Merge branch 'master' into f21
Conflicts: pam.spec
commit
b378efa913
@ -1,6 +1,6 @@
diff -up Linux-PAM-1.1.1/configure.in.faillock Linux-PAM-1.1.1/configure.in
|
diff -up Linux-PAM-1.1.1/configure.in.faillock Linux-PAM-1.1.1/configure.in
|
||||||
--- Linux-PAM-1.1.1/configure.in.faillock 2010-09-17 15:58:41.000000000 +0200
|
--- Linux-PAM-1.1.1/configure.in.faillock 2010-10-20 15:46:34.000000000 +0200
|
||||||
+++ Linux-PAM-1.1.1/configure.in 2010-09-17 15:58:41.000000000 +0200
|
+++ Linux-PAM-1.1.1/configure.in 2011-01-25 18:24:43.000000000 +0100
|
||||||
@@ -539,7 +539,7 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
|
@@ -539,7 +539,7 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
|
||||||
modules/pam_access/Makefile modules/pam_cracklib/Makefile \
|
modules/pam_access/Makefile modules/pam_cracklib/Makefile \
|
||||||
modules/pam_debug/Makefile modules/pam_deny/Makefile \
|
modules/pam_debug/Makefile modules/pam_deny/Makefile \
|
||||||
@ -11,8 +11,8 @@ diff -up Linux-PAM-1.1.1/configure.in.faillock Linux-PAM-1.1.1/configure.in
|
|||||||
modules/pam_ftp/Makefile modules/pam_group/Makefile \
|
modules/pam_ftp/Makefile modules/pam_group/Makefile \
|
||||||
modules/pam_issue/Makefile modules/pam_keyinit/Makefile \
|
modules/pam_issue/Makefile modules/pam_keyinit/Makefile \
|
||||||
diff -up Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock Linux-PAM-1.1.1/doc/sag/pam_faillock.xml
|
diff -up Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock Linux-PAM-1.1.1/doc/sag/pam_faillock.xml
|
||||||
--- Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock 2010-09-17 16:05:56.000000000 +0200
|
--- Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock 2011-01-25 18:24:43.000000000 +0100
|
||||||
+++ Linux-PAM-1.1.1/doc/sag/pam_faillock.xml 2010-09-17 16:08:26.000000000 +0200
|
+++ Linux-PAM-1.1.1/doc/sag/pam_faillock.xml 2011-01-25 18:24:43.000000000 +0100
|
||||||
@@ -0,0 +1,38 @@
|
@@ -0,0 +1,38 @@
|
||||||
+<?xml version='1.0' encoding='UTF-8'?>
|
+<?xml version='1.0' encoding='UTF-8'?>
|
||||||
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
||||||
@ -53,8 +53,8 @@ diff -up Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock Linux-PAM-1.1.1/doc/s
|
|||||||
+ </section>
|
+ </section>
|
||||||
+</section>
|
+</section>
|
||||||
diff -up Linux-PAM-1.1.1/modules/Makefile.am.faillock Linux-PAM-1.1.1/modules/Makefile.am
|
diff -up Linux-PAM-1.1.1/modules/Makefile.am.faillock Linux-PAM-1.1.1/modules/Makefile.am
|
||||||
--- Linux-PAM-1.1.1/modules/Makefile.am.faillock 2010-09-17 15:58:41.000000000 +0200
|
--- Linux-PAM-1.1.1/modules/Makefile.am.faillock 2010-10-20 15:46:34.000000000 +0200
|
||||||
+++ Linux-PAM-1.1.1/modules/Makefile.am 2010-09-17 15:58:41.000000000 +0200
|
+++ Linux-PAM-1.1.1/modules/Makefile.am 2011-01-25 18:24:43.000000000 +0100
|
||||||
@@ -3,7 +3,7 @@
|
@@ -3,7 +3,7 @@
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -65,9 +65,9 @@ diff -up Linux-PAM-1.1.1/modules/Makefile.am.faillock Linux-PAM-1.1.1/modules/Ma
|
|||||||
pam_group pam_issue pam_keyinit pam_lastlog pam_limits \
|
pam_group pam_issue pam_keyinit pam_lastlog pam_limits \
|
||||||
pam_listfile pam_localuser pam_loginuid pam_mail \
|
pam_listfile pam_localuser pam_loginuid pam_mail \
|
||||||
diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.c
|
diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.c
|
||||||
--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock 2010-09-17 15:58:41.000000000 +0200
|
--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock 2011-01-25 18:24:43.000000000 +0100
|
||||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.c 2010-09-17 15:58:41.000000000 +0200
|
+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.c 2011-01-25 18:24:56.000000000 +0100
|
||||||
@@ -0,0 +1,147 @@
|
@@ -0,0 +1,158 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
|
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
|
||||||
+ *
|
+ *
|
||||||
@ -111,13 +111,14 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.1.
|
|||||||
+#include <sys/types.h>
|
+#include <sys/types.h>
|
||||||
+#include <sys/stat.h>
|
+#include <sys/stat.h>
|
||||||
+#include <sys/file.h>
|
+#include <sys/file.h>
|
||||||
|
+#include <sys/stat.h>
|
||||||
+#include <fcntl.h>
|
+#include <fcntl.h>
|
||||||
+#include <security/pam_modutil.h>
|
+#include <security/pam_modutil.h>
|
||||||
+
|
+
|
||||||
+#include "faillock.h"
|
+#include "faillock.h"
|
||||||
+
|
+
|
||||||
+int
|
+int
|
||||||
+open_tally (const char *dir, const char *user, int create)
|
+open_tally (const char *dir, const char *user, uid_t uid, int create)
|
||||||
+{
|
+{
|
||||||
+ char *path;
|
+ char *path;
|
||||||
+ int flags = O_RDWR;
|
+ int flags = O_RDWR;
|
||||||
@ -144,8 +145,18 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.1.
|
|||||||
+
|
+
|
||||||
+ fd = open(path, flags, 0600);
|
+ fd = open(path, flags, 0600);
|
||||||
+
|
+
|
||||||
+ if (fd != -1)
|
+ free(path);
|
||||||
|
+
|
||||||
|
+ if (fd != -1) {
|
||||||
|
+ struct stat st;
|
||||||
|
+
|
||||||
+ while (flock(fd, LOCK_EX) == -1 && errno == EINTR);
|
+ while (flock(fd, LOCK_EX) == -1 && errno == EINTR);
|
||||||
|
+ if (fstat(fd, &st) == 0) {
|
||||||
|
+ if (st.st_uid != uid) {
|
||||||
|
+ fchown(fd, uid, -1);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
+
|
+
|
||||||
+ return fd;
|
+ return fd;
|
||||||
+}
|
+}
|
||||||
@ -216,9 +227,9 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.1.
|
|||||||
+ return 0;
|
+ return 0;
|
||||||
+}
|
+}
|
||||||
diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.h
|
diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.h
|
||||||
--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock 2010-09-17 15:58:41.000000000 +0200
|
--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock 2011-01-25 18:24:43.000000000 +0100
|
||||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.h 2010-09-17 15:58:41.000000000 +0200
|
+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.h 2011-01-25 18:24:56.000000000 +0100
|
||||||
@@ -0,0 +1,72 @@
|
@@ -0,0 +1,73 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
|
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
|
||||||
+ *
|
+ *
|
||||||
@ -266,6 +277,7 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.1.
|
|||||||
+#define _FAILLOCK_H
|
+#define _FAILLOCK_H
|
||||||
+
|
+
|
||||||
+#include <stdint.h>
|
+#include <stdint.h>
|
||||||
|
+#include <sys/types.h>
|
||||||
+
|
+
|
||||||
+#define TALLY_STATUS_VALID 0x1 /* the tally file entry is valid */
|
+#define TALLY_STATUS_VALID 0x1 /* the tally file entry is valid */
|
||||||
+#define TALLY_STATUS_RHOST 0x2 /* the source is rhost */
|
+#define TALLY_STATUS_RHOST 0x2 /* the source is rhost */
|
||||||
@ -286,14 +298,14 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.1.
|
|||||||
+
|
+
|
||||||
+#define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock"
|
+#define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock"
|
||||||
+
|
+
|
||||||
+int open_tally(const char *dir, const char *user, int create);
|
+int open_tally(const char *dir, const char *user, uid_t uid, int create);
|
||||||
+int read_tally(int fd, struct tally_data *tallies);
|
+int read_tally(int fd, struct tally_data *tallies);
|
||||||
+int update_tally(int fd, struct tally_data *tallies);
|
+int update_tally(int fd, struct tally_data *tallies);
|
||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml
|
diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml
|
||||||
--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock 2010-09-17 15:58:41.000000000 +0200
|
--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock 2011-01-25 18:24:43.000000000 +0100
|
||||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml 2010-09-17 15:58:41.000000000 +0200
|
+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml 2011-01-25 18:24:43.000000000 +0100
|
||||||
@@ -0,0 +1,123 @@
|
@@ -0,0 +1,123 @@
|
||||||
+<?xml version="1.0" encoding='UTF-8'?>
|
+<?xml version="1.0" encoding='UTF-8'?>
|
||||||
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
||||||
@ -419,9 +431,9 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock Linux-PAM-
|
|||||||
+
|
+
|
||||||
+</refentry>
|
+</refentry>
|
||||||
diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/main.c
|
diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/main.c
|
||||||
--- Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock 2010-09-17 15:58:41.000000000 +0200
|
--- Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock 2011-01-25 18:24:43.000000000 +0100
|
||||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/main.c 2010-09-17 15:58:41.000000000 +0200
|
+++ Linux-PAM-1.1.1/modules/pam_faillock/main.c 2011-01-25 18:24:56.000000000 +0100
|
||||||
@@ -0,0 +1,233 @@
|
@@ -0,0 +1,235 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
|
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
|
||||||
+ *
|
+ *
|
||||||
@ -532,8 +544,11 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/mo
|
|||||||
+ int fd;
|
+ int fd;
|
||||||
+ int rv;
|
+ int rv;
|
||||||
+ struct tally_data tallies;
|
+ struct tally_data tallies;
|
||||||
|
+ struct passwd *pwd;
|
||||||
+
|
+
|
||||||
+ fd = open_tally(opts->dir, user, 0);
|
+ pwd = getpwnam(user);
|
||||||
|
+
|
||||||
|
+ fd = open_tally(opts->dir, user, pwd != NULL ? pwd->pw_uid : 0, 0);
|
||||||
+
|
+
|
||||||
+ if (fd == -1) {
|
+ if (fd == -1) {
|
||||||
+ if (errno == ENOENT) {
|
+ if (errno == ENOENT) {
|
||||||
@ -560,9 +575,8 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/mo
|
|||||||
+#ifdef HAVE_LIBAUDIT
|
+#ifdef HAVE_LIBAUDIT
|
||||||
+ }
|
+ }
|
||||||
+ if ((audit_fd=audit_open()) >= 0) {
|
+ if ((audit_fd=audit_open()) >= 0) {
|
||||||
+ struct passwd *pwd;
|
|
||||||
+
|
+
|
||||||
+ if ((pwd=getpwnam(user)) != NULL) {
|
+ if (pwd != NULL) {
|
||||||
+ snprintf(buf, sizeof(buf), "faillock reset uid=%u",
|
+ snprintf(buf, sizeof(buf), "faillock reset uid=%u",
|
||||||
+ pwd->pw_uid);
|
+ pwd->pw_uid);
|
||||||
+ audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
|
+ audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
|
||||||
@ -656,8 +670,8 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/mo
|
|||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
diff -up Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am
|
diff -up Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am
|
||||||
--- Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock 2010-09-17 15:58:41.000000000 +0200
|
--- Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock 2011-01-25 18:24:43.000000000 +0100
|
||||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am 2010-09-17 15:58:41.000000000 +0200
|
+++ Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am 2011-01-25 18:24:43.000000000 +0100
|
||||||
@@ -0,0 +1,43 @@
|
@@ -0,0 +1,43 @@
|
||||||
+#
|
+#
|
||||||
+# Copyright (c) 2005, 2006, 2007, 2009 Thorsten Kukuk <kukuk@thkukuk.de>
|
+# Copyright (c) 2005, 2006, 2007, 2009 Thorsten Kukuk <kukuk@thkukuk.de>
|
||||||
@ -703,9 +717,9 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.1
|
|||||||
+-include $(top_srcdir)/Make.xml.rules
|
+-include $(top_srcdir)/Make.xml.rules
|
||||||
+endif
|
+endif
|
||||||
diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c
|
diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c
|
||||||
--- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock 2010-09-17 15:58:41.000000000 +0200
|
--- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock 2011-01-25 18:24:43.000000000 +0100
|
||||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c 2010-09-17 15:58:41.000000000 +0200
|
+++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c 2011-01-25 18:24:56.000000000 +0100
|
||||||
@@ -0,0 +1,550 @@
|
@@ -0,0 +1,556 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
|
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
|
||||||
+ *
|
+ *
|
||||||
@ -921,7 +935,7 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-
|
|||||||
+
|
+
|
||||||
+ opts->now = time(NULL);
|
+ opts->now = time(NULL);
|
||||||
+
|
+
|
||||||
+ tfd = open_tally(opts->dir, opts->user, 0);
|
+ tfd = open_tally(opts->dir, opts->user, opts->uid, 0);
|
||||||
+
|
+
|
||||||
+ *fd = tfd;
|
+ *fd = tfd;
|
||||||
+
|
+
|
||||||
@ -972,6 +986,7 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-
|
|||||||
+ if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */
|
+ if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */
|
||||||
+ char buf[64];
|
+ char buf[64];
|
||||||
+ int audit_fd;
|
+ int audit_fd;
|
||||||
|
+ const void *rhost = NULL, *tty = NULL;
|
||||||
+
|
+
|
||||||
+ audit_fd = audit_open();
|
+ audit_fd = audit_open();
|
||||||
+ /* If there is an error & audit support is in the kernel report error */
|
+ /* If there is an error & audit support is in the kernel report error */
|
||||||
@ -979,9 +994,11 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-
|
|||||||
+ errno == EAFNOSUPPORT))
|
+ errno == EAFNOSUPPORT))
|
||||||
+ return PAM_SYSTEM_ERR;
|
+ return PAM_SYSTEM_ERR;
|
||||||
+
|
+
|
||||||
|
+ (void)pam_get_item(pamh, PAM_TTY, &tty);
|
||||||
|
+ (void)pam_get_item(pamh, PAM_RHOST, &rhost);
|
||||||
+ snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
|
+ snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
|
||||||
+ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
|
+ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
|
||||||
+ NULL, NULL, NULL, 1);
|
+ rhost, NULL, tty, 1);
|
||||||
+ }
|
+ }
|
||||||
+#endif
|
+#endif
|
||||||
+ opts->flags |= FAILLOCK_FLAG_UNLOCKED;
|
+ opts->flags |= FAILLOCK_FLAG_UNLOCKED;
|
||||||
@ -997,10 +1014,15 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-
|
|||||||
+{
|
+{
|
||||||
+ int rv;
|
+ int rv;
|
||||||
+
|
+
|
||||||
|
+ if (*fd == -1) {
|
||||||
|
+ *fd = open_tally(opts->dir, opts->user, opts->uid, 1);
|
||||||
|
+ }
|
||||||
|
+ else {
|
||||||
+ while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR);
|
+ while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR);
|
||||||
+ if (rv == -1) {
|
+ if (rv == -1) {
|
||||||
+ pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user);
|
+ pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user);
|
||||||
+ }
|
+ }
|
||||||
|
+ }
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+static int
|
+static int
|
||||||
@ -1014,7 +1036,7 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-
|
|||||||
+ const void *source = NULL;
|
+ const void *source = NULL;
|
||||||
+
|
+
|
||||||
+ if (*fd == -1) {
|
+ if (*fd == -1) {
|
||||||
+ *fd = open_tally(opts->dir, opts->user, 1);
|
+ *fd = open_tally(opts->dir, opts->user, opts->uid, 1);
|
||||||
+ }
|
+ }
|
||||||
+ if (*fd == -1) {
|
+ if (*fd == -1) {
|
||||||
+ if (errno == EACCES) {
|
+ if (errno == EACCES) {
|
||||||
@ -1171,7 +1193,7 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-
|
|||||||
+
|
+
|
||||||
+ case FAILLOCK_ACTION_AUTHSUCC:
|
+ case FAILLOCK_ACTION_AUTHSUCC:
|
||||||
+ rv = check_tally(pamh, &opts, &tallies, &fd);
|
+ rv = check_tally(pamh, &opts, &tallies, &fd);
|
||||||
+ if (rv == PAM_SUCCESS && fd != -1) {
|
+ if (rv == PAM_SUCCESS) {
|
||||||
+ reset_tally(pamh, &opts, &fd);
|
+ reset_tally(pamh, &opts, &fd);
|
||||||
+ }
|
+ }
|
||||||
+ break;
|
+ break;
|
||||||
@ -1219,10 +1241,8 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-
|
|||||||
+ return rv;
|
+ return rv;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ check_tally(pamh, &opts, &tallies, &fd);
|
+ check_tally(pamh, &opts, &tallies, &fd); /* for auditing */
|
||||||
+ if (fd != -1) {
|
|
||||||
+ reset_tally(pamh, &opts, &fd);
|
+ reset_tally(pamh, &opts, &fd);
|
||||||
+ }
|
|
||||||
+
|
+
|
||||||
+ tally_cleanup(&tallies, fd);
|
+ tally_cleanup(&tallies, fd);
|
||||||
+
|
+
|
||||||
@ -1257,9 +1277,9 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-
|
|||||||
+#endif /* #ifdef PAM_STATIC */
|
+#endif /* #ifdef PAM_STATIC */
|
||||||
+
|
+
|
||||||
diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml
|
diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml
|
||||||
--- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock 2010-09-17 15:58:41.000000000 +0200
|
--- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock 2011-01-25 18:24:43.000000000 +0100
|
||||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml 2010-09-17 15:58:41.000000000 +0200
|
+++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml 2011-01-25 18:24:56.000000000 +0100
|
||||||
@@ -0,0 +1,396 @@
|
@@ -0,0 +1,392 @@
|
||||||
+<?xml version="1.0" encoding='UTF-8'?>
|
+<?xml version="1.0" encoding='UTF-8'?>
|
||||||
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
||||||
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
|
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
|
||||||
@ -1539,13 +1559,9 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-
|
|||||||
+ from the <emphasis>pam_tally2</emphasis> module setup.
|
+ from the <emphasis>pam_tally2</emphasis> module setup.
|
||||||
+ </para>
|
+ </para>
|
||||||
+ <para>
|
+ <para>
|
||||||
+ There is no setuid wrapper for access to the data file such as when the
|
+ The individual files with the failure records are created as owned by
|
||||||
+ <emphasis remap='B'>pam_faillock.so</emphasis> module is called from
|
+ the user. This allows <emphasis remap='B'>pam_faillock.so</emphasis> module
|
||||||
+ a screensaver. As this would make it impossible to share PAM configuration
|
+ to work correctly when it is called from a screensaver.
|
||||||
+ with such services the following workaround is used: If the data file
|
|
||||||
+ cannot be opened because of insufficient permissions
|
|
||||||
+ (<errorcode>EACCES</errorcode>) the module returns
|
|
||||||
+ <errorcode>PAM_SUCCESS</errorcode>.
|
|
||||||
+ </para>
|
+ </para>
|
||||||
+ <para>
|
+ <para>
|
||||||
+ Note that using the module in <option>preauth</option> without the
|
+ Note that using the module in <option>preauth</option> without the
|
||||||
@ -1657,8 +1673,8 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-
|
|||||||
+
|
+
|
||||||
+</refentry>
|
+</refentry>
|
||||||
diff -up Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/README.xml
|
diff -up Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/README.xml
|
||||||
--- Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock 2010-09-17 15:58:41.000000000 +0200
|
--- Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock 2011-01-25 18:24:43.000000000 +0100
|
||||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/README.xml 2010-09-17 15:58:41.000000000 +0200
|
+++ Linux-PAM-1.1.1/modules/pam_faillock/README.xml 2011-01-25 18:24:43.000000000 +0100
|
||||||
@@ -0,0 +1,46 @@
|
@@ -0,0 +1,46 @@
|
||||||
+<?xml version="1.0" encoding='UTF-8'?>
|
+<?xml version="1.0" encoding='UTF-8'?>
|
||||||
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
||||||
@ -1707,8 +1723,8 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock Linux-PAM-1.1.
|
|||||||
+
|
+
|
||||||
+</article>
|
+</article>
|
||||||
diff -up Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock.faillock Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock
|
diff -up Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock.faillock Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock
|
||||||
--- Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock.faillock 2010-09-17 15:58:41.000000000 +0200
|
--- Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock.faillock 2011-01-25 18:24:43.000000000 +0100
|
||||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock 2010-09-17 15:58:41.000000000 +0200
|
+++ Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock 2011-01-25 18:24:43.000000000 +0100
|
||||||
@@ -0,0 +1,2 @@
|
@@ -0,0 +1,2 @@
|
||||||
+#!/bin/sh
|
+#!/bin/sh
|
||||||
+../../tests/tst-dlopen .libs/pam_faillock.so
|
+../../tests/tst-dlopen .libs/pam_faillock.so
|
||||||
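Review bot: The `fchown(fd, uid, -1)` added to open_tally in the hunk `@ -144,8 +145,18 @@` discards its result, so when the ownership change is refused (the caller lacks the privilege to give the file away, for instance) the record silently keeps its previous owner and the screensaver case this patch targets still fails later with no diagnostic; since open_tally has no pam handle to syslog through, either return the failure, `if (st.st_uid != uid && fchown(fd, uid, -1) == -1) { close(fd); return -1; }`, or write it as `(void)fchown(fd, uid, -1); /* best effort: caller cannot report it */` so the choice is explicit. In the main.c hunk `@ -532,8 +544,11 @@` the uid argument falls back to `0` when `getpwnam(user)` fails, so an existing record for a name that is no longer in the passwd database is chowned to root as a side effect of do_user; calling open_tally only with a real uid (skipping the chown when `pwd == NULL`) keeps the tool from changing ownership on a guess. The hunk `@ -111,13 +111,14 @@` adds a second `#include <sys/stat.h>` two lines below the one the file already has; drop the duplicate. The replacement paragraph in the pam_faillock.8.xml hunk `@ -1539,13 +1559,9 @@` should also state what the new ownership means for the record's integrity: with the file created `0600` and handed to the user, that user's own processes can open and rewrite their own lockout state, which is presumably accepted for the screensaver use-case but is a property administrators sharing a PAM stack will want spelled out. open_tally's signature sits in the preceding hunk, and do_user's body continues past its hunk.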
|
@ -1,167 +0,0 @@
diff -up Linux-PAM-1.1.3/modules/pam_faillock/faillock.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/faillock.c
|
|
||||||
--- Linux-PAM-1.1.3/modules/pam_faillock/faillock.c.screensaver 2010-11-10 11:46:07.000000000 +0100
|
|
||||||
+++ Linux-PAM-1.1.3/modules/pam_faillock/faillock.c 2010-11-10 11:46:07.000000000 +0100
|
|
||||||
@@ -41,13 +41,14 @@
|
|
||||||
#include <sys/types.h>
|
|
||||||
#include <sys/stat.h>
|
|
||||||
#include <sys/file.h>
|
|
||||||
+#include <sys/stat.h>
|
|
||||||
#include <fcntl.h>
|
|
||||||
#include <security/pam_modutil.h>
|
|
||||||
|
|
||||||
#include "faillock.h"
|
|
||||||
|
|
||||||
int
|
|
||||||
-open_tally (const char *dir, const char *user, int create)
|
|
||||||
+open_tally (const char *dir, const char *user, uid_t uid, int create)
|
|
||||||
{
|
|
||||||
char *path;
|
|
||||||
int flags = O_RDWR;
|
|
||||||
@@ -69,8 +70,18 @@ open_tally (const char *dir, const char
|
|
||||||
|
|
||||||
fd = open(path, flags, 0600);
|
|
||||||
|
|
||||||
- if (fd != -1)
|
|
||||||
+ free(path);
|
|
||||||
+
|
|
||||||
+ if (fd != -1) {
|
|
||||||
+ struct stat st;
|
|
||||||
+
|
|
||||||
while (flock(fd, LOCK_EX) == -1 && errno == EINTR);
|
|
||||||
+ if (fstat(fd, &st) == 0) {
|
|
||||||
+ if (st.st_uid != uid) {
|
|
||||||
+ fchown(fd, uid, -1);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
|
|
||||||
return fd;
|
|
||||||
}
|
|
||||||
diff -up Linux-PAM-1.1.3/modules/pam_faillock/faillock.h.screensaver Linux-PAM-1.1.3/modules/pam_faillock/faillock.h
|
|
||||||
--- Linux-PAM-1.1.3/modules/pam_faillock/faillock.h.screensaver 2010-11-10 11:46:07.000000000 +0100
|
|
||||||
+++ Linux-PAM-1.1.3/modules/pam_faillock/faillock.h 2010-11-10 11:46:07.000000000 +0100
|
|
||||||
@@ -45,6 +45,7 @@
|
|
||||||
#define _FAILLOCK_H
|
|
||||||
|
|
||||||
#include <stdint.h>
|
|
||||||
+#include <sys/types.h>
|
|
||||||
|
|
||||||
#define TALLY_STATUS_VALID 0x1 /* the tally file entry is valid */
|
|
||||||
#define TALLY_STATUS_RHOST 0x2 /* the source is rhost */
|
|
||||||
@@ -65,7 +66,7 @@ struct tally_data {
|
|
||||||
|
|
||||||
#define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock"
|
|
||||||
|
|
||||||
-int open_tally(const char *dir, const char *user, int create);
|
|
||||||
+int open_tally(const char *dir, const char *user, uid_t uid, int create);
|
|
||||||
int read_tally(int fd, struct tally_data *tallies);
|
|
||||||
int update_tally(int fd, struct tally_data *tallies);
|
|
||||||
#endif
|
|
||||||
diff -up Linux-PAM-1.1.3/modules/pam_faillock/main.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/main.c
|
|
||||||
--- Linux-PAM-1.1.3/modules/pam_faillock/main.c.screensaver 2010-11-10 11:46:07.000000000 +0100
|
|
||||||
+++ Linux-PAM-1.1.3/modules/pam_faillock/main.c 2010-11-10 11:46:07.000000000 +0100
|
|
||||||
@@ -106,8 +106,11 @@ do_user(struct options *opts, const char
|
|
||||||
int fd;
|
|
||||||
int rv;
|
|
||||||
struct tally_data tallies;
|
|
||||||
+ struct passwd *pwd;
|
|
||||||
|
|
||||||
- fd = open_tally(opts->dir, user, 0);
|
|
||||||
+ pwd = getpwnam(user);
|
|
||||||
+
|
|
||||||
+ fd = open_tally(opts->dir, user, pwd != NULL ? pwd->pw_uid : 0, 0);
|
|
||||||
|
|
||||||
if (fd == -1) {
|
|
||||||
if (errno == ENOENT) {
|
|
||||||
@@ -134,9 +137,8 @@ do_user(struct options *opts, const char
|
|
||||||
#ifdef HAVE_LIBAUDIT
|
|
||||||
}
|
|
||||||
if ((audit_fd=audit_open()) >= 0) {
|
|
||||||
- struct passwd *pwd;
|
|
||||||
|
|
||||||
- if ((pwd=getpwnam(user)) != NULL) {
|
|
||||||
+ if (pwd != NULL) {
|
|
||||||
snprintf(buf, sizeof(buf), "faillock reset uid=%u",
|
|
||||||
pwd->pw_uid);
|
|
||||||
audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
|
|
||||||
diff -up Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c
|
|
||||||
--- Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c.screensaver 2010-11-10 11:46:07.000000000 +0100
|
|
||||||
+++ Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c 2010-11-10 11:46:07.000000000 +0100
|
|
||||||
@@ -213,7 +213,7 @@ check_tally(pam_handle_t *pamh, struct o
|
|
||||||
|
|
||||||
opts->now = time(NULL);
|
|
||||||
|
|
||||||
- tfd = open_tally(opts->dir, opts->user, 0);
|
|
||||||
+ tfd = open_tally(opts->dir, opts->user, opts->uid, 0);
|
|
||||||
|
|
||||||
*fd = tfd;
|
|
||||||
|
|
||||||
@@ -289,9 +289,14 @@ reset_tally(pam_handle_t *pamh, struct o
|
|
||||||
{
|
|
||||||
int rv;
|
|
||||||
|
|
||||||
- while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR);
|
|
||||||
- if (rv == -1) {
|
|
||||||
- pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user);
|
|
||||||
+ if (*fd == -1) {
|
|
||||||
+ *fd = open_tally(opts->dir, opts->user, opts->uid, 1);
|
|
||||||
+ }
|
|
||||||
+ else {
|
|
||||||
+ while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR);
|
|
||||||
+ if (rv == -1) {
|
|
||||||
+ pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user);
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -306,7 +311,7 @@ write_tally(pam_handle_t *pamh, struct o
|
|
||||||
const void *source = NULL;
|
|
||||||
|
|
||||||
if (*fd == -1) {
|
|
||||||
- *fd = open_tally(opts->dir, opts->user, 1);
|
|
||||||
+ *fd = open_tally(opts->dir, opts->user, opts->uid, 1);
|
|
||||||
}
|
|
||||||
if (*fd == -1) {
|
|
||||||
if (errno == EACCES) {
|
|
||||||
@@ -463,7 +468,7 @@ pam_sm_authenticate(pam_handle_t *pamh,
|
|
||||||
|
|
||||||
case FAILLOCK_ACTION_AUTHSUCC:
|
|
||||||
rv = check_tally(pamh, &opts, &tallies, &fd);
|
|
||||||
- if (rv == PAM_SUCCESS && fd != -1) {
|
|
||||||
+ if (rv == PAM_SUCCESS) {
|
|
||||||
reset_tally(pamh, &opts, &fd);
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
@@ -511,10 +516,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int
|
|
||||||
return rv;
|
|
||||||
}
|
|
||||||
|
|
||||||
- check_tally(pamh, &opts, &tallies, &fd);
|
|
||||||
- if (fd != -1) {
|
|
||||||
- reset_tally(pamh, &opts, &fd);
|
|
||||||
- }
|
|
||||||
+ check_tally(pamh, &opts, &tallies, &fd); /* for auditing */
|
|
||||||
+ reset_tally(pamh, &opts, &fd);
|
|
||||||
|
|
||||||
tally_cleanup(&tallies, fd);
|
|
||||||
|
|
||||||
diff -up Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml.screensaver Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml
|
|
||||||
--- Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml.screensaver 2010-11-10 11:46:07.000000000 +0100
|
|
||||||
+++ Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml 2010-11-10 11:47:14.000000000 +0100
|
|
||||||
@@ -277,13 +277,9 @@
|
|
||||||
from the <emphasis>pam_tally2</emphasis> module setup.
|
|
||||||
</para>
|
|
||||||
<para>
|
|
||||||
- There is no setuid wrapper for access to the data file such as when the
|
|
||||||
- <emphasis remap='B'>pam_faillock.so</emphasis> module is called from
|
|
||||||
- a screensaver. As this would make it impossible to share PAM configuration
|
|
||||||
- with such services the following workaround is used: If the data file
|
|
||||||
- cannot be opened because of insufficient permissions
|
|
||||||
- (<errorcode>EACCES</errorcode>) the module returns
|
|
||||||
- <errorcode>PAM_SUCCESS</errorcode>.
|
|
||||||
+ The individual files with the failure records are created as owned by
|
|
||||||
+ the user. This allows <emphasis remap='B'>pam_faillock.so</emphasis> module
|
|
||||||
+ to work correctly when it is called from a screensaver.
|
|
||||||
</para>
|
|
||||||
<para>
|
|
||||||
Note that using the module in <option>preauth</option> without the
|
|
344
pam-1.1.8-audit-grantor.patch
Normal file
@ -0,0 +1,344 @@
|
diff --git a/libpam/pam_account.c b/libpam/pam_account.c
|
||||||
|
index 572acc4..3a4fb1f 100644
|
||||||
|
--- a/libpam/pam_account.c
|
||||||
|
+++ b/libpam/pam_account.c
|
||||||
|
@@ -19,9 +19,5 @@ int pam_acct_mgmt(pam_handle_t *pamh, int flags)
|
||||||
|
|
||||||
|
retval = _pam_dispatch(pamh, flags, PAM_ACCOUNT);
|
||||||
|
|
||||||
|
-#ifdef HAVE_LIBAUDIT
|
||||||
|
- retval = _pam_auditlog(pamh, PAM_ACCOUNT, retval, flags);
|
||||||
|
-#endif
|
||||||
|
-
|
||||||
|
return retval;
|
||||||
|
}
|
||||||
|
diff --git a/libpam/pam_audit.c b/libpam/pam_audit.c
|
||||||
|
index 531746a..63a4ea5 100644
|
||||||
|
--- a/libpam/pam_audit.c
|
||||||
|
+++ b/libpam/pam_audit.c
|
||||||
|
@@ -28,14 +28,15 @@ _pam_audit_writelog(pam_handle_t *pamh, int audit_fd, int type,
|
||||||
|
const char *message, int retval)
|
||||||
|
{
|
||||||
|
static int old_errno = -1;
|
||||||
|
- int rc;
|
||||||
|
- char buf[32];
|
||||||
|
-
|
||||||
|
- snprintf(buf, sizeof(buf), "PAM:%s", message);
|
||||||
|
-
|
||||||
|
- rc = audit_log_acct_message (audit_fd, type, NULL, buf,
|
||||||
|
- (retval != PAM_USER_UNKNOWN && pamh->user) ? pamh->user : "?",
|
||||||
|
- -1, pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS );
|
||||||
|
+ int rc = -ENOMEM;
|
||||||
|
+ char *buf = NULL;
|
||||||
|
+
|
||||||
|
+ if (asprintf(&buf, "PAM:%s", message) >= 0) {
|
||||||
|
+ rc = audit_log_acct_message(audit_fd, type, NULL, buf,
|
||||||
|
+ (retval != PAM_USER_UNKNOWN && pamh->user) ? pamh->user : "?",
|
||||||
|
+ -1, pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS);
|
||||||
|
+ free(buf);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
/* libaudit sets errno to his own negative error code. This can be
|
||||||
|
an official errno number, but must not. It can also be a audit
|
||||||
|
@@ -78,12 +79,65 @@ _pam_audit_open(pam_handle_t *pamh)
|
||||||
|
return audit_fd;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static char *
|
||||||
|
+_pam_list_grantors(struct handler *hlist, const char *message, int retval)
|
||||||
|
+{
|
||||||
|
+ char *buf;
|
||||||
|
+ char *list = NULL;
|
||||||
|
+
|
||||||
|
+ if (retval == PAM_SUCCESS) {
|
||||||
|
+ struct handler *h;
|
||||||
|
+ char *p = NULL;
|
||||||
|
+ size_t len = 0;
|
||||||
|
+
|
||||||
|
+ h = hlist;
|
||||||
|
+
|
||||||
|
+ while (h != NULL) {
|
||||||
|
+ if (h->grantor) {
|
||||||
|
+ len += strlen(h->mod_name) + 1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ h = h->next;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ list = malloc(len);
|
||||||
|
+ if (list == NULL) {
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ h = hlist;
|
||||||
|
+
|
||||||
|
+ while (h != NULL) {
|
||||||
|
+ if (h->grantor) {
|
||||||
|
+ if (p == NULL) {
|
||||||
|
+ p = list;
|
||||||
|
+ } else {
|
||||||
|
+ p = stpcpy(p, ",");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ p = stpcpy(p, h->mod_name);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ h = h->next;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (asprintf(&buf, "%s grantor=%s", message, list ? list : "?") < 0) {
|
||||||
|
+ free(list);
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ free(list);
|
||||||
|
+ return buf;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
int
|
||||||
|
-_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags)
|
||||||
|
+_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags, struct handler *h)
|
||||||
|
{
|
||||||
|
const char *message;
|
||||||
|
int type;
|
||||||
|
int audit_fd;
|
||||||
|
+ char *buf = NULL;
|
||||||
|
|
||||||
|
if ((audit_fd=_pam_audit_open(pamh)) == -1) {
|
||||||
|
return PAM_SYSTEM_ERR;
|
||||||
|
@@ -134,9 +188,18 @@ _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags)
|
||||||
|
retval = PAM_SYSTEM_ERR;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (_pam_audit_writelog(pamh, audit_fd, type, message, retval) < 0)
|
||||||
|
+ buf = _pam_list_grantors(h, message, retval);
|
||||||
|
+ if (buf == NULL) {
|
||||||
|
+ /* allocation failure */
|
||||||
|
+ pam_syslog(pamh, LOG_CRIT, "_pam_list_grantors() failed: %m");
|
||||||
|
+ retval = PAM_SYSTEM_ERR;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (_pam_audit_writelog(pamh, audit_fd, type, buf ? buf : message, retval) < 0)
|
||||||
|
retval = PAM_SYSTEM_ERR;
|
||||||
|
|
||||||
|
+ free(buf);
|
||||||
|
+
|
||||||
|
audit_close(audit_fd);
|
||||||
|
return retval;
|
||||||
|
}
|
||||||
|
@@ -149,7 +212,7 @@ _pam_audit_end(pam_handle_t *pamh, int status UNUSED)
|
||||||
|
* stacks having been run. Assume that this is sshd faking
|
||||||
|
* things for an unknown user.
|
||||||
|
*/
|
||||||
|
- _pam_auditlog(pamh, _PAM_ACTION_DONE, PAM_USER_UNKNOWN, 0);
|
||||||
|
+ _pam_auditlog(pamh, _PAM_ACTION_DONE, PAM_USER_UNKNOWN, 0, NULL);
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
diff --git a/libpam/pam_auth.c b/libpam/pam_auth.c
|
||||||
|
index 5984fa5..1e7bc6e 100644
|
||||||
|
--- a/libpam/pam_auth.c
|
||||||
|
+++ b/libpam/pam_auth.c
|
||||||
|
@@ -45,10 +45,6 @@ int pam_authenticate(pam_handle_t *pamh, int flags)
|
||||||
|
prelude_send_alert(pamh, retval);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
-#ifdef HAVE_LIBAUDIT
|
||||||
|
- retval = _pam_auditlog(pamh, PAM_AUTHENTICATE, retval, flags);
|
||||||
|
-#endif
|
||||||
|
-
|
||||||
|
return retval;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -71,10 +67,6 @@ int pam_setcred(pam_handle_t *pamh, int flags)
|
||||||
|
|
||||||
|
retval = _pam_dispatch(pamh, flags, PAM_SETCRED);
|
||||||
|
|
||||||
|
-#ifdef HAVE_LIBAUDIT
|
||||||
|
- retval = _pam_auditlog(pamh, PAM_SETCRED, retval, flags);
|
||||||
|
-#endif
|
||||||
|
-
|
||||||
|
D(("pam_setcred exit"));
|
||||||
|
|
||||||
|
return retval;
|
||||||
|
diff --git a/libpam/pam_dispatch.c b/libpam/pam_dispatch.c
|
||||||
|
index eb52c82..ccfc372 100644
|
||||||
|
--- a/libpam/pam_dispatch.c
|
||||||
|
+++ b/libpam/pam_dispatch.c
|
||||||
|
@@ -217,8 +217,14 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
|
||||||
|
status = retval;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
- if ( impression == _PAM_POSITIVE && action == _PAM_ACTION_DONE ) {
|
||||||
|
- goto decision_made;
|
||||||
|
+ if ( impression == _PAM_POSITIVE ) {
|
||||||
|
+ if ( retval == PAM_SUCCESS ) {
|
||||||
|
+ h->grantor = 1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if ( action == _PAM_ACTION_DONE ) {
|
||||||
|
+ goto decision_made;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
|
||||||
|
@@ -308,6 +314,14 @@ decision_made: /* by getting here we have made a decision */
|
||||||
|
return status;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static void _pam_clear_grantors(struct handler *h)
|
||||||
|
+{
|
||||||
|
+ while (h != NULL) {
|
||||||
|
+ h->grantor = 0;
|
||||||
|
+ h = h->next;
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* This function translates the module dispatch request into a pointer
|
||||||
|
* to the stack of modules that will actually be run. the
|
||||||
|
@@ -318,21 +332,21 @@ decision_made: /* by getting here we have made a decision */
|
||||||
|
int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
|
||||||
|
{
|
||||||
|
struct handler *h = NULL;
|
||||||
|
- int retval, use_cached_chain;
|
||||||
|
+ int retval = PAM_SYSTEM_ERR, use_cached_chain;
|
||||||
|
_pam_boolean resumed;
|
||||||
|
|
||||||
|
IF_NO_PAMH("_pam_dispatch", pamh, PAM_SYSTEM_ERR);
|
||||||
|
|
||||||
|
if (__PAM_FROM_MODULE(pamh)) {
|
||||||
|
D(("called from a module!?"));
|
||||||
|
- return PAM_SYSTEM_ERR;
|
||||||
|
+ goto end;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Load all modules, resolve all symbols */
|
||||||
|
|
||||||
|
if ((retval = _pam_init_handlers(pamh)) != PAM_SUCCESS) {
|
||||||
|
pam_syslog(pamh, LOG_ERR, "unable to dispatch function");
|
||||||
|
- return retval;
|
||||||
|
+ goto end;
|
||||||
|
}
|
||||||
|
|
||||||
|
use_cached_chain = _PAM_PLEASE_FREEZE;
|
||||||
|
@@ -360,7 +374,8 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
pam_syslog(pamh, LOG_ERR, "undefined fn choice; %d", choice);
|
||||||
|
- return PAM_ABORT;
|
||||||
|
+ retval = PAM_ABORT;
|
||||||
|
+ goto end;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (h == NULL) { /* there was no handlers.conf... entry; will use
|
||||||
|
@@ -393,11 +408,13 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
|
||||||
|
pam_syslog(pamh, LOG_ERR,
|
||||||
|
"application failed to re-exec stack [%d:%d]",
|
||||||
|
pamh->former.choice, choice);
|
||||||
|
- return PAM_ABORT;
|
||||||
|
+ retval = PAM_ABORT;
|
||||||
|
+ goto end;
|
||||||
|
}
|
||||||
|
resumed = PAM_TRUE;
|
||||||
|
} else {
|
||||||
|
resumed = PAM_FALSE;
|
||||||
|
+ _pam_clear_grantors(h);
|
||||||
|
}
|
||||||
|
|
||||||
|
__PAM_TO_MODULE(pamh);
|
||||||
|
@@ -417,5 +434,13 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
|
||||||
|
pamh->former.choice = PAM_NOT_STACKED;
|
||||||
|
}
|
||||||
|
|
||||||
|
+end:
|
||||||
|
+
|
||||||
|
+#ifdef HAVE_LIBAUDIT
|
||||||
|
+ if (choice != PAM_CHAUTHTOK || flags & PAM_UPDATE_AUTHTOK || retval != PAM_SUCCESS) {
|
||||||
|
+ retval = _pam_auditlog(pamh, choice, retval, flags, h);
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
return retval;
|
||||||
|
}
|
||||||
|
diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c
|
||||||
|
index 02714f7..e3f8ff6 100644
|
||||||
|
--- a/libpam/pam_handlers.c
|
||||||
|
+++ b/libpam/pam_handlers.c
|
||||||
|
@@ -889,6 +889,7 @@ int _pam_add_handler(pam_handle_t *pamh
|
||||||
|
(*handler_p)->argc = argc;
|
||||||
|
(*handler_p)->argv = argv; /* not a copy */
|
||||||
|
(*handler_p)->mod_name = extract_modulename(mod_path);
|
||||||
|
+ (*handler_p)->grantor = 0;
|
||||||
|
(*handler_p)->next = NULL;
|
||||||
|
|
||||||
|
/* some of the modules have a second calling function */
|
||||||
|
@@ -921,6 +922,7 @@ int _pam_add_handler(pam_handle_t *pamh
|
||||||
|
(*handler_p2)->argv = NULL; /* no arguments */
|
||||||
|
}
|
||||||
|
(*handler_p2)->mod_name = extract_modulename(mod_path);
|
||||||
|
+ (*handler_p2)->grantor = 0;
|
||||||
|
(*handler_p2)->next = NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/libpam/pam_password.c b/libpam/pam_password.c
|
||||||
|
index 75db5e5..592e01f 100644
|
||||||
|
--- a/libpam/pam_password.c
|
||||||
|
+++ b/libpam/pam_password.c
|
||||||
|
@@ -57,9 +57,5 @@ int pam_chauthtok(pam_handle_t *pamh, int flags)
|
||||||
|
D(("will resume when ready", retval));
|
||||||
|
}
|
||||||
|
|
||||||
|
-#ifdef HAVE_LIBAUDIT
|
||||||
|
- retval = _pam_auditlog(pamh, PAM_CHAUTHTOK, retval, flags);
|
||||||
|
-#endif
|
||||||
|
-
|
||||||
|
return retval;
|
||||||
|
}
|
||||||
|
diff --git a/libpam/pam_private.h b/libpam/pam_private.h
|
||||||
|
index 134dc72..d93283c 100644
|
||||||
|
--- a/libpam/pam_private.h
|
||||||
|
+++ b/libpam/pam_private.h
|
||||||
|
@@ -55,6 +55,7 @@ struct handler {
|
||||||
|
struct handler *next;
|
||||||
|
char *mod_name;
|
||||||
|
int stack_level;
|
||||||
|
+ int grantor;
|
||||||
|
};
|
||||||
|
|
||||||
|
#define PAM_HT_MODULE 0
|
||||||
|
@@ -316,7 +317,7 @@ if ((pamh) == NULL) { \
|
||||||
|
do { (pamh)->caller_is = _PAM_CALLED_FROM_APP; } while (0)
|
||||||
|
|
||||||
|
#ifdef HAVE_LIBAUDIT
|
||||||
|
-extern int _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags);
|
||||||
|
+extern int _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags, struct handler *h);
|
||||||
|
extern int _pam_audit_end(pam_handle_t *pamh, int pam_status);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
diff --git a/libpam/pam_session.c b/libpam/pam_session.c
|
||||||
|
index 512153f..cb393c1 100644
|
||||||
|
--- a/libpam/pam_session.c
|
||||||
|
+++ b/libpam/pam_session.c
|
||||||
|
@@ -22,9 +22,6 @@ int pam_open_session(pam_handle_t *pamh, int flags)
|
||||||
|
}
|
||||||
|
retval = _pam_dispatch(pamh, flags, PAM_OPEN_SESSION);
|
||||||
|
|
||||||
|
-#ifdef HAVE_LIBAUDIT
|
||||||
|
- retval = _pam_auditlog(pamh, PAM_OPEN_SESSION, retval, flags);
|
||||||
|
-#endif
|
||||||
|
return retval;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -43,10 +40,6 @@ int pam_close_session(pam_handle_t *pamh, int flags)
|
||||||
|
|
||||||
|
retval = _pam_dispatch(pamh, flags, PAM_CLOSE_SESSION);
|
||||||
|
|
||||||
|
-#ifdef HAVE_LIBAUDIT
|
||||||
|
- retval = _pam_auditlog(pamh, PAM_CLOSE_SESSION, retval, flags);
|
||||||
|
-#endif
|
||||||
|
-
|
||||||
|
return retval;
|
||||||
|
|
||||||
|
}
|
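Review bot: `_pam_list_grantors` in the pam_audit.c hunk does not handle `retval == PAM_SUCCESS` with no handler flagged as grantor: `len` stays 0 and `list = malloc(len)` is `malloc(0)`, which may legitimately return NULL (the `if (list == NULL) return NULL;` branch then makes `_pam_auditlog` downgrade a successful result to `PAM_SYSTEM_ERR` with a spurious LOG_CRIT) or a zero-length block that the second loop never writes or terminates, so the `%s` in `asprintf(&buf, "%s grantor=%s", ...)` reads past the allocation. The flag is only set in the `impression == _PAM_POSITIVE` branch shown in the pam_dispatch.c hunk; the rest of the switch is outside the hunk, so it is plausible but not visible here that other success paths leave every `grantor` at 0. Treating an empty list as the existing `"?"` fallback closes both: `list = len > 0 ? malloc(len) : NULL;` and `if (list == NULL && len > 0) {` in place of the current two lines. The audit record would then carry `grantor=?` for such a stack instead of failing the request or reading uninitialised memory.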
10
pam.spec
@ -3,7 +3,7 @@
Summary: An extensible library which provides authentication for applications
|
Summary: An extensible library which provides authentication for applications
|
||||||
Name: pam
|
Name: pam
|
||||||
Version: 1.1.8
|
Version: 1.1.8
|
||||||
Release: 14%{?dist}
|
Release: 15%{?dist}
|
||||||
# The library is BSD licensed with option to relicense as GPLv2+
|
# The library is BSD licensed with option to relicense as GPLv2+
|
||||||
# - this option is redundant as the BSD license allows that anyway.
|
# - this option is redundant as the BSD license allows that anyway.
|
||||||
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
|
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
|
||||||
@ -35,7 +35,6 @@ Patch5: pam-1.1.0-notally.patch
|
|||||||
Patch8: pam-1.1.1-faillock.patch
|
Patch8: pam-1.1.1-faillock.patch
|
||||||
Patch9: pam-1.1.6-noflex.patch
|
Patch9: pam-1.1.6-noflex.patch
|
||||||
Patch10: pam-1.1.3-nouserenv.patch
|
Patch10: pam-1.1.3-nouserenv.patch
|
||||||
Patch12: pam-1.1.3-faillock-screensaver.patch
|
|
||||||
Patch13: pam-1.1.6-limits-user.patch
|
Patch13: pam-1.1.6-limits-user.patch
|
||||||
Patch15: pam-1.1.6-full-relro.patch
|
Patch15: pam-1.1.6-full-relro.patch
|
||||||
# FIPS related - non upstreamable
|
# FIPS related - non upstreamable
|
||||||
@ -50,6 +49,7 @@ Patch35: pam-1.1.8-cve-2013-7041.patch
|
|||||||
Patch36: pam-1.1.8-cve-2014-2583.patch
|
Patch36: pam-1.1.8-cve-2014-2583.patch
|
||||||
Patch37: pam-1.1.8-loginuid-container.patch
|
Patch37: pam-1.1.8-loginuid-container.patch
|
||||||
Patch38: pam-1.1.8-opasswd-tolerant.patch
|
Patch38: pam-1.1.8-opasswd-tolerant.patch
|
||||||
|
Patch39: pam-1.1.8-audit-grantor.patch
|
||||||
|
|
||||||
%define _pamlibdir %{_libdir}
|
%define _pamlibdir %{_libdir}
|
||||||
%define _moduledir %{_libdir}/security
|
%define _moduledir %{_libdir}/security
|
||||||
@ -121,7 +121,6 @@ cp %{SOURCE18} .
|
|||||||
%patch8 -p1 -b .faillock
|
%patch8 -p1 -b .faillock
|
||||||
%patch9 -p1 -b .noflex
|
%patch9 -p1 -b .noflex
|
||||||
%patch10 -p1 -b .nouserenv
|
%patch10 -p1 -b .nouserenv
|
||||||
%patch12 -p1 -b .screensaver
|
|
||||||
%patch13 -p1 -b .limits
|
%patch13 -p1 -b .limits
|
||||||
%patch15 -p1 -b .relro
|
%patch15 -p1 -b .relro
|
||||||
%patch20 -p1 -b .no-fallback
|
%patch20 -p1 -b .no-fallback
|
||||||
@ -134,6 +133,7 @@ cp %{SOURCE18} .
|
|||||||
%patch36 -p1 -b .timestamp-ruser
|
%patch36 -p1 -b .timestamp-ruser
|
||||||
%patch37 -p1 -b .container
|
%patch37 -p1 -b .container
|
||||||
%patch38 -p1 -b .opasswd-tolerant
|
%patch38 -p1 -b .opasswd-tolerant
|
||||||
|
%patch39 -p1 -b .grantor
|
||||||
|
|
||||||
%build
|
%build
|
||||||
autoreconf -i
|
autoreconf -i
|
||||||
@ -384,6 +384,10 @@ fi
|
|||||||
%doc doc/adg/*.txt doc/adg/html
|
%doc doc/adg/*.txt doc/adg/html
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Aug 13 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.8-15
|
||||||
|
- audit the module names that granted access
|
||||||
|
- pam_faillock: update to latest version
|
||||||
|
|
||||||
* Wed Jul 30 2014 Tom Callaway <spot@fedoraproject.org> - 1.1.8-14
|
* Wed Jul 30 2014 Tom Callaway <spot@fedoraproject.org> - 1.1.8-14
|
||||||
- fix license handling
|
- fix license handling
|
||||||