summaryrefslogtreecommitdiff
path: root/modules/pam_time
diff options
context:
space:
mode:
Diffstat (limited to 'modules/pam_time')
-rw-r--r--modules/pam_time/README3
-rw-r--r--modules/pam_time/pam_time.8.xml37
-rw-r--r--modules/pam_time/pam_time.c50
3 files changed, 87 insertions, 3 deletions
diff --git a/modules/pam_time/README b/modules/pam_time/README
index abafd936..05eaec2c 100644
--- a/modules/pam_time/README
+++ b/modules/pam_time/README
@@ -14,6 +14,9 @@ from which they are making their request.
By default rules for time/port access are taken from config file /etc/security/
time.conf.
+If Linux PAM is compiled with audit support the module will report when it
+denies access.
+
EXAMPLES
These are some example lines which might be specified in /etc/security/
diff --git a/modules/pam_time/pam_time.8.xml b/modules/pam_time/pam_time.8.xml
index de7bcad3..e0b149a7 100644
--- a/modules/pam_time/pam_time.8.xml
+++ b/modules/pam_time/pam_time.8.xml
@@ -22,6 +22,12 @@
<refsynopsisdiv>
<cmdsynopsis id="pam_time-cmdsynopsis">
<command>pam_time.so</command>
+ <arg choice="opt">
+ debug
+ </arg>
+ <arg choice="opt">
+ noaudit
+ </arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -41,11 +47,40 @@
By default rules for time/port access are taken from config file
<filename>/etc/security/time.conf</filename>.
</para>
+ <para>
+ If Linux PAM is compiled with audit support the module will report
+ when it denies access.
+ </para>
</refsect1>
<refsect1 id="pam_time-options">
<title>OPTIONS</title>
- <para>This module does not recognise any options.</para>
+ <variablelist>
+
+ <varlistentry>
+ <term>
+ <option>debug</option>
+ </term>
+ <listitem>
+ <para>
+ Some debug informations are printed with
+ <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <option>noaudit</option>
+ </term>
+ <listitem>
+ <para>
+ Do not report logins at disallowed time to the audit subsystem.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
</refsect1>
<refsect1 id="pam_time-services">
diff --git a/modules/pam_time/pam_time.c b/modules/pam_time/pam_time.c
index 56b418f4..8e3b2486 100644
--- a/modules/pam_time/pam_time.c
+++ b/modules/pam_time/pam_time.c
@@ -22,9 +22,16 @@
#include <fcntl.h>
#include <netdb.h>
+#ifdef HAVE_LIBAUDIT
+#include <libaudit.h>
+#endif
+
#define PAM_TIME_BUFLEN 1000
#define FIELD_SEPARATOR ';' /* this is new as of .02 */
+#define PAM_DEBUG_ARG 0x0001
+#define PAM_NO_AUDIT 0x0002
+
#ifndef TRUE
# define TRUE 1
#endif
@@ -46,6 +53,29 @@ typedef enum { AND, OR } operator;
#include <security/_pam_macros.h>
#include <security/pam_modules.h>
#include <security/pam_ext.h>
+#include <security/pam_modutil.h>
+
+static int
+_pam_parse (const pam_handle_t *pamh, int argc, const char **argv)
+{
+ int ctrl = 0;
+
+ /* step through arguments */
+ for (; argc-- > 0; ++argv) {
+
+ /* generic options */
+
+ if (!strcmp(*argv, "debug")) {
+ ctrl |= PAM_DEBUG_ARG;
+ } else if (!strcmp(*argv, "noaudit")) {
+ ctrl |= PAM_NO_AUDIT;
+ } else {
+ pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
+ }
+ }
+
+ return ctrl;
+}
/* --- static functions for checking whether the user should be let in --- */
@@ -567,11 +597,15 @@ check_account(pam_handle_t *pamh, const char *service,
PAM_EXTERN int
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED,
- int argc UNUSED, const char **argv UNUSED)
+ int argc, const char **argv)
{
const void *service=NULL, *void_tty=NULL;
const char *tty;
const char *user=NULL;
+ int ctrl;
+ int rv;
+
+ ctrl = _pam_parse(pamh, argc, argv);
/* set service name */
@@ -620,7 +654,19 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED,
D(("user=%s", user));
D(("tty=%s", tty));
- return check_account(pamh, service, tty, user);
+ rv = check_account(pamh, service, tty, user);
+ if (rv != PAM_SUCCESS) {
+#ifdef HAVE_LIBAUDIT
+ if (!(ctrl & PAM_NO_AUDIT)) {
+ pam_modutil_audit_write(pamh, AUDIT_ANOM_LOGIN_TIME,
+ "pam_time", rv); /* ignore return value as we fail anyway */
+ }
+#endif
+ if (ctrl & PAM_DEBUG_ARG) {
+ pam_syslog(pamh, LOG_DEBUG, "user %s rejected", user);
+ }
+ }
+ return rv;
}
/* end of module definition */