-rw-r--r--ChangeLog10
-rw-r--r--modules/pam_sepermit/Makefile.am10
-rw-r--r--modules/pam_sepermit/pam_sepermit.8.xml19
-rw-r--r--modules/pam_sepermit/pam_sepermit.c22
-rw-r--r--modules/pam_sepermit/sepermit.conf.5.xml110
5 files changed, 151 insertions, 20 deletions
diff --git a/ChangeLog b/ChangeLog
index 80308260..2295c747 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2009-11-02 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_sepermit/Makefile.am: Add sepermit.conf(5) manual page.
+ * modules/pam_sepermit/pam_sepermit.8.xml: Add reference to
+ sepermit.conf(5). Drop some redundant text.
+ * modules/pam_sepermit/sepermit.conf.5.xml: New file.
+
+ * modules/pam_sepermit/pam_sepermit.c(sepermit_match): Implement the ignore
+ option in sepermit.conf.
+
2009-10-29 Tomas Mraz <t8m@centrum.cz>
* modules/pam_xauth/Makefile.am: Link with libselinux.
diff --git a/modules/pam_sepermit/Makefile.am b/modules/pam_sepermit/Makefile.am
index 579e142f..9211a938 100644
--- a/modules/pam_sepermit/Makefile.am
+++ b/modules/pam_sepermit/Makefile.am
@@ -1,19 +1,19 @@
#
# Copyright (c) 2005, 2006, 2007 Thorsten Kukuk <kukuk@thkukuk.de>
-# Copyright (c) 2008 Red Hat, Inc.
+# Copyright (c) 2008, 2009 Red Hat, Inc.
#
CLEANFILES = *~
MAINTAINERCLEANFILES = $(MANS) README
-EXTRA_DIST = README $(XMLS) pam_sepermit.8 sepermit.conf tst-pam_sepermit
+EXTRA_DIST = README $(XMLS) pam_sepermit.8 sepermit.conf sepermit.conf.5 tst-pam_sepermit
if HAVE_LIBSELINUX
TESTS = tst-pam_sepermit
- man_MANS = pam_sepermit.8
+ man_MANS = pam_sepermit.8 sepermit.conf.5
endif
-XMLS = README.xml pam_sepermit.8.xml
+XMLS = README.xml pam_sepermit.8.xml sepermit.conf.5.xml
securelibdir = $(SECUREDIR)
secureconfdir = $(SCONFIGDIR)
@@ -37,7 +37,7 @@ if HAVE_LIBSELINUX
securelib_LTLIBRARIES = pam_sepermit.la
endif
if ENABLE_REGENERATE_MAN
-noinst_DATA = README pam_sepermit.8
+noinst_DATA = README pam_sepermit.8 sepermit.conf.5
README: pam_sepermit.8.xml
-include $(top_srcdir)/Make.xml.rules
endif
diff --git a/modules/pam_sepermit/pam_sepermit.8.xml b/modules/pam_sepermit/pam_sepermit.8.xml
index 36730721..30d9cc54 100644
--- a/modules/pam_sepermit/pam_sepermit.8.xml
+++ b/modules/pam_sepermit/pam_sepermit.8.xml
@@ -40,7 +40,7 @@
the pam_sepermit module returns PAM_IGNORE return value.
</para>
<para>
- The config file contains a simple list of user names one per line. If the
+ The config file contains a list of user names one per line with optional arguments. If the
<replaceable>name</replaceable> is prefixed with <emphasis>@</emphasis> character it means that all
users in the group <replaceable>name</replaceable> match. If it is prefixed
with a <emphasis>%</emphasis> character the SELinux user is used to match against the <replaceable>name</replaceable>
@@ -50,12 +50,11 @@
will return PAM_IGNORE.
</para>
<para>
- Each user name in the configuration file can have optional arguments separated
- by <emphasis>:</emphasis> character. The only currently recognized argument is <emphasis>exclusive</emphasis>.
- The pam_sepermit module will allow only single concurrent user session for
- the user with this argument specified and it will attempt to kill all processes
- of the user after logout.
+ See <citerefentry>
+ <refentrytitle>sepermit.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry> for details.
</para>
+
</refsect1>
<refsect1 id="pam_sepermit-options">
@@ -168,6 +167,9 @@ session required pam_permit.so
<title>SEE ALSO</title>
<para>
<citerefentry>
+ <refentrytitle>sepermit.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
@@ -176,13 +178,16 @@ session required pam_permit.so
<citerefentry>
<refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>
+ <citerefentry>
+ <refentrytitle>selinux</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>
</para>
</refsect1>
<refsect1 id='pam_sepermit-author'>
<title>AUTHOR</title>
<para>
- pam_sepermit was written by Tomas Mraz &lt;tmraz@redhat.com&gt;.
+ pam_sepermit and this manual page were written by Tomas Mraz &lt;tmraz@redhat.com&gt;.
</para>
</refsect1>
diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c
index 0fd95619..df0a2b1c 100644
--- a/modules/pam_sepermit/pam_sepermit.c
+++ b/modules/pam_sepermit/pam_sepermit.c
@@ -1,7 +1,7 @@
/******************************************************************************
* A module for Linux-PAM that allows/denies acces based on SELinux state.
*
- * Copyright (c) 2007, 2008 Red Hat, Inc.
+ * Copyright (c) 2007, 2008, 2009 Red Hat, Inc.
* Originally written by Tomas Mraz <tmraz@redhat.com>
* Contributions by Dan Walsh <dwalsh@redhat.com>
*
@@ -231,7 +231,7 @@ sepermit_lock(pam_handle_t *pamh, const char *user, int debug)
/* return 0 when matched, -1 when unmatched, pam error otherwise */
static int
sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
- const char *seuser, int debug, int sense)
+ const char *seuser, int debug, int *sense)
{
FILE *f;
char *line = NULL;
@@ -239,6 +239,7 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
size_t len = 0;
int matched = 0;
int exclusive = 0;
+ int ignore = 0;
f = fopen(cfgfile, "r");
@@ -284,7 +285,7 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
if (debug)
pam_syslog(pamh, LOG_NOTICE, "Matching seuser %s against seuser %s", seuser, start);
if (strcmp(seuser, start) == 0) {
- matched = 1;
+ matched = 1;
}
break;
default:
@@ -298,6 +299,8 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
while ((opt=strtok_r(NULL, OPT_DELIM, &sptr)) != NULL) {
if (strcmp(opt, "exclusive") == 0)
exclusive = 1;
+ else if (strcmp(opt, "ignore") == 0)
+ ignore = 1;
else if (debug) {
pam_syslog(pamh, LOG_NOTICE, "Unknown user option: %s", opt);
}
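Review bot: An unrecognized option is still reported only when debug is set (the `else if (debug)` branch directly after the new `ignore` test), and with this commit a misspelling of `ignore` stops being harmless: the entry silently keeps its default behaviour, which as far as the visible code and the new man page show is a PAM_SUCCESS match in enforcing mode, exactly the outcome the administrator meant to rule out for that user. I would log the unknown option unconditionally, e.g. `else pam_syslog(pamh, LOG_ERR, "Unknown user option: %s", opt);`, so a typo in sepermit.conf shows up in the log at the first login instead of only under debug. Whether an unknown option should additionally make the entry a non-match is a policy choice, but the decision deserves a comment either way. The enclosing loop and sepermit_match continue outside this hunk.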
@@ -307,10 +310,13 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
free(line);
fclose(f);
if (matched) {
- if (sense == PAM_SUCCESS && geteuid() == 0 && exclusive)
- return sepermit_lock(pamh, user, debug);
- else
- return 0;
+ if (*sense == PAM_SUCCESS) {
+ if (ignore)
+ *sense = PAM_IGNORE;
+ if (geteuid() == 0 && exclusive)
+ return sepermit_lock(pamh, user, debug);
+ }
+ return 0;
}
else
return -1;
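Review bot: sepermit_match now writes through `sense` (`*sense = PAM_IGNORE` when the matched entry carries ignore), but the comment heading the function in the earlier hunk at -231, `/* return 0 when matched, -1 when unmatched, pam error otherwise */`, still documents only the return code; I would extend it to `/* return 0 when matched, -1 when unmatched, pam error otherwise; on a match carrying the ignore option *sense is downgraded from PAM_SUCCESS to PAM_IGNORE */`. The new block also still calls sepermit_lock for an entry that has both `ignore` and `exclusive`, so the lock is taken, and a lock failure returned, for a user this module will not itself authenticate; if that is intended (the session limit applying regardless of which module authenticates), a one-line comment such as `/* exclusive applies even when the result is PAM_IGNORE */` would spare the next reader the question, since neither man page says which option wins. The function's body begins before this hunk.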
@@ -365,7 +371,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
if (debug && sense != PAM_SUCCESS)
pam_syslog(pamh, LOG_NOTICE, "Access will not be allowed on match");
- rv = sepermit_match(pamh, cfgfile, user, seuser, debug, sense);
+ rv = sepermit_match(pamh, cfgfile, user, seuser, debug, &sense);
if (debug)
pam_syslog(pamh, LOG_NOTICE, "sepermit_match returned: %d", rv);
diff --git a/modules/pam_sepermit/sepermit.conf.5.xml b/modules/pam_sepermit/sepermit.conf.5.xml
new file mode 100644
index 00000000..511480f6
--- /dev/null
+++ b/modules/pam_sepermit/sepermit.conf.5.xml
@@ -0,0 +1,110 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+
+<refentry id="sepermit.conf">
+
+ <refmeta>
+ <refentrytitle>sepermit.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname>sepermit.conf</refname>
+ <refpurpose>configuration file for the pam_sepermit module</refpurpose>
+ </refnamediv>
+
+ <refsect1 id='sepermit.conf-description'>
+ <title>DESCRIPTION</title>
+ <para>
+ The lines of the configuration file have the following syntax:
+ </para>
+ <para>
+ <replaceable>&lt;user&gt;</replaceable>[:<replaceable>&lt;option&gt;</replaceable>:<replaceable>&lt;option&gt;</replaceable>...]
+ </para>
+ <para>
+ The <emphasis remap='B'>user</emphasis> can be specified in the following manner:
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ a username
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ a groupname, with <emphasis remap='B'>@group</emphasis> syntax.
+ This should not be confused with netgroups.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ a SELinux user name with <emphasis remap='B'>%seuser</emphasis> syntax.
+ </para>
+ </listitem>
+ </itemizedlist>
+
+ <para>
+ The recognized options are:
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>exclusive</option></term>
+ <listitem>
+ <para>
+ Only single login session will be allowed for the user
+ and the user's processes will be killed on logout.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>ignore</option></term>
+ <listitem>
+ <para>
+ The module will never return PAM_SUCCESS status for the user.
+ It will return PAM_IGNORE if SELinux is in the enforcing mode,
+ and PAM_AUTH_ERR otherwise. It is useful if you want to support
+ passwordless guest users and other confined users with passwords
+ simultaneously.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+
+ <para>
+ The lines which start with # character are comments and are ignored.
+ </para>
+ </refsect1>
+
+ <refsect1 id="sepermit.conf-examples">
+ <title>EXAMPLES</title>
+ <para>
+ These are some example lines which might be specified in
+ <filename>/etc/security/sepermit.conf</filename>.
+ </para>
+ <programlisting>
+%guest_u:exclusive
+%staff_u:ignore
+%user_u:ignore
+ </programlisting>
+ </refsect1>
+
+ <refsect1 id="sepermit.conf-see_also">
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry><refentrytitle>pam_sepermit</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>selinux</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ </para>
+ </refsect1>
+
+ <refsect1 id="sepermit.conf-author">
+ <title>AUTHOR</title>
+ <para>
+ pam_sepermit and this manual page were written by Tomas Mraz &lt;tmraz@redhat.com&gt;
+ </para>
+ </refsect1>
+</refentry>