mir/sudo
2
0
Fork 0
mirror of https://github.com/sudo-project/sudo.git synced 2025-09-04 16:25:25 +00:00
Code Issues Releases Wiki Activity

Do not inform the user that the command was not permitted by the

Browse Source 
policy if they do not successfully authenticate.  This is a regression
introduced in sudo 1.8.6.
This commit is contained in:
Todd C. Miller
2012-11-06 11:19:51 -05:00
parent 941d759c51
commit 5d052aeb60
4 changed files with 15 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
plugins/sudoers/audit.c
View File

@@ -26,6 +26,11 @@
# include <stdlib.h> # include <stdlib.h>
# endif # endif
#endif /* STDC_HEADERS */ #endif /* STDC_HEADERS */
#ifdef HAVE_STDBOOL_H
# include <stdbool.h>
#else
# include "compat/stdbool.h"
#endif /* HAVE_STDBOOL_H */
#include <stdarg.h> #include <stdarg.h>
#include "missing.h" #include "missing.h"

16
plugins/sudoers/logging.c
View File

@@ -247,14 +247,20 @@ do_logfile(char *msg)
} }
/* /*
* Log and mail the denial message, optionally informing the user. * Log, audit and mail the denial message, optionally informing the user.
*/ */
static void void
log_denial(int status, bool inform_user) log_denial(int status, bool inform_user)
{ {
char *logline, *message; char *logline, *message;
debug_decl(log_denial, SUDO_DEBUG_LOGGING) debug_decl(log_denial, SUDO_DEBUG_LOGGING)
/* Handle auditing first. */
if (ISSET(status, FLAG_NO_USER | FLAG_NO_HOST))
audit_failure(NewArgv, _("No user or host"));
else
audit_failure(NewArgv, _("validation failure"));
/* Set error message. */ /* Set error message. */
if (ISSET(status, FLAG_NO_USER)) if (ISSET(status, FLAG_NO_USER))
message = _("user NOT in sudoers"); message = _("user NOT in sudoers");
@@ -312,12 +318,6 @@ log_failure(int status, int flags)
debug_decl(log_failure, SUDO_DEBUG_LOGGING) debug_decl(log_failure, SUDO_DEBUG_LOGGING)
bool inform_user = true; bool inform_user = true;
/* Handle auditing first. */
if (ISSET(status, FLAG_NO_USER | FLAG_NO_HOST))
audit_failure(NewArgv, _("No user or host"));
else
audit_failure(NewArgv, _("validation failure"));
/* The user doesn't always get to see the log message (path info). */ /* The user doesn't always get to see the log message (path info). */
if (!ISSET(status, FLAG_NO_USER | FLAG_NO_HOST) && def_path_info && if (!ISSET(status, FLAG_NO_USER | FLAG_NO_HOST) && def_path_info &&
(flags == NOT_FOUND_DOT || flags == NOT_FOUND)) (flags == NOT_FOUND_DOT || flags == NOT_FOUND))

1
plugins/sudoers/logging.h
View File

@@ -56,6 +56,7 @@ void audit_success(char *exec_args[]);
void audit_failure(char *exec_args[], char const *const fmt, ...); void audit_failure(char *exec_args[], char const *const fmt, ...);
void log_allowed(int status); void log_allowed(int status);
void log_auth_failure(int status, int tries); void log_auth_failure(int status, int tries);
void log_denial(int status, bool inform_user);
void log_failure(int status, int flags); void log_failure(int status, int flags);
void log_error(int flags, const char *fmt, ...) __printflike(2, 3); void log_error(int flags, const char *fmt, ...) __printflike(2, 3);
void log_fatal(int flags, const char *fmt, ...) __printflike(2, 3) __attribute__((__noreturn__)); void log_fatal(int flags, const char *fmt, ...) __printflike(2, 3) __attribute__((__noreturn__));

2
plugins/sudoers/sudoers.c
View File

@@ -379,7 +379,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
rval = check_user(validated, sudo_mode); rval = check_user(validated, sudo_mode);
if (rval != true) { if (rval != true) {
if (!ISSET(validated, VALIDATE_OK)) if (!ISSET(validated, VALIDATE_OK))
log_failure(validated, cmnd_status); log_denial(validated, false);
goto done; goto done;
} }