--- a/patches/xscreensaver-14-pam_audit.diff Wed Jun 02 03:23:43 2010 +0000
+++ b/patches/xscreensaver-14-pam_audit.diff Wed Jun 02 03:25:58 2010 +0000
@@ -59,7 +59,7 @@
/* Some time between Red Hat 4.2 and 7.0, the words were transposed
in the various PAM_x_CRED macro names. Yay!
*/
-@@ -183,6 +188,129 @@ Bool pam_priv_init (int argc, char **argv, Bool verbose_p);
+@@ -186,6 +191,124 @@ Bool pam_priv_init (int argc, char **argv, Bool verbose_p);
*/
static void *suns_pam_implementation_blows = 0;
@@ -81,8 +81,8 @@
+void
+audit_lock(void)
+{
-+ adt_session_data_t *ah; /* audit session handle */
-+ adt_event_data_t *event; /* audit event handle */
++ adt_session_data_t *ah; /* audit session handle */
++ adt_event_data_t *event; /* audit event handle */
+
+ /* Audit start of screen lock -- equivalent to logout ;-) */
+ if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA) != 0)
@@ -92,14 +92,12 @@
+ }
+ if ((event = adt_alloc_event(ah, ADT_screenlock)) == NULL)
+ {
-+ syslog(LOG_AUTH | LOG_ALERT,
-+ "adt_alloc_event(ADT_screenlock): %m");
++ syslog(LOG_AUTH | LOG_ALERT, "adt_alloc_event(ADT_screenlock): %m");
+ } else {
+ if (adt_put_event(event, ADT_SUCCESS, ADT_SUCCESS) != 0)
-+ {
-+ syslog(LOG_AUTH | LOG_ALERT,
-+ "adt_put_event(ADT_screenlock): %m");
-+ }
++ {
++ syslog(LOG_AUTH | LOG_ALERT, "adt_put_event(ADT_screenlock): %m");
++ }
+ adt_free_event(event);
+ }
+ (void) adt_end_session(ah);
@@ -117,30 +115,30 @@
+static void
+audit_unlock(int pam_status)
+{
-+ adt_session_data_t *ah; /* audit session handle */
-+ adt_event_data_t *event; /* audit event handle */
++ adt_session_data_t *ah; /* audit session handle */
++ adt_event_data_t *event; /* audit event handle */
+
+ if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA) != 0)
+ {
+ syslog(LOG_AUTH | LOG_ALERT,
-+ "adt_start_session(ADT_screenunlock): %m");
++ "adt_start_session(ADT_screenunlock): %m");
+ return;
+ }
+ if ((event = adt_alloc_event(ah, ADT_screenunlock)) == NULL)
+ {
+ syslog(LOG_AUTH | LOG_ALERT,
-+ "adt_alloc_event(ADT_screenunlock): %m");
++ "adt_alloc_event(ADT_screenunlock): %m");
+ } else {
+ if (adt_put_event(event,
-+ pam_status == PAM_SUCCESS ? ADT_SUCCESS : ADT_FAILURE,
-+ pam_status == PAM_SUCCESS ? ADT_SUCCESS
-+ : ADT_FAIL_PAM + pam_status)
-+ != 0)
-+ {
-+ syslog(LOG_AUTH | LOG_ALERT,
-+ "adt_put_event(ADT_screenunlock(%s): %m",
-+ pam_strerror(NULL, pam_status));
-+ }
++ pam_status == PAM_SUCCESS ? ADT_SUCCESS : ADT_FAILURE,
++ pam_status == PAM_SUCCESS ? ADT_SUCCESS
++ : ADT_FAIL_PAM + pam_status)
++ != 0)
++ {
++ syslog(LOG_AUTH | LOG_ALERT,
++ "adt_put_event(ADT_screenunlock(%s): %m",
++ pam_strerror(NULL, pam_status));
++ }
+ adt_free_event(event);
+ }
+ (void) adt_end_session(ah);
@@ -157,30 +155,27 @@
+static void
+audit_passwd(int pam_status)
+{
-+ adt_session_data_t *ah; /* audit session handle */
-+ adt_event_data_t *event; /* audit event handle */
++ adt_session_data_t *ah; /* audit session handle */
++ adt_event_data_t *event; /* audit event handle */
+
+ if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA) != 0)
+ {
-+ syslog(LOG_AUTH | LOG_ALERT,
-+ "adt_start_session(ADT_passwd): %m");
++ syslog(LOG_AUTH | LOG_ALERT, "adt_start_session(ADT_passwd): %m");
+ return;
+ }
+ if ((event = adt_alloc_event(ah, ADT_passwd)) == NULL)
+ {
-+ syslog(LOG_AUTH | LOG_ALERT,
-+ "adt_alloc_event(ADT_passwd): %m");
++ syslog(LOG_AUTH | LOG_ALERT, "adt_alloc_event(ADT_passwd): %m");
+ } else {
+ if (adt_put_event(event,
-+ pam_status == PAM_SUCCESS ? ADT_SUCCESS : ADT_FAILURE,
-+ pam_status == PAM_SUCCESS ? ADT_SUCCESS
-+ : ADT_FAIL_PAM + pam_status)
-+ != 0)
-+ {
-+ syslog(LOG_AUTH | LOG_ALERT,
-+ "adt_put_event(ADT_passwd(%s): %m",
-+ pam_strerror(NULL, pam_status));
-+ }
++ pam_status == PAM_SUCCESS ? ADT_SUCCESS : ADT_FAILURE,
++ pam_status == PAM_SUCCESS ? ADT_SUCCESS
++ : ADT_FAIL_PAM + pam_status)
++ != 0)
++ {
++ syslog(LOG_AUTH | LOG_ALERT, "adt_put_event(ADT_passwd(%s): %m",
++ pam_strerror(NULL, pam_status));
++ }
+ adt_free_event(event);
+ }
+ (void) adt_end_session(ah);
@@ -189,7 +184,7 @@
/**
* This function is the PAM conversation driver. It conducts a full
-@@ -235,6 +363,12 @@ pam_try_unlock(saver_info *si, Bool verbose_p,
+@@ -239,6 +362,12 @@ pam_try_unlock(saver_info *si, Bool verbose_p,
fprintf (stderr, "%s: pam_start (\"%s\", \"%s\", ...) ==> %d (%s)\n",
blurb(), service, si->user,
status, PAM_STRERROR (pamh, status));
@@ -202,7 +197,7 @@
if (status != PAM_SUCCESS) goto DONE;
/* copying from xlock */
-@@ -311,6 +445,14 @@ pam_try_unlock(saver_info *si, Bool verbose_p,
+@@ -315,6 +444,14 @@ pam_try_unlock(saver_info *si, Bool verbose_p,
# endif /* HAVE_SIGTIMEDWAIT */
unblock_sigchld();
@@ -214,23 +209,27 @@
+ audit_flag_global = False;
+#endif /*sun*/
+
- /* Send status message to unlock dialog ***/
+ #ifdef HAVE_XSCREENSAVER_LOCK
+ /* Send status message to unlock dialog */
if (pam_auth_status == PAM_SUCCESS)
- {
-@@ -370,6 +512,11 @@ pam_try_unlock(saver_info *si, Bool verbose_p,
- }
+@@ -367,7 +504,14 @@ pam_try_unlock(saver_info *si, Bool verbose_p,
+ if (acct_rc == PAM_SUCCESS)
+ write_to_child (si, "ul_acct_ok", PAM_STRERROR(pamh, acct_rc));
else
- {
+- write_to_child (si, "ul_acct_fail", PAM_STRERROR(pamh, acct_rc));
++ {
+#ifdef __sun
+ /* Only in failure of pam_acct_mgmt case we call audit */
+ audit_unlock (acct_rc);
+#endif /*sun*/
+
- write_to_child (si, "ul_acct_fail");
- tmp_buf = (char*)PAM_STRERROR(pamh, acct_rc);
- write_to_child (si, tmp_buf);
-@@ -401,6 +548,10 @@ pam_try_unlock(saver_info *si, Bool verbose_p,
- fprintf (stderr, "%s: pam_chauthtok (...) ==> %d (%s)\n",
++ write_to_child (si, "ul_acct_fail", PAM_STRERROR(pamh, acct_rc));
++ }
+ if (verbose_p)
+ sleep (1);
+ #endif
+@@ -396,6 +540,10 @@ pam_try_unlock(saver_info *si, Bool verbose_p,
+ fprintf (stderr, "%s: pam_chauthtok (...) ==> %d (%s)\n",
blurb(), chauth_rc, PAM_STRERROR(pamh, chauth_rc));
+#ifdef __sun
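Review bot: The audit call for a failed pam_acct_mgmt() now sits in the `else` arm of the dialog status reporting, which the `#ifdef HAVE_XSCREENSAVER_LOCK` … `#endif` lines on the new side appear to enclose, so a build without that macro would likely emit no audit record for this failure. The opening of the conditional around the `if (acct_rc == PAM_SUCCESS)` test is outside this hunk, so this is inferred from the `#endif` that follows `sleep (1);`. Keeping the audit independent of the UI messaging would close the gap, e.g. `#ifdef __sun` / `if (acct_rc != PAM_SUCCESS) audit_unlock (acct_rc);` / `#endif` placed ahead of the conditional block. The pam_setcred() hunk that follows has the same shape with `audit_unlock (setcred_rc);`.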
@@ -240,19 +239,22 @@
if (chauth_rc != PAM_SUCCESS)
{
pam_auth_status = chauth_rc;
-@@ -442,6 +593,11 @@ pam_try_unlock(saver_info *si, Bool verbose_p,
- }
+@@ -429,7 +577,13 @@ pam_try_unlock(saver_info *si, Bool verbose_p,
+ if (setcred_rc == PAM_SUCCESS)
+ write_to_child (si, "ul_setcred_ok", PAM_STRERROR(pamh, setcred_rc));
else
- {
+- write_to_child (si, "ul_setcred_fail", PAM_STRERROR(pamh, setcred_rc));
++ {
+#ifdef __sun
+ /* Only in failure of pam_setcred() case we call audit. */
+ audit_unlock (setcred_rc);
+#endif /*sun*/
-+
- write_to_child (si, "ul_setcred_fail");
- tmp_buf = (char*)PAM_STRERROR(pamh, setcred_rc);
- write_to_child (si, tmp_buf);
-@@ -739,6 +895,11 @@ pam_conversation (int nmsgs,
++ write_to_child (si, "ul_setcred_fail", PAM_STRERROR(pamh, setcred_rc));
++ }
+ if (verbose_p)
+ sleep (1);
+ #endif
+@@ -714,6 +868,11 @@ pam_conversation (int nmsgs,
default:
ret = -1;
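Review bot: The comment `/* Only in failure of pam_setcred() case we call audit. */` says what the code does but not why the success case is skipped or where a successful unlock is recorded, which is what someone checking audit coverage needs to know. Something like `/* pam_setcred() failed: record a failed screenunlock; success is audited at <location of the success-path audit call>. */` would make that verifiable. The closing `#endif /*sun*/` also names a different macro from the `#ifdef __sun` it ends; `#endif /* __sun */` matches. pam_try_unlock's body extends beyond this hunk, so the success path is not visible here.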
@@ -264,3 +266,4 @@
goto end;
} /* end switch */
}
+