[PATCH 4/4] Send a USER_LOGIN event like other Linux login programs do.

Gaetan Nadon memsize at videotron.ca
Thu Aug 11 19:23:57 PDT 2011


On Wed, 2011-08-10 at 20:37 +0200, Matěj Cepl wrote:

> From: Steve Grubb <sgrubb at redhat.com>
> 
> https://bugzilla.redhat.com/469357
> 
> Thanks for help with this patch to
> "Gaetan Nadon" <memsize at videotron.ca>
> 

Thanks for your patience. I noticed that the log to audit will only work
if PAM is available.
When a user configures --with-libaudit but PAM is not installed, Linux
Audit won't work
and there is no way for the user to figure out why. I'll figure out an
additional check tomorrow
and post it. The configuration should abort if libaudit is requested
(=yes) but libpam is missing.


> Signed-off-by: Matěj Cepl <mcepl at redhat.com>
> ---
>  configure.ac    |   16 +++++++++++++++-
>  greeter/greet.c |   32 ++++++++++++++++++++++++++++++++
>  2 files changed, 47 insertions(+), 1 deletions(-)
> 
> diff --git a/configure.ac b/configure.ac
> index 0c79999..ef2302c 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -145,6 +145,20 @@ if test "x$USE_SELINUX" != "xno" ; then
>      )
>  fi
>  
> +# Check for Linux Audit support
> +AC_ARG_WITH(libaudit, AS_HELP_STRING([--with-libaudit],
> +        [Add support for Linux Audit (default is autodetected)]),
> +        [USE_LINUX_AUDIT=$withval], [USE_LINUX_AUDIT=auto])
> +if test "x$USE_LINUX_AUDIT" != "xno" ; then
> +    AC_CHECK_LIB(audit, audit_log_user_message,
> +        [AC_DEFINE(USE_LINUX_AUDIT,1,[Use Linux Audit support])]
> +        XDMGREET_LIBS="$XDMGREET_LIBS -laudit",
> +        [AS_IF([test "x$USE_LINUX_AUDIT" = "xyes"],
> +            [AC_MSG_ERROR([Linux Audit support requested, but audit_log_user_message not found.])]
> +        )]
> +    )
> +fi
> +
>  # FIXME: Find better test for which OS'es use su -m  - for now, just try to
>  # mirror the Imakefile setting of:
>  # if  defined(OpenBSDArchitecture) || defined(NetBSDArchitecture) || defined(FreeBSDArchitecture) || defined(DarwinArchitecture)
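Review bot: The action-if-found at `[AC_DEFINE(USE_LINUX_AUDIT,1,[Use Linux Audit support])]` defines `USE_LINUX_AUDIT`, but the greeter/greet.c hunks in this same patch test `#ifdef HAVE_LIBAUDIT`. Supplying a custom action-if-found replaces AC_CHECK_LIB's default `HAVE_LIBAUDIT` define, so unless something outside this patch defines it, the audit code is never compiled and no USER_LOGIN record is emitted even with `--with-libaudit=yes`. Use one name on both sides, for example by changing the C guards to `#ifdef USE_LINUX_AUDIT`. The probe also checks `audit_log_user_message` while the new C function calls `audit_log_acct_message`; probing the symbol actually used, `AC_CHECK_LIB(audit, audit_log_acct_message,`, would catch a libaudit that lacks it at configure time rather than at link time.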
> @@ -171,7 +185,7 @@ AC_SUBST(SU)
>  
>  # Define a configure option to locate a special file (/dev/random or /dev/urandom)
>  # that serves as a random or a pseudorandom number generator
> -AC_ARG_WITH(random-device, AS_HELP_STRING([--with-random-device\[=<pathname>\]],
> +AC_ARG_WITH(random-device, AS_HELP_STRING([--with-random-device=<pathname>],
>  	[Use <pathname> as a source of randomness (default is auto-detected)]),
>  	[USE_DEVICE="$withval"], [USE_DEVICE="auto"])
>  if test x$USE_DEVICE != xno ; then
> diff --git a/greeter/greet.c b/greeter/greet.c
> index 87d2a83..2d26c69 100644
> --- a/greeter/greet.c
> +++ b/greeter/greet.c
> @@ -86,6 +86,13 @@ from The Open Group.
>  # endif
>  #endif
>  
> +#ifdef HAVE_LIBAUDIT
> +#include <libaudit.h>
> +#include <pwd.h>
> +#else
> +#define log_to_audit_system(l,h,s)   do { ; } while (0)
> +#endif
> +
>  #include <string.h>
>  
>  #if defined(SECURE_RPC) && defined(sun)
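Review bot: The fallback `#define log_to_audit_system(l,h,s)   do { ; } while (0)` takes three arguments, but both call sites added in GreetUser pass two (`log_to_audit_system(*pamhp, 1)` and `log_to_audit_system(*pamhp, 0)`), so a build without HAVE_LIBAUDIT fails in the preprocessor. The stub should mirror the real function: `#define log_to_audit_system(p,s)   do { ; } while (0)`. The stub is also selected by HAVE_LIBAUDIT alone, while the real function is guarded by both USE_PAM and HAVE_LIBAUDIT, so a libaudit build without PAM gets neither definition. Whether the call sites sit inside a USE_PAM region is not visible in these hunks. The new function calls `close()`, and no `<unistd.h>` include is added here; it may already be present elsewhere in the file.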
> @@ -415,6 +422,29 @@ FailedLogin (struct display *d, const char *username)
>      DrawFail (login);
>  }
>  
> +#ifdef USE_PAM
> +#ifdef HAVE_LIBAUDIT
> +static void
> +log_to_audit_system(const pam_handle_t *pamhp, int success)
> +{
> +	struct passwd *pw = NULL;
> +	char *hostname = NULL, *tty = NULL, *login=NULL;
> +	int audit_fd;
> +
> +	audit_fd = audit_open();
> +	pam_get_item(pamhp, PAM_RHOST, &hostname);
> +	pam_get_item(pamhp, PAM_TTY, &tty);
> +	pam_get_item(pamhp, PAM_USER, &login);
> +	if (login)
> +		pw = getpwnam(login);
> +		audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
> +			NULL, "login", login ? login : "(unknown)",
> +			pw ? pw->pw_uid : -1, hostname, NULL, tty, success);
> +	close(audit_fd);
> +}
> +#endif
> +#endif
> +
>  _X_EXPORT
>  greet_user_rtn GreetUser(
>      struct display          *d,
> @@ -600,6 +630,7 @@ greet_user_rtn GreetUser(
>  	if ((pam_error == PAM_SUCCESS) && (Verify (d, greet, verify))) {
>  	    SetPrompt (login, 1, "Login Successful", LOGIN_TEXT_INFO, False);
>  	    SetValue (login, 1, NULL);
> +	    log_to_audit_system(*pamhp, 1);
>  	    break;
>  	} else {
>  	    /* Try to fill in username for failed login error log */
> @@ -611,6 +642,7 @@ greet_user_rtn GreetUser(
>  					 (void *) &username));
>  	    }
>  	    FailedLogin (d, username);
> +	    log_to_audit_system(*pamhp, 0);
>  	    RUN_AND_CHECK_PAM_ERROR(pam_end,
>  				    (*pamhp, pam_error));
>  	}
> -- 
> 1.7.6
> 

