mirror of
https://github.com/sudo-project/sudo.git
synced 2025-08-31 06:15:37 +00:00
Rename log_warning flags and only send mail if SLOG_SEND_MAIL is
set instead of mailing by default like we used to.
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2000-2005, 2007-2008, 2010-2013
|
||||
* Copyright (c) 2000-2005, 2007-2008, 2010-2014
|
||||
* Todd C. Miller <Todd.Miller@courtesan.com>
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
@@ -71,14 +71,13 @@ bsdauth_init(struct passwd *pw, sudo_auth *auth)
|
||||
else
|
||||
state.lc = login_getclass(pw->pw_uid ? LOGIN_DEFCLASS : LOGIN_DEFROOTCLASS);
|
||||
if (state.lc == NULL) {
|
||||
log_warning(NO_MAIL,
|
||||
log_warning(0,
|
||||
N_("unable to get login class for user %s"), pw->pw_name);
|
||||
debug_return_int(AUTH_FATAL);
|
||||
}
|
||||
|
||||
if ((state.as = auth_open()) == NULL) {
|
||||
log_warning(NO_MAIL,
|
||||
N_("unable to begin bsd authentication"));
|
||||
log_warning(0, N_("unable to begin bsd authentication"));
|
||||
login_close(state.lc);
|
||||
debug_return_int(AUTH_FATAL);
|
||||
}
|
||||
@@ -86,7 +85,7 @@ bsdauth_init(struct passwd *pw, sudo_auth *auth)
|
||||
/* XXX - maybe sanity check the auth style earlier? */
|
||||
login_style = login_getstyle(state.lc, login_style, "auth-sudo");
|
||||
if (login_style == NULL) {
|
||||
log_warningx(NO_MAIL, N_("invalid authentication type"));
|
||||
log_warningx(0, N_("invalid authentication type"));
|
||||
auth_close(state.as);
|
||||
login_close(state.lc);
|
||||
debug_return_int(AUTH_FATAL);
|
||||
@@ -95,7 +94,7 @@ bsdauth_init(struct passwd *pw, sudo_auth *auth)
|
||||
if (auth_setitem(state.as, AUTHV_STYLE, login_style) < 0 ||
|
||||
auth_setitem(state.as, AUTHV_NAME, pw->pw_name) < 0 ||
|
||||
auth_setitem(state.as, AUTHV_CLASS, login_class) < 0) {
|
||||
log_warningx(NO_MAIL, N_("unable to initialize BSD authentication"));
|
||||
log_warningx(0, N_("unable to initialize BSD authentication"));
|
||||
auth_close(state.as);
|
||||
login_close(state.lc);
|
||||
debug_return_int(AUTH_FATAL);
|
||||
@@ -167,7 +166,7 @@ bsdauth_verify(struct passwd *pw, char *prompt, sudo_auth *auth)
|
||||
debug_return_int(AUTH_INTR);
|
||||
|
||||
if ((s = auth_getvalue(as, "errormsg")) != NULL)
|
||||
log_warningx(NO_MAIL, "%s", s);
|
||||
log_warningx(0, "%s", s);
|
||||
debug_return_int(AUTH_FAILURE);
|
||||
}
|
||||
|
||||
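Review bot: The bare `0` passed to log_warning()/log_warningx() in bsdauth_init() and bsdauth_verify() now means "log only, never mail", the opposite of what `0` meant before this commit (the old sudo_auth.c call sites on this page passed `0` to get mail). The same applies to the Kerberos, PAM and SIA sections below. Because the argument kept its type and spelling, any caller this commit misses, or any out-of-tree patch still passing `0`, compiles cleanly and silently stops sending mail. It would help to confirm that every remaining caller was audited, and to state the intent once per file above the first call, e.g. `/* log only; SLOG_SEND_MAIL not set, so no mail is sent */`.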
|
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 1999-2005, 2007-2008, 2010-2013
|
||||
* Copyright (c) 1999-2005, 2007-2008, 2010-2014
|
||||
* Todd C. Miller <Todd.Miller@courtesan.com>
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
@@ -112,9 +112,9 @@ sudo_krb5_setup(struct passwd *pw, char **promptp, sudo_auth *auth)
|
||||
* API does not currently provide this unless the auth is standalone.
|
||||
*/
|
||||
if ((error = krb5_unparse_name(sudo_context, princ, &pname))) {
|
||||
log_warningx(NO_MAIL,
|
||||
N_("%s: unable to convert principal to string ('%s'): %s"),
|
||||
auth->name, pw->pw_name, error_message(error));
|
||||
log_warningx(0,
|
||||
N_("%s: unable to convert principal to string ('%s'): %s"),
|
||||
auth->name, pw->pw_name, error_message(error));
|
||||
debug_return_int(AUTH_FAILURE);
|
||||
}
|
||||
|
||||
@@ -155,9 +155,8 @@ sudo_krb5_init(struct passwd *pw, sudo_auth *auth)
|
||||
|
||||
error = krb5_parse_name(sudo_context, pname, &(sudo_krb5_data.princ));
|
||||
if (error) {
|
||||
log_warningx(NO_MAIL,
|
||||
N_("%s: unable to parse '%s': %s"), auth->name, pname,
|
||||
error_message(error));
|
||||
log_warningx(0, N_("%s: unable to parse '%s': %s"), auth->name, pname,
|
||||
error_message(error));
|
||||
goto done;
|
||||
}
|
||||
|
||||
@@ -165,9 +164,8 @@ sudo_krb5_init(struct passwd *pw, sudo_auth *auth)
|
||||
(long) getpid());
|
||||
if ((error = krb5_cc_resolve(sudo_context, cache_name,
|
||||
&(sudo_krb5_data.ccache)))) {
|
||||
log_warningx(NO_MAIL,
|
||||
N_("%s: unable to resolve credential cache: %s"), auth->name,
|
||||
error_message(error));
|
||||
log_warningx(0, N_("%s: unable to resolve credential cache: %s"),
|
||||
auth->name, error_message(error));
|
||||
goto done;
|
||||
}
|
||||
|
||||
@@ -213,9 +211,8 @@ sudo_krb5_verify(struct passwd *pw, char *pass, sudo_auth *auth)
|
||||
/* Set default flags based on the local config file. */
|
||||
error = krb5_get_init_creds_opt_alloc(sudo_context, &opts);
|
||||
if (error) {
|
||||
log_warningx(NO_MAIL,
|
||||
N_("%s: unable to allocate options: %s"), auth->name,
|
||||
error_message(error));
|
||||
log_warningx(0, N_("%s: unable to allocate options: %s"), auth->name,
|
||||
error_message(error));
|
||||
goto done;
|
||||
}
|
||||
#ifdef HAVE_HEIMDAL
|
||||
@@ -228,10 +225,10 @@ sudo_krb5_verify(struct passwd *pw, char *pass, sudo_auth *auth)
|
||||
pass, krb5_prompter_posix,
|
||||
NULL, 0, NULL, opts))) {
|
||||
/* Don't print error if just a bad password */
|
||||
if (error != KRB5KRB_AP_ERR_BAD_INTEGRITY)
|
||||
log_warningx(NO_MAIL,
|
||||
N_("%s: unable to get credentials: %s"), auth->name,
|
||||
error_message(error));
|
||||
if (error != KRB5KRB_AP_ERR_BAD_INTEGRITY) {
|
||||
log_warningx(0, N_("%s: unable to get credentials: %s"),
|
||||
auth->name, error_message(error));
|
||||
}
|
||||
goto done;
|
||||
}
|
||||
creds = &credbuf;
|
||||
@@ -242,13 +239,11 @@ sudo_krb5_verify(struct passwd *pw, char *pass, sudo_auth *auth)
|
||||
|
||||
/* Store credential in cache. */
|
||||
if ((error = krb5_cc_initialize(sudo_context, ccache, princ))) {
|
||||
log_warningx(NO_MAIL,
|
||||
N_("%s: unable to initialize credential cache: %s"),
|
||||
auth->name, error_message(error));
|
||||
log_warningx(0, N_("%s: unable to initialize credential cache: %s"),
|
||||
auth->name, error_message(error));
|
||||
} else if ((error = krb5_cc_store_cred(sudo_context, ccache, creds))) {
|
||||
log_warningx(NO_MAIL,
|
||||
N_("%s: unable to store credential in cache: %s"),
|
||||
auth->name, error_message(error));
|
||||
log_warningx(0, N_("%s: unable to store credential in cache: %s"),
|
||||
auth->name, error_message(error));
|
||||
}
|
||||
|
||||
done:
|
||||
@@ -311,9 +306,8 @@ verify_krb_v5_tgt(krb5_context sudo_context, krb5_creds *cred, char *auth_name)
|
||||
*/
|
||||
if ((error = krb5_sname_to_principal(sudo_context, NULL, NULL,
|
||||
KRB5_NT_SRV_HST, &server))) {
|
||||
log_warningx(NO_MAIL,
|
||||
N_("%s: unable to get host principal: %s"), auth_name,
|
||||
error_message(error));
|
||||
log_warningx(0, N_("%s: unable to get host principal: %s"), auth_name,
|
||||
error_message(error));
|
||||
debug_return_int(-1);
|
||||
}
|
||||
|
||||
@@ -325,10 +319,10 @@ verify_krb_v5_tgt(krb5_context sudo_context, krb5_creds *cred, char *auth_name)
|
||||
error = krb5_verify_init_creds(sudo_context, cred, server, NULL,
|
||||
NULL, &vopt);
|
||||
krb5_free_principal(sudo_context, server);
|
||||
if (error)
|
||||
log_warningx(NO_MAIL,
|
||||
N_("%s: Cannot verify TGT! Possible attack!: %s"),
|
||||
auth_name, error_message(error));
|
||||
if (error) {
|
||||
log_warningx(0, N_("%s: Cannot verify TGT! Possible attack!: %s"),
|
||||
auth_name, error_message(error));
|
||||
}
|
||||
debug_return_int(error);
|
||||
}
|
||||
#endif
|
||||
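Review bot: In verify_krb_v5_tgt(), the `Cannot verify TGT! Possible attack!` warning is passed `0`, so under the new opt-in model it is logged but never mailed, even though its own text describes a possible attack. This preserves the old `NO_MAIL` behaviour and may be deliberate (a missing or stale host keytab would presumably trigger it too). Now that mail is chosen per call site, the decision deserves to be explicit; if administrators should be alerted, the call becomes `log_warningx(SLOG_SEND_MAIL, N_("%s: Cannot verify TGT! Possible attack!: %s"),`. Either way, a one-line comment on why mail is or is not sent here would answer the question for the next reader. The function begins outside the visible hunks.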
|
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 1999-2005, 2007-2013 Todd C. Miller <Todd.Miller@courtesan.com>
|
||||
* Copyright (c) 1999-2005, 2007-2014 Todd C. Miller <Todd.Miller@courtesan.com>
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
@@ -95,7 +95,7 @@ sudo_pam_init(struct passwd *pw, sudo_auth *auth)
|
||||
pam_status = pam_start(ISSET(sudo_mode, MODE_LOGIN_SHELL) ?
|
||||
def_pam_login_service : def_pam_service, pw->pw_name, &pam_conv, &pamh);
|
||||
if (pam_status != PAM_SUCCESS) {
|
||||
log_warning(NO_MAIL, N_("unable to initialize PAM"));
|
||||
log_warning(0, N_("unable to initialize PAM"));
|
||||
debug_return_int(AUTH_FATAL);
|
||||
}
|
||||
|
||||
@@ -146,27 +146,27 @@ sudo_pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth)
|
||||
case PAM_SUCCESS:
|
||||
debug_return_int(AUTH_SUCCESS);
|
||||
case PAM_AUTH_ERR:
|
||||
log_warningx(NO_MAIL, N_("account validation failure, "
|
||||
log_warningx(0, N_("account validation failure, "
|
||||
"is your account locked?"));
|
||||
debug_return_int(AUTH_FATAL);
|
||||
case PAM_NEW_AUTHTOK_REQD:
|
||||
log_warningx(NO_MAIL, N_("Account or password is "
|
||||
log_warningx(0, N_("Account or password is "
|
||||
"expired, reset your password and try again"));
|
||||
*pam_status = pam_chauthtok(pamh,
|
||||
PAM_CHANGE_EXPIRED_AUTHTOK);
|
||||
if (*pam_status == PAM_SUCCESS)
|
||||
debug_return_int(AUTH_SUCCESS);
|
||||
if ((s = pam_strerror(pamh, *pam_status)) != NULL) {
|
||||
log_warningx(NO_MAIL,
|
||||
log_warningx(0,
|
||||
N_("unable to change expired password: %s"), s);
|
||||
}
|
||||
debug_return_int(AUTH_FAILURE);
|
||||
case PAM_AUTHTOK_EXPIRED:
|
||||
log_warningx(NO_MAIL,
|
||||
log_warningx(0,
|
||||
N_("Password expired, contact your system administrator"));
|
||||
debug_return_int(AUTH_FATAL);
|
||||
case PAM_ACCT_EXPIRED:
|
||||
log_warningx(NO_MAIL,
|
||||
log_warningx(0,
|
||||
N_("Account expired or PAM config lacks an \"account\" "
|
||||
"section for sudo, contact your system administrator"));
|
||||
debug_return_int(AUTH_FATAL);
|
||||
@@ -184,7 +184,7 @@ sudo_pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth)
|
||||
debug_return_int(AUTH_FAILURE);
|
||||
default:
|
||||
if ((s = pam_strerror(pamh, *pam_status)) != NULL)
|
||||
log_warningx(NO_MAIL, N_("PAM authentication error: %s"), s);
|
||||
log_warningx(0, N_("PAM authentication error: %s"), s);
|
||||
debug_return_int(AUTH_FATAL);
|
||||
}
|
||||
}
|
||||
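Review bot: In sudo_pam_verify(), both the `PAM_NEW_AUTHTOK_REQD` branch and the `default:` branch log only when pam_strerror() returns non-NULL, so a NULL return yields AUTH_FAILURE or AUTH_FATAL with no log entry at all. Since these calls are being touched anyway, a fallback that logs the numeric status would keep the failure visible in the logs, e.g. in the default case `else` followed by `log_warningx(0, N_("PAM authentication error: %d"), *pam_status);`. The `default:` branch also keeps an unbraced `if`, while this commit adds braces to the equivalent single-statement `if` bodies in the Kerberos file. The function starts outside the visible hunks.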
|
@@ -104,8 +104,7 @@ sudo_sia_setup(struct passwd *pw, char **promptp, sudo_auth *auth)
|
||||
|
||||
if (sia_ses_init(&siah, sudo_argc, sudo_argv, NULL, pw->pw_name, user_ttypath, 1, NULL) != SIASUCCESS) {
|
||||
|
||||
log_warning(NO_MAIL,
|
||||
N_("unable to initialize SIA session"));
|
||||
log_warning(0, N_("unable to initialize SIA session"));
|
||||
debug_return_int(AUTH_FATAL);
|
||||
}
|
||||
|
||||
|
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 1999-2005, 2008-2013 Todd C. Miller <Todd.Miller@courtesan.com>
|
||||
* Copyright (c) 1999-2005, 2008-2014 Todd C. Miller <Todd.Miller@courtesan.com>
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
@@ -117,7 +117,8 @@ sudo_auth_init(struct passwd *pw)
|
||||
standalone = IS_STANDALONE(&auth_switch[0]);
|
||||
if (standalone && auth_switch[1].name != NULL) {
|
||||
audit_failure(NewArgv, N_("invalid authentication methods"));
|
||||
log_warningx(0, N_("Invalid authentication methods compiled into sudo! "
|
||||
log_warningx(SLOG_SEND_MAIL,
|
||||
N_("Invalid authentication methods compiled into sudo! "
|
||||
"You may not mix standalone and non-standalone authentication."));
|
||||
debug_return_int(-1);
|
||||
}
|
||||
@@ -187,7 +188,7 @@ verify_user(struct passwd *pw, char *prompt, int validated)
|
||||
/* XXX - check FLAG_DISABLED too */
|
||||
if (auth_switch[0].name == NULL) {
|
||||
audit_failure(NewArgv, N_("no authentication methods"));
|
||||
log_warningx(0,
|
||||
log_warningx(SLOG_SEND_MAIL,
|
||||
N_("There are no authentication methods compiled into sudo! "
|
||||
"If you want to turn off authentication, use the "
|
||||
"--disable-authentication configure option."));
|
||||
|