Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/usr.bin/login PR/42540: Ed Ravin: /usr/bin/login does not lo...
details: https://anonhg.NetBSD.org/src/rev/aa3cf6f1fb51
branches: trunk
changeset: 750392:aa3cf6f1fb51
user: christos <christos%NetBSD.org@localhost>
date: Tue Dec 29 19:26:13 2009 +0000
description:
PR/42540: Ed Ravin: /usr/bin/login does not log normal logins, and does not
log ip addresses.
- Factor out the common code in login.c and login_pam.c into common.c
- Always log a login event
- Check passed in sockaddr against the one from getpeername(2).
diffstat:
usr.bin/login/Makefile | 3 +-
usr.bin/login/common.c | 393 ++++++++++++++++++++++++++++++++++++++++++++++
usr.bin/login/common.h | 53 ++++++
usr.bin/login/login.c | 334 +-------------------------------------
usr.bin/login/login_pam.c | 222 ++-----------------------
5 files changed, 485 insertions(+), 520 deletions(-)
diffs (truncated from 1178 to 300 lines):
diff -r a7c835837cae -r aa3cf6f1fb51 usr.bin/login/Makefile
--- a/usr.bin/login/Makefile Tue Dec 29 18:07:28 2009 +0000
+++ b/usr.bin/login/Makefile Tue Dec 29 19:26:13 2009 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.50 2009/04/14 22:15:22 lukem Exp $
+# $NetBSD: Makefile,v 1.51 2009/12/29 19:26:13 christos Exp $
# @(#)Makefile 8.1 (Berkeley) 7/19/93
WARNS?= 2 # XXX -Wcast-qual issues
@@ -13,6 +13,7 @@
BINOWN= root
BINMODE=4555
+SRCS+= common.c
.if (${USE_PAM} != "no")
SRCS+= login_pam.c
LDADD+= -lpam ${PAM_STATIC_LDADD}
diff -r a7c835837cae -r aa3cf6f1fb51 usr.bin/login/common.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/usr.bin/login/common.c Tue Dec 29 19:26:13 2009 +0000
@@ -0,0 +1,393 @@
+/* $NetBSD: common.c,v 1.1 2009/12/29 19:26:13 christos Exp $ */
+
+/*-
+ * Copyright (c) 1980, 1987, 1988, 1991, 1993, 1994
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+#include <sys/cdefs.h>
+__RCSID("$NetBSD: common.c,v 1.1 2009/12/29 19:26:13 christos Exp $");
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <syslog.h>
+#include <fcntl.h>
+#include <ttyent.h>
+#include <setjmp.h>
+#include <time.h>
+#include <pwd.h>
+#include <err.h>
+#include <vis.h>
+#include <util.h>
+
+#include "pathnames.h"
+#include "common.h"
+
+#if defined(KERBEROS5)
+#define NBUFSIZ (MAXLOGNAME + 1 + 5) /* .root suffix */
+#else
+#define NBUFSIZ (MAXLOGNAME + 1)
+#endif
+
+#ifdef SUPPORT_UTMP
+#include <utmp.h>
+static void doutmp(void);
+static void dolastlog(int);
+#endif
+#ifdef SUPPORT_UTMPX
+#include <utmpx.h>
+static void doutmpx(void);
+static void dolastlogx(int);
+#endif
+
+/*
+ * This bounds the time given to login. Not a define so it can
+ * be patched on machines where it's too small.
+ */
+u_int timeout = 300;
+
+void decode_ss(const char *);
+struct passwd *pwd;
+int failures, have_ss;
+char term[64], *envinit[1], *hostname, *username, *tty, *nested;
+struct timeval now;
+struct sockaddr_storage ss;
+
+void
+getloginname(void)
+{
+ int ch;
+ char *p;
+ static char nbuf[NBUFSIZ];
+
+ for (;;) {
+ (void)printf("login: ");
+ for (p = nbuf; (ch = getchar()) != '\n'; ) {
+ if (ch == EOF) {
+ badlogin(username);
+ exit(EXIT_FAILURE);
+ }
+ if (p < nbuf + (NBUFSIZ - 1))
+ *p++ = ch;
+ }
+ if (p > nbuf) {
+ if (nbuf[0] == '-')
+ (void)fprintf(stderr,
+ "login names may not start with '-'.\n");
+ else {
+ *p = '\0';
+ username = nbuf;
+ break;
+ }
+ }
+ }
+}
+
+int
+rootterm(char *ttyn)
+{
+ struct ttyent *t;
+
+ return ((t = getttynam(ttyn)) && t->ty_status & TTY_SECURE);
+}
+
+static jmp_buf motdinterrupt;
+
+void
+motd(char *fname)
+{
+ int fd, nchars;
+ sig_t oldint;
+ char tbuf[8192];
+
+ if ((fd = open(fname ? fname : _PATH_MOTDFILE, O_RDONLY, 0)) < 0)
+ return;
+ oldint = signal(SIGINT, sigint);
+ if (setjmp(motdinterrupt) == 0)
+ while ((nchars = read(fd, tbuf, sizeof(tbuf))) > 0)
+ (void)write(fileno(stdout), tbuf, nchars);
+ (void)signal(SIGINT, oldint);
+ (void)close(fd);
+}
+
+/* ARGSUSED */
+void
+sigint(int signo)
+{
+
+ longjmp(motdinterrupt, 1);
+}
+
+/* ARGSUSED */
+void
+timedout(int signo)
+{
+
+ (void)fprintf(stderr, "Login timed out after %d seconds\n", timeout);
+ exit(EXIT_FAILURE);
+}
+
+void
+update_db(int quietlog, int rootlogin, int fflag)
+{
+ struct sockaddr_storage ass;
+ char assbuf[1024];
+ socklen_t alen;
+ const char *hname;
+ int remote;
+
+ hname = (hostname == NULL) ? "?" : hostname;
+ if (getpeername(STDIN_FILENO, (struct sockaddr *)&ass, &alen) != -1) {
+ (void)sockaddr_snprintf(assbuf,
+ sizeof(assbuf), "%A (%a)", (void *)&ass);
+ if (have_ss) {
+ char ssbuf[1024];
+ (void)sockaddr_snprintf(ssbuf,
+ sizeof(ssbuf), "%A (%a)", (void *)&ss);
+ if (memcmp(&ass, &ss, alen) != 0)
+ syslog(LOG_NOTICE,
+ "login %s on tty %s address mismatch "
+ "passed %s != actual %s", username, tty,
+ ssbuf, assbuf);
+ } else
+ ss = ass;
+ remote = 1;
+ } else if (have_ss) {
+ (void)sockaddr_snprintf(assbuf,
+ sizeof(assbuf), "%A (%a)", (void *)&ss);
+ remote = 1;
+ } else if (hostname) {
+ (void)snprintf(assbuf, sizeof(assbuf), "? ?");
+ remote = 1;
+ } else
+ remote = 0;
+
+ /* If fflag is on, assume caller/authenticator has logged root login. */
+ if (rootlogin && fflag == 0) {
+ if (remote)
+ syslog(LOG_NOTICE, "ROOT LOGIN (%s) on tty %s from %s /"
+ " %s", username, tty, hname, assbuf);
+ else
+ syslog(LOG_NOTICE, "ROOT LOGIN (%s) on tty %s",
+ username, tty);
+ } else if (nested != NULL) {
+ if (remote)
+ syslog(LOG_NOTICE, "login %s to %s on tty %s from %s / "
+ "%s", nested, pwd->pw_name, tty, hname, assbuf);
+ else
+ syslog(LOG_NOTICE, "login %s to %s on tty %s", nested,
+ pwd->pw_name, tty);
+ } else {
+ if (remote)
+ syslog(LOG_NOTICE, "login %s on tty %s from %s / %s",
+ pwd->pw_name, tty, hname, assbuf);
+ else
+ syslog(LOG_NOTICE, "login %s on tty %s",
+ pwd->pw_name, tty);
+ }
+ (void)gettimeofday(&now, NULL);
+#ifdef SUPPORT_UTMPX
+ doutmpx();
+ dolastlogx(quietlog);
+ quietlog = 1;
+#endif
+#ifdef SUPPORT_UTMP
+ doutmp();
+ dolastlog(quietlog);
+#endif
+}
+
+#ifdef SUPPORT_UTMPX
+static void
+doutmpx(void)
+{
+ struct utmpx utmpx;
+ char *t;
+
+ memset((void *)&utmpx, 0, sizeof(utmpx));
+ utmpx.ut_tv = now;
+ (void)strncpy(utmpx.ut_name, username, sizeof(utmpx.ut_name));
+ if (hostname) {
+ (void)strncpy(utmpx.ut_host, hostname, sizeof(utmpx.ut_host));
+ utmpx.ut_ss = ss;
+ }
+ (void)strncpy(utmpx.ut_line, tty, sizeof(utmpx.ut_line));
+ utmpx.ut_type = USER_PROCESS;
+ utmpx.ut_pid = getpid();
+ t = tty + strlen(tty);
+ if (t - tty >= sizeof(utmpx.ut_id)) {
+ (void)strncpy(utmpx.ut_id, t - sizeof(utmpx.ut_id),
+ sizeof(utmpx.ut_id));
+ } else {
+ (void)strncpy(utmpx.ut_id, tty, sizeof(utmpx.ut_id));
+ }
+ if (pututxline(&utmpx) == NULL)
+ syslog(LOG_NOTICE, "Cannot update utmpx: %m");
+ endutxent();
+ if (updwtmpx(_PATH_WTMPX, &utmpx) != 0)
+ syslog(LOG_NOTICE, "Cannot update wtmpx: %m");
+}
+
+static void
+dolastlogx(int quiet)
+{
+ struct lastlogx ll;
+ if (!quiet && getlastlogx(_PATH_LASTLOGX, pwd->pw_uid, &ll) != NULL) {
+ time_t t = (time_t)ll.ll_tv.tv_sec;
+ (void)printf("Last login: %.24s ", ctime(&t));
+ if (*ll.ll_host != '\0')
+ (void)printf("from %.*s ",
+ (int)sizeof(ll.ll_host),
+ ll.ll_host);
+ (void)printf("on %.*s\n",
+ (int)sizeof(ll.ll_line),
+ ll.ll_line);
+ }
+ ll.ll_tv = now;
+ (void)strncpy(ll.ll_line, tty, sizeof(ll.ll_line));
+ if (hostname)
+ (void)strncpy(ll.ll_host, hostname, sizeof(ll.ll_host));
+ else
+ (void)memset(ll.ll_host, '\0', sizeof(ll.ll_host));
Home |
Main Index |
Thread Index |
Old Index