390 lines
14 KiB
C
390 lines
14 KiB
C
/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
|
|
*
|
|
* Copyright (C) 2004, 2008 Sun Microsystems, Inc.
|
|
* Copyright (C) 2005, 2008 Red Hat, Inc.
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 2, or (at your option)
|
|
* any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
|
* 02110-1301, USA.
|
|
*
|
|
* Written by: Brian A. Cameron <Brian.Cameron@sun.com>
|
|
* Gary Winiger <Gary.Winiger@sun.com>
|
|
* Ray Strode <rstrode@redhat.com>
|
|
* Steve Grubb <sgrubb@redhat.com>
|
|
*/
|
|
#include "config.h"
|
|
#include "gdm-session-solaris-auditor.h"
|
|
#include "gdm-common.h"
|
|
|
|
#include <syslog.h>
|
|
#include <security/pam_appl.h>
|
|
#include <pwd.h>
|
|
|
|
#include <fcntl.h>
|
|
#include <bsm/adt.h>
|
|
#include <bsm/adt_event.h>
|
|
|
|
#include <glib.h>
|
|
#include <glib-object.h>
|
|
#include <glib/gi18n.h>
|
|
|
|
struct _GdmSessionSolarisAuditor
|
|
{
|
|
GdmSessionAuditor parent;
|
|
|
|
adt_session_data_t *audit_session_handle;
|
|
|
|
guint password_change_initiated : 1;
|
|
guint password_changed : 1;
|
|
guint user_accredited : 1;
|
|
|
|
/* cached values to prevent repeated calls
|
|
* to getpwnam
|
|
*/
|
|
char *username;
|
|
uid_t uid;
|
|
gid_t gid;
|
|
};
|
|
|
|
static void gdm_session_solaris_auditor_finalize (GObject *object);
|
|
|
|
G_DEFINE_TYPE (GdmSessionSolarisAuditor, gdm_session_solaris_auditor, GDM_TYPE_SESSION_AUDITOR)
|
|
|
|
static void
|
|
gdm_session_solaris_auditor_report_password_changed (GdmSessionAuditor *auditor)
|
|
{
|
|
GdmSessionSolarisAuditor *solaris_auditor;
|
|
|
|
solaris_auditor = GDM_SESSION_SOLARIS_AUDITOR (auditor);
|
|
solaris_auditor->password_change_initiated = TRUE;
|
|
solaris_auditor->password_changed = TRUE;
|
|
}
|
|
|
|
static void
|
|
gdm_session_solaris_auditor_report_password_change_failure (GdmSessionAuditor *auditor)
|
|
{
|
|
GdmSessionSolarisAuditor *solaris_auditor;
|
|
|
|
solaris_auditor = GDM_SESSION_SOLARIS_AUDITOR (auditor);
|
|
solaris_auditor->password_change_initiated = TRUE;
|
|
solaris_auditor->password_changed = FALSE;
|
|
}
|
|
|
|
static void
|
|
gdm_session_solaris_auditor_report_user_accredited (GdmSessionAuditor *auditor)
|
|
{
|
|
GdmSessionSolarisAuditor *solaris_auditor;
|
|
|
|
solaris_auditor = GDM_SESSION_SOLARIS_AUDITOR (auditor);
|
|
solaris_auditor->user_accredited = TRUE;
|
|
}
|
|
|
|
static void
|
|
gdm_session_solaris_auditor_report_login (GdmSessionAuditor *auditor)
|
|
{
|
|
GdmSessionSolarisAuditor *solaris_auditor;
|
|
adt_session_data_t *adt_ah; /* Audit session handle */
|
|
adt_event_data_t *event; /* Event to generate */
|
|
|
|
solaris_auditor = GDM_SESSION_SOLARIS_AUDITOR (auditor);
|
|
|
|
g_return_if_fail (solaris_auditor->username != NULL);
|
|
|
|
adt_ah = NULL;
|
|
if (adt_start_session (&adt_ah, NULL, ADT_USE_PROC_DATA) != 0) {
|
|
syslog (LOG_AUTH | LOG_ALERT,
|
|
"adt_start_session (ADT_login): %m");
|
|
goto cleanup;
|
|
}
|
|
|
|
if (adt_set_user (adt_ah, solaris_auditor->uid,
|
|
solaris_auditor->gid, solaris_auditor->uid,
|
|
solaris_auditor->gid, NULL, ADT_USER) != 0) {
|
|
syslog (LOG_AUTH | LOG_ALERT,
|
|
"adt_set_user (ADT_login, %s): %m",
|
|
solaris_auditor->username);
|
|
}
|
|
|
|
event = adt_alloc_event (adt_ah, ADT_login);
|
|
if (event == NULL) {
|
|
syslog (LOG_AUTH | LOG_ALERT, "adt_alloc_event (ADT_login): %m");
|
|
} else if (adt_put_event (event, ADT_SUCCESS, ADT_SUCCESS) != 0) {
|
|
syslog (LOG_AUTH | LOG_ALERT,
|
|
"adt_put_event (ADT_login, ADT_SUCCESS): %m");
|
|
}
|
|
|
|
if (solaris_auditor->password_changed) {
|
|
|
|
g_assert (solaris_auditor->password_change_initiated);
|
|
|
|
/* Also audit password change */
|
|
adt_free_event (event);
|
|
event = adt_alloc_event (adt_ah, ADT_passwd);
|
|
if (event == NULL) {
|
|
syslog (LOG_AUTH | LOG_ALERT,
|
|
"adt_alloc_event (ADT_passwd): %m");
|
|
} else if (adt_put_event (event, ADT_SUCCESS,
|
|
ADT_SUCCESS) != 0) {
|
|
|
|
syslog (LOG_AUTH | LOG_ALERT,
|
|
"adt_put_event (ADT_passwd, ADT_SUCCESS): %m");
|
|
}
|
|
}
|
|
|
|
adt_free_event (event);
|
|
|
|
cleanup:
|
|
solaris_auditor->audit_session_handle = adt_ah;
|
|
}
|
|
|
|
static void
|
|
gdm_session_solaris_auditor_report_login_failure (GdmSessionAuditor *auditor,
|
|
int pam_error_code,
|
|
const char *pam_error_string)
|
|
{
|
|
GdmSessionSolarisAuditor *solaris_auditor;
|
|
char *hostname;
|
|
char *display_device;
|
|
adt_session_data_t *ah; /* Audit session handle */
|
|
adt_event_data_t *event; /* Event to generate */
|
|
adt_termid_t *tid; /* Terminal ID for failures */
|
|
|
|
solaris_auditor = GDM_SESSION_SOLARIS_AUDITOR (auditor);
|
|
g_object_get (G_OBJECT (auditor),
|
|
"hostname", &hostname,
|
|
"display-device", &display_device, NULL);
|
|
|
|
if (solaris_auditor->user_accredited) {
|
|
if (adt_start_session (&ah, NULL, ADT_USE_PROC_DATA) != 0) {
|
|
syslog (LOG_AUTH | LOG_ALERT,
|
|
"adt_start_session (ADT_login, ADT_FAILURE): %m");
|
|
goto cleanup;
|
|
}
|
|
} else {
|
|
if (adt_start_session (&ah, NULL, 0) != 0) {
|
|
syslog (LOG_AUTH | LOG_ALERT,
|
|
"adt_start_session (ADT_login, ADT_FAILURE): %m");
|
|
goto cleanup;
|
|
}
|
|
|
|
/* If display is on console or VT */
|
|
if (hostname != NULL && hostname[0] != '\0') {
|
|
/* Login from a remote host */
|
|
if (adt_load_hostname (hostname, &tid) != 0) {
|
|
syslog (LOG_AUTH | LOG_ALERT,
|
|
"adt_loadhostname (%s): %m", hostname);
|
|
}
|
|
} else {
|
|
/* login from the local host */
|
|
if (adt_load_ttyname (display_device, &tid) != 0) {
|
|
syslog (LOG_AUTH | LOG_ALERT,
|
|
"adt_loadhostname (localhost): %m");
|
|
}
|
|
}
|
|
|
|
if (adt_set_user (ah,
|
|
solaris_auditor->username != NULL ? solaris_auditor->uid : ADT_NO_ATTRIB,
|
|
solaris_auditor->username != NULL ? solaris_auditor->gid : ADT_NO_ATTRIB,
|
|
solaris_auditor->username != NULL ? solaris_auditor->uid : ADT_NO_ATTRIB,
|
|
solaris_auditor->username != NULL ? solaris_auditor->gid : ADT_NO_ATTRIB,
|
|
tid, ADT_NEW) != 0) {
|
|
|
|
syslog (LOG_AUTH | LOG_ALERT,
|
|
"adt_set_user (%s): %m",
|
|
solaris_auditor->username != NULL ? solaris_auditor->username : "ADT_NO_ATTRIB");
|
|
}
|
|
}
|
|
|
|
event = adt_alloc_event (ah, ADT_login);
|
|
|
|
if (event == NULL) {
|
|
syslog (LOG_AUTH | LOG_ALERT,
|
|
"adt_alloc_event (ADT_login, ADT_FAILURE): %m");
|
|
goto done;
|
|
} else if (adt_put_event (event, ADT_FAILURE,
|
|
ADT_FAIL_PAM + pam_error_code) != 0) {
|
|
syslog (LOG_AUTH | LOG_ALERT,
|
|
"adt_put_event (ADT_login (ADT_FAIL, %s): %m",
|
|
pam_error_string);
|
|
}
|
|
|
|
if (solaris_auditor->password_change_initiated) {
|
|
/* Also audit password change */
|
|
adt_free_event (event);
|
|
|
|
event = adt_alloc_event (ah, ADT_passwd);
|
|
if (event == NULL) {
|
|
syslog (LOG_AUTH | LOG_ALERT,
|
|
"adt_alloc_event (ADT_passwd): %m");
|
|
goto done;
|
|
}
|
|
|
|
if (solaris_auditor->password_changed) {
|
|
if (adt_put_event (event, ADT_SUCCESS,
|
|
ADT_SUCCESS) != 0) {
|
|
|
|
syslog (LOG_AUTH | LOG_ALERT,
|
|
"adt_put_event (ADT_passwd, ADT_SUCCESS): "
|
|
"%m");
|
|
}
|
|
} else {
|
|
if (adt_put_event (event, ADT_FAILURE,
|
|
ADT_FAIL_PAM + pam_error_code) != 0) {
|
|
|
|
syslog (LOG_AUTH | LOG_ALERT,
|
|
"adt_put_event (ADT_passwd, ADT_FAILURE): "
|
|
"%m");
|
|
}
|
|
}
|
|
}
|
|
adt_free_event (event);
|
|
|
|
done:
|
|
/* Reset process audit state. this process is being reused.*/
|
|
if ((adt_set_user (ah, ADT_NO_AUDIT, ADT_NO_AUDIT, ADT_NO_AUDIT,
|
|
ADT_NO_AUDIT, NULL, ADT_NEW) != 0) ||
|
|
(adt_set_proc (ah) != 0)) {
|
|
|
|
syslog (LOG_AUTH | LOG_ALERT,
|
|
"adt_put_event (ADT_login (ADT_FAILURE reset, %m)");
|
|
}
|
|
(void) adt_end_session (ah);
|
|
|
|
cleanup:
|
|
g_free (hostname);
|
|
g_free (display_device);
|
|
}
|
|
|
|
static void
|
|
gdm_session_solaris_auditor_report_logout (GdmSessionAuditor *auditor)
|
|
{
|
|
GdmSessionSolarisAuditor *solaris_auditor;
|
|
adt_session_data_t *adt_ah; /* Audit session handle */
|
|
adt_event_data_t *event; /* Event to generate */
|
|
|
|
solaris_auditor = GDM_SESSION_SOLARIS_AUDITOR (auditor);
|
|
|
|
adt_ah = solaris_auditor->audit_session_handle;
|
|
|
|
event = adt_alloc_event (adt_ah, ADT_logout);
|
|
if (event == NULL) {
|
|
syslog (LOG_AUTH | LOG_ALERT,
|
|
"adt_alloc_event (ADT_logout): %m");
|
|
} else if (adt_put_event (event, ADT_SUCCESS, ADT_SUCCESS) != 0) {
|
|
syslog (LOG_AUTH | LOG_ALERT,
|
|
"adt_put_event (ADT_logout, ADT_SUCCESS): %m");
|
|
}
|
|
|
|
adt_free_event (event);
|
|
|
|
/* Reset process audit state. this process is being reused. */
|
|
if ((adt_set_user (adt_ah, ADT_NO_AUDIT, ADT_NO_AUDIT, ADT_NO_AUDIT,
|
|
ADT_NO_AUDIT, NULL, ADT_NEW) != 0) ||
|
|
(adt_set_proc (adt_ah) != 0)) {
|
|
syslog (LOG_AUTH | LOG_ALERT,
|
|
"adt_set_proc (ADT_logout reset): %m");
|
|
}
|
|
|
|
(void) adt_end_session (adt_ah);
|
|
solaris_auditor->audit_session_handle = NULL;
|
|
}
|
|
|
|
static void
|
|
gdm_session_solaris_auditor_class_init (GdmSessionSolarisAuditorClass *klass)
|
|
{
|
|
GObjectClass *object_class;
|
|
GdmSessionAuditorClass *auditor_class;
|
|
|
|
object_class = G_OBJECT_CLASS (klass);
|
|
auditor_class = GDM_SESSION_AUDITOR_CLASS (klass);
|
|
|
|
object_class->finalize = gdm_session_solaris_auditor_finalize;
|
|
|
|
auditor_class->report_password_changed = gdm_session_solaris_auditor_report_password_changed;
|
|
auditor_class->report_password_change_failure = gdm_session_solaris_auditor_report_password_change_failure;
|
|
auditor_class->report_user_accredited = gdm_session_solaris_auditor_report_user_accredited;
|
|
auditor_class->report_login = gdm_session_solaris_auditor_report_login;
|
|
auditor_class->report_login_failure = gdm_session_solaris_auditor_report_login_failure;
|
|
auditor_class->report_logout = gdm_session_solaris_auditor_report_logout;
|
|
}
|
|
|
|
static void
|
|
on_username_set (GdmSessionSolarisAuditor *auditor)
|
|
{
|
|
char *username;
|
|
struct passwd *passwd_entry = NULL;
|
|
|
|
g_object_get (G_OBJECT (auditor), "username", &username, NULL);
|
|
|
|
if (username != NULL) {
|
|
gdm_get_pwent_for_name (username, &passwd_entry);
|
|
}
|
|
|
|
if (passwd_entry != NULL) {
|
|
auditor->uid = passwd_entry->pw_uid;
|
|
auditor->gid = passwd_entry->pw_gid;
|
|
auditor->username = g_strdup (passwd_entry->pw_name);
|
|
} else {
|
|
g_free (auditor->username);
|
|
auditor->username = NULL;
|
|
auditor->uid = (uid_t) -1;
|
|
auditor->gid = (gid_t) -1;
|
|
}
|
|
|
|
g_free (username);
|
|
}
|
|
|
|
static void
|
|
gdm_session_solaris_auditor_init (GdmSessionSolarisAuditor *auditor)
|
|
{
|
|
g_signal_connect (G_OBJECT (auditor), "notify::username",
|
|
G_CALLBACK (on_username_set), NULL);
|
|
|
|
auditor->uid = (uid_t) -1;
|
|
auditor->gid = (gid_t) -1;
|
|
}
|
|
|
|
static void
|
|
gdm_session_solaris_auditor_finalize (GObject *object)
|
|
{
|
|
GdmSessionSolarisAuditor *solaris_auditor;
|
|
GObjectClass *parent_class;
|
|
|
|
solaris_auditor = GDM_SESSION_SOLARIS_AUDITOR (object);
|
|
|
|
g_free (solaris_auditor->username);
|
|
solaris_auditor->username = NULL;
|
|
|
|
parent_class = G_OBJECT_CLASS (gdm_session_solaris_auditor_parent_class);
|
|
|
|
if (parent_class->finalize != NULL) {
|
|
parent_class->finalize (object);
|
|
}
|
|
}
|
|
|
|
GdmSessionAuditor *
|
|
gdm_session_solaris_auditor_new (const char *hostname,
|
|
const char *display_device)
|
|
{
|
|
GObject *auditor;
|
|
|
|
auditor = g_object_new (GDM_TYPE_SESSION_SOLARIS_AUDITOR,
|
|
"hostname", hostname,
|
|
"display-device", display_device,
|
|
NULL);
|
|
|
|
return GDM_SESSION_AUDITOR (auditor);
|
|
}
|
|
|
|
|