~jkaivo/privexec

3dfe8bd2c04f0f81d149186e17ab526cf6b8773b — Jakob Kaivo 1 year, 5 months ago 29037b8
add logging for permission checks and results
2 files changed, 22 insertions(+), 1 deletions(-)

M check/check.c
M check/check.h
M check/check.c => check/check.c +18 -1
@@ 1,4 1,4 @@
#define _POSIX_C_SOURCE 200809L
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <grp.h>
#include <locale.h>


@@ 6,6 6,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <pwd.h>
#include <unistd.h>



@@ 63,21 64,37 @@ int main(int argc, char *argv[])
	char *user = get_username();
	char *group = get_groupname();

	openlog(PRIVEXEC_LOG_ID, LOG_PID, LOG_AUTH);
	syslog(LOG_INFO, "checking %s:%s for permission to run %s",
		user, group, cmd);

	switch (get_permission(user, group, cmd)) {
	case AUTHENTICATE:
		syslog(LOG_INFO, "%s:%s requires authentication to run %s",
			user, group, cmd);
		if (authenticate(user) != 0) {
			syslog(LOG_NOTICE, "%s:%s failed authentication for %s",
				user, group, cmd);
			fatal(0, "bad authentication");
		}
		/* FALLTHRU */
	case AUTHORIZED:
		syslog(LOG_INFO, "%s:%s authorized to run %s",
			user, group, cmd);
		return 0;

	case DENIED:
		syslog(LOG_NOTICE,
			"%s:%s explicitly denied permission to run %s",
			user, group, cmd);
		fatal(0, "explicitly denied");
		return 1;
	
	case UNKNOWN:
	default:
		syslog(LOG_NOTICE,
			"%s:%s denied permission to run %s by default",
			user, group, cmd);
		fatal(0, "denied by default");
	}


M check/check.h => check/check.h +4 -0
@@ 9,6 9,10 @@
#define PAM_SERVICE_NAME	"privexec"
#endif

#ifndef PRIVEXEC_LOG_ID
#define PRIVEXEC_LOG_ID		"privexec"
#endif

enum permission { UNKNOWN, AUTHORIZED, AUTHENTICATE, DENIED };

void fatal(int include_errno, char *fmt, ...);