From: Steve Grubb <[email protected]>

https://bugzilla.redhat.com/469357

PAM is a pre-requisite for Linux Audit.
The configuration will check that PAM is installed before enabling
Linux Audit.
If you configure the package without PAM (when it is installed),
Linux Audit is disabled as it cannot function.

Coauthored-by: Gaetan Nadon <[email protected]>
Signed-off-by: Matěj Cepl <[email protected]>
Signed-off-by: Gaetan Nadon <[email protected]>
---

This is my version, where I work around the #define log_to_audit_system.
I also fixed the patch author name.
Please review/test until you are absolutely sure it is bug free.

 configure.ac    |   24 +++++++++++++++++++++++-
 greeter/greet.c |   34 ++++++++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+), 1 deletions(-)

diff --git a/configure.ac b/configure.ac
index 0c79999..e164e20 100644
--- a/configure.ac
+++ b/configure.ac
@@ -123,6 +123,7 @@ if test "x$USE_PAM" != "xno" ; then
     AC_SEARCH_LIBS([pam_open_session], [pam],
        [AC_CHECK_FUNC([pam_open_session],
            [AC_DEFINE(USE_PAM,1,[Use PAM for authentication])]
+           [HAVE_PAM="yes"]
        )],
        [AS_IF([test "x$USE_PAM" = "xyes"],
            [AC_MSG_ERROR([PAM support requested, but pam_open_session not 
found.])]
@@ -145,6 +146,27 @@ if test "x$USE_SELINUX" != "xno" ; then
     )
 fi
 
+# Check for Linux Audit support
+# PAM support is required for Linux Audit
+AC_ARG_WITH(libaudit, AS_HELP_STRING([--with-libaudit],
+        [Add support for Linux Audit (default is autodetected)]),
+        [USE_LINUX_AUDIT=$withval], [USE_LINUX_AUDIT=auto])
+if test "x$USE_LINUX_AUDIT" != "xno" ; then
+    AC_CHECK_LIB(audit, audit_log_user_message,
+       [AS_IF([test "x$HAVE_PAM" = "xyes"],[],
+           [AS_IF([test "x$USE_LINUX_AUDIT" = "xauto"],
+               [AC_MSG_WARN([Linux Audit support autodetected, but PAM support 
not installed.])],
+               [AC_MSG_ERROR([Linux Audit support requested, but PAM support 
not installed.])]
+           )]
+       )]
+        [AC_DEFINE(USE_LINUX_AUDIT,1,[Use Linux Audit support])]
+        XDMGREET_LIBS="$XDMGREET_LIBS -laudit",
+        [AS_IF([test "x$USE_LINUX_AUDIT" = "xyes"],
+            [AC_MSG_ERROR([Linux Audit support requested, but 
audit_log_user_message not found.])]
+        )]
+    )
+fi
+
 # FIXME: Find better test for which OS'es use su -m  - for now, just try to
 # mirror the Imakefile setting of:
 # if  defined(OpenBSDArchitecture) || defined(NetBSDArchitecture) || 
defined(FreeBSDArchitecture) || defined(DarwinArchitecture)
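Review bot: The action-if-found argument of `AC_CHECK_LIB` runs `AC_DEFINE(USE_LINUX_AUDIT,...)` and `XDMGREET_LIBS="$XDMGREET_LIBS -laudit"` unconditionally after the `AS_IF`, so the autodetect path that only warns about missing PAM still defines USE_LINUX_AUDIT and links libaudit. That contradicts the description, which says audit is disabled without PAM. Moving both into the empty true branch of the PAM test fixes it: `[AS_IF([test "x$HAVE_PAM" = "xyes"], [AC_DEFINE(USE_LINUX_AUDIT,1,[Use Linux Audit support]) XDMGREET_LIBS="$XDMGREET_LIBS -laudit"],`. The probe also tests for `audit_log_user_message` while greet.c calls `audit_log_acct_message`, so a libaudit that provides the first but not the second would pass configure and fail at link time; probing the symbol actually used is safer.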
@@ -171,7 +193,7 @@ AC_SUBST(SU)
 
 # Define a configure option to locate a special file (/dev/random or 
/dev/urandom)
 # that serves as a random or a pseudorandom number generator
-AC_ARG_WITH(random-device, 
AS_HELP_STRING([--with-random-device\[=<pathname>\]],
+AC_ARG_WITH(random-device, AS_HELP_STRING([--with-random-device=<pathname>],
        [Use <pathname> as a source of randomness (default is auto-detected)]),
        [USE_DEVICE="$withval"], [USE_DEVICE="auto"])
 if test x$USE_DEVICE != xno ; then
diff --git a/greeter/greet.c b/greeter/greet.c
index 87d2a83..59e5e34 100644
--- a/greeter/greet.c
+++ b/greeter/greet.c
@@ -86,6 +86,11 @@ from The Open Group.
 # endif
 #endif
 
+#ifdef USE_LINUX_AUDIT
+#include <libaudit.h>
+#include <pwd.h>
+#endif
+
 #include <string.h>
 
 #if defined(SECURE_RPC) && defined(sun)
@@ -415,6 +420,29 @@ FailedLogin (struct display *d, const char *username)
     DrawFail (login);
 }
 
+#ifdef USE_PAM
+#ifdef USE_LINUX_AUDIT
+static void
+log_to_audit_system(const pam_handle_t *pamhp, int success)
+{
+       struct passwd *pw = NULL;
+       char *hostname = NULL, *tty = NULL, *login=NULL;
+       int audit_fd;
+
+       audit_fd = audit_open();
+       pam_get_item(pamhp, PAM_RHOST, &hostname);
+       pam_get_item(pamhp, PAM_TTY, &tty);
+       pam_get_item(pamhp, PAM_USER, &login);
+       if (login)
+               pw = getpwnam(login);
+               audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
+                       NULL, "login", login ? login : "(unknown)",
+                       pw ? pw->pw_uid : -1, hostname, NULL, tty, success);
+       close(audit_fd);
+}
+#endif
+#endif
+
 _X_EXPORT
 greet_user_rtn GreetUser(
     struct display          *d,
@@ -600,6 +628,9 @@ greet_user_rtn GreetUser(
        if ((pam_error == PAM_SUCCESS) && (Verify (d, greet, verify))) {
            SetPrompt (login, 1, "Login Successful", LOGIN_TEXT_INFO, False);
            SetValue (login, 1, NULL);
+#ifdef USE_LINUX_AUDIT
+           log_to_audit_system(*pamhp, 1);
+#endif
            break;
        } else {
            /* Try to fill in username for failed login error log */
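Review bot: The call is guarded by `#ifdef USE_LINUX_AUDIT` alone, while `log_to_audit_system` is defined only when both USE_PAM and USE_LINUX_AUDIT are set; the same applies to the failure-path call in the next hunk. configure.ac can define USE_LINUX_AUDIT on the path that only warns about missing PAM, so the guards should match the definition: `#if defined(USE_PAM) && defined(USE_LINUX_AUDIT)`. GreetUser's body starts outside this hunk, so the call may already sit inside a USE_PAM region; if so, the stricter guard is harmless and documents the dependency.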
@@ -611,6 +642,9 @@ greet_user_rtn GreetUser(
                                         (void *) &username));
            }
            FailedLogin (d, username);
+#ifdef USE_LINUX_AUDIT
+           log_to_audit_system(*pamhp, 0);
+#endif
            RUN_AND_CHECK_PAM_ERROR(pam_end,
                                    (*pamhp, pam_error));
        }
-- 
1.7.4.1
