pam_faillock: add possibility to set unlock_time to never

Tomas Mraz 2015-10-16 15:31:12 +02:00
parent 6818550d2a
commit d55e35278c
4 changed files with 78 additions and 102 deletions


@ -1,27 +1,3 @@
diff -up Linux-PAM-1.1.8/modules/pam_faillock/main.c.audit-user-mgmt Linux-PAM-1.1.8/modules/pam_faillock/main.c
--- Linux-PAM-1.1.8/modules/pam_faillock/main.c.audit-user-mgmt 2014-10-17 12:09:12.928490104 +0200
+++ Linux-PAM-1.1.8/modules/pam_faillock/main.c 2014-10-17 12:09:43.001169008 +0200
@@ -127,7 +127,6 @@ do_user(struct options *opts, const char
}
if (opts->reset) {
#ifdef HAVE_LIBAUDIT
- char buf[64];
int audit_fd;
#endif
@@ -141,10 +140,8 @@ do_user(struct options *opts, const char
if ((audit_fd=audit_open()) >= 0) {
if (pwd != NULL) {
- snprintf(buf, sizeof(buf), "faillock reset uid=%u",
- pwd->pw_uid);
- audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
- buf, NULL, NULL, NULL, rv == 0);
+ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL,
+ "faillock-reset", NULL, pwd->pw_uid, NULL, NULL, NULL, rv == 0);
}
close(audit_fd);
}
diff -up Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c.audit-user-mgmt Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c diff -up Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c.audit-user-mgmt Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c
--- Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c.audit-user-mgmt 2013-06-18 16:11:21.000000000 +0200 --- Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c.audit-user-mgmt 2013-06-18 16:11:21.000000000 +0200
+++ Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c 2014-10-17 12:09:12.965490940 +0200 +++ Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c 2014-10-17 12:09:12.965490940 +0200


@ -19,26 +19,6 @@ diff -up Linux-PAM-1.1.8/modules/pam_console/Makefile.am.relro Linux-PAM-1.1.8/m
configfile.tab.c: configfile.y configfile.tab.c: configfile.y
$(YACC) $(BISON_OPTS) -o $@ -p _pc_yy $< $(YACC) $(BISON_OPTS) -o $@ -p _pc_yy $<
diff -up Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am
--- Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am.relro 2014-08-13 16:02:49.000000000 +0200
+++ Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am 2014-09-10 17:16:11.102808189 +0200
@@ -19,7 +19,7 @@ secureconfdir = $(SCONFIGDIR)
noinst_HEADERS = faillock.h
-faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
+faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include @PIE_CFLAGS@
pam_faillock_la_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
pam_faillock_la_LDFLAGS = -no-undefined -avoid-version -module
@@ -28,6 +28,7 @@ if HAVE_VERSIONING
pam_faillock_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
endif
+faillock_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
faillock_LDADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT)
securelib_LTLIBRARIES = pam_faillock.la
diff -up Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am diff -up Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am
--- Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am.relro 2014-09-10 17:17:20.273401344 +0200 --- Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am.relro 2014-09-10 17:17:20.273401344 +0200
+++ Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am 2014-09-10 17:17:07.857115369 +0200 +++ Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am 2014-09-10 17:17:07.857115369 +0200


@ -1,6 +1,6 @@
diff -up Linux-PAM-1.2.0/configure.ac.faillock Linux-PAM-1.2.0/configure.ac diff -up Linux-PAM-1.2.1/configure.ac.faillock Linux-PAM-1.2.1/configure.ac
--- Linux-PAM-1.2.0/configure.ac.faillock 2015-05-15 15:52:13.794506394 +0200 --- Linux-PAM-1.2.1/configure.ac.faillock 2015-06-25 10:42:21.477374752 +0200
+++ Linux-PAM-1.2.0/configure.ac 2015-05-15 15:52:13.798506486 +0200 +++ Linux-PAM-1.2.1/configure.ac 2015-06-25 10:42:21.501375246 +0200
@@ -621,7 +621,7 @@ AC_CONFIG_FILES([Makefile libpam/Makefil @@ -621,7 +621,7 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
modules/pam_access/Makefile modules/pam_cracklib/Makefile \ modules/pam_access/Makefile modules/pam_cracklib/Makefile \
modules/pam_debug/Makefile modules/pam_deny/Makefile \ modules/pam_debug/Makefile modules/pam_deny/Makefile \
@ -10,9 +10,9 @@ diff -up Linux-PAM-1.2.0/configure.ac.faillock Linux-PAM-1.2.0/configure.ac
modules/pam_filter/Makefile modules/pam_filter/upperLOWER/Makefile \ modules/pam_filter/Makefile modules/pam_filter/upperLOWER/Makefile \
modules/pam_ftp/Makefile modules/pam_group/Makefile \ modules/pam_ftp/Makefile modules/pam_group/Makefile \
modules/pam_issue/Makefile modules/pam_keyinit/Makefile \ modules/pam_issue/Makefile modules/pam_keyinit/Makefile \
diff -up Linux-PAM-1.2.0/doc/sag/pam_faillock.xml.faillock Linux-PAM-1.2.0/doc/sag/pam_faillock.xml diff -up Linux-PAM-1.2.1/doc/sag/pam_faillock.xml.faillock Linux-PAM-1.2.1/doc/sag/pam_faillock.xml
--- Linux-PAM-1.2.0/doc/sag/pam_faillock.xml.faillock 2015-05-15 15:52:13.799506509 +0200 --- Linux-PAM-1.2.1/doc/sag/pam_faillock.xml.faillock 2015-06-25 10:42:21.482374855 +0200
+++ Linux-PAM-1.2.0/doc/sag/pam_faillock.xml 2015-05-15 15:52:13.799506509 +0200 +++ Linux-PAM-1.2.1/doc/sag/pam_faillock.xml 2015-06-25 10:42:21.482374855 +0200
@@ -0,0 +1,38 @@ @@ -0,0 +1,38 @@
+<?xml version='1.0' encoding='UTF-8'?> +<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" +<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
@ -52,9 +52,9 @@ diff -up Linux-PAM-1.2.0/doc/sag/pam_faillock.xml.faillock Linux-PAM-1.2.0/doc/s
+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-author"]/*)'/> + href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-author"]/*)'/>
+ </section> + </section>
+</section> +</section>
diff -up Linux-PAM-1.2.0/modules/Makefile.am.faillock Linux-PAM-1.2.0/modules/Makefile.am diff -up Linux-PAM-1.2.1/modules/Makefile.am.faillock Linux-PAM-1.2.1/modules/Makefile.am
--- Linux-PAM-1.2.0/modules/Makefile.am.faillock 2015-05-15 15:52:13.797506463 +0200 --- Linux-PAM-1.2.1/modules/Makefile.am.faillock 2015-06-25 10:42:21.480374814 +0200
+++ Linux-PAM-1.2.0/modules/Makefile.am 2015-05-15 15:52:13.799506509 +0200 +++ Linux-PAM-1.2.1/modules/Makefile.am 2015-06-25 10:42:21.482374855 +0200
@@ -3,7 +3,7 @@ @@ -3,7 +3,7 @@
# #
@ -64,9 +64,9 @@ diff -up Linux-PAM-1.2.0/modules/Makefile.am.faillock Linux-PAM-1.2.0/modules/Ma
pam_env pam_exec pam_faildelay pam_filter pam_ftp \ pam_env pam_exec pam_faildelay pam_filter pam_ftp \
pam_group pam_issue pam_keyinit pam_lastlog pam_limits \ pam_group pam_issue pam_keyinit pam_lastlog pam_limits \
pam_listfile pam_localuser pam_loginuid pam_mail \ pam_listfile pam_localuser pam_loginuid pam_mail \
diff -up Linux-PAM-1.2.0/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.2.0/modules/pam_faillock/faillock.c diff -up Linux-PAM-1.2.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.2.1/modules/pam_faillock/faillock.c
--- Linux-PAM-1.2.0/modules/pam_faillock/faillock.c.faillock 2015-05-15 15:52:13.799506509 +0200 --- Linux-PAM-1.2.1/modules/pam_faillock/faillock.c.faillock 2015-06-25 10:42:21.482374855 +0200
+++ Linux-PAM-1.2.0/modules/pam_faillock/faillock.c 2015-05-15 15:52:13.799506509 +0200 +++ Linux-PAM-1.2.1/modules/pam_faillock/faillock.c 2015-06-25 10:42:21.482374855 +0200
@@ -0,0 +1,158 @@ @@ -0,0 +1,158 @@
+/* +/*
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com> + * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
@ -226,9 +226,9 @@ diff -up Linux-PAM-1.2.0/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.2.
+ +
+ return 0; + return 0;
+} +}
diff -up Linux-PAM-1.2.0/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.2.0/modules/pam_faillock/faillock.h diff -up Linux-PAM-1.2.1/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.2.1/modules/pam_faillock/faillock.h
--- Linux-PAM-1.2.0/modules/pam_faillock/faillock.h.faillock 2015-05-15 15:52:13.799506509 +0200 --- Linux-PAM-1.2.1/modules/pam_faillock/faillock.h.faillock 2015-06-25 10:42:21.482374855 +0200
+++ Linux-PAM-1.2.0/modules/pam_faillock/faillock.h 2015-05-15 15:52:13.799506509 +0200 +++ Linux-PAM-1.2.1/modules/pam_faillock/faillock.h 2015-06-25 10:42:21.482374855 +0200
@@ -0,0 +1,73 @@ @@ -0,0 +1,73 @@
+/* +/*
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com> + * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
@ -303,9 +303,9 @@ diff -up Linux-PAM-1.2.0/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.2.
+int update_tally(int fd, struct tally_data *tallies); +int update_tally(int fd, struct tally_data *tallies);
+#endif +#endif
+ +
diff -up Linux-PAM-1.2.0/modules/pam_faillock/faillock.8.xml.faillock Linux-PAM-1.2.0/modules/pam_faillock/faillock.8.xml diff -up Linux-PAM-1.2.1/modules/pam_faillock/faillock.8.xml.faillock Linux-PAM-1.2.1/modules/pam_faillock/faillock.8.xml
--- Linux-PAM-1.2.0/modules/pam_faillock/faillock.8.xml.faillock 2015-05-15 15:52:13.799506509 +0200 --- Linux-PAM-1.2.1/modules/pam_faillock/faillock.8.xml.faillock 2015-06-25 10:42:21.482374855 +0200
+++ Linux-PAM-1.2.0/modules/pam_faillock/faillock.8.xml 2015-05-15 15:52:13.799506509 +0200 +++ Linux-PAM-1.2.1/modules/pam_faillock/faillock.8.xml 2015-06-25 10:42:21.482374855 +0200
@@ -0,0 +1,123 @@ @@ -0,0 +1,123 @@
+<?xml version="1.0" encoding='UTF-8'?> +<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
@ -430,10 +430,10 @@ diff -up Linux-PAM-1.2.0/modules/pam_faillock/faillock.8.xml.faillock Linux-PAM-
+ </refsect1> + </refsect1>
+ +
+</refentry> +</refentry>
diff -up Linux-PAM-1.2.0/modules/pam_faillock/main.c.faillock Linux-PAM-1.2.0/modules/pam_faillock/main.c diff -up Linux-PAM-1.2.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.2.1/modules/pam_faillock/main.c
--- Linux-PAM-1.2.0/modules/pam_faillock/main.c.faillock 2015-05-15 15:52:13.799506509 +0200 --- Linux-PAM-1.2.1/modules/pam_faillock/main.c.faillock 2015-06-25 10:42:21.482374855 +0200
+++ Linux-PAM-1.2.0/modules/pam_faillock/main.c 2015-05-15 15:52:13.799506509 +0200 +++ Linux-PAM-1.2.1/modules/pam_faillock/main.c 2015-06-25 10:42:21.503375287 +0200
@@ -0,0 +1,235 @@ @@ -0,0 +1,232 @@
+/* +/*
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com> + * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
+ * + *
@ -563,7 +563,6 @@ diff -up Linux-PAM-1.2.0/modules/pam_faillock/main.c.faillock Linux-PAM-1.2.0/mo
+ } + }
+ if (opts->reset) { + if (opts->reset) {
+#ifdef HAVE_LIBAUDIT +#ifdef HAVE_LIBAUDIT
+ char buf[64];
+ int audit_fd; + int audit_fd;
+#endif +#endif
+ +
@ -577,10 +576,8 @@ diff -up Linux-PAM-1.2.0/modules/pam_faillock/main.c.faillock Linux-PAM-1.2.0/mo
+ if ((audit_fd=audit_open()) >= 0) { + if ((audit_fd=audit_open()) >= 0) {
+ +
+ if (pwd != NULL) { + if (pwd != NULL) {
+ snprintf(buf, sizeof(buf), "faillock reset uid=%u", + audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL,
+ pwd->pw_uid); + "faillock-reset", NULL, pwd->pw_uid, NULL, NULL, NULL, rv == 0);
+ audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
+ buf, NULL, NULL, NULL, rv == 0);
+ } + }
+ close(audit_fd); + close(audit_fd);
+ } + }
@ -669,10 +666,10 @@ diff -up Linux-PAM-1.2.0/modules/pam_faillock/main.c.faillock Linux-PAM-1.2.0/mo
+ return do_user(&opts, opts.user); + return do_user(&opts, opts.user);
+} +}
+ +
diff -up Linux-PAM-1.2.0/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.2.0/modules/pam_faillock/Makefile.am diff -up Linux-PAM-1.2.1/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.2.1/modules/pam_faillock/Makefile.am
--- Linux-PAM-1.2.0/modules/pam_faillock/Makefile.am.faillock 2015-05-15 15:52:13.799506509 +0200 --- Linux-PAM-1.2.1/modules/pam_faillock/Makefile.am.faillock 2015-06-25 10:42:21.482374855 +0200
+++ Linux-PAM-1.2.0/modules/pam_faillock/Makefile.am 2015-05-15 15:52:13.799506509 +0200 +++ Linux-PAM-1.2.1/modules/pam_faillock/Makefile.am 2015-06-25 10:42:21.494375102 +0200
@@ -0,0 +1,43 @@ @@ -0,0 +1,44 @@
+# +#
+# Copyright (c) 2005, 2006, 2007, 2009 Thorsten Kukuk <kukuk@thkukuk.de> +# Copyright (c) 2005, 2006, 2007, 2009 Thorsten Kukuk <kukuk@thkukuk.de>
+# Copyright (c) 2008 Red Hat, Inc. +# Copyright (c) 2008 Red Hat, Inc.
@ -694,7 +691,7 @@ diff -up Linux-PAM-1.2.0/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.2
+ +
+noinst_HEADERS = faillock.h +noinst_HEADERS = faillock.h
+ +
+faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include @PIE_CFLAGS@
+pam_faillock_la_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +pam_faillock_la_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
+ +
+pam_faillock_la_LDFLAGS = -no-undefined -avoid-version -module +pam_faillock_la_LDFLAGS = -no-undefined -avoid-version -module
@ -703,6 +700,7 @@ diff -up Linux-PAM-1.2.0/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.2
+ pam_faillock_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map + pam_faillock_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+endif +endif
+ +
+faillock_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+faillock_LDADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT) +faillock_LDADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT)
+ +
+securelib_LTLIBRARIES = pam_faillock.la +securelib_LTLIBRARIES = pam_faillock.la
@ -716,10 +714,10 @@ diff -up Linux-PAM-1.2.0/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.2
+README: pam_faillock.8.xml +README: pam_faillock.8.xml
+-include $(top_srcdir)/Make.xml.rules +-include $(top_srcdir)/Make.xml.rules
+endif +endif
diff -up Linux-PAM-1.2.0/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-1.2.0/modules/pam_faillock/pam_faillock.c diff -up Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.c
--- Linux-PAM-1.2.0/modules/pam_faillock/pam_faillock.c.faillock 2015-05-15 15:52:13.800506532 +0200 --- Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.c.faillock 2015-06-25 10:42:21.483374875 +0200
+++ Linux-PAM-1.2.0/modules/pam_faillock/pam_faillock.c 2015-05-15 15:52:13.800506532 +0200 +++ Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.c 2015-10-16 14:07:38.451616869 +0200
@@ -0,0 +1,556 @@ @@ -0,0 +1,571 @@
+/* +/*
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com> + * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
+ * + *
@ -847,21 +845,30 @@ diff -up Linux-PAM-1.2.0/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-
+ } + }
+ else if (strncmp(argv[i], "unlock_time=", 12) == 0) { + else if (strncmp(argv[i], "unlock_time=", 12) == 0) {
+ unsigned int temp; + unsigned int temp;
+ if (sscanf(argv[i]+12, "%u", &temp) != 1 || +
+ if (strcmp(argv[i]+12, "never") == 0) {
+ opts->unlock_time = 0;
+ }
+ else if (sscanf(argv[i]+12, "%u", &temp) != 1 ||
+ temp > MAX_TIME_INTERVAL) { + temp > MAX_TIME_INTERVAL) {
+ pam_syslog(pamh, LOG_ERR, + pam_syslog(pamh, LOG_ERR,
+ "Bad number supplied for unlock_time argument"); + "Bad number supplied for unlock_time argument");
+ } else { + }
+ else {
+ opts->unlock_time = temp; + opts->unlock_time = temp;
+ } + }
+ } + }
+ else if (strncmp(argv[i], "root_unlock_time=", 17) == 0) { + else if (strncmp(argv[i], "root_unlock_time=", 17) == 0) {
+ unsigned int temp; + unsigned int temp;
+ if (sscanf(argv[i]+17, "%u", &temp) != 1 || +
+ if (strcmp(argv[i]+17, "never") == 0) {
+ opts->root_unlock_time = 0;
+ }
+ else if (sscanf(argv[i]+17, "%u", &temp) != 1 ||
+ temp > MAX_TIME_INTERVAL) { + temp > MAX_TIME_INTERVAL) {
+ pam_syslog(pamh, LOG_ERR, + pam_syslog(pamh, LOG_ERR,
+ "Bad number supplied for root_unlock_time argument"); + "Bad number supplied for root_unlock_time argument");
+ } else { + } else {
+ opts->root_unlock_time = temp; + opts->root_unlock_time = temp;
+ } + }
+ } + }
@ -980,8 +987,8 @@ diff -up Linux-PAM-1.2.0/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-
+ } + }
+ +
+ if (opts->deny && failures >= opts->deny) { + if (opts->deny && failures >= opts->deny) {
+ if ((opts->uid && latest_time + opts->unlock_time < opts->now) || + if ((opts->uid && opts->unlock_time && latest_time + opts->unlock_time < opts->now) ||
+ (!opts->uid && latest_time + opts->root_unlock_time < opts->now)) { + (!opts->uid && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) {
+#ifdef HAVE_LIBAUDIT +#ifdef HAVE_LIBAUDIT
+ if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */ + if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */
+ char buf[64]; + char buf[64];
@ -1145,11 +1152,17 @@ diff -up Linux-PAM-1.2.0/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-
+ left = opts->latest_time + opts->root_unlock_time - opts->now; + left = opts->latest_time + opts->root_unlock_time - opts->now;
+ } + }
+ +
+ left /= 60; /* minutes */ + if (left > 0) {
+ left = (left + 59)/60; /* minutes */
+ +
+ pam_info(pamh, _("Account temporarily locked due to %d failed logins"), + pam_info(pamh, _("Account temporarily locked due to %d failed logins"),
+ opts->failures); + opts->failures);
+ pam_info(pamh, _("(%d minutes left to unlock)"), (int)left); + pam_info(pamh, _("(%d minutes left to unlock)"), (int)left);
+ }
+ else {
+ pam_info(pamh, _("Account locked due to %d failed logins"),
+ opts->failures);
+ }
+ } + }
+} +}
+ +
@ -1276,10 +1289,10 @@ diff -up Linux-PAM-1.2.0/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-
+ +
+#endif /* #ifdef PAM_STATIC */ +#endif /* #ifdef PAM_STATIC */
+ +
diff -up Linux-PAM-1.2.0/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-PAM-1.2.0/modules/pam_faillock/pam_faillock.8.xml diff -up Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.8.xml
--- Linux-PAM-1.2.0/modules/pam_faillock/pam_faillock.8.xml.faillock 2015-05-15 15:52:13.800506532 +0200 --- Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.8.xml.faillock 2015-06-25 10:42:21.483374875 +0200
+++ Linux-PAM-1.2.0/modules/pam_faillock/pam_faillock.8.xml 2015-05-15 15:52:13.800506532 +0200 +++ Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.8.xml 2015-10-16 14:04:45.810864576 +0200
@@ -0,0 +1,392 @@ @@ -0,0 +1,396 @@
+<?xml version="1.0" encoding='UTF-8'?> +<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
@ -1481,6 +1494,10 @@ diff -up Linux-PAM-1.2.0/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-
+ <para> + <para>
+ The access will be reenabled after + The access will be reenabled after
+ <replaceable>n</replaceable> seconds after the lock out. + <replaceable>n</replaceable> seconds after the lock out.
+ The value 0 has the same meaning as value
+ <emphasis>never</emphasis> - the access
+ will not be reenabled without resetting the faillock
+ entries by the <citerefentry><refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum></citerefentry> command.
+ The default is 600 (10 minutes). + The default is 600 (10 minutes).
+ </para> + </para>
+ </listitem> + </listitem>
@ -1672,9 +1689,9 @@ diff -up Linux-PAM-1.2.0/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-
+ </refsect1> + </refsect1>
+ +
+</refentry> +</refentry>
diff -up Linux-PAM-1.2.0/modules/pam_faillock/README.xml.faillock Linux-PAM-1.2.0/modules/pam_faillock/README.xml diff -up Linux-PAM-1.2.1/modules/pam_faillock/README.xml.faillock Linux-PAM-1.2.1/modules/pam_faillock/README.xml
--- Linux-PAM-1.2.0/modules/pam_faillock/README.xml.faillock 2015-05-15 15:52:13.800506532 +0200 --- Linux-PAM-1.2.1/modules/pam_faillock/README.xml.faillock 2015-06-25 10:42:21.483374875 +0200
+++ Linux-PAM-1.2.0/modules/pam_faillock/README.xml 2015-05-15 15:52:13.800506532 +0200 +++ Linux-PAM-1.2.1/modules/pam_faillock/README.xml 2015-06-25 10:42:21.483374875 +0200
@@ -0,0 +1,46 @@ @@ -0,0 +1,46 @@
+<?xml version="1.0" encoding='UTF-8'?> +<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
@ -1722,9 +1739,9 @@ diff -up Linux-PAM-1.2.0/modules/pam_faillock/README.xml.faillock Linux-PAM-1.2.
+ </section> + </section>
+ +
+</article> +</article>
diff -up Linux-PAM-1.2.0/modules/pam_faillock/tst-pam_faillock.faillock Linux-PAM-1.2.0/modules/pam_faillock/tst-pam_faillock diff -up Linux-PAM-1.2.1/modules/pam_faillock/tst-pam_faillock.faillock Linux-PAM-1.2.1/modules/pam_faillock/tst-pam_faillock
--- Linux-PAM-1.2.0/modules/pam_faillock/tst-pam_faillock.faillock 2015-05-15 15:52:13.800506532 +0200 --- Linux-PAM-1.2.1/modules/pam_faillock/tst-pam_faillock.faillock 2015-06-25 10:42:21.483374875 +0200
+++ Linux-PAM-1.2.0/modules/pam_faillock/tst-pam_faillock 2015-05-15 15:52:13.800506532 +0200 +++ Linux-PAM-1.2.1/modules/pam_faillock/tst-pam_faillock 2015-06-25 10:42:21.483374875 +0200
@@ -0,0 +1,2 @@ @@ -0,0 +1,2 @@
+#!/bin/sh +#!/bin/sh
+../../tests/tst-dlopen .libs/pam_faillock.so +../../tests/tst-dlopen .libs/pam_faillock.so
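Review bot: In the `unlock_time=` and `root_unlock_time=` branches of the pam_faillock.c argument parser, any value that is not exactly `never` falls through to `sscanf(..., "%u", &temp)`, so a misspelled keyword is only logged as "Bad number supplied" and, as far as the hunk shows, the option keeps its earlier value; an administrator who meant a permanent lock would then get the timed default without the login stack failing. The same branch accepts trailing characters after the digits because `%u` stops at the first non-digit; parsing with `strtoul` and requiring `*end == '\0'` would reject those. The change also alters what `unlock_time=0` means: the removed condition `latest_time + opts->unlock_time < opts->now` unlocked almost immediately for 0, while the new `opts->unlock_time && ...` test never unlocks, so existing configurations that set 0 will now keep accounts locked until `faillock` resets them, which deserves an explicit line in the changelog. In the message hunk, `if (left > 0)` prints the permanent "Account locked" wording when a timed lock has exactly zero seconds left; testing the configured interval for zero instead of `left` would be more exact. The parser, the check and the message function all continue outside the visible hunks.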


@ -3,7 +3,7 @@
Summary: An extensible library which provides authentication for applications Summary: An extensible library which provides authentication for applications
Name: pam Name: pam
Version: 1.2.1 Version: 1.2.1
Release: 2%{?dist} Release: 3%{?dist}
# The library is BSD licensed with option to relicense as GPLv2+ # The library is BSD licensed with option to relicense as GPLv2+
# - this option is redundant as the BSD license allows that anyway. # - this option is redundant as the BSD license allows that anyway.
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+. # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@ -30,7 +30,7 @@ Source18: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
Patch1: pam-1.2.0-redhat-modules.patch Patch1: pam-1.2.0-redhat-modules.patch
Patch4: pam-1.1.0-console-nochmod.patch Patch4: pam-1.1.0-console-nochmod.patch
Patch5: pam-1.1.0-notally.patch Patch5: pam-1.1.0-notally.patch
Patch8: pam-1.2.0-faillock.patch Patch8: pam-1.2.1-faillock.patch
Patch9: pam-1.1.6-noflex.patch Patch9: pam-1.1.6-noflex.patch
Patch10: pam-1.1.3-nouserenv.patch Patch10: pam-1.1.3-nouserenv.patch
Patch13: pam-1.1.6-limits-user.patch Patch13: pam-1.1.6-limits-user.patch
@ -369,6 +369,9 @@ fi
%doc doc/adg/*.txt doc/adg/html %doc doc/adg/*.txt doc/adg/html
%changelog %changelog
* Fri Oct 16 2015 Tomáš Mráz <tmraz@redhat.com> 1.2.1-3
- pam_faillock: add possibility to set unlock_time to never
* Wed Aug 12 2015 Tomáš Mráz <tmraz@redhat.com> 1.2.1-2 * Wed Aug 12 2015 Tomáš Mráz <tmraz@redhat.com> 1.2.1-2
- drop the nproc limit setting, it is causing more harm than it solves - drop the nproc limit setting, it is causing more harm than it solves