
rpms/pam/devel pam-0.79-loginuid-req-audit.patch, NONE, 1.1 pam.spec, 1.84, 1.85



Author: tmraz

Update of /cvs/dist/rpms/pam/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv20675

Modified Files:
	pam.spec 
Added Files:
	pam-0.79-loginuid-req-audit.patch 
Log Message:
* Mon Aug 01 2005 Tomas Mraz <tmraz redhat com> 0.80-6
- add option to pam_loginuid to require auditd


pam-0.79-loginuid-req-audit.patch:
 pam_loginuid.8 |   10 ++---
 pam_loginuid.c |   99 +++++++++++++++++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 101 insertions(+), 8 deletions(-)

--- NEW FILE pam-0.79-loginuid-req-audit.patch ---
diff -urp Linux-PAM-0.77.orig/modules/pam_loginuid/pam_loginuid.8 Linux-PAM-0.77/modules/pam_loginuid/pam_loginuid.8
--- Linux-PAM-0.77.orig/modules/pam_loginuid/pam_loginuid.8	2005-07-29 14:53:46.000000000 -0400
+++ Linux-PAM-0.77/modules/pam_loginuid/pam_loginuid.8	2005-07-29 16:47:54.000000000 -0400
@@ -1,16 +1,16 @@
-.TH pam_loginuid 8 2005/02/10 "Red Hat Linux" "System Administrator's Manual"
+.TH pam_loginuid 8 2005/07/29 "Red Hat Linux" "System Administrator's Manual"
 .SH NAME
-pam_loginuid \- record authentication attempts to audit subsystem
+pam_loginuid \- record user's login uid to the process attribute
 .SH SYNOPSIS
 .B session required /lib/security/pam_loginuid.so
 .br
 
 .SH DESCRIPTION
-pam_loginuid sets the loginuid for the process that was authenticated. This is
-necessary for applications to be correctly audited.
+pam_loginuid sets the loginuid process attribute for the process that was authenticated. This is necessary for applications to be correctly audited. This pam module should only be used for entry point applications like: login, sshd, gdm, vsftpd, crond, at, and remote. There are probably other entry point applications besides these. You should not use it for applications like sudo or su as that defeats the purpose by changing the loginuid to the account they just switched to.
 
 .SH ARGUMENTS
-.IP none
+.IP require_auditd
+This option, when given, will cause this module to query the audit daemon status and deny logins if it is not running.
 
 .SH EXAMPLE
 \fB/etc/pam.d/gdm\fP:
diff -urp Linux-PAM-0.77.orig/modules/pam_loginuid/pam_loginuid.c Linux-PAM-0.77/modules/pam_loginuid/pam_loginuid.c
--- Linux-PAM-0.77.orig/modules/pam_loginuid/pam_loginuid.c	2005-07-29 14:53:46.000000000 -0400
+++ Linux-PAM-0.77/modules/pam_loginuid/pam_loginuid.c	2005-07-29 20:09:06.659146856 -0400
@@ -22,6 +22,7 @@
  * PAM module that sets the login uid introduced in kernel 2.6.11
  */
 
+#include "../../_pam_aconf.h"
 #include <stdio.h>
 #include <stdarg.h>
 #include <syslog.h>
@@ -38,6 +39,11 @@
 #include <fcntl.h>
 #undef __USE_GNU
 
+#ifdef HAVE_LIBAUDIT
+#include <libaudit.h>
+#include <sys/select.h>
+#include <errno.h>
+#endif
 
 static void _pam_log(int err, const char *format, ...)
 {
@@ -76,14 +82,90 @@ static int set_loginuid(uid_t uid)
 	return rc;
 }
 
+#ifdef HAVE_LIBAUDIT
+/*
+ * This function is called only if "require_auditd" option is passed. It is
+ * called after loginuid has been set. The purpose is to disallow logins
+ * should the audit daemon not be running or crashed. It returns PAM_SUCCESS
+ * if the audit daemon is running  and PAM_SESSION_ERR otherwise.
+ */
+static int check_auditd(void)
+{
+	int fd, retval;
+
+	fd = audit_open();
+	if (fd < 0)
+		return PAM_SESSION_ERR;
+	retval = audit_request_status(fd);
+	if (retval > 0) {
+		struct audit_reply rep;
+		int i;
+		int timeout = 30; /* tenths of seconds */
+		fd_set read_mask;
+
+		FD_ZERO(&read_mask);
+		FD_SET(fd, &read_mask);
+
+		for (i = 0; i < timeout; i++) {
+			struct timeval t;
+			int rc;
+
+			t.tv_sec  = 0;
+			t.tv_usec = 100000;
+			do {
+				rc = select(fd+1, &read_mask, NULL, NULL, &t);
+			} while (rc < 0 && errno == EINTR);
+
+			rc = audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING,0);
+			if (rc > 0) {
+				/* If we get done or error, break out */
+				if (rep.type == NLMSG_DONE ||
+						rep.type == NLMSG_ERROR)
+					break;
+
+				/* If its not status, keep looping */
+				if (rep.type != AUDIT_GET)
+					continue;
+
+				/* Found it... */
+				close(fd);
+				if (rep.status->pid == 0)
+					return PAM_SESSION_ERR;
+				else
+					return PAM_SUCCESS;
+			}
+		}
+	}
+	close(fd);
+	if (retval == -ECONNREFUSED) {
+		/* This is here to let people that build their own kernel
+		   and disable the audit system get in. ECONNREFUSED is
+		   issued by the kernel when there is "no on listening". */
+		return PAM_SUCCESS;
+	} else if (retval == -EPERM && getuid() != 0) {
+		/* If we get this, then the kernel supports auditing
+		 * but we don't have enough privilege to write to the
+		 * socket. Therefore, we have already been authenticated
+		 * and we are a common user. Just act as though auditing
+		 * is not enabled. Any other error we take seriously. */
+		return PAM_SUCCESS;
+	}
+
+	return PAM_SESSION_ERR;
+}
+#endif
+
 /*
  * Initialize audit session for user
  */
 static int
 _pam_loginuid(pam_handle_t *pamh, int flags, int argc, const char **argv)
 {
-	char		*user = NULL;
-	struct passwd	*pwd;
+	char *user = NULL;
+	struct passwd *pwd;
+#ifdef HAVE_LIBAUDIT
+	int require_auditd = 0;
+#endif
 
 	/* get user name */
 	if (pam_get_item(pamh, PAM_USER, (const void **) &user) != PAM_SUCCESS)
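Review bot: The fd_set used by select() in check_auditd is initialised once before the loop (`FD_ZERO(&read_mask); FD_SET(fd, &read_mask);`), but select() rewrites the set on return and clears it entirely on timeout, so after the first 100 ms timeout every remaining iteration selects on an empty set, sleeps 100 ms, and then polls audit_get_reply() non-blocking; moving those two lines to the top of the for body re-arms the wait each iteration. The deny paths all return PAM_SESSION_ERR without a `_pam_log()` call, so a refused login leaves nothing in syslog to say whether auditd was down, the status request timed out, or audit_open() failed — a line such as `_pam_log(LOG_ERR, "audit daemon not running, denying login");` before the `rep.status->pid == 0` return and the final fall-through return would make that diagnosable. Note also that the ECONNREFUSED and unprivileged-EPERM branches make require_auditd fail-open on kernels without audit support or when the calling process is not root, which the man-page text for the option does not mention. _pam_loginuid's body continues past the end of this hunk.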
@@ -104,7 +186,18 @@ _pam_loginuid(pam_handle_t *pamh, int fl
 		return PAM_SESSION_ERR;
 	}
 
-	return PAM_SUCCESS;
+#ifdef HAVE_LIBAUDIT
+	while (argc-- > 0) {
+		if (strcmp(*argv, "require_auditd") == 0)
+			require_auditd = 1;
+		argv++;
+	}
+
+	if (require_auditd)
+		return check_auditd();
+	else
+#endif
+		return PAM_SUCCESS;
 }
 
 /*
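Review bot: When the module is built without HAVE_LIBAUDIT the whole option-parsing loop is compiled out, so a `require_auditd` argument in a pam.d stack is silently accepted and the session still returns PAM_SUCCESS — the administrator configured fail-closed and gets fail-open with no log line. Parsing the arguments outside the #ifdef and logging the ignored option (and any unrecognised one) keeps that visible in syslog; the check itself can stay conditional. `_pam_loginuid` starts in the previous hunk, outside this one.
```c
	while (argc-- > 0) {
		if (strcmp(*argv, "require_auditd") == 0) {
#ifdef HAVE_LIBAUDIT
			require_auditd = 1;
#else
			_pam_log(LOG_WARNING,
				 "require_auditd ignored: built without libaudit");
#endif
		} else {
			_pam_log(LOG_WARNING, "unknown option: %s", *argv);
		}
		argv++;
	}
	/* … unchanged: require_auditd ? check_auditd() : PAM_SUCCESS return … */
```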


Index: pam.spec
===================================================================
RCS file: /cvs/dist/rpms/pam/devel/pam.spec,v
retrieving revision 1.84
retrieving revision 1.85
diff -u -r1.84 -r1.85
--- pam.spec	28 Jul 2005 09:40:49 -0000	1.84
+++ pam.spec	1 Aug 2005 09:14:07 -0000	1.85
@@ -12,7 +12,7 @@
 Summary: A security tool which provides authentication for applications.
 Name: pam
 Version: 0.80
-Release: 5
+Release: 6
 License: GPL or BSD
 Group: System Environment/Base
 Source0: ftp.us.kernel.org:/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2
@@ -29,6 +29,7 @@
 Patch34: pam-0.77-dbpam.patch
 Patch61: pam-pwdbselinux.patch
 Patch65: pam-0.77-audit.patch
+Patch66: pam-0.79-loginuid-req-audit.patch
 Patch70: pam-0.80-selinux-nofail.patch
 Patch71: pam-0.80-install-perms.patch
 Patch72: pam-0.80-pie.patch
@@ -92,6 +93,7 @@
 %endif
 %if %{WITH_AUDIT}
 %patch65 -p1 -b .audit
+%patch66 -p1 -b .req-audit
 %endif
 %patch70 -p1 -b .nofail
 %patch71 -p1 -b .install-perms
@@ -370,7 +372,10 @@
 %{_libdir}/libpam_misc.so
 
 %changelog
-* Thu Jul 28 2005 Tomas Mraz <tmraz redhat com> 0.80-5
+* Mon Aug 01 2005 Tomas Mraz <tmraz redhat com> 0.80-6
+- add option to pam_loginuid to require auditd
+ 
+* Fri Jul 29 2005 Tomas Mraz <tmraz redhat com> 0.80-5
 - fix NULL dereference in pam_userdb (#164418)
 
 * Tue Jul 26 2005 Tomas Mraz <tmraz redhat com> 0.80-4

