From 71ef5e4a1c83fed2bb6f9753afc6a8a7c81ee0ba Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Wed, 16 Apr 2008 07:50:09 +0000
Subject: Relevant BUGIDs:
Purpose of commit: new feature
Commit summary:
---------------
2008-04-16 Tomas Mraz
* modules/pam_unix/Makefile.am: Link unix_chkpwd with libaudit.
* modules/pam_unix/unix_chkpwd.c(_audit_log): New function for audit.
(main): Call _audit_log() when appropriate.
---
modules/pam_unix/Makefile.am | 2 +-
modules/pam_unix/unix_chkpwd.c | 48 +++++++++++++++++++++++++++++++++++++++---
2 files changed, 46 insertions(+), 4 deletions(-)
(limited to 'modules/pam_unix')
diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am
index 61a3b0ce..c4f746c9 100644
--- a/modules/pam_unix/Makefile.am
+++ b/modules/pam_unix/Makefile.am
@@ -50,7 +50,7 @@ unix_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c \
 passverify.c
 unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\"
 unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@
-unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@
+unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@
 unix_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \
 passverify.c
diff --git a/modules/pam_unix/unix_chkpwd.c b/modules/pam_unix/unix_chkpwd.c
index 5f872d27..b4f9b3df 100644
--- a/modules/pam_unix/unix_chkpwd.c
+++ b/modules/pam_unix/unix_chkpwd.c
@@ -24,6 +24,10 @@
 #include
 #include
 #include
+#include
+#ifdef HAVE_LIBAUDIT
+#include
+#endif
 #include
 #include
@@ -54,6 +58,37 @@ static int _check_expiry(const char *uname)
 return retval;
 }
+static int _audit_log(int type, const char *uname, int rc)
+{
+#ifdef HAVE_LIBAUDIT
+ int audit_fd;
+
+ audit_fd = audit_open();
+ if (audit_fd < 0) {
+ /* You get these error codes only when the kernel doesn't have
+ * audit compiled in. */
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+ errno == EAFNOSUPPORT)
+ return PAM_SUCCESS;
+
+ helper_log_err(LOG_CRIT, "audit_open() failed: %m");
+ return PAM_AUTH_ERR;
+ }
+
+ rc = audit_log_acct_message(audit_fd, type, NULL, "PAM:unix_chkpwd",
+ uname, -1, NULL, NULL, NULL, rc == PAM_SUCCESS);
+ if (rc == -EPERM && geteuid() != 0) {
+ rc = 0;
+ }
+
+ audit_close(audit_fd);
+
+ return rc < 0 ? PAM_AUTH_ERR : PAM_SUCCESS;
+#else
+ return PAM_SUCCESS;
+#endif
+}
+
 int main(int argc, char *argv[])
 {
 char pass[MAXPASS + 1];
@@ -82,6 +117,7 @@ int main(int argc, char *argv[])
 helper_log_err(LOG_NOTICE
 ,"inappropriate use of Unix helper binary [UID=%d]"
 ,getuid());
+ _audit_log(AUDIT_ANOM_EXEC, getuidname(getuid()), PAM_SYSTEM_ERR);
 fprintf(stderr
 ,"This binary is not designed for running in this way\n"
 "-- the system administrator has been informed\n");
@@ -118,9 +154,10 @@ int main(int argc, char *argv[])
 nullok = 1;
 else if (strcmp(option, "nonull") == 0)
 nullok = 0;
- else
+ else {
+ _audit_log(AUDIT_ANOM_EXEC, getuidname(getuid()), PAM_SYSTEM_ERR);
 return PAM_SYSTEM_ERR;
-
+ }
 /* read the password from stdin (a pipe from the pam_unix module) */
 npass = read_passwords(STDIN_FILENO, 1, passwords);
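Review bot: `_audit_log` overwrites its `rc` parameter — the PAM result it is supposed to report — with the return value of `audit_log_acct_message()`, and correctness hinges on `rc == PAM_SUCCESS` being evaluated before that assignment; a separate local reads better and keeps the reported result around, e.g. `int ret = audit_log_acct_message(audit_fd, type, NULL, "PAM:unix_chkpwd", uname, -1, NULL, NULL, NULL, rc == PAM_SUCCESS);` followed by `if (ret == -EPERM && geteuid() != 0) ret = 0;` and `return ret < 0 ? PAM_AUTH_ERR : PAM_SUCCESS;`. The function also has no header comment even though callers act on its result: it should state that PAM_SUCCESS means the record was sent, the kernel has no audit support (`audit_open()` failing with EINVAL/EPROTONOSUPPORT/EAFNOSUPPORT) or libaudit is not compiled in, and that PAM_AUTH_ERR means the event could not be audited. The `-EPERM && geteuid() != 0` tolerance deserves a why-comment as well — presumably a non-setuid install where only root may send audit records — e.g. `/* not running as root (non-setuid build): the kernel refuses the record; don't fail the check for that — confirm */`.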
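Review bot: The `_audit_log(AUDIT_ANOM_EXEC, ...)` call added after the "inappropriate use" log line is compiled unconditionally, while the include hunk above pulls in a header only under `#ifdef HAVE_LIBAUDIT` and `_audit_log` itself carries an `#else` branch for builds without libaudit; `AUDIT_ANOM_EXEC` is, as far as I recall, a user-space message type defined by libaudit rather than by the kernel header, so unless one of the unconditional includes (their names are stripped in this view) supplies it, a build without libaudit fails on an undeclared identifier at this call site. Wrapping the call in `#ifdef HAVE_LIBAUDIT` / `_audit_log(AUDIT_ANOM_EXEC, getuidname(getuid()), PAM_SYSTEM_ERR);` / `#endif`, or defining fallback values for the constants next to the existing `#else` branch, keeps the non-libaudit configuration building. The same applies to the second `AUDIT_ANOM_EXEC` call in the option-parsing hunk and to the `AUDIT_USER_AUTH` calls in the final hunk. `main` starts and ends outside this hunk.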
@@ -141,11 +178,16 @@ int main(int argc, char *argv[])
 /* return pass or fail */
 if (retval != PAM_SUCCESS) {
- if (!nullok || !blankpass)
+ if (!nullok || !blankpass) {
 /* no need to log blank pass test */
+ if (getuid() != 0)
+ _audit_log(AUDIT_USER_AUTH, user, PAM_AUTH_ERR);
 helper_log_err(LOG_NOTICE, "password check failed for user (%s)",
 user);
+ }
 return PAM_AUTH_ERR;
 } else {
+ if (getuid() != 0)
+ return _audit_log(AUDIT_USER_AUTH, user, PAM_SUCCESS);
 return PAM_SUCCESS;
 }
 }
-- cgit v1.2.3
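Review bot: On the success path the helper now returns whatever `_audit_log()` returns for non-root callers, so a correct password is reported as PAM_AUTH_ERR whenever the event cannot be audited — `audit_open()` failing with an errno other than the three treated as "no audit in kernel", or a send failure while running setuid root — which turns an audit-subsystem outage into a lockout of every unprivileged login that goes through the helper, while the failure path right above ignores the audit result. If failing closed on an unauditable authentication is intended (it is what audit-mandating configurations usually require), that deserves a comment on the `return _audit_log(AUDIT_USER_AUTH, user, PAM_SUCCESS);` line, e.g. `/* fail closed: a successful check that could not be audited is reported as a failure */`; if not, log the audit error and `return PAM_SUCCESS;` regardless. The `getuid() != 0` guards are also unexplained — presumably root callers are audited by pam_unix itself, since it only delegates to the helper when it cannot read the shadow file — so a one-liner such as `/* root callers: pam_unix audits the result in-process — confirm */` would save the next reader the inference. `main` starts outside this hunk.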