Module Name: src
Committed By: gdt
Date: Tue Mar 2 16:19:13 UTC 2010
Modified Files:
src/usr.bin/passwd: local_passwd.c pam_passwd.c
Log Message:
Log successful and unsuccessful attempts to change passwords, via -l
or pam, to ease IT audit guideline compliance. Patch from Richard
Hansen of BBN in private mail.
Proposed on tech-kern with positive comments, except a suggestion I
didn't implement:
A possible future enhancement is refraining from logging if the old
password is empty, as some people abort password changing that way.
However, it's not clear if this complies with most guidelines that
require password change logging, and at first glance that appears to
be a fairly difficult change.
To generate a diff of this commit:
cvs rdiff -u -r1.33 -r1.34 src/usr.bin/passwd/local_passwd.c
cvs rdiff -u -r1.4 -r1.5 src/usr.bin/passwd/pam_passwd.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/usr.bin/passwd/local_passwd.c
diff -u src/usr.bin/passwd/local_passwd.c:1.33 src/usr.bin/passwd/local_passwd.c:1.34
--- src/usr.bin/passwd/local_passwd.c:1.33 Fri Apr 17 20:25:08 2009
+++ src/usr.bin/passwd/local_passwd.c Tue Mar 2 16:19:13 2010
@@ -1,4 +1,4 @@
-/* $NetBSD: local_passwd.c,v 1.33 2009/04/17 20:25:08 dyoung Exp $ */
+/* $NetBSD: local_passwd.c,v 1.34 2010/03/02 16:19:13 gdt Exp $ */
/*-
* Copyright (c) 1990, 1993, 1994
@@ -34,7 +34,7 @@
#if 0
static char sccsid[] = "from: @(#)local_passwd.c 8.3 (Berkeley) 4/2/94";
#else
-__RCSID("$NetBSD: local_passwd.c,v 1.33 2009/04/17 20:25:08 dyoung Exp $");
+__RCSID("$NetBSD: local_passwd.c,v 1.34 2010/03/02 16:19:13 gdt Exp $");
#endif
#endif /* not lint */
@@ -53,6 +53,7 @@
#include <unistd.h>
#include <util.h>
#include <login_cap.h>
+#include <syslog.h>
#include "extern.h"
@@ -72,6 +73,10 @@
strcmp(crypt(getpass("Old password:"), pw->pw_passwd),
pw->pw_passwd)) {
errno = EACCES;
+ syslog(LOG_AUTH | LOG_NOTICE,
+ "user %s (UID %lu) failed to change the "
+ "local password of user %s: %m",
+ pw->pw_name, (unsigned long)uid, pw->pw_name);
pw_error(NULL, 1, 1);
}
@@ -213,6 +218,11 @@
if (pw_mkdb(username, old_change == pw->pw_change) < 0)
pw_error((char *)NULL, 0, 1);
+
+ syslog(LOG_AUTH | LOG_INFO,
+ "user %s (UID %lu) successfully changed "
+ "the local password of user %s",
+ uid ? username : "root", (unsigned long)uid, username);
}
#else /* ! USE_PAM */
@@ -319,6 +329,12 @@
if (pw_mkdb(uname, old_change == pw->pw_change) < 0)
pw_error((char *)NULL, 0, 1);
+
+ syslog(LOG_AUTH | LOG_INFO,
+ "user %s (UID %lu) successfully changed "
+ "the local password of user %s",
+ uid ? uname : "root", (unsigned long)uid, uname);
+
return (0);
}
Index: src/usr.bin/passwd/pam_passwd.c
diff -u src/usr.bin/passwd/pam_passwd.c:1.4 src/usr.bin/passwd/pam_passwd.c:1.5
--- src/usr.bin/passwd/pam_passwd.c:1.4 Sun May 6 09:19:44 2007
+++ src/usr.bin/passwd/pam_passwd.c Tue Mar 2 16:19:13 2010
@@ -1,4 +1,4 @@
-/* $NetBSD: pam_passwd.c,v 1.4 2007/05/06 09:19:44 jnemeth Exp $ */
+/* $NetBSD: pam_passwd.c,v 1.5 2010/03/02 16:19:13 gdt Exp $ */
/*-
* Copyright (c) 2002 Networks Associates Technologies, Inc.
@@ -38,7 +38,7 @@
#ifdef __FreeBSD__
__FBSDID("$FreeBSD: src/usr.bin/passwd/passwd.c,v 1.23 2003/04/18 21:27:09 nectar Exp $");
#else
-__RCSID("$NetBSD: pam_passwd.c,v 1.4 2007/05/06 09:19:44 jnemeth Exp $");
+__RCSID("$NetBSD: pam_passwd.c,v 1.5 2010/03/02 16:19:13 gdt Exp $");
#endif
#include <sys/param.h>
@@ -75,6 +75,12 @@
int ch, pam_err;
char hostname[MAXHOSTNAMELEN + 1];
+ /* details about the invoking user for logging */
+ const uid_t i_uid = getuid();
+ const struct passwd *const i_pwd = getpwuid(i_uid);
+ const char *const i_username = (i_pwd && i_pwd->pw_name)
+ ? i_pwd->pw_name : "(null)";
+
while ((ch = getopt(argc, argv, "")) != -1) {
switch (ch) {
default:
@@ -116,9 +122,22 @@
/* set new password */
pam_err = pam_chauthtok(pamh, 0);
- if (pam_err != PAM_SUCCESS)
+ if (pam_err != PAM_SUCCESS) {
+ if (pam_err == PAM_PERM_DENIED) {
+ syslog(LOG_AUTH | LOG_NOTICE,
+ "user %s (UID %lu) failed to change the "
+ "PAM authentication token of user %s: %s",
+ i_username, (unsigned long)i_uid, username,
+ pam_strerror(pamh, pam_err));
+ }
printf("Unable to change auth token: %s\n",
pam_strerror(pamh, pam_err));
+ } else {
+ syslog(LOG_AUTH | LOG_INFO,
+ "user %s (UID %lu) successfully changed the "
+ "PAM authentication token of user %s",
+ i_username, (unsigned long)i_uid, username);
+ }
end:
pam_end(pamh, pam_err);
