|
version 1.1.1.2, 2012/05/29 12:26:49
|
version 1.1.1.3, 2012/10/09 09:29:52
|
|
Line 73 static char *new_logline(const char *, int);
|
Line 73 static char *new_logline(const char *, int);
|
| |
|
| extern sigjmp_buf error_jmp; |
extern sigjmp_buf error_jmp; |
| |
|
| |
extern char **NewArgv; /* XXX - for auditing */ |
| |
|
| #define MAXSYSLOGTRIES 16 /* num of retries for broken syslogs */ |
#define MAXSYSLOGTRIES 16 /* num of retries for broken syslogs */ |
| |
|
| /* |
/* |
|
Line 130 do_syslog(int pri, char *msg)
|
Line 132 do_syslog(int pri, char *msg)
|
| size_t len, maxlen; |
size_t len, maxlen; |
| char *p, *tmp, save; |
char *p, *tmp, save; |
| const char *fmt; |
const char *fmt; |
| |
#ifdef HAVE_SETLOCALE |
| |
const char *old_locale = estrdup(setlocale(LC_ALL, NULL)); |
| |
#endif |
| debug_decl(do_syslog, SUDO_DEBUG_LOGGING) |
debug_decl(do_syslog, SUDO_DEBUG_LOGGING) |
| |
|
| #ifdef HAVE_SETLOCALE |
#ifdef HAVE_SETLOCALE |
| const char *old_locale = estrdup(setlocale(LC_ALL, NULL)); |
|
| if (!setlocale(LC_ALL, def_sudoers_locale)) |
if (!setlocale(LC_ALL, def_sudoers_locale)) |
| setlocale(LC_ALL, "C"); |
setlocale(LC_ALL, "C"); |
| #endif /* HAVE_SETLOCALE */ |
#endif /* HAVE_SETLOCALE */ |
|
Line 245 do_logfile(char *msg)
|
Line 249 do_logfile(char *msg)
|
| /* |
/* |
| * Log and mail the denial message, optionally informing the user. |
* Log and mail the denial message, optionally informing the user. |
| */ |
*/ |
| void | static void |
| log_denial(int status, int inform_user) | log_denial(int status, bool inform_user) |
| { |
{ |
| char *logline, *message; |
char *logline, *message; |
| debug_decl(log_denial, SUDO_DEBUG_LOGGING) |
debug_decl(log_denial, SUDO_DEBUG_LOGGING) |
|
Line 300 log_denial(int status, int inform_user)
|
Line 304 log_denial(int status, int inform_user)
|
| } |
} |
| |
|
| /* |
/* |
| |
* Log and audit that user was not allowed to run the command. |
| |
*/ |
| |
void |
| |
log_failure(int status, int flags) |
| |
{ |
| |
debug_decl(log_failure, SUDO_DEBUG_LOGGING) |
| |
bool inform_user = true; |
| |
|
| |
/* Handle auditing first. */ |
| |
if (ISSET(status, FLAG_NO_USER | FLAG_NO_HOST)) |
| |
audit_failure(NewArgv, _("No user or host")); |
| |
else |
| |
audit_failure(NewArgv, _("validation failure")); |
| |
|
| |
/* The user doesn't always get to see the log message (path info). */ |
| |
if (!ISSET(status, FLAG_NO_USER | FLAG_NO_HOST) && def_path_info && |
| |
(flags == NOT_FOUND_DOT || flags == NOT_FOUND)) |
| |
inform_user = false; |
| |
log_denial(status, inform_user); |
| |
|
| |
if (!inform_user) { |
| |
/* |
| |
* We'd like to not leak path info at all here, but that can |
| |
* *really* confuse the users. To really close the leak we'd |
| |
* have to say "not allowed to run foo" even when the problem |
| |
* is just "no foo in path" since the user can trivially set |
| |
* their path to just contain a single dir. |
| |
*/ |
| |
if (flags == NOT_FOUND) |
| |
warningx(_("%s: command not found"), user_cmnd); |
| |
else if (flags == NOT_FOUND_DOT) |
| |
warningx(_("ignoring `%s' found in '.'\nUse `sudo ./%s' if this is the `%s' you wish to run."), user_cmnd, user_cmnd, user_cmnd); |
| |
} |
| |
|
| |
debug_return; |
| |
} |
| |
|
| |
/* |
| |
* Log and audit that user was not able to authenticate themselves. |
| |
*/ |
| |
void |
| |
log_auth_failure(int status, int tries) |
| |
{ |
| |
int flags = NO_MAIL; |
| |
debug_decl(log_auth_failure, SUDO_DEBUG_LOGGING) |
| |
|
| |
/* Handle auditing first. */ |
| |
audit_failure(NewArgv, _("authentication failure")); |
| |
|
| |
/* |
| |
* Do we need to send mail? |
| |
* We want to avoid sending multiple messages for the same command |
| |
* so if we are going to send an email about the denial, that takes |
| |
* precedence. |
| |
*/ |
| |
if (ISSET(status, VALIDATE_OK)) { |
| |
/* Command allowed, auth failed; do we need to send mail? */ |
| |
if (def_mail_badpass || def_mail_always) |
| |
flags = 0; |
| |
} else { |
| |
/* Command denied, auth failed; make sure we don't send mail twice. */ |
| |
if (def_mail_badpass && !should_mail(status)) |
| |
flags = 0; |
| |
/* Don't log the bad password message, we'll log a denial instead. */ |
| |
flags |= NO_LOG; |
| |
} |
| |
|
| |
/* |
| |
* If sudoers denied the command we'll log that separately. |
| |
*/ |
| |
if (ISSET(status, FLAG_BAD_PASSWORD)) { |
| |
log_error(flags, ngettext("%d incorrect password attempt", |
| |
"%d incorrect password attempts", tries), tries); |
| |
} else if (ISSET(status, FLAG_NON_INTERACTIVE)) { |
| |
log_error(flags, _("a password is required")); |
| |
} |
| |
|
| |
debug_return; |
| |
} |
| |
|
| |
/* |
| * Log and potentially mail the allowed command. |
* Log and potentially mail the allowed command. |
| */ |
*/ |
| void |
void |
|
Line 367 vlog_error(int flags, const char *fmt, va_list ap)
|
Line 452 vlog_error(int flags, const char *fmt, va_list ap)
|
| /* |
/* |
| * Log to syslog and/or a file. |
* Log to syslog and/or a file. |
| */ |
*/ |
| if (def_syslog) | if (!ISSET(flags, NO_LOG)) { |
| do_syslog(def_syslog_badpri, logline); | if (def_syslog) |
| if (def_logfile) | do_syslog(def_syslog_badpri, logline); |
| do_logfile(logline); | if (def_logfile) |
| | do_logfile(logline); |
| | } |
| |
|
| efree(logline); |
efree(logline); |
| |
|
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to logging.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / plugins / sudoers