diff --git a/pam-0.99.8.1-tty-audit2.patch b/pam-0.99.8.1-tty-audit2.patch new file mode 100644 index 0000000..4978913 --- /dev/null +++ b/pam-0.99.8.1-tty-audit2.patch @@ -0,0 +1,233 @@ +Written-by: Miloslav Trmac +Reviewed-by: Tomas Mraz +diff -up Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml.tty-audit2 Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml +--- Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml.tty-audit2 2008-01-02 11:28:26.000000000 +0100 ++++ Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml 2008-01-02 11:29:55.000000000 +0100 +@@ -19,10 +19,10 @@ + + pam_tty_audit.so + +- disable=usernames ++ disable=patterns + + +- enable=usernames ++ enable=patterns + + + +@@ -40,27 +40,40 @@ + + + +- ++ + + + +- For each user matching one of comma-separated +- , disable +- TTY auditing. This overrides any older +- option for the same user name. ++ For each user matching one of comma-separated glob ++ , disable ++ TTY auditing. This overrides any previous ++ option matchin the same user name on the command line. + + + + + +- ++ + + + +- For each user matching one of comma-separated +- , enable +- TTY auditing. This overrides any older +- option for the same user name. ++ For each user matching one of comma-separated glob ++ , enable ++ TTY auditing. This overrides any previous ++ option matching the same user name on the command line. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Set the TTY audit flag when opening the session, but do not restore ++ it when closing the session. Using this option is necessary for ++ some services that don't fork() to run the ++ authenticated session, such as sudo. + + + +@@ -99,17 +112,24 @@ + + + ++ ++ NOTES ++ ++ When TTY auditing is enabled, it is inherited by all processes started by ++ that user. In particular, daemons restarted by an user will still have ++ TTY auditing enabled, and audit TTY input even by other users unless ++ auditing for these users is explicitly disabled. Therefore, it is ++ recommended to use as the first option for ++ most daemons using PAM. ++ ++ ++ + + EXAMPLES + + Audit all administrative actions. + +-login root required pam_tty_audit.so enable=root +-su root required pam_tty_audit.so enable=root +-su-l root required pam_tty_audit.so enable=root +-sudo root required pam_tty_audit.so enable=root +-sudo-l root required pam_tty_audit.so enable=root +-sshd root required pam_tty_audit.so enable=root ++session required pam_tty_audit.so disable=* enable=root + + + +diff -up Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml.tty-audit2 Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml +--- Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml.tty-audit2 2008-01-02 11:28:26.000000000 +0100 ++++ Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml 2008-01-02 11:28:26.000000000 +0100 +@@ -25,6 +25,11 @@ + +
+ ++
++ ++
++ +
+ +diff -up Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c.tty-audit2 Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c +--- Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c.tty-audit2 2008-01-02 11:28:26.000000000 +0100 ++++ Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c 2008-01-02 11:28:26.000000000 +0100 +@@ -1,4 +1,4 @@ +-/* Copyright © 2007 Red Hat, Inc. All rights reserved. ++/* Copyright © 2007, 2008 Red Hat, Inc. All rights reserved. + Red Hat author: Miloslav Trmač + + Redistribution and use in source and binary forms of Linux-PAM, with +@@ -37,7 +37,7 @@ + DAMAGE. */ + + #include +-#include ++#include + #include + #include + #include +@@ -197,9 +197,7 @@ pam_sm_open_session (pam_handle_t *pamh, + enum command command; + struct audit_tty_status *old_status, new_status; + const char *user; +- uid_t user_uid; +- struct passwd *pwd; +- int i, fd; ++ int i, fd, open_only; + + (void)flags; + +@@ -208,15 +206,9 @@ pam_sm_open_session (pam_handle_t *pamh, + pam_syslog (pamh, LOG_ERR, "error determining target user's name"); + return PAM_SESSION_ERR; + } +- pwd = pam_modutil_getpwnam (pamh, user); +- if (pwd == NULL) +- { +- pam_syslog (pamh, LOG_ERR, "error determining target user's UID: %m"); +- return PAM_SESSION_ERR; +- } +- user_uid = pwd->pw_uid; + + command = CMD_NONE; ++ open_only = 0; + for (i = 0; i < argc; i++) + { + if (strncmp (argv[i], "enable=", 7) == 0 +@@ -232,13 +224,7 @@ pam_sm_open_session (pam_handle_t *pamh, + for (tok = strtok_r (copy, ",", &tok_data); tok != NULL; + tok = strtok_r (NULL, ",", &tok_data)) + { +- pwd = pam_modutil_getpwnam (pamh, tok); +- if (pwd == NULL) +- { +- pam_syslog (pamh, LOG_WARNING, "unknown user %s", tok); +- continue; +- } +- if (pwd->pw_uid == user_uid) ++ if (fnmatch (tok, user, 0) == 0) + { + command = this_command; + break; +@@ -246,6 +232,13 @@ pam_sm_open_session (pam_handle_t *pamh, + } + free (copy); + } ++ else if (strcmp (argv[i], "open_only") == 0) ++ open_only = 1; ++ else ++ { ++ pam_syslog (pamh, LOG_ERR, "unknown option `%s'", argv[i]); ++ return PAM_SESSION_ERR; ++ } + } + if (command == CMD_NONE) + return PAM_SUCCESS; +@@ -266,13 +259,15 @@ pam_sm_open_session (pam_handle_t *pamh, + return PAM_SESSION_ERR; + } + +- if (old_status->enabled == (command == CMD_ENABLE ? 1 : 0)) ++ new_status.enabled = (command == CMD_ENABLE ? 1 : 0); ++ if (old_status->enabled == new_status.enabled) + { + free (old_status); + goto ok_fd; + } + +- if (pam_set_data (pamh, DATANAME, old_status, cleanup_old_status) ++ if (open_only == 0 ++ && pam_set_data (pamh, DATANAME, old_status, cleanup_old_status) + != PAM_SUCCESS) + { + pam_syslog (pamh, LOG_ERR, "error saving old audit status"); +@@ -281,13 +276,14 @@ pam_sm_open_session (pam_handle_t *pamh, + return PAM_SESSION_ERR; + } + +- new_status.enabled = (command == CMD_ENABLE ? 1 : 0); + if (nl_send (fd, AUDIT_TTY_SET, NLM_F_ACK, &new_status, + sizeof (new_status)) != 0 + || nl_recv_ack (fd) != 0) + { + pam_syslog (pamh, LOG_ERR, "error setting current audit status: %m"); + close (fd); ++ if (open_only != 0) ++ free (old_status); + return PAM_SESSION_ERR; + } + /* Fall through */ +@@ -295,6 +291,8 @@ pam_sm_open_session (pam_handle_t *pamh, + close (fd); + pam_syslog (pamh, LOG_DEBUG, "changed status from %d to %d", + old_status->enabled, new_status.enabled); ++ if (open_only != 0) ++ free (old_status); + return PAM_SUCCESS; + } + diff --git a/pam.spec b/pam.spec index 1cfb032..e4e1c72 100644 --- a/pam.spec +++ b/pam.spec @@ -11,7 +11,7 @@ Summary: A security tool which provides authentication for applications Name: pam Version: 0.99.8.1 -Release: 12%{?dist} +Release: 13%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+, # pam_rhosts_auth module is BSD with advertising @@ -46,6 +46,7 @@ Patch46: pam-0.99.8.1-succif-in-operator.patch Patch47: pam-0.99.8.1-xauth-no-free.patch Patch48: pam-0.99.8.1-substack.patch Patch49: pam-0.99.8.1-tty-audit.patch +Patch50: pam-0.99.8.1-tty-audit2.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: cracklib, cracklib-dicts >= 2.8 @@ -119,6 +120,7 @@ popd %patch47 -p1 -b .no-free %patch48 -p0 -b .substack %patch49 -p1 -b .tty-audit +%patch50 -p1 -b .tty-audit2 autoreconf @@ -412,6 +414,9 @@ fi %doc doc/adg/*.txt doc/adg/html %changelog +* Wed Jan 2 2008 Tomas Mraz 0.99.8.1-13 +- wildcard match support in pam_tty_audit (by Miloslav Trmač) + * Thu Nov 29 2007 Tomas Mraz 0.99.8.1-12 - add pam_tty_audit module (#244352) - written by Miloslav Trmač