From 22b320645ccd40acab0216c249aab6ffc5892a45 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Fri, 6 Sep 2024 13:05:47 -0600
Subject: [PATCH] Fix the date written used by the exit record in sudo-format log files
The change to always get the current time when building a struct evlog in sudoers broke the data and time written for exit records. This only affected file-based logs, not syslog. GitHub issue #405.
---
 lib/eventlog/eventlog.c | 1 +
 logsrvd/logsrvd_local.c | 2 +-
 plugins/sudoers/logging.c | 5 +++++
 3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/lib/eventlog/eventlog.c b/lib/eventlog/eventlog.c
index 5d4a832623..5a32824645 100644
--- a/lib/eventlog/eventlog.c
+++ b/lib/eventlog/eventlog.c
@@ -1453,6 +1453,7 @@ eventlog_exit(const struct eventlog *evlog, int flags)
 bool ret = true;
 debug_decl(eventlog_exit, SUDO_DEBUG_UTIL);
+ /* We expect evlog->event_time to be the command start time. */
 if (sudo_timespecisset(&evlog->run_time)) {
 sudo_timespecadd(&evlog->event_time, &evlog->run_time, &exit_time);
 args.event_time = &exit_time;
diff --git a/logsrvd/logsrvd_local.c b/logsrvd/logsrvd_local.c
index 024ae7cfa3..f863e5a237 100644
--- a/logsrvd/logsrvd_local.c
+++ b/logsrvd/logsrvd_local.c
@@ -423,7 +423,7 @@ store_exit_local(ExitMessage *msg, uint8_t *buf, size_t len,
 "command exited with %d", msg->exit_value);
 }
 if (logsrvd_conf_log_exit()) {
- if (!eventlog_exit(closure->evlog, flags)) {
+ if (!eventlog_exit(evlog, flags)) {
 closure->errstr = _("error logging exit event");
 debug_return_bool(false);
 }
diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c
index e6d9b7afea..a1ae85cc58 100644
--- a/plugins/sudoers/logging.c
+++ b/plugins/sudoers/logging.c
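Review bot: The call in store_exit_local() (logsrvd/logsrvd_local.c) now passes `evlog` instead of `closure->evlog`, but the declaration of `evlog` is outside the hunk and the commit message does not mention this file. If `evlog` is only a local alias for `closure->evlog` the change is cosmetic. Either way, the comment added in eventlog_exit() makes `event_time` a precondition for this caller too, so it is worth confirming that the server-side record carries the command start time rather than the time the exit message was received. A one-line note at the call would record that, e.g. `/* evlog->event_time must be the command start time, see eventlog_exit(). */`.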
@@ -655,6 +655,11 @@ log_exit_status(const struct sudoers_context *ctx, int status)
 if (!def_log_exit_status)
 SET(evl_flags, EVLOG_MAIL_ONLY);
 }
+ /*
+ * eventlog_exit() expects event_time to be the command start time,
+ * not the current time as set by sudoers_to_eventlog().
+ */
+ sudo_timespecsub(&evlog.event_time, &run_time, &evlog.event_time);
 evlog.run_time = run_time;
 evlog.exit_value = exit_value;
 evlog.signal_name = signal_name;
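Review bot: The exit timestamp in file-based logs now depends on this `sudo_timespecsub()` in log_exit_status() staying paired with the `sudo_timespecadd()` in eventlog_exit(), and nothing in the patch pins that pairing down: the diffstat lists three source files and no regression test. These records are what an investigator uses to place a privileged command on a timeline, so a test that writes an exit record and checks its timestamp would catch the next change to sudoers_to_eventlog() that breaks it. The computation of `run_time` is outside the hunk; if it is measured on a different clock than `event_time`, the derived start time stored in `evlog.event_time` is only approximate even though the exit time round-trips. I would extend the new comment with `* Keep in sync with eventlog_exit(), which adds run_time back to get the exit time.` log_exit_status() begins and ends outside the hunk.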