rpms/sudo/devel sudo-1.6.9p4-audit.patch,1.2,1.3

Peter Vrabec (pvrabec) fedora-extras-commits at redhat.com
Mon Jan 7 18:58:15 UTC 2008


Author: pvrabec

Update of /cvs/extras/rpms/sudo/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv18324

Modified Files:
	sudo-1.6.9p4-audit.patch 
Log Message:
fix sudo-1.6.9p4-audit.patch


sudo-1.6.9p4-audit.patch:

Index: sudo-1.6.9p4-audit.patch
===================================================================
RCS file: /cvs/extras/rpms/sudo/devel/sudo-1.6.9p4-audit.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- sudo-1.6.9p4-audit.patch	7 Jan 2008 18:31:40 -0000	1.2
+++ sudo-1.6.9p4-audit.patch	7 Jan 2008 18:58:09 -0000	1.3
@@ -1,145 +1,86 @@
-diff -up sudo-1.6.9p4/audit_help.c.audit sudo-1.6.9p4/audit_help.c
---- sudo-1.6.9p4/audit_help.c.audit	2007-08-30 20:06:30.000000000 +0400
-+++ sudo-1.6.9p4/audit_help.c	2007-08-30 20:06:30.000000000 +0400
-@@ -0,0 +1,81 @@
-+/*
-+ *  Audit helper functions used throughout sudo
-+ *
-+ *  Copyright (C) 2007, Red Hat, Inc.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in the
-+ *    documentation and/or other materials provided with the distribution.
-+ * 3. Neither the name of Julianne F. Haugh nor the names of its contributors
-+ *    may be used to endorse or promote products derived from this software
-+ *    without specific prior written permission.
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND
-+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-+ * ARE DISCLAIMED.  IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE
-+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-+ * SUCH DAMAGE.
-+ */
-+
-+#include <config.h>
-+
-+#ifdef WITH_AUDIT
-+
-+#include <stdlib.h>
-+#include <syslog.h>
-+#include <stdarg.h>
-+#include <libaudit.h>
-+#include <errno.h>
-+#include <stdio.h>
-+
-+int audit_fd;
-+
-+void audit_help_open (void)
-+{
-+	audit_fd = audit_open ();
-+	if (audit_fd < 0) {
-+        	/* You get these only when the kernel doesn't have
-+                 * audit compiled in. */
-+		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
-+		    errno == EAFNOSUPPORT)
-+			return;
-+		fprintf (stderr, "Cannot open audit interface - aborting.\n");
-+		exit (1);
-+	}
-+}
-+
-+/*
-+ * This function will log a message to the audit system using a predefined
-+ * message format. Parameter usage is as follows:
-+ *
-+ * type - type of message: AUDIT_USER_CMD
-+ * command - the command being logged
-+ * result - 1 is "success" and 0 is "failed"
-+ *
-+ */
-+void audit_logger (int type, const char *command, int result)
-+{
-+	int err;
-+
-+	if (audit_fd < 0)
-+		return;
-+	else {
-+               err = audit_log_user_command (audit_fd, type, command, NULL, result);
-+               /* The kernel supports auditing and we had
-+                  enough privilege to write to the socket. */
-+               if( err <= 0 && !(errno == EPERM && getuid() != 0) ) {
-+                       perror("audit_log_user_command()");
-+               }
-+	}
-+}
-+
-+#endif                         /* WITH_AUDIT */
-+
-diff -up sudo-1.6.9p4/Makefile.in.audit sudo-1.6.9p4/Makefile.in
---- sudo-1.6.9p4/Makefile.in.audit	2007-08-15 18:16:57.000000000 +0400
-+++ sudo-1.6.9p4/Makefile.in	2007-08-30 20:06:30.000000000 +0400
-@@ -118,11 +118,13 @@ HDRS = compat.h def_data.h defaults.h in
- 
- AUTH_OBJS = sudo_auth.o @AUTH_OBJS@
- 
-+AUDIT_OBJS = audit_help.o 
-+
- PARSEOBJS = sudo.tab.o lex.yy.o alloc.o defaults.o
- 
- SUDOBJS = check.o env.o getspwuid.o gettime.o goodpath.o fileops.o find_path.o \
- 	  interfaces.o logging.o parse.o set_perms.o sudo.o sudo_edit.o \
--	  tgetpass.o zero_bytes.o @SUDO_OBJS@ $(AUTH_OBJS) $(PARSEOBJS)
-+	  tgetpass.o zero_bytes.o @SUDO_OBJS@ $(AUTH_OBJS) $(PARSEOBJS) $(AUDIT_OBJS)
- 
- VISUDOBJS = visudo.o fileops.o gettime.o goodpath.o find_path.o $(PARSEOBJS)
+diff -up sudo-1.6.9p4/set_perms.c.audit sudo-1.6.9p4/set_perms.c
+--- sudo-1.6.9p4/set_perms.c.audit	2007-07-06 16:16:22.000000000 +0200
++++ sudo-1.6.9p4/set_perms.c	2008-01-07 19:52:41.000000000 +0100
+@@ -53,6 +53,10 @@
+ #ifdef HAVE_LOGIN_CAP_H
+ # include <login_cap.h>
+ #endif
++#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
++# include <sys/prctl.h>
++# include <sys/capability.h>
++#endif
  
-@@ -273,6 +275,9 @@ securid5.o: $(authdir)/securid5.c $(AUTH
- sia.o: $(authdir)/sia.c $(AUTHDEP)
- 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/sia.c
+ #include "sudo.h"
  
-+audit_help.o: audit_help.c sudo.h
-+	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(LIBADUIT) $(srcdir)/audit_help.c
+@@ -101,22 +105,55 @@ set_perms(perm)
+ 				if (setresuid(user_uid, user_uid, user_uid))
+ 				    err(1, "setresuid(user_uid, user_uid, user_uid)");
+ 			      	break;
+-				
 +
- sudo.man.in: $(srcdir)/sudo.pod
- 	@rm -f $(srcdir)/$@
- 	( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e 1d -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" >> $@ )
-diff -up sudo-1.6.9p4/sudo.h.audit sudo-1.6.9p4/sudo.h
---- sudo-1.6.9p4/sudo.h.audit	2007-08-30 20:06:30.000000000 +0400
-+++ sudo-1.6.9p4/sudo.h	2007-08-30 20:06:30.000000000 +0400
-@@ -23,6 +23,8 @@
- #ifndef _SUDO_SUDO_H
- #define _SUDO_SUDO_H
- 
-+#include <config.h>
++        case PERM_FULL_RUNAS:
++#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
++                                { /* BEGIN CAP BLOCK */
++                                cap_t new_caps;
++                                cap_value_t cap_list[] = { CAP_AUDIT_WRITE };
++ 
++                                if (runas_pw->pw_uid != ROOT_UID) {
++                                    new_caps = cap_init ();
++                                    if (!new_caps)
++                                        err(1, "Error initing capabilities, aborting.\n");
++                                    
++                                    if(cap_set_flag(new_caps, CAP_PERMITTED, 1, cap_list, CAP_SET) ||
++                                       cap_set_flag(new_caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET)) {
++                                         err(1, "Error setting capabilities, aborting\n");   
++                                    }
++                                                                
++                                    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0))
++                                        err(1, "Error setting KEEPCAPS, aborting\n");
++                                }
++#endif                          
++                                /* headed for exec(), assume euid == ROOT_UID */                                      
++                                runas_setup ();
++                                if (setresuid(def_stay_setuid ? 
++                                    user_uid : runas_pw->pw_uid,
++                                    runas_pw->pw_uid, runas_pw->pw_uid))
++                                    err(1, "unable to change to runas uid");
 +
- #include <pathnames.h>
- #include <limits.h>
- #include "compat.h"
-@@ -274,4 +276,10 @@ extern int sudo_mode;
- extern int errno;
- #endif
- 
-+#ifdef WITH_AUDIT
-+extern int audit_fd;
-+extern void audit_help_open (void);
-+extern void audit_logger (int, const char *, int);
++#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
++                                if (runas_pw->pw_uid != ROOT_UID) {
++                                    if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0)
++                                        err(1, "Error resetting KEEPCAPS, aborting\n");
++                                
++                                    if (cap_set_proc(new_caps))
++                                        err(1, "Error dropping capabilities, aborting\n");
++                            
++                                    if (cap_free (new_caps))
++                                        err(1, "Error freeing caps\n");                        
++                                }
++	                        } /* END CAP BLOCK */
 +#endif
++	                         break;
 +
- #endif /* _SUDO_SUDO_H */
+ 	case PERM_RUNAS:
+ 				(void) setresgid(-1, runas_pw->pw_gid, -1);
+ 				if (setresuid(-1, runas_pw->pw_uid, -1))
+ 				    err(1, "unable to change to runas uid");
+ 			      	break;
+ 
+-	case PERM_FULL_RUNAS:
+-				/* headed for exec(), assume euid == ROOT_UID */
+-				runas_setup();
+-				if (setresuid(def_stay_setuid ?
+-				    user_uid : runas_pw->pw_uid,
+-				    runas_pw->pw_uid, runas_pw->pw_uid))
+-				    err(1, "unable to change to runas uid");
+-				break;
+-
+ 	case PERM_SUDOERS:
+ 				/* assume euid == ROOT_UID, ruid == user */
+ 				if (setresgid(-1, SUDOERS_GID, -1))
 diff -up sudo-1.6.9p4/sudo.c.audit sudo-1.6.9p4/sudo.c
---- sudo-1.6.9p4/sudo.c.audit	2007-08-30 20:06:30.000000000 +0400
-+++ sudo-1.6.9p4/sudo.c	2007-08-30 20:18:26.000000000 +0400
+--- sudo-1.6.9p4/sudo.c.audit	2008-01-07 19:52:41.000000000 +0100
++++ sudo-1.6.9p4/sudo.c	2008-01-07 19:52:41.000000000 +0100
 @@ -97,6 +97,10 @@
  # include <sys/task.h>
  #endif
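Review bot: The err() calls added in the PERM_FULL_RUNAS capability block (the `cap_init`, `cap_set_flag`, `prctl` and `cap_set_proc` checks) embed a trailing `\n` in the format string, but sudo's err() already appends `: strerror(errno)` and a newline, so each failure message is split by a line break before the errno text; drop the `\n`, e.g. `err(1, "Error setting KEEPCAPS, aborting");`. The two `prctl(PR_SET_KEEPCAPS, …)` checks also test the result differently (`if (prctl(...))` versus `< 0`); using `< 0` in both keeps the block uniform. A short comment would help the next reader, since the intent is easy to misread as adding a privilege: `/* cap_init() yields an empty set, so cap_set_proc() after setresuid() leaves only CAP_AUDIT_WRITE in P and E */`. The enclosing set_perms() function begins and ends outside this hunk.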
@@ -280,8 +221,8 @@
  	exit(127);
      } else if (ISSET(validated, FLAG_NO_USER) || (validated & FLAG_NO_HOST)) {
 diff -up sudo-1.6.9p4/configure.in.audit sudo-1.6.9p4/configure.in
---- sudo-1.6.9p4/configure.in.audit	2007-08-30 20:06:30.000000000 +0400
-+++ sudo-1.6.9p4/configure.in	2007-08-30 20:06:30.000000000 +0400
+--- sudo-1.6.9p4/configure.in.audit	2008-01-07 19:52:41.000000000 +0100
++++ sudo-1.6.9p4/configure.in	2008-01-07 19:52:41.000000000 +0100
 @@ -150,6 +150,10 @@ dnl
  dnl Options for --with
  dnl
@@ -319,83 +260,146 @@
  dnl
  dnl Add in any libpaths or libraries specified via configure
  dnl
-diff -up sudo-1.6.9p4/set_perms.c.audit sudo-1.6.9p4/set_perms.c
---- sudo-1.6.9p4/set_perms.c.audit	2007-07-06 18:16:22.000000000 +0400
-+++ sudo-1.6.9p4/set_perms.c	2007-08-30 20:06:30.000000000 +0400
-@@ -53,6 +53,10 @@
- #ifdef HAVE_LOGIN_CAP_H
- # include <login_cap.h>
- #endif
-+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
-+# include <sys/prctl.h>
-+# include <sys/capability.h>
-+#endif
+diff -up /dev/null sudo-1.6.9p4/audit_help.c
+--- /dev/null	2008-01-04 00:33:16.572612675 +0100
++++ sudo-1.6.9p4/audit_help.c	2008-01-07 19:55:40.000000000 +0100
+@@ -0,0 +1,88 @@
++/*
++ *  Audit helper functions used throughout sudo
++ *
++ *  Copyright (C) 2007, Red Hat, Inc.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ * 3. Neither the name of Julianne F. Haugh nor the names of its contributors
++ *    may be used to endorse or promote products derived from this software
++ *    without specific prior written permission.
++ *
++ * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED.  IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ */
++
++#include <config.h>
++
++#ifdef WITH_AUDIT
++
++#include <stdlib.h>
++#include <syslog.h>
++#include <stdarg.h>
++#include <libaudit.h>
++#include <errno.h>
++#include <stdio.h>
++#include <unistd.h>
++#include <sys/types.h>
++
++int audit_fd;
++
++void audit_help_open (void)
++{
++	audit_fd = audit_open ();
++	if (audit_fd < 0) {
++        	/* You get these only when the kernel doesn't have
++                 * audit compiled in. */
++		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
++		    errno == EAFNOSUPPORT)
++			return;
++		fprintf (stderr, "Cannot open audit interface - aborting.\n");
++		exit (1);
++	}
++}
++
++/*
++ * This function will log a message to the audit system using a predefined
++ * message format. Parameter usage is as follows:
++ *
++ * type - type of message: AUDIT_USER_CMD
++ * command - the command being logged
++ * result - 1 is "success" and 0 is "failed"
++ *
++ */
++void audit_logger (int type, const char *command, int result)
++{
++	int err;
++
++	if (audit_fd < 0)
++		return;
++	else {
++               err = audit_log_user_command (audit_fd, type, command, NULL, result);
++               /* The kernel supports auditing and we had
++                  enough privilege to write to the socket. */
++               if( err <= 0 && !(errno == EPERM && getuid() != 0) ) {
++                       perror("audit_log_user_command()");
++               }
++	}
++}
++
++
++#endif                         /* WITH_AUDIT */
++
++
+diff -up sudo-1.6.9p4/Makefile.in.audit sudo-1.6.9p4/Makefile.in
+--- sudo-1.6.9p4/Makefile.in.audit	2007-08-15 16:16:57.000000000 +0200
++++ sudo-1.6.9p4/Makefile.in	2008-01-07 19:52:41.000000000 +0100
+@@ -118,11 +118,13 @@ HDRS = compat.h def_data.h defaults.h in
  
- #include "sudo.h"
+ AUTH_OBJS = sudo_auth.o @AUTH_OBJS@
  
-@@ -101,22 +105,55 @@ set_perms(perm)
- 				if (setresuid(user_uid, user_uid, user_uid))
- 				    err(1, "setresuid(user_uid, user_uid, user_uid)");
- 			      	break;
--				
++AUDIT_OBJS = audit_help.o 
 +
-+        case PERM_FULL_RUNAS:
-+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
-+                                { /* BEGIN CAP BLOCK */
-+                                cap_t new_caps;
-+                                cap_value_t cap_list[] = { CAP_AUDIT_WRITE };
-+ 
-+                                if (runas_pw->pw_uid != ROOT_UID) {
-+                                    new_caps = cap_init ();
-+                                    if (!new_caps)
-+                                        err(1, "Error initing capabilities, aborting.\n");
-+                                    
-+                                    if(cap_set_flag(new_caps, CAP_PERMITTED, 1, cap_list, CAP_SET) ||
-+                                       cap_set_flag(new_caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET)) {
-+                                         err(1, "Error setting capabilities, aborting\n");   
-+                                    }
-+                                                                
-+                                    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0))
-+                                        err(1, "Error setting KEEPCAPS, aborting\n");
-+                                }
-+#endif                          
-+                                /* headed for exec(), assume euid == ROOT_UID */                                      
-+                                runas_setup ();
-+                                if (setresuid(def_stay_setuid ? 
-+                                    user_uid : runas_pw->pw_uid,
-+                                    runas_pw->pw_uid, runas_pw->pw_uid))
-+                                    err(1, "unable to change to runas uid");
+ PARSEOBJS = sudo.tab.o lex.yy.o alloc.o defaults.o
+ 
+ SUDOBJS = check.o env.o getspwuid.o gettime.o goodpath.o fileops.o find_path.o \
+ 	  interfaces.o logging.o parse.o set_perms.o sudo.o sudo_edit.o \
+-	  tgetpass.o zero_bytes.o @SUDO_OBJS@ $(AUTH_OBJS) $(PARSEOBJS)
++	  tgetpass.o zero_bytes.o @SUDO_OBJS@ $(AUTH_OBJS) $(PARSEOBJS) $(AUDIT_OBJS)
+ 
+ VISUDOBJS = visudo.o fileops.o gettime.o goodpath.o find_path.o $(PARSEOBJS)
+ 
+@@ -273,6 +275,9 @@ securid5.o: $(authdir)/securid5.c $(AUTH
+ sia.o: $(authdir)/sia.c $(AUTHDEP)
+ 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/sia.c
+ 
++audit_help.o: audit_help.c sudo.h
++	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(LIBADUIT) $(srcdir)/audit_help.c
 +
-+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
-+                                if (runas_pw->pw_uid != ROOT_UID) {
-+                                    if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0)
-+                                        err(1, "Error resetting KEEPCAPS, aborting\n");
-+                                
-+                                    if (cap_set_proc(new_caps))
-+                                        err(1, "Error dropping capabilities, aborting\n");
-+                            
-+                                    if (cap_free (new_caps))
-+                                        err(1, "Error freeing caps\n");                        
-+                                }
-+	                        } /* END CAP BLOCK */
-+#endif
-+	                         break;
+ sudo.man.in: $(srcdir)/sudo.pod
+ 	@rm -f $(srcdir)/$@
+ 	( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e 1d -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" >> $@ )
+diff -up sudo-1.6.9p4/sudo.h.audit sudo-1.6.9p4/sudo.h
+--- sudo-1.6.9p4/sudo.h.audit	2008-01-07 19:52:41.000000000 +0100
++++ sudo-1.6.9p4/sudo.h	2008-01-07 19:52:41.000000000 +0100
+@@ -23,6 +23,8 @@
+ #ifndef _SUDO_SUDO_H
+ #define _SUDO_SUDO_H
+ 
++#include <config.h>
 +
- 	case PERM_RUNAS:
- 				(void) setresgid(-1, runas_pw->pw_gid, -1);
- 				if (setresuid(-1, runas_pw->pw_uid, -1))
- 				    err(1, "unable to change to runas uid");
- 			      	break;
+ #include <pathnames.h>
+ #include <limits.h>
+ #include "compat.h"
+@@ -274,4 +276,10 @@ extern int sudo_mode;
+ extern int errno;
+ #endif
  
--	case PERM_FULL_RUNAS:
--				/* headed for exec(), assume euid == ROOT_UID */
--				runas_setup();
--				if (setresuid(def_stay_setuid ?
--				    user_uid : runas_pw->pw_uid,
--				    runas_pw->pw_uid, runas_pw->pw_uid))
--				    err(1, "unable to change to runas uid");
--				break;
--
- 	case PERM_SUDOERS:
- 				/* assume euid == ROOT_UID, ruid == user */
- 				if (setresgid(-1, SUDOERS_GID, -1))
++#ifdef WITH_AUDIT
++extern int audit_fd;
++extern void audit_help_open (void);
++extern void audit_logger (int, const char *, int);
++#endif
++
+ #endif /* _SUDO_SUDO_H */
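Review bot: `int audit_fd;` in the new audit_help.c is zero-initialised, so on any path where audit_logger() runs before audit_help_open() the `audit_fd < 0` guard does not fire and audit_log_user_command() is attempted on descriptor 0; declare it as `int audit_fd = -1;` so an unopened audit socket makes the logger a no-op. In the same hunk, the Makefile.in rule for audit_help.o references `$(LIBADUIT)`, presumably a typo for LIBAUDIT that expands to nothing; link libraries do not belong on a `-c` compile line, so the reference can simply be dropped. The prerequisite list `audit_help.c sudo.h` also names a different path than the recipe's `$(srcdir)/audit_help.c`, which can miss rebuilds in an out-of-tree build; the neighbouring sia.o rule uses the same path in both places and is the pattern to follow. The `<syslog.h>` and `<stdarg.h>` includes are not used by the two functions shown.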



