diff options
| author | Tomas Mraz <tm@t8m.info> | 2007-12-07 15:40:01 +0000 |
|---|---|---|
| committer | Tomas Mraz <tm@t8m.info> | 2007-12-07 15:40:01 +0000 |
| commit | 8ae5f5769c4c611ca6918450bbe6e55dfa4e5926 (patch) | |
| tree | a217a8080c67dbd2189a3fcdb3f627223e8f6101 /modules/pam_limits/pam_limits.c | |
| parent | 67b5cdd945120d8b0fe4c40fe9df576fa5c2a9a2 (diff) | |
| download | pam-8ae5f5769c4c611ca6918450bbe6e55dfa4e5926.tar.gz pam-8ae5f5769c4c611ca6918450bbe6e55dfa4e5926.tar.bz2 pam-8ae5f5769c4c611ca6918450bbe6e55dfa4e5926.zip | |
Relevant BUGIDs:
Purpose of commit: new feature and cleanup
Commit summary:
---------------
2007-12-07 Tomas Mraz <t8m@centrum.cz>
* libpam/libpam.map: Add LIBPAM_MODUTIL_1.1 version.
* libpam/pam_audit.c: Add _pam_audit_open() and
pam_modutil_audit_write().
(_pam_auditlog): Call _pam_audit_open().
* libpam/include/security/pam_modutil.h: Add pam_modutil_audit_write().
* modules/pam_access/pam_access.8.xml: Add noaudit option.
Document auditing.
* modules/pam_access/pam_access.c: Move fs, sep, pam_access_debug, and
only_new_group_syntax variables to struct login_info. Add noaudit
member.
(_parse_args): Adjust for the move of variables and add support for
noaudit option.
(group_match): Add debug parameter.
(string_match): Likewise.
(network_netmask_match): Likewise.
(login_access): Adjust for the move of variables. Add nonall_match.
Add call to pam_modutil_audit_write().
(list_match): Adjust for the move of variables.
(user_match): Likewise.
(from_match): Likewise.
(pam_sm_authenticate): Call _parse_args() earlier.
* modules/pam_limits/pam_limits.8.xml: Add noaudit option.
Document auditing.
* modules/pam_limits/pam_limits.c (_pam_parse): Add noaudit option.
(setup_limits): Call pam_modutil_audit_write().
* modules/pam_time/pam_time.8.xml: Add debug and noaudit options.
Document auditing.
* modules/pam_time/pam_time.c: Add option parsing (_pam_parse()).
(check_account): Call _pam_parse(). Call pam_modutil_audit_write()
and pam_syslog() on login denials.
Diffstat (limited to 'modules/pam_limits/pam_limits.c')
| -rw-r--r-- | modules/pam_limits/pam_limits.c | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c index d65e64bf..f1e29b85 100644 --- a/modules/pam_limits/pam_limits.c +++ b/modules/pam_limits/pam_limits.c @@ -41,6 +41,10 @@ #include <pwd.h> #include <locale.h> +#ifdef HAVE_LIBAUDIT +#include <libaudit.h> +#endif + /* Module defines */ #define LINE_LENGTH 1024 @@ -101,6 +105,7 @@ struct pam_limit_s { #define PAM_DEBUG_ARG 0x0001 #define PAM_DO_SETREUID 0x0002 #define PAM_UTMP_EARLY 0x0004 +#define PAM_NO_AUDIT 0x0008 /* Limits from globbed files. */ #define LIMITS_CONF_GLOB LIMITS_FILE_DIR @@ -126,6 +131,8 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv, ctrl |= PAM_DO_SETREUID; } else if (!strcmp(*argv,"utmp_early")) { ctrl |= PAM_UTMP_EARLY; + } else if (!strcmp(*argv,"noaudit")) { + ctrl |= PAM_NO_AUDIT; } else { pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); } @@ -595,6 +602,13 @@ static int setup_limits(pam_handle_t *pamh, D(("skip login limit check for uid=0")); } else if (pl->login_limit > 0) { if (check_logins(pamh, uname, pl->login_limit, ctrl, pl) == LOGIN_ERR) { +#ifdef HAVE_LIBAUDIT + if (!(ctrl & PAM_NO_AUDIT)) { + pam_modutil_audit_write(pamh, AUDIT_ANOM_LOGIN_SESSIONS, + "pam_limits", PAM_PERM_DENIED); + /* ignore return value as we fail anyway */ + } +#endif retval |= LOGIN_ERR; } } else if (pl->login_limit == 0) { |