From Todd.Miller at courtesan.com Sun Nov 2 14:16:22 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Sun, 02 Nov 2008 14:16:22 -0500
Subject: [sudo-workers] sudo 1.7 - stable?
In-Reply-To: Your message of "Thu, 30 Oct 2008 11:56:58 -0000."
References:
Message-ID: <200811021916.mA2JGMCo030339@core.courtesan.com>

In message so spake Paul MacLeod (paulmacleod7):

> I can see on the main page that the stable release has been 1.6.9p17
> since June 26th, and the development 1.7.0rc2 since June 10th. Been
> checking frequently with no changes.

I'm about to release 1.7.0rc3 but I want to make sure that it fixes
the defaults-related issues reported by Chris O'Regan first.

> There haven't been many mails to 'workers' and so I'm wondering when
> things will be considered good for 1.7 to become the stable release?

Barring unforeseen events I will release 1.7.0rc3 this week and, if
there are no problems reported, do a general release of 1.7.0 by
the end of November.

 - todd

From Todd.Miller at courtesan.com Tue Nov 4 18:39:51 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Tue, 04 Nov 2008 18:39:51 -0500
Subject: [sudo-workers] sudo 1.7.0rc3 released
Message-ID: <200811042339.mA4NdpAA018333@core.courtesan.com>

This is the third release candidate of sudo version 1.7.0. I'd love
to hear reports of success (or failure!) in real-world environments.

Download links:
    http://www.sudo.ws/sudo/dist/beta/sudo-1.7.0rc3.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.7.0rc3.tar.gz

Changes from Sudo 1.7.0rc2:

o Fixed line continuation in double quotes. It was only being
  honored if preceded by whitespace.
o Fixed a use after free bug.
o Added sudoers_locale Defaults option to override the default
  sudoers locale of "C".
o For sudoedit, check EDITOR/VISUAL to make sure sudoedit is not
  re-invoking itself or sudo. This allows one to set EDITOR to
  sudoedit without getting into an infinite loop of sudoedit
  running itself until the path gets too big. Also added
  SUDO_EDITOR environment variable which is used by sudoedit in
  preference to EDITOR/VISUAL.
o Added character class support to bundled glob(3) and fnmatch(3).
o Fixed AIX limit setting.
o Fixed a parser bug on machines with signed char (powerpc).
o Don't error out on a zero-length sudoers file. With the advent
  of #include the user could create a situation where sudo is
  unusable.
o Fixed several bugs in Defaults matching.
o When setting the umask, use the union of the user's umask and
  the default value set in sudoers so that we never lower the
  user's umask when running a command

What's new in Sudo 1.7?

* Rewritten parser that converts sudoers into a set of data structures.
  This eliminates a number of ordering issues and makes it possible to
  apply sudoers Defaults entries before searching for the command.
  It also adds support for per-command Defaults specifications.
* Sudoers now supports a #include facility to allow the inclusion of other
  sudoers-format files.
* Sudo's -l (list) flag has been enhanced:
    o applicable Defaults options are now listed
    o a command argument can be specified for testing whether a user
      may run a specific command.
    o a new -U flag can be used in conjunction with "sudo -l" to allow
      root (or a user with "sudo ALL") list another user's privileges.
* A new -g flag has been added to allow the user to specify a
  primary group to run the command as. The sudoers syntax has been
  extended to include a group section in the Runas specification.
* A uid may now be used anywhere a username is valid.
* The "secure_path" run-time Defaults option has been restored.
* Password and group data is now cached for fast lookups.
* The file descriptor at which sudo starts closing all open files is now
  configurable via sudoers and, optionally, the command line.
* Visudo will now warn about aliases that are defined but not used.
* The -i and -s command line flags now take an optional command
  to be run via the shell. Previously, the argument was passed
  to the shell as a script to run.
* Improved LDAP support. SASL authentication may now be used in
  conjunction when connecting to an LDAP server. The krb5_ccname
  parameter in ldap.conf may be used to enable Kerberos.
* Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf
  to specify the sudoers order. E.g.:
      sudoers: ldap files
  to check LDAP, then /etc/sudoers. The default is "files",
  even when LDAP support is compiled in. This differs from sudo 1.6
  where LDAP was always consulted first.
* Support for /etc/environment on AIX and Linux. If sudo is run
  with the -i flag, the contents of /etc/environment are used to
  populate the new environment that is passed to the command being run.
* If no terminal is available or if the new -A flag is specified,
  sudo will use a helper program to read the password if one is
  configured. Typically, this is a graphical password prompter
  such as ssh-askpass.
* A new Defaults option, "mailfrom" that sets the value of the
  "From:" field in the warning/error mail. If unspecified, the
  login name of the invoking user is used.
* A new flag, -n, may be used to indicate that sudo should not
  prompt the user for a password and, instead, exit with an error
  if authentication is required.

From tobias at bugol.de Sun Nov 9 07:56:22 2008
From: tobias at bugol.de (Tobias Stoeckmann)
Date: Sun, 9 Nov 2008 13:56:22 +0100
Subject: [sudo-workers] overriden -> overridden
Message-ID: <20081109125622.GA5112@fungi.pizza.local>

Hi,

this is just a quick typo fix.

Tobias Stoeckmann

Index: pathnames.h.in =================================================================== RCS file: /cvs/sudo/pathnames.h.in,v retrieving revision 1.62 diff -u -p -r1.62 pathnames.h.in --- pathnames.h.in 2 Mar 2008 14:31:56 -0000 1.62 +++ pathnames.h.in 9 Nov 2008 12:52:58 -0000 @@ -50,7 +50,7 @@ #endif /* _PATH_ENVIRONMENT */ /* - * NOTE: _PATH_SUDOERS is usually overriden by the Makefile. + * NOTE: _PATH_SUDOERS is usually overridden by the Makefile. */ #ifndef _PATH_SUDOERS #define _PATH_SUDOERS "/etc/sudoers" Index: sudo.c =================================================================== RCS file: /cvs/sudo/sudo.c,v retrieving revision 1.495 diff -u -p -r1.495 sudo.c --- sudo.c 7 Nov 2008 02:06:48 -0000 1.495 +++ sudo.c 9 Nov 2008 12:52:58 -0000 @@ -409,7 +409,7 @@ main(argc, argv, envp) } } - /* User may have overriden environment resetting via the -E flag. */ + /* User may have overridden environment resetting via the -E flag. */ if (ISSET(sudo_mode, MODE_PRESERVE_ENV) && def_setenv) def_env_reset = FALSE;

From Todd.Miller at courtesan.com Mon Nov 10 08:08:11 2008
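
Review bot: In the sudo.c hunk (@@ -409,7 +409,7 @@), the corrected comment still documents only half of the condition it sits above. The visible test is "ISSET(sudo_mode, MODE_PRESERVE_ENV) && def_setenv", so the -E flag alone does not turn off def_env_reset; def_setenv must also be set. Since the comment line is being touched anyway, consider wording it along the lines of "User may have overridden environment resetting via the -E flag, but only if setenv is enabled." so that the security-relevant precondition is stated next to the code. The pathnames.h.in hunk is a spelling-only change to a comment and needs nothing further.
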
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Mon, 10 Nov 2008 08:08:11 -0500
Subject: [sudo-workers] overriden -> overridden
In-Reply-To: Your message of "Sun, 09 Nov 2008 13:56:22 +0100."
    <20081109125622.GA5112@fungi.pizza.local>
References: <20081109125622.GA5112@fungi.pizza.local>
Message-ID: <200811101308.mAAD8BmG023390@core.courtesan.com>

In message <20081109125622.GA5112 at fungi.pizza.local>
so spake Tobias Stoeckmann (tobias):

> this is just a quick typo fix.

Thanks, this is now fixed in cvs.

 - todd

From Todd.Miller at courtesan.com Mon Nov 10 15:31:58 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Mon, 10 Nov 2008 15:31:58 -0500
Subject: [sudo-workers] sudo 1.7.0rc4 released
Message-ID: <200811102031.mAAKVwbQ016441@core.courtesan.com>

This is the fourth release candidate of sudo version 1.7.0. I'd love
to hear reports of success (or failure!) in real-world environments.

Download links:
    http://www.sudo.ws/sudo/dist/beta/sudo-1.7.0rc4.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.7.0rc4.tar.gz

Changes from Sudo 1.7.0rc4:

* Fixed an off-by-one bug introduced in rc3.
* When run with the -c flag in strict mode (-s), visudo will now
  warn if the sudoers permissions or owner is incorrect.
* If sudo needs to prompt for a password and it is unable to disable
  echo (and no askpass program is defined), it will refuse to run
  unless the "visiblepw" Defaults option has been specified.
* Prior to version 1.7.0, hitting enter/return at the Password: prompt
  would exit sudo. In sudo 1.7.0 and beyond, this is treated as
  an empty password. To exit sudo, the user must press ^C or ^D
  at the prompt.

What's new in Sudo 1.7?

* Rewritten parser that converts sudoers into a set of data structures.
  This eliminates a number of ordering issues and makes it possible to
  apply sudoers Defaults entries before searching for the command.
  It also adds support for per-command Defaults specifications.
* Sudoers now supports a #include facility to allow the inclusion of other
  sudoers-format files.
* Sudo's -l (list) flag has been enhanced:
    o applicable Defaults options are now listed
    o a command argument can be specified for testing whether a user
      may run a specific command.
    o a new -U flag can be used in conjunction with "sudo -l" to allow
      root (or a user with "sudo ALL") list another user's privileges.
* A new -g flag has been added to allow the user to specify a
  primary group to run the command as. The sudoers syntax has been
  extended to include a group section in the Runas specification.
* A uid may now be used anywhere a username is valid.
* The "secure_path" run-time Defaults option has been restored.
* Password and group data is now cached for fast lookups.
* The file descriptor at which sudo starts closing all open files is now
  configurable via sudoers and, optionally, the command line.
* Visudo will now warn about aliases that are defined but not used.
* The -i and -s command line flags now take an optional command
  to be run via the shell. Previously, the argument was passed
  to the shell as a script to run.
* Improved LDAP support. SASL authentication may now be used in
  conjunction when connecting to an LDAP server. The krb5_ccname
  parameter in ldap.conf may be used to enable Kerberos.
* Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf
  to specify the sudoers order. E.g.:
      sudoers: ldap files
  to check LDAP, then /etc/sudoers. The default is "files",
  even when LDAP support is compiled in. This differs from sudo 1.6
  where LDAP was always consulted first.
* Support for /etc/environment on AIX and Linux. If sudo is run
  with the -i flag, the contents of /etc/environment are used to
  populate the new environment that is passed to the command being run.
* If no terminal is available or if the new -A flag is specified,
  sudo will use a helper program to read the password if one is
  configured. Typically, this is a graphical password prompter
  such as ssh-askpass.
* A new Defaults option, "mailfrom" that sets the value of the
  "From:" field in the warning/error mail. If unspecified, the
  login name of the invoking user is used.
* A new flag, -n, may be used to indicate that sudo should not
  prompt the user for a password and, instead, exit with an error
  if authentication is required.

From Todd.Miller at courtesan.com Mon Nov 10 15:39:59 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Mon, 10 Nov 2008 15:39:59 -0500
Subject: [sudo-workers] sudo 1.7.0rc4 released
In-Reply-To: Your message of "Mon, 10 Nov 2008 15:31:58 EST."
    <200811102031.mAAKVwbQ016441@core.courtesan.com>
References: <200811102031.mAAKVwbQ016441@core.courtesan.com>
Message-ID: <200811102040.mAAKdxUO031678@core.courtesan.com>

In message <200811102031.mAAKVwbQ016441 at core.courtesan.com>
so spake "Todd C. Miller" (Todd.Miller):

> Changes from Sudo 1.7.0rc4:

Of course I meant changes from 1.7.0rc3.

 - todd

From Todd.Miller at courtesan.com Tue Nov 11 15:12:22 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Tue, 11 Nov 2008 15:12:22 -0500
Subject: [sudo-workers] sudo 1.7.0rc5 released
Message-ID: <200811112012.mABKCMfe009890@core.courtesan.com>

This is the fifth release candidate of sudo version 1.7.0. I'd love
to hear reports of success (or failure!) in real-world environments.

Download links:
    http://www.sudo.ws/sudo/dist/beta/sudo-1.7.0rc5.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.7.0rc5.tar.gz

Changes from Sudo 1.7.0rc5:

* The checks for a valid tty (introduced in rc4) were too strict.

What's new in Sudo 1.7?

* Rewritten parser that converts sudoers into a set of data structures.
  This eliminates a number of ordering issues and makes it possible to
  apply sudoers Defaults entries before searching for the command.
  It also adds support for per-command Defaults specifications.
* Sudoers now supports a #include facility to allow the inclusion of other
  sudoers-format files.
* Sudo's -l (list) flag has been enhanced:
    o applicable Defaults options are now listed
    o a command argument can be specified for testing whether a user
      may run a specific command.
    o a new -U flag can be used in conjunction with "sudo -l" to allow
      root (or a user with "sudo ALL") list another user's privileges.
* A new -g flag has been added to allow the user to specify a
  primary group to run the command as. The sudoers syntax has been
  extended to include a group section in the Runas specification.
* A uid may now be used anywhere a username is valid.
* The "secure_path" run-time Defaults option has been restored.
* Password and group data is now cached for fast lookups.
* The file descriptor at which sudo starts closing all open files is now
  configurable via sudoers and, optionally, the command line.
* Visudo will now warn about aliases that are defined but not used.
* The -i and -s command line flags now take an optional command
  to be run via the shell. Previously, the argument was passed
  to the shell as a script to run.
* Improved LDAP support. SASL authentication may now be used in
  conjunction when connecting to an LDAP server. The krb5_ccname
  parameter in ldap.conf may be used to enable Kerberos.
* Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf
  to specify the sudoers order. E.g.:
      sudoers: ldap files
  to check LDAP, then /etc/sudoers. The default is "files",
  even when LDAP support is compiled in. This differs from sudo 1.6
  where LDAP was always consulted first.
* Support for /etc/environment on AIX and Linux. If sudo is run
  with the -i flag, the contents of /etc/environment are used to
  populate the new environment that is passed to the command being run.
* If no terminal is available or if the new -A flag is specified,
  sudo will use a helper program to read the password if one is
  configured. Typically, this is a graphical password prompter
  such as ssh-askpass.
* A new Defaults option, "mailfrom" that sets the value of the
  "From:" field in the warning/error mail. If unspecified, the
  login name of the invoking user is used.
* A new flag, -n, may be used to indicate that sudo should not
  prompt the user for a password and, instead, exit with an error
  if authentication is required.
____________________________________________________________
sudo-workers mailing list
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-workers

From Todd.Miller at courtesan.com Mon Nov 24 07:35:56 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Mon, 24 Nov 2008 07:35:56 -0500
Subject: [sudo-workers] sudo 1.7.0rc6 released
Message-ID: <200811241235.mAOCZuJV027454@core.courtesan.com>

This is the sixth release candidate of sudo version 1.7.0. I'd love
to hear reports of success (or failure!) in real-world environments.
We're on track for a release of 1.7.0 in early December.

Download links:
    http://www.sudo.ws/sudo/dist/beta/sudo-1.7.0rc6.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.7.0rc6.tar.gz

Changes from Sudo 1.7.0rc5:

* Fixed unused alias detection in visudo
* Fixed a bug parsing certain comment lines in sudoers

What's new in Sudo 1.7?

* Rewritten parser that converts sudoers into a set of data structures.
  This eliminates a number of ordering issues and makes it possible to
  apply sudoers Defaults entries before searching for the command.
  It also adds support for per-command Defaults specifications.
* Sudoers now supports a #include facility to allow the inclusion of other
  sudoers-format files.
* Sudo's -l (list) flag has been enhanced:
    o applicable Defaults options are now listed
    o a command argument can be specified for testing whether a user
      may run a specific command.
    o a new -U flag can be used in conjunction with "sudo -l" to allow
      root (or a user with "sudo ALL") list another user's privileges.
* A new -g flag has been added to allow the user to specify a
  primary group to run the command as. The sudoers syntax has been
  extended to include a group section in the Runas specification.
* A uid may now be used anywhere a username is valid.
* The "secure_path" run-time Defaults option has been restored.
* Password and group data is now cached for fast lookups.
* The file descriptor at which sudo starts closing all open files is now
  configurable via sudoers and, optionally, the command line.
* Visudo will now warn about aliases that are defined but not used.
* The -i and -s command line flags now take an optional command
  to be run via the shell.
  Previously, the argument was passed to the shell as a script to run.
* Improved LDAP support. SASL authentication may now be used in
  conjunction when connecting to an LDAP server. The krb5_ccname
  parameter in ldap.conf may be used to enable Kerberos.
* Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf
  to specify the sudoers order. E.g.:
      sudoers: ldap files
  to check LDAP, then /etc/sudoers. The default is "files",
  even when LDAP support is compiled in. This differs from sudo 1.6
  where LDAP was always consulted first.
* Support for /etc/environment on AIX and Linux. If sudo is run
  with the -i flag, the contents of /etc/environment are used to
  populate the new environment that is passed to the command being run.
* If no terminal is available or if the new -A flag is specified,
  sudo will use a helper program to read the password if one is
  configured. Typically, this is a graphical password prompter
  such as ssh-askpass.
* A new Defaults option, "mailfrom" that sets the value of the
  "From:" field in the warning/error mail. If unspecified, the
  login name of the invoking user is used.
* A new flag, -n, may be used to indicate that sudo should not
  prompt the user for a password and, instead, exit with an error
  if authentication is required.

From Todd.Miller at courtesan.com Tue Nov 25 20:11:53 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Tue, 25 Nov 2008 20:11:53 -0500
Subject: [sudo-workers] sudo 1.7.0rc7 released
Message-ID: <200811260111.mAQ1BraN013681@core.courtesan.com>

This is the seventh release candidate of sudo version 1.7.0. I'd love
to hear reports of success (or failure!) in real-world environments.
We're still on track for a release of 1.7.0 in early December.

Download links:
    http://www.sudo.ws/sudo/dist/beta/sudo-1.7.0rc7.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.7.0rc7.tar.gz

Changes from Sudo 1.7.0rc6:

* Sudo would refuse to prompt for a password if neither the standard
  input nor the standard output were associated with a tty even if
  /dev/tty was available.

What's new in Sudo 1.7?

* Rewritten parser that converts sudoers into a set of data structures.
  This eliminates a number of ordering issues and makes it possible to
  apply sudoers Defaults entries before searching for the command.
  It also adds support for per-command Defaults specifications.
* Sudoers now supports a #include facility to allow the inclusion of other
  sudoers-format files.
* Sudo's -l (list) flag has been enhanced:
    o applicable Defaults options are now listed
    o a command argument can be specified for testing whether a user
      may run a specific command.
    o a new -U flag can be used in conjunction with "sudo -l" to allow
      root (or a user with "sudo ALL") list another user's privileges.
* A new -g flag has been added to allow the user to specify a
  primary group to run the command as. The sudoers syntax has been
  extended to include a group section in the Runas specification.
* A uid may now be used anywhere a username is valid.
* The "secure_path" run-time Defaults option has been restored.
* Password and group data is now cached for fast lookups.
* The file descriptor at which sudo starts closing all open files is now
  configurable via sudoers and, optionally, the command line.
* Visudo will now warn about aliases that are defined but not used.
* The -i and -s command line flags now take an optional command
  to be run via the shell. Previously, the argument was passed
  to the shell as a script to run.
* Improved LDAP support. SASL authentication may now be used in
  conjunction when connecting to an LDAP server. The krb5_ccname
  parameter in ldap.conf may be used to enable Kerberos.
* Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf
  to specify the sudoers order. E.g.:
      sudoers: ldap files
  to check LDAP, then /etc/sudoers. The default is "files",
  even when LDAP support is compiled in. This differs from sudo 1.6
  where LDAP was always consulted first.
* Support for /etc/environment on AIX and Linux. If sudo is run
  with the -i flag, the contents of /etc/environment are used to
  populate the new environment that is passed to the command being run.
* If no terminal is available or if the new -A flag is specified,
  sudo will use a helper program to read the password if one is
  configured. Typically, this is a graphical password prompter
  such as ssh-askpass.
* A new Defaults option, "mailfrom" that sets the value of the
  "From:" field in the warning/error mail. If unspecified, the
  login name of the invoking user is used.
* A new flag, -n, may be used to indicate that sudo should not
  prompt the user for a password and, instead, exit with an error
  if authentication is required.

From csjp at freebsd.org Thu Nov 27 21:27:48 2008
From: csjp at freebsd.org (Christian Peron)
Date: Thu, 27 Nov 2008 20:27:48 -0600
Subject: [sudo-workers] [patch] to add support for BSM audit records
Message-ID: <20081128022748.GA23986@jnz.sqrt.ca>

Group,

I would like to propose a patch to add BSM audit support to sudo. This patch
and associated files adds support for the Sun's Basic Security Module (BSM)
Audit API and file format. It should be noted that currently FreeBSD, OS X
and Solaris use BSM. I have not tested on Solaris or OS X but, this patch
should build on both. This is a starting point, it's possible that I could
be missing some key error conditions which require auditing.

Please review and send back any feedback/comments.

Thanks!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sudo.1227835531.diff
Type: text/x-diff
Size: 8443 bytes
Desc: not available
URL:

From csjp at freebsd.org Fri Nov 28 13:59:42 2008
From: csjp at freebsd.org (Christian Peron)
Date: Fri, 28 Nov 2008 12:59:42 -0600
Subject: [sudo-workers] [patch] BSM audit support for sudo
Message-ID: <20081128185942.GA26786@jnz.sqrt.ca>

[forwarded]

Group,

I would like to propose a patch to add BSM audit support to sudo. This patch
and associated files adds support for the Sun's Basic Security Module (BSM)
Audit API. It should be noted that currently FreeBSD, OS X
and Solaris use BSM. I have not tested on Solaris or OS X but, this patch
should build on both. This is a starting point, it's possible that I could
be missing some key error conditions which require auditing.

Please review and send back any feedback/comments.

Thanks!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sudo.1227835531.diff
Type: text/x-diff
Size: 8443 bytes
Desc: not available
URL:

From csjp at freebsd.org Fri Nov 28 14:29:38 2008
From: csjp at freebsd.org (Christian Peron)
Date: Fri, 28 Nov 2008 13:29:38 -0600
Subject: [sudo-workers] [patch] BSM audit support for sudo
In-Reply-To: <20081128185942.GA26786@jnz.sqrt.ca>
References: <20081128185942.GA26786@jnz.sqrt.ca>
Message-ID: <20081128192938.GA26923@jnz.sqrt.ca>

Apologies if this was posted already.

On Fri, Nov 28, 2008 at 12:59:42PM -0600, Christian Peron wrote:
>
> [forwarded]
>
> Group,
>
> I would like to propose a patch to add BSM audit support to sudo. This patch
> and associated files adds support for the Sun's Basic Security Module (BSM)
> Audit API. It should be noted that currently FreeBSD, OS X
> and Solaris use BSM. I have not tested on Solaris or OS X but, this patch
> should build on both. This is a starting point, it's possible that I could
> be missing some key error conditions which require auditing.
>
> Please review and send back any feedback/comments.
>
> Thanks!

From csjp at FreeBSD.org Sat Nov 29 10:32:07 2008
From: csjp at FreeBSD.org (Christian Peron)
Date: Sat, 29 Nov 2008 09:32:07 -0600
Subject: [sudo-workers] [patch] to add support for BSM audit records
In-Reply-To:
References: <20081128022748.GA23986@jnz.sqrt.ca>
Message-ID: <20081129153207.GA30232@jnz.sqrt.ca>

On Sat, Nov 29, 2008 at 03:08:46PM +0000, Robert Watson wrote:
[..]
>
> Hi Christian:
>
> This sounds extremely useful. Question: do you think it might be useful to
> add the command line being requested to the audit record via another text
> token? While presumably each execve(2) can be separately audited, the
> original formulation (especially if it involves a pipeline) may be useful.
>

Yes, I was thinking about that. It probably makes sense to use the argv
token type. I will update the patch.

From rwatson at FreeBSD.org Sat Nov 29 10:08:46 2008
From: rwatson at FreeBSD.org (Robert Watson)
Date: Sat, 29 Nov 2008 15:08:46 +0000 (GMT)
Subject: [sudo-workers] [patch] to add support for BSM audit records
In-Reply-To: <20081128022748.GA23986@jnz.sqrt.ca>
References: <20081128022748.GA23986@jnz.sqrt.ca>
Message-ID:

On Thu, 27 Nov 2008, Christian Peron wrote:

> I would like to propose a patch to add BSM audit support to sudo. This
> patch and associated files adds support for the Sun's Basic Security Module
> (BSM) Audit API and file format. It should be noted that currently FreeBSD,
> OS X and Solaris use BSM. I have not tested on Solaris or OS X but, this
> patch should build on both. This is a starting point, it's possible that I
> could be missing some key error conditions which require auditing.
>
> Please review and send back any feedback/comments.

Hi Christian:

This sounds extremely useful. Question: do you think it might be useful to
add the command line being requested to the audit record via another text
token? While presumably each execve(2) can be separately audited, the
original formulation (especially if it involves a pipeline) may be useful.

Robert N M Watson
Computer Laboratory
University of Cambridge

From Todd.Miller at courtesan.com Sun Nov 30 17:49:22 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Sun, 30 Nov 2008 17:49:22 -0500
Subject: [sudo-workers] [patch] to add support for BSM audit records
In-Reply-To: Your message of "Thu, 27 Nov 2008 20:27:48 CST."
    <20081128022748.GA23986@jnz.sqrt.ca>
References: <20081128022748.GA23986@jnz.sqrt.ca>
Message-ID: <200811302249.mAUMnMOi013678@core.courtesan.com>

In message <20081128022748.GA23986 at jnz.sqrt.ca>
so spake Christian Peron (csjp):

> I would like to propose a patch to add BSM audit support to sudo. This patch
> and associated files adds support for the Sun's Basic Security Module (BSM)
> Audit API and file format. It should be noted that currently FreeBSD, OS X
> and Solaris use BSM. I have not tested on Solaris or OS X but, this patch
> should build on both. This is a starting point, it's possible that I could
> be missing some key error conditions which require auditing.

As luck would have it I was reviewing the Apple BSD audit patches
recently. It's too late for this to go into sudo 1.7.0 but I'd
like to have official support for BSM and Linux auditing in version
1.7.1.

I don't see the bsm_audit.c file in your diff, BTW.

 - todd

From csjp at freebsd.org Sun Nov 30 19:01:42 2008
From: csjp at freebsd.org (Christian Peron)
Date: Sun, 30 Nov 2008 18:01:42 -0600
Subject: [sudo-workers] [patch] to add support for BSM audit records
In-Reply-To: <200811302249.mAUMnMOi013678@core.courtesan.com>
References: <20081128022748.GA23986@jnz.sqrt.ca>
    <200811302249.mAUMnMOi013678@core.courtesan.com>
Message-ID: <20081201000142.GA35443@jnz.sqrt.ca>

Strange... not sure what happened here.

http://people.freebsd.org/~csjp/bsm_audit.c
http://people.freebsd.org/~csjp/bsm_audit.h
http://people.freebsd.org/~csjp/sudo.1228089242.diff

Anyway here are the most recent diffs. I've taken Robert's suggestions into
consideration here and I've included the command line in the audit record.
I am not sure that Apple is doing this. One other area I need to dig a bit
further into is the selection code.

Cheers

On Sun, Nov 30, 2008 at 05:49:22PM -0500, Todd C. Miller wrote:
> In message <20081128022748.GA23986 at jnz.sqrt.ca>
> so spake Christian Peron (csjp):
>
> > I would like to propose a patch to add BSM audit support to sudo. This patch
> > and associated files adds support for the Sun's Basic Security Module (BSM)
> > Audit API and file format. It should be noted that currently FreeBSD, OS X
> > and Solaris use BSM. I have not tested on Solaris or OS X but, this patch
> > should build on both. This is a starting point, it's possible that I could
> > be missing some key error conditions which require auditing.
>
> As luck would have it I was reviewing the Apple BSD audit patches
> recently. It's too late for this to go into sudo 1.7.0 but I'd
> like to have official support for BSM and Linux auditing in version
> 1.7.1.
>
> I don't see the bsm_audit.c file in your diff, BTW.
>
> - todd
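
Added example, not part of any message in this archive and not sudo's own code: a C sketch of the password-prompt policy described in the rc4 and rc7 change lists earlier in the archive. It prefers /dev/tty even when stdin and stdout are not terminals, refuses to read when echo cannot be disabled unless visible input is explicitly allowed, and treats a bare newline as an empty password while end-of-file aborts. The function names, the PW_* return codes and the allow_visible parameter (standing in for the "visiblepw" option) are assumptions made for this illustration.

```c
/* Added illustration; not taken from the sudo source tree. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Hypothetical return codes for this sketch. */
enum { PW_OK = 0, PW_REFUSED = -1, PW_ABORT = -2, PW_IOERR = -3 };

/*
 * Read one line from fd into buf, dropping the newline.
 * A bare newline yields an empty password (PW_OK, buf == "");
 * end-of-file before any byte (^D on a terminal) yields PW_ABORT.
 */
static int read_line(int fd, char *buf, size_t len)
{
    size_t n = 0;
    ssize_t r;
    char c;

    if (len == 0)
        return PW_IOERR;
    while ((r = read(fd, &c, 1)) == 1 && c != '\n') {
        if (n + 1 < len)
            buf[n++] = c;           /* over-long input is truncated */
    }
    buf[n] = '\0';
    if (r < 0)
        return PW_IOERR;
    return (r == 0 && n == 0) ? PW_ABORT : PW_OK;
}

/* Turn echo off on fd; returns 1 only if ECHO is verifiably cleared. */
static int disable_echo(int fd, struct termios *saved)
{
    struct termios t;

    if (tcgetattr(fd, saved) != 0)  /* ENOTTY for pipes, files, sockets */
        return 0;
    t = *saved;
    t.c_lflag &= ~(tcflag_t)ECHO;
    if (tcsetattr(fd, TCSAFLUSH, &t) != 0)
        return 0;
    /* tcsetattr() reports success if any change took effect, so re-read. */
    return tcgetattr(fd, &t) == 0 && (t.c_lflag & ECHO) == 0;
}

/* Policy from the rc4 notes: no echo control means no prompt, unless allowed. */
int read_password_fd(int fd, int allow_visible, char *buf, size_t len)
{
    struct termios saved;
    int echo_off = disable_echo(fd, &saved);
    int rc;

    if (!echo_off && !allow_visible)
        return PW_REFUSED;
    rc = read_line(fd, buf, len);
    if (echo_off)
        (void)tcsetattr(fd, TCSAFLUSH, &saved);
    return rc;
}

/* Behaviour from the rc7 notes: use /dev/tty when it can be opened. */
int read_password(int allow_visible, char *buf, size_t len)
{
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    int rc;

    if (fd == -1)
        return read_password_fd(STDIN_FILENO, allow_visible, buf, len);
    rc = read_password_fd(fd, allow_visible, buf, len);
    close(fd);
    return rc;
}

int main(void)
{
    char pw[256];
    int rc;

    fputs("Password: ", stderr);
    rc = read_password(0, pw, sizeof(pw));
    fputc('\n', stderr);
    if (rc == PW_REFUSED)
        fputs("cannot disable echo; refusing to read a password\n", stderr);
    else if (rc == PW_ABORT)
        fputs("aborted at the prompt\n", stderr);
    else if (rc == PW_OK)
        fprintf(stderr, "read %s password\n", pw[0] ? "a non-empty" : "an empty");
    memset(pw, 0, sizeof(pw));
    return rc == PW_OK ? 0 : 1;
}
```

Piping input into the program with no controlling terminal exercises the refusal path; run from an interactive shell it reads from /dev/tty with echo off.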