summaryrefslogtreecommitdiff
path: root/modules/pam_limits/pam_limits.c
diff options
context:
space:
mode:
authorTomas Mraz <tm@t8m.info>2007-12-07 15:40:01 +0000
committerTomas Mraz <tm@t8m.info>2007-12-07 15:40:01 +0000
commit8ae5f5769c4c611ca6918450bbe6e55dfa4e5926 (patch)
treea217a8080c67dbd2189a3fcdb3f627223e8f6101 /modules/pam_limits/pam_limits.c
parent67b5cdd945120d8b0fe4c40fe9df576fa5c2a9a2 (diff)
Relevant BUGIDs:
Purpose of commit: new feature and cleanup Commit summary: --------------- 2007-12-07 Tomas Mraz <t8m@centrum.cz> * libpam/libpam.map: Add LIBPAM_MODUTIL_1.1 version. * libpam/pam_audit.c: Add _pam_audit_open() and pam_modutil_audit_write(). (_pam_auditlog): Call _pam_audit_open(). * libpam/include/security/pam_modutil.h: Add pam_modutil_audit_write(). * modules/pam_access/pam_access.8.xml: Add noaudit option. Document auditing. * modules/pam_access/pam_access.c: Move fs, sep, pam_access_debug, and only_new_group_syntax variables to struct login_info. Add noaudit member. (_parse_args): Adjust for the move of variables and add support for noaudit option. (group_match): Add debug parameter. (string_match): Likewise. (network_netmask_match): Likewise. (login_access): Adjust for the move of variables. Add nonall_match. Add call to pam_modutil_audit_write(). (list_match): Adjust for the move of variables. (user_match): Likewise. (from_match): Likewise. (pam_sm_authenticate): Call _parse_args() earlier. * modules/pam_limits/pam_limits.8.xml: Add noaudit option. Document auditing. * modules/pam_limits/pam_limits.c (_pam_parse): Add noaudit option. (setup_limits): Call pam_modutil_audit_write(). * modules/pam_time/pam_time.8.xml: Add debug and noaudit options. Document auditing. * modules/pam_time/pam_time.c: Add option parsing (_pam_parse()). (check_account): Call _pam_parse(). Call pam_modutil_audit_write() and pam_syslog() on login denials.
Diffstat (limited to 'modules/pam_limits/pam_limits.c')
-rw-r--r--modules/pam_limits/pam_limits.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
index d65e64bf..f1e29b85 100644
--- a/modules/pam_limits/pam_limits.c
+++ b/modules/pam_limits/pam_limits.c
@@ -41,6 +41,10 @@
#include <pwd.h>
#include <locale.h>
+#ifdef HAVE_LIBAUDIT
+#include <libaudit.h>
+#endif
+
/* Module defines */
#define LINE_LENGTH 1024
@@ -101,6 +105,7 @@ struct pam_limit_s {
#define PAM_DEBUG_ARG 0x0001
#define PAM_DO_SETREUID 0x0002
#define PAM_UTMP_EARLY 0x0004
+#define PAM_NO_AUDIT 0x0008
/* Limits from globbed files. */
#define LIMITS_CONF_GLOB LIMITS_FILE_DIR
@@ -126,6 +131,8 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv,
ctrl |= PAM_DO_SETREUID;
} else if (!strcmp(*argv,"utmp_early")) {
ctrl |= PAM_UTMP_EARLY;
+ } else if (!strcmp(*argv,"noaudit")) {
+ ctrl |= PAM_NO_AUDIT;
} else {
pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
}
@@ -595,6 +602,13 @@ static int setup_limits(pam_handle_t *pamh,
D(("skip login limit check for uid=0"));
} else if (pl->login_limit > 0) {
if (check_logins(pamh, uname, pl->login_limit, ctrl, pl) == LOGIN_ERR) {
+#ifdef HAVE_LIBAUDIT
+ if (!(ctrl & PAM_NO_AUDIT)) {
+ pam_modutil_audit_write(pamh, AUDIT_ANOM_LOGIN_SESSIONS,
+ "pam_limits", PAM_PERM_DENIED);
+ /* ignore return value as we fail anyway */
+ }
+#endif
retval |= LOGIN_ERR;
}
} else if (pl->login_limit == 0) {