From 2d79d6172837d6d458f08e19169b97677593c772 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Mon, 2 Nov 2009 16:09:07 +0000
Subject: [PATCH] Relevant BUGIDs:
Purpose of commit: new feature
Commit summary:
---------------
2009-11-02 Tomas Mraz
* modules/pam_sepermit/Makefile.am: Add sepermit.conf(5) manual page.
* modules/pam_sepermit/pam_sepermit.8.xml: Add reference to sepermit.conf(5). Drop some redundant text.
* modules/pam_sepermit/sepermit.conf.5.xml: New file.
* modules/pam_sepermit/pam_sepermit.c(sepermit_match): Implement the ignore option in sepermit.conf.
---
ChangeLog | 10 +++
modules/pam_sepermit/Makefile.am | 10 +--
modules/pam_sepermit/pam_sepermit.8.xml | 19 ++--
modules/pam_sepermit/pam_sepermit.c | 22 +++--
modules/pam_sepermit/sepermit.conf.5.xml | 110 +++++++++++++++++++++++
5 files changed, 151 insertions(+), 20 deletions(-)
create mode 100644 modules/pam_sepermit/sepermit.conf.5.xml
diff --git a/ChangeLog b/ChangeLog
index 80308260..2295c747 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2009-11-02 Tomas Mraz
+
+ * modules/pam_sepermit/Makefile.am: Add sepermit.conf(5) manual page.
+ * modules/pam_sepermit/pam_sepermit.8.xml: Add reference to
+ sepermit.conf(5). Drop some redundant text.
+ * modules/pam_sepermit/sepermit.conf.5.xml: New file.
+
+ * modules/pam_sepermit/pam_sepermit.c(sepermit_match): Implement the ignore
+ option in sepermit.conf.
+
 2009-10-29 Tomas Mraz
 * modules/pam_xauth/Makefile.am: Link with libselinux.
diff --git a/modules/pam_sepermit/Makefile.am b/modules/pam_sepermit/Makefile.am
index 579e142f..9211a938 100644
--- a/modules/pam_sepermit/Makefile.am
+++ b/modules/pam_sepermit/Makefile.am
@@ -1,19 +1,19 @@ # # Copyright (c) 2005, 2006, 2007 Thorsten Kukuk -# Copyright (c) 2008 Red Hat, Inc. +# Copyright (c) 2008, 2009 Red Hat, Inc. # CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(XMLS) pam_sepermit.8 sepermit.conf tst-pam_sepermit +EXTRA_DIST = README $(XMLS) pam_sepermit.8 sepermit.conf sepermit.conf.5 tst-pam_sepermit if HAVE_LIBSELINUX TESTS = tst-pam_sepermit - man_MANS = pam_sepermit.8 + man_MANS = pam_sepermit.8 sepermit.conf.5 endif -XMLS = README.xml pam_sepermit.8.xml +XMLS = README.xml pam_sepermit.8.xml sepermit.conf.5.xml securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) @@ -37,7 +37,7 @@ if HAVE_LIBSELINUX securelib_LTLIBRARIES = pam_sepermit.la endif if ENABLE_REGENERATE_MAN -noinst_DATA = README pam_sepermit.8 +noinst_DATA = README pam_sepermit.8 sepermit.conf.5 README: pam_sepermit.8.xml -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_sepermit/pam_sepermit.8.xml b/modules/pam_sepermit/pam_sepermit.8.xml index 36730721..30d9cc54 100644 --- a/modules/pam_sepermit/pam_sepermit.8.xml +++ b/modules/pam_sepermit/pam_sepermit.8.xml @@ -40,7 +40,7 @@ the pam_sepermit module returns PAM_IGNORE return value. - The config file contains a simple list of user names one per line. If the + The config file contains a list of user names one per line with optional arguments. If the name is prefixed with @ character it means that all users in the group name match. If it is prefixed with a % character the SELinux user is used to match against the name @@ -50,12 +50,11 @@ will return PAM_IGNORE. - Each user name in the configuration file can have optional arguments separated - by : character. The only currently recognized argument is exclusive. - The pam_sepermit module will allow only single concurrent user session for - the user with this argument specified and it will attempt to kill all processes - of the user after logout. + See + sepermit.conf5 + for details. + 
@@ -167,6 +166,9 @@ session required pam_permit.so SEE ALSO + + sepermit.conf5 + , pam.conf5 , @@ -176,13 +178,16 @@ session required pam_permit.so pam8 + + selinux8 + AUTHOR - pam_sepermit was written by Tomas Mraz <tmraz@redhat.com>. + pam_sepermit and this manual page were written by Tomas Mraz <tmraz@redhat.com>. diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c index 0fd95619..df0a2b1c 100644 --- a/modules/pam_sepermit/pam_sepermit.c +++ b/modules/pam_sepermit/pam_sepermit.c @@ -1,7 +1,7 @@ /****************************************************************************** * A module for Linux-PAM that allows/denies acces based on SELinux state. * - * Copyright (c) 2007, 2008 Red Hat, Inc. + * Copyright (c) 2007, 2008, 2009 Red Hat, Inc. * Originally written by Tomas Mraz * Contributions by Dan Walsh * @@ -231,7 +231,7 @@ sepermit_lock(pam_handle_t *pamh, const char *user, int debug) /* return 0 when matched, -1 when unmatched, pam error otherwise */ static int sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user, - const char *seuser, int debug, int sense) + const char *seuser, int debug, int *sense) { FILE *f; char *line = NULL; @@ -239,6 +239,7 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user, size_t len = 0; int matched = 0; int exclusive = 0; + int ignore = 0; f = fopen(cfgfile, "r"); @@ -284,7 +285,7 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user, if (debug) pam_syslog(pamh, LOG_NOTICE, "Matching seuser %s against seuser %s", seuser, start); if (strcmp(seuser, start) == 0) { - matched = 1; + matched = 1; } break; default: 
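Review bot: The comment kept as context above the signature in the `@@ -231,7 +231,7 @@` hunk, `/* return 0 when matched, -1 when unmatched, pam error otherwise */`, no longer states the full contract now that the parameter becomes `int *sense`; later in this patch the function overwrites it with PAM_IGNORE for a matched entry carrying the `ignore` option. I would extend it to `/* return 0 when matched, -1 when unmatched, pam error otherwise; on a match with the ignore option *sense is changed to PAM_IGNORE */` so that a caller knows the value it passed may come back different. How pam_sm_authenticate consumes `sense` after the call is outside the hunks shown here, so I cannot confirm every use reads the updated value.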
@@ -298,6 +299,8 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
 while ((opt=strtok_r(NULL, OPT_DELIM, &sptr)) != NULL) {
 if (strcmp(opt, "exclusive") == 0)
 exclusive = 1;
+ else if (strcmp(opt, "ignore") == 0)
+ ignore = 1;
 else if (debug) {
 pam_syslog(pamh, LOG_NOTICE, "Unknown user option: %s", opt);
 }
@@ -307,10 +310,13 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
 free(line);
 fclose(f);
 if (matched) {
- if (sense == PAM_SUCCESS && geteuid() == 0 && exclusive)
- return sepermit_lock(pamh, user, debug);
- else
- return 0;
+ if (*sense == PAM_SUCCESS) {
+ if (ignore)
+ *sense = PAM_IGNORE;
+ if (geteuid() == 0 && exclusive)
+ return sepermit_lock(pamh, user, debug);
+ }
+ return 0;
 }
 else
 return -1;
@@ -365,7 +371,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
 if (debug && sense != PAM_SUCCESS)
 pam_syslog(pamh, LOG_NOTICE, "Access will not be allowed on match");
- rv = sepermit_match(pamh, cfgfile, user, seuser, debug, sense);
+ rv = sepermit_match(pamh, cfgfile, user, seuser, debug, &sense);
 if (debug)
 pam_syslog(pamh, LOG_NOTICE, "sepermit_match returned: %d", rv);
diff --git a/modules/pam_sepermit/sepermit.conf.5.xml b/modules/pam_sepermit/sepermit.conf.5.xml
new file mode 100644
index 00000000..511480f6
--- /dev/null
+++ b/modules/pam_sepermit/sepermit.conf.5.xml
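Review bot: In the `@@ -307,10 +310,13 @@` hunk, when the matched entry carries both `ignore` and `exclusive`, the new `if (*sense == PAM_SUCCESS)` block sets `*sense = PAM_IGNORE` and then still reaches `if (geteuid() == 0 && exclusive)` and calls `sepermit_lock(pamh, user, debug)`, so the single-session lock (and, per the sepermit.conf(5) text added in this patch, the kill-on-logout behaviour) is applied to a login the module itself no longer vouches for. If that combination is not meant to be supported, the condition should become `if (!ignore && geteuid() == 0 && exclusive)`; otherwise the new manual page should say that `exclusive` stays in effect together with `ignore`. The switch to PAM_IGNORE is also silent, while the rest of this function logs its matching decisions under `debug`; a line `if (debug) pam_syslog(pamh, LOG_NOTICE, "User %s matched an ignore entry, returning PAM_IGNORE", user);` before the assignment would keep the audit trail consistent. Whether the `ignore`/`exclusive` flags are parsed only for the matched line depends on the loop enclosing the option parsing, which starts outside the hunk.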
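Review bot: In the `@@ -365,7 +371,7 @@` hunk, `sense` is now passed by address and may come back as PAM_IGNORE, but the debug line after the call still reports only `rv`, and the earlier "Access will not be allowed on match" message reflects the pre-call value, so a log reader cannot tell which result the module finally reported for this login. Changing the line to `pam_syslog(pamh, LOG_NOTICE, "sepermit_match returned: %d, sense: %d", rv, sense);` records the final decision alongside the match result. pam_sm_authenticate continues outside the hunk, so how `sense` is turned into the return value is not visible here.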
@@ -0,0 +1,110 @@ + + + + + + + sepermit.conf + 5 + Linux-PAM Manual + + + + sepermit.conf + configuration file for the pam_sepermit module + + + + DESCRIPTION + + The lines of the configuration file have the following syntax: + + + <user>[:<option>:<option>...] + + + The user can be specified in the following manner: + + + + + a username + + + + + a groupname, with @group syntax. + This should not be confused with netgroups. + + + + + a SELinux user name with %seuser syntax. + + + + + + The recognized options are: + + + + + + + + Only single login session will be allowed for the user + and the user's processes will be killed on logout. + + + + + + + + The module will never return PAM_SUCCESS status for the user. + It will return PAM_IGNORE if SELinux is in the enforcing mode, + and PAM_AUTH_ERR otherwise. It is useful if you want to support + passwordless guest users and other confined users with passwords + simultaneously. + + + + + + + The lines which start with # character are comments and are ignored. + + + + + EXAMPLES + + These are some example lines which might be specified in + /etc/security/sepermit.conf. + + +%guest_u:exclusive +%staff_u:ignore +%user_u:ignore + + + + + SEE ALSO + + pam_sepermit8, + pam.d5, + pam8, + selinux8, + + + + + AUTHOR + + pam_sepermit and this manual page were written by Tomas Mraz <tmraz@redhat.com> + + + -- 2.40.0