Use the correct AUDIT_CHGRP_ID event instead of
AUDIT_USER_START, when changing the user space group ID with newgrp or sg. Thanks to sgrubb@redhat.com for the patch.
parent
1599d3d128
commit
a8bc585e33
@ -1,3 +1,9 @@
|
|||||||
|
2008-02-14 Nicolas François <nicolas.francois@centraliens.net>
|
||||||
|
|
||||||
|
* NEWS, src/newgrp.c: Use the correct AUDIT_CHGRP_ID event instead of
|
||||||
|
AUDIT_USER_START, when changing the user space group ID with
|
||||||
|
newgrp or sg. Thanks to sgrubb@redhat.com for the patch.
|
||||||
|
|
||||||
2008-02-10 Nicolas François <nicolas.francois@centraliens.net>
|
2008-02-10 Nicolas François <nicolas.francois@centraliens.net>
|
||||||
|
|
||||||
* src/usermod.c: Reset oflg with uflg if the new UID is equal to
|
* src/usermod.c: Reset oflg with uflg if the new UID is equal to
|
||||||
|
2
NEWS
2
NEWS
@ -32,6 +32,8 @@ shadow-4.1.0 -> shadow-4.1.1 UNRELEASED
|
|||||||
* Fix segfault when an user returns to an unknown GID (either the user
|
* Fix segfault when an user returns to an unknown GID (either the user
|
||||||
was deleted during the user's newgrp session or the user's passwd
|
was deleted during the user's newgrp session or the user's passwd
|
||||||
entry referenced an invalid group). Add a syslog warning in that case.
|
entry referenced an invalid group). Add a syslog warning in that case.
|
||||||
|
* Use the correct AUDIT_CHGRP_ID event instead of AUDIT_USER_START, when
|
||||||
|
changing the user space group ID with newgrp or sg.
|
||||||
- newusers
|
- newusers
|
||||||
* The new users are no more added to the list of members of their groups
|
* The new users are no more added to the list of members of their groups
|
||||||
because the membership is already set by their primary group.
|
because the membership is already set by their primary group.
|
||||||
|
57
src/newgrp.c
57
src/newgrp.c
@ -245,8 +245,15 @@ static void syslog_sg (const char *name, const char *group)
|
|||||||
fprintf (stderr, _("%s: failure forking: %s"),
|
fprintf (stderr, _("%s: failure forking: %s"),
|
||||||
is_newgrp ? "newgrp" : "sg", strerror (errno));
|
is_newgrp ? "newgrp" : "sg", strerror (errno));
|
||||||
#ifdef WITH_AUDIT
|
#ifdef WITH_AUDIT
|
||||||
audit_logger (AUDIT_USER_START, Prog, "changing",
|
if (group) {
|
||||||
|
snprintf (audit_buf, sizeof(audit_buf),
|
||||||
|
"changing new-group=%s", group);
|
||||||
|
audit_logger (AUDIT_CHGRP_ID, Prog,
|
||||||
|
audit_buf, NULL, getuid (), 0);
|
||||||
|
} else {
|
||||||
|
audit_logger (AUDIT_CHGRP_ID, Prog, "changing",
|
||||||
NULL, getuid (), 0);
|
NULL, getuid (), 0);
|
||||||
|
}
|
||||||
#endif
|
#endif
|
||||||
exit (1);
|
exit (1);
|
||||||
} else if (child) {
|
} else if (child) {
|
||||||
@ -322,6 +329,8 @@ int main (int argc, char **argv)
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef WITH_AUDIT
|
#ifdef WITH_AUDIT
|
||||||
|
char audit_buf[80];
|
||||||
|
|
||||||
audit_help_open ();
|
audit_help_open ();
|
||||||
#endif
|
#endif
|
||||||
setlocale (LC_ALL, "");
|
setlocale (LC_ALL, "");
|
||||||
@ -364,7 +373,7 @@ int main (int argc, char **argv)
|
|||||||
if (!pwd) {
|
if (!pwd) {
|
||||||
fprintf (stderr, _("unknown UID: %u\n"), getuid ());
|
fprintf (stderr, _("unknown UID: %u\n"), getuid ());
|
||||||
#ifdef WITH_AUDIT
|
#ifdef WITH_AUDIT
|
||||||
audit_logger (AUDIT_USER_START, Prog, "changing", NULL,
|
audit_logger (AUDIT_CHGRP_ID, Prog, "changing", NULL,
|
||||||
getuid (), 0);
|
getuid (), 0);
|
||||||
#endif
|
#endif
|
||||||
SYSLOG ((LOG_WARN, "unknown UID %u", getuid ()));
|
SYSLOG ((LOG_WARN, "unknown UID %u", getuid ()));
|
||||||
@ -473,8 +482,15 @@ int main (int argc, char **argv)
|
|||||||
if (ngroups < 0) {
|
if (ngroups < 0) {
|
||||||
perror ("getgroups");
|
perror ("getgroups");
|
||||||
#ifdef WITH_AUDIT
|
#ifdef WITH_AUDIT
|
||||||
audit_logger (AUDIT_USER_START, Prog,
|
if (group) {
|
||||||
|
snprintf (audit_buf, sizeof(audit_buf),
|
||||||
|
"changing new-group=%s", group);
|
||||||
|
audit_logger (AUDIT_CHGRP_ID, Prog,
|
||||||
|
audit_buf, NULL, getuid (), 0);
|
||||||
|
} else {
|
||||||
|
audit_logger (AUDIT_CHGRP_ID, Prog,
|
||||||
"changing", NULL, getuid (), 0);
|
"changing", NULL, getuid (), 0);
|
||||||
|
}
|
||||||
#endif
|
#endif
|
||||||
exit (1);
|
exit (1);
|
||||||
}
|
}
|
||||||
@ -595,14 +611,24 @@ int main (int argc, char **argv)
|
|||||||
* to the real UID. For root, this also sets the real GID to the
|
* to the real UID. For root, this also sets the real GID to the
|
||||||
* new group id.
|
* new group id.
|
||||||
*/
|
*/
|
||||||
if (setgid (gid))
|
if (setgid (gid)) {
|
||||||
perror ("setgid");
|
perror ("setgid");
|
||||||
|
#ifdef WITH_AUDIT
|
||||||
|
snprintf (audit_buf, sizeof(audit_buf),
|
||||||
|
"changing new-gid=%d", gid);
|
||||||
|
audit_logger (AUDIT_CHGRP_ID, Prog,
|
||||||
|
audit_buf, NULL, getuid (), 0);
|
||||||
|
#endif
|
||||||
|
exit (1);
|
||||||
|
}
|
||||||
|
|
||||||
if (setuid (getuid ())) {
|
if (setuid (getuid ())) {
|
||||||
perror ("setuid");
|
perror ("setuid");
|
||||||
#ifdef WITH_AUDIT
|
#ifdef WITH_AUDIT
|
||||||
audit_logger (AUDIT_USER_START, Prog, "changing",
|
snprintf (audit_buf, sizeof(audit_buf),
|
||||||
NULL, getuid (), 0);
|
"changing new-gid=%d", gid);
|
||||||
|
audit_logger (AUDIT_CHGRP_ID, Prog,
|
||||||
|
audit_buf, NULL, getuid (), 0);
|
||||||
#endif
|
#endif
|
||||||
exit (1);
|
exit (1);
|
||||||
}
|
}
|
||||||
@ -615,8 +641,10 @@ int main (int argc, char **argv)
|
|||||||
closelog ();
|
closelog ();
|
||||||
execl ("/bin/sh", "sh", "-c", command, (char *) 0);
|
execl ("/bin/sh", "sh", "-c", command, (char *) 0);
|
||||||
#ifdef WITH_AUDIT
|
#ifdef WITH_AUDIT
|
||||||
audit_logger (AUDIT_USER_START, Prog, "changing",
|
snprintf (audit_buf, sizeof(audit_buf),
|
||||||
NULL, getuid (), 0);
|
"changing new-gid=%d", gid);
|
||||||
|
audit_logger (AUDIT_CHGRP_ID, Prog,
|
||||||
|
audit_buf, NULL, getuid (), 0);
|
||||||
#endif
|
#endif
|
||||||
perror ("/bin/sh");
|
perror ("/bin/sh");
|
||||||
exit (errno == ENOENT ? E_CMD_NOTFOUND : E_CMD_NOEXEC);
|
exit (errno == ENOENT ? E_CMD_NOTFOUND : E_CMD_NOEXEC);
|
||||||
@ -682,7 +710,8 @@ int main (int argc, char **argv)
|
|||||||
}
|
}
|
||||||
|
|
||||||
#ifdef WITH_AUDIT
|
#ifdef WITH_AUDIT
|
||||||
audit_logger (AUDIT_USER_START, Prog, "changing", NULL, getuid (), 1);
|
snprintf (audit_buf, sizeof(audit_buf), "changing new-gid=%d", gid);
|
||||||
|
audit_logger (AUDIT_CHGRP_ID, Prog, audit_buf, NULL, getuid (), 1);
|
||||||
#endif
|
#endif
|
||||||
/*
|
/*
|
||||||
* Exec the login shell and go away. We are trying to get back to
|
* Exec the login shell and go away. We are trying to get back to
|
||||||
@ -705,7 +734,15 @@ int main (int argc, char **argv)
|
|||||||
*/
|
*/
|
||||||
closelog ();
|
closelog ();
|
||||||
#ifdef WITH_AUDIT
|
#ifdef WITH_AUDIT
|
||||||
audit_logger (AUDIT_USER_START, Prog, "changing", NULL, getuid (), 0);
|
if (group) {
|
||||||
|
snprintf (audit_buf, sizeof(audit_buf),
|
||||||
|
"changing new-group=%s", group);
|
||||||
|
audit_logger (AUDIT_CHGRP_ID, Prog,
|
||||||
|
audit_buf, NULL, getuid (), 0);
|
||||||
|
} else {
|
||||||
|
audit_logger (AUDIT_CHGRP_ID, Prog,
|
||||||
|
"changing", NULL, getuid (), 0);
|
||||||
|
}
|
||||||
#endif
|
#endif
|
||||||
exit (1);
|
exit (1);
|
||||||
}
|
}
|
||||||
|
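Review bot: The `"changing new-group=%s"` records format `group` straight into the audit message, and that string presumably originates from the invoking user's command line, so a name containing spaces or `=` could add or shadow fields in the AUDIT_CHGRP_ID record that log consumers rely on, and the 80-byte `audit_buf` silently truncates long names. The value should be validated or encoded before logging (libaudit provides `audit_encode_nv_string` for this); the same pattern appears in the fork-failure, getgroups-failure and final exec-failure hunks. Separately, the first hunk's header places its `audit_buf` use inside `syslog_sg`, while the only visible declaration is `char audit_buf[80];` local to `main`; if that header is accurate, a WITH_AUDIT build will not compile there and the buffer needs to be declared in that function as well. The `"changing new-gid=%d"` calls pass `gid`, which is presumably an unsigned `gid_t`; `"changing new-gid=%lu", (unsigned long) gid` would avoid the format mismatch. All of these blocks sit in functions that begin and end outside the hunks shown.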