OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gdm?expand=0&rev=8

gdm-2.13.0.4-audit-login.patch

@@ -0,0 +1,171 @@
+--- gdm-2.13.0.4/daemon/verify-pam.c.audit-login	2005-12-21 23:50:43.000000000 -0500
++++ gdm-2.13.0.4/daemon/verify-pam.c	2006-01-08 23:41:38.000000000 -0500
+@@ -47,6 +47,14 @@
+ #include <bsm/adt_event.h>
+ #endif	/* HAVE_ADT */
+ 
++#define  AU_FAILED 0
++#define  AU_SUCCESS 1
++#ifdef HAVE_LIBAUDIT
++#include <libaudit.h>
++#else
++#define log_to_audit_system(l,h,d,s)	do { ; } while (0)
++#endif
++
+ /* Evil, but this way these things are passed to the child session */
+ static pam_handle_t *pamh = NULL;
+ 
+@@ -783,6 +791,53 @@ create_pamh (GdmDisplay *d,
+ 	return TRUE;
+ }
+ 
++/**
++ * log_to_audit_system:
++ * @login: Name of user
++ * @hostname: Name of host machine
++ * @tty: Name of display 
++ * @success: 1 for success, 0 for failure
++ *
++ * Logs the success or failure of the login attempt with the linux kernel
++ * audit system. The intent is to capture failed events where the user
++ * fails authentication or otherwise is not permitted to login. There are
++ * many other places where pam could potentially fail and cause login to 
++ * fail, but these are system failures rather than the signs of an account
++ * being hacked.
++ *
++ * Returns nothing.
++ */
++
++#ifdef HAVE_LIBAUDIT
++static void 
++log_to_audit_system(const char *login,
++		const char *hostname,
++		const char *tty,
++		gboolean success)
++{
++	struct passwd *pw;
++	char buf[64];
++	int audit_fd;
++
++	audit_fd = audit_open();
++	if (login)
++		pw = getpwnam(login);
++	else {
++		login = "unknown";
++		pw = NULL;
++	}
++	if (pw) {
++		snprintf(buf, sizeof(buf), "uid=%d", pw->pw_uid);
++		audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
++			buf, hostname, NULL, tty, (int)success);
++	} else {
++		snprintf(buf, sizeof(buf), "acct=%s", login);
++		audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
++			buf, hostname, NULL, tty, (int)success);
++	}
++	close(audit_fd);
++}
++#endif
+ 
+ /**
+  * gdm_verify_user:
+@@ -875,6 +930,9 @@ authenticate_again:
+     /* Start authentication session */
+     did_we_ask_for_password = FALSE;
+     if ((pamerr = pam_authenticate (pamh, null_tok)) != PAM_SUCCESS) {
++	    /* Log the failed login attempt */
++	    log_to_audit_system(tmp_PAM_USER, d->hostname, display, AU_FAILED);
++
+ 	    if ( ! ve_string_empty (selected_user)) {
+ 		    pam_handle_t *tmp_pamh;
+ 
+@@ -962,6 +1020,8 @@ authenticate_again:
+ 	  ( ! gdm_get_value_bool (GDM_KEY_ALLOW_REMOTE_ROOT) && ! local) ) &&
+ 	pwent != NULL &&
+ 	pwent->pw_uid == 0) {
++	    /* Log the failed login attempt */
++	    log_to_audit_system(login, d->hostname, display, AU_FAILED);
+ 	    gdm_error (_("Root login disallowed on display '%s'"),
+ 		       display);
+ 	    gdm_slave_greeter_ctl_no_ret (GDM_ERRBOX,
+@@ -989,6 +1049,8 @@ authenticate_again:
+ 	break;
+     case PAM_NEW_AUTHTOK_REQD :
+ 	if ((pamerr = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK)) != PAM_SUCCESS) {
++	    /* Log the failed login attempt */
++	    log_to_audit_system(login, d->hostname, display, AU_FAILED);
+ 	    gdm_error (_("Authentication token change failed for user %s"), login);
+ 	    gdm_slave_greeter_ctl_no_ret (GDM_ERRBOX, 
+ 		    _("\nThe change of the authentication token failed. "
+@@ -1006,18 +1068,24 @@ authenticate_again:
+ #endif	/* HAVE_ADT */
+         break;
+     case PAM_ACCT_EXPIRED :
++	/* Log the failed login attempt */
++	log_to_audit_system(login, d->hostname, display, AU_FAILED);
+ 	gdm_error (_("User %s no longer permitted to access the system"), login);
+ 	gdm_slave_greeter_ctl_no_ret (GDM_ERRBOX, 
+ 		_("\nThe system administrator has disabled your account."));
+ 	error_msg_given = TRUE;
+ 	goto pamerr;
+     case PAM_PERM_DENIED :
++	/* Log the failed login attempt */
++	log_to_audit_system(login, d->hostname, display, AU_FAILED);
+ 	gdm_error (_("User %s not permitted to gain access at this time"), login);
+ 	gdm_slave_greeter_ctl_no_ret (GDM_ERRBOX, 
+ 		_("\nThe system administrator has disabled access to the system temporarily."));
+ 	error_msg_given = TRUE;
+ 	goto pamerr;
+     default :
++	/* Log the failed login attempt */
++	log_to_audit_system(login, d->hostname, display, AU_FAILED);
+ 	if (gdm_slave_action_pending ())
+ 	    gdm_error (_("Couldn't set acct. mgmt for %s"), login);
+ 	goto pamerr;
+@@ -1069,6 +1137,8 @@ authenticate_again:
+ 		    gdm_error (_("Couldn't open session for %s"), login);
+ 	    goto pamerr;
+     }
++    /* Login succeeded */
++    log_to_audit_system(login, d->hostname, display, AU_SUCCESS);
+ 
+     /* Workaround to avoid gdm messages being logged as PAM_pwdb */
+     closelog ();
+--- gdm-2.13.0.4/configure.ac.audit-login	2006-01-02 07:52:23.000000000 -0500
++++ gdm-2.13.0.4/configure.ac	2006-01-08 23:37:16.000000000 -0500
+@@ -72,6 +72,10 @@ AC_ARG_WITH(dmx,
+ 
+ AC_ARG_WITH(selinux, [  --with-selinux  Add SELinux support])
+ 
++AC_ARG_WITH(libaudit,
++  [  --with-libaudit=[auto/yes/no]  Add Linux audit support [default=auto]],,
++  with_libaudit=auto)
++
+ withval=""
+ AC_ARG_WITH(post-path,
+ [  --with-post-path=<PATH>   add PATH to end of user's PATH when logging in],[
+@@ -888,6 +892,24 @@ else
+    AC_MSG_RESULT(no)
+ fi
+ 
++# Check for Linux auditing API
++#
++# libaudit detection
++if test x$with_libaudit = xno ; then
++    have_libaudit=no;
++else
++    # See if we have audit daemon library
++    AC_CHECK_LIB(audit, audit_log_user_message,
++                 have_libaudit=yes, have_libaudit=no)
++fi
++
++AM_CONDITIONAL(HAVE_LIBAUDIT, test x$have_libaudit = xyes)
++
++if test x$have_libaudit = xyes ; then
++    EXTRA_DAEMON_LIBS="$EXTRA_DAEMON_LIBS -laudit"
++    AC_DEFINE(HAVE_LIBAUDIT,1,[linux audit support])
++fi
++
+ # Check for Solaris auditing API
+ # Note, Solaris auditing not supported for Solaris 9 or earlier and
+ # should not be used on these versions of Solaris if auditing is

gdm.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Feb 27 02:40:31 CET 2007 - hpj@suse.de
+
+- Added gdm-2.13.0.4-audit-login.patch, which fixes Novell bug
+  #234133 (GDM cannot log authentication attempts).
+
 -------------------------------------------------------------------
 Wed Feb 14 01:11:33 CET 2007 - hpj@suse.de
 

gdm.spec

@@ -25,7 +25,7 @@ License:        GNU General Public License (GPL)
 Group:          System/GUI/GNOME
 Autoreqprov:    on
 Version:        2.16.1
-Release:        57
+Release:        59
 Summary:        The GNOME 2.x Display Manager
 Source:         %{name}-%{version}.tar.bz2
 Source1:        gdm.pamd
@@ -56,6 +56,7 @@ Patch29:        gdm-gdmsetup.patch
 Patch30:        gdm-conf-custom-sysconfig.patch
 Patch31:        gdm-bufferoverrun.patch
 Patch32:        gdm-trunk-string-literal-cmp.patch
+Patch33:        gdm-2.13.0.4-audit-login.patch
 URL:            http://www.gnome.org/
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Docdir:         %{_defaultdocdir}
@@ -107,6 +108,7 @@ gnome-patch-translation-prepare
 %patch30
 %patch31 -p1
 %patch32
+%patch33 -p1
 gnome-patch-translation-update
 
 %build
@@ -229,7 +231,10 @@ sed -i s:DISPLAYMANAGER=/opt/gnome/sbin/gdm:DISPLAYMANAGER=/usr/sbin/gdm:g etc/i
 # FIXME: Should be moved to filesystem:
 %dir /usr/share/xsessions
 
-%changelog -n gdm
+%changelog
+* Tue Feb 27 2007 - hpj@suse.de
+- Added gdm-2.13.0.4-audit-login.patch, which fixes Novell bug
+  [#234133] (GDM cannot log authentication attempts).
 * Wed Feb 14 2007 - hpj@suse.de
 - Add gdm-trunk-string-literal-cmp.patch. Fixes #233655.
 * Mon Feb 12 2007 - sbrabec@suse.cz