author | Stephen Hemminger <stephen.hemminger@vyatta.com> | 2010-04-09 15:57:20 -0700 |
committer | Stephen Hemminger <stephen.hemminger@vyatta.com> | 2010-04-09 15:57:20 -0700 |
commit | f1250933e4a2ac09a3d0b25b3877068e12f44da5 (patch) | |
tree | 2781c695ae6681db41e3a1d2445032a5d005d22e | |
parent | e2632a15614446a50d7ee37259103b9dbc58abfd (diff) | |
Fix command auditing to work right
The command auditing patch had a number of issues:
* was looking at shell_input_line rather than what the user entered
* reopened audit file descriptor on each command
* left audit_fd dangling in child
* looked up tty on each command
It still does getcwd() on each command but that probably can't be helped.
-rw-r--r-- | eval.c | 69 | ||||
-rw-r--r-- | parse.y | 2 |
2 files changed, 35 insertions, 36 deletions
@@ -46,6 +46,7 @@ #endif #if defined (AUDIT_SHELL) +# include "filecntl.h" # include <libaudit.h> # include <errno.h> #endif @@ -69,42 +70,49 @@ extern int current_readline_line_index; #if defined (AUDIT_SHELL) static int audit_fd = -1; +static char *audit_tty; static int audit_start () { - audit_fd = audit_open (); if (audit_fd < 0) - return -1; - else - return 0; + { + audit_fd = audit_open (); + if (audit_fd < 0) + { + if (errno != EINVAL && errno != EPROTONOSUPPORT + && errno != EAFNOSUPPORT) + return -1; + } + else + SET_CLOSE_ON_EXEC(audit_fd); + } + + if (audit_tty == NULL) + { + char *tty = ttyname(fileno(stdin)); + if (tty) + audit_tty = strdup(tty); + } + + return 0; } -static int -audit (cmd, result) - char *cmd; +static void +audit (result) int result; { - int rc; - - if (audit_fd < 0) - return 0; - - rc = audit_log_user_command (audit_fd, AUDIT_USER_CMD, cmd, - NULL, !result); - close (audit_fd); - audit_fd = -1; - return rc; + audit_log_user_command (audit_fd, AUDIT_USER_CMD, current_readline_line, + audit_tty, result == EXECUTION_SUCCESS); } #endif - /* Read and execute commands until EOF is reached. This assumes that the input source has already been initialized. */ int reader_loop () { - int our_indirection_level; + int our_indirection_level, result; COMMAND * volatile current_command; current_command = (COMMAND *)NULL; @@ -112,6 +120,11 @@ reader_loop () our_indirection_level = ++indirection_level; +#if defined (AUDIT_SHELL) + if (audited && interactive_shell && audit_start () < 0) + return EXECUTION_FAILURE; +#endif + while (EOF_Reached == 0) { int code; 
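Review bot: The new `audit` body in the `@@ -69,42 +70,49 @@` hunk drops the old `if (audit_fd < 0) return 0;` guard, yet `audit_start` now deliberately returns 0 with `audit_fd` still -1 when `audit_open` fails with EINVAL/EPROTONOSUPPORT/EAFNOSUPPORT, so on such systems every command calls `audit_log_user_command` on an invalid descriptor; the guard should come back as `if (audit_fd < 0) return;` at the top of `audit`. The return value of `audit_log_user_command` is also discarded, so a lost audit record (netlink send failure, auditd not running) is silent — for a command-auditing feature a failure to record should at least be reported, e.g. `if (audit_log_user_command (...) < 0) fprintf (stderr, "audit: %s\n", strerror (errno));`. Whether libaudit tolerates a NULL `tty` (when `ttyname` or `strdup` fails) or a NULL `current_readline_line` argument cannot be confirmed from this hunk; if it does not, both need a fallback before the call, and the behaviour is worth a comment above `audit` either way.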
@@ -186,24 +199,10 @@ reader_loop () executing = 1; stdin_redir = 0; -#if defined (AUDIT_SHELL) - if (audited && interactive_shell) - { - if (audit_start () < 0) - { - if (errno != EINVAL && errno != EPROTONOSUPPORT && - errno != EAFNOSUPPORT) - return EXECUTION_FAILURE; - } - } -#endif - execute_command (current_command); + result = execute_command (current_command); #if defined (AUDIT_SHELL) - { - extern char *shell_input_line; - audit (shell_input_line, last_command_exit_value); - } + audit (result); #endif exec_done: @@ -263,7 +263,7 @@ int need_here_doc; /* Where shell input comes from. History expansion is performed on each line when the shell is interactive. */ -char *shell_input_line = (char *)NULL; +static char *shell_input_line = (char *)NULL; static int shell_input_line_index; static int shell_input_line_size; /* Amount allocated for shell_input_line. */ static int shell_input_line_len; /* strlen (shell_input_line) */ |
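Review bot: `audit (result)` in the `@@ -186,24 +199,10 @@` hunk records `current_readline_line`, which — if it holds only the most recently read physical line, as its name suggests — means a compound command entered across several lines (a `for`/`while` body, a backslash continuation, a here-document) is audited as just its final line such as `done`, and the command text that actually ran never reaches the audit log. Auditing what was executed rather than what was last read is more robust: bash's command printer (`make_command_string (current_command)`, if present in this tree) reconstructs the parsed command, or the input lines consumed since the previous command completed could be concatenated. Because the call is also placed after `execute_command` returns, a command that replaces or terminates the shell (`exec`, `exit`, a fatal signal) is never recorded; emitting the record before execution, with the result reported separately or marked unknown, closes that gap. The body of `reader_loop` begins and ends outside this hunk.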