-rw-r--r--modules/pam_unix/Makefile.am6
-rw-r--r--modules/pam_unix/audit.c45
-rw-r--r--modules/pam_unix/audit.h7
-rw-r--r--modules/pam_unix/passverify.h1
-rw-r--r--modules/pam_unix/unix_chkpwd.c38
5 files changed, 61 insertions, 36 deletions
diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am
index 4a774559..c510f87f 100644
--- a/modules/pam_unix/Makefile.am
+++ b/modules/pam_unix/Makefile.am
@@ -43,7 +43,7 @@ pam_unix_la_LIBADD = $(top_builddir)/libpam/libpam.la \
securelib_LTLIBRARIES = pam_unix.la
-noinst_HEADERS = md5.h support.h yppasswd.h bigcrypt.h passverify.h
+noinst_HEADERS = audit.h md5.h support.h yppasswd.h bigcrypt.h passverify.h
sbin_PROGRAMS = unix_chkpwd
if WITH_SELINUX
@@ -63,14 +63,14 @@ bigcrypt_SOURCES = bigcrypt.c bigcrypt_main.c
bigcrypt_CFLAGS = $(AM_CFLAGS)
bigcrypt_LDADD = @LIBCRYPT@
-unix_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c \
+unix_chkpwd_SOURCES = unix_chkpwd.c audit.c md5_good.c md5_broken.c bigcrypt.c \
passverify.c
unix_chkpwd_CFLAGS = $(AM_CFLAGS) @EXE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\"
unix_chkpwd_LDFLAGS = @EXE_LDFLAGS@
unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@
if WITH_SELINUX
-unix_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \
+unix_update_SOURCES = unix_update.c audit.c md5_good.c md5_broken.c bigcrypt.c \
passverify.c
unix_update_CFLAGS = $(AM_CFLAGS) @EXE_CFLAGS@ -DHELPER_COMPILE=\"unix_update\"
unix_update_LDFLAGS = @EXE_LDFLAGS@
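Review bot: unix_update now compiles audit.c, which under HAVE_LIBAUDIT calls audit_open(), audit_log_acct_message() and audit_close(), but only unix_chkpwd_LDADD is visible carrying @LIBAUDIT@ in this hunk; unix_update_LDADD lies just past the hunk end and must carry it too or the link fails when libaudit is enabled. If it does not already, the line should read `unix_update_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@` (the SELinux part only as the existing line has it). Worth confirming since audit.c's calls are the same in both helpers.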
diff --git a/modules/pam_unix/audit.c b/modules/pam_unix/audit.c
new file mode 100644
index 00000000..1547a652
--- /dev/null
+++ b/modules/pam_unix/audit.c
@@ -0,0 +1,45 @@
+#include "audit.h"
+
+#include "config.h"
+
+#ifdef HAVE_LIBAUDIT
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <libaudit.h>
+
+#include <security/_pam_types.h>
+
+#include "passverify.h"
+
+int audit_log(int type, const char *uname, int retval)
+{
+ int audit_fd, rc;
+
+ audit_fd = audit_open();
+ if (audit_fd < 0) {
+ /* You get these error codes only when the kernel doesn't have
+ * audit compiled in. */
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+ errno == EAFNOSUPPORT)
+ return PAM_SUCCESS;
+
+ helper_log_err(LOG_CRIT, "audit_open() failed: %m");
+ return PAM_AUTH_ERR;
+ }
+
+
+
+ rc = audit_log_acct_message(audit_fd, type, NULL, "PAM:" HELPER_COMPILE,
+ uname, -1, NULL, NULL, NULL, retval == PAM_SUCCESS);
+ if (rc == -EPERM && geteuid() != 0) {
+ rc = 0;
+ }
+
+ audit_close(audit_fd);
+
+ return rc < 0 ? PAM_AUTH_ERR : PAM_SUCCESS;
+}
+
+#endif /* HAVE_LIBAUDIT */
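Review bot: `LOG_CRIT` in the helper_log_err() call has no visible provider in this file; the includes are errno.h, unistd.h, libaudit.h, security/_pam_types.h and passverify.h, so the build now depends on one of them pulling in <syslog.h> transitively, whereas the copy removed from unix_chkpwd.c sat after that file's own include list. Add `#include <syslog.h>` beside `<unistd.h>` so the file is self-contained. The three consecutive blank lines before the audit_log_acct_message() call should collapse to one, and a short header comment would help: the function returns PAM_SUCCESS both when the record was written and when the kernel has no audit support (the EINVAL/EPROTONOSUPPORT/EAFNOSUPPORT branch), and PAM_AUTH_ERR only when audit is present but the record could not be delivered.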
diff --git a/modules/pam_unix/audit.h b/modules/pam_unix/audit.h
new file mode 100644
index 00000000..321232a1
--- /dev/null
+++ b/modules/pam_unix/audit.h
@@ -0,0 +1,7 @@
+#ifndef PAM_UNIX_AUDIT_H
+#define PAM_UNIX_AUDIT_H
+
+int
+audit_log(int type, const char *uname, int rc);
+
+#endif /* PAM_UNIX_AUDIT_H */
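Review bot: The new public prototype carries no contract and its last parameter is named `rc` while the definition in audit.c names it `retval`; since the value is the PAM result being reported (only `== PAM_SUCCESS` is passed to libaudit), use the same name in both and document it. Suggested comment above the prototype: `/* Emit an audit record of type TYPE for account UNAME; RETVAL is the PAM result being reported. Returns PAM_SUCCESS unless the record could not be written; defined only when HAVE_LIBAUDIT is set, so callers must guard the call. */` The declaration itself is unguarded, which is fine as long as every call site keeps its `#ifdef HAVE_LIBAUDIT`, as the unix_chkpwd.c hunks do. Note that `audit_` is the prefix libaudit uses for its own API (audit_open, audit_log_acct_message), so a project-specific prefix would avoid a possible future symbol clash.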
diff --git a/modules/pam_unix/passverify.h b/modules/pam_unix/passverify.h
index 9276347c..c4c8df5f 100644
--- a/modules/pam_unix/passverify.h
+++ b/modules/pam_unix/passverify.h
@@ -4,6 +4,7 @@
#include <sys/types.h>
#include <pwd.h>
+#include <shadow.h>
#include <security/pam_modules.h>
#define PAM_UNIX_RUN_HELPER PAM_CRED_INSUFFICIENT
diff --git a/modules/pam_unix/unix_chkpwd.c b/modules/pam_unix/unix_chkpwd.c
index 50570dbc..5f47133c 100644
--- a/modules/pam_unix/unix_chkpwd.c
+++ b/modules/pam_unix/unix_chkpwd.c
@@ -27,6 +27,7 @@
#include <errno.h>
#ifdef HAVE_LIBAUDIT
#include <libaudit.h>
+#include "audit.h"
#endif
#include <security/_pam_types.h>
@@ -59,35 +60,6 @@ static int _check_expiry(const char *uname)
return retval;
}
-#ifdef HAVE_LIBAUDIT
-static int _audit_log(int type, const char *uname, int rc)
-{
- int audit_fd;
-
- audit_fd = audit_open();
- if (audit_fd < 0) {
- /* You get these error codes only when the kernel doesn't have
- * audit compiled in. */
- if (errno == EINVAL || errno == EPROTONOSUPPORT ||
- errno == EAFNOSUPPORT)
- return PAM_SUCCESS;
-
- helper_log_err(LOG_CRIT, "audit_open() failed: %m");
- return PAM_AUTH_ERR;
- }
-
- rc = audit_log_acct_message(audit_fd, type, NULL, "PAM:unix_chkpwd",
- uname, -1, NULL, NULL, NULL, rc == PAM_SUCCESS);
- if (rc == -EPERM && geteuid() != 0) {
- rc = 0;
- }
-
- audit_close(audit_fd);
-
- return rc < 0 ? PAM_AUTH_ERR : PAM_SUCCESS;
-}
-#endif
-
int main(int argc, char *argv[])
{
char pass[PAM_MAX_RESP_SIZE + 1];
@@ -117,7 +89,7 @@ int main(int argc, char *argv[])
,"inappropriate use of Unix helper binary [UID=%d]"
,getuid());
#ifdef HAVE_LIBAUDIT
- _audit_log(AUDIT_ANOM_EXEC, getuidname(getuid()), PAM_SYSTEM_ERR);
+ audit_log(AUDIT_ANOM_EXEC, getuidname(getuid()), PAM_SYSTEM_ERR);
#endif
fprintf(stderr
,"This binary is not designed for running in this way\n"
@@ -157,7 +129,7 @@ int main(int argc, char *argv[])
nullok = 0;
else {
#ifdef HAVE_LIBAUDIT
- _audit_log(AUDIT_ANOM_EXEC, getuidname(getuid()), PAM_SYSTEM_ERR);
+ audit_log(AUDIT_ANOM_EXEC, getuidname(getuid()), PAM_SYSTEM_ERR);
#endif
return PAM_SYSTEM_ERR;
}
@@ -185,7 +157,7 @@ int main(int argc, char *argv[])
/* no need to log blank pass test */
#ifdef HAVE_LIBAUDIT
if (getuid() != 0)
- _audit_log(AUDIT_USER_AUTH, user, PAM_AUTH_ERR);
+ audit_log(AUDIT_USER_AUTH, user, PAM_AUTH_ERR);
#endif
helper_log_err(LOG_NOTICE, "password check failed for user (%s)", user);
}
@@ -200,7 +172,7 @@ int main(int argc, char *argv[])
} else {
if (getuid() != 0) {
#ifdef HAVE_LIBAUDIT
- return _audit_log(AUDIT_USER_AUTH, user, PAM_SUCCESS);
+ return audit_log(AUDIT_USER_AUTH, user, PAM_SUCCESS);
#else
return PAM_SUCCESS;
#endif