void log_error(int flags, const char *fmt, ...) { int serrno = errno; char *message; char *logline; va_list ap; /* Expand printf-style format + args. */ va_start(ap, fmt); evasprintf(&message, fmt, ap); va_end(ap); /* Become root if we are not already to avoid user interference */ set_perms(PERM_ROOT|PERM_NOEXIT); if (ISSET(flags, MSG_ONLY)) logline = message; else logline = new_logline(message, ISSET(flags, USE_ERRNO) ? serrno : 0); /* * Tell the user. */ if (!ISSET(flags, NO_STDERR)) { if (ISSET(flags, USE_ERRNO)) warning("%s", message); else warningx("%s", message); } if (logline != message) efree(message); /* * Send a copy of the error via mail. */ if (!ISSET(flags, NO_MAIL)) send_mail("%s", logline); /* * Log to syslog and/or a file. */ if (def_syslog) do_syslog(def_syslog_badpri, logline); if (def_logfile) do_logfile(logline); efree(logline); restore_perms(); if (!ISSET(flags, NO_EXIT)) { plugin_cleanup(0); siglongjmp(error_jmp, 1); } }
/* * Log and mail the denial message, optionally informing the user. */ void log_denial(int status, int inform_user) { char *message; char *logline; /* Set error message. */ if (ISSET(status, FLAG_NO_USER)) message = _("user NOT in sudoers"); else if (ISSET(status, FLAG_NO_HOST)) message = _("user NOT authorized on host"); else message = _("command not allowed"); logline = new_logline(message, 0); if (should_mail(status)) send_mail("%s", logline); /* send mail based on status */ /* Inform the user if they failed to authenticate. */ if (inform_user) { if (ISSET(status, FLAG_NO_USER)) { sudo_printf(SUDO_CONV_ERROR_MSG, _("%s is not in the sudoers " "file. This incident will be reported.\n"), user_name); } else if (ISSET(status, FLAG_NO_HOST)) { sudo_printf(SUDO_CONV_ERROR_MSG, _("%s is not allowed to run sudo " "on %s. This incident will be reported.\n"), user_name, user_shost); } else if (ISSET(status, FLAG_NO_CHECK)) { sudo_printf(SUDO_CONV_ERROR_MSG, _("Sorry, user %s may not run " "sudo on %s.\n"), user_name, user_shost); } else { sudo_printf(SUDO_CONV_ERROR_MSG, _("Sorry, user %s is not allowed " "to execute '%s%s%s' as %s%s%s on %s.\n"), user_name, user_cmnd, user_args ? " " : "", user_args ? user_args : "", list_pw ? list_pw->pw_name : runas_pw ? runas_pw->pw_name : user_name, runas_gr ? ":" : "", runas_gr ? runas_gr->gr_name : "", user_host); } } /* * Log via syslog and/or a file. */ if (def_syslog) do_syslog(def_syslog_badpri, logline); if (def_logfile) do_logfile(logline); efree(logline); }
/* * Log and potentially mail the allowed command. */ void log_allowed(int status) { char *logline; logline = new_logline(NULL, 0); if (should_mail(status)) send_mail("%s", logline); /* send mail based on status */ /* * Log via syslog and/or a file. */ if (def_syslog) do_syslog(def_syslog_goodpri, logline); if (def_logfile) do_logfile(logline); efree(logline); }
/* * Log and potentially mail the allowed command. */ bool log_allowed(int status) { char *logline; int oldlocale; bool uid_changed, ret = true; debug_decl(log_allowed, SUDOERS_DEBUG_LOGGING) /* Log and mail messages should be in the sudoers locale. */ sudoers_setlocale(SUDOERS_LOCALE_SUDOERS, &oldlocale); if ((logline = new_logline(NULL, 0)) == NULL) debug_return_bool(false); /* Become root if we are not already. */ uid_changed = set_perms(PERM_ROOT); /* XXX - return value */ if (should_mail(status)) send_mail("%s", logline); /* send mail based on status */ /* * Log via syslog and/or a file. */ if (def_syslog) do_syslog(def_syslog_goodpri, logline); if (def_logfile && !do_logfile(logline)) ret = false; if (uid_changed) { if (!restore_perms()) ret = false; /* XXX - return -1 instead? */ } free(logline); sudoers_setlocale(oldlocale, NULL); debug_return_bool(ret); }
/* * Log, audit and mail the denial message, optionally informing the user. */ bool log_denial(int status, bool inform_user) { const char *message; char *logline; int oldlocale; bool uid_changed, ret = true; debug_decl(log_denial, SUDOERS_DEBUG_LOGGING) /* Handle auditing first (audit_failure() handles the locale itself). */ if (ISSET(status, FLAG_NO_USER | FLAG_NO_HOST)) audit_failure(NewArgc, NewArgv, N_("No user or host")); else audit_failure(NewArgc, NewArgv, N_("validation failure")); /* Log and mail messages should be in the sudoers locale. */ sudoers_setlocale(SUDOERS_LOCALE_SUDOERS, &oldlocale); /* Set error message. */ if (ISSET(status, FLAG_NO_USER)) message = _("user NOT in sudoers"); else if (ISSET(status, FLAG_NO_HOST)) message = _("user NOT authorized on host"); else message = _("command not allowed"); logline = new_logline(message, 0); if (logline == NULL) debug_return_bool(false); /* Become root if we are not already. */ uid_changed = set_perms(PERM_ROOT); if (should_mail(status)) send_mail("%s", logline); /* send mail based on status */ /* * Log via syslog and/or a file. */ if (def_syslog) do_syslog(def_syslog_badpri, logline); if (def_logfile && !do_logfile(logline)) ret = false; if (uid_changed) { if (!restore_perms()) ret = false; /* XXX - return -1 instead? */ } free(logline); /* Restore locale. */ sudoers_setlocale(oldlocale, NULL); /* Inform the user if they failed to authenticate (in their locale). */ if (inform_user) { sudoers_setlocale(SUDOERS_LOCALE_USER, &oldlocale); if (ISSET(status, FLAG_NO_USER)) { sudo_printf(SUDO_CONV_ERROR_MSG, _("%s is not in the sudoers " "file. This incident will be reported.\n"), user_name); } else if (ISSET(status, FLAG_NO_HOST)) { sudo_printf(SUDO_CONV_ERROR_MSG, _("%s is not allowed to run sudo " "on %s. This incident will be reported.\n"), user_name, user_srunhost); } else if (ISSET(status, FLAG_NO_CHECK)) { sudo_printf(SUDO_CONV_ERROR_MSG, _("Sorry, user %s may not run " "sudo on %s.\n"), user_name, user_srunhost); } else { sudo_printf(SUDO_CONV_ERROR_MSG, _("Sorry, user %s is not allowed " "to execute '%s%s%s' as %s%s%s on %s.\n"), user_name, user_cmnd, user_args ? " " : "", user_args ? user_args : "", list_pw ? list_pw->pw_name : runas_pw ? runas_pw->pw_name : user_name, runas_gr ? ":" : "", runas_gr ? runas_gr->gr_name : "", user_host); } sudoers_setlocale(oldlocale, NULL); } debug_return_bool(ret); }