[PATCH] Send a USER_LOGIN event like other Linux login programs do.
Gaetan Nadon
memsize at videotron.ca
Tue Aug 9 16:03:42 PDT 2011
On Tue, 2011-08-09 at 16:57 +0200, Matěj Cepl wrote:
> https://bugzilla.redhat.com/469357
> Patch by Steve Grubb <sgrubb at redhat dot com>
>
> Signed-off-by: Matěj Cepl <mcepl at redhat.com>
> ---
> configure.ac | 24 +++++++++++++++++++++++-
> greeter/greet.c | 32 ++++++++++++++++++++++++++++++++
> 2 files changed, 55 insertions(+), 1 deletions(-)
>
> diff --git a/configure.ac b/configure.ac
> index 0c79999..f55455a 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -145,6 +145,28 @@ if test "x$USE_SELINUX" != "xno" ; then
> )
> fi
>
> +AC_ARG_WITH(libaudit, AS_HELP_STRING([--with-libaudit],
> + [Add Linux audit support (default=auto)]),
> + [with_libaudit="$withval"], [with_libaudit=auto])
> +
> +# Check for Linux auditing API
> +#
> +# libaudit detection
> +if test x$with_libaudit = xno ; then
> + have_libaudit=no;
> +else
> + # See if we have audit daemon library
> + AC_CHECK_LIB(audit, audit_log_user_message,
> + have_libaudit=yes, have_libaudit=no)
> +fi
> +
> +AM_CONDITIONAL(HAVE_LIBAUDIT, test x$have_libaudit = xyes)
This AM_CONDITIONAL is dead code. It would be used in Makefile.am to
skip a section of the makefile (perhaps I missed it).
> +
> +if test x$have_libaudit = xyes ; then
> + XDMGREET_LIBS="$XDMGREET_LIBS -laudit"
> + AC_DEFINE(HAVE_LIBAUDIT,1,[linux audit support])
> +fi
> +
Sorry, I had some more time to look at it :-)
Assuming the default is "auto" and is acceptable for most users, there
is a missing behaviour. When a user specifies "--with-libaudit", he
really wants it. If it is not installed, there is no feedback and it
silently fails. So there is no difference between "auto" and "yes". This
is why you see statements similar to this:
AC_MSG_ERROR([Linux Audit support requested, but audit_log_user_message not found.])
This tells the user "you want libaudit, but it's nowhere to be found".
PAM and SELinux options are coded this way, it would be more consistent
to have Linux Audit option coded the same way.
This is the code I unit tested. It provides a complete implementation
for the libaudit option. Some variable names may not match the C code
patch.
# Check for Linux Audit support
AC_ARG_WITH(libaudit, AS_HELP_STRING([--with-libaudit],
[Add support for Linux Audit (default is autodetected)]),
[USE_LINUX_AUDIT=$withval], [USE_LINUX_AUDIT=auto])
if test "x$USE_LINUX_AUDIT" != "xno" ; then
AC_CHECK_LIB(audit, audit_log_user_message,
[AC_DEFINE(USE_LINUX_AUDIT,1,[Use Linux Audit support])]
XDMGREET_LIBS="$XDMGREET_LIBS -laudit",
[AS_IF([test "x$USE_LINUX_AUDIT" = "xyes"],
[AC_MSG_ERROR([Linux Audit support requested, but audit_log_user_message not found.])]
)]
)
fi
> # FIXME: Find better test for which OS'es use su -m - for now, just try to
> # mirror the Imakefile setting of:
> # if defined(OpenBSDArchitecture) || defined(NetBSDArchitecture) || defined(FreeBSDArchitecture) || defined(DarwinArchitecture)
> @@ -171,7 +193,7 @@ AC_SUBST(SU)
>
> # Define a configure option to locate a special file (/dev/random or /dev/urandom)
> # that serves as a random or a pseudorandom number generator
> -AC_ARG_WITH(random-device, AS_HELP_STRING([--with-random-device\[=<pathname>\]],
> +AC_ARG_WITH(random-device, AS_HELP_STRING([--with-random-device=<pathname>],
> [Use <pathname> as a source of randomness (default is auto-detected)]),
> [USE_DEVICE="$withval"], [USE_DEVICE="auto"])
> if test x$USE_DEVICE != xno ; then
> diff --git a/greeter/greet.c b/greeter/greet.c
> index 87d2a83..2d26c69 100644
> --- a/greeter/greet.c
> +++ b/greeter/greet.c
> @@ -86,6 +86,13 @@ from The Open Group.
> # endif
> #endif
>
> +#ifdef HAVE_LIBAUDIT
> +#include <libaudit.h>
> +#include <pwd.h>
> +#else
> +#define log_to_audit_system(l,h,s) do { ; } while (0)
> +#endif
> +
> #include <string.h>
>
> #if defined(SECURE_RPC) && defined(sun)
> @@ -415,6 +422,29 @@ FailedLogin (struct display *d, const char *username)
> DrawFail (login);
> }
>
> +#ifdef USE_PAM
> +#ifdef HAVE_LIBAUDIT
> +static void
> +log_to_audit_system(const pam_handle_t *pamhp, int success)
> +{
> + struct passwd *pw = NULL;
> + char *hostname = NULL, *tty = NULL, *login=NULL;
> + int audit_fd;
> +
> + audit_fd = audit_open();
> + pam_get_item(pamhp, PAM_RHOST, &hostname);
> + pam_get_item(pamhp, PAM_TTY, &tty);
> + pam_get_item(pamhp, PAM_USER, &login);
> + if (login)
> + pw = getpwnam(login);
> + audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
> + NULL, "login", login ? login : "(unknown)",
> + pw ? pw->pw_uid : -1, hostname, NULL, tty, success);
> + close(audit_fd);
> +}
> +#endif
> +#endif
> +
> _X_EXPORT
> greet_user_rtn GreetUser(
> struct display *d,
> @@ -600,6 +630,7 @@ greet_user_rtn GreetUser(
> if ((pam_error == PAM_SUCCESS) && (Verify (d, greet, verify))) {
> SetPrompt (login, 1, "Login Successful", LOGIN_TEXT_INFO, False);
> SetValue (login, 1, NULL);
> + log_to_audit_system(*pamhp, 1);
> break;
> } else {
> /* Try to fill in username for failed login error log */
> @@ -611,6 +642,7 @@ greet_user_rtn GreetUser(
> (void *) &username));
> }
> FailedLogin (d, username);
> + log_to_audit_system(*pamhp, 0);
> RUN_AND_CHECK_PAM_ERROR(pam_end,
> (*pamhp, pam_error));
> }
> --
> 1.7.6
>
> _______________________________________________
> xorg-devel at lists.x.org: X.Org development
> Archives: http://lists.x.org/archives/xorg-devel
> Info: http://lists.x.org/mailman/listinfo/xorg-devel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.x.org/archives/xorg-devel/attachments/20110809/cbb35ddd/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <http://lists.x.org/archives/xorg-devel/attachments/20110809/cbb35ddd/attachment-0001.pgp>
More information about the xorg-devel
mailing list