rpms/pam/devel pam-0.99.8.1-tty-audit2.patch, NONE, 1.1 pam.spec, 1.163, 1.164

Tomas Mraz (tmraz) fedora-extras-commits at redhat.com
Wed Jan 2 10:43:04 UTC 2008


Author: tmraz

Update of /cvs/pkgs/rpms/pam/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv31781

Modified Files:
	pam.spec 
Added Files:
	pam-0.99.8.1-tty-audit2.patch 
Log Message:
* Wed Jan  2 2008 Tomas Mraz <tmraz at redhat.com> 0.99.8.1-13
- wildcard match support in pam_tty_audit (by Miloslav Trmač)


pam-0.99.8.1-tty-audit2.patch:

--- NEW FILE pam-0.99.8.1-tty-audit2.patch ---
Written-by: Miloslav Trmac <mitr at redhat.com>
Reviewed-by: Tomas Mraz <tmraz at redhat.com>
diff -up Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml.tty-audit2 Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml
--- Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml.tty-audit2	2008-01-02 11:28:26.000000000 +0100
+++ Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml	2008-01-02 11:29:55.000000000 +0100
@@ -19,10 +19,10 @@
     <cmdsynopsis id="pam_tty_audit-cmdsynopsis">
       <command>pam_tty_audit.so</command>
       <arg choice="opt">
-	disable=<replaceable>usernames</replaceable>
+	disable=<replaceable>patterns</replaceable>
       </arg>
       <arg choice="opt">
-	enable=<replaceable>usernames</replaceable>
+	enable=<replaceable>patterns</replaceable>
       </arg>
     </cmdsynopsis>
   </refsynopsisdiv>
@@ -40,27 +40,40 @@
     <variablelist>
       <varlistentry>
         <term>
-          <option>disable=<replaceable>usernames</replaceable></option>
+          <option>disable=<replaceable>patterns</replaceable></option>
         </term>
         <listitem>
           <para>
-	    For each user matching one of comma-separated
-	    <option><replaceable>usernames</replaceable></option>, disable
-	    TTY auditing.  This overrides any older <option>enable</option>
-	    option for the same user name.
+	    For each user matching one of comma-separated glob
+	    <option><replaceable>patterns</replaceable></option>, disable
+	    TTY auditing.  This overrides any previous <option>enable</option>
+	    option matchin the same user name on the command line.
           </para>
         </listitem>
       </varlistentry>
       <varlistentry>
         <term>
-          <option>enable=<replaceable>usernames</replaceable></option>
+          <option>enable=<replaceable>patterns</replaceable></option>
         </term>
         <listitem>
           <para>
-	    For each user matching one of comma-separated
-	    <option><replaceable>usernames</replaceable></option>, enable
-	    TTY auditing.  This overrides any older <option>disable</option>
-	    option for the same user name.
+	    For each user matching one of comma-separated glob
+	    <option><replaceable>patterns</replaceable></option>, enable
+	    TTY auditing.  This overrides any previous <option>disable</option>
+	    option matching the same user name on the command line.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
+          <option>open_only</option>
+        </term>
+        <listitem>
+          <para>
+           Set the TTY audit flag when opening the session, but do not restore
+           it when closing the session.  Using this option is necessary for
+           some services that don't <function>fork()</function> to run the
+           authenticated session, such as <command>sudo</command>.
           </para>
         </listitem>
       </varlistentry>
@@ -99,17 +112,24 @@
     </variablelist>
   </refsect1>
 
+  <refsect1 id='pam_tty_audit-notes'>
+    <title>NOTES</title>
+    <para>
+      When TTY auditing is enabled, it is inherited by all processes started by
+      that user.  In particular, daemons restarted by an user will still have
+      TTY auditing enabled, and audit TTY input even by other users unless
+      auditing for these users is explicitly disabled.  Therefore, it is
+      recommended to use <option>disable=*</option> as the first option for
+      most daemons using PAM.
+    </para>
+  </refsect1>
+
   <refsect1 id='pam_tty_audit-examples'>
     <title>EXAMPLES</title>
     <para>
       Audit all administrative actions.
       <programlisting>
-login   root     required       pam_tty_audit.so enable=root
-su      root     required       pam_tty_audit.so enable=root
-su-l    root     required       pam_tty_audit.so enable=root
-sudo    root     required       pam_tty_audit.so enable=root
-sudo-l  root     required       pam_tty_audit.so enable=root
-sshd    root     required       pam_tty_audit.so enable=root
+session	required pam_tty_audit.so disable=* enable=root
       </programlisting>
     </para>
   </refsect1>
diff -up Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml.tty-audit2 Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml
--- Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml.tty-audit2	2008-01-02 11:28:26.000000000 +0100
+++ Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml	2008-01-02 11:28:26.000000000 +0100
@@ -25,6 +25,11 @@
 
   <section>
     <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-notes"]/*)'/>
+  </section>
+
+  <section>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
       href="pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-examples"]/*)'/>
   </section>
 
diff -up Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c.tty-audit2 Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c
--- Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c.tty-audit2	2008-01-02 11:28:26.000000000 +0100
+++ Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c	2008-01-02 11:28:26.000000000 +0100
@@ -1,4 +1,4 @@
-/* Copyright © 2007 Red Hat, Inc. All rights reserved.
+/* Copyright © 2007, 2008 Red Hat, Inc. All rights reserved.
    Red Hat author: Miloslav Trmač <mitr at redhat.com>
 
    Redistribution and use in source and binary forms of Linux-PAM, with
@@ -37,7 +37,7 @@
    DAMAGE. */
 
 #include <errno.h>
-#include <pwd.h>
+#include <fnmatch.h>
 #include <stdlib.h>
 #include <string.h>
 #include <syslog.h>
@@ -197,9 +197,7 @@ pam_sm_open_session (pam_handle_t *pamh,
   enum command command;
   struct audit_tty_status *old_status, new_status;
   const char *user;
-  uid_t user_uid;
-  struct passwd *pwd;
-  int i, fd;
+  int i, fd, open_only;
 
   (void)flags;
 
@@ -208,15 +206,9 @@ pam_sm_open_session (pam_handle_t *pamh,
       pam_syslog (pamh, LOG_ERR, "error determining target user's name");
       return PAM_SESSION_ERR;
     }
-  pwd = pam_modutil_getpwnam (pamh, user);
-  if (pwd == NULL)
-    {
-      pam_syslog (pamh, LOG_ERR, "error determining target user's UID: %m");
-      return PAM_SESSION_ERR;
-    }
-  user_uid = pwd->pw_uid;
 
   command = CMD_NONE;
+  open_only = 0;
   for (i = 0; i < argc; i++)
     {
       if (strncmp (argv[i], "enable=", 7) == 0
@@ -232,13 +224,7 @@ pam_sm_open_session (pam_handle_t *pamh,
 	  for (tok = strtok_r (copy, ",", &tok_data); tok != NULL;
 	       tok = strtok_r (NULL, ",", &tok_data))
 	    {
-	      pwd = pam_modutil_getpwnam (pamh, tok);
-	      if (pwd == NULL)
-		{
-		  pam_syslog (pamh, LOG_WARNING, "unknown user %s", tok);
-		  continue;
-		}
-	      if (pwd->pw_uid == user_uid)
+	      if (fnmatch (tok, user, 0) == 0)
 		{
 		  command = this_command;
 		  break;
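Review bot: `fnmatch (tok, user, 0)` matches patterns against the user name string only, whereas the lookup removed in the previous hunk compared UIDs, so two account names that resolve to the same UID are now treated independently, and a pattern that matches no existing account is no longer diagnosed (the old loop logged `unknown user %s`). If that is the intended semantics it should be recorded next to the call, e.g. `/* Match on the name pam_get_user() returned, not the UID: accounts aliased to the same UID must each be listed, and misspelled names are not reported. */`. pam_sm_open_session starts and ends outside this hunk.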
@@ -246,6 +232,13 @@ pam_sm_open_session (pam_handle_t *pamh,
 	    }
 	  free (copy);
 	}
+      else if (strcmp (argv[i], "open_only") == 0)
+	open_only = 1;
+      else
+	{
+	  pam_syslog (pamh, LOG_ERR, "unknown option `%s'", argv[i]);
+	  return PAM_SESSION_ERR;
+	}
     }
   if (command == CMD_NONE)
     return PAM_SUCCESS;
@@ -266,13 +259,15 @@ pam_sm_open_session (pam_handle_t *pamh,
       return PAM_SESSION_ERR;
     }
 
-  if (old_status->enabled == (command == CMD_ENABLE ? 1 : 0))
+  new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
+  if (old_status->enabled == new_status.enabled)
     {
       free (old_status);
       goto ok_fd;
     }
 
-  if (pam_set_data (pamh, DATANAME, old_status, cleanup_old_status)
+  if (open_only == 0
+      && pam_set_data (pamh, DATANAME, old_status, cleanup_old_status)
       != PAM_SUCCESS)
     {
       pam_syslog (pamh, LOG_ERR, "error saving old audit status");
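Review bot: The `free (old_status); goto ok_fd;` on the equal-status path, just above the new `open_only == 0 &&` guard, now leads to a double free when `open_only` is set, because the last hunk of this file adds `if (open_only != 0) free (old_status);` after the `ok_fd:` label (presumably the line between the two hunks); that tail also passes `old_status->enabled` to the debug `pam_syslog` after the free. Replacing the free with `open_only = 1; /* old_status was not handed to pam_set_data; released after ok_fd */` fixes both, since the ok_fd tail then owns the release on that path. pam_sm_open_session starts and ends outside this hunk.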
@@ -281,13 +276,14 @@ pam_sm_open_session (pam_handle_t *pamh,
       return PAM_SESSION_ERR;
     }
 
-  new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
   if (nl_send (fd, AUDIT_TTY_SET, NLM_F_ACK, &new_status,
 	       sizeof (new_status)) != 0
       || nl_recv_ack (fd) != 0)
     {
       pam_syslog (pamh, LOG_ERR, "error setting current audit status: %m");
       close (fd);
+      if (open_only != 0)
+	free (old_status);
       return PAM_SESSION_ERR;
     }
   /* Fall through */
@@ -295,6 +291,8 @@ pam_sm_open_session (pam_handle_t *pamh,
   close (fd);
   pam_syslog (pamh, LOG_DEBUG, "changed status from %d to %d",
 	      old_status->enabled, new_status.enabled);
+  if (open_only != 0)
+    free (old_status);
   return PAM_SUCCESS;
 }
 


Index: pam.spec
===================================================================
RCS file: /cvs/pkgs/rpms/pam/devel/pam.spec,v
retrieving revision 1.163
retrieving revision 1.164
diff -u -r1.163 -r1.164
--- pam.spec	29 Nov 2007 13:20:28 -0000	1.163
+++ pam.spec	2 Jan 2008 10:42:27 -0000	1.164
@@ -11,7 +11,7 @@
 Summary: A security tool which provides authentication for applications
 Name: pam
 Version: 0.99.8.1
-Release: 12%{?dist}
+Release: 13%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
 # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
 # pam_rhosts_auth module is BSD with advertising
@@ -46,6 +46,7 @@
 Patch47: pam-0.99.8.1-xauth-no-free.patch
 Patch48: pam-0.99.8.1-substack.patch
 Patch49: pam-0.99.8.1-tty-audit.patch
+Patch50: pam-0.99.8.1-tty-audit2.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: cracklib, cracklib-dicts >= 2.8
@@ -119,6 +120,7 @@
 %patch47 -p1 -b .no-free
 %patch48 -p0 -b .substack
 %patch49 -p1 -b .tty-audit
+%patch50 -p1 -b .tty-audit2
 
 autoreconf
 
@@ -412,6 +414,9 @@
 %doc doc/adg/*.txt doc/adg/html
 
 %changelog
+* Wed Jan  2 2008 Tomas Mraz <tmraz at redhat.com> 0.99.8.1-13
+- wildcard match support in pam_tty_audit (by Miloslav Trmač)
+
 * Thu Nov 29 2007 Tomas Mraz <tmraz at redhat.com> 0.99.8.1-12
 - add pam_tty_audit module (#244352) - written by Miloslav Trmač
 



