Attachment 233451 Details for Bug 343891 – patch adding audit capabilities

[patch] patch adding audit capabilities

rsh.patch (text/plain), 11.51 KB, created by Steve Grubb on 2007-10-20 15:58:30 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Steve Grubb

Created: 2007-10-20 15:58:30 UTC

Size: 11.51 KB

patch

obsolete

>diff -urN devel.orig/netkit-rsh-0.17-audit.patch devel/netkit-rsh-0.17-audit.patch
>--- devel.orig/netkit-rsh-0.17-audit.patch	1969-12-31 19:00:00.000000000 -0500
>+++ devel/netkit-rsh-0.17-audit.patch	2007-10-20 11:54:29.000000000 -0400
>@@ -0,0 +1,256 @@
>+diff -urp netkit-rsh-0.17.orig/configure netkit-rsh-0.17/configure
>+--- netkit-rsh-0.17.orig/configure	2007-10-20 08:27:09.000000000 -0400
>++++ netkit-rsh-0.17/configure	2007-10-20 10:57:52.000000000 -0400
>+@@ -19,8 +19,9 @@
>+ Usage: configure [options]
>+     --help                Show this message
>+     --with-debug          Enable debugging
>+-    --without-pam      Disable PAM support
>++    --without-pam         Disable PAM support
>+     --without-shadow      Disable shadow password support
>++    --without-audit       Disable audit support
>+     --prefix=path         Prefix for location of files [/usr]
>+     --exec-prefix=path    Location for arch-depedent files [prefix]
>+     --installroot=root    Top of filesystem tree to install in [/]
>+@@ -47,6 +48,7 @@
>+ 	--with-c-compiler=*) CC=`echo $1 | sed 's/^[^=]*=//'` ;;
>+ 	--without-pam|--disable-pam) WITHOUT_PAM=1;;
>+ 	--without-shadow|--disable-shadow) WITHOUT_SHADOW=1;;
>++	--without-audit|--disable-audit) WITHOUT_AUDIT=1;;
>+ 	*) echo "Unrecognized option: $1"; exit 1;;
>+ esac 
>+ shift
>+@@ -342,6 +344,32 @@
>+ 
>+ ##################################################
>+ 
>++echo -n 'Checking for AUDIT... '
>++if [ x$WITHOUT_AUDIT != x ]; then
>++    echo disabled
>++else
>++cat <<EOF >__conftest.c
>++#include <stdio.h>
>++#include <libaudit.h>
>++int main() {
>++    audit_log_acct_message(1, AUDIT_USER_LOGIN, NULL, NULL, NULL, 0, NULL, NULL, NULL, 0);
>++    return 0;
>++}
>++
>++EOF
>++if (
>++      $CC $CFLAGS  __conftest.c -laudit -o __conftest || exit 1
>++   ) >/dev/null 2>&1; then
>++        echo 'yes'
>++        USE_AUDIT=1
>++    else
>++        echo 'no'
>++    fi
>++fi
>++rm -f __conftest*
>++
>++##################################################
>++
>+ echo -n 'Checking for crypt... '
>+ cat <<EOF >__conftest.c
>+ int main() { crypt("aa", "bb"); }
>+@@ -593,5 +621,6 @@
>+     echo "USE_PAM=$USE_PAM"
>+     echo "USE_SHADOW=$USE_SHADOW"
>+     echo "LIBSHADOW=$LIBSHADOW"
>++    echo "USE_AUDIT=$USE_AUDIT"
>+ ) > MCONFIG
>+ 
>+diff -urp netkit-rsh-0.17.orig/rexecd/rexecd.c netkit-rsh-0.17/rexecd/rexecd.c
>+--- netkit-rsh-0.17.orig/rexecd/rexecd.c	2007-10-20 08:27:09.000000000 -0400
>++++ netkit-rsh-0.17/rexecd/rexecd.c	2007-10-20 10:11:31.000000000 -0400
>+@@ -312,9 +312,12 @@ doit(struct sockaddr_in *fromp)
>+        PAM_password = pass;
>+        pam_error = pam_start("rexec", PAM_username, &PAM_conversation,&pamh);
>+        PAM_BAIL;
>+-       pam_set_item (pamh, PAM_RUSER, user);
>+-       pam_set_item (pamh, PAM_RHOST, remote);	       
>+-       pam_set_item (pamh, PAM_TTY, "rexec");   /* we don't have a tty yet! */
>++       pam_error = pam_set_item (pamh, PAM_RUSER, user);
>++       PAM_BAIL;
>++       pam_error = pam_set_item (pamh, PAM_RHOST, remote);	       
>++       PAM_BAIL;
>++       pam_error = pam_set_item (pamh, PAM_TTY, "rexec");   /* we don't have a tty yet! */
>++       PAM_BAIL;
>+        pam_error = pam_authenticate(pamh, 0);
>+        PAM_BAIL;
>+        pam_error = pam_acct_mgmt(pamh, 0);
>+diff -urp netkit-rsh-0.17.orig/rlogind/auth.c netkit-rsh-0.17/rlogind/auth.c
>+--- netkit-rsh-0.17.orig/rlogind/auth.c	2007-10-20 08:27:09.000000000 -0400
>++++ netkit-rsh-0.17/rlogind/auth.c	2007-10-20 09:06:54.000000000 -0400
>+@@ -117,17 +117,39 @@ int auth_checkauth(const char *remoteuse
>+     retval = pam_start("rlogin", localuser, &conv, &pamh);
>+     if (retval != PAM_SUCCESS) {
>+ 	syslog(LOG_ERR, "pam_start: %s\n", pam_strerror(pamh, retval));
>++        pam_end(pamh, retval);
>+ 	fatal(STDERR_FILENO, "initialization failed", 0);
>+     }
>+ 	
>+-    pam_set_item(pamh, PAM_USER, localuser);
>+-    pam_set_item(pamh, PAM_RUSER, remoteuser);
>+-    pam_set_item(pamh, PAM_RHOST, host);
>+-    pam_set_item(pamh, PAM_TTY, "rlogin");   /* we don't have a tty yet! */
>++    retval = pam_set_item(pamh, PAM_USER, localuser);
>++    if (retval != PAM_SUCCESS) {
>++	syslog(LOG_ERR, "pam_set_item: %s\n", pam_strerror(pamh, retval));
>++	pam_end(pamh, retval);
>++	fatal(STDERR_FILENO, "initialization failed", 0);
>++    }
>++    retval = pam_set_item(pamh, PAM_RUSER, remoteuser);
>++    if (retval != PAM_SUCCESS) {
>++	syslog(LOG_ERR, "pam_set_item: %s\n", pam_strerror(pamh, retval));
>++	pam_end(pamh, retval);
>++	fatal(STDERR_FILENO, "initialization failed", 0);
>++    }
>++    retval = pam_set_item(pamh, PAM_RHOST, host);
>++    if (retval != PAM_SUCCESS) {
>++	syslog(LOG_ERR, "pam_set_item: %s\n", pam_strerror(pamh, retval));
>++	pam_end(pamh, retval);
>++	fatal(STDERR_FILENO, "initialization failed", 0);
>++    }
>++    retval = pam_set_item(pamh, PAM_TTY, "rlogin");   /* we don't have a tty yet! */
>++    if (retval != PAM_SUCCESS) {
>++	syslog(LOG_ERR, "pam_set_item: %s\n", pam_strerror(pamh, retval));
>++	pam_end(pamh, retval);
>++	fatal(STDERR_FILENO, "initialization failed", 0);
>++    }
>+ 	
>+     network_confirm();
>+     retval = attempt_auth();
>+     if ((retval == PAM_ACCT_EXPIRED) || (retval == PAM_PERM_DENIED)) {
>++	pam_end(pamh, retval);
>+ 	syslog(LOG_ERR, "PAM authentication denied for in.rlogind");
>+ 	exit(1);
>+     } else if (retval != PAM_SUCCESS) {
>+diff -urp netkit-rsh-0.17.orig/rlogind/rlogind.c netkit-rsh-0.17/rlogind/rlogind.c
>+--- netkit-rsh-0.17.orig/rlogind/rlogind.c	2007-10-20 08:27:09.000000000 -0400
>++++ netkit-rsh-0.17/rlogind/rlogind.c	2007-10-20 08:59:13.000000000 -0400
>+@@ -357,9 +357,9 @@ static void child(const char *hname, con
>+     }
>+     termenv[3] = NULL;
>+ 
>++    auth_finish();
>++    closeall();
>+     if (authenticated) {
>+-	auth_finish();
>+-	closeall();
>+ 	execle(_PATH_LOGIN, "login", "-p",
>+ 	       "-h", hname, "-f", localuser, NULL, termenv);
>+     } 
>+@@ -368,8 +368,6 @@ static void child(const char *hname, con
>+ 	    syslog(LOG_AUTH|LOG_INFO, "rlogin with an option as a name!");
>+ 	    exit(1);
>+ 	}
>+-	auth_finish();
>+-	closeall();
>+ 	execle(_PATH_LOGIN, "login", "-p",
>+ 	       "-h", hname, localuser, NULL, termenv);
>+     }
>+diff -urp netkit-rsh-0.17.orig/rshd/Makefile netkit-rsh-0.17/rshd/Makefile
>+--- netkit-rsh-0.17.orig/rshd/Makefile	2007-10-20 08:27:09.000000000 -0400
>++++ netkit-rsh-0.17/rshd/Makefile	2007-10-20 11:00:49.000000000 -0400
>+@@ -9,6 +9,10 @@ ifeq ($(USE_PAM),1)
>+ CFLAGS += -DUSE_PAM
>+ LIBS += -ldl -lpam -lpam_misc
>+ endif
>++ifeq ($(USE_AUDIT),1)
>++CFLAGS += -DUSE_AUDIT
>++LIBS += -ldl -laudit
>++endif
>+ 
>+ rshd: $(OBJS)
>+ 	$(CC) $(LDFLAGS) $^ $(LIBS) -o $@
>+diff -urp netkit-rsh-0.17.orig/rshd/rshd.c netkit-rsh-0.17/rshd/rshd.c
>+--- netkit-rsh-0.17.orig/rshd/rshd.c	2007-10-20 08:27:09.000000000 -0400
>++++ netkit-rsh-0.17/rshd/rshd.c	2007-10-20 11:04:16.000000000 -0400
>+@@ -90,6 +90,10 @@ char rcsid[] = 
>+ static pam_handle_t *pamh;
>+ #endif /* USE_PAM */
>+ 
>++#ifdef USE_AUDIT
>++#include <libaudit.h>
>++#endif /* USE_AUDIT */
>++
>+ #define	OPTIONS	"aDhlLn"
>+ 
>+ static int keepalive = 1;
>+@@ -243,9 +247,21 @@ static struct passwd *doauth(const char 
>+ 	syslog(LOG_ERR, "pam_start: %s\n", pam_strerror(pamh, retcode));
>+ 	exit (1);
>+     }
>+-    pam_set_item (pamh, PAM_RUSER, remuser);
>+-    pam_set_item (pamh, PAM_RHOST, hostname);
>+-    pam_set_item (pamh, PAM_TTY, "rsh");  /* we don't use a tty, so punt */
>++    retcode = pam_set_item (pamh, PAM_RUSER, remuser);
>++    if (retcode != PAM_SUCCESS) {
>++	syslog(LOG_ERR, "pam_set_item: %s\n", pam_strerror(pamh, retcode));
>++	exit (1);
>++    }
>++    retcode = pam_set_item (pamh, PAM_RHOST, hostname);
>++    if (retcode != PAM_SUCCESS) {
>++	syslog(LOG_ERR, "pam_set_item: %s\n", pam_strerror(pamh, retcode));
>++	exit (1);
>++    }
>++    retcode = pam_set_item (pamh, PAM_TTY, "rsh");  /* we don't use a tty, so punt */
>++    if (retcode != PAM_SUCCESS) {
>++	syslog(LOG_ERR, "pam_set_item: %s\n", pam_strerror(pamh, retcode));
>++	exit (1);
>++    }
>+     
>+     retcode = pam_authenticate(pamh, 0);
>+     if (retcode == PAM_SUCCESS) {
>+@@ -365,6 +381,27 @@ static const char *findhostname(struct s
>+ 	return NULL; /* not reachable */
>+ }
>+ 
>++static int log_audit(const char *username, int uid, const char *hostname,
>++			int success)
>++{
>++#ifdef USE_AUDIT
>++	int audit_fd = audit_open();
>++	if (audit_fd < 0) {
>++		if (errno != EINVAL && errno != EPROTONOSUPPORT &&
>++					errno != EAFNOSUPPORT) 
>++			return 1;
>++	} else {
>++		int rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
>++				NULL, "login", username, uid, hostname, NULL,
>++				"rsh", success);
>++		close(audit_fd);
>++		if (rc <= 0) 
>++			return 1;
>++	}
>++#endif
>++	return 0;
>++}
>++
>+ static void
>+ doit(struct sockaddr_storage *fromp, socklen_t fromlen)
>+ {
>+@@ -435,14 +472,21 @@ doit(struct sockaddr_storage *fromp, soc
>+ 	setpwent();
>+ 	pwd = doauth(remuser, hostname, locuser);
>+ 	if (pwd == NULL) {
>++		if (log_audit(remuser, pwd->pw_uid, hostname, 0) <= 0) {
>++			fail("Error sending audit event.\n", 
>++			     remuser, hostname, locuser, cmdbuf);
>++		}
>+ 		fail("Permission denied.\n", 
>+ 		     remuser, hostname, locuser, cmdbuf);
>+ 	}
>+-
>+ 	if (pwd->pw_uid != 0 && !access(_PATH_NOLOGIN, F_OK)) {
>+ 		error("Logins currently disabled.\n");
>+ 		exit(1);
>+ 	}
>++	if (log_audit(remuser, pwd->pw_uid, hostname, 1) <= 0) {
>++		fail("Error sending audit event.\n", 
>++		     remuser, hostname, locuser, cmdbuf);
>++	}
>+ 
>+ 	(void) write(2, "\0", 1);
>+ 	sent_null = 1;
>diff -urN devel.orig/rexec.pam devel/rexec.pam
>--- devel.orig/rexec.pam	2007-10-20 11:53:38.000000000 -0400
>+++ devel/rexec.pam	2007-10-20 11:54:29.000000000 -0400
>@@ -8,3 +8,4 @@
> account    include      system-auth
> session	   optional     pam_keyinit.so    force revoke
> session    include      system-auth
>+session    required     pam_loginuid.so
>diff -urN devel.orig/rlogin.pam devel/rlogin.pam
>--- devel.orig/rlogin.pam	2007-10-20 11:53:38.000000000 -0400
>+++ devel/rlogin.pam	2007-10-20 11:54:29.000000000 -0400
>@@ -10,3 +10,4 @@
> password   include      system-auth
> session	   optional     pam_keyinit.so    force revoke
> session    include      system-auth
>+session    required     pam_loginuid.so
>diff -urN devel.orig/rsh.pam devel/rsh.pam
>--- devel.orig/rsh.pam	2007-10-20 11:53:38.000000000 -0400
>+++ devel/rsh.pam	2007-10-20 11:54:29.000000000 -0400
>@@ -8,3 +8,4 @@
> account    include      system-auth
> session	   optional     pam_keyinit.so    force revoke
> session    include      system-auth
>+session    required     pam_loginuid.so
>diff -urN devel.orig/rsh.spec devel/rsh.spec
>--- devel.orig/rsh.spec	2007-10-20 11:53:38.000000000 -0400
>+++ devel/rsh.spec	2007-10-20 11:54:29.000000000 -0400
>@@ -1,7 +1,7 @@
> Summary: Clients for remote access commands (rsh, rlogin, rcp).
> Name: rsh
> Version: 0.17
>-Release: 44%{?dist}
>+Release: 45%{?dist}
> License: BSD
> Group: Applications/Internet
> 
>@@ -10,6 +10,7 @@
> BuildPrereq: ncurses-devel
> 
> BuildRequires: pam-devel
>+BuildRequires: audit-libs-devel >= 1.5
> 
> Source: ftp://ftp.uk.linux.org/pub/linux/Networking/netkit/netkit-rsh-%{version}.tar.gz
> Source1: rexec.pam
>@@ -52,6 +53,7 @@
> Patch31: netkit-rsh-0.17-pam_env.patch
> Patch33: netkit-rsh-0.17-dns.patch
> Patch34: netkit-rsh-0.17-nohostcheck-compat.patch
>+Patch35: netkit-rsh-0.17-audit.patch
> 
> %description
> The rsh package contains a set of programs which allow users to run
>@@ -115,6 +117,7 @@
> %patch31 -p1 -b .pam_env
> %patch33 -p1 -b .dns
> %patch34 -p1 -b .compat
>+%patch35 -p1 -b .audit
> 
> # No, I don't know what this is doing in the tarball.
> rm -f rexec/rexec
>@@ -183,6 +186,9 @@
> %{_mandir}/man8/*.8*
> 
> %changelog
>+* Sat Oct 20 2007 Steve Grubb <sgrubb@redhat.com> 0.17-45
>+- update for audit
>+
> * Tue Oct 16 2007 Adam Tkac <atkac redhat com> 0.17-44
> - added -D option for compatibility with F8 test releases
> - fixed rsh-server description

Actions: View | Diff

Attachments on bug 343891: 233451