diff options
| author | Tomas Mraz <tm@t8m.info> | 2008-01-29 15:38:34 +0000 |
|---|---|---|
| committer | Tomas Mraz <tm@t8m.info> | 2008-01-29 15:38:34 +0000 |
| commit | 538dad819245deb53f1d55109130dce2199c6730 (patch) | |
| tree | 0c379de9f0954b352fbad4375bec01c13d408952 | |
| parent | 7ac2dea8a4726532f775479a44fc4c80404980e2 (diff) | |
Relevant BUGIDs:
Purpose of commit: new feature
Commit summary:
---------------
2008-01-29 Tomas Mraz <t8m@centrum.cz>
* configure.in: Test for setkeycreatecon needs libselinux.
Add new module pam_sepermit.
* modules/Makefile.am: Add new module pam_sepermit.
* modules/pam_sepermit/.cvsignore: New file.
* modules/pam_sepermit/Makefile.am: Likewise.
* modules/pam_sepermit/README.xml: Likewise.
* modules/pam_sepermit/pam_sepermit.8.xml: Likewise.
* modules/pam_sepermit/pam_sepermit.c: Likewise.
* modules/pam_sepermit/sepermit.conf: Likewise.
* modules/pam_sepermit/tst-pam_sepermit: Likewise.
* doc/sag/pam_sepermit.xml: Likewise.
* doc/sag/pam_tty_audit.xml: Add pam_tty_audit to SAG.
| -rw-r--r-- | ChangeLog | 16 | ||||
| -rw-r--r-- | NEWS | 2 | ||||
| -rw-r--r-- | configure.in | 8 | ||||
| -rw-r--r-- | doc/sag/pam_sepermit.xml | 38 | ||||
| -rw-r--r-- | doc/sag/pam_tty_audit.xml | 38 | ||||
| -rw-r--r-- | modules/pam_sepermit/.cvsignore | 10 | ||||
| -rw-r--r-- | modules/pam_sepermit/Makefile.am | 43 | ||||
| -rw-r--r-- | modules/pam_sepermit/README.xml | 41 | ||||
| -rw-r--r-- | modules/pam_sepermit/pam_sepermit.8.xml | 189 | ||||
| -rw-r--r-- | modules/pam_sepermit/pam_sepermit.c | 405 | ||||
| -rw-r--r-- | modules/pam_sepermit/sepermit.conf | 11 | ||||
| -rwxr-xr-x | modules/pam_sepermit/tst-pam_sepermit | 2 |
12 files changed, 802 insertions, 1 deletions
@@ -1,3 +1,19 @@ +2008-01-29 Tomas Mraz <t8m@centrum.cz> + + * configure.in: Test for setkeycreatecon needs libselinux. + Add new module pam_sepermit. + * modules/Makefile.am: Add new module pam_sepermit. + * modules/pam_sepermit/.cvsignore: New file. + * modules/pam_sepermit/Makefile.am: Likewise. + * modules/pam_sepermit/README.xml: Likewise. + * modules/pam_sepermit/pam_sepermit.8.xml: Likewise. + * modules/pam_sepermit/pam_sepermit.c: Likewise. + * modules/pam_sepermit/sepermit.conf: Likewise. + * modules/pam_sepermit/tst-pam_sepermit: Likewise. + * doc/sag/pam_sepermit.xml: Likewise. + + * doc/sag/pam_tty_audit.xml: Add pam_tty_audit to SAG. + 2008-01-29 Miloslav Trmac <mitr@redhat.com> * modules/pam_tty_audit/README.xml: Add notes section. @@ -8,6 +8,8 @@ Linux-PAM NEWS -- history of user-visible changes. and number of sessions (pam_limits) to the Linux audit subsystem. * Support sha256 and sha512 algorithms in pam_unix when they are supported by crypt(). +* New pam_sepermit.so module for allowing/rejecting access based on + SELinux mode. Release 0.99.9.0 * misc_conv no longer blocks SIGINT; applications that don't want diff --git a/configure.in b/configure.in index cd92f80a..90349a14 100644 --- a/configure.in +++ b/configure.in @@ -393,6 +393,7 @@ AC_SUBST(LIBDB) AM_CONDITIONAL([HAVE_LIBDB], [test ! -z "$LIBDB"]) AC_CHECK_LIB([nsl],[yp_get_default_domain], LIBNSL="-lnsl", LIBNSL="") +BACKUP_LIBS=$LIBS LIBS="$LIBS $LIBNSL" AC_CHECK_FUNCS(yp_get_default_domain) LIBS=$BACKUP_LIBS @@ -410,6 +411,10 @@ AC_SUBST(LIBSELINUX) AM_CONDITIONAL([HAVE_LIBSELINUX], [test ! -z "$LIBSELINUX"]) if test ! -z "$LIBSELINUX" ; then AC_DEFINE([WITH_SELINUX], 1, [Defined if SE Linux support is compiled in]) + BACKUP_LIBS=$LIBS + LIBS="$LIBS $LIBSELINUX" + AC_CHECK_FUNCS(setkeycreatecon) + LIBS=$BACKUP_LIBS fi dnl Checks for header files. @@ -442,7 +447,7 @@ AC_CHECK_FUNCS(fseeko gethostname gettimeofday lckpwdf mkdir select) AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname) AC_CHECK_FUNCS(getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r) AC_CHECK_FUNCS(getgrouplist getline getdelim) -AC_CHECK_FUNCS(inet_ntop inet_pton ruserok_af setkeycreatecon) +AC_CHECK_FUNCS(inet_ntop inet_pton ruserok_af) AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no]) AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes]) @@ -531,6 +536,7 @@ AC_OUTPUT(Makefile libpam/Makefile libpamc/Makefile libpamc/test/Makefile \ modules/pam_rhosts/Makefile \ modules/pam_rootok/Makefile modules/pam_exec/Makefile \ modules/pam_securetty/Makefile modules/pam_selinux/Makefile \ + modules/pam_sepermit/Makefile \ modules/pam_shells/Makefile modules/pam_stress/Makefile \ modules/pam_succeed_if/Makefile modules/pam_tally/Makefile \ modules/pam_time/Makefile modules/pam_tty_audit/Makefile \ diff --git a/doc/sag/pam_sepermit.xml b/doc/sag/pam_sepermit.xml new file mode 100644 index 00000000..6ef9e0f8 --- /dev/null +++ b/doc/sag/pam_sepermit.xml @@ -0,0 +1,38 @@ +<?xml version='1.0' encoding='UTF-8'?> +<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" + "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> +<section id='sag-pam_sepermit'> + <title>pam_sepermit - allow/reject access based on SELinux mode</title> + <cmdsynopsis> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="../../modules/pam_sepermit/pam_sepermit.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_sepermit-cmdsynopsis"]/*)'/> + </cmdsynopsis> + <section id='sag-pam_sepermit-description'> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="../../modules/pam_sepermit/pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-description"]/*)'/> + </section> + <section id='sag-pam_sepermit-options'> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="../../modules/pam_sepermit/pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-options"]/*)'/> + </section> + <section id='sag-pam_sepermit-services'> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="../../modules/pam_sepermit/pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-services"]/*)'/> + </section> + <section id='sag-pam_sepermit-return_values'> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="../../modules/pam_sepermit/pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-return_values"]/*)'/> + </section> + <section id='sag-pam_sepermit-files'> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="../../modules/pam_sepermit/pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-files"]/*)'/> + </section> + <section id='sag-pam_sepermit-examples'> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="../../modules/pam_sepermit/pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-examples"]/*)'/> + </section> + <section id='sag-pam_sepermit-author'> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="../../modules/pam_sepermit/pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-author"]/*)'/> + </section> +</section> diff --git a/doc/sag/pam_tty_audit.xml b/doc/sag/pam_tty_audit.xml new file mode 100644 index 00000000..55e73862 --- /dev/null +++ b/doc/sag/pam_tty_audit.xml @@ -0,0 +1,38 @@ +<?xml version='1.0' encoding='UTF-8'?> +<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" + "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> +<section id='sag-pam_tty_audit'> + <title>pam_tty_audit - enable/disable tty auditing</title> + <cmdsynopsis> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="../../modules/pam_tty_audit/pam_tty_audit.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_tty_audit-cmdsynopsis"]/*)'/> + </cmdsynopsis> + <section id='sag-pam_tty_audit-description'> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="../../modules/pam_tty_audit/pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-description"]/*)'/> + </section> + <section id='sag-pam_tty_audit-options'> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="../../modules/pam_tty_audit/pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-options"]/*)'/> + </section> + <section id='sag-pam_tty_audit-services'> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="../../modules/pam_tty_audit/pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-services"]/*)'/> + </section> + <section id='sag-pam_tty_audit-return_values'> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="../../modules/pam_tty_audit/pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-return_values"]/*)'/> + </section> + <section id='sag-pam_tty_audit-notes'> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="../../modules/pam_tty_audit/pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-notes"]/*)'/> + </section> + <section id='sag-pam_tty_audit-examples'> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="../../modules/pam_tty_audit/pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-examples"]/*)'/> + </section> + <section id='sag-pam_tty_audit-author'> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="../../modules/pam_tty_audit/pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-author"]/*)'/> + </section> +</section> diff --git a/modules/pam_sepermit/.cvsignore b/modules/pam_sepermit/.cvsignore new file mode 100644 index 00000000..258e7207 --- /dev/null +++ b/modules/pam_sepermit/.cvsignore @@ -0,0 +1,10 @@ +*.la +*.lo +*.so +*~ +.deps +.libs +Makefile +Makefile.in +README +pam_sepermit.8 diff --git a/modules/pam_sepermit/Makefile.am b/modules/pam_sepermit/Makefile.am new file mode 100644 index 00000000..09a60a3a --- /dev/null +++ b/modules/pam_sepermit/Makefile.am @@ -0,0 +1,43 @@ +# +# Copyright (c) 2005, 2006, 2007 Thorsten Kukuk <kukuk@thkukuk.de> +# Copyright (c) 2008 Red Hat, Inc. +# + +CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README + +EXTRA_DIST = README $(XMLS) pam_sepermit.8 sepermit.conf tst-pam_sepermit + +if HAVE_LIBSELINUX + TESTS = tst-pam_sepermit + man_MANS = pam_sepermit.8 +endif + +XMLS = README.xml pam_sepermit.8.xml + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +sepermitlockdir = /var/run/sepermit + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + -I$(top_srcdir)/libpam_misc/include \ + -D SEPERMIT_CONF_FILE=\"$(SCONFIGDIR)/sepermit.conf\" \ + -D SEPERMIT_LOCKDIR=\"$(sepermitlockdir)\" + +pam_sepermit_la_LIBADD = -L$(top_builddir)/libpam -lpam @LIBSELINUX@ +pam_sepermit_la_LDFLAGS = -no-undefined -avoid-version -module +if HAVE_VERSIONING + pam_sepermit_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +secureconf_DATA = sepermit.conf +sepermitlock_DATA = + +if HAVE_LIBSELINUX + securelib_LTLIBRARIES = pam_sepermit.la +endif +if ENABLE_REGENERATE_MAN +noinst_DATA = README pam_sepermit.8 +README: pam_sepermit.8.xml +-include $(top_srcdir)/Make.xml.rules +endif diff --git a/modules/pam_sepermit/README.xml b/modules/pam_sepermit/README.xml new file mode 100644 index 00000000..bb65951c --- /dev/null +++ b/modules/pam_sepermit/README.xml @@ -0,0 +1,41 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_sepermit.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_sepermit.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_sepermit-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-author"]/*)'/> + </section> + +</article> diff --git a/modules/pam_sepermit/pam_sepermit.8.xml b/modules/pam_sepermit/pam_sepermit.8.xml new file mode 100644 index 00000000..c2546b62 --- /dev/null +++ b/modules/pam_sepermit/pam_sepermit.8.xml @@ -0,0 +1,189 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_sepermit"> + + <refmeta> + <refentrytitle>pam_sepermit</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_sepermit-name"> + <refname>pam_sepermit</refname> + <refpurpose>PAM module to allow/deny login depending on SELinux enforcement state</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_sepermit-cmdsynopsis"> + <command>pam_sepermit.so</command> + <arg choice="opt"> + debug + </arg> + <arg choice="opt"> + conf=<replaceable>/path/to/config/file</replaceable> + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_sepermit-description"> + <title>DESCRIPTION</title> + <para> + The pam_sepermit module allows or denies login depending on SELinux + enforcement state. + </para> + <para> + When the user which is logging in matches an entry in the config file + he is allowed access only when the SELinux is in enforcing mode. Otherwise + he is denied access. For users not matching any entry in the config file + the pam_sepermit module returns PAM_IGNORE return value. + </para> + <para> + The config file contains a simple list of user names one per line. If the + <replaceable>name</replaceable> is prefixed with <emphasis>@</emphasis> character it means that all + users in the group <replaceable>name</replaceable> match. If it is prefixed + with a <emphasis>%</emphasis> character the SELinux user is used to match against the <replaceable>name</replaceable> + instead of the account name. Note that when SELinux is disabled the + SELinux user assigned to the account cannot be determined. This means that + such entries are never matched when SELinux is disabled and pam_sepermit + will return PAM_IGNORE. + </para> + <para> + Each user name in the configuration file can have optional arguments separated + by <emphasis>:</emphasis> character. The only currently recognized argument is <emphasis>exclusive</emphasis>. + The pam_sepermit module will allow only single concurrent user session for + the user with this argument specified and it will attempt to kill all processes + of the user after logout. + </para> + </refsect1> + + <refsect1 id="pam_sepermit-options"> + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + Turns on debugging via + <citerefentry> + <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>conf=<replaceable>/path/to/config/file</replaceable></option> + </term> + <listitem> + <para> + Path to alternative config file overriding the default. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_sepermit-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + Only the <option>auth</option> and <option>account</option> + services are supported. + </para> + </refsect1> + + <refsect1 id='pam_sepermit-return_values'> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_AUTH_ERR</term> + <listitem> + <para> + SELinux is disabled or in the permissive mode and the user + matches. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + SELinux is in the enforcing mode and the user matches. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_IGNORE</term> + <listitem> + <para> + The user does not match any entry in the config file. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + The module was unable to determine the user's name. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SERVICE_ERR</term> + <listitem> + <para> + Error during reading or parsing the config file. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_sepermit-files"> + <title>FILES</title> + <variablelist> + <varlistentry> + <term><filename>/etc/security/sepermit.conf</filename></term> + <listitem> + <para>Default configuration file</para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_sepermit-examples'> + <title>EXAMPLES</title> + <programlisting> +auth [success=done ignore=ignore default=bad] pam_sepermit.so +auth required pam_unix.so +account required pam_unix.so +session required pam_permit.so + </programlisting> + </refsect1> + + <refsect1 id='pam_sepermit-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_sepermit-author'> + <title>AUTHOR</title> + <para> + pam_sepermit was written by Tomas Mraz <tmraz@redhat.com>. + </para> + </refsect1> + +</refentry> diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c new file mode 100644 index 00000000..377fc2c5 --- /dev/null +++ b/modules/pam_sepermit/pam_sepermit.c @@ -0,0 +1,405 @@ +/****************************************************************************** + * A module for Linux-PAM that allows/denies acces based on SELinux state. + * + * Copyright (c) 2007, 2008 Red Hat, Inc. + * Originally written by Tomas Mraz <tmraz@redhat.com> + * Contributions by Dan Walsh <dwalsh@redhat.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#include "config.h" + +#include <errno.h> +#include <pwd.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <syslog.h> +#include <ctype.h> +#include <signal.h> +#include <limits.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <fcntl.h> +#include <unistd.h> +#include <pwd.h> +#include <dirent.h> + +#define PAM_SM_AUTH +#define PAM_SM_ACCOUNT + +#include <security/pam_modules.h> +#include <security/_pam_macros.h> +#include <security/pam_modutil.h> +#include <security/pam_ext.h> + +#include <selinux/selinux.h> + +#define MODULE "pam_sepermit" +#define OPT_DELIM ":" + +struct lockfd { + uid_t uid; + int fd; + int debug; +}; + +#define PROC_BASE "/proc" +#define MAX_NAMES (int)(sizeof(unsigned long)*8) + +static int +match_process_uid(pid_t pid, uid_t uid) +{ + char buf[128]; + uid_t puid; + FILE *f; + int re = 0; + + snprintf (buf, sizeof buf, PROC_BASE "/%d/status", pid); + if (!(f = fopen (buf, "r"))) + return 0; + + while (fgets(buf, sizeof buf, f)) { + if (sscanf (buf, "Uid:\t%d", &puid)) { + re = uid == puid; + break; + } + } + fclose(f); + return re; +} + +static int +check_running (pam_handle_t *pamh, uid_t uid, int killall, int debug) +{ + DIR *dir; + struct dirent *de; + pid_t *pid_table, pid, self; + int i; + int pids, max_pids; + int running = 0; + self = getpid(); + if (!(dir = opendir(PROC_BASE))) { + pam_syslog(pamh, LOG_ERR, "Failed to open proc directory file %s:", PROC_BASE); + return -1; + } + max_pids = 256; + pid_table = malloc(max_pids * sizeof (pid_t)); + if (!pid_table) { + pam_syslog(pamh, LOG_CRIT, "Memory allocation error"); + return -1; + } + pids = 0; + while ((de = readdir (dir)) != NULL) { + if (!(pid = (pid_t)atoi(de->d_name)) || pid == self) + continue; + + if (pids == max_pids) { + if (!(pid_table = realloc(pid_table, 2*pids*sizeof(pid_t)))) { + pam_syslog(pamh, LOG_CRIT, "Memory allocation error"); + return -1; + } + max_pids *= 2; + } + pid_table[pids++] = pid; + } + + (void)closedir(dir); + + for (i = 0; i < pids; i++) { + pid_t id; + + if (match_process_uid(pid_table[i], uid) == 0) + continue; + id = pid_table[i]; + + if (killall) { + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Attempting to kill %d", id); + kill(id, SIGKILL); + } + running++; + } + + free(pid_table); + return running; +} + +static void +sepermit_unlock(pam_handle_t *pamh, void *plockfd, int error_status UNUSED) +{ + struct lockfd *lockfd = plockfd; + struct flock fl; + + memset(&fl, 0, sizeof(fl)); + fl.l_type = F_UNLCK; + fl.l_whence = SEEK_SET; + + if (lockfd->debug) + pam_syslog(pamh, LOG_ERR, "Unlocking fd: %d uid: %d", lockfd->fd, lockfd->uid); + + /* Don't kill uid==0 */ + if (lockfd->uid) + /* This is a DOS but it prevents an app from forking to prevent killing */ + while(check_running(pamh, lockfd->uid, 1, lockfd->debug) > 0) + continue; + + fcntl(lockfd->fd, F_SETLK, &fl); + close(lockfd->fd); + free(lockfd); +} + +static int +sepermit_lock(pam_handle_t *pamh, const char *user, int debug) +{ + char buf[PATH_MAX]; + struct flock fl; + + memset(&fl, 0, sizeof(fl)); + fl.l_type = F_WRLCK; + fl.l_whence = SEEK_SET; + + struct passwd *pw = pam_modutil_getpwnam( pamh, user ); + if (!pw) { + pam_syslog(pamh, LOG_ERR, "Unable to find uid for user %s", user); + return -1; + } + if (check_running(pamh, pw->pw_uid, 0, debug) > 0) { + pam_syslog(pamh, LOG_ERR, "User %s processes are running. Exclusive login not allowed", user); + return -1; + } + + snprintf(buf, sizeof(buf), "%s/%d.lock", SEPERMIT_LOCKDIR, pw->pw_uid); + int fd = open(buf, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR); + if (fd < 0) { + pam_syslog(pamh, LOG_ERR, "Unable to open lock file %s/%d.lock", SEPERMIT_LOCKDIR, pw->pw_uid); + return -1; + } + + if (fcntl(fd, F_SETLK, &fl) == -1) { + pam_syslog(pamh, LOG_ERR, "User %s with exclusive login already logged in", user); + close(fd); + return -1; + } + struct lockfd *lockfd=calloc(1, sizeof(struct lockfd)); + if (!lockfd) { + close(fd); + pam_syslog(pamh, LOG_CRIT, "Memory allocation error"); + return -1; + } + lockfd->uid = pw->pw_uid; + lockfd->debug = debug; + lockfd->fd=fd; + pam_set_data(pamh, MODULE, lockfd, sepermit_unlock); + return 0; +} + +/* return 0 when matched, -1 when unmatched, pam error otherwise */ +static int +sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user, + const char *seuser, int debug) +{ + FILE *f; + char *line = NULL; + char *start; + size_t len = 0; + int matched = 0; + int exclusive = 0; + + f = fopen(cfgfile, "r"); + + if (!f) { + pam_syslog(pamh, LOG_ERR, "Failed to open config file %s: %m", cfgfile); + return PAM_SERVICE_ERR; + } + + while (!matched && getline(&line, &len, f) != -1) { + size_t n; + char *sptr; + char *opt; + + if (line[0] == '#') + continue; + + start = line; + while (isspace(*start)) + ++start; + n = strlen(start); + while (n > 0 && isspace(start[n-1])) { + --n; + } + if (n == 0) + continue; + + start[n] = '\0'; + start = strtok_r(start, OPT_DELIM, &sptr); + + switch (start[0]) { + case '@': + ++start; + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Matching user %s against group %s", user, start); + if (pam_modutil_user_in_group_nam_nam(pamh, user, start)) { + matched = 1; + } + break; + case '%': + ++start; + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Matching seuser %s against seuser %s", seuser, start); + if (strcmp(seuser, start) == 0) { + matched = 1; + } + break; + default: + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Matching user %s against user %s", user, start); + if (strcmp(user, start) == 0) { + matched = 1; + } + } + if (matched) + while ((opt=strtok_r(NULL, OPT_DELIM, &sptr)) != NULL) { + if (strcmp(opt, "exclusive") == 0) + exclusive = 1; + else if (debug) { + pam_syslog(pamh, LOG_NOTICE, "Unknown user option: %s", opt); + } + } + } + + free(line); + fclose(f); + if (matched) + return exclusive ? sepermit_lock(pamh, user, debug) : 0; + else + return -1; +} + +PAM_EXTERN int +pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ + int i; + int rv; + int debug = 0; + int sense = PAM_AUTH_ERR; + const char *user = NULL; + char *seuser = NULL; + char *level = NULL; + const char *cfgfile = SEPERMIT_CONF_FILE; + + /* Parse arguments. */ + for (i = 0; i < argc; i++) { + if (strcmp(argv[i], "debug") == 0) { + debug = 1; + } + if (strcmp(argv[i], "conf=") == 0) { + cfgfile = argv[i] + 5; + } + } + + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Parsing config file: %s", cfgfile); + + if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL + || *user == '\0') { + pam_syslog(pamh, LOG_ERR, "Cannot determine the user's name"); + return PAM_USER_UNKNOWN; + } + + if (is_selinux_enabled() > 0) { + if (security_getenforce() == 1) { + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Enforcing mode, access will be allowed on match"); + sense = PAM_SUCCESS; + } + + if (getseuserbyname(user, &seuser, &level) != 0) { + seuser = NULL; + level = NULL; + pam_syslog(pamh, LOG_ERR, "getseuserbyname failed: %m"); + } + } + + if (debug && sense != PAM_SUCCESS) + pam_syslog(pamh, LOG_NOTICE, "Access will not be allowed on match"); + + rv = sepermit_match(pamh, cfgfile, user, seuser, debug); + + if (debug) + pam_syslog(pamh, LOG_NOTICE, "sepermit_match returned: %d", rv); + + free(seuser); + free(level); + + switch (rv) { + case -1: + return PAM_IGNORE; + case 0: + return sense; + } + + return rv; +} + +PAM_EXTERN int +pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) +{ + return PAM_IGNORE; +} + +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, + int argc, const char **argv) +{ + return pam_sm_authenticate(pamh, flags, argc, argv); +} + +#ifdef PAM_STATIC + +/* static module data */ + +struct pam_module _pam_access_modstruct = { + "pam_sepermit", + pam_sm_authenticate, + pam_sm_setcred, + pam_sm_acct_mgmt, + NULL, + NULL, + NULL +}; +#endif + diff --git a/modules/pam_sepermit/sepermit.conf b/modules/pam_sepermit/sepermit.conf new file mode 100644 index 00000000..951f3dfe --- /dev/null +++ b/modules/pam_sepermit/sepermit.conf @@ -0,0 +1,11 @@ +# /etc/security/sepermit.conf +# +# Each line contains either: +# - an user name +# - a group name, with @group syntax +# - a SELinux user name, with %seuser syntax +# Each line can contain optional arguments separated by : +# The possible arguments are: +# - exclusive - only single login session will +# be allowed for the user and the user's processes +# will be killed on logout diff --git a/modules/pam_sepermit/tst-pam_sepermit b/modules/pam_sepermit/tst-pam_sepermit new file mode 100755 index 00000000..6e6d2363 --- /dev/null +++ b/modules/pam_sepermit/tst-pam_sepermit @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_sepermit.so |