pam/pam-1.1.6-tty-audit-echo.patch
Tomas Mraz c8a6aadf10 use links instead of w3m to create txt documentation
- recognize login session in pam_sepermit to prevent gdm from locking (#969174)
- add support for disabling password logging in pam_tty_audit
2013-08-07 18:24:04 +02:00


diff -up Linux-PAM-1.1.6/configure.in.tty-audit-echo Linux-PAM-1.1.6/configure.in
--- Linux-PAM-1.1.6/configure.in.tty-audit-echo 2013-08-07 15:41:08.245745447 +0200
+++ Linux-PAM-1.1.6/configure.in 2013-08-07 18:13:04.358958936 +0200
@@ -386,6 +386,10 @@ if test x"$WITH_LIBAUDIT" != xno ; then
fi
if test ! -z "$HAVE_AUDIT_TTY_STATUS" ; then
AC_DEFINE([HAVE_AUDIT_TTY_STATUS], 1, [Define to 1 if struct audit_tty_status exists.])
+
+ AC_CHECK_MEMBERS([struct audit_tty_status.log_passwd], [],
+ AC_MSG_WARN([audit_tty_status.log_passwd is not available. The log_passwd option is disabled.]),
+ [[#include <libaudit.h>]])
fi
else
LIBAUDIT=""
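Review bot: The action-if-not-found argument of the added `AC_CHECK_MEMBERS` call is passed unquoted, so `AC_MSG_WARN` is expanded while the arguments are being collected. Autoconf convention is to quote every macro argument, i.e. `[AC_MSG_WARN([audit_tty_status.log_passwd is not available. The log_passwd option is disabled.])],`. A short `dnl` comment stating that this result describes only the build headers, not the kernel the module will later run on, would also help packagers.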
diff -up Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml.tty-audit-echo Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml
--- Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml.tty-audit-echo 2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml 2013-08-07 18:08:55.310028229 +0200
@@ -77,6 +77,19 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>log_passwd</option>
+ </term>
+ <listitem>
+ <para>
+ Log keystrokes when ECHO mode is off but ICANON mode is active.
+ This is the mode in which the tty is placed during password entry.
+ By default, passwords are not logged. This option may not be
+ available on older kernels (3.9?).
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
@@ -161,6 +174,8 @@ session required pam_tty_audit.so disabl
<para>
pam_tty_audit was written by Miloslav Trma&ccaron;
&lt;mitr@redhat.com&gt;.
+ The log_passwd option was added by Richard Guy Briggs
+ &lt;rgb@redhat.com&gt;.
</para>
</refsect1>
diff -up Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-echo Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c
--- Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-echo 2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c 2013-08-07 18:09:29.428694493 +0200
@@ -201,6 +201,9 @@ pam_sm_open_session (pam_handle_t *pamh,
struct audit_tty_status *old_status, new_status;
const char *user;
int i, fd, open_only;
+#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
+ int log_passwd;
+#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
(void)flags;
@@ -212,6 +215,9 @@ pam_sm_open_session (pam_handle_t *pamh,
command = CMD_NONE;
open_only = 0;
+#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
+ log_passwd = 0;
+#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
for (i = 0; i < argc; i++)
{
if (strncmp (argv[i], "enable=", 7) == 0
@@ -237,6 +243,14 @@ pam_sm_open_session (pam_handle_t *pamh,
}
else if (strcmp (argv[i], "open_only") == 0)
open_only = 1;
+ else if (strcmp (argv[i], "log_passwd") == 0)
+#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
+ log_passwd = 1;
+#else /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
+ pam_syslog (pamh, LOG_WARNING,
+ "The log_passwd option was not available at compile time.");
+#warning "pam_tty_audit: The log_passwd option is not available. Please upgrade your headers/kernel."
+#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
else
{
pam_syslog (pamh, LOG_ERR, "unknown option `%s'", argv[i]);
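Review bot: The `#warning` in the `#else` arm of the new `log_passwd` branch fires on every build against headers that lack the member, and it becomes a build failure under `-Werror`. It repeats what the configure check already reports and is a compiler extension rather than standard C11. I would drop that line and keep the `pam_syslog (pamh, LOG_WARNING, ...)` call, which is the signal an administrator sees when the requested audit option is ignored. The unbraced `else if` body split across `#ifdef`/`#else` is easy to break in a later edit, so wrapping it in `{ ... }` would make the branch safer to maintain. pam_sm_open_session starts and ends outside this hunk.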
@@ -262,7 +276,14 @@ pam_sm_open_session (pam_handle_t *pamh,
}
new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
- if (old_status->enabled == new_status.enabled)
+#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
+ new_status.log_passwd = log_passwd;
+#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
+ if (old_status->enabled == new_status.enabled
+#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
+ && old_status->log_passwd == new_status.log_passwd
+#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
+ )
{
open_only = 1; /* to clean up old_status */
goto ok_fd;
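Review bot: The new comparison `old_status->log_passwd == new_status.log_passwd` trusts a field whose presence is only established at compile time by `HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD`, not by the kernel that answered the status query. The code that fills `old_status` is outside this hunk. If it does not verify that the reply is long enough to cover `log_passwd`, a module built with new headers but run on an older kernel would compare an indeterminate value, and the later set request might be rejected, failing session open where the module is `required`. I would confirm the receive path checks the reply length and add a comment above the assignment, such as `/* assumes the kernel reply covered log_passwd; confirm nl_recv rejects short replies */`. Because this flag causes typed passwords to land in audit records, a `pam_syslog` notice when `log_passwd` is set to 1 would give operators a trace that it was turned on.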