Pass explicit reason to fmt_alert_message() and fmt_reject_message()

millert · millert · commit 7eaa5269478d · 2025-10-30T11:39:46.000-06:00
In intercept mode, when a sub-command is rejected by policy we need to pass in the explicit reason for the failure and not rely on the reason in the closure (which will be NULL). Recent changes to sudo_logsrvd require a reason for the RejectMessage. Found by the ZeroPath AI Security Engineer <https://zeropath.com>
diff --git a/plugins/sudoers/log_client.c b/plugins/sudoers/log_client.c
@@ -1048,7 +1048,7 @@ fmt_accept_message(struct client_closure *closure, const struct eventlog *evlog)
  * Returns true on success, false on failure.
  */
 bool
-fmt_reject_message(struct client_closure *closure, const struct eventlog *evlog)
+fmt_reject_message(struct client_closure *closure, const struct eventlog *evlog,    const char *reason)
 {
     ClientMessage client_msg = CLIENT_MESSAGE__INIT;
     RejectMessage reject_msg = REJECT_MESSAGE__INIT;
@@ -1072,7 +1072,7 @@ fmt_reject_message(struct client_closure *closure, const struct eventlog *evlog)
     reject_msg.submit_time = &ts;
 
     /* Reason for rejecting the request. */
-    reject_msg.reason = (char *)closure->reason;
+    reject_msg.reason = (char *)reason;
 
     reject_msg.info_msgs = fmt_info_messages(closure, evlog,
 	&reject_msg.n_info_msgs);
@@ -1100,7 +1100,8 @@ fmt_reject_message(struct client_closure *closure, const struct eventlog *evlog)
  * Returns true on success, false on failure.
  */
 bool
-fmt_alert_message(struct client_closure *closure, const struct eventlog *evlog)
+fmt_alert_message(struct client_closure *closure, const struct eventlog *evlog,
+    const char *reason)
 {
     ClientMessage client_msg = CLIENT_MESSAGE__INIT;
     AlertMessage alert_msg = ALERT_MESSAGE__INIT;
@@ -1125,7 +1126,7 @@ fmt_alert_message(struct client_closure *closure, const struct eventlog *evlog)
     alert_msg.alert_time = &ts;
 
     /* Reason for the alert. */
-    alert_msg.reason = (char *)closure->reason;
+    alert_msg.reason = (char *)reason;
 
     alert_msg.info_msgs = fmt_info_messages(closure, evlog,
 	&alert_msg.n_info_msgs);
@@ -1179,11 +1180,13 @@ fmt_initial_message(struct client_closure *closure)
 	break;
     case SEND_REJECT:
 	/* Format and schedule RejectMessage. */
-	ret = fmt_reject_message(closure, closure->log_details->evlog);
+	ret = fmt_reject_message(closure, closure->log_details->evlog,
+	    closure->reason);
 	break;
     case SEND_ALERT:
 	/* Format and schedule AlertMessage. */
-	ret = fmt_alert_message(closure, closure->log_details->evlog);
+	ret = fmt_alert_message(closure, closure->log_details->evlog,
+	    closure->reason);
 	break;
     default:
 	sudo_warnx(U_("%s: unexpected state %d"), __func__, closure->state);
diff --git a/plugins/sudoers/log_client.h b/plugins/sudoers/log_client.h
@@ -109,8 +109,8 @@ struct client_closure {
 struct client_closure *log_server_open(struct log_details *details, struct timespec *start_time, bool log_io, enum client_state initial_state, const char *reason);
 bool log_server_close(struct client_closure *closure, int exit_status, int error);
 bool fmt_accept_message(struct client_closure *closure, const struct eventlog *evlog);
-bool fmt_reject_message(struct client_closure *closure, const struct eventlog *evlog);
-bool fmt_alert_message(struct client_closure *closure, const struct eventlog *evlog);
+bool fmt_reject_message(struct client_closure *closure, const struct eventlog *evlog, const char *reason);
+bool fmt_alert_message(struct client_closure *closure, const struct eventlog *evlog, const char *reason);
 bool fmt_io_buf(struct client_closure *closure, int type, const char *buf, unsigned int len, const struct timespec *delay);
 bool fmt_suspend(struct client_closure *closure, const char *signame, const struct timespec *delay);
 bool fmt_winsize(struct client_closure *closure, unsigned int lines, unsigned int cols, const struct timespec *delay);
diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c
@@ -137,7 +137,7 @@ log_server_reject(const struct sudoers_context *ctx, struct eventlog *evlog,
 	    debug_return_bool(true);
 
 	/* Use existing client closure. */
-        if (fmt_reject_message(client_closure, evlog)) {
+        if (fmt_reject_message(client_closure, evlog, message)) {
             if (client_closure->write_ev->add(client_closure->write_ev,
                     &client_closure->log_details->server_timeout) == -1) {
                 sudo_warn("%s", U_("unable to add event to queue"));
@@ -195,7 +195,7 @@ log_server_alert(const struct sudoers_context *ctx, struct eventlog *evlog,
 	}
 
 	/* Use existing client closure. */
-        if (fmt_alert_message(client_closure, evlog)) {
+        if (fmt_alert_message(client_closure, evlog, emessage ? emessage : message)) {
             if (client_closure->write_ev->add(client_closure->write_ev,
                     &client_closure->log_details->server_timeout) == -1) {
                 sudo_warn("%s", U_("unable to add event to queue"));
