Attachment 291048 Details for Bug 244352 – An incremental patch

[patch] An incremental patch

pam-incremental.patch (text/plain), 7.82 KB, created by Miloslav Trmač on 2008-01-08 11:26:03 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Miloslav Trmač

Created: 2008-01-08 11:26:03 UTC

Size: 7.82 KB

patch

obsolete

>diff --exclude '*.o' --exclude '*~' --exclude '*.tty_audit' -urN Linux-PAM/modules/pam_tty_audit/pam_tty_audit.c Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c
>--- Linux-PAM/modules/pam_tty_audit/pam_tty_audit.c	2007-12-16 00:06:34.000000000 +0100
>+++ Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.c	2008-01-01 07:54:37.000000000 +0100
>@@ -1,4 +1,4 @@
>-/* Copyright Â© 2007 Red Hat, Inc. All rights reserved.
>+/* Copyright Â© 2007, 2008 Red Hat, Inc. All rights reserved.
>    Red Hat author: Miloslav TrmaÄ <mitr@redhat.com>
> 
>    Redistribution and use in source and binary forms of Linux-PAM, with
>@@ -37,7 +37,7 @@
>    DAMAGE. */
> 
> #include <errno.h>
>-#include <pwd.h>
>+#include <fnmatch.h>
> #include <stdlib.h>
> #include <string.h>
> #include <syslog.h>
>@@ -197,9 +197,7 @@
>   enum command command;
>   struct audit_tty_status *old_status, new_status;
>   const char *user;
>-  uid_t user_uid;
>-  struct passwd *pwd;
>-  int i, fd;
>+  int i, fd, open_only;
> 
>   (void)flags;
> 
>@@ -208,15 +206,9 @@
>       pam_syslog (pamh, LOG_ERR, "error determining target user's name");
>       return PAM_SESSION_ERR;
>     }
>-  pwd = pam_modutil_getpwnam (pamh, user);
>-  if (pwd == NULL)
>-    {
>-      pam_syslog (pamh, LOG_ERR, "error determining target user's UID: %m");
>-      return PAM_SESSION_ERR;
>-    }
>-  user_uid = pwd->pw_uid;
> 
>   command = CMD_NONE;
>+  open_only = 0;
>   for (i = 0; i < argc; i++)
>     {
>       if (strncmp (argv[i], "enable=", 7) == 0
>@@ -232,13 +224,7 @@
> 	  for (tok = strtok_r (copy, ",", &tok_data); tok != NULL;
> 	       tok = strtok_r (NULL, ",", &tok_data))
> 	    {
>-	      pwd = pam_modutil_getpwnam (pamh, tok);
>-	      if (pwd == NULL)
>-		{
>-		  pam_syslog (pamh, LOG_WARNING, "unknown user %s", tok);
>-		  continue;
>-		}
>-	      if (pwd->pw_uid == user_uid)
>+	      if (fnmatch (tok, user, 0) == 0)
> 		{
> 		  command = this_command;
> 		  break;
>@@ -246,6 +232,13 @@
> 	    }
> 	  free (copy);
> 	}
>+      else if (strcmp (argv[i], "open_only") == 0)
>+	open_only = 1;
>+      else
>+	{
>+	  pam_syslog (pamh, LOG_ERR, "unknown option `%s'", argv[i]);
>+	  return PAM_SESSION_ERR;
>+	}
>     }
>   if (command == CMD_NONE)
>     return PAM_SUCCESS;
>@@ -266,13 +259,15 @@
>       return PAM_SESSION_ERR;
>     }
> 
>+  new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
>   if (old_status->enabled == (command == CMD_ENABLE ? 1 : 0))
>     {
>       free (old_status);
>       goto ok_fd;
>     }
> 
>-  if (pam_set_data (pamh, DATANAME, old_status, cleanup_old_status)
>+  if (open_only == 0
>+      && pam_set_data (pamh, DATANAME, old_status, cleanup_old_status)
>       != PAM_SUCCESS)
>     {
>       pam_syslog (pamh, LOG_ERR, "error saving old audit status");
>@@ -281,13 +276,14 @@
>       return PAM_SESSION_ERR;
>     }
> 
>-  new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
>   if (nl_send (fd, AUDIT_TTY_SET, NLM_F_ACK, &new_status,
> 	       sizeof (new_status)) != 0
>       || nl_recv_ack (fd) != 0)
>     {
>       pam_syslog (pamh, LOG_ERR, "error setting current audit status: %m");
>       close (fd);
>+      if (open_only != 0)
>+	free (old_status);
>       return PAM_SESSION_ERR;
>     }
>   /* Fall through */
>@@ -295,6 +291,8 @@
>   close (fd);
>   pam_syslog (pamh, LOG_DEBUG, "changed status from %d to %d",
> 	      old_status->enabled, new_status.enabled);
>+  if (open_only != 0)
>+    free (old_status);
>   return PAM_SUCCESS;
> }
> 
>diff --exclude '*.o' --exclude '*~' --exclude '*.tty_audit' -urN Linux-PAM/modules/pam_tty_audit/pam_tty_audit.8.xml Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml
>--- Linux-PAM/modules/pam_tty_audit/pam_tty_audit.8.xml	2007-12-16 00:06:34.000000000 +0100
>+++ Linux-PAM-0.99.8.1/modules/pam_tty_audit/pam_tty_audit.8.xml	2008-01-01 07:45:55.000000000 +0100
>@@ -19,10 +19,10 @@
>     <cmdsynopsis id="pam_tty_audit-cmdsynopsis">
>       <command>pam_tty_audit.so</command>
>       <arg choice="opt">
>-	disable=<replaceable>usernames</replaceable>
>+	disable=<replaceable>patterns</replaceable>
>       </arg>
>       <arg choice="opt">
>-	enable=<replaceable>usernames</replaceable>
>+	enable=<replaceable>patterns</replaceable>
>       </arg>
>     </cmdsynopsis>
>   </refsynopsisdiv>
>@@ -40,27 +40,40 @@
>     <variablelist>
>       <varlistentry>
>         <term>
>-          <option>disable=<replaceable>usernames</replaceable></option>
>+          <option>disable=<replaceable>patterns</replaceable></option>
>         </term>
>         <listitem>
>           <para>
>-	    For each user matching one of comma-separated
>-	    <option><replaceable>usernames</replaceable></option>, disable
>+	    For each user matching one of comma-separated glob
>+	    <option><replaceable>patterns</replaceable></option>, disable
> 	    TTY auditing.  This overrides any older <option>enable</option>
>-	    option for the same user name.
>+	    option matching the same user name.
>           </para>
>         </listitem>
>       </varlistentry>
>       <varlistentry>
>         <term>
>-          <option>enable=<replaceable>usernames</replaceable></option>
>+          <option>enable=<replaceable>patterns</replaceable></option>
>         </term>
>         <listitem>
>           <para>
>-	    For each user matching one of comma-separated
>-	    <option><replaceable>usernames</replaceable></option>, enable
>+	    For each user matching one of comma-separated glob
>+	    <option><replaceable>patterns</replaceable></option>, enable
> 	    TTY auditing.  This overrides any older <option>disable</option>
>-	    option for the same user name.
>+	    option matching the same user name.
>+          </para>
>+        </listitem>
>+      </varlistentry>
>+      <varlistentry>
>+        <term>
>+          <option>open_only</option>
>+        </term>
>+        <listitem>
>+          <para>
>+	    Set the TTY audit flag when opening the session, but do not restore
>+	    it when closing the session.  Using this option is necessary for
>+	    some services that don't <function>fork()</function> to run the
>+	    authenticated session, such as <command>sudo</command>.
>           </para>
>         </listitem>
>       </varlistentry>
>@@ -99,17 +112,24 @@
>     </variablelist>
>   </refsect1>
> 
>+  <refsect1 id='pam_tty_audit-notes'>
>+    <title>NOTES</title>
>+    <para>
>+      When TTY auditing is enabled, it is inherited by all processes started by
>+      that user.  In particular, daemons restarted by an user will still have
>+      TTY auditing enabled, and audit TTY input even by other users unless
>+      auditing for these users is explicitly disabled.  Therefore, it is
>+      recommended to use <option>disable=*</option> as the first option for
>+      most daemons using PAM.
>+    </para>
>+  </refsect1>
>+
>   <refsect1 id='pam_tty_audit-examples'>
>     <title>EXAMPLES</title>
>     <para>
>       Audit all administrative actions.
>       <programlisting>
>-login   root     required       pam_tty_audit.so enable=root
>-su      root     required       pam_tty_audit.so enable=root
>-su-l    root     required       pam_tty_audit.so enable=root
>-sudo    root     required       pam_tty_audit.so enable=root
>-sudo-l  root     required       pam_tty_audit.so enable=root
>-sshd    root     required       pam_tty_audit.so enable=root
>+session required pam_tty_audit.so disable=* enable=root
>       </programlisting>
>     </para>
>   </refsect1>
>diff --exclude '*.o' --exclude '*~' --exclude '*.tty_audit' -urN Linux-PAM/modules/pam_tty_audit/README.xml Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml
>--- Linux-PAM/modules/pam_tty_audit/README.xml	2007-12-16 00:06:34.000000000 +0100
>+++ Linux-PAM-0.99.8.1/modules/pam_tty_audit/README.xml	2007-12-16 17:54:28.000000000 +0100
>@@ -25,6 +25,11 @@
> 
>   <section>
>     <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
>+      href="pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-notes"]/*)'/>
>+  </section>
>+
>+  <section>
>+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
>       href="pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-examples"]/*)'/>
>   </section>
>

Actions: View | Diff

Attachments on bug 244352: 157074 | 271421 | 291048 | 291049