summaryrefslogtreecommitdiffstats
path: root/plugins/sudoers/sudoreplay.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--plugins/sudoers/sudoreplay.c1718
1 files changed, 1718 insertions, 0 deletions
diff --git a/plugins/sudoers/sudoreplay.c b/plugins/sudoers/sudoreplay.c
new file mode 100644
index 0000000..0f068f0
--- /dev/null
+++ b/plugins/sudoers/sudoreplay.c
@@ -0,0 +1,1718 @@
+/*
+ * SPDX-License-Identifier: ISC
+ *
+ * Copyright (c) 2009-2023 Todd C. Miller <Todd.Miller@sudo.ws>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * This is an open source non-commercial project. Dear PVS-Studio, please check it.
+ * PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com
+ */
+
+#include <config.h>
+
+#include <sys/types.h>
+#include <sys/uio.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#if defined(HAVE_STDINT_H)
+# include <stdint.h>
+#elif defined(HAVE_INTTYPES_H)
+# include <inttypes.h>
+#endif
+#include <string.h>
+#include <unistd.h>
+#include <time.h>
+#include <ctype.h>
+#include <errno.h>
+#include <limits.h>
+#include <fcntl.h>
+#include <dirent.h>
+#ifdef HAVE_STDBOOL_H
+# include <stdbool.h>
+#else
+# include "compat/stdbool.h"
+#endif /* HAVE_STDBOOL_H */
+#include <regex.h>
+#include <signal.h>
+#ifdef HAVE_GETOPT_LONG
+# include <getopt.h>
+# else
+# include "compat/getopt.h"
+#endif /* HAVE_GETOPT_LONG */
+
+#include "pathnames.h"
+#include "sudo_compat.h"
+#include "sudo_conf.h"
+#include "sudo_debug.h"
+#include "sudo_event.h"
+#include "sudo_eventlog.h"
+#include "sudo_lbuf.h"
+#include "sudo_fatal.h"
+#include "sudo_gettext.h"
+#include "sudo_iolog.h"
+#include "sudo_plugin.h"
+#include "sudo_queue.h"
+#include "sudo_util.h"
+
+#include "logging.h"
+
+struct replay_closure {
+ const char *iolog_dir;
+ struct sudo_event_base *evbase;
+ struct sudo_event *delay_ev;
+ struct sudo_event *keyboard_ev;
+ struct sudo_event *output_ev;
+ struct sudo_event *sighup_ev;
+ struct sudo_event *sigint_ev;
+ struct sudo_event *sigquit_ev;
+ struct sudo_event *sigterm_ev;
+ struct sudo_event *sigtstp_ev;
+ struct timespec *offset;
+ struct timespec *max_delay;
+ struct timing_closure timing;
+ int iolog_dir_fd;
+ bool interactive;
+ bool suspend_wait;
+ struct io_buffer {
+ unsigned int len; /* buffer length (how much produced) */
+ unsigned int off; /* write position (how much already consumed) */
+ unsigned int toread; /* how much remains to be read */
+ int lastc; /* last char written */
+ char buf[64 * 1024];
+ } iobuf;
+};
+
+/*
+ * Handle expressions like:
+ * ( user millert or user root ) and tty console and command /bin/sh
+ */
+STAILQ_HEAD(search_node_list, search_node);
+struct search_node {
+ STAILQ_ENTRY(search_node) entries;
+#define ST_EXPR 1
+#define ST_TTY 2
+#define ST_USER 3
+#define ST_PATTERN 4
+#define ST_RUNASUSER 5
+#define ST_RUNASGROUP 6
+#define ST_FROMDATE 7
+#define ST_TODATE 8
+#define ST_CWD 9
+#define ST_HOST 10
+ char type;
+ bool negated;
+ bool or;
+ union {
+ regex_t cmdre;
+ struct timespec tstamp;
+ char *cwd;
+ char *host;
+ char *tty;
+ char *user;
+ char *runas_group;
+ char *runas_user;
+ struct search_node_list expr;
+ void *ptr;
+ } u;
+};
+
+static struct search_node_list search_expr = STAILQ_HEAD_INITIALIZER(search_expr);
+
+static double speed_factor = 1.0;
+
+static const char *session_dir = _PATH_SUDO_IO_LOGDIR;
+
+static bool terminal_can_resize, terminal_was_resized, follow_mode;
+
+static int terminal_lines, terminal_cols;
+
+static int ttyfd = -1;
+
+static struct iolog_file iolog_files[] = {
+ { false }, /* IOFD_STDIN */
+ { false }, /* IOFD_STDOUT */
+ { false }, /* IOFD_STDERR */
+ { false }, /* IOFD_TTYIN */
+ { false }, /* IOFD_TTYOUT */
+ { true, }, /* IOFD_TIMING */
+};
+
+static const char short_opts[] = "d:f:Fhlm:nRSs:V";
+static struct option long_opts[] = {
+ { "directory", required_argument, NULL, 'd' },
+ { "filter", required_argument, NULL, 'f' },
+ { "follow", no_argument, NULL, 'F' },
+ { "help", no_argument, NULL, 'h' },
+ { "list", no_argument, NULL, 'l' },
+ { "max-wait", required_argument, NULL, 'm' },
+ { "non-interactive", no_argument, NULL, 'n' },
+ { "no-resize", no_argument, NULL, 'R' },
+ { "suspend-wait", no_argument, NULL, 'S' },
+ { "speed", required_argument, NULL, 's' },
+ { "version", no_argument, NULL, 'V' },
+ { NULL, no_argument, NULL, '\0' },
+};
+
+/* XXX move to separate header? (currently in sudoers.h) */
+extern char *get_timestr(time_t, int);
+extern time_t get_date(char *);
+
+static int list_sessions(int, char **, const char *, const char *, const char *);
+static int parse_expr(struct search_node_list *, char **, bool);
+static void read_keyboard(int fd, int what, void *v);
+static int replay_session(int iolog_dir_fd, const char *iolog_dir,
+ struct timespec *offset, struct timespec *max_wait, const char *decimal,
+ bool interactive, bool suspend_wait);
+static void sudoreplay_cleanup(void);
+static void write_output(int fd, int what, void *v);
+static void restore_terminal_size(void);
+static void setup_terminal(struct eventlog *evlog, bool interactive, bool resize);
+sudo_noreturn static void help(void);
+sudo_noreturn static void usage(void);
+
+#define VALID_ID(s) (isalnum((unsigned char)(s)[0]) && \
+ isalnum((unsigned char)(s)[1]) && isalnum((unsigned char)(s)[2]) && \
+ isalnum((unsigned char)(s)[3]) && isalnum((unsigned char)(s)[4]) && \
+ isalnum((unsigned char)(s)[5]) && (s)[6] == '\0')
+
+sudo_dso_public int main(int argc, char *argv[]);
+
+int
+main(int argc, char *argv[])
+{
+ int ch, i, iolog_dir_fd, len, exitcode = EXIT_FAILURE;
+ bool def_filter = true, listonly = false;
+ bool interactive = true, suspend_wait = false, resize = true;
+ const char *decimal, *id, *user = NULL, *pattern = NULL, *tty = NULL;
+ char *cp, *ep, iolog_dir[PATH_MAX];
+ struct timespec offset = { 0, 0};
+ struct eventlog *evlog;
+ struct timespec max_delay_storage, *max_delay = NULL;
+ double dval;
+ debug_decl(main, SUDO_DEBUG_MAIN);
+
+#if defined(SUDO_DEVEL) && defined(__OpenBSD__)
+ {
+ extern char *malloc_options;
+ malloc_options = "S";
+ }
+#endif
+
+ initprogname(argc > 0 ? argv[0] : "sudoreplay");
+ setlocale(LC_ALL, "");
+ decimal = localeconv()->decimal_point;
+ bindtextdomain("sudoers", LOCALEDIR); /* XXX - should have sudoreplay domain */
+ textdomain("sudoers");
+
+ /* Register fatal/fatalx callback. */
+ sudo_fatal_callback_register(sudoreplay_cleanup);
+
+ /* Read sudo.conf and initialize the debug subsystem. */
+ if (sudo_conf_read(NULL, SUDO_CONF_DEBUG) == -1)
+ exit(EXIT_FAILURE);
+ sudo_debug_register(getprogname(), NULL, NULL,
+ sudo_conf_debug_files(getprogname()), -1);
+
+ while ((ch = getopt_long(argc, argv, short_opts, long_opts, NULL)) != -1) {
+ switch (ch) {
+ case 'd':
+ session_dir = optarg;
+ break;
+ case 'f':
+ /* Set the replay filter. */
+ def_filter = false;
+ for (cp = strtok_r(optarg, ",", &ep); cp; cp = strtok_r(NULL, ",", &ep)) {
+ if (strcmp(cp, "stdin") == 0)
+ iolog_files[IOFD_STDIN].enabled = true;
+ else if (strcmp(cp, "stdout") == 0)
+ iolog_files[IOFD_STDOUT].enabled = true;
+ else if (strcmp(cp, "stderr") == 0)
+ iolog_files[IOFD_STDERR].enabled = true;
+ else if (strcmp(cp, "ttyin") == 0)
+ iolog_files[IOFD_TTYIN].enabled = true;
+ else if (strcmp(cp, "ttyout") == 0)
+ iolog_files[IOFD_TTYOUT].enabled = true;
+ else
+ sudo_fatalx(U_("invalid filter option: %s"), optarg);
+ }
+ break;
+ case 'F':
+ follow_mode = true;
+ break;
+ case 'h':
+ help();
+ /* NOTREACHED */
+ case 'l':
+ listonly = true;
+ break;
+ case 'm':
+ errno = 0;
+ dval = strtod(optarg, &ep);
+ if (*ep != '\0' || errno != 0)
+ sudo_fatalx(U_("invalid max wait: %s"), optarg);
+ if (dval <= 0.0) {
+ sudo_timespecclear(&max_delay_storage);
+ } else {
+ max_delay_storage.tv_sec = dval;
+ max_delay_storage.tv_nsec =
+ (dval - max_delay_storage.tv_sec) * 1000000000.0;
+ }
+ max_delay = &max_delay_storage;
+ break;
+ case 'n':
+ interactive = false;
+ break;
+ case 'R':
+ resize = false;
+ break;
+ case 'S':
+ suspend_wait = true;
+ break;
+ case 's':
+ errno = 0;
+ speed_factor = strtod(optarg, &ep);
+ if (*ep != '\0' || errno != 0)
+ sudo_fatalx(U_("invalid speed factor: %s"), optarg);
+ break;
+ case 'V':
+ (void) printf(_("%s version %s\n"), getprogname(), PACKAGE_VERSION);
+ exitcode = EXIT_SUCCESS;
+ goto done;
+ default:
+ usage();
+ /* NOTREACHED */
+ }
+
+ }
+ argc -= optind;
+ argv += optind;
+
+ if (listonly) {
+ exitcode = list_sessions(argc, argv, pattern, user, tty);
+ goto done;
+ }
+
+ if (argc != 1)
+ usage();
+
+ /* By default we replay stdout, stderr and ttyout. */
+ if (def_filter) {
+ iolog_files[IOFD_STDOUT].enabled = true;
+ iolog_files[IOFD_STDERR].enabled = true;
+ iolog_files[IOFD_TTYOUT].enabled = true;
+ }
+
+ /* Check for offset in @sec.nsec form at the end of the id. */
+ id = argv[0];
+ if ((cp = strchr(id, '@')) != NULL) {
+ ep = iolog_parse_delay(cp + 1, &offset, decimal);
+ if (ep == NULL || *ep != '\0')
+ sudo_fatalx(U_("invalid time offset %s"), cp + 1);
+ *cp = '\0';
+ }
+
+ /* 6 digit ID in base 36, e.g. 01G712AB or free-form name */
+ if (VALID_ID(id)) {
+ len = snprintf(iolog_dir, sizeof(iolog_dir), "%s/%.2s/%.2s/%.2s",
+ session_dir, id, &id[2], &id[4]);
+ if (len < 0 || len >= ssizeof(iolog_dir))
+ sudo_fatalx(U_("%s/%.2s/%.2s/%.2s: %s"), session_dir,
+ id, &id[2], &id[4], strerror(ENAMETOOLONG));
+ } else if (id[0] == '/') {
+ len = snprintf(iolog_dir, sizeof(iolog_dir), "%s", id);
+ if (len < 0 || len >= ssizeof(iolog_dir))
+ sudo_fatalx(U_("%s/timing: %s"), id, strerror(ENAMETOOLONG));
+ } else {
+ len = snprintf(iolog_dir, sizeof(iolog_dir), "%s/%s", session_dir, id);
+ if (len < 0 || len >= ssizeof(iolog_dir)) {
+ sudo_fatalx(U_("%s/%s: %s"), session_dir, id,
+ strerror(ENAMETOOLONG));
+ }
+ }
+
+ /* Open files for replay, applying replay filter for the -f flag. */
+ if ((iolog_dir_fd = iolog_openat(AT_FDCWD, iolog_dir, O_RDONLY)) == -1)
+ sudo_fatal("%s", iolog_dir);
+ for (i = 0; i < IOFD_MAX; i++) {
+ if (!iolog_open(&iolog_files[i], iolog_dir_fd, i, "r")) {
+ if (errno != ENOENT) {
+ sudo_fatal(U_("unable to open %s/%s"), iolog_dir,
+ iolog_fd_to_name(i));
+ }
+ }
+ }
+ if (!iolog_files[IOFD_TIMING].enabled) {
+ sudo_fatal(U_("unable to open %s/%s"), iolog_dir,
+ iolog_fd_to_name(IOFD_TIMING));
+ }
+
+ /* Parse log file. */
+ if ((evlog = iolog_parse_loginfo(iolog_dir_fd, iolog_dir)) == NULL)
+ goto done;
+ printf(_("Replaying sudo session: %s"), evlog->command);
+ if (evlog->argv != NULL && evlog->argv[0] != NULL) {
+ for (i = 1; evlog->argv[i] != NULL; i++)
+ printf(" %s", evlog->argv[i]);
+ }
+
+ /* Setup terminal if appropriate. */
+ if (!isatty(STDIN_FILENO) || !isatty(STDOUT_FILENO))
+ interactive = false;
+ setup_terminal(evlog, interactive, resize);
+ putchar('\r');
+ putchar('\n');
+
+ /* Done with parsed log file. */
+ eventlog_free(evlog);
+ evlog = NULL;
+
+ /* Replay session corresponding to iolog_files[]. */
+ exitcode = replay_session(iolog_dir_fd, iolog_dir, &offset, max_delay,
+ decimal, interactive, suspend_wait);
+
+ restore_terminal_size();
+ sudo_term_restore(ttyfd, true);
+done:
+ sudo_debug_exit_int(__func__, __FILE__, __LINE__, sudo_debug_subsys, exitcode);
+ return exitcode;
+}
+
+/*
+ * List of terminals that support xterm-like resizing.
+ * This is not an exhaustive list.
+ * For a list of VT100 style escape codes, see:
+ * http://invisible-island.net/xterm/ctlseqs/ctlseqs.html#VT100%20Mode
+ */
+struct term_names {
+ const char *name;
+ unsigned int len;
+} compatible_terms[] = {
+ { "Eterm", 5 },
+ { "aterm", 5 },
+ { "dtterm", 6 },
+ { "gnome", 5 },
+ { "konsole", 7 },
+ { "kvt\0", 4 },
+ { "mlterm", 6 },
+ { "rxvt", 4 },
+ { "xterm", 5 },
+ { NULL, 0 }
+};
+
+struct getsize_closure {
+ int nums[2];
+ int nums_depth;
+ int nums_maxdepth;
+ int state;
+ const char *cp;
+ struct sudo_event *ev;
+ struct timespec timeout;
+};
+
+/* getsize states */
+#define INITIAL 0x00
+#define NEW_NUMBER 0x01
+#define NUMBER 0x02
+#define GOTSIZE 0x04
+#define READCHAR 0x10
+
+/*
+ * Callback for reading the terminal size response.
+ * We use an event for this to support timeouts.
+ */
+static void
+getsize_cb(int fd, int what, void *v)
+{
+ struct getsize_closure *gc = v;
+ unsigned char ch = '\0';
+ debug_decl(getsize_cb, SUDO_DEBUG_UTIL);
+
+ for (;;) {
+ if (gc->cp[0] == '\0') {
+ gc->state = GOTSIZE;
+ goto done;
+ }
+ if (ISSET(gc->state, READCHAR)) {
+ ssize_t nread = read(ttyfd, &ch, 1);
+ switch (nread) {
+ case -1:
+ if (errno == EAGAIN)
+ goto another;
+ FALLTHROUGH;
+ case 0:
+ goto done;
+ default:
+ CLR(gc->state, READCHAR);
+ break;
+ }
+ }
+ switch (gc->state) {
+ case INITIAL:
+ if (ch == 0233 && gc->cp[0] == '\033') {
+ /* meta escape, equivalent to ESC[ */
+ ch = '[';
+ gc->cp++;
+ }
+ if (gc->cp[0] == '%' && gc->cp[1] == 'd') {
+ gc->state = NEW_NUMBER;
+ continue;
+ }
+ if (gc->cp[0] != ch) {
+ sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
+ "got %d, expected %d", ch, gc->cp[0]);
+ goto done;
+ }
+ sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
+ "got %d", ch);
+ SET(gc->state, READCHAR);
+ gc->cp++;
+ break;
+ case NEW_NUMBER:
+ sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
+ "parsing number");
+ if (!isdigit(ch))
+ goto done;
+ gc->cp += 2;
+ if (gc->nums_depth > gc->nums_maxdepth)
+ goto done;
+ gc->nums[gc->nums_depth] = 0;
+ gc->state = NUMBER;
+ FALLTHROUGH;
+ case NUMBER:
+ if (!isdigit(ch)) {
+ /* done with number, reparse ch */
+ sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
+ "number %d (ch %d)", gc->nums[gc->nums_depth], ch);
+ gc->nums_depth++;
+ gc->state = INITIAL;
+ continue;
+ }
+ sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
+ "got %d", ch);
+ if (gc->nums[gc->nums_depth] > INT_MAX / 10)
+ goto done;
+ gc->nums[gc->nums_depth] *= 10;
+ gc->nums[gc->nums_depth] += (ch - '0');
+ SET(gc->state, READCHAR);
+ break;
+ }
+ }
+
+another:
+ if (sudo_ev_add(NULL, gc->ev, &gc->timeout, false) == -1)
+ sudo_fatal("%s", U_("unable to add event to queue"));
+done:
+ debug_return;
+}
+
+
+/*
+ * Get the terminal size using vt100 terminal escapes.
+ */
+static bool
+xterm_get_size(int *new_lines, int *new_cols)
+{
+ struct sudo_event_base *evbase;
+ struct getsize_closure gc;
+ const char getsize_request[] = "\0337\033[r\033[999;999H\033[6n";
+ const char getsize_response[] = "\033[%d;%dR";
+ bool ret = false;
+ debug_decl(xterm_get_size, SUDO_DEBUG_UTIL);
+
+ /* request the terminal's size */
+ if (write(ttyfd, getsize_request, strlen(getsize_request)) == -1) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO,
+ "%s: error writing xterm size request", __func__);
+ goto done;
+ }
+
+ /*
+ * Callback info for reading back the size with a 10 second timeout.
+ * We expect two numbers (lines and cols).
+ */
+ gc.state = INITIAL|READCHAR;
+ gc.nums_depth = 0;
+ gc.nums_maxdepth = 1;
+ gc.cp = getsize_response;
+ gc.timeout.tv_sec = 10;
+ gc.timeout.tv_nsec = 0;
+
+ /* Setup an event for reading the terminal size */
+ evbase = sudo_ev_base_alloc();
+ if (evbase == NULL)
+ sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ gc.ev = sudo_ev_alloc(ttyfd, SUDO_EV_READ, getsize_cb, &gc);
+ if (gc.ev == NULL)
+ sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+
+ /* Read back terminal size response */
+ if (sudo_ev_add(evbase, gc.ev, &gc.timeout, false) == -1)
+ sudo_fatal("%s", U_("unable to add event to queue"));
+ sudo_ev_dispatch(evbase);
+
+ if (gc.state == GOTSIZE) {
+ sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
+ "terminal size %d x %x", gc.nums[0], gc.nums[1]);
+ *new_lines = gc.nums[0];
+ *new_cols = gc.nums[1];
+ ret = true;
+ }
+
+ sudo_ev_base_free(evbase);
+ sudo_ev_free(gc.ev);
+
+done:
+ debug_return_bool(ret);
+}
+
+/*
+ * Set the size of the text area to lines and cols.
+ * Depending on the terminal implementation, the window itself may
+ * or may not shrink to a smaller size.
+ */
+static bool
+xterm_set_size(int lines, int cols)
+{
+ const char setsize_fmt[] = "\033[8;%d;%dt";
+ int len, new_lines, new_cols;
+ bool ret = false;
+ char buf[1024];
+ debug_decl(xterm_set_size, SUDO_DEBUG_UTIL);
+
+ /* XXX - save cursor and position restore after resizing */
+ len = snprintf(buf, sizeof(buf), setsize_fmt, lines, cols);
+ if (len < 0 || len >= ssizeof(buf)) {
+ /* not possible due to size of buf */
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+ "%s: internal error, buffer too small?", __func__);
+ goto done;
+ }
+ if (write(ttyfd, buf, strlen(buf)) == -1) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO,
+ "%s: error writing xterm resize request", __func__);
+ goto done;
+ }
+ /* XXX - keyboard input will interfere with this */
+ if (!xterm_get_size(&new_lines, &new_cols))
+ goto done;
+ if (lines == new_lines && cols == new_cols)
+ ret = true;
+
+done:
+ debug_return_bool(ret);
+}
+
+static void
+setup_terminal(struct eventlog *evlog, bool interactive, bool resize)
+{
+ const char *term;
+ debug_decl(check_terminal, SUDO_DEBUG_UTIL);
+
+ fflush(stdout);
+
+ /* Open fd for /dev/tty and set to raw mode. */
+ if (interactive) {
+ ttyfd = open(_PATH_TTY, O_RDWR);
+ while (!sudo_term_raw(ttyfd, 1)) {
+ if (errno != EINTR)
+ sudo_fatal("%s", U_("unable to set tty to raw mode"));
+ kill(getpid(), SIGTTOU);
+ }
+ }
+
+ /* Find terminal size if the session has size info. */
+ if (evlog->lines == 0 && evlog->columns == 0) {
+ /* no tty size info, hope for the best... */
+ debug_return;
+ }
+
+ if (resize && ttyfd != -1) {
+ term = getenv("TERM");
+ if (term != NULL && *term != '\0') {
+ struct term_names *tn;
+
+ for (tn = compatible_terms; tn->name != NULL; tn++) {
+ if (strncmp(term, tn->name, tn->len) == 0) {
+ /* xterm-like terminals can resize themselves. */
+ if (xterm_get_size(&terminal_lines, &terminal_cols))
+ terminal_can_resize = true;
+ break;
+ }
+ }
+ }
+ }
+
+ if (!terminal_can_resize) {
+ /* either not xterm or not interactive */
+ sudo_get_ttysize(&terminal_lines, &terminal_cols);
+ }
+
+ if (evlog->lines == terminal_lines && evlog->columns == terminal_cols) {
+ /* nothing to change */
+ debug_return;
+ }
+
+ if (terminal_can_resize) {
+ /* session terminal size is different, try to resize ours */
+ if (xterm_set_size(evlog->lines, evlog->columns)) {
+ /* success */
+ sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
+ "resized terminal to %d x %x", evlog->lines, evlog->columns);
+ terminal_was_resized = true;
+ debug_return;
+ }
+ /* resize failed, don't try again */
+ terminal_can_resize = false;
+ }
+
+ if (evlog->lines > terminal_lines || evlog->columns > terminal_cols) {
+ fputs(_("Warning: your terminal is too small to properly replay the log.\n"), stdout);
+ printf(_("Log geometry is %d x %d, your terminal's geometry is %d x %d."), evlog->lines, evlog->columns, terminal_lines, terminal_cols);
+ }
+ debug_return;
+}
+
+static void
+resize_terminal(int lines, int cols)
+{
+ debug_decl(resize_terminal, SUDO_DEBUG_UTIL);
+
+ if (terminal_can_resize) {
+ if (xterm_set_size(lines, cols))
+ terminal_was_resized = true;
+ else
+ terminal_can_resize = false;
+ }
+
+ debug_return;
+}
+
+static void
+restore_terminal_size(void)
+{
+ debug_decl(restore_terminal, SUDO_DEBUG_UTIL);
+
+ if (terminal_was_resized) {
+ /* We are still in raw mode, hence the carriage return. */
+ putchar('\r');
+ fputs(U_("Replay finished, press any key to restore the terminal."),
+ stdout);
+ fflush(stdout);
+ (void)getchar();
+ xterm_set_size(terminal_lines, terminal_cols);
+ putchar('\r');
+ putchar('\n');
+ }
+
+ debug_return;
+}
+
+static bool
+iolog_complete(struct replay_closure *closure)
+{
+ struct stat sb;
+ debug_decl(iolog_complete, SUDO_DEBUG_UTIL);
+
+ if (fstatat(closure->iolog_dir_fd, "timing", &sb, 0) != -1) {
+ if (ISSET(sb.st_mode, S_IWUSR|S_IWGRP|S_IWOTH))
+ debug_return_bool(false);
+ }
+
+ debug_return_bool(true);
+}
+
+/*
+ * Read the next record from the timing file and schedule a delay
+ * event with the specified timeout.
+ * In follow mode, ignore EOF and just delay for a short time.
+ * Return 0 on success, 1 on EOF and -1 on error.
+ */
+static int
+get_timing_record(struct replay_closure *closure)
+{
+ struct timing_closure *timing = &closure->timing;
+ bool nodelay = false;
+ debug_decl(get_timing_record, SUDO_DEBUG_UTIL);
+
+ if (follow_mode && timing->event == IO_EVENT_COUNT) {
+ /* In follow mode, we already waited. */
+ nodelay = true;
+ }
+
+ switch (iolog_read_timing_record(&iolog_files[IOFD_TIMING], timing)) {
+ case -1:
+ /* error */
+ debug_return_int(-1);
+ case 1:
+ /* EOF */
+ if (!follow_mode || iolog_complete(closure)) {
+ debug_return_int(1);
+ }
+ /* Follow mode, keep reading until done. */
+ iolog_clearerr(&iolog_files[IOFD_TIMING]);
+ timing->delay.tv_sec = 0;
+ timing->delay.tv_nsec = 1000000;
+ timing->iol = NULL;
+ timing->event = IO_EVENT_COUNT;
+ break;
+ default:
+ /* Record number bytes to read. */
+ if (timing->event != IO_EVENT_WINSIZE &&
+ timing->event != IO_EVENT_SUSPEND) {
+ closure->iobuf.len = 0;
+ closure->iobuf.off = 0;
+ closure->iobuf.lastc = '\0';
+ closure->iobuf.toread = timing->u.nbytes;
+ }
+
+ if (sudo_timespecisset(closure->offset)) {
+ if (sudo_timespeccmp(&timing->delay, closure->offset, >)) {
+ sudo_timespecsub(&timing->delay, closure->offset, &timing->delay);
+ sudo_timespecclear(closure->offset);
+ } else {
+ sudo_timespecsub(closure->offset, &timing->delay, closure->offset);
+ sudo_timespecclear(&timing->delay);
+ }
+ }
+
+ if (nodelay) {
+ /* Already waited, fire immediately. */
+ timing->delay.tv_sec = 0;
+ timing->delay.tv_nsec = 0;
+ } else {
+ /* Adjust delay using speed factor and max_delay. */
+ iolog_adjust_delay(&timing->delay, closure->max_delay,
+ speed_factor);
+ }
+ break;
+ }
+
+ /* Schedule the delay event. */
+ if (sudo_ev_add(closure->evbase, closure->delay_ev, &timing->delay, false) == -1)
+ sudo_fatal("%s", U_("unable to add event to queue"));
+
+ debug_return_int(0);
+}
+
+/*
+ * Read next timing record.
+ * Exits the event loop on EOF, breaks out on error.
+ */
+static void
+next_timing_record(struct replay_closure *closure)
+{
+ debug_decl(next_timing_record, SUDO_DEBUG_UTIL);
+
+again:
+ switch (get_timing_record(closure)) {
+ case 0:
+ /* success */
+ if (closure->timing.event == IO_EVENT_SUSPEND &&
+ closure->timing.u.signo == SIGCONT && !closure->suspend_wait) {
+ /* Ignore time spent suspended. */
+ goto again;
+ }
+ break;
+ case 1:
+ /* EOF */
+ sudo_ev_loopexit(closure->evbase);
+ break;
+ default:
+ /* error */
+ sudo_ev_loopbreak(closure->evbase);
+ break;
+ }
+ debug_return;
+}
+
+static bool
+fill_iobuf(struct replay_closure *closure)
+{
+ const size_t space = sizeof(closure->iobuf.buf) - closure->iobuf.len;
+ const struct timing_closure *timing = &closure->timing;
+ const char *errstr;
+ debug_decl(fill_iobuf, SUDO_DEBUG_UTIL);
+
+ if (closure->iobuf.toread != 0 && space != 0) {
+ const size_t len =
+ closure->iobuf.toread < space ? closure->iobuf.toread : space;
+ ssize_t nread = iolog_read(timing->iol,
+ closure->iobuf.buf + closure->iobuf.off, len, &errstr);
+ if (nread <= 0) {
+ if (nread == 0) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+ "%s/%s: premature EOF, expected %u bytes",
+ closure->iolog_dir, iolog_fd_to_name(timing->event),
+ closure->iobuf.toread);
+ } else {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+ "%s/%s: read error: %s", closure->iolog_dir,
+ iolog_fd_to_name(timing->event), errstr);
+ }
+ sudo_warnx(U_("unable to read %s/%s: %s"),
+ closure->iolog_dir, iolog_fd_to_name(timing->event), errstr);
+ debug_return_bool(false);
+ }
+ closure->iobuf.toread -= nread;
+ closure->iobuf.len += nread;
+ }
+
+ debug_return_bool(true);
+}
+
+/*
+ * Called when the inter-record delay has expired.
+ * Depending on the record type, either reads the next
+ * record or changes window size.
+ */
+static void
+delay_cb(int fd, int what, void *v)
+{
+ struct replay_closure *closure = v;
+ struct timing_closure *timing = &closure->timing;
+ debug_decl(delay_cb, SUDO_DEBUG_UTIL);
+
+ switch (timing->event) {
+ case IO_EVENT_WINSIZE:
+ resize_terminal(timing->u.winsize.lines, timing->u.winsize.cols);
+ break;
+ case IO_EVENT_STDIN:
+ if (iolog_files[IOFD_STDIN].enabled)
+ timing->iol = &iolog_files[IOFD_STDIN];
+ break;
+ case IO_EVENT_STDOUT:
+ if (iolog_files[IOFD_STDOUT].enabled)
+ timing->iol = &iolog_files[IOFD_STDOUT];
+ break;
+ case IO_EVENT_STDERR:
+ if (iolog_files[IOFD_STDERR].enabled)
+ timing->iol = &iolog_files[IOFD_STDERR];
+ break;
+ case IO_EVENT_TTYIN:
+ if (iolog_files[IOFD_TTYIN].enabled)
+ timing->iol = &iolog_files[IOFD_TTYIN];
+ break;
+ case IO_EVENT_TTYOUT:
+ if (iolog_files[IOFD_TTYOUT].enabled)
+ timing->iol = &iolog_files[IOFD_TTYOUT];
+ break;
+ }
+
+ if (timing->iol != NULL) {
+ /* If the stream is open, enable the write event. */
+ if (sudo_ev_add(closure->evbase, closure->output_ev, NULL, false) == -1)
+ sudo_fatal("%s", U_("unable to add event to queue"));
+ } else {
+ /* Not replaying, get the next timing record and continue. */
+ next_timing_record(closure);
+ }
+
+ debug_return;
+}
+
+static void
+replay_closure_free(struct replay_closure *closure)
+{
+ /*
+ * Free events and event base, then the closure itself.
+ */
+ if (closure->iolog_dir_fd != -1)
+ close(closure->iolog_dir_fd);
+ sudo_ev_free(closure->delay_ev);
+ sudo_ev_free(closure->keyboard_ev);
+ sudo_ev_free(closure->output_ev);
+ sudo_ev_free(closure->sighup_ev);
+ sudo_ev_free(closure->sigint_ev);
+ sudo_ev_free(closure->sigquit_ev);
+ sudo_ev_free(closure->sigterm_ev);
+ sudo_ev_free(closure->sigtstp_ev);
+ sudo_ev_base_free(closure->evbase);
+ free(closure);
+}
+
+static void
+signal_cb(int signo, int what, void *v)
+{
+ struct replay_closure *closure = v;
+ debug_decl(signal_cb, SUDO_DEBUG_UTIL);
+
+ switch (signo) {
+ case SIGHUP:
+ case SIGINT:
+ case SIGQUIT:
+ case SIGTERM:
+ /* Free the event base and restore signal handlers. */
+ replay_closure_free(closure);
+
+ /* Restore the terminal and die. */
+ sudoreplay_cleanup();
+ kill(getpid(), signo);
+ break;
+ case SIGTSTP:
+ /* Ignore ^Z since we have no way to restore the screen. */
+ break;
+ }
+
+ debug_return;
+}
+
+static struct replay_closure *
+replay_closure_alloc(int iolog_dir_fd, const char *iolog_dir,
+ struct timespec *offset, struct timespec *max_delay, const char *decimal,
+ bool interactive, bool suspend_wait)
+{
+ struct replay_closure *closure;
+ debug_decl(replay_closure_alloc, SUDO_DEBUG_UTIL);
+
+ if ((closure = calloc(1, sizeof(*closure))) == NULL)
+ debug_return_ptr(NULL);
+
+ closure->iolog_dir_fd = iolog_dir_fd;
+ closure->iolog_dir = iolog_dir;
+ closure->interactive = interactive;
+ closure->offset = offset;
+ closure->suspend_wait = suspend_wait;
+ closure->max_delay = max_delay;
+ closure->timing.decimal = decimal;
+
+ /*
+ * Setup event base and delay, input and output events.
+ * If interactive, take input from and write to /dev/tty.
+ * If not interactive there is no input event.
+ */
+ closure->evbase = sudo_ev_base_alloc();
+ if (closure->evbase == NULL)
+ goto bad;
+ closure->delay_ev = sudo_ev_alloc(-1, SUDO_EV_TIMEOUT, delay_cb, closure);
+ if (closure->delay_ev == NULL)
+ goto bad;
+ if (interactive) {
+ closure->keyboard_ev = sudo_ev_alloc(ttyfd, SUDO_EV_READ|SUDO_EV_PERSIST,
+ read_keyboard, closure);
+ if (closure->keyboard_ev == NULL)
+ goto bad;
+ if (sudo_ev_add(closure->evbase, closure->keyboard_ev, NULL, false) == -1)
+ sudo_fatal("%s", U_("unable to add event to queue"));
+ }
+ closure->output_ev = sudo_ev_alloc(interactive ? ttyfd : STDOUT_FILENO,
+ SUDO_EV_WRITE, write_output, closure);
+ if (closure->output_ev == NULL)
+ goto bad;
+
+ /*
+ * Setup signal events, we need to restore the terminal if killed.
+ */
+ closure->sighup_ev = sudo_ev_alloc(SIGHUP, SUDO_EV_SIGNAL, signal_cb,
+ closure);
+ if (closure->sighup_ev == NULL)
+ goto bad;
+ if (sudo_ev_add(closure->evbase, closure->sighup_ev, NULL, false) == -1)
+ sudo_fatal("%s", U_("unable to add event to queue"));
+
+ closure->sigint_ev = sudo_ev_alloc(SIGINT, SUDO_EV_SIGNAL, signal_cb,
+ closure);
+ if (closure->sigint_ev == NULL)
+ goto bad;
+ if (sudo_ev_add(closure->evbase, closure->sigint_ev, NULL, false) == -1)
+ sudo_fatal("%s", U_("unable to add event to queue"));
+
+ closure->sigquit_ev = sudo_ev_alloc(SIGQUIT, SUDO_EV_SIGNAL, signal_cb,
+ closure);
+ if (closure->sigquit_ev == NULL)
+ goto bad;
+ if (sudo_ev_add(closure->evbase, closure->sigquit_ev, NULL, false) == -1)
+ sudo_fatal("%s", U_("unable to add event to queue"));
+
+ closure->sigterm_ev = sudo_ev_alloc(SIGTERM, SUDO_EV_SIGNAL, signal_cb,
+ closure);
+ if (closure->sigterm_ev == NULL)
+ goto bad;
+ if (sudo_ev_add(closure->evbase, closure->sigterm_ev, NULL, false) == -1)
+ sudo_fatal("%s", U_("unable to add event to queue"));
+
+ closure->sigtstp_ev = sudo_ev_alloc(SIGTSTP, SUDO_EV_SIGNAL, signal_cb,
+ closure);
+ if (closure->sigtstp_ev == NULL)
+ goto bad;
+ if (sudo_ev_add(closure->evbase, closure->sigtstp_ev, NULL, false) == -1)
+ sudo_fatal("%s", U_("unable to add event to queue"));
+
+ debug_return_ptr(closure);
+bad:
+ replay_closure_free(closure);
+ debug_return_ptr(NULL);
+}
+
+static int
+replay_session(int iolog_dir_fd, const char *iolog_dir, struct timespec *offset,
+ struct timespec *max_delay, const char *decimal, bool interactive,
+ bool suspend_wait)
+{
+ struct replay_closure *closure;
+ int ret = 0;
+ debug_decl(replay_session, SUDO_DEBUG_UTIL);
+
+ /* Allocate the delay closure and read the first timing record. */
+ closure = replay_closure_alloc(iolog_dir_fd, iolog_dir, offset, max_delay,
+ decimal, interactive, suspend_wait);
+ if (get_timing_record(closure) != 0) {
+ ret = 1;
+ goto done;
+ }
+
+ /* Run event loop. */
+ sudo_ev_dispatch(closure->evbase);
+ if (sudo_ev_got_break(closure->evbase))
+ ret = 1;
+
+done:
+ /* Clean up and return. */
+ replay_closure_free(closure);
+ debug_return_int(ret);
+}
+
+/*
+ * Write the I/O buffer.
+ */
+static void
+write_output(int fd, int what, void *v)
+{
+ struct replay_closure *closure = v;
+ const struct timing_closure *timing = &closure->timing;
+ struct io_buffer *iobuf = &closure->iobuf;
+ unsigned iovcnt = 1;
+ struct iovec iov[2];
+ bool added_cr = false;
+ size_t nbytes, nwritten;
+ debug_decl(write_output, SUDO_DEBUG_UTIL);
+
+ /* Refill iobuf if there is more to read and buf is empty. */
+ if (!fill_iobuf(closure)) {
+ sudo_ev_loopbreak(closure->evbase);
+ debug_return;
+ }
+
+ nbytes = iobuf->len - iobuf->off;
+ iov[0].iov_base = iobuf->buf + iobuf->off;
+ iov[0].iov_len = nbytes;
+
+ if (closure->interactive &&
+ (timing->event == IO_EVENT_STDOUT || timing->event == IO_EVENT_STDERR)) {
+ char *nl;
+
+ /*
+ * We may need to insert a carriage return before the newline.
+ * Note that the carriage return may have already been written.
+ */
+ nl = memchr(iov[0].iov_base, '\n', iov[0].iov_len);
+ if (nl != NULL) {
+ size_t len = (size_t)(nl - (char *)iov[0].iov_base);
+ if ((nl == iov[0].iov_base && iobuf->lastc != '\r') ||
+ (nl != iov[0].iov_base && nl[-1] != '\r')) {
+ iov[0].iov_len = len;
+ iov[1].iov_base = (char *)"\r\n";
+ iov[1].iov_len = 2;
+ iovcnt = 2;
+ nbytes = iov[0].iov_len + iov[1].iov_len;
+ added_cr = true;
+ }
+ }
+ }
+
+ nwritten = writev(fd, iov, iovcnt);
+ switch ((ssize_t)nwritten) {
+ case -1:
+ if (errno != EINTR && errno != EAGAIN)
+ sudo_fatal(U_("unable to write to %s"), "stdout");
+ break;
+ case 0:
+ /* Should not happen. */
+ break;
+ default:
+ if (added_cr && nwritten >= nbytes - 1) {
+ /* The last char written was either '\r' or '\n'. */
+ iobuf->lastc = nwritten == nbytes ? '\n' : '\r';
+ } else {
+ /* Stash the last char written. */
+ iobuf->lastc = *((char *)iov[0].iov_base + nwritten);
+ }
+ if (added_cr) {
+ /* Subtract one for the carriage return we added above. */
+ nwritten--;
+ }
+ iobuf->off += nwritten;
+ break;
+ }
+
+ if (iobuf->off == iobuf->len) {
+ /* Write complete, go to next timing entry if possible. */
+ switch (get_timing_record(closure)) {
+ case 0:
+ /* success */
+ break;
+ case 1:
+ /* EOF */
+ sudo_ev_loopexit(closure->evbase);
+ break;
+ default:
+ /* error */
+ sudo_ev_loopbreak(closure->evbase);
+ break;
+ }
+ } else {
+ /* Reschedule event to write remainder. */
+ if (sudo_ev_add(NULL, closure->output_ev, NULL, false) == -1)
+ sudo_fatal("%s", U_("unable to add event to queue"));
+ }
+ debug_return;
+}
+
+/*
+ * Build expression list from search args
+ */
+static int
+parse_expr(struct search_node_list *head, char *argv[], bool sub_expr)
+{
+ bool or = false, not = false;
+ struct search_node *sn;
+ char type, **av;
+ const char *errstr;
+ debug_decl(parse_expr, SUDO_DEBUG_UTIL);
+
+ for (av = argv; *av != NULL; av++) {
+ switch (av[0][0]) {
+ case 'a': /* and (ignore) */
+ if (strncmp(*av, "and", strlen(*av)) != 0)
+ goto bad;
+ continue;
+ case 'o': /* or */
+ if (strncmp(*av, "or", strlen(*av)) != 0)
+ goto bad;
+ or = true;
+ continue;
+ case '!': /* negate */
+ if (av[0][1] != '\0')
+ goto bad;
+ not = true;
+ continue;
+ case 'c': /* cwd or command */
+ if (av[0][1] == '\0')
+ sudo_fatalx(U_("ambiguous expression \"%s\""), *av);
+ if (strncmp(*av, "cwd", strlen(*av)) == 0)
+ type = ST_CWD;
+ else if (strncmp(*av, "command", strlen(*av)) == 0)
+ type = ST_PATTERN;
+ else
+ goto bad;
+ break;
+ case 'f': /* from date */
+ if (strncmp(*av, "fromdate", strlen(*av)) != 0)
+ goto bad;
+ type = ST_FROMDATE;
+ break;
+ case 'g': /* runas group */
+ if (strncmp(*av, "group", strlen(*av)) != 0)
+ goto bad;
+ type = ST_RUNASGROUP;
+ break;
+ case 'h': /* host */
+ if (strncmp(*av, "host", strlen(*av)) != 0)
+ goto bad;
+ type = ST_HOST;
+ break;
+ case 'r': /* runas user */
+ if (strncmp(*av, "runas", strlen(*av)) != 0)
+ goto bad;
+ type = ST_RUNASUSER;
+ break;
+ case 't': /* tty or to date */
+ if (av[0][1] == '\0')
+ sudo_fatalx(U_("ambiguous expression \"%s\""), *av);
+ if (strncmp(*av, "todate", strlen(*av)) == 0)
+ type = ST_TODATE;
+ else if (strncmp(*av, "tty", strlen(*av)) == 0)
+ type = ST_TTY;
+ else
+ goto bad;
+ break;
+ case 'u': /* user */
+ if (strncmp(*av, "user", strlen(*av)) != 0)
+ goto bad;
+ type = ST_USER;
+ break;
+ case '(': /* start sub-expression */
+ if (av[0][1] != '\0')
+ goto bad;
+ type = ST_EXPR;
+ break;
+ case ')': /* end sub-expression */
+ if (av[0][1] != '\0')
+ goto bad;
+ if (!sub_expr)
+ sudo_fatalx("%s", U_("unmatched ')' in expression"));
+ debug_return_int(av - argv + 1);
+ default:
+ bad:
+ sudo_fatalx(U_("unknown search term \"%s\""), *av);
+ /* NOTREACHED */
+ }
+
+ /* Allocate new search node */
+ if ((sn = calloc(1, sizeof(*sn))) == NULL)
+ sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ sn->type = type;
+ sn->or = or;
+ sn->negated = not;
+ if (type == ST_EXPR) {
+ STAILQ_INIT(&sn->u.expr);
+ av += parse_expr(&sn->u.expr, av + 1, true);
+ } else {
+ if (*(++av) == NULL)
+ sudo_fatalx(U_("%s requires an argument"), av[-1]);
+ if (type == ST_PATTERN) {
+ if (!sudo_regex_compile(&sn->u.cmdre, *av, &errstr)) {
+ sudo_fatalx(U_("invalid regular expression \"%s\": %s"),
+ *av, U_(errstr));
+ }
+ } else if (type == ST_TODATE || type == ST_FROMDATE) {
+ sn->u.tstamp.tv_sec = get_date(*av);
+ sn->u.tstamp.tv_nsec = 0;
+ if (sn->u.tstamp.tv_sec == -1)
+ sudo_fatalx(U_("could not parse date \"%s\""), *av);
+ } else {
+ sn->u.ptr = *av;
+ }
+ }
+ not = or = false; /* reset state */
+ STAILQ_INSERT_TAIL(head, sn, entries);
+ }
+ if (sub_expr)
+ sudo_fatalx("%s", U_("unmatched '(' in expression"));
+ if (or)
+ sudo_fatalx("%s", U_("illegal trailing \"or\""));
+ if (not)
+ sudo_fatalx("%s", U_("illegal trailing \"!\""));
+
+ debug_return_int(av - argv);
+}
+
+static char *
+expand_command(struct eventlog *evlog, char **newbuf)
+{
+ size_t len, bufsize = strlen(evlog->command) + 1;
+ char *cp, *buf;
+ int ac;
+ debug_decl(expand_command, SUDO_DEBUG_UTIL);
+
+ if (evlog->argv == NULL || evlog->argv[0] == NULL || evlog->argv[1] == NULL) {
+ /* No arguments, we can use the command as-is. */
+ *newbuf = NULL;
+ debug_return_str(evlog->command);
+ }
+
+ /* Skip argv[0], we use evlog->command instead. */
+ for (ac = 1; evlog->argv[ac] != NULL; ac++)
+ bufsize += strlen(evlog->argv[ac]) + 1;
+
+ if ((buf = malloc(bufsize)) == NULL)
+ sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ cp = buf;
+
+ len = strlcpy(cp, evlog->command, bufsize);
+ if (len >= bufsize)
+ sudo_fatalx(U_("internal error, %s overflow"), __func__);
+ cp += len;
+ bufsize -= len;
+
+ for (ac = 1; evlog->argv[ac] != NULL; ac++) {
+ if (bufsize < 2)
+ sudo_fatalx(U_("internal error, %s overflow"), __func__);
+ *cp++ = ' ';
+ bufsize--;
+
+ len = strlcpy(cp, evlog->argv[ac], bufsize);
+ if (len >= bufsize)
+ sudo_fatalx(U_("internal error, %s overflow"), __func__);
+ cp += len;
+ bufsize -= len;
+ }
+
+ *newbuf = buf;
+ debug_return_str(buf);
+}
+
+static bool
+match_expr(struct search_node_list *head, struct eventlog *evlog, bool last_match)
+{
+ struct search_node *sn;
+ bool res = false, matched = last_match;
+ char *tofree;
+ int rc;
+ debug_decl(match_expr, SUDO_DEBUG_UTIL);
+
+ STAILQ_FOREACH(sn, head, entries) {
+ switch (sn->type) {
+ case ST_EXPR:
+ res = match_expr(&sn->u.expr, evlog, matched);
+ break;
+ case ST_CWD:
+ if (evlog->cwd != NULL)
+ res = strcmp(sn->u.cwd, evlog->cwd) == 0;
+ break;
+ case ST_HOST:
+ if (evlog->submithost != NULL)
+ res = strcmp(sn->u.host, evlog->submithost) == 0;
+ break;
+ case ST_TTY:
+ if (evlog->ttyname != NULL)
+ res = strcmp(sn->u.tty, evlog->ttyname) == 0;
+ break;
+ case ST_RUNASGROUP:
+ if (evlog->rungroup != NULL)
+ res = strcmp(sn->u.runas_group, evlog->rungroup) == 0;
+ break;
+ case ST_RUNASUSER:
+ if (evlog->runuser != NULL)
+ res = strcmp(sn->u.runas_user, evlog->runuser) == 0;
+ break;
+ case ST_USER:
+ if (evlog->submituser != NULL)
+ res = strcmp(sn->u.user, evlog->submituser) == 0;
+ break;
+ case ST_PATTERN:
+ rc = regexec(&sn->u.cmdre, expand_command(evlog, &tofree),
+ 0, NULL, 0);
+ if (rc && rc != REG_NOMATCH) {
+ char buf[BUFSIZ];
+ regerror(rc, &sn->u.cmdre, buf, sizeof(buf));
+ sudo_fatalx("%s", buf);
+ }
+ res = rc == REG_NOMATCH ? 0 : 1;
+ free(tofree);
+ break;
+ case ST_FROMDATE:
+ res = sudo_timespeccmp(&evlog->submit_time, &sn->u.tstamp, >=);
+ break;
+ case ST_TODATE:
+ res = sudo_timespeccmp(&evlog->submit_time, &sn->u.tstamp, <=);
+ break;
+ default:
+ sudo_fatalx(U_("unknown search type %d"), sn->type);
+ /* NOTREACHED */
+ }
+ if (sn->negated)
+ res = !res;
+ matched = sn->or ? (res || last_match) : (res && last_match);
+ last_match = matched;
+ }
+ debug_return_bool(matched);
+}
+
+static int
+list_session(struct sudo_lbuf *lbuf, char *log_dir, regex_t *re,
+ const char *user, const char *tty)
+{
+ struct eventlog *evlog = NULL;
+ const char *timestr;
+ int ret = -1;
+ debug_decl(list_session, SUDO_DEBUG_UTIL);
+
+ if ((evlog = iolog_parse_loginfo(-1, log_dir)) == NULL)
+ goto done;
+
+ if (evlog->command == NULL || evlog->submituser == NULL ||
+ evlog->runuser == NULL) {
+ goto done;
+ }
+ evlog->iolog_file = log_dir + strlen(session_dir) + 1;
+
+ /* Match on search expression if there is one. */
+ if (!STAILQ_EMPTY(&search_expr) && !match_expr(&search_expr, evlog, true))
+ goto done;
+
+ timestr = get_timestr(evlog->submit_time.tv_sec, 1);
+ sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "%s : %s : ",
+ timestr ? timestr : "invalid date", evlog->submituser);
+
+ if (eventlog_store_sudo(EVLOG_ACCEPT, evlog, lbuf)) {
+ puts(lbuf->buf);
+ ret = 0;
+ }
+
+done:
+ lbuf->error = 0;
+ lbuf->len = 0;
+ eventlog_free(evlog);
+ debug_return_int(ret);
+}
+
+static int
+session_compare(const void *v1, const void *v2)
+{
+ const char *s1 = *(const char **)v1;
+ const char *s2 = *(const char **)v2;
+ return strcmp(s1, s2);
+}
+
+/* XXX - always returns 0, calls sudo_fatal() on failure */
+static int
+find_sessions(const char *dir, regex_t *re, const char *user, const char *tty)
+{
+ DIR *d;
+ struct dirent *dp;
+ struct stat sb;
+ struct sudo_lbuf lbuf;
+ size_t sdlen, sessions_len = 0, sessions_size = 0;
+ unsigned int i;
+ int len;
+ char pathbuf[PATH_MAX], **sessions = NULL;
+#ifdef HAVE_STRUCT_DIRENT_D_TYPE
+ bool checked_type = true;
+#else
+ const bool checked_type = false;
+#endif
+ debug_decl(find_sessions, SUDO_DEBUG_UTIL);
+
+ sudo_lbuf_init(&lbuf, NULL, 0, NULL, 0);
+
+ d = opendir(dir);
+ if (d == NULL)
+ sudo_fatal(U_("unable to open %s"), dir);
+
+ /* XXX - would be faster to use openat() and relative names */
+ sdlen = strlcpy(pathbuf, dir, sizeof(pathbuf));
+ if (sdlen + 1 >= sizeof(pathbuf)) {
+ errno = ENAMETOOLONG;
+ sudo_fatal("%s/", dir);
+ }
+ pathbuf[sdlen++] = '/';
+ pathbuf[sdlen] = '\0';
+
+ /* Store potential session dirs for sorting. */
+ while ((dp = readdir(d)) != NULL) {
+ /* Skip "." and ".." */
+ if (dp->d_name[0] == '.' && (dp->d_name[1] == '\0' ||
+ (dp->d_name[1] == '.' && dp->d_name[2] == '\0')))
+ continue;
+#ifdef HAVE_STRUCT_DIRENT_D_TYPE
+ if (checked_type) {
+ if (dp->d_type != DT_DIR) {
+ /* Not all file systems support d_type. */
+ if (dp->d_type != DT_UNKNOWN)
+ continue;
+ checked_type = false;
+ }
+ }
+#endif
+
+ /* Add name to session list. */
+ if (sessions_len + 1 > sessions_size) {
+ if (sessions_size == 0)
+ sessions_size = 36 * 36 / 2;
+ sessions = reallocarray(sessions, sessions_size, 2 * sizeof(char *));
+ if (sessions == NULL)
+ sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ sessions_size *= 2;
+ }
+ if ((sessions[sessions_len] = strdup(dp->d_name)) == NULL)
+ sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ sessions_len++;
+ }
+ closedir(d);
+
+ /* Sort and list the sessions. */
+ if (sessions != NULL) {
+ qsort(sessions, sessions_len, sizeof(char *), session_compare);
+ for (i = 0; i < sessions_len; i++) {
+ len = snprintf(&pathbuf[sdlen], sizeof(pathbuf) - sdlen,
+ "%s/log", sessions[i]);
+ if (len < 0 || (size_t)len >= sizeof(pathbuf) - sdlen) {
+ errno = ENAMETOOLONG;
+ sudo_fatal("%s/%s/log", dir, sessions[i]);
+ }
+ free(sessions[i]);
+
+ /* Check for dir with a log file. */
+ if (lstat(pathbuf, &sb) == 0 && S_ISREG(sb.st_mode)) {
+ pathbuf[sdlen + len - 4] = '\0';
+ list_session(&lbuf, pathbuf, re, user, tty);
+ } else {
+ /* Strip off "/log" and recurse if a non-log dir. */
+ pathbuf[sdlen + len - 4] = '\0';
+ if (checked_type ||
+ (lstat(pathbuf, &sb) == 0 && S_ISDIR(sb.st_mode)))
+ find_sessions(pathbuf, re, user, tty);
+ }
+ }
+ free(sessions);
+ }
+ sudo_lbuf_destroy(&lbuf);
+
+ debug_return_int(0);
+}
+
+/* XXX - always returns 0, calls sudo_fatal() on failure */
+static int
+list_sessions(int argc, char **argv, const char *pattern, const char *user,
+ const char *tty)
+{
+ regex_t rebuf, *re = NULL;
+ const char *errstr;
+ debug_decl(list_sessions, SUDO_DEBUG_UTIL);
+
+ /* Parse search expression if present */
+ parse_expr(&search_expr, argv, false);
+
+ /* optional regex */
+ if (pattern) {
+ re = &rebuf;
+ if (!sudo_regex_compile(re, pattern, &errstr)) {
+ sudo_fatalx(U_("invalid regular expression \"%s\": %s"),
+ pattern, U_(errstr));
+ }
+ }
+
+ debug_return_int(find_sessions(session_dir, re, user, tty));
+}
+
+/*
+ * Check keyboard for ' ', '<', '>', return
+ * pause, slow, fast, next
+ */
+static void
+read_keyboard(int fd, int what, void *v)
+{
+ struct replay_closure *closure = v;
+ static bool paused = false;
+ struct timespec ts;
+ ssize_t nread;
+ char ch;
+ debug_decl(read_keyboard, SUDO_DEBUG_UTIL);
+
+ nread = read(fd, &ch, 1);
+ switch (nread) {
+ case -1:
+ if (errno != EINTR && errno != EAGAIN)
+ sudo_fatal(U_("unable to read %s"), "stdin");
+ break;
+ case 0:
+ /* Ignore EOF. */
+ break;
+ default:
+ if (paused) {
+ /* Any key will unpause, run the delay callback directly. */
+ paused = false;
+ delay_cb(-1, SUDO_EV_TIMEOUT, closure);
+ debug_return;
+ }
+ switch (ch) {
+ case ' ':
+ paused = true;
+ /* Disable the delay event until we unpause. */
+ sudo_ev_del(closure->evbase, closure->delay_ev);
+ break;
+ case '<':
+ speed_factor /= 2;
+ if (sudo_ev_pending(closure->delay_ev, SUDO_EV_TIMEOUT, &ts)) {
+ /* Double remaining timeout. */
+ ts.tv_sec *= 2;
+ ts.tv_nsec *= 2;
+ if (ts.tv_nsec >= 1000000000) {
+ ts.tv_sec++;
+ ts.tv_nsec -= 1000000000;
+ }
+ if (sudo_ev_add(NULL, closure->delay_ev, &ts, false) == -1) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+ "failed to double remaining delay timeout");
+ }
+ }
+ break;
+ case '>':
+ speed_factor *= 2;
+ if (sudo_ev_pending(closure->delay_ev, SUDO_EV_TIMEOUT, &ts)) {
+ /* Halve remaining timeout. */
+ if (ts.tv_sec & 1)
+ ts.tv_nsec += 500000000;
+ ts.tv_sec /= 2;
+ ts.tv_nsec /= 2;
+ if (sudo_ev_add(NULL, closure->delay_ev, &ts, false) == -1) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+ "failed to halve remaining delay timeout");
+ }
+ }
+ break;
+ case '\r':
+ case '\n':
+ /* Cancel existing delay, run callback directly. */
+ sudo_ev_del(closure->evbase, closure->delay_ev);
+ delay_cb(-1, SUDO_EV_TIMEOUT, closure);
+ break;
+ default:
+ /* Unknown key, nothing to do. */
+ break;
+ }
+ break;
+ }
+ debug_return;
+}
+
+static void
+print_usage(FILE *fp)
+{
+ fprintf(fp, _("usage: %s [-hnRS] [-d dir] [-m num] [-s num] ID\n"),
+ getprogname());
+ fprintf(fp, _("usage: %s [-h] [-d dir] -l [search expression]\n"),
+ getprogname());
+}
+
+static void
+usage(void)
+{
+ print_usage(stderr);
+ exit(EXIT_FAILURE);
+}
+
+static void
+help(void)
+{
+ (void) printf(_("%s - replay sudo session logs\n\n"), getprogname());
+ print_usage(stdout);
+ (void) puts(_("\nOptions:\n"
+ " -d, --directory=dir specify directory for session logs\n"
+ " -f, --filter=filter specify which I/O type(s) to display\n"
+ " -h, --help display help message and exit\n"
+ " -l, --list list available session IDs, with optional expression\n"
+ " -m, --max-wait=num max number of seconds to wait between events\n"
+ " -n, --non-interactive no prompts, session is sent to the standard output\n"
+ " -R, --no-resize do not attempt to re-size the terminal\n"
+ " -S, --suspend-wait wait while the command was suspended\n"
+ " -s, --speed=num speed up or slow down output\n"
+ " -V, --version display version information and exit"));
+ exit(EXIT_SUCCESS);
+}
+
+/*
+ * Cleanup hook for sudo_fatal()/sudo_fatalx()
+ */
+static void
+sudoreplay_cleanup(void)
+{
+ restore_terminal_size();
+ sudo_term_restore(ttyfd, false);
+}