rpms/rsh/devel netkit-rsh-0.17-audit.patch, NONE, 1.1 rexec.pam, 1.6, 1.7 rlogin.pam, 1.5, 1.6 rsh.pam, 1.5, 1.6 rsh.spec, 1.40, 1.41
Adam Tkac (atkac)
fedora-extras-commits at redhat.com
Fri Oct 26 07:14:00 UTC 2007
Author: atkac
Update of /cvs/pkgs/rpms/rsh/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv10419
Modified Files:
rexec.pam rlogin.pam rsh.pam rsh.spec
Added Files:
netkit-rsh-0.17-audit.patch
Log Message:
- update for audit
- patches from Steve Grubb
netkit-rsh-0.17-audit.patch:
--- NEW FILE netkit-rsh-0.17-audit.patch ---
diff -urp netkit-rsh-0.17.orig/configure netkit-rsh-0.17/configure
--- netkit-rsh-0.17.orig/configure 2007-10-20 08:27:09.000000000 -0400
+++ netkit-rsh-0.17/configure 2007-10-20 10:57:52.000000000 -0400
@@ -19,8 +19,9 @@
Usage: configure [options]
--help Show this message
--with-debug Enable debugging
- --without-pam Disable PAM support
+ --without-pam Disable PAM support
--without-shadow Disable shadow password support
+ --without-audit Disable audit support
--prefix=path Prefix for location of files [/usr]
--exec-prefix=path Location for arch-depedent files [prefix]
--installroot=root Top of filesystem tree to install in [/]
@@ -47,6 +48,7 @@
--with-c-compiler=*) CC=`echo $1 | sed 's/^[^=]*=//'` ;;
--without-pam|--disable-pam) WITHOUT_PAM=1;;
--without-shadow|--disable-shadow) WITHOUT_SHADOW=1;;
+ --without-audit|--disable-audit) WITHOUT_AUDIT=1;;
*) echo "Unrecognized option: $1"; exit 1;;
esac
shift
@@ -342,6 +344,32 @@
##################################################
+echo -n 'Checking for AUDIT... '
+if [ x$WITHOUT_AUDIT != x ]; then
+ echo disabled
+else
+cat <<EOF >__conftest.c
+#include <stdio.h>
+#include <libaudit.h>
+int main() {
+ audit_log_acct_message(1, AUDIT_USER_LOGIN, NULL, NULL, NULL, 0, NULL, NULL, NULL, 0);
+ return 0;
+}
+
+EOF
+if (
+ $CC $CFLAGS __conftest.c -laudit -o __conftest || exit 1
+ ) >/dev/null 2>&1; then
+ echo 'yes'
+ USE_AUDIT=1
+ else
+ echo 'no'
+ fi
+fi
+rm -f __conftest*
+
+##################################################
+
echo -n 'Checking for crypt... '
cat <<EOF >__conftest.c
int main() { crypt("aa", "bb"); }
@@ -593,5 +621,6 @@
echo "USE_PAM=$USE_PAM"
echo "USE_SHADOW=$USE_SHADOW"
echo "LIBSHADOW=$LIBSHADOW"
+ echo "USE_AUDIT=$USE_AUDIT"
) > MCONFIG
diff -urp netkit-rsh-0.17.orig/rexecd/rexecd.c netkit-rsh-0.17/rexecd/rexecd.c
--- netkit-rsh-0.17.orig/rexecd/rexecd.c 2007-10-20 08:27:09.000000000 -0400
+++ netkit-rsh-0.17/rexecd/rexecd.c 2007-10-20 10:11:31.000000000 -0400
@@ -312,9 +312,12 @@ doit(struct sockaddr_in *fromp)
PAM_password = pass;
pam_error = pam_start("rexec", PAM_username, &PAM_conversation,&pamh);
PAM_BAIL;
- pam_set_item (pamh, PAM_RUSER, user);
- pam_set_item (pamh, PAM_RHOST, remote);
- pam_set_item (pamh, PAM_TTY, "rexec"); /* we don't have a tty yet! */
+ pam_error = pam_set_item (pamh, PAM_RUSER, user);
+ PAM_BAIL;
+ pam_error = pam_set_item (pamh, PAM_RHOST, remote);
+ PAM_BAIL;
+ pam_error = pam_set_item (pamh, PAM_TTY, "rexec"); /* we don't have a tty yet! */
+ PAM_BAIL;
pam_error = pam_authenticate(pamh, 0);
PAM_BAIL;
pam_error = pam_acct_mgmt(pamh, 0);
diff -urp netkit-rsh-0.17.orig/rlogind/auth.c netkit-rsh-0.17/rlogind/auth.c
--- netkit-rsh-0.17.orig/rlogind/auth.c 2007-10-20 08:27:09.000000000 -0400
+++ netkit-rsh-0.17/rlogind/auth.c 2007-10-20 09:06:54.000000000 -0400
@@ -117,17 +117,39 @@ int auth_checkauth(const char *remoteuse
retval = pam_start("rlogin", localuser, &conv, &pamh);
if (retval != PAM_SUCCESS) {
syslog(LOG_ERR, "pam_start: %s\n", pam_strerror(pamh, retval));
+ pam_end(pamh, retval);
fatal(STDERR_FILENO, "initialization failed", 0);
}
- pam_set_item(pamh, PAM_USER, localuser);
- pam_set_item(pamh, PAM_RUSER, remoteuser);
- pam_set_item(pamh, PAM_RHOST, host);
- pam_set_item(pamh, PAM_TTY, "rlogin"); /* we don't have a tty yet! */
+ retval = pam_set_item(pamh, PAM_USER, localuser);
+ if (retval != PAM_SUCCESS) {
+ syslog(LOG_ERR, "pam_set_item: %s\n", pam_strerror(pamh, retval));
+ pam_end(pamh, retval);
+ fatal(STDERR_FILENO, "initialization failed", 0);
+ }
+ retval = pam_set_item(pamh, PAM_RUSER, remoteuser);
+ if (retval != PAM_SUCCESS) {
+ syslog(LOG_ERR, "pam_set_item: %s\n", pam_strerror(pamh, retval));
+ pam_end(pamh, retval);
+ fatal(STDERR_FILENO, "initialization failed", 0);
+ }
+ retval = pam_set_item(pamh, PAM_RHOST, host);
+ if (retval != PAM_SUCCESS) {
+ syslog(LOG_ERR, "pam_set_item: %s\n", pam_strerror(pamh, retval));
+ pam_end(pamh, retval);
+ fatal(STDERR_FILENO, "initialization failed", 0);
+ }
+ retval = pam_set_item(pamh, PAM_TTY, "rlogin"); /* we don't have a tty yet! */
+ if (retval != PAM_SUCCESS) {
+ syslog(LOG_ERR, "pam_set_item: %s\n", pam_strerror(pamh, retval));
+ pam_end(pamh, retval);
+ fatal(STDERR_FILENO, "initialization failed", 0);
+ }
network_confirm();
retval = attempt_auth();
if ((retval == PAM_ACCT_EXPIRED) || (retval == PAM_PERM_DENIED)) {
+ pam_end(pamh, retval);
syslog(LOG_ERR, "PAM authentication denied for in.rlogind");
exit(1);
} else if (retval != PAM_SUCCESS) {
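Review bot: The four added pam_set_item() failure blocks are byte-identical apart from the item name, so the same syslog/pam_end/fatal sequence is now written four times inside auth_checkauth(); a small static helper taking the handle would keep one copy of the cleanup and make future changes (for instance a different log message per item) one-line edits. The helper below relies on fatal() not returning, exactly as the inline code already does. The `pam_end(pamh, retval)` added after a failed pam_start() operates on a handle pam_start() never successfully created; with Linux-PAM the handle is left NULL there and pam_end() only returns PAM_SYSTEM_ERR, so it is harmless but has nothing to release. auth_checkauth() starts and ends outside the hunk.
```c
/* Log a PAM failure, release the handle and abort (fatal() does not return). */
static void pam_fail(pam_handle_t *h, const char *what, int retval)
{
	syslog(LOG_ERR, "%s: %s\n", what, pam_strerror(h, retval));
	pam_end(h, retval);
	fatal(STDERR_FILENO, "initialization failed", 0);
}

/* … unchanged: auth_checkauth() up to and including pam_start() … */
	retval = pam_set_item(pamh, PAM_USER, localuser);
	if (retval != PAM_SUCCESS)
		pam_fail(pamh, "pam_set_item", retval);
	retval = pam_set_item(pamh, PAM_RUSER, remoteuser);
	if (retval != PAM_SUCCESS)
		pam_fail(pamh, "pam_set_item", retval);
	retval = pam_set_item(pamh, PAM_RHOST, host);
	if (retval != PAM_SUCCESS)
		pam_fail(pamh, "pam_set_item", retval);
	retval = pam_set_item(pamh, PAM_TTY, "rlogin"); /* we don't have a tty yet! */
	if (retval != PAM_SUCCESS)
		pam_fail(pamh, "pam_set_item", retval);
	/* … unchanged: network_confirm(), attempt_auth() and the result checks … */
```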
diff -urp netkit-rsh-0.17.orig/rlogind/rlogind.c netkit-rsh-0.17/rlogind/rlogind.c
--- netkit-rsh-0.17.orig/rlogind/rlogind.c 2007-10-20 08:27:09.000000000 -0400
+++ netkit-rsh-0.17/rlogind/rlogind.c 2007-10-20 08:59:13.000000000 -0400
@@ -357,9 +357,9 @@ static void child(const char *hname, con
}
termenv[3] = NULL;
+ auth_finish();
+ closeall();
if (authenticated) {
- auth_finish();
- closeall();
execle(_PATH_LOGIN, "login", "-p",
"-h", hname, "-f", localuser, NULL, termenv);
}
@@ -368,8 +368,6 @@ static void child(const char *hname, con
syslog(LOG_AUTH|LOG_INFO, "rlogin with an option as a name!");
exit(1);
}
- auth_finish();
- closeall();
execle(_PATH_LOGIN, "login", "-p",
"-h", hname, localuser, NULL, termenv);
}
diff -urp netkit-rsh-0.17.orig/rshd/Makefile netkit-rsh-0.17/rshd/Makefile
--- netkit-rsh-0.17.orig/rshd/Makefile 2007-10-20 08:27:09.000000000 -0400
+++ netkit-rsh-0.17/rshd/Makefile 2007-10-20 11:00:49.000000000 -0400
@@ -9,6 +9,10 @@ ifeq ($(USE_PAM),1)
CFLAGS += -DUSE_PAM
LIBS += -ldl -lpam -lpam_misc
endif
+ifeq ($(USE_AUDIT),1)
+CFLAGS += -DUSE_AUDIT
+LIBS += -ldl -laudit
+endif
rshd: $(OBJS)
$(CC) $(LDFLAGS) $^ $(LIBS) -o $@
diff -urp netkit-rsh-0.17.orig/rshd/rshd.c netkit-rsh-0.17/rshd/rshd.c
--- netkit-rsh-0.17.orig/rshd/rshd.c 2007-10-20 08:27:09.000000000 -0400
+++ netkit-rsh-0.17/rshd/rshd.c 2007-10-20 11:04:16.000000000 -0400
@@ -90,6 +90,10 @@ char rcsid[] =
static pam_handle_t *pamh;
#endif /* USE_PAM */
+#ifdef USE_AUDIT
+#include <libaudit.h>
+#endif /* USE_AUDIT */
+
#define OPTIONS "aDhlLn"
static int keepalive = 1;
@@ -243,9 +247,21 @@ static struct passwd *doauth(const char
syslog(LOG_ERR, "pam_start: %s\n", pam_strerror(pamh, retcode));
exit (1);
}
- pam_set_item (pamh, PAM_RUSER, remuser);
- pam_set_item (pamh, PAM_RHOST, hostname);
- pam_set_item (pamh, PAM_TTY, "rsh"); /* we don't use a tty, so punt */
+ retcode = pam_set_item (pamh, PAM_RUSER, remuser);
+ if (retcode != PAM_SUCCESS) {
+ syslog(LOG_ERR, "pam_set_item: %s\n", pam_strerror(pamh, retcode));
+ exit (1);
+ }
+ retcode = pam_set_item (pamh, PAM_RHOST, hostname);
+ if (retcode != PAM_SUCCESS) {
+ syslog(LOG_ERR, "pam_set_item: %s\n", pam_strerror(pamh, retcode));
+ exit (1);
+ }
+ retcode = pam_set_item (pamh, PAM_TTY, "rsh"); /* we don't use a tty, so punt */
+ if (retcode != PAM_SUCCESS) {
+ syslog(LOG_ERR, "pam_set_item: %s\n", pam_strerror(pamh, retcode));
+ exit (1);
+ }
retcode = pam_authenticate(pamh, 0);
if (retcode == PAM_SUCCESS) {
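Review bot: The three new pam_set_item() failure paths in doauth() call exit(1) without releasing the PAM handle, whereas the equivalent paths this same patch adds in rlogind/auth.c call pam_end() first; adding `pam_end(pamh, retcode);` before each `exit (1);` keeps the two daemons' cleanup consistent. The three blocks are otherwise identical, so a small static helper (log, pam_end, exit) would also remove the repetition. doauth() starts outside the hunk.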
@@ -365,6 +381,27 @@ static const char *findhostname(struct s
return NULL; /* not reachable */
}
+static int log_audit(const char *username, int uid, const char *hostname,
+ int success)
+{
+#ifdef USE_AUDIT
+ int audit_fd = audit_open();
+ if (audit_fd < 0) {
+ if (errno != EINVAL && errno != EPROTONOSUPPORT &&
+ errno != EAFNOSUPPORT)
+ return 1;
+ } else {
+ int rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
+ NULL, "login", username, uid, hostname, NULL,
+ "rsh", success);
+ close(audit_fd);
+ if (rc <= 0)
+ return 1;
+ }
+#endif
+ return 0;
+}
+
static void
doit(struct sockaddr_storage *fromp, socklen_t fromlen)
{
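Review bot: log_audit() has a return convention that is the reverse of the libaudit call it wraps and is undocumented: it returns 1 when the event could not be sent and 0 on success — including when audit_open() fails with EINVAL, EPROTONOSUPPORT or EAFNOSUPPORT (no audit support available) and when USE_AUDIT is not compiled in. A header comment such as `/* Send an AUDIT_USER_LOGIN record for username@hostname; returns 0 on success or when auditing is unavailable, 1 if the event could not be delivered. */` would make the caller's test unambiguous. The body also needs errno.h and unistd.h for errno and close(); whether rshd.c already includes them is not visible in this hunk. When USE_AUDIT is undefined all four parameters are unused, so an `#else` branch with `(void)username; (void)uid; (void)hostname; (void)success;` would keep a -Wunused-parameter build clean.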
@@ -435,14 +472,21 @@ doit(struct sockaddr_storage *fromp, soc
setpwent();
pwd = doauth(remuser, hostname, locuser);
if (pwd == NULL) {
+ if (log_audit(remuser, pwd->pw_uid, hostname, 0) <= 0) {
+ fail("Error sending audit event.\n",
+ remuser, hostname, locuser, cmdbuf);
+ }
fail("Permission denied.\n",
remuser, hostname, locuser, cmdbuf);
}
-
if (pwd->pw_uid != 0 && !access(_PATH_NOLOGIN, F_OK)) {
error("Logins currently disabled.\n");
exit(1);
}
+ if (log_audit(remuser, pwd->pw_uid, hostname, 1) <= 0) {
+ fail("Error sending audit event.\n",
+ remuser, hostname, locuser, cmdbuf);
+ }
(void) write(2, "\0", 1);
sent_null = 1;
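Review bot: `pwd->pw_uid` on the line directly after `if (pwd == NULL) {` dereferences the pointer that test just found to be NULL, so every failed authentication crashes the child before the failure is audited or "Permission denied" is sent; pass the conventional unknown-id marker instead, `if (log_audit(remuser, -1, hostname, 0) != 0) {`. The condition on both new log_audit() calls is also inverted: log_audit() in this patch returns 0 on success and 1 when the event could not be sent, so `<= 0` makes fail("Error sending audit event.\n") run on the success path and never on the error path — the second call should read `if (log_audit(remuser, pwd->pw_uid, hostname, 1) != 0) {`. Note that fail() reports the audit-subsystem state to the remote peer; if that is not wanted, a local syslog() plus the generic failure message would keep the error private. doit() starts and ends outside the hunk.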
Index: rexec.pam
===================================================================
RCS file: /cvs/pkgs/rpms/rsh/devel/rexec.pam,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- rexec.pam 17 Jul 2006 12:51:26 -0000 1.6
+++ rexec.pam 26 Oct 2007 07:13:24 -0000 1.7
@@ -8,3 +8,4 @@
account include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
+session required pam_loginuid.so
Index: rlogin.pam
===================================================================
RCS file: /cvs/pkgs/rpms/rsh/devel/rlogin.pam,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- rlogin.pam 17 Jul 2006 12:51:26 -0000 1.5
+++ rlogin.pam 26 Oct 2007 07:13:24 -0000 1.6
@@ -10,3 +10,4 @@
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
+session required pam_loginuid.so
Index: rsh.pam
===================================================================
RCS file: /cvs/pkgs/rpms/rsh/devel/rsh.pam,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- rsh.pam 17 Jul 2006 12:51:26 -0000 1.5
+++ rsh.pam 26 Oct 2007 07:13:24 -0000 1.6
@@ -8,3 +8,4 @@
account include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
+session required pam_loginuid.so
Index: rsh.spec
===================================================================
RCS file: /cvs/pkgs/rpms/rsh/devel/rsh.spec,v
retrieving revision 1.40
retrieving revision 1.41
diff -u -r1.40 -r1.41
--- rsh.spec 16 Oct 2007 13:28:47 -0000 1.40
+++ rsh.spec 26 Oct 2007 07:13:24 -0000 1.41
@@ -1,7 +1,7 @@
Summary: Clients for remote access commands (rsh, rlogin, rcp).
Name: rsh
Version: 0.17
-Release: 44%{?dist}
+Release: 45%{?dist}
License: BSD
Group: Applications/Internet
@@ -10,6 +10,7 @@
BuildPrereq: ncurses-devel
BuildRequires: pam-devel
+BuildRequires: audit-libs-devel >= 1.5
Source: ftp://ftp.uk.linux.org/pub/linux/Networking/netkit/netkit-rsh-%{version}.tar.gz
Source1: rexec.pam
@@ -52,6 +53,7 @@
Patch31: netkit-rsh-0.17-pam_env.patch
Patch33: netkit-rsh-0.17-dns.patch
Patch34: netkit-rsh-0.17-nohostcheck-compat.patch
+Patch35: netkit-rsh-0.17-audit.patch
%description
The rsh package contains a set of programs which allow users to run
@@ -115,6 +117,7 @@
%patch31 -p1 -b .pam_env
%patch33 -p1 -b .dns
%patch34 -p1 -b .compat
+%patch35 -p1 -b .audit
# No, I don't know what this is doing in the tarball.
rm -f rexec/rexec
@@ -183,6 +186,9 @@
%{_mandir}/man8/*.8*
%changelog
+* Sat Oct 20 2007 Steve Grubb <sgrubb at redhat.com> 0.17-45
+- update for audit
+
* Tue Oct 16 2007 Adam Tkac <atkac redhat com> 0.17-44
- added -D option for compatibility with F8 test releases
- fixed rsh-server description