author | Tomas Mraz <tm@t8m.info> | 2007-12-07 15:40:01 +0000 |
---|---|---|
committer | Tomas Mraz <tm@t8m.info> | 2007-12-07 15:40:01 +0000 |
commit | 8ae5f5769c4c611ca6918450bbe6e55dfa4e5926 (patch) | |
tree | a217a8080c67dbd2189a3fcdb3f627223e8f6101 /libpam | |
parent | 67b5cdd945120d8b0fe4c40fe9df576fa5c2a9a2 (diff) | |
Relevant BUGIDs:
Purpose of commit: new feature and cleanup
Commit summary:
---------------
2007-12-07 Tomas Mraz <t8m@centrum.cz>
* libpam/libpam.map: Add LIBPAM_MODUTIL_1.1 version.
* libpam/pam_audit.c: Add _pam_audit_open() and
pam_modutil_audit_write().
(_pam_auditlog): Call _pam_audit_open().
* libpam/include/security/pam_modutil.h: Add pam_modutil_audit_write().
* modules/pam_access/pam_access.8.xml: Add noaudit option.
Document auditing.
* modules/pam_access/pam_access.c: Move fs, sep, pam_access_debug, and
only_new_group_syntax variables to struct login_info. Add noaudit
member.
(_parse_args): Adjust for the move of variables and add support for
noaudit option.
(group_match): Add debug parameter.
(string_match): Likewise.
(network_netmask_match): Likewise.
(login_access): Adjust for the move of variables. Add nonall_match.
Add call to pam_modutil_audit_write().
(list_match): Adjust for the move of variables.
(user_match): Likewise.
(from_match): Likewise.
(pam_sm_authenticate): Call _parse_args() earlier.
* modules/pam_limits/pam_limits.8.xml: Add noaudit option.
Document auditing.
* modules/pam_limits/pam_limits.c (_pam_parse): Add noaudit option.
(setup_limits): Call pam_modutil_audit_write().
* modules/pam_time/pam_time.8.xml: Add debug and noaudit options.
Document auditing.
* modules/pam_time/pam_time.c: Add option parsing (_pam_parse()).
(check_account): Call _pam_parse(). Call pam_modutil_audit_write()
and pam_syslog() on login denials.
Diffstat (limited to 'libpam')
-rw-r--r-- | libpam/include/security/pam_modutil.h | 3 | ||||
-rw-r--r-- | libpam/libpam.map | 5 | ||||
-rw-r--r-- | libpam/pam_audit.c | 51 |
3 files changed, 53 insertions, 6 deletions
diff --git a/libpam/include/security/pam_modutil.h b/libpam/include/security/pam_modutil.h
index efb72436..ffdf5ad0 100644
--- a/libpam/include/security/pam_modutil.h
+++ b/libpam/include/security/pam_modutil.h
@@ -97,6 +97,9 @@ pam_modutil_read(int fd, char *buffer, int count);
 extern int
 pam_modutil_write(int fd, const char *buffer, int count);
+extern int PAM_NONNULL((1,3))
+pam_modutil_audit_write(pam_handle_t *pamh, int type,
+ const char *message, int retval);
 #ifdef __cplusplus
 }
 #endif
diff --git a/libpam/libpam.map b/libpam/libpam.map
index 1c2c4480..e37fc356 100644
--- a/libpam/libpam.map
+++ b/libpam/libpam.map
@@ -45,3 +45,8 @@ LIBPAM_MODUTIL_1.0 {
 pam_modutil_read;
 pam_modutil_write;
 };
+
+LIBPAM_MODUTIL_1.1 {
+ global:
+ pam_modutil_audit_write;
+} LIBPAM_MODUTIL_1.0;
diff --git a/libpam/pam_audit.c b/libpam/pam_audit.c
index 240d4a89..a9d72176 100644
--- a/libpam/pam_audit.c
+++ b/libpam/pam_audit.c
@@ -56,26 +56,39 @@ _pam_audit_writelog(pam_handle_t *pamh, int audit_fd, int type,
 return rc;
 }
-int
-_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags)
+static int
+_pam_audit_open(pam_handle_t *pamh)
 {
- const char *message;
- int type;
 int audit_fd;
-
 audit_fd = audit_open();
 if (audit_fd < 0) {
 /* You get these error codes only when the kernel doesn't have
 * audit compiled in. */
 if (errno == EINVAL || errno == EPROTONOSUPPORT ||
 errno == EAFNOSUPPORT)
- return retval;
+ return -2;
 /* this should only fail in case of extreme resource shortage,
 * need to prevent login in that case for CAPP compliance. */
 pam_syslog(pamh, LOG_CRIT, "audit_open() failed: %m");
+ return -1;
+ }
+
+ return audit_fd;
+}
+
+int
+_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags)
+{
+ const char *message;
+ int type;
+ int audit_fd;
+
+ if ((audit_fd=_pam_audit_open(pamh)) == -1) {
 return PAM_SYSTEM_ERR;
+ } else if (audit_fd == -2) {
+ return retval;
 }
 switch (action) {
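Review bot: The newly exported declaration of pam_modutil_audit_write carries no comment stating its contract, so a module author reading only the header cannot tell what `retval` is for or what the return value means. From the pam_audit.c part of this commit, `retval` is the PAM result being reported in the audit record and is handed back unchanged when the kernel has no audit support, a successful write yields PAM_SUCCESS, a failed audit_open() yields PAM_SYSTEM_ERR, and the non-libaudit stub always returns PAM_SUCCESS. I would put above the declaration: `/* Write an audit record of the given type for the calling module; retval is the PAM result being reported. Returns PAM_SUCCESS, PAM_SYSTEM_ERR if the audit subsystem failed, or retval when the kernel lacks audit support. The value describes the audit write only and is not a substitute for the module's own return value. */`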
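Review bot: `_pam_audit_open` distinguishes two outcomes with the bare sentinels -1 and -2, and nothing at the definition says which is which; the caller here and pam_modutil_audit_write in the next hunk both hard-code the same `== -1` / `== -2` pair, so the fail-closed branch depends on every caller remembering the mapping. A comment above `static int` would pin the contract: `/* Returns an open audit fd; -2 when the kernel has no audit support (caller proceeds with its own result); -1 on any other failure (caller must fail closed with PAM_SYSTEM_ERR, as CAPP requires). */` Two named constants for the sentinels would make a future caller that tests only one of them stand out in review. The assignment-in-condition `(audit_fd=_pam_audit_open(pamh))` would also read better as `audit_fd = _pam_audit_open(pamh);` on its own line. The rewritten `_pam_auditlog` continues past the end of this hunk, so what it does with the fd afterwards is not visible here.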
@@ -142,4 +155,30 @@ _pam_audit_end(pam_handle_t *pamh, int status UNUSED)
 return 0;
 }
+int
+pam_modutil_audit_write(pam_handle_t *pamh, int type,
+ const char *message, int retval)
+{
+ int audit_fd;
+ int rc;
+
+ if ((audit_fd=_pam_audit_open(pamh)) == -1) {
+ return PAM_SYSTEM_ERR;
+ } else if (audit_fd == -2) {
+ return retval;
+ }
+
+ rc = _pam_audit_writelog(pamh, audit_fd, type, message, retval);
+
+ audit_close(audit_fd);
+
+ return rc < 0 ? PAM_SYSTEM_ERR : PAM_SUCCESS;
+}
+
+#else
+int pam_modutil_audit_write(pam_handle_t *pamh UNUSED, int type UNUSED,
+ const char *message UNUSED, int retval UNUSED)
+{
+ return PAM_SUCCESS;
+}
 #endif /* HAVE_LIBAUDIT */
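Review bot: The `#else` stub returns PAM_SUCCESS unconditionally, whereas the libaudit build returns `retval` when the kernel has no audit support and PAM_SYSTEM_ERR when audit_open() fails, so the same call yields different values depending on build configuration rather than on what happened. Because a successful write is also folded to PAM_SUCCESS by `rc < 0 ? PAM_SYSTEM_ERR : PAM_SUCCESS`, a module that used this return as its own result would report success for the very denial it was recording; nothing in the hunk says the value is only the audit write's outcome. I would state that above the libaudit definition with `/* Return value reports the audit write only; callers return their own result (retval) to libpam. */` and make the stub `return retval;` is not enough on its own, so the comment is the essential part. `_pam_audit_writelog` is defined above this hunk, so whether a negative `rc` already logged the failure is not visible here.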