From c9c4faaf50c66d5e4d1b9d6c450c206c12f09f8a Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Thu, 27 Oct 2011 14:55:55 +0000 Subject: Rename all .cvsignore files to .gitignore --- modules/pam_tty_audit/.cvsignore | 8 -------- modules/pam_tty_audit/.gitignore | 8 ++++++++ 2 files changed, 8 insertions(+), 8 deletions(-) delete mode 100644 modules/pam_tty_audit/.cvsignore create mode 100644 modules/pam_tty_audit/.gitignore (limited to 'modules/pam_tty_audit') diff --git a/modules/pam_tty_audit/.cvsignore b/modules/pam_tty_audit/.cvsignore deleted file mode 100644 index aefb9d6f..00000000 --- a/modules/pam_tty_audit/.cvsignore +++ /dev/null @@ -1,8 +0,0 @@ -*.la -*.lo -.deps -.libs -Makefile -Makefile.in -README -pam_tty_audit.8 diff --git a/modules/pam_tty_audit/.gitignore b/modules/pam_tty_audit/.gitignore new file mode 100644 index 00000000..aefb9d6f --- /dev/null +++ b/modules/pam_tty_audit/.gitignore @@ -0,0 +1,8 @@ +*.la +*.lo +.deps +.libs +Makefile +Makefile.in +README +pam_tty_audit.8 -- cgit v1.2.3 From 3e7fb3233efe776d867be9d34b4b6e83ec59df86 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Thu, 27 Oct 2011 14:55:55 +0000 Subject: Update .gitignore files * .gitignore: Add common ignore patterns. * m4/.gitignore: Unignore local m4 files. * dynamic/.gitignore: Unignore Makefile. * libpamc/test/modules/.gitignore: Likewise. * libpamc/test/regress/.gitignore: Likewise. * po/.gitignore: Add Makevars.template. * conf/.gitignore: Remove common ignore patterns. * conf/pam_conv1/.gitignore: Likewise. * doc/.gitignore: Likewise. * doc/specs/.gitignore: Likewise. * doc/specs/formatter/.gitignore: Likewise. * examples/.gitignore: Likewise. * modules/pam_filter/upperLOWER/.gitignore: Likewise. * modules/pam_mkhomedir/.gitignore: Likewise. * modules/pam_selinux/.gitignore: Likewise. * modules/pam_stress/.gitignore: Likewise. * modules/pam_tally/.gitignore: Likewise. * modules/pam_tally2/.gitignore: Likewise. * modules/pam_timestamp/.gitignore: Likewise. * modules/pam_unix/.gitignore: Likewise. * tests/.gitignore: Likewise. * xtests/.gitignore: Likewise. * doc/adg/.gitignore: Remove. * doc/man/.gitignore: Remove. * doc/mwg/.gitignore: Remove. * doc/sag/.gitignore: Remove. * libpamc/.gitignore: Remove. * libpamc/test/.gitignore: Remove. * libpam/.gitignore: Remove. * libpam_misc/.gitignore: Remove. * modules/.gitignore: Remove. * modules/pam_access/.gitignore: Remove. * modules/pam_cracklib/.gitignore: Remove. * modules/pam_debug/.gitignore: Remove. * modules/pam_deny/.gitignore: Remove. * modules/pam_echo/.gitignore: Remove. * modules/pam_env/.gitignore: Remove. * modules/pam_exec/.gitignore: Remove. * modules/pam_faildelay/.gitignore: Remove. * modules/pam_filter/.gitignore: Remove. * modules/pam_ftp/.gitignore: Remove. * modules/pam_group/.gitignore: Remove. * modules/pam_issue/.gitignore: Remove. * modules/pam_keyinit/.gitignore: Remove. * modules/pam_lastlog/.gitignore: Remove. * modules/pam_limits/.gitignore: Remove. * modules/pam_listfile/.gitignore: Remove. * modules/pam_localuser/.gitignore: Remove. * modules/pam_loginuid/.gitignore: Remove. * modules/pam_mail/.gitignore: Remove. * modules/pam_motd/.gitignore: Remove. * modules/pam_namespace/.gitignore: Remove. * modules/pam_nologin/.gitignore: Remove. * modules/pam_permit/.gitignore: Remove. * modules/pam_pwhistory/.gitignore: Remove. * modules/pam_rhosts/.gitignore: Remove. * modules/pam_rootok/.gitignore: Remove. * modules/pam_securetty/.gitignore: Remove. * modules/pam_sepermit/.gitignore: Remove. * modules/pam_shells/.gitignore: Remove. * modules/pam_succeed_if/.gitignore: Remove. * modules/pam_time/.gitignore: Remove. * modules/pam_tty_audit/.gitignore: Remove. * modules/pam_umask/.gitignore: Remove. * modules/pam_userdb/.gitignore: Remove. * modules/pam_warn/.gitignore: Remove. * modules/pam_wheel/.gitignore: Remove. * modules/pam_xauth/.gitignore: Remove. --- modules/pam_tty_audit/.gitignore | 8 -------- 1 file changed, 8 deletions(-) delete mode 100644 modules/pam_tty_audit/.gitignore (limited to 'modules/pam_tty_audit') diff --git a/modules/pam_tty_audit/.gitignore b/modules/pam_tty_audit/.gitignore deleted file mode 100644 index aefb9d6f..00000000 --- a/modules/pam_tty_audit/.gitignore +++ /dev/null @@ -1,8 +0,0 @@ -*.la -*.lo -.deps -.libs -Makefile -Makefile.in -README -pam_tty_audit.8 -- cgit v1.2.3 From dc8b23cf9228ed432e9b7b2ee2209a06283241c0 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Fri, 28 Oct 2011 02:28:38 +0000 Subject: Use libpam.la/libpam_misc.la to link with -lpam/-lpam_misc GNU automake documentation recommends to avoid using -l options in LDADD or LIBADD when referring to libraries built by the package. Instead, it recommends to write the file name of the library explicitly, and use -l option only to list third-party libraries. As result, the default value of *_DEPENDENCIES will list all local libraries and omit the other ones. * modules/pam_access/Makefile.am (pam_access_la_LIBADD): Replace "-L$(top_builddir)/libpam -lpam" with "$(top_builddir)/libpam/libpam.la", to follow GNU automake recommendations. * modules/pam_cracklib/Makefile.am (pam_cracklib_la_LIBADD): Likewise. * modules/pam_debug/Makefile.am (pam_debug_la_LIBADD): Likewise. * modules/pam_deny/Makefile.am (pam_deny_la_LIBADD): Likewise. * modules/pam_echo/Makefile.am (pam_echo_la_LIBADD): Likewise. * modules/pam_env/Makefile.am (pam_env_la_LIBADD): Likewise. * modules/pam_exec/Makefile.am (pam_exec_la_LIBADD): Likewise. * modules/pam_faildelay/Makefile.am (pam_faildelay_la_LIBADD): Likewise. * modules/pam_filter/Makefile.am (pam_filter_la_LIBADD): Likewise. * modules/pam_filter/upperLOWER/Makefile.am (LDADD): Likewise. * modules/pam_ftp/Makefile.am (pam_ftp_la_LIBADD): Likewise. * modules/pam_group/Makefile.am (pam_group_la_LIBADD): Likewise. * modules/pam_issue/Makefile.am (pam_issue_la_LIBADD): Likewise. * modules/pam_keyinit/Makefile.am (pam_keyinit_la_LIBADD): Likewise. * modules/pam_lastlog/Makefile.am (pam_lastlog_la_LIBADD): Likewise. * modules/pam_limits/Makefile.am (pam_limits_la_LIBADD): Likewise. * modules/pam_listfile/Makefile.am (pam_listfile_la_LIBADD): Likewise. * modules/pam_localuser/Makefile.am (pam_localuser_la_LIBADD): Likewise. * modules/pam_loginuid/Makefile.am (pam_loginuid_la_LIBADD): Likewise. * modules/pam_mail/Makefile.am (pam_mail_la_LIBADD): Likewise. * modules/pam_mkhomedir/Makefile.am (pam_mkhomedir_la_LIBADD, mkhomedir_helper_LDADD): Likewise. * modules/pam_motd/Makefile.am (pam_motd_la_LIBADD): Likewise. * modules/pam_namespace/Makefile.am (pam_namespace_la_LIBADD): Likewise. * modules/pam_nologin/Makefile.am (pam_nologin_la_LIBADD): Likewise. * modules/pam_permit/Makefile.am (pam_permit_la_LIBADD): Likewise. * modules/pam_pwhistory/Makefile.am (pam_pwhistory_la_LIBADD): Likewise. * modules/pam_rhosts/Makefile.am (pam_rhosts_la_LIBADD): Likewise. * modules/pam_rootok/Makefile.am (pam_rootok_la_LIBADD): Likewise. * modules/pam_securetty/Makefile.am (pam_securetty_la_LIBADD): Likewise. * modules/pam_sepermit/Makefile.am (pam_sepermit_la_LIBADD): Likewise. * modules/pam_shells/Makefile.am (pam_shells_la_LIBADD): Likewise. * modules/pam_stress/Makefile.am (pam_stress_la_LIBADD): Likewise. * modules/pam_succeed_if/Makefile.am (pam_succeed_if_la_LIBADD): Likewise. * modules/pam_tally/Makefile.am (pam_tally_la_LIBADD): Likewise. * modules/pam_tally2/Makefile.am (pam_tally2_la_LIBADD, pam_tally2_LDADD): Likewise. * modules/pam_time/Makefile.am (pam_time_la_LIBADD): Likewise. * modules/pam_timestamp/Makefile.am (pam_timestamp_la_LIBADD, pam_timestamp_check_LDADD, hmacfile_LDADD): Likewise. * modules/pam_tty_audit/Makefile.am (pam_tty_audit_la_LIBADD): Likewise. * modules/pam_umask/Makefile.am (pam_umask_la_LIBADD): Likewise. * modules/pam_unix/Makefile.am (pam_unix_la_LIBADD): Likewise. * modules/pam_userdb/Makefile.am (pam_userdb_la_LIBADD): Likewise. * modules/pam_warn/Makefile.am (pam_warn_la_LIBADD): Likewise. * modules/pam_wheel/Makefile.am (pam_wheel_la_LIBADD): Likewise. * modules/pam_xauth/Makefile.am (pam_xauth_la_LIBADD): Likewise. * tests/Makefile.am (LDADD): Likewise. * examples/Makefile.am (LDADD): Replace "-L$(top_builddir)/libpam -lpam" with "$(top_builddir)/libpam/libpam.la", and "-L$(top_builddir)/libpam_misc -lpam_misc" with "$(top_builddir)/libpam_misc/libpam_misc.la", to follow GNU automake recommendations. * xtests/Makefile.am (LDADD): Likewise. * modules/pam_selinux/Makefile.am (pam_selinux_la_LIBADD): Likewise. --- modules/pam_tty_audit/Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'modules/pam_tty_audit') diff --git a/modules/pam_tty_audit/Makefile.am b/modules/pam_tty_audit/Makefile.am index 38c13c03..63784835 100644 --- a/modules/pam_tty_audit/Makefile.am +++ b/modules/pam_tty_audit/Makefile.am @@ -22,7 +22,7 @@ if HAVE_VERSIONING endif if HAVE_AUDIT_TTY_STATUS - pam_tty_audit_la_LIBADD = -L$(top_builddir)/libpam -lpam + pam_tty_audit_la_LIBADD = $(top_builddir)/libpam/libpam.la securelib_LTLIBRARIES = pam_tty_audit.la endif -- cgit v1.2.3 From 333686501468f66160c8eb50ae23f1dc08b82e12 Mon Sep 17 00:00:00 2001 From: Richard Guy Briggs Date: Fri, 21 Jun 2013 08:29:00 -0400 Subject: pam_tty_audit: add an option to control logging of passwords: log_passwd Most commands are entered one line at a time and processed as complete lines in non-canonical mode. Commands that interactively require a password, enter canonical mode with echo set to off to do this. This feature (icanon and !echo) can be used to avoid logging passwords by audit while still logging the rest of the command. Adding a member to the struct audit_tty_status passed in by pam_tty_audit allows control of logging passwords per task. * configure.in: autoconf bits to conditionally add support at compile time depending on struct audit_tty_status kernel header version. * modules/pam_tty_audit/pam_tty_audit.8.xml: Document new pam_tty_audit module log_passwd option. * modules/pam_tty_audit/pam_tty_audit.c: (pam_sm_open_session): Added "log_passwd" option parsing. Signed-off-by: Richard Guy Briggs --- modules/pam_tty_audit/pam_tty_audit.8.xml | 15 +++++++++++++++ modules/pam_tty_audit/pam_tty_audit.c | 23 ++++++++++++++++++++++- 2 files changed, 37 insertions(+), 1 deletion(-) (limited to 'modules/pam_tty_audit') diff --git a/modules/pam_tty_audit/pam_tty_audit.8.xml b/modules/pam_tty_audit/pam_tty_audit.8.xml index 447b8454..552353ce 100644 --- a/modules/pam_tty_audit/pam_tty_audit.8.xml +++ b/modules/pam_tty_audit/pam_tty_audit.8.xml @@ -77,6 +77,19 @@ + + + + + + + Log keystrokes when ECHO mode is off but ICANON mode is active. + This is the mode in which the tty is placed during password entry. + By default, passwords are not logged. This option may not be + available on older kernels (3.9?). + + + @@ -161,6 +174,8 @@ session required pam_tty_audit.so disable=* enable=root pam_tty_audit was written by Miloslav Trmač <mitr@redhat.com>. + The log_passwd option was added by Richard Guy Briggs + <rgb@redhat.com>. diff --git a/modules/pam_tty_audit/pam_tty_audit.c b/modules/pam_tty_audit/pam_tty_audit.c index 080f4950..a3b590db 100644 --- a/modules/pam_tty_audit/pam_tty_audit.c +++ b/modules/pam_tty_audit/pam_tty_audit.c @@ -201,6 +201,9 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) struct audit_tty_status *old_status, new_status; const char *user; int i, fd, open_only; +#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD + int log_passwd; +#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ (void)flags; @@ -212,6 +215,9 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) command = CMD_NONE; open_only = 0; +#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD + log_passwd = 0; +#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ for (i = 0; i < argc; i++) { if (strncmp (argv[i], "enable=", 7) == 0 @@ -237,6 +243,14 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) } else if (strcmp (argv[i], "open_only") == 0) open_only = 1; + else if (strcmp (argv[i], "log_passwd") == 0) +#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD + log_passwd = 1; +#else /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ + pam_syslog (pamh, LOG_WARNING, + "The log_passwd option was not available at compile time."); +#warning "pam_tty_audit: The log_passwd option is not available. Please upgrade your headers/kernel." +#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ else { pam_syslog (pamh, LOG_ERR, "unknown option `%s'", argv[i]); @@ -262,7 +276,14 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) } new_status.enabled = (command == CMD_ENABLE ? 1 : 0); - if (old_status->enabled == new_status.enabled) +#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD + new_status.log_passwd = log_passwd; +#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ + if (old_status->enabled == new_status.enabled +#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD + && old_status->log_passwd == new_status.log_passwd +#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ + ) { open_only = 1; /* to clean up old_status */ goto ok_fd; -- cgit v1.2.3 From 40ff0c583388d1bb1ef1abfd8522d4aa45f6a7ec Mon Sep 17 00:00:00 2001 From: Richard Guy Briggs Date: Thu, 27 Jun 2013 15:31:16 -0400 Subject: pam_tty_audit: fix a typo that crept in during patch review * modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Replace all occurrences of HAVE_AUDIT_TTY_STATUS_LOG_PASSWD with HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD. * configure.in (HAVE_AUDIT_TTY_STATUS_LOG_PASSWD): Remove. Signed-off-by: Richard Guy Briggs Signed-off-by: Dmitry V. Levin --- modules/pam_tty_audit/pam_tty_audit.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) (limited to 'modules/pam_tty_audit') diff --git a/modules/pam_tty_audit/pam_tty_audit.c b/modules/pam_tty_audit/pam_tty_audit.c index a3b590db..7dc37395 100644 --- a/modules/pam_tty_audit/pam_tty_audit.c +++ b/modules/pam_tty_audit/pam_tty_audit.c @@ -201,9 +201,9 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) struct audit_tty_status *old_status, new_status; const char *user; int i, fd, open_only; -#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD +#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD int log_passwd; -#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ +#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */ (void)flags; @@ -215,9 +215,9 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) command = CMD_NONE; open_only = 0; -#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD +#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD log_passwd = 0; -#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ +#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */ for (i = 0; i < argc; i++) { if (strncmp (argv[i], "enable=", 7) == 0 @@ -244,13 +244,13 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) else if (strcmp (argv[i], "open_only") == 0) open_only = 1; else if (strcmp (argv[i], "log_passwd") == 0) -#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD +#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD log_passwd = 1; -#else /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ +#else /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */ pam_syslog (pamh, LOG_WARNING, "The log_passwd option was not available at compile time."); #warning "pam_tty_audit: The log_passwd option is not available. Please upgrade your headers/kernel." -#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ +#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */ else { pam_syslog (pamh, LOG_ERR, "unknown option `%s'", argv[i]); @@ -276,13 +276,13 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) } new_status.enabled = (command == CMD_ENABLE ? 1 : 0); -#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD +#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD new_status.log_passwd = log_passwd; -#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ +#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */ if (old_status->enabled == new_status.enabled -#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD +#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD && old_status->log_passwd == new_status.log_passwd -#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ +#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */ ) { open_only = 1; /* to clean up old_status */ -- cgit v1.2.3