/*
*
* Permission is hereby granted, free of charge, to any person obtaining a
* copy of this software and associated documentation files (the "Software"),
* to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
* Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice (including the next
* paragraph) shall be included in all copies or substantial portions of the
* Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
* THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
* DEALINGS IN THE SOFTWARE.
*/
6417168, P3, gnome/screensaver - xscreensaver loops while trying to unlock a session for a user whose password had expired
Also ensures that Xscreensaver on Solaris only uses PAM, and never attempts
to fall back to direct use of getpwent(), which isn't audited
---
- $(PASSWD_LIBS)
+ -lbsm $(PASSWD_LIBS)
@@ -47,6 +47,8 @@
+# include <bsm/adt_event.h>
+static int replies = 0;
+
/* Some time between Red Hat 4.2 and 7.0, the words were transposed
in the various PAM_x_CRED macro names. Yay!
*/
*/
static void *suns_pam_implementation_blows = 0;
+
+
+/*
+ * audit_lock - audit entry to screenlock
+ *
+ * Entry Process running with appropriate privilege to generate
+ * audit records and real uid of the user.
+ *
+ * Exit ADT_screenlock audit record written.
+ */
+void
+audit_lock(void)
+{
+
+ /* Audit start of screen lock -- equivalent to logout ;-) */
+ {
+ return;
+ }
+ {
+ } else {
+ {
+ }
+ adt_free_event(event);
+ }
+ (void) adt_end_session(ah);
+}
+
+/*
+ * audit_unlock - audit screen unlock
+ *
+ * Entry Process running with appropriate privilege to generate
+ * audit records and real uid of the user.
+ * pam_status = PAM error code; reason for failure.
+ *
+ * Exit ADT_screenunlock audit record written.
+ */
+static void
+audit_unlock(int pam_status)
+{
+
+ {
+ "adt_start_session(ADT_screenunlock): %m");
+ return;
+ }
+ {
+ "adt_alloc_event(ADT_screenunlock): %m");
+ } else {
+ if (adt_put_event(event,
+ : ADT_FAIL_PAM + pam_status)
+ != 0)
+ {
+ "adt_put_event(ADT_screenunlock(%s): %m",
+ }
+ adt_free_event(event);
+ }
+ (void) adt_end_session(ah);
+}
+
+/*
+ * audit_passwd - audit password change
+ * Entry Process running with appropriate privilege to generate
+ * audit records and real uid of the user.
+ * pam_status = PAM error code; reason for failure.
+ *
+ * Exit ADT_passwd audit record written.
+ */
+static void
+audit_passwd(int pam_status)
+{
+
+ {
+ return;
+ }
+ {
+ } else {
+ if (adt_put_event(event,
+ : ADT_FAIL_PAM + pam_status)
+ != 0)
+ {
+ }
+ adt_free_event(event);
+ }
+ (void) adt_end_session(ah);
+}
+#endif /* sun */
/**
* This function is the PAM conversation driver. It conducts a full
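Review bot: `audit_lock` is defined with external linkage (`void audit_lock(void)`) while its siblings `audit_unlock` and `audit_passwd` are `static`, and its only visible caller is in this file; it should be `static void audit_lock(void)` so the three helpers match and no extra symbol is exported from the screensaver binary. The syslog format in `audit_unlock`, `"adt_put_event(ADT_screenunlock(%s): %m"`, is missing a closing parenthesis; `"adt_put_event(ADT_screenunlock(%s)): %m"` reads correctly when the record turns up in the log. The bare `return;` in `audit_lock`'s start-session failure path carries no log message in what is shown, unlike the `"adt_start_session(ADT_screenunlock): %m"` message in `audit_unlock`, so if none was dropped by the rendering it should log the same way, since a silently missing screenlock record is exactly what an auditor would want to notice. The doubled `*/` after the "Red Hat 4.2 and 7.0" comment looks like an artefact of how the hunk was rendered rather than part of the patch; if it is really in the file it will not compile, so worth confirming against the raw patch.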
@@ -231,6 +354,12 @@ pam_try_unlock(saver_info *si, Bool verbose_p,
fprintf (stderr, "%s: pam_start (\"%s\", \"%s\", ...) ==> %d (%s)\n",
blurb(), service, si->user,
status, PAM_STRERROR (pamh, status));
+
+#ifdef __sun
+ if (audit_flag_global) /* We want one audit lock log per lock */
+ audit_lock ();
+#endif /**sun*/
+
# endif /* HAVE_SIGTIMEDWAIT */
+ if (pam_auth_status == PAM_SUCCESS)
+ audit_flag_global = True;
+ else
+ audit_flag_global = False;
+#endif /*sun*/
+
/* Send status message to unlock dialog */
if (pam_auth_status == PAM_SUCCESS)
}
else
+ {
+ /* Only in failure of pam_acct_mgmt case we call audit */
+ audit_unlock (acct_rc);
+#endif /*sun*/
+
+ }
if (verbose_p)
sleep (1);
+ audit_passwd (chauth_rc);
+#endif /* sun */
+
if (chauth_rc != PAM_SUCCESS)
{
}
else
+ {
+ /* Only in failure of pam_setcred() case we call audit. */
+ audit_unlock (setcred_rc);
+#endif /*sun*/
+ }
if (verbose_p)
sleep (1);
+#endif
# endif
+# endif
};
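Review bot: The two-branch assignment following the `HAVE_SIGTIMEDWAIT` block, `if (pam_auth_status == PAM_SUCCESS) audit_flag_global = True; else audit_flag_global = False;`, is a Boolean written as an if/else; `audit_flag_global = (pam_auth_status == PAM_SUCCESS);` says the same in one line and makes the intent behind the earlier `if (audit_flag_global) audit_lock ();` gate (audit the lock again only after a successful unlock) easier to follow. The `#endif` trailer comments are written three ways here (`/**sun*/`, `/*sun*/`, `/* sun */`); one form such as `/* __sun */`, matching the `#ifdef __sun` opener, would keep them greppable. As their comments say, `audit_unlock (acct_rc)` and `audit_unlock (setcred_rc)` run only on the failure branches; whether the successful unlock is audited elsewhere in this function is not visible in the hunk and should be confirmed, since an unlock record with no success case leaves the audit trail one-sided. pam_try_unlock itself and the `#ifdef __sun` openers that pair with most of these `#endif`s lie outside the hunk, so the guard nesting cannot be checked from what is shown.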