static int _audit_log(int type, const char *uname, int rc)
{
int audit_fd;
audit_fd = audit_open();
if (audit_fd < 0) {
/* You get these error codes only when the kernel doesn't have
* audit compiled in. */
if (errno == EINVAL || errno == EPROTONOSUPPORT ||
errno == EAFNOSUPPORT)
return PAM_SUCCESS;
helper_log_err(LOG_CRIT, "audit_open() failed: %m");
return PAM_AUTH_ERR;
}
rc = audit_log_acct_message(audit_fd, type, NULL, "PAM:unix_chkpwd",
uname, -1, NULL, NULL, NULL, rc == PAM_SUCCESS);
if (rc == -EPERM && geteuid() != 0) {
rc = 0;
}
audit_close(audit_fd);
return rc < 0 ? PAM_AUTH_ERR : PAM_SUCCESS;
}
/* Initialize the connection to the audit system */
static void
audit_init (void)
{
audit_fd = audit_open ();
if (audit_fd < 0)
dbg_log (_("Failed opening connection to the audit subsystem"));
}
int
linux_audit_record_event(int uid, const char *username, const char *hostname,
const char *ip, const char *ttyn, int success)
{
int audit_fd, rc, saved_errno;
if ((audit_fd = audit_open()) < 0) {
if (errno == EINVAL || errno == EPROTONOSUPPORT ||
errno == EAFNOSUPPORT)
return 1; /* No audit support in kernel */
else
return 0; /* Must prevent login */
}
rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
NULL, "login", username ? username : "******",
username == NULL ? uid : -1, hostname, ip, ttyn, success);
saved_errno = errno;
close(audit_fd);
/*
* Do not report error if the error is EPERM and sshd is run as non
* root user.
*/
if ((rc == -EPERM) && (geteuid() != 0))
rc = 0;
errno = saved_errno;
return rc >= 0;
}
static int
audit_role_change(const security_context_t old_context,
const security_context_t new_context, const char *ttyn, int result)
{
int au_fd, rc = -1;
char *message;
debug_decl(audit_role_change, SUDO_DEBUG_SELINUX)
au_fd = audit_open();
if (au_fd == -1) {
/* Kernel may not have audit support. */
if (errno != EINVAL && errno != EPROTONOSUPPORT && errno != EAFNOSUPPORT
)
sudo_fatal(U_("unable to open audit system"));
} else {
/* audit role change using the same format as newrole(1) */
sudo_easprintf(&message, "newrole: old-context=%s new-context=%s",
old_context, new_context);
rc = audit_log_user_message(au_fd, AUDIT_USER_ROLE_CHANGE,
message, NULL, NULL, ttyn, result);
if (rc <= 0)
sudo_warn(U_("unable to send audit message"));
sudo_efree(message);
close(au_fd);
}
debug_return_int(rc);
}
static bool audit_mainloop()
{
int fd = audit_open();
if (fd < 0) {
LOGE("Failed to open audit socket: %s", strerror(errno));
return false;
}
auto close_fd = finally([&]{
audit_close(fd);
});
if (audit_setup(fd, static_cast<uint32_t>(getpid())) < 0) {
return false;
}
while (true) {
struct audit_message reply;
reply.nlh.nlmsg_type = 0;
reply.nlh.nlmsg_len = 0;
reply.data[0] = '\0';
if (audit_get_reply(fd, &reply, GET_REPLY_BLOCKING, 0) < 0) {
LOGE("Failed to get reply from audit socket: %s", strerror(errno));
return false;
}
LOGV("type=%d %.*s",
reply.nlh.nlmsg_type, reply.nlh.nlmsg_len, reply.data);
}
// unreachable
}
/* Initialize the connection to the audit system */
static void
audit_init (void)
{
audit_fd = audit_open ();
if (audit_fd < 0
/* If kernel doesn't support audit, bail out */
&& errno != EINVAL && errno != EPROTONOSUPPORT && errno != EAFNOSUPPORT)
dbg_log (_("Failed opening connection to the audit subsystem: %m"));
}
int LogAudit::getLogSocket() {
int fd = audit_open();
if (fd < 0) {
return fd;
}
if (audit_setup(fd, getpid()) < 0) {
audit_close(fd);
fd = -1;
}
return fd;
}
static void do_update_rate(uint32_t rate) {
int fd = audit_open();
if (fd == -1) {
error(EXIT_FAILURE, errno, "Unable to open audit socket");
}
int result = audit_rate_limit(fd, rate);
close(fd);
if (result < 0) {
fprintf(stderr, "Can't update audit rate limit: %d\n", result);
exit(EXIT_FAILURE);
}
}
/* Send audit message */
static
int send_audit_message(pam_handle_t *pamh, int success, security_context_t default_context,
security_context_t selected_context)
{
int rc=0;
#ifdef HAVE_LIBAUDIT
char *msg = NULL;
int audit_fd = audit_open();
security_context_t default_raw=NULL;
security_context_t selected_raw=NULL;
rc = -1;
if (audit_fd < 0) {
if (errno == EINVAL || errno == EPROTONOSUPPORT ||
errno == EAFNOSUPPORT)
return 0; /* No audit support in kernel */
pam_syslog(pamh, LOG_ERR, "Error connecting to audit system.");
return rc;
}
if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) {
pam_syslog(pamh, LOG_ERR, "Error translating default context.");
default_raw = NULL;
}
if (selinux_trans_to_raw_context(selected_context, &selected_raw) < 0) {
pam_syslog(pamh, LOG_ERR, "Error translating selected context.");
selected_raw = NULL;
}
if (asprintf(&msg, "pam: default-context=%s selected-context=%s",
default_raw ? default_raw : (default_context ? default_context : "?"),
selected_raw ? selected_raw : (selected_context ? selected_context : "?")) < 0) {
pam_syslog(pamh, LOG_ERR, "Error allocating memory.");
goto out;
}
if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
msg, NULL, NULL, NULL, success) <= 0) {
pam_syslog(pamh, LOG_ERR, "Error sending audit message.");
goto out;
}
rc = 0;
out:
free(msg);
freecon(default_raw);
freecon(selected_raw);
close(audit_fd);
#else
pam_syslog(pamh, LOG_NOTICE, "pam: default-context=%s selected-context=%s success %d", default_context, selected_context, success);
#endif
return rc;
}
void audit_help_open (void)
{
audit_fd = audit_open ();
if (audit_fd < 0) {
/* You get these only when the kernel doesn't have
* audit compiled in. */
if ( (errno == EINVAL)
|| (errno == EPROTONOSUPPORT)
|| (errno == EAFNOSUPPORT)) {
return;
}
(void) fputs (_("Cannot open audit interface - aborting.\n"),
stderr);
exit (EXIT_FAILURE);
}
}
/*
* Open audit connection if possible.
* Returns audit fd on success and -1 on failure.
*/
static int
linux_audit_open(void)
{
static int au_fd = -1;
if (au_fd != -1)
return au_fd;
au_fd = audit_open();
if (au_fd == -1) {
/* Kernel may not have audit support. */
if (errno != EINVAL && errno != EPROTONOSUPPORT && errno != EAFNOSUPPORT)
error(1, "unable to open audit system");
} else {
(void)fcntl(au_fd, F_SETFD, FD_CLOEXEC);
}
return au_fd;
}
static int count_rules(void)
{
int fd, total, rc;
fd = audit_open();
if (fd < 0)
return -1;
rc = audit_request_rules_list_data(fd);
if (rc > 0)
total = count_em(fd);
else
total = -1;
close(fd);
return total;
}
int get_audit_fd(void) {
if (!initialized) {
audit_fd = audit_open();
if (audit_fd < 0) {
if (errno != EAFNOSUPPORT && errno != EPROTONOSUPPORT)
log_error_errno(errno, "Failed to connect to audit log: %m");
audit_fd = errno ? -errno : -EINVAL;
}
initialized = true;
}
return audit_fd;
}
void
bus_selinux_audit_init(void)
{
#ifdef HAVE_LIBAUDIT
audit_fd = audit_open ();
if (audit_fd < 0)
{
/* If kernel doesn't support audit, bail out */
if (errno == EINVAL || errno == EPROTONOSUPPORT || errno == EAFNOSUPPORT)
return;
/* If user bus, bail out */
if (errno == EPERM && getuid() != 0)
return;
_dbus_warn ("Failed opening connection to the audit subsystem");
}
#endif /* HAVE_LIBAUDIT */
}
int do_log(void)
{
struct passwd* pwd;
int fd, status, r;
if ((!streq(action, "failed")) && (!streq(action, "login")))
return 0;
status = streq(action, "login");
if (pwd = getpwnam(username), pwd == NULL) return -1;
if (fd = audit_open(), fd == -1) return -1;
r = audit_log_acct_message(fd, AUDIT_USER_LOGIN, NULL, "login", username,
pwd->pw_uid, hostname, NULL, ttyname, status);
close(fd);
return r;
}
/*
* Open audit connection if possible.
* Returns audit fd on success and -1 on failure.
*/
static int
linux_audit_open(void)
{
static int au_fd = -1;
debug_decl(linux_audit_open, SUDOERS_DEBUG_AUDIT)
if (au_fd != -1)
debug_return_int(au_fd);
au_fd = audit_open();
if (au_fd == -1) {
/* Kernel may not have audit support. */
if (errno == EINVAL || errno == EPROTONOSUPPORT || errno == EAFNOSUPPORT)
au_fd = AUDIT_NOT_CONFIGURED;
else
sudo_warn(U_("unable to open audit system"));
} else {
(void)fcntl(au_fd, F_SETFD, FD_CLOEXEC);
}
debug_return_int(au_fd);
}
/*
* This function will reset everything used for each loop when loading
* a ruleset from a file.
*/
static int reset_vars(void)
{
list_requested = 0;
_audit_syscalladded = 0;
_audit_permadded = 0;
_audit_archadded = 0;
_audit_elf = 0;
add = AUDIT_FILTER_UNSET;
del = AUDIT_FILTER_UNSET;
action = -1;
exclude = 0;
multiple = 0;
free(rule_new);
rule_new = malloc(sizeof(struct audit_rule_data));
memset(rule_new, 0, sizeof(struct audit_rule_data));
if (fd < 0) {
if ((fd = audit_open()) < 0) {
fprintf(stderr, "Cannot open netlink audit socket\n");
return 1;
}
}
return 0;
}
int get_audit_fd(void) {
if (!initialized) {
if (have_effective_cap(CAP_AUDIT_WRITE) == 0) {
audit_fd = -EPERM;
initialized = true;
return audit_fd;
}
audit_fd = audit_open();
if (audit_fd < 0) {
if (!IN_SET(errno, EAFNOSUPPORT, EPROTONOSUPPORT))
log_error_errno(errno, "Failed to connect to audit log: %m");
audit_fd = errno ? -errno : -EINVAL;
}
initialized = true;
}
return audit_fd;
}
static void
init_auditd (NMAuditManager *self)
{
NMAuditManagerPrivate *priv = NM_AUDIT_MANAGER_GET_PRIVATE (self);
NMConfigData *data = nm_config_get_data (priv->config);
if (nm_config_data_get_value_boolean (data, NM_CONFIG_KEYFILE_GROUP_LOGGING,
NM_CONFIG_KEYFILE_KEY_AUDIT,
NM_CONFIG_DEFAULT_LOGGING_AUDIT_BOOL)) {
if (priv->auditd_fd < 0) {
priv->auditd_fd = audit_open ();
if (priv->auditd_fd < 0)
_LOGE (LOGD_CORE, "failed to open auditd socket: %s", strerror (errno));
else
_LOGD (LOGD_CORE, "socket created");
}
} else {
if (priv->auditd_fd >= 0) {
audit_close (priv->auditd_fd);
priv->auditd_fd = -1;
_LOGD (LOGD_CORE, "socket closed");
}
}
}
static void log_audit(struct login_context *cxt, int status)
{
int audit_fd;
struct passwd *pwd = cxt->pwd;
audit_fd = audit_open();
if (audit_fd == -1)
return;
if (!pwd && cxt->username)
pwd = getpwnam(cxt->username);
audit_log_acct_message(audit_fd,
AUDIT_USER_LOGIN,
NULL,
"login",
cxt->username ? cxt->username : "******",
pwd ? pwd->pw_uid : (unsigned int) -1,
cxt->hostname,
NULL,
cxt->tty_name,
status);
close(audit_fd);
}
int main(int argc, char *argv[]) {
int r;
DBusError error;
Context c;
dbus_error_init(&error);
zero(c);
#ifdef HAVE_AUDIT
c.audit_fd = -1;
#endif
if (getppid() != 1) {
log_error("This program should be invoked by init only.");
return EXIT_FAILURE;
}
if (argc != 2) {
log_error("This program requires one argument.");
return EXIT_FAILURE;
}
log_set_target(LOG_TARGET_SYSLOG_OR_KMSG);
log_parse_environment();
log_open();
#ifdef HAVE_AUDIT
if ((c.audit_fd = audit_open()) < 0)
log_error("Failed to connect to audit log: %m");
#endif
if (bus_connect(DBUS_BUS_SYSTEM, &c.bus, NULL, &error) < 0) {
log_error("Failed to get D-Bus connection: %s", bus_error_message(&error));
r = -EIO;
goto finish;
}
log_debug("systemd-update-utmp running as pid %lu", (unsigned long) getpid());
if (streq(argv[1], "reboot"))
r = on_reboot(&c);
else if (streq(argv[1], "shutdown"))
r = on_shutdown(&c);
else if (streq(argv[1], "runlevel"))
r = on_runlevel(&c);
else {
log_error("Unknown command %s", argv[1]);
r = -EINVAL;
}
log_debug("systemd-update-utmp stopped as pid %lu", (unsigned long) getpid());
finish:
#ifdef HAVE_AUDIT
if (c.audit_fd >= 0)
audit_close(c.audit_fd);
#endif
if (c.bus) {
dbus_connection_flush(c.bus);
dbus_connection_close(c.bus);
dbus_connection_unref(c.bus);
}
dbus_error_free(&error);
dbus_shutdown();
return r < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
}
static void do_auditd(int fd) {
struct audit_reply rep;
sigset_t sigs;
struct sigaction sa;
struct pollfd pds = {
.events = POLLIN | POLLPRI | POLLERR | POLLHUP | POLLMSG,
.revents = 0,
.fd = fd,
};
if (audit_set_pid(fd, getpid(), WAIT_YES) < 0)
return;
if (audit_set_enabled(fd, 1) < 0)
return;
memset(&sa, '\0', sizeof (sa));
sa.sa_handler = sig_done;
sigaction(SIGTERM, &sa, NULL);
sigaction(SIGINT, &sa, NULL);
sigaction(SIGHUP, &sa, NULL);
sigfillset(&sigs);
sigdelset(&sigs, SIGTERM);
sigdelset(&sigs, SIGINT);
sigdelset(&sigs, SIGHUP);
while (1) {
struct timespec timeout = { -1, -1 };
int retval;
memset(&rep, 0, sizeof(rep));
do {
retval = ppoll(&pds, 1, &timeout, &sigs);
} while (retval == -1 && errno == EINTR && !done);
if (done)
break;
if (audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0) > 0) {
/* we don't actually want to do anything here. */
;
}
}
return;
}
#endif /* USESELINUX */
int audit_daemonize(void) {
#ifdef USESELINUX
int fd;
#ifndef STANDALONE
int i;
pid_t child;
if ((child = fork()) > 0)
return 0;
for (i = 0; i < getdtablesize(); i++)
close(i);
signal(SIGTTOU, SIG_IGN);
signal(SIGTTIN, SIG_IGN);
signal(SIGTSTP, SIG_IGN);
if ((fd = open("/proc/self/oom_adj", O_RDWR)) >= 0) {
i = write(fd, "-17", 3);
close(fd);
}
#endif /* !defined(STANDALONE) */
fd = audit_open();
do_auditd(fd);
audit_close(fd);
#endif /* USESELINUX */
exit(0);
}
int main(int argc, char *argv[])
{
int retval = 1;
set_aumessage_mode(MSG_STDERR, DBG_NO);
if (argc == 1) {
usage();
return 1;
}
#ifndef DEBUG
/* Make sure we are root */
if (geteuid() != 0) {
fprintf(stderr, "You must be root to run this program.\n");
return 4;
}
#endif
/* Check where the rules are coming from: commandline or file */
if ((argc == 3) && (strcmp(argv[1], "-R") == 0)) {
fd = audit_open();
if (audit_is_enabled(fd) == 2) {
fprintf(stderr,
"The audit system is in immutable "
"mode, no rule changes allowed\n");
return 0;
} else if (errno == ECONNREFUSED) {
fprintf(stderr, "The audit system is disabled\n");
return 0;
} else if (fileopt(argv[2]))
return 1;
else {
if (continue_error < 0)
return 1;
return 0;
}
} else {
if (reset_vars()) {
free(rule_new);
return 1;
}
retval = setopt(argc, 0, argv);
if (retval == -3) {
free(rule_new);
return 0;
}
}
if (add != AUDIT_FILTER_UNSET || del != AUDIT_FILTER_UNSET) {
fd = audit_open();
if (audit_is_enabled(fd) == 2) {
fprintf(stderr,
"The audit system is in immutable "
"mode, no rule changes allowed\n");
free(rule_new);
return 0;
} else if (errno == ECONNREFUSED) {
fprintf(stderr, "The audit system is disabled\n");
free(rule_new);
return 0;
}
}
retval = handle_request(retval);
free(rule_new);
return retval;
}
int
main(int argc, char **argv)
{
int lockfd;
int nhelpers = -1;
char *coredir;
const struct lsw_conf_options *oco;
/*
* We read the intentions for how to log from command line options
* and the config file. Then we prepare to be able to log, but until
* then log to stderr (better then nothing). Once we are ready to
* actually do loggin according to the methods desired, we set the
* variables for those methods
*/
bool log_to_stderr_desired = FALSE;
bool log_to_file_desired = FALSE;
coredir = NULL;
/* set up initial defaults that need a cast */
pluto_shared_secrets_file =
DISCARD_CONST(char *, SHARED_SECRETS_FILE);
#ifdef NAT_TRAVERSAL
/** Overridden by nat_traversal= in ipsec.conf */
bool nat_traversal = FALSE;
bool nat_t_spf = TRUE; /* support port floating */
unsigned int keep_alive = 0;
bool force_keepalive = FALSE;
#endif
/** Overridden by virtual_private= in ipsec.conf */
char *virtual_private = NULL;
#ifdef LEAK_DETECTIVE
leak_detective=1;
#else
leak_detective=0;
#endif
#ifdef HAVE_LIBCAP_NG
/* Drop capabilities */
capng_clear(CAPNG_SELECT_BOTH);
capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
CAP_NET_BIND_SERVICE, CAP_NET_ADMIN, CAP_NET_RAW,
CAP_IPC_LOCK, CAP_AUDIT_WRITE,
-1);
/* our children must be able to CAP_NET_ADMIN to change routes.
*/
capng_updatev(CAPNG_ADD, CAPNG_BOUNDING_SET,
CAP_NET_ADMIN, -1);
capng_apply(CAPNG_SELECT_BOTH);
#endif
#ifdef DEBUG
libreswan_passert_fail = passert_fail;
#endif
if(getenv("PLUTO_WAIT_FOR_GDB")) {
sleep(120);
}
/* handle arguments */
for (;;)
{
# define DBG_OFFSET 256
static const struct option long_opts[] = {
/* name, has_arg, flag, val */
{ "help", no_argument, NULL, 'h' },
{ "version", no_argument, NULL, 'v' },
{ "config", required_argument, NULL, 'z' },
{ "nofork", no_argument, NULL, 'd' },
{ "stderrlog", no_argument, NULL, 'e' },
{ "logfile", required_argument, NULL, 'g' },
{ "plutostderrlogtime", no_argument, NULL, 't' },
{ "noklips", no_argument, NULL, 'n' },
{ "use-nostack", no_argument, NULL, 'n' },
{ "use-none", no_argument, NULL, 'n' },
{ "force_busy", no_argument, NULL, 'D' },
{ "strictcrlpolicy", no_argument, NULL, 'r' },
{ "crlcheckinterval", required_argument, NULL, 'x'},
{ "uniqueids", no_argument, NULL, 'u' },
{ "useklips", no_argument, NULL, 'k' },
{ "use-klips", no_argument, NULL, 'k' },
{ "use-auto", no_argument, NULL, 'G' },
{ "usenetkey", no_argument, NULL, 'K' },
{ "use-netkey", no_argument, NULL, 'K' },
{ "use-mast", no_argument, NULL, 'M' },
{ "use-mastklips", no_argument, NULL, 'M' },
{ "use-bsdkame", no_argument, NULL, 'F' },
{ "interface", required_argument, NULL, 'i' },
{ "listen", required_argument, NULL, 'L' },
{ "ikeport", required_argument, NULL, 'p' },
{ "natikeport", required_argument, NULL, 'q' },
{ "ctlbase", required_argument, NULL, 'b' },
{ "secretsfile", required_argument, NULL, 's' },
{ "perpeerlogbase", required_argument, NULL, 'P' },
{ "perpeerlog", no_argument, NULL, 'l' },
{ "noretransmits", no_argument, NULL, 'R' },
{ "coredir", required_argument, NULL, 'C' },
{ "ipsecdir", required_argument, NULL, 'f' },
{ "ipsec_dir", required_argument, NULL, 'f' },
{ "foodgroupsdir", required_argument, NULL, 'f' },
{ "adns", required_argument, NULL, 'a' },
#ifdef NAT_TRAVERSAL
{ "nat_traversal", no_argument, NULL, '1' },
{ "keep_alive", required_argument, NULL, '2' },
{ "force_keepalive", no_argument, NULL, '3' },
{ "disable_port_floating", no_argument, NULL, '4' },
{ "debug-nat_t", no_argument, NULL, '5' },
{ "debug-nattraversal", no_argument, NULL, '5' },
{ "debug-nat-t", no_argument, NULL, '5' },
#endif
{ "virtual_private", required_argument, NULL, '6' },
{ "nhelpers", required_argument, NULL, 'j' },
#ifdef HAVE_LABELED_IPSEC
{ "secctx_attr_value", required_argument, NULL, 'w' },
#endif
#ifdef DEBUG
{ "debug-none", no_argument, NULL, 'N' },
{ "debug-all", no_argument, NULL, 'A' },
{ "debug-raw", no_argument, NULL, DBG_RAW + DBG_OFFSET },
{ "debug-crypt", no_argument, NULL, DBG_CRYPT + DBG_OFFSET },
{ "debug-crypto", no_argument, NULL, DBG_CRYPT + DBG_OFFSET },
{ "debug-parsing", no_argument, NULL, DBG_PARSING + DBG_OFFSET },
{ "debug-emitting", no_argument, NULL, DBG_EMITTING + DBG_OFFSET },
{ "debug-control", no_argument, NULL, DBG_CONTROL + DBG_OFFSET },
{ "debug-lifecycle", no_argument, NULL, DBG_LIFECYCLE + DBG_OFFSET },
{ "debug-klips", no_argument, NULL, DBG_KLIPS + DBG_OFFSET },
{ "debug-netkey", no_argument, NULL, DBG_NETKEY + DBG_OFFSET },
{ "debug-dns", no_argument, NULL, DBG_DNS + DBG_OFFSET },
{ "debug-oppo", no_argument, NULL, DBG_OPPO + DBG_OFFSET },
{ "debug-oppoinfo", no_argument, NULL, DBG_OPPOINFO + DBG_OFFSET },
{ "debug-controlmore", no_argument, NULL, DBG_CONTROLMORE + DBG_OFFSET },
{ "debug-dpd", no_argument, NULL, DBG_DPD + DBG_OFFSET },
{ "debug-x509", no_argument, NULL, DBG_X509 + DBG_OFFSET },
{ "debug-private", no_argument, NULL, DBG_PRIVATE + DBG_OFFSET },
{ "debug-pfkey", no_argument, NULL, DBG_PFKEY + DBG_OFFSET },
{ "impair-delay-adns-key-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_KEY_ANSWER + DBG_OFFSET },
{ "impair-delay-adns-txt-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_TXT_ANSWER + DBG_OFFSET },
{ "impair-bust-mi2", no_argument, NULL, IMPAIR_BUST_MI2 + DBG_OFFSET },
{ "impair-bust-mr2", no_argument, NULL, IMPAIR_BUST_MR2 + DBG_OFFSET },
{ "impair-sa-creation", no_argument, NULL, IMPAIR_SA_CREATION + DBG_OFFSET },
{ "impair-die-oninfo", no_argument, NULL, IMPAIR_DIE_ONINFO + DBG_OFFSET },
{ "impair-jacob-two-two", no_argument, NULL, IMPAIR_JACOB_TWO_TWO + DBG_OFFSET },
{ "impair-major-version-bump", no_argument, NULL, IMPAIR_MAJOR_VERSION_BUMP + DBG_OFFSET },
{ "impair-minor-version-bump", no_argument, NULL, IMPAIR_MINOR_VERSION_BUMP + DBG_OFFSET },
{ "impair-retransmits", no_argument, NULL, IMPAIR_RETRANSMITS + DBG_OFFSET },
{ "impair-send-bogus-isakmp-flag", no_argument, NULL, IMPAIR_SEND_BOGUS_ISAKMP_FLAG + DBG_OFFSET },
#endif
{ 0,0,0,0 }
};
/* Note: we don't like the way short options get parsed
* by getopt_long, so we simply pass an empty string as
* the list. It could be "hvdenp:l:s:" "NARXPECK".
*/
int c = getopt_long(argc, argv, "", long_opts, NULL);
/** Note: "breaking" from case terminates loop */
switch (c)
{
case EOF: /* end of flags */
break;
case 0: /* long option already handled */
continue;
case ':': /* diagnostic already printed by getopt_long */
case '?': /* diagnostic already printed by getopt_long */
usage("");
break; /* not actually reached */
case 'h': /* --help */
usage(NULL);
break; /* not actually reached */
case 'C':
coredir = clone_str(optarg, "coredir");
continue;
case 'v': /* --version */
{
printf("%s%s\n", ipsec_version_string(),
compile_time_interop_options);
}
exit(0); /* not exit_pluto because we are not initialized yet */
break; /* not actually reached */
case 'j': /* --nhelpers */
if (optarg == NULL || !isdigit(optarg[0]))
usage("missing number of pluto helpers");
{
char *endptr;
long count = strtol(optarg, &endptr, 0);
if (*endptr != '\0' || endptr == optarg
|| count < -1)
usage("<nhelpers> must be a positive number, 0 or -1");
nhelpers = count;
}
continue;
#ifdef HAVE_LABELED_IPSEC
case 'w': /* --secctx_attr_value*/
if (optarg == NULL || !isdigit(optarg[0]))
usage("missing (positive integer) value of secctx_attr_value (needed only if using labeled ipsec)");
{
char *endptr;
long value = strtol(optarg, &endptr, 0);
if (*endptr != '\0' || endptr == optarg
|| (value != SECCTX && value !=10) )
usage("<secctx_attr_value> must be a positive number (32001 by default, 10 for backward compatibility, or any other future number assigned by IANA)");
secctx_attr_value = (u_int16_t)value;
}
continue;
#endif
case 'd': /* --nofork*/
fork_desired = FALSE;
continue;
case 'e': /* --stderrlog */
log_to_stderr_desired = TRUE;
continue;
case 'g': /* --logfile */
pluto_log_file = optarg;
log_to_file_desired = TRUE;
continue;
case 't': /* --plutostderrlogtime */
log_with_timestamp = TRUE;
continue;
case 'G': /* --use-auto */
libreswan_log("The option --use-auto is obsoleted, falling back to --use-netkey\n");
kern_interface = USE_NETKEY;
continue;
case 'k': /* --use-klips */
kern_interface = USE_KLIPS;
continue;
case 'L': /* --listen ip_addr */
{
ip_address lip;
err_t e = ttoaddr(optarg,0,0,&lip);
if(e) {
libreswan_log("invalid listen argument ignored: %s\n",e);
} else {
pluto_listen = clone_str(optarg, "pluto_listen");
libreswan_log("bind() will be filtered for %s\n",pluto_listen);
}
}
continue;
case 'M': /* --use-mast */
kern_interface = USE_MASTKLIPS;
continue;
case 'F': /* --use-bsdkame */
kern_interface = USE_BSDKAME;
continue;
case 'K': /* --use-netkey */
kern_interface = USE_NETKEY;
continue;
case 'n': /* --use-nostack */
kern_interface = NO_KERNEL;
continue;
case 'D': /* --force_busy */
force_busy = TRUE;
continue
;
case 'r': /* --strictcrlpolicy */
strict_crl_policy = TRUE;
continue
;
case 'R':
no_retransmits = TRUE;
continue;
case 'x': /* --crlcheckinterval <time>*/
if (optarg == NULL || !isdigit(optarg[0]))
usage("missing interval time");
{
char *endptr;
long interval = strtol(optarg, &endptr, 0);
if (*endptr != '\0' || endptr == optarg
|| interval <= 0)
usage("<interval-time> must be a positive number");
crl_check_interval = interval;
}
continue
;
case 'u': /* --uniqueids */
uniqueIDs = TRUE;
continue;
case 'i': /* --interface <ifname|ifaddr> */
if (!use_interface(optarg))
usage("too many --interface specifications");
continue;
/*
* This option does not really work, as this is the "left"
* site only, you also need --to --ikeport again later on
* It will result in: yourport -> 500, still not bypassing filters
*/
case 'p': /* --ikeport <portnumber> */
if (optarg == NULL || !isdigit(optarg[0]))
usage("missing port number");
{
char *endptr;
long port = strtol(optarg, &endptr, 0);
if (*endptr != '\0' || endptr == optarg
|| port <= 0 || port > 0x10000)
usage("<port-number> must be a number between 1 and 65535");
pluto_port = port;
}
continue;
#ifdef NAT_TRAVERSAL
case 'q': /* --natikeport <portnumber> */
if (optarg == NULL || !isdigit(optarg[0]))
usage("missing port number");
{
char *endptr;
long port = strtol(optarg, &endptr, 0);
if (*endptr != '\0' || endptr == optarg
|| port <= 0 || port > 0x10000)
usage("<port-number> must be a number between 1 and 65535");
pluto_natt_float_port = port;
}
continue;
#endif
case 'b': /* --ctlbase <path> */
ctlbase = optarg;
if (snprintf(ctl_addr.sun_path, sizeof(ctl_addr.sun_path)
, "%s%s", ctlbase, CTL_SUFFIX) == -1)
usage("<path>" CTL_SUFFIX " too long for sun_path");
if (snprintf(info_addr.sun_path, sizeof(info_addr.sun_path)
, "%s%s", ctlbase, INFO_SUFFIX) == -1)
usage("<path>" INFO_SUFFIX " too long for sun_path");
if (snprintf(pluto_lock, sizeof(pluto_lock)
, "%s%s", ctlbase, LOCK_SUFFIX) == -1)
usage("<path>" LOCK_SUFFIX " must fit");
continue;
case 's': /* --secretsfile <secrets-file> */
pluto_shared_secrets_file = optarg;
continue;
case 'f': /* --ipsecdir <ipsec-dir> */
(void)lsw_init_ipsecdir(optarg);
continue;
case 'a': /* --adns <pathname> */
pluto_adns_option = optarg;
continue;
#ifdef DEBUG
case 'N': /* --debug-none */
base_debugging = DBG_NONE;
continue;
case 'A': /* --debug-all */
base_debugging = DBG_ALL;
continue;
#endif
case 'P': /* --perpeerlogbase */
base_perpeer_logdir = optarg;
continue;
case 'l':
log_to_perpeer = TRUE;
continue;
#ifdef NAT_TRAVERSAL
case '1': /* --nat_traversal */
nat_traversal = TRUE;
continue;
case '2': /* --keep_alive */
keep_alive = atoi(optarg);
continue;
case '3': /* --force_keepalive */
force_keepalive = TRUE;
continue;
case '4': /* --disable_port_floating */
nat_t_spf = FALSE;
continue;
#ifdef DEBUG
case '5': /* --debug-nat_t */
base_debugging |= DBG_NATT;
continue;
#endif
#endif
case '6': /* --virtual_private */
virtual_private = optarg;
continue;
case 'z': /* --config */
;
/* Config struct to variables mapper. This will overwrite */
/* all previously set options. Keep this in the same order than */
/* long_opts[] is. */
struct starter_config *cfg = read_cfg_file(optarg);
set_cfg_string(&pluto_log_file, cfg->setup.strings[KSF_PLUTOSTDERRLOG]);
fork_desired = cfg->setup.options[KBF_PLUTOFORK]; /* plutofork= */
log_with_timestamp =
cfg->setup.options[KBF_PLUTOSTDERRLOGTIME];
force_busy = cfg->setup.options[KBF_FORCEBUSY];
strict_crl_policy = cfg->setup.options[KBF_STRICTCRLPOLICY];
crl_check_interval = cfg->setup.options[KBF_CRLCHECKINTERVAL];
uniqueIDs = cfg->setup.options[KBF_UNIQUEIDS];
/*
* We don't check interfaces= here because that part has been dealt
* with in _stackmanager before we started
*/
set_cfg_string(&pluto_listen, cfg->setup.strings[KSF_LISTEN]);
pluto_port = cfg->setup.options[KBF_IKEPORT]; /* --ikeport */
/* no config option: ctlbase */
set_cfg_string(&pluto_shared_secrets_file, cfg->setup.strings[KSF_SECRETSFILE]); /* --secrets */
if(cfg->setup.strings[KSF_IPSECDIR] != NULL &&
*cfg->setup.strings[KSF_IPSECDIR] != 0) {
lsw_init_ipsecdir(cfg->setup.strings[KSF_IPSECDIR]); /* --ipsecdir */
}
set_cfg_string(&base_perpeer_logdir, cfg->setup.strings[KSF_PERPEERDIR]); /* --perpeerlogbase */
log_to_perpeer = cfg->setup.options[KBF_PERPEERLOG]; /* --perpeerlog */
no_retransmits = !cfg->setup.options[KBF_RETRANSMITS]; /* --noretransmits */
set_cfg_string(&coredir, cfg->setup.strings[KSF_DUMPDIR]); /* --dumpdir */
/* no config option: pluto_adns_option */
#ifdef NAT_TRAVERSAL
pluto_natt_float_port = cfg->setup.options[KBF_NATIKEPORT];
nat_traversal = cfg->setup.options[KBF_NATTRAVERSAL];
keep_alive = cfg->setup.options[KBF_KEEPALIVE];
force_keepalive = cfg->setup.options[KBF_FORCE_KEEPALIVE];
nat_t_spf = !cfg->setup.options[KBF_DISABLEPORTFLOATING];
#endif
set_cfg_string(&virtual_private,
cfg->setup.strings[KSF_VIRTUALPRIVATE]);
nhelpers = cfg->setup.options[KBF_NHELPERS];
#ifdef HAVE_LABELED_IPSEC
secctx_attr_value = cfg->setup.options[KBF_SECCTX];
#endif
#ifdef DEBUG
base_debugging = cfg->setup.options[KBF_PLUTODEBUG];
#endif
char *protostack = cfg->setup.strings[KSF_PROTOSTACK];
if (protostack == NULL || *protostack == 0)
kern_interface = USE_NETKEY;
else if (strcmp(protostack, "none") == 0)
kern_interface = NO_KERNEL;
else if (strcmp(protostack, "auto") == 0)
{
libreswan_log("The option protostack=auto is obsoleted, falling back to protostack=netkey\n");
kern_interface = USE_NETKEY;
}
else if (strcmp(protostack, "klips") == 0)
kern_interface = USE_KLIPS;
else if (strcmp(protostack, "mast") == 0)
kern_interface = USE_MASTKLIPS;
else if (strcmp(protostack, "netkey") == 0 ||
strcmp(protostack, "native") == 0)
kern_interface = USE_NETKEY;
else if (strcmp(protostack, "bsd") == 0 ||
strcmp(protostack, "kame") == 0 ||
strcmp(protostack, "bsdkame") == 0)
kern_interface = USE_BSDKAME;
else if (strcmp(protostack, "win2k") == 0)
kern_interface = USE_WIN2K;
confread_free(cfg);
continue;
default:
#ifdef DEBUG
if (c >= DBG_OFFSET)
{
base_debugging |= c - DBG_OFFSET;
continue;
}
# undef DBG_OFFSET
#endif
bad_case(c);
}
break;
}
if (optind != argc)
usage("unexpected argument");
reset_debugging();
#ifdef HAVE_NO_FORK
fork_desired = FALSE;
nhelpers = 0;
#endif
/* default coredir to location compatible with SElinux */
if(!coredir) {
coredir = clone_str("/var/run/pluto", "coredir");
}
if(chdir(coredir) == -1) {
int e = errno;
libreswan_log("pluto: chdir() do dumpdir failed (%d: %s)\n",
e, strerror(e));
}
oco = lsw_init_options();
lockfd = create_lock();
/* select between logging methods */
if (log_to_stderr_desired || log_to_file_desired) {
log_to_syslog = FALSE;
}
if (!log_to_stderr_desired)
log_to_stderr = FALSE;
#ifdef DEBUG
#if 0
if(kernel_ops->set_debug) {
(*kernel_ops->set_debug)(cur_debugging, DBG_log, DBG_log);
}
#endif
#endif
/** create control socket.
* We must create it before the parent process returns so that
* there will be no race condition in using it. The easiest
* place to do this is before the daemon fork.
*/
{
err_t ugh = init_ctl_socket();
if (ugh != NULL)
{
fprintf(stderr, "pluto: %s", ugh);
exit_pluto(1);
}
}
/* If not suppressed, do daemon fork */
if (fork_desired)
{
{
pid_t pid = fork();
if (pid < 0)
{
int e = errno;
fprintf(stderr, "pluto: fork failed (%d %s)\n",
errno, strerror(e));
exit_pluto(1);
}
if (pid != 0)
{
/* parent: die, after filling PID into lock file.
* must not use exit_pluto: lock would be removed!
*/
exit(fill_lock(lockfd, pid)? 0 : 1);
}
}
if (setsid() < 0)
{
int e = errno;
fprintf(stderr, "setsid() failed in main(). Errno %d: %s\n",
errno, strerror(e));
exit_pluto(1);
}
}
else
{
/* no daemon fork: we have to fill in lock file */
(void) fill_lock(lockfd, getpid());
if (isatty(fileno(stdout)))
{
fprintf(stdout, "Pluto initialized\n");
fflush(stdout);
}
}
/** Close everything but ctl_fd and (if needed) stderr.
* There is some danger that a library that we don't know
* about is using some fd that we don't know about.
* I guess we'll soon find out.
*/
{
int i;
for (i = getdtablesize() - 1; i >= 0; i--) /* Bad hack */
if ((!log_to_stderr || i != 2)
&& i != ctl_fd)
close(i);
/* make sure that stdin, stdout, stderr are reserved */
if (open("/dev/null", O_RDONLY) != 0)
lsw_abort();
if (dup2(0, 1) != 1)
lsw_abort();
if (!log_to_stderr && dup2(0, 2) != 2)
lsw_abort();
}
init_constants();
pluto_init_log();
pluto_init_nss(oco->confddir);
#ifdef FIPS_CHECK
const char *package_files[]= { IPSECLIBDIR"/setup",
IPSECLIBDIR"/addconn",
IPSECLIBDIR"/auto",
IPSECLIBDIR"/barf",
IPSECLIBDIR"/eroute",
IPSECLIBDIR"/ikeping",
IPSECLIBDIR"/readwriteconf",
IPSECLIBDIR"/_keycensor",
IPSECLIBDIR"/klipsdebug",
IPSECLIBDIR"/look",
IPSECLIBDIR"/newhostkey",
IPSECLIBDIR"/pf_key",
IPSECLIBDIR"/_pluto_adns",
IPSECLIBDIR"/_plutorun",
IPSECLIBDIR"/ranbits",
IPSECLIBDIR"/_realsetup",
IPSECLIBDIR"/rsasigkey",
IPSECLIBDIR"/pluto",
IPSECLIBDIR"/_secretcensor",
IPSECLIBDIR"/secrets",
IPSECLIBDIR"/showhostkey",
IPSECLIBDIR"/spi",
IPSECLIBDIR"/spigrp",
IPSECLIBDIR"/_stackmanager",
IPSECLIBDIR"/tncfg",
IPSECLIBDIR"/_updown",
IPSECLIBDIR"/_updown.klips",
IPSECLIBDIR"/_updown.mast",
IPSECLIBDIR"/_updown.netkey",
IPSECLIBDIR"/verify",
IPSECLIBDIR"/whack",
IPSECSBINDIR"/ipsec",
NULL
};
if (Pluto_IsFIPS() && !FIPSCHECK_verify_files(package_files)) {
loglog(RC_LOG_SERIOUS, "FATAL: FIPS integrity verification test failed");
exit_pluto(10);
}
#else
libreswan_log("FIPS integrity support [disabled]");
#endif
#ifdef HAVE_LIBCAP_NG
libreswan_log("libcap-ng support [enabled]");
#else
libreswan_log("libcap-ng support [disabled]");
#endif
#ifdef USE_LINUX_AUDIT
libreswan_log("Linux audit support [enabled]");
/* test and log if audit is enabled on the system */
int audit_fd, rc;
audit_fd = audit_open();
if (audit_fd < 0) {
if (errno == EINVAL || errno == EPROTONOSUPPORT ||
errno == EAFNOSUPPORT)
{
loglog(RC_LOG_SERIOUS, "Warning: kernel has no audit support");
} else {
loglog(RC_LOG_SERIOUS, "FATAL (SOON): audit_open() failed : %s", strerror(errno));
/* temp disabled exit_pluto(10); */
}
}
rc = audit_log_acct_message(audit_fd, AUDIT_USER_START, NULL,
"starting pluto daemon", NULL, -1, NULL, NULL, NULL, 1);
close(audit_fd);
if (rc < 0) {
loglog(RC_LOG_SERIOUS, "FATAL: audit_log_acct_message failed: %s", strerror(errno));
exit_pluto(10);
}
#else
libreswan_log("Linux audit support [disabled]");
#endif
/* Note: some scripts may look for this exact message -- don't change
* ipsec barf was one, but it no longer does.
*/
{
const char *vc = ipsec_version_code();
#ifdef PLUTO_SENDS_VENDORID
const char *v = init_pluto_vendorid();
libreswan_log("Starting Pluto (Libreswan Version %s%s; Vendor ID %s) pid:%u"
, vc, compile_time_interop_options, v, getpid());
#else
libreswan_log("Starting Pluto (Libreswan Version %s%s) pid:%u"
, vc, compile_time_interop_options, getpid());
#endif
if(Pluto_IsFIPS()) {
libreswan_log("Pluto is running in FIPS mode");
} else {
libreswan_log("Pluto is NOT running in FIPS mode");
}
if((vc[0]=='c' && vc[1]=='v' && vc[2]=='s') ||
(vc[2]=='g' && vc[3]=='i' && vc[4]=='t')) {
/*
* when people build RPMs from CVS or GIT, make sure they
* get blamed appropriately, and that we get some way to
* identify who did it, and when they did it. Use string concat,
* so that strings the binary can or classic SCCS "what", will find
* stuff too.
*/
libreswan_log("@(#) built on "__DATE__":" __TIME__ " by " BUILDER);
}
#if defined(USE_1DES)
libreswan_log("WARNING: 1DES is enabled");
#endif
}
if(coredir) {
libreswan_log("core dump dir: %s", coredir);
}
if(pluto_shared_secrets_file) {
libreswan_log("secrets file: %s", pluto_shared_secrets_file);
}
#ifdef LEAK_DETECTIVE
libreswan_log("LEAK_DETECTIVE support [enabled]");
#else
libreswan_log("LEAK_DETECTIVE support [disabled]");
#endif
#ifdef HAVE_OCF
{
struct stat buf;
errno=0;
if( stat("/dev/crypto",&buf) != -1)
libreswan_log("OCF support for IKE via /dev/crypto [enabled]");
else
libreswan_log("OCF support for IKE via /dev/crypto [failed:%s]", strerror(errno));
}
#else
libreswan_log("OCF support for IKE [disabled]");
#endif
/* Check for SAREF support */
#ifdef KLIPS_MAST
#include <ipsec_saref.h>
{
int e, sk, saref;
saref = 1;
errno=0;
sk = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
e = setsockopt(sk, IPPROTO_IP, IP_IPSEC_REFINFO, &saref, sizeof(saref));
if (e == -1 ) {
libreswan_log("SAref support [disabled]: %s" , strerror(errno));
}
else {
libreswan_log("SAref support [enabled]");
}
errno=0;
e = setsockopt(sk, IPPROTO_IP, IP_IPSEC_BINDREF, &saref, sizeof(saref));
if (e == -1 ) {
libreswan_log("SAbind support [disabled]: %s" , strerror(errno));
}
else {
libreswan_log("SAbind support [enabled]");
}
close(sk);
}
#endif
libreswan_log("NSS crypto [enabled]");
#ifdef XAUTH_HAVE_PAM
libreswan_log("XAUTH PAM support [enabled]");
#else
libreswan_log("XAUTH PAM support [disabled]");
#endif
#ifdef HAVE_STATSD
libreswan_log("HAVE_STATSD notification via /bin/libreswan-statsd enabled");
#else
libreswan_log("HAVE_STATSD notification support [disabled]");
#endif
/** Log various impair-* functions if they were enabled */
if(DBGP(IMPAIR_BUST_MI2))
libreswan_log("Warning: IMPAIR_BUST_MI2 enabled");
if(DBGP(IMPAIR_BUST_MR2))
libreswan_log("Warning: IMPAIR_BUST_MR2 enabled");
if(DBGP(IMPAIR_SA_CREATION))
libreswan_log("Warning: IMPAIR_SA_CREATION enabled");
if(DBGP(IMPAIR_JACOB_TWO_TWO))
libreswan_log("Warning: IMPAIR_JACOB_TWO_TWO enabled");
if(DBGP(IMPAIR_DIE_ONINFO))
libreswan_log("Warning: IMPAIR_DIE_ONINFO enabled");
if(DBGP(IMPAIR_MAJOR_VERSION_BUMP))
libreswan_log("Warning: IMPAIR_MAJOR_VERSION_BUMP enabled");
if(DBGP(IMPAIR_MINOR_VERSION_BUMP))
libreswan_log("Warning: IMPAIR_MINOR_VERSION_BUMP enabled");
if(DBGP(IMPAIR_RETRANSMITS))
libreswan_log("Warning: IMPAIR_RETRANSMITS enabled");
if(DBGP(IMPAIR_SEND_BOGUS_ISAKMP_FLAG))
libreswan_log("Warning: IMPAIR_SEND_BOGUS_ISAKMP_FLAG enabled");
if(DBGP(IMPAIR_DELAY_ADNS_KEY_ANSWER))
libreswan_log("Warning: IMPAIR_DELAY_ADNS_KEY_ANSWER enabled");
if(DBGP(IMPAIR_DELAY_ADNS_TXT_ANSWER))
libreswan_log("Warning: IMPAIR_DELAY_ADNS_TXT_ANSWER enabled");
/** Initialize all of the various features */
#ifdef NAT_TRAVERSAL
init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf);
#endif
init_virtual_ip(virtual_private);
/* obsoletd by nss code init_rnd_pool(); */
init_timer();
init_secret();
init_states();
init_connections();
init_crypto();
init_crypto_helpers(nhelpers);
load_lswcrypto();
init_demux();
init_kernel();
init_adns();
init_id();
#ifdef TPM
init_tpm();
#endif
#if defined(LIBCURL) || defined(LDAP_VER)
init_fetch();
#endif
/* loading X.509 CA certificates */
load_authcerts("CA cert", oco->cacerts_dir, AUTH_CA);
#if 0
/* unused */
/* loading X.509 AA certificates */
load_authcerts("AA cert", oco->aacerts_dir, AUTH_AA);
#endif
/* loading X.509 CRLs */
load_crls();
/* loading attribute certificates (experimental) */
load_acerts();
/*Loading CA certs from NSS DB*/
load_authcerts_from_nss("CA cert", AUTH_CA);
#ifdef HAVE_LABELED_IPSEC
init_avc();
#endif
daily_log_event();
call_server();
return -1; /* Shouldn't ever reach this */
}
int main(int argc, char *argv[])
{
struct sigaction sa;
struct rlimit limit;
int i, c, rc;
int opt_foreground = 0, opt_allow_links = 0;
enum startup_state opt_startup = startup_enable;
extern char *optarg;
extern int optind;
struct ev_loop *loop;
struct ev_io netlink_watcher;
struct ev_signal sigterm_watcher;
struct ev_signal sighup_watcher;
struct ev_signal sigusr1_watcher;
struct ev_signal sigusr2_watcher;
struct ev_signal sigchld_watcher;
/* Get params && set mode */
while ((c = getopt(argc, argv, "flns:")) != -1) {
switch (c) {
case 'f':
opt_foreground = 1;
break;
case 'l':
opt_allow_links=1;
break;
case 'n':
do_fork = 0;
break;
case 's':
for (i=0; i<startup_INVALID; i++) {
if (strncmp(optarg, startup_states[i],
strlen(optarg)) == 0) {
opt_startup = i;
break;
}
}
if (i == startup_INVALID) {
fprintf(stderr, "unknown startup mode '%s'\n",
optarg);
usage();
}
break;
default:
usage();
}
}
/* check for trailing command line following options */
if (optind < argc) {
usage();
}
if (opt_allow_links)
set_allow_links(1);
if (opt_foreground) {
config.daemonize = D_FOREGROUND;
set_aumessage_mode(MSG_STDERR, DBG_YES);
} else {
config.daemonize = D_BACKGROUND;
set_aumessage_mode(MSG_SYSLOG, DBG_NO);
(void) umask( umask( 077 ) | 022 );
}
#ifndef DEBUG
/* Make sure we are root */
if (getuid() != 0) {
fprintf(stderr, "You must be root to run this program.\n");
return 4;
}
#endif
/* Register sighandlers */
sa.sa_flags = 0 ;
sigemptyset( &sa.sa_mask ) ;
/* Ignore all signals by default */
sa.sa_handler = SIG_IGN;
for (i=1; i<NSIG; i++)
sigaction( i, &sa, NULL );
atexit(clean_exit);
/* Raise the rlimits in case we're being started from a shell
* with restrictions. Not a fatal error. */
limit.rlim_cur = RLIM_INFINITY;
limit.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_FSIZE, &limit);
setrlimit(RLIMIT_CPU, &limit);
/* Load the Configuration File */
if (load_config(&config, TEST_AUDITD))
return 6;
if (config.priority_boost != 0) {
errno = 0;
rc = nice((int)-config.priority_boost);
if (rc == -1 && errno) {
audit_msg(LOG_ERR, "Cannot change priority (%s)",
strerror(errno));
return 1;
}
}
/* Daemonize or stay in foreground for debugging */
if (config.daemonize == D_BACKGROUND) {
if (become_daemon() != 0) {
audit_msg(LOG_ERR, "Cannot daemonize (%s)",
strerror(errno));
tell_parent(FAILURE);
return 1;
}
openlog("auditd", LOG_PID, LOG_DAEMON);
}
/* Init netlink */
if ((fd = audit_open()) < 0) {
audit_msg(LOG_ERR, "Cannot open netlink audit socket");
tell_parent(FAILURE);
return 1;
}
/* Init the event handler thread */
write_pid_file();
if (init_event(&config)) {
if (pidfile)
unlink(pidfile);
tell_parent(FAILURE);
return 1;
}
if (init_dispatcher(&config)) {
if (pidfile)
unlink(pidfile);
tell_parent(FAILURE);
return 1;
}
/* Get machine name ready for use */
if (resolve_node(&config)) {
if (pidfile)
unlink(pidfile);
tell_parent(FAILURE);
return 1;
}
/* Write message to log that we are alive */
{
struct utsname ubuf;
char start[DEFAULT_BUF_SZ];
const char *fmt = audit_lookup_format((int)config.log_format);
if (fmt == NULL)
fmt = "UNKNOWN";
if (uname(&ubuf) != 0) {
if (pidfile)
unlink(pidfile);
tell_parent(FAILURE);
return 1;
}
if (getsubj(subj))
snprintf(start, sizeof(start),
"auditd start, ver=%s format=%s "
"kernel=%.56s auid=%u pid=%d subj=%s res=success",
VERSION, fmt, ubuf.release,
audit_getloginuid(), getpid(), subj);
else
snprintf(start, sizeof(start),
"auditd start, ver=%s format=%s "
"kernel=%.56s auid=%u pid=%d res=success",
VERSION, fmt, ubuf.release,
audit_getloginuid(), getpid());
if (send_audit_event(AUDIT_DAEMON_START, start)) {
audit_msg(LOG_ERR, "Cannot send start message");
if (pidfile)
unlink(pidfile);
shutdown_dispatcher();
tell_parent(FAILURE);
return 1;
}
}
/* Tell kernel not to kill us */
avoid_oom_killer();
/* let config manager init */
init_config_manager();
if (opt_startup != startup_nochange && (audit_is_enabled(fd) < 2) &&
audit_set_enabled(fd, (int)opt_startup) < 0) {
char emsg[DEFAULT_BUF_SZ];
if (*subj)
snprintf(emsg, sizeof(emsg),
"auditd error halt, auid=%u pid=%d subj=%s res=failed",
audit_getloginuid(), getpid(), subj);
else
snprintf(emsg, sizeof(emsg),
"auditd error halt, auid=%u pid=%d res=failed",
audit_getloginuid(), getpid());
stop = 1;
send_audit_event(AUDIT_DAEMON_ABORT, emsg);
audit_msg(LOG_ERR,
"Unable to set initial audit startup state to '%s', exiting",
startup_states[opt_startup]);
close_down();
if (pidfile)
unlink(pidfile);
shutdown_dispatcher();
tell_parent(FAILURE);
return 1;
}
/* Tell the kernel we are alive */
if (audit_set_pid(fd, getpid(), WAIT_YES) < 0) {
char emsg[DEFAULT_BUF_SZ];
if (*subj)
snprintf(emsg, sizeof(emsg),
"auditd error halt, auid=%u pid=%d subj=%s res=failed",
audit_getloginuid(), getpid(), subj);
else
snprintf(emsg, sizeof(emsg),
"auditd error halt, auid=%u pid=%d res=failed",
audit_getloginuid(), getpid());
stop = 1;
send_audit_event(AUDIT_DAEMON_ABORT, emsg);
audit_msg(LOG_ERR, "Unable to set audit pid, exiting");
close_down();
if (pidfile)
unlink(pidfile);
shutdown_dispatcher();
tell_parent(FAILURE);
return 1;
}
/* Depending on value of opt_startup (-s) set initial audit state */
loop = ev_default_loop (EVFLAG_NOENV);
ev_io_init (&netlink_watcher, netlink_handler, fd, EV_READ);
ev_io_start (loop, &netlink_watcher);
ev_signal_init (&sigterm_watcher, term_handler, SIGTERM);
ev_signal_start (loop, &sigterm_watcher);
ev_signal_init (&sighup_watcher, hup_handler, SIGHUP);
ev_signal_start (loop, &sighup_watcher);
ev_signal_init (&sigusr1_watcher, user1_handler, SIGUSR1);
ev_signal_start (loop, &sigusr1_watcher);
ev_signal_init (&sigusr2_watcher, user2_handler, SIGUSR2);
ev_signal_start (loop, &sigusr2_watcher);
ev_signal_init (&sigchld_watcher, child_handler, SIGCHLD);
ev_signal_start (loop, &sigchld_watcher);
if (auditd_tcp_listen_init (loop, &config)) {
char emsg[DEFAULT_BUF_SZ];
if (*subj)
snprintf(emsg, sizeof(emsg),
"auditd error halt, auid=%u pid=%d subj=%s res=failed",
audit_getloginuid(), getpid(), subj);
else
snprintf(emsg, sizeof(emsg),
"auditd error halt, auid=%u pid=%d res=failed",
audit_getloginuid(), getpid());
stop = 1;
send_audit_event(AUDIT_DAEMON_ABORT, emsg);
tell_parent(FAILURE);
} else {
/* Now tell parent that everything went OK */
tell_parent(SUCCESS);
audit_msg(LOG_NOTICE,
"Init complete, auditd %s listening for events (startup state %s)",
VERSION,
startup_states[opt_startup]);
}
/* Parent should be gone by now... */
if (do_fork)
close(init_pipe[1]);
// Init complete, start event loop
if (!stop)
ev_loop (loop, 0);
auditd_tcp_listen_uninit (loop, &config);
// Tear down IO watchers Part 1
ev_signal_stop (loop, &sighup_watcher);
ev_signal_stop (loop, &sigusr1_watcher);
ev_signal_stop (loop, &sigusr2_watcher);
ev_signal_stop (loop, &sigterm_watcher);
/* Write message to log that we are going down */
rc = audit_request_signal_info(fd);
if (rc > 0) {
struct audit_reply trep;
rc = get_reply(fd, &trep, rc);
if (rc > 0) {
char txt[MAX_AUDIT_MESSAGE_LENGTH];
snprintf(txt, sizeof(txt),
"auditd normal halt, sending auid=%u "
"pid=%d subj=%s res=success",
trep.signal_info->uid,
trep.signal_info->pid,
trep.signal_info->ctx);
send_audit_event(AUDIT_DAEMON_END, txt);
}
}
if (rc <= 0)
send_audit_event(AUDIT_DAEMON_END,
"auditd normal halt, sending auid=? "
"pid=? subj=? res=success");
free(rep);
// Tear down IO watchers Part 2
ev_io_stop (loop, &netlink_watcher);
// Give DAEMON_END event a little time to be sent in case
// of remote logging
usleep(10000); // 10 milliseconds
shutdown_dispatcher();
// Tear down IO watchers Part 3
ev_signal_stop (loop, &sigchld_watcher);
close_down();
free_config(&config);
ev_default_destroy();
return 0;
}
/*
* Algorithm:
* check that user is root
* check to see if program exists
* if so fork, child waits for parent
* parent clears audit rules, loads audit all syscalls with child's pid
* parent tells child to go & waits for sigchld
* child exec's program
* parent deletes rules after getting sigchld
*/
int main(int argc, char *argv[])
{
int fd[2];
int pid,cmd=1;
char buf[2];
if (argc < 2) {
usage();
return 1;
}
if (strcmp(argv[cmd], "-h") == 0) {
usage();
return 1;
}
if (strcmp(argv[cmd], "-r") == 0) {
threat = 1;
cmd++;
}
if (getuid() != 0) {
fprintf(stderr, "You must be root to run this program.\n");
return 1;
}
if (access(argv[cmd], X_OK)) {
if (errno == ENOENT)
fprintf(stderr, "Error - can't find: %s\n", argv[cmd]);
else
fprintf(stderr, "Error checking %s (%s)\n",
argv[cmd], strerror(errno));
return 1;
}
set_aumessage_mode(MSG_STDERR, DBG_NO);
switch (count_rules())
{
case -1:
if (errno == ECONNREFUSED)
fprintf(stderr,
"The audit system is disabled\n");
else
fprintf(stderr,
"Error - can't get rule count.\n");
return 1;
case 0:
break;
default:
fprintf(stderr,
"autrace cannot be run with rules loaded.\n"
"Please delete all rules using 'auditctl -D' if you "
"really wanted to\nrun this command.\n");
return 1;
}
if (pipe(fd) != 0) {
fprintf(stderr, "Error creating pipe.\n");
return 1;
}
switch ((pid=fork()))
{
case -1:
fprintf(stderr, "Error forking.\n");
return 1;
case 0: /* Child */
close(fd[1]);
printf("Waiting to execute: %s\n", argv[cmd]);
while (read(fd[0], buf, 1) == -1 && errno == EINTR)
/* blank */ ;
close(fd[0]);
execvp(argv[cmd], &argv[cmd]);
fprintf(stderr, "Failed to exec %s\n", argv[cmd]);
return 1;
default: /* Parent */
close(fd[0]);
fcntl(fd[1], F_SETFD, FD_CLOEXEC);
{
char field[16];
int audit_fd;
audit_fd = audit_open();
if (audit_fd < 0)
exit(1);
snprintf(field, sizeof(field), "pid=%d", pid);
if (insert_rule(audit_fd, field)) {
kill(pid,SIGTERM);
(void)delete_all_rules(audit_fd);
exit(1);
}
snprintf(field, sizeof(field), "ppid=%d", pid);
if (insert_rule(audit_fd, field)) {
kill(pid,SIGTERM);
(void)delete_all_rules(audit_fd);
exit(1);
}
sleep(1);
if (write(fd[1],"1", 1) != 1) {
kill(pid,SIGTERM);
(void)delete_all_rules(audit_fd);
exit(1);
}
waitpid(pid, NULL, 0);
close(fd[1]);
puts("Cleaning up...");
(void)delete_all_rules(audit_fd);
close(audit_fd);
}
printf("Trace complete. "
"You can locate the records with "
"\'ausearch -i -p %d\'\n",
pid);
break;
}
return 0;
}
/*
* login - create a new login session for a user
*
* login is typically called by getty as the second step of a
* new user session. getty is responsible for setting the line
* characteristics to a reasonable set of values and getting
* the name of the user to be logged in. login may also be
* called to create a new user session on a pty for a variety
* of reasons, such as X servers or network logins.
*
* the flags which login supports are
*
* -p - preserve the environment
* -r - perform autologin protocol for rlogin
* -f - do not perform authentication, user is preauthenticated
* -h - the name of the remote host
*/
int main (int argc, char **argv)
{
const char *tmptty;
char tty[BUFSIZ];
#ifdef RLOGIN
char term[128] = "";
#endif /* RLOGIN */
#if defined(HAVE_STRFTIME) && !defined(USE_PAM)
char ptime[80];
#endif
unsigned int delay;
unsigned int retries;
bool failed;
bool subroot = false;
#ifndef USE_PAM
bool is_console;
#endif
int err;
const char *cp;
char *tmp;
char fromhost[512];
struct passwd *pwd = NULL;
char **envp = environ;
const char *failent_user;
/*@null@*/struct utmp *utent;
#ifdef USE_PAM
int retcode;
pid_t child;
char *pam_user = NULL;
#else
struct spwd *spwd = NULL;
#endif
/*
* Some quick initialization.
*/
sanitize_env ();
(void) setlocale (LC_ALL, "");
(void) bindtextdomain (PACKAGE, LOCALEDIR);
(void) textdomain (PACKAGE);
initenv ();
amroot = (getuid () == 0);
Prog = Basename (argv[0]);
if (geteuid() != 0) {
fprintf (stderr, _("%s: Cannot possibly work without effective root\n"), Prog);
exit (1);
}
process_flags (argc, argv);
if ((isatty (0) == 0) || (isatty (1) == 0) || (isatty (2) == 0)) {
exit (1); /* must be a terminal */
}
utent = get_current_utmp ();
/*
* Be picky if run by normal users (possible if installed setuid
* root), but not if run by root. This way it still allows logins
* even if your getty is broken, or if something corrupts utmp,
* but users must "exec login" which will use the existing utmp
* entry (will not overwrite remote hostname). --marekm
*/
if (!amroot && (NULL == utent)) {
(void) puts (_("No utmp entry. You must exec \"login\" from the lowest level \"sh\""));
exit (1);
}
/* NOTE: utent might be NULL afterwards */
tmptty = ttyname (0);
if (NULL == tmptty) {
tmptty = "UNKNOWN";
}
STRFCPY (tty, tmptty);
#ifndef USE_PAM
is_console = console (tty);
#endif
if (rflg || hflg) {
/*
* Add remote hostname to the environment. I think
* (not sure) I saw it once on Irix. --marekm
*/
addenv ("REMOTEHOST", hostname);
}
if (fflg) {
preauth_flag = true;
}
if (hflg) {
reason = PW_RLOGIN;
}
#ifdef RLOGIN
if (rflg) {
assert (NULL == username);
username = xmalloc (USER_NAME_MAX_LENGTH + 1);
username[USER_NAME_MAX_LENGTH] = '\0';
if (do_rlogin (hostname, username, USER_NAME_MAX_LENGTH, term, sizeof term)) {
preauth_flag = true;
} else {
free (username);
username = NULL;
}
}
#endif /* RLOGIN */
OPENLOG ("login");
setup_tty ();
#ifndef USE_PAM
(void) umask (getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
{
/*
* Use the ULIMIT in the login.defs file, and if
* there isn't one, use the default value. The
* user may have one for themselves, but otherwise,
* just take what you get.
*/
long limit = getdef_long ("ULIMIT", -1L);
if (limit != -1) {
set_filesize_limit (limit);
}
}
#endif
/*
* The entire environment will be preserved if the -p flag
* is used.
*/
if (pflg) {
while (NULL != *envp) { /* add inherited environment, */
addenv (*envp, NULL); /* some variables change later */
envp++;
}
}
#ifdef RLOGIN
if (term[0] != '\0') {
addenv ("TERM", term);
} else
#endif /* RLOGIN */
{
/* preserve TERM from getty */
if (!pflg) {
tmp = getenv ("TERM");
if (NULL != tmp) {
addenv ("TERM", tmp);
}
}
}
init_env ();
if (optind < argc) { /* now set command line variables */
set_env (argc - optind, &argv[optind]);
}
if (rflg || hflg) {
cp = hostname;
#ifdef HAVE_STRUCT_UTMP_UT_HOST
} else if ((NULL != utent) && ('\0' != utent->ut_host[0])) {
cp = utent->ut_host;
#endif /* HAVE_STRUCT_UTMP_UT_HOST */
} else {
cp = "";
}
if ('\0' != *cp) {
snprintf (fromhost, sizeof fromhost,
" on '%.100s' from '%.200s'", tty, cp);
} else {
snprintf (fromhost, sizeof fromhost,
" on '%.100s'", tty);
}
top:
/* only allow ALARM sec. for login */
(void) signal (SIGALRM, alarm_handler);
timeout = getdef_unum ("LOGIN_TIMEOUT", ALARM);
if (timeout > 0) {
(void) alarm (timeout);
}
environ = newenvp; /* make new environment active */
delay = getdef_unum ("FAIL_DELAY", 1);
retries = getdef_unum ("LOGIN_RETRIES", RETRIES);
#ifdef USE_PAM
retcode = pam_start ("login", username, &conv, &pamh);
if (retcode != PAM_SUCCESS) {
fprintf (stderr,
_("login: PAM Failure, aborting: %s\n"),
pam_strerror (pamh, retcode));
SYSLOG ((LOG_ERR, "Couldn't initialize PAM: %s",
pam_strerror (pamh, retcode)));
exit (99);
}
/*
* hostname & tty are either set to NULL or their correct values,
* depending on how much we know. We also set PAM's fail delay to
* ours.
*
* PAM_RHOST and PAM_TTY are used for authentication, only use
* information coming from login or from the caller (e.g. no utmp)
*/
retcode = pam_set_item (pamh, PAM_RHOST, hostname);
PAM_FAIL_CHECK;
retcode = pam_set_item (pamh, PAM_TTY, tty);
PAM_FAIL_CHECK;
#ifdef HAS_PAM_FAIL_DELAY
retcode = pam_fail_delay (pamh, 1000000 * delay);
PAM_FAIL_CHECK;
#endif
/* if fflg, then the user has already been authenticated */
if (!fflg) {
unsigned int failcount = 0;
char hostn[256];
char loginprompt[256]; /* That's one hell of a prompt :) */
/* Make the login prompt look like we want it */
if (gethostname (hostn, sizeof (hostn)) == 0) {
snprintf (loginprompt,
sizeof (loginprompt),
_("%s login: "******"login: "******"TOO MANY LOGIN TRIES (%u)%s FOR '%s'",
failcount, fromhost, failent_user));
fprintf(stderr,
_("Maximum number of tries exceeded (%u)\n"),
failcount);
PAM_END;
exit(0);
} else if (retcode == PAM_ABORT) {
/* Serious problems, quit now */
(void) fputs (_("login: abort requested by PAM\n"), stderr);
SYSLOG ((LOG_ERR,"PAM_ABORT returned from pam_authenticate()"));
PAM_END;
exit(99);
} else if (retcode != PAM_SUCCESS) {
SYSLOG ((LOG_NOTICE,"FAILED LOGIN (%u)%s FOR '%s', %s",
failcount, fromhost, failent_user,
pam_strerror (pamh, retcode)));
failed = true;
}
if (!failed) {
break;
}
#ifdef WITH_AUDIT
audit_fd = audit_open ();
audit_log_acct_message (audit_fd,
AUDIT_USER_LOGIN,
NULL, /* Prog. name */
"login",
failent_user,
AUDIT_NO_ID,
hostname,
NULL, /* addr */
tty,
0); /* result */
close (audit_fd);
#endif /* WITH_AUDIT */
(void) puts ("");
(void) puts (_("Login incorrect"));
if (failcount >= retries) {
SYSLOG ((LOG_NOTICE,
"TOO MANY LOGIN TRIES (%u)%s FOR '%s'",
failcount, fromhost, failent_user));
fprintf(stderr,
_("Maximum number of tries exceeded (%u)\n"),
failcount);
PAM_END;
exit(0);
}
/*
* Let's give it another go around.
* Even if a username was given on the command
* line, prompt again for the username.
*/
retcode = pam_set_item (pamh, PAM_USER, NULL);
PAM_FAIL_CHECK;
}
/* We don't get here unless they were authenticated above */
(void) alarm (0);
}
/* Check the account validity */
retcode = pam_acct_mgmt (pamh, 0);
if (retcode == PAM_NEW_AUTHTOK_REQD) {
retcode = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
}
PAM_FAIL_CHECK;
/* Open the PAM session */
get_pam_user (&pam_user);
retcode = pam_open_session (pamh, hushed (pam_user) ? PAM_SILENT : 0);
PAM_FAIL_CHECK;
/* Grab the user information out of the password file for future usage
* First get the username that we are actually using, though.
*
* From now on, we will discard changes of the user (PAM_USER) by
* PAM APIs.
*/
get_pam_user (&pam_user);
if (NULL != username) {
free (username);
}
username = pam_user;
failent_user = get_failent_user (username);
pwd = xgetpwnam (username);
if (NULL == pwd) {
SYSLOG ((LOG_ERR, "cannot find user %s", failent_user));
exit (1);
}
/* This set up the process credential (group) and initialize the
* supplementary group access list.
* This has to be done before pam_setcred
*/
if (setup_groups (pwd) != 0) {
exit (1);
}
retcode = pam_setcred (pamh, PAM_ESTABLISH_CRED);
PAM_FAIL_CHECK;
/* NOTE: If pam_setcred changes PAM_USER, this will not be taken
* into account.
*/
#else /* ! USE_PAM */
while (true) { /* repeatedly get login/password pairs */
/* user_passwd is always a pointer to this constant string
* or a passwd or shadow password that will be memzero by
* pw_free / spw_free.
* Do not free() user_passwd. */
const char *user_passwd = "!";
/* Do some cleanup to avoid keeping entries we do not need
* anymore. */
if (NULL != pwd) {
pw_free (pwd);
pwd = NULL;
}
if (NULL != spwd) {
spw_free (spwd);
spwd = NULL;
}
failed = false; /* haven't failed authentication yet */
if (NULL == username) { /* need to get a login id */
if (subroot) {
closelog ();
exit (1);
}
preauth_flag = false;
username = xmalloc (USER_NAME_MAX_LENGTH + 1);
username[USER_NAME_MAX_LENGTH] = '\0';
login_prompt (_("\n%s login: "******"!",
* the account is locked and the user cannot
* login, even if they have been
* "pre-authenticated."
*/
if ( ('!' == user_passwd[0])
|| ('*' == user_passwd[0])) {
failed = true;
}
}
if (strcmp (user_passwd, SHADOW_PASSWD_STRING) == 0) {
spwd = xgetspnam (username);
if (NULL != spwd) {
user_passwd = spwd->sp_pwdp;
} else {
/* The user exists in passwd, but not in
* shadow. SHADOW_PASSWD_STRING indicates
* that the password shall be in shadow.
*/
SYSLOG ((LOG_WARN,
"no shadow password for '%s'%s",
username, fromhost));
}
}
/*
* The -r and -f flags provide a name which has already
* been authenticated by some server.
*/
if (preauth_flag) {
goto auth_ok;
}
if (pw_auth (user_passwd, username, reason, (char *) 0) == 0) {
goto auth_ok;
}
SYSLOG ((LOG_WARN, "invalid password for '%s' %s",
failent_user, fromhost));
failed = true;
auth_ok:
/*
* This is the point where all authenticated users wind up.
* If you reach this far, your password has been
* authenticated and so on.
*/
if ( !failed
&& (NULL != pwd)
&& (0 == pwd->pw_uid)
&& !is_console) {
SYSLOG ((LOG_CRIT, "ILLEGAL ROOT LOGIN %s", fromhost));
failed = true;
}
if ( !failed
&& !login_access (username, ('\0' != *hostname) ? hostname : tty)) {
SYSLOG ((LOG_WARN, "LOGIN '%s' REFUSED %s",
username, fromhost));
failed = true;
}
if ( (NULL != pwd)
&& getdef_bool ("FAILLOG_ENAB")
&& !failcheck (pwd->pw_uid, &faillog, failed)) {
SYSLOG ((LOG_CRIT,
"exceeded failure limit for '%s' %s",
username, fromhost));
failed = true;
}
if (!failed) {
break;
}
/* don't log non-existent users */
if ((NULL != pwd) && getdef_bool ("FAILLOG_ENAB")) {
failure (pwd->pw_uid, tty, &faillog);
}
if (getdef_str ("FTMP_FILE") != NULL) {
#ifdef USE_UTMPX
struct utmpx *failent =
prepare_utmpx (failent_user,
tty,
/* FIXME: or fromhost? */hostname,
utent);
#else /* !USE_UTMPX */
struct utmp *failent =
prepare_utmp (failent_user,
tty,
hostname,
utent);
#endif /* !USE_UTMPX */
failtmp (failent_user, failent);
free (failent);
}
retries--;
if (retries <= 0) {
SYSLOG ((LOG_CRIT, "REPEATED login failures%s",
fromhost));
}
/*
* If this was a passwordless account and we get here, login
* was denied (securetty, faillog, etc.). There was no
* password prompt, so do it now (will always fail - the bad
* guys won't see that the passwordless account exists at
* all). --marekm
*/
if (user_passwd[0] == '\0') {
pw_auth ("!", username, reason, (char *) 0);
}
/*
* Authentication of this user failed.
* The username must be confirmed in the next try.
*/
free (username);
username = NULL;
/*
* Wait a while (a la SVR4 /usr/bin/login) before attempting
* to login the user again. If the earlier alarm occurs
* before the sleep() below completes, login will exit.
*/
if (delay > 0) {
(void) sleep (delay);
}
(void) puts (_("Login incorrect"));
/* allow only one attempt with -r or -f */
if (rflg || fflg || (retries <= 0)) {
closelog ();
exit (1);
}
} /* while (true) */
#endif /* ! USE_PAM */
assert (NULL != username);
assert (NULL != pwd);
(void) alarm (0); /* turn off alarm clock */
#ifndef USE_PAM /* PAM does this */
/*
* porttime checks moved here, after the user has been
* authenticated. now prints a message, as suggested
* by Ivan Nejgebauer <*****@*****.**>. --marekm
*/
if ( getdef_bool ("PORTTIME_CHECKS_ENAB")
&& !isttytime (username, tty, time ((time_t *) 0))) {
SYSLOG ((LOG_WARN, "invalid login time for '%s'%s",
username, fromhost));
closelog ();
bad_time_notify ();
exit (1);
}
check_nologin (pwd->pw_uid == 0);
#endif
if (getenv ("IFS")) { /* don't export user IFS ... */
addenv ("IFS= \t\n", NULL); /* ... instead, set a safe IFS */
}
if (pwd->pw_shell[0] == '*') { /* subsystem root */
pwd->pw_shell++; /* skip the '*' */
subsystem (pwd); /* figure out what to execute */
subroot = true; /* say I was here again */
endpwent (); /* close all of the file which were */
endgrent (); /* open in the original rooted file */
endspent (); /* system. they will be re-opened */
#ifdef SHADOWGRP
endsgent (); /* in the new rooted file system */
#endif
goto top; /* go do all this all over again */
}
#ifdef WITH_AUDIT
audit_fd = audit_open ();
audit_log_acct_message (audit_fd,
AUDIT_USER_LOGIN,
NULL, /* Prog. name */
"login",
username,
AUDIT_NO_ID,
hostname,
NULL, /* addr */
tty,
1); /* result */
close (audit_fd);
#endif /* WITH_AUDIT */
#ifndef USE_PAM /* pam_lastlog handles this */
if (getdef_bool ("LASTLOG_ENAB")) { /* give last login and log this one */
dolastlog (&ll, pwd, tty, hostname);
}
#endif
#ifndef USE_PAM /* PAM handles this as well */
/*
* Have to do this while we still have root privileges, otherwise we
* don't have access to /etc/shadow.
*/
if (NULL != spwd) { /* check for age of password */
if (expire (pwd, spwd)) {
/* The user updated her password, get the new
* entries.
* Use the x variants because we need to keep the
* entry for a long time, and there might be other
* getxxyy in between.
*/
pw_free (pwd);
pwd = xgetpwnam (username);
if (NULL == pwd) {
SYSLOG ((LOG_ERR,
"cannot find user %s after update of expired password",
username));
exit (1);
}
spw_free (spwd);
spwd = xgetspnam (username);
}
}
setup_limits (pwd); /* nice, ulimit etc. */
#endif /* ! USE_PAM */
chown_tty (pwd);
#ifdef USE_PAM
/*
* We must fork before setuid() because we need to call
* pam_close_session() as root.
*/
(void) signal (SIGINT, SIG_IGN);
child = fork ();
if (child < 0) {
/* error in fork() */
fprintf (stderr, _("%s: failure forking: %s"),
Prog, strerror (errno));
PAM_END;
exit (0);
} else if (child != 0) {
/*
* parent - wait for child to finish, then cleanup
* session
*/
wait (NULL);
PAM_END;
exit (0);
}
/* child */
#endif
/* If we were init, we need to start a new session */
if (getppid() == 1) {
setsid();
if (ioctl(0, TIOCSCTTY, 1) != 0) {
fprintf (stderr, _("TIOCSCTTY failed on %s"), tty);
}
}
/*
* The utmp entry needs to be updated to indicate the new status
* of the session, the new PID and SID.
*/
update_utmp (username, tty, hostname, utent);
/* The pwd and spwd entries for the user have been copied.
*
* Close all the files so that unauthorized access won't occur.
*/
endpwent (); /* stop access to password file */
endgrent (); /* stop access to group file */
endspent (); /* stop access to shadow passwd file */
#ifdef SHADOWGRP
endsgent (); /* stop access to shadow group file */
#endif
/* Drop root privileges */
#ifndef USE_PAM
if (setup_uid_gid (pwd, is_console))
#else
/* The group privileges were already dropped.
* See setup_groups() above.
*/
if (change_uid (pwd))
#endif
{
exit (1);
}
setup_env (pwd); /* set env vars, cd to the home dir */
#ifdef USE_PAM
{
const char *const *env;
env = (const char *const *) pam_getenvlist (pamh);
while ((NULL != env) && (NULL != *env)) {
addenv (*env, NULL);
env++;
}
}
#endif
(void) setlocale (LC_ALL, "");
(void) bindtextdomain (PACKAGE, LOCALEDIR);
(void) textdomain (PACKAGE);
if (!hushed (username)) {
addenv ("HUSHLOGIN=FALSE", NULL);
/*
* pam_unix, pam_mail and pam_lastlog should take care of
* this
*/
#ifndef USE_PAM
motd (); /* print the message of the day */
if ( getdef_bool ("FAILLOG_ENAB")
&& (0 != faillog.fail_cnt)) {
failprint (&faillog);
/* Reset the lockout times if logged in */
if ( (0 != faillog.fail_max)
&& (faillog.fail_cnt >= faillog.fail_max)) {
(void) puts (_("Warning: login re-enabled after temporary lockout."));
SYSLOG ((LOG_WARN,
"login '%s' re-enabled after temporary lockout (%d failures)",
username, (int) faillog.fail_cnt));
}
}
if ( getdef_bool ("LASTLOG_ENAB")
&& (ll.ll_time != 0)) {
time_t ll_time = ll.ll_time;
#ifdef HAVE_STRFTIME
(void) strftime (ptime, sizeof (ptime),
"%a %b %e %H:%M:%S %z %Y",
localtime (&ll_time));
printf (_("Last login: %s on %s"),
ptime, ll.ll_line);
#else
printf (_("Last login: %.19s on %s"),
ctime (&ll_time), ll.ll_line);
#endif
#ifdef HAVE_LL_HOST /* __linux__ || SUN4 */
if ('\0' != ll.ll_host[0]) {
printf (_(" from %.*s"),
(int) sizeof ll.ll_host, ll.ll_host);
}
#endif
printf (".\n");
}
agecheck (spwd);
mailcheck (); /* report on the status of mail */
#endif /* !USE_PAM */
} else {
addenv ("HUSHLOGIN=TRUE", NULL);
}
ttytype (tty);
(void) signal (SIGQUIT, SIG_DFL); /* default quit signal */
(void) signal (SIGTERM, SIG_DFL); /* default terminate signal */
(void) signal (SIGALRM, SIG_DFL); /* default alarm signal */
(void) signal (SIGHUP, SIG_DFL); /* added this. --marekm */
(void) signal (SIGINT, SIG_DFL); /* default interrupt signal */
if (0 == pwd->pw_uid) {
SYSLOG ((LOG_NOTICE, "ROOT LOGIN %s", fromhost));
} else if (getdef_bool ("LOG_OK_LOGINS")) {
SYSLOG ((LOG_INFO, "'%s' logged in %s", username, fromhost));
}
closelog ();
tmp = getdef_str ("FAKE_SHELL");
if (NULL != tmp) {
err = shell (tmp, pwd->pw_shell, newenvp); /* fake shell */
} else {
/* exec the shell finally */
err = shell (pwd->pw_shell, (char *) 0, newenvp);
}
return ((err == ENOENT) ? E_CMD_NOTFOUND : E_CMD_NOEXEC);
}
