Add a -a argument to id(1), which causes id(1) to print out process

audit properties, including the audit user id. This can be quite helpful in debugging audit problems. Obtained from: TrustedBSD Project MFC after: 3 days
svn path=/head/; revision=162571
2006-09-23 12:30:31 +00:00 · 2006-09-23 12:30:31 +00:00 · 5bae3124ab · 2020-12-20 02:59:44 +00:00
commit 5bae3124ab
parent 4af4fcb71a
3 changed files with 57 additions and 3 deletions
--- a/usr.bin/id/Makefile
+++ b/usr.bin/id/Makefile
@ -1,10 +1,18 @@
 #	@(#)Makefile	8.1 (Berkeley) 6/6/93
 # $FreeBSD$

+.include <bsd.own.mk>
+
 PROG=	id
 WARNS?=	6
 LINKS=	${BINDIR}/id ${BINDIR}/groups
 LINKS+=	${BINDIR}/id ${BINDIR}/whoami
 MAN=	id.1 groups.1 whoami.1

+.if ${MK_AUDIT} != "no"
+CFLAGS+=	-DUSE_BSM_AUDIT
+DPADD+=	${LIBBSM}
+LDADD+=	-lbsm
+.endif
+
 .include <bsd.prog.mk>
--- a/usr.bin/id/id.1
+++ b/usr.bin/id/id.1
@ -53,6 +53,8 @@
 .Fl P
 .Op Ar user
 .Nm
+.Fl a
+.Nm
 .Fl g Op Fl nr
 .Op Ar user
 .Nm
@ -84,6 +86,9 @@ as white-space separated numbers, in no particular order.
 Display the MAC label of the current process.
 .It Fl P
 Display the id as a password file entry.
+.It Fl a
+Display the process audit user ID and other process audit properties, which
+requires privilege.
 .It Fl g
 Display the effective group ID as a number.
 .It Fl n
--- a/usr.bin/id/id.c
+++ b/usr.bin/id/id.c
@ -48,6 +48,10 @@ __FBSDID("$FreeBSD$");
 #include <sys/param.h>
 #include <sys/mac.h>

+#ifdef USE_BSM_AUDIT
+#include <bsm/audit.h>
+#endif
+
 #include <err.h>
 #include <errno.h>
 #include <grp.h>
@ -60,6 +64,7 @@ __FBSDID("$FreeBSD$");
 void	id_print(struct passwd *, int, int, int);
 void	pline(struct passwd *);
 void	pretty(struct passwd *);
+void	auditid(void);
 void	group(struct passwd *, int);
 void	maclabel(void);
 void	usage(void);
@ -73,9 +78,11 @@ main(int argc, char *argv[])
 	struct group *gr;
 	struct passwd *pw;
 	int Gflag, Mflag, Pflag, ch, gflag, id, nflag, pflag, rflag, uflag;
+	int aflag;
 	const char *myname;

 	Gflag = Mflag = Pflag = gflag = nflag = pflag = rflag = uflag = 0;
+	aflag = 0;

 	myname = strrchr(argv[0], '/');
 	myname = (myname != NULL) ? myname + 1 : argv[0];
@ -89,7 +96,7 @@ main(int argc, char *argv[])
 	}

 	while ((ch = getopt(argc, argv,
-	    (isgroups || iswhoami) ? "" : "PGMgnpru")) != -1)
+	    (isgroups || iswhoami) ? "" : "PGMagnpru")) != -1)
 		switch(ch) {
 		case 'G':
 			Gflag = 1;
@ -100,6 +107,9 @@ main(int argc, char *argv[])
 		case 'P':
 			Pflag = 1;
 			break;
+		case 'a':
+			aflag = 1;
+			break;
 		case 'g':
 			gflag = 1;
 			break;
@ -125,7 +135,7 @@ main(int argc, char *argv[])
 	if (iswhoami && argc > 0)
 		usage();

-	switch(Gflag + Pflag + gflag + pflag + uflag) {
+	switch(Gflag + Mflag + Pflag + aflag + gflag + pflag + uflag) {
 	case 1:
 		break;
 	case 0:
@ -141,6 +151,16 @@ main(int argc, char *argv[])
 	if (Mflag && pw != NULL)
 		usage();

+#ifdef USE_BSM_AUDIT
+	if (aflag) {
+		auditid();
+		exit(0);
+	}
+#else
+	if (aflag)
+		usage();
+#endif
+
 	if (gflag) {
 		id = pw ? pw->pw_gid : rflag ? getgid() : getegid();
 		if (nflag && (gr = getgrgid(id)))
@ -278,6 +298,22 @@ id_print(struct passwd *pw, int use_ggl, int p_euid, int p_egid)
 	printf("\n");
 }

+#ifdef USE_BSM_AUDIT
+void
+auditid(void)
+{
+	auditinfo_t auditinfo;
+
+	if (getaudit(&auditinfo) < 0)
+		err(-1, "getauditinfo");
+	printf("auid=%d\n", auditinfo.ai_auid);
+	printf("mask.success=0x%08x\n", auditinfo.ai_mask.am_success);
+	printf("mask.failure=0x%08x\n", auditinfo.ai_mask.am_failure);
+	printf("termid.port=0x%08x\n", auditinfo.ai_termid.port);
+	printf("asid=%d\n", auditinfo.ai_asid);
+}
+#endif
+
 void
 group(struct passwd *pw, int nflag)
 {
@ -382,11 +418,16 @@ usage(void)
 	else if (iswhoami)
 		(void)fprintf(stderr, "usage: whoami\n");
 	else
-		(void)fprintf(stderr, "%s\n%s\n%s\n%s\n%s\n%s\n%s\n",
+		(void)fprintf(stderr, "%s\n%s\n%s\n%s%s\n%s\n%s\n%s\n",
 		    "usage: id [user]",
 		    "       id -G [-n] [user]",
 		    "       id -M",
 		    "       id -P [user]",
+#ifdef USE_BSM_AUDIT
+		    "       id -a\n",
+#else
+		    "",
+#endif
 		    "       id -g [-nr] [user]",
 		    "       id -p [user]",
 		    "       id -u [-nr] [user]");