On Wed, 2011-08-10 at 20:37 +0200, Matěj Cepl wrote:

> From: Steve Grubb <[email protected]>
> 
> https://bugzilla.redhat.com/469357
> 
> Thanks for help with this patch to
> "Gaetan Nadon" <[email protected]>
> 

Thanks for your patience. I noticed that logging to audit will only work
if PAM is available. When a user configures --with-libaudit but PAM is
not installed, Linux Audit won't work, and there is no way for the user
to figure out why. I'll work out an additional check tomorrow and post
it. The configuration should abort if libaudit is requested (=yes) but
libpam is missing.


> Signed-off-by: Matěj Cepl <[email protected]>
> ---
>  configure.ac    |   16 +++++++++++++++-
>  greeter/greet.c |   32 ++++++++++++++++++++++++++++++++
>  2 files changed, 47 insertions(+), 1 deletions(-)
> 
> diff --git a/configure.ac b/configure.ac
> index 0c79999..ef2302c 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -145,6 +145,20 @@ if test "x$USE_SELINUX" != "xno" ; then
>      )
>  fi
>  
> +# Check for Linux Audit support
> +AC_ARG_WITH(libaudit, AS_HELP_STRING([--with-libaudit],
> +        [Add support for Linux Audit (default is autodetected)]),
> +        [USE_LINUX_AUDIT=$withval], [USE_LINUX_AUDIT=auto])
> +if test "x$USE_LINUX_AUDIT" != "xno" ; then
> +    AC_CHECK_LIB(audit, audit_log_user_message,
> +        [AC_DEFINE(USE_LINUX_AUDIT,1,[Use Linux Audit support])]
> +        XDMGREET_LIBS="$XDMGREET_LIBS -laudit",
> +        [AS_IF([test "x$USE_LINUX_AUDIT" = "xyes"],
> +            [AC_MSG_ERROR([Linux Audit support requested, but 
> audit_log_user_message not found.])]
> +        )]
> +    )
> +fi
> +
>  # FIXME: Find better test for which OS'es use su -m  - for now, just try to
>  # mirror the Imakefile setting of:
>  # if  defined(OpenBSDArchitecture) || defined(NetBSDArchitecture) || 
> defined(FreeBSDArchitecture) || defined(DarwinArchitecture)
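Review bot: The C side tests `HAVE_LIBAUDIT` (greet.c adds `#ifdef HAVE_LIBAUDIT` in two places) but this hunk only defines `USE_LINUX_AUDIT`; because AC_CHECK_LIB is given an explicit action-if-found, autoconf does not emit its default `HAVE_LIBAUDIT` define, so the audit code is never compiled in while `-laudit` is still linked. Either change the define to `AC_DEFINE(HAVE_LIBAUDIT,1,[Use Linux Audit support])` or test `USE_LINUX_AUDIT` in greet.c, and keep the two names in one place so they cannot drift again. The probe also looks for `audit_log_user_message` while greet.c calls `audit_log_acct_message`; probing the function actually used makes the check meaningful on a libaudit that has one but not the other.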
> @@ -171,7 +185,7 @@ AC_SUBST(SU)
>  
>  # Define a configure option to locate a special file (/dev/random or 
> /dev/urandom)
>  # that serves as a random or a pseudorandom number generator
> -AC_ARG_WITH(random-device, 
> AS_HELP_STRING([--with-random-device\[=<pathname>\]],
> +AC_ARG_WITH(random-device, AS_HELP_STRING([--with-random-device=<pathname>],
>       [Use <pathname> as a source of randomness (default is auto-detected)]),
>       [USE_DEVICE="$withval"], [USE_DEVICE="auto"])
>  if test x$USE_DEVICE != xno ; then
> diff --git a/greeter/greet.c b/greeter/greet.c
> index 87d2a83..2d26c69 100644
> --- a/greeter/greet.c
> +++ b/greeter/greet.c
> @@ -86,6 +86,13 @@ from The Open Group.
>  # endif
>  #endif
>  
> +#ifdef HAVE_LIBAUDIT
> +#include <libaudit.h>
> +#include <pwd.h>
> +#else
> +#define log_to_audit_system(l,h,s)   do { ; } while (0)
> +#endif
> +
>  #include <string.h>
>  
>  #if defined(SECURE_RPC) && defined(sun)
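Review bot: The fallback on the `#define log_to_audit_system(l,h,s)` line takes three parameters, but both call sites added later in this patch (`log_to_audit_system(*pamhp, 1)` and `log_to_audit_system(*pamhp, 0)`) pass two arguments, so a build without HAVE_LIBAUDIT fails with a macro argument-count error before anything else is reached. The stub should mirror the real function's arity: `#define log_to_audit_system(h,s) do { ; } while (0)`. The real function also calls `close()` on the audit descriptor, which needs `<unistd.h>`; that is fine if greet.c already pulls it in elsewhere, which I cannot see from this hunk.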
> @@ -415,6 +422,29 @@ FailedLogin (struct display *d, const char *username)
>      DrawFail (login);
>  }
>  
> +#ifdef USE_PAM
> +#ifdef HAVE_LIBAUDIT
> +static void
> +log_to_audit_system(const pam_handle_t *pamhp, int success)
> +{
> +     struct passwd *pw = NULL;
> +     char *hostname = NULL, *tty = NULL, *login=NULL;
> +     int audit_fd;
> +
> +     audit_fd = audit_open();
> +     pam_get_item(pamhp, PAM_RHOST, &hostname);
> +     pam_get_item(pamhp, PAM_TTY, &tty);
> +     pam_get_item(pamhp, PAM_USER, &login);
> +     if (login)
> +             pw = getpwnam(login);
> +             audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
> +                     NULL, "login", login ? login : "(unknown)",
> +                     pw ? pw->pw_uid : -1, hostname, NULL, tty, success);
> +     close(audit_fd);
> +}
> +#endif
> +#endif
> +
>  _X_EXPORT
>  greet_user_rtn GreetUser(
>      struct display          *d,
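Review bot: `audit_open()` on the `audit_fd = audit_open();` line is never checked; it returns -1 when the kernel has no audit support or the caller lacks permission, and the code then hands -1 to `audit_log_acct_message` and `close`, silently dropping the login record. Returning early on `audit_fd < 0` (or reporting it through the greeter's existing error logging) makes the failure visible instead of losing the event. The indentation of the `audit_log_acct_message` call suggests it belongs to `if (login)`, but it runs unconditionally, which is the right behaviour since a failed attempt with no username is still worth recording, so brace the `if` and outdent the call to say so. The `pam_get_item` calls pass `char **` where the PAM API takes `const void **`; the code already in this file casts (`(void *) &username`), and the new calls should follow that convention.
```c
static void
log_to_audit_system(const pam_handle_t *pamhp, int success)
{
    struct passwd *pw = NULL;
    const char *hostname = NULL, *tty = NULL, *login = NULL;
    int audit_fd;

    audit_fd = audit_open();
    if (audit_fd < 0) {
        /* no audit subsystem, or not permitted to write to it: nothing we can record */
        return;
    }
    /* items are owned by the PAM handle and may legitimately be NULL */
    pam_get_item(pamhp, PAM_RHOST, (const void **) &hostname);
    pam_get_item(pamhp, PAM_TTY, (const void **) &tty);
    pam_get_item(pamhp, PAM_USER, (const void **) &login);
    if (login) {
        pw = getpwnam(login);
    }
    /* logged unconditionally: a failed attempt with no username is still an event */
    audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
                           NULL, "login", login ? login : "(unknown)",
                           pw ? pw->pw_uid : -1, hostname, NULL, tty, success);
    close(audit_fd);
}
```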
> @@ -600,6 +630,7 @@ greet_user_rtn GreetUser(
>       if ((pam_error == PAM_SUCCESS) && (Verify (d, greet, verify))) {
>           SetPrompt (login, 1, "Login Successful", LOGIN_TEXT_INFO, False);
>           SetValue (login, 1, NULL);
> +         log_to_audit_system(*pamhp, 1);
>           break;
>       } else {
>           /* Try to fill in username for failed login error log */
> @@ -611,6 +642,7 @@ greet_user_rtn GreetUser(
>                                        (void *) &username));
>           }
>           FailedLogin (d, username);
> +         log_to_audit_system(*pamhp, 0);
>           RUN_AND_CHECK_PAM_ERROR(pam_end,
>                                   (*pamhp, pam_error));
>       }
> -- 
> 1.7.6
> 


