Página Principal Explorar Ajuda
Iniciar Sessão
8516
/
Test
1
0
Fork 0
Ficheiros Problemas 0 Pull Requests 0 Wiki
Ramo: master
Ramos Etiquetas
Test
/
EVSE
/
GPL
/
linux-pam-1.5.2
/
modules
/
pam_tty_audit
/
pam_tty_audit.c

pam_tty_audit.c 12 KB
Link permanente Histórico Em bruto

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450 
  1. /* Copyright © 2007, 2008 Red Hat, Inc. All rights reserved.
    2. 

  2.    Red Hat author: Miloslav Trmač <mitr@redhat.com>
    3. 

  3. 

  4.    Redistribution and use in source and binary forms of Linux-PAM, with
    5. 

  5.    or without modification, are permitted provided that the following
    6. 

  6.    conditions are met:
    7. 

  7. 

  8.    1. Redistributions of source code must retain any existing copyright
    9. 

  9.       notice, and this entire permission notice in its entirety,
    10. 

  10.       including the disclaimer of warranties.
    11. 

  11. 

  12.    2. Redistributions in binary form must reproduce all prior and current
    13. 

  13.       copyright notices, this list of conditions, and the following
    14. 

  14.       disclaimer in the documentation and/or other materials provided
    15. 

  15.       with the distribution.
    16. 

  16. 

  17.    3. The name of any author may not be used to endorse or promote
    18. 

  18.       products derived from this software without their specific prior
    19. 

  19.       written permission.
    20. 

  20. 

  21.    ALTERNATIVELY, this product may be distributed under the terms of the
    22. 

  22.    GNU General Public License, in which case the provisions of the GNU
    23. 

  23.    GPL are required INSTEAD OF the above restrictions.  (This clause is
    24. 

  24.    necessary due to a potential conflict between the GNU GPL and the
    25. 

  25.    restrictions contained in a BSD-style copyright.)
    26. 

  26. 

  27.    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
    28. 

  28.    WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
    29. 

  29.    MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
    30. 

  30.    IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
    31. 

  31.    INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
    32. 

  32.    BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
    33. 

  33.    OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
    34. 

  34.    ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
    35. 

  35.    TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
    36. 

  36.    USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
    37. 

  37.    DAMAGE. */
    38. 

  38. 

  39. #include "config.h"
    40. 

  40. #include <errno.h>
    41. 

  41. #include <fnmatch.h>
    42. 

  42. #include <stdlib.h>
    43. 

  43. #include <string.h>
    44. 

  44. #include <syslog.h>
    45. 

  45. #include <sys/socket.h>
    46. 

  46. #include <unistd.h>
    47. 

  47. 

  48. #include <libaudit.h>
    49. 

  49. #include <linux/netlink.h>
    50. 

  50. 

  51. #include <security/pam_ext.h>
    52. 

  52. #include <security/pam_modules.h>
    53. 

  53. #include <security/pam_modutil.h>
    54. 

  54. 

  55. #include "pam_cc_compat.h"
    56. 

  56. #include "pam_inline.h"
    57. 

  57. 

  58. #define DATANAME "pam_tty_audit_last_state"
    59. 

  59. 

  60. /* Open an audit netlink socket */
    61. 

  61. static int
    62. 

  62. nl_open (void)
    63. 

  63. {
    64. 

  64.   return socket (AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    65. 

  65. }
    66. 

  66. 

  67. static int
    68. 

  68. nl_send (int fd, unsigned type, unsigned flags, const void *data, size_t size)
    69. 

  69. {
    70. 

  70.   struct sockaddr_nl addr;
    71. 

  71.   struct msghdr msg;
    72. 

  72.   struct nlmsghdr nlm;
    73. 

  73.   struct iovec iov[2];
    74. 

  74.   ssize_t res;
    75. 

  75. 

  76.   nlm.nlmsg_len = NLMSG_LENGTH (size);
    77. 

  77.   nlm.nlmsg_type = type;
    78. 

  78.   nlm.nlmsg_flags = NLM_F_REQUEST | flags;
    79. 

  79.   nlm.nlmsg_seq = 0;
    80. 

  80.   nlm.nlmsg_pid = 0;
    81. 

  81.   iov[0].iov_base = &nlm;
    82. 

  82.   iov[0].iov_len = sizeof (nlm);
    83. 

  83.   DIAG_PUSH_IGNORE_CAST_QUAL;
    84. 

  84.   iov[1].iov_base = (void *)data;
    85. 

  85.   DIAG_POP_IGNORE_CAST_QUAL;
    86. 

  86.   iov[1].iov_len = size;
    87. 

  87.   addr.nl_family = AF_NETLINK;
    88. 

  88.   addr.nl_pid = 0;
    89. 

  89.   addr.nl_groups = 0;
    90. 

  90.   msg.msg_name = &addr;
    91. 

  91.   msg.msg_namelen = sizeof (addr);
    92. 

  92.   msg.msg_iov = iov;
    93. 

  93.   msg.msg_iovlen = 2;
    94. 

  94.   msg.msg_control = NULL;
    95. 

  95.   msg.msg_controllen = 0;
    96. 

  96.   msg.msg_flags = 0;
    97. 

  97.   res = sendmsg (fd, &msg, 0);
    98. 

  98.   if (res == -1)
    99. 

  99.     return -1;
    100. 

  100.   if ((size_t)res != nlm.nlmsg_len)
    101. 

  101.     {
    102. 

  102.       errno = EIO;
    103. 

  103.       return -1;
    104. 

  104.     }
    105. 

  105.   return 0;
    106. 

  106. }
    107. 

  107. 

  108. static int
    109. 

  109. nl_recv (int fd, unsigned type, void *buf, size_t size)
    110. 

  110. {
    111. 

  111.   struct sockaddr_nl addr;
    112. 

  112.   struct msghdr msg;
    113. 

  113.   struct nlmsghdr nlm;
    114. 

  114.   struct iovec iov[2];
    115. 

  115.   ssize_t res, resdiff;
    116. 

  116. 

  117.  again:
    118. 

  118.   iov[0].iov_base = &nlm;
    119. 

  119.   iov[0].iov_len = sizeof (nlm);
    120. 

  120.   msg.msg_name = &addr;
    121. 

  121.   msg.msg_namelen = sizeof (addr);
    122. 

  122.   msg.msg_iov = iov;
    123. 

  123.   msg.msg_iovlen = 1;
    124. 

  124.   msg.msg_control = NULL;
    125. 

  125.   msg.msg_controllen = 0;
    126. 

  126.   msg.msg_flags = 0;
    127. 

  127.   if (type != NLMSG_ERROR)
    128. 

  128.     {
    129. 

  129.       res = recvmsg (fd, &msg, MSG_PEEK);
    130. 

  130.       if (res == -1)
    131. 

  131. 	return -1;
    132. 

  132.       if (res != NLMSG_LENGTH (0))
    133. 

  133. 	{
    134. 

  134. 	  errno = EIO;
    135. 

  135. 	  return -1;
    136. 

  136. 	}
    137. 

  137.       if (nlm.nlmsg_type == NLMSG_ERROR)
    138. 

  138. 	{
    139. 

  139. 	  struct nlmsgerr err;
    140. 

  140. 

  141. 	  iov[1].iov_base = &err;
    142. 

  142. 	  iov[1].iov_len = sizeof (err);
    143. 

  143. 	  msg.msg_iovlen = 2;
    144. 

  144. 	  res = recvmsg (fd, &msg, 0);
    145. 

  145. 	  if (res == -1)
    146. 

  146. 	    return -1;
    147. 

  147. 	  if ((size_t)res != NLMSG_LENGTH (sizeof (err))
    148. 

  148. 	      || nlm.nlmsg_type != NLMSG_ERROR)
    149. 

  149. 	    {
    150. 

  150. 	      errno = EIO;
    151. 

  151. 	      return -1;
    152. 

  152. 	    }
    153. 

  153. 	  if (err.error == 0)
    154. 

  154. 	    goto again;
    155. 

  155. 	  errno = -err.error;
    156. 

  156. 	  return -1;
    157. 

  157. 	}
    158. 

  158.     }
    159. 

  159.   if (size != 0)
    160. 

  160.     {
    161. 

  161.       iov[1].iov_base = buf;
    162. 

  162.       iov[1].iov_len = size;
    163. 

  163.       msg.msg_iovlen = 2;
    164. 

  164.     }
    165. 

  165.   res = recvmsg (fd, &msg, 0);
    166. 

  166.   if (res == -1)
    167. 

  167.     return -1;
    168. 

  168.   resdiff = NLMSG_LENGTH(size) - (size_t)res;
    169. 

  169.   if (resdiff < 0
    170. 

  170.       || nlm.nlmsg_type != type)
    171. 

  171.     {
    172. 

  172.       errno = EIO;
    173. 

  173.       return -1;
    174. 

  174.     }
    175. 

  175.   else if (resdiff > 0)
    176. 

  176.     {
    177. 

  177.       memset((char *)buf + size - resdiff, 0, resdiff);
    178. 

  178.     }
    179. 

  179.   return 0;
    180. 

  180. }
    181. 

  181. 

  182. static int
    183. 

  183. nl_recv_ack (int fd)
    184. 

  184. {
    185. 

  185.   struct nlmsgerr err;
    186. 

  186. 

  187.   if (nl_recv (fd, NLMSG_ERROR, &err, sizeof (err)) != 0)
    188. 

  188.     return -1;
    189. 

  189.   if (err.error != 0)
    190. 

  190.     {
    191. 

  191.       errno = -err.error;
    192. 

  192.       return -1;
    193. 

  193.     }
    194. 

  194.   return 0;
    195. 

  195. }
    196. 

  196. 

  197. static void
    198. 

  198. cleanup_old_status (pam_handle_t *pamh, void *data, int error_status)
    199. 

  199. {
    200. 

  200.   (void)pamh;
    201. 

  201.   (void)error_status;
    202. 

  202.   free (data);
    203. 

  203. }
    204. 

  204. 

  205. enum uid_range { UID_RANGE_NONE, UID_RANGE_MM, UID_RANGE_MIN,
    206. 

  206.     UID_RANGE_ONE, UID_RANGE_ERR };
    207. 

  207. 

  208. static enum uid_range
    209. 

  209. parse_uid_range(pam_handle_t *pamh, const char *s,
    210. 

  210.                 uid_t *min_uid, uid_t *max_uid)
    211. 

  211. {
    212. 

  212.     const char *range = s;
    213. 

  213.     const char *pmax;
    214. 

  214.     char *endptr;
    215. 

  215.     enum uid_range rv = UID_RANGE_MM;
    216. 

  216. 

  217.     if ((pmax=strchr(range, ':')) == NULL)
    218. 

  218.         return UID_RANGE_NONE;
    219. 

  219.     ++pmax;
    220. 

  220. 

  221.     if (range[0] == ':')
    222. 

  222.         rv = UID_RANGE_ONE;
    223. 

  223.     else {
    224. 

  224.             errno = 0;
    225. 

  225.             *min_uid = strtoul (range, &endptr, 10);
    226. 

  226.             if (errno != 0 || (range == endptr) || *endptr != ':') {
    227. 

  227.                 pam_syslog(pamh, LOG_DEBUG,
    228. 

  228.                            "wrong min_uid value in '%s'", s);
    229. 

  229.                 return UID_RANGE_ERR;
    230. 

  230.             }
    231. 

  231.     }
    232. 

  232. 

  233.     if (*pmax == '\0') {
    234. 

  234.         if (rv == UID_RANGE_ONE)
    235. 

  235.             return UID_RANGE_ERR;
    236. 

  236. 

  237.         return UID_RANGE_MIN;
    238. 

  238.     }
    239. 

  239. 

  240.     errno = 0;
    241. 

  241.     *max_uid = strtoul (pmax, &endptr, 10);
    242. 

  242.     if (errno != 0 || (pmax == endptr) || *endptr != '\0') {
    243. 

  243.         pam_syslog(pamh, LOG_DEBUG,
    244. 

  244.                    "wrong max_uid value in '%s'", s);
    245. 

  245.         return UID_RANGE_ERR;
    246. 

  246.     }
    247. 

  247. 

  248.     if (rv == UID_RANGE_ONE)
    249. 

  249.         *min_uid = *max_uid;
    250. 

  250.     return rv;
    251. 

  251. }
    252. 

  252. 

  253. int
    254. 

  254. pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
    255. 

  255. {
    256. 

  256.   enum command { CMD_NONE, CMD_ENABLE, CMD_DISABLE };
    257. 

  257. 

  258.   enum command command;
    259. 

  259.   struct audit_tty_status *old_status, new_status;
    260. 

  260.   const char *user;
    261. 

  261.   int i, fd, open_only;
    262. 

  262.   struct passwd *pwd;
    263. 

  263. #ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
    264. 

  264.   int log_passwd;
    265. 

  265. #endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
    266. 

  266. 

  267.   (void)flags;
    268. 

  268. 

  269.   if (pam_get_user (pamh, &user, NULL) != PAM_SUCCESS)
    270. 

  270.     {
    271. 

  271.       pam_syslog(pamh, LOG_NOTICE, "cannot determine user name");
    272. 

  272.       return PAM_SESSION_ERR;
    273. 

  273.     }
    274. 

  274. 

  275.   pwd = pam_modutil_getpwnam(pamh, user);
    276. 

  276.   if (pwd == NULL)
    277. 

  277.     {
    278. 

  278.       pam_syslog(pamh, LOG_NOTICE,
    279. 

  279.                  "open_session unknown user '%s'", user);
    280. 

  280.       return PAM_SESSION_ERR;
    281. 

  281.     }
    282. 

  282. 

  283.   command = CMD_NONE;
    284. 

  284.   open_only = 0;
    285. 

  285. #ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
    286. 

  286.   log_passwd = 0;
    287. 

  287. #endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
    288. 

  288.   for (i = 0; i < argc; i++)
    289. 

  289.     {
    290. 

  290.       const char *str;
    291. 

  291. 

  292.       if ((str = pam_str_skip_prefix(argv[i], "enable=")) != NULL
    293. 

  293. 	  || (str = pam_str_skip_prefix(argv[i], "disable=")) != NULL)
    294. 

  294. 	{
    295. 

  295. 	  enum command this_command;
    296. 

  296. 	  char *copy, *tok_data, *tok;
    297. 

  297. 

  298. 	  this_command = *argv[i] == 'e' ? CMD_ENABLE : CMD_DISABLE;
    299. 

  299. 	  copy = strdup (str);
    300. 

  300. 	  if (copy == NULL)
    301. 

  301. 	    return PAM_SESSION_ERR;
    302. 

  302. 	  for (tok = strtok_r (copy, ",", &tok_data);
    303. 

  303. 	       tok != NULL && command != this_command;
    304. 

  304. 	       tok = strtok_r (NULL, ",", &tok_data))
    305. 

  305. 	    {
    306. 

  306. 	      uid_t min_uid = 0, max_uid = 0;
    307. 

  307. 	      switch (parse_uid_range(pamh, tok, &min_uid, &max_uid))
    308. 

  308. 		{
    309. 

  309. 		case UID_RANGE_NONE:
    310. 

  310. 		    if (fnmatch (tok, user, 0) == 0)
    311. 

  311. 			command = this_command;
    312. 

  312. 		    break;
    313. 

  313. 		case UID_RANGE_MM:
    314. 

  314. 		    if (pwd->pw_uid >= min_uid && pwd->pw_uid <= max_uid)
    315. 

  315. 			command = this_command;
    316. 

  316. 		    break;
    317. 

  317. 		case UID_RANGE_MIN:
    318. 

  318. 		    if (pwd->pw_uid >= min_uid)
    319. 

  319. 			command = this_command;
    320. 

  320. 		    break;
    321. 

  321. 		case UID_RANGE_ONE:
    322. 

  322. 		    if (pwd->pw_uid == max_uid)
    323. 

  323. 			command = this_command;
    324. 

  324. 		    break;
    325. 

  325. 		case UID_RANGE_ERR:
    326. 

  326. 		    break;
    327. 

  327. 		}
    328. 

  328. 	    }
    329. 

  329. 	  free (copy);
    330. 

  330. 	}
    331. 

  331.       else if (strcmp (argv[i], "open_only") == 0)
    332. 

  332. 	open_only = 1;
    333. 

  333.       else if (strcmp (argv[i], "log_passwd") == 0)
    334. 

  334. #ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
    335. 

  335.         log_passwd = 1;
    336. 

  336. #else /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
    337. 

  337.         pam_syslog (pamh, LOG_WARNING,
    338. 

  338.                     "The log_passwd option was not available at compile time.");
    339. 

  339. #warning "pam_tty_audit: The log_passwd option is not available.  Please upgrade your headers/kernel."
    340. 

  340. #endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
    341. 

  341.       else
    342. 

  342. 	{
    343. 

  343. 	  pam_syslog (pamh, LOG_ERR, "unknown option `%s'", argv[i]);
    344. 

  344. 	}
    345. 

  345.     }
    346. 

  346.   if (command == CMD_NONE)
    347. 

  347.     return PAM_SUCCESS;
    348. 

  348. 

  349.   old_status = malloc (sizeof (*old_status));
    350. 

  350.   if (old_status == NULL)
    351. 

  351.     return PAM_SESSION_ERR;
    352. 

  352. 

  353.   fd = nl_open ();
    354. 

  354.   if (fd == -1
    355. 

  355.       && errno == EPROTONOSUPPORT)
    356. 

  356.     {
    357. 

  357.       pam_syslog (pamh, LOG_WARNING, "unable to open audit socket, audit not "
    358. 

  358.                   "supported; tty_audit skipped");
    359. 

  359.       free (old_status);
    360. 

  360.       return PAM_IGNORE;
    361. 

  361.     }
    362. 

  362.   else if (fd == -1
    363. 

  363.       || nl_send (fd, AUDIT_TTY_GET, 0, NULL, 0) != 0
    364. 

  364.       || nl_recv (fd, AUDIT_TTY_GET, old_status, sizeof (*old_status)) != 0)
    365. 

  365.     {
    366. 

  366.       pam_syslog (pamh, LOG_ERR, "error reading current audit status: %m");
    367. 

  367.       if (fd != -1)
    368. 

  368. 	close (fd);
    369. 

  369.       free (old_status);
    370. 

  370.       return PAM_SESSION_ERR;
    371. 

  371.     }
    372. 

  372. 

  373.   memcpy(&new_status, old_status, sizeof(new_status));
    374. 

  374. 

  375.   new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
    376. 

  376. #ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
    377. 

  377.   new_status.log_passwd = log_passwd;
    378. 

  378. #endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
    379. 

  379.   if (old_status->enabled == new_status.enabled
    380. 

  380. #ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
    381. 

  381.       && old_status->log_passwd == new_status.log_passwd
    382. 

  382. #endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
    383. 

  383.      )
    384. 

  384.     {
    385. 

  385.       open_only = 1; /* to clean up old_status */
    386. 

  386.       goto ok_fd;
    387. 

  387.     }
    388. 

  388. 

  389.   if (open_only == 0
    390. 

  390.       && pam_set_data (pamh, DATANAME, old_status, cleanup_old_status)
    391. 

  391.       != PAM_SUCCESS)
    392. 

  392.     {
    393. 

  393.       pam_syslog (pamh, LOG_ERR, "error saving old audit status");
    394. 

  394.       close (fd);
    395. 

  395.       free (old_status);
    396. 

  396.       return PAM_SESSION_ERR;
    397. 

  397.     }
    398. 

  398. 

  399.   if (nl_send (fd, AUDIT_TTY_SET, NLM_F_ACK, &new_status,
    400. 

  400. 	       sizeof (new_status)) != 0
    401. 

  401.       || nl_recv_ack (fd) != 0)
    402. 

  402.     {
    403. 

  403.       pam_syslog (pamh, LOG_ERR, "error setting current audit status: %m");
    404. 

  404.       close (fd);
    405. 

  405.       if (open_only != 0)
    406. 

  406. 	free (old_status);
    407. 

  407.       return PAM_SESSION_ERR;
    408. 

  408.     }
    409. 

  409.   /* Fall through */
    410. 

  410.  ok_fd:
    411. 

  411.   close (fd);
    412. 

  412.   pam_syslog (pamh, LOG_DEBUG, "changed status from %d to %d",
    413. 

  413. 	      old_status->enabled, new_status.enabled);
    414. 

  414.   if (open_only != 0)
    415. 

  415.     free (old_status);
    416. 

  416.   return PAM_SUCCESS;
    417. 

  417. }
    418. 

  418. 

  419. int
    420. 

  420. pam_sm_close_session (pam_handle_t *pamh, int flags, int argc,
    421. 

  421. 		      const char **argv)
    422. 

  422. {
    423. 

  423.   const void *status_;
    424. 

  424. 

  425.   (void)flags;
    426. 

  426.   (void)argc;
    427. 

  427.   (void)argv;
    428. 

  428.   if (pam_get_data (pamh, DATANAME, &status_) == PAM_SUCCESS)
    429. 

  429.     {
    430. 

  430.       const struct audit_tty_status *status;
    431. 

  431.       int fd;
    432. 

  432. 

  433.       status = status_;
    434. 

  434. 

  435.       fd = nl_open ();
    436. 

  436.       if (fd == -1
    437. 

  437. 	  || nl_send (fd, AUDIT_TTY_SET, NLM_F_ACK, status,
    438. 

  438. 		      sizeof (*status)) != 0
    439. 

  439. 	  || nl_recv_ack (fd) != 0)
    440. 

  440. 	{
    441. 

  441. 	  pam_syslog (pamh, LOG_ERR, "error restoring audit status: %m");
    442. 

  442. 	  if (fd != -1)
    443. 

  443. 	    close (fd);
    444. 

  444. 	  return PAM_SESSION_ERR;
    445. 

  445. 	}
    446. 

  446.       close (fd);
    447. 

  447.       pam_syslog (pamh, LOG_DEBUG, "restored status to %d", status->enabled);
    448. 

  448.     }
    449. 

  449.   return PAM_SUCCESS;
    450. 

  450. }
    451.