Pass back a failure or error string to the front end.

The audit_failure() function now stores the failure string. This will allow an audit plugin to log the reason if the user's request is a rejected.
2025-08-31 22:35:10 +00:00 · 2020-01-30 13:25:36 -07:00
parent 22105009d8
commit 45e589d443
8 changed files with 176 additions and 98 deletions
--- a/plugins/sudoers/audit.c
+++ b/plugins/sudoers/audit.c
@@ -1,7 +1,7 @@
 /*
 * SPDX-License-Identifier: ISC
 *
- * Copyright (c) 2009-2015 Todd C. Miller <Todd.Miller@sudo.ws>
+ * Copyright (c) 2009-2015, 2019-2020 Todd C. Miller <Todd.Miller@sudo.ws>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -26,6 +26,7 @@
 #include <sys/types.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include "sudoers.h"
@@ -39,6 +40,8 @@
 # include "solaris_audit.h"
 #endif
 char *audit_msg = NULL;
 int
 audit_success(int argc, char *argv[])
 {
@@ -70,14 +73,22 @@ int
 audit_failure(int argc, char *argv[], char const *const fmt, ...)
 {
    int rc = 0;
    va_list ap;
    debug_decl(audit_success, SUDOERS_DEBUG_AUDIT);
    /* Set audit_msg for audit plugin.  */
    free(audit_msg);
    audit_msg = NULL;
    va_start(ap, fmt);
    if (vasprintf(&audit_msg, fmt, ap) == -1)
 	rc = -1;
    va_end(ap);
    if (!def_log_denied)
 	debug_return_int(0);
 #if defined(HAVE_BSM_AUDIT) || defined(HAVE_LINUX_AUDIT)
    if (argv != NULL) {
 	va_list ap;
 	int oldlocale;
 	/* Audit error messages should be in the sudoers locale. */
--- a/plugins/sudoers/iolog.c
+++ b/plugins/sudoers/iolog.c
@@ -633,7 +633,8 @@ static int
 sudoers_io_open(unsigned int version, sudo_conv_t conversation,
    sudo_printf_t plugin_printf, char * const settings[],
    char * const user_info[], char * const command_info[],
-    int argc, char * const argv[], char * const user_env[], char * const args[])
+    int argc, char * const argv[], char * const user_env[], char * const args[],
    const char **errstr)
 {
    struct sudo_conf_debug_file_list debug_files = TAILQ_HEAD_INITIALIZER(debug_files);
    char * const *cur;
@@ -881,36 +882,44 @@ done:
 * Returns 1 on success and -1 on error.
 */
 static int
-sudoers_io_log(const char *buf, unsigned int len, int event)
+sudoers_io_log(const char *buf, unsigned int len, int event, const char **errstr)
 {
    struct timespec now, delay;
-    const char *errstr = NULL;
+    const char *ioerror = NULL;
    int ret = -1;
    debug_decl(sudoers_io_log, SUDOERS_DEBUG_PLUGIN);
    if (sudo_gettime_awake(&now) == -1) {
 	sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
 	    "%s: unable to get time of day", __func__);
-	errstr = strerror(errno);
+	ioerror = N_("unable to read the clock");
 	goto bad;
    }
    sudo_timespecsub(&now, &last_time, &delay);
    if (iolog_remote)
-	ret = sudoers_io_log_remote(event, buf, len, &delay, &errstr);
+	ret = sudoers_io_log_remote(event, buf, len, &delay, &ioerror);
    else
-	ret = sudoers_io_log_local(event, buf, len, &delay, &errstr);
+	ret = sudoers_io_log_local(event, buf, len, &delay, &ioerror);
    last_time.tv_sec = now.tv_sec;
    last_time.tv_nsec = now.tv_nsec;
 bad:
    if (ret == -1) {
-	if (errstr != NULL && !warned) {
+	if (ioerror != NULL) {
-	    /* Only warn about I/O log file errors once. */
+	    char *cp;
-	    log_warning(SLOG_SEND_MAIL,
+
-		N_("unable to write to I/O log file: %s"), errstr);
+	    if (asprintf(&cp, N_("unable to write to I/O log file: %s"),
-	    warned = true;
+		    ioerror) != -1) {
 		*errstr = cp;
 	    }
 	    if (!warned) {
 		/* Only warn about I/O log file errors once. */
 		log_warning(SLOG_SEND_MAIL,
 		    N_("unable to write to I/O log file: %s"), ioerror);
 		warned = true;
 	    }
 	}
 	/* Ignore errors if they occur if the policy says so. */
@@ -922,33 +931,33 @@ bad:
 }
 static int
-sudoers_io_log_stdin(const char *buf, unsigned int len)
+sudoers_io_log_stdin(const char *buf, unsigned int len, const char **errstr)
 {
-    return sudoers_io_log(buf, len, IO_EVENT_STDIN);
+    return sudoers_io_log(buf, len, IO_EVENT_STDIN, errstr);
 }
 static int
-sudoers_io_log_stdout(const char *buf, unsigned int len)
+sudoers_io_log_stdout(const char *buf, unsigned int len, const char **errstr)
 {
-    return sudoers_io_log(buf, len, IO_EVENT_STDOUT);
+    return sudoers_io_log(buf, len, IO_EVENT_STDOUT, errstr);
 }
 static int
-sudoers_io_log_stderr(const char *buf, unsigned int len)
+sudoers_io_log_stderr(const char *buf, unsigned int len, const char **errstr)
 {
-    return sudoers_io_log(buf, len, IO_EVENT_STDERR);
+    return sudoers_io_log(buf, len, IO_EVENT_STDERR, errstr);
 }
 static int
-sudoers_io_log_ttyin(const char *buf, unsigned int len)
+sudoers_io_log_ttyin(const char *buf, unsigned int len, const char **errstr)
 {
-    return sudoers_io_log(buf, len, IO_EVENT_TTYIN);
+    return sudoers_io_log(buf, len, IO_EVENT_TTYIN, errstr);
 }
 static int
-sudoers_io_log_ttyout(const char *buf, unsigned int len)
+sudoers_io_log_ttyout(const char *buf, unsigned int len, const char **errstr)
 {
-    return sudoers_io_log(buf, len, IO_EVENT_TTYOUT);
+    return sudoers_io_log(buf, len, IO_EVENT_TTYOUT, errstr);
 }
 static int
@@ -1002,36 +1011,44 @@ sudoers_io_change_winsize_remote(unsigned int lines, unsigned int cols,
 }
 static int
-sudoers_io_change_winsize(unsigned int lines, unsigned int cols)
+sudoers_io_change_winsize(unsigned int lines, unsigned int cols, const char **errstr)
 {
    struct timespec now, delay;
-    const char *errstr = NULL;
+    const char *ioerror = NULL;
    int ret = -1;
    debug_decl(sudoers_io_change_winsize, SUDOERS_DEBUG_PLUGIN);
    if (sudo_gettime_awake(&now) == -1) {
 	sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
 	    "%s: unable to get time of day", __func__);
-	errstr = strerror(errno);
+	ioerror = N_("unable to read the clock");
 	goto bad;
    }
    sudo_timespecsub(&now, &last_time, &delay);
    if (iolog_remote)
-	ret = sudoers_io_change_winsize_remote(lines, cols, &delay, &errstr);
+	ret = sudoers_io_change_winsize_remote(lines, cols, &delay, &ioerror);
    else
-	ret = sudoers_io_change_winsize_local(lines, cols, &delay, &errstr);
+	ret = sudoers_io_change_winsize_local(lines, cols, &delay, &ioerror);
    last_time.tv_sec = now.tv_sec;
    last_time.tv_nsec = now.tv_nsec;
 bad:
    if (ret == -1) {
-	if (errstr != NULL && !warned) {
+	if (ioerror != NULL && !warned) {
-	    /* Only warn about I/O log file errors once. */
+	    char *cp;
-	    log_warning(SLOG_SEND_MAIL,
+
-		N_("unable to write to I/O log file: %s"), errstr);
+	    if (asprintf(&cp, N_("unable to write to I/O log file: %s"),
-	    warned = true;
+		    ioerror) != -1) {
 		*errstr = cp;
 	    }
 	    if (!warned) {
 		/* Only warn about I/O log file errors once. */
 		log_warning(SLOG_SEND_MAIL,
 		    N_("unable to write to I/O log file: %s"), ioerror);
 		warned = true;
 	    }
 	}
 	/* Ignore errors if they occur if the policy says so. */
@@ -1093,11 +1110,11 @@ sudoers_io_suspend_remote(const char *signame, struct timespec *delay,
 }
 static int
-sudoers_io_suspend(int signo)
+sudoers_io_suspend(int signo, const char **errstr)
 {
    struct timespec now, delay;
    char signame[SIG2STR_MAX];
-    const char *errstr = NULL;
+    const char *ioerror = NULL;
    int ret = -1;
    debug_decl(sudoers_io_suspend, SUDOERS_DEBUG_PLUGIN);
@@ -1110,27 +1127,35 @@ sudoers_io_suspend(int signo)
    if (sudo_gettime_awake(&now) == -1) {
 	sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
 	    "%s: unable to get time of day", __func__);
-	errstr = strerror(errno);
+	ioerror = N_("unable to read the clock");
 	goto bad;
    }
    sudo_timespecsub(&now, &last_time, &delay);
    /* Write suspend event to the timing file. */
    if (iolog_remote)
-	ret = sudoers_io_suspend_remote(signame, &delay, &errstr);
+	ret = sudoers_io_suspend_remote(signame, &delay, &ioerror);
    else
-	ret = sudoers_io_suspend_local(signame, &delay, &errstr);
+	ret = sudoers_io_suspend_local(signame, &delay, &ioerror);
    last_time.tv_sec = now.tv_sec;
    last_time.tv_nsec = now.tv_nsec;
 bad:
    if (ret == -1) {
-	if (errstr != NULL && !warned) {
+	if (ioerror != NULL && !warned) {
-	    /* Only warn about I/O log file errors once. */
+	    char *cp;
-	    log_warning(SLOG_SEND_MAIL,
+
-		N_("unable to write to I/O log file: %s"), errstr);
+	    if (asprintf(&cp, N_("unable to write to I/O log file: %s"),
-	    warned = true;
+		    ioerror) != -1) {
 		*errstr = cp;
 	    }
 	    if (!warned) {
 		/* Only warn about I/O log file errors once. */
 		log_warning(SLOG_SEND_MAIL,
 		    N_("unable to write to I/O log file: %s"), ioerror);
 		warned = true;
 	    }
 	}
 	/* Ignore errors if they occur if the policy says so. */
--- a/plugins/sudoers/logging.c
+++ b/plugins/sudoers/logging.c
@@ -1,7 +1,7 @@
 /*
 * SPDX-License-Identifier: ISC
 *
- * Copyright (c) 1994-1996, 1998-2019 Todd C. Miller <Todd.Miller@sudo.ws>
+ * Copyright (c) 1994-1996, 1998-2020 Todd C. Miller <Todd.Miller@sudo.ws>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -241,28 +241,25 @@ log_denial(int status, bool inform_user)
    bool mailit;
    debug_decl(log_denial, SUDOERS_DEBUG_LOGGING);
    /* Handle auditing first (audit_failure() handles the locale itself). */
    if (ISSET(status, FLAG_NO_USER | FLAG_NO_HOST))
 	audit_failure(NewArgc, NewArgv, N_("No user or host"));
    else
 	audit_failure(NewArgc, NewArgv, N_("validation failure"));
    /* Send mail based on status. */
    mailit = should_mail(status);
    /* Set error message. */
    if (ISSET(status, FLAG_NO_USER))
 	message = N_("user NOT in sudoers");
    else if (ISSET(status, FLAG_NO_HOST))
 	message = N_("user NOT authorized on host");
    else
 	message = N_("command not allowed");
    /* Do auditing first (audit_failure() handles the locale itself). */
    audit_failure(NewArgc, NewArgv, "%s", message);
    if (def_log_denied || mailit) {
 	/* Log and mail messages should be in the sudoers locale. */
 	sudoers_setlocale(SUDOERS_LOCALE_SUDOERS, &oldlocale);
-	/* Set error message. */
+	logline = new_logline(_(message), NULL);
 	if (ISSET(status, FLAG_NO_USER))
 	    message = _("user NOT in sudoers");
 	else if (ISSET(status, FLAG_NO_HOST))
 	    message = _("user NOT authorized on host");
 	else
 	    message = _("command not allowed");
 	logline = new_logline(message, NULL);
 	if (logline == NULL)
 	    debug_return_bool(false);
@@ -361,8 +358,8 @@ log_auth_failure(int status, unsigned int tries)
    bool ret = true;
    debug_decl(log_auth_failure, SUDOERS_DEBUG_LOGGING);
-    /* Handle auditing first. */
+    /* Do auditing first (audit_failure() handles the locale itself). */
-    audit_failure(NewArgc, NewArgv, N_("authentication failure"));
+    audit_failure(NewArgc, NewArgv, "%s", N_("authentication failure"));
    /*
     * Do we need to send mail?
--- a/plugins/sudoers/logging.h
+++ b/plugins/sudoers/logging.h
@@ -63,6 +63,7 @@
 /* XXX - needed for auditing */
 extern int NewArgc;
 extern char **NewArgv;
 extern char *audit_msg;
 union sudo_defs_val;
--- a/plugins/sudoers/policy.c
+++ b/plugins/sudoers/policy.c
@@ -551,7 +551,7 @@ bad:
 * Consumes iolog_path if not NULL.
 * Returns 1 on success and -1 on error.
 */
-int
+bool
 sudoers_policy_exec_setup(char *argv[], char *envp[], mode_t cmnd_umask,
    char *iolog_path, void *v)
 {
@@ -560,14 +560,19 @@ sudoers_policy_exec_setup(char *argv[], char *envp[], mode_t cmnd_umask,
    int info_len = 0;
    debug_decl(sudoers_policy_exec_setup, SUDOERS_DEBUG_PLUGIN);
    if (exec_args == NULL)
 	debug_return_bool(true);	/* nothing to do */
    /* Increase the length of command_info as needed, it is *not* checked. */
-    command_info = calloc(48, sizeof(char *));
+    command_info = calloc(50, sizeof(char *));
    if (command_info == NULL)
 	goto oom;
-    command_info[info_len] = sudo_new_key_val("command", safe_cmnd);
+    if (safe_cmnd != NULL) {
-    if (command_info[info_len++] == NULL)
+	command_info[info_len] = sudo_new_key_val("command", safe_cmnd);
-	goto oom;
+	if (command_info[info_len++] == NULL)
 	    goto oom;
    }
    if (def_log_input || def_log_output) {
 	if (iolog_path)
 	    command_info[info_len++] = iolog_path;	/* now owned */
@@ -814,26 +819,30 @@ sudoers_policy_exec_setup(char *argv[], char *envp[], mode_t cmnd_umask,
    *(exec_args->envp) = envp;
    *(exec_args->info) = command_info;
-    debug_return_int(true);
+    debug_return_bool(true);
 oom:
    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
 bad:
    free(audit_msg);
    audit_msg = NULL;
    while (info_len--)
 	free(command_info[info_len]);
    free(command_info);
-    debug_return_int(-1);
+    debug_return_bool(false);
 }
 static int
 sudoers_policy_open(unsigned int version, sudo_conv_t conversation,
    sudo_printf_t plugin_printf, char * const settings[],
-    char * const user_info[], char * const envp[], char * const args[])
+    char * const user_info[], char * const envp[], char * const args[],
    const char **errstr)
 {
    struct sudo_conf_debug_file_list debug_files = TAILQ_HEAD_INITIALIZER(debug_files);
    struct sudoers_policy_open_info info;
    const char *cp, *plugin_path = NULL;
    char * const *cur;
    int ret;
    debug_decl(sudoers_policy_open, SUDOERS_DEBUG_PLUGIN);
    sudo_version = version;
@@ -864,7 +873,12 @@ sudoers_policy_open(unsigned int version, sudo_conv_t conversation,
    info.settings = settings;
    info.user_info = user_info;
    info.plugin_args = args;
-    debug_return_int(sudoers_policy_init(&info, envp));
+    ret = sudoers_policy_init(&info, envp);
    /* The audit functions set audit_msg on failure. */
    if (ret != 1 && audit_msg != NULL)
 	*errstr = audit_msg;
    debug_return_int(ret);
 }
 static void
@@ -905,6 +919,8 @@ sudoers_policy_close(int exit_status, int error_code)
    }
    free(user_gids);
    user_gids = NULL;
    free(audit_msg);
    audit_msg = NULL;
    sudoers_debug_deregister();
@@ -917,20 +933,28 @@ sudoers_policy_close(int exit_status, int error_code)
 * Returns 1 on success, 0 on failure and -1 on error.
 */
 static int
-sudoers_policy_init_session(struct passwd *pwd, char **user_env[])
+sudoers_policy_init_session(struct passwd *pwd, char **user_env[],
    const char **errstr)
 {
    int ret;
    debug_decl(sudoers_policy_init_session, SUDOERS_DEBUG_PLUGIN);
    /* user_env is only specified for API version 1.2 and higher. */
    if (sudo_version < SUDO_API_MKVERSION(1, 2))
 	user_env = NULL;
-    debug_return_int(sudo_auth_begin_session(pwd, user_env));
+    ret = sudo_auth_begin_session(pwd, user_env);
    /* The audit functions set audit_msg on failure. */
    if (ret != 1 && audit_msg != NULL)
 	*errstr = audit_msg;
    debug_return_int(ret);
 }
 static int
 sudoers_policy_check(int argc, char * const argv[], char *env_add[],
-    char **command_infop[], char **argv_out[], char **user_env_out[])
+    char **command_infop[], char **argv_out[], char **user_env_out[],
    const char **errstr)
 {
    struct sudoers_exec_args exec_args;
    int ret;
@@ -950,18 +974,28 @@ sudoers_policy_check(int argc, char * const argv[], char *env_add[],
 	    !sudo_auth_needs_end_session())
 	    sudoers_policy.close = NULL;
    }
    /* The audit functions set audit_msg on failure. */
    if (ret != 1 && audit_msg != NULL)
 	*errstr = audit_msg;
    debug_return_int(ret);
 }
 static int
-sudoers_policy_validate(void)
+sudoers_policy_validate(const char **errstr)
 {
    int ret;
    debug_decl(sudoers_policy_validate, SUDOERS_DEBUG_PLUGIN);
    user_cmnd = "validate";
    SET(sudo_mode, MODE_VALIDATE);
-    debug_return_int(sudoers_policy_main(0, NULL, I_VERIFYPW, NULL, false, NULL));
+    ret = sudoers_policy_main(0, NULL, I_VERIFYPW, NULL, false, NULL);
    /* The audit functions set audit_msg on failure. */
    if (ret != 1 && audit_msg != NULL)
 	*errstr = audit_msg;
    debug_return_int(ret);
 }
 static void
@@ -979,7 +1013,7 @@ sudoers_policy_invalidate(int remove)
 static int
 sudoers_policy_list(int argc, char * const argv[], int verbose,
-    const char *list_user)
+    const char *list_user, const char **errstr)
 {
    int ret;
    debug_decl(sudoers_policy_list, SUDOERS_DEBUG_PLUGIN);
@@ -1002,6 +1036,9 @@ sudoers_policy_list(int argc, char * const argv[], int verbose,
 	list_pw = NULL;
    }
    /* The audit functions set audit_msg on failure. */
    if (ret != 1 && audit_msg != NULL)
 	*errstr = audit_msg;
    debug_return_int(ret);
 }
--- a/plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c
+++ b/plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c
@@ -206,6 +206,7 @@ void
 test_endpoints(int *ntests, int *nerrors, const char *iolog_dir, char *envp[])
 {
    int rc, cmnd_argc = 1;
    const char *errstr = NULL;
    char buf[1024], iolog_path[PATH_MAX];
    char runas_gid[64], runas_uid[64];
    FILE *fp;
@@ -251,7 +252,7 @@ test_endpoints(int *ntests, int *nerrors, const char *iolog_dir, char *envp[])
    /* Test open endpoint. */
    rc = sudoers_io.open(SUDO_API_VERSION, NULL, sudo_printf_int, settings,
-	user_info, command_info, cmnd_argc, cmnd_argv, envp, NULL);
+	user_info, command_info, cmnd_argc, cmnd_argv, envp, NULL, &errstr);
    (*ntests)++;
    if (rc != 1) {
 	sudo_warnx("I/O log open endpoint failed");
@@ -266,7 +267,7 @@ test_endpoints(int *ntests, int *nerrors, const char *iolog_dir, char *envp[])
 	(*nerrors)++;
    /* Test log_ttyout endpoint. */
-    rc = sudoers_io.log_ttyout(output, strlen(output));
+    rc = sudoers_io.log_ttyout(output, strlen(output), &errstr);
    (*ntests)++;
    if (rc != 1) {
 	sudo_warnx("I/O log_ttyout endpoint failed");
@@ -275,14 +276,14 @@ test_endpoints(int *ntests, int *nerrors, const char *iolog_dir, char *envp[])
    }
    /* Test change_winsize endpoint (twice). */
-    rc = sudoers_io.change_winsize(32, 128);
+    rc = sudoers_io.change_winsize(32, 128, &errstr);
    (*ntests)++;
    if (rc != 1) {
 	sudo_warnx("I/O change_winsize endpoint failed");
 	(*nerrors)++;
 	return;
    }
-    rc = sudoers_io.change_winsize(24, 80);
+    rc = sudoers_io.change_winsize(24, 80, &errstr);
    (*ntests)++;
    if (rc != 1) {
 	sudo_warnx("I/O change_winsize endpoint failed");
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
@@ -1,7 +1,7 @@
 /*
 * SPDX-License-Identifier: ISC
 *
- * Copyright (c) 1993-1996, 1998-2019 Todd C. Miller <Todd.Miller@sudo.ws>
+ * Copyright (c) 1993-1996, 1998-2020 Todd C. Miller <Todd.Miller@sudo.ws>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -292,7 +292,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
    /* Is root even allowed to run sudo? */
    if (user_uid == 0 && !def_root_sudo) {
-	/* Not an audit event. */
+	/* Not an audit event (should it be?). */
 	sudo_warnx(U_("sudoers specifies that root is not allowed to sudo"));
 	goto bad;
    }
@@ -350,7 +350,8 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
    /* Check for -C overriding def_closefrom. */
    if (user_closefrom >= 0 && user_closefrom != def_closefrom) {
 	if (!def_closefrom_override) {
-	    /* XXX - audit? */
+	    audit_failure(NewArgc, NewArgv,
 		N_("user not allowed to override closefrom limit"));
 	    sudo_warnx(U_("you are not permitted to use the -C option"));
 	    goto bad;
 	}
@@ -413,6 +414,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
 	    timestamp_gid = pw->pw_gid;
 	    sudo_pw_delref(pw);
 	} else {
 	    /* XXX - audit too? */
 	    log_warningx(SLOG_SEND_MAIL,
 		N_("timestamp owner (%s): No such user"), def_timestampowner);
 	    timestamp_uid = ROOT_UID;
@@ -436,6 +438,8 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
    /* Check runas user's shell. */
    if (!check_user_shell(runas_pw)) {
 	audit_failure(NewArgc, NewArgv, N_("invalid shell for user %s: %s"),
 	    runas_pw->pw_name, runas_pw->pw_shell);
 	log_warningx(SLOG_RAW_MSG, N_("invalid shell for user %s: %s"),
 	    runas_pw->pw_name, runas_pw->pw_shell);
 	goto bad;
@@ -517,7 +521,8 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
    /* If user specified a timeout make sure sudoers allows it. */
    if (!def_user_command_timeouts && user_timeout > 0) {
-	/* XXX - audit/log? */
+	audit_failure(NewArgc, NewArgv,
 	    N_("user not allowed to set a command timeout"));
 	sudo_warnx(U_("sorry, you are not allowed set a command timeout"));
 	goto bad;
    }
@@ -525,7 +530,8 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
    /* If user specified env vars make sure sudoers allows it. */
    if (ISSET(sudo_mode, MODE_RUN) && !def_setenv) {
 	if (ISSET(sudo_mode, MODE_PRESERVE_ENV)) {
-	    /* XXX - audit/log? */
+	    audit_failure(NewArgc, NewArgv,
 		N_("user not allowed to set a preserve the environment"));
 	    sudo_warnx(U_("sorry, you are not allowed to preserve the environment"));
 	    goto bad;
 	} else {
@@ -557,12 +563,10 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
 	    ret = display_privs(snl, list_pw ? list_pw : sudo_user.pw, verbose);
 	    break;
 	case MODE_VALIDATE:
 	    /* Nothing to do. */
 	    ret = true;
 	    break;
 	case MODE_RUN:
 	case MODE_EDIT:
-	    /* ret set by sudoers_policy_exec_setup() below. */
+	    /* ret may be overridden by "goto bad" later */
 	    ret = true;
 	    break;
 	default:
 	    /* Should not happen. */
@@ -676,19 +680,20 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
 	    goto done;
    }
    /* Setup execution environment to pass back to front-end. */
    ret = sudoers_policy_exec_setup(edit_argv ? edit_argv : NewArgv,
 	env_get(), cmnd_umask, iolog_path, closure);
    /* Zero out stashed copy of environment, it is owned by the front-end. */
    (void)env_init(NULL);
    goto done;
 bad:
    ret = false;
 done:
    /* Setup execution environment to pass back to front-end. */
    if (!sudoers_policy_exec_setup(edit_argv ? edit_argv : NewArgv,
 	    env_get(), cmnd_umask, iolog_path, closure))
 	ret = -1;
    /* Zero out stashed copy of environment, it is owned by the front-end. */
    (void)env_init(NULL);
    if (!rewind_perms())
 	ret = -1;
@@ -871,8 +876,9 @@ set_cmnd(void)
 		    debug_return_int(-1);
 	    }
 	    if (ret == NOT_FOUND_ERROR) {
-		if (errno == ENAMETOOLONG)
+		if (errno == ENAMETOOLONG) {
 		    audit_failure(NewArgc, NewArgv, N_("command too long"));
 		}
 		log_warning(0, "%s", NewArgv[0]);
 		debug_return_int(ret);
 	    }
--- a/plugins/sudoers/sudoers.h
+++ b/plugins/sudoers/sudoers.h
@@ -397,7 +397,7 @@ void sudoers_debug_deregister(void);
 /* policy.c */
 int sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group);
-int sudoers_policy_exec_setup(char *argv[], char *envp[], mode_t cmnd_umask, char *iolog_path, void *v);
+bool sudoers_policy_exec_setup(char *argv[], char *envp[], mode_t cmnd_umask, char *iolog_path, void *v);
 extern const char *path_ldap_conf;
 extern const char *path_ldap_secret;