[PATCH 2/4] Send a USER_LOGIN event like other Linux login programs do.

Gaetan Nadon memsize at videotron.ca
Mon Aug 8 18:57:57 PDT 2011


On Tue, 2011-08-09 at 02:46 +0200, Matěj Cepl wrote:

> https://bugzilla.redhat.com/469357
> Patch by Steve Grubb <sgrubb at redhat dot com>
> 
> Signed-off-by: Matěj Cepl <mcepl at redhat.com>
> ---
>  configure.ac    |   22 ++++++++++++++++++++++
>  greeter/greet.c |   32 ++++++++++++++++++++++++++++++++
>  2 files changed, 54 insertions(+), 0 deletions(-)
> 
> Index: xdm.git/configure.ac
> ===================================================================
> --- xdm.git.orig/configure.ac
> +++ xdm.git/configure.ac
> @@ -145,6 +145,28 @@ if test "x$USE_SELINUX" != "xno" ; then
>      )
>  fi
>  
> +AC_ARG_WITH(libaudit, AS_HELP_STRING([--with-libaudit=<auto/yes/no>],


I have never seen this auto/yes/no string anywhere in xorg before.
Users are not invited to type "yes" or "no" (although they can); they type
--with-libaudit or --without-libaudit, or nothing for autodetection.

To make everyone's life easy, just copy a similar option like
PAM/SELinux above, which seems to follow the same pattern and has been
cleaned up and reviewed a little while ago:


        # Check for Linux Audit support
        AC_ARG_WITH(libaudit, AS_HELP_STRING([--with-libaudit],
        	[Add support for Linux Audit (default is autodetected)]),
        	[USE_LINUX_AUDIT=$withval], [USE_LINUX_AUDIT=auto])
        if test "x$USE_LINUX_AUDIT" != "xno" ; then
        
        [...] Sorry I can't complete and test the code, but you get the idea.
        fi
        [...] 

One question, is it wise to enable Linux Audit by default if the library
is installed? Will its use have any distracting effects for those who
don't know anything about it and don't even know they have it installed?
Like myself :-)



> +	[Add Linux audit support (default=auto)]),
> +    [],	[with_libaudit=auto])
> +
> +# Check for Linux auditing API
> +#
> +# libaudit detection
> +if test x$with_libaudit = xno ; then
> +    have_libaudit=no;
> +else
> +    # See if we have audit daemon library
> +    AC_CHECK_LIB(audit, audit_log_user_message,
> +                 have_libaudit=yes, have_libaudit=no)
> +fi
> +
> +AM_CONDITIONAL(HAVE_LIBAUDIT, test x$have_libaudit = xyes)
> +
> +if test x$have_libaudit = xyes ; then
> +    XDMGREET_LIBS="$XDMGREET_LIBS -laudit"
> +    AC_DEFINE(HAVE_LIBAUDIT,1,[linux audit support])
> +fi
> +
>  # FIXME: Find better test for which OS'es use su -m  - for now, just try to
>  # mirror the Imakefile setting of:
>  # if  defined(OpenBSDArchitecture) || defined(NetBSDArchitecture) || defined(FreeBSDArchitecture) || defined(DarwinArchitecture)
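Review bot: An explicit `--with-libaudit` (value `yes`) is not honoured when the library is missing: the failure branch of `AC_CHECK_LIB` only sets `have_libaudit=no`, so configure succeeds and the greeter is built without login auditing although it was requested. Fail in that case, e.g. `test "x$with_libaudit" = xyes && AC_MSG_ERROR([--with-libaudit given but libaudit not found])`, before falling back to `have_libaudit=no`. The probe also looks for `audit_log_user_message`, whereas greet.c in this patch calls `audit_open` and `audit_log_acct_message`; probing for `audit_log_acct_message` would match what is actually linked. The `test x$with_libaudit` and `test x$have_libaudit` comparisons are unquoted, unlike the `"x$USE_SELINUX"` test in the context line at the top of the hunk.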
> @@ -171,7 +193,7 @@ AC_SUBST(SU)
>  
>  # Define a configure option to locate a special file (/dev/random or /dev/urandom)
>  # that serves as a random or a pseudorandom number generator
> -AC_ARG_WITH(random-device, AS_HELP_STRING([--with-random-device\[=<pathname>\]],
> +AC_ARG_WITH(random-device, AS_HELP_STRING([--with-random-device=<pathname>],
>  	[Use <pathname> as a source of randomness (default is auto-detected)]),
>  	[USE_DEVICE="$withval"], [USE_DEVICE="auto"])
>  if test x$USE_DEVICE != xno ; then
> Index: xdm.git/greeter/greet.c
> ===================================================================
> --- xdm.git.orig/greeter/greet.c
> +++ xdm.git/greeter/greet.c
> @@ -86,6 +86,13 @@ from The Open Group.
>  # endif
>  #endif
>  
> +#ifdef HAVE_LIBAUDIT
> +#include <libaudit.h>
> +#include <pwd.h>
> +#else
> +#define log_to_audit_system(l,h,s)   do { ; } while (0)
> +#endif
> +
>  #include <string.h>
>  
>  #if defined(SECURE_RPC) && defined(sun)
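Review bot: The fallback macro `log_to_audit_system(l,h,s)` takes three parameters, but both call sites added to GreetUser pass two (`log_to_audit_system(*pamhp, 1)` and `log_to_audit_system(*pamhp, 0)`), so a build without HAVE_LIBAUDIT stops at the preprocessor with an argument-count error. Give the stub the same arity as the function: `#define log_to_audit_system(pamhp, success) do { } while (0)`. The real function is additionally wrapped in `#ifdef USE_PAM`, so a HAVE_LIBAUDIT build without PAM gets neither the function nor the macro. The call sites look like PAM-only code (they use `pamhp`), but their enclosing `#ifdef` lies outside the hunks shown, so that should be confirmed.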
> @@ -415,6 +422,29 @@ FailedLogin (struct display *d, const ch
>      DrawFail (login);
>  }
>  
> +#ifdef USE_PAM
> +#ifdef HAVE_LIBAUDIT
> +static void
> +log_to_audit_system(const pam_handle_t *pamhp, int success)
> +{
> +	struct passwd *pw = NULL;
> +	char *hostname = NULL, *tty = NULL, *login=NULL;
> +	int audit_fd;
> +
> +	audit_fd = audit_open();
> +	pam_get_item(pamhp, PAM_RHOST, &hostname);
> +	pam_get_item(pamhp, PAM_TTY, &tty);
> +	pam_get_item(pamhp, PAM_USER, &login);
> +	if (login)
> +		pw = getpwnam(login);
> +	audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
> +		NULL, "login", login ? login : "(unknown)",
> +		pw ? pw->pw_uid : -1, hostname, NULL, tty, success);
> +	close(audit_fd);
> +}
> +#endif
> +#endif
> +
>  _X_EXPORT
>  greet_user_rtn GreetUser(
>      struct display          *d,
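Review bot: Nothing in `log_to_audit_system` checks that the audit record was actually written: the result of `audit_open()` is used unchecked, so on failure a negative descriptor is handed to `audit_log_acct_message()` and `close()`, and the return value of `audit_log_acct_message()` is dropped. For a login program, a silently lost USER_LOGIN record is the failure that most needs to be visible. Add `if (audit_fd < 0) return;` after the open, once the failure has been reported through xdm's error log, and report a negative return from `audit_log_acct_message()` the same way. The three `pam_get_item()` calls pass `char **` where the PAM API expects `const void **` and ignore the return code; reading each item into a `const void *` temporary and checking for `PAM_SUCCESS` avoids the incompatible-pointer warning and the use of an unset item. A short comment above the function should state what `success` means (1 = authenticated, 0 = failed attempt) and that the PAM handle must still be live, i.e. the call must come before `pam_end`.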
> @@ -600,6 +630,7 @@ greet_user_rtn GreetUser(
>  	if ((pam_error == PAM_SUCCESS) && (Verify (d, greet, verify))) {
>  	    SetPrompt (login, 1, "Login Successful", LOGIN_TEXT_INFO, False);
>  	    SetValue (login, 1, NULL);
> +	    log_to_audit_system(*pamhp, 1);
>  	    break;
>  	} else {
>  	    /* Try to fill in username for failed login error log */
> @@ -611,6 +642,7 @@ greet_user_rtn GreetUser(
>  					 (void *) &username));
>  	    }
>  	    FailedLogin (d, username);
> +	    log_to_audit_system(*pamhp, 0);
>  	    RUN_AND_CHECK_PAM_ERROR(pam_end,
>  				    (*pamhp, pam_error));
>  	}

