+2009-11-02 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_sepermit/Makefile.am: Add sepermit.conf(5) manual page.
+ * modules/pam_sepermit/pam_sepermit.8.xml: Add reference to
+ sepermit.conf(5). Drop some redundant text.
+ * modules/pam_sepermit/sepermit.conf.5.xml: New file.
+
+ * modules/pam_sepermit/pam_sepermit.c(sepermit_match): Implement the ignore
+ option in sepermit.conf.
+
2009-10-29 Tomas Mraz <t8m@centrum.cz>
* modules/pam_xauth/Makefile.am: Link with libselinux.
#
# Copyright (c) 2005, 2006, 2007 Thorsten Kukuk <kukuk@thkukuk.de>
-# Copyright (c) 2008 Red Hat, Inc.
+# Copyright (c) 2008, 2009 Red Hat, Inc.
#
CLEANFILES = *~
MAINTAINERCLEANFILES = $(MANS) README
-EXTRA_DIST = README $(XMLS) pam_sepermit.8 sepermit.conf tst-pam_sepermit
+EXTRA_DIST = README $(XMLS) pam_sepermit.8 sepermit.conf sepermit.conf.5 tst-pam_sepermit
if HAVE_LIBSELINUX
TESTS = tst-pam_sepermit
- man_MANS = pam_sepermit.8
+ man_MANS = pam_sepermit.8 sepermit.conf.5
endif
-XMLS = README.xml pam_sepermit.8.xml
+XMLS = README.xml pam_sepermit.8.xml sepermit.conf.5.xml
securelibdir = $(SECUREDIR)
secureconfdir = $(SCONFIGDIR)
securelib_LTLIBRARIES = pam_sepermit.la
endif
if ENABLE_REGENERATE_MAN
-noinst_DATA = README pam_sepermit.8
+noinst_DATA = README pam_sepermit.8 sepermit.conf.5
README: pam_sepermit.8.xml
-include $(top_srcdir)/Make.xml.rules
endif
the pam_sepermit module returns PAM_IGNORE return value.
</para>
<para>
- The config file contains a simple list of user names one per line. If the
+ The config file contains a list of user names one per line with optional arguments. If the
<replaceable>name</replaceable> is prefixed with <emphasis>@</emphasis> character it means that all
users in the group <replaceable>name</replaceable> match. If it is prefixed
with a <emphasis>%</emphasis> character the SELinux user is used to match against the <replaceable>name</replaceable>
will return PAM_IGNORE.
</para>
<para>
- Each user name in the configuration file can have optional arguments separated
- by <emphasis>:</emphasis> character. The only currently recognized argument is <emphasis>exclusive</emphasis>.
- The pam_sepermit module will allow only single concurrent user session for
- the user with this argument specified and it will attempt to kill all processes
- of the user after logout.
+ See <citerefentry>
+ <refentrytitle>sepermit.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry> for details.
</para>
+
</refsect1>
<refsect1 id="pam_sepermit-options">
<refsect1 id='pam_sepermit-see_also'>
<title>SEE ALSO</title>
<para>
+ <citerefentry>
+ <refentrytitle>sepermit.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
<citerefentry>
<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>
+ <citerefentry>
+ <refentrytitle>selinux</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>
</para>
</refsect1>
<refsect1 id='pam_sepermit-author'>
<title>AUTHOR</title>
<para>
- pam_sepermit was written by Tomas Mraz <tmraz@redhat.com>.
+ pam_sepermit and this manual page were written by Tomas Mraz <tmraz@redhat.com>.
</para>
</refsect1>
/******************************************************************************
* A module for Linux-PAM that allows/denies acces based on SELinux state.
*
- * Copyright (c) 2007, 2008 Red Hat, Inc.
+ * Copyright (c) 2007, 2008, 2009 Red Hat, Inc.
* Originally written by Tomas Mraz <tmraz@redhat.com>
* Contributions by Dan Walsh <dwalsh@redhat.com>
*
/* return 0 when matched, -1 when unmatched, pam error otherwise */
static int
sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
- const char *seuser, int debug, int sense)
+ const char *seuser, int debug, int *sense)
{
FILE *f;
char *line = NULL;
size_t len = 0;
int matched = 0;
int exclusive = 0;
+ int ignore = 0;
f = fopen(cfgfile, "r");
if (debug)
pam_syslog(pamh, LOG_NOTICE, "Matching seuser %s against seuser %s", seuser, start);
if (strcmp(seuser, start) == 0) {
- matched = 1;
+ matched = 1;
}
break;
default:
while ((opt=strtok_r(NULL, OPT_DELIM, &sptr)) != NULL) {
if (strcmp(opt, "exclusive") == 0)
exclusive = 1;
+ else if (strcmp(opt, "ignore") == 0)
+ ignore = 1;
else if (debug) {
pam_syslog(pamh, LOG_NOTICE, "Unknown user option: %s", opt);
}
free(line);
fclose(f);
if (matched) {
- if (sense == PAM_SUCCESS && geteuid() == 0 && exclusive)
- return sepermit_lock(pamh, user, debug);
- else
- return 0;
+ if (*sense == PAM_SUCCESS) {
+ if (ignore)
+ *sense = PAM_IGNORE;
+ if (geteuid() == 0 && exclusive)
+ return sepermit_lock(pamh, user, debug);
+ }
+ return 0;
}
else
return -1;
if (debug && sense != PAM_SUCCESS)
pam_syslog(pamh, LOG_NOTICE, "Access will not be allowed on match");
- rv = sepermit_match(pamh, cfgfile, user, seuser, debug, sense);
+ rv = sepermit_match(pamh, cfgfile, user, seuser, debug, &sense);
if (debug)
pam_syslog(pamh, LOG_NOTICE, "sepermit_match returned: %d", rv);
--- /dev/null
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+
+<refentry id="sepermit.conf">
+
+ <refmeta>
+ <refentrytitle>sepermit.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname>sepermit.conf</refname>
+ <refpurpose>configuration file for the pam_sepermit module</refpurpose>
+ </refnamediv>
+
+ <refsect1 id='sepermit.conf-description'>
+ <title>DESCRIPTION</title>
+ <para>
+ The lines of the configuration file have the following syntax:
+ </para>
+ <para>
+ <replaceable><user></replaceable>[:<replaceable><option></replaceable>:<replaceable><option></replaceable>...]
+ </para>
+ <para>
+ The <emphasis remap='B'>user</emphasis> can be specified in the following manner:
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ a username
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ a groupname, with <emphasis remap='B'>@group</emphasis> syntax.
+ This should not be confused with netgroups.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ a SELinux user name with <emphasis remap='B'>%seuser</emphasis> syntax.
+ </para>
+ </listitem>
+ </itemizedlist>
+
+ <para>
+ The recognized options are:
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>exclusive</option></term>
+ <listitem>
+ <para>
+ Only single login session will be allowed for the user
+ and the user's processes will be killed on logout.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>ignore</option></term>
+ <listitem>
+ <para>
+ The module will never return PAM_SUCCESS status for the user.
+ It will return PAM_IGNORE if SELinux is in the enforcing mode,
+ and PAM_AUTH_ERR otherwise. It is useful if you want to support
+ passwordless guest users and other confined users with passwords
+ simultaneously.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+
+ <para>
+ The lines which start with # character are comments and are ignored.
+ </para>
+ </refsect1>
+
+ <refsect1 id="sepermit.conf-examples">
+ <title>EXAMPLES</title>
+ <para>
+ These are some example lines which might be specified in
+ <filename>/etc/security/sepermit.conf</filename>.
+ </para>
+ <programlisting>
+%guest_u:exclusive
+%staff_u:ignore
+%user_u:ignore
+ </programlisting>
+ </refsect1>
+
+ <refsect1 id="sepermit.conf-see_also">
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry><refentrytitle>pam_sepermit</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>selinux</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ </para>
+ </refsect1>
+
+ <refsect1 id="sepermit.conf-author">
+ <title>AUTHOR</title>
+ <para>
+ pam_sepermit and this manual page were written by Tomas Mraz <tmraz@redhat.com>
+ </para>
+ </refsect1>
+</refentry>
projects / linux-pam / commitdiff