improve newgrp audit patch
This commit is contained in:
parent
d58e4bd862
commit
b4dd99d31b
@ -1,7 +1,7 @@
|
|||||||
diff -urp shadow-4.1.0.orig/src/newgrp.c shadow-4.1.0/src/newgrp.c
|
diff -urp shadow-4.1.0.orig/src/newgrp.c shadow-4.1.0/src/newgrp.c
|
||||||
--- shadow-4.1.0.orig/src/newgrp.c 2007-11-18 18:15:05.000000000 -0500
|
--- shadow-4.1.0.orig/src/newgrp.c 2007-11-18 18:15:05.000000000 -0500
|
||||||
+++ shadow-4.1.0/src/newgrp.c 2008-02-12 16:45:20.000000000 -0500
|
+++ shadow-4.1.0/src/newgrp.c 2008-03-06 10:01:17.000000000 -0500
|
||||||
@@ -122,6 +122,8 @@ int main (int argc, char **argv)
|
@@ -122,6 +123,8 @@ int main (int argc, char **argv)
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef WITH_AUDIT
|
#ifdef WITH_AUDIT
|
||||||
@ -10,7 +10,7 @@ diff -urp shadow-4.1.0.orig/src/newgrp.c shadow-4.1.0/src/newgrp.c
|
|||||||
audit_help_open ();
|
audit_help_open ();
|
||||||
#endif
|
#endif
|
||||||
setlocale (LC_ALL, "");
|
setlocale (LC_ALL, "");
|
||||||
@@ -164,7 +166,7 @@ int main (int argc, char **argv)
|
@@ -164,7 +167,7 @@ int main (int argc, char **argv)
|
||||||
if (!pwd) {
|
if (!pwd) {
|
||||||
fprintf (stderr, _("unknown UID: %u\n"), getuid ());
|
fprintf (stderr, _("unknown UID: %u\n"), getuid ());
|
||||||
#ifdef WITH_AUDIT
|
#ifdef WITH_AUDIT
|
||||||
@ -19,41 +19,69 @@ diff -urp shadow-4.1.0.orig/src/newgrp.c shadow-4.1.0/src/newgrp.c
|
|||||||
getuid (), 0);
|
getuid (), 0);
|
||||||
#endif
|
#endif
|
||||||
SYSLOG ((LOG_WARN, "unknown UID %u", getuid ()));
|
SYSLOG ((LOG_WARN, "unknown UID %u", getuid ()));
|
||||||
@@ -272,8 +274,14 @@ int main (int argc, char **argv)
|
@@ -272,7 +275,13 @@ int main (int argc, char **argv)
|
||||||
if (ngroups < 0) {
|
if (ngroups < 0) {
|
||||||
perror ("getgroups");
|
perror ("getgroups");
|
||||||
#ifdef WITH_AUDIT
|
#ifdef WITH_AUDIT
|
||||||
- audit_logger (AUDIT_USER_START, Prog,
|
- audit_logger (AUDIT_USER_START, Prog,
|
||||||
- "changing", NULL, getuid (), 0);
|
|
||||||
+ if (group) {
|
+ if (group) {
|
||||||
+ snprintf(audit_buf, sizeof(audit_buf),
|
+ snprintf (audit_buf, sizeof(audit_buf),
|
||||||
+ "changing new-group=%s", group);
|
+ "changing new_group=%s", group);
|
||||||
+ audit_logger (AUDIT_CHGRP_ID, Prog,
|
+ audit_logger (AUDIT_CHGRP_ID, Prog,
|
||||||
+ audit_buf, NULL, getuid (), 0);
|
+ audit_buf, NULL, getuid (), 0);
|
||||||
+ } else
|
+ } else
|
||||||
+ audit_logger (AUDIT_CHGRP_ID, Prog,
|
+ audit_logger (AUDIT_CHGRP_ID, Prog,
|
||||||
+ "changing", NULL, getuid (), 0);
|
"changing", NULL, getuid (), 0);
|
||||||
#endif
|
#endif
|
||||||
exit (1);
|
exit (1);
|
||||||
|
@@ -394,13 +403,26 @@ int main (int argc, char **argv)
|
||||||
|
|
||||||
|
if (grp->gr_passwd[0] == '\0' ||
|
||||||
|
strcmp (cpasswd, grp->gr_passwd) != 0) {
|
||||||
|
+#ifdef WITH_AUDIT
|
||||||
|
+ snprintf (audit_buf, sizeof(audit_buf),
|
||||||
|
+ "authentication new_gid=%d",
|
||||||
|
+ grp->gr_gid);
|
||||||
|
+ audit_logger (AUDIT_GRP_AUTH, Prog,
|
||||||
|
+ audit_buf, NULL, getuid (), 0);
|
||||||
|
+#endif
|
||||||
|
SYSLOG ((LOG_INFO,
|
||||||
|
"Invalid password for group `%s' from `%s'",
|
||||||
|
group, name));
|
||||||
|
sleep (1);
|
||||||
|
- fputs (_("Invalid password."), stderr);
|
||||||
|
+ fputs (_("Invalid password.\n"), stderr);
|
||||||
|
goto failure;
|
||||||
|
}
|
||||||
|
+#ifdef WITH_AUDIT
|
||||||
|
+ snprintf (audit_buf, sizeof(audit_buf),
|
||||||
|
+ "authentication new_gid=%d", grp->gr_gid);
|
||||||
|
+ audit_logger (AUDIT_GRP_AUTH, Prog,
|
||||||
|
+ audit_buf, NULL, getuid (), 1);
|
||||||
|
+#endif
|
||||||
}
|
}
|
||||||
@@ -461,8 +469,14 @@ int main (int argc, char **argv)
|
|
||||||
fprintf (stderr, _("%s: failure forking: %s"),
|
/*
|
||||||
|
@@ -458,10 +480,16 @@ int main (int argc, char **argv)
|
||||||
|
child = fork ();
|
||||||
|
if (child < 0) {
|
||||||
|
/* error in fork() */
|
||||||
|
- fprintf (stderr, _("%s: failure forking: %s"),
|
||||||
|
+ fprintf (stderr, _("%s: failure forking: %s\n"),
|
||||||
is_newgrp ? "newgrp" : "sg", strerror (errno));
|
is_newgrp ? "newgrp" : "sg", strerror (errno));
|
||||||
#ifdef WITH_AUDIT
|
#ifdef WITH_AUDIT
|
||||||
- audit_logger (AUDIT_USER_START, Prog, "changing",
|
- audit_logger (AUDIT_USER_START, Prog, "changing",
|
||||||
- NULL, getuid (), 0);
|
|
||||||
+ if (group) {
|
+ if (group) {
|
||||||
+ snprintf(audit_buf, sizeof(audit_buf),
|
+ snprintf (audit_buf, sizeof(audit_buf),
|
||||||
+ "changing new-group=%s", group);
|
+ "changing new_group=%s", group);
|
||||||
+ audit_logger (AUDIT_CHGRP_ID, Prog,
|
+ audit_logger (AUDIT_CHGRP_ID, Prog,
|
||||||
+ audit_buf, NULL, getuid (), 0);
|
+ audit_buf, NULL, getuid (), 0);
|
||||||
+ } else
|
+ } else
|
||||||
+ audit_logger (AUDIT_CHGRP_ID, Prog, "changing",
|
+ audit_logger (AUDIT_CHGRP_ID, Prog, "changing",
|
||||||
+ NULL, getuid (), 0);
|
NULL, getuid (), 0);
|
||||||
#endif
|
#endif
|
||||||
exit (1);
|
exit (1);
|
||||||
} else if (child) {
|
@@ -531,14 +559,24 @@ int main (int argc, char **argv)
|
||||||
@@ -531,14 +545,24 @@ int main (int argc, char **argv)
|
|
||||||
* to the real UID. For root, this also sets the real GID to the
|
* to the real UID. For root, this also sets the real GID to the
|
||||||
* new group id.
|
* new group id.
|
||||||
*/
|
*/
|
||||||
@ -61,8 +89,8 @@ diff -urp shadow-4.1.0.orig/src/newgrp.c shadow-4.1.0/src/newgrp.c
|
|||||||
+ if (setgid (gid)) {
|
+ if (setgid (gid)) {
|
||||||
perror ("setgid");
|
perror ("setgid");
|
||||||
+#ifdef WITH_AUDIT
|
+#ifdef WITH_AUDIT
|
||||||
+ snprintf(audit_buf, sizeof(audit_buf),
|
+ snprintf (audit_buf, sizeof(audit_buf),
|
||||||
+ "changing new-gid=%d", gid);
|
+ "changing new_gid=%d", gid);
|
||||||
+ audit_logger (AUDIT_CHGRP_ID, Prog,
|
+ audit_logger (AUDIT_CHGRP_ID, Prog,
|
||||||
+ audit_buf, NULL, getuid (), 0);
|
+ audit_buf, NULL, getuid (), 0);
|
||||||
+#endif
|
+#endif
|
||||||
@ -74,44 +102,44 @@ diff -urp shadow-4.1.0.orig/src/newgrp.c shadow-4.1.0/src/newgrp.c
|
|||||||
#ifdef WITH_AUDIT
|
#ifdef WITH_AUDIT
|
||||||
- audit_logger (AUDIT_USER_START, Prog, "changing",
|
- audit_logger (AUDIT_USER_START, Prog, "changing",
|
||||||
- NULL, getuid (), 0);
|
- NULL, getuid (), 0);
|
||||||
+ snprintf(audit_buf, sizeof(audit_buf),
|
+ snprintf (audit_buf, sizeof(audit_buf),
|
||||||
+ "changing new-gid=%d", gid);
|
+ "changing new_gid=%d", gid);
|
||||||
+ audit_logger (AUDIT_CHGRP_ID, Prog,
|
+ audit_logger (AUDIT_CHGRP_ID, Prog,
|
||||||
+ audit_buf, NULL, getuid (), 0);
|
+ audit_buf, NULL, getuid (), 0);
|
||||||
#endif
|
#endif
|
||||||
exit (1);
|
exit (1);
|
||||||
}
|
}
|
||||||
@@ -551,8 +575,10 @@ int main (int argc, char **argv)
|
@@ -551,8 +589,10 @@ int main (int argc, char **argv)
|
||||||
closelog ();
|
closelog ();
|
||||||
execl ("/bin/sh", "sh", "-c", command, (char *) 0);
|
execl ("/bin/sh", "sh", "-c", command, (char *) 0);
|
||||||
#ifdef WITH_AUDIT
|
#ifdef WITH_AUDIT
|
||||||
- audit_logger (AUDIT_USER_START, Prog, "changing",
|
- audit_logger (AUDIT_USER_START, Prog, "changing",
|
||||||
- NULL, getuid (), 0);
|
- NULL, getuid (), 0);
|
||||||
+ snprintf(audit_buf, sizeof(audit_buf),
|
+ snprintf (audit_buf, sizeof(audit_buf),
|
||||||
+ "changing new-gid=%d", gid);
|
+ "changing new_gid=%d", gid);
|
||||||
+ audit_logger (AUDIT_CHGRP_ID, Prog,
|
+ audit_logger (AUDIT_CHGRP_ID, Prog,
|
||||||
+ audit_buf, NULL, getuid (), 0);
|
+ audit_buf, NULL, getuid (), 0);
|
||||||
#endif
|
#endif
|
||||||
perror ("/bin/sh");
|
perror ("/bin/sh");
|
||||||
exit (errno == ENOENT ? E_CMD_NOTFOUND : E_CMD_NOEXEC);
|
exit (errno == ENOENT ? E_CMD_NOTFOUND : E_CMD_NOEXEC);
|
||||||
@@ -618,7 +644,8 @@ int main (int argc, char **argv)
|
@@ -618,7 +658,8 @@ int main (int argc, char **argv)
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef WITH_AUDIT
|
#ifdef WITH_AUDIT
|
||||||
- audit_logger (AUDIT_USER_START, Prog, "changing", NULL, getuid (), 1);
|
- audit_logger (AUDIT_USER_START, Prog, "changing", NULL, getuid (), 1);
|
||||||
+ snprintf(audit_buf, sizeof(audit_buf), "changing new-gid=%d", gid);
|
+ snprintf (audit_buf, sizeof(audit_buf), "changing new_gid=%d", gid);
|
||||||
+ audit_logger (AUDIT_CHGRP_ID, Prog, audit_buf, NULL, getuid (), 1);
|
+ audit_logger (AUDIT_CHGRP_ID, Prog, audit_buf, NULL, getuid (), 1);
|
||||||
#endif
|
#endif
|
||||||
/*
|
/*
|
||||||
* Exec the login shell and go away. We are trying to get back to
|
* Exec the login shell and go away. We are trying to get back to
|
||||||
@@ -641,7 +668,14 @@ int main (int argc, char **argv)
|
@@ -641,7 +682,14 @@ int main (int argc, char **argv)
|
||||||
*/
|
*/
|
||||||
closelog ();
|
closelog ();
|
||||||
#ifdef WITH_AUDIT
|
#ifdef WITH_AUDIT
|
||||||
- audit_logger (AUDIT_USER_START, Prog, "changing", NULL, getuid (), 0);
|
- audit_logger (AUDIT_USER_START, Prog, "changing", NULL, getuid (), 0);
|
||||||
+ if (group) {
|
+ if (group) {
|
||||||
+ snprintf(audit_buf, sizeof(audit_buf),
|
+ snprintf (audit_buf, sizeof(audit_buf),
|
||||||
+ "changing new-group=%s", group);
|
+ "changing new_group=%s", group);
|
||||||
+ audit_logger (AUDIT_CHGRP_ID, Prog,
|
+ audit_logger (AUDIT_CHGRP_ID, Prog,
|
||||||
+ audit_buf, NULL, getuid (), 0);
|
+ audit_buf, NULL, getuid (), 0);
|
||||||
+ } else
|
+ } else
|
||||||
|
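Review bot: The new `snprintf` calls format `gid_t` values with `%d` (`"authentication new_gid=%d", grp->gr_gid` in the `@@ -394,13 +403,26 @@` hunk and `"changing new_gid=%d", gid` in the `@ -61,8 +89,8 @@`, `@ -74,44 +102,44 @@`, `@@ -551,8 +589,10 @@` and `@@ -618,7 +658,8 @@` hunks), while the same file already prints `getuid ()` with `%u`; `gid_t` is an unsigned type on the usual targets, so large GIDs would be logged as negative numbers, and the records should be written as `"changing new_gid=%u", (unsigned int) gid` and `"authentication new_gid=%u", (unsigned int) grp->gr_gid`. The `"changing new_group=%s", group` records copy the requested group name into the audit field verbatim; as far as the hunks show it originates from the command line, so a name containing whitespace or `=` would change how the record is parsed by audit tooling, and it should be encoded with libaudit's `audit_encode_nv_string` (or rejected) before being formatted. The `} else` branches that follow each `if (group) {` block hold a two-line call without braces, which does not match the braced `if` side; bracing them would keep the four copies consistent. All of these hunks sit inside `main`, whose start and end lie outside the diff, and the declaration and size of `audit_buf` are not visible here.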
@ -5,7 +5,7 @@
|
|||||||
Summary: Utilities for managing accounts and shadow password files
|
Summary: Utilities for managing accounts and shadow password files
|
||||||
Name: shadow-utils
|
Name: shadow-utils
|
||||||
Version: 4.1.0
|
Version: 4.1.0
|
||||||
Release: 4%{?dist}
|
Release: 5%{?dist}
|
||||||
Epoch: 2
|
Epoch: 2
|
||||||
URL: http://pkg-shadow.alioth.debian.org/
|
URL: http://pkg-shadow.alioth.debian.org/
|
||||||
Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2
|
Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2
|
||||||
@ -22,6 +22,7 @@ Patch6: shadow-4.0.18.1-findNewUidOnce.patch
|
|||||||
Patch7: shadow-4.0.18.1-mtime.patch
|
Patch7: shadow-4.0.18.1-mtime.patch
|
||||||
Patch8: shadow-4.1.0-audit-newgrp.patch
|
Patch8: shadow-4.1.0-audit-newgrp.patch
|
||||||
Patch9: shadow-4.1.0-segfault.patch
|
Patch9: shadow-4.1.0-segfault.patch
|
||||||
|
Patch10: shadow-4.1.0-fasterReset.patch
|
||||||
|
|
||||||
License: BSD
|
License: BSD
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
@ -56,6 +57,7 @@ are used for managing group accounts.
|
|||||||
%patch7 -p1 -b .mtime
|
%patch7 -p1 -b .mtime
|
||||||
%patch8 -p1 -b .auditNewgrp
|
%patch8 -p1 -b .auditNewgrp
|
||||||
%patch9 -p1 -b .segfault
|
%patch9 -p1 -b .segfault
|
||||||
|
%patch10 -p1 -b .fasterReset
|
||||||
|
|
||||||
rm po/*.gmo
|
rm po/*.gmo
|
||||||
rm po/stamp-po
|
rm po/stamp-po
|
||||||
@ -195,6 +197,9 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
%{_mandir}/man8/vigr.8*
|
%{_mandir}/man8/vigr.8*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Mar 07 2008 Peter Vrabec <pvrabec@redhat.com> 2:4.1.0-5
|
||||||
|
- improve newgrp audit patch
|
||||||
|
|
||||||
* Mon Mar 03 2008 Peter Vrabec <pvrabec@redhat.com> 2:4.1.0-4
|
* Mon Mar 03 2008 Peter Vrabec <pvrabec@redhat.com> 2:4.1.0-4
|
||||||
- fix selinux labeling (#433757)
|
- fix selinux labeling (#433757)
|
||||||
|
|
||||||