Fix the date written used by the exit record in sudo-format log files

The change to always get the current time when building a struct
evlog in sudoers broke the data and time written for exit records.
This only affected file-based logs, not syslog.  GitHub issue #405.

Author: millert

lib/eventlog/eventlog.c

@@ -1453,6 +1453,7 @@ eventlog_exit(const struct eventlog *evlog, int flags)
     bool ret = true;
     debug_decl(eventlog_exit, SUDO_DEBUG_UTIL);
 
+    /* We expect evlog->event_time to be the command start time. */
     if (sudo_timespecisset(&evlog->run_time)) {
 	sudo_timespecadd(&evlog->event_time, &evlog->run_time, &exit_time);
 	args.event_time = &exit_time;

logsrvd/logsrvd_local.c

@@ -423,7 +423,7 @@ store_exit_local(ExitMessage *msg, uint8_t *buf, size_t len,
 	    "command exited with %d", msg->exit_value);
     }
     if (logsrvd_conf_log_exit()) {
-	if (!eventlog_exit(closure->evlog, flags)) {
+	if (!eventlog_exit(evlog, flags)) {
 	    closure->errstr = _("error logging exit event");
 	    debug_return_bool(false);
 	}

plugins/sudoers/logging.c

@@ -655,6 +655,11 @@ log_exit_status(const struct sudoers_context *ctx, int status)
 	    if (!def_log_exit_status)
 		SET(evl_flags, EVLOG_MAIL_ONLY);
 	}
+	/*
+	 * eventlog_exit() expects event_time to be the command start time,
+	 * not the current time as set by sudoers_to_eventlog().
+	 */
+	sudo_timespecsub(&evlog.event_time, &run_time, &evlog.event_time);
 	evlog.run_time = run_time;
 	evlog.exit_value = exit_value;
 	evlog.signal_name = signal_name;