pam/pam-0.99.8.1-tty-audit2.patch

234 lines
8.4 KiB
Diff
Raw Normal View History

Written-by: Miloslav Trmac <mitr@redhat.com>
Reviewed-by: Tomas Mraz <tmraz@redhat.com>
diff -up Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml.tty-audit2 Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml
--- Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml.tty-audit2 2008-01-02 11:28:26.000000000 +0100
+++ Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml 2008-01-02 11:29:55.000000000 +0100
@@ -19,10 +19,10 @@
<cmdsynopsis id="pam_tty_audit-cmdsynopsis">
<command>pam_tty_audit.so</command>
<arg choice="opt">
- disable=<replaceable>usernames</replaceable>
+ disable=<replaceable>patterns</replaceable>
</arg>
<arg choice="opt">
- enable=<replaceable>usernames</replaceable>
+ enable=<replaceable>patterns</replaceable>
</arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -40,27 +40,40 @@
<variablelist>
<varlistentry>
<term>
- <option>disable=<replaceable>usernames</replaceable></option>
+ <option>disable=<replaceable>patterns</replaceable></option>
</term>
<listitem>
<para>
- For each user matching one of comma-separated
- <option><replaceable>usernames</replaceable></option>, disable
- TTY auditing. This overrides any older <option>enable</option>
- option for the same user name.
+ For each user matching one of comma-separated glob
+ <option><replaceable>patterns</replaceable></option>, disable
+ TTY auditing. This overrides any previous <option>enable</option>
+ option matchin the same user name on the command line.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
- <option>enable=<replaceable>usernames</replaceable></option>
+ <option>enable=<replaceable>patterns</replaceable></option>
</term>
<listitem>
<para>
- For each user matching one of comma-separated
- <option><replaceable>usernames</replaceable></option>, enable
- TTY auditing. This overrides any older <option>disable</option>
- option for the same user name.
+ For each user matching one of comma-separated glob
+ <option><replaceable>patterns</replaceable></option>, enable
+ TTY auditing. This overrides any previous <option>disable</option>
+ option matching the same user name on the command line.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>open_only</option>
+ </term>
+ <listitem>
+ <para>
+ Set the TTY audit flag when opening the session, but do not restore
+ it when closing the session. Using this option is necessary for
+ some services that don't <function>fork()</function> to run the
+ authenticated session, such as <command>sudo</command>.
</para>
</listitem>
</varlistentry>
@@ -99,17 +112,24 @@
</variablelist>
</refsect1>
+ <refsect1 id='pam_tty_audit-notes'>
+ <title>NOTES</title>
+ <para>
+ When TTY auditing is enabled, it is inherited by all processes started by
+ that user. In particular, daemons restarted by an user will still have
+ TTY auditing enabled, and audit TTY input even by other users unless
+ auditing for these users is explicitly disabled. Therefore, it is
+ recommended to use <option>disable=*</option> as the first option for
+ most daemons using PAM.
+ </para>
+ </refsect1>
+
<refsect1 id='pam_tty_audit-examples'>
<title>EXAMPLES</title>
<para>
Audit all administrative actions.
<programlisting>
-login root required pam_tty_audit.so enable=root
-su root required pam_tty_audit.so enable=root
-su-l root required pam_tty_audit.so enable=root
-sudo root required pam_tty_audit.so enable=root
-sudo-l root required pam_tty_audit.so enable=root
-sshd root required pam_tty_audit.so enable=root
+session required pam_tty_audit.so disable=* enable=root
</programlisting>
</para>
</refsect1>
diff -up Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml.tty-audit2 Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml
--- Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml.tty-audit2 2008-01-02 11:28:26.000000000 +0100
+++ Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml 2008-01-02 11:28:26.000000000 +0100
@@ -25,6 +25,11 @@
<section>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-notes"]/*)'/>
+ </section>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-examples"]/*)'/>
</section>
diff -up Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c.tty-audit2 Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c
--- Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c.tty-audit2 2008-01-02 11:28:26.000000000 +0100
+++ Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c 2008-01-02 11:28:26.000000000 +0100
@@ -1,4 +1,4 @@
-/* Copyright © 2007 Red Hat, Inc. All rights reserved.
+/* Copyright © 2007, 2008 Red Hat, Inc. All rights reserved.
Red Hat author: Miloslav Trmač <mitr@redhat.com>
Redistribution and use in source and binary forms of Linux-PAM, with
@@ -37,7 +37,7 @@
DAMAGE. */
#include <errno.h>
-#include <pwd.h>
+#include <fnmatch.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
@@ -197,9 +197,7 @@ pam_sm_open_session (pam_handle_t *pamh,
enum command command;
struct audit_tty_status *old_status, new_status;
const char *user;
- uid_t user_uid;
- struct passwd *pwd;
- int i, fd;
+ int i, fd, open_only;
(void)flags;
@@ -208,15 +206,9 @@ pam_sm_open_session (pam_handle_t *pamh,
pam_syslog (pamh, LOG_ERR, "error determining target user's name");
return PAM_SESSION_ERR;
}
- pwd = pam_modutil_getpwnam (pamh, user);
- if (pwd == NULL)
- {
- pam_syslog (pamh, LOG_ERR, "error determining target user's UID: %m");
- return PAM_SESSION_ERR;
- }
- user_uid = pwd->pw_uid;
command = CMD_NONE;
+ open_only = 0;
for (i = 0; i < argc; i++)
{
if (strncmp (argv[i], "enable=", 7) == 0
@@ -232,13 +224,7 @@ pam_sm_open_session (pam_handle_t *pamh,
for (tok = strtok_r (copy, ",", &tok_data); tok != NULL;
tok = strtok_r (NULL, ",", &tok_data))
{
- pwd = pam_modutil_getpwnam (pamh, tok);
- if (pwd == NULL)
- {
- pam_syslog (pamh, LOG_WARNING, "unknown user %s", tok);
- continue;
- }
- if (pwd->pw_uid == user_uid)
+ if (fnmatch (tok, user, 0) == 0)
{
command = this_command;
break;
@@ -246,6 +232,13 @@ pam_sm_open_session (pam_handle_t *pamh,
}
free (copy);
}
+ else if (strcmp (argv[i], "open_only") == 0)
+ open_only = 1;
+ else
+ {
+ pam_syslog (pamh, LOG_ERR, "unknown option `%s'", argv[i]);
+ return PAM_SESSION_ERR;
+ }
}
if (command == CMD_NONE)
return PAM_SUCCESS;
@@ -266,13 +259,15 @@ pam_sm_open_session (pam_handle_t *pamh,
return PAM_SESSION_ERR;
}
- if (old_status->enabled == (command == CMD_ENABLE ? 1 : 0))
+ new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
+ if (old_status->enabled == new_status.enabled)
{
free (old_status);
goto ok_fd;
}
- if (pam_set_data (pamh, DATANAME, old_status, cleanup_old_status)
+ if (open_only == 0
+ && pam_set_data (pamh, DATANAME, old_status, cleanup_old_status)
!= PAM_SUCCESS)
{
pam_syslog (pamh, LOG_ERR, "error saving old audit status");
@@ -281,13 +276,14 @@ pam_sm_open_session (pam_handle_t *pamh,
return PAM_SESSION_ERR;
}
- new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
if (nl_send (fd, AUDIT_TTY_SET, NLM_F_ACK, &new_status,
sizeof (new_status)) != 0
|| nl_recv_ack (fd) != 0)
{
pam_syslog (pamh, LOG_ERR, "error setting current audit status: %m");
close (fd);
+ if (open_only != 0)
+ free (old_status);
return PAM_SESSION_ERR;
}
/* Fall through */
@@ -295,6 +291,8 @@ pam_sm_open_session (pam_handle_t *pamh,
close (fd);
pam_syslog (pamh, LOG_DEBUG, "changed status from %d to %d",
old_status->enabled, new_status.enabled);
+ if (open_only != 0)
+ free (old_status);
return PAM_SUCCESS;
}