Adam Tkac 6f20f98
diff -up netkit-rsh-0.17/rshd/Makefile.audit netkit-rsh-0.17/rshd/Makefile
Adam Tkac 6f20f98
--- netkit-rsh-0.17/rshd/Makefile.audit	2008-03-25 12:33:26.000000000 +0100
Adam Tkac 6f20f98
+++ netkit-rsh-0.17/rshd/Makefile	2008-03-25 12:33:26.000000000 +0100
Adam Tkac 196989d
@@ -9,6 +9,10 @@ ifeq ($(USE_PAM),1)
Adam Tkac 196989d
 CFLAGS += -DUSE_PAM
Adam Tkac 196989d
 LIBS += -ldl -lpam -lpam_misc
Adam Tkac 196989d
 endif
Adam Tkac 196989d
+ifeq ($(USE_AUDIT),1)
Adam Tkac 196989d
+CFLAGS += -DUSE_AUDIT
Adam Tkac 196989d
+LIBS += -ldl -laudit
Adam Tkac 196989d
+endif
Adam Tkac 196989d
 
Adam Tkac 196989d
 rshd: $(OBJS)
Adam Tkac 196989d
 	$(CC) $(LDFLAGS) $^ $(LIBS) -o $@
Adam Tkac 6f20f98
diff -up netkit-rsh-0.17/rshd/rshd.c.audit netkit-rsh-0.17/rshd/rshd.c
Adam Tkac 6f20f98
--- netkit-rsh-0.17/rshd/rshd.c.audit	2008-03-25 12:33:26.000000000 +0100
Adam Tkac 6f20f98
+++ netkit-rsh-0.17/rshd/rshd.c	2008-03-25 12:35:37.000000000 +0100
Adam Tkac 196989d
@@ -90,6 +90,10 @@ char rcsid[] = 
Adam Tkac 196989d
 static pam_handle_t *pamh;
Adam Tkac 196989d
 #endif /* USE_PAM */
Adam Tkac 196989d
 
Adam Tkac 196989d
+#ifdef USE_AUDIT
Adam Tkac 196989d
+#include <libaudit.h>
Adam Tkac 196989d
+#endif /* USE_AUDIT */
Adam Tkac 196989d
+
Adam Tkac 196989d
 #define	OPTIONS	"aDhlLn"
Adam Tkac 196989d
 
Adam Tkac 196989d
 static int keepalive = 1;
Adam Tkac 6f20f98
@@ -224,6 +228,14 @@ static void stderr_parent(int sock, int 
Adam Tkac 6f20f98
     exit(0);
Adam Tkac 6f20f98
 }
Adam Tkac 6f20f98
 
Adam Tkac 6f20f98
+#define PAM_SET_ITEM(item,val) \
Adam Tkac 6f20f98
+    do { \
Adam Tkac 6f20f98
+	retcode = pam_set_item(pamh, (item), (val)); \
Adam Tkac 6f20f98
+	if (retcode != PAM_SUCCESS) { \
Adam Tkac 6f20f98
+	    syslog(LOG_ERR, "pam_set_item: %s\n", pam_strerror(pamh, retcode)); \
Adam Tkac 6f20f98
+	    exit (1); \
Adam Tkac 6f20f98
+	} \
Adam Tkac 6f20f98
+    } while (0)
Adam Tkac 6f20f98
 
Adam Tkac 6f20f98
 static struct passwd *doauth(const char *remuser, 
Adam Tkac 6f20f98
 			     const char *hostname, 
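Review bot: The failure branch of `PAM_SET_ITEM` calls `exit (1)` without `pam_end(pamh, retcode)`, whereas the macro of the same name added to rlogind/auth.c in this patch ends the PAM transaction before bailing out; adding `pam_end(pamh, retcode); \` before the `exit` would keep the two consistent. The macro also depends on a `retcode` variable at the expansion site and on the file-scope `pamh`, which deserves a one-line comment above the `#define`, e.g. `/* Uses the caller's retcode and the file-scope pamh; logs and exits on failure. */`. No `#ifdef USE_PAM` is visible around the definition, so whether it is compiled only in PAM builds cannot be confirmed from this hunk.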
Adam Tkac 6f20f98
@@ -243,9 +255,10 @@ static struct passwd *doauth(const char 
Adam Tkac 196989d
 	syslog(LOG_ERR, "pam_start: %s\n", pam_strerror(pamh, retcode));
Adam Tkac 196989d
 	exit (1);
Adam Tkac 196989d
     }
Adam Tkac 196989d
-    pam_set_item (pamh, PAM_RUSER, remuser);
Adam Tkac 196989d
-    pam_set_item (pamh, PAM_RHOST, hostname);
Adam Tkac 196989d
-    pam_set_item (pamh, PAM_TTY, "rsh");  /* we don't use a tty, so punt */
Adam Tkac 6f20f98
+
Adam Tkac 6f20f98
+    PAM_SET_ITEM(PAM_RUSER, remuser);
Adam Tkac 6f20f98
+    PAM_SET_ITEM(PAM_RHOST, hostname);
Adam Tkac 6f20f98
+    PAM_SET_ITEM(PAM_TTY, "rsh");  /* we don't use a tty, so punt */
Adam Tkac 196989d
     
Adam Tkac 196989d
     retcode = pam_authenticate(pamh, 0);
Adam Tkac 196989d
     if (retcode == PAM_SUCCESS) {
Adam Tkac 6f20f98
@@ -365,6 +378,27 @@ static const char *findhostname(struct s
Adam Tkac 196989d
 	return NULL; /* not reachable */
Adam Tkac 196989d
 }
Adam Tkac 196989d
 
Adam Tkac 196989d
+static int log_audit(const char *username, int uid, const char *hostname,
Adam Tkac 196989d
+			int success)
Adam Tkac 196989d
+{
Adam Tkac 196989d
+#ifdef USE_AUDIT
Adam Tkac 196989d
+	int audit_fd = audit_open();
Adam Tkac 196989d
+	if (audit_fd < 0) {
Adam Tkac 196989d
+		if (errno != EINVAL && errno != EPROTONOSUPPORT &&
Adam Tkac 196989d
+					errno != EAFNOSUPPORT) 
Adam Tkac 196989d
+			return 1;
Adam Tkac 196989d
+	} else {
Adam Tkac 196989d
+		int rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
Adam Tkac 196989d
+				NULL, "login", username, uid, hostname, NULL,
Adam Tkac 196989d
+				"rsh", success);
Adam Tkac 196989d
+		close(audit_fd);
Adam Tkac 196989d
+		if (rc <= 0) 
Adam Tkac 196989d
+			return 1;
Adam Tkac 196989d
+	}
Adam Tkac 196989d
+#endif
Adam Tkac 196989d
+	return 0;
Adam Tkac 196989d
+}
Adam Tkac 196989d
+
Adam Tkac 196989d
 static void
Adam Tkac 196989d
 doit(struct sockaddr_storage *fromp, socklen_t fromlen)
Adam Tkac 196989d
 {
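Review bot: `log_audit` has no comment stating its contract, and its fail-open behaviour matters to anyone relying on the audit trail: it returns 0 when `audit_open()` fails with `EINVAL`, `EPROTONOSUPPORT` or `EAFNOSUPPORT`, and always returns 0 when `USE_AUDIT` is not defined, so in both cases the login proceeds with no record. A header comment such as `/* Returns 0 if the record was sent, or if audit is compiled out or audit_open() fails with EINVAL/EPROTONOSUPPORT/EAFNOSUPPORT; 1 otherwise. */` would make that policy explicit. As smaller points, `uid` is declared `int` while the caller in `doit()` passes `pwd->pw_uid`, and libaudit provides `audit_close()` as the counterpart of `audit_open()` in place of the bare `close(audit_fd)`.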
Adam Tkac 6f20f98
@@ -435,14 +469,21 @@ doit(struct sockaddr_storage *fromp, soc
Adam Tkac 196989d
 	setpwent();
Adam Tkac 196989d
 	pwd = doauth(remuser, hostname, locuser);
Adam Tkac 196989d
 	if (pwd == NULL) {
Adam Tkac aa01253
+		if (log_audit(remuser, -1, hostname, 0) > 0) {
Adam Tkac 196989d
+			fail("Error sending audit event.\n", 
Adam Tkac 196989d
+			     remuser, hostname, locuser, cmdbuf);
Adam Tkac 196989d
+		}
Adam Tkac 196989d
 		fail("Permission denied.\n", 
Adam Tkac 196989d
 		     remuser, hostname, locuser, cmdbuf);
Adam Tkac 196989d
 	}
Adam Tkac 196989d
-
Adam Tkac 196989d
 	if (pwd->pw_uid != 0 && !access(_PATH_NOLOGIN, F_OK)) {
Adam Tkac 196989d
 		error("Logins currently disabled.\n");
Adam Tkac 196989d
 		exit(1);
Adam Tkac 196989d
 	}
Adam Tkac aa01253
+	if (log_audit(NULL, pwd->pw_uid, hostname, 1) > 0) {
Adam Tkac 196989d
+		fail("Error sending audit event.\n", 
Adam Tkac 196989d
+		     remuser, hostname, locuser, cmdbuf);
Adam Tkac 196989d
+	}
Adam Tkac 196989d
 
Adam Tkac 196989d
 	(void) write(2, "\0", 1);
Adam Tkac 196989d
 	sent_null = 1;
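Review bot: The failed-login record is keyed on `remuser`, the name supplied by the remote side, while the success record is keyed on `pwd->pw_uid`, so the two event types name different identities and a failure cannot be matched to the local account that was targeted. If `locuser` is the account being logged into, as the `doauth(remuser, hostname, locuser)` call suggests, the failure call would read `log_audit(locuser, -1, hostname, 0)`. The `_PATH_NOLOGIN` rejection between the two calls exits with no audit record at all, which leaves a gap for that kind of denied login. `doit()` begins and continues outside this hunk, so rejections that may follow the success record cannot be checked from here.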
Adam Tkac 6f20f98
diff -up netkit-rsh-0.17/rexecd/rexecd.c.audit netkit-rsh-0.17/rexecd/rexecd.c
Adam Tkac 6f20f98
--- netkit-rsh-0.17/rexecd/rexecd.c.audit	2008-03-25 12:33:26.000000000 +0100
Adam Tkac 6f20f98
+++ netkit-rsh-0.17/rexecd/rexecd.c	2008-03-25 12:33:26.000000000 +0100
Adam Tkac 6f20f98
@@ -312,9 +312,12 @@ doit(struct sockaddr_in *fromp)
Adam Tkac 6f20f98
        PAM_password = pass;
Adam Tkac 6f20f98
        pam_error = pam_start("rexec", PAM_username, &PAM_conversation,&pamh);
Adam Tkac 6f20f98
        PAM_BAIL;
Adam Tkac 6f20f98
-       pam_set_item (pamh, PAM_RUSER, user);
Adam Tkac 6f20f98
-       pam_set_item (pamh, PAM_RHOST, remote);	       
Adam Tkac 6f20f98
-       pam_set_item (pamh, PAM_TTY, "rexec");   /* we don't have a tty yet! */
Adam Tkac 6f20f98
+       pam_error = pam_set_item (pamh, PAM_RUSER, user);
Adam Tkac 6f20f98
+       PAM_BAIL;
Adam Tkac 6f20f98
+       pam_error = pam_set_item (pamh, PAM_RHOST, remote);	       
Adam Tkac 6f20f98
+       PAM_BAIL;
Adam Tkac 6f20f98
+       pam_error = pam_set_item (pamh, PAM_TTY, "rexec");   /* we don't have a tty yet! */
Adam Tkac 6f20f98
+       PAM_BAIL;
Adam Tkac 6f20f98
        pam_error = pam_authenticate(pamh, 0);
Adam Tkac 6f20f98
        PAM_BAIL;
Adam Tkac 6f20f98
        pam_error = pam_acct_mgmt(pamh, 0);
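Review bot: rexecd gets the `pam_set_item` return checks but no audit record, whereas rshd's `doit()` calls `log_audit` for both outcomes in this same patch; if rexec logins are meant to appear in the audit trail, an equivalent call is missing here. `PAM_BAIL` is defined outside the hunk, so whether it ends the PAM transaction before bailing out cannot be confirmed from these lines. The rest of `doit()` also lies outside the hunk.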
Adam Tkac 6f20f98
diff -up netkit-rsh-0.17/rlogind/auth.c.audit netkit-rsh-0.17/rlogind/auth.c
Adam Tkac 6f20f98
--- netkit-rsh-0.17/rlogind/auth.c.audit	2008-03-25 12:33:26.000000000 +0100
Adam Tkac 6f20f98
+++ netkit-rsh-0.17/rlogind/auth.c	2008-03-25 12:33:26.000000000 +0100
Adam Tkac 6f20f98
@@ -102,6 +102,16 @@ static int attempt_auth(void) {
Adam Tkac 6f20f98
     return retval;
Adam Tkac 6f20f98
 }
Adam Tkac 6f20f98
 
Adam Tkac 6f20f98
+#define PAM_SET_ITEM(item,val) \
Adam Tkac 6f20f98
+    do { \
Adam Tkac 6f20f98
+	retval = pam_set_item(pamh, (item), (val)); \
Adam Tkac 6f20f98
+	if (retval != PAM_SUCCESS) { \
Adam Tkac 6f20f98
+	    syslog(LOG_ERR, "pam_set_item: %s\n", pam_strerror(pamh, retval)); \
Adam Tkac 6f20f98
+	    pam_end(pamh, retval); \
Adam Tkac 6f20f98
+	    fatal(STDERR_FILENO, "initialization failed", 0); \
Adam Tkac 6f20f98
+	} \
Adam Tkac 6f20f98
+    } while (0)
Adam Tkac 6f20f98
+
Adam Tkac 6f20f98
 /*
Adam Tkac 6f20f98
  * This function must either die, return -1 on authentication failure,
Adam Tkac 6f20f98
  * or return 0 on authentication success. Dying is discouraged.
Adam Tkac 6f20f98
@@ -117,17 +127,19 @@ int auth_checkauth(const char *remoteuse
Adam Tkac 6f20f98
     retval = pam_start("rlogin", localuser, &conv, &pamh);
Adam Tkac 6f20f98
     if (retval != PAM_SUCCESS) {
Adam Tkac 6f20f98
 	syslog(LOG_ERR, "pam_start: %s\n", pam_strerror(pamh, retval));
Adam Tkac 6f20f98
+        pam_end(pamh, retval);
Adam Tkac 6f20f98
 	fatal(STDERR_FILENO, "initialization failed", 0);
Adam Tkac 6f20f98
     }
Adam Tkac 6f20f98
 	
Adam Tkac 6f20f98
-    pam_set_item(pamh, PAM_USER, localuser);
Adam Tkac 6f20f98
-    pam_set_item(pamh, PAM_RUSER, remoteuser);
Adam Tkac 6f20f98
-    pam_set_item(pamh, PAM_RHOST, host);
Adam Tkac 6f20f98
-    pam_set_item(pamh, PAM_TTY, "rlogin");   /* we don't have a tty yet! */
Adam Tkac 6f20f98
-	
Adam Tkac 6f20f98
+    PAM_SET_ITEM(PAM_USER, localuser);
Adam Tkac 6f20f98
+    PAM_SET_ITEM(PAM_RUSER, remoteuser);
Adam Tkac 6f20f98
+    PAM_SET_ITEM(PAM_RHOST, host);
Adam Tkac 6f20f98
+    PAM_SET_ITEM(PAM_TTY, "rlogin");   /* we don't have a tty yet! */
Adam Tkac 6f20f98
+
Adam Tkac 6f20f98
     network_confirm();
Adam Tkac 6f20f98
     retval = attempt_auth();
Adam Tkac 6f20f98
     if ((retval == PAM_ACCT_EXPIRED) || (retval == PAM_PERM_DENIED)) {
Adam Tkac 6f20f98
+	pam_end(pamh, retval);
Adam Tkac 6f20f98
 	syslog(LOG_ERR, "PAM authentication denied for in.rlogind");
Adam Tkac 6f20f98
 	exit(1);
Adam Tkac 6f20f98
     } else if (retval != PAM_SUCCESS) {
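Review bot: The added `pam_end(pamh, retval);` in the `pam_start` failure branch runs on a handle that `pam_start` did not successfully create, so it has nothing to release and relies on the library tolerating such a handle; I would drop that line (the existing `pam_strerror(pamh, retval)` just above it has the same dependency). The line is also indented with spaces where its neighbours use a tab. The new `pam_end` in the `PAM_ACCT_EXPIRED`/`PAM_PERM_DENIED` branch looks fine; whether the following `else if (retval != PAM_SUCCESS)` branch needs one too cannot be seen, because its body is outside the hunk.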
Adam Tkac 6f20f98
diff -up netkit-rsh-0.17/rlogind/rlogind.c.audit netkit-rsh-0.17/rlogind/rlogind.c
Adam Tkac 6f20f98
--- netkit-rsh-0.17/rlogind/rlogind.c.audit	2008-03-25 12:33:26.000000000 +0100
Adam Tkac 6f20f98
+++ netkit-rsh-0.17/rlogind/rlogind.c	2008-03-25 12:33:26.000000000 +0100
Adam Tkac 6f20f98
@@ -357,9 +357,9 @@ static void child(const char *hname, con
Adam Tkac 6f20f98
     }
Adam Tkac 6f20f98
     termenv[3] = NULL;
Adam Tkac 6f20f98
 
Adam Tkac 6f20f98
+    auth_finish();
Adam Tkac 6f20f98
+    closeall();
Adam Tkac 6f20f98
     if (authenticated) {
Adam Tkac 6f20f98
-	auth_finish();
Adam Tkac 6f20f98
-	closeall();
Adam Tkac 6f20f98
 	execle(_PATH_LOGIN, "login", "-p",
Adam Tkac 6f20f98
 	       "-h", hname, "-f", localuser, NULL, termenv);
Adam Tkac 6f20f98
     } 
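Review bot: Hoisting `auth_finish(); closeall();` above `if (authenticated)` changes the ordering of the error path in the other branch (second hunk, `@@ -368,8 +368,6 @@`): the `syslog(LOG_AUTH|LOG_INFO, "rlogin with an option as a name!")` call and `exit(1)` now run after `closeall()` instead of before it. If `closeall()` closes the descriptor syslog is using, that message depends on `syslog()` reconnecting. A comment at the hoisted calls, e.g. `/* done before either execle() below and before the option-name check */`, would record that the new ordering is intentional. `child()` starts outside both hunks.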
Adam Tkac 6f20f98
@@ -368,8 +368,6 @@ static void child(const char *hname, con
Adam Tkac 6f20f98
 	    syslog(LOG_AUTH|LOG_INFO, "rlogin with an option as a name!");
Adam Tkac 6f20f98
 	    exit(1);
Adam Tkac 6f20f98
 	}
Adam Tkac 6f20f98
-	auth_finish();
Adam Tkac 6f20f98
-	closeall();
Adam Tkac 6f20f98
 	execle(_PATH_LOGIN, "login", "-p",
Adam Tkac 6f20f98
 	       "-h", hname, localuser, NULL, termenv);
Adam Tkac 6f20f98
     }
Adam Tkac 6f20f98
diff -up netkit-rsh-0.17/configure.audit netkit-rsh-0.17/configure
Adam Tkac 6f20f98
--- netkit-rsh-0.17/configure.audit	2000-07-29 20:00:29.000000000 +0200
Adam Tkac 6f20f98
+++ netkit-rsh-0.17/configure	2008-03-25 12:33:26.000000000 +0100
Adam Tkac 6f20f98
@@ -19,8 +19,9 @@ while [ x$1 != x ]; do case $1 in
Adam Tkac 6f20f98
 Usage: configure [options]
Adam Tkac 6f20f98
     --help                Show this message
Adam Tkac 6f20f98
     --with-debug          Enable debugging
Adam Tkac 6f20f98
-    --without-pam      Disable PAM support
Adam Tkac 6f20f98
+    --without-pam         Disable PAM support
Adam Tkac 6f20f98
     --without-shadow      Disable shadow password support
Adam Tkac 6f20f98
+    --without-audit       Disable audit support
Adam Tkac 6f20f98
     --prefix=path         Prefix for location of files [/usr]
Adam Tkac 6f20f98
     --exec-prefix=path    Location for arch-depedent files [prefix]
Adam Tkac 6f20f98
     --installroot=root    Top of filesystem tree to install in [/]
Adam Tkac 6f20f98
@@ -47,6 +48,7 @@ EOF
Adam Tkac 6f20f98
 	--with-c-compiler=*) CC=`echo $1 | sed 's/^[^=]*=//'` ;;
Adam Tkac 6f20f98
 	--without-pam|--disable-pam) WITHOUT_PAM=1;;
Adam Tkac 6f20f98
 	--without-shadow|--disable-shadow) WITHOUT_SHADOW=1;;
Adam Tkac 6f20f98
+	--without-audit|--disable-audit) WITHOUT_AUDIT=1;;
Adam Tkac 6f20f98
 	*) echo "Unrecognized option: $1"; exit 1;;
Adam Tkac 6f20f98
 esac 
Adam Tkac 6f20f98
 shift
Adam Tkac 6f20f98
@@ -342,6 +344,32 @@ rm -f __conftest*
Adam Tkac 6f20f98
 
Adam Tkac 6f20f98
 ##################################################
Adam Tkac 6f20f98
 
Adam Tkac 6f20f98
+echo -n 'Checking for AUDIT... '
Adam Tkac 6f20f98
+if [ x$WITHOUT_AUDIT != x ]; then
Adam Tkac 6f20f98
+    echo disabled
Adam Tkac 6f20f98
+else
Adam Tkac 6f20f98
+cat <<EOF >__conftest.c
Adam Tkac 6f20f98
+#include <stdio.h>
Adam Tkac 6f20f98
+#include <libaudit.h>
Adam Tkac 6f20f98
+int main() {
Adam Tkac 6f20f98
+    audit_log_acct_message(1, AUDIT_USER_LOGIN, NULL, NULL, NULL, 0, NULL, NULL, NULL, 0);
Adam Tkac 6f20f98
+    return 0;
Adam Tkac 6f20f98
+}
Adam Tkac 6f20f98
+
Adam Tkac 6f20f98
+EOF
Adam Tkac 6f20f98
+if (
Adam Tkac 6f20f98
+      $CC $CFLAGS  __conftest.c -laudit -o __conftest || exit 1
Adam Tkac 6f20f98
+   ) >/dev/null 2>&1; then
Adam Tkac 6f20f98
+        echo 'yes'
Adam Tkac 6f20f98
+        USE_AUDIT=1
Adam Tkac 6f20f98
+    else
Adam Tkac 6f20f98
+        echo 'no'
Adam Tkac 6f20f98
+    fi
Adam Tkac 6f20f98
+fi
Adam Tkac 6f20f98
+rm -f __conftest*
Adam Tkac 6f20f98
+
Adam Tkac 6f20f98
+##################################################
Adam Tkac 6f20f98
+
Adam Tkac 6f20f98
 echo -n 'Checking for crypt... '
Adam Tkac 6f20f98
 cat <<EOF >__conftest.c
Adam Tkac 6f20f98
 int main() { crypt("aa", "bb"); }
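Review bot: When the libaudit probe fails, configure prints `no` and carries on, so a build host that merely lacks the libaudit headers produces an rshd that emits no audit records, with only one line of configure output to show for it. Since `--without-audit` already exists for opting out, consider making the dependency mandatory for builds that rely on it, or at least say on the `no` branch that audit logging will be compiled out, e.g. `echo 'no (audit logging disabled)'`. The probe links with `-laudit` only, while rshd/Makefile links `-ldl -laudit`; that is harmless as long as libaudit needs nothing from libdl at link time.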
Adam Tkac 6f20f98
@@ -593,5 +621,6 @@ echo 'Generating MCONFIG...'
Adam Tkac 6f20f98
     echo "USE_PAM=$USE_PAM"
Adam Tkac 6f20f98
     echo "USE_SHADOW=$USE_SHADOW"
Adam Tkac 6f20f98
     echo "LIBSHADOW=$LIBSHADOW"
Adam Tkac 6f20f98
+    echo "USE_AUDIT=$USE_AUDIT"
Adam Tkac 6f20f98
 ) > MCONFIG
Adam Tkac 6f20f98