Integrate audit_submit(3) bits into su. This means that records for

successful and failed su attempts will be recorded using the AUE_su event type (login or lo class) if auditing is present in the system. Currently, the records will have a header, subject, text (with the actual diagnostics), a return and trailer token. See audit_submit(3) for more information. Reviewed by: rwatson Obtained from: TrustedBSD Project
2006-09-01 13:39:02 +00:00 · 2006-09-01 13:39:02 +00:00 · 5c107d0b0f
commit 5c107d0b0f
parent c62317c442
2 changed files with 76 additions and 6 deletions
--- a/usr.bin/su/Makefile
+++ b/usr.bin/su/Makefile
@ -1,11 +1,19 @@
 #	@(#)Makefile	8.1 (Berkeley) 7/19/93
 # $FreeBSD$

+.include <bsd.own.mk>
+
 PROG=	su

 DPADD=	${LIBUTIL} ${LIBPAM}
 LDADD=	-lutil ${MINUSLPAM}

+.if ${MK_AUDIT} != "no"
+CFLAGS+= -DUSE_BSM_AUDIT
+DPADD+=  ${LIBBSM}
+LDADD+=  -lbsm
+.endif
+
 BINOWN=	root
 BINMODE=4555
 PRECIOUSPROG=
--- a/usr.bin/su/su.c
+++ b/usr.bin/su/su.c
@ -81,6 +81,11 @@ __FBSDID("$FreeBSD$");
 #include <sys/resource.h>
 #include <sys/wait.h>

+#ifdef USE_BSM_AUDIT
+#include <bsm/libbsm.h>
+#include <bsm/audit_uevents.h>
+#endif
+
 #include <err.h>
 #include <errno.h>
 #include <grp.h>
@ -93,6 +98,7 @@ __FBSDID("$FreeBSD$");
 #include <string.h>
 #include <syslog.h>
 #include <unistd.h>
+#include <stdarg.h>

 #include <security/pam_appl.h>
 #include <security/openpam.h>
@ -164,6 +170,10 @@ main(int argc, char *argv[])
 	const char	*p, *user, *shell, *mytty, **nargv;
 	struct sigaction sa, sa_int, sa_quit, sa_pipe;
 	int temp, fds[2];
+#ifdef USE_BSM_AUDIT
+	const char	*aerr;
+	au_id_t		 auid;
+#endif

 	shell = class = cleanenv = NULL;
 	asme = asthem = fastlogin = statusp = 0;
@ -204,9 +214,6 @@ main(int argc, char *argv[])
 		usage();
 	/* NOTREACHED */

-	if (strlen(user) > MAXLOGNAME - 1)
-		errx(1, "username too long");
-
 	/*
 	 * Try to provide more helpful debugging output if su(1) is running
 	 * non-setuid, or was run from a file system not mounted setuid.
@ -214,6 +221,21 @@ main(int argc, char *argv[])
 	if (geteuid() != 0)
 		errx(1, "not running setuid");

+#ifdef USE_BSM_AUDIT
+	if (getauid(&auid) < 0 && errno != ENOSYS) {
+		syslog(LOG_AUTH | LOG_ERR, "getauid: %s", strerror(errno));
+		errx(1, "Permission denied");
+	}
+#endif
+	if (strlen(user) > MAXLOGNAME - 1) {
+#ifdef USE_BSM_AUDIT
+		if (audit_submit(AUE_su, auid,
+		    1, EPERM, "username too long: '%s'", user))
+			errx(1, "Permission denied");
+#endif
+		errx(1, "username too long");
+	}
+
 	nargv = malloc(sizeof(char *) * (size_t)(argc + 4));
 	if (nargv == NULL)
 		errx(1, "malloc failure");
@ -239,8 +261,14 @@ main(int argc, char *argv[])
 	pwd = getpwnam(username);
 	if (username == NULL || pwd == NULL || pwd->pw_uid != ruid)
 		pwd = getpwuid(ruid);
-	if (pwd == NULL)
+	if (pwd == NULL) {
+#ifdef USE_BSM_AUDIT
+		if (audit_submit(AUE_su, auid, 1, EPERM,
+		    "unable to determine invoking subject: '%s'", username))
+			errx(1, "Permission denied");
+#endif
 		errx(1, "who are you?");
+	}

 	username = strdup(pwd->pw_name);
 	if (username == NULL)
@ -275,10 +303,19 @@ main(int argc, char *argv[])

 	retcode = pam_authenticate(pamh, 0);
 	if (retcode != PAM_SUCCESS) {
+#ifdef USE_BSM_AUDIT
+		if (audit_submit(AUE_su, auid, 1, EPERM, "bad su %s to %s on %s",
+		    username, user, mytty))
+			errx(1, "Permission denied");
+#endif
 		syslog(LOG_AUTH|LOG_WARNING, "BAD SU %s to %s on %s",
 		    username, user, mytty);
 		errx(1, "Sorry");
 	}
+#ifdef USE_BSM_AUDIT
+	if (audit_submit(AUE_su, auid, 0, 0, "successful authentication"))
+		errx(1, "Permission denied");
+#endif
 	retcode = pam_get_item(pamh, PAM_USER, (const void **)&p);
 	if (retcode == PAM_SUCCESS)
 		user = p;
@ -286,20 +323,39 @@ main(int argc, char *argv[])
 		syslog(LOG_ERR, "pam_get_item(PAM_USER): %s",
 		    pam_strerror(pamh, retcode));
 	pwd = getpwnam(user);
-	if (pwd == NULL)
+	if (pwd == NULL) {
+#ifdef USE_BSM_AUDIT
+		if (audit_submit(AUE_su, auid, 1, EPERM,
+		    "unknown subject: %s", user))
+			errx(1, "Permission denied");
+#endif
 		errx(1, "unknown login: %s", user);
+	}

 	retcode = pam_acct_mgmt(pamh, 0);
 	if (retcode == PAM_NEW_AUTHTOK_REQD) {
 		retcode = pam_chauthtok(pamh,
 			PAM_CHANGE_EXPIRED_AUTHTOK);
 		if (retcode != PAM_SUCCESS) {
+#ifdef USE_BSM_AUDIT
+			aerr = pam_strerror(pamh, retcode);
+			if (aerr == NULL)
+				aerr = "Unknown PAM error";
+			if (audit_submit(AUE_su, auid, 1, EPERM,
+			    "pam_chauthtok: %s", aerr))
+				errx(1, "Permission denied");
+#endif
 			syslog(LOG_ERR, "pam_chauthtok: %s",
 			    pam_strerror(pamh, retcode));
 			errx(1, "Sorry");
 		}
 	}
 	if (retcode != PAM_SUCCESS) {
+#ifdef USE_BSM_AUDIT
+		if (audit_submit(AUE_su, auid, 1, EPERM, "pam_acct_mgmt: %s",
+		    pam_strerror(pamh, retcode)))
+			errx(1, "Permission denied");
+#endif
 		syslog(LOG_ERR, "pam_acct_mgmt: %s",
 			pam_strerror(pamh, retcode));
 		errx(1, "Sorry");
@ -309,8 +365,14 @@ main(int argc, char *argv[])
 	if (class == NULL)
 		lc = login_getpwclass(pwd);
 	else {
-		if (ruid != 0)
+		if (ruid != 0) {
+#ifdef USE_BSM_AUDIT
+			if (audit_submit(AUE_su, auid, 1, EPERM,
+			    "only root may use -c"))
+				errx(1, "Permission denied");
+#endif
 			errx(1, "only root may use -c");
+		}
 		lc = login_getclass(class);
 		if (lc == NULL)
 			errx(1, "unknown class: %s", class);