, security_context_t, const char *); -+#endif /* HAVE_SELINUX */ -+#endif /* WITH_AUDIT */ -+ - #endif /* _SUDO_SUDO_H */ diff --git a/sudo-1.7.2p1-login.patch b/sudo-1.7.2p1-login.patch deleted file mode 100644 index aeb0cf6..0000000 --- a/sudo-1.7.2p1-login.patch +++ /dev/null @@ -1,111 +0,0 @@ -diff -up sudo-1.7.2p1/auth/pam.c.login sudo-1.7.2p1/auth/pam.c ---- sudo-1.7.2p1/auth/pam.c.login 2009-05-25 14:02:42.000000000 +0200 -+++ sudo-1.7.2p1/auth/pam.c 2009-10-30 12:15:48.000000000 +0100 -@@ -100,7 +100,13 @@ pam_init(pw, promptp, auth) - if (auth != NULL) - auth->data = (void *) &pam_status; - pam_conv.conv = sudo_conv; -- pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh); -+#ifdef HAVE_PAM_LOGIN -+ if (ISSET(sudo_mode, MODE_LOGIN_SHELL)) -+ pam_status = pam_start("sudo-i", pw->pw_name, &pam_conv, &pamh); -+ else -+#endif -+ pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh); -+ - if (pam_status != PAM_SUCCESS) { - log_error(USE_ERRNO|NO_EXIT|NO_MAIL, "unable to initialize PAM"); - return(AUTH_FATAL); -diff -up sudo-1.7.2p1/configure.in.login sudo-1.7.2p1/configure.in ---- sudo-1.7.2p1/configure.in.login 2009-07-20 15:34:37.000000000 +0200 -+++ sudo-1.7.2p1/configure.in 2009-10-30 12:16:24.000000000 +0100 -@@ -394,6 +394,17 @@ AC_ARG_WITH(pam, [AS_HELP_STRING([--with - ;; - esac]) - -+AC_ARG_WITH(pam-login, [ --with-pam-login enable specific PAM session for sudo -i], -+[case $with_pam_login in -+ yes) AC_DEFINE([HAVE_PAM_LOGIN], [], ["Define to 1 if you use specific PAM session for sodo -i."]) -+ AC_MSG_CHECKING(whether to use PAM login) -+ AC_MSG_RESULT(yes) -+ ;; -+ no) ;; -+ *) AC_MSG_ERROR(["--with-pam-login does not take an argument."]) -+ ;; -+esac]) -+ - AC_ARG_WITH(AFS, [AS_HELP_STRING([--with-AFS], [enable AFS support])], - [case $with_AFS in - yes) AC_DEFINE(HAVE_AFS) -diff -up sudo-1.7.2p1/env.c.login sudo-1.7.2p1/env.c ---- sudo-1.7.2p1/env.c.login 2009-06-23 20:24:42.000000000 +0200 -+++ sudo-1.7.2p1/env.c 2009-10-30 12:15:48.000000000 +0100 -@@ -102,7 +102,7 @@ struct environment { - /* - * Prototypes - */ --void rebuild_env __P((int, int)); -+void rebuild_env __P((int)); - static void sudo_setenv __P((const char *, const char *, int)); - static void sudo_putenv __P((char *, int, int)); - -@@ -562,8 +562,7 @@ matches_env_keep(var) - * Also adds sudo-specific variables (SUDO_*). - */ - void --rebuild_env(sudo_mode, noexec) -- int sudo_mode; -+rebuild_env(noexec) - int noexec; - { - char **old_envp, **ep, *cp, *ps1; -diff -up sudo-1.7.2p1/sudo.c.login sudo-1.7.2p1/sudo.c ---- sudo-1.7.2p1/sudo.c.login 2009-05-27 02:49:07.000000000 +0200 -+++ sudo-1.7.2p1/sudo.c 2009-10-30 12:15:48.000000000 +0100 -@@ -126,7 +126,7 @@ static void usage_excl __P((int)) - __attribute__((__noreturn__)); - static struct passwd *get_authpw __P((void)); - extern int sudo_edit __P((int, char **, char **)); --extern void rebuild_env __P((int, int)); -+extern void rebuild_env __P((int)); - void validate_env_vars __P((struct list_member *)); - void insert_env_vars __P((struct list_member *)); - -@@ -157,6 +157,8 @@ login_cap_t *lc; - char *login_style; - #endif /* HAVE_BSD_AUTH_H */ - sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp; -+ -+int sudo_mode; - static char *runas_user; - static char *runas_group; - static struct sudo_nss_list *snl; -@@ -172,7 +174,7 @@ main(argc, argv, envp) - char **envp; - { - int sources = 0, validated; -- int fd, cmnd_status, sudo_mode, pwflag, rc = 0; -+ int fd, cmnd_status, pwflag, rc = 0; - sigaction_t sa; - struct sudo_nss *nss; - #if defined(SUDO_DEVEL) && defined(__OpenBSD__) -@@ -421,7 +423,7 @@ main(argc, argv, envp) - def_env_reset = FALSE; - - /* Build a new environment that avoids any nasty bits. */ -- rebuild_env(sudo_mode, def_noexec); -+ rebuild_env(def_noexec); - - /* Fill in passwd struct based on user we are authenticating as. */ - auth_pw = get_authpw(); -diff -up sudo-1.7.2p1/sudo.h.login sudo-1.7.2p1/sudo.h ---- sudo-1.7.2p1/sudo.h.login 2009-05-25 14:02:41.000000000 +0200 -+++ sudo-1.7.2p1/sudo.h 2009-10-30 12:15:48.000000000 +0100 -@@ -334,6 +334,7 @@ extern struct passwd *auth_pw, *list_pw; - extern int tgetpass_flags; - extern int long_list; - extern uid_t timestamp_uid; -+extern int sudo_mode; - #endif - #ifndef errno - extern int errno; diff --git a/sudo-1.7.2p2-emptyincldir.patch b/sudo-1.7.2p2-emptyincldir.patch deleted file mode 100644 index fbab43e..0000000 --- a/sudo-1.7.2p2-emptyincldir.patch +++ /dev/null @@ -1,38 +0,0 @@ -diff -up sudo-1.7.2p2/toke.c.empty sudo-1.7.2p2/toke.c ---- sudo-1.7.2p2/toke.c.empty 2010-02-16 23:13:23.000000000 +0100 -+++ sudo-1.7.2p2/toke.c 2010-02-16 23:17:57.000000000 +0100 -@@ -1421,6 +1421,7 @@ __unused static const char rcsid[] = "$S - #endif /* lint */ - - extern YYSTYPE yylval; -+extern int parse_error; - int sudolineno = 1; - char *sudoers; - static int sawspace = 0; -@@ -1880,7 +1881,7 @@ YY_RULE_SETUP - LEXTRACE("INCLUDEDIR\n"); - - /* Push current buffer and switch to include file */ -- if (!push_includedir(path)) -+ if (!push_includedir(path) && parse_error) - yyterminate(); - } - YY_BREAK -@@ -3369,7 +3370,7 @@ switch_dir(stack, dirpath) - - if (!(dir = opendir(dirpath))) { - yyerror(dirpath); -- return(FALSE); -+ return(NULL); - } - while ((dent = readdir(dir))) { - /* Ignore files that end in '~' or have a '.' in them. */ -@@ -3494,7 +3495,7 @@ _push_include(path, isdir) - } - if (isdir) { - if (!(path = switch_dir(&istack[idepth], path))) { -- yyerror(path); -+ /* yyerror(path); */ - return(FALSE); - } - if ((fp = open_sudoers(path, FALSE, &keepopen)) == NULL) { diff --git a/sudo-1.7.2p2-envsanitize.patch b/sudo-1.7.2p2-envsanitize.patch deleted file mode 100644 index 37dc38c..0000000 --- a/sudo-1.7.2p2-envsanitize.patch +++ /dev/null @@ -1,83 +0,0 @@ -diff -up sudo-1.7.2p2/env.c.orig sudo-1.7.2p2/env.c ---- sudo-1.7.2p2/env.c.orig 2010-06-01 13:19:54.000000000 +0200 -+++ sudo-1.7.2p2/env.c 2010-06-01 13:26:22.000000000 +0200 -@@ -321,7 +321,7 @@ int - unsetenv(var) - const char *var; - { -- char **ep; -+ char **ep = env.envp; - size_t len; - - if (strchr(var, '=') != NULL) { -@@ -359,13 +359,15 @@ unsetenv(var) - } - - len = strlen(var); -- for (ep = env.envp; *ep; ep++) { -+ while (*ep != NULL) { - if (strncmp(var, *ep, len) == 0 && (*ep)[len] == '=') { - /* Found it; shift remainder + NULL over by one and update len. */ - memmove(ep, ep + 1, - (env.env_len - (ep - env.envp)) * sizeof(char *)); - env.env_len--; -- break; -+ /* Keep going, could be multiple instances of the var. */ -+ } else { -+ ep++; - } - } - #ifndef UNSETENV_VOID -@@ -433,6 +435,7 @@ sudo_putenv(str, dupcheck, overwrite) - { - char **ep; - size_t len; -+ int found = FALSE; - - /* Make sure there is room for the new entry plus a NULL. */ - if (env.env_len + 2 > env.env_size) { -@@ -451,20 +454,34 @@ sudo_putenv(str, dupcheck, overwrite) - #endif - - if (dupcheck) { -- len = (strchr(str, '=') - str) + 1; -- for (ep = env.envp; *ep; ep++) { -+ len = (strchr(str, '=') - str) + 1; -+ for (ep = env.envp; !found && *ep != NULL; ep++) { -+ if (strncmp(str, *ep, len) == 0) { -+ if (overwrite) -+ *ep = str; -+ found = TRUE; -+ } -+ } -+ /* Prune out duplicate variables. */ -+ if (found && overwrite) { -+ while (*ep != NULL) { - if (strncmp(str, *ep, len) == 0) { -- if (overwrite) -- *ep = str; -- return; -+ memmove(ep, ep + 1, -+ (env.env_len - (ep - env.envp)) * sizeof(char *)); -+ env.env_len--; -+ } else { -+ ep++; - } - } -- } else -- ep = env.envp + env.env_len; -+ } -+ } - -- env.env_len++; -- *ep++ = str; -- *ep = NULL; -+ if (!found) { -+ ep = env.envp + env.env_len; -+ env.env_len++; -+ *ep++ = str; -+ *ep = NULL; -+ } - } - - /* diff --git a/sudo-1.7.2p2-libaudit.patch b/sudo-1.7.2p2-libaudit.patch deleted file mode 100644 index 3f1af38..0000000 --- a/sudo-1.7.2p2-libaudit.patch +++ /dev/null @@ -1,32 +0,0 @@ -diff -up sudo-1.7.2p2/configure.in.libaudit sudo-1.7.2p2/configure.in ---- sudo-1.7.2p2/configure.in.libaudit 2010-02-10 16:21:26.000000000 +0100 -+++ sudo-1.7.2p2/configure.in 2010-02-10 16:21:26.000000000 +0100 -@@ -1752,7 +1752,6 @@ dnl - : ${mansectsu='8'} - : ${mansectform='5'} - --AC_SUBST(LIBAUDIT) - if test "$with_audit" = "yes"; then - # See if we have the audit library - AC_CHECK_HEADER(libaudit.h, [audit_header="yes"], [audit_header="no"]) -@@ -1770,6 +1769,8 @@ if test "$with_audit" = "yes"; then - fi - fi - -+AC_SUBST(LIBAUDIT) -+ - dnl - dnl Add in any libpaths or libraries specified via configure - dnl -diff -up sudo-1.7.2p2/Makefile.in.libaudit sudo-1.7.2p2/Makefile.in ---- sudo-1.7.2p2/Makefile.in.libaudit 2010-02-10 16:26:06.000000000 +0100 -+++ sudo-1.7.2p2/Makefile.in 2010-02-10 16:26:40.000000000 +0100 -@@ -44,7 +44,7 @@ INSTALL = $(SHELL) $(srcdir)/install-sh - # Libraries - LIBS = @LIBS@ - NET_LIBS = @NET_LIBS@ --SUDO_LIBS = @SUDO_LIBS@ @AFS_LIBS@ @GETGROUPS_LIB@ $(LIBS) $(NET_LIBS) -+SUDO_LIBS = @SUDO_LIBS@ @AFS_LIBS@ @GETGROUPS_LIB@ @LIBAUDIT@ $(LIBS) $(NET_LIBS) - - # C preprocessor flags - CPPFLAGS = -I. -I$(srcdir) @CPPFLAGS@ diff --git a/sudo-1.7.2p2-loopsegv3.patch b/sudo-1.7.2p2-loopsegv3.patch deleted file mode 100644 index e6953bb..0000000 --- a/sudo-1.7.2p2-loopsegv3.patch +++ /dev/null @@ -1,33 +0,0 @@ -diff -up sudo-1.7.2p2/toke.c.loop sudo-1.7.2p2/toke.c ---- sudo-1.7.2p2/toke.c.loop 2010-02-09 12:48:33.000000000 +0100 -+++ sudo-1.7.2p2/toke.c 2010-02-09 16:54:17.000000000 +0100 -@@ -3461,7 +3461,7 @@ init_lexer() - efree(pl); - } - efree(istack[idepth].path); -- if (!istack[idepth].keepopen) -+ if (idepth && !istack[idepth].keepopen) - fclose(istack[idepth].bs->yy_input_file); - yy_delete_buffer(istack[idepth].bs); - } -@@ -3486,7 +3486,7 @@ _push_include(path, isdir) - } - istacksize += SUDOERS_STACK_INCREMENT; - istack = (struct include_stack *) realloc(istack, -- sizeof(istack) * istacksize); -+ sizeof(*istack) * istacksize); - if (istack == NULL) { - yyerror("unable to allocate memory"); - return(FALSE); -diff -up sudo-1.7.2p2/toke.l.loop sudo-1.7.2p2/toke.l ---- sudo-1.7.2p2/toke.l.loop 2010-02-09 12:48:30.000000000 +0100 -+++ sudo-1.7.2p2/toke.l 2010-02-09 13:18:27.000000000 +0100 -@@ -869,7 +869,7 @@ _push_include(path, isdir) - } - istacksize += SUDOERS_STACK_INCREMENT; - istack = (struct include_stack *) realloc(istack, -- sizeof(istack) * istacksize); -+ sizeof(*istack) * istacksize); - if (istack == NULL) { - yyerror("unable to allocate memory"); - return(FALSE); diff --git a/sudo-1.7.2p4-getgrouplist.patch b/sudo-1.7.2p4-getgrouplist.patch deleted file mode 100644 index 454b35b..0000000 --- a/sudo-1.7.2p4-getgrouplist.patch +++ /dev/null @@ -1,40 +0,0 @@ -diff -up sudo-1.7.2p4/check.c.getgrouplist sudo-1.7.2p4/check.c ---- sudo-1.7.2p4/check.c.getgrouplist 2009-05-25 14:02:41.000000000 +0200 -+++ sudo-1.7.2p4/check.c 2010-03-01 11:27:38.000000000 +0100 -@@ -353,6 +353,24 @@ user_is_exempt() - return(TRUE); - } - -+#ifdef HAVE_GETGROUPLIST -+ { -+ gid_t *grouplist, grouptmp; -+ int n_groups, i; -+ n_groups = 1; -+ if (getgrouplist(user_name, user_gid, &grouptmp, &n_groups) == -1) { -+ grouplist = (gid_t *) emalloc(sizeof(gid_t) * (n_groups + 1)); -+ if (getgrouplist(user_name, user_gid, grouplist, &n_groups) > 0) -+ for (i = 0; i < n_groups; i++) -+ if (grouplist[i] == grp->gr_gid) { -+ free(grouplist); -+ return(TRUE); -+ } -+ free(grouplist); -+ } -+ } -+#endif -+ - return(FALSE); - } - -diff -up sudo-1.7.2p4/configure.in.getgrouplist sudo-1.7.2p4/configure.in ---- sudo-1.7.2p4/configure.in.getgrouplist 2010-03-01 11:27:38.000000000 +0100 -+++ sudo-1.7.2p4/configure.in 2010-03-01 11:29:45.000000000 +0100 -@@ -1852,7 +1852,7 @@ dnl - AC_FUNC_GETGROUPS - AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \ - strftime setrlimit initgroups getgroups fstat gettimeofday \ -- setlocale getaddrinfo setsid setenv setrlimit64) -+ setlocale getaddrinfo setsid setenv setrlimit64 getgrouplist) - AC_CHECK_FUNCS(unsetenv, SUDO_FUNC_UNSETENV_VOID) - SUDO_FUNC_PUTENV_CONST - if test -z "$SKIP_SETRESUID"; then diff --git a/sudo-1.7.2p6-audit.patch b/sudo-1.7.2p6-audit.patch deleted file mode 100644 index 75b9675..0000000 --- a/sudo-1.7.2p6-audit.patch +++ /dev/null @@ -1,401 +0,0 @@ -diff -up /dev/null sudo-1.7.2p6/audit_help.c ---- /dev/null 2010-03-17 15:58:02.830002615 +0100 -+++ sudo-1.7.2p6/audit_help.c 2010-04-14 15:25:49.000000000 +0200 -@@ -0,0 +1,136 @@ -+/* -+ * Audit helper functions used throughout sudo -+ * -+ * Copyright (C) 2007, Red Hat, Inc. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. Neither the name of Julianne F. Haugh nor the names of its contributors -+ * may be used to endorse or promote products derived from this software -+ * without specific prior written permission. -+ * -+ * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND -+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -+ * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE -+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -+ * SUCH DAMAGE. -+ */ -+ -+#include -+ -+#ifdef WITH_AUDIT -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#ifdef HAVE_SELINUX -+#include -+#endif -+ -+int audit_fd = -1; -+ -+void audit_help_open (void) -+{ -+ audit_fd = audit_open (); -+ if (audit_fd < 0) { -+ /* You get these only when the kernel doesn't have -+ * audit compiled in. */ -+ if (errno == EINVAL || errno == EPROTONOSUPPORT || -+ errno == EAFNOSUPPORT) -+ return; -+ fprintf (stderr, "Cannot open audit interface - aborting.\n"); -+ exit (1); -+ } -+} -+ -+/* -+ * This function will log a message to the audit system using a predefined -+ * message format. Parameter usage is as follows: -+ * -+ * type - type of message: AUDIT_USER_CMD -+ * command - the command being logged -+ * params - parames of the command -+ * result - 1 is "success" and 0 is "failed" -+ * -+ */ -+void audit_logger (int type, const char *command, const char *params, int result) -+{ -+ int err; -+ char *msg; -+ -+ if( audit_fd < 0 ) -+ return; -+ else { -+ -+ if( params ) -+ err = asprintf(&msg, "%s %s", command, params); -+ else -+ err = asprintf(&msg, "%s", command); -+ if (err < 0) { -+ fprintf (stderr, "Memory allocation for audit message wasn’t possible.\n"); -+ return; -+ } -+ -+ err = audit_log_user_command (audit_fd, type, msg, NULL, result); -+ /* The kernel supports auditing and we had -+ enough privilege to write to the socket. */ -+ if( err <= 0 && !((errno == EPERM && getuid() > 0) || errno == ECONNREFUSED ) ) { -+ perror("audit_log_user_command()"); -+ } -+ -+ free(msg); -+ } -+} -+ -+#ifdef HAVE_SELINUX -+int send_audit_message(int success, security_context_t old_context, -+ security_context_t new_context, const char *ttyn) -+{ -+ char *msg = NULL; -+ int rc; -+ -+ if (audit_fd < 0) -+ return -1; -+ -+ if (asprintf(&msg, "newrole: old-context=%s new-context=%s", -+ old_context ? old_context : "?", -+ new_context ? new_context : "?") < 0) { -+ fprintf(stderr, "Error allocating memory.\n"); -+ rc = -1; -+ goto out; -+ } -+ -+ rc = audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE, -+ msg, NULL, NULL, ttyn, success); -+ -+ if (rc <= 0) { -+ fprintf(stderr, "Error sending audit message.\n"); -+ rc = -1; -+ goto out; -+ } -+ rc = 0; -+ -+ out: -+ free(msg); -+ return rc; -+} -+#endif -+#endif /* WITH_AUDIT */ -diff -up sudo-1.7.2p6/configure.in.audit sudo-1.7.2p6/configure.in ---- sudo-1.7.2p6/configure.in.audit 2010-04-14 15:25:49.000000000 +0200 -+++ sudo-1.7.2p6/configure.in 2010-04-14 15:25:49.000000000 +0200 -@@ -181,6 +181,10 @@ dnl - dnl Options for --with - dnl - -+AC_ARG_WITH(audit, -+ [AC_HELP_STRING([--with-audit], [use auditing support @<:@default=yes if found@:>@])], -+ [with_audit=$withval], [with_audit=yes]) -+ - AC_ARG_WITH(CC, [AS_HELP_STRING([--with-CC], [C compiler to use])], - [case $with_CC in - yes) AC_MSG_ERROR(["must give --with-CC an argument."]) -@@ -1747,6 +1751,24 @@ dnl - : ${mansectsu='8'} - : ${mansectform='5'} - -+ -+if test "$with_audit" = "yes"; then -+ # See if we have the audit library -+ AC_CHECK_HEADER(libaudit.h, [audit_header="yes"], [audit_header="no"]) -+ if test "$audit_header" = "yes"; then -+ AC_CHECK_LIB(audit, audit_log_user_command, -+ [AC_DEFINE(WITH_AUDIT, 1, [Define if you want to enable Audit messages]) -+ LIBAUDIT="-laudit"]) -+ fi -+ # See if we have the libcap library -+ AC_CHECK_HEADERS(sys/capability.h sys/prctl.h, [cap_header="yes"], [cap_header="no"]) -+ if test "$cap_header" = "yes"; then -+ AC_CHECK_LIB(cap, cap_init, -+ [AC_DEFINE(HAVE_LIBCAP, 1, [SELinux libcap support]) -+ SUDO_LIBS="${SUDO_LIBS} -lcap"]) -+ fi -+fi -+AC_SUBST(LIBAUDIT) - dnl - dnl Add in any libpaths or libraries specified via configure - dnl -diff -up sudo-1.7.2p6/Makefile.in.audit sudo-1.7.2p6/Makefile.in ---- sudo-1.7.2p6/Makefile.in.audit 2010-04-14 15:25:49.000000000 +0200 -+++ sudo-1.7.2p6/Makefile.in 2010-04-14 15:25:49.000000000 +0200 -@@ -44,7 +44,7 @@ INSTALL = $(SHELL) $(srcdir)/install-sh - # Libraries - LIBS = @LIBS@ - NET_LIBS = @NET_LIBS@ --SUDO_LIBS = @SUDO_LIBS@ @AFS_LIBS@ @GETGROUPS_LIB@ $(LIBS) $(NET_LIBS) -+SUDO_LIBS = @SUDO_LIBS@ @AFS_LIBS@ @GETGROUPS_LIB@ @LIBAUDIT@ $(LIBS) $(NET_LIBS) - - # C preprocessor flags - CPPFLAGS = -I. -I$(srcdir) @CPPFLAGS@ -@@ -123,6 +123,8 @@ HDRS = bsm_audit.h compat.h def_data.h d - - AUTH_OBJS = sudo_auth.o @AUTH_OBJS@ - -+AUDIT_OBJS = audit_help.o -+ - # Note: gram.o must come first here - COMMON_OBJS = gram.o alias.o alloc.o defaults.o error.o list.o match.o \ - toke.o redblack.o zero_bytes.o @NONUNIX_GROUPS_IMPL@ -@@ -130,7 +132,7 @@ COMMON_OBJS = gram.o alias.o alloc.o def - SUDO_OBJS = $(COMMON_OBJS) $(AUTH_OBJS) @SUDO_OBJS@ audit.o check.o env.o \ - getspwuid.o gettime.o goodpath.o fileops.o find_path.o \ - interfaces.o lbuf.o logging.o parse.o pwutil.o set_perms.o \ -- sudo.o sudo_edit.o sudo_nss.o term.o tgetpass.o -+ sudo.o sudo_edit.o sudo_nss.o term.o tgetpass.o $(AUDIT_OBJS) - - VISUDO_OBJS = $(COMMON_OBJS) visudo.o fileops.o gettime.o goodpath.o \ - find_path.o pwutil.o -@@ -361,6 +363,9 @@ securid5.o: $(authdir)/securid5.c $(AUTH - sia.o: $(authdir)/sia.c $(AUTHDEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/sia.c - -+audit_help.o: audit_help.c sudo.h -+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(LIBADUIT) $(srcdir)/audit_help.c -+ - sudo.man.in: $(srcdir)/sudo.pod - @rm -f $(srcdir)/$@ - ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" | perl -p sudo.man.pl >> $@ ) -diff -up sudo-1.7.2p6/set_perms.c.audit sudo-1.7.2p6/set_perms.c ---- sudo-1.7.2p6/set_perms.c.audit 2010-04-09 12:12:02.000000000 +0200 -+++ sudo-1.7.2p6/set_perms.c 2010-04-14 15:25:49.000000000 +0200 -@@ -48,6 +48,10 @@ - #ifdef HAVE_LOGIN_CAP_H - # include - #endif -+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP) -+# include -+# include -+#endif - - #include "sudo.h" - -@@ -126,16 +130,59 @@ set_perms(perm) - break; - - case PERM_FULL_RUNAS: -- /* headed for exec(), assume euid == ROOT_UID */ -- runas_setup(); -- if (setresuid(def_stay_setuid ? -- user_uid : runas_pw->pw_uid, -- runas_pw->pw_uid, runas_pw->pw_uid)) { -- errstr = "unable to change to runas uid"; -- goto bad; -- } -+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP) -+ { /* BEGIN CAP BLOCK */ -+ cap_t new_caps; -+ cap_value_t cap_list[] = { CAP_AUDIT_WRITE }; -+ -+ if (runas_pw->pw_uid != ROOT_UID) { -+ new_caps = cap_init (); -+ if (!new_caps) { -+ errstr = "Error initing capabilities, aborting.\n"; -+ goto bad; -+ } -+ -+ if(cap_set_flag(new_caps, CAP_PERMITTED, 1, cap_list, CAP_SET) || -+ cap_set_flag(new_caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET)) { -+ errstr = "Error setting capabilities, aborting\n"; -+ goto bad; -+ } -+ -+ if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) { -+ errstr = "Error setting KEEPCAPS, aborting\n"; -+ goto bad; -+ } -+ } -+#endif -+ /* headed for exec(), assume euid == ROOT_UID */ -+ runas_setup(); -+ if (setresuid(def_stay_setuid ? -+ user_uid : runas_pw->pw_uid, -+ runas_pw->pw_uid, runas_pw->pw_uid)) { -+ errstr = "unable to change to runas uid"; -+ goto bad; -+ } -+ -+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP) -+ if (runas_pw->pw_uid != ROOT_UID) { -+ if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0) { -+ errstr = "Error resetting KEEPCAPS, aborting\n"; -+ goto bad; -+ } -+ -+ if (cap_set_proc(new_caps)) { -+ errstr = "Error dropping capabilities, aborting\n"; -+ goto bad; -+ } -+ -+ if (cap_free (new_caps)) { -+ errstr = "Error freeing caps\n"; -+ goto bad; -+ } -+ } -+ } /* END CAP BLOCK */ -+#endif - break; -- - case PERM_SUDOERS: - /* assume euid == ROOT_UID, ruid == user */ - if (setresgid(-1, SUDOERS_GID, -1)) -diff -up sudo-1.7.2p6/sudo.c.audit sudo-1.7.2p6/sudo.c ---- sudo-1.7.2p6/sudo.c.audit 2010-04-14 15:25:49.000000000 +0200 -+++ sudo-1.7.2p6/sudo.c 2010-04-14 15:31:47.000000000 +0200 -@@ -95,6 +95,10 @@ - # include - #endif - -+#ifdef WITH_AUDIT -+#include -+#endif -+ - #include - #include "sudo.h" - #include "lbuf.h" -@@ -368,7 +372,7 @@ main(argc, argv, envp) - - if (safe_cmnd == NULL) - safe_cmnd = estrdup(user_cmnd); -- -+ - #ifdef HAVE_SETLOCALE - setlocale(LC_ALL, ""); - #endif -@@ -540,6 +544,20 @@ main(argc, argv, envp) - - closefrom(def_closefrom); - -+#if defined(WITH_AUDIT) -+ audit_help_open (); -+#endif -+ if (access(safe_cmnd, X_OK) != 0) { -+ warn ("unable to execute %s", safe_cmnd); -+#ifdef WITH_AUDIT -+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0); -+#endif -+ exit(127); -+ } -+#ifdef WITH_AUDIT -+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 1); -+#endif -+ - #ifndef PROFILING - if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0) { - syslog(LOG_AUTH|LOG_ERR, "fork"); -@@ -564,11 +582,17 @@ main(argc, argv, envp) - NewArgv[1] = safe_cmnd; - execv(_PATH_BSHELL, NewArgv); - } -+#ifdef WITH_AUDIT -+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0); -+#endif - warning("unable to execute %s", safe_cmnd); - exit(127); - } else if (ISSET(validated, FLAG_NO_USER | FLAG_NO_HOST)) { - audit_failure(NewArgv, "No user or host"); - log_denial(validated, 1); -+#ifdef WITH_AUDIT -+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0); -+#endif - exit(1); - } else { - if (def_path_info) { -@@ -590,6 +614,9 @@ main(argc, argv, envp) - log_denial(validated, 1); - } - audit_failure(NewArgv, "validation failure"); -+#ifdef WITH_AUDIT -+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0); -+#endif - exit(1); - } - exit(0); /* not reached */ -diff -up sudo-1.7.2p6/sudo.h.audit sudo-1.7.2p6/sudo.h ---- sudo-1.7.2p6/sudo.h.audit 2010-04-14 15:25:49.000000000 +0200 -+++ sudo-1.7.2p6/sudo.h 2010-04-14 15:25:49.000000000 +0200 -@@ -22,6 +22,8 @@ - #ifndef _SUDO_SUDO_H - #define _SUDO_SUDO_H - -+#include -+ - #include - #include - #include "compat.h" -@@ -338,4 +340,14 @@ extern int sudo_mode; - extern int errno; - #endif - -+#ifdef WITH_AUDIT -+extern int audit_fd; -+extern void audit_help_open (void); -+extern void audit_logger (int, const char *, const char *, int); -+#ifdef HAVE_SELINUX -+# include -+extern int send_audit_message(int, security_context_t, security_context_t, const char *); -+#endif /* HAVE_SELINUX */ -+#endif /* WITH_AUDIT */ -+ - #endif /* _SUDO_SUDO_H */