diff options
| author | Tomas Mraz <tm@t8m.info> | 2008-01-29 15:09:29 +0000 |
|---|---|---|
| committer | Tomas Mraz <tm@t8m.info> | 2008-01-29 15:09:29 +0000 |
| commit | 7ac2dea8a4726532f775479a44fc4c80404980e2 (patch) | |
| tree | 59729130b960a95673d75f9a5a0172e80ff19af5 /modules/pam_tty_audit | |
| parent | 93852756cbb7f5f003c8ef82d306255ba99200f1 (diff) | |
Relevant BUGIDs:
Purpose of commit: new feature
Commit summary:
---------------
2008-01-29 Miloslav Trmac <mitr@redhat.com>
* modules/pam_tty_audit/README.xml: Add notes section.
* modules/pam_tty_audit/pam_tty_audit.8.xml: Describe patterns
support and open_only option. Add notes.
* modules/pam_tty_audit/pam_tty_audit.c(pam_sm_open_session): Add
support for pattern matching and the open_only option.
Diffstat (limited to 'modules/pam_tty_audit')
| -rw-r--r-- | modules/pam_tty_audit/README.xml | 5 | ||||
| -rw-r--r-- | modules/pam_tty_audit/pam_tty_audit.8.xml | 47 | ||||
| -rw-r--r-- | modules/pam_tty_audit/pam_tty_audit.c | 42 |
3 files changed, 61 insertions, 33 deletions
diff --git a/modules/pam_tty_audit/README.xml b/modules/pam_tty_audit/README.xml index 85b27733..4dad6bbe 100644 --- a/modules/pam_tty_audit/README.xml +++ b/modules/pam_tty_audit/README.xml @@ -25,6 +25,11 @@ <section> <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-notes"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-examples"]/*)'/> </section> diff --git a/modules/pam_tty_audit/pam_tty_audit.8.xml b/modules/pam_tty_audit/pam_tty_audit.8.xml index f65762ad..f6f0602f 100644 --- a/modules/pam_tty_audit/pam_tty_audit.8.xml +++ b/modules/pam_tty_audit/pam_tty_audit.8.xml @@ -19,10 +19,10 @@ <cmdsynopsis id="pam_tty_audit-cmdsynopsis"> <command>pam_tty_audit.so</command> <arg choice="opt"> - disable=<replaceable>usernames</replaceable> + disable=<replaceable>patterns</replaceable> </arg> <arg choice="opt"> - enable=<replaceable>usernames</replaceable> + enable=<replaceable>patterns</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> @@ -40,27 +40,40 @@ <variablelist> <varlistentry> <term> - <option>disable=<replaceable>usernames</replaceable></option> + <option>disable=<replaceable>patterns</replaceable></option> </term> <listitem> <para> - For each user matching one of comma-separated - <option><replaceable>usernames</replaceable></option>, disable + For each user matching one of comma-separated glob + <option><replaceable>patterns</replaceable></option>, disable TTY auditing. This overrides any previous <option>enable</option> - option for the same user name on the command line. + option matchin the same user name on the command line. </para> </listitem> </varlistentry> <varlistentry> <term> - <option>enable=<replaceable>usernames</replaceable></option> + <option>enable=<replaceable>patterns</replaceable></option> </term> <listitem> <para> - For each user matching one of comma-separated - <option><replaceable>usernames</replaceable></option>, enable + For each user matching one of comma-separated glob + <option><replaceable>patterns</replaceable></option>, enable TTY auditing. This overrides any previous <option>disable</option> - option for the same user name on the command line. + option matching the same user name on the command line. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>open_only</option> + </term> + <listitem> + <para> + Set the TTY audit flag when opening the session, but do not restore + it when closing the session. Using this option is necessary for + some services that don't <function>fork()</function> to run the + authenticated session, such as <command>sudo</command>. </para> </listitem> </varlistentry> @@ -99,12 +112,24 @@ </variablelist> </refsect1> + <refsect1 id='pam_tty_audit-notes'> + <title>NOTES</title> + <para> + When TTY auditing is enabled, it is inherited by all processes started by + that user. In particular, daemons restarted by an user will still have + TTY auditing enabled, and audit TTY input even by other users unless + auditing for these users is explicitly disabled. Therefore, it is + recommended to use <option>disable=*</option> as the first option for + most daemons using PAM. + </para> + </refsect1> + <refsect1 id='pam_tty_audit-examples'> <title>EXAMPLES</title> <para> Audit all administrative actions. <programlisting> -session required pam_tty_audit.so enable=root +session required pam_tty_audit.so disable=* enable=root </programlisting> </para> </refsect1> diff --git a/modules/pam_tty_audit/pam_tty_audit.c b/modules/pam_tty_audit/pam_tty_audit.c index 5e6211bc..d57dbbe3 100644 --- a/modules/pam_tty_audit/pam_tty_audit.c +++ b/modules/pam_tty_audit/pam_tty_audit.c @@ -1,4 +1,4 @@ -/* Copyright © 2007 Red Hat, Inc. All rights reserved. +/* Copyright © 2007, 2008 Red Hat, Inc. All rights reserved. Red Hat author: Miloslav Trmač <mitr@redhat.com> Redistribution and use in source and binary forms of Linux-PAM, with @@ -37,7 +37,7 @@ DAMAGE. */ #include <errno.h> -#include <pwd.h> +#include <fnmatch.h> #include <stdlib.h> #include <string.h> #include <syslog.h> @@ -200,9 +200,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) enum command command; struct audit_tty_status *old_status, new_status; const char *user; - uid_t user_uid; - struct passwd *pwd; - int i, fd; + int i, fd, open_only; (void)flags; @@ -211,15 +209,9 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) pam_syslog (pamh, LOG_ERR, "error determining target user's name"); return PAM_SESSION_ERR; } - pwd = pam_modutil_getpwnam (pamh, user); - if (pwd == NULL) - { - pam_syslog (pamh, LOG_ERR, "error determining target user's UID: %m"); - return PAM_SESSION_ERR; - } - user_uid = pwd->pw_uid; command = CMD_NONE; + open_only = 0; for (i = 0; i < argc; i++) { if (strncmp (argv[i], "enable=", 7) == 0 @@ -235,13 +227,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) for (tok = strtok_r (copy, ",", &tok_data); tok != NULL; tok = strtok_r (NULL, ",", &tok_data)) { - pwd = pam_modutil_getpwnam (pamh, tok); - if (pwd == NULL) - { - pam_syslog (pamh, LOG_WARNING, "unknown user %s", tok); - continue; - } - if (pwd->pw_uid == user_uid) + if (fnmatch (tok, user, 0) == 0) { command = this_command; break; @@ -249,6 +235,13 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) } free (copy); } + else if (strcmp (argv[i], "open_only") == 0) + open_only = 1; + else + { + pam_syslog (pamh, LOG_ERR, "unknown option `%s'", argv[i]); + return PAM_SESSION_ERR; + } } if (command == CMD_NONE) return PAM_SUCCESS; @@ -269,13 +262,15 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) return PAM_SESSION_ERR; } - if (old_status->enabled == (command == CMD_ENABLE ? 1 : 0)) + new_status.enabled = (command == CMD_ENABLE ? 1 : 0); + if (old_status->enabled == new_status.enabled) { free (old_status); goto ok_fd; } - if (pam_set_data (pamh, DATANAME, old_status, cleanup_old_status) + if (open_only == 0 + && pam_set_data (pamh, DATANAME, old_status, cleanup_old_status) != PAM_SUCCESS) { pam_syslog (pamh, LOG_ERR, "error saving old audit status"); @@ -284,13 +279,14 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) return PAM_SESSION_ERR; } - new_status.enabled = (command == CMD_ENABLE ? 1 : 0); if (nl_send (fd, AUDIT_TTY_SET, NLM_F_ACK, &new_status, sizeof (new_status)) != 0 || nl_recv_ack (fd) != 0) { pam_syslog (pamh, LOG_ERR, "error setting current audit status: %m"); close (fd); + if (open_only != 0) + free (old_status); return PAM_SESSION_ERR; } /* Fall through */ @@ -298,6 +294,8 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) close (fd); pam_syslog (pamh, LOG_DEBUG, "changed status from %d to %d", old_status->enabled, new_status.enabled); + if (open_only != 0) + free (old_status); return PAM_SUCCESS; } |