16446717 add Solaris adt_*() auditing to sudo s11-update
authorApril Chin <april.chin@oracle.com>
Thu, 03 Apr 2014 15:29:22 -0700
branchs11-update
changeset 3048 4941064bbcd3
parent 3047 c06511111d22
child 3049 64dc23b0ff81
16446717 add Solaris adt_*() auditing to sudo 17617070 sudo does not use pam_setcred correctly to set the audit context.
components/sudo/Makefile
components/sudo/patches/01-sudo_debug.patch
components/sudo/patches/02-pam_setcred.patch
components/sudo/patches/03-solaris_audit.patch
components/sudo/patches/audit-event.patch
components/sudo/patches/sudo_debug.patch
--- a/components/sudo/Makefile	Thu Apr 03 11:10:33 2014 -0700
+++ b/components/sudo/Makefile	Thu Apr 03 15:29:22 2014 -0700
@@ -19,7 +19,7 @@
 # CDDL HEADER END
 
 #
-# Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
 #
 
 include ../../make-rules/shared-macros.mk
@@ -40,6 +40,9 @@
 include $(WS_TOP)/make-rules/configure.mk
 include $(WS_TOP)/make-rules/ips.mk
 
+# configure.in has been patched, so re-generate configure file
+COMPONENT_PREP_ACTION = ( cd $(@D) ; $(AUTORECONF) -f -I m4 )
+
 CONFIGURE_ENV +=	"CC=$(CC)"
 CONFIGURE_ENV +=	"CFLAGS=$(CFLAGS)"
 CONFIGURE_ENV +=	"CXX=$(CXX)"
@@ -53,7 +56,7 @@
 CONFIGURE_OPTIONS +=	--without-insults
 CONFIGURE_OPTIONS +=	--without-lecture
 CONFIGURE_OPTIONS +=	--with-ignore-dot
-CONFIGURE_OPTIONS +=	--with-bsm-audit
+CONFIGURE_OPTIONS +=	--with-solaris-audit
 CONFIGURE_OPTIONS +=	--libexecdir=/usr/lib/sudo
 CONFIGURE_OPTIONS +=	"sudo_cv_var_nroff_opt_Tascii=no"
 
@@ -62,6 +65,9 @@
 
 COMPONENT_INSTALL_TARGETS = install
 
+# Enable aslr for this component
+ASLR_MODE = $(ASLR_ENABLE)
+
 # common targets
 
 build:		$(BUILD_32)
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/sudo/patches/01-sudo_debug.patch	Thu Apr 03 15:29:22 2014 -0700
@@ -0,0 +1,13 @@
+Solaris needs missing definition for __printflike
+Solaris-specific; not suitable for upstream.
+
+--- sudo-1.8.4p5.orig/include/sudo_debug.h	2012-03-29 10:37:01.000000000 -0700
++++ sudo-1.8.4p5/include/sudo_debug.h	2012-05-18 11:18:27.886010000 -0700
[email protected]@ -17,6 +17,7 @@
+ #ifndef _SUDO_DEBUG_H
+ #define _SUDO_DEBUG_H
+ 
++#include "missing.h"
+ #include <stdarg.h>
+ 
+ /*
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/sudo/patches/02-pam_setcred.patch	Thu Apr 03 15:29:22 2014 -0700
@@ -0,0 +1,21 @@
+Fix for
+17617070 sudo does not use pam_setcred correctly to set the audit context
+
+This fix will be submitted upstream to the latest sudo release,
+currently 1.8.10p2.
+
+diff -ru sudo-1.8.6p7-orig//plugins/sudoers/auth/pam.c sudo-1.8.6p7/plugins/sudoers/auth/pam.c
+--- sudo-1.8.6p7-orig//plugins/sudoers/auth/pam.c	Mon Feb 25 11:42:44 2013
++++ sudo-1.8.6p7/plugins/sudoers/auth/pam.c	Mon Oct 21 13:32:27 2013
[email protected]@ -229,8 +229,10 @@
+      * for the setcred module.  Because we haven't called pam_authenticate(),
+      * this is not set and so pam_setcred() returns PAM_PERM_DENIED.
+      * We can't call pam_acct_mgmt() with Linux-PAM for a similar reason.
++     *
++     * Reinitialize credentials when changing a user. 
+      */
+-    (void) pam_setcred(pamh, PAM_ESTABLISH_CRED);
++    (void) pam_setcred(pamh, PAM_REINITIALIZE_CRED);
+ 
+ #ifdef HAVE_PAM_GETENVLIST
+     /*
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/sudo/patches/03-solaris_audit.patch	Thu Apr 03 15:29:22 2014 -0700
@@ -0,0 +1,279 @@
+Add Solaris auditing to sudo.
+Code was developed in-house.
+Plan is to contribute these changes upstream to
+the latest sudo release, currently 1.8.10p2.
+
+diff -rupN sudo-1.8.6p7-orig/config.h.in sudo-1.8.6p7/config.h.in
+--- sudo-1.8.6p7-orig/config.h.in	2013-02-25 11:46:09.000000000 -0800
++++ sudo-1.8.6p7/config.h.in	2013-12-18 13:23:28.000000000 -0800
[email protected]@ -506,6 +506,9 @@
+ /* Define to 1 if you have the `snprintf' function. */
+ #undef HAVE_SNPRINTF
+ 
++/* Define to 1 to enable Solaris audit support. */
++#undef HAVE_SOLARIS_AUDIT
++
+ /* Define to 1 if you have the <spawn.h> header file. */
+ #undef HAVE_SPAWN_H
+ 
+diff -rupN sudo-1.8.6p7-orig/configure.in sudo-1.8.6p7/configure.in
+--- sudo-1.8.6p7-orig/configure.in	2013-02-25 11:47:48.000000000 -0800
++++ sudo-1.8.6p7/configure.in	2014-04-02 15:17:30.692015000 -0700
[email protected]@ -13,6 +13,7 @@ dnl
+ dnl Variables that get substituted in the Makefile and man pages
+ dnl
+ AC_SUBST([HAVE_BSM_AUDIT])
++AC_SUBST([HAVE_SOLARIS_AUDIT])
+ AC_SUBST([SHELL])
+ AC_SUBST([LIBTOOL])
+ AC_SUBST([CFLAGS])
[email protected]@ -305,6 +306,20 @@ AC_ARG_WITH(linux-audit, [AS_HELP_STRING
+ esac])
+ 
+ dnl
++dnl Handle Solaris auditing support.
++dnl
++AC_ARG_WITH(solaris-audit, [AS_HELP_STRING([--with-solaris-audit], [enable Solaris audit support])],
++[case $with_solaris_audit in
++    yes)	AC_DEFINE(HAVE_SOLARIS_AUDIT)
++		SUDOERS_LIBS="${SUDOERS_LIBS} -lbsm"
++		SUDOERS_OBJS="${SUDOERS_OBJS} solaris_audit.lo"
++		;;
++    no)		;;
++    *)		AC_MSG_ERROR(["--with-solaris-audit does not take an argument."])
++		;;
++esac])
++
++dnl
+ dnl Handle SSSD support.
+ dnl
+ AC_ARG_WITH(sssd, [AS_HELP_STRING([--with-sssd], [enable SSSD support])],
[email protected]@ -1979,6 +1994,13 @@ if test -n "$with_noexec"; then
+ fi
+ 
+ dnl
++dnl Check for use of Solaris audit with BSM or Linux audit
++dnl
++if test "${with_solaris_audit+set}" = set && ( test "${with_bsm_audit+set}" = set || test "${with_linux_audit+set}" = set); then
++        AC_MSG_ERROR([BSM/Linux and Solaris auditing options are mutually exclusive.])
++fi 
++
++dnl
+ dnl Check for mixing mutually exclusive and regular auth methods
+ dnl
+ AUTH_REG=${AUTH_REG# }
[email protected]@ -3622,6 +3644,7 @@ AH_TEMPLATE(HAVE_SHL_LOAD, [Define to 1
+ AH_TEMPLATE(HAVE_SKEY, [Define to 1 if you use S/Key.])
+ AH_TEMPLATE(HAVE_SKEYACCESS, [Define to 1 if your S/Key library has skeyaccess().])
+ AH_TEMPLATE(HAVE_RFC1938_SKEYCHALLENGE, [Define to 1 if the skeychallenge() function is RFC1938-compliant and takes 4 arguments])
++AH_TEMPLATE(HAVE_SOLARIS_AUDIT, [Define to 1 to enable Solaris audit support.])
+ AH_TEMPLATE(HAVE_ST__TIM, [Define to 1 if your struct stat uses an st__tim union])
+ AH_TEMPLATE(HAVE_ST_MTIM, [Define to 1 if your struct stat has an st_mtim member])
+ AH_TEMPLATE(HAVE_ST_MTIMESPEC, [Define to 1 if your struct stat has an st_mtimespec member])
+diff -rupN sudo-1.8.6p7-orig/INSTALL sudo-1.8.6p7/INSTALL
+--- sudo-1.8.6p7-orig/INSTALL	2013-02-25 11:42:43.000000000 -0800
++++ sudo-1.8.6p7/INSTALL	2013-12-18 14:06:38.000000000 -0800
[email protected]@ -159,6 +159,9 @@ Special features/options:
+ 	DIR should contain include and lib directories with skey.h
+ 	and libskey.a respectively.
+ 
++  --with-solaris-audit
++	Enable audit support for Solaris systems.
++
+   --with-opie[=DIR]
+ 	Enable NRL OPIE OTP (One Time Password) support.  If specified,
+ 	DIR should contain include and lib directories with opie.h
+diff -rupN sudo-1.8.6p7-orig/MANIFEST sudo-1.8.6p7/MANIFEST
+--- sudo-1.8.6p7-orig/MANIFEST	2013-02-25 11:42:43.000000000 -0800
++++ sudo-1.8.6p7/MANIFEST	2013-12-18 13:46:06.000000000 -0800
[email protected]@ -261,6 +261,8 @@ plugins/sudoers/regress/sudoers/test8.to
+ plugins/sudoers/regress/testsudoers/test1.out.ok
+ plugins/sudoers/regress/testsudoers/test1.sh
+ plugins/sudoers/set_perms.c
++plugins/sudoers/solaris_audit.c
++plugins/sudoers/solaris_audit.h
+ plugins/sudoers/sssd.c
+ plugins/sudoers/sudo_nss.c
+ plugins/sudoers/sudo_nss.h
+diff -rupN sudo-1.8.6p7-orig/mkdep.pl sudo-1.8.6p7/mkdep.pl
+--- sudo-1.8.6p7-orig/mkdep.pl	2013-02-25 11:42:44.000000000 -0800
++++ sudo-1.8.6p7/mkdep.pl	2013-12-18 14:03:37.000000000 -0800
[email protected]@ -52,7 +52,7 @@ sub mkdep {
+     $makefile =~ s:\@DEV\@::g;
+     $makefile =~ s:\@COMMON_OBJS\@:aix.lo:;
+     $makefile =~ s:\@SUDO_OBJS\@:preload.o selinux.o sesh.o sudo_noexec.lo:;
+-    $makefile =~ s:\@SUDOERS_OBJS\@:bsm_audit.lo linux_audit.lo ldap.lo plugin_error.lo sssd.lo:;
++    $makefile =~ s:\@SUDOERS_OBJS\@:bsm_audit.lo linux_audit.lo ldap.lo plugin_error.lo solaris_audit.lo sssd.lo:;
+     # XXX - fill in AUTH_OBJS from contents of the auth dir instead
+     $makefile =~ s:\@AUTH_OBJS\@:afs.lo aix_auth.lo bsdauth.lo dce.lo fwtk.lo getspwuid.lo kerb5.lo pam.lo passwd.lo rfc1938.lo secureware.lo securid5.lo sia.lo:;
+     $makefile =~ s:\@LTLIBOBJS\@:closefrom.lo dlopen.lo fnmatch.lo getcwd.lo getgrouplist.lo getline.lo getprogname.lo glob.lo isblank.lo memrchr.lo mksiglist.lo mksigname.lo mktemp.lo nanosleep.lo pw_dup.lo sig2str.lo siglist.lo signame.lo snprintf.lo strlcat.lo strlcpy.lo strsignal.lo utimes.lo globtest.o fnm_test.o:;
+diff -rupN sudo-1.8.6p7-orig/plugins/sudoers/audit.c sudo-1.8.6p7/plugins/sudoers/audit.c
+--- sudo-1.8.6p7-orig/plugins/sudoers/audit.c	2013-02-25 11:46:09.000000000 -0800
++++ sudo-1.8.6p7/plugins/sudoers/audit.c	2013-12-18 13:48:56.000000000 -0800
[email protected]@ -43,6 +43,9 @@
+ #ifdef HAVE_LINUX_AUDIT
+ # include "linux_audit.h"
+ #endif
++#ifdef HAVE_SOLARIS_AUDIT
++# include "solaris_audit.h"
++#endif
+ 
+ void
+ audit_success(char *exec_args[])
[email protected]@ -56,6 +59,9 @@ audit_success(char *exec_args[])
+ #ifdef HAVE_LINUX_AUDIT
+ 	linux_audit_command(exec_args, 1);
+ #endif
++#ifdef HAVE_SOLARIS_AUDIT
++	solaris_audit_success(exec_args);
++#endif
+     }
+ 
+     debug_return;
[email protected]@ -75,6 +81,9 @@ audit_failure(char *exec_args[], char co
+ #ifdef HAVE_LINUX_AUDIT
+ 	linux_audit_command(exec_args, 0);
+ #endif
++#ifdef HAVE_SOLARIS_AUDIT
++	solaris_audit_failure(exec_args, fmt, ap);
++#endif
+ 	va_end(ap);
+     }
+ 
+diff -rupN sudo-1.8.6p7-orig/plugins/sudoers/Makefile.in sudo-1.8.6p7/plugins/sudoers/Makefile.in
+--- sudo-1.8.6p7-orig/plugins/sudoers/Makefile.in	2013-02-25 11:46:09.000000000 -0800
++++ sudo-1.8.6p7/plugins/sudoers/Makefile.in	2014-04-02 12:31:58.298858000 -0700
[email protected]@ -432,7 +432,7 @@ alias.lo: $(srcdir)/alias.c $(top_buildd
+ 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/alias.c
+ audit.lo: $(srcdir)/audit.c $(top_builddir)/config.h $(incdir)/missing.h \
+           $(srcdir)/logging.h $(incdir)/sudo_debug.h $(srcdir)/bsm_audit.h \
+-          $(srcdir)/linux_audit.h
++          $(srcdir)/linux_audit.h $(srcdir)/solaris_audit.h
+ 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/audit.c
+ boottime.lo: $(srcdir)/boottime.c $(top_builddir)/config.h $(incdir)/missing.h \
+              $(incdir)/sudo_debug.h
[email protected]@ -728,6 +728,10 @@ sia.lo: $(authdir)/sia.c $(top_builddir)
+         $(devdir)/def_data.h $(srcdir)/logging.h $(srcdir)/sudo_nss.h \
+         $(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h $(incdir)/gettext.h
+ 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(authdir)/sia.c
++solaris_audit.lo: $(srcdir)/solaris_audit.c $(top_builddir)/config.h \
++              $(srcdir)/sudoers.h $(incdir)/sudo_debug.h \
++              $(srcdir)/solaris_audit.h
++	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/solaris_audit.c
+ sssd.lo: $(srcdir)/sssd.c $(top_builddir)/config.h \
+          $(top_srcdir)/compat/dlfcn.h $(srcdir)/sudoers.h \
+          $(top_srcdir)/compat/stdbool.h $(top_builddir)/pathnames.h \
+diff -rupN sudo-1.8.6p7-orig/plugins/sudoers/solaris_audit.c sudo-1.8.6p7/plugins/sudoers/solaris_audit.c
+--- sudo-1.8.6p7-orig/plugins/sudoers/solaris_audit.c	1969-12-31 16:00:00.000000000 -0800
++++ sudo-1.8.6p7/plugins/sudoers/solaris_audit.c	2014-03-18 12:09:27.000000000 -0700
[email protected]@ -0,0 +1,95 @@
++/*
++ * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
++ */
++
++#include <config.h>
++#include <stdarg.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++
++#include <bsm/adt.h>
++#include <bsm/adt_event.h>
++
++#include "sudoers.h"
++#include "sudo_debug.h"
++#include "solaris_audit.h"
++
++adt_session_data_t	*ah;		/* audit session handle */
++adt_event_data_t	*event;		/* event to be generated */
++char			cwd[MAXPATHLEN];
++char			cmdpath[PATH_MAX];
++
++static void
++adt_sudo_common(char *exec_args[])
++{
++	int	argc;
++
++	if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA) != 0) {
++		log_error(USE_ERRNO | NO_STDERR, _("sudo: adt_start_session"));
++	}
++	if ((event = adt_alloc_event(ah, ADT_sudo)) == NULL) {
++		log_error(USE_ERRNO | NO_STDERR, _("sudo: alloc_event"));
++	}
++	if ((event->adt_sudo.cwdpath = getcwd(cwd, sizeof (cwd))) == NULL) {
++		log_error(USE_ERRNO | NO_STDERR, _("sudo: can't add cwd path"));
++	}
++	for (argc = 0; exec_args[argc] != NULL; argc++) {
++		continue;
++	}
++
++	/* get the real executable name */
++	if (user_cmnd != NULL) {
++		if (strlcpy(cmdpath, (const char *)user_cmnd,
++		    sizeof (cmdpath)) >= sizeof (cmdpath)) {
++			log_error(NO_STDERR,
++			    _("sudo: truncated audit path " "user_cmnd: %s"),
++			    user_cmnd);
++		}
++	} else {
++		if (strlcpy(cmdpath, (const char *)exec_args[0],
++		    sizeof (cmdpath)) >= sizeof (cmdpath)) {
++			log_error(NO_STDERR,
++			    _("sudo: truncated audit path " "argv[0]: %s"),
++			    exec_args[0]);
++		}
++	}
++
++	event->adt_sudo.cmdpath = cmdpath;
++
++	event->adt_sudo.argc = argc - 1;
++	event->adt_sudo.argv = &exec_args[1];
++	event->adt_sudo.envp = env_get();
++}
++
++
++void
++solaris_audit_success(char *exec_args[])
++{
++	adt_sudo_common(exec_args);
++
++	if (adt_put_event(event, ADT_SUCCESS, ADT_SUCCESS) != 0) {
++		log_error(USE_ERRNO | NO_STDERR,
++		    _("sudo: adt_put_event(success)"));
++	}
++	adt_free_event(event);
++	(void) adt_end_session(ah);
++}
++
++void
++solaris_audit_failure(char *exec_args[], char const *const fmt, va_list ap)
++{
++	adt_sudo_common(exec_args);
++
++	if (vasprintf(&event->adt_sudo.errmsg, fmt, ap) == -1) {
++		log_error(USE_ERRNO | NO_STDERR,
++		    _("sudo: audit_failure message too long"));
++	}
++	if (adt_put_event(event, ADT_FAILURE, ADT_FAIL_VALUE_PROGRAM) != 0) {
++		log_error(USE_ERRNO | NO_STDERR,
++		    _("sudo: adt_put_event(failure)"));
++	}
++	free(event->adt_sudo.errmsg);
++	adt_free_event(event);
++	(void) adt_end_session(ah);
++}
+diff -rupN sudo-1.8.6p7-orig/plugins/sudoers/solaris_audit.h sudo-1.8.6p7/plugins/sudoers/solaris_audit.h
+--- sudo-1.8.6p7-orig/plugins/sudoers/solaris_audit.h	1969-12-31 16:00:00.000000000 -0800
++++ sudo-1.8.6p7/plugins/sudoers/solaris_audit.h	2014-03-18 14:20:22.000000000 -0700
[email protected]@ -0,0 +1,11 @@
++/*
++ * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
++ */
++
++#ifndef _SUDO_SOLARIS_AUDIT_H
++#define	_SUDO_SOLARIS_AUDIT_H
++
++void	solaris_audit_success(char **);
++void	solaris_audit_failure(char **, char const * const, va_list);
++
++#endif /* _SUDO_SOLARIS_AUDIT_H */
--- a/components/sudo/patches/audit-event.patch	Thu Apr 03 11:10:33 2014 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,77 +0,0 @@
-au_* calls need correct parameters.
-This legacy auditing will later be replaced by Solaris adt_* calls,
-so in the future, use of bsm_audit.c and configuring --with-bsm-audit will 
-be removed.
-
---- sudo-1.8.6p7.orig/plugins/sudoers/bsm_audit.c	2012-09-18 06:56:29.000000000 -0700
-+++ sudo-1.8.6p7/plugins/sudoers/bsm_audit.c	2013-03-07 10:18:20.309947000 -0800
[email protected]@ -31,8 +31,8 @@
- #include <unistd.h>
- 
- #include "gettext.h"
--#include "error.h"
- #include "sudo_debug.h"
-+#include "error.h"
- #include "bsm_audit.h"
- 
- /*
[email protected]@ -103,7 +103,7 @@ bsm_audit_success(char **exec_args)
- 		error(1, _("au_open: failed"));
- 	if (getaudit_addr(&ainfo_addr, sizeof(ainfo_addr)) == 0) {
- 		tok = au_to_subject_ex(auid, geteuid(), getegid(), getuid(),
--		    getuid(), pid, pid, &ainfo_addr.ai_termid);
-+		    getgid(), pid, ainfo_addr.ai_asid, &ainfo_addr.ai_termid);
- 	} else if (errno == ENOSYS) {
- 		/*
- 		 * NB: We should probably watch out for ERANGE here.
[email protected]@ -111,7 +111,7 @@ bsm_audit_success(char **exec_args)
- 		if (getaudit(&ainfo) < 0)
- 			error(1, _("getaudit: failed"));
- 		tok = au_to_subject(auid, geteuid(), getegid(), getuid(),
--		    getuid(), pid, pid, &ainfo.ai_termid);
-+		    getgid(), pid, ainfo.ai_asid, &ainfo.ai_termid);
- 	} else
- 		error(1, _("getaudit: failed"));
- 	if (tok == NULL)
[email protected]@ -125,7 +125,7 @@ bsm_audit_success(char **exec_args)
- 	if (tok == NULL)
- 		error(1, _("au_to_return32: failed"));
- 	au_write(aufd, tok);
--	if (au_close(aufd, 1, AUE_sudo) == -1)
-+	if (au_close(aufd, 1, AUE_sudo, PAD_FAILURE) == -1)
- 		error(1, _("unable to commit audit record"));
- 	debug_return;
- }
[email protected]@ -147,7 +147,7 @@ bsm_audit_failure(char **exec_args, char
- 	/*
- 	 * If we are not auditing, don't cut an audit record; just return.
- 	 */
--	if (auditon(A_GETCOND, &au_cond, sizeof(long)) < 0) {
-+	if (auditon(A_GETCOND, (caddr_t)&au_cond, sizeof(long)) < 0) {
- 		if (errno == AUDIT_NOT_CONFIGURED)
- 			debug_return;
- 		error(1, _("Could not determine audit condition"));
[email protected]@ -162,12 +162,12 @@ bsm_audit_failure(char **exec_args, char
- 		error(1, _("au_open: failed"));
- 	if (getaudit_addr(&ainfo_addr, sizeof(ainfo_addr)) == 0) { 
- 		tok = au_to_subject_ex(auid, geteuid(), getegid(), getuid(),
--		    getuid(), pid, pid, &ainfo_addr.ai_termid);
-+		    getgid(), pid, ainfo_addr.ai_asid, &ainfo_addr.ai_termid);
- 	} else if (errno == ENOSYS) {
- 		if (getaudit(&ainfo) < 0) 
- 			error(1, _("getaudit: failed"));
- 		tok = au_to_subject(auid, geteuid(), getegid(), getuid(),
--		    getuid(), pid, pid, &ainfo.ai_termid);
-+		    getgid(), pid, ainfo.ai_asid, &ainfo.ai_termid);
- 	} else
- 		error(1, _("getaudit: failed"));
- 	if (tok == NULL)
[email protected]@ -186,7 +186,7 @@ bsm_audit_failure(char **exec_args, char
- 	if (tok == NULL)
- 		error(1, _("au_to_return32: failed"));
- 	au_write(aufd, tok);
--	if (au_close(aufd, 1, AUE_sudo) == -1)
-+	if (au_close(aufd, 1, AUE_sudo, PAD_FAILURE) == -1)
- 		error(1, _("unable to commit audit record"));
- 	debug_return;
- }
--- a/components/sudo/patches/sudo_debug.patch	Thu Apr 03 11:10:33 2014 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,12 +0,0 @@
-Solaris needs missing definition for __printflike
-
---- sudo-1.8.4p5.orig/include/sudo_debug.h	2012-03-29 10:37:01.000000000 -0700
-+++ sudo-1.8.4p5/include/sudo_debug.h	2012-05-18 11:18:27.886010000 -0700
[email protected]@ -17,6 +17,7 @@
- #ifndef _SUDO_DEBUG_H
- #define _SUDO_DEBUG_H
- 
-+#include "missing.h"
- #include <stdarg.h>
- 
- /*