authorSteve Langasek <vorlon@debian.org>2019-02-11 16:13:42 -0800
committerSteve Langasek <vorlon@debian.org>2019-02-12 06:07:57 +0000
commit668b13da8f830c38388cecac45539972e80cb246 (patch)
treeba3a4e02ed5ec62fe645dfa810c01d26decf591f /modules/pam_tty_audit
parentf00afb1ef201b2eef7f9ddbe5a0c6ca802cf49bb (diff)
parent3b77a78d575b8ab56bb0e828499df328d55c925f (diff)
New upstream version 1.3.1
Diffstat (limited to 'modules/pam_tty_audit')
-rw-r--r--modules/pam_tty_audit/README17
-rw-r--r--modules/pam_tty_audit/pam_tty_audit.828
-rw-r--r--modules/pam_tty_audit/pam_tty_audit.8.xml26
-rw-r--r--modules/pam_tty_audit/pam_tty_audit.c83
4 files changed, 130 insertions, 24 deletions
diff --git a/modules/pam_tty_audit/README b/modules/pam_tty_audit/README
index 83e58c3a..ac947a32 100644
--- a/modules/pam_tty_audit/README
+++ b/modules/pam_tty_audit/README
@@ -11,15 +11,15 @@ OPTIONS
disable=patterns
- For each user matching one of comma-separated glob patterns, disable TTY
- auditing. This overrides any previous enable option matching the same user
- name on the command line.
+ For each user matching patterns, disable TTY auditing. This overrides any
+ previous enable option matching the same user name on the command line. See
+ NOTES for further description of patterns.
enable=patterns
- For each user matching one of comma-separated glob patterns, enable TTY
- auditing. This overrides any previous disable option matching the same user
- name on the command line.
+ For each user matching patterns, enable TTY auditing. This overrides any
+ previous disable option matching the same user name on the command line.
+ See NOTES for further description of patterns.
open_only
@@ -45,6 +45,11 @@ the first option for most daemons using PAM.
To view the data that was logged by the kernel to audit use the command
aureport --tty.
+The patterns are comma separated lists of glob patterns or ranges of uids. A
+range is specified as min_uid:max_uid where one of these values can be empty.
+If min_uid is empty only user with the uid max_uid will be matched. If max_uid
+is empty users with the uid greater than or equal to min_uid will be matched.
+
EXAMPLES
Audit all administrative actions.
diff --git a/modules/pam_tty_audit/pam_tty_audit.8 b/modules/pam_tty_audit/pam_tty_audit.8
index 616f7d7e..e0800815 100644
--- a/modules/pam_tty_audit/pam_tty_audit.8
+++ b/modules/pam_tty_audit/pam_tty_audit.8
@@ -2,12 +2,12 @@
.\" Title: pam_tty_audit
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 04/11/2016
+.\" Date: 05/18/2018
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_TTY_AUDIT" "8" "04/11/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_TTY_AUDIT" "8" "05/18/2018" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -39,18 +39,20 @@ The pam_tty_audit PAM module is used to enable or disable TTY auditing\&. By def
.PP
\fBdisable=\fR\fB\fIpatterns\fR\fR
.RS 4
-For each user matching one of comma\-separated glob
+For each user matching
\fB\fIpatterns\fR\fR, disable TTY auditing\&. This overrides any previous
\fBenable\fR
-option matching the same user name on the command line\&.
+option matching the same user name on the command line\&. See NOTES for further description of
+\fB\fIpatterns\fR\fR\&.
.RE
.PP
\fBenable=\fR\fB\fIpatterns\fR\fR
.RS 4
-For each user matching one of comma\-separated glob
+For each user matching
\fB\fIpatterns\fR\fR, enable TTY auditing\&. This overrides any previous
\fBdisable\fR
-option matching the same user name on the command line\&.
+option matching the same user name on the command line\&. See NOTES for further description of
+\fB\fIpatterns\fR\fR\&.
.RE
.PP
\fBopen_only\fR
@@ -89,6 +91,20 @@ as the first option for most daemons using PAM\&.
.PP
To view the data that was logged by the kernel to audit use the command
\fBaureport \-\-tty\fR\&.
+.PP
+The
+\fB\fIpatterns\fR\fR
+are comma separated lists of glob patterns or ranges of uids\&. A range is specified as
+\fImin_uid\fR:\fImax_uid\fR
+where one of these values can be empty\&. If
+\fImin_uid\fR
+is empty only user with the uid
+\fImax_uid\fR
+will be matched\&. If
+\fImax_uid\fR
+is empty users with the uid greater than or equal to
+\fImin_uid\fR
+will be matched\&.
.SH "EXAMPLES"
.PP
Audit all administrative actions\&.
diff --git a/modules/pam_tty_audit/pam_tty_audit.8.xml b/modules/pam_tty_audit/pam_tty_audit.8.xml
index 552353ce..59a3406d 100644
--- a/modules/pam_tty_audit/pam_tty_audit.8.xml
+++ b/modules/pam_tty_audit/pam_tty_audit.8.xml
@@ -44,10 +44,10 @@
</term>
<listitem>
<para>
- For each user matching one of comma-separated glob
- <option><replaceable>patterns</replaceable></option>, disable
- TTY auditing. This overrides any previous <option>enable</option>
- option matching the same user name on the command line.
+ For each user matching <option><replaceable>patterns</replaceable></option>,
+ disable TTY auditing. This overrides any previous <option>enable</option>
+ option matching the same user name on the command line. See NOTES
+ for further description of <option><replaceable>patterns</replaceable></option>.
</para>
</listitem>
</varlistentry>
@@ -57,10 +57,10 @@
</term>
<listitem>
<para>
- For each user matching one of comma-separated glob
- <option><replaceable>patterns</replaceable></option>, enable
- TTY auditing. This overrides any previous <option>disable</option>
- option matching the same user name on the command line.
+ For each user matching <option><replaceable>patterns</replaceable></option>,
+ enable TTY auditing. This overrides any previous <option>disable</option>
+ option matching the same user name on the command line. See NOTES
+ for further description of <option><replaceable>patterns</replaceable></option>.
</para>
</listitem>
</varlistentry>
@@ -139,6 +139,16 @@
To view the data that was logged by the kernel to audit use
the command <command>aureport --tty</command>.
</para>
+ <para>
+ The <option><replaceable>patterns</replaceable></option> are comma separated
+ lists of glob patterns or ranges of uids. A range is specified as
+ <replaceable>min_uid</replaceable>:<replaceable>max_uid</replaceable> where
+ one of these values can be empty. If <replaceable>min_uid</replaceable> is
+ empty only user with the uid <replaceable>max_uid</replaceable> will be
+ matched. If <replaceable>max_uid</replaceable> is empty users with the uid
+ greater than or equal to <replaceable>min_uid</replaceable> will be
+ matched.
+ </para>
</refsect1>
<refsect1 id='pam_tty_audit-examples'>
diff --git a/modules/pam_tty_audit/pam_tty_audit.c b/modules/pam_tty_audit/pam_tty_audit.c
index bce3ab77..79e5d511 100644
--- a/modules/pam_tty_audit/pam_tty_audit.c
+++ b/modules/pam_tty_audit/pam_tty_audit.c
@@ -199,6 +199,54 @@ cleanup_old_status (pam_handle_t *pamh, void *data, int error_status)
free (data);
}
+enum uid_range { UID_RANGE_NONE, UID_RANGE_MM, UID_RANGE_MIN,
+ UID_RANGE_ONE, UID_RANGE_ERR };
+
+static enum uid_range
+parse_uid_range(pam_handle_t *pamh, const char *s,
+ uid_t *min_uid, uid_t *max_uid)
+{
+ const char *range = s;
+ const char *pmax;
+ char *endptr;
+ enum uid_range rv = UID_RANGE_MM;
+
+ if ((pmax=strchr(range, ':')) == NULL)
+ return UID_RANGE_NONE;
+ ++pmax;
+
+ if (range[0] == ':')
+ rv = UID_RANGE_ONE;
+ else {
+ errno = 0;
+ *min_uid = strtoul (range, &endptr, 10);
+ if (errno != 0 || (range == endptr) || *endptr != ':') {
+ pam_syslog(pamh, LOG_DEBUG,
+ "wrong min_uid value in '%s'", s);
+ return UID_RANGE_ERR;
+ }
+ }
+
+ if (*pmax == '\0') {
+ if (rv == UID_RANGE_ONE)
+ return UID_RANGE_ERR;
+
+ return UID_RANGE_MIN;
+ }
+
+ errno = 0;
+ *max_uid = strtoul (pmax, &endptr, 10);
+ if (errno != 0 || (pmax == endptr) || *endptr != '\0') {
+ pam_syslog(pamh, LOG_DEBUG,
+ "wrong max_uid value in '%s'", s);
+ return UID_RANGE_ERR;
+ }
+
+ if (rv == UID_RANGE_ONE)
+ *min_uid = *max_uid;
+ return rv;
+}
+
int
pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
{
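Review bot: In parse_uid_range the `unsigned long` result of strtoul is stored straight into `uid_t` at both assignments, so on LP64 builds a value above the uid_t range is silently truncated instead of rejected (e.g. a constructed pattern `4294967296:` would yield min_uid 0 and match every user, which is the opposite of what the admin wrote); parse into a temporary and refuse values that do not round-trip. strtoul also skips leading whitespace and accepts a sign, so if the documented syntax is meant to be strict a check for a leading digit is worth adding as well. Both malformed-range messages are emitted at LOG_DEBUG, which means a pattern typo that turns off the intended auditing is invisible at default log levels; LOG_WARNING would be consistent with the unknown-user message added later in this commit. The doc comment for the function is missing; a short header stating that it returns UID_RANGE_NONE when `s` has no ':' (caller treats it as a glob) and UID_RANGE_ERR on any parse failure would help the caller's switch read correctly.
```c
static enum uid_range
parse_uid_range(pam_handle_t *pamh, const char *s,
                uid_t *min_uid, uid_t *max_uid)
{
    /* … unchanged: locals, ':' lookup … */
    unsigned long val;

    if (range[0] == ':')
        rv = UID_RANGE_ONE;
    else {
        errno = 0;
        val = strtoul (range, &endptr, 10);
        /* reject overflow of uid_t as well as garbage */
        if (errno != 0 || range == endptr || *endptr != ':'
            || (uid_t)val != val) {
            pam_syslog(pamh, LOG_WARNING,
                       "wrong min_uid value in '%s'", s);
            return UID_RANGE_ERR;
        }
        *min_uid = (uid_t)val;
    }
    /* … unchanged: empty max_uid handling … */
    errno = 0;
    val = strtoul (pmax, &endptr, 10);
    if (errno != 0 || pmax == endptr || *endptr != '\0'
        || (uid_t)val != val) {
        pam_syslog(pamh, LOG_WARNING,
                   "wrong max_uid value in '%s'", s);
        return UID_RANGE_ERR;
    }
    *max_uid = (uid_t)val;
    /* … unchanged: UID_RANGE_ONE fixup and return … */
```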
@@ -208,6 +256,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
struct audit_tty_status *old_status, new_status;
const char *user;
int i, fd, open_only;
+ struct passwd *pwd;
#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
int log_passwd;
#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
@@ -220,6 +269,14 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
return PAM_SESSION_ERR;
}
+ pwd = pam_modutil_getpwnam(pamh, user);
+ if (pwd == NULL)
+ {
+ pam_syslog(pamh, LOG_WARNING,
+ "open_session unknown user '%s'", user);
+ return PAM_SESSION_ERR;
+ }
+
command = CMD_NONE;
open_only = 0;
#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
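Review bot: The new pam_modutil_getpwnam check fails the whole session with PAM_SESSION_ERR for any user without a passwd entry, whereas before this hunk such a user was still matched by name through fnmatch; the lookup also runs unconditionally, so configurations that never use a uid range now inherit this fail-closed behaviour. Whether that is intended should be recorded, for example with `/* uid ranges need the numeric uid; refuse the session for unresolvable users rather than leave them unaudited */` above the check. If it is not intended, the lookup could be deferred until parse_uid_range first returns a range kind, with a NULL `pwd` making the range cases not match while glob matching keeps working. pam_sm_open_session starts and ends outside the hunk.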
@@ -237,13 +294,31 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
copy = strdup (strchr (argv[i], '=') + 1);
if (copy == NULL)
return PAM_SESSION_ERR;
- for (tok = strtok_r (copy, ",", &tok_data); tok != NULL;
+ for (tok = strtok_r (copy, ",", &tok_data);
+ tok != NULL && command != this_command;
tok = strtok_r (NULL, ",", &tok_data))
{
- if (fnmatch (tok, user, 0) == 0)
+ uid_t min_uid = 0, max_uid = 0;
+ switch (parse_uid_range(pamh, tok, &min_uid, &max_uid))
{
- command = this_command;
- break;
+ case UID_RANGE_NONE:
+ if (fnmatch (tok, user, 0) == 0)
+ command = this_command;
+ break;
+ case UID_RANGE_MM:
+ if (pwd->pw_uid >= min_uid && pwd->pw_uid <= max_uid)
+ command = this_command;
+ break;
+ case UID_RANGE_MIN:
+ if (pwd->pw_uid >= min_uid)
+ command = this_command;
+ break;
+ case UID_RANGE_ONE:
+ if (pwd->pw_uid == max_uid)
+ command = this_command;
+ break;
+ case UID_RANGE_ERR:
+ break;
}
}
free (copy);
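Review bot: In the UID_RANGE_MM case an inverted range (min_uid greater than max_uid) is accepted by parse_uid_range and then simply never matches here, so a transposed pattern silently disables the auditing the admin meant to enable; reject it where the range is parsed with the same diagnostic style as the other errors, or log it once in this case before falling through. The loop condition `tok != NULL && command != this_command` now stops at the first matching token, which is fine but deserves a comment such as `/* first matching pattern wins for this option */` since the earlier `break` that expressed it is gone. The enclosing for loop over argv and pam_sm_open_session continue outside the hunk.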