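--- gnome-screensaver-2.24.1-orig/configure.ac 2009-05-11 10:53:58.935363066 -0700
+++ gnome-screensaver-2.24.1/configure.ac 2009-05-11 10:54:39.210226052 -0700
@@ -584,6 +584,8 @@
 AC_CHECK_LIB(rt, sigtimedwait, [AUTH_LIBS="${AUTH_LIBS} -lrt"])
 fi
 
+ AC_CHECK_LIB(bsm, adt_start_session, [AUTH_LIBS="${AUTH_LIBS} -lbsm"])
+
 AC_MSG_CHECKING(how to call pam_strerror)
 AC_CACHE_VAL(ac_cv_pam_strerror_args,
 [AC_TRY_COMPILE([#include <stdio.h>
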
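Review bot: The new AC_CHECK_LIB(bsm, …) line only appends -lbsm to AUTH_LIBS and defines no preprocessor symbol, while the C side of this patch gates the audit code on `#ifdef sun`, so library detection and code selection are decoupled. A Solaris build where libbsm is absent still compiles the adt_* calls and then fails at link time, and a non-Solaris host that happens to have a libbsm links it for nothing. Consider adding a define to the action-if-found, e.g. `AC_CHECK_LIB(bsm, adt_start_session, [AUTH_LIBS="${AUTH_LIBS} -lbsm"; AC_DEFINE(HAVE_LIBBSM, 1, [Define if the Solaris adt audit library is available])])` (constructed name), and keying the C code on that macro instead of `sun`.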
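--- gnome-screensaver-2.24.1/src/gs-auth-pam.c.orig 2008-04-29 19:30:08.000000000 -0700
+++ gnome-screensaver-2.24.1/src/gs-auth-pam.c 2009-05-15 11:37:22.805307934 -0700
@@ -99,6 +99,128 @@
 static GCond *message_handled_condition;
 static GMutex *message_handler_mutex;
 
+#ifdef sun
+#include <syslog.h>
+#include <bsm/adt.h>
+#include <bsm/adt_event.h>
+#include <deflt.h>
+static gboolean audit_flag_global = TRUE;
+
+/*
+ * audit_lock - audit entry to screenlock
+ *
+ * Entry Process running with appropriate privilege to generate
+ * audit records and real uid of the user.
+ *
+ * Exit ADT_screenlock audit record written.
+ */
+void
+audit_lock(void)
+{
+ adt_session_data_t *ah; /* audit session handle */
+ adt_event_data_t *event; /* audit event handle */
+
+ /* Audit start of screen lock -- equivalent to logout ;-) */
+ if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA) != 0) {
+
+ syslog(LOG_AUTH | LOG_ALERT, "adt_start_session: %m");
+ return;
+ }
+ if ((event = adt_alloc_event(ah, ADT_screenlock)) == NULL) {
+
+ syslog(LOG_AUTH | LOG_ALERT,
+ "adt_alloc_event(ADT_screenlock): %m");
+ } else {
+ if (adt_put_event(event, ADT_SUCCESS, ADT_SUCCESS) != 0) {
+
+ syslog(LOG_AUTH | LOG_ALERT,
+ "adt_put_event(ADT_screenlock): %m");
+ }
+ adt_free_event(event);
+ }
+ (void) adt_end_session(ah);
+}
+
+/*
+ * audit_unlock - audit screen unlock
+ *
+ * Entry Process running with appropriate privilege to generate
+ * audit records and real uid of the user.
+ * pam_status = PAM error code; reason for failure.
+ *
+ * Exit ADT_screenunlock audit record written.
+ */
+static void
+audit_unlock(int pam_status)
+{
+ adt_session_data_t *ah; /* audit session handle */
+ adt_event_data_t *event;/* audit event handle */
+
+ if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA) != 0) {
+
+ syslog(LOG_AUTH | LOG_ALERT,
+ "adt_start_session(ADT_screenunlock): %m");
+ return;
+ }
+ if ((event = adt_alloc_event(ah, ADT_screenunlock)) == NULL) {
+
+ syslog(LOG_AUTH | LOG_ALERT,
+ "adt_alloc_event(ADT_screenunlock): %m");
+ } else {
+ if (adt_put_event(event,
+ pam_status == PAM_SUCCESS ? ADT_SUCCESS : ADT_FAILURE,
+ pam_status == PAM_SUCCESS ? ADT_SUCCESS : ADT_FAIL_PAM +
+ pam_status) != 0) {
+
+ syslog(LOG_AUTH | LOG_ALERT,
+ "adt_put_event(ADT_screenunlock(%s): %m",
+ pam_strerror(NULL, pam_status));
+ }
+ adt_free_event(event);
+ }
+ (void) adt_end_session(ah);
+}
+
+/*
+ * audit_passwd - audit password change
+ * Entry Process running with appropriate privilege to generate
+ * audit records and real uid of the user.
+ * pam_status = PAM error code; reason for failure.
+ *
+ * Exit ADT_passwd audit record written.
+ */
+static void
+audit_passwd(int pam_status)
+{
+ adt_session_data_t *ah; /* audit session handle */
+ adt_event_data_t *event; /* audit event handle */
+
+ if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA) != 0) {
+
+ syslog(LOG_AUTH | LOG_ALERT,
+ "adt_start_session(ADT_passwd): %m");
+ return;
+ }
+ if ((event = adt_alloc_event(ah, ADT_passwd)) == NULL) {
+
+ syslog(LOG_AUTH | LOG_ALERT,
+ "adt_alloc_event(ADT_passwd): %m");
+ } else {
+ if (adt_put_event(event,
+ pam_status == PAM_SUCCESS ? ADT_SUCCESS : ADT_FAILURE,
+ pam_status == PAM_SUCCESS ? ADT_SUCCESS : ADT_FAIL_PAM +
+ pam_status) != 0) {
+
+ syslog(LOG_AUTH | LOG_ALERT,
+ "adt_put_event(ADT_passwd(%s): %m",
+ pam_strerror(NULL, pam_status));
+ }
+ adt_free_event(event);
+ }
+ (void) adt_end_session(ah);
+}
+#endif /* sun */
+
 GQuark
 gs_auth_error_quark (void)
 {
@@ -481,14 +603,34 @@
 
 static int
 gs_auth_thread_func (int auth_operation_fd)
-{
- static const int flags = 0;
+{
+ int flags = 0;
 int status;
 int status2;
 struct timespec timeout;
 sigset_t set;
 const void *p;
 
+#ifdef sun
+ if (audit_flag_global) /* We want one audit lock log per lock */
+ audit_lock();
+
+ /* Check /etc/default/login to see if we should add
+ PAM_DISALLOW_NULL_AUTHTOK to pam_flags */
+ if (defopen("/etc/default/login") == 0) {
+ char *ptr;
+ int tflags = defcntl(DC_GETFLAGS, 0);
+ TURNOFF(tflags, DC_CASE);
+ (void) defcntl(DC_SETFLAGS, tflags);
+ if ((ptr = defread("PASSREQ=")) != NULL &&
+ strcasecmp("YES", ptr) == 0) {
+ flags |= PAM_DISALLOW_NULL_AUTHTOK;
+ }
+
+ (void) defopen((char *)NULL); /* close current file */
+ }
+#endif /* sun */
+
 timeout.tv_sec = 0;
 timeout.tv_nsec = 1;
 
@@ -499,6 +641,12 @@
 sigtimedwait (&set, NULL, &timeout);
 unblock_sigchld ();
 
+#ifdef sun
+ audit_unlock(status);
+ if (status == PAM_SUCCESS) audit_flag_global = TRUE;
+ else audit_flag_global = FALSE;
+#endif /* sun */
+
 if (gs_auth_get_verbose ()) {
 g_message (" pam_authenticate (...) ==> %d (%s)",
 status,
@@ -528,11 +676,32 @@
 PAM_STRERROR (pam_handle, status2));
 }
 
+#ifdef sun
+ if (status2 != PAM_SUCCESS)
+ audit_unlock(status2);
+#endif /* sun */
+
 /* FIXME: should we handle these? */
 switch (status2) {
 case PAM_SUCCESS:
 break;
 case PAM_NEW_AUTHTOK_REQD:
+#ifdef sun
+ {
+ int tst;
+ for (int i=0; i<3; i++)
+ {
+ tst = pam_chauthtok(pam_handle, PAM_CHANGE_EXPIRED_AUTHTOK);
+ if (tst == PAM_AUTHTOK_ERR ||
+ tst == PAM_TRY_AGAIN )
+ {
+ i = 0; /* Reset num tries we need to do to change expired passwd */
+ }
+ else break; /* get out of the loop */
+ } /* for */
+ audit_passwd(tst);
+#endif /* sun */
+ }
 break;
 case PAM_AUTHINFO_UNAVAIL:
 break;
@@ -560,6 +729,12 @@
 PAM_STRERROR (pam_handle, status2));
 }
 
+#ifdef sun
+ if (status2 != PAM_SUCCESS)
+ /* Only in failure of pam_setcred() case we call audit. */
+ audit_unlock(status2);
+#endif /* sun */
+
 done:
 /* we're done, close the fd and wake up the main
 * loop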
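Review bot: In the `@@ -528,11 +676,32 @@` hunk the closing `+ }` of the `case PAM_NEW_AUTHTOK_REQD:` block sits after `+#endif /* sun */`, while its opening `+ {` is inside the `#ifdef sun`, so every non-Solaris build now gets an unmatched brace and stops compiling; the `#endif` and the `}` need to swap places: `+ audit_passwd(tst);` / `+ }` / `+#endif /* sun */`. Inside that same block the retry loop resets `i = 0` on PAM_AUTHTOK_ERR and PAM_TRY_AGAIN, which defeats the `i<3` bound and lets pam_chauthtok be re-prompted indefinitely; if a hard cap is intended, count failures in a separate variable instead of rewinding the loop index. Reading the three `audit_unlock` call sites together, one unlock attempt appears able to emit an ADT_screenunlock record twice (once unconditionally after pam_authenticate in the `@@ -499,6 +641,12 @@` hunk, again on a pam_acct_mgmt or pam_setcred failure), which would inflate failure counts for anyone correlating audit logs — worth a comment at the first call site stating which record is authoritative. The enclosing gs_auth_thread_func starts and ends outside these hunks.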