Red Hat Bugzilla – Attachment 291048 Details for
Bug 244352
TTY input audit support
[patch]
An incremental patch
pam-incremental.patch (text/plain), 7.82 KB, created by
Miloslav Trmač
on 2008-01-08 11:26:03 UTC
Description:
An incremental patch
Filename:
MIME Type:
Creator:
Miloslav Trmač
Created:
2008-01-08 11:26:03 UTC
Size:
7.82 KB
patch
obsolete
>diff --exclude '*.o' --exclude '*~' --exclude '*.tty_audit' -urN Linux-PAM/modules/pam_tty_audit/pam_tty_audit.c Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c
>--- Linux-PAM/modules/pam_tty_audit/pam_tty_audit.c 2007-12-16 00:06:34.000000000 +0100
>+++ Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c 2008-01-01 07:54:37.000000000 +0100
>@@ -1,4 +1,4 @@
>-/* Copyright © 2007 Red Hat, Inc. All rights reserved.
>+/* Copyright © 2007, 2008 Red Hat, Inc. All rights reserved.
> Red Hat author: Miloslav TrmaÄ <mitr@redhat.com>
>
> Redistribution and use in source and binary forms of Linux-PAM, with
>@@ -37,7 +37,7 @@
> DAMAGE. */
>
> #include <errno.h>
>-#include <pwd.h>
>+#include <fnmatch.h>
> #include <stdlib.h>
> #include <string.h>
> #include <syslog.h>
>@@ -197,9 +197,7 @@
> enum command command;
> struct audit_tty_status *old_status, new_status;
> const char *user;
>- uid_t user_uid;
>- struct passwd *pwd;
>- int i, fd;
>+ int i, fd, open_only;
>
> (void)flags;
>
>@@ -208,15 +206,9 @@
> pam_syslog (pamh, LOG_ERR, "error determining target user's name");
> return PAM_SESSION_ERR;
> }
>- pwd = pam_modutil_getpwnam (pamh, user);
>- if (pwd == NULL)
>- {
>- pam_syslog (pamh, LOG_ERR, "error determining target user's UID: %m");
>- return PAM_SESSION_ERR;
>- }
>- user_uid = pwd->pw_uid;
>
> command = CMD_NONE;
>+ open_only = 0;
> for (i = 0; i < argc; i++)
> {
> if (strncmp (argv[i], "enable=", 7) == 0
>@@ -232,13 +224,7 @@
> for (tok = strtok_r (copy, ",", &tok_data); tok != NULL;
> tok = strtok_r (NULL, ",", &tok_data))
> {
>- pwd = pam_modutil_getpwnam (pamh, tok);
>- if (pwd == NULL)
>- {
>- pam_syslog (pamh, LOG_WARNING, "unknown user %s", tok);
>- continue;
>- }
>- if (pwd->pw_uid == user_uid)
>+ if (fnmatch (tok, user, 0) == 0)
> {
> command = this_command;
> break;
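Review bot: `open_only` is declared without an initializer in the @@ -197 hunk and only zeroed in the @@ -208 hunk, after the early `return PAM_SESSION_ERR` for a missing user name; giving it its value at the declaration, `int i, fd, open_only = 0;`, keeps the flag from being read before it is set should another early exit be added between the two places later. Dropping the `pam_modutil_getpwnam` lookup in the same hunks also means the target user no longer has to exist in the passwd database before the option loop runs; if that is intended, a one-line comment such as `/* user is matched by name below; no passwd lookup is needed */` at the `command = CMD_NONE;` line would record it. The enclosing function starts before the @@ -197 hunk.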
>@@ -246,6 +232,13 @@
> }
> free (copy);
> }
>+ else if (strcmp (argv[i], "open_only") == 0)
>+ open_only = 1;
>+ else
>+ {
>+ pam_syslog (pamh, LOG_ERR, "unknown option `%s'", argv[i]);
>+ return PAM_SESSION_ERR;
>+ }
> }
> if (command == CMD_NONE)
> return PAM_SUCCESS;
>@@ -266,13 +259,15 @@
> return PAM_SESSION_ERR;
> }
>
>+ new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
> if (old_status->enabled == (command == CMD_ENABLE ? 1 : 0))
> {
> free (old_status);
> goto ok_fd;
> }
>
>- if (pam_set_data (pamh, DATANAME, old_status, cleanup_old_status)
>+ if (open_only == 0
>+ && pam_set_data (pamh, DATANAME, old_status, cleanup_old_status)
> != PAM_SUCCESS)
> {
> pam_syslog (pamh, LOG_ERR, "error saving old audit status");
>@@ -281,13 +276,14 @@
> return PAM_SESSION_ERR;
> }
>
>- new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
> if (nl_send (fd, AUDIT_TTY_SET, NLM_F_ACK, &new_status,
> sizeof (new_status)) != 0
> || nl_recv_ack (fd) != 0)
> {
> pam_syslog (pamh, LOG_ERR, "error setting current audit status: %m");
> close (fd);
>+ if (open_only != 0)
>+ free (old_status);
> return PAM_SESSION_ERR;
> }
> /* Fall through */
>@@ -295,6 +291,8 @@
> close (fd);
> pam_syslog (pamh, LOG_DEBUG, "changed status from %d to %d",
> old_status->enabled, new_status.enabled);
>+ if (open_only != 0)
>+ free (old_status);
> return PAM_SUCCESS;
> }
>
>diff --exclude '*.o' --exclude '*~' --exclude '*.tty_audit' -urN Linux-PAM/modules/pam_tty_audit/pam_tty_audit.8.xml Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml
>--- Linux-PAM/modules/pam_tty_audit/pam_tty_audit.8.xml 2007-12-16 00:06:34.000000000 +0100
>+++ Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml 2008-01-01 07:45:55.000000000 +0100
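Review bot: `if (fnmatch (tok, user, 0) == 0)` in the @@ -232 hunk matches the login name, whereas the removed `pwd->pw_uid == user_uid` comparison matched UIDs, so an account that shares a UID with a listed name but logs in under a different name is no longer covered by `enable=`/`disable=`; the man-page hunks describe glob patterns but never say that matching is by name rather than UID. That deserves a sentence in the man page and a comment on this line, e.g. `/* Match the login name, not the UID; a UID alias needs its own pattern. */`. A `tok` that is not a valid pattern now makes `fnmatch` return nonzero silently, where the removed code logged "unknown user", so a configuration typo is no longer visible in syslog; logging a non-`FNM_NOMATCH` return would restore that. The enclosing loop and function start before the hunk.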
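Review bot: With `open_only` set, `old_status` stays owned by this function, but the `if (old_status->enabled == …)` branch in the @@ -266 hunk still does `free (old_status); goto ok_fd;`, and the code after `ok_fd` in the @@ -295 hunk (the label itself is presumably the unhunked line following `/* Fall through */`) then reads `old_status->enabled` for the LOG_DEBUG message and, through the newly added `if (open_only != 0) free (old_status);`, frees it a second time. The read after free is pre-existing; the double free on the "status already correct" path is new with this change. The branch should leave the release to the `ok_fd` cleanup instead: replace `free (old_status);` with `open_only = 1; /* old_status is freed at ok_fd */`, which also makes the debug message read a live object. The unchanged condition could now be written `if (old_status->enabled == new_status.enabled)` since `new_status.enabled` is computed on the line above it in this hunk. The enclosing function starts before the hunk.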
>@@ -19,10 +19,10 @@
> <cmdsynopsis id="pam_tty_audit-cmdsynopsis">
> <command>pam_tty_audit.so</command>
> <arg choice="opt">
>- disable=<replaceable>usernames</replaceable>
>+ disable=<replaceable>patterns</replaceable>
> </arg>
> <arg choice="opt">
>- enable=<replaceable>usernames</replaceable>
>+ enable=<replaceable>patterns</replaceable>
> </arg>
> </cmdsynopsis>
> </refsynopsisdiv>
>@@ -40,27 +40,40 @@
> <variablelist>
> <varlistentry>
> <term>
>- <option>disable=<replaceable>usernames</replaceable></option>
>+ <option>disable=<replaceable>patterns</replaceable></option>
> </term>
> <listitem>
> <para>
>- For each user matching one of comma-separated
>- <option><replaceable>usernames</replaceable></option>, disable
>+ For each user matching one of comma-separated glob
>+ <option><replaceable>patterns</replaceable></option>, disable
> TTY auditing. This overrides any older <option>enable</option>
>- option for the same user name.
>+ option matching the same user name.
> </para>
> </listitem>
> </varlistentry>
> <varlistentry>
> <term>
>- <option>enable=<replaceable>usernames</replaceable></option>
>+ <option>enable=<replaceable>patterns</replaceable></option>
> </term>
> <listitem>
> <para>
>- For each user matching one of comma-separated
>- <option><replaceable>usernames</replaceable></option>, enable
>+ For each user matching one of comma-separated glob
>+ <option><replaceable>patterns</replaceable></option>, enable
> TTY auditing. This overrides any older <option>disable</option>
>- option for the same user name.
>+ option matching the same user name.
>+ </para>
>+ </listitem>
>+ </varlistentry>
>+ <varlistentry>
>+ <term>
>+ <option>open_only</option>
>+ </term>
>+ <listitem>
>+ <para>
>+ Set the TTY audit flag when opening the session, but do not restore
>+ it when closing the session. Using this option is necessary for
>+ some services that don't <function>fork()</function> to run the
>+ authenticated session, such as <command>sudo</command>.
> </para>
> </listitem>
> </varlistentry>
>@@ -99,17 +112,24 @@
> </variablelist>
> </refsect1>
>
>+ <refsect1 id='pam_tty_audit-notes'>
>+ <title>NOTES</title>
>+ <para>
>+ When TTY auditing is enabled, it is inherited by all processes started by
>+ that user. In particular, daemons restarted by an user will still have
>+ TTY auditing enabled, and audit TTY input even by other users unless
>+ auditing for these users is explicitly disabled. Therefore, it is
>+ recommended to use <option>disable=*</option> as the first option for
>+ most daemons using PAM.
>+ </para>
>+ </refsect1>
>+
> <refsect1 id='pam_tty_audit-examples'>
> <title>EXAMPLES</title>
> <para>
> Audit all administrative actions.
> <programlisting>
>-login root required pam_tty_audit.so enable=root
>-su root required pam_tty_audit.so enable=root
>-su-l root required pam_tty_audit.so enable=root
>-sudo root required pam_tty_audit.so enable=root
>-sudo-l root required pam_tty_audit.so enable=root
>-sshd root required pam_tty_audit.so enable=root
>+session required pam_tty_audit.so disable=* enable=root
> </programlisting>
> </para>
> </refsect1>
>diff --exclude '*.o' --exclude '*~' --exclude '*.tty_audit' -urN Linux-PAM/modules/pam_tty_audit/README.xml Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml
>--- Linux-PAM/modules/pam_tty_audit/README.xml 2007-12-16 00:06:34.000000000 +0100
>+++ Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml 2007-12-16 17:54:28.000000000 +0100
>@@ -25,6 +25,11 @@
>
> <section>
> <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
>+ href="pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-notes"]/*)'/>
>+ </section>
>+
>+ <section>
>+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
> href="pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-examples"]/*)'/>
> </section>
>