Author: tmraz
Update of /cvs/dist/rpms/pam/FC-4
In directory cvs.devel.redhat.com:/tmp/cvs-serv15727
Modified Files:
pam-0.77-audit.patch pam.spec
Added Files:
pam-0.79-loginuid-req-audit.patch
Log Message:
* Wed Aug 24 2005 Tomas Mraz <tmraz@xxxxxxxxxx> 0.79-9.5
- add option to pam_loginuid to require auditd
- don't fail in audit code when audit is not compiled in
on the newest kernels (#166422)
pam-0.79-loginuid-req-audit.patch:
pam_loginuid.8 | 10 ++---
pam_loginuid.c | 107 +++++++++++++++++++++++++++++++++++++++++++++++++++++++--
2 files changed, 109 insertions(+), 8 deletions(-)
--- NEW FILE pam-0.79-loginuid-req-audit.patch ---
--- Linux-PAM-0.79/modules/pam_loginuid/pam_loginuid.8.req-audit
2005-08-01 09:48:02.000000000 +0200
+++ Linux-PAM-0.79/modules/pam_loginuid/pam_loginuid.8 2005-08-01
09:50:39.000000000 +0200
@@ -1,16 +1,16 @@
-.TH pam_loginuid 8 2005/02/10 "Red Hat Linux" "System Administrator's Manual"
+.TH pam_loginuid 8 2005/07/29 "Red Hat Linux" "System Administrator's Manual"
.SH NAME
-pam_loginuid \- record authentication attempts to audit subsystem
+pam_loginuid \- record user's login uid to the process attribute
.SH SYNOPSIS
.B session required /lib/security/pam_loginuid.so
.br
.SH DESCRIPTION
-pam_loginuid sets the loginuid for the process that was authenticated. This is
-necessary for applications to be correctly audited.
+pam_loginuid sets the loginuid process attribute for the process that was
authenticated. This is necessary for applications to be correctly audited. This
pam module should only be used for entry point applications like: login, sshd,
gdm, vsftpd, crond, at, and remote. There are probably other entry point
applications besides these. You should not use it for applications like sudo or
su as that defeats the purpose by changing the loginuid to the account they
just switched to.
.SH ARGUMENTS
-.IP none
+.IP require_auditd
+This option, when given, will cause this module to query the audit daemon
status and deny logins if it is not running.
.SH EXAMPLE
\fB/etc/pam.d/gdm\fP:
--- Linux-PAM-0.79/modules/pam_loginuid/pam_loginuid.c.req-audit
2005-08-01 09:48:02.000000000 +0200
+++ Linux-PAM-0.79/modules/pam_loginuid/pam_loginuid.c 2005-08-24
10:57:29.000000000 +0200
@@ -22,6 +22,7 @@
* PAM module that sets the login uid introduced in kernel 2.6.11
*/
+#include "../../_pam_aconf.h"
#include <stdio.h>
#include <stdarg.h>
#include <syslog.h>
@@ -38,6 +39,11 @@
#include <fcntl.h>
#undef __USE_GNU
+#ifdef HAVE_LIBAUDIT
+#include <libaudit.h>
+#include <sys/select.h>
+#include <errno.h>
+#endif
static void _pam_log(int err, const char *format, ...)
{
@@ -76,14 +82,98 @@
return rc;
}
+#ifdef HAVE_LIBAUDIT
+/*
+ * This function is called only if "require_auditd" option is passed. It is
+ * called after loginuid has been set. The purpose is to disallow logins
+ * should the audit daemon not be running or crashed. It returns PAM_SUCCESS
+ * if the audit daemon is running and PAM_SESSION_ERR otherwise.
+ */
+static int check_auditd(void)
+{
+ int fd, retval;
+
+ fd = audit_open();
+ if (fd < 0) {
+ /* This is here to let people that build their own kernel
+ and disable the audit system get in. You get these error
+ codes only when the kernel doesn't have audit
+ compiled in. */
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+ errno == EAFNOSUPPORT)
+ return PAM_SUCCESS;
+ return PAM_SESSION_ERR;
+ }
+ retval = audit_request_status(fd);
+ if (retval > 0) {
+ struct audit_reply rep;
+ int i;
+ int timeout = 30; /* tenths of seconds */
+ fd_set read_mask;
+
+ FD_ZERO(&read_mask);
+ FD_SET(fd, &read_mask);
+
+ for (i = 0; i < timeout; i++) {
+ struct timeval t;
+ int rc;
+
+ t.tv_sec = 0;
+ t.tv_usec = 100000;
+ do {
+ rc = select(fd+1, &read_mask, NULL, NULL, &t);
+ } while (rc < 0 && errno == EINTR);
+
+ rc = audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING,0);
+ if (rc > 0) {
+ /* If we get done or error, break out */
+ if (rep.type == NLMSG_DONE ||
+ rep.type == NLMSG_ERROR)
+ break;
+
+ /* If its not status, keep looping */
+ if (rep.type != AUDIT_GET)
+ continue;
+
+ /* Found it... */
+ close(fd);
+ if (rep.status->pid == 0)
+ return PAM_SESSION_ERR;
+ else
+ return PAM_SUCCESS;
+ }
+ }
+ }
+ close(fd);
+ if (retval == -ECONNREFUSED) {
+ /* This is here to let people that build their own kernel
+ and disable the audit system get in. ECONNREFUSED is
+ issued by the kernel when there is "no on listening". */
+ return PAM_SUCCESS;
+ } else if (retval == -EPERM && getuid() != 0) {
+ /* If we get this, then the kernel supports auditing
+ * but we don't have enough privilege to write to the
+ * socket. Therefore, we have already been authenticated
+ * and we are a common user. Just act as though auditing
+ * is not enabled. Any other error we take seriously. */
+ return PAM_SUCCESS;
+ }
+
+ return PAM_SESSION_ERR;
+}
+#endif
+
/*
* Initialize audit session for user
*/
static int
_pam_loginuid(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
- char *user = NULL;
- struct passwd *pwd;
+ char *user = NULL;
+ struct passwd *pwd;
+#ifdef HAVE_LIBAUDIT
+ int require_auditd = 0;
+#endif
/* get user name */
if (pam_get_item(pamh, PAM_USER, (const void **) &user) != PAM_SUCCESS)
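Review bot: `read_mask` is built once before the wait loop in check_auditd, but select() overwrites the set it is handed, so after the first 100 ms timeout `fd` is no longer in it and every later iteration merely sleeps before the non-blocking audit_get_reply(); a status reply that lands during the sleep is only noticed on the next poll, and the loop degrades to 30 blind polls. Re-arm the set each iteration by moving the two lines into the loop body beside the timeval setup: `FD_ZERO(&read_mask); FD_SET(fd, &read_mask);`. The ECONNREFUSED and `-EPERM && getuid() != 0` branches deliberately let the login through without a running auditd, but they are silent, so an administrator who configured require_auditd cannot see in the logs that the requirement was waived; a line such as `_pam_log(LOG_NOTICE, "require_auditd: audit status unavailable (error %d), allowing login", -retval);` before each of those `return PAM_SUCCESS` would make that visible. The uid test also looks at the real uid, while the kernel's refusal presumably depends on the caller's effective capabilities, so the "common user" inference may not hold for every entry-point application and deserves a comment stating the assumption. _pam_loginuid starts at the end of this hunk and its body continues past it.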
@@ -104,7 +194,18 @@
return PAM_SESSION_ERR;
}
- return PAM_SUCCESS;
+#ifdef HAVE_LIBAUDIT
+ while (argc-- > 0) {
+ if (strcmp(*argv, "require_auditd") == 0)
+ require_auditd = 1;
+ argv++;
+ }
+
+ if (require_auditd)
+ return check_auditd();
+ else
+#endif
+ return PAM_SUCCESS;
}
/*
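Review bot: With HAVE_LIBAUDIT undefined the whole argument loop is compiled out, so a `require_auditd` entry in pam.d silently becomes a no-op and the module returns PAM_SUCCESS without the check the administrator asked for, while the manual page in this same patch documents the option without that caveat. Parse the arguments outside the #ifdef and, in a build without libaudit, treat the option as unsatisfiable: `_pam_log(LOG_ERR, "require_auditd requested but audit support is not compiled in"); return PAM_SESSION_ERR;` (or at the very least log it). The pam.spec change only applies this patch under %{WITH_AUDIT}, which presumably sidesteps the problem for the Fedora build, but the patch as a standalone change should not rely on that. Unrecognised arguments are likewise dropped without a word; an `else _pam_log(LOG_ERR, "unknown option: %s", *argv);` inside the loop would use the module's existing logging helper. _pam_loginuid begins before this hunk.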
pam-0.77-audit.patch:
Make.Rules.in | 4
_pam_aconf.h.in | 3
configure.in | 5 +
libpam/pam_account.c | 4
libpam/pam_auth.c | 8 +
libpam/pam_end.c | 4
libpam/pam_log.c | 203 ++++++++++++++++++++++++++++++++++++++++++++++++++
libpam/pam_password.c | 4
libpam/pam_private.h | 9 ++
libpam/pam_session.c | 19 ++++
libpam/pam_start.c | 3
11 files changed, 262 insertions(+), 4 deletions(-)
Index: pam-0.77-audit.patch
===================================================================
RCS file: /cvs/dist/rpms/pam/FC-4/pam-0.77-audit.patch,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- pam-0.77-audit.patch 17 Jun 2005 11:05:00 -0000 1.5
+++ pam-0.77-audit.patch 24 Aug 2005 09:39:27 -0000 1.6
@@ -76,7 +76,7 @@
#ifdef __hpux
# include <stdio.h>
-@@ -373,3 +374,204 @@
+@@ -373,3 +374,205 @@
D(("done."));
}
@@ -202,9 +202,10 @@
+
+ audit_fd = audit_open();
+ if (audit_fd < 0) {
-+ /* You get ECONNREFUSED only when the kernel doesn't have
++ /* You get these error codes only when the kernel doesn't have
+ * audit compiled in. */
-+ if (errno == ECONNREFUSED)
++ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
++ errno == EAFNOSUPPORT)
+ return retval;
+
+ /* this should only fail in case of extreme resource shortage,
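Review bot: ECONNREFUSED is removed from the set of errno values that make the audit_open() failure non-fatal rather than supplemented by the three new ones, so if the earlier comment was right that older kernels without audit report ECONNREFUSED here, those systems now fall through to the failure path the following comment describes as "extreme resource shortage". If, as check_auditd in the new pam_loginuid patch suggests (it tests ECONNREFUSED on audit_request_status, not on audit_open), the old attribution was simply wrong, say so in the comment; otherwise keep it: `if (errno == ECONNREFUSED || errno == EINVAL || errno == EPROTONOSUPPORT || errno == EAFNOSUPPORT)`. Either way the comment should name which call these codes are expected from, since the reader cannot tell from here whether they come from socket() or from a later send. The enclosing function in pam_log.c lies outside the hunk.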
Index: pam.spec
===================================================================
RCS file: /cvs/dist/rpms/pam/FC-4/pam.spec,v
retrieving revision 1.84
retrieving revision 1.85
diff -u -r1.84 -r1.85
--- pam.spec 29 Jul 2005 09:47:38 -0000 1.84
+++ pam.spec 24 Aug 2005 09:39:27 -0000 1.85
@@ -12,7 +12,7 @@
Summary: A security tool which provides authentication for applications.
Name: pam
Version: 0.79
-Release: 9.4
+Release: 9.5
License: GPL or BSD
Group: System Environment/Base
Source0:
ftp.us.kernel.org:/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2
@@ -41,6 +41,7 @@
Patch76: pam-0.79-xauth-unsetenv.patch
Patch77: pam-0.79-console-perms-d.patch
Patch78: pam-0.79-userdb-test-null.patch
+Patch79: pam-0.79-loginuid-req-audit.patch
BuildRoot: %{_tmppath}/%{name}-root
Requires: cracklib, cracklib-dicts >= 2.8, glib2, initscripts >= 3.94
@@ -112,6 +113,9 @@
%patch76 -p1 -b .xauth-unset
%patch77 -p1 -b .perms-d
%patch78 -p1 -b .test-null
+%if %{WITH_AUDIT}
+%patch79 -p1 -b .req-audit
+%endif
for readme in modules/pam_*/README ; do
cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e
's|^modules/||'`
@@ -384,6 +388,11 @@
%{_libdir}/libpam_misc.so
%changelog
+* Wed Aug 24 2005 Tomas Mraz <tmraz@xxxxxxxxxx> 0.79-9.5
+- add option to pam_loginuid to require auditd
+- don't fail in audit code when audit is not compiled in
+ on the newest kernels (#166422)
+
* Fri Jul 29 2005 Tomas Mraz <tmraz@xxxxxxxxxx> 0.79-9.4
- fix NULL dereference in pam_userdb (#164418)
- fix 64bit bug in pam_pwdb