diff -up netkit-rsh-0.17/rshd/Makefile.audit netkit-rsh-0.17/rshd/Makefile --- netkit-rsh-0.17/rshd/Makefile.audit 2008-03-25 12:33:26.000000000 +0100 +++ netkit-rsh-0.17/rshd/Makefile 2008-03-25 12:33:26.000000000 +0100 @@ -9,6 +9,10 @@ ifeq ($(USE_PAM),1) CFLAGS += -DUSE_PAM LIBS += -ldl -lpam -lpam_misc endif +ifeq ($(USE_AUDIT),1) +CFLAGS += -DUSE_AUDIT +LIBS += -ldl -laudit +endif rshd: $(OBJS) $(CC) $(LDFLAGS) $^ $(LIBS) -o $@ diff -up netkit-rsh-0.17/rshd/rshd.c.audit netkit-rsh-0.17/rshd/rshd.c --- netkit-rsh-0.17/rshd/rshd.c.audit 2008-03-25 12:33:26.000000000 +0100 +++ netkit-rsh-0.17/rshd/rshd.c 2008-03-25 12:35:37.000000000 +0100 @@ -90,6 +90,10 @@ char rcsid[] = static pam_handle_t *pamh; #endif /* USE_PAM */ +#ifdef USE_AUDIT +#include +#endif /* USE_AUDIT */ + #define OPTIONS "aDhlLn" static int keepalive = 1; @@ -224,6 +228,14 @@ static void stderr_parent(int sock, int exit(0); } +#define PAM_SET_ITEM(item,val) \ + do { \ + retcode = pam_set_item(pamh, (item), (val)); \ + if (retcode != PAM_SUCCESS) { \ + syslog(LOG_ERR, "pam_set_item: %s\n", pam_strerror(pamh, retcode)); \ + exit (1); \ + } \ + } while (0) static struct passwd *doauth(const char *remuser, const char *hostname, @@ -243,9 +255,10 @@ static struct passwd *doauth(const char syslog(LOG_ERR, "pam_start: %s\n", pam_strerror(pamh, retcode)); exit (1); } - pam_set_item (pamh, PAM_RUSER, remuser); - pam_set_item (pamh, PAM_RHOST, hostname); - pam_set_item (pamh, PAM_TTY, "rsh"); /* we don't use a tty, so punt */ + + PAM_SET_ITEM(PAM_RUSER, remuser); + PAM_SET_ITEM(PAM_RHOST, hostname); + PAM_SET_ITEM(PAM_TTY, "rsh"); /* we don't use a tty, so punt */ retcode = pam_authenticate(pamh, 0); if (retcode == PAM_SUCCESS) { @@ -365,6 +378,27 @@ static const char *findhostname(struct s return NULL; /* not reachable */ } +static int log_audit(const char *username, int uid, const char *hostname, + int success) +{ +#ifdef USE_AUDIT + int audit_fd = audit_open(); + if (audit_fd < 0) { + if (errno != EINVAL && errno != EPROTONOSUPPORT && + errno != EAFNOSUPPORT) + return 1; + } else { + int rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN, + NULL, "login", username, uid, hostname, NULL, + "rsh", success); + close(audit_fd); + if (rc <= 0) + return 1; + } +#endif + return 0; +} + static void doit(struct sockaddr_storage *fromp, socklen_t fromlen) { @@ -435,14 +469,21 @@ doit(struct sockaddr_storage *fromp, soc setpwent(); pwd = doauth(remuser, hostname, locuser); if (pwd == NULL) { + if (log_audit(remuser, -1, hostname, 0) > 0) { + fail("Error sending audit event.\n", + remuser, hostname, locuser, cmdbuf); + } fail("Permission denied.\n", remuser, hostname, locuser, cmdbuf); } - if (pwd->pw_uid != 0 && !access(_PATH_NOLOGIN, F_OK)) { error("Logins currently disabled.\n"); exit(1); } + if (log_audit(NULL, pwd->pw_uid, hostname, 1) > 0) { + fail("Error sending audit event.\n", + remuser, hostname, locuser, cmdbuf); + } (void) write(2, "\0", 1); sent_null = 1; diff -up netkit-rsh-0.17/rexecd/rexecd.c.audit netkit-rsh-0.17/rexecd/rexecd.c --- netkit-rsh-0.17/rexecd/rexecd.c.audit 2008-03-25 12:33:26.000000000 +0100 +++ netkit-rsh-0.17/rexecd/rexecd.c 2008-03-25 12:33:26.000000000 +0100 @@ -312,9 +312,12 @@ doit(struct sockaddr_in *fromp) PAM_password = pass; pam_error = pam_start("rexec", PAM_username, &PAM_conversation,&pamh); PAM_BAIL; - pam_set_item (pamh, PAM_RUSER, user); - pam_set_item (pamh, PAM_RHOST, remote); - pam_set_item (pamh, PAM_TTY, "rexec"); /* we don't have a tty yet! */ + pam_error = pam_set_item (pamh, PAM_RUSER, user); + PAM_BAIL; + pam_error = pam_set_item (pamh, PAM_RHOST, remote); + PAM_BAIL; + pam_error = pam_set_item (pamh, PAM_TTY, "rexec"); /* we don't have a tty yet! */ + PAM_BAIL; pam_error = pam_authenticate(pamh, 0); PAM_BAIL; pam_error = pam_acct_mgmt(pamh, 0); diff -up netkit-rsh-0.17/rlogind/auth.c.audit netkit-rsh-0.17/rlogind/auth.c --- netkit-rsh-0.17/rlogind/auth.c.audit 2008-03-25 12:33:26.000000000 +0100 +++ netkit-rsh-0.17/rlogind/auth.c 2008-03-25 12:33:26.000000000 +0100 @@ -102,6 +102,16 @@ static int attempt_auth(void) { return retval; } +#define PAM_SET_ITEM(item,val) \ + do { \ + retval = pam_set_item(pamh, (item), (val)); \ + if (retval != PAM_SUCCESS) { \ + syslog(LOG_ERR, "pam_set_item: %s\n", pam_strerror(pamh, retval)); \ + pam_end(pamh, retval); \ + fatal(STDERR_FILENO, "initialization failed", 0); \ + } \ + } while (0) + /* * This function must either die, return -1 on authentication failure, * or return 0 on authentication success. Dying is discouraged. @@ -117,17 +127,19 @@ int auth_checkauth(const char *remoteuse retval = pam_start("rlogin", localuser, &conv, &pamh); if (retval != PAM_SUCCESS) { syslog(LOG_ERR, "pam_start: %s\n", pam_strerror(pamh, retval)); + pam_end(pamh, retval); fatal(STDERR_FILENO, "initialization failed", 0); } - pam_set_item(pamh, PAM_USER, localuser); - pam_set_item(pamh, PAM_RUSER, remoteuser); - pam_set_item(pamh, PAM_RHOST, host); - pam_set_item(pamh, PAM_TTY, "rlogin"); /* we don't have a tty yet! */ - + PAM_SET_ITEM(PAM_USER, localuser); + PAM_SET_ITEM(PAM_RUSER, remoteuser); + PAM_SET_ITEM(PAM_RHOST, host); + PAM_SET_ITEM(PAM_TTY, "rlogin"); /* we don't have a tty yet! */ + network_confirm(); retval = attempt_auth(); if ((retval == PAM_ACCT_EXPIRED) || (retval == PAM_PERM_DENIED)) { + pam_end(pamh, retval); syslog(LOG_ERR, "PAM authentication denied for in.rlogind"); exit(1); } else if (retval != PAM_SUCCESS) { diff -up netkit-rsh-0.17/rlogind/rlogind.c.audit netkit-rsh-0.17/rlogind/rlogind.c --- netkit-rsh-0.17/rlogind/rlogind.c.audit 2008-03-25 12:33:26.000000000 +0100 +++ netkit-rsh-0.17/rlogind/rlogind.c 2008-03-25 12:33:26.000000000 +0100 @@ -357,9 +357,9 @@ static void child(const char *hname, con } termenv[3] = NULL; + auth_finish(); + closeall(); if (authenticated) { - auth_finish(); - closeall(); execle(_PATH_LOGIN, "login", "-p", "-h", hname, "-f", localuser, NULL, termenv); } @@ -368,8 +368,6 @@ static void child(const char *hname, con syslog(LOG_AUTH|LOG_INFO, "rlogin with an option as a name!"); exit(1); } - auth_finish(); - closeall(); execle(_PATH_LOGIN, "login", "-p", "-h", hname, localuser, NULL, termenv); } diff -up netkit-rsh-0.17/configure.audit netkit-rsh-0.17/configure --- netkit-rsh-0.17/configure.audit 2000-07-29 20:00:29.000000000 +0200 +++ netkit-rsh-0.17/configure 2008-03-25 12:33:26.000000000 +0100 @@ -19,8 +19,9 @@ while [ x$1 != x ]; do case $1 in Usage: configure [options] --help Show this message --with-debug Enable debugging - --without-pam Disable PAM support + --without-pam Disable PAM support --without-shadow Disable shadow password support + --without-audit Disable audit support --prefix=path Prefix for location of files [/usr] --exec-prefix=path Location for arch-depedent files [prefix] --installroot=root Top of filesystem tree to install in [/] @@ -47,6 +48,7 @@ EOF --with-c-compiler=*) CC=`echo $1 | sed 's/^[^=]*=//'` ;; --without-pam|--disable-pam) WITHOUT_PAM=1;; --without-shadow|--disable-shadow) WITHOUT_SHADOW=1;; + --without-audit|--disable-audit) WITHOUT_AUDIT=1;; *) echo "Unrecognized option: $1"; exit 1;; esac shift @@ -342,6 +344,32 @@ rm -f __conftest* ################################################## +echo -n 'Checking for AUDIT... ' +if [ x$WITHOUT_AUDIT != x ]; then + echo disabled +else +cat <__conftest.c +#include +#include +int main() { + audit_log_acct_message(1, AUDIT_USER_LOGIN, NULL, NULL, NULL, 0, NULL, NULL, NULL, 0); + return 0; +} + +EOF +if ( + $CC $CFLAGS __conftest.c -laudit -o __conftest || exit 1 + ) >/dev/null 2>&1; then + echo 'yes' + USE_AUDIT=1 + else + echo 'no' + fi +fi +rm -f __conftest* + +################################################## + echo -n 'Checking for crypt... ' cat <__conftest.c int main() { crypt("aa", "bb"); } @@ -593,5 +621,6 @@ echo 'Generating MCONFIG...' echo "USE_PAM=$USE_PAM" echo "USE_SHADOW=$USE_SHADOW" echo "LIBSHADOW=$LIBSHADOW" + echo "USE_AUDIT=$USE_AUDIT" ) > MCONFIG