Relevant BUGIDs:

Purpose of commit: new feature

Commit summary:
---------------
2008-01-29  Miloslav Trmac  <mitr@redhat.com>

        * modules/pam_tty_audit/README.xml: Add notes section.
        * modules/pam_tty_audit/pam_tty_audit.8.xml: Describe patterns
        support and open_only option. Add notes.
        * modules/pam_tty_audit/pam_tty_audit.c(pam_sm_open_session): Add
        support for pattern matching and the open_only option.

3 files changed, 61 insertions, 33 deletions

diff --git a/modules/pam_tty_audit/README.xml b/modules/pam_tty_audit/README.xml
index 85b27733..4dad6bbe 100644
--- a/modules/pam_tty_audit/README.xml
+++ b/modules/pam_tty_audit/README.xml
@@ -25,6 +25,11 @@
 
   <section>
     <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-notes"]/*)'/>
+  </section>
+
+  <section>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
       href="pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-examples"]/*)'/>
   </section>
 
diff --git a/modules/pam_tty_audit/pam_tty_audit.8.xml b/modules/pam_tty_audit/pam_tty_audit.8.xml
index f65762ad..f6f0602f 100644
--- a/modules/pam_tty_audit/pam_tty_audit.8.xml
+++ b/modules/pam_tty_audit/pam_tty_audit.8.xml
@@ -19,10 +19,10 @@
     <cmdsynopsis id="pam_tty_audit-cmdsynopsis">
       <command>pam_tty_audit.so</command>
       <arg choice="opt">
-	disable=<replaceable>usernames</replaceable>
+	disable=<replaceable>patterns</replaceable>
       </arg>
       <arg choice="opt">
-	enable=<replaceable>usernames</replaceable>
+	enable=<replaceable>patterns</replaceable>
       </arg>
     </cmdsynopsis>
   </refsynopsisdiv>
@@ -40,27 +40,40 @@
     <variablelist>
       <varlistentry>
         <term>
-          <option>disable=<replaceable>usernames</replaceable></option>
+          <option>disable=<replaceable>patterns</replaceable></option>
         </term>
         <listitem>
           <para>
-	    For each user matching one of comma-separated
-	    <option><replaceable>usernames</replaceable></option>, disable
+	    For each user matching one of comma-separated glob
+	    <option><replaceable>patterns</replaceable></option>, disable
 	    TTY auditing.  This overrides any previous <option>enable</option>
-	    option for the same user name on the command line.
+	    option matchin the same user name on the command line.
           </para>
         </listitem>
       </varlistentry>
       <varlistentry>
         <term>
-          <option>enable=<replaceable>usernames</replaceable></option>
+          <option>enable=<replaceable>patterns</replaceable></option>
         </term>
         <listitem>
           <para>
-	    For each user matching one of comma-separated
-	    <option><replaceable>usernames</replaceable></option>, enable
+	    For each user matching one of comma-separated glob
+	    <option><replaceable>patterns</replaceable></option>, enable
 	    TTY auditing.  This overrides any previous <option>disable</option>
-	    option for the same user name on the command line.
+	    option matching the same user name on the command line.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
+          <option>open_only</option>
+        </term>
+        <listitem>
+          <para>
+           Set the TTY audit flag when opening the session, but do not restore
+           it when closing the session.  Using this option is necessary for
+           some services that don't <function>fork()</function> to run the
+           authenticated session, such as <command>sudo</command>.
           </para>
         </listitem>
       </varlistentry>
@@ -99,12 +112,24 @@
     </variablelist>
   </refsect1>
 
+  <refsect1 id='pam_tty_audit-notes'>
+    <title>NOTES</title>
+    <para>
+      When TTY auditing is enabled, it is inherited by all processes started by
+      that user.  In particular, daemons restarted by an user will still have
+      TTY auditing enabled, and audit TTY input even by other users unless
+      auditing for these users is explicitly disabled.  Therefore, it is
+      recommended to use <option>disable=*</option> as the first option for
+      most daemons using PAM.
+    </para>
+  </refsect1>
+
   <refsect1 id='pam_tty_audit-examples'>
     <title>EXAMPLES</title>
     <para>
       Audit all administrative actions.
       <programlisting>
-session		required	pam_tty_audit.so enable=root
+session	required pam_tty_audit.so disable=* enable=root
       </programlisting>
     </para>
   </refsect1>
diff --git a/modules/pam_tty_audit/pam_tty_audit.c b/modules/pam_tty_audit/pam_tty_audit.c
index 5e6211bc..d57dbbe3 100644
--- a/modules/pam_tty_audit/pam_tty_audit.c
+++ b/modules/pam_tty_audit/pam_tty_audit.c
@@ -1,4 +1,4 @@
-/* Copyright © 2007 Red Hat, Inc. All rights reserved.
+/* Copyright © 2007, 2008 Red Hat, Inc. All rights reserved.
    Red Hat author: Miloslav Trmač <mitr@redhat.com>
 
    Redistribution and use in source and binary forms of Linux-PAM, with
@@ -37,7 +37,7 @@
    DAMAGE. */
 
 #include <errno.h>
-#include <pwd.h>
+#include <fnmatch.h>
 #include <stdlib.h>
 #include <string.h>
 #include <syslog.h>
@@ -200,9 +200,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
   enum command command;
   struct audit_tty_status *old_status, new_status;
   const char *user;
-  uid_t user_uid;
-  struct passwd *pwd;
-  int i, fd;
+  int i, fd, open_only;
 
   (void)flags;
 
@@ -211,15 +209,9 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
       pam_syslog (pamh, LOG_ERR, "error determining target user's name");
       return PAM_SESSION_ERR;
     }
-  pwd = pam_modutil_getpwnam (pamh, user);
-  if (pwd == NULL)
-    {
-      pam_syslog (pamh, LOG_ERR, "error determining target user's UID: %m");
-      return PAM_SESSION_ERR;
-    }
-  user_uid = pwd->pw_uid;
 
   command = CMD_NONE;
+  open_only = 0;
   for (i = 0; i < argc; i++)
     {
       if (strncmp (argv[i], "enable=", 7) == 0
@@ -235,13 +227,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
 	  for (tok = strtok_r (copy, ",", &tok_data); tok != NULL;
 	       tok = strtok_r (NULL, ",", &tok_data))
 	    {
-	      pwd = pam_modutil_getpwnam (pamh, tok);
-	      if (pwd == NULL)
-		{
-		  pam_syslog (pamh, LOG_WARNING, "unknown user %s", tok);
-		  continue;
-		}
-	      if (pwd->pw_uid == user_uid)
+	      if (fnmatch (tok, user, 0) == 0)
 		{
 		  command = this_command;
 		  break;
@@ -249,6 +235,13 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
 	    }
 	  free (copy);
 	}
+      else if (strcmp (argv[i], "open_only") == 0)
+	open_only = 1;
+      else
+	{
+	  pam_syslog (pamh, LOG_ERR, "unknown option `%s'", argv[i]);
+	  return PAM_SESSION_ERR;
+	}
     }
   if (command == CMD_NONE)
     return PAM_SUCCESS;
@@ -269,13 +262,15 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
       return PAM_SESSION_ERR;
     }
 
-  if (old_status->enabled == (command == CMD_ENABLE ? 1 : 0))
+  new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
+  if (old_status->enabled == new_status.enabled)
     {
       free (old_status);
       goto ok_fd;
     }
 
-  if (pam_set_data (pamh, DATANAME, old_status, cleanup_old_status)
+  if (open_only == 0
+      && pam_set_data (pamh, DATANAME, old_status, cleanup_old_status)
       != PAM_SUCCESS)
     {
       pam_syslog (pamh, LOG_ERR, "error saving old audit status");
@@ -284,13 +279,14 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
       return PAM_SESSION_ERR;
     }
 
-  new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
   if (nl_send (fd, AUDIT_TTY_SET, NLM_F_ACK, &new_status,
 	       sizeof (new_status)) != 0
       || nl_recv_ack (fd) != 0)
     {
       pam_syslog (pamh, LOG_ERR, "error setting current audit status: %m");
       close (fd);
+      if (open_only != 0)
+	free (old_status);
       return PAM_SESSION_ERR;
     }
   /* Fall through */
@@ -298,6 +294,8 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
   close (fd);
   pam_syslog (pamh, LOG_DEBUG, "changed status from %d to %d",
 	      old_status->enabled, new_status.enabled);
+  if (open_only != 0)
+    free (old_status);
   return PAM_SUCCESS;
 }