- wildcard match support in pam_tty_audit (by Miloslav Trmač)
This commit is contained in:
parent
a36aa37b04
commit
b99939ffb4
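--- /dev/null
+++ b/pam-0.99.8.1-tty-audit2.patch
@@ -0,0 +1,233 @@
+Written-by: Miloslav Trmac <mitr@redhat.com>
+Reviewed-by: Tomas Mraz <tmraz@redhat.com>
+diff -up Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml.tty-audit2 Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml
+--- Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml.tty-audit2 2008-01-02 11:28:26.000000000 +0100
++++ Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml 2008-01-02 11:29:55.000000000 +0100
+@@ -19,10 +19,10 @@
+<cmdsynopsis id="pam_tty_audit-cmdsynopsis">
+<command>pam_tty_audit.so</command>
+<arg choice="opt">
+- disable=<replaceable>usernames</replaceable>
++ disable=<replaceable>patterns</replaceable>
+</arg>
+<arg choice="opt">
+- enable=<replaceable>usernames</replaceable>
++ enable=<replaceable>patterns</replaceable>
+</arg>
+</cmdsynopsis>
+</refsynopsisdiv>
+@@ -40,27 +40,40 @@
+<variablelist>
+<varlistentry>
+<term>
+- <option>disable=<replaceable>usernames</replaceable></option>
++ <option>disable=<replaceable>patterns</replaceable></option>
+</term>
+<listitem>
+<para>
+- For each user matching one of comma-separated
+- <option><replaceable>usernames</replaceable></option>, disable
+- TTY auditing. This overrides any older <option>enable</option>
+- option for the same user name.
++ For each user matching one of comma-separated glob
++ <option><replaceable>patterns</replaceable></option>, disable
++ TTY auditing. This overrides any previous <option>enable</option>
++ option matchin the same user name on the command line.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term>
+- <option>enable=<replaceable>usernames</replaceable></option>
++ <option>enable=<replaceable>patterns</replaceable></option>
+</term>
+<listitem>
+<para>
+- For each user matching one of comma-separated
+- <option><replaceable>usernames</replaceable></option>, enable
+- TTY auditing. This overrides any older <option>disable</option>
+- option for the same user name.
++ For each user matching one of comma-separated glob
++ <option><replaceable>patterns</replaceable></option>, enable
++ TTY auditing. This overrides any previous <option>disable</option>
++ option matching the same user name on the command line.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>open_only</option>
++ </term>
++ <listitem>
++ <para>
++ Set the TTY audit flag when opening the session, but do not restore
++ it when closing the session. Using this option is necessary for
++ some services that don't <function>fork()</function> to run the
++ authenticated session, such as <command>sudo</command>.
+</para>
+</listitem>
+</varlistentry>
+@@ -99,17 +112,24 @@
+</variablelist>
+</refsect1>
+
++ <refsect1 id='pam_tty_audit-notes'>
++ <title>NOTES</title>
++ <para>
++ When TTY auditing is enabled, it is inherited by all processes started by
++ that user. In particular, daemons restarted by an user will still have
++ TTY auditing enabled, and audit TTY input even by other users unless
++ auditing for these users is explicitly disabled. Therefore, it is
++ recommended to use <option>disable=*</option> as the first option for
++ most daemons using PAM.
++ </para>
++ </refsect1>
++
+<refsect1 id='pam_tty_audit-examples'>
+<title>EXAMPLES</title>
+<para>
+Audit all administrative actions.
+<programlisting>
+-login root required pam_tty_audit.so enable=root
+-su root required pam_tty_audit.so enable=root
+-su-l root required pam_tty_audit.so enable=root
+-sudo root required pam_tty_audit.so enable=root
+-sudo-l root required pam_tty_audit.so enable=root
+-sshd root required pam_tty_audit.so enable=root
++session required pam_tty_audit.so disable=* enable=root
+</programlisting>
+</para>
+</refsect1>
+diff -up Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml.tty-audit2 Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml
+--- Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml.tty-audit2 2008-01-02 11:28:26.000000000 +0100
++++ Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml 2008-01-02 11:28:26.000000000 +0100
+@@ -25,6 +25,11 @@
+
+<section>
+<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
++ href="pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-notes"]/*)'/>
++ </section>
++
++ <section>
++ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+href="pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-examples"]/*)'/>
+</section>
+
+diff -up Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c.tty-audit2 Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c
+--- Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c.tty-audit2 2008-01-02 11:28:26.000000000 +0100
++++ Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c 2008-01-02 11:28:26.000000000 +0100
+@@ -1,4 +1,4 @@
+-/* Copyright © 2007 Red Hat, Inc. All rights reserved.
++/* Copyright © 2007, 2008 Red Hat, Inc. All rights reserved.
+Red Hat author: Miloslav Trmač <mitr@redhat.com>
+
+Redistribution and use in source and binary forms of Linux-PAM, with
+@@ -37,7 +37,7 @@
+DAMAGE. */
+
+#include <errno.h>
+-#include <pwd.h>
++#include <fnmatch.h>
+#include <stdlib.h>
+#include <string.h>
+#include <syslog.h>
+@@ -197,9 +197,7 @@ pam_sm_open_session (pam_handle_t *pamh,
+enum command command;
+struct audit_tty_status *old_status, new_status;
+const char *user;
+- uid_t user_uid;
+- struct passwd *pwd;
+- int i, fd;
++ int i, fd, open_only;
+
+(void)flags;
+
+@@ -208,15 +206,9 @@ pam_sm_open_session (pam_handle_t *pamh,
+pam_syslog (pamh, LOG_ERR, "error determining target user's name");
+return PAM_SESSION_ERR;
+}
+- pwd = pam_modutil_getpwnam (pamh, user);
+- if (pwd == NULL)
+- {
+- pam_syslog (pamh, LOG_ERR, "error determining target user's UID: %m");
+- return PAM_SESSION_ERR;
+- }
+- user_uid = pwd->pw_uid;
+
+command = CMD_NONE;
++ open_only = 0;
+for (i = 0; i < argc; i++)
+{
+if (strncmp (argv[i], "enable=", 7) == 0
+@@ -232,13 +224,7 @@ pam_sm_open_session (pam_handle_t *pamh,
+for (tok = strtok_r (copy, ",", &tok_data); tok != NULL;
+tok = strtok_r (NULL, ",", &tok_data))
+{
+- pwd = pam_modutil_getpwnam (pamh, tok);
+- if (pwd == NULL)
+- {
+- pam_syslog (pamh, LOG_WARNING, "unknown user %s", tok);
+- continue;
+- }
+- if (pwd->pw_uid == user_uid)
++ if (fnmatch (tok, user, 0) == 0)
+{
+command = this_command;
+break;
+@@ -246,6 +232,13 @@ pam_sm_open_session (pam_handle_t *pamh,
+}
+free (copy);
+}
++ else if (strcmp (argv[i], "open_only") == 0)
++ open_only = 1;
++ else
++ {
++ pam_syslog (pamh, LOG_ERR, "unknown option `%s'", argv[i]);
++ return PAM_SESSION_ERR;
++ }
+}
+if (command == CMD_NONE)
+return PAM_SUCCESS;
+@@ -266,13 +259,15 @@ pam_sm_open_session (pam_handle_t *pamh,
+return PAM_SESSION_ERR;
+}
+
+- if (old_status->enabled == (command == CMD_ENABLE ? 1 : 0))
++ new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
++ if (old_status->enabled == new_status.enabled)
+{
+free (old_status);
+goto ok_fd;
+}
+
+- if (pam_set_data (pamh, DATANAME, old_status, cleanup_old_status)
++ if (open_only == 0
++ && pam_set_data (pamh, DATANAME, old_status, cleanup_old_status)
+!= PAM_SUCCESS)
+{
+pam_syslog (pamh, LOG_ERR, "error saving old audit status");
+@@ -281,13 +276,14 @@ pam_sm_open_session (pam_handle_t *pamh,
+return PAM_SESSION_ERR;
+}
+
+- new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
+if (nl_send (fd, AUDIT_TTY_SET, NLM_F_ACK, &new_status,
+sizeof (new_status)) != 0
+|| nl_recv_ack (fd) != 0)
+{
+pam_syslog (pamh, LOG_ERR, "error setting current audit status: %m");
+close (fd);
++ if (open_only != 0)
++ free (old_status);
+return PAM_SESSION_ERR;
+}
+/* Fall through */
+@@ -295,6 +291,8 @@ pam_sm_open_session (pam_handle_t *pamh,
+close (fd);
+pam_syslog (pamh, LOG_DEBUG, "changed status from %d to %d",
+old_status->enabled, new_status.enabled);
++ if (open_only != 0)
++ free (old_status);
+return PAM_SUCCESS;
+}
+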
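Review bot: The status-unchanged branch in the `@@ -266,13 +259,15 @@` hunk still does `free (old_status); goto ok_fd;`, and the `ok_fd` path in the last hunk then reads `old_status->enabled` in the LOG_DEBUG pam_syslog before the newly added `if (open_only != 0) free (old_status);`, so that path reads freed memory and the new cleanup does not cover it (the `ok_fd:` label itself falls between the two hunks, so its exact placement is inferred). Since the new open_only flag already means "old_status was not handed to pam_set_data, free it at the end", the unchanged branch can reuse it instead of freeing early: replace `free (old_status); goto ok_fd;` with `open_only = 1; /* nothing was saved via pam_set_data; freed at ok_fd */` followed by `goto ok_fd;`, which keeps close_session unaffected because pam_set_data is never reached on that path anyway. Separately, the new `else` branch makes any unrecognised option fail the session with PAM_SESSION_ERR, which for a `required` session line means a config typo blocks logins; that is fail-closed and probably intended, but deserves a sentence in the man page next to open_only. The man-page text in the first hunk also has `matchin` for `matching`, and the NOTES paragraph `an user` for `a user`. pam_sm_open_session starts and ends outside these hunks.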
7
pam.spec
7
pam.spec
@ -11,7 +11,7 @@
|
|||||||
Summary: A security tool which provides authentication for applications
|
Summary: A security tool which provides authentication for applications
|
||||||
Name: pam
|
Name: pam
|
||||||
Version: 0.99.8.1
|
Version: 0.99.8.1
|
||||||
Release: 12%{?dist}
|
Release: 13%{?dist}
|
||||||
# The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
|
# The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
|
||||||
# as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
|
# as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
|
||||||
# pam_rhosts_auth module is BSD with advertising
|
# pam_rhosts_auth module is BSD with advertising
|
||||||
@ -46,6 +46,7 @@ Patch46: pam-0.99.8.1-succif-in-operator.patch
|
|||||||
Patch47: pam-0.99.8.1-xauth-no-free.patch
|
Patch47: pam-0.99.8.1-xauth-no-free.patch
|
||||||
Patch48: pam-0.99.8.1-substack.patch
|
Patch48: pam-0.99.8.1-substack.patch
|
||||||
Patch49: pam-0.99.8.1-tty-audit.patch
|
Patch49: pam-0.99.8.1-tty-audit.patch
|
||||||
|
Patch50: pam-0.99.8.1-tty-audit2.patch
|
||||||
|
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||||
Requires: cracklib, cracklib-dicts >= 2.8
|
Requires: cracklib, cracklib-dicts >= 2.8
|
||||||
@ -119,6 +120,7 @@ popd
|
|||||||
%patch47 -p1 -b .no-free
|
%patch47 -p1 -b .no-free
|
||||||
%patch48 -p0 -b .substack
|
%patch48 -p0 -b .substack
|
||||||
%patch49 -p1 -b .tty-audit
|
%patch49 -p1 -b .tty-audit
|
||||||
|
%patch50 -p1 -b .tty-audit2
|
||||||
|
|
||||||
autoreconf
|
autoreconf
|
||||||
|
|
||||||
@ -412,6 +414,9 @@ fi
|
|||||||
%doc doc/adg/*.txt doc/adg/html
|
%doc doc/adg/*.txt doc/adg/html
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jan 2 2008 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-13
|
||||||
|
- wildcard match support in pam_tty_audit (by Miloslav Trmač)
|
||||||
|
|
||||||
* Thu Nov 29 2007 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-12
|
* Thu Nov 29 2007 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-12
|
||||||
- add pam_tty_audit module (#244352) - written by Miloslav Trmač
|
- add pam_tty_audit module (#244352) - written by Miloslav Trmač
|
||||||
|
|
||||||
|