- wildcard match support in pam_tty_audit (by Miloslav Trmač)

pam-0.99.8.1-tty-audit2.patch

@@ -0,0 +1,233 @@
+Written-by: Miloslav Trmac <mitr@redhat.com>
+Reviewed-by: Tomas Mraz <tmraz@redhat.com>
+diff -up Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml.tty-audit2 Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml
+--- Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml.tty-audit2	2008-01-02 11:28:26.000000000 +0100
++++ Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml	2008-01-02 11:29:55.000000000 +0100
+@@ -19,10 +19,10 @@
+     <cmdsynopsis id="pam_tty_audit-cmdsynopsis">
+       <command>pam_tty_audit.so</command>
+       <arg choice="opt">
+-	disable=<replaceable>usernames</replaceable>
++	disable=<replaceable>patterns</replaceable>
+       </arg>
+       <arg choice="opt">
+-	enable=<replaceable>usernames</replaceable>
++	enable=<replaceable>patterns</replaceable>
+       </arg>
+     </cmdsynopsis>
+   </refsynopsisdiv>
+@@ -40,27 +40,40 @@
+     <variablelist>
+       <varlistentry>
+         <term>
+-          <option>disable=<replaceable>usernames</replaceable></option>
++          <option>disable=<replaceable>patterns</replaceable></option>
+         </term>
+         <listitem>
+           <para>
+-	    For each user matching one of comma-separated
+-	    <option><replaceable>usernames</replaceable></option>, disable
+-	    TTY auditing.  This overrides any older <option>enable</option>
+-	    option for the same user name.
++	    For each user matching one of comma-separated glob
++	    <option><replaceable>patterns</replaceable></option>, disable
++	    TTY auditing.  This overrides any previous <option>enable</option>
++	    option matchin the same user name on the command line.
+           </para>
+         </listitem>
+       </varlistentry>
+       <varlistentry>
+         <term>
+-          <option>enable=<replaceable>usernames</replaceable></option>
++          <option>enable=<replaceable>patterns</replaceable></option>
+         </term>
+         <listitem>
+           <para>
+-	    For each user matching one of comma-separated
+-	    <option><replaceable>usernames</replaceable></option>, enable
+-	    TTY auditing.  This overrides any older <option>disable</option>
+-	    option for the same user name.
++	    For each user matching one of comma-separated glob
++	    <option><replaceable>patterns</replaceable></option>, enable
++	    TTY auditing.  This overrides any previous <option>disable</option>
++	    option matching the same user name on the command line.
++          </para>
++        </listitem>
++      </varlistentry>
++      <varlistentry>
++        <term>
++          <option>open_only</option>
++        </term>
++        <listitem>
++          <para>
++           Set the TTY audit flag when opening the session, but do not restore
++           it when closing the session.  Using this option is necessary for
++           some services that don't <function>fork()</function> to run the
++           authenticated session, such as <command>sudo</command>.
+           </para>
+         </listitem>
+       </varlistentry>
+@@ -99,17 +112,24 @@
+     </variablelist>
+   </refsect1>
+ 
++  <refsect1 id='pam_tty_audit-notes'>
++    <title>NOTES</title>
++    <para>
++      When TTY auditing is enabled, it is inherited by all processes started by
++      that user.  In particular, daemons restarted by an user will still have
++      TTY auditing enabled, and audit TTY input even by other users unless
++      auditing for these users is explicitly disabled.  Therefore, it is
++      recommended to use <option>disable=*</option> as the first option for
++      most daemons using PAM.
++    </para>
++  </refsect1>
++
+   <refsect1 id='pam_tty_audit-examples'>
+     <title>EXAMPLES</title>
+     <para>
+       Audit all administrative actions.
+       <programlisting>
+-login   root     required       pam_tty_audit.so enable=root
+-su      root     required       pam_tty_audit.so enable=root
+-su-l    root     required       pam_tty_audit.so enable=root
+-sudo    root     required       pam_tty_audit.so enable=root
+-sudo-l  root     required       pam_tty_audit.so enable=root
+-sshd    root     required       pam_tty_audit.so enable=root
++session	required pam_tty_audit.so disable=* enable=root
+       </programlisting>
+     </para>
+   </refsect1>
+diff -up Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml.tty-audit2 Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml
+--- Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml.tty-audit2	2008-01-02 11:28:26.000000000 +0100
++++ Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml	2008-01-02 11:28:26.000000000 +0100
+@@ -25,6 +25,11 @@
+ 
+   <section>
+     <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
++      href="pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-notes"]/*)'/>
++  </section>
++
++  <section>
++    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+       href="pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-examples"]/*)'/>
+   </section>
+ 
+diff -up Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c.tty-audit2 Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c
+--- Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c.tty-audit2	2008-01-02 11:28:26.000000000 +0100
++++ Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c	2008-01-02 11:28:26.000000000 +0100
+@@ -1,4 +1,4 @@
+-/* Copyright © 2007 Red Hat, Inc. All rights reserved.
++/* Copyright © 2007, 2008 Red Hat, Inc. All rights reserved.
+    Red Hat author: Miloslav Trmač <mitr@redhat.com>
+ 
+    Redistribution and use in source and binary forms of Linux-PAM, with
+@@ -37,7 +37,7 @@
+    DAMAGE. */
+ 
+ #include <errno.h>
+-#include <pwd.h>
++#include <fnmatch.h>
+ #include <stdlib.h>
+ #include <string.h>
+ #include <syslog.h>
+@@ -197,9 +197,7 @@ pam_sm_open_session (pam_handle_t *pamh,
+   enum command command;
+   struct audit_tty_status *old_status, new_status;
+   const char *user;
+-  uid_t user_uid;
+-  struct passwd *pwd;
+-  int i, fd;
++  int i, fd, open_only;
+ 
+   (void)flags;
+ 
+@@ -208,15 +206,9 @@ pam_sm_open_session (pam_handle_t *pamh,
+       pam_syslog (pamh, LOG_ERR, "error determining target user's name");
+       return PAM_SESSION_ERR;
+     }
+-  pwd = pam_modutil_getpwnam (pamh, user);
+-  if (pwd == NULL)
+-    {
+-      pam_syslog (pamh, LOG_ERR, "error determining target user's UID: %m");
+-      return PAM_SESSION_ERR;
+-    }
+-  user_uid = pwd->pw_uid;
+ 
+   command = CMD_NONE;
++  open_only = 0;
+   for (i = 0; i < argc; i++)
+     {
+       if (strncmp (argv[i], "enable=", 7) == 0
+@@ -232,13 +224,7 @@ pam_sm_open_session (pam_handle_t *pamh,
+ 	  for (tok = strtok_r (copy, ",", &tok_data); tok != NULL;
+ 	       tok = strtok_r (NULL, ",", &tok_data))
+ 	    {
+-	      pwd = pam_modutil_getpwnam (pamh, tok);
+-	      if (pwd == NULL)
+-		{
+-		  pam_syslog (pamh, LOG_WARNING, "unknown user %s", tok);
+-		  continue;
+-		}
+-	      if (pwd->pw_uid == user_uid)
++	      if (fnmatch (tok, user, 0) == 0)
+ 		{
+ 		  command = this_command;
+ 		  break;
+@@ -246,6 +232,13 @@ pam_sm_open_session (pam_handle_t *pamh,
+ 	    }
+ 	  free (copy);
+ 	}
++      else if (strcmp (argv[i], "open_only") == 0)
++	open_only = 1;
++      else
++	{
++	  pam_syslog (pamh, LOG_ERR, "unknown option `%s'", argv[i]);
++	  return PAM_SESSION_ERR;
++	}
+     }
+   if (command == CMD_NONE)
+     return PAM_SUCCESS;
+@@ -266,13 +259,15 @@ pam_sm_open_session (pam_handle_t *pamh,
+       return PAM_SESSION_ERR;
+     }
+ 
+-  if (old_status->enabled == (command == CMD_ENABLE ? 1 : 0))
++  new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
++  if (old_status->enabled == new_status.enabled)
+     {
+       free (old_status);
+       goto ok_fd;
+     }
+ 
+-  if (pam_set_data (pamh, DATANAME, old_status, cleanup_old_status)
++  if (open_only == 0
++      && pam_set_data (pamh, DATANAME, old_status, cleanup_old_status)
+       != PAM_SUCCESS)
+     {
+       pam_syslog (pamh, LOG_ERR, "error saving old audit status");
+@@ -281,13 +276,14 @@ pam_sm_open_session (pam_handle_t *pamh,
+       return PAM_SESSION_ERR;
+     }
+ 
+-  new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
+   if (nl_send (fd, AUDIT_TTY_SET, NLM_F_ACK, &new_status,
+ 	       sizeof (new_status)) != 0
+       || nl_recv_ack (fd) != 0)
+     {
+       pam_syslog (pamh, LOG_ERR, "error setting current audit status: %m");
+       close (fd);
++      if (open_only != 0)
++	free (old_status);
+       return PAM_SESSION_ERR;
+     }
+   /* Fall through */
+@@ -295,6 +291,8 @@ pam_sm_open_session (pam_handle_t *pamh,
+   close (fd);
+   pam_syslog (pamh, LOG_DEBUG, "changed status from %d to %d",
+ 	      old_status->enabled, new_status.enabled);
++  if (open_only != 0)
++    free (old_status);
+   return PAM_SUCCESS;
+ }
+ 

pam.spec

@@ -11,7 +11,7 @@
 Summary: A security tool which provides authentication for applications
 Name: pam
 Version: 0.99.8.1
-Release: 12%{?dist}
+Release: 13%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
 # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
 # pam_rhosts_auth module is BSD with advertising
@@ -46,6 +46,7 @@ Patch46: pam-0.99.8.1-succif-in-operator.patch
 Patch47: pam-0.99.8.1-xauth-no-free.patch
 Patch48: pam-0.99.8.1-substack.patch
 Patch49: pam-0.99.8.1-tty-audit.patch
+Patch50: pam-0.99.8.1-tty-audit2.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: cracklib, cracklib-dicts >= 2.8
@@ -119,6 +120,7 @@ popd
 %patch47 -p1 -b .no-free
 %patch48 -p0 -b .substack
 %patch49 -p1 -b .tty-audit
+%patch50 -p1 -b .tty-audit2
 
 autoreconf
 
@@ -412,6 +414,9 @@ fi
 %doc doc/adg/*.txt doc/adg/html
 
 %changelog
+* Wed Jan  2 2008 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-13
+- wildcard match support in pam_tty_audit (by Miloslav Trmač)
+
 * Thu Nov 29 2007 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-12
 - add pam_tty_audit module (#244352) - written by Miloslav Trmač