Diffstat (limited to 'usr/src/lib')
| -rw-r--r-- | usr/src/lib/libbc/libc/gen/common/getfaudflgs.c | 86 | ||||
| -rw-r--r-- | usr/src/lib/libbc/sparc/Makefile | 5 | ||||
| -rw-r--r-- | usr/src/lib/libbsm/Makefile | 5 | ||||
| -rw-r--r-- | usr/src/lib/libbsm/Makefile.com | 4 | ||||
| -rw-r--r-- | usr/src/lib/libbsm/audit_user.txt | 34 | ||||
| -rw-r--r-- | usr/src/lib/libbsm/common/au_usermask.c | 113 | ||||
| -rw-r--r-- | usr/src/lib/libbsm/common/audit_user.c | 141 | ||||
| -rw-r--r-- | usr/src/lib/libbsm/common/libbsm.h | 14 | ||||
| -rw-r--r-- | usr/src/lib/libbsm/common/mapfile-vers | 6 | ||||
| -rw-r--r-- | usr/src/lib/libsecdb/user_attr.txt | 5 | 
10 files changed, 67 insertions, 346 deletions
| diff --git a/usr/src/lib/libbc/libc/gen/common/getfaudflgs.c b/usr/src/lib/libbc/libc/gen/common/getfaudflgs.c
deleted file mode 100644
index 7a17b58af9..0000000000
--- a/usr/src/lib/libbc/libc/gen/common/getfaudflgs.c
+++ /dev/null
@@ -1,86 +0,0 @@ -/* - * CDDL HEADER START - * - * The contents of this file are subject to the terms of the - * Common Development and Distribution License, Version 1.0 only - * (the "License").  You may not use this file except in compliance - * with the License. - * - * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE - * or http://www.opensolaris.org/os/licensing. - * See the License for the specific language governing permissions - * and limitations under the License. - * - * When distributing Covered Code, include this CDDL HEADER in each - * file and include the License file at usr/src/OPENSOLARIS.LICENSE. - * If applicable, add the following below this CDDL HEADER, with the - * fields enclosed by brackets "[]" replaced with your own identifying - * information: Portions Copyright [yyyy] [name of copyright owner] - * - * CDDL HEADER END - */ -/* - * Copyright 1992 Sun Microsystems, Inc.  All rights reserved. - * Use is subject to license terms. - */ - -#pragma ident	"%Z%%M%	%I%	%E% SMI" - -#include <sys/types.h> -#include <sys/label.h> -#include <sys/audit.h> - -#define MAXSTRLEN 360 - -/*	getfaudflgs.c */ - -/* - * getfauditflags() - combines system event flag mask with user event - *                               flag masks. 
- * - * input: usremasks->as_success - always audit on success - *        usremasks->as_failure - always audit on failure - *        usrdmasks->as_success - never audit on success - *        usrdmasks->as_failure - never audit on failure - * - * output: lastmasks->as_success - audit on success - *         lastmasks->as_failure - audit on failure - * - * returns:  0 - ok - *          -1 - error - */ - -int -getfauditflags(audit_state_t *usremasks, audit_state_t *usrdmasks, -    audit_state_t *lastmasks) -{	  -	int len = MAXSTRLEN, retstat = 0; -	char s_auditstring[MAXSTRLEN]; -	audit_state_t masks; -  -	masks.as_success = 0; -	masks.as_failure = 0; -	/*  -	 * get system audit mask and convert to bit mask  -	 */ -	if ((getacflg(s_auditstring, len)) >= 0)  { -		if ((getauditflagsbin(s_auditstring, &masks)) != 0) -	        	retstat = -1; -	} else -		retstat = -1; -  -	/*  -	 * combine system and user event masks  -	 */ -	if (retstat == 0) { -		lastmasks->as_success = masks.as_success; -		lastmasks->as_failure = masks.as_failure; -  -		lastmasks->as_success |= usremasks->as_success; -		lastmasks->as_failure |= usremasks->as_failure; -  -		lastmasks->as_success &= ~(usrdmasks->as_success); -		lastmasks->as_failure &= ~(usrdmasks->as_failure); -	} -	return (retstat); -} diff --git a/usr/src/lib/libbc/sparc/Makefile b/usr/src/lib/libbc/sparc/Makefile index b36c5a35ab..a0c3098dfc 100644 --- a/usr/src/lib/libbc/sparc/Makefile +++ b/usr/src/lib/libbc/sparc/Makefile @@ -19,8 +19,7 @@  # CDDL HEADER END  #  # -# Copyright 2010 Sun Microsystems, Inc.  All rights reserved. -# Use is subject to license terms. +# Copyright (c) 1990, 2010, Oracle and/or its affiliates. All rights reserved.  #  # 
@@ -61,7 +60,7 @@ clock.o closedir.o crypt.o ctime.o ctype_.o\
 drand48.o dysize.o errlst.o execvp.o exit.o exportent.o ecvt.o\
 fabs.o fmod.o frexp.o\
 fstab.o ftok.o ftw.o getacinfo.o getauid.o getauditflags.o \
-getcwd.o getenv.o getfaudflgs.o getgraent.o getlogin.o \
+getcwd.o getenv.o getgraent.o getlogin.o \
 getopt.o getsubopt.o getpwaent.o  getttyent.o\
 getttynam.o getusershell.o grpauth.o hsearch.o\
 ieee_globals.o index.o isatty.o \
diff --git a/usr/src/lib/libbsm/Makefile b/usr/src/lib/libbsm/Makefile
index e437475e3b..9b522bff9e 100644
--- a/usr/src/lib/libbsm/Makefile
+++ b/usr/src/lib/libbsm/Makefile
@@ -19,8 +19,7 @@
 # CDDL HEADER END
 #
 #
-# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
-# Use is subject to license terms.
+# Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
 #
 include ../Makefile.lib
@@ -71,7 +70,7 @@ clean clobber delete: $(SUBDIRS)
 ROOTETCSECURITY = 	$(ROOT)/etc/security
 $(ROOTETCSECURITY) := 	DIRMODE = 0755
-ESFILES =		audit_class audit_control audit_event audit_user
+ESFILES =		audit_class audit_control audit_event
 ESSRC =			$(ESFILES:%=%.txt)
 ETCSECURITYFILES =	$(ESFILES:%=$(ROOTETCSECURITY)/%)
 $(ETCSECURITYFILES) :=	FILEMODE = 0644
diff --git a/usr/src/lib/libbsm/Makefile.com b/usr/src/lib/libbsm/Makefile.com
index f3c98c8467..857b565826 100644
--- a/usr/src/lib/libbsm/Makefile.com
+++ b/usr/src/lib/libbsm/Makefile.com
@@ -19,8 +19,7 @@
 # CDDL HEADER END
 #
 #
-# Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
-# Use is subject to license terms.
+# Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved.
 #
 LIBRARY =	libbsm.a
@@ -53,7 +52,6 @@ OBJECTS=	adr.o \
 		audit_rshd.o \
 		audit_settid.o \
 		audit_shutdown.o \
-		audit_user.o \
 		bsm.o \
 		generic.o \
 		getacinfo.o \
diff --git a/usr/src/lib/libbsm/audit_user.txt b/usr/src/lib/libbsm/audit_user.txt
deleted file mode 100644
index e951336a85..0000000000
--- a/usr/src/lib/libbsm/audit_user.txt
+++ /dev/null
@@ -1,34 +0,0 @@
-#
-# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
-# Use is subject to license terms.
-#
-# CDDL HEADER START
-#
-# The contents of this file are subject to the terms of the
-# Common Development and Distribution License, Version 1.0 only
-# (the "License").  You may not use this file except in compliance
-# with the License.
-#
-# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-# or http://www.opensolaris.org/os/licensing.
-# See the License for the specific language governing permissions
-# and limitations under the License.
-#
-# When distributing Covered Code, include this CDDL HEADER in each
-# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-# If applicable, add the following below this CDDL HEADER, with the
-# fields enclosed by brackets "[]" replaced with your own identifying
-# information: Portions Copyright [yyyy] [name of copyright owner]
-#
-# CDDL HEADER END
-#
-# ident	"%Z%%M%	%I%	%E% SMI"
-#
-#
-# User Level Audit User File
-#
-# File Format
-#
-#	username:always:never
-#
-root:lo:no
diff --git a/usr/src/lib/libbsm/common/au_usermask.c b/usr/src/lib/libbsm/common/au_usermask.c
index 4ab8313fe4..a693c1f4cb 100644
--- a/usr/src/lib/libbsm/common/au_usermask.c
+++ b/usr/src/lib/libbsm/common/au_usermask.c
@@ -20,83 +20,90 @@
  */
 /*
- * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
- * Use is subject to license terms.
+ * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
  */
-#include <sys/types.h>
-#include <stdio.h>
-#include <bsm/audit.h>
+#include <errno.h>
+#include <nss.h>
+#include <secdb.h>
+#include <stdlib.h>
+#include <string.h>
+#include <user_attr.h>
+#include <zone.h>
+
 #include <bsm/libbsm.h>
-#define	AUDITSTRING_LEN 512
+#include <adt_xlate.h>		/* adt_write_syslog */
+
+/* ARGSUSED */
+static int
+audit_flags(const char *name, kva_t *kva, void *ctxt, void *pres)
+{
+	char *val;
+
+	if ((val = kva_match(kva, USERATTR_AUDIT_FLAGS_KW)) != NULL) {
+		if ((*(char **)ctxt = strdup(val)) == NULL) {
+			adt_write_syslog("au_user_mask strdup failed", errno);
+		}
+		return (1);
+	}
+	return (0);
+}
 /*
- * Initialize audit preselection mask. This function should be used
- * by applications like login that set the process preselection mask
- * when a connection or a session is created.
- *
- * First, the system wide default audit flags are obtained
- *	from the audit_control(5) file.
- *
- * Next, the "always audit" flags, obtained from the audit_user(5) database,
- *	are added.
- *
- * Finally, the "never audit" flags, also obtained from the audit_user(5)
- *	database, are subtracted.
+ * Build user's audit preselection mask.
  *
- * The mask returned can be expressed as:
+ * per-user audit flags are optional and may be missing.
+ * If global zone auditing is set, a local zone cannot reduce the default
+ * flags.
  *
- * (default audit flags + alway audit flags) - never audit flags
- *
- * If the lookup to audit_control(5) fails, then this function returns
- * an error.  If the lookup to audit_user(5), the function silently
- * continues.
+ * success flags = (system default success flags + per-user always success) -
+ *			per-user never success flags
+ * failure flags = (system default failure flags + per-user always failure) -
+ *			per-user never failure flags
  */
+
 int
-au_user_mask(char *username, au_mask_t *p_mask)
+au_user_mask(char *user, au_mask_t *mask)
 {
-	char auditstring[AUDITSTRING_LEN];
-	au_user_ent_t *p_user = NULL;
-	int retval = -1;
+	char		*last = NULL;
+	char		deflt[360];	/* matches stuff in getac*.c */
+	char		*user_flags = NULL;
-	if (p_mask == NULL)
+	if (mask == NULL) {
 		return (-1);
+	}
 	/*
-	 * Get the system wide default audit flags out of the audit_control(5)
-	 * file.
+	 * Get the default audit flags.
 	 */
+
 	setac();
-	if (getacflg(auditstring, AUDITSTRING_LEN) == 0) {
-		if (getauditflagsbin(auditstring, p_mask) == 0) {
-			retval = 0;
-		}
+	if (getacflg(deflt, sizeof (deflt)) != 0) {
+		endac();
+		return (-1);
 	}
 	endac();
+	(void) getauditflagsbin(deflt, mask);
 	/*
-	 * If you can't get the system wide flags, return an error code
-	 * now and don't bother trying to get the user specific flags.
+	 * Get per-user audit flags.
 	 */
-	if (retval != 0) {
-		return (-1);
-	}
+	(void) _enum_attrs(user, audit_flags, &user_flags, NULL);
+	if (user_flags != NULL) {
+		au_user_ent_t  per_user;
-	/*
-	 * Get the always audit flags and the never audit flags from
-	 * the audit_user(5) database.
-	 */
-	setauuser();
-	if ((p_user = getauusernam(username)) != (au_user_ent_t *)NULL) {
-		/* Add always audit flags. */
-		p_mask->as_success |= p_user->au_always.as_success;
-		p_mask->as_failure |= p_user->au_always.as_failure;
-		/* Subtract never audit flags.  */
-		p_mask->as_success &= ~(p_user->au_never.as_success);
-		p_mask->as_failure &= ~(p_user->au_never.as_failure);
+		(void) getauditflagsbin(_strtok_escape(user_flags,
+		    KV_AUDIT_DELIMIT, &last), &(per_user.au_always));
+		(void) getauditflagsbin(_strtok_escape(NULL,
+		    KV_AUDIT_DELIMIT, &last), &(per_user.au_never));
+		/* merge default and per-user */
+		mask->as_success |= per_user.au_always.as_success;
+		mask->as_failure |= per_user.au_always.as_failure;
+		mask->as_success &= ~(per_user.au_never.as_success);
+		mask->as_failure &= ~(per_user.au_never.as_failure);
+		free(user_flags);
 	}
-	endauuser();
 	return (0);
 }
diff --git a/usr/src/lib/libbsm/common/audit_user.c b/usr/src/lib/libbsm/common/audit_user.c
deleted file mode 100644
index 8342687717..0000000000
--- a/usr/src/lib/libbsm/common/audit_user.c
+++ /dev/null
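Review bot: The three `getauditflagsbin()` return values in the new `au_user_mask` are discarded, so a `flags:` default or a per-user `audit_flags` value that fails to parse is still merged into `mask`, and because `per_user` is never initialised the merge can pick up whatever a failed parse left behind in `au_always`/`au_never`. The old `au_user_mask` returned -1 when the default flags did not parse, and the deleted `auuserstr2ent` (audit_user.c hunk) returned NULL on a bad always-field and cleared a bad never-field to AU_MASK_NONE; this hunk drops all three checks, so a malformed entry now silently yields an unpredictable preselection mask instead of an error or the system defaults. The second `_strtok_escape` call also returns NULL for a single-field value, and that NULL is handed straight to `getauditflagsbin`, which may not tolerate it (its body is not visible here). Restoring the -1 return for an unparsable default and merging the per-user flags only when both fields are present and parse cleanly keeps the failure mode bounded to the system defaults.
```c
	endac();
	if (getauditflagsbin(deflt, mask) != 0) {
		return (-1);
	}

	/* … unchanged: _enum_attrs() lookup of the per-user audit_flags value … */
	if (user_flags != NULL) {
		au_user_ent_t	per_user;
		char		*af_always;
		char		*af_never;

		af_always = _strtok_escape(user_flags, KV_AUDIT_DELIMIT, &last);
		af_never = _strtok_escape(NULL, KV_AUDIT_DELIMIT, &last);
		/*
		 * A missing or unparsable field leaves the system defaults
		 * untouched rather than merging a partially parsed mask.
		 */
		if (af_always != NULL && af_never != NULL &&
		    getauditflagsbin(af_always, &(per_user.au_always)) == 0 &&
		    getauditflagsbin(af_never, &(per_user.au_never)) == 0) {
			mask->as_success |= per_user.au_always.as_success;
			mask->as_failure |= per_user.au_always.as_failure;
			mask->as_success &= ~(per_user.au_never.as_success);
			mask->as_failure &= ~(per_user.au_never.as_failure);
		}
		free(user_flags);
	}
```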
@@ -1,141 +0,0 @@ -/* - * CDDL HEADER START - * - * The contents of this file are subject to the terms of the - * Common Development and Distribution License (the "License"). - * You may not use this file except in compliance with the License. - * - * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE - * or http://www.opensolaris.org/os/licensing. - * See the License for the specific language governing permissions - * and limitations under the License. - * - * When distributing Covered Code, include this CDDL HEADER in each - * file and include the License file at usr/src/OPENSOLARIS.LICENSE. - * If applicable, add the following below this CDDL HEADER, with the - * fields enclosed by brackets "[]" replaced with your own identifying - * information: Portions Copyright [yyyy] [name of copyright owner] - * - * CDDL HEADER END - */ - -/* - * Copyright 2010 Sun Microsystems, Inc.  All rights reserved. - * Use is subject to license terms. - */ - -/* Interfaces to audit_user(4) (/etc/security/audit_user) */ - -#include <stdio.h> -#include <limits.h> -#include <sys/types.h> -#include <string.h> -#include <bsm/audit.h> -#include <bsm/libbsm.h> -#include <synch.h> -#include <nss_dbdefs.h> -#include <stdlib.h> -#include <utmpx.h> - -#define	MAX_USERNAME	sizeof (((struct utmpx *)0)->ut_user) - -static mutex_t mutex_userfile = DEFAULTMUTEX; -static au_user_ent_t *auuserstr2ent(au_user_ent_t *, au_user_str_t *); - -/* Externs from libnsl */ -extern void _setauuser(void); -extern void _endauuser(void); -extern au_user_str_t *_getauuserent(au_user_str_t *, char *, int, int *); -extern au_user_str_t *_getauusernam(char *, au_user_str_t *, char *, int, -    int *); - -void -setauuser() -{ -	(void) mutex_lock(&mutex_userfile); -	_setauuser(); -	(void) mutex_unlock(&mutex_userfile); -} - -void -endauuser() -{ -	(void) mutex_lock(&mutex_userfile); -	_endauuser(); -	(void) mutex_unlock(&mutex_userfile); -} - -au_user_ent_t * -getauuserent() -{ -	static au_user_ent_t 
au_user_entry; -	static char	logname[MAX_USERNAME+1]; - -	/* initialize au_user_entry structure */ -	au_user_entry.au_name = logname; - -	return (getauuserent_r(&au_user_entry)); - -} - -au_user_ent_t * -getauuserent_r(au_user_ent_t *au_user_entry) -{ -	au_user_str_t	us; -	au_user_str_t	*tmp; -	char 		buf[NSS_BUFLEN_AUDITUSER]; -	int 		errp = 0; - -	(void) mutex_lock(&mutex_userfile); -	(void) memset(buf, NULL, NSS_BUFLEN_AUDITUSER); -	tmp = _getauuserent(&us, buf, NSS_BUFLEN_AUDITUSER, &errp); -	(void) mutex_unlock(&mutex_userfile); - -	return (auuserstr2ent(au_user_entry, tmp)); -} - -au_user_ent_t * -getauusernam(char *name) -{ -	static au_user_ent_t u; -	static char	logname[MAX_USERNAME+1]; - -	/* initialize au_user_entry structure */ -	u.au_name = logname; - -	return (getauusernam_r(&u, name)); -} - -au_user_ent_t * -getauusernam_r(au_user_ent_t *u, char *name) -{ -	au_user_str_t	us; -	au_user_str_t	*tmp; -	char		buf[NSS_BUFLEN_AUDITUSER]; -	int		errp = 0; - -	if (name == NULL) { -		return ((au_user_ent_t *)NULL); -	} -	tmp = _getauusernam(name, &us, buf, NSS_BUFLEN_AUDITUSER, &errp); - -	return (auuserstr2ent(u, tmp)); -} - -static au_user_ent_t * -auuserstr2ent(au_user_ent_t *ue, au_user_str_t *us) -{ -	if (us == NULL) -		return (NULL); - -	if (getauditflagsbin(us->au_always, &ue->au_always) < 0) { -		return (NULL); -	} -	if (getauditflagsbin(us->au_never, &ue->au_never) < 0) { -		ue->au_never.am_success = AU_MASK_NONE; -		ue->au_never.am_failure = AU_MASK_NONE; -	} -	(void) strncpy(ue->au_name, us->au_name, MAX_USERNAME); - -	return (ue); -} diff --git a/usr/src/lib/libbsm/common/libbsm.h b/usr/src/lib/libbsm/common/libbsm.h index 54b1b4b152..b3f63e28b4 100644 --- a/usr/src/lib/libbsm/common/libbsm.h +++ b/usr/src/lib/libbsm/common/libbsm.h 
@@ -176,18 +176,6 @@ extern au_class_ent_t *getauclassnam(char *);
 extern au_class_ent_t *getauclassnam_r(au_class_ent_t *, char *);
 /*
- * Functions that manipulate audit attributes of users
- */
-
-void	setauuser(void);
-void	endauuser(void);
-
-au_user_ent_t *getauuserent(void);
-au_user_ent_t *getauuserent_r(au_user_ent_t *);
-au_user_ent_t *getauusernam(char *);
-au_user_ent_t *getauusernam_r(au_user_ent_t *, char *);
-
-/*
  * Functions that manipulate the audit control file
  */
@@ -239,8 +227,6 @@ extern int	setaudit(auditinfo_t *);
 extern int	setaudit_addr(auditinfo_addr_t *, int);
 extern int	setauid(au_id_t *);
-#define	BSM_TEXTBUFSZ	256 /* size of string for generic text token */
-
 /*
  * Defines for au_preselect(3)
  */
diff --git a/usr/src/lib/libbsm/common/mapfile-vers b/usr/src/lib/libbsm/common/mapfile-vers
index 673d72efe6..671dd66d10 100644
--- a/usr/src/lib/libbsm/common/mapfile-vers
+++ b/usr/src/lib/libbsm/common/mapfile-vers
@@ -67,8 +67,6 @@ SYMBOL_VERSION SUNW_0.8 {
 	getauevent_r;
 	getauevnam_r;
 	getauevnum_r;
-	getauuserent_r;
-	getauusernam_r;
 } SUNW_0.7;
 SYMBOL_VERSION SUNW_0.7 {
@@ -99,7 +97,6 @@ SYMBOL_VERSION SUNW_0.7 {
 	endac;
 	endauclass;
 	endauevent;
-	endauuser;
 	getacdir;
 	getacflg;
 	getacmin;
@@ -114,15 +111,12 @@ SYMBOL_VERSION SUNW_0.7 {
 	getauevnonam;
 	getauevnum;
 	getauid;
-	getauuserent;
-	getauusernam;
 	getfauditflags;
 	setac;
 	setauclass;
 	setaudit;
 	setauevent;
 	setauid;
-	setauuser;
 };
 SYMBOL_VERSION SUNWprivate_1.1 {
diff --git a/usr/src/lib/libsecdb/user_attr.txt b/usr/src/lib/libsecdb/user_attr.txt
index ac804537c9..aa31d7373b 100644
--- a/usr/src/lib/libsecdb/user_attr.txt
+++ b/usr/src/lib/libsecdb/user_attr.txt
@@ -1,6 +1,5 @@
 #
-# Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
-# Use is subject to license terms.
+# Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
 #
 # CDDL HEADER START
 #
@@ -26,7 +25,7 @@
 # user attributes. see user_attr(4)
 #
 #
-root::::auths=solaris.*,solaris.grant;profiles=All;lock_after_retries=no;min_label=admin_low;clearance=admin_high
+root::::auths=solaris.*,solaris.grant;profiles=All;audit_flags=lo\:no;lock_after_retries=no;min_label=admin_low;clearance=admin_high
 lp::::profiles=Printer Management
 adm::::profiles=Log Management
 dladm::::auths=solaris.smf.manage.wpa,solaris.smf.modify |
