summaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorRichard Guy Briggs <rgb@redhat.com>2013-05-03 14:03:50 -0400
committerEric Paris <eparis@redhat.com>2013-04-30 15:31:28 -0400
commit46e959ea2969cc1668d09b0dc55226946cf781f1 (patch)
tree40481f42587257039bd7b898c2aec95e1c01656f /drivers
parentbde02ca858448cf54a4226774dd1481f3bcc455e (diff)
audit: add an option to control logging of passwords with pam_tty_audit
Most commands are entered one line at a time and processed as complete lines in non-canonical mode. Commands that interactively require a password, enter canonical mode to do this while shutting off echo. This pair of features (icanon and !echo) can be used to avoid logging passwords by audit while still logging the rest of the command. Adding a member (log_passwd) to the struct audit_tty_status passed in by pam_tty_audit allows control of canonical mode without echo per task. Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/tty/tty_audit.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c
index 755d418019c..5f386820218 100644
--- a/drivers/tty/tty_audit.c
+++ b/drivers/tty/tty_audit.c
@@ -138,6 +138,7 @@ void tty_audit_fork(struct signal_struct *sig)
spin_lock_irqsave(&current->sighand->siglock, flags);
sig->audit_tty = current->signal->audit_tty;
+ sig->audit_tty_log_passwd = current->signal->audit_tty_log_passwd;
spin_unlock_irqrestore(&current->sighand->siglock, flags);
}
@@ -275,10 +276,18 @@ void tty_audit_add_data(struct tty_struct *tty, unsigned char *data,
{
struct tty_audit_buf *buf;
int major, minor;
+ int audit_log_tty_passwd;
+ unsigned long flags;
if (unlikely(size == 0))
return;
+ spin_lock_irqsave(&current->sighand->siglock, flags);
+ audit_log_tty_passwd = current->signal->audit_tty_log_passwd;
+ spin_unlock_irqrestore(&current->sighand->siglock, flags);
+ if (!audit_log_tty_passwd && icanon && !L_ECHO(tty))
+ return;
+
if (tty->driver->type == TTY_DRIVER_TYPE_PTY
&& tty->driver->subtype == PTY_TYPE_MASTER)
return;