-rw-r--r--check/check.c19
-rw-r--r--check/check.h4
2 files changed, 22 insertions, 1 deletions
diff --git a/check/check.c b/check/check.c
index 32cd9c9..38a0164 100644
--- a/check/check.c
+++ b/check/check.c
@@ -1,4 +1,4 @@
-#define _POSIX_C_SOURCE 200809L
+#define _XOPEN_SOURCE 700
#include <errno.h>
#include <grp.h>
#include <locale.h>
@@ -6,6 +6,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <syslog.h>
#include <pwd.h>
#include <unistd.h>
@@ -63,21 +64,37 @@ int main(int argc, char *argv[])
char *user = get_username();
char *group = get_groupname();
+ openlog(PRIVEXEC_LOG_ID, LOG_PID, LOG_AUTH);
+ syslog(LOG_INFO, "checking %s:%s for permission to run %s",
+ user, group, cmd);
+
switch (get_permission(user, group, cmd)) {
case AUTHENTICATE:
+ syslog(LOG_INFO, "%s:%s requires authentication to run %s",
+ user, group, cmd);
if (authenticate(user) != 0) {
+ syslog(LOG_NOTICE, "%s:%s failed authentication for %s",
+ user, group, cmd);
fatal(0, "bad authentication");
}
/* FALLTHRU */
case AUTHORIZED:
+ syslog(LOG_INFO, "%s:%s authorized to run %s",
+ user, group, cmd);
return 0;
case DENIED:
+ syslog(LOG_NOTICE,
+ "%s:%s explicitly denied permission to run %s",
+ user, group, cmd);
fatal(0, "explicitly denied");
return 1;
case UNKNOWN:
default:
+ syslog(LOG_NOTICE,
+ "%s:%s denied permission to run %s by default",
+ user, group, cmd);
fatal(0, "denied by default");
}
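Review bot: `cmd` is written verbatim into the LOG_AUTH record by every syslog() call in this hunk, and nothing visible here restricts what bytes it can hold. If it comes from the caller's argv (main's argument handling is above the hunk, so this is inferred), embedded newlines or other control characters could split or forge audit entries on syslog daemons that do not escape them. Rejecting such a value before the first syslog() call keeps the audit trail trustworthy without altering the string passed to get_permission(). It is also worth confirming that get_username() and get_groupname() cannot return NULL, since passing NULL to `%s` is undefined behaviour.

```c
	openlog(PRIVEXEC_LOG_ID, LOG_PID, LOG_AUTH);

	/* refuse command names that could break up or forge a log record */
	for (const char *p = cmd; *p != '\0'; p++) {
		if ((unsigned char)*p < 0x20 || *p == 0x7f) {
			syslog(LOG_NOTICE, "%s:%s rejected: control character in command name",
				user, group);
			fatal(0, "invalid command name");
		}
	}

	/* … unchanged: syslog(LOG_INFO, "checking …") and the permission switch … */
```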
diff --git a/check/check.h b/check/check.h
index e8dac77..ac45578 100644
--- a/check/check.h
+++ b/check/check.h
@@ -9,6 +9,10 @@
#define PAM_SERVICE_NAME "privexec"
#endif
+#ifndef PRIVEXEC_LOG_ID
+#define PRIVEXEC_LOG_ID "privexec"
+#endif
+
enum permission { UNKNOWN, AUTHORIZED, AUTHENTICATE, DENIED };
void fatal(int include_errno, char *fmt, ...);