- wildcard match support in pam_tty_audit (by Miloslav Trmač)

This commit is contained in:
Tomáš Mráz 2008-01-02 10:42:27 +00:00
parent a36aa37b04
commit b99939ffb4
2 changed files with 239 additions and 1 deletions

View File

@ -0,0 +1,233 @@
Written-by: Miloslav Trmac <mitr@redhat.com>
Reviewed-by: Tomas Mraz <tmraz@redhat.com>
diff -up Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml.tty-audit2 Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml
--- Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml.tty-audit2 2008-01-02 11:28:26.000000000 +0100
+++ Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml 2008-01-02 11:29:55.000000000 +0100
@@ -19,10 +19,10 @@
<cmdsynopsis id="pam_tty_audit-cmdsynopsis">
<command>pam_tty_audit.so</command>
<arg choice="opt">
- disable=<replaceable>usernames</replaceable>
+ disable=<replaceable>patterns</replaceable>
</arg>
<arg choice="opt">
- enable=<replaceable>usernames</replaceable>
+ enable=<replaceable>patterns</replaceable>
</arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -40,27 +40,40 @@
<variablelist>
<varlistentry>
<term>
- <option>disable=<replaceable>usernames</replaceable></option>
+ <option>disable=<replaceable>patterns</replaceable></option>
</term>
<listitem>
<para>
- For each user matching one of comma-separated
- <option><replaceable>usernames</replaceable></option>, disable
- TTY auditing. This overrides any older <option>enable</option>
- option for the same user name.
+ For each user matching one of comma-separated glob
+ <option><replaceable>patterns</replaceable></option>, disable
+ TTY auditing. This overrides any previous <option>enable</option>
+ option matchin the same user name on the command line.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
- <option>enable=<replaceable>usernames</replaceable></option>
+ <option>enable=<replaceable>patterns</replaceable></option>
</term>
<listitem>
<para>
- For each user matching one of comma-separated
- <option><replaceable>usernames</replaceable></option>, enable
- TTY auditing. This overrides any older <option>disable</option>
- option for the same user name.
+ For each user matching one of comma-separated glob
+ <option><replaceable>patterns</replaceable></option>, enable
+ TTY auditing. This overrides any previous <option>disable</option>
+ option matching the same user name on the command line.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>open_only</option>
+ </term>
+ <listitem>
+ <para>
+ Set the TTY audit flag when opening the session, but do not restore
+ it when closing the session. Using this option is necessary for
+ some services that don't <function>fork()</function> to run the
+ authenticated session, such as <command>sudo</command>.
</para>
</listitem>
</varlistentry>
@@ -99,17 +112,24 @@
</variablelist>
</refsect1>
+ <refsect1 id='pam_tty_audit-notes'>
+ <title>NOTES</title>
+ <para>
+ When TTY auditing is enabled, it is inherited by all processes started by
+ that user. In particular, daemons restarted by an user will still have
+ TTY auditing enabled, and audit TTY input even by other users unless
+ auditing for these users is explicitly disabled. Therefore, it is
+ recommended to use <option>disable=*</option> as the first option for
+ most daemons using PAM.
+ </para>
+ </refsect1>
+
<refsect1 id='pam_tty_audit-examples'>
<title>EXAMPLES</title>
<para>
Audit all administrative actions.
<programlisting>
-login root required pam_tty_audit.so enable=root
-su root required pam_tty_audit.so enable=root
-su-l root required pam_tty_audit.so enable=root
-sudo root required pam_tty_audit.so enable=root
-sudo-l root required pam_tty_audit.so enable=root
-sshd root required pam_tty_audit.so enable=root
+session required pam_tty_audit.so disable=* enable=root
</programlisting>
</para>
</refsect1>
diff -up Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml.tty-audit2 Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml
--- Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml.tty-audit2 2008-01-02 11:28:26.000000000 +0100
+++ Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml 2008-01-02 11:28:26.000000000 +0100
@@ -25,6 +25,11 @@
<section>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-notes"]/*)'/>
+ </section>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-examples"]/*)'/>
</section>
diff -up Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c.tty-audit2 Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c
--- Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c.tty-audit2 2008-01-02 11:28:26.000000000 +0100
+++ Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c 2008-01-02 11:28:26.000000000 +0100
@@ -1,4 +1,4 @@
-/* Copyright © 2007 Red Hat, Inc. All rights reserved.
+/* Copyright © 2007, 2008 Red Hat, Inc. All rights reserved.
Red Hat author: Miloslav Trmač <mitr@redhat.com>
Redistribution and use in source and binary forms of Linux-PAM, with
@@ -37,7 +37,7 @@
DAMAGE. */
#include <errno.h>
-#include <pwd.h>
+#include <fnmatch.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
@@ -197,9 +197,7 @@ pam_sm_open_session (pam_handle_t *pamh,
enum command command;
struct audit_tty_status *old_status, new_status;
const char *user;
- uid_t user_uid;
- struct passwd *pwd;
- int i, fd;
+ int i, fd, open_only;
(void)flags;
@@ -208,15 +206,9 @@ pam_sm_open_session (pam_handle_t *pamh,
pam_syslog (pamh, LOG_ERR, "error determining target user's name");
return PAM_SESSION_ERR;
}
- pwd = pam_modutil_getpwnam (pamh, user);
- if (pwd == NULL)
- {
- pam_syslog (pamh, LOG_ERR, "error determining target user's UID: %m");
- return PAM_SESSION_ERR;
- }
- user_uid = pwd->pw_uid;
command = CMD_NONE;
+ open_only = 0;
for (i = 0; i < argc; i++)
{
if (strncmp (argv[i], "enable=", 7) == 0
@@ -232,13 +224,7 @@ pam_sm_open_session (pam_handle_t *pamh,
for (tok = strtok_r (copy, ",", &tok_data); tok != NULL;
tok = strtok_r (NULL, ",", &tok_data))
{
- pwd = pam_modutil_getpwnam (pamh, tok);
- if (pwd == NULL)
- {
- pam_syslog (pamh, LOG_WARNING, "unknown user %s", tok);
- continue;
- }
- if (pwd->pw_uid == user_uid)
+ if (fnmatch (tok, user, 0) == 0)
{
command = this_command;
break;
@@ -246,6 +232,13 @@ pam_sm_open_session (pam_handle_t *pamh,
}
free (copy);
}
+ else if (strcmp (argv[i], "open_only") == 0)
+ open_only = 1;
+ else
+ {
+ pam_syslog (pamh, LOG_ERR, "unknown option `%s'", argv[i]);
+ return PAM_SESSION_ERR;
+ }
}
if (command == CMD_NONE)
return PAM_SUCCESS;
@@ -266,13 +259,15 @@ pam_sm_open_session (pam_handle_t *pamh,
return PAM_SESSION_ERR;
}
- if (old_status->enabled == (command == CMD_ENABLE ? 1 : 0))
+ new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
+ if (old_status->enabled == new_status.enabled)
{
free (old_status);
goto ok_fd;
}
- if (pam_set_data (pamh, DATANAME, old_status, cleanup_old_status)
+ if (open_only == 0
+ && pam_set_data (pamh, DATANAME, old_status, cleanup_old_status)
!= PAM_SUCCESS)
{
pam_syslog (pamh, LOG_ERR, "error saving old audit status");
@@ -281,13 +276,14 @@ pam_sm_open_session (pam_handle_t *pamh,
return PAM_SESSION_ERR;
}
- new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
if (nl_send (fd, AUDIT_TTY_SET, NLM_F_ACK, &new_status,
sizeof (new_status)) != 0
|| nl_recv_ack (fd) != 0)
{
pam_syslog (pamh, LOG_ERR, "error setting current audit status: %m");
close (fd);
+ if (open_only != 0)
+ free (old_status);
return PAM_SESSION_ERR;
}
/* Fall through */
@@ -295,6 +291,8 @@ pam_sm_open_session (pam_handle_t *pamh,
close (fd);
pam_syslog (pamh, LOG_DEBUG, "changed status from %d to %d",
old_status->enabled, new_status.enabled);
+ if (open_only != 0)
+ free (old_status);
return PAM_SUCCESS;
}

View File

@ -11,7 +11,7 @@
Summary: A security tool which provides authentication for applications
Name: pam
Version: 0.99.8.1
Release: 12%{?dist}
Release: 13%{?dist}
# The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
# as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
# pam_rhosts_auth module is BSD with advertising
@ -46,6 +46,7 @@ Patch46: pam-0.99.8.1-succif-in-operator.patch
Patch47: pam-0.99.8.1-xauth-no-free.patch
Patch48: pam-0.99.8.1-substack.patch
Patch49: pam-0.99.8.1-tty-audit.patch
Patch50: pam-0.99.8.1-tty-audit2.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: cracklib, cracklib-dicts >= 2.8
@ -119,6 +120,7 @@ popd
%patch47 -p1 -b .no-free
%patch48 -p0 -b .substack
%patch49 -p1 -b .tty-audit
%patch50 -p1 -b .tty-audit2
autoreconf
@ -412,6 +414,9 @@ fi
%doc doc/adg/*.txt doc/adg/html
%changelog
* Wed Jan 2 2008 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-13
- wildcard match support in pam_tty_audit (by Miloslav Trmač)
* Thu Nov 29 2007 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-12
- add pam_tty_audit module (#244352) - written by Miloslav Trmač