summaryrefslogtreecommitdiffstats
path: root/plugins/sudoers/iolog.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--plugins/sudoers/iolog.c1292
1 files changed, 1292 insertions, 0 deletions
diff --git a/plugins/sudoers/iolog.c b/plugins/sudoers/iolog.c
new file mode 100644
index 0000000..b746c61
--- /dev/null
+++ b/plugins/sudoers/iolog.c
@@ -0,0 +1,1292 @@
+/*
+ * Copyright (c) 2009-2018 Todd C. Miller <Todd.Miller@sudo.ws>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * This is an open source non-commercial project. Dear PVS-Studio, please check it.
+ * PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com
+ */
+
+#include <config.h>
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <stdio.h>
+#include <stdlib.h>
+#ifdef HAVE_STRING_H
+# include <string.h>
+#endif /* HAVE_STRING_H */
+#ifdef HAVE_STRINGS_H
+# include <strings.h>
+#endif /* HAVE_STRINGS_H */
+#include <unistd.h>
+#include <time.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <signal.h>
+#include <pwd.h>
+#include <grp.h>
+
+#include "sudoers.h"
+#include "iolog.h"
+#include "iolog_files.h"
+
+/* XXX - separate sudoers.h and iolog.h? */
+#undef runas_pw
+#undef runas_gr
+
+struct iolog_details {
+ const char *cwd;
+ const char *tty;
+ const char *user;
+ const char *command;
+ const char *iolog_path;
+ struct passwd *runas_pw;
+ struct group *runas_gr;
+ int lines;
+ int cols;
+ bool ignore_iolog_errors;
+};
+
+static struct iolog_details iolog_details;
+static bool iolog_compress = false;
+static bool warned = false;
+static struct timespec last_time;
+static unsigned int sessid_max = SESSID_MAX;
+static mode_t iolog_filemode = S_IRUSR|S_IWUSR;
+static mode_t iolog_dirmode = S_IRWXU;
+static bool iolog_gid_set;
+
+/* shared with set_perms.c */
+uid_t iolog_uid = ROOT_UID;
+gid_t iolog_gid = ROOT_GID;
+
+/* sudoers_io is declared at the end of this file. */
+extern __dso_public struct io_plugin sudoers_io;
+
+/*
+ * Create directory and any parent directories as needed.
+ */
+static bool
+io_mkdirs(char *path)
+{
+ struct stat sb;
+ bool ok, uid_changed = false;
+ debug_decl(io_mkdirs, SUDOERS_DEBUG_UTIL)
+
+ ok = stat(path, &sb) == 0;
+ if (!ok && errno == EACCES) {
+ /* Try again as the I/O log owner (for NFS). */
+ if (set_perms(PERM_IOLOG)) {
+ ok = stat(path, &sb) == 0;
+ if (!restore_perms())
+ ok = false;
+ }
+ }
+ if (ok) {
+ if (S_ISDIR(sb.st_mode)) {
+ if (sb.st_uid != iolog_uid || sb.st_gid != iolog_gid) {
+ if (chown(path, iolog_uid, iolog_gid) != 0) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+ "%s: unable to chown %d:%d %s", __func__,
+ (int)iolog_uid, (int)iolog_gid, path);
+ }
+ }
+ if ((sb.st_mode & ALLPERMS) != iolog_dirmode) {
+ if (chmod(path, iolog_dirmode) != 0) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+ "%s: unable to chmod 0%o %s", __func__,
+ (int)iolog_dirmode, path);
+ }
+ }
+ } else {
+ sudo_warnx(U_("%s exists but is not a directory (0%o)"),
+ path, (unsigned int) sb.st_mode);
+ ok = false;
+ }
+ goto done;
+ }
+
+ ok = sudo_mkdir_parents(path, iolog_uid, iolog_gid, iolog_dirmode, true);
+ if (!ok && errno == EACCES) {
+ /* Try again as the I/O log owner (for NFS). */
+ uid_changed = set_perms(PERM_IOLOG);
+ ok = sudo_mkdir_parents(path, -1, -1, iolog_dirmode, false);
+ }
+ if (ok) {
+ /* Create final path component. */
+ sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
+ "mkdir %s, mode 0%o", path, (unsigned int) iolog_dirmode);
+ ok = mkdir(path, iolog_dirmode) == 0 || errno == EEXIST;
+ if (!ok) {
+ if (errno == EACCES && !uid_changed) {
+ /* Try again as the I/O log owner (for NFS). */
+ uid_changed = set_perms(PERM_IOLOG);
+ ok = mkdir(path, iolog_dirmode) == 0 || errno == EEXIST;
+ }
+ if (!ok)
+ sudo_warn(U_("unable to mkdir %s"), path);
+ } else {
+ if (chown(path, iolog_uid, iolog_gid) != 0) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+ "%s: unable to chown %d:%d %s", __func__,
+ (int)iolog_uid, (int)iolog_gid, path);
+ }
+ }
+ }
+ if (uid_changed) {
+ if (!restore_perms())
+ ok = false;
+ }
+done:
+ debug_return_bool(ok);
+}
+
+/*
+ * Create temporary directory and any parent directories as needed.
+ */
+static bool
+io_mkdtemp(char *path)
+{
+ bool ok, uid_changed = false;
+ debug_decl(io_mkdtemp, SUDOERS_DEBUG_UTIL)
+
+ ok = sudo_mkdir_parents(path, iolog_uid, iolog_gid, iolog_dirmode, true);
+ if (!ok && errno == EACCES) {
+ /* Try again as the I/O log owner (for NFS). */
+ uid_changed = set_perms(PERM_IOLOG);
+ ok = sudo_mkdir_parents(path, -1, -1, iolog_dirmode, false);
+ }
+ if (ok) {
+ /* Create final path component. */
+ sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
+ "mkdtemp %s", path);
+ /* We cannot retry mkdtemp() so always use PERM_IOLOG */
+ if (!uid_changed)
+ uid_changed = set_perms(PERM_IOLOG);
+ if (mkdtemp(path) == NULL) {
+ sudo_warn(U_("unable to mkdir %s"), path);
+ ok = false;
+ } else {
+ if (chmod(path, iolog_dirmode) != 0) {
+ sudo_warn(U_("unable to change mode of %s to 0%o"),
+ path, (unsigned int)iolog_dirmode);
+ }
+ }
+ }
+
+ if (uid_changed) {
+ if (!restore_perms())
+ ok = false;
+ }
+ debug_return_bool(ok);
+}
+
+/*
+ * Set max session ID (aka sequence number)
+ */
+static bool
+io_set_max_sessid(const char *maxval)
+{
+ const char *errstr;
+ unsigned int value;
+ debug_decl(io_set_max_sessid, SUDOERS_DEBUG_UTIL)
+
+ value = strtonum(maxval, 0, SESSID_MAX, &errstr);
+ if (errstr != NULL) {
+ if (errno != ERANGE) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+ "bad maxseq: %s: %s", maxval, errstr);
+ debug_return_bool(false);
+ }
+ /* Out of range, clamp to SESSID_MAX as documented. */
+ value = SESSID_MAX;
+ }
+ sessid_max = value;
+ debug_return_bool(true);
+}
+
+/*
+ * Sudoers callback for maxseq Defaults setting.
+ */
+bool
+cb_maxseq(const union sudo_defs_val *sd_un)
+{
+ debug_decl(cb_maxseq, SUDOERS_DEBUG_UTIL)
+
+ /* Clamp value to SESSID_MAX as documented. */
+ sessid_max = sd_un->uival < SESSID_MAX ? sd_un->uival : SESSID_MAX;
+ debug_return_bool(true);
+}
+
+/*
+ * Look up I/O log user ID from user name. Sets iolog_uid.
+ * Also sets iolog_gid if iolog_group not specified.
+ */
+static bool
+iolog_set_user(const char *name)
+{
+ struct passwd *pw;
+ debug_decl(iolog_set_user, SUDOERS_DEBUG_UTIL)
+
+ if (name != NULL) {
+ pw = sudo_getpwnam(name);
+ if (pw != NULL) {
+ iolog_uid = pw->pw_uid;
+ if (!iolog_gid_set)
+ iolog_gid = pw->pw_gid;
+ sudo_pw_delref(pw);
+ } else {
+ log_warningx(SLOG_SEND_MAIL,
+ N_("unknown user: %s"), name);
+ }
+ } else {
+ /* Reset to default. */
+ iolog_uid = ROOT_UID;
+ if (!iolog_gid_set)
+ iolog_gid = ROOT_GID;
+ }
+
+ debug_return_bool(true);
+}
+
+/*
+ * Sudoers callback for iolog_user Defaults setting.
+ */
+bool
+cb_iolog_user(const union sudo_defs_val *sd_un)
+{
+ return iolog_set_user(sd_un->str);
+}
+
+/*
+ * Look up I/O log group ID from group name.
+ * Sets iolog_gid.
+ */
+static bool
+iolog_set_group(const char *name)
+{
+ struct group *gr;
+ debug_decl(iolog_set_group, SUDOERS_DEBUG_UTIL)
+
+ if (name != NULL) {
+ gr = sudo_getgrnam(name);
+ if (gr != NULL) {
+ iolog_gid = gr->gr_gid;
+ iolog_gid_set = true;
+ sudo_gr_delref(gr);
+ } else {
+ log_warningx(SLOG_SEND_MAIL,
+ N_("unknown group: %s"), name);
+ }
+ } else {
+ /* Reset to default. */
+ iolog_gid = ROOT_GID;
+ iolog_gid_set = false;
+ }
+
+ debug_return_bool(true);
+}
+
+/*
+ * Look up I/O log group ID from group name.
+ */
+bool
+cb_iolog_group(const union sudo_defs_val *sd_un)
+{
+ return iolog_set_group(sd_un->str);
+}
+
+/*
+ * Set iolog_filemode and iolog_dirmode.
+ */
+static bool
+iolog_set_mode(mode_t mode)
+{
+ debug_decl(iolog_set_mode, SUDOERS_DEBUG_UTIL)
+
+ /* I/O log files must be readable and writable by owner. */
+ iolog_filemode = S_IRUSR|S_IWUSR;
+
+ /* Add in group and other read/write if specified. */
+ iolog_filemode |= mode & (S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH);
+
+ /* For directory mode, add execute bits as needed. */
+ iolog_dirmode = iolog_filemode | S_IXUSR;
+ if (iolog_dirmode & (S_IRGRP|S_IWGRP))
+ iolog_dirmode |= S_IXGRP;
+ if (iolog_dirmode & (S_IROTH|S_IWOTH))
+ iolog_dirmode |= S_IXOTH;
+
+ debug_return_bool(true);
+}
+
+/*
+ * Sudoers callback for iolog_mode Defaults setting.
+ */
+bool
+cb_iolog_mode(const union sudo_defs_val *sd_un)
+{
+ return iolog_set_mode(sd_un->mode);
+}
+
+/*
+ * Wrapper for open(2) that retries with PERM_IOLOG if open(2)
+ * returns EACCES.
+ */
+static int
+io_open(const char *path, int flags, mode_t perm)
+{
+ int fd;
+ debug_decl(io_open, SUDOERS_DEBUG_UTIL)
+
+ fd = open(path, flags, perm);
+ if (fd == -1 && errno == EACCES) {
+ /* Try again as the I/O log owner (for NFS). */
+ if (set_perms(PERM_IOLOG)) {
+ fd = open(path, flags, perm);
+ if (!restore_perms()) {
+ /* restore_perms() warns on error. */
+ if (fd != -1) {
+ close(fd);
+ fd = -1;
+ }
+ }
+ }
+ }
+ debug_return_int(fd);
+}
+
+/*
+ * Read the on-disk sequence number, set sessid to the next
+ * number, and update the on-disk copy.
+ * Uses file locking to avoid sequence number collisions.
+ */
+bool
+io_nextid(char *iolog_dir, char *iolog_dir_fallback, char sessid[7])
+{
+ struct stat sb;
+ char buf[32], *ep;
+ int i, len, fd = -1;
+ unsigned long id = 0;
+ mode_t omask;
+ ssize_t nread;
+ bool ret = false;
+ char pathbuf[PATH_MAX];
+ static const char b36char[] = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+ debug_decl(io_nextid, SUDOERS_DEBUG_UTIL)
+
+ /* umask must not be more restrictive than the file modes. */
+ omask = umask(ACCESSPERMS & ~(iolog_filemode|iolog_dirmode));
+
+ /*
+ * Create I/O log directory if it doesn't already exist.
+ */
+ if (!io_mkdirs(iolog_dir))
+ goto done;
+
+ /*
+ * Open sequence file
+ */
+ len = snprintf(pathbuf, sizeof(pathbuf), "%s/seq", iolog_dir);
+ if (len <= 0 || (size_t)len >= sizeof(pathbuf)) {
+ errno = ENAMETOOLONG;
+ log_warning(SLOG_SEND_MAIL, "%s/seq", pathbuf);
+ goto done;
+ }
+ fd = io_open(pathbuf, O_RDWR|O_CREAT, iolog_filemode);
+ if (fd == -1) {
+ log_warning(SLOG_SEND_MAIL, N_("unable to open %s"), pathbuf);
+ goto done;
+ }
+ sudo_lock_file(fd, SUDO_LOCK);
+ if (fchown(fd, iolog_uid, iolog_gid) != 0) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+ "%s: unable to fchown %d:%d %s", __func__,
+ (int)iolog_uid, (int)iolog_gid, pathbuf);
+ }
+
+ /*
+ * If there is no seq file in iolog_dir and a fallback dir was
+ * specified, look for seq in the fallback dir. This is to work
+ * around a bug in sudo 1.8.5 and older where iolog_dir was not
+ * expanded before the sequence number was updated.
+ */
+ if (iolog_dir_fallback != NULL && fstat(fd, &sb) == 0 && sb.st_size == 0) {
+ char fallback[PATH_MAX];
+
+ len = snprintf(fallback, sizeof(fallback), "%s/seq",
+ iolog_dir_fallback);
+ if (len > 0 && (size_t)len < sizeof(fallback)) {
+ int fd2 = io_open(fallback, O_RDWR|O_CREAT, iolog_filemode);
+ if (fd2 != -1) {
+ if (fchown(fd2, iolog_uid, iolog_gid) != 0) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+ "%s: unable to fchown %d:%d %s", __func__,
+ (int)iolog_uid, (int)iolog_gid, fallback);
+ }
+ nread = read(fd2, buf, sizeof(buf) - 1);
+ if (nread > 0) {
+ if (buf[nread - 1] == '\n')
+ nread--;
+ buf[nread] = '\0';
+ id = strtoul(buf, &ep, 36);
+ if (ep == buf || *ep != '\0' || id >= sessid_max) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+ "%s: bad sequence number: %s", fallback, buf);
+ id = 0;
+ }
+ }
+ close(fd2);
+ }
+ }
+ }
+
+ /* Read current seq number (base 36). */
+ if (id == 0) {
+ nread = read(fd, buf, sizeof(buf) - 1);
+ if (nread != 0) {
+ if (nread == -1) {
+ log_warning(SLOG_SEND_MAIL, N_("unable to read %s"), pathbuf);
+ goto done;
+ }
+ if (buf[nread - 1] == '\n')
+ nread--;
+ buf[nread] = '\0';
+ id = strtoul(buf, &ep, 36);
+ if (ep == buf || *ep != '\0' || id >= sessid_max) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+ "%s: bad sequence number: %s", pathbuf, buf);
+ id = 0;
+ }
+ }
+ }
+ id++;
+
+ /*
+ * Convert id to a string and stash in sessid.
+ * Note that that least significant digits go at the end of the string.
+ */
+ for (i = 5; i >= 0; i--) {
+ buf[i] = b36char[id % 36];
+ id /= 36;
+ }
+ buf[6] = '\n';
+
+ /* Stash id for logging purposes. */
+ memcpy(sessid, buf, 6);
+ sessid[6] = '\0';
+
+ /* Rewind and overwrite old seq file, including the NUL byte. */
+#ifdef HAVE_PWRITE
+ if (pwrite(fd, buf, 7, 0) != 7) {
+#else
+ if (lseek(fd, 0, SEEK_SET) == -1 || write(fd, buf, 7) != 7) {
+#endif
+ log_warning(SLOG_SEND_MAIL, N_("unable to write to %s"), pathbuf);
+ warned = true;
+ goto done;
+ }
+ ret = true;
+
+done:
+ umask(omask);
+ if (fd != -1)
+ close(fd);
+ debug_return_bool(ret);
+}
+
+/*
+ * Copy iolog_path to pathbuf and create the directory and any intermediate
+ * directories. If iolog_path ends in 'XXXXXX', use mkdtemp().
+ * Returns SIZE_MAX on error.
+ */
+static size_t
+mkdir_iopath(const char *iolog_path, char *pathbuf, size_t pathsize)
+{
+ size_t len;
+ bool ok;
+ debug_decl(mkdir_iopath, SUDOERS_DEBUG_UTIL)
+
+ len = strlcpy(pathbuf, iolog_path, pathsize);
+ if (len >= pathsize) {
+ errno = ENAMETOOLONG;
+ log_warning(SLOG_SEND_MAIL, "%s", iolog_path);
+ debug_return_size_t((size_t)-1);
+ }
+
+ /*
+ * Create path and intermediate subdirs as needed.
+ * If path ends in at least 6 Xs (ala POSIX mktemp), use mkdtemp().
+ * Sets iolog_gid (if it is not already set) as a side effect.
+ */
+ if (len >= 6 && strcmp(&pathbuf[len - 6], "XXXXXX") == 0)
+ ok = io_mkdtemp(pathbuf);
+ else
+ ok = io_mkdirs(pathbuf);
+
+ debug_return_size_t(ok ? len : (size_t)-1);
+}
+
+/*
+ * Append suffix to pathbuf after len chars and open the resulting file.
+ * Note that the size of pathbuf is assumed to be PATH_MAX.
+ * Uses zlib if docompress is true.
+ * Stores the open file handle which has the close-on-exec flag set.
+ */
+static bool
+open_io_fd(char *pathbuf, size_t len, struct io_log_file *iol, bool docompress)
+{
+ debug_decl(open_io_fd, SUDOERS_DEBUG_UTIL)
+
+ pathbuf[len] = '\0';
+ strlcat(pathbuf, iol->suffix, PATH_MAX);
+ if (iol->enabled) {
+ int fd = io_open(pathbuf, O_CREAT|O_TRUNC|O_WRONLY, iolog_filemode);
+ if (fd != -1) {
+ if (fchown(fd, iolog_uid, iolog_gid) != 0) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+ "%s: unable to fchown %d:%d %s", __func__,
+ (int)iolog_uid, (int)iolog_gid, pathbuf);
+ }
+ (void)fcntl(fd, F_SETFD, FD_CLOEXEC);
+#ifdef HAVE_ZLIB_H
+ if (docompress)
+ iol->fd.g = gzdopen(fd, "w");
+ else
+#endif
+ iol->fd.f = fdopen(fd, "w");
+ if (iol->fd.v == NULL) {
+ close(fd);
+ fd = -1;
+ }
+ }
+ if (fd == -1) {
+ log_warning(SLOG_SEND_MAIL, N_("unable to create %s"), pathbuf);
+ debug_return_bool(false);
+ }
+ } else {
+ /* Remove old log file if we recycled sequence numbers. */
+ unlink(pathbuf);
+ }
+ debug_return_bool(true);
+}
+
+/*
+ * Pull out I/O log related data from user_info and command_info arrays.
+ * Returns true if I/O logging is enabled, else false.
+ */
+static bool
+iolog_deserialize_info(struct iolog_details *details, char * const user_info[],
+ char * const command_info[])
+{
+ const char *runas_uid_str = "0", *runas_euid_str = NULL;
+ const char *runas_gid_str = "0", *runas_egid_str = NULL;
+ const char *errstr;
+ char idbuf[MAX_UID_T_LEN + 2];
+ char * const *cur;
+ id_t id;
+ uid_t runas_uid = 0;
+ gid_t runas_gid = 0;
+ debug_decl(iolog_deserialize_info, SUDOERS_DEBUG_UTIL)
+
+ details->lines = 24;
+ details->cols = 80;
+
+ for (cur = user_info; *cur != NULL; cur++) {
+ switch (**cur) {
+ case 'c':
+ if (strncmp(*cur, "cols=", sizeof("cols=") - 1) == 0) {
+ int n = strtonum(*cur + sizeof("cols=") - 1, 1, INT_MAX, NULL);
+ if (n > 0)
+ details->cols = n;
+ continue;
+ }
+ if (strncmp(*cur, "cwd=", sizeof("cwd=") - 1) == 0) {
+ details->cwd = *cur + sizeof("cwd=") - 1;
+ continue;
+ }
+ break;
+ case 'l':
+ if (strncmp(*cur, "lines=", sizeof("lines=") - 1) == 0) {
+ int n = strtonum(*cur + sizeof("lines=") - 1, 1, INT_MAX, NULL);
+ if (n > 0)
+ details->lines = n;
+ continue;
+ }
+ break;
+ case 't':
+ if (strncmp(*cur, "tty=", sizeof("tty=") - 1) == 0) {
+ details->tty = *cur + sizeof("tty=") - 1;
+ continue;
+ }
+ break;
+ case 'u':
+ if (strncmp(*cur, "user=", sizeof("user=") - 1) == 0) {
+ details->user = *cur + sizeof("user=") - 1;
+ continue;
+ }
+ break;
+ }
+ }
+
+ for (cur = command_info; *cur != NULL; cur++) {
+ switch (**cur) {
+ case 'c':
+ if (strncmp(*cur, "command=", sizeof("command=") - 1) == 0) {
+ details->command = *cur + sizeof("command=") - 1;
+ continue;
+ }
+ break;
+ case 'i':
+ if (strncmp(*cur, "ignore_iolog_errors=", sizeof("ignore_iolog_errors=") - 1) == 0) {
+ if (sudo_strtobool(*cur + sizeof("ignore_iolog_errors=") - 1) == true)
+ details->ignore_iolog_errors = true;
+ continue;
+ }
+ if (strncmp(*cur, "iolog_path=", sizeof("iolog_path=") - 1) == 0) {
+ details->iolog_path = *cur + sizeof("iolog_path=") - 1;
+ continue;
+ }
+ if (strncmp(*cur, "iolog_stdin=", sizeof("iolog_stdin=") - 1) == 0) {
+ if (sudo_strtobool(*cur + sizeof("iolog_stdin=") - 1) == true)
+ io_log_files[IOFD_STDIN].enabled = true;
+ continue;
+ }
+ if (strncmp(*cur, "iolog_stdout=", sizeof("iolog_stdout=") - 1) == 0) {
+ if (sudo_strtobool(*cur + sizeof("iolog_stdout=") - 1) == true)
+ io_log_files[IOFD_STDOUT].enabled = true;
+ continue;
+ }
+ if (strncmp(*cur, "iolog_stderr=", sizeof("iolog_stderr=") - 1) == 0) {
+ if (sudo_strtobool(*cur + sizeof("iolog_stderr=") - 1) == true)
+ io_log_files[IOFD_STDERR].enabled = true;
+ continue;
+ }
+ if (strncmp(*cur, "iolog_ttyin=", sizeof("iolog_ttyin=") - 1) == 0) {
+ if (sudo_strtobool(*cur + sizeof("iolog_ttyin=") - 1) == true)
+ io_log_files[IOFD_TTYIN].enabled = true;
+ continue;
+ }
+ if (strncmp(*cur, "iolog_ttyout=", sizeof("iolog_ttyout=") - 1) == 0) {
+ if (sudo_strtobool(*cur + sizeof("iolog_ttyout=") - 1) == true)
+ io_log_files[IOFD_TTYOUT].enabled = true;
+ continue;
+ }
+ if (strncmp(*cur, "iolog_compress=", sizeof("iolog_compress=") - 1) == 0) {
+ if (sudo_strtobool(*cur + sizeof("iolog_compress=") - 1) == true)
+ iolog_compress = true; /* must be global */
+ continue;
+ }
+ if (strncmp(*cur, "iolog_mode=", sizeof("iolog_mode=") - 1) == 0) {
+ mode_t mode = sudo_strtomode(*cur + sizeof("iolog_mode=") - 1, &errstr);
+ if (errstr == NULL)
+ iolog_set_mode(mode);
+ continue;
+ }
+ if (strncmp(*cur, "iolog_group=", sizeof("iolog_group=") - 1) == 0) {
+ iolog_set_group(*cur + sizeof("iolog_group=") - 1);
+ continue;
+ }
+ if (strncmp(*cur, "iolog_user=", sizeof("iolog_user=") - 1) == 0) {
+ iolog_set_user(*cur + sizeof("iolog_user=") - 1);
+ continue;
+ }
+ break;
+ case 'm':
+ if (strncmp(*cur, "maxseq=", sizeof("maxseq=") - 1) == 0) {
+ io_set_max_sessid(*cur + sizeof("maxseq=") - 1);
+ continue;
+ }
+ break;
+ case 'r':
+ if (strncmp(*cur, "runas_gid=", sizeof("runas_gid=") - 1) == 0) {
+ runas_gid_str = *cur + sizeof("runas_gid=") - 1;
+ continue;
+ }
+ if (strncmp(*cur, "runas_egid=", sizeof("runas_egid=") - 1) == 0) {
+ runas_egid_str = *cur + sizeof("runas_egid=") - 1;
+ continue;
+ }
+ if (strncmp(*cur, "runas_uid=", sizeof("runas_uid=") - 1) == 0) {
+ runas_uid_str = *cur + sizeof("runas_uid=") - 1;
+ continue;
+ }
+ if (strncmp(*cur, "runas_euid=", sizeof("runas_euid=") - 1) == 0) {
+ runas_euid_str = *cur + sizeof("runas_euid=") - 1;
+ continue;
+ }
+ break;
+ }
+ }
+
+ /*
+ * Lookup runas user and group, preferring effective over real uid/gid.
+ */
+ if (runas_euid_str != NULL)
+ runas_uid_str = runas_euid_str;
+ if (runas_uid_str != NULL) {
+ id = sudo_strtoid(runas_uid_str, NULL, NULL, &errstr);
+ if (errstr != NULL)
+ sudo_warnx("runas uid %s: %s", runas_uid_str, U_(errstr));
+ else
+ runas_uid = (uid_t)id;
+ }
+ if (runas_egid_str != NULL)
+ runas_gid_str = runas_egid_str;
+ if (runas_gid_str != NULL) {
+ id = sudo_strtoid(runas_gid_str, NULL, NULL, &errstr);
+ if (errstr != NULL)
+ sudo_warnx("runas gid %s: %s", runas_gid_str, U_(errstr));
+ else
+ runas_gid = (gid_t)id;
+ }
+
+ details->runas_pw = sudo_getpwuid(runas_uid);
+ if (details->runas_pw == NULL) {
+ idbuf[0] = '#';
+ strlcpy(&idbuf[1], runas_uid_str, sizeof(idbuf) - 1);
+ details->runas_pw = sudo_fakepwnam(idbuf, runas_gid);
+ }
+
+ if (runas_gid != details->runas_pw->pw_gid) {
+ details->runas_gr = sudo_getgrgid(runas_gid);
+ if (details->runas_gr == NULL) {
+ idbuf[0] = '#';
+ strlcpy(&idbuf[1], runas_gid_str, sizeof(idbuf) - 1);
+ details->runas_gr = sudo_fakegrnam(idbuf);
+ }
+ }
+ debug_return_bool(
+ io_log_files[IOFD_STDIN].enabled || io_log_files[IOFD_STDOUT].enabled ||
+ io_log_files[IOFD_STDERR].enabled || io_log_files[IOFD_TTYIN].enabled ||
+ io_log_files[IOFD_TTYOUT].enabled);
+}
+
+/*
+ * Write the "/log" file that contains the user and command info.
+ * This file is not compressed.
+ */
+static bool
+write_info_log(char *pathbuf, size_t len, struct iolog_details *details,
+ char * const argv[])
+{
+ time_t now;
+ char * const *av;
+ FILE *fp;
+ int fd;
+ bool ret = true;
+ debug_decl(write_info_log, SUDOERS_DEBUG_UTIL)
+
+ pathbuf[len] = '\0';
+ strlcat(pathbuf, "/log", PATH_MAX);
+ fd = io_open(pathbuf, O_CREAT|O_TRUNC|O_WRONLY, iolog_filemode);
+ if (fd == -1 || (fp = fdopen(fd, "w")) == NULL) {
+ log_warning(SLOG_SEND_MAIL, N_("unable to create %s"), pathbuf);
+ debug_return_bool(false);
+ }
+ if (fchown(fd, iolog_uid, iolog_gid) != 0) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+ "%s: unable to fchown %d:%d %s", __func__,
+ (int)iolog_uid, (int)iolog_gid, pathbuf);
+ }
+
+ fprintf(fp, "%lld:%s:%s:%s:%s:%d:%d\n%s\n%s", (long long)time(&now),
+ details->user ? details->user : "unknown", details->runas_pw->pw_name,
+ details->runas_gr ? details->runas_gr->gr_name : "",
+ details->tty ? details->tty : "unknown", details->lines, details->cols,
+ details->cwd ? details->cwd : "unknown",
+ details->command ? details->command : "unknown");
+ for (av = argv + 1; *av != NULL; av++) {
+ fputc(' ', fp);
+ fputs(*av, fp);
+ }
+ fputc('\n', fp);
+ fflush(fp);
+ if (ferror(fp)) {
+ log_warning(SLOG_SEND_MAIL,
+ N_("unable to write to I/O log file: %s"), strerror(errno));
+ warned = true;
+ ret = false;
+ }
+ fclose(fp);
+ debug_return_bool(ret);
+}
+
+#ifdef HAVE_ZLIB_H
+static const char *
+gzstrerror(gzFile file)
+{
+ int errnum;
+
+ return gzerror(file, &errnum);
+}
+#endif /* HAVE_ZLIB_H */
+
+/*
+ * Write to an I/O log, compressing if iolog_compress is enabled.
+ * If def_iolog_flush is true, flush the buffer immediately.
+ */
+static const char *
+iolog_write(union io_fd ifd, const void *buf, unsigned int len)
+{
+ const char *errstr = NULL;
+ debug_decl(iolog_write, SUDOERS_DEBUG_PLUGIN)
+
+#ifdef HAVE_ZLIB_H
+ if (iolog_compress) {
+ if (gzwrite(ifd.g, (const voidp)buf, len) != (int)len) {
+ errstr = gzstrerror(ifd.g);
+ goto done;
+ }
+ if (def_iolog_flush) {
+ if (gzflush(ifd.g, Z_SYNC_FLUSH) != Z_OK) {
+ errstr = gzstrerror(ifd.g);
+ goto done;
+ }
+ }
+ } else
+#endif
+ {
+ if (fwrite(buf, 1, len, ifd.f) != len) {
+ errstr = strerror(errno);
+ goto done;
+ }
+ if (def_iolog_flush) {
+ if (fflush(ifd.f) != 0) {
+ errstr = strerror(errno);
+ goto done;
+ }
+ }
+ }
+
+done:
+ debug_return_const_str(errstr);
+}
+
+static int
+sudoers_io_open(unsigned int version, sudo_conv_t conversation,
+ sudo_printf_t plugin_printf, char * const settings[],
+ char * const user_info[], char * const command_info[],
+ int argc, char * const argv[], char * const user_env[], char * const args[])
+{
+ struct sudo_conf_debug_file_list debug_files = TAILQ_HEAD_INITIALIZER(debug_files);
+ char pathbuf[PATH_MAX], sessid[7];
+ char *tofree = NULL;
+ char * const *cur;
+ const char *cp, *plugin_path = NULL;
+ size_t len;
+ mode_t omask;
+ int i, ret = -1;
+ debug_decl(sudoers_io_open, SUDOERS_DEBUG_PLUGIN)
+
+ sudo_conv = conversation;
+ sudo_printf = plugin_printf;
+
+ /* If we have no command (because -V was specified) just return. */
+ if (argc == 0)
+ debug_return_int(true);
+
+ bindtextdomain("sudoers", LOCALEDIR);
+
+ /* Initialize the debug subsystem. */
+ for (cur = settings; (cp = *cur) != NULL; cur++) {
+ if (strncmp(cp, "debug_flags=", sizeof("debug_flags=") - 1) == 0) {
+ cp += sizeof("debug_flags=") - 1;
+ if (!sudoers_debug_parse_flags(&debug_files, cp))
+ debug_return_int(-1);
+ continue;
+ }
+ if (strncmp(cp, "plugin_path=", sizeof("plugin_path=") - 1) == 0) {
+ plugin_path = cp + sizeof("plugin_path=") - 1;
+ continue;
+ }
+ }
+
+ /* umask must not be more restrictive than the file modes. */
+ omask = umask(ACCESSPERMS & ~(iolog_filemode|iolog_dirmode));
+
+ if (!sudoers_debug_register(plugin_path, &debug_files)) {
+ ret = -1;
+ goto done;
+ }
+
+ /*
+ * Pull iolog settings out of command_info.
+ */
+ if (!iolog_deserialize_info(&iolog_details, user_info, command_info)) {
+ ret = false;
+ goto done;
+ }
+
+ /* If no I/O log path defined we need to figure it out ourselves. */
+ if (iolog_details.iolog_path == NULL) {
+ /* Get next session ID and convert it into a path. */
+ tofree = malloc(sizeof(_PATH_SUDO_IO_LOGDIR) + sizeof(sessid) + 2);
+ if (tofree == NULL) {
+ sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ goto done;
+ }
+ memcpy(tofree, _PATH_SUDO_IO_LOGDIR, sizeof(_PATH_SUDO_IO_LOGDIR));
+ if (!io_nextid(tofree, NULL, sessid)) {
+ ret = false;
+ goto done;
+ }
+ snprintf(tofree + sizeof(_PATH_SUDO_IO_LOGDIR), sizeof(sessid) + 2,
+ "%c%c/%c%c/%c%c", sessid[0], sessid[1], sessid[2], sessid[3],
+ sessid[4], sessid[5]);
+ iolog_details.iolog_path = tofree;
+ }
+
+ /*
+ * Make local copy of I/O log path and create it, along with any
+ * intermediate subdirs. Calls mkdtemp() if iolog_path ends in XXXXXX.
+ */
+ len = mkdir_iopath(iolog_details.iolog_path, pathbuf, sizeof(pathbuf));
+ if (len >= sizeof(pathbuf))
+ goto done;
+
+ /* Write log file with user and command details. */
+ if (!write_info_log(pathbuf, len, &iolog_details, argv))
+ goto done;
+
+ /* Create the timing and I/O log files. */
+ for (i = 0; i < IOFD_MAX; i++) {
+ if (!open_io_fd(pathbuf, len, &io_log_files[i], iolog_compress))
+ goto done;
+ }
+
+ /*
+ * Clear I/O log function pointers for disabled log functions.
+ */
+ if (!io_log_files[IOFD_STDIN].enabled)
+ sudoers_io.log_stdin = NULL;
+ if (!io_log_files[IOFD_STDOUT].enabled)
+ sudoers_io.log_stdout = NULL;
+ if (!io_log_files[IOFD_STDERR].enabled)
+ sudoers_io.log_stderr = NULL;
+ if (!io_log_files[IOFD_TTYIN].enabled)
+ sudoers_io.log_ttyin = NULL;
+ if (!io_log_files[IOFD_TTYOUT].enabled)
+ sudoers_io.log_ttyout = NULL;
+
+ if (sudo_gettime_awake(&last_time) == -1) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+ "%s: unable to get time of day", __func__);
+ goto done;
+ }
+
+ ret = true;
+
+done:
+ umask(omask);
+ free(tofree);
+ if (iolog_details.runas_pw)
+ sudo_pw_delref(iolog_details.runas_pw);
+ if (iolog_details.runas_gr)
+ sudo_gr_delref(iolog_details.runas_gr);
+ sudo_freepwcache();
+ sudo_freegrcache();
+
+ /* Ignore errors if they occur if the policy says so. */
+ if (ret == -1 && iolog_details.ignore_iolog_errors)
+ ret = 0;
+
+ debug_return_int(ret);
+}
+
+static void
+sudoers_io_close(int exit_status, int error)
+{
+ const char *errstr = NULL;
+ int i;
+ debug_decl(sudoers_io_close, SUDOERS_DEBUG_PLUGIN)
+
+ for (i = 0; i < IOFD_MAX; i++) {
+ if (io_log_files[i].fd.v == NULL)
+ continue;
+#ifdef HAVE_ZLIB_H
+ if (iolog_compress) {
+ int errnum;
+
+ if (gzclose(io_log_files[i].fd.g) != Z_OK)
+ errstr = gzerror(io_log_files[i].fd.g, &errnum);
+ } else
+#endif
+ if (fclose(io_log_files[i].fd.f) != 0)
+ errstr = strerror(errno);
+ }
+
+ if (errstr != NULL && !warned) {
+ /* Only warn about I/O log file errors once. */
+ log_warning(SLOG_SEND_MAIL,
+ N_("unable to write to I/O log file: %s"), errstr);
+ warned = true;
+ }
+
+ sudoers_debug_deregister();
+
+ return;
+}
+
+static int
+sudoers_io_version(int verbose)
+{
+ debug_decl(sudoers_io_version, SUDOERS_DEBUG_PLUGIN)
+
+ sudo_printf(SUDO_CONV_INFO_MSG, "Sudoers I/O plugin version %s\n",
+ PACKAGE_VERSION);
+
+ debug_return_int(true);
+}
+
+/*
+ * Generic I/O logging function. Called by the I/O logging entry points.
+ * Returns 1 on success and -1 on error.
+ */
+static int
+sudoers_io_log(union io_fd ifd, const char *buf, unsigned int len, int event)
+{
+ struct timespec now, delay;
+ char tbuf[1024];
+ const char *errstr = NULL;
+ int ret = -1;
+ debug_decl(sudoers_io_log, SUDOERS_DEBUG_PLUGIN)
+
+ if (ifd.v == NULL) {
+ sudo_warnx(U_("%s: internal error, I/O log file for event %d not open"),
+ __func__, event);
+ debug_return_int(-1);
+ }
+
+ if (sudo_gettime_awake(&now) == -1) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+ "%s: unable to get time of day", __func__);
+ errstr = strerror(errno);
+ goto bad;
+ }
+
+ /* Write I/O log file entry. */
+ errstr = iolog_write(ifd, buf, len);
+ if (errstr != NULL)
+ goto done;
+
+ /* Write timing file entry. */
+ sudo_timespecsub(&now, &last_time, &delay);
+ len = (unsigned int)snprintf(tbuf, sizeof(tbuf), "%d %lld.%09ld %u\n",
+ event, (long long)delay.tv_sec, delay.tv_nsec, len);
+ if (len >= sizeof(tbuf)) {
+ /* Not actually possible due to the size of tbuf[]. */
+ errstr = strerror(EOVERFLOW);
+ goto done;
+ }
+ errstr = iolog_write(io_log_files[IOFD_TIMING].fd, tbuf, len);
+ if (errstr != NULL)
+ goto done;
+
+ /* Success. */
+ ret = 1;
+
+done:
+ last_time.tv_sec = now.tv_sec;
+ last_time.tv_nsec = now.tv_nsec;
+
+bad:
+ if (ret == -1) {
+ if (errstr != NULL && !warned) {
+ /* Only warn about I/O log file errors once. */
+ log_warning(SLOG_SEND_MAIL,
+ N_("unable to write to I/O log file: %s"), errstr);
+ warned = true;
+ }
+
+ /* Ignore errors if they occur if the policy says so. */
+ if (iolog_details.ignore_iolog_errors)
+ ret = 1;
+ }
+
+ debug_return_int(ret);
+}
+
+static int
+sudoers_io_log_stdin(const char *buf, unsigned int len)
+{
+ const union io_fd ifd = io_log_files[IOFD_STDIN].fd;
+
+ return sudoers_io_log(ifd, buf, len, IO_EVENT_STDIN);
+}
+
+static int
+sudoers_io_log_stdout(const char *buf, unsigned int len)
+{
+ const union io_fd ifd = io_log_files[IOFD_STDOUT].fd;
+
+ return sudoers_io_log(ifd, buf, len, IO_EVENT_STDOUT);
+}
+
+static int
+sudoers_io_log_stderr(const char *buf, unsigned int len)
+{
+ const union io_fd ifd = io_log_files[IOFD_STDERR].fd;
+
+ return sudoers_io_log(ifd, buf, len, IO_EVENT_STDERR);
+}
+
+static int
+sudoers_io_log_ttyin(const char *buf, unsigned int len)
+{
+ const union io_fd ifd = io_log_files[IOFD_TTYIN].fd;
+
+ return sudoers_io_log(ifd, buf, len, IO_EVENT_TTYIN);
+}
+
+static int
+sudoers_io_log_ttyout(const char *buf, unsigned int len)
+{
+ const union io_fd ifd = io_log_files[IOFD_TTYOUT].fd;
+
+ return sudoers_io_log(ifd, buf, len, IO_EVENT_TTYOUT);
+}
+
+static int
+sudoers_io_change_winsize(unsigned int lines, unsigned int cols)
+{
+ struct timespec now, delay;
+ unsigned int len;
+ char tbuf[1024];
+ const char *errstr = NULL;
+ int ret = -1;
+ debug_decl(sudoers_io_change_winsize, SUDOERS_DEBUG_PLUGIN)
+
+ if (sudo_gettime_awake(&now) == -1) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+ "%s: unable to get time of day", __func__);
+ errstr = strerror(errno);
+ goto bad;
+ }
+
+ /* Write window change event to the timing file. */
+ sudo_timespecsub(&now, &last_time, &delay);
+ len = (unsigned int)snprintf(tbuf, sizeof(tbuf), "%d %lld.%09ld %u %u\n",
+ IO_EVENT_WINSIZE, (long long)delay.tv_sec, delay.tv_nsec, lines, cols);
+ if (len >= sizeof(tbuf)) {
+ /* Not actually possible due to the size of tbuf[]. */
+ errstr = strerror(EOVERFLOW);
+ goto done;
+ }
+ errstr = iolog_write(io_log_files[IOFD_TIMING].fd, tbuf, len);
+ if (errstr != NULL)
+ goto done;
+
+ /* Success. */
+ ret = 1;
+
+done:
+ last_time.tv_sec = now.tv_sec;
+ last_time.tv_nsec = now.tv_nsec;
+
+bad:
+ if (ret == -1) {
+ if (errstr != NULL && !warned) {
+ /* Only warn about I/O log file errors once. */
+ log_warning(SLOG_SEND_MAIL,
+ N_("unable to write to I/O log file: %s"), errstr);
+ warned = true;
+ }
+
+ /* Ignore errors if they occur if the policy says so. */
+ if (iolog_details.ignore_iolog_errors)
+ ret = 1;
+ }
+
+ debug_return_int(ret);
+}
+
+static int
+sudoers_io_suspend(int signo)
+{
+ struct timespec now, delay;
+ unsigned int len;
+ char tbuf[1024];
+ const char *errstr = NULL;
+ int ret = -1;
+ debug_decl(sudoers_io_suspend, SUDOERS_DEBUG_PLUGIN)
+
+ if (signo <= 0) {
+ sudo_warnx(U_("%s: internal error, invalid signal %d"),
+ __func__, signo);
+ debug_return_int(-1);
+ }
+
+ if (sudo_gettime_awake(&now) == -1) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+ "%s: unable to get time of day", __func__);
+ errstr = strerror(errno);
+ goto bad;
+ }
+
+ /* Write suspend event to the timing file. */
+ sudo_timespecsub(&now, &last_time, &delay);
+ len = (unsigned int)snprintf(tbuf, sizeof(tbuf), "%d %lld.%09ld %d\n",
+ IO_EVENT_SUSPEND, (long long)delay.tv_sec, delay.tv_nsec, signo);
+ if (len >= sizeof(tbuf)) {
+ /* Not actually possible due to the size of tbuf[]. */
+ errstr = strerror(EOVERFLOW);
+ goto done;
+ }
+ errstr = iolog_write(io_log_files[IOFD_TIMING].fd, tbuf, len);
+ if (errstr != NULL)
+ goto done;
+
+ /* Success. */
+ ret = 1;
+
+done:
+ last_time.tv_sec = now.tv_sec;
+ last_time.tv_nsec = now.tv_nsec;
+
+bad:
+ if (ret == -1) {
+ if (errstr != NULL && !warned) {
+ /* Only warn about I/O log file errors once. */
+ log_warning(SLOG_SEND_MAIL,
+ N_("unable to write to I/O log file: %s"), errstr);
+ warned = true;
+ }
+
+ /* Ignore errors if they occur if the policy says so. */
+ if (iolog_details.ignore_iolog_errors)
+ ret = 1;
+ }
+
+ debug_return_int(ret);
+}
+
+__dso_public struct io_plugin sudoers_io = {
+ SUDO_IO_PLUGIN,
+ SUDO_API_VERSION,
+ sudoers_io_open,
+ sudoers_io_close,
+ sudoers_io_version,
+ sudoers_io_log_ttyin,
+ sudoers_io_log_ttyout,
+ sudoers_io_log_stdin,
+ sudoers_io_log_stdout,
+ sudoers_io_log_stderr,
+ NULL, /* register_hooks */
+ NULL, /* deregister_hooks */
+ sudoers_io_change_winsize,
+ sudoers_io_suspend
+};