static int adt_sudo_common(int argc, char *argv[]) { if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA) != 0) { log_warning(SLOG_NO_STDERR, "adt_start_session"); return -1; } if ((event = adt_alloc_event(ah, ADT_sudo)) == NULL) { log_warning(SLOG_NO_STDERR, "alloc_event"); (void) adt_end_session(ah); return -1; } if ((event->adt_sudo.cwdpath = getcwd(cwd, sizeof(cwd))) == NULL) { log_warning(SLOG_NO_STDERR, _("unable to get current working directory")); } /* get the real executable name */ if (user_cmnd != NULL) { if (strlcpy(cmdpath, (const char *)user_cmnd, sizeof(cmdpath)) >= sizeof(cmdpath)) { log_warningx(SLOG_NO_STDERR, _("truncated audit path user_cmnd: %s"), user_cmnd); } } else { if (strlcpy(cmdpath, (const char *)argv[0], sizeof(cmdpath)) >= sizeof(cmdpath)) { log_warningx(SLOG_NO_STDERR, _("truncated audit path argv[0]: %s"), argv[0]); } } event->adt_sudo.cmdpath = cmdpath; event->adt_sudo.argc = argc - 1; event->adt_sudo.argv = &argv[1]; event->adt_sudo.envp = env_get(); return 0; }
/* * Log and audit that user was not able to authenticate themselves. */ bool log_auth_failure(int status, unsigned int tries) { int flags = 0; bool ret = true; debug_decl(log_auth_failure, SUDOERS_DEBUG_LOGGING) /* Handle auditing first. */ audit_failure(NewArgc, NewArgv, N_("authentication failure")); /* * Do we need to send mail? * We want to avoid sending multiple messages for the same command * so if we are going to send an email about the denial, that takes * precedence. */ if (ISSET(status, VALIDATE_SUCCESS)) { /* Command allowed, auth failed; do we need to send mail? */ if (def_mail_badpass || def_mail_always) SET(flags, SLOG_SEND_MAIL); } else { /* Command denied, auth failed; make sure we don't send mail twice. */ if (def_mail_badpass && !should_mail(status)) SET(flags, SLOG_SEND_MAIL); /* Don't log the bad password message, we'll log a denial instead. */ SET(flags, SLOG_NO_LOG); } /* * If sudoers denied the command we'll log that separately. */ if (ISSET(status, FLAG_BAD_PASSWORD)) ret = log_warningx(flags, INCORRECT_PASSWORD_ATTEMPT, tries); else if (ISSET(status, FLAG_NON_INTERACTIVE)) ret = log_warningx(flags, N_("a password is required")); debug_return_bool(ret); }
/* * Get passwd entry for the user we are going to authenticate as. * By default, this is the user invoking sudo. In the most common * case, this matches sudo_user.pw or runas_pw. */ static struct passwd * get_authpw(int mode) { struct passwd *pw = NULL; debug_decl(get_authpw, SUDOERS_DEBUG_AUTH) if (ISSET(mode, (MODE_CHECK|MODE_LIST))) { /* In list mode we always prompt for the user's password. */ sudo_pw_addref(sudo_user.pw); pw = sudo_user.pw; } else { if (def_rootpw) { if ((pw = sudo_getpwuid(ROOT_UID)) == NULL) { log_warningx(SLOG_SEND_MAIL, N_("unknown uid: %u"), ROOT_UID); } } else if (def_runaspw) { if ((pw = sudo_getpwnam(def_runas_default)) == NULL) { log_warningx(SLOG_SEND_MAIL, N_("unknown user: %s"), def_runas_default); } } else if (def_targetpw) { if (runas_pw->pw_name == NULL) { /* This should never be NULL as we fake up the passwd struct */ log_warningx(SLOG_RAW_MSG, N_("unknown uid: %u"), (unsigned int) runas_pw->pw_uid); } else { sudo_pw_addref(runas_pw); pw = runas_pw; } } else { sudo_pw_addref(sudo_user.pw); pw = sudo_user.pw; } } debug_return_ptr(pw); }