Date: Mon, 13 Feb 2006 00:51:26 GMT
From: "Christian S.J. Peron" <csjp@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Subject: PERFORCE change 91655 for review
Message-ID: <200602130051.k1D0pQN1032893@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=91655

Change 91655 by csjp@csjp_xor on 2006/02/13 00:50:26

- Check to see if we are running as root; if we aren't, then drop the call to audit failure.
- Re-arrange the max login name logic so we don't audit failure due to excessive login name lengths when we are not root.
- Don't attempt to audit after we have called setusercontext(), as it is possible that we are no longer running with the required privilege.
- Move successful audits to right after the authentication succeeds.

Discussed with: wsalamon

Affected files ...

.. //depot/projects/trustedbsd/audit3/usr.bin/su/su.c#6 edit

Differences ...

==== //depot/projects/trustedbsd/audit3/usr.bin/su/su.c#6 (text+ko) ====
@@ -209,22 +209,19 @@ usage(); /* NOTREACHED */ - if (strlen(user) > MAXLOGNAME - 1) { -#ifdef USE_BSM_AUDIT - audit_su(getuid(), AUDIT_SU_FAILURE); -#endif - errx(1, "username too long"); - } - /* * Try to provide more helpful debugging output if su(1) is running * non-setuid, or was run from a file system not mounted setuid. */ if (geteuid() != 0) { + errx(1, "not running setuid"); + } + + if (strlen(user) > MAXLOGNAME - 1) { #ifdef USE_BSM_AUDIT audit_su(getuid(), AUDIT_SU_FAILURE); #endif - errx(1, "not running setuid"); + errx(1, "username too long"); } nargv = malloc(sizeof(char *) * (size_t)(argc + 4)); @@ -310,6 +307,9 @@ username, user, mytty); errx(1, "Sorry"); } +#ifdef USE_BSM_AUDIT + audit_su(ruid, AUDIT_SU_SUCCESS); +#endif retcode = pam_get_item(pamh, PAM_USER, (const void **)&p); if (retcode == PAM_SUCCESS) user = p; @@ -572,9 +572,6 @@ /* csh strips the first character... */ *np.a = asthem ? "-su" : iscsh == YES ? "_su" : "su"; -#ifdef USE_BSM_AUDIT - audit_su(ruid, AUDIT_SU_SUCCESS); -#endif if (ruid != 0) syslog(LOG_NOTICE, "%s to %s%s", username, user, ontty());
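Review bot: in the first hunk (@@ -209,22 +209,19 @@) the `geteuid() != 0` branch now calls `errx(1, "not running setuid")` with no `audit_su(..., AUDIT_SU_FAILURE)` at all, and the username-length check has been moved below it so that its failure audit only runs once we know we are effectively root. That is the intended behaviour per the change description, but nothing in the code says so; a one-line comment above `errx(1, "not running setuid");` noting that the audit call is deliberately omitted because audit_su() requires privilege would stop a later reader from "restoring" the dropped call. Also worth noting in the commit message that an over-long username supplied to a non-setuid su(1) now reports "not running setuid" rather than "username too long", which is a visible change in the error path.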
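Review bot: in the second hunk (@@ -310,6 +307,9 @@) `audit_su(ruid, AUDIT_SU_SUCCESS)` is emitted immediately after the "Sorry" failure path, i.e. as soon as PAM authentication has succeeded, and before `pam_get_item(pamh, PAM_USER, ...)` reads back the (possibly rewritten) target user. Since the visible context does not show any failure audit on the steps that follow (the later account checks, setusercontext(), the exec), the trail can now contain a success record for an su(1) that never actually completed. Either document in a comment that this event records successful authentication rather than a completed switch, or add an `AUDIT_SU_FAILURE` record on the error paths that remain between this point and the exec.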
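Review bot: in the third hunk (@@ -572,9 +572,6 @@) the `audit_su(ruid, AUDIT_SU_SUCCESS)` block is removed, but the adjacent `syslog(LOG_NOTICE, "%s to %s%s", ...)` stays here, so the audit record and the syslog line are now generated at different points in the program. If anything fails between authentication and this point, the two logs will disagree (audit says success, syslog is silent). If that is acceptable, a brief comment here saying the BSM success record is written earlier, right after authentication, would keep the two sources from being expected to correlate one-to-one.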