--- a/usr/src/cmd/rad/daemon/rad_connection.c Tue May 08 11:07:57 2012 -0700
+++ b/usr/src/cmd/rad/daemon/rad_connection.c Tue May 08 16:53:42 2012 -0400
@@ -20,7 +20,7 @@
*/
/*
- * Copyright (c) 2010, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2012, Oracle and/or its affiliates. All rights reserved.
*/
#include <sys/types.h>
@@ -120,6 +120,10 @@
*/
conn->rm_conn_state = RCS_FREED;
if (conn->rm_conn_subject) {
+ au_event_t event_id = conn->rm_conn_subject->rs_role_assumed ?
+ ADT_role_logout : ADT_logout;
+
+ rad_conn_audit_success(conn, event_id, conn->rm_conn_subject);
rad_subject_unref(conn->rm_conn_subject);
conn->rm_conn_subject = NULL;
}
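Review bot: The logout record is emitted after `conn->rm_conn_state = RCS_FREED` has already been stored, so if rad_conn_audit_success (or anything it calls) consults the connection state it sees a freed connection; either move the audit above the state transition or leave a comment stating why the order is safe. The role/non-role choice mirrors the login side, and that pairing deserves to be written down: `/* Pair the ADT_login/ADT_role_login recorded by rad_conn_setsubject. */`. The enclosing function begins before this hunk, so whether rm_conn_lock is held here cannot be confirmed from the diff.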
@@ -167,8 +171,7 @@
}
boolean_t
-rad_conn_setsubject(radmod_connection_t *conn, rad_subject_t *subject,
- au_event_t event_id)
+rad_conn_setsubject(radmod_connection_t *conn, rad_subject_t *subject)
{
rad_mutex_enter(&conn->rm_conn_lock);
rad_subject_t *old = conn->rm_conn_subject;
@@ -206,6 +209,8 @@
return (B_FALSE);
}
+ au_event_t event_id = subject->rs_role_assumed ?
+ ADT_role_login : ADT_login;
adt_event_data_t *event;
if ((event = adt_alloc_event(conn->rm_conn_audit, event_id))
!= NULL) {
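Review bot: The event class is now taken from `subject->rs_role_assumed`, which makes it a silent precondition that callers set the flag before calling rad_conn_setsubject; rad_pam.c does so only on PAM success, and the ticket and transport callers rely on the alloc-time default. When `old` is non-NULL a replacement subject is audited as a login, but nothing in the visible hunks records the matching logout for the subject being displaced — only the subject still attached at free time gets one — so the trail for a login followed by a role login would show one login and one role-logout. If that is acceptable, say so in a comment above this block: `/* Login class follows subject->rs_role_assumed; callers set it before this call. Only the final subject is audited at logout (see rad_conn_free). */`. Handling of `old` continues outside this hunk.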
--- a/usr/src/cmd/rad/daemon/rad_connection.h Tue May 08 11:07:57 2012 -0700
+++ b/usr/src/cmd/rad/daemon/rad_connection.h Tue May 08 16:53:42 2012 -0400
@@ -87,8 +87,7 @@
rad_subject_t *);
void rad_conn_audit_success(radmod_connection_t *, au_event_t, rad_subject_t *);
-boolean_t rad_conn_setsubject(radmod_connection_t *, rad_subject_t *,
- au_event_t);
+boolean_t rad_conn_setsubject(radmod_connection_t *, rad_subject_t *);
radmod_connection_t *rad_conn_create(boolean_t);
radmod_connection_t *rad_conn_create_fd(int, boolean_t);
void rad_conn_free(radmod_connection_t *);
--- a/usr/src/cmd/rad/daemon/rad_pam.c Tue May 08 11:07:57 2012 -0700
+++ b/usr/src/cmd/rad/daemon/rad_pam.c Tue May 08 16:53:42 2012 -0400
@@ -56,11 +56,10 @@
#include "rad_modapi_xport.h"
#include "rad_connection.h"
#include "rad_error.h"
+#include "rad_pam.h"
#include "api_pam.h"
-#define DEFAULT_SERVICE "rad"
-
typedef enum rad_pam_state {
PAMS_TURN, /* PAM's turn to do something */
CLIENTS_TURN, /* Client's turn to do something */
@@ -196,10 +195,13 @@
rad_pam_data_t *pamdata = conn->rm_conn_pam;
pam_handle_t *pamhandle;
struct pam_conv conv = { rad_pam_conv, conn };
- uint_t event = pamdata->reauth ? ADT_role_login : ADT_login;
+ au_event_t event = pamdata->reauth ? ADT_role_login : ADT_login;
int r;
- subject = rad_subject_create_ucred(NULL, B_FALSE);
+ char *pam_service = conn->rm_conn_pam_service ?
+ conn->rm_conn_pam_service : RAD_PAM_DEFAULT_SERVICE;
+
+ subject = rad_subject_create_ucred(NULL, B_FALSE, pam_service);
if (subject == NULL) {
r = PAM_SYSTEM_ERR;
goto pam_done;
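Review bot: Passing `pam_service` to `rad_subject_create_ucred(NULL, ...)` has no effect here, because the NULL-ucred path returns `rad_subject_alloc()` before the service name is consulted (rad_subject.c hunk); the name only takes effect at the later `pam_start` call. Either pass NULL here with a short comment, or add `/* service name unused for a NULL ucred; pam_start below uses it */` so a reader does not assume the subject carries the service. `pam_service` is never written and feeds `pam_start(const char *, ...)`, so `const char *pam_service` would be the more accurate declaration.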
@@ -217,8 +219,6 @@
"pam: processing relogin for \"%s\"\n" :
"pam: processing login for \"%s\"\n",
pamdata->user);
- char *pam_service = conn->rm_conn_pam_service ?
- conn->rm_conn_pam_service : DEFAULT_SERVICE;
r = pam_start(pam_service, pamdata->user, &conv, &pamhandle);
if (r != PAM_SUCCESS) {
rad_log(RL_WARN, "pam_start: %s\n", pam_strerror(NULL, r));
@@ -317,7 +317,8 @@
pam_done:
if (r == PAM_SUCCESS) {
- if (!rad_conn_setsubject(conn, subject, event))
+ subject->rs_role_assumed = pamdata->reauth;
+ if (!rad_conn_setsubject(conn, subject))
r = PAM_SYSTEM_ERR;
} else {
rad_conn_audit_failure(conn, event, ADT_FAIL_PAM + r, subject);
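Review bot: The success path now classifies the login via `subject->rs_role_assumed`, while the failure path two lines below still uses `event`, computed from `pamdata->reauth` near the top of the function; the two derive from the same input today but live in different places and can drift. Setting `subject->rs_role_assumed = pamdata->reauth;` immediately after the subject is created (where `event` is computed) would keep both classifications next to each other and also cover any future caller that inspects the subject before PAM finishes. The field is written without `rs_lock` here; that is presumably fine while the subject is not yet shared, but a one-line comment saying so would help.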
@@ -579,7 +580,7 @@
rad_subject_t *subject =
rad_ticket_redeem(args[1], data_to_string(args[0]));
- if (subject == NULL || !rad_conn_setsubject(conn, subject, ADT_login))
+ if (subject == NULL || !rad_conn_setsubject(conn, subject))
return (ce_system);
return (ce_ok);
--- a/usr/src/cmd/rad/daemon/rad_pam.h Tue May 08 11:07:57 2012 -0700
+++ b/usr/src/cmd/rad/daemon/rad_pam.h Tue May 08 16:53:42 2012 -0400
@@ -30,6 +30,8 @@
extern "C" {
#endif
+#define RAD_PAM_DEFAULT_SERVICE "rad"
+
void rad_pam_init(void);
#ifdef __cplusplus
--- a/usr/src/cmd/rad/daemon/rad_subject.c Tue May 08 11:07:57 2012 -0700
+++ b/usr/src/cmd/rad/daemon/rad_subject.c Tue May 08 16:53:42 2012 -0400
@@ -20,7 +20,7 @@
*/
/*
- * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2012, Oracle and/or its affiliates. All rights reserved.
*/
#include <sys/types.h>
@@ -34,6 +34,7 @@
#include "rad_subject.h"
#include "rad_modapi.h"
+#include "rad_pam.h"
pthread_key_t rad_subject_key = PTHREAD_ONCE_KEY_NP;
@@ -50,6 +51,7 @@
rad_mutex_init(&result->rs_lock);
result->rs_refs = 1;
result->rs_complete = B_FALSE;
+ result->rs_role_assumed = B_FALSE;
rad_mutex_enter(&rad_subject_lock);
result->rs_id = subjectid++;
rad_mutex_exit(&rad_subject_lock);
@@ -93,7 +95,7 @@
}
static rad_subject_t *
-rad_subject_create_uid(uid_t uid, boolean_t init_pam)
+rad_subject_create_uid(uid_t uid, boolean_t init_pam, char *pam_svc_name)
{
rad_subject_t *result;
struct passwd *pw;
@@ -120,7 +122,9 @@
return (result);
}
- r = pam_start("login", username, &conv, &result->rs_pamhandle);
+ char *pam_service = pam_svc_name ?
+ pam_svc_name : RAD_PAM_DEFAULT_SERVICE;
+ r = pam_start(pam_service, username, &conv, &result->rs_pamhandle);
if (r != PAM_SUCCESS) {
rad_log(RL_WARN, "pam_start failed for %s: %s", username,
pam_strerror(NULL, r));
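Review bot: The PAM service for peer-credential subjects changes from the fixed `"login"` stack to a transport-configurable name defaulting to `"rad"`; that is the intent, but the fallback contract is not documented at the declaration, and the parameter should be `const char *pam_svc_name` since it is only ever passed to `pam_start`. Suggested comment on the function: `/* pam_svc_name: PAM service used for the subject's handle; NULL selects RAD_PAM_DEFAULT_SERVICE. */`. Since the name comes from transport configuration, it is worth confirming that a misconfigured or absent service entry behaves as intended on this platform rather than silently using a different stack.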
@@ -150,13 +154,14 @@
}
rad_subject_t *
-rad_subject_create_ucred(ucred_t *uc, boolean_t init_pam)
+rad_subject_create_ucred(ucred_t *uc, boolean_t init_pam, char *pam_svc_name)
{
rad_subject_t *result;
if (uc == NULL)
return (rad_subject_alloc());
- result = rad_subject_create_uid(ucred_geteuid(uc), init_pam);
+ result = rad_subject_create_uid(ucred_geteuid(uc), init_pam,
+ pam_svc_name);
if (result != NULL) {
result->rs_ucred = uc;
} else {
@@ -167,7 +172,7 @@
}
rad_subject_t *
-rad_subject_create_fd(int fd)
+rad_subject_create_fd(int fd, char *pam_svc_name)
{
ucred_t *ucred = NULL;
@@ -175,7 +180,7 @@
return (NULL);
/* frees ucred on failure */
- return (rad_subject_create_ucred(ucred, B_TRUE));
+ return (rad_subject_create_ucred(ucred, B_TRUE, pam_svc_name));
}
int
--- a/usr/src/cmd/rad/daemon/rad_subject.h Tue May 08 11:07:57 2012 -0700
+++ b/usr/src/cmd/rad/daemon/rad_subject.h Tue May 08 16:53:42 2012 -0400
@@ -20,7 +20,7 @@
*/
/*
- * Copyright (c) 2010, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2012, Oracle and/or its affiliates. All rights reserved.
*/
#ifndef _RAD_SUBJECT_H
@@ -55,10 +55,11 @@
/* State */
int rs_nthreads; /* Number of outstanding requests */
+ boolean_t rs_role_assumed; /* True if subject assumes a role */
} rad_subject_t;
-rad_subject_t *rad_subject_create_ucred(ucred_t *, boolean_t);
-rad_subject_t *rad_subject_create_fd(int);
+rad_subject_t *rad_subject_create_ucred(ucred_t *, boolean_t, char *);
+rad_subject_t *rad_subject_create_fd(int, char *);
int rad_subject_set_user(rad_subject_t *, const char *);
void rad_subject_store(rad_subject_t *);
--- a/usr/src/cmd/rad/mod/xport_pipe/mod_xport_pipe.c Tue May 08 11:07:57 2012 -0700
+++ b/usr/src/cmd/rad/mod/xport_pipe/mod_xport_pipe.c Tue May 08 16:53:42 2012 -0400
@@ -20,7 +20,7 @@
*/
/*
- * Copyright (c) 2010, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2012, Oracle and/or its affiliates. All rights reserved.
*/
#include <sys/types.h>
@@ -66,7 +66,7 @@
}
if (uc == NULL ||
- (subject = rad_subject_create_ucred(uc, B_FALSE)) == NULL) {
+ (subject = rad_subject_create_ucred(uc, B_FALSE, NULL)) == NULL) {
rad_log(RL_ERROR, "failed to allocate connection");
adr_stream_close(stream);
adr_stream_free(stream);
@@ -96,7 +96,7 @@
conn->rm_conn_xport = stream;
conn->rm_conn_proto_ops = proto;
- if (!rad_conn_setsubject(conn, subject, ADT_login)) {
+ if (!rad_conn_setsubject(conn, subject)) {
rad_log(RL_WARN, "failed to set connection subject");
rad_conn_close(conn);
rad_conn_free(conn);
--- a/usr/src/cmd/rad/mod/xport_tcp/mod_xport_tcp.c Tue May 08 11:07:57 2012 -0700
+++ b/usr/src/cmd/rad/mod/xport_tcp/mod_xport_tcp.c Tue May 08 16:53:42 2012 -0400
@@ -81,7 +81,8 @@
if (noauth) {
ucred_t *uc = ucred_get(P_MYID);
if (uc == NULL ||
- (subject = rad_subject_create_ucred(uc, B_FALSE)) == NULL) {
+ (subject = rad_subject_create_ucred(uc, B_FALSE,
+ pam_service)) == NULL) {
rad_log(RL_ERROR, "failed to allocate subject");
return (rm_system);
}
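Review bot: In the noauth path the subject is built from the daemon's own credentials with `init_pam` set to `B_FALSE`, and from the rad_subject.c hunks it looks like the early return in rad_subject_create_uid means `pam_svc_name` is never reached for that call, so threading `pam_service` through here appears to be a no-op. If that reading is right, a comment such as `/* no PAM handle is created for noauth subjects; service name is unused */` (or passing NULL) would avoid suggesting the noauth subject is PAM-bound.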
@@ -123,7 +124,7 @@
if (noauth) {
assert(subject != NULL);
rad_subject_ref(subject);
- if (!rad_conn_setsubject(conn, subject, ADT_login)) {
+ if (!rad_conn_setsubject(conn, subject)) {
rad_log(RL_WARN,
"failed to set connection subject");
rad_conn_close(conn);
--- a/usr/src/cmd/rad/mod/xport_unix/mod_xport_unix.c Tue May 08 11:07:57 2012 -0700
+++ b/usr/src/cmd/rad/mod/xport_unix/mod_xport_unix.c Tue May 08 16:53:42 2012 -0400
@@ -224,8 +224,8 @@
rad_log(RL_DEBUG, "Connection accepted.\n");
/* subject allocation failure and missing ucred are conflated */
- rad_subject_t *subject = peercred ? rad_subject_create_fd(afd) :
- NULL;
+ rad_subject_t *subject = peercred ?
+ rad_subject_create_fd(afd, pam_service) : NULL;
if (control) {
if (subject == NULL) {
@@ -259,7 +259,7 @@
conn->rm_conn_pam_service = pam_service;
if (subject != NULL &&
- !rad_conn_setsubject(conn, subject, ADT_login)) {
+ !rad_conn_setsubject(conn, subject)) {
rad_conn_close(conn);
rad_conn_free(conn);
rad_log(RL_WARN, "failed to set connection subject");