- (dtucker) [audit-bsm.c configure.ac] bug #1968: enable workarounds for BSM

audit breakage in Solaris 11.  Patch from Magnus Johansson.
Darren Tucker 2012-02-24 10:40:41 +11:00
parent a3f297de91
commit 93a2d41505
3 changed files with 89 additions and 3 deletions


@ -1,3 +1,7 @@
20120224
- (dtucker) [audit-bsm.c configure.ac] bug #1968: enable workarounds for BSM
audit breakage in Solaris 11. Patch from Magnus Johansson.
20120215 20120215
- (tim) [openbsd-compat/bsd-misc.h sshd.c] Fix conflicting return type for - (tim) [openbsd-compat/bsd-misc.h sshd.c] Fix conflicting return type for
unsetenv due to rev 1.14 change to setenv.c. Cast unsetenv to void in sshd.c unsetenv due to rev 1.14 change to setenv.c. Cast unsetenv to void in sshd.c


@ -1,4 +1,4 @@
/* $Id: audit-bsm.c,v 1.7 2011/01/17 10:15:29 dtucker Exp $ */ /* $Id: audit-bsm.c,v 1.8 2012/02/23 23:40:43 dtucker Exp $ */
/* /*
* TODO * TODO
@ -45,6 +45,10 @@
#include <string.h> #include <string.h>
#include <unistd.h> #include <unistd.h>
#ifdef BROKEN_BSM_API
#include <libscf.h>
#endif
#include "ssh.h" #include "ssh.h"
#include "log.h" #include "log.h"
#include "key.h" #include "key.h"
@ -114,6 +118,12 @@ extern int aug_daemon_session(void);
extern Authctxt *the_authctxt; extern Authctxt *the_authctxt;
static AuditInfoTermID ssh_bsm_tid; static AuditInfoTermID ssh_bsm_tid;
#ifdef BROKEN_BSM_API
/* For some reason this constant is no longer defined
in Solaris 11. */
#define BSM_TEXTBUFSZ 256
#endif
/* Below is the low-level BSM interface code */ /* Below is the low-level BSM interface code */
/* /*
@ -161,6 +171,65 @@ aug_get_machine(char *host, u_int32_t *addr, u_int32_t *type)
} }
#endif #endif
#ifdef BROKEN_BSM_API
/*
In Solaris 11 the audit daemon has been moved to SMF. In the process
they simply dropped getacna() from the API, since it read from a now
non-existent config file. This function re-implements getacna() to
read from the SMF repository instead.
*/
int
getacna(char *auditstring, int len)
{
scf_handle_t *handle = NULL;
scf_property_t *property = NULL;
scf_value_t *value = NULL;
int ret = 0;
handle = scf_handle_create(SCF_VERSION);
if (handle == NULL)
return -2; /* The man page for getacna on Solaris 10 states
we should return -2 in case of error and set
errno to indicate the error. We don't bother
with errno here, though, since the only use
of this function below doesn't check for errors
anyway.
*/
ret = scf_handle_bind(handle);
if (ret == -1)
return -2;
property = scf_property_create(handle);
if (property == NULL)
return -2;
ret = scf_handle_decode_fmri(handle,
"svc:/system/auditd:default/:properties/preselection/naflags",
NULL, NULL, NULL, NULL, property, 0);
if (ret == -1)
return -2;
value = scf_value_create(handle);
if (value == NULL)
return -2;
ret = scf_property_get_value(property, value);
if (ret == -1)
return -2;
ret = scf_value_get_astring(value, auditstring, len);
if (ret == -1)
return -2;
scf_value_destroy(value);
scf_property_destroy(property);
scf_handle_destroy(handle);
return 0;
}
#endif
/* /*
* Check if the specified event is selected (enabled) for auditing. * Check if the specified event is selected (enabled) for auditing.
* Returns 1 if the event is selected, 0 if not and -1 on failure. * Returns 1 if the event is selected, 0 if not and -1 on failure.
@ -213,7 +282,15 @@ bsm_audit_record(int typ, char *string, au_event_t event_no)
(void) au_write(ad, au_to_text(string)); (void) au_write(ad, au_to_text(string));
(void) au_write(ad, AUToReturnFunc(typ, rc)); (void) au_write(ad, AUToReturnFunc(typ, rc));
#ifdef BROKEN_BSM_API
/* The last argument is the event modifier flags. For
some seemingly undocumented reason it was added in
Solaris 11. */
rc = au_close(ad, AU_TO_WRITE, event_no, 0);
#else
rc = au_close(ad, AU_TO_WRITE, event_no); rc = au_close(ad, AU_TO_WRITE, event_no);
#endif
if (rc < 0) if (rc < 0)
error("BSM audit: %s failed to write \"%s\" record: %s", error("BSM audit: %s failed to write \"%s\" record: %s",
__func__, string, strerror(errno)); __func__, string, strerror(errno));


@ -1,4 +1,4 @@
# $Id: configure.ac,v 1.486 2012/01/17 03:03:37 dtucker Exp $ # $Id: configure.ac,v 1.487 2012/02/23 23:40:43 dtucker Exp $
# #
# Copyright (c) 1999-2004 Damien Miller # Copyright (c) 1999-2004 Damien Miller
# #
@ -15,7 +15,7 @@
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
AC_REVISION($Revision: 1.486 $) AC_REVISION($Revision: 1.487 $)
AC_CONFIG_SRCDIR([ssh.c]) AC_CONFIG_SRCDIR([ssh.c])
AC_LANG([C]) AC_LANG([C])
@ -1434,6 +1434,11 @@ AC_ARG_WITH([audit],
# These are optional # These are optional
AC_CHECK_FUNCS([getaudit_addr aug_get_machine]) AC_CHECK_FUNCS([getaudit_addr aug_get_machine])
AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module]) AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module])
if test "$sol2ver" -eq 11; then
SSHDLIBS="$SSHDLIBS -lscf"
AC_DEFINE([BROKEN_BSM_API], [1],
[The system has incomplete BSM API])
fi
;; ;;
linux) linux)
AC_MSG_RESULT([linux]) AC_MSG_RESULT([linux])
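Review bot: The added `if test "$sol2ver" -eq 11` keys the workaround on an exact release number rather than on the API itself, so any other release with the same BSM changes would build without BROKEN_BSM_API and without `-lscf`. Where `sol2ver` is set is not visible in this hunk; if it can be empty or non-numeric here, `test` reports an error and the branch is silently skipped, which `if test "x$sol2ver" != "x" && test "$sol2ver" -eq 11; then` would at least make explicit. A feature probe would be more robust than the version test, for example checking for getacna alongside the existing `AC_CHECK_FUNCS([getaudit_addr aug_get_machine])` line and defining BROKEN_BSM_API when it is missing; the au_close() argument count would need its own compile check.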