2 Commits f2c1450995 ... 3dfe8bd2c0

Author SHA1 Message Date
  Jakob Kaivo 3dfe8bd2c0 add logging for permission checks and results 9 months ago
  Jakob Kaivo 29037b8e6e use separate group for check 9 months ago
3 changed files with 26 additions and 3 deletions
  1. 4 2
      Makefile
  2. 18 1
      check/check.c
  3. 4 0
      check/check.h

+ 4 - 2
Makefile

@@ -3,6 +3,7 @@
 PRIVEXECBINDIR=/usr/local/bin
 PRIVEXECDIR=/usr/local/lib/privexec
 PRIVEXECGROUP=_privexec
+PRIVCHECKGROUP=_privcheck
 
 all:
 	cd check; make
@@ -13,14 +14,15 @@ install: all
 	mkdir -p $(PRIVEXECDIR)
 	cp -f check/check $(PRIVEXECDIR)
 	strip $(PRIVEXECDIR)/check
-	chown root:$(PRIVEXECGROUP) $(PRIVEXECDIR)/check
-	chmod 550 $(PRIVEXECDIR)/check
+	chown root:$(PRIVCHECKGROUP) $(PRIVEXECDIR)/check
+	chmod 2555 $(PRIVEXECDIR)/check
 
 	cp -f exec/exec $(PRIVEXECDIR)
 	strip $(PRIVEXECDIR)/exec
 	chown root:$(PRIVEXECGROUP) $(PRIVEXECDIR)/exec
 	chmod 4550 $(PRIVEXECDIR)/exec
 
+	mkdir -p $(PRIVEXECBINDIR)
 	cp -f privexec/privexec $(PRIVEXECBINDIR)
 	strip $(PRIVEXECBINDIR)/privexec
 	chown root:$(PRIVEXECGROUP) $(PRIVEXECBINDIR)/privexec

+ 18 - 1
check/check.c

@@ -1,4 +1,4 @@
-#define _POSIX_C_SOURCE 200809L
+#define _XOPEN_SOURCE 700
 #include <errno.h>
 #include <grp.h>
 #include <locale.h>
@@ -6,6 +6,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <syslog.h>
 #include <pwd.h>
 #include <unistd.h>
 
@@ -63,21 +64,37 @@ int main(int argc, char *argv[])
 	char *user = get_username();
 	char *group = get_groupname();
 
+	openlog(PRIVEXEC_LOG_ID, LOG_PID, LOG_AUTH);
+	syslog(LOG_INFO, "checking %s:%s for permission to run %s",
+		user, group, cmd);
+
 	switch (get_permission(user, group, cmd)) {
 	case AUTHENTICATE:
+		syslog(LOG_INFO, "%s:%s requires authentication to run %s",
+			user, group, cmd);
 		if (authenticate(user) != 0) {
+			syslog(LOG_NOTICE, "%s:%s failed authentication for %s",
+				user, group, cmd);
 			fatal(0, "bad authentication");
 		}
 		/* FALLTHRU */
 	case AUTHORIZED:
+		syslog(LOG_INFO, "%s:%s authorized to run %s",
+			user, group, cmd);
 		return 0;
 
 	case DENIED:
+		syslog(LOG_NOTICE,
+			"%s:%s explicitly denied permission to run %s",
+			user, group, cmd);
 		fatal(0, "explicitly denied");
 		return 1;
 	
 	case UNKNOWN:
 	default:
+		syslog(LOG_NOTICE,
+			"%s:%s denied permission to run %s by default",
+			user, group, cmd);
 		fatal(0, "denied by default");
 	}
 

+ 4 - 0
check/check.h

@@ -9,6 +9,10 @@
 #define PAM_SERVICE_NAME	"privexec"
 #endif
 
+#ifndef PRIVEXEC_LOG_ID
+#define PRIVEXEC_LOG_ID		"privexec"
+#endif
+
 enum permission { UNKNOWN, AUTHORIZED, AUTHENTICATE, DENIED };
 
 void fatal(int include_errno, char *fmt, ...);