static int
adt_sudo_common(int argc, char *argv[])
{
if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA) != 0) {
log_warning(SLOG_NO_STDERR, "adt_start_session");
return -1;
}
if ((event = adt_alloc_event(ah, ADT_sudo)) == NULL) {
log_warning(SLOG_NO_STDERR, "alloc_event");
(void) adt_end_session(ah);
return -1;
}
if ((event->adt_sudo.cwdpath = getcwd(cwd, sizeof(cwd))) == NULL) {
log_warning(SLOG_NO_STDERR, _("unable to get current working directory"));
}
/* get the real executable name */
if (user_cmnd != NULL) {
if (strlcpy(cmdpath, (const char *)user_cmnd,
sizeof(cmdpath)) >= sizeof(cmdpath)) {
log_warningx(SLOG_NO_STDERR,
_("truncated audit path user_cmnd: %s"),
user_cmnd);
}
} else {
if (strlcpy(cmdpath, (const char *)argv[0],
sizeof(cmdpath)) >= sizeof(cmdpath)) {
log_warningx(SLOG_NO_STDERR,
_("truncated audit path argv[0]: %s"),
argv[0]);
}
}
event->adt_sudo.cmdpath = cmdpath;
event->adt_sudo.argc = argc - 1;
event->adt_sudo.argv = &argv[1];
event->adt_sudo.envp = env_get();
return 0;
}
/*
* Log and audit that user was not able to authenticate themselves.
*/
bool
log_auth_failure(int status, unsigned int tries)
{
int flags = 0;
bool ret = true;
debug_decl(log_auth_failure, SUDOERS_DEBUG_LOGGING)
/* Handle auditing first. */
audit_failure(NewArgc, NewArgv, N_("authentication failure"));
/*
* Do we need to send mail?
* We want to avoid sending multiple messages for the same command
* so if we are going to send an email about the denial, that takes
* precedence.
*/
if (ISSET(status, VALIDATE_SUCCESS)) {
/* Command allowed, auth failed; do we need to send mail? */
if (def_mail_badpass || def_mail_always)
SET(flags, SLOG_SEND_MAIL);
} else {
/* Command denied, auth failed; make sure we don't send mail twice. */
if (def_mail_badpass && !should_mail(status))
SET(flags, SLOG_SEND_MAIL);
/* Don't log the bad password message, we'll log a denial instead. */
SET(flags, SLOG_NO_LOG);
}
/*
* If sudoers denied the command we'll log that separately.
*/
if (ISSET(status, FLAG_BAD_PASSWORD))
ret = log_warningx(flags, INCORRECT_PASSWORD_ATTEMPT, tries);
else if (ISSET(status, FLAG_NON_INTERACTIVE))
ret = log_warningx(flags, N_("a password is required"));
debug_return_bool(ret);
}
/*
* Get passwd entry for the user we are going to authenticate as.
* By default, this is the user invoking sudo. In the most common
* case, this matches sudo_user.pw or runas_pw.
*/
static struct passwd *
get_authpw(int mode)
{
struct passwd *pw = NULL;
debug_decl(get_authpw, SUDOERS_DEBUG_AUTH)
if (ISSET(mode, (MODE_CHECK|MODE_LIST))) {
/* In list mode we always prompt for the user's password. */
sudo_pw_addref(sudo_user.pw);
pw = sudo_user.pw;
} else {
if (def_rootpw) {
if ((pw = sudo_getpwuid(ROOT_UID)) == NULL) {
log_warningx(SLOG_SEND_MAIL, N_("unknown uid: %u"), ROOT_UID);
}
} else if (def_runaspw) {
if ((pw = sudo_getpwnam(def_runas_default)) == NULL) {
log_warningx(SLOG_SEND_MAIL,
N_("unknown user: %s"), def_runas_default);
}
} else if (def_targetpw) {
if (runas_pw->pw_name == NULL) {
/* This should never be NULL as we fake up the passwd struct */
log_warningx(SLOG_RAW_MSG, N_("unknown uid: %u"),
(unsigned int) runas_pw->pw_uid);
} else {
sudo_pw_addref(runas_pw);
pw = runas_pw;
}
} else {
sudo_pw_addref(sudo_user.pw);
pw = sudo_user.pw;
}
}
debug_return_ptr(pw);
}
