From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 7 May 2018 20:42:59 +0000 (-0400)
Subject: Log when non-root ksu authorization fails
X-Git-Tag: krb5-1.17-beta1~116
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6cfa5c113e981f14f70ccafa20abfa5c46b665ba;p=thirdparty%2Fkrb5.git

Log when non-root ksu authorization fails

If non-root user attempts to ksu but is denied by policy, log to
syslog at LOG_WARNING in keeping with other failure messages.

ticket: 8270
---

diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index 30f6db7716..6fa74a536a 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -414,6 +414,16 @@ main (argc, argv)
     if (hp){
         if (gb_err) fprintf(stderr, "%s", gb_err);
         fprintf(stderr, _("account %s: authorization failed\n"), target_user);
+
+        if (cmd != NULL) {
+            syslog(LOG_WARNING,
+                   "Account %s: authorization for %s for execution of %s failed",
+                   target_user, source_user, cmd);
+        } else {
+            syslog(LOG_WARNING, "Account %s: authorization of %s failed",
+                   target_user, source_user);
+        }
+
         exit(1);
     }