diff --git a/shadow-4.1.0-audit-newgrp.patch b/shadow-4.1.0-audit-newgrp.patch index a94a3d4..e7a433a 100644 --- a/shadow-4.1.0-audit-newgrp.patch +++ b/shadow-4.1.0-audit-newgrp.patch @@ -1,7 +1,7 @@ diff -urp shadow-4.1.0.orig/src/newgrp.c shadow-4.1.0/src/newgrp.c --- shadow-4.1.0.orig/src/newgrp.c 2007-11-18 18:15:05.000000000 -0500 -+++ shadow-4.1.0/src/newgrp.c 2008-02-12 16:45:20.000000000 -0500 -@@ -122,6 +122,8 @@ int main (int argc, char **argv) ++++ shadow-4.1.0/src/newgrp.c 2008-03-06 10:01:17.000000000 -0500 +@@ -122,6 +123,8 @@ int main (int argc, char **argv) #endif #ifdef WITH_AUDIT @@ -10,7 +10,7 @@ diff -urp shadow-4.1.0.orig/src/newgrp.c shadow-4.1.0/src/newgrp.c audit_help_open (); #endif setlocale (LC_ALL, ""); -@@ -164,7 +166,7 @@ int main (int argc, char **argv) +@@ -164,7 +167,7 @@ int main (int argc, char **argv) if (!pwd) { fprintf (stderr, _("unknown UID: %u\n"), getuid ()); #ifdef WITH_AUDIT @@ -19,41 +19,69 @@ diff -urp shadow-4.1.0.orig/src/newgrp.c shadow-4.1.0/src/newgrp.c getuid (), 0); #endif SYSLOG ((LOG_WARN, "unknown UID %u", getuid ())); -@@ -272,8 +274,14 @@ int main (int argc, char **argv) +@@ -272,7 +275,13 @@ int main (int argc, char **argv) if (ngroups < 0) { perror ("getgroups"); #ifdef WITH_AUDIT - audit_logger (AUDIT_USER_START, Prog, -- "changing", NULL, getuid (), 0); + if (group) { -+ snprintf(audit_buf, sizeof(audit_buf), -+ "changing new-group=%s", group); ++ snprintf (audit_buf, sizeof(audit_buf), ++ "changing new_group=%s", group); + audit_logger (AUDIT_CHGRP_ID, Prog, + audit_buf, NULL, getuid (), 0); + } else + audit_logger (AUDIT_CHGRP_ID, Prog, -+ "changing", NULL, getuid (), 0); + "changing", NULL, getuid (), 0); #endif exit (1); +@@ -394,13 +403,26 @@ int main (int argc, char **argv) + + if (grp->gr_passwd[0] == '\0' || + strcmp (cpasswd, grp->gr_passwd) != 0) { ++#ifdef WITH_AUDIT ++ snprintf (audit_buf, sizeof(audit_buf), ++ "authentication new_gid=%d", ++ grp->gr_gid); ++ audit_logger (AUDIT_GRP_AUTH, Prog, ++ audit_buf, NULL, getuid (), 0); ++#endif + SYSLOG ((LOG_INFO, + "Invalid password for group `%s' from `%s'", + group, name)); + sleep (1); +- fputs (_("Invalid password."), stderr); ++ fputs (_("Invalid password.\n"), stderr); + goto failure; + } ++#ifdef WITH_AUDIT ++ snprintf (audit_buf, sizeof(audit_buf), ++ "authentication new_gid=%d", grp->gr_gid); ++ audit_logger (AUDIT_GRP_AUTH, Prog, ++ audit_buf, NULL, getuid (), 1); ++#endif } -@@ -461,8 +469,14 @@ int main (int argc, char **argv) - fprintf (stderr, _("%s: failure forking: %s"), + + /* +@@ -458,10 +480,16 @@ int main (int argc, char **argv) + child = fork (); + if (child < 0) { + /* error in fork() */ +- fprintf (stderr, _("%s: failure forking: %s"), ++ fprintf (stderr, _("%s: failure forking: %s\n"), is_newgrp ? "newgrp" : "sg", strerror (errno)); #ifdef WITH_AUDIT - audit_logger (AUDIT_USER_START, Prog, "changing", -- NULL, getuid (), 0); + if (group) { -+ snprintf(audit_buf, sizeof(audit_buf), -+ "changing new-group=%s", group); ++ snprintf (audit_buf, sizeof(audit_buf), ++ "changing new_group=%s", group); + audit_logger (AUDIT_CHGRP_ID, Prog, + audit_buf, NULL, getuid (), 0); + } else + audit_logger (AUDIT_CHGRP_ID, Prog, "changing", -+ NULL, getuid (), 0); + NULL, getuid (), 0); #endif exit (1); - } else if (child) { -@@ -531,14 +545,24 @@ int main (int argc, char **argv) +@@ -531,14 +559,24 @@ int main (int argc, char **argv) * to the real UID. For root, this also sets the real GID to the * new group id. */ @@ -61,8 +89,8 @@ diff -urp shadow-4.1.0.orig/src/newgrp.c shadow-4.1.0/src/newgrp.c + if (setgid (gid)) { perror ("setgid"); +#ifdef WITH_AUDIT -+ snprintf(audit_buf, sizeof(audit_buf), -+ "changing new-gid=%d", gid); ++ snprintf (audit_buf, sizeof(audit_buf), ++ "changing new_gid=%d", gid); + audit_logger (AUDIT_CHGRP_ID, Prog, + audit_buf, NULL, getuid (), 0); +#endif @@ -74,44 +102,44 @@ diff -urp shadow-4.1.0.orig/src/newgrp.c shadow-4.1.0/src/newgrp.c #ifdef WITH_AUDIT - audit_logger (AUDIT_USER_START, Prog, "changing", - NULL, getuid (), 0); -+ snprintf(audit_buf, sizeof(audit_buf), -+ "changing new-gid=%d", gid); ++ snprintf (audit_buf, sizeof(audit_buf), ++ "changing new_gid=%d", gid); + audit_logger (AUDIT_CHGRP_ID, Prog, + audit_buf, NULL, getuid (), 0); #endif exit (1); } -@@ -551,8 +575,10 @@ int main (int argc, char **argv) +@@ -551,8 +589,10 @@ int main (int argc, char **argv) closelog (); execl ("/bin/sh", "sh", "-c", command, (char *) 0); #ifdef WITH_AUDIT - audit_logger (AUDIT_USER_START, Prog, "changing", - NULL, getuid (), 0); -+ snprintf(audit_buf, sizeof(audit_buf), -+ "changing new-gid=%d", gid); ++ snprintf (audit_buf, sizeof(audit_buf), ++ "changing new_gid=%d", gid); + audit_logger (AUDIT_CHGRP_ID, Prog, + audit_buf, NULL, getuid (), 0); #endif perror ("/bin/sh"); exit (errno == ENOENT ? E_CMD_NOTFOUND : E_CMD_NOEXEC); -@@ -618,7 +644,8 @@ int main (int argc, char **argv) +@@ -618,7 +658,8 @@ int main (int argc, char **argv) } #ifdef WITH_AUDIT - audit_logger (AUDIT_USER_START, Prog, "changing", NULL, getuid (), 1); -+ snprintf(audit_buf, sizeof(audit_buf), "changing new-gid=%d", gid); ++ snprintf (audit_buf, sizeof(audit_buf), "changing new_gid=%d", gid); + audit_logger (AUDIT_CHGRP_ID, Prog, audit_buf, NULL, getuid (), 1); #endif /* * Exec the login shell and go away. We are trying to get back to -@@ -641,7 +668,14 @@ int main (int argc, char **argv) +@@ -641,7 +682,14 @@ int main (int argc, char **argv) */ closelog (); #ifdef WITH_AUDIT - audit_logger (AUDIT_USER_START, Prog, "changing", NULL, getuid (), 0); + if (group) { -+ snprintf(audit_buf, sizeof(audit_buf), -+ "changing new-group=%s", group); ++ snprintf (audit_buf, sizeof(audit_buf), ++ "changing new_group=%s", group); + audit_logger (AUDIT_CHGRP_ID, Prog, + audit_buf, NULL, getuid (), 0); + } else diff --git a/shadow-utils.spec b/shadow-utils.spec index c64135d..894b84b 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -5,7 +5,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.0 -Release: 4%{?dist} +Release: 5%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 @@ -22,6 +22,7 @@ Patch6: shadow-4.0.18.1-findNewUidOnce.patch Patch7: shadow-4.0.18.1-mtime.patch Patch8: shadow-4.1.0-audit-newgrp.patch Patch9: shadow-4.1.0-segfault.patch +Patch10: shadow-4.1.0-fasterReset.patch License: BSD Group: System Environment/Base @@ -56,6 +57,7 @@ are used for managing group accounts. %patch7 -p1 -b .mtime %patch8 -p1 -b .auditNewgrp %patch9 -p1 -b .segfault +%patch10 -p1 -b .fasterReset rm po/*.gmo rm po/stamp-po @@ -195,6 +197,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Fri Mar 07 2008 Peter Vrabec 2:4.1.0-5 +- improve newgrp audit patch + * Mon Mar 03 2008 Peter Vrabec 2:4.1.0-4 - fix selinux labeling (#433757)