From b582f50a364c9cb9d070d43b3858fc067ad989ef Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 13 Aug 2014 15:35:49 +0200 Subject: [PATCH] audit the module names that granted access - pam_faillock: update to latest version --- pam-1.1.1-faillock.patch | 117 ++++++------ pam-1.1.8-audit-grantor.patch | 344 ++++++++++++++++++++++++++++++++++ pam.spec | 8 +- 3 files changed, 415 insertions(+), 54 deletions(-) create mode 100644 pam-1.1.8-audit-grantor.patch diff --git a/pam-1.1.1-faillock.patch b/pam-1.1.1-faillock.patch index eaee896..d3f41bf 100644 --- a/pam-1.1.1-faillock.patch +++ b/pam-1.1.1-faillock.patch @@ -1,6 +1,6 @@ diff -up Linux-PAM-1.1.1/configure.in.faillock Linux-PAM-1.1.1/configure.in ---- Linux-PAM-1.1.1/configure.in.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/configure.in 2010-09-17 15:58:41.000000000 +0200 +--- Linux-PAM-1.1.1/configure.in.faillock 2010-10-20 15:46:34.000000000 +0200 ++++ Linux-PAM-1.1.1/configure.in 2011-01-25 18:24:43.000000000 +0100 @@ -539,7 +539,7 @@ AC_CONFIG_FILES([Makefile libpam/Makefil modules/pam_access/Makefile modules/pam_cracklib/Makefile \ modules/pam_debug/Makefile modules/pam_deny/Makefile \ @@ -11,8 +11,8 @@ diff -up Linux-PAM-1.1.1/configure.in.faillock Linux-PAM-1.1.1/configure.in modules/pam_ftp/Makefile modules/pam_group/Makefile \ modules/pam_issue/Makefile modules/pam_keyinit/Makefile \ diff -up Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock Linux-PAM-1.1.1/doc/sag/pam_faillock.xml ---- Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock 2010-09-17 16:05:56.000000000 +0200 -+++ Linux-PAM-1.1.1/doc/sag/pam_faillock.xml 2010-09-17 16:08:26.000000000 +0200 +--- Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock 2011-01-25 18:24:43.000000000 +0100 ++++ Linux-PAM-1.1.1/doc/sag/pam_faillock.xml 2011-01-25 18:24:43.000000000 +0100 @@ -0,0 +1,38 @@ + + + diff -up Linux-PAM-1.1.1/modules/Makefile.am.faillock Linux-PAM-1.1.1/modules/Makefile.am ---- Linux-PAM-1.1.1/modules/Makefile.am.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/Makefile.am 2010-09-17 15:58:41.000000000 +0200 +--- Linux-PAM-1.1.1/modules/Makefile.am.faillock 2010-10-20 15:46:34.000000000 +0200 ++++ Linux-PAM-1.1.1/modules/Makefile.am 2011-01-25 18:24:43.000000000 +0100 @@ -3,7 +3,7 @@ # @@ -65,9 +65,9 @@ diff -up Linux-PAM-1.1.1/modules/Makefile.am.faillock Linux-PAM-1.1.1/modules/Ma pam_group pam_issue pam_keyinit pam_lastlog pam_limits \ pam_listfile pam_localuser pam_loginuid pam_mail \ diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.c ---- Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.c 2010-09-17 15:58:41.000000000 +0200 -@@ -0,0 +1,147 @@ +--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock 2011-01-25 18:24:43.000000000 +0100 ++++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.c 2011-01-25 18:24:56.000000000 +0100 +@@ -0,0 +1,158 @@ +/* + * Copyright (c) 2010 Tomas Mraz + * @@ -111,13 +111,14 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.1. +#include +#include +#include ++#include +#include +#include + +#include "faillock.h" + +int -+open_tally (const char *dir, const char *user, int create) ++open_tally (const char *dir, const char *user, uid_t uid, int create) +{ + char *path; + int flags = O_RDWR; @@ -144,8 +145,18 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.1. + + fd = open(path, flags, 0600); + -+ if (fd != -1) ++ free(path); ++ ++ if (fd != -1) { ++ struct stat st; ++ + while (flock(fd, LOCK_EX) == -1 && errno == EINTR); ++ if (fstat(fd, &st) == 0) { ++ if (st.st_uid != uid) { ++ fchown(fd, uid, -1); ++ } ++ } ++ } + + return fd; +} @@ -216,9 +227,9 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.1. + return 0; +} diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.h ---- Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.h 2010-09-17 15:58:41.000000000 +0200 -@@ -0,0 +1,72 @@ +--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock 2011-01-25 18:24:43.000000000 +0100 ++++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.h 2011-01-25 18:24:56.000000000 +0100 +@@ -0,0 +1,73 @@ +/* + * Copyright (c) 2010 Tomas Mraz + * @@ -266,6 +277,7 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.1. +#define _FAILLOCK_H + +#include ++#include + +#define TALLY_STATUS_VALID 0x1 /* the tally file entry is valid */ +#define TALLY_STATUS_RHOST 0x2 /* the source is rhost */ @@ -286,14 +298,14 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.1. + +#define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock" + -+int open_tally(const char *dir, const char *user, int create); ++int open_tally(const char *dir, const char *user, uid_t uid, int create); +int read_tally(int fd, struct tally_data *tallies); +int update_tally(int fd, struct tally_data *tallies); +#endif + diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml ---- Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml 2010-09-17 15:58:41.000000000 +0200 +--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock 2011-01-25 18:24:43.000000000 +0100 ++++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml 2011-01-25 18:24:43.000000000 +0100 @@ -0,0 +1,123 @@ + + diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/main.c ---- Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/main.c 2010-09-17 15:58:41.000000000 +0200 +--- Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock 2011-01-25 18:24:43.000000000 +0100 ++++ Linux-PAM-1.1.1/modules/pam_faillock/main.c 2011-01-25 18:24:56.000000000 +0100 @@ -0,0 +1,233 @@ +/* + * Copyright (c) 2010 Tomas Mraz @@ -466,8 +478,6 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/mo +#include +#include +#include -+#include -+#include +#ifdef HAVE_LIBAUDIT +#include +#endif @@ -532,8 +542,11 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/mo + int fd; + int rv; + struct tally_data tallies; ++ struct passwd *pwd; + -+ fd = open_tally(opts->dir, user, 0); ++ pwd = getpwnam(user); ++ ++ fd = open_tally(opts->dir, user, pwd != NULL ? pwd->pw_uid : 0, 0); + + if (fd == -1) { + if (errno == ENOENT) { @@ -560,9 +573,8 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/mo +#ifdef HAVE_LIBAUDIT + } + if ((audit_fd=audit_open()) >= 0) { -+ struct passwd *pwd; + -+ if ((pwd=getpwnam(user)) != NULL) { ++ if (pwd != NULL) { + snprintf(buf, sizeof(buf), "faillock reset uid=%u", + pwd->pw_uid); + audit_log_user_message(audit_fd, AUDIT_USER_ACCT, @@ -656,8 +668,8 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/mo +} + diff -up Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am ---- Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am 2010-09-17 15:58:41.000000000 +0200 +--- Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock 2011-01-25 18:24:43.000000000 +0100 ++++ Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am 2011-01-25 18:24:43.000000000 +0100 @@ -0,0 +1,43 @@ +# +# Copyright (c) 2005, 2006, 2007, 2009 Thorsten Kukuk @@ -703,9 +715,9 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.1 +-include $(top_srcdir)/Make.xml.rules +endif diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c ---- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c 2010-09-17 15:58:41.000000000 +0200 -@@ -0,0 +1,550 @@ +--- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock 2011-01-25 18:24:43.000000000 +0100 ++++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c 2011-01-25 18:24:56.000000000 +0100 +@@ -0,0 +1,553 @@ +/* + * Copyright (c) 2010 Tomas Mraz + * @@ -921,7 +933,7 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM- + + opts->now = time(NULL); + -+ tfd = open_tally(opts->dir, opts->user, 0); ++ tfd = open_tally(opts->dir, opts->user, opts->uid, 0); + + *fd = tfd; + @@ -997,9 +1009,14 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM- +{ + int rv; + -+ while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR); -+ if (rv == -1) { -+ pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user); ++ if (*fd == -1) { ++ *fd = open_tally(opts->dir, opts->user, opts->uid, 1); ++ } ++ else { ++ while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR); ++ if (rv == -1) { ++ pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user); ++ } + } +} + @@ -1014,7 +1031,7 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM- + const void *source = NULL; + + if (*fd == -1) { -+ *fd = open_tally(opts->dir, opts->user, 1); ++ *fd = open_tally(opts->dir, opts->user, opts->uid, 1); + } + if (*fd == -1) { + if (errno == EACCES) { @@ -1171,7 +1188,7 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM- + + case FAILLOCK_ACTION_AUTHSUCC: + rv = check_tally(pamh, &opts, &tallies, &fd); -+ if (rv == PAM_SUCCESS && fd != -1) { ++ if (rv == PAM_SUCCESS) { + reset_tally(pamh, &opts, &fd); + } + break; @@ -1219,10 +1236,8 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM- + return rv; + } + -+ check_tally(pamh, &opts, &tallies, &fd); -+ if (fd != -1) { -+ reset_tally(pamh, &opts, &fd); -+ } ++ check_tally(pamh, &opts, &tallies, &fd); /* for auditing */ ++ reset_tally(pamh, &opts, &fd); + + tally_cleanup(&tallies, fd); + @@ -1257,9 +1272,9 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM- +#endif /* #ifdef PAM_STATIC */ + diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml ---- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml 2010-09-17 15:58:41.000000000 +0200 -@@ -0,0 +1,396 @@ +--- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock 2011-01-25 18:24:43.000000000 +0100 ++++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml 2011-01-25 18:24:56.000000000 +0100 +@@ -0,0 +1,392 @@ + + @@ -1539,13 +1554,9 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux- + from the pam_tally2 module setup. + + -+ There is no setuid wrapper for access to the data file such as when the -+ pam_faillock.so module is called from -+ a screensaver. As this would make it impossible to share PAM configuration -+ with such services the following workaround is used: If the data file -+ cannot be opened because of insufficient permissions -+ (EACCES) the module returns -+ PAM_SUCCESS. ++ The individual files with the failure records are created as owned by ++ the user. This allows pam_faillock.so module ++ to work correctly when it is called from a screensaver. + + + Note that using the module in without the @@ -1657,8 +1668,8 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux- + + diff -up Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/README.xml ---- Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/README.xml 2010-09-17 15:58:41.000000000 +0200 +--- Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock 2011-01-25 18:24:43.000000000 +0100 ++++ Linux-PAM-1.1.1/modules/pam_faillock/README.xml 2011-01-25 18:24:43.000000000 +0100 @@ -0,0 +1,46 @@ + + diff -up Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock.faillock Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock ---- Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock 2010-09-17 15:58:41.000000000 +0200 +--- Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock.faillock 2011-01-25 18:24:43.000000000 +0100 ++++ Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock 2011-01-25 18:24:43.000000000 +0100 @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_faillock.so diff --git a/pam-1.1.8-audit-grantor.patch b/pam-1.1.8-audit-grantor.patch new file mode 100644 index 0000000..f131fd3 --- /dev/null +++ b/pam-1.1.8-audit-grantor.patch @@ -0,0 +1,344 @@ +diff --git a/libpam/pam_account.c b/libpam/pam_account.c +index 572acc4..3a4fb1f 100644 +--- a/libpam/pam_account.c ++++ b/libpam/pam_account.c +@@ -19,9 +19,5 @@ int pam_acct_mgmt(pam_handle_t *pamh, int flags) + + retval = _pam_dispatch(pamh, flags, PAM_ACCOUNT); + +-#ifdef HAVE_LIBAUDIT +- retval = _pam_auditlog(pamh, PAM_ACCOUNT, retval, flags); +-#endif +- + return retval; + } +diff --git a/libpam/pam_audit.c b/libpam/pam_audit.c +index 531746a..63a4ea5 100644 +--- a/libpam/pam_audit.c ++++ b/libpam/pam_audit.c +@@ -28,14 +28,15 @@ _pam_audit_writelog(pam_handle_t *pamh, int audit_fd, int type, + const char *message, int retval) + { + static int old_errno = -1; +- int rc; +- char buf[32]; +- +- snprintf(buf, sizeof(buf), "PAM:%s", message); +- +- rc = audit_log_acct_message (audit_fd, type, NULL, buf, +- (retval != PAM_USER_UNKNOWN && pamh->user) ? pamh->user : "?", +- -1, pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS ); ++ int rc = -ENOMEM; ++ char *buf = NULL; ++ ++ if (asprintf(&buf, "PAM:%s", message) >= 0) { ++ rc = audit_log_acct_message(audit_fd, type, NULL, buf, ++ (retval != PAM_USER_UNKNOWN && pamh->user) ? pamh->user : "?", ++ -1, pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS); ++ free(buf); ++ } + + /* libaudit sets errno to his own negative error code. This can be + an official errno number, but must not. It can also be a audit +@@ -78,12 +79,65 @@ _pam_audit_open(pam_handle_t *pamh) + return audit_fd; + } + ++static char * ++_pam_list_grantors(struct handler *hlist, const char *message, int retval) ++{ ++ char *buf; ++ char *list = NULL; ++ ++ if (retval == PAM_SUCCESS) { ++ struct handler *h; ++ char *p = NULL; ++ size_t len = 0; ++ ++ h = hlist; ++ ++ while (h != NULL) { ++ if (h->grantor) { ++ len += strlen(h->mod_name) + 1; ++ } ++ ++ h = h->next; ++ } ++ ++ list = malloc(len); ++ if (list == NULL) { ++ return NULL; ++ } ++ ++ h = hlist; ++ ++ while (h != NULL) { ++ if (h->grantor) { ++ if (p == NULL) { ++ p = list; ++ } else { ++ p = stpcpy(p, ","); ++ } ++ ++ p = stpcpy(p, h->mod_name); ++ } ++ ++ h = h->next; ++ } ++ } ++ ++ if (asprintf(&buf, "%s grantor=%s", message, list ? list : "?") < 0) { ++ free(list); ++ return NULL; ++ } ++ ++ free(list); ++ return buf; ++} ++ + int +-_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags) ++_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags, struct handler *h) + { + const char *message; + int type; + int audit_fd; ++ char *buf = NULL; + + if ((audit_fd=_pam_audit_open(pamh)) == -1) { + return PAM_SYSTEM_ERR; +@@ -134,9 +188,18 @@ _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags) + retval = PAM_SYSTEM_ERR; + } + +- if (_pam_audit_writelog(pamh, audit_fd, type, message, retval) < 0) ++ buf = _pam_list_grantors(h, message, retval); ++ if (buf == NULL) { ++ /* allocation failure */ ++ pam_syslog(pamh, LOG_CRIT, "_pam_list_grantors() failed: %m"); ++ retval = PAM_SYSTEM_ERR; ++ } ++ ++ if (_pam_audit_writelog(pamh, audit_fd, type, buf ? buf : message, retval) < 0) + retval = PAM_SYSTEM_ERR; + ++ free(buf); ++ + audit_close(audit_fd); + return retval; + } +@@ -149,7 +212,7 @@ _pam_audit_end(pam_handle_t *pamh, int status UNUSED) + * stacks having been run. Assume that this is sshd faking + * things for an unknown user. + */ +- _pam_auditlog(pamh, _PAM_ACTION_DONE, PAM_USER_UNKNOWN, 0); ++ _pam_auditlog(pamh, _PAM_ACTION_DONE, PAM_USER_UNKNOWN, 0, NULL); + } + + return 0; +diff --git a/libpam/pam_auth.c b/libpam/pam_auth.c +index 5984fa5..1e7bc6e 100644 +--- a/libpam/pam_auth.c ++++ b/libpam/pam_auth.c +@@ -45,10 +45,6 @@ int pam_authenticate(pam_handle_t *pamh, int flags) + prelude_send_alert(pamh, retval); + #endif + +-#ifdef HAVE_LIBAUDIT +- retval = _pam_auditlog(pamh, PAM_AUTHENTICATE, retval, flags); +-#endif +- + return retval; + } + +@@ -71,10 +67,6 @@ int pam_setcred(pam_handle_t *pamh, int flags) + + retval = _pam_dispatch(pamh, flags, PAM_SETCRED); + +-#ifdef HAVE_LIBAUDIT +- retval = _pam_auditlog(pamh, PAM_SETCRED, retval, flags); +-#endif +- + D(("pam_setcred exit")); + + return retval; +diff --git a/libpam/pam_dispatch.c b/libpam/pam_dispatch.c +index eb52c82..ccfc372 100644 +--- a/libpam/pam_dispatch.c ++++ b/libpam/pam_dispatch.c +@@ -217,8 +217,14 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, + status = retval; + } + } +- if ( impression == _PAM_POSITIVE && action == _PAM_ACTION_DONE ) { +- goto decision_made; ++ if ( impression == _PAM_POSITIVE ) { ++ if ( retval == PAM_SUCCESS ) { ++ h->grantor = 1; ++ } ++ ++ if ( action == _PAM_ACTION_DONE ) { ++ goto decision_made; ++ } + } + break; + +@@ -308,6 +314,14 @@ decision_made: /* by getting here we have made a decision */ + return status; + } + ++static void _pam_clear_grantors(struct handler *h) ++{ ++ while (h != NULL) { ++ h->grantor = 0; ++ h = h->next; ++ } ++} ++ + /* + * This function translates the module dispatch request into a pointer + * to the stack of modules that will actually be run. the +@@ -318,21 +332,21 @@ decision_made: /* by getting here we have made a decision */ + int _pam_dispatch(pam_handle_t *pamh, int flags, int choice) + { + struct handler *h = NULL; +- int retval, use_cached_chain; ++ int retval = PAM_SYSTEM_ERR, use_cached_chain; + _pam_boolean resumed; + + IF_NO_PAMH("_pam_dispatch", pamh, PAM_SYSTEM_ERR); + + if (__PAM_FROM_MODULE(pamh)) { + D(("called from a module!?")); +- return PAM_SYSTEM_ERR; ++ goto end; + } + + /* Load all modules, resolve all symbols */ + + if ((retval = _pam_init_handlers(pamh)) != PAM_SUCCESS) { + pam_syslog(pamh, LOG_ERR, "unable to dispatch function"); +- return retval; ++ goto end; + } + + use_cached_chain = _PAM_PLEASE_FREEZE; +@@ -360,7 +374,8 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice) + break; + default: + pam_syslog(pamh, LOG_ERR, "undefined fn choice; %d", choice); +- return PAM_ABORT; ++ retval = PAM_ABORT; ++ goto end; + } + + if (h == NULL) { /* there was no handlers.conf... entry; will use +@@ -393,11 +408,13 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice) + pam_syslog(pamh, LOG_ERR, + "application failed to re-exec stack [%d:%d]", + pamh->former.choice, choice); +- return PAM_ABORT; ++ retval = PAM_ABORT; ++ goto end; + } + resumed = PAM_TRUE; + } else { + resumed = PAM_FALSE; ++ _pam_clear_grantors(h); + } + + __PAM_TO_MODULE(pamh); +@@ -417,5 +434,13 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice) + pamh->former.choice = PAM_NOT_STACKED; + } + ++end: ++ ++#ifdef HAVE_LIBAUDIT ++ if (choice != PAM_CHAUTHTOK || flags & PAM_UPDATE_AUTHTOK || retval != PAM_SUCCESS) { ++ retval = _pam_auditlog(pamh, choice, retval, flags, h); ++ } ++#endif ++ + return retval; + } +diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c +index 02714f7..e3f8ff6 100644 +--- a/libpam/pam_handlers.c ++++ b/libpam/pam_handlers.c +@@ -889,6 +889,7 @@ int _pam_add_handler(pam_handle_t *pamh + (*handler_p)->argc = argc; + (*handler_p)->argv = argv; /* not a copy */ + (*handler_p)->mod_name = extract_modulename(mod_path); ++ (*handler_p)->grantor = 0; + (*handler_p)->next = NULL; + + /* some of the modules have a second calling function */ +@@ -921,6 +922,7 @@ int _pam_add_handler(pam_handle_t *pamh + (*handler_p2)->argv = NULL; /* no arguments */ + } + (*handler_p2)->mod_name = extract_modulename(mod_path); ++ (*handler_p2)->grantor = 0; + (*handler_p2)->next = NULL; + } + +diff --git a/libpam/pam_password.c b/libpam/pam_password.c +index 75db5e5..592e01f 100644 +--- a/libpam/pam_password.c ++++ b/libpam/pam_password.c +@@ -57,9 +57,5 @@ int pam_chauthtok(pam_handle_t *pamh, int flags) + D(("will resume when ready", retval)); + } + +-#ifdef HAVE_LIBAUDIT +- retval = _pam_auditlog(pamh, PAM_CHAUTHTOK, retval, flags); +-#endif +- + return retval; + } +diff --git a/libpam/pam_private.h b/libpam/pam_private.h +index 134dc72..d93283c 100644 +--- a/libpam/pam_private.h ++++ b/libpam/pam_private.h +@@ -55,6 +55,7 @@ struct handler { + struct handler *next; + char *mod_name; + int stack_level; ++ int grantor; + }; + + #define PAM_HT_MODULE 0 +@@ -316,7 +317,7 @@ if ((pamh) == NULL) { \ + do { (pamh)->caller_is = _PAM_CALLED_FROM_APP; } while (0) + + #ifdef HAVE_LIBAUDIT +-extern int _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags); ++extern int _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags, struct handler *h); + extern int _pam_audit_end(pam_handle_t *pamh, int pam_status); + #endif + +diff --git a/libpam/pam_session.c b/libpam/pam_session.c +index 512153f..cb393c1 100644 +--- a/libpam/pam_session.c ++++ b/libpam/pam_session.c +@@ -22,9 +22,6 @@ int pam_open_session(pam_handle_t *pamh, int flags) + } + retval = _pam_dispatch(pamh, flags, PAM_OPEN_SESSION); + +-#ifdef HAVE_LIBAUDIT +- retval = _pam_auditlog(pamh, PAM_OPEN_SESSION, retval, flags); +-#endif + return retval; + } + +@@ -43,10 +40,6 @@ int pam_close_session(pam_handle_t *pamh, int flags) + + retval = _pam_dispatch(pamh, flags, PAM_CLOSE_SESSION); + +-#ifdef HAVE_LIBAUDIT +- retval = _pam_auditlog(pamh, PAM_CLOSE_SESSION, retval, flags); +-#endif +- + return retval; + + } diff --git a/pam.spec b/pam.spec index 048ec94..95b30aa 100644 --- a/pam.spec +++ b/pam.spec @@ -3,7 +3,7 @@ Summary: An extensible library which provides authentication for applications Name: pam Version: 1.1.8 -Release: 14%{?dist} +Release: 15%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ # - this option is redundant as the BSD license allows that anyway. # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+. @@ -50,6 +50,7 @@ Patch35: pam-1.1.8-cve-2013-7041.patch Patch36: pam-1.1.8-cve-2014-2583.patch Patch37: pam-1.1.8-loginuid-container.patch Patch38: pam-1.1.8-opasswd-tolerant.patch +Patch39: pam-1.1.8-audit-grantor.patch %define _pamlibdir %{_libdir} %define _moduledir %{_libdir}/security @@ -134,6 +135,7 @@ cp %{SOURCE18} . %patch36 -p1 -b .timestamp-ruser %patch37 -p1 -b .container %patch38 -p1 -b .opasswd-tolerant +%patch39 -p1 -b .grantor %build autoreconf -i @@ -384,6 +386,10 @@ fi %doc doc/adg/*.txt doc/adg/html %changelog +* Wed Aug 13 2014 Tomáš Mráz 1.1.8-15 +- audit the module names that granted access +- pam_faillock: update to latest version + * Wed Jul 30 2014 Tom Callaway - 1.1.8-14 - fix license handling