From f955ee172df4d631ecbf522c3b763d8ebc7848f3 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa
Date: Mon, 8 Jan 2024 11:22:04 +0100
Subject: [PATCH] pam_faillock: create tallydir before creating tallyfile
Resolves: RHEL-20943
Signed-off-by: Iker Pedrosa
---
 pam-1.5.1-faillock-create-tallydir.patch | 36 ++++++++++++++++++++++++
 pam.spec | 10 +++++--
 2 files changed, 44 insertions(+), 2 deletions(-)
 create mode 100644 pam-1.5.1-faillock-create-tallydir.patch
diff --git a/pam-1.5.1-faillock-create-tallydir.patch b/pam-1.5.1-faillock-create-tallydir.patch
new file mode 100644
index 0000000..72f879a
--- /dev/null
+++ b/pam-1.5.1-faillock-create-tallydir.patch
@@ -0,0 +1,36 @@
+From d54870f993e97fe75e2cd0470a3701d5af22877c Mon Sep 17 00:00:00 2001
+From: Changqing Li
+Date: Tue, 12 Jan 2021 14:45:34 +0800
+Subject: [PATCH] faillock: create tallydir before creating tallyfile
+
+The default tallydir is "/var/run/faillock", and this default
+tallydir may not exist.
+
+Function open may fail as tallydir does not exist when creating
+the tallyfile. Therefore, faillock will not work well.
+
+Fix this problem by creating tallydir before creating tallyfile
+when the tallydir does not exist.
+
+Signed-off-by: Changqing Li
+---
+ modules/pam_faillock/faillock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/modules/pam_faillock/faillock.c b/modules/pam_faillock/faillock.c
+index 4ea94cbe..091f253a 100644
+--- a/modules/pam_faillock/faillock.c
++++ b/modules/pam_faillock/faillock.c
+@@ -74,6 +74,9 @@ open_tally (const char *dir, const char *user, uid_t uid, int create)
+
+ if (create) {
+ flags |= O_CREAT;
++ if (access(dir, F_OK) != 0) {
++ mkdir(dir, 0755);
++ }
+ }
+
+ fd = open(path, flags, 0660);
+--
+2.43.0
+
diff --git a/pam.spec b/pam.spec
index c945af6..16b7c00 100644
--- a/pam.spec
+++ b/pam.spec
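Review bot: The `mkdir(dir, 0755)` added inside `if (create)` in open_tally() discards its return value, so a failure to create the tally directory only shows up as the later `open(path, flags, 0660)` failing, with nothing pointing at the directory as the cause. The `access(dir, F_OK)` pre-check is a check-then-act pair that a direct call makes unnecessary: `if (mkdir(dir, 0755) != 0 && errno != EEXIST) { /* report and fail */ }` covers both an existing directory and concurrent creation (assuming `<errno.h>` is already available in faillock.c, which the hunk does not show). The requested 0755 is still filtered by the calling process's umask and only the last path component is created, so a tallydir whose parent is missing still fails; because this directory holds authentication lockout state, a comment stating the expected owner and mode would help. open_tally()'s body starts and ends outside the hunk.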
@@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.5.1
-Release: 16%{?dist}
+Release: 17%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -56,6 +56,8 @@ Patch15: pam-1.5.1-libpam-close-range.patch
 # https://github.com/linux-pam/linux-pam/commit/c85513220c1bd3150e39c6277422d29cfa44acc7
 # https://github.com/linux-pam/linux-pam/commit/1648734a69c31e9ce834da70144ac9a453296807
 Patch16: pam-1.5.1-audit-messages-formatting.patch
+# https://github.com/linux-pam/linux-pam/commit/d54870f993e97fe75e2cd0470a3701d5af22877c
+Patch17: pam-1.5.1-faillock-create-tallydir.patch
 %global _pamlibdir %{_libdir}
 %global _moduledir %{_libdir}/security
@@ -154,6 +156,7 @@ cp %{SOURCE18} .
 %patch14 -p1 -b .pam-misc-configurable
 %patch15 -p1 -b .libpam-close-range
 %patch16 -p1 -b .audit-messages-formatting
+%patch17 -p1 -b .faillock-create-tallydir
 autoreconf -i
@@ -409,7 +412,10 @@ done
 %doc doc/sag/*.txt doc/sag/html
 %changelog
-* Fri Oct 10 2023 Iker Pedrosa - 1.5.1-16
+* Mon Jan 8 2024 Iker Pedrosa - 1.5.1-17
+- pam_faillock: create tallydir before creating tallyfile. Resolves: RHEL-20943
+
+* Fri Nov 10 2023 Iker Pedrosa - 1.5.1-16
 - libpam: use close_range() to close file descriptors. Resolves: RHEL-5099
 - fix formatting of audit messages. Resolves: RHEL-5100