From 54ab4cf43142a61b3585a5bfc5e410ce68e801cd Mon Sep 17 00:00:00 2001
From: Thibault Godouet
Date: Sun, 10 Apr 2011 15:03:08 +0100
Subject: [PATCH] Added libaudit support
---
 allow.c | 53 +++++++++++++++++++++++++++++++-----------------
 conf.c | 6 +++---
 config.h.in | 9 ++++++++
 configure.in | 47 ++++++++++++++++++++++++++++++++++++++++--
 doc/en/todo.sgml | 2 +-
 global.h | 4 ++++
 6 files changed, 96 insertions(+), 25 deletions(-)
diff --git a/allow.c b/allow.c
index a573ad6..daf2766 100644
--- a/allow.c
+++ b/allow.c
@@ -82,32 +82,47 @@ is_allowed(char *user) int deny = 0; /* check if user is in passwd file */ - if ( getpwnam(user) == NULL ) - return 0; + if ( getpwnam(user) != NULL ) { - /* check if user is in fcron.allow and/or in fcron.deny files */ - allow = in_file(user, fcronallow); - deny = in_file(user, fcrondeny); + /* check if user is in fcron.allow and/or in fcron.deny files */ + allow = in_file(user, fcronallow); + deny = in_file(user, fcrondeny); - if ( allow == -1 && deny == -1 ) - /* neither fcron.allow nor fcron.deny exist : - * we consider that user is allowed */ - return 1; + /* in_file() returns: + * -1 if file doesn't exist + * 0 if string is not in file, + * 1 if it is in file + * and 2 if file contains "all" string */ - if ( allow == -1 && deny == 0 ) - return 1; + if ( allow == -1 && deny == -1 ) + /* neither fcron.allow nor fcron.deny exist : + * we consider that user is allowed */ + return 1; + + if ( allow == -1 && deny == 0 ) + return 1; - if ( deny == -1 && allow == 1 ) - return 1; + if ( deny == -1 && allow == 1 ) + return 1; - if ( allow == 1 ) - if ( deny != 1 ) - return 1; - if ( allow == 2 ) - if ( deny <= 0 ) - return 1; + if ( allow == 1 && deny != 1 ) + return 1; + if ( allow == 2 && deny <= 0 ) + return 1; + + } /* if we gets here, user is not allowed */ + +#ifdef WITH_AUDIT + { + int audit_fd = audit_open(); + audit_log_user_message(audit_fd, AUDIT_USER_START, "fcron deny", + NULL, NULL, NULL, 0); + close(audit_fd); + } +#endif + return 0; } diff --git a/conf.c b/conf.c index ff885fd..c45b449 100644 --- a/conf.c +++ b/conf.c 
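Review bot: The audit block added at the end of the hunk never checks the descriptor returned by `audit_open()`, so when it fails (returns -1) the code hands -1 to `audit_log_user_message()` and then calls `close(-1)`; the handle is also released with plain `close()` instead of libaudit's `audit_close()`. The record text `"fcron deny"` does not carry the rejected account name, so the trail cannot say who was denied; since `user` is caller-supplied data it should be formatted into a bounded buffer (never passed as a format string) and that buffer used as the message. Whether AUDIT_USER_START is the right record type for a denial is worth confirming against the other cron implementations that log this event. The enclosing `is_allowed()` starts before the hunk, so where `user` comes from is not visible here, and I assume snprintf is already in scope through global.h.
```c
    /* … unchanged: getpwnam / fcron.allow / fcron.deny checks … */

#ifdef WITH_AUDIT
    {
        int audit_fd = audit_open();
        if (audit_fd >= 0) {
            char msg[256];
            /* user is data, never the format argument */
            snprintf(msg, sizeof msg, "fcron deny user=%s", user);
            audit_log_user_message(audit_fd, AUDIT_USER_START, msg,
                                   NULL, NULL, NULL, 0);
            audit_close(audit_fd);
        }
    }
#endif
```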
@@ -512,10 +512,10 @@ read_file(const char *file_name, cf_t *cf, int is_system_startup) #ifdef WITH_SELINUX /* - * Since crontab files are not directly executed, - * crond must ensure that the crontab file has + * Since fcrontab files are not directly executed, + * fcrond must ensure that the fcrontab file has * a context that is appropriate for the context of - * the user cron job. It performs an entrypoint + * the user fcron job. It performs an entrypoint * permission check for this purpose. */ #ifdef SYSFCRONTAB diff --git a/config.h.in b/config.h.in index 72dbffc..d823d05 100644 --- a/config.h.in +++ b/config.h.in @@ -352,6 +352,9 @@ /* Define if you have the header file. */ #undef HAVE_GRP_H +/* Define if you have the header file. */ +#undef HAVE_LIBAUDIT_H + /* Define if you have the header file. */ #undef HAVE_LIMITS_H @@ -433,12 +436,18 @@ /* Define if you have the header file. */ #undef HAVE_UNISTD_H +/* Define if you have the audit library (-laudit). */ +#undef HAVE_LIBAUDIT + /* Define if you have the dgc library (-ldgc). */ #undef HAVE_LIBDGC /* Define if you have the pam library (-lpam). */ #undef HAVE_LIBPAM +/* Have audit trails (libaudit) support */ +#undef WITH_AUDIT + /* Have SE Linux support */ #undef WITH_SELINUX diff --git a/configure.in b/configure.in index 1261a89..b726699 100644 --- a/configure.in +++ b/configure.in @@ -54,7 +54,7 @@ AC_CHECK_HEADERS(stdarg.h) AC_CHECK_HEADERS(termios.h) AC_CHECK_HEADERS(strings.h) AC_CHECK_HEADERS(sys/types.h sys/socket.h sys/un.h) -AC_CHECK_HEADERS(security/pam_appl.h pam/pam_appl.h crypt.h shadow.h) +AC_CHECK_HEADERS(security/pam_appl.h pam/pam_appl.h crypt.h shadow.h libaudit.h) AC_CHECK_HEADERS(sys/resource.h) AC_CHECK_HEADERS(grp.h) 
@@ -84,6 +84,7 @@ AC_FUNC_STRFTIME AC_FUNC_WAIT3 AC_CHECK_LIB(xnet, shutdown) AC_CHECK_LIB(selinux, getcon, [selinuxavail=1], [selinuxavail=0]) +AC_CHECK_LIB(audit, audit_open, [auditavail=1], [auditavail=0]) AC_CHECK_FUNC(getloadavg, [getloadavg=1], [getloadavg=0]) AC_CHECK_LIB(kstat, kstat_open, [kstat=1], [kstat=0]) if test $getloadavg -eq 1; then @@ -422,6 +423,7 @@ WARNING : fcrondyn=0 usepam=0 useselinux=0 + useaudit=0 ;; *) AC_MSG_ERROR(Invalid argument : please use 'yes' or 'no'.) @@ -761,6 +763,40 @@ AC_DEFINE_UNQUOTED(ANSWERALL, "$answerall") AC_SUBST(ANSWERALL) +AC_MSG_CHECKING(if audit trails should be enabled if available) +AC_ARG_WITH(audit, +[ --with-audit=[yes|no] Enable (or not) audit trails if available (default: yes).], +[ case "$withval" in + no) + useaudit=0 + ;; + yes) + useaudit=1 + ;; + *) + AC_MSG_ERROR(Must be set to either "yes" or "no".) + ;; + esac ] +) +if test useaudit = "0"; then + AC_MSG_RESULT(no) +elif test "$useaudit" = "1" && test "$auditavail" != 1; then + useaudit=0 + AC_MSG_RESULT(not available) + AC_MSG_ERROR([ + You requested audit trails to be enabled, but libaudit was not found. +]) +elif test "$auditavail" = 1; then + useaudit=1 + AC_MSG_RESULT(yes) + LIBS="$LIBS -laudit" + AC_DEFINE(WITH_AUDIT) +else + useaudit=0 + AC_MSG_RESULT(no) +fi + + if test "$usepam" = ""; then usepam=1 fi @@ -976,6 +1012,13 @@ else echo "no" fi +echo -n "Audit trails : " +if test "$useaudit" -eq 1; then + echo "yes" +else + echo "no" +fi + echo -n "PAM : " if test "$usepam" -eq 1; then echo "yes" @@ -998,7 +1041,7 @@ else fi echo -n "Load average support : " -if test "$getloadavg" -eq 1 -o ! -z "$proc"; then +if test "$getloadavg" -eq 1 -o -n "$proc"; then echo "yes" else echo "no" diff --git a/doc/en/todo.sgml b/doc/en/todo.sgml index d336187..05fdf41 100644 --- a/doc/en/todo.sgml +++ b/doc/en/todo.sgml 
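Review bot: `if test useaudit = "0"; then` in the new `--with-audit` block is missing the `$`, so it compares the literal word `useaudit` with `0` and is never true; as a result `--with-audit=no`, and the `useaudit=0` set in the earlier WARNING case in this same change, are silently ignored and audit trails are enabled whenever libaudit was found. The line should read `if test "$useaudit" = "0"; then`. With that fix the summary block added further down (`echo -n "Audit trails : "`) reports the state the user actually asked for.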
@@ -25,7 +25,7 @@ A copy of the license is included in gfdl.sgml. High priority - add audit (libaudit) + add audit (libaudit) + TEST Use directory notifications (FAM) / inotify, and support a fcrontab diff --git a/global.h b/global.h index 3c2491f..7952c7a 100644 --- a/global.h +++ b/global.h @@ -128,6 +128,10 @@ #include #endif +#ifdef WITH_AUDIT +#include +#endif + #ifdef HAVE_LIBPAM #include "pam.h" #endif -- 2.40.0
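Review bot: The new include in global.h is gated on WITH_AUDIT alone, but configure.in defines WITH_AUDIT solely from the `AC_CHECK_LIB(audit, audit_open)` link test, while the `libaudit.h` probe added to AC_CHECK_HEADERS (HAVE_LIBAUDIT_H) is never consulted; on a host with the library but without the header the build fails at this include rather than at configure time. Either require both in the enabling branch, `elif test "$auditavail" = 1 && test "$ac_cv_header_libaudit_h" = yes; then`, or drop the unused header probe. The header name itself appears to have been lost in extraction of this page; I assume it is libaudit.h.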