[PATCH app-xdm] Send a USER_LOGIN event like other Linux login programs do.
Gaetan Nadon
memsize at videotron.ca
Fri Aug 12 19:46:46 PDT 2011
From: Steve Grubb <sgrubb at redhat.com>
https://bugzilla.redhat.com/469357
PAM is a pre-requisite for Linux Audit.
The configuration will check that PAM is installed before enabling
Linux Audit.
If you configure the package without PAM (when it is installed),
Linux Audit is disabled as it cannot function.
Coauthored-by: Gaetan Nadon <memsize at videotron.ca>
Signed-off-by: Matěj Cepl <mcepl at redhat.com>
Signed-off-by: Gaetan Nadon <memsize at videotron.ca>
---
This is my version, where I work around the #define log_to_audit_system.
I also fixed the patch author name.
Please review/test until you are absolutely sure it is bug free.
configure.ac | 24 +++++++++++++++++++++++-
greeter/greet.c | 34 ++++++++++++++++++++++++++++++++++
2 files changed, 57 insertions(+), 1 deletions(-)
diff --git a/configure.ac b/configure.ac
index 0c79999..e164e20 100644
--- a/configure.ac
+++ b/configure.ac
@@ -123,6 +123,7 @@ if test "x$USE_PAM" != "xno" ; then
AC_SEARCH_LIBS([pam_open_session], [pam],
[AC_CHECK_FUNC([pam_open_session],
[AC_DEFINE(USE_PAM,1,[Use PAM for authentication])]
+ [HAVE_PAM="yes"]
)],
[AS_IF([test "x$USE_PAM" = "xyes"],
[AC_MSG_ERROR([PAM support requested, but pam_open_session not found.])]
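Review bot: `HAVE_PAM` is assigned only on the success path of this probe and is not initialised anywhere in the visible lines, so a value inherited from the environment would satisfy the later `test "x$HAVE_PAM" = "xyes"` even when the PAM check was skipped or failed. Setting `HAVE_PAM=no` before the enclosing `if test "x$USE_PAM" != "xno"` (which starts outside this hunk) would make the audit check depend only on this probe.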
@@ -145,6 +146,27 @@ if test "x$USE_SELINUX" != "xno" ; then
)
fi
+# Check for Linux Audit support
+# PAM support is required for Linux Audit
+AC_ARG_WITH(libaudit, AS_HELP_STRING([--with-libaudit],
+ [Add support for Linux Audit (default is autodetected)]),
+ [USE_LINUX_AUDIT=$withval], [USE_LINUX_AUDIT=auto])
+if test "x$USE_LINUX_AUDIT" != "xno" ; then
+ AC_CHECK_LIB(audit, audit_log_user_message,
+ [AS_IF([test "x$HAVE_PAM" = "xyes"],[],
+ [AS_IF([test "x$USE_LINUX_AUDIT" = "xauto"],
+ [AC_MSG_WARN([Linux Audit support autodetected, but PAM support not installed.])],
+ [AC_MSG_ERROR([Linux Audit support requested, but PAM support not installed.])]
+ )]
+ )]
+ [AC_DEFINE(USE_LINUX_AUDIT,1,[Use Linux Audit support])]
+ XDMGREET_LIBS="$XDMGREET_LIBS -laudit",
+ [AS_IF([test "x$USE_LINUX_AUDIT" = "xyes"],
+ [AC_MSG_ERROR([Linux Audit support requested, but audit_log_user_message not found.])]
+ )]
+ )
+fi
+
# FIXME: Find better test for which OS'es use su -m - for now, just try to
# mirror the Imakefile setting of:
# if defined(OpenBSDArchitecture) || defined(NetBSDArchitecture) || defined(FreeBSDArchitecture) || defined(DarwinArchitecture)
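Review bot: In auto mode without PAM, the `AC_MSG_WARN` branch falls through to `AC_DEFINE(USE_LINUX_AUDIT,...)` and `XDMGREET_LIBS="$XDMGREET_LIBS -laudit"`, because both sit after the inner `AS_IF` in the same action-if-found argument. The build therefore still defines the macro and links libaudit, although the description says Linux Audit is disabled in that case. Moving the define and the library addition into the `HAVE_PAM = yes` branch makes the configure result match the description. Separately, the probe looks for `audit_log_user_message` while greet.c calls `audit_log_acct_message`; probing the function actually called would catch a libaudit that lacks it at configure time instead of at link time.

```m4
if test "x$USE_LINUX_AUDIT" != "xno" ; then
    AC_CHECK_LIB(audit, audit_log_user_message,
        [AS_IF([test "x$HAVE_PAM" = "xyes"],
            [AC_DEFINE(USE_LINUX_AUDIT,1,[Use Linux Audit support])
             XDMGREET_LIBS="$XDMGREET_LIBS -laudit"],
            [AS_IF([test "x$USE_LINUX_AUDIT" = "xauto"],
                [AC_MSG_WARN([Linux Audit support autodetected, but PAM support not installed.])],
                [AC_MSG_ERROR([Linux Audit support requested, but PAM support not installed.])]
            )]
        )],
        dnl … unchanged: error when --with-libaudit=yes and the library is not found …
    )
fi
```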
@@ -171,7 +193,7 @@ AC_SUBST(SU)
# Define a configure option to locate a special file (/dev/random or /dev/urandom)
# that serves as a random or a pseudorandom number generator
-AC_ARG_WITH(random-device, AS_HELP_STRING([--with-random-device\[=<pathname>\]],
+AC_ARG_WITH(random-device, AS_HELP_STRING([--with-random-device=<pathname>],
[Use <pathname> as a source of randomness (default is auto-detected)]),
[USE_DEVICE="$withval"], [USE_DEVICE="auto"])
if test x$USE_DEVICE != xno ; then
diff --git a/greeter/greet.c b/greeter/greet.c
index 87d2a83..59e5e34 100644
--- a/greeter/greet.c
+++ b/greeter/greet.c
@@ -86,6 +86,11 @@ from The Open Group.
# endif
#endif
+#ifdef USE_LINUX_AUDIT
+#include <libaudit.h>
+#include <pwd.h>
+#endif
+
#include <string.h>
#if defined(SECURE_RPC) && defined(sun)
@@ -415,6 +420,29 @@ FailedLogin (struct display *d, const char *username)
DrawFail (login);
}
+#ifdef USE_PAM
+#ifdef USE_LINUX_AUDIT
+static void
+log_to_audit_system(const pam_handle_t *pamhp, int success)
+{
+ struct passwd *pw = NULL;
+ char *hostname = NULL, *tty = NULL, *login=NULL;
+ int audit_fd;
+
+ audit_fd = audit_open();
+ pam_get_item(pamhp, PAM_RHOST, &hostname);
+ pam_get_item(pamhp, PAM_TTY, &tty);
+ pam_get_item(pamhp, PAM_USER, &login);
+ if (login)
+ pw = getpwnam(login);
+ audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
+ NULL, "login", login ? login : "(unknown)",
+ pw ? pw->pw_uid : -1, hostname, NULL, tty, success);
+ close(audit_fd);
+}
+#endif
+#endif
+
_X_EXPORT
greet_user_rtn GreetUser(
struct display *d,
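Review bot: `audit_open()` can return -1 in `log_to_audit_system`, and the descriptor is then passed unchecked to `audit_log_acct_message` and `close`; add `if (audit_fd < 0) return;` right after the open. The return value of `audit_log_acct_message` is also discarded, so a login attempt whose audit record could not be written leaves no indication anywhere; at minimum the failure should be logged. `pam_get_item` takes a `const void **`, so declaring `hostname`, `tty` and `login` as `const void *` (or casting as the existing `(void *) &username` call does) avoids incompatible-pointer warnings. The function is complete within this hunk; `close` needs `<unistd.h>`, which is not among the headers this patch adds and may already be included elsewhere in the file.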
@@ -600,6 +628,9 @@ greet_user_rtn GreetUser(
if ((pam_error == PAM_SUCCESS) && (Verify (d, greet, verify))) {
SetPrompt (login, 1, "Login Successful", LOGIN_TEXT_INFO, False);
SetValue (login, 1, NULL);
+#ifdef USE_LINUX_AUDIT
+ log_to_audit_system(*pamhp, 1);
+#endif
break;
} else {
/* Try to fill in username for failed login error log */
@@ -611,6 +642,9 @@ greet_user_rtn GreetUser(
(void *) &username));
}
FailedLogin (d, username);
+#ifdef USE_LINUX_AUDIT
+ log_to_audit_system(*pamhp, 0);
+#endif
RUN_AND_CHECK_PAM_ERROR(pam_end,
(*pamhp, pam_error));
}
--
1.7.4.1