Red Hat Bugzilla – Attachment 157074 Details for
Bug 244352
TTY input audit support
[patch]
A preliminary patch (some FIXMEs left)
pam_tty_audit.c (text/plain), 6.63 KB, created by
Miloslav Trmač
on 2007-06-15 08:34:41 UTC
Description:
A preliminary patch (some FIXMEs left)
Filename:
MIME Type:
Creator:
Miloslav Trmač
Created:
2007-06-15 08:34:41 UTC
Size:
6.63 KB
patch
obsolete
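#include <errno.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <sys/socket.h>
#include <unistd.h>

#include <linux/netlink.h>
#include <security/pam_ext.h>
#include <security/pam_modules.h>
#include <security/pam_modutil.h>

/* PAM data item holding the audit status found at session open, so that
   pam_sm_close_session can put it back.  Owned by the PAM handle once
   pam_set_data succeeds; released by cleanup_old_status. */
#define DATANAME "pam_tty_audit_last_state"

/* FIXME: should come from the kernel UAPI headers once they export it. */
struct audit_tty_status {
  __u32 enabled; /* 1 = enabled, 0 = disabled */
};

#define AUDIT_TTY_GET 1014  /* Get TTY auditing status */
#define AUDIT_TTY_SET 1015  /* Set TTY auditing status */
#define AUDIT_USER_TTY 1124 /* Non-ICANON TTY input meaning */

/* Per-user decision derived from the module arguments. */
enum command { CMD_NONE, CMD_ENABLE, CMD_DISABLE };

/* Open an audit netlink socket.  Returns the descriptor, or -1 with errno
   set (typically EPERM when the caller lacks the privilege to talk to the
   audit subsystem). */
static int
nl_open (void)
{
  return socket (AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
}

/* Send one netlink request of TYPE, with FLAGS OR-ed into NLM_F_REQUEST,
   carrying SIZE bytes of DATA (DATA may be NULL when SIZE is 0), to the
   kernel over FD.  Returns 0 on success, -1 with errno set on failure; a
   short write is reported as EIO. */
static int
nl_send (int fd, unsigned type, unsigned flags, const void *data, size_t size)
{
  struct sockaddr_nl addr;
  struct msghdr msg;
  struct nlmsghdr nlm;
  struct iovec iov[2];
  ssize_t res;

  memset (&nlm, 0, sizeof (nlm));
  nlm.nlmsg_len = NLMSG_LENGTH (size);
  nlm.nlmsg_type = type;
  nlm.nlmsg_flags = NLM_F_REQUEST | flags;
  nlm.nlmsg_seq = 0;
  nlm.nlmsg_pid = 0;

  /* Header and payload go out in one message, without copying DATA. */
  iov[0].iov_base = &nlm;
  iov[0].iov_len = sizeof (nlm);
  iov[1].iov_base = (void *)data;
  iov[1].iov_len = size;

  /* nl_pid 0 addresses the kernel. */
  memset (&addr, 0, sizeof (addr));
  addr.nl_family = AF_NETLINK;
  addr.nl_pid = 0;
  addr.nl_groups = 0;

  memset (&msg, 0, sizeof (msg));
  msg.msg_name = &addr;
  msg.msg_namelen = sizeof (addr);
  msg.msg_iov = iov;
  msg.msg_iovlen = 2;

  res = sendmsg (fd, &msg, 0);
  if (res == -1)
    return -1;
  if ((size_t)res != nlm.nlmsg_len)
    {
      errno = EIO;
      return -1;
    }
  return 0;
}

/* Receive one netlink message of TYPE from FD, storing SIZE bytes of its
   payload into BUF.  For any TYPE other than NLMSG_ERROR, an error message
   sitting at the head of the queue is consumed first: a zero error code (a
   plain ACK) is skipped and the next message is read, a non-zero one is
   turned into errno.  Messages not originating from the kernel (nl_pid != 0)
   are rejected with EIO, as are replies of the wrong type or length.  A reply
   longer than SIZE is silently truncated to its first SIZE bytes (recvmsg
   semantics).  Returns 0 on success, -1 with errno set on failure. */
static int
nl_recv (int fd, unsigned type, void *buf, size_t size)
{
  struct sockaddr_nl addr;
  struct msghdr msg;
  struct nlmsghdr nlm;
  struct iovec iov[2];
  ssize_t res;

 again:
  memset (&addr, 0, sizeof (addr));
  iov[0].iov_base = &nlm;
  iov[0].iov_len = sizeof (nlm);
  memset (&msg, 0, sizeof (msg));
  msg.msg_name = &addr;
  msg.msg_namelen = sizeof (addr);
  msg.msg_iov = iov;
  msg.msg_iovlen = 1;

  if (type != NLMSG_ERROR)
    {
      /* Peek at the header so that a pending error message is not mistaken
	 for the reply we are waiting for. */
      res = recvmsg (fd, &msg, MSG_PEEK);
      if (res == -1)
	return -1;
      if ((size_t)res != NLMSG_LENGTH (0) || addr.nl_pid != 0)
	{
	  errno = EIO;
	  return -1;
	}
      if (nlm.nlmsg_type == NLMSG_ERROR)
	{
	  struct nlmsgerr err;

	  iov[1].iov_base = &err;
	  iov[1].iov_len = sizeof (err);
	  msg.msg_iovlen = 2;
	  res = recvmsg (fd, &msg, 0);
	  if (res == -1)
	    return -1;
	  if ((size_t)res != NLMSG_LENGTH (sizeof (err))
	      || nlm.nlmsg_type != NLMSG_ERROR)
	    {
	      errno = EIO;
	      return -1;
	    }
	  if (err.error == 0)
	    goto again; /* A stray ACK; the real reply follows it. */
	  errno = -err.error;
	  return -1;
	}
    }

  if (size != 0)
    {
      iov[1].iov_base = buf;
      iov[1].iov_len = size;
      msg.msg_iovlen = 2;
    }
  res = recvmsg (fd, &msg, 0);
  if (res == -1)
    return -1;
  if ((size_t)res != NLMSG_LENGTH (size)
      || nlm.nlmsg_type != type
      || addr.nl_pid != 0)
    {
      errno = EIO;
      return -1;
    }
  return 0;
}

/* Wait for the NLM_F_ACK reply to the last request sent on FD.  Returns 0
   when the kernel acknowledged success, -1 with errno set (from the ACK's
   error code, or from nl_recv) otherwise. */
static int
nl_recv_ack (int fd)
{
  struct nlmsgerr err;

  if (nl_recv (fd, NLMSG_ERROR, &err, sizeof (err)) != 0)
    return -1;
  if (err.error != 0)
    {
      errno = -err.error;
      return -1;
    }
  return 0;
}

/* pam_set_data cleanup callback for the saved audit status (a malloc'ed
   struct audit_tty_status). */
static void
cleanup_old_status (pam_handle_t *pamh, void *data, int error_status)
{
  (void)pamh;
  (void)error_status;
  free (data);
}

/* Scan the module arguments ("enable=USER,USER,..." and
   "disable=USER,USER,...") for an entry naming the user with USER_UID and
   store the resulting decision in *COMMAND; CMD_NONE when no argument names
   the user.  Arguments are processed in order, and a later match overrides
   an earlier one.  Names that do not resolve to a user are logged and
   skipped.  Returns 0 on success, -1 when the argument copy could not be
   allocated.
   FIXME: a config file? */
static int
select_command (pam_handle_t *pamh, int argc, const char **argv,
		uid_t user_uid, enum command *command)
{
  int i;

  *command = CMD_NONE;
  for (i = 0; i < argc; i++)
    {
      enum command this_command;
      const char *list;
      char *copy, *tok_data, *tok;

      if (strncmp (argv[i], "enable=", 7) == 0)
	{
	  this_command = CMD_ENABLE;
	  list = argv[i] + 7;
	}
      else if (strncmp (argv[i], "disable=", 8) == 0)
	{
	  this_command = CMD_DISABLE;
	  list = argv[i] + 8;
	}
      else
	continue;

      /* strtok_r modifies its input, so work on a private copy. */
      copy = strdup (list);
      if (copy == NULL)
	return -1;
      for (tok = strtok_r (copy, ",", &tok_data); tok != NULL;
	   tok = strtok_r (NULL, ",", &tok_data))
	{
	  struct passwd *pwd = pam_modutil_getpwnam (pamh, tok);

	  if (pwd == NULL)
	    {
	      pam_syslog (pamh, LOG_WARNING, "unknown user %s", tok);
	      continue;
	    }
	  if (pwd->pw_uid == user_uid)
	    {
	      *command = this_command;
	      break;
	    }
	}
      free (copy);
    }
  return 0;
}

/* Session open: if the module arguments select a TTY audit state for the
   target user, read the current kernel state, remember it under DATANAME and
   switch to the selected state.  Nothing is stored when the state already
   matches, so close_session then has nothing to restore.  Returns
   PAM_SUCCESS, or PAM_SESSION_ERR when the user cannot be resolved, memory
   runs out, or the audit netlink exchange fails. */
int
pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
{
  enum command command;
  struct audit_tty_status *old_status, new_status;
  const char *user;
  struct passwd *pwd;
  int fd;

  (void)flags;

  if (pam_get_user (pamh, &user, NULL) != PAM_SUCCESS)
    {
      pam_syslog (pamh, LOG_ERR, "error determining target user's name");
      return PAM_SESSION_ERR;
    }
  pwd = pam_modutil_getpwnam (pamh, user);
  if (pwd == NULL)
    {
      pam_syslog (pamh, LOG_ERR, "error determining target user's UID: %m");
      return PAM_SESSION_ERR;
    }

  /* pw_uid is passed by value: select_command calls getpwnam again, which
     may reuse the buffer pwd points into. */
  if (select_command (pamh, argc, argv, pwd->pw_uid, &command) != 0)
    return PAM_SESSION_ERR;
  if (command == CMD_NONE)
    return PAM_SUCCESS;

  old_status = malloc (sizeof (*old_status));
  if (old_status == NULL)
    return PAM_SESSION_ERR;

  fd = nl_open ();
  if (fd == -1
      || nl_send (fd, AUDIT_TTY_GET, 0, NULL, 0) != 0
      || nl_recv (fd, AUDIT_TTY_GET, old_status, sizeof (*old_status)) != 0)
    {
      pam_syslog (pamh, LOG_ERR, "error reading current audit status: %m");
      if (fd != -1)
	close (fd);
      free (old_status);
      return PAM_SESSION_ERR;
    }

  new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
  if (old_status->enabled == new_status.enabled)
    {
      /* Already in the requested state: nothing to change, and nothing to
	 restore later, so old_status is not kept. */
      close (fd);
      free (old_status);
      return PAM_SUCCESS;
    }

  /* From here on old_status is owned by the PAM handle. */
  if (pam_set_data (pamh, DATANAME, old_status, cleanup_old_status)
      != PAM_SUCCESS)
    {
      pam_syslog (pamh, LOG_ERR, "error saving old audit status");
      close (fd);
      free (old_status);
      return PAM_SESSION_ERR;
    }

  if (nl_send (fd, AUDIT_TTY_SET, NLM_F_ACK, &new_status,
	       sizeof (new_status)) != 0
      || nl_recv_ack (fd) != 0)
    {
      pam_syslog (pamh, LOG_ERR, "error setting current audit status: %m");
      close (fd);
      return PAM_SESSION_ERR;
    }
  close (fd);
  pam_syslog (pamh, LOG_DEBUG, "changed status from %u to %u",
	      old_status->enabled, new_status.enabled);
  return PAM_SUCCESS;
}

/* Session close: if open_session saved a previous audit status under
   DATANAME, write it back to the kernel.  Returns PAM_SUCCESS when there was
   nothing to restore or the restore succeeded, PAM_SESSION_ERR when the
   audit netlink exchange fails. */
int
pam_sm_close_session (pam_handle_t *pamh, int flags, int argc,
		      const char **argv)
{
  const void *status_;

  (void)flags;
  (void)argc;
  (void)argv;

  if (pam_get_data (pamh, DATANAME, &status_) == PAM_SUCCESS)
    {
      const struct audit_tty_status *status = status_;
      int fd;

      fd = nl_open ();
      if (fd == -1
	  || nl_send (fd, AUDIT_TTY_SET, NLM_F_ACK, status,
		      sizeof (*status)) != 0
	  || nl_recv_ack (fd) != 0)
	{
	  pam_syslog (pamh, LOG_ERR, "error restoring audit status: %m");
	  if (fd != -1)
	    close (fd);
	  return PAM_SESSION_ERR;
	}
      close (fd);
      pam_syslog (pamh, LOG_DEBUG, "restored status to %u", status->enabled);
    }
  return PAM_SUCCESS;
}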