diff options
Diffstat (limited to 'modules/pam_sepermit')
-rw-r--r-- | modules/pam_sepermit/.cvsignore | 10 | ||||
-rw-r--r-- | modules/pam_sepermit/Makefile.am | 43 | ||||
-rw-r--r-- | modules/pam_sepermit/README.xml | 41 | ||||
-rw-r--r-- | modules/pam_sepermit/pam_sepermit.8.xml | 189 | ||||
-rw-r--r-- | modules/pam_sepermit/pam_sepermit.c | 405 | ||||
-rw-r--r-- | modules/pam_sepermit/sepermit.conf | 11 | ||||
-rwxr-xr-x | modules/pam_sepermit/tst-pam_sepermit | 2 |
7 files changed, 0 insertions, 701 deletions
diff --git a/modules/pam_sepermit/.cvsignore b/modules/pam_sepermit/.cvsignore deleted file mode 100644 index 258e7207..00000000 --- a/modules/pam_sepermit/.cvsignore +++ /dev/null @@ -1,10 +0,0 @@ -*.la -*.lo -*.so -*~ -.deps -.libs -Makefile -Makefile.in -README -pam_sepermit.8 diff --git a/modules/pam_sepermit/Makefile.am b/modules/pam_sepermit/Makefile.am deleted file mode 100644 index 579e142f..00000000 --- a/modules/pam_sepermit/Makefile.am +++ /dev/null @@ -1,43 +0,0 @@ -# -# Copyright (c) 2005, 2006, 2007 Thorsten Kukuk <kukuk@thkukuk.de> -# Copyright (c) 2008 Red Hat, Inc. -# - -CLEANFILES = *~ -MAINTAINERCLEANFILES = $(MANS) README - -EXTRA_DIST = README $(XMLS) pam_sepermit.8 sepermit.conf tst-pam_sepermit - -if HAVE_LIBSELINUX - TESTS = tst-pam_sepermit - man_MANS = pam_sepermit.8 -endif - -XMLS = README.xml pam_sepermit.8.xml - -securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -sepermitlockdir = ${localstatedir}/run/sepermit - -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -I$(top_srcdir)/libpam_misc/include \ - -D SEPERMIT_CONF_FILE=\"$(SCONFIGDIR)/sepermit.conf\" \ - -D SEPERMIT_LOCKDIR=\"$(sepermitlockdir)\" - -pam_sepermit_la_LIBADD = -L$(top_builddir)/libpam -lpam @LIBSELINUX@ -pam_sepermit_la_LDFLAGS = -no-undefined -avoid-version -module -if HAVE_VERSIONING - pam_sepermit_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map -endif - -if HAVE_LIBSELINUX - secureconf_DATA = sepermit.conf - sepermitlock_DATA = - - securelib_LTLIBRARIES = pam_sepermit.la -endif -if ENABLE_REGENERATE_MAN -noinst_DATA = README pam_sepermit.8 -README: pam_sepermit.8.xml --include $(top_srcdir)/Make.xml.rules -endif diff --git a/modules/pam_sepermit/README.xml b/modules/pam_sepermit/README.xml deleted file mode 100644 index bb65951c..00000000 --- a/modules/pam_sepermit/README.xml +++ /dev/null @@ -1,41 +0,0 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_sepermit.8.xml"> ---> -]> - -<article> - - <articleinfo> - - <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_sepermit.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_sepermit-name"]/*)'/> - </title> - - </articleinfo> - - <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-description"]/*)'/> - </section> - - <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-options"]/*)'/> - </section> - - <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-examples"]/*)'/> - </section> - - <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-author"]/*)'/> - </section> - -</article> diff --git a/modules/pam_sepermit/pam_sepermit.8.xml b/modules/pam_sepermit/pam_sepermit.8.xml deleted file mode 100644 index c2546b62..00000000 --- a/modules/pam_sepermit/pam_sepermit.8.xml +++ /dev/null @@ -1,189 +0,0 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_sepermit"> - - <refmeta> - <refentrytitle>pam_sepermit</refentrytitle> - <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id="pam_sepermit-name"> - <refname>pam_sepermit</refname> - <refpurpose>PAM module to allow/deny login depending on SELinux enforcement state</refpurpose> - </refnamediv> - - <refsynopsisdiv> - <cmdsynopsis id="pam_sepermit-cmdsynopsis"> - <command>pam_sepermit.so</command> - <arg choice="opt"> - debug - </arg> - <arg choice="opt"> - conf=<replaceable>/path/to/config/file</replaceable> - </arg> - </cmdsynopsis> - </refsynopsisdiv> - - <refsect1 id="pam_sepermit-description"> - <title>DESCRIPTION</title> - <para> - The pam_sepermit module allows or denies login depending on SELinux - enforcement state. - </para> - <para> - When the user which is logging in matches an entry in the config file - he is allowed access only when the SELinux is in enforcing mode. Otherwise - he is denied access. For users not matching any entry in the config file - the pam_sepermit module returns PAM_IGNORE return value. - </para> - <para> - The config file contains a simple list of user names one per line. If the - <replaceable>name</replaceable> is prefixed with <emphasis>@</emphasis> character it means that all - users in the group <replaceable>name</replaceable> match. If it is prefixed - with a <emphasis>%</emphasis> character the SELinux user is used to match against the <replaceable>name</replaceable> - instead of the account name. Note that when SELinux is disabled the - SELinux user assigned to the account cannot be determined. This means that - such entries are never matched when SELinux is disabled and pam_sepermit - will return PAM_IGNORE. - </para> - <para> - Each user name in the configuration file can have optional arguments separated - by <emphasis>:</emphasis> character. The only currently recognized argument is <emphasis>exclusive</emphasis>. - The pam_sepermit module will allow only single concurrent user session for - the user with this argument specified and it will attempt to kill all processes - of the user after logout. - </para> - </refsect1> - - <refsect1 id="pam_sepermit-options"> - <title>OPTIONS</title> - <variablelist> - <varlistentry> - <term> - <option>debug</option> - </term> - <listitem> - <para> - Turns on debugging via - <citerefentry> - <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <option>conf=<replaceable>/path/to/config/file</replaceable></option> - </term> - <listitem> - <para> - Path to alternative config file overriding the default. - </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id="pam_sepermit-services"> - <title>MODULE SERVICES PROVIDED</title> - <para> - Only the <option>auth</option> and <option>account</option> - services are supported. - </para> - </refsect1> - - <refsect1 id='pam_sepermit-return_values'> - <title>RETURN VALUES</title> - <variablelist> - <varlistentry> - <term>PAM_AUTH_ERR</term> - <listitem> - <para> - SELinux is disabled or in the permissive mode and the user - matches. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SUCCESS</term> - <listitem> - <para> - SELinux is in the enforcing mode and the user matches. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_IGNORE</term> - <listitem> - <para> - The user does not match any entry in the config file. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_USER_UNKNOWN</term> - <listitem> - <para> - The module was unable to determine the user's name. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SERVICE_ERR</term> - <listitem> - <para> - Error during reading or parsing the config file. - </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id="pam_sepermit-files"> - <title>FILES</title> - <variablelist> - <varlistentry> - <term><filename>/etc/security/sepermit.conf</filename></term> - <listitem> - <para>Default configuration file</para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id='pam_sepermit-examples'> - <title>EXAMPLES</title> - <programlisting> -auth [success=done ignore=ignore default=bad] pam_sepermit.so -auth required pam_unix.so -account required pam_unix.so -session required pam_permit.so - </programlisting> - </refsect1> - - <refsect1 id='pam_sepermit-see_also'> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> - </para> - </refsect1> - - <refsect1 id='pam_sepermit-author'> - <title>AUTHOR</title> - <para> - pam_sepermit was written by Tomas Mraz <tmraz@redhat.com>. - </para> - </refsect1> - -</refentry> diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c deleted file mode 100644 index 47f95030..00000000 --- a/modules/pam_sepermit/pam_sepermit.c +++ /dev/null @@ -1,405 +0,0 @@ -/****************************************************************************** - * A module for Linux-PAM that allows/denies acces based on SELinux state. - * - * Copyright (c) 2007, 2008 Red Hat, Inc. - * Originally written by Tomas Mraz <tmraz@redhat.com> - * Contributions by Dan Walsh <dwalsh@redhat.com> - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#include "config.h" - -#include <errno.h> -#include <pwd.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <syslog.h> -#include <ctype.h> -#include <signal.h> -#include <limits.h> -#include <sys/types.h> -#include <sys/stat.h> -#include <fcntl.h> -#include <unistd.h> -#include <pwd.h> -#include <dirent.h> - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT - -#include <security/pam_modules.h> -#include <security/_pam_macros.h> -#include <security/pam_modutil.h> -#include <security/pam_ext.h> - -#include <selinux/selinux.h> - -#define MODULE "pam_sepermit" -#define OPT_DELIM ":" - -struct lockfd { - uid_t uid; - int fd; - int debug; -}; - -#define PROC_BASE "/proc" -#define MAX_NAMES (int)(sizeof(unsigned long)*8) - -static int -match_process_uid(pid_t pid, uid_t uid) -{ - char buf[128]; - uid_t puid; - FILE *f; - int re = 0; - - snprintf (buf, sizeof buf, PROC_BASE "/%d/status", pid); - if (!(f = fopen (buf, "r"))) - return 0; - - while (fgets(buf, sizeof buf, f)) { - if (sscanf (buf, "Uid:\t%d", &puid)) { - re = uid == puid; - break; - } - } - fclose(f); - return re; -} - -static int -check_running (pam_handle_t *pamh, uid_t uid, int killall, int debug) -{ - DIR *dir; - struct dirent *de; - pid_t *pid_table, pid, self; - int i; - int pids, max_pids; - int running = 0; - self = getpid(); - if (!(dir = opendir(PROC_BASE))) { - pam_syslog(pamh, LOG_ERR, "Failed to open proc directory file %s:", PROC_BASE); - return -1; - } - max_pids = 256; - pid_table = malloc(max_pids * sizeof (pid_t)); - if (!pid_table) { - pam_syslog(pamh, LOG_CRIT, "Memory allocation error"); - return -1; - } - pids = 0; - while ((de = readdir (dir)) != NULL) { - if (!(pid = (pid_t)atoi(de->d_name)) || pid == self) - continue; - - if (pids == max_pids) { - if (!(pid_table = realloc(pid_table, 2*pids*sizeof(pid_t)))) { - pam_syslog(pamh, LOG_CRIT, "Memory allocation error"); - return -1; - } - max_pids *= 2; - } - pid_table[pids++] = pid; - } - - (void)closedir(dir); - - for (i = 0; i < pids; i++) { - pid_t id; - - if (match_process_uid(pid_table[i], uid) == 0) - continue; - id = pid_table[i]; - - if (killall) { - if (debug) - pam_syslog(pamh, LOG_NOTICE, "Attempting to kill %d", id); - kill(id, SIGKILL); - } - running++; - } - - free(pid_table); - return running; -} - -static void -sepermit_unlock(pam_handle_t *pamh, void *plockfd, int error_status UNUSED) -{ - struct lockfd *lockfd = plockfd; - struct flock fl; - - memset(&fl, 0, sizeof(fl)); - fl.l_type = F_UNLCK; - fl.l_whence = SEEK_SET; - - if (lockfd->debug) - pam_syslog(pamh, LOG_ERR, "Unlocking fd: %d uid: %d", lockfd->fd, lockfd->uid); - - /* Don't kill uid==0 */ - if (lockfd->uid) - /* This is a DOS but it prevents an app from forking to prevent killing */ - while(check_running(pamh, lockfd->uid, 1, lockfd->debug) > 0) - continue; - - fcntl(lockfd->fd, F_SETLK, &fl); - close(lockfd->fd); - free(lockfd); -} - -static int -sepermit_lock(pam_handle_t *pamh, const char *user, int debug) -{ - char buf[PATH_MAX]; - struct flock fl; - - memset(&fl, 0, sizeof(fl)); - fl.l_type = F_WRLCK; - fl.l_whence = SEEK_SET; - - struct passwd *pw = pam_modutil_getpwnam( pamh, user ); - if (!pw) { - pam_syslog(pamh, LOG_ERR, "Unable to find uid for user %s", user); - return -1; - } - if (check_running(pamh, pw->pw_uid, 0, debug) > 0) { - pam_syslog(pamh, LOG_ERR, "User %s processes are running. Exclusive login not allowed", user); - return -1; - } - - snprintf(buf, sizeof(buf), "%s/%d.lock", SEPERMIT_LOCKDIR, pw->pw_uid); - int fd = open(buf, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR); - if (fd < 0) { - pam_syslog(pamh, LOG_ERR, "Unable to open lock file %s/%d.lock", SEPERMIT_LOCKDIR, pw->pw_uid); - return -1; - } - - if (fcntl(fd, F_SETLK, &fl) == -1) { - pam_syslog(pamh, LOG_ERR, "User %s with exclusive login already logged in", user); - close(fd); - return -1; - } - struct lockfd *lockfd=calloc(1, sizeof(struct lockfd)); - if (!lockfd) { - close(fd); - pam_syslog(pamh, LOG_CRIT, "Memory allocation error"); - return -1; - } - lockfd->uid = pw->pw_uid; - lockfd->debug = debug; - lockfd->fd=fd; - pam_set_data(pamh, MODULE, lockfd, sepermit_unlock); - return 0; -} - -/* return 0 when matched, -1 when unmatched, pam error otherwise */ -static int -sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user, - const char *seuser, int debug) -{ - FILE *f; - char *line = NULL; - char *start; - size_t len = 0; - int matched = 0; - int exclusive = 0; - - f = fopen(cfgfile, "r"); - - if (!f) { - pam_syslog(pamh, LOG_ERR, "Failed to open config file %s: %m", cfgfile); - return PAM_SERVICE_ERR; - } - - while (!matched && getline(&line, &len, f) != -1) { - size_t n; - char *sptr; - char *opt; - - if (line[0] == '#') - continue; - - start = line; - while (isspace(*start)) - ++start; - n = strlen(start); - while (n > 0 && isspace(start[n-1])) { - --n; - } - if (n == 0) - continue; - - start[n] = '\0'; - start = strtok_r(start, OPT_DELIM, &sptr); - - switch (start[0]) { - case '@': - ++start; - if (debug) - pam_syslog(pamh, LOG_NOTICE, "Matching user %s against group %s", user, start); - if (pam_modutil_user_in_group_nam_nam(pamh, user, start)) { - matched = 1; - } - break; - case '%': - ++start; - if (debug) - pam_syslog(pamh, LOG_NOTICE, "Matching seuser %s against seuser %s", seuser, start); - if (strcmp(seuser, start) == 0) { - matched = 1; - } - break; - default: - if (debug) - pam_syslog(pamh, LOG_NOTICE, "Matching user %s against user %s", user, start); - if (strcmp(user, start) == 0) { - matched = 1; - } - } - if (matched) - while ((opt=strtok_r(NULL, OPT_DELIM, &sptr)) != NULL) { - if (strcmp(opt, "exclusive") == 0) - exclusive = 1; - else if (debug) { - pam_syslog(pamh, LOG_NOTICE, "Unknown user option: %s", opt); - } - } - } - - free(line); - fclose(f); - if (matched) - return exclusive ? sepermit_lock(pamh, user, debug) : 0; - else - return -1; -} - -PAM_EXTERN int -pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, - int argc, const char **argv) -{ - int i; - int rv; - int debug = 0; - int sense = PAM_AUTH_ERR; - const char *user = NULL; - char *seuser = NULL; - char *level = NULL; - const char *cfgfile = SEPERMIT_CONF_FILE; - - /* Parse arguments. */ - for (i = 0; i < argc; i++) { - if (strcmp(argv[i], "debug") == 0) { - debug = 1; - } - if (strcmp(argv[i], "conf=") == 0) { - cfgfile = argv[i] + 5; - } - } - - if (debug) - pam_syslog(pamh, LOG_NOTICE, "Parsing config file: %s", cfgfile); - - if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL - || *user == '\0') { - pam_syslog(pamh, LOG_ERR, "Cannot determine the user's name"); - return PAM_USER_UNKNOWN; - } - - if (is_selinux_enabled() > 0) { - if (security_getenforce() == 1) { - if (debug) - pam_syslog(pamh, LOG_NOTICE, "Enforcing mode, access will be allowed on match"); - sense = PAM_SUCCESS; - } - - if (getseuserbyname(user, &seuser, &level) != 0) { - seuser = NULL; - level = NULL; - pam_syslog(pamh, LOG_ERR, "getseuserbyname failed: %m"); - } - } - - if (debug && sense != PAM_SUCCESS) - pam_syslog(pamh, LOG_NOTICE, "Access will not be allowed on match"); - - rv = sepermit_match(pamh, cfgfile, user, seuser, debug); - - if (debug) - pam_syslog(pamh, LOG_NOTICE, "sepermit_match returned: %d", rv); - - free(seuser); - free(level); - - switch (rv) { - case -1: - return PAM_IGNORE; - case 0: - return sense; - } - - return rv; -} - -PAM_EXTERN int -pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED, - int argc UNUSED, const char **argv UNUSED) -{ - return PAM_IGNORE; -} - -PAM_EXTERN int -pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ - return pam_sm_authenticate(pamh, flags, argc, argv); -} - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_sepermit_modstruct = { - "pam_sepermit", - pam_sm_authenticate, - pam_sm_setcred, - pam_sm_acct_mgmt, - NULL, - NULL, - NULL -}; -#endif - diff --git a/modules/pam_sepermit/sepermit.conf b/modules/pam_sepermit/sepermit.conf deleted file mode 100644 index 951f3dfe..00000000 --- a/modules/pam_sepermit/sepermit.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/security/sepermit.conf -# -# Each line contains either: -# - an user name -# - a group name, with @group syntax -# - a SELinux user name, with %seuser syntax -# Each line can contain optional arguments separated by : -# The possible arguments are: -# - exclusive - only single login session will -# be allowed for the user and the user's processes -# will be killed on logout diff --git a/modules/pam_sepermit/tst-pam_sepermit b/modules/pam_sepermit/tst-pam_sepermit deleted file mode 100755 index 6e6d2363..00000000 --- a/modules/pam_sepermit/tst-pam_sepermit +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/sh -../../tests/tst-dlopen .libs/pam_sepermit.so |