Diffstat (limited to 'modules/pam_time')
-rw-r--r-- | modules/pam_time/README | 3 | ||||
-rw-r--r-- | modules/pam_time/pam_time.8.xml | 37 | ||||
-rw-r--r-- | modules/pam_time/pam_time.c | 50 |
3 files changed, 87 insertions, 3 deletions
diff --git a/modules/pam_time/README b/modules/pam_time/README index abafd936..05eaec2c 100644 --- a/modules/pam_time/README +++ b/modules/pam_time/README @@ -14,6 +14,9 @@ from which they are making their request. By default rules for time/port access are taken from config file /etc/security/ time.conf. +If Linux PAM is compiled with audit support the module will report when it +denies access. + EXAMPLES These are some example lines which might be specified in /etc/security/ diff --git a/modules/pam_time/pam_time.8.xml b/modules/pam_time/pam_time.8.xml index de7bcad3..e0b149a7 100644 --- a/modules/pam_time/pam_time.8.xml +++ b/modules/pam_time/pam_time.8.xml @@ -22,6 +22,12 @@ <refsynopsisdiv> <cmdsynopsis id="pam_time-cmdsynopsis"> <command>pam_time.so</command> + <arg choice="opt"> + debug + </arg> + <arg choice="opt"> + noaudit + </arg> </cmdsynopsis> </refsynopsisdiv> @@ -41,11 +47,40 @@ By default rules for time/port access are taken from config file <filename>/etc/security/time.conf</filename>. </para> + <para> + If Linux PAM is compiled with audit support the module will report + when it denies access. + </para> </refsect1> <refsect1 id="pam_time-options"> <title>OPTIONS</title> - <para>This module does not recognise any options.</para> + <variablelist> + + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + Some debug informations are printed with + <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>noaudit</option> + </term> + <listitem> + <para> + Do not report logins at disallowed time to the audit subsystem. + </para> + </listitem> + </varlistentry> + + </variablelist> </refsect1> <refsect1 id="pam_time-services"> diff --git a/modules/pam_time/pam_time.c b/modules/pam_time/pam_time.c index 56b418f4..8e3b2486 100644 --- a/modules/pam_time/pam_time.c +++ b/modules/pam_time/pam_time.c 
@@ -22,9 +22,16 @@ #include <fcntl.h> #include <netdb.h> +#ifdef HAVE_LIBAUDIT +#include <libaudit.h> +#endif + #define PAM_TIME_BUFLEN 1000 #define FIELD_SEPARATOR ';' /* this is new as of .02 */ +#define PAM_DEBUG_ARG 0x0001 +#define PAM_NO_AUDIT 0x0002 + #ifndef TRUE # define TRUE 1 #endif @@ -46,6 +53,29 @@ typedef enum { AND, OR } operator; #include <security/_pam_macros.h> #include <security/pam_modules.h> #include <security/pam_ext.h> +#include <security/pam_modutil.h> + +static int +_pam_parse (const pam_handle_t *pamh, int argc, const char **argv) +{ + int ctrl = 0; + + /* step through arguments */ + for (; argc-- > 0; ++argv) { + + /* generic options */ + + if (!strcmp(*argv, "debug")) { + ctrl |= PAM_DEBUG_ARG; + } else if (!strcmp(*argv, "noaudit")) { + ctrl |= PAM_NO_AUDIT; + } else { + pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); + } + } + + return ctrl; +} /* --- static functions for checking whether the user should be let in --- */ @@ -567,11 +597,15 @@ check_account(pam_handle_t *pamh, const char *service, PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, - int argc UNUSED, const char **argv UNUSED) + int argc, const char **argv) { const void *service=NULL, *void_tty=NULL; const char *tty; const char *user=NULL; + int ctrl; + int rv; + + ctrl = _pam_parse(pamh, argc, argv); /* set service name */ @@ -620,7 +654,19 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, D(("user=%s", user)); D(("tty=%s", tty)); - return check_account(pamh, service, tty, user); + rv = check_account(pamh, service, tty, user); + if (rv != PAM_SUCCESS) { +#ifdef HAVE_LIBAUDIT + if (!(ctrl & PAM_NO_AUDIT)) { + pam_modutil_audit_write(pamh, AUDIT_ANOM_LOGIN_TIME, + "pam_time", rv); /* ignore return value as we fail anyway */ + } +#endif + if (ctrl & PAM_DEBUG_ARG) { + pam_syslog(pamh, LOG_DEBUG, "user %s rejected", user); + } + } + return rv; } /* end of module definition */ |
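Review bot: The audit record at the end of pam_sm_acct_mgmt is keyed on `rv != PAM_SUCCESS`, so every failure check_account reports (its body is outside this hunk) is emitted as AUDIT_ANOM_LOGIN_TIME, even when the cause is a configuration or parsing problem rather than a time-rule denial. If check_account can return anything other than PAM_PERM_DENIED, the guard around the audit call should be `if (rv == PAM_PERM_DENIED && !(ctrl & PAM_NO_AUDIT))` so the anomaly type means what it says, and the debug line should name the reason, e.g. `pam_syslog(pamh, LOG_DEBUG, "user %s rejected (%s)", user, pam_strerror(pamh, rv));`. The `user` passed to that syslog is `const char *user=NULL` at the top of the function and is assigned between the two hunks, so its non-NULL-ness at this point cannot be confirmed from the diff; it should be verified against the pam_get_user handling there. The body of pam_sm_acct_mgmt between the second and third hunks is not shown.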