234 lines
8.4 KiB
Diff
234 lines
8.4 KiB
Diff
Written-by: Miloslav Trmac <mitr@redhat.com>
|
|
Reviewed-by: Tomas Mraz <tmraz@redhat.com>
|
|
diff -up Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml.tty-audit2 Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml
|
|
--- Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml.tty-audit2 2008-01-02 11:28:26.000000000 +0100
|
|
+++ Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml 2008-01-02 11:29:55.000000000 +0100
|
|
@@ -19,10 +19,10 @@
|
|
<cmdsynopsis id="pam_tty_audit-cmdsynopsis">
|
|
<command>pam_tty_audit.so</command>
|
|
<arg choice="opt">
|
|
- disable=<replaceable>usernames</replaceable>
|
|
+ disable=<replaceable>patterns</replaceable>
|
|
</arg>
|
|
<arg choice="opt">
|
|
- enable=<replaceable>usernames</replaceable>
|
|
+ enable=<replaceable>patterns</replaceable>
|
|
</arg>
|
|
</cmdsynopsis>
|
|
</refsynopsisdiv>
|
|
@@ -40,27 +40,40 @@
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>
|
|
- <option>disable=<replaceable>usernames</replaceable></option>
|
|
+ <option>disable=<replaceable>patterns</replaceable></option>
|
|
</term>
|
|
<listitem>
|
|
<para>
|
|
- For each user matching one of comma-separated
|
|
- <option><replaceable>usernames</replaceable></option>, disable
|
|
- TTY auditing. This overrides any older <option>enable</option>
|
|
- option for the same user name.
|
|
+ For each user matching one of comma-separated glob
|
|
+ <option><replaceable>patterns</replaceable></option>, disable
|
|
+ TTY auditing. This overrides any previous <option>enable</option>
|
|
+ option matchin the same user name on the command line.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>
|
|
- <option>enable=<replaceable>usernames</replaceable></option>
|
|
+ <option>enable=<replaceable>patterns</replaceable></option>
|
|
</term>
|
|
<listitem>
|
|
<para>
|
|
- For each user matching one of comma-separated
|
|
- <option><replaceable>usernames</replaceable></option>, enable
|
|
- TTY auditing. This overrides any older <option>disable</option>
|
|
- option for the same user name.
|
|
+ For each user matching one of comma-separated glob
|
|
+ <option><replaceable>patterns</replaceable></option>, enable
|
|
+ TTY auditing. This overrides any previous <option>disable</option>
|
|
+ option matching the same user name on the command line.
|
|
+ </para>
|
|
+ </listitem>
|
|
+ </varlistentry>
|
|
+ <varlistentry>
|
|
+ <term>
|
|
+ <option>open_only</option>
|
|
+ </term>
|
|
+ <listitem>
|
|
+ <para>
|
|
+ Set the TTY audit flag when opening the session, but do not restore
|
|
+ it when closing the session. Using this option is necessary for
|
|
+ some services that don't <function>fork()</function> to run the
|
|
+ authenticated session, such as <command>sudo</command>.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
@@ -99,17 +112,24 @@
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
+ <refsect1 id='pam_tty_audit-notes'>
|
|
+ <title>NOTES</title>
|
|
+ <para>
|
|
+ When TTY auditing is enabled, it is inherited by all processes started by
|
|
+ that user. In particular, daemons restarted by an user will still have
|
|
+ TTY auditing enabled, and audit TTY input even by other users unless
|
|
+ auditing for these users is explicitly disabled. Therefore, it is
|
|
+ recommended to use <option>disable=*</option> as the first option for
|
|
+ most daemons using PAM.
|
|
+ </para>
|
|
+ </refsect1>
|
|
+
|
|
<refsect1 id='pam_tty_audit-examples'>
|
|
<title>EXAMPLES</title>
|
|
<para>
|
|
Audit all administrative actions.
|
|
<programlisting>
|
|
-login root required pam_tty_audit.so enable=root
|
|
-su root required pam_tty_audit.so enable=root
|
|
-su-l root required pam_tty_audit.so enable=root
|
|
-sudo root required pam_tty_audit.so enable=root
|
|
-sudo-l root required pam_tty_audit.so enable=root
|
|
-sshd root required pam_tty_audit.so enable=root
|
|
+session required pam_tty_audit.so disable=* enable=root
|
|
</programlisting>
|
|
</para>
|
|
</refsect1>
|
|
diff -up Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml.tty-audit2 Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml
|
|
--- Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml.tty-audit2 2008-01-02 11:28:26.000000000 +0100
|
|
+++ Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml 2008-01-02 11:28:26.000000000 +0100
|
|
@@ -25,6 +25,11 @@
|
|
|
|
<section>
|
|
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
+ href="pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-notes"]/*)'/>
|
|
+ </section>
|
|
+
|
|
+ <section>
|
|
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
href="pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-examples"]/*)'/>
|
|
</section>
|
|
|
|
diff -up Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c.tty-audit2 Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c
|
|
--- Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c.tty-audit2 2008-01-02 11:28:26.000000000 +0100
|
|
+++ Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c 2008-01-02 11:28:26.000000000 +0100
|
|
@@ -1,4 +1,4 @@
|
|
-/* Copyright © 2007 Red Hat, Inc. All rights reserved.
|
|
+/* Copyright © 2007, 2008 Red Hat, Inc. All rights reserved.
|
|
Red Hat author: Miloslav Trmač <mitr@redhat.com>
|
|
|
|
Redistribution and use in source and binary forms of Linux-PAM, with
|
|
@@ -37,7 +37,7 @@
|
|
DAMAGE. */
|
|
|
|
#include <errno.h>
|
|
-#include <pwd.h>
|
|
+#include <fnmatch.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <syslog.h>
|
|
@@ -197,9 +197,7 @@ pam_sm_open_session (pam_handle_t *pamh,
|
|
enum command command;
|
|
struct audit_tty_status *old_status, new_status;
|
|
const char *user;
|
|
- uid_t user_uid;
|
|
- struct passwd *pwd;
|
|
- int i, fd;
|
|
+ int i, fd, open_only;
|
|
|
|
(void)flags;
|
|
|
|
@@ -208,15 +206,9 @@ pam_sm_open_session (pam_handle_t *pamh,
|
|
pam_syslog (pamh, LOG_ERR, "error determining target user's name");
|
|
return PAM_SESSION_ERR;
|
|
}
|
|
- pwd = pam_modutil_getpwnam (pamh, user);
|
|
- if (pwd == NULL)
|
|
- {
|
|
- pam_syslog (pamh, LOG_ERR, "error determining target user's UID: %m");
|
|
- return PAM_SESSION_ERR;
|
|
- }
|
|
- user_uid = pwd->pw_uid;
|
|
|
|
command = CMD_NONE;
|
|
+ open_only = 0;
|
|
for (i = 0; i < argc; i++)
|
|
{
|
|
if (strncmp (argv[i], "enable=", 7) == 0
|
|
@@ -232,13 +224,7 @@ pam_sm_open_session (pam_handle_t *pamh,
|
|
for (tok = strtok_r (copy, ",", &tok_data); tok != NULL;
|
|
tok = strtok_r (NULL, ",", &tok_data))
|
|
{
|
|
- pwd = pam_modutil_getpwnam (pamh, tok);
|
|
- if (pwd == NULL)
|
|
- {
|
|
- pam_syslog (pamh, LOG_WARNING, "unknown user %s", tok);
|
|
- continue;
|
|
- }
|
|
- if (pwd->pw_uid == user_uid)
|
|
+ if (fnmatch (tok, user, 0) == 0)
|
|
{
|
|
command = this_command;
|
|
break;
|
|
@@ -246,6 +232,13 @@ pam_sm_open_session (pam_handle_t *pamh,
|
|
}
|
|
free (copy);
|
|
}
|
|
+ else if (strcmp (argv[i], "open_only") == 0)
|
|
+ open_only = 1;
|
|
+ else
|
|
+ {
|
|
+ pam_syslog (pamh, LOG_ERR, "unknown option `%s'", argv[i]);
|
|
+ return PAM_SESSION_ERR;
|
|
+ }
|
|
}
|
|
if (command == CMD_NONE)
|
|
return PAM_SUCCESS;
|
|
@@ -266,13 +259,15 @@ pam_sm_open_session (pam_handle_t *pamh,
|
|
return PAM_SESSION_ERR;
|
|
}
|
|
|
|
- if (old_status->enabled == (command == CMD_ENABLE ? 1 : 0))
|
|
+ new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
|
|
+ if (old_status->enabled == new_status.enabled)
|
|
{
|
|
free (old_status);
|
|
goto ok_fd;
|
|
}
|
|
|
|
- if (pam_set_data (pamh, DATANAME, old_status, cleanup_old_status)
|
|
+ if (open_only == 0
|
|
+ && pam_set_data (pamh, DATANAME, old_status, cleanup_old_status)
|
|
!= PAM_SUCCESS)
|
|
{
|
|
pam_syslog (pamh, LOG_ERR, "error saving old audit status");
|
|
@@ -281,13 +276,14 @@ pam_sm_open_session (pam_handle_t *pamh,
|
|
return PAM_SESSION_ERR;
|
|
}
|
|
|
|
- new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
|
|
if (nl_send (fd, AUDIT_TTY_SET, NLM_F_ACK, &new_status,
|
|
sizeof (new_status)) != 0
|
|
|| nl_recv_ack (fd) != 0)
|
|
{
|
|
pam_syslog (pamh, LOG_ERR, "error setting current audit status: %m");
|
|
close (fd);
|
|
+ if (open_only != 0)
|
|
+ free (old_status);
|
|
return PAM_SESSION_ERR;
|
|
}
|
|
/* Fall through */
|
|
@@ -295,6 +291,8 @@ pam_sm_open_session (pam_handle_t *pamh,
|
|
close (fd);
|
|
pam_syslog (pamh, LOG_DEBUG, "changed status from %d to %d",
|
|
old_status->enabled, new_status.enabled);
|
|
+ if (open_only != 0)
|
|
+ free (old_status);
|
|
return PAM_SUCCESS;
|
|
}
|
|
|