/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */

#include <assert.h>
#include <errno.h>
#include <priv.h>
#include <pwd.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <sys/wait.h>

#include <bsm/adt.h>
#include <bsm/adt_event.h>
#include "login_audit.h"

/*
 * Key assumption: login is single threaded.
 */
static void audit_logout(adt_session_data_t *);

/*
 * if audit is not enabled, the adt_*() functions simply return without
 * doing anything. In the success case, the credential has already been
 * setup with audit data by PAM.
 */

/*
 * There is no information passed to login.c from rlogin or telnet
 * about the terminal id. They both set the tid before they
 * exec login; the value is picked up by adt_start_session() and is
 * carefully *not* overwritten by adt_load_hostname().
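*/

/*
 * audit_success: write the audit record for a successful login.
 *
 * event_id	audit event to record (ADT_login, ADT_rlogin, ADT_telnet,
 *		ADT_zlogin, ...)
 * pwd		the authenticated user's passwd entry; must not be NULL
 * optional_text free-form message; only recorded for ADT_zlogin
 *
 * Errors are reported via syslog; there is nothing else the caller can
 * do about them.  For the interactive login events a child is forked
 * (see audit_logout()) so that the matching ADT_logout record is written
 * when the session ends; that only happens when auditing is enabled.
 * In the parent of that fork this function never returns.
 */
void
audit_success(uint_t event_id, struct passwd *pwd, char *optional_text)
{
	adt_session_data_t *ah;
	adt_event_data_t *event;
	int rc;

	assert(pwd != NULL);

	if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA)) {
		syslog(LOG_AUTH | LOG_ALERT, "login adt_start_session(): %m");
		return;
	}
	/*
	 * ADT_USER with a NULL terminal id: the audit context already
	 * on the process credential (set up by PAM) is used as is.
	 */
	if (adt_set_user(ah, pwd->pw_uid, pwd->pw_gid,
	    pwd->pw_uid, pwd->pw_gid, NULL, ADT_USER)) {
		syslog(LOG_AUTH | LOG_ALERT, "login adt_set_user(): %m");
		(void) adt_end_session(ah);
		return;
	}
	event = adt_alloc_event(ah, event_id);
	if (event == NULL) {
		/* this path used to return without ending the session */
		syslog(LOG_AUTH | LOG_ALERT, "login adt_alloc_event(): %m");
		(void) adt_end_session(ah);
		return;
	}

	switch (event_id) {
	case ADT_zlogin:
		event->adt_zlogin.message = optional_text;
		break;
	default:
		break;
	}
	rc = adt_put_event(event, ADT_SUCCESS, ADT_SUCCESS);

	(void) adt_free_event(event);
	if (rc) {
		/* log first so %m still reflects adt_put_event()'s errno */
		syslog(LOG_AUTH | LOG_ALERT, "login adt_put_event(): %m");
		(void) adt_end_session(ah);
		return;
	}
	/*
	 * The code above executes whether or not audit is enabled.
	 * However audit_logout must only execute if audit is
	 * enabled so we don't fork unnecessarily.
	 */
	if (adt_audit_enabled()) {
		switch (event_id) {
		case ADT_login:
		case ADT_rlogin:
		case ADT_telnet:
		case ADT_zlogin:
			audit_logout(ah);	/* fork to catch logout */
			break;
		default:
			break;
		}
	}
	/* only reached in the child (or when no fork happened) */
	(void) adt_end_session(ah);
}

/*
 * audit_logout: arrange for an ADT_logout record when the session ends.
 *
 * Forks.  The child returns immediately and carries on with the login
 * processing; the parent waits for the child to exit, writes the
 * ADT_logout record on session handle ah and exits with the child's
 * exit status.  This function therefore returns only in the child, or
 * on an allocation/fork failure (in which case no logout record will
 * be written for this session).
 *
 * errors are ignored (beyond a syslog message) since there is no
 * action to take on error
 */
static void
audit_logout(adt_session_data_t *ah)
{
	adt_event_data_t *logout;
	int status = 0;		/* wait status; stays 0 if waitpid() fails */
	pid_t pid;
	priv_set_t *priv;	/* waiting process privs */

	if ((logout = adt_alloc_event(ah, ADT_logout)) == NULL) {
		syslog(LOG_AUTH | LOG_ALERT,
		    "adt_alloc_event(ADT_logout): %m");
		return;
	}
	if ((priv = priv_allocset()) == NULL) {
		syslog(LOG_AUTH | LOG_ALERT,
		    "login audit_logout: could not alloc basic privs: %m");
		adt_free_event(logout);
		return;
	}

	/*
	 * The child returns and continues the login processing.
	 * The parent's sole job is to wait for child exit, write the
	 * logout audit record, and replay the child's exit code.
	 */
	pid = fork();
	if (pid == 0) {
		/* child: release the parent-only resources and carry on */
		adt_free_event(logout);
		priv_freeset(priv);
		return;
	}
	if (pid == -1) {
		syslog(LOG_AUTH | LOG_ALERT,
		    "login audit_logout: could not fork: %m");
		adt_free_event(logout);
		priv_freeset(priv);
		return;
	}

	/* parent process */

	/*
	 * When this routine is called, the current working
	 * directory is the user's home directory and there are
	 * unknown open files. For the waiting process, change the
	 * current directory to root and close files so that the
	 * user's home directory and anything else can be unmounted
	 * if necessary.
	 */
	if (chdir("/") != 0) {
		syslog(LOG_AUTH | LOG_ALERT,
		    "login audit_logout: could not chdir /: %m");
	}
	/*
	 * Reduce privileges to just those needed: the basic set without
	 * PRIV_PROC_EXEC, PRIV_PROC_FORK, PRIV_PROC_INFO, PRIV_PROC_SESSION
	 * and PRIV_FILE_LINK_ANY, plus PRIV_PROC_AUDIT for the
	 * adt_put_event() below.  A failure here is only logged: the
	 * waiting process then keeps its current privileges rather than
	 * giving up on the logout record.
	 */
	priv_basicset(priv);
	(void) priv_delset(priv, PRIV_PROC_EXEC);
	(void) priv_delset(priv, PRIV_PROC_FORK);
	(void) priv_delset(priv, PRIV_PROC_INFO);
	(void) priv_delset(priv, PRIV_PROC_SESSION);
	(void) priv_delset(priv, PRIV_FILE_LINK_ANY);
	if ((priv_addset(priv, PRIV_PROC_AUDIT) != 0) ||
	    (setppriv(PRIV_SET, PRIV_PERMITTED, priv) != 0)) {
		syslog(LOG_AUTH | LOG_ALERT,
		    "login audit_logout: could not reduce privs: %m");
	}
	closefrom(0);
	priv_freeset(priv);

	/*
	 * Wait for the session to end.  Only EINTR is retried: any other
	 * waitpid() failure (e.g. ECHILD) would otherwise make this loop
	 * spin forever, so give up and still write the logout record.
	 */
	while (waitpid(pid, &status, 0) != pid) {
		if (errno != EINTR)
			break;
	}

	(void) adt_put_event(logout, ADT_SUCCESS, ADT_SUCCESS);
	adt_free_event(logout);
	(void) adt_end_session(ah);
	/*
	 * Replay the child's exit code.  WEXITSTATUS() is only defined
	 * for a normal exit; report a generic failure if the child was
	 * terminated by a signal instead.
	 */
	exit(WIFEXITED(status) ? WEXITSTATUS(status) : EXIT_FAILURE);
}

/*
 * audit_failure: write the audit record for a failed login attempt.
 *
 * event_id	audit event to record
 * failure_code	ADT failure code handed to adt_put_event()
 * pwd		passwd entry of the claimed user, or NULL if the user id
 *		is invalid (uid and gid are then recorded as ADT_NO_ATTRIB)
 * hostname	remote host name; "" (or NULL) for a local login
 * ttyname	terminal name; may be NULL, see the comment below
 * optional_text free-form message; only recorded for ADT_zlogin
 *
 * errors are ignored since there is no action to take on error.
 */
void
audit_failure(uint_t event_id, int failure_code, struct passwd *pwd,
    const char *hostname, const char *ttyname, char *optional_text)
{
	adt_session_data_t *ah;
	adt_event_data_t *event;
	uid_t uid = ADT_NO_ATTRIB;
	gid_t gid = ADT_NO_ATTRIB;
	adt_termid_t *p_tid = NULL;	/* remains NULL if no tid is loaded */
	int rc;

	if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA))
		return;

	if (pwd != NULL) {
		uid = pwd->pw_uid;
		gid = pwd->pw_gid;
	}
	/*
	 * If this is a remote login, in.rlogind or in.telnetd has
	 * already set the terminal id, in which case
	 * adt_load_hostname() will use the preset terminal id and
	 * ignore hostname. (If no remote host and ttyname is NULL,
	 * let adt_load_ttyname() figure out what to do.)
	 */
	if (hostname == NULL || *hostname == '\0')
		(void) adt_load_ttyname(ttyname, &p_tid);
	else
		(void) adt_load_hostname(hostname, &p_tid);

	/*
	 * ADT_NEW: nobody has been authenticated, so a fresh audit
	 * context is built from the (possibly unattributed) ids and
	 * the terminal id.  p_tid is no longer needed afterwards.
	 */
	rc = adt_set_user(ah, uid, gid, uid, gid, p_tid, ADT_NEW);
	free(p_tid);		/* free(NULL) is a no-op */
	if (rc) {
		(void) adt_end_session(ah);
		return;
	}

	event = adt_alloc_event(ah, event_id);
	if (event == NULL) {
		/* this path used to return without ending the session */
		(void) adt_end_session(ah);
		return;
	}
	switch (event_id) {
	case ADT_zlogin:
		event->adt_zlogin.message = optional_text;
		break;
	default:
		break;
	}
	(void) adt_put_event(event, ADT_FAILURE, failure_code);

	adt_free_event(event);
	(void) adt_end_session(ah);
}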