chpasswd, chgpasswd: open audit when starting

This commit is contained in:
Tomas Mraz 2016-05-30 11:59:54 +02:00
parent f884cd4c94
commit abed79ee4e
2 changed files with 33 additions and 18 deletions


@ -1,6 +1,6 @@
diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c
--- shadow-4.2.1/src/chgpasswd.c.selinux-perms 2014-03-01 19:59:51.000000000 +0100 --- shadow-4.2.1/src/chgpasswd.c.selinux-perms 2014-03-01 19:59:51.000000000 +0100
+++ shadow-4.2.1/src/chgpasswd.c 2016-05-26 20:56:56.723676087 +0200 +++ shadow-4.2.1/src/chgpasswd.c 2016-05-30 11:57:53.635841186 +0200
@@ -39,6 +39,13 @@ @@ -39,6 +39,13 @@
#include <pwd.h> #include <pwd.h>
#include <stdio.h> #include <stdio.h>
@ -25,7 +25,7 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c
/* local function prototypes */ /* local function prototypes */
static void fail_exit (int code); static void fail_exit (int code);
static /*@noreturn@*/void usage (int status); static /*@noreturn@*/void usage (int status);
@@ -300,6 +310,62 @@ static void check_perms (void) @@ -300,6 +310,63 @@ static void check_perms (void)
#endif /* ACCT_TOOLS_SETUID */ #endif /* ACCT_TOOLS_SETUID */
} }
@ -44,16 +44,17 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c
+ char *buf; + char *buf;
+ +
+ if (vasprintf (&buf, fmt, ap) < 0) + if (vasprintf (&buf, fmt, ap) < 0)
+ return 0; + goto ret;
+ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, + audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
+ NULL, 0); + NULL, 0);
+ audit_close(audit_fd); + audit_close(audit_fd);
+ free(buf); + free(buf);
+ return 0; + goto ret;
+ } + }
+ +
+#endif +#endif
+ vsyslog (LOG_USER | LOG_INFO, fmt, ap); + vsyslog (LOG_USER | LOG_INFO, fmt, ap);
+ret:
+ va_end(ap); + va_end(ap);
+ return 0; + return 0;
+} +}
@ -88,7 +89,7 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c
/* /*
* open_files - lock and open the group databases * open_files - lock and open the group databases
*/ */
@@ -393,6 +459,7 @@ int main (int argc, char **argv) @@ -393,6 +460,7 @@ int main (int argc, char **argv)
const struct group *gr; const struct group *gr;
struct group newgr; struct group newgr;
@ -96,10 +97,14 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c
int errors = 0; int errors = 0;
int line = 0; int line = 0;
@@ -408,8 +475,29 @@ int main (int argc, char **argv) @@ -408,8 +476,33 @@ int main (int argc, char **argv)
OPENLOG ("chgpasswd"); OPENLOG ("chgpasswd");
+#ifdef WITH_AUDIT
+ audit_help_open ();
+#endif
+
+ /* + /*
+ * Determine the name of the user that invoked this command. This + * Determine the name of the user that invoked this command. This
+ * is really hit or miss because there are so many ways that command + * is really hit or miss because there are so many ways that command
@ -126,7 +131,7 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c
#ifdef SHADOWGRP #ifdef SHADOWGRP
is_shadow_grp = sgr_file_present (); is_shadow_grp = sgr_file_present ();
#endif #endif
@@ -536,6 +624,15 @@ int main (int argc, char **argv) @@ -536,6 +629,15 @@ int main (int argc, char **argv)
newgr.gr_passwd = cp; newgr.gr_passwd = cp;
} }
@ -144,7 +149,7 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c
* be written to the group file later, after all the * be written to the group file later, after all the
diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c
--- shadow-4.2.1/src/chpasswd.c.selinux-perms 2014-03-01 19:59:51.000000000 +0100 --- shadow-4.2.1/src/chpasswd.c.selinux-perms 2014-03-01 19:59:51.000000000 +0100
+++ shadow-4.2.1/src/chpasswd.c 2016-05-26 20:40:56.190224029 +0200 +++ shadow-4.2.1/src/chpasswd.c 2016-05-30 11:58:23.034484807 +0200
@@ -39,6 +39,13 @@ @@ -39,6 +39,13 @@
#include <pwd.h> #include <pwd.h>
#include <stdio.h> #include <stdio.h>
@ -159,7 +164,7 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c
#ifdef USE_PAM #ifdef USE_PAM
#include "pam_defs.h" #include "pam_defs.h"
#endif /* USE_PAM */ #endif /* USE_PAM */
@@ -297,6 +304,62 @@ static void check_perms (void) @@ -297,6 +304,63 @@ static void check_perms (void)
#endif /* USE_PAM */ #endif /* USE_PAM */
} }
@ -178,16 +183,17 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c
+ char *buf; + char *buf;
+ +
+ if (vasprintf (&buf, fmt, ap) < 0) + if (vasprintf (&buf, fmt, ap) < 0)
+ return 0; + goto ret;
+ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, + audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
+ NULL, 0); + NULL, 0);
+ audit_close(audit_fd); + audit_close(audit_fd);
+ free(buf); + free(buf);
+ return 0; + goto ret;
+ } + }
+ +
+#endif +#endif
+ vsyslog (LOG_USER | LOG_INFO, fmt, ap); + vsyslog (LOG_USER | LOG_INFO, fmt, ap);
+ret:
+ va_end(ap); + va_end(ap);
+ return 0; + return 0;
+} +}
@ -222,8 +228,14 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c
/* /*
* open_files - lock and open the password databases * open_files - lock and open the password databases
*/ */
@@ -407,6 +470,10 @@ int main (int argc, char **argv) @@ -405,8 +469,16 @@ int main (int argc, char **argv)
OPENLOG ("chpasswd");
+#ifdef WITH_AUDIT
+ audit_help_open ();
+#endif
+
check_perms (); check_perms ();
+#ifdef WITH_SELINUX +#ifdef WITH_SELINUX
@ -233,7 +245,7 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c
#ifdef USE_PAM #ifdef USE_PAM
if (!use_pam) if (!use_pam)
#endif /* USE_PAM */ #endif /* USE_PAM */
@@ -566,6 +633,11 @@ int main (int argc, char **argv) @@ -566,6 +638,11 @@ int main (int argc, char **argv)
newpw.pw_passwd = cp; newpw.pw_passwd = cp;
} }
@ -246,8 +258,8 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c
* The updated password file entry is then put back and will * The updated password file entry is then put back and will
* be written to the password file later, after all the * be written to the password file later, after all the
diff -up shadow-4.2.1/src/Makefile.am.selinux-perms shadow-4.2.1/src/Makefile.am diff -up shadow-4.2.1/src/Makefile.am.selinux-perms shadow-4.2.1/src/Makefile.am
--- shadow-4.2.1/src/Makefile.am.selinux-perms 2016-05-26 19:02:07.000000000 +0200 --- shadow-4.2.1/src/Makefile.am.selinux-perms 2016-05-27 16:04:00.896475284 +0200
+++ shadow-4.2.1/src/Makefile.am 2016-05-26 20:38:52.738468738 +0200 +++ shadow-4.2.1/src/Makefile.am 2016-05-27 16:04:00.899475353 +0200
@@ -84,9 +84,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID) @@ -84,9 +84,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID)
newuidmap_LDADD = $(LDADD) $(LIBSELINUX) newuidmap_LDADD = $(LDADD) $(LIBSELINUX)
newgidmap_LDADD = $(LDADD) $(LIBSELINUX) newgidmap_LDADD = $(LDADD) $(LIBSELINUX)
@ -261,8 +273,8 @@ diff -up shadow-4.2.1/src/Makefile.am.selinux-perms shadow-4.2.1/src/Makefile.am
groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
diff -up shadow-4.2.1/src/Makefile.in.selinux-perms shadow-4.2.1/src/Makefile.in diff -up shadow-4.2.1/src/Makefile.in.selinux-perms shadow-4.2.1/src/Makefile.in
--- shadow-4.2.1/src/Makefile.in.selinux-perms 2016-05-26 19:02:07.000000000 +0200 --- shadow-4.2.1/src/Makefile.in.selinux-perms 2016-05-27 16:04:00.896475284 +0200
+++ shadow-4.2.1/src/Makefile.in 2016-05-26 20:40:03.547049098 +0200 +++ shadow-4.2.1/src/Makefile.in 2016-05-27 16:04:00.899475353 +0200
@@ -521,9 +521,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID) $( @@ -521,9 +521,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID) $(
newuidmap_LDADD = $(LDADD) $(LIBSELINUX) newuidmap_LDADD = $(LDADD) $(LIBSELINUX)
newgidmap_LDADD = $(LDADD) $(LIBSELINUX) newgidmap_LDADD = $(LDADD) $(LIBSELINUX)
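Review bot: In the audit branch of the logging callback (chgpasswd.c hunk `@@ -300,6 +310,63 @@`, and identically in chpasswd.c at `@@ -297,6 +304,63 @@`) `audit_close(audit_fd)` still runs after every single message, even though the commit now opens the descriptor once at startup with `audit_help_open ()` in main; a second call into this path in the same process would hand a closed, possibly reused, descriptor to `audit_log_user_avc_message`, whose return value is also not checked. The enclosing function, the condition guarding this block and the declaration of `audit_fd` all start outside the hunk, so I cannot see whether anything reopens it between calls; if nothing does, either drop the per-message `audit_close` and close once at process exit, or at least reset it after closing, `audit_close(audit_fd); audit_fd = -1;`, and treat a `<= 0` result from `audit_log_user_avc_message` as a failed audit send that the `vsyslog` fallback below should still record. The `return 0;` → `goto ret;` replacements themselves are correct: they make `va_end(ap)` run on the early-exit paths that previously skipped it.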


@ -1,7 +1,7 @@
Summary: Utilities for managing accounts and shadow password files Summary: Utilities for managing accounts and shadow password files
Name: shadow-utils Name: shadow-utils
Version: 4.2.1 Version: 4.2.1
Release: 9%{?dist} Release: 10%{?dist}
Epoch: 2 Epoch: 2
URL: http://pkg-shadow.alioth.debian.org/ URL: http://pkg-shadow.alioth.debian.org/
Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz
@ -257,6 +257,9 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man8/vigr.8* %{_mandir}/man8/vigr.8*
%changelog %changelog
* Mon May 30 2016 Tomáš Mráz <tmraz@redhat.com> - 2:4.2.1-10
- chpasswd, chgpasswd: open audit when starting
* Thu May 26 2016 Tomáš Mráz <tmraz@redhat.com> - 2:4.2.1-9 * Thu May 26 2016 Tomáš Mráz <tmraz@redhat.com> - 2:4.2.1-9
- chgpasswd: do not remove it - chgpasswd: do not remove it
- chpasswd, chgpasswd: add selinux_check_access call (#1336902) - chpasswd, chgpasswd: add selinux_check_access call (#1336902)