pam_faillock: skip clearing user's failed attempt
Resolves: RHEL-130871 Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
This commit is contained in:
Iker Pedrosa
parent
3e4bbb53e0
commit
49966cff8a
89
pam-1.6.1-pam-faillock-skip.patch
Normal file
89
pam-1.6.1-pam-faillock-skip.patch
Normal file
@ -0,0 +1,89 @@
|
||||
From 7d96d452e65ba5dec73f2c77104113977dd3aeb1 Mon Sep 17 00:00:00 2001
|
||||
From: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Date: Fri, 18 Jul 2025 16:11:39 +0200
|
||||
Subject: [PATCH] pam_faillock: skip clearing user's failed attempt
|
||||
|
||||
Automated services, like `crond` or `systemd-user`, skip the
|
||||
`auth` stack and directly invoke the `account` stack. Thus, they can
|
||||
clear the user's failed attempt records. With this new logic simply
|
||||
skip resetting the failed login counter when `auth` stack hasn't been
|
||||
been run prior to `account` stack.
|
||||
|
||||
* modules/pam_faillock/pam_faillock.c: Skip clearing the user's failed
|
||||
attempt record during `account` stack when `auth` stack isn't run.
|
||||
* modules/pam_faillock/pam_faillock.8.xml: Document new behaviour.
|
||||
|
||||
Resolves: https://issues.redhat.com/browse/RHEL-32294
|
||||
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
---
|
||||
modules/pam_faillock/pam_faillock.8.xml | 8 ++++++++
|
||||
modules/pam_faillock/pam_faillock.c | 13 +++++++++++++
|
||||
2 files changed, 21 insertions(+)
|
||||
|
||||
diff --git a/modules/pam_faillock/pam_faillock.8.xml b/modules/pam_faillock/pam_faillock.8.xml
|
||||
index ce0ae050..42f87e81 100644
|
||||
--- a/modules/pam_faillock/pam_faillock.8.xml
|
||||
+++ b/modules/pam_faillock/pam_faillock.8.xml
|
||||
@@ -243,6 +243,14 @@
|
||||
user accounts allowing the adversary to infer that a particular account
|
||||
is not existing on a system.
|
||||
</para>
|
||||
+ <para>
|
||||
+ If the <option>auth</option> stack has not been run prior to the <option>account</option>
|
||||
+ stack, the logic to reset the failed login counter is intentionally skipped. This prevents
|
||||
+ automated services, such as <emphasis>crond</emphasis> or <emphasis>systemd-user</emphasis>,
|
||||
+ which might only perform account management tasks, from inadvertently clearing a user's
|
||||
+ failed attempt records. This ensures the faillock counter is only reset by a service that
|
||||
+ performs a full, successful authentication.
|
||||
+ </para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1 xml:id="pam_faillock-examples">
|
||||
diff --git a/modules/pam_faillock/pam_faillock.c b/modules/pam_faillock/pam_faillock.c
|
||||
index 2d847aeb..a8363b6c 100644
|
||||
--- a/modules/pam_faillock/pam_faillock.c
|
||||
+++ b/modules/pam_faillock/pam_faillock.c
|
||||
@@ -62,6 +62,8 @@
|
||||
#define FAILLOCK_ACTION_AUTHSUCC 1
|
||||
#define FAILLOCK_ACTION_AUTHFAIL 2
|
||||
|
||||
+#define FAILLOCK_AUTH_EXECUTED "pam_faillock:auth_executed"
|
||||
+
|
||||
static int
|
||||
args_parse(pam_handle_t *pamh, int argc, const char **argv,
|
||||
int flags, struct options *opts)
|
||||
@@ -478,6 +480,10 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
|
||||
goto err;
|
||||
}
|
||||
|
||||
+ rv = pam_set_data(pamh, FAILLOCK_AUTH_EXECUTED, (void *)1, NULL);
|
||||
+ if (rv != PAM_SUCCESS)
|
||||
+ goto err;
|
||||
+
|
||||
if (!(opts.flags & FAILLOCK_FLAG_LOCAL_ONLY) ||
|
||||
check_local_user (pamh, opts.user) != 0) {
|
||||
switch (opts.action) {
|
||||
@@ -531,6 +537,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
|
||||
struct options opts;
|
||||
int rv, fd = -1;
|
||||
struct tally_data tallies;
|
||||
+ const void *auth_flag;
|
||||
|
||||
memset(&tallies, 0, sizeof(tallies));
|
||||
|
||||
@@ -541,6 +548,12 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
|
||||
|
||||
opts.action = FAILLOCK_ACTION_AUTHSUCC;
|
||||
|
||||
+ rv = pam_get_data(pamh, FAILLOCK_AUTH_EXECUTED, &auth_flag);
|
||||
+ if (rv == PAM_NO_MODULE_DATA) {
|
||||
+ rv = PAM_SUCCESS;
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
if ((rv=get_pam_user(pamh, &opts)) != PAM_SUCCESS) {
|
||||
goto err;
|
||||
}
|
||||
--
|
||||
2.52.0
|
||||
|
||||
9
pam.spec
9
pam.spec
@ -4,7 +4,7 @@
|
||||
Summary: An extensible library which provides authentication for applications
|
||||
Name: pam
|
||||
Version: 1.6.1
|
||||
Release: 8%{?dist}
|
||||
Release: 9%{?dist}
|
||||
# The library is BSD licensed with option to relicense as GPLv2+
|
||||
# - this option is redundant as the BSD license allows that anyway.
|
||||
# pam_timestamp and pam_loginuid modules are GPLv2+.
|
||||
@ -37,6 +37,8 @@ Patch7: pam-1.6.1-pam-access-resolve-ip.patch
|
||||
Patch8: pam-1.6.1-pam-inline-pam-asprintf.patch
|
||||
# https://github.com/linux-pam/linux-pam/commit/976c20079358d133514568fc7fd95c02df8b5773
|
||||
Patch9: pam-1.6.1-pam-namespace-rebase.patch
|
||||
# https://github.com/linux-pam/linux-pam/commit/7d96d452e65ba5dec73f2c77104113977dd3aeb1
|
||||
Patch10: pam-1.6.1-pam-faillock-skip.patch
|
||||
|
||||
%{load:%{SOURCE3}}
|
||||
|
||||
@ -136,6 +138,7 @@ cp %{SOURCE18} .
|
||||
%patch -P 7 -p1 -b .pam-access-resolve-ip
|
||||
%patch -P 8 -p1 -b .pam-inline-pam-asprintf
|
||||
%patch -P 9 -p1 -b .pam-namespace-rebase
|
||||
%patch -P 10 -p1 -b .pam-faillock-skip
|
||||
|
||||
autoreconf -i
|
||||
|
||||
@ -374,6 +377,10 @@ done
|
||||
%{_pam_libdir}/libpam_misc.so.%{so_ver}*
|
||||
|
||||
%changelog
|
||||
* Mon Dec 1 2025 Iker Pedrosa <ipedrosa@redhat.com> - 1.6.1-9
|
||||
- pam_faillock: skip clearing user's failed attempt.
|
||||
Resolves: RHEL-130871
|
||||
|
||||
* Tue Jul 1 2025 Iker Pedrosa <ipedrosa@redhat.com> - 1.6.1-8
|
||||
- pam_namespace: fix potential privilege escalation.
|
||||
Resolves: CVE-2025-6020 and RHEL-101174
|
||||
|
||||
Loading…
Reference in New Issue
Block a user