authorJakob Kaivo <jkk@ung.org>2021-02-18 12:16:37 -0500
committerJakob Kaivo <jkk@ung.org>2021-02-18 12:16:37 -0500
commit3dfe8bd2c04f0f81d149186e17ab526cf6b8773b (patch)
tree9e73aceb025b743237ba01eb69952d41c4ef16e6 /check/check.c
parent29037b8e6e476ab05cd7fa87544b12f8f10ebe34 (diff)
add logging for permission checks and results
Diffstat (limited to 'check/check.c')
-rw-r--r--check/check.c19
1 files changed, 18 insertions, 1 deletions
diff --git a/check/check.c b/check/check.c
index 32cd9c9..38a0164 100644
--- a/check/check.c
+++ b/check/check.c
@@ -1,4 +1,4 @@
-#define _POSIX_C_SOURCE 200809L
+#define _XOPEN_SOURCE 700
#include <errno.h>
#include <grp.h>
#include <locale.h>
@@ -6,6 +6,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <syslog.h>
#include <pwd.h>
#include <unistd.h>
@@ -63,21 +64,37 @@ int main(int argc, char *argv[])
char *user = get_username();
char *group = get_groupname();
+ openlog(PRIVEXEC_LOG_ID, LOG_PID, LOG_AUTH);
+ syslog(LOG_INFO, "checking %s:%s for permission to run %s",
+ user, group, cmd);
+
switch (get_permission(user, group, cmd)) {
case AUTHENTICATE:
+ syslog(LOG_INFO, "%s:%s requires authentication to run %s",
+ user, group, cmd);
if (authenticate(user) != 0) {
+ syslog(LOG_NOTICE, "%s:%s failed authentication for %s",
+ user, group, cmd);
fatal(0, "bad authentication");
}
/* FALLTHRU */
case AUTHORIZED:
+ syslog(LOG_INFO, "%s:%s authorized to run %s",
+ user, group, cmd);
return 0;
case DENIED:
+ syslog(LOG_NOTICE,
+ "%s:%s explicitly denied permission to run %s",
+ user, group, cmd);
fatal(0, "explicitly denied");
return 1;
case UNKNOWN:
default:
+ syslog(LOG_NOTICE,
+ "%s:%s denied permission to run %s by default",
+ user, group, cmd);
fatal(0, "denied by default");
}
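Review bot: The new syslog() calls pass `user`, `group` and `cmd` straight to `%s`, and nothing in this hunk shows that they are non-NULL or free of control characters. `cmd` is set outside the hunk and is presumably caller-supplied, so on a syslog implementation that does not escape newlines or other non-printable bytes the LOG_AUTH record could be made misleading; I would log a copy of `cmd` with non-printable bytes replaced. If get_username() or get_groupname() can return NULL (for example a uid with no passwd entry; their bodies are not visible here), passing that to `%s` is undefined behaviour, so a fallback such as `user ? user : "(unknown)"` is needed before the first call. Since the names are resolved strings, also recording the numeric id makes the audit trail unambiguous, e.g. `syslog(LOG_INFO, "checking %s:%s (uid %ld) for permission to run %s", user, group, (long)getuid(), cmd);`. main() begins before this hunk, so how the three values are obtained should be confirmed there.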