Written-by: Miloslav Trmac Reviewed-by: Tomas Mraz diff -up Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml.tty-audit2 Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml --- Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml.tty-audit2 2008-01-02 11:28:26.000000000 +0100 +++ Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml 2008-01-02 11:29:55.000000000 +0100 @@ -19,10 +19,10 @@ pam_tty_audit.so - disable=usernames + disable=patterns - enable=usernames + enable=patterns @@ -40,27 +40,40 @@ - + - For each user matching one of comma-separated - , disable - TTY auditing. This overrides any older - option for the same user name. + For each user matching one of comma-separated glob + , disable + TTY auditing. This overrides any previous + option matchin the same user name on the command line. - + - For each user matching one of comma-separated - , enable - TTY auditing. This overrides any older - option for the same user name. + For each user matching one of comma-separated glob + , enable + TTY auditing. This overrides any previous + option matching the same user name on the command line. + + + + + + + + + + Set the TTY audit flag when opening the session, but do not restore + it when closing the session. Using this option is necessary for + some services that don't fork() to run the + authenticated session, such as sudo. @@ -99,17 +112,24 @@ + + NOTES + + When TTY auditing is enabled, it is inherited by all processes started by + that user. In particular, daemons restarted by an user will still have + TTY auditing enabled, and audit TTY input even by other users unless + auditing for these users is explicitly disabled. Therefore, it is + recommended to use as the first option for + most daemons using PAM. + + + EXAMPLES Audit all administrative actions. -login root required pam_tty_audit.so enable=root -su root required pam_tty_audit.so enable=root -su-l root required pam_tty_audit.so enable=root -sudo root required pam_tty_audit.so enable=root -sudo-l root required pam_tty_audit.so enable=root -sshd root required pam_tty_audit.so enable=root +session required pam_tty_audit.so disable=* enable=root diff -up Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml.tty-audit2 Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml --- Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml.tty-audit2 2008-01-02 11:28:26.000000000 +0100 +++ Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml 2008-01-02 11:28:26.000000000 +0100 @@ -25,6 +25,11 @@
+
+ +
+
diff -up Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c.tty-audit2 Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c --- Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c.tty-audit2 2008-01-02 11:28:26.000000000 +0100 +++ Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c 2008-01-02 11:28:26.000000000 +0100 @@ -1,4 +1,4 @@ -/* Copyright © 2007 Red Hat, Inc. All rights reserved. +/* Copyright © 2007, 2008 Red Hat, Inc. All rights reserved. Red Hat author: Miloslav Trmač Redistribution and use in source and binary forms of Linux-PAM, with @@ -37,7 +37,7 @@ DAMAGE. */ #include -#include +#include #include #include #include @@ -197,9 +197,7 @@ pam_sm_open_session (pam_handle_t *pamh, enum command command; struct audit_tty_status *old_status, new_status; const char *user; - uid_t user_uid; - struct passwd *pwd; - int i, fd; + int i, fd, open_only; (void)flags; @@ -208,15 +206,9 @@ pam_sm_open_session (pam_handle_t *pamh, pam_syslog (pamh, LOG_ERR, "error determining target user's name"); return PAM_SESSION_ERR; } - pwd = pam_modutil_getpwnam (pamh, user); - if (pwd == NULL) - { - pam_syslog (pamh, LOG_ERR, "error determining target user's UID: %m"); - return PAM_SESSION_ERR; - } - user_uid = pwd->pw_uid; command = CMD_NONE; + open_only = 0; for (i = 0; i < argc; i++) { if (strncmp (argv[i], "enable=", 7) == 0 @@ -232,13 +224,7 @@ pam_sm_open_session (pam_handle_t *pamh, for (tok = strtok_r (copy, ",", &tok_data); tok != NULL; tok = strtok_r (NULL, ",", &tok_data)) { - pwd = pam_modutil_getpwnam (pamh, tok); - if (pwd == NULL) - { - pam_syslog (pamh, LOG_WARNING, "unknown user %s", tok); - continue; - } - if (pwd->pw_uid == user_uid) + if (fnmatch (tok, user, 0) == 0) { command = this_command; break; @@ -246,6 +232,13 @@ pam_sm_open_session (pam_handle_t *pamh, } free (copy); } + else if (strcmp (argv[i], "open_only") == 0) + open_only = 1; + else + { + pam_syslog (pamh, LOG_ERR, "unknown option `%s'", argv[i]); + return PAM_SESSION_ERR; + } } if (command == CMD_NONE) return PAM_SUCCESS; @@ -266,13 +259,15 @@ pam_sm_open_session (pam_handle_t *pamh, return PAM_SESSION_ERR; } - if (old_status->enabled == (command == CMD_ENABLE ? 1 : 0)) + new_status.enabled = (command == CMD_ENABLE ? 1 : 0); + if (old_status->enabled == new_status.enabled) { free (old_status); goto ok_fd; } - if (pam_set_data (pamh, DATANAME, old_status, cleanup_old_status) + if (open_only == 0 + && pam_set_data (pamh, DATANAME, old_status, cleanup_old_status) != PAM_SUCCESS) { pam_syslog (pamh, LOG_ERR, "error saving old audit status"); @@ -281,13 +276,14 @@ pam_sm_open_session (pam_handle_t *pamh, return PAM_SESSION_ERR; } - new_status.enabled = (command == CMD_ENABLE ? 1 : 0); if (nl_send (fd, AUDIT_TTY_SET, NLM_F_ACK, &new_status, sizeof (new_status)) != 0 || nl_recv_ack (fd) != 0) { pam_syslog (pamh, LOG_ERR, "error setting current audit status: %m"); close (fd); + if (open_only != 0) + free (old_status); return PAM_SESSION_ERR; } /* Fall through */ @@ -295,6 +291,8 @@ pam_sm_open_session (pam_handle_t *pamh, close (fd); pam_syslog (pamh, LOG_DEBUG, "changed status from %d to %d", old_status->enabled, new_status.enabled); + if (open_only != 0) + free (old_status); return PAM_SUCCESS; }