From 71ef5e4a1c83fed2bb6f9753afc6a8a7c81ee0ba Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Wed, 16 Apr 2008 07:50:09 +0000
Subject: Relevant BUGIDs:
Purpose of commit: new feature
Commit summary:
---------------
2008-04-16 Tomas Mraz
* modules/pam_unix/Makefile.am: Link unix_chkpwd with libaudit.
* modules/pam_unix/unix_chkpwd.c(_audit_log): New function for audit.
(main): Call _audit_log() when appropriate.
---
 modules/pam_unix/unix_chkpwd.c | 48 +++++++++++++++++++++++++++++++++++++++---
 1 file changed, 45 insertions(+), 3 deletions(-)
(limited to 'modules/pam_unix/unix_chkpwd.c')
diff --git a/modules/pam_unix/unix_chkpwd.c b/modules/pam_unix/unix_chkpwd.c
index 5f872d27..b4f9b3df 100644
--- a/modules/pam_unix/unix_chkpwd.c
+++ b/modules/pam_unix/unix_chkpwd.c
@@ -24,6 +24,10 @@
 #include
 #include
 #include
+#include
+#ifdef HAVE_LIBAUDIT
+#include
+#endif
 #include
 #include
@@ -54,6 +58,37 @@ static int _check_expiry(const char *uname)
 return retval;
 }
+static int _audit_log(int type, const char *uname, int rc)
+{
+#ifdef HAVE_LIBAUDIT
+ int audit_fd;
+
+ audit_fd = audit_open();
+ if (audit_fd < 0) {
+ /* You get these error codes only when the kernel doesn't have
+ * audit compiled in. */
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+ errno == EAFNOSUPPORT)
+ return PAM_SUCCESS;
+
+ helper_log_err(LOG_CRIT, "audit_open() failed: %m");
+ return PAM_AUTH_ERR;
+ }
+
+ rc = audit_log_acct_message(audit_fd, type, NULL, "PAM:unix_chkpwd",
+ uname, -1, NULL, NULL, NULL, rc == PAM_SUCCESS);
+ if (rc == -EPERM && geteuid() != 0) {
+ rc = 0;
+ }
+
+ audit_close(audit_fd);
+
+ return rc < 0 ? PAM_AUTH_ERR : PAM_SUCCESS;
+#else
+ return PAM_SUCCESS;
+#endif
+}
+
 int main(int argc, char *argv[])
 {
 char pass[MAXPASS + 1];
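Review bot: `_audit_log` reuses its `rc` parameter for two unrelated values: it arrives as the PAM result being reported (`rc == PAM_SUCCESS` is passed as libaudit's result flag) and is then overwritten with `audit_log_acct_message`'s return code, so the `-EPERM` test and the final `rc < 0` read against a different meaning than the signature suggests; a separate local, `int ret = audit_log_acct_message(...);` with `ret` used in those two checks, keeps the meanings apart. The function also lacks a header comment stating its contract, which matters because a later hunk returns its value straight from the password-check success path: `/* Record an audit event of the given type for uname; rc is the PAM result being reported. Returns PAM_SUCCESS when the record was written or the kernel has no audit support (audit_open() fails with EINVAL/EPROTONOSUPPORT/EAFNOSUPPORT), PAM_AUTH_ERR on any other audit failure. */`. The `-EPERM` tolerance when `geteuid() != 0` is presumably there for a non-setuid build or test run and deserves a one-line comment saying so.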
@@ -82,6 +117,7 @@ int main(int argc, char *argv[])
 helper_log_err(LOG_NOTICE
 ,"inappropriate use of Unix helper binary [UID=%d]"
 ,getuid());
+ _audit_log(AUDIT_ANOM_EXEC, getuidname(getuid()), PAM_SYSTEM_ERR);
 fprintf(stderr
 ,"This binary is not designed for running in this way\n"
 "-- the system administrator has been informed\n");
@@ -118,9 +154,10 @@ int main(int argc, char *argv[])
 nullok = 1;
 else if (strcmp(option, "nonull") == 0)
 nullok = 0;
- else
+ else {
+ _audit_log(AUDIT_ANOM_EXEC, getuidname(getuid()), PAM_SYSTEM_ERR);
 return PAM_SYSTEM_ERR;
-
+ }
 /* read the password from stdin (a pipe from the pam_unix module) */
 npass = read_passwords(STDIN_FILENO, 1, passwords);
@@ -141,11 +178,16 @@ int main(int argc, char *argv[])
 /* return pass or fail */
 if (retval != PAM_SUCCESS) {
- if (!nullok || !blankpass)
+ if (!nullok || !blankpass) {
 /* no need to log blank pass test */
+ if (getuid() != 0)
+ _audit_log(AUDIT_USER_AUTH, user, PAM_AUTH_ERR);
 helper_log_err(LOG_NOTICE, "password check failed for user (%s)", user);
+ }
 return PAM_AUTH_ERR;
 } else {
+ if (getuid() != 0)
+ return _audit_log(AUDIT_USER_AUTH, user, PAM_SUCCESS);
 return PAM_SUCCESS;
 }
 }
-- cgit v1.2.3
From 8f0abb6a4553664074d27bd6c6ddea09598c7e72 Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk
Date: Sun, 22 Jun 2008 09:13:39 +0000
Subject: Relevant BUGIDs:
Purpose of commit: bugfix
Commit summary:
---------------
2008-06-22 Thorsten Kukuk
* modules/pam_unix/unix_chkpwd.c (main): Fix compiling without audit support.
* modules/pam_cracklib/pam_cracklib.8.xml: Fix typo in ucredit description (reported by Wayne Pollock )
---
 ChangeLog | 8 ++++++++
 modules/pam_cracklib/pam_cracklib.8.xml | 2 +-
 modules/pam_unix/unix_chkpwd.c | 23 ++++++++++++++++-------
 3 files changed, 25 insertions(+), 8 deletions(-)
(limited to 'modules/pam_unix/unix_chkpwd.c')
diff --git a/ChangeLog b/ChangeLog
index f01c7cec..19237f55 100644
--- a/ChangeLog
+++ b/ChangeLog
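Review bot: Both `AUDIT_ANOM_EXEC` records (the one added here and the one in the unknown-option `else {` branch of the next hunk) pass `getuidname(getuid())` as the account name while `_audit_log` hands libaudit a fixed `-1` as the numeric id; `getuidname` is not in this hunk, but if it returns NULL when the calling uid has no passwd entry, the record would identify the caller only by that `-1` and the anomaly event loses the one fact that matters, the calling UID. Consider letting `_audit_log` take the uid to report and passing `getuid()` at these two call sites instead of `-1`, so the record stays attributable when the name lookup fails. Ignoring the return value on this path is fine since the helper is already refusing to run, but a short comment, `/* best effort: we exit with an error regardless */`, would make that deliberate. main() continues outside the hunk.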
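Review bot: The two audit calls in this hunk treat an audit failure differently: on the success path `return _audit_log(AUDIT_USER_AUTH, user, PAM_SUCCESS);` turns audit_open() failing for any reason other than missing kernel support, or an unwritable record, into PAM_AUTH_ERR for a correct password, whereas on the failure path the return value is discarded. Failing closed when the event cannot be recorded is a defensible policy for an authentication helper, but nothing in the code says it is intended; a comment such as `/* fail closed: a success that cannot be audited is reported as a failure */` above the success-path call would stop a later cleanup from "fixing" it. The `getuid() != 0` guard on both calls is also undocumented — presumably a root caller is audited by the calling module itself, which should be stated (and confirmed) in a comment next to the first guard. main() starts before this hunk.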
@@ -1,3 +1,11 @@
+2008-06-22 Thorsten Kukuk
+
+ * modules/pam_unix/unix_chkpwd.c (main): Fix compiling without
+ audit support.
+
+ * modules/pam_cracklib/pam_cracklib.8.xml: Fix typo in ucredit
+ description (reported by Wayne Pollock )
+
 2008-06-19 Tomas Mraz
 * modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate):
diff --git a/modules/pam_cracklib/pam_cracklib.8.xml b/modules/pam_cracklib/pam_cracklib.8.xml
index 589e7b44..823a0bce 100644
--- a/modules/pam_cracklib/pam_cracklib.8.xml
+++ b/modules/pam_cracklib/pam_cracklib.8.xml
@@ -281,7 +281,7 @@
 than 10.
- (N > 0) This is the minimum number of upper
+ (N < 0) This is the minimum number of upper
 case letters that must be met for a new password.
diff --git a/modules/pam_unix/unix_chkpwd.c b/modules/pam_unix/unix_chkpwd.c
index b4f9b3df..61675ed2 100644
--- a/modules/pam_unix/unix_chkpwd.c
+++ b/modules/pam_unix/unix_chkpwd.c
@@ -47,7 +47,7 @@ static int _check_expiry(const char *uname)
 printf("-1\n");
 return retval;
 }
-
+
 if (spent == NULL) {
 printf("-1\n");
 return retval;
@@ -58,9 +58,9 @@ static int _check_expiry(const char *uname)
 return retval;
 }
+#ifdef HAVE_LIBAUDIT
 static int _audit_log(int type, const char *uname, int rc)
 {
-#ifdef HAVE_LIBAUDIT
 int audit_fd;
 audit_fd = audit_open();
@@ -84,10 +84,8 @@ static int _audit_log(int type, const char *uname, int rc)
 audit_close(audit_fd);
 return rc < 0 ? PAM_AUTH_ERR : PAM_SUCCESS;
-#else
- return PAM_SUCCESS;
-#endif
 }
+#endif
 int main(int argc, char *argv[])
 {
@@ -117,7 +115,9 @@ int main(int argc, char *argv[])
 helper_log_err(LOG_NOTICE
 ,"inappropriate use of Unix helper binary [UID=%d]"
 ,getuid());
+#ifdef HAVE_LIBAUDIT
 _audit_log(AUDIT_ANOM_EXEC, getuidname(getuid()), PAM_SYSTEM_ERR);
+#endif
 fprintf(stderr
 ,"This binary is not designed for running in this way\n"
 "-- the system administrator has been informed\n");
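Review bot: Wrapping the whole of `_audit_log` in `#ifdef HAVE_LIBAUDIT` drops the `#else return PAM_SUCCESS;` stub, so every call site in main now needs its own guard (the `helper_log_err` hunk below, and the option-parsing and result hunks in the next section), five `#ifdef` islands in all. The stub itself compiled without libaudit; what presumably did not is the `AUDIT_ANOM_EXEC` / `AUDIT_USER_AUTH` arguments, which come from the header that is only included under the same macro, so the call-site guards are unavoidable as long as those constants are passed through. A comment on the `#ifdef` at the definition, `/* no stub for the non-audit build: the AUDIT_* type constants only exist with libaudit, so every caller must be guarded too */`, records that reasoning for the next maintainer who is tempted to restore the stub. `_audit_log`'s body continues past this hunk.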
@@ -148,14 +148,16 @@ int main(int argc, char *argv[])
 if (strcmp(option, "chkexpiry") == 0)
 /* Check account information from the shadow file */
- return _check_expiry(argv[1]);
+ return _check_expiry(argv[1]);
 /* read the nullok/nonull option */
 else if (strcmp(option, "nullok") == 0)
 nullok = 1;
 else if (strcmp(option, "nonull") == 0)
 nullok = 0;
 else {
+#ifdef HAVE_LIBAUDIT
 _audit_log(AUDIT_ANOM_EXEC, getuidname(getuid()), PAM_SYSTEM_ERR);
+#endif
 return PAM_SYSTEM_ERR;
 }
 /* read the password from stdin (a pipe from the pam_unix module) */
@@ -180,14 +182,21 @@ int main(int argc, char *argv[])
 if (retval != PAM_SUCCESS) {
 if (!nullok || !blankpass) {
 /* no need to log blank pass test */
+#ifdef HAVE_LIBAUDIT
 if (getuid() != 0)
 _audit_log(AUDIT_USER_AUTH, user, PAM_AUTH_ERR);
+#endif
 helper_log_err(LOG_NOTICE, "password check failed for user (%s)", user);
 }
 return PAM_AUTH_ERR;
 } else {
- if (getuid() != 0)
+ if (getuid() != 0) {
+#ifdef HAVE_LIBAUDIT
 return _audit_log(AUDIT_USER_AUTH, user, PAM_SUCCESS);
+#else
+ return PAM_SUCCESS;
+#endif
+ }
 return PAM_SUCCESS;
 }
 }
-- cgit v1.2.3
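Review bot: The `#else` arm added inside `if (getuid() != 0) {` in the result hunk is dead weight: without libaudit the block reads `if (getuid() != 0) { return PAM_SUCCESS; } return PAM_SUCCESS;`. Moving the `#ifdef HAVE_LIBAUDIT` up one line so it encloses the whole `if (getuid() != 0) return _audit_log(AUDIT_USER_AUTH, user, PAM_SUCCESS);` statement, and dropping the added braces, the `#else` and the inner `return PAM_SUCCESS;`, leaves the unconditional `return PAM_SUCCESS;` that follows to serve the non-audit build, exactly as the `#ifdef` around the failure-path call earlier in the same hunk already does. main() starts before these hunks.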