10Sstevel@tonic-gate /*
20Sstevel@tonic-gate * CDDL HEADER START
30Sstevel@tonic-gate *
40Sstevel@tonic-gate * The contents of this file are subject to the terms of the
53050Sgww * Common Development and Distribution License (the "License").
63050Sgww * You may not use this file except in compliance with the License.
70Sstevel@tonic-gate *
80Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
90Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing.
100Sstevel@tonic-gate * See the License for the specific language governing permissions
110Sstevel@tonic-gate * and limitations under the License.
120Sstevel@tonic-gate *
130Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each
140Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
150Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the
160Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying
170Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner]
180Sstevel@tonic-gate *
190Sstevel@tonic-gate * CDDL HEADER END
200Sstevel@tonic-gate */
210Sstevel@tonic-gate /*
22*11537SCasper.Dik@Sun.COM * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
230Sstevel@tonic-gate * Use is subject to license terms.
240Sstevel@tonic-gate */
250Sstevel@tonic-gate
260Sstevel@tonic-gate #include <assert.h>
273050Sgww #include <priv.h>
280Sstevel@tonic-gate #include <pwd.h>
290Sstevel@tonic-gate #include <signal.h>
300Sstevel@tonic-gate #include <stdlib.h>
310Sstevel@tonic-gate #include <string.h>
320Sstevel@tonic-gate #include <syslog.h>
330Sstevel@tonic-gate #include <unistd.h>
340Sstevel@tonic-gate #include <sys/wait.h>
350Sstevel@tonic-gate
360Sstevel@tonic-gate #include <bsm/adt.h>
370Sstevel@tonic-gate #include <bsm/adt_event.h>
380Sstevel@tonic-gate #include "login_audit.h"
390Sstevel@tonic-gate
400Sstevel@tonic-gate /*
410Sstevel@tonic-gate * Key assumption: login is single threaded.
420Sstevel@tonic-gate */
430Sstevel@tonic-gate static void audit_logout(adt_session_data_t *);
440Sstevel@tonic-gate
450Sstevel@tonic-gate /*
460Sstevel@tonic-gate * if audit is not enabled, the adt_*() functions simply return without
470Sstevel@tonic-gate * doing anything. In the success case, the credential has already been
480Sstevel@tonic-gate * setup with audit data by PAM.
490Sstevel@tonic-gate */
500Sstevel@tonic-gate
510Sstevel@tonic-gate /*
520Sstevel@tonic-gate * There is no information passed to login.c from rlogin or telnet
530Sstevel@tonic-gate * about the terminal id. They both set the tid before they
540Sstevel@tonic-gate * exec login; the value is picked up by adt_start_session() and is
550Sstevel@tonic-gate * carefully *not* overwritten by adt_load_hostname().
560Sstevel@tonic-gate */
570Sstevel@tonic-gate
580Sstevel@tonic-gate void
audit_success(uint_t event_id,struct passwd * pwd,char * optional_text)590Sstevel@tonic-gate audit_success(uint_t event_id, struct passwd *pwd, char *optional_text)
600Sstevel@tonic-gate {
610Sstevel@tonic-gate adt_session_data_t *ah;
620Sstevel@tonic-gate adt_event_data_t *event;
630Sstevel@tonic-gate int rc;
640Sstevel@tonic-gate
650Sstevel@tonic-gate assert(pwd != NULL);
660Sstevel@tonic-gate
670Sstevel@tonic-gate if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA)) {
683050Sgww syslog(LOG_AUTH | LOG_ALERT, "login adt_start_session(): %m");
690Sstevel@tonic-gate return;
700Sstevel@tonic-gate }
710Sstevel@tonic-gate if (adt_set_user(ah, pwd->pw_uid, pwd->pw_gid,
720Sstevel@tonic-gate pwd->pw_uid, pwd->pw_gid, NULL, ADT_USER)) {
733050Sgww syslog(LOG_AUTH | LOG_ALERT, "login adt_set_user(): %m");
740Sstevel@tonic-gate (void) adt_end_session(ah);
750Sstevel@tonic-gate return;
760Sstevel@tonic-gate }
770Sstevel@tonic-gate event = adt_alloc_event(ah, event_id);
780Sstevel@tonic-gate
790Sstevel@tonic-gate if (event == NULL)
800Sstevel@tonic-gate return;
810Sstevel@tonic-gate
820Sstevel@tonic-gate switch (event_id) {
830Sstevel@tonic-gate case ADT_zlogin:
840Sstevel@tonic-gate event->adt_zlogin.message = optional_text;
850Sstevel@tonic-gate break;
860Sstevel@tonic-gate default:
870Sstevel@tonic-gate break;
880Sstevel@tonic-gate }
890Sstevel@tonic-gate rc = adt_put_event(event, ADT_SUCCESS, ADT_SUCCESS);
900Sstevel@tonic-gate
910Sstevel@tonic-gate (void) adt_free_event(event);
920Sstevel@tonic-gate if (rc) {
930Sstevel@tonic-gate (void) adt_end_session(ah);
943050Sgww syslog(LOG_AUTH | LOG_ALERT, "login adt_put_event(): %m");
950Sstevel@tonic-gate return;
960Sstevel@tonic-gate }
970Sstevel@tonic-gate /*
980Sstevel@tonic-gate * The code above executes whether or not audit is enabled.
990Sstevel@tonic-gate * However audit_logout must only execute if audit is
1000Sstevel@tonic-gate * enabled so we don't fork unnecessarily.
1010Sstevel@tonic-gate */
1020Sstevel@tonic-gate if (adt_audit_enabled()) {
1030Sstevel@tonic-gate switch (event_id) {
1040Sstevel@tonic-gate case ADT_login:
1050Sstevel@tonic-gate case ADT_rlogin:
1060Sstevel@tonic-gate case ADT_telnet:
1070Sstevel@tonic-gate case ADT_zlogin:
1080Sstevel@tonic-gate audit_logout(ah); /* fork to catch logout */
1090Sstevel@tonic-gate break;
1100Sstevel@tonic-gate }
1110Sstevel@tonic-gate }
1120Sstevel@tonic-gate (void) adt_end_session(ah);
1130Sstevel@tonic-gate }
1140Sstevel@tonic-gate
1150Sstevel@tonic-gate /*
1160Sstevel@tonic-gate * errors are ignored since there is no action to take on error
1170Sstevel@tonic-gate */
1180Sstevel@tonic-gate static void
audit_logout(adt_session_data_t * ah)1190Sstevel@tonic-gate audit_logout(adt_session_data_t *ah)
1200Sstevel@tonic-gate {
1210Sstevel@tonic-gate adt_event_data_t *logout;
1220Sstevel@tonic-gate int status; /* wait status */
1230Sstevel@tonic-gate pid_t pid;
1243050Sgww priv_set_t *priv; /* waiting process privs */
1253050Sgww
1263050Sgww if ((logout = adt_alloc_event(ah, ADT_logout)) == NULL) {
1273050Sgww syslog(LOG_AUTH | LOG_ALERT,
1283050Sgww "adt_alloc_event(ADT_logout): %m");
1293050Sgww return;
1303050Sgww }
1313050Sgww if ((priv = priv_allocset()) == NULL) {
1323050Sgww syslog(LOG_AUTH | LOG_ALERT,
133*11537SCasper.Dik@Sun.COM "login audit_logout: could not alloc basic privs: %m");
1343050Sgww adt_free_event(logout);
1353050Sgww return;
1363050Sgww }
1373050Sgww
1383050Sgww /*
1393050Sgww * The child returns and continues the login processing.
1403050Sgww * The parent's sole job is to wait for child exit, write the
1413050Sgww * logout audit record, and replay the child's exit code.
1423050Sgww */
1430Sstevel@tonic-gate
1440Sstevel@tonic-gate if ((pid = fork()) == 0) {
1453050Sgww /* child */
1460Sstevel@tonic-gate
1470Sstevel@tonic-gate adt_free_event(logout);
1483050Sgww priv_freeset(priv);
1493050Sgww return;
1503050Sgww }
1513050Sgww if (pid == -1) {
1523050Sgww /* failure */
1533050Sgww
1543050Sgww syslog(LOG_AUTH | LOG_ALERT,
1553050Sgww "login audit_logout: could not fork: %m");
1563050Sgww adt_free_event(logout);
1573050Sgww priv_freeset(priv);
1583050Sgww return;
1590Sstevel@tonic-gate }
1603050Sgww
1613050Sgww /* parent process */
1623050Sgww
1633050Sgww /*
1643050Sgww * When this routine is called, the current working
1653050Sgww * directory is the user's home directory and there are
1663050Sgww * unknown open files. For the waiting process, change the
1673050Sgww * current directory to root and close files so that the
1683050Sgww * user's home directory and anything else can be unmounted
1693050Sgww * if necessary.
1703050Sgww */
1713050Sgww if (chdir("/") != 0) {
1723050Sgww syslog(LOG_AUTH | LOG_ALERT,
1733050Sgww "login audit_logut: could not chdir /: %m");
1743050Sgww }
1753050Sgww /*
1763050Sgww * Reduce privileges to just those needed.
1773050Sgww */
178*11537SCasper.Dik@Sun.COM priv_basicset(priv);
179*11537SCasper.Dik@Sun.COM (void) priv_delset(priv, PRIV_PROC_EXEC);
180*11537SCasper.Dik@Sun.COM (void) priv_delset(priv, PRIV_PROC_FORK);
181*11537SCasper.Dik@Sun.COM (void) priv_delset(priv, PRIV_PROC_INFO);
182*11537SCasper.Dik@Sun.COM (void) priv_delset(priv, PRIV_PROC_SESSION);
183*11537SCasper.Dik@Sun.COM (void) priv_delset(priv, PRIV_FILE_LINK_ANY);
1843050Sgww if ((priv_addset(priv, PRIV_PROC_AUDIT) != 0) ||
1853050Sgww (setppriv(PRIV_SET, PRIV_PERMITTED, priv) != 0)) {
1863050Sgww syslog(LOG_AUTH | LOG_ALERT,
1873050Sgww "login audit_logout: could not reduce privs: %m");
1883050Sgww }
1893050Sgww closefrom(0);
1903050Sgww priv_freeset(priv);
1913050Sgww while (pid != waitpid(pid, &status, 0))
1923050Sgww continue;
1933050Sgww
1943050Sgww (void) adt_put_event(logout, ADT_SUCCESS, ADT_SUCCESS);
1953050Sgww adt_free_event(logout);
1963050Sgww (void) adt_end_session(ah);
1973050Sgww exit(WEXITSTATUS(status));
1980Sstevel@tonic-gate }
1990Sstevel@tonic-gate
2000Sstevel@tonic-gate /*
2010Sstevel@tonic-gate * errors are ignored since there is no action to take on error.
2020Sstevel@tonic-gate *
2030Sstevel@tonic-gate * If the user id is invalid, pwd is NULL.
2040Sstevel@tonic-gate */
2050Sstevel@tonic-gate void
audit_failure(uint_t event_id,int failure_code,struct passwd * pwd,const char * hostname,const char * ttyname,char * optional_text)2060Sstevel@tonic-gate audit_failure(uint_t event_id, int failure_code, struct passwd *pwd,
2070Sstevel@tonic-gate const char *hostname, const char *ttyname, char *optional_text)
2080Sstevel@tonic-gate {
2090Sstevel@tonic-gate adt_session_data_t *ah;
2100Sstevel@tonic-gate adt_event_data_t *event;
2110Sstevel@tonic-gate uid_t uid;
2120Sstevel@tonic-gate gid_t gid;
2130Sstevel@tonic-gate adt_termid_t *p_tid;
2140Sstevel@tonic-gate
2150Sstevel@tonic-gate if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA))
2160Sstevel@tonic-gate return;
2170Sstevel@tonic-gate
2180Sstevel@tonic-gate uid = ADT_NO_ATTRIB;
2190Sstevel@tonic-gate gid = ADT_NO_ATTRIB;
2200Sstevel@tonic-gate if (pwd != NULL) {
2210Sstevel@tonic-gate uid = pwd->pw_uid;
2220Sstevel@tonic-gate gid = pwd->pw_gid;
2230Sstevel@tonic-gate }
2240Sstevel@tonic-gate /*
2250Sstevel@tonic-gate * If this is a remote login, in.rlogind or in.telnetd has
2260Sstevel@tonic-gate * already set the terminal id, in which case
2270Sstevel@tonic-gate * adt_load_hostname() will use the preset terminal id and
2280Sstevel@tonic-gate * ignore hostname. (If no remote host and ttyname is NULL,
2290Sstevel@tonic-gate * let adt_load_ttyname() figure out what to do.)
2300Sstevel@tonic-gate */
2310Sstevel@tonic-gate if (*hostname == '\0')
2320Sstevel@tonic-gate (void) adt_load_ttyname(ttyname, &p_tid);
2330Sstevel@tonic-gate else
2340Sstevel@tonic-gate (void) adt_load_hostname(hostname, &p_tid);
2350Sstevel@tonic-gate
2360Sstevel@tonic-gate if (adt_set_user(ah, uid, gid, uid, gid, p_tid, ADT_NEW)) {
2370Sstevel@tonic-gate (void) adt_end_session(ah);
2380Sstevel@tonic-gate if (p_tid != NULL)
2390Sstevel@tonic-gate free(p_tid);
2400Sstevel@tonic-gate return;
2410Sstevel@tonic-gate }
2420Sstevel@tonic-gate if (p_tid != NULL)
2430Sstevel@tonic-gate free(p_tid);
2440Sstevel@tonic-gate
2450Sstevel@tonic-gate event = adt_alloc_event(ah, event_id);
2460Sstevel@tonic-gate if (event == NULL) {
2470Sstevel@tonic-gate return;
2480Sstevel@tonic-gate }
2490Sstevel@tonic-gate switch (event_id) {
2500Sstevel@tonic-gate case ADT_zlogin:
2510Sstevel@tonic-gate event->adt_zlogin.message = optional_text;
2520Sstevel@tonic-gate break;
2530Sstevel@tonic-gate }
2540Sstevel@tonic-gate (void) adt_put_event(event, ADT_FAILURE, failure_code);
2550Sstevel@tonic-gate
2560Sstevel@tonic-gate adt_free_event(event);
2570Sstevel@tonic-gate (void) adt_end_session(ah);
2580Sstevel@tonic-gate }
259