/*
* Copyright (c) 2006, 2010, Oracle
and
/
or
its affiliates. All rights reserved.
*
* Permission is hereby granted, free of charge, to any person obtaining a
* copy of this software and associated documentation files (the "Software"),
* to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
*
and
/
or
sell copies of the Software, and to permit persons to whom the
* Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice (including the next
* paragraph) shall be included in all copies or substantial portions of the
* Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
* THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
* DEALINGS IN THE SOFTWARE.
*/
Fixes
for
bugs
:
5015296
,
P1
,
gnome
/
screensaver
-
xscreensaver
doesn
't audit
6417168, P3,
gnome
/
screensaver
- xscreensaver loops while trying to unlock a session for a user whose password was expired
Also ensures that Xscreensaver on Solaris only uses PAM, and never attempts
to fall back to direct use of getpwent(), which isn't audited
---
driver
/
Makefile
.
in
|
6
+-
driver
/
passwd
-
pam
.c |
158
++++++++++++++++++++++++++++++++++++++++++++++++++-
driver
/
passwd
.c |
4
+
3
files
changed
,
163
insertions
(+),
5
deletions
(-)
diff
--
git
xscreensaver
-
5.12
/
driver
/
Makefile
.
in
xscreensaver
-
5.12
/
driver
/
Makefile
.
in
19033
N/A
---
xscreensaver
-
5.12
/
driver
/
Makefile
.
in
19033
N/A
+++
xscreensaver
-
5.12
/
driver
/
Makefile
.
in
19844
N/A
@@ -
109
,
8
+
109
,
8
@@
TRUSTED_LIBS
= -
lglib
-
2.0
-
lsecdb
19844
N/A
TRUSTED_SRCS
=
trusted
-
utils
.c
19844
N/A
TRUSTED_OBJS
=
trusted
-
utils
.o
19844
N/A
19844
N/A
-
PWENT_SRCS
=
passwd
-
pwent
.c
19844
N/A
-
PWENT_OBJS
=
passwd
-
pwent
.o
19844
N/A
+
PWENT_SRCS
= #
passwd
-
pwent
.c -
Not
used
in
Solaris
builds
19844
N/A
+
PWENT_OBJS
= #
passwd
-
pwent
.o -
Not
used
in
Solaris
builds
19844
N/A
19844
N/A
KERBEROS_SRCS
=
passwd
-
kerberos
.c
19844
N/A
KERBEROS_OBJS
=
passwd
-
kerberos
.o
19033
N/A
@@ -
218
,
7
+
218
,
7
@@
PDF2JPEG_LIBS
= -
framework
Cocoa
19033
N/A
SAVER_LIBS
= $(
LIBS
) $(
X_LIBS
) $(
XMU_LIBS
) @
SAVER_LIBS
@ \
19033
N/A
$(
XDPMS_LIBS
) $(
XINERAMA_LIBS
) $(
GL_LIBS
) $(
X_PRE_LIBS
) \
19033
N/A
-
lXt
-
lX11
-
lXext
$(
X_EXTRA_LIBS
) \
19033
N/A
- $(
PASSWD_LIBS
)
19033
N/A
+ -
lbsm
$(
PASSWD_LIBS
)
19033
N/A
19033
N/A
CMD_LIBS
= $(
LIBS
) $(
X_LIBS
) \
19033
N/A
$(
X_PRE_LIBS
) -
lX11
-
lXext
$(
X_EXTRA_LIBS
)
19033
N/A
diff
--
git
xscreensaver
-
5.12
/
driver
/
passwd
-
pam
.c
xscreensaver
-
5.12
/
driver
/
passwd
-
pam
.c
19033
N/A
---
xscreensaver
-
5.12
/
driver
/
passwd
-
pam
.c
19033
N/A
+++
xscreensaver
-
5.12
/
driver
/
passwd
-
pam
.c
19033
N/A
@@ -
47
,
6
+
47
,
8
@@
19033
N/A
19033
N/A
#
ifdef
__sun
19033
N/A
#
include
<
deflt
.h>
19033
N/A
+#
include
<
bsm/adt.h
>
19033
N/A
+#
include
<
bsm/adt_event.h
>
19033
N/A
#
endif
19033
N/A
19033
N/A
extern
char
*
blurb
(
void
);
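Review bot: `bsm/adt.h` and `bsm/adt_event.h` are included here and then a second time, together with `syslog.h`, in the `#ifdef __sun` block added just before audit_lock() in the hunk at +183; the system headers are guarded, so it is harmless, but one include block is easier to keep in sync. I would keep this block, add `#include <syslog.h>` to it, and drop the three includes from the later block.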
19033
N/A
@@ -
81
,
6
+
83
,
9
@@
extern
void
unblock_sigchld
(
void
);
19033
N/A
#
undef
countof
19033
N/A
#
define
countof
(x) (
sizeof
((x))/
sizeof
(*(x)))
19033
N/A
19033
N/A
+
static
struct
pam_response
*
reply
=
0
;
/*making it global so we can free it */
19033
N/A
+
static
int
replies
=
0
;
19033
N/A
+
19033
N/A
/* Some time between Red Hat 4.2 and 7.0, the words were transposed
19033
N/A
in the various PAM_x_CRED macro names. Yay!
19033
N/A
*/
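Review bot: `reply` becomes a file-scope static whose comment says it exists so the buffer can be freed, but the hunk shows only the declarations and not the release path, so it is not visible whether every exit of the conversation (including one that fails midway) reaches that free. The `resp` strings of a PAM conversation reply are presumably the typed password in this driver, so wherever they are released they should be cleared before `free()` rather than just freed. I would replace the comment with `/* PAM conversation replies, file-scope so they can be released after the conversation; each resp string may hold the typed password and must be cleared before it is freed */`. The conversation function itself is outside this hunk.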
19033
N/A
@@ -
178
,
6
+
183
,
124
@@
Bool
pam_priv_init
(
int
argc
,
char
**
argv
,
Bool
verbose_p
);
19033
N/A
*/
19033
N/A
static
void
*
suns_pam_implementation_blows
=
0
;
19033
N/A
19033
N/A
+#
ifdef
__sun
19033
N/A
+#
include
<
syslog
.h>
19033
N/A
+#
include
<
bsm/adt.h
>
19033
N/A
+#
include
<
bsm/adt_event.h
>
19033
N/A
+
19033
N/A
+
static
Bool
audit_flag_global
=
True
;
19033
N/A
+
19033
N/A
+
/*
19033
N/A
+ * audit_lock - audit entry to screenlock
19033
N/A
+ *
19033
N/A
+ * Entry Process running with appropriate privilege to generate
19033
N/A
+ * audit records and real uid of the user.
19033
N/A
+ *
19033
N/A
+ * Exit ADT_screenlock audit record written.
19033
N/A
+ */
19033
N/A
+
void
19033
N/A
+
audit_lock
(
void
)
19033
N/A
+{
19033
N/A
+
adt_session_data_t
*
ah
;
/* audit session handle */
19033
N/A
+
adt_event_data_t
*
event
;
/* audit event handle */
19033
N/A
+
19033
N/A
+
/* Audit start of screen lock -- equivalent to logout ;-) */
19033
N/A
+
if
(
adt_start_session
(&
ah
,
NULL
,
ADT_USE_PROC_DATA
) !=
0
)
19033
N/A
+ {
19033
N/A
+
syslog
(
LOG_AUTH
|
LOG_ALERT
,
"adt_start_session: %m"
);
19033
N/A
+
return
;
19033
N/A
+ }
19033
N/A
+
if
((
event
=
adt_alloc_event
(
ah
,
ADT_screenlock
)) ==
NULL
)
19033
N/A
+ {
19033
N/A
+
syslog
(
LOG_AUTH
|
LOG_ALERT
,
"adt_alloc_event(ADT_screenlock): %m"
);
19033
N/A
+ }
else
{
19033
N/A
+
if
(
adt_put_event
(
event
,
ADT_SUCCESS
,
ADT_SUCCESS
) !=
0
)
19033
N/A
+ {
19033
N/A
+
syslog
(
LOG_AUTH
|
LOG_ALERT
,
"adt_put_event(ADT_screenlock): %m"
);
19033
N/A
+ }
19033
N/A
+
adt_free_event
(
event
);
19033
N/A
+ }
19033
N/A
+ (
void
)
adt_end_session
(
ah
);
19033
N/A
+}
19033
N/A
+
19033
N/A
+
/*
19033
N/A
+ * audit_unlock - audit screen unlock
19033
N/A
+ *
19033
N/A
+ * Entry Process running with appropriate privilege to generate
19033
N/A
+ * audit records and real uid of the user.
19033
N/A
+ * pam_status = PAM error code; reason for failure.
19033
N/A
+ *
19033
N/A
+ * Exit ADT_screenunlock audit record written.
19033
N/A
+ */
19033
N/A
+
static
void
19033
N/A
+
audit_unlock
(
int
pam_status
)
19033
N/A
+{
19033
N/A
+
adt_session_data_t
*
ah
;
/* audit session handle */
19033
N/A
+
adt_event_data_t
*
event
;
/* audit event handle */
19033
N/A
+
19033
N/A
+
if
(
adt_start_session
(&
ah
,
NULL
,
ADT_USE_PROC_DATA
) !=
0
)
19033
N/A
+ {
19033
N/A
+
syslog
(
LOG_AUTH
|
LOG_ALERT
,
19033
N/A
+
"adt_start_session(ADT_screenunlock): %m"
);
19033
N/A
+
return
;
19033
N/A
+ }
19033
N/A
+
if
((
event
=
adt_alloc_event
(
ah
,
ADT_screenunlock
)) ==
NULL
)
19033
N/A
+ {
19033
N/A
+
syslog
(
LOG_AUTH
|
LOG_ALERT
,
19033
N/A
+
"adt_alloc_event(ADT_screenunlock): %m"
);
19033
N/A
+ }
else
{
19033
N/A
+
if
(
adt_put_event
(
event
,
19033
N/A
+
pam_status
==
PAM_SUCCESS
?
ADT_SUCCESS
:
ADT_FAILURE
,
19033
N/A
+
pam_status
==
PAM_SUCCESS
?
ADT_SUCCESS
19033
N/A
+ :
ADT_FAIL_PAM
+
pam_status
)
19033
N/A
+ !=
0
)
19033
N/A
+ {
19033
N/A
+
syslog
(
LOG_AUTH
|
LOG_ALERT
,
19033
N/A
+
"adt_put_event(ADT_screenunlock(%s): %m"
,
19033
N/A
+
pam_strerror
(
NULL
,
pam_status
));
19033
N/A
+ }
19033
N/A
+
adt_free_event
(
event
);
19033
N/A
+ }
19033
N/A
+ (
void
)
adt_end_session
(
ah
);
19033
N/A
+}
19033
N/A
+
19033
N/A
+
/*
19033
N/A
+ * audit_passwd - audit password change
19033
N/A
+ * Entry Process running with appropriate privilege to generate
19033
N/A
+ * audit records and real uid of the user.
19033
N/A
+ * pam_status = PAM error code; reason for failure.
19033
N/A
+ *
19033
N/A
+ * Exit ADT_passwd audit record written.
19033
N/A
+ */
19033
N/A
+
static
void
19033
N/A
+
audit_passwd
(
int
pam_status
)
19033
N/A
+{
19033
N/A
+
adt_session_data_t
*
ah
;
/* audit session handle */
19033
N/A
+
adt_event_data_t
*
event
;
/* audit event handle */
19033
N/A
+
19033
N/A
+
if
(
adt_start_session
(&
ah
,
NULL
,
ADT_USE_PROC_DATA
) !=
0
)
19033
N/A
+ {
19033
N/A
+
syslog
(
LOG_AUTH
|
LOG_ALERT
,
"adt_start_session(ADT_passwd): %m"
);
19033
N/A
+
return
;
19033
N/A
+ }
19033
N/A
+
if
((
event
=
adt_alloc_event
(
ah
,
ADT_passwd
)) ==
NULL
)
19033
N/A
+ {
19033
N/A
+
syslog
(
LOG_AUTH
|
LOG_ALERT
,
"adt_alloc_event(ADT_passwd): %m"
);
19033
N/A
+ }
else
{
19033
N/A
+
if
(
adt_put_event
(
event
,
19033
N/A
+
pam_status
==
PAM_SUCCESS
?
ADT_SUCCESS
:
ADT_FAILURE
,
19033
N/A
+
pam_status
==
PAM_SUCCESS
?
ADT_SUCCESS
19033
N/A
+ :
ADT_FAIL_PAM
+
pam_status
)
19033
N/A
+ !=
0
)
19033
N/A
+ {
19033
N/A
+
syslog
(
LOG_AUTH
|
LOG_ALERT
,
"adt_put_event(ADT_passwd(%s): %m"
,
19033
N/A
+
pam_strerror
(
NULL
,
pam_status
));
19033
N/A
+ }
19033
N/A
+
adt_free_event
(
event
);
19033
N/A
+ }
19033
N/A
+ (
void
)
adt_end_session
(
ah
);
19033
N/A
+}
19033
N/A
+#
endif
/* sun */
19033
N/A
19033
N/A
/**
19033
N/A
* This function is the PAM conversation driver. It conducts a full
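Review bot: audit_lock(), audit_unlock() and audit_passwd() are the same start-session/alloc/put/free/end-session sequence written out three times with only the event id, the status mapping and the syslog text differing, and audit_lock() is the only one of the three declared without `static`, so it is exported from the driver. One static helper taking the event id and the PAM status keeps the three call sites in pam_try_unlock() unchanged and puts the `ADT_FAIL_PAM + pam_status` mapping in one place. The rewrite below keeps the existing policy of logging and continuing when the audit subsystem cannot be reached; whether an unlock should instead be refused when it cannot be audited is a policy question the patch does not state, so I have not changed it. `au_event_t` is the event-id type adt_alloc_event() takes in libbsm; confirm against the installed header.
```c
/* Write one audit record for a PAM outcome.  `what` names the event in the
 * syslog messages.  Audit failures are logged and otherwise ignored, as the
 * three original functions do, so the lock/unlock path is never blocked. */
static void
audit_pam_event (au_event_t event_id, int pam_status, const char *what)
{
  adt_session_data_t *ah;	/* audit session handle */
  adt_event_data_t *event;	/* audit event handle */
  int ok = (pam_status == PAM_SUCCESS);

  if (adt_start_session (&ah, NULL, ADT_USE_PROC_DATA) != 0)
    {
      syslog (LOG_AUTH | LOG_ALERT, "adt_start_session(%s): %m", what);
      return;
    }
  if ((event = adt_alloc_event (ah, event_id)) == NULL)
    {
      syslog (LOG_AUTH | LOG_ALERT, "adt_alloc_event(%s): %m", what);
    }
  else
    {
      if (adt_put_event (event,
                         ok ? ADT_SUCCESS : ADT_FAILURE,
                         ok ? ADT_SUCCESS : ADT_FAIL_PAM + pam_status) != 0)
        syslog (LOG_AUTH | LOG_ALERT, "adt_put_event(%s(%s)): %m",
                what, pam_strerror (NULL, pam_status));
      adt_free_event (event);
    }
  (void) adt_end_session (ah);
}

static void audit_lock (void)             { audit_pam_event (ADT_screenlock,   PAM_SUCCESS, "ADT_screenlock"); }
static void audit_unlock (int pam_status) { audit_pam_event (ADT_screenunlock, pam_status,  "ADT_screenunlock"); }
static void audit_passwd (int pam_status) { audit_pam_event (ADT_passwd,       pam_status,  "ADT_passwd"); }
```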
19033
N/A
@@ -231,6 +354,12 @@ pam_try_unlock(saver_info *si, Bool verbose_p,
19033
N/A
fprintf (stderr, "%s: pam_start (\"%s\", \"%s\", ...) ==> %d (%s)\n",
19033
N/A
blurb(), service, si->user,
19033
N/A
status, PAM_STRERROR (pamh, status));
19033
N/A
+
19033
N/A
+#ifdef __sun
19033
N/A
+ if (audit_flag_global) /* We want one audit lock log per lock */
19033
N/A
+
audit_lock
();
19033
N/A
+#
endif
/**sun*/
19033
N/A
+
19033
N/A
if
(
status
!=
PAM_SUCCESS
)
goto
DONE
;
19033
N/A
19033
N/A
#
ifdef
__sun
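Review bot: audit_lock() is called before the `status != PAM_SUCCESS` check that follows it, so a failed pam_start() jumps to DONE with audit_flag_global still True, and if the DONE label lies past the flag update in the hunk at +436 (the label is not visible here) the next attempt writes a second ADT_screenlock for the same lock. Clearing the flag right after the call, `audit_flag_global = False;`, and letting the +436 success branch set it back to True makes the "one audit lock log per lock" intent hold on every exit path. The `/**sun*/` on the `#endif` also reads as a stray doc-comment opener; the other new `#endif`s use `/* sun */`. pam_try_unlock() starts and ends outside this hunk.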
19033
N/A
@@ -
307
,
6
+
436
,
14
@@
pam_try_unlock
(
saver_info
*
si
,
Bool
verbose_p
,
19033
N/A
#
endif
/* HAVE_SIGTIMEDWAIT */
19033
N/A
unblock_sigchld
();
19033
N/A
19033
N/A
+#
ifdef
__sun
19033
N/A
+
audit_unlock
(
pam_auth_status
);
19033
N/A
+
if
(
pam_auth_status
==
PAM_SUCCESS
)
19033
N/A
+
audit_flag_global
=
True
;
19033
N/A
+
else
19033
N/A
+
audit_flag_global
=
False
;
19033
N/A
+#
endif
/*sun*/
19033
N/A
+
19033
N/A
#
ifdef
HAVE_XSCREENSAVER_LOCK
19033
N/A
/* Send status message to unlock dialog */
19033
N/A
if
(
pam_auth_status
==
PAM_SUCCESS
)
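Review bot: audit_unlock(pam_auth_status) here records the pam_authenticate() outcome, but the hunks at +491 and +567 call audit_unlock() again when pam_acct_mgmt() or pam_setcred() fails, so one unlock attempt that authenticates and then fails account management leaves both a success and a failure ADT_screenunlock record in the trail, and audit_flag_global, set to True here, is never cleared in those branches, so the next attempt also writes a fresh ADT_screenlock. I would either defer the success record until all three PAM steps have passed, or at minimum add `audit_flag_global = False;` beside each of those two failure-path audit_unlock() calls. pam_try_unlock() starts and ends outside this hunk; the +491 and +567 hunks are covered by this note.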
19033
N/A
@@ -
354
,
7
+
491
,
14
@@
pam_try_unlock
(
saver_info
*
si
,
Bool
verbose_p
,
19098
N/A
write_to_child
(
si
,
"ul_acct_ok"
,
PAM_STRERROR
(
pamh
,
acct_rc
));
19098
N/A
}
19033
N/A
else
19033
N/A
-
write_to_child
(
si
,
"ul_acct_fail"
,
PAM_STRERROR
(
pamh
,
acct_rc
));
19033
N/A
+ {
19033
N/A
+#
ifdef
__sun
19033
N/A
+
/* Only in failure of pam_acct_mgmt case we call audit */
19033
N/A
+
audit_unlock
(
acct_rc
);
19033
N/A
+#
endif
/*sun*/
19033
N/A
+
19033
N/A
+
write_to_child
(
si
,
"ul_acct_fail"
,
PAM_STRERROR
(
pamh
,
acct_rc
));
19033
N/A
+ }
19033
N/A
if
(
verbose_p
)
19033
N/A
sleep
(
1
);
19033
N/A
#
endif
19033
N/A
@@ -
383
,
6
+
527
,
10
@@
pam_try_unlock
(
saver_info
*
si
,
Bool
verbose_p
,
19033
N/A
fprintf
(
stderr
,
"%s: pam_chauthtok (...) ==> %d (%s)\n"
,
19033
N/A
blurb
(),
chauth_rc
,
PAM_STRERROR
(
pamh
,
chauth_rc
));
19033
N/A
19033
N/A
+#
ifdef
__sun
19033
N/A
+
audit_passwd
(
chauth_rc
);
19033
N/A
+#
endif
/* sun */
19033
N/A
+
19033
N/A
if
(
chauth_rc
!=
PAM_SUCCESS
)
19033
N/A
{
19033
N/A
pam_auth_status
=
chauth_rc
;
19098
N/A
@@ -
419
,
7
+
567
,
13
@@
pam_try_unlock
(
saver_info
*
si
,
Bool
verbose_p
,
19098
N/A
write_to_child
(
si
,
"ul_setcred_ok"
,
PAM_STRERROR
(
pamh
,
setcred_rc
));
19098
N/A
}
19033
N/A
else
19033
N/A
-
write_to_child
(
si
,
"ul_setcred_fail"
,
PAM_STRERROR
(
pamh
,
setcred_rc
));
19033
N/A
+ {
19033
N/A
+#
ifdef
__sun
19033
N/A
+
/* Only in failure of pam_setcred() case we call audit. */
19033
N/A
+
audit_unlock
(
setcred_rc
);
19033
N/A
+#
endif
/*sun*/
19033
N/A
+
write_to_child
(
si
,
"ul_setcred_fail"
,
PAM_STRERROR
(
pamh
,
setcred_rc
));
19033
N/A
+ }
19033
N/A
if
(
verbose_p
)
19033
N/A
sleep
(
1
);
19033
N/A
#
endif
19844
N/A
diff
--
git
xscreensaver
-
5.12
/
driver
/
passwd
.c
xscreensaver
-
5.12
/
driver
/
passwd
.c
19844
N/A
---
xscreensaver
-
5.12
/
driver
/
passwd
.c
19844
N/A
+++
xscreensaver
-
5.12
/
driver
/
passwd
.c
19844
N/A
@@ -
79
,
9
+
79
,
11
@@
extern
void
pam_try_unlock
(
saver_info
*
si
,
Bool
verbose_p
,
19844
N/A
extern
Bool
ext_priv_init
(
int
argc
,
char
**
argv
,
Bool
verbose_p
);
19844
N/A
extern
Bool
ext_passwd_valid_p
(
const
char
*
typed_passwd
,
Bool
verbose_p
);
19844
N/A
#
endif
19844
N/A
+#
ifndef
__sun
/* Only use PAM on Solaris, not direct getpwent */
19844
N/A
extern
Bool
pwent_lock_init
(
int
argc
,
char
**
argv
,
Bool
verbose_p
);
19844
N/A
extern
Bool
pwent_priv_init
(
int
argc
,
char
**
argv
,
Bool
verbose_p
);
19844
N/A
extern
Bool
pwent_passwd_valid_p
(
const
char
*
typed_passwd
,
Bool
verbose_p
);
19844
N/A
+#
endif
19844
N/A
19844
N/A
Bool
lock_priv_init
(
int
argc
,
char
**
argv
,
Bool
verbose_p
);
19844
N/A
Bool
lock_init
(
int
argc
,
char
**
argv
,
Bool
verbose_p
);
19844
N/A
@@ -
105
,
8
+
107
,
10
@@
struct
auth_methods
methods
[] = {
19844
N/A
{
"external"
,
0
,
ext_priv_init
,
ext_passwd_valid_p
,
0
,
19844
N/A
False
,
False
},
19844
N/A
#
endif
19844
N/A
+#
ifndef
__sun
/* Only use PAM on Solaris, not direct getpwent */
19844
N/A
{
"normal"
,
pwent_lock_init
,
pwent_priv_init
,
pwent_passwd_valid_p
,
0
,
19844
N/A
False
,
False
}
19844
N/A
+#
endif
19844
N/A
};
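Review bot: with the `"normal"` entry removed on Solaris, methods[] no longer has an unconditional element; the remaining entries each sit inside their own `#if` (the `external` one visible here and the PAM entry above the hunk), so a Solaris build configured without PAM would produce an empty initializer, which standard C rejects and GCC accepts as an extension that leaves no way to validate a password. Since the patch's intent is that Solaris uses PAM only, say so to the preprocessor next to this new `#ifndef`: `#if defined(__sun) && !defined(HAVE_PAM)` / `#error "Solaris builds of xscreensaver require PAM"` / `#endif`, using whichever macro guards the PAM entry above (HAVE_PAM upstream; confirm). The +79 hunk adds the matching `#ifndef __sun` around the pwent prototypes and needs no separate change.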
19844
N/A
19844
N/A