[PATCH 4/4] Send a USER_LOGIN event like other Linux login programs do.

Gaetan Nadon memsize at videotron.ca
Fri Aug 12 18:59:15 PDT 2011


On Wed, 2011-08-10 at 20:37 +0200, Matěj Cepl wrote:

> From: Steve Grubb <sgrubb at redhat.com>
> 
> https://bugzilla.redhat.com/469357
> 
> Thanks for help with this patch to
> "Gaetan Nadon" <memsize at videotron.ca>
> 
> Signed-off-by: Matěj Cepl <mcepl at redhat.com>
> ---
>  configure.ac    |   16 +++++++++++++++-
>  greeter/greet.c |   32 ++++++++++++++++++++++++++++++++
>  2 files changed, 47 insertions(+), 1 deletions(-)
> 
> diff --git a/configure.ac b/configure.ac
> index 0c79999..ef2302c 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -145,6 +145,20 @@ if test "x$USE_SELINUX" != "xno" ; then
>      )
>  fi
>  
> +# Check for Linux Audit support
> +AC_ARG_WITH(libaudit, AS_HELP_STRING([--with-libaudit],
> +        [Add support for Linux Audit (default is autodetected)]),
> +        [USE_LINUX_AUDIT=$withval], [USE_LINUX_AUDIT=auto])
> +if test "x$USE_LINUX_AUDIT" != "xno" ; then
> +    AC_CHECK_LIB(audit, audit_log_user_message,
> +        [AC_DEFINE(USE_LINUX_AUDIT,1,[Use Linux Audit support])]
> +        XDMGREET_LIBS="$XDMGREET_LIBS -laudit",
> +        [AS_IF([test "x$USE_LINUX_AUDIT" = "xyes"],
> +            [AC_MSG_ERROR([Linux Audit support requested, but audit_log_user_message not found.])]
> +        )]
> +    )
> +fi
> +
>  # FIXME: Find better test for which OS'es use su -m  - for now, just try to
>  # mirror the Imakefile setting of:
>  # if  defined(OpenBSDArchitecture) || defined(NetBSDArchitecture) || defined(FreeBSDArchitecture) || defined(DarwinArchitecture)
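Review bot: The macro defined on a successful probe here is `USE_LINUX_AUDIT`, but the greet.c hunks of this same patch test `HAVE_LIBAUDIT`. Because AC_CHECK_LIB is given its own action-if-found, it does not emit the default `HAVE_LIBAUDIT` define either. Unless something outside this patch defines that name, the audit function is compiled out even when libaudit is detected, and USER_LOGIN records are silently never sent. Use one name on both sides, e.g. `#ifdef USE_LINUX_AUDIT` in greet.c. The probe also looks for `audit_log_user_message` while the new code calls `audit_open` and `audit_log_acct_message`, so probing for `audit_log_acct_message` would match what is actually linked.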
> @@ -171,7 +185,7 @@ AC_SUBST(SU)
>  
>  # Define a configure option to locate a special file (/dev/random or /dev/urandom)
>  # that serves as a random or a pseudorandom number generator
> -AC_ARG_WITH(random-device, AS_HELP_STRING([--with-random-device\[=<pathname>\]],
> +AC_ARG_WITH(random-device, AS_HELP_STRING([--with-random-device=<pathname>],
>  	[Use <pathname> as a source of randomness (default is auto-detected)]),
>  	[USE_DEVICE="$withval"], [USE_DEVICE="auto"])
>  if test x$USE_DEVICE != xno ; then
> diff --git a/greeter/greet.c b/greeter/greet.c
> index 87d2a83..2d26c69 100644
> --- a/greeter/greet.c
> +++ b/greeter/greet.c
> @@ -86,6 +86,13 @@ from The Open Group.
>  # endif
>  #endif
>  
> +#ifdef HAVE_LIBAUDIT
> +#include <libaudit.h>
> +#include <pwd.h>
> +#else
> +#define log_to_audit_system(l,h,s)   do { ; } while (0)

This define seems to be dead code. There are a number of versions you
can find on the net.
The Gnome display manager has a four parameter version. In this patch
the function has two parameters. 

This Fedora patch cannot compile when libaudit is missing, a configuration that
has probably never been tried.
http://lists.fedoraproject.org/pipermail/scm-commits/2010-March/410961.html

This patch needs more work and mainly more testing. I'd be happy to help
with the configuration part, but I cannot review the C code which
appears faulty to me.


> +#endif
> +
>  #include <string.h>
>  
>  #if defined(SECURE_RPC) && defined(sun)
> @@ -415,6 +422,29 @@ FailedLogin (struct display *d, const char *username)
>      DrawFail (login);
>  }
>  
> +#ifdef USE_PAM
> +#ifdef HAVE_LIBAUDIT
> +static void
> +log_to_audit_system(const pam_handle_t *pamhp, int success)
> +{
> +	struct passwd *pw = NULL;
> +	char *hostname = NULL, *tty = NULL, *login=NULL;
> +	int audit_fd;
> +
> +	audit_fd = audit_open();
> +	pam_get_item(pamhp, PAM_RHOST, &hostname);
> +	pam_get_item(pamhp, PAM_TTY, &tty);
> +	pam_get_item(pamhp, PAM_USER, &login);
> +	if (login)
> +		pw = getpwnam(login);
> +		audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
> +			NULL, "login", login ? login : "(unknown)",
> +			pw ? pw->pw_uid : -1, hostname, NULL, tty, success);
> +	close(audit_fd);
> +}
> +#endif
> +#endif
> +
>  _X_EXPORT
>  greet_user_rtn GreetUser(
>      struct display          *d,
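Review bot: The descriptor returned by `audit_open()` in log_to_audit_system is used without a check, so if the audit socket cannot be opened the function still calls `audit_log_acct_message` and `close` on a negative fd, and the login record is lost without a trace. Add `if (audit_fd < 0) return;` right after the open, ideally after reporting the failure to xdm's error log, and check the return value of `audit_log_acct_message` as well. The `audit_log_acct_message(...)` call is indented as if it belonged to `if (login)` although it runs unconditionally; re-indent it or brace the `if` so that the unconditional logging is clearly intended. `pam_get_item` takes a `const void **`, so the three `char *` locals should be declared `const void *` or cast at the call to avoid passing an incompatible pointer type.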
> @@ -600,6 +630,7 @@ greet_user_rtn GreetUser(
>  	if ((pam_error == PAM_SUCCESS) && (Verify (d, greet, verify))) {
>  	    SetPrompt (login, 1, "Login Successful", LOGIN_TEXT_INFO, False);
>  	    SetValue (login, 1, NULL);
> +	    log_to_audit_system(*pamhp, 1);
>  	    break;
>  	} else {
>  	    /* Try to fill in username for failed login error log */
> @@ -611,6 +642,7 @@ greet_user_rtn GreetUser(
>  					 (void *) &username));
>  	    }
>  	    FailedLogin (d, username);
> +	    log_to_audit_system(*pamhp, 0);
>  	    RUN_AND_CHECK_PAM_ERROR(pam_end,
>  				    (*pamhp, pam_error));
>  	}
> -- 
> 1.7.6
> 

