Diffstat (limited to 'modules/pam_tty_audit')
-rw-r--r-- | modules/pam_tty_audit/README | 17 | ||||
-rw-r--r-- | modules/pam_tty_audit/pam_tty_audit.8 | 28 | ||||
-rw-r--r-- | modules/pam_tty_audit/pam_tty_audit.8.xml | 26 | ||||
-rw-r--r-- | modules/pam_tty_audit/pam_tty_audit.c | 83 |
4 files changed, 130 insertions, 24 deletions
diff --git a/modules/pam_tty_audit/README b/modules/pam_tty_audit/README index 83e58c3a..ac947a32 100644 --- a/modules/pam_tty_audit/README +++ b/modules/pam_tty_audit/README @@ -11,15 +11,15 @@ OPTIONS disable=patterns - For each user matching one of comma-separated glob patterns, disable TTY - auditing. This overrides any previous enable option matching the same user - name on the command line. + For each user matching patterns, disable TTY auditing. This overrides any + previous enable option matching the same user name on the command line. See + NOTES for further description of patterns. enable=patterns - For each user matching one of comma-separated glob patterns, enable TTY - auditing. This overrides any previous disable option matching the same user - name on the command line. + For each user matching patterns, enable TTY auditing. This overrides any + previous disable option matching the same user name on the command line. + See NOTES for further description of patterns. open_only @@ -45,6 +45,11 @@ the first option for most daemons using PAM. To view the data that was logged by the kernel to audit use the command aureport --tty. +The patterns are comma separated lists of glob patterns or ranges of uids. A +range is specified as min_uid:max_uid where one of these values can be empty. +If min_uid is empty only user with the uid max_uid will be matched. If max_uid +is empty users with the uid greater than or equal to min_uid will be matched. + EXAMPLES Audit all administrative actions. diff --git a/modules/pam_tty_audit/pam_tty_audit.8 b/modules/pam_tty_audit/pam_tty_audit.8 index 616f7d7e..e0800815 100644 --- a/modules/pam_tty_audit/pam_tty_audit.8 +++ b/modules/pam_tty_audit/pam_tty_audit.8 
@@ -2,12 +2,12 @@ .\" Title: pam_tty_audit .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 04/11/2016 +.\" Date: 05/18/2018 .\" Manual: Linux-PAM Manual .\" Source: Linux-PAM Manual .\" Language: English .\" -.TH "PAM_TTY_AUDIT" "8" "04/11/2016" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_TTY_AUDIT" "8" "05/18/2018" "Linux-PAM Manual" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -39,18 +39,20 @@ The pam_tty_audit PAM module is used to enable or disable TTY auditing\&. By def .PP \fBdisable=\fR\fB\fIpatterns\fR\fR .RS 4 -For each user matching one of comma\-separated glob +For each user matching \fB\fIpatterns\fR\fR, disable TTY auditing\&. This overrides any previous \fBenable\fR -option matching the same user name on the command line\&. +option matching the same user name on the command line\&. See NOTES for further description of +\fB\fIpatterns\fR\fR\&. .RE .PP \fBenable=\fR\fB\fIpatterns\fR\fR .RS 4 -For each user matching one of comma\-separated glob +For each user matching \fB\fIpatterns\fR\fR, enable TTY auditing\&. This overrides any previous \fBdisable\fR -option matching the same user name on the command line\&. +option matching the same user name on the command line\&. See NOTES for further description of +\fB\fIpatterns\fR\fR\&. .RE .PP \fBopen_only\fR 
@@ -89,6 +91,20 @@ as the first option for most daemons using PAM\&. .PP To view the data that was logged by the kernel to audit use the command \fBaureport \-\-tty\fR\&. +.PP +The +\fB\fIpatterns\fR\fR +are comma separated lists of glob patterns or ranges of uids\&. A range is specified as +\fImin_uid\fR:\fImax_uid\fR +where one of these values can be empty\&. If +\fImin_uid\fR +is empty only user with the uid +\fImax_uid\fR +will be matched\&. If +\fImax_uid\fR +is empty users with the uid greater than or equal to +\fImin_uid\fR +will be matched\&. .SH "EXAMPLES" .PP Audit all administrative actions\&. diff --git a/modules/pam_tty_audit/pam_tty_audit.8.xml b/modules/pam_tty_audit/pam_tty_audit.8.xml index 552353ce..59a3406d 100644 --- a/modules/pam_tty_audit/pam_tty_audit.8.xml +++ b/modules/pam_tty_audit/pam_tty_audit.8.xml @@ -44,10 +44,10 @@ </term> <listitem> <para> - For each user matching one of comma-separated glob - <option><replaceable>patterns</replaceable></option>, disable - TTY auditing. This overrides any previous <option>enable</option> - option matching the same user name on the command line. + For each user matching <option><replaceable>patterns</replaceable></option>, + disable TTY auditing. This overrides any previous <option>enable</option> + option matching the same user name on the command line. See NOTES + for further description of <option><replaceable>patterns</replaceable></option>. </para> </listitem> </varlistentry> 
@@ -57,10 +57,10 @@ </term> <listitem> <para> - For each user matching one of comma-separated glob - <option><replaceable>patterns</replaceable></option>, enable - TTY auditing. This overrides any previous <option>disable</option> - option matching the same user name on the command line. + For each user matching <option><replaceable>patterns</replaceable></option>, + enable TTY auditing. This overrides any previous <option>disable</option> + option matching the same user name on the command line. See NOTES + for further description of <option><replaceable>patterns</replaceable></option>. </para> </listitem> </varlistentry> @@ -139,6 +139,16 @@ To view the data that was logged by the kernel to audit use the command <command>aureport --tty</command>. </para> + <para> + The <option><replaceable>patterns</replaceable></option> are comma separated + lists of glob patterns or ranges of uids. A range is specified as + <replaceable>min_uid</replaceable>:<replaceable>max_uid</replaceable> where + one of these values can be empty. If <replaceable>min_uid</replaceable> is + empty only user with the uid <replaceable>max_uid</replaceable> will be + matched. If <replaceable>max_uid</replaceable> is empty users with the uid + greater than or equal to <replaceable>min_uid</replaceable> will be + matched. + </para> </refsect1> <refsect1 id='pam_tty_audit-examples'> diff --git a/modules/pam_tty_audit/pam_tty_audit.c b/modules/pam_tty_audit/pam_tty_audit.c index bce3ab77..79e5d511 100644 --- a/modules/pam_tty_audit/pam_tty_audit.c +++ b/modules/pam_tty_audit/pam_tty_audit.c 
@@ -199,6 +199,54 @@ cleanup_old_status (pam_handle_t *pamh, void *data, int error_status)
 free (data);
 }
 
+enum uid_range { UID_RANGE_NONE, UID_RANGE_MM, UID_RANGE_MIN,
+ UID_RANGE_ONE, UID_RANGE_ERR };
+
+static enum uid_range
+parse_uid_range(pam_handle_t *pamh, const char *s,
+ uid_t *min_uid, uid_t *max_uid)
+{
+ const char *range = s;
+ const char *pmax;
+ char *endptr;
+ enum uid_range rv = UID_RANGE_MM;
+
+ if ((pmax=strchr(range, ':')) == NULL)
+ return UID_RANGE_NONE;
+ ++pmax;
+
+ if (range[0] == ':')
+ rv = UID_RANGE_ONE;
+ else {
+ errno = 0;
+ *min_uid = strtoul (range, &endptr, 10);
+ if (errno != 0 || (range == endptr) || *endptr != ':') {
+ pam_syslog(pamh, LOG_DEBUG,
+ "wrong min_uid value in '%s'", s);
+ return UID_RANGE_ERR;
+ }
+ }
+
+ if (*pmax == '\0') {
+ if (rv == UID_RANGE_ONE)
+ return UID_RANGE_ERR;
+
+ return UID_RANGE_MIN;
+ }
+
+ errno = 0;
+ *max_uid = strtoul (pmax, &endptr, 10);
+ if (errno != 0 || (pmax == endptr) || *endptr != '\0') {
+ pam_syslog(pamh, LOG_DEBUG,
+ "wrong max_uid value in '%s'", s);
+ return UID_RANGE_ERR;
+ }
+
+ if (rv == UID_RANGE_ONE)
+ *min_uid = *max_uid;
+ return rv;
+}
+
 int
 pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
 {
@@ -208,6 +256,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
 struct audit_tty_status *old_status, new_status;
 const char *user;
 int i, fd, open_only;
+ struct passwd *pwd;
 #ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
 int log_passwd;
 #endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
@@ -220,6 +269,14 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
 return PAM_SESSION_ERR;
 }
 
+ pwd = pam_modutil_getpwnam(pamh, user);
+ if (pwd == NULL)
+ {
+ pam_syslog(pamh, LOG_WARNING,
+ "open_session unknown user '%s'", user);
+ return PAM_SESSION_ERR;
+ }
+
 command = CMD_NONE;
 open_only = 0;
 #ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
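Review bot: In parse_uid_range both strtoul results are narrowed to uid_t with no bound check, so on an LP64 host a value above the uid_t maximum parses without ERANGE and is silently truncated, and a signed form such as `-1:` (strtoul skips blanks and accepts a sign) wraps to ULONG_MAX before truncation, so a mistyped range can end up matching unintended users. The assignments `*min_uid = strtoul (range, &endptr, 10);` and `*max_uid = strtoul (pmax, &endptr, 10);` should store into an unsigned long first, reject a non-digit first character, and reject `v > (uid_t) -1` before narrowing. A UID_RANGE_MM range whose min_uid exceeds max_uid is also accepted and can never match; rejecting it surfaces the typo instead of quietly reducing audit coverage. The enum constants and the function are fully inside this hunk.
```c
  enum uid_range rv = UID_RANGE_MM;
  unsigned long v;
  /* … unchanged: ':' lookup and the UID_RANGE_ONE test … */
  else {
    errno = 0;
    v = strtoul (range, &endptr, 10);
    /* strtoul skips leading blanks and accepts a sign; also reject
       values that would wrap when narrowed to uid_t. */
    if (errno != 0 || range == endptr || *endptr != ':'
        || range[0] < '0' || range[0] > '9' || v > (uid_t) -1) {
      pam_syslog(pamh, LOG_DEBUG,
                 "wrong min_uid value in '%s'", s);
      return UID_RANGE_ERR;
    }
    *min_uid = (uid_t) v;
  }
  /* … unchanged: empty max_uid handling (UID_RANGE_MIN / UID_RANGE_ERR) … */
  errno = 0;
  v = strtoul (pmax, &endptr, 10);
  if (errno != 0 || pmax == endptr || *endptr != '\0'
      || pmax[0] < '0' || pmax[0] > '9' || v > (uid_t) -1) {
    pam_syslog(pamh, LOG_DEBUG,
               "wrong max_uid value in '%s'", s);
    return UID_RANGE_ERR;
  }
  *max_uid = (uid_t) v;
  if (rv == UID_RANGE_MM && *min_uid > *max_uid) {
    pam_syslog(pamh, LOG_DEBUG, "empty uid range in '%s'", s);
    return UID_RANGE_ERR;
  }
  /* … unchanged: UID_RANGE_ONE min/max copy and return … */
```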
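Review bot: The pam_modutil_getpwnam lookup added in the `@@ -220,6 +269,14 @@` hunk runs before the option loop and fails the session with PAM_SESSION_ERR for any user name that does not resolve, even when the configuration uses only glob patterns and such users were previously matched by name. Failing closed is a defensible default for an audit control, but it is a behavior change the commit does not document; if intended, state it in the man page, otherwise resolve pwd only when the first uid-range token is seen so name-only setups keep working. Since the outcome is a denied session, `pam_syslog(pamh, LOG_ERR, "open_session unknown user '%s'", user);` would be a more fitting severity than LOG_WARNING. The body of pam_sm_open_session continues past this hunk.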
@@ -237,13 +294,31 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
 copy = strdup (strchr (argv[i], '=') + 1);
 if (copy == NULL)
 return PAM_SESSION_ERR;
- for (tok = strtok_r (copy, ",", &tok_data); tok != NULL;
+ for (tok = strtok_r (copy, ",", &tok_data);
+ tok != NULL && command != this_command;
 tok = strtok_r (NULL, ",", &tok_data))
 {
- if (fnmatch (tok, user, 0) == 0)
+ uid_t min_uid = 0, max_uid = 0;
+ switch (parse_uid_range(pamh, tok, &min_uid, &max_uid))
 {
- command = this_command;
- break;
+ case UID_RANGE_NONE:
+ if (fnmatch (tok, user, 0) == 0)
+ command = this_command;
+ break;
+ case UID_RANGE_MM:
+ if (pwd->pw_uid >= min_uid && pwd->pw_uid <= max_uid)
+ command = this_command;
+ break;
+ case UID_RANGE_MIN:
+ if (pwd->pw_uid >= min_uid)
+ command = this_command;
+ break;
+ case UID_RANGE_ONE:
+ if (pwd->pw_uid == max_uid)
+ command = this_command;
+ break;
+ case UID_RANGE_ERR:
+ break;
 }
 }
 free (copy);
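Review bot: `case UID_RANGE_ERR: break;` drops an unparsable token after only the LOG_DEBUG message emitted by parse_uid_range, so a typo in a uid range leaves the user outside the enable/disable set with the diagnostic at a level many syslog configurations discard; for an audit control a misconfiguration that reduces coverage should be loud, e.g. `case UID_RANGE_ERR: pam_syslog(pamh, LOG_ERR, "ignoring invalid pattern '%s'", tok); break;`. Because any token containing ':' is now handed to parse_uid_range, a glob that contains a colon can no longer be used as a name pattern; the NOTES paragraph added in the documentation hunks should say so. The enclosing pam_sm_open_session continues past this hunk.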