Import legacy release 1.1

ChangeLog

@@ -1,5 +1,13 @@
-Thu August 3 - Version 1.00
----------------------------
+Thu August 17 - Version  1.1
+----------------------------
+o Added support for execv().  Although execv() calls execve()
+  [as described in the man page], execv() calls don't seem to log.
+  They now do.  Will investigate this issue a bit further.
+o Made logging code modular, as to accomodate for the extra 
+  overload that execv() brought.
+
+Thu August 3  - Version 1.00
+----------------------------
 o Cleaned up the codebase a bit
 o Added the output of username and sid (PID of the login shell) 
   to the logged output

Makefile

@@ -1,3 +1,6 @@
+# Makefile for snoopy
+# $Id: $
+
 CC = gcc
 LIBS  = -ldl
 

README

@@ -1,5 +1,5 @@
 ------------------------------------------------------------------------------
-Snoopy 1.0
+Snoopy 1.1
 ------------------------------------------------------------------------------
 
    [email protected]
@@ -15,6 +15,13 @@ D E S C R I P T I O N
   allowing secure offsite logging of activity, generally the authpriv is
   stored as /var/log/auth.log.
 
+N O T E
+
+  execv() calls are now explicitly logged.   Although,  according to the
+  man page for execv(),  it is supposed to call execve().   To this date
+  the reason why execv()  calls weren't being logged is unknown,  but we 
+  are working to find out why.
+
 U S A G E
 
   Snoopy is  able to log all  users or just root,  this functionality is

TODO

@@ -0,0 +1,8 @@
+o Decrease function-calling overhead by using macros to 
+  replace log().  
+  -> See where else macros could be used.
+
+o Logging of environment (in the case of execve())
+  -> Would require a change in the logging mechanism
+
+o The inclusion of Verio's parsing code in the snoopy distribution (?)

install.sh

@@ -1,4 +1,9 @@
 #!/bin/sh
+
+#installation script for snoopy (for system wide installs)
+#Run as root!
+#$Id: $
+
 [ -x snoopy.so ] && {
   touch /etc/ld.so.preload
   [ -w /etc/ld.so.preload ] && {

snoopy.c

@@ -1,6 +1,9 @@
 /* snoopy.c -- execve() logging wrapper 
  * Copyright (c) 2000 [email protected],[email protected]
+ * Version 1.1
+ * $Id: $
  *
+ * Part hacked on flight KL 0617, 30,000 ft or so over the Atlantic :) 
  * 
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -30,22 +33,17 @@
 
 #define FN(ptr,type,name,args)  ptr = (type (*)args)dlsym (REAL_LIBC, name)
 
-int execve(const char *filename, char **argv, char **envp) {
-	static int (*func)(const char *, char **, char **);
-	static int (*guid)(void);
+void log(const char *filename, char **argv) {
+
 	static char **ptr, *logstring; 
 	static int size = MAX;
+	static int (*guid)(void);
 
-	FN(func,int,"execve",(const char *, char **, char **));
 	FN(guid,int,"getuid",(void));
 
 	ptr       = (char **)&argv[1];
 	logstring = (char *)malloc((size_t *)size);
-
-#if ROOT_ONLY
-if ((*guid)() != 0) return (*func) (filename, argv, envp);
-#endif
-
+
 	openlog("snoopy", LOG_PID, LOG_AUTHPRIV);
 
 	size -= snprintf(logstring, size,"[%s, uid:%d sid:%d]: %s",
@@ -57,6 +55,33 @@ if ((*guid)() != 0) return (*func) (filename, argv, envp);
 	syslog(LOG_INFO, "%s", logstring);	
 	free(logstring);
 	closelog();
+}
+
+int execve(const char *filename, char **argv, char **envp) {
+	static int (*func)(const char *, char **, char **);
+
+	FN(func,int,"execve",(const char *, char **, char **));
+
+#if ROOT_ONLY
+if ((*guid)() != 0) return (*func) (filename, argv, envp);
+#endif
 
+	log(filename, argv);
+
 	return (*func) (filename, argv, envp);
 }
+
+int execv(const char *filename, char **argv) {
+	static int (*func)(const char *, char **);
+
+	FN(func,int,"execv",(const char *, char **));
+
+#if ROOT_ONLY
+if ((*guid)() != 0) return (*func) (filename, argv);
+#endif
+
+	log(filename, argv);
+
+	return (*func) (filename, argv);
+}
+

snoopy.h

@@ -1,4 +1,8 @@
-// Snoopy 1.0
+/* Snoopy 1.1
+ *
+ * $Id: $
+ * 
+ */
 
 /* ROOT_ONLY
  * log only the actions running under uid 0, set 1 to enable