From 3dfe8bd2c04f0f81d149186e17ab526cf6b8773b Mon Sep 17 00:00:00 2001 From: Jakob Kaivo Date: Thu, 18 Feb 2021 12:16:37 -0500 Subject: add logging for permission checks and results --- check/check.c | 19 ++++++++++++++++++- check/check.h | 4 ++++ 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/check/check.c b/check/check.c index 32cd9c9..38a0164 100644 --- a/check/check.c +++ b/check/check.c @@ -1,4 +1,4 @@ -#define _POSIX_C_SOURCE 200809L +#define _XOPEN_SOURCE 700 #include #include #include @@ -6,6 +6,7 @@ #include #include #include +#include #include #include @@ -63,21 +64,37 @@ int main(int argc, char *argv[]) char *user = get_username(); char *group = get_groupname(); + openlog(PRIVEXEC_LOG_ID, LOG_PID, LOG_AUTH); + syslog(LOG_INFO, "checking %s:%s for permission to run %s", + user, group, cmd); + switch (get_permission(user, group, cmd)) { case AUTHENTICATE: + syslog(LOG_INFO, "%s:%s requires authentication to run %s", + user, group, cmd); if (authenticate(user) != 0) { + syslog(LOG_NOTICE, "%s:%s failed authentication for %s", + user, group, cmd); fatal(0, "bad authentication"); } /* FALLTHRU */ case AUTHORIZED: + syslog(LOG_INFO, "%s:%s authorized to run %s", + user, group, cmd); return 0; case DENIED: + syslog(LOG_NOTICE, + "%s:%s explicitly denied permission to run %s", + user, group, cmd); fatal(0, "explicitly denied"); return 1; case UNKNOWN: default: + syslog(LOG_NOTICE, + "%s:%s denied permission to run %s by default", + user, group, cmd); fatal(0, "denied by default"); } diff --git a/check/check.h b/check/check.h index e8dac77..ac45578 100644 --- a/check/check.h +++ b/check/check.h @@ -9,6 +9,10 @@ #define PAM_SERVICE_NAME "privexec" #endif +#ifndef PRIVEXEC_LOG_ID +#define PRIVEXEC_LOG_ID "privexec" +#endif + enum permission { UNKNOWN, AUTHORIZED, AUTHENTICATE, DENIED }; void fatal(int include_errno, char *fmt, ...); -- cgit v1.2.1
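Review bot: The new syslog() calls in main() write `cmd`, `user` and `group` into the LOG_AUTH stream unmodified, and `cmd` presumably comes from the caller's command line (its assignment is outside the hunk). The format strings are literals, so there is no format-string problem, but control characters or a newline in `cmd` can produce split or misleading audit entries on syslog daemons that do not escape them. A NULL from get_username() or get_groupname() would also be undefined behaviour under `%s`; whether they can return NULL is not visible here. I would log a bounded copy with non-printable bytes replaced, as sketched below (it needs `<ctype.h>`), use it in all six calls, and treat `user` and `group` the same way if they can be NULL. main() begins and ends outside the hunk.

```c
/* Copy src into dst, replacing non-printable bytes so a caller-supplied
 * string cannot split or imitate an audit log entry. */
static const char *log_safe(char *dst, size_t n, const char *src)
{
	size_t i = 0;

	if (src == NULL) {
		src = "(null)";
	}
	for (; i + 1 < n && src[i] != '\0'; i++) {
		dst[i] = isprint((unsigned char)src[i]) ? src[i] : '?';
	}
	if (n > 0) {
		dst[i] = '\0';
	}
	return dst;
}

/* … unchanged: get_username() / get_groupname() … */
	char logcmd[256];
	log_safe(logcmd, sizeof(logcmd), cmd);

	openlog(PRIVEXEC_LOG_ID, LOG_PID, LOG_AUTH);
	syslog(LOG_INFO, "checking %s:%s for permission to run %s",
		user, group, logcmd);
/* … unchanged: switch on get_permission(); the remaining syslog() calls take logcmd in place of cmd … */
```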