audit the module names that granted access
- pam_faillock: update to latest version
This commit is contained in:
parent
e3a692cb19
commit
b582f50a36
@ -1,6 +1,6 @@
|
||||
diff -up Linux-PAM-1.1.1/configure.in.faillock Linux-PAM-1.1.1/configure.in
|
||||
--- Linux-PAM-1.1.1/configure.in.faillock 2010-09-17 15:58:41.000000000 +0200
|
||||
+++ Linux-PAM-1.1.1/configure.in 2010-09-17 15:58:41.000000000 +0200
|
||||
--- Linux-PAM-1.1.1/configure.in.faillock 2010-10-20 15:46:34.000000000 +0200
|
||||
+++ Linux-PAM-1.1.1/configure.in 2011-01-25 18:24:43.000000000 +0100
|
||||
@@ -539,7 +539,7 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
|
||||
modules/pam_access/Makefile modules/pam_cracklib/Makefile \
|
||||
modules/pam_debug/Makefile modules/pam_deny/Makefile \
|
||||
@ -11,8 +11,8 @@ diff -up Linux-PAM-1.1.1/configure.in.faillock Linux-PAM-1.1.1/configure.in
|
||||
modules/pam_ftp/Makefile modules/pam_group/Makefile \
|
||||
modules/pam_issue/Makefile modules/pam_keyinit/Makefile \
|
||||
diff -up Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock Linux-PAM-1.1.1/doc/sag/pam_faillock.xml
|
||||
--- Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock 2010-09-17 16:05:56.000000000 +0200
|
||||
+++ Linux-PAM-1.1.1/doc/sag/pam_faillock.xml 2010-09-17 16:08:26.000000000 +0200
|
||||
--- Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock 2011-01-25 18:24:43.000000000 +0100
|
||||
+++ Linux-PAM-1.1.1/doc/sag/pam_faillock.xml 2011-01-25 18:24:43.000000000 +0100
|
||||
@@ -0,0 +1,38 @@
|
||||
+<?xml version='1.0' encoding='UTF-8'?>
|
||||
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
||||
@ -53,8 +53,8 @@ diff -up Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock Linux-PAM-1.1.1/doc/s
|
||||
+ </section>
|
||||
+</section>
|
||||
diff -up Linux-PAM-1.1.1/modules/Makefile.am.faillock Linux-PAM-1.1.1/modules/Makefile.am
|
||||
--- Linux-PAM-1.1.1/modules/Makefile.am.faillock 2010-09-17 15:58:41.000000000 +0200
|
||||
+++ Linux-PAM-1.1.1/modules/Makefile.am 2010-09-17 15:58:41.000000000 +0200
|
||||
--- Linux-PAM-1.1.1/modules/Makefile.am.faillock 2010-10-20 15:46:34.000000000 +0200
|
||||
+++ Linux-PAM-1.1.1/modules/Makefile.am 2011-01-25 18:24:43.000000000 +0100
|
||||
@@ -3,7 +3,7 @@
|
||||
#
|
||||
|
||||
@ -65,9 +65,9 @@ diff -up Linux-PAM-1.1.1/modules/Makefile.am.faillock Linux-PAM-1.1.1/modules/Ma
|
||||
pam_group pam_issue pam_keyinit pam_lastlog pam_limits \
|
||||
pam_listfile pam_localuser pam_loginuid pam_mail \
|
||||
diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.c
|
||||
--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock 2010-09-17 15:58:41.000000000 +0200
|
||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.c 2010-09-17 15:58:41.000000000 +0200
|
||||
@@ -0,0 +1,147 @@
|
||||
--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock 2011-01-25 18:24:43.000000000 +0100
|
||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.c 2011-01-25 18:24:56.000000000 +0100
|
||||
@@ -0,0 +1,158 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
|
||||
+ *
|
||||
@ -111,13 +111,14 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.1.
|
||||
+#include <sys/types.h>
|
||||
+#include <sys/stat.h>
|
||||
+#include <sys/file.h>
|
||||
+#include <sys/stat.h>
|
||||
+#include <fcntl.h>
|
||||
+#include <security/pam_modutil.h>
|
||||
+
|
||||
+#include "faillock.h"
|
||||
+
|
||||
+int
|
||||
+open_tally (const char *dir, const char *user, int create)
|
||||
+open_tally (const char *dir, const char *user, uid_t uid, int create)
|
||||
+{
|
||||
+ char *path;
|
||||
+ int flags = O_RDWR;
|
||||
@ -144,8 +145,18 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.1.
|
||||
+
|
||||
+ fd = open(path, flags, 0600);
|
||||
+
|
||||
+ if (fd != -1)
|
||||
+ free(path);
|
||||
+
|
||||
+ if (fd != -1) {
|
||||
+ struct stat st;
|
||||
+
|
||||
+ while (flock(fd, LOCK_EX) == -1 && errno == EINTR);
|
||||
+ if (fstat(fd, &st) == 0) {
|
||||
+ if (st.st_uid != uid) {
|
||||
+ fchown(fd, uid, -1);
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return fd;
|
||||
+}
|
||||
@ -216,9 +227,9 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.1.
|
||||
+ return 0;
|
||||
+}
|
||||
diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.h
|
||||
--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock 2010-09-17 15:58:41.000000000 +0200
|
||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.h 2010-09-17 15:58:41.000000000 +0200
|
||||
@@ -0,0 +1,72 @@
|
||||
--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock 2011-01-25 18:24:43.000000000 +0100
|
||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.h 2011-01-25 18:24:56.000000000 +0100
|
||||
@@ -0,0 +1,73 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
|
||||
+ *
|
||||
@ -266,6 +277,7 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.1.
|
||||
+#define _FAILLOCK_H
|
||||
+
|
||||
+#include <stdint.h>
|
||||
+#include <sys/types.h>
|
||||
+
|
||||
+#define TALLY_STATUS_VALID 0x1 /* the tally file entry is valid */
|
||||
+#define TALLY_STATUS_RHOST 0x2 /* the source is rhost */
|
||||
@ -286,14 +298,14 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.1.
|
||||
+
|
||||
+#define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock"
|
||||
+
|
||||
+int open_tally(const char *dir, const char *user, int create);
|
||||
+int open_tally(const char *dir, const char *user, uid_t uid, int create);
|
||||
+int read_tally(int fd, struct tally_data *tallies);
|
||||
+int update_tally(int fd, struct tally_data *tallies);
|
||||
+#endif
|
||||
+
|
||||
diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml
|
||||
--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock 2010-09-17 15:58:41.000000000 +0200
|
||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml 2010-09-17 15:58:41.000000000 +0200
|
||||
--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock 2011-01-25 18:24:43.000000000 +0100
|
||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml 2011-01-25 18:24:43.000000000 +0100
|
||||
@@ -0,0 +1,123 @@
|
||||
+<?xml version="1.0" encoding='UTF-8'?>
|
||||
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
||||
@ -419,8 +431,8 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock Linux-PAM-
|
||||
+
|
||||
+</refentry>
|
||||
diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/main.c
|
||||
--- Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock 2010-09-17 15:58:41.000000000 +0200
|
||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/main.c 2010-09-17 15:58:41.000000000 +0200
|
||||
--- Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock 2011-01-25 18:24:43.000000000 +0100
|
||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/main.c 2011-01-25 18:24:56.000000000 +0100
|
||||
@@ -0,0 +1,233 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
|
||||
@ -466,8 +478,6 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/mo
|
||||
+#include <errno.h>
|
||||
+#include <pwd.h>
|
||||
+#include <time.h>
|
||||
+#include <sys/types.h>
|
||||
+#include <unistd.h>
|
||||
+#ifdef HAVE_LIBAUDIT
|
||||
+#include <libaudit.h>
|
||||
+#endif
|
||||
@ -532,8 +542,11 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/mo
|
||||
+ int fd;
|
||||
+ int rv;
|
||||
+ struct tally_data tallies;
|
||||
+ struct passwd *pwd;
|
||||
+
|
||||
+ fd = open_tally(opts->dir, user, 0);
|
||||
+ pwd = getpwnam(user);
|
||||
+
|
||||
+ fd = open_tally(opts->dir, user, pwd != NULL ? pwd->pw_uid : 0, 0);
|
||||
+
|
||||
+ if (fd == -1) {
|
||||
+ if (errno == ENOENT) {
|
||||
@ -560,9 +573,8 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/mo
|
||||
+#ifdef HAVE_LIBAUDIT
|
||||
+ }
|
||||
+ if ((audit_fd=audit_open()) >= 0) {
|
||||
+ struct passwd *pwd;
|
||||
+
|
||||
+ if ((pwd=getpwnam(user)) != NULL) {
|
||||
+ if (pwd != NULL) {
|
||||
+ snprintf(buf, sizeof(buf), "faillock reset uid=%u",
|
||||
+ pwd->pw_uid);
|
||||
+ audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
|
||||
@ -656,8 +668,8 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/mo
|
||||
+}
|
||||
+
|
||||
diff -up Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am
|
||||
--- Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock 2010-09-17 15:58:41.000000000 +0200
|
||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am 2010-09-17 15:58:41.000000000 +0200
|
||||
--- Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock 2011-01-25 18:24:43.000000000 +0100
|
||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am 2011-01-25 18:24:43.000000000 +0100
|
||||
@@ -0,0 +1,43 @@
|
||||
+#
|
||||
+# Copyright (c) 2005, 2006, 2007, 2009 Thorsten Kukuk <kukuk@thkukuk.de>
|
||||
@ -703,9 +715,9 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.1
|
||||
+-include $(top_srcdir)/Make.xml.rules
|
||||
+endif
|
||||
diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c
|
||||
--- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock 2010-09-17 15:58:41.000000000 +0200
|
||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c 2010-09-17 15:58:41.000000000 +0200
|
||||
@@ -0,0 +1,550 @@
|
||||
--- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock 2011-01-25 18:24:43.000000000 +0100
|
||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c 2011-01-25 18:24:56.000000000 +0100
|
||||
@@ -0,0 +1,553 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
|
||||
+ *
|
||||
@ -921,7 +933,7 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-
|
||||
+
|
||||
+ opts->now = time(NULL);
|
||||
+
|
||||
+ tfd = open_tally(opts->dir, opts->user, 0);
|
||||
+ tfd = open_tally(opts->dir, opts->user, opts->uid, 0);
|
||||
+
|
||||
+ *fd = tfd;
|
||||
+
|
||||
@ -997,9 +1009,14 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-
|
||||
+{
|
||||
+ int rv;
|
||||
+
|
||||
+ while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR);
|
||||
+ if (rv == -1) {
|
||||
+ pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user);
|
||||
+ if (*fd == -1) {
|
||||
+ *fd = open_tally(opts->dir, opts->user, opts->uid, 1);
|
||||
+ }
|
||||
+ else {
|
||||
+ while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR);
|
||||
+ if (rv == -1) {
|
||||
+ pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user);
|
||||
+ }
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
@ -1014,7 +1031,7 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-
|
||||
+ const void *source = NULL;
|
||||
+
|
||||
+ if (*fd == -1) {
|
||||
+ *fd = open_tally(opts->dir, opts->user, 1);
|
||||
+ *fd = open_tally(opts->dir, opts->user, opts->uid, 1);
|
||||
+ }
|
||||
+ if (*fd == -1) {
|
||||
+ if (errno == EACCES) {
|
||||
@ -1171,7 +1188,7 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-
|
||||
+
|
||||
+ case FAILLOCK_ACTION_AUTHSUCC:
|
||||
+ rv = check_tally(pamh, &opts, &tallies, &fd);
|
||||
+ if (rv == PAM_SUCCESS && fd != -1) {
|
||||
+ if (rv == PAM_SUCCESS) {
|
||||
+ reset_tally(pamh, &opts, &fd);
|
||||
+ }
|
||||
+ break;
|
||||
@ -1219,10 +1236,8 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-
|
||||
+ return rv;
|
||||
+ }
|
||||
+
|
||||
+ check_tally(pamh, &opts, &tallies, &fd);
|
||||
+ if (fd != -1) {
|
||||
+ reset_tally(pamh, &opts, &fd);
|
||||
+ }
|
||||
+ check_tally(pamh, &opts, &tallies, &fd); /* for auditing */
|
||||
+ reset_tally(pamh, &opts, &fd);
|
||||
+
|
||||
+ tally_cleanup(&tallies, fd);
|
||||
+
|
||||
@ -1257,9 +1272,9 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-
|
||||
+#endif /* #ifdef PAM_STATIC */
|
||||
+
|
||||
diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml
|
||||
--- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock 2010-09-17 15:58:41.000000000 +0200
|
||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml 2010-09-17 15:58:41.000000000 +0200
|
||||
@@ -0,0 +1,396 @@
|
||||
--- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock 2011-01-25 18:24:43.000000000 +0100
|
||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml 2011-01-25 18:24:56.000000000 +0100
|
||||
@@ -0,0 +1,392 @@
|
||||
+<?xml version="1.0" encoding='UTF-8'?>
|
||||
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
||||
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
|
||||
@ -1539,13 +1554,9 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-
|
||||
+ from the <emphasis>pam_tally2</emphasis> module setup.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ There is no setuid wrapper for access to the data file such as when the
|
||||
+ <emphasis remap='B'>pam_faillock.so</emphasis> module is called from
|
||||
+ a screensaver. As this would make it impossible to share PAM configuration
|
||||
+ with such services the following workaround is used: If the data file
|
||||
+ cannot be opened because of insufficient permissions
|
||||
+ (<errorcode>EACCES</errorcode>) the module returns
|
||||
+ <errorcode>PAM_SUCCESS</errorcode>.
|
||||
+ The individual files with the failure records are created as owned by
|
||||
+ the user. This allows <emphasis remap='B'>pam_faillock.so</emphasis> module
|
||||
+ to work correctly when it is called from a screensaver.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ Note that using the module in <option>preauth</option> without the
|
||||
@ -1657,8 +1668,8 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-
|
||||
+
|
||||
+</refentry>
|
||||
diff -up Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/README.xml
|
||||
--- Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock 2010-09-17 15:58:41.000000000 +0200
|
||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/README.xml 2010-09-17 15:58:41.000000000 +0200
|
||||
--- Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock 2011-01-25 18:24:43.000000000 +0100
|
||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/README.xml 2011-01-25 18:24:43.000000000 +0100
|
||||
@@ -0,0 +1,46 @@
|
||||
+<?xml version="1.0" encoding='UTF-8'?>
|
||||
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
||||
@ -1707,8 +1718,8 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock Linux-PAM-1.1.
|
||||
+
|
||||
+</article>
|
||||
diff -up Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock.faillock Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock
|
||||
--- Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock.faillock 2010-09-17 15:58:41.000000000 +0200
|
||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock 2010-09-17 15:58:41.000000000 +0200
|
||||
--- Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock.faillock 2011-01-25 18:24:43.000000000 +0100
|
||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock 2011-01-25 18:24:43.000000000 +0100
|
||||
@@ -0,0 +1,2 @@
|
||||
+#!/bin/sh
|
||||
+../../tests/tst-dlopen .libs/pam_faillock.so
|
||||
|
344
pam-1.1.8-audit-grantor.patch
Normal file
344
pam-1.1.8-audit-grantor.patch
Normal file
@ -0,0 +1,344 @@
|
||||
diff --git a/libpam/pam_account.c b/libpam/pam_account.c
|
||||
index 572acc4..3a4fb1f 100644
|
||||
--- a/libpam/pam_account.c
|
||||
+++ b/libpam/pam_account.c
|
||||
@@ -19,9 +19,5 @@ int pam_acct_mgmt(pam_handle_t *pamh, int flags)
|
||||
|
||||
retval = _pam_dispatch(pamh, flags, PAM_ACCOUNT);
|
||||
|
||||
-#ifdef HAVE_LIBAUDIT
|
||||
- retval = _pam_auditlog(pamh, PAM_ACCOUNT, retval, flags);
|
||||
-#endif
|
||||
-
|
||||
return retval;
|
||||
}
|
||||
diff --git a/libpam/pam_audit.c b/libpam/pam_audit.c
|
||||
index 531746a..63a4ea5 100644
|
||||
--- a/libpam/pam_audit.c
|
||||
+++ b/libpam/pam_audit.c
|
||||
@@ -28,14 +28,15 @@ _pam_audit_writelog(pam_handle_t *pamh, int audit_fd, int type,
|
||||
const char *message, int retval)
|
||||
{
|
||||
static int old_errno = -1;
|
||||
- int rc;
|
||||
- char buf[32];
|
||||
-
|
||||
- snprintf(buf, sizeof(buf), "PAM:%s", message);
|
||||
-
|
||||
- rc = audit_log_acct_message (audit_fd, type, NULL, buf,
|
||||
- (retval != PAM_USER_UNKNOWN && pamh->user) ? pamh->user : "?",
|
||||
- -1, pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS );
|
||||
+ int rc = -ENOMEM;
|
||||
+ char *buf = NULL;
|
||||
+
|
||||
+ if (asprintf(&buf, "PAM:%s", message) >= 0) {
|
||||
+ rc = audit_log_acct_message(audit_fd, type, NULL, buf,
|
||||
+ (retval != PAM_USER_UNKNOWN && pamh->user) ? pamh->user : "?",
|
||||
+ -1, pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS);
|
||||
+ free(buf);
|
||||
+ }
|
||||
|
||||
/* libaudit sets errno to his own negative error code. This can be
|
||||
an official errno number, but must not. It can also be a audit
|
||||
@@ -78,12 +79,65 @@ _pam_audit_open(pam_handle_t *pamh)
|
||||
return audit_fd;
|
||||
}
|
||||
|
||||
+static char *
|
||||
+_pam_list_grantors(struct handler *hlist, const char *message, int retval)
|
||||
+{
|
||||
+ char *buf;
|
||||
+ char *list = NULL;
|
||||
+
|
||||
+ if (retval == PAM_SUCCESS) {
|
||||
+ struct handler *h;
|
||||
+ char *p = NULL;
|
||||
+ size_t len = 0;
|
||||
+
|
||||
+ h = hlist;
|
||||
+
|
||||
+ while (h != NULL) {
|
||||
+ if (h->grantor) {
|
||||
+ len += strlen(h->mod_name) + 1;
|
||||
+ }
|
||||
+
|
||||
+ h = h->next;
|
||||
+ }
|
||||
+
|
||||
+ list = malloc(len);
|
||||
+ if (list == NULL) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ h = hlist;
|
||||
+
|
||||
+ while (h != NULL) {
|
||||
+ if (h->grantor) {
|
||||
+ if (p == NULL) {
|
||||
+ p = list;
|
||||
+ } else {
|
||||
+ p = stpcpy(p, ",");
|
||||
+ }
|
||||
+
|
||||
+ p = stpcpy(p, h->mod_name);
|
||||
+ }
|
||||
+
|
||||
+ h = h->next;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (asprintf(&buf, "%s grantor=%s", message, list ? list : "?") < 0) {
|
||||
+ free(list);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ free(list);
|
||||
+ return buf;
|
||||
+}
|
||||
+
|
||||
int
|
||||
-_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags)
|
||||
+_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags, struct handler *h)
|
||||
{
|
||||
const char *message;
|
||||
int type;
|
||||
int audit_fd;
|
||||
+ char *buf = NULL;
|
||||
|
||||
if ((audit_fd=_pam_audit_open(pamh)) == -1) {
|
||||
return PAM_SYSTEM_ERR;
|
||||
@@ -134,9 +188,18 @@ _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags)
|
||||
retval = PAM_SYSTEM_ERR;
|
||||
}
|
||||
|
||||
- if (_pam_audit_writelog(pamh, audit_fd, type, message, retval) < 0)
|
||||
+ buf = _pam_list_grantors(h, message, retval);
|
||||
+ if (buf == NULL) {
|
||||
+ /* allocation failure */
|
||||
+ pam_syslog(pamh, LOG_CRIT, "_pam_list_grantors() failed: %m");
|
||||
+ retval = PAM_SYSTEM_ERR;
|
||||
+ }
|
||||
+
|
||||
+ if (_pam_audit_writelog(pamh, audit_fd, type, buf ? buf : message, retval) < 0)
|
||||
retval = PAM_SYSTEM_ERR;
|
||||
|
||||
+ free(buf);
|
||||
+
|
||||
audit_close(audit_fd);
|
||||
return retval;
|
||||
}
|
||||
@@ -149,7 +212,7 @@ _pam_audit_end(pam_handle_t *pamh, int status UNUSED)
|
||||
* stacks having been run. Assume that this is sshd faking
|
||||
* things for an unknown user.
|
||||
*/
|
||||
- _pam_auditlog(pamh, _PAM_ACTION_DONE, PAM_USER_UNKNOWN, 0);
|
||||
+ _pam_auditlog(pamh, _PAM_ACTION_DONE, PAM_USER_UNKNOWN, 0, NULL);
|
||||
}
|
||||
|
||||
return 0;
|
||||
diff --git a/libpam/pam_auth.c b/libpam/pam_auth.c
|
||||
index 5984fa5..1e7bc6e 100644
|
||||
--- a/libpam/pam_auth.c
|
||||
+++ b/libpam/pam_auth.c
|
||||
@@ -45,10 +45,6 @@ int pam_authenticate(pam_handle_t *pamh, int flags)
|
||||
prelude_send_alert(pamh, retval);
|
||||
#endif
|
||||
|
||||
-#ifdef HAVE_LIBAUDIT
|
||||
- retval = _pam_auditlog(pamh, PAM_AUTHENTICATE, retval, flags);
|
||||
-#endif
|
||||
-
|
||||
return retval;
|
||||
}
|
||||
|
||||
@@ -71,10 +67,6 @@ int pam_setcred(pam_handle_t *pamh, int flags)
|
||||
|
||||
retval = _pam_dispatch(pamh, flags, PAM_SETCRED);
|
||||
|
||||
-#ifdef HAVE_LIBAUDIT
|
||||
- retval = _pam_auditlog(pamh, PAM_SETCRED, retval, flags);
|
||||
-#endif
|
||||
-
|
||||
D(("pam_setcred exit"));
|
||||
|
||||
return retval;
|
||||
diff --git a/libpam/pam_dispatch.c b/libpam/pam_dispatch.c
|
||||
index eb52c82..ccfc372 100644
|
||||
--- a/libpam/pam_dispatch.c
|
||||
+++ b/libpam/pam_dispatch.c
|
||||
@@ -217,8 +217,14 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
|
||||
status = retval;
|
||||
}
|
||||
}
|
||||
- if ( impression == _PAM_POSITIVE && action == _PAM_ACTION_DONE ) {
|
||||
- goto decision_made;
|
||||
+ if ( impression == _PAM_POSITIVE ) {
|
||||
+ if ( retval == PAM_SUCCESS ) {
|
||||
+ h->grantor = 1;
|
||||
+ }
|
||||
+
|
||||
+ if ( action == _PAM_ACTION_DONE ) {
|
||||
+ goto decision_made;
|
||||
+ }
|
||||
}
|
||||
break;
|
||||
|
||||
@@ -308,6 +314,14 @@ decision_made: /* by getting here we have made a decision */
|
||||
return status;
|
||||
}
|
||||
|
||||
+static void _pam_clear_grantors(struct handler *h)
|
||||
+{
|
||||
+ while (h != NULL) {
|
||||
+ h->grantor = 0;
|
||||
+ h = h->next;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* This function translates the module dispatch request into a pointer
|
||||
* to the stack of modules that will actually be run. the
|
||||
@@ -318,21 +332,21 @@ decision_made: /* by getting here we have made a decision */
|
||||
int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
|
||||
{
|
||||
struct handler *h = NULL;
|
||||
- int retval, use_cached_chain;
|
||||
+ int retval = PAM_SYSTEM_ERR, use_cached_chain;
|
||||
_pam_boolean resumed;
|
||||
|
||||
IF_NO_PAMH("_pam_dispatch", pamh, PAM_SYSTEM_ERR);
|
||||
|
||||
if (__PAM_FROM_MODULE(pamh)) {
|
||||
D(("called from a module!?"));
|
||||
- return PAM_SYSTEM_ERR;
|
||||
+ goto end;
|
||||
}
|
||||
|
||||
/* Load all modules, resolve all symbols */
|
||||
|
||||
if ((retval = _pam_init_handlers(pamh)) != PAM_SUCCESS) {
|
||||
pam_syslog(pamh, LOG_ERR, "unable to dispatch function");
|
||||
- return retval;
|
||||
+ goto end;
|
||||
}
|
||||
|
||||
use_cached_chain = _PAM_PLEASE_FREEZE;
|
||||
@@ -360,7 +374,8 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
|
||||
break;
|
||||
default:
|
||||
pam_syslog(pamh, LOG_ERR, "undefined fn choice; %d", choice);
|
||||
- return PAM_ABORT;
|
||||
+ retval = PAM_ABORT;
|
||||
+ goto end;
|
||||
}
|
||||
|
||||
if (h == NULL) { /* there was no handlers.conf... entry; will use
|
||||
@@ -393,11 +408,13 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
|
||||
pam_syslog(pamh, LOG_ERR,
|
||||
"application failed to re-exec stack [%d:%d]",
|
||||
pamh->former.choice, choice);
|
||||
- return PAM_ABORT;
|
||||
+ retval = PAM_ABORT;
|
||||
+ goto end;
|
||||
}
|
||||
resumed = PAM_TRUE;
|
||||
} else {
|
||||
resumed = PAM_FALSE;
|
||||
+ _pam_clear_grantors(h);
|
||||
}
|
||||
|
||||
__PAM_TO_MODULE(pamh);
|
||||
@@ -417,5 +434,13 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
|
||||
pamh->former.choice = PAM_NOT_STACKED;
|
||||
}
|
||||
|
||||
+end:
|
||||
+
|
||||
+#ifdef HAVE_LIBAUDIT
|
||||
+ if (choice != PAM_CHAUTHTOK || flags & PAM_UPDATE_AUTHTOK || retval != PAM_SUCCESS) {
|
||||
+ retval = _pam_auditlog(pamh, choice, retval, flags, h);
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
return retval;
|
||||
}
|
||||
diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c
|
||||
index 02714f7..e3f8ff6 100644
|
||||
--- a/libpam/pam_handlers.c
|
||||
+++ b/libpam/pam_handlers.c
|
||||
@@ -889,6 +889,7 @@ int _pam_add_handler(pam_handle_t *pamh
|
||||
(*handler_p)->argc = argc;
|
||||
(*handler_p)->argv = argv; /* not a copy */
|
||||
(*handler_p)->mod_name = extract_modulename(mod_path);
|
||||
+ (*handler_p)->grantor = 0;
|
||||
(*handler_p)->next = NULL;
|
||||
|
||||
/* some of the modules have a second calling function */
|
||||
@@ -921,6 +922,7 @@ int _pam_add_handler(pam_handle_t *pamh
|
||||
(*handler_p2)->argv = NULL; /* no arguments */
|
||||
}
|
||||
(*handler_p2)->mod_name = extract_modulename(mod_path);
|
||||
+ (*handler_p2)->grantor = 0;
|
||||
(*handler_p2)->next = NULL;
|
||||
}
|
||||
|
||||
diff --git a/libpam/pam_password.c b/libpam/pam_password.c
|
||||
index 75db5e5..592e01f 100644
|
||||
--- a/libpam/pam_password.c
|
||||
+++ b/libpam/pam_password.c
|
||||
@@ -57,9 +57,5 @@ int pam_chauthtok(pam_handle_t *pamh, int flags)
|
||||
D(("will resume when ready", retval));
|
||||
}
|
||||
|
||||
-#ifdef HAVE_LIBAUDIT
|
||||
- retval = _pam_auditlog(pamh, PAM_CHAUTHTOK, retval, flags);
|
||||
-#endif
|
||||
-
|
||||
return retval;
|
||||
}
|
||||
diff --git a/libpam/pam_private.h b/libpam/pam_private.h
|
||||
index 134dc72..d93283c 100644
|
||||
--- a/libpam/pam_private.h
|
||||
+++ b/libpam/pam_private.h
|
||||
@@ -55,6 +55,7 @@ struct handler {
|
||||
struct handler *next;
|
||||
char *mod_name;
|
||||
int stack_level;
|
||||
+ int grantor;
|
||||
};
|
||||
|
||||
#define PAM_HT_MODULE 0
|
||||
@@ -316,7 +317,7 @@ if ((pamh) == NULL) { \
|
||||
do { (pamh)->caller_is = _PAM_CALLED_FROM_APP; } while (0)
|
||||
|
||||
#ifdef HAVE_LIBAUDIT
|
||||
-extern int _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags);
|
||||
+extern int _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags, struct handler *h);
|
||||
extern int _pam_audit_end(pam_handle_t *pamh, int pam_status);
|
||||
#endif
|
||||
|
||||
diff --git a/libpam/pam_session.c b/libpam/pam_session.c
|
||||
index 512153f..cb393c1 100644
|
||||
--- a/libpam/pam_session.c
|
||||
+++ b/libpam/pam_session.c
|
||||
@@ -22,9 +22,6 @@ int pam_open_session(pam_handle_t *pamh, int flags)
|
||||
}
|
||||
retval = _pam_dispatch(pamh, flags, PAM_OPEN_SESSION);
|
||||
|
||||
-#ifdef HAVE_LIBAUDIT
|
||||
- retval = _pam_auditlog(pamh, PAM_OPEN_SESSION, retval, flags);
|
||||
-#endif
|
||||
return retval;
|
||||
}
|
||||
|
||||
@@ -43,10 +40,6 @@ int pam_close_session(pam_handle_t *pamh, int flags)
|
||||
|
||||
retval = _pam_dispatch(pamh, flags, PAM_CLOSE_SESSION);
|
||||
|
||||
-#ifdef HAVE_LIBAUDIT
|
||||
- retval = _pam_auditlog(pamh, PAM_CLOSE_SESSION, retval, flags);
|
||||
-#endif
|
||||
-
|
||||
return retval;
|
||||
|
||||
}
|
8
pam.spec
8
pam.spec
@ -3,7 +3,7 @@
|
||||
Summary: An extensible library which provides authentication for applications
|
||||
Name: pam
|
||||
Version: 1.1.8
|
||||
Release: 14%{?dist}
|
||||
Release: 15%{?dist}
|
||||
# The library is BSD licensed with option to relicense as GPLv2+
|
||||
# - this option is redundant as the BSD license allows that anyway.
|
||||
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
|
||||
@ -50,6 +50,7 @@ Patch35: pam-1.1.8-cve-2013-7041.patch
|
||||
Patch36: pam-1.1.8-cve-2014-2583.patch
|
||||
Patch37: pam-1.1.8-loginuid-container.patch
|
||||
Patch38: pam-1.1.8-opasswd-tolerant.patch
|
||||
Patch39: pam-1.1.8-audit-grantor.patch
|
||||
|
||||
%define _pamlibdir %{_libdir}
|
||||
%define _moduledir %{_libdir}/security
|
||||
@ -134,6 +135,7 @@ cp %{SOURCE18} .
|
||||
%patch36 -p1 -b .timestamp-ruser
|
||||
%patch37 -p1 -b .container
|
||||
%patch38 -p1 -b .opasswd-tolerant
|
||||
%patch39 -p1 -b .grantor
|
||||
|
||||
%build
|
||||
autoreconf -i
|
||||
@ -384,6 +386,10 @@ fi
|
||||
%doc doc/adg/*.txt doc/adg/html
|
||||
|
||||
%changelog
|
||||
* Wed Aug 13 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.8-15
|
||||
- audit the module names that granted access
|
||||
- pam_faillock: update to latest version
|
||||
|
||||
* Wed Jul 30 2014 Tom Callaway <spot@fedoraproject.org> - 1.1.8-14
|
||||
- fix license handling
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user