|
|
c2a452 |
diff -up Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c.admin-group Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c
|
|
|
c2a452 |
--- Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c.admin-group 2016-04-22 15:25:57.673445386 +0200
|
|
|
c2a452 |
+++ Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c 2017-09-08 14:39:47.411306464 +0200
|
|
|
c2a452 |
@@ -1,5 +1,5 @@
|
|
|
c2a452 |
/*
|
|
|
c2a452 |
- * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
|
|
|
c2a452 |
+ * Copyright (c) 2010, 2017 Tomas Mraz <tmraz@redhat.com>
|
|
|
c2a452 |
*
|
|
|
c2a452 |
* Redistribution and use in source and binary forms, with or without
|
|
|
c2a452 |
* modification, are permitted provided that the following conditions
|
|
|
c2a452 |
@@ -78,9 +78,11 @@ struct options {
|
|
|
c2a452 |
unsigned int root_unlock_time;
|
|
|
c2a452 |
const char *dir;
|
|
|
c2a452 |
const char *user;
|
|
|
c2a452 |
+ const char *admin_group;
|
|
|
c2a452 |
int failures;
|
|
|
c2a452 |
uint64_t latest_time;
|
|
|
c2a452 |
uid_t uid;
|
|
|
c2a452 |
+ int is_admin;
|
|
|
c2a452 |
uint64_t now;
|
|
|
c2a452 |
};
|
|
|
c2a452 |
|
|
|
c2a452 |
@@ -152,6 +154,9 @@ args_parse(pam_handle_t *pamh, int argc,
|
|
|
c2a452 |
opts->root_unlock_time = temp;
|
|
|
c2a452 |
}
|
|
|
c2a452 |
}
|
|
|
c2a452 |
+ else if (strncmp(argv[i], "admin_group=", 12) == 0) {
|
|
|
c2a452 |
+ opts->admin_group = argv[i] + 12;
|
|
|
c2a452 |
+ }
|
|
|
c2a452 |
else if (strcmp(argv[i], "preauth") == 0) {
|
|
|
c2a452 |
opts->action = FAILLOCK_ACTION_PREAUTH;
|
|
|
c2a452 |
}
|
|
|
c2a452 |
@@ -209,6 +214,17 @@ static int get_pam_user(pam_handle_t *pa
|
|
|
c2a452 |
}
|
|
|
c2a452 |
opts->user = user;
|
|
|
c2a452 |
opts->uid = pwd->pw_uid;
|
|
|
c2a452 |
+
|
|
|
c2a452 |
+ if (pwd->pw_uid == 0) {
|
|
|
c2a452 |
+ opts->is_admin = 1;
|
|
|
c2a452 |
+ return PAM_SUCCESS;
|
|
|
c2a452 |
+ }
|
|
|
c2a452 |
+
|
|
|
c2a452 |
+ if (opts->admin_group && *opts->admin_group) {
|
|
|
c2a452 |
+ opts->is_admin = pam_modutil_user_in_group_uid_nam(pamh,
|
|
|
c2a452 |
+ pwd->pw_uid, opts->admin_group);
|
|
|
c2a452 |
+ }
|
|
|
c2a452 |
+
|
|
|
c2a452 |
return PAM_SUCCESS;
|
|
|
c2a452 |
}
|
|
|
c2a452 |
|
|
|
c2a452 |
@@ -239,7 +255,7 @@ check_tally(pam_handle_t *pamh, struct o
|
|
|
c2a452 |
return PAM_SYSTEM_ERR;
|
|
|
c2a452 |
}
|
|
|
c2a452 |
|
|
|
c2a452 |
- if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
|
|
|
c2a452 |
+ if (opts->is_admin && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
|
|
|
c2a452 |
return PAM_SUCCESS;
|
|
|
c2a452 |
}
|
|
|
c2a452 |
|
|
|
c2a452 |
@@ -262,17 +278,14 @@ check_tally(pam_handle_t *pamh, struct o
|
|
|
c2a452 |
|
|
|
c2a452 |
opts->failures = failures;
|
|
|
c2a452 |
|
|
|
c2a452 |
- if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
|
|
|
c2a452 |
- return PAM_SUCCESS;
|
|
|
c2a452 |
- }
|
|
|
c2a452 |
-
|
|
|
c2a452 |
if (opts->deny && failures >= opts->deny) {
|
|
|
c2a452 |
- if ((opts->uid && opts->unlock_time && latest_time + opts->unlock_time < opts->now) ||
|
|
|
c2a452 |
- (!opts->uid && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) {
|
|
|
c2a452 |
+ if ((!opts->is_admin && opts->unlock_time && latest_time + opts->unlock_time < opts->now) ||
|
|
|
c2a452 |
+ (opts->is_admin && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) {
|
|
|
c2a452 |
#ifdef HAVE_LIBAUDIT
|
|
|
c2a452 |
if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */
|
|
|
c2a452 |
char buf[64];
|
|
|
c2a452 |
int audit_fd;
|
|
|
c2a452 |
+ const void *rhost = NULL, *tty = NULL;
|
|
|
c2a452 |
|
|
|
c2a452 |
audit_fd = audit_open();
|
|
|
c2a452 |
/* If there is an error & audit support is in the kernel report error */
|
|
|
c2a452 |
@@ -280,9 +293,11 @@ check_tally(pam_handle_t *pamh, struct o
|
|
|
c2a452 |
errno == EAFNOSUPPORT))
|
|
|
c2a452 |
return PAM_SYSTEM_ERR;
|
|
|
c2a452 |
|
|
|
c2a452 |
+ (void)pam_get_item(pamh, PAM_TTY, &tty);
|
|
|
c2a452 |
+ (void)pam_get_item(pamh, PAM_RHOST, &rhost);
|
|
|
c2a452 |
snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
|
|
|
c2a452 |
audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
|
|
|
c2a452 |
- NULL, NULL, NULL, 1);
|
|
|
c2a452 |
+ rhost, NULL, tty, 1);
|
|
|
c2a452 |
}
|
|
|
c2a452 |
#endif
|
|
|
c2a452 |
opts->flags |= FAILLOCK_FLAG_UNLOCKED;
|
|
|
c2a452 |
@@ -398,7 +413,7 @@ write_tally(pam_handle_t *pamh, struct o
|
|
|
c2a452 |
audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
|
|
|
c2a452 |
NULL, NULL, NULL, 1);
|
|
|
c2a452 |
|
|
|
c2a452 |
- if (opts->uid != 0 || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
|
|
|
c2a452 |
+ if (!opts->is_admin || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
|
|
|
c2a452 |
audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf,
|
|
|
c2a452 |
NULL, NULL, NULL, 1);
|
|
|
c2a452 |
}
|
|
|
c2a452 |
@@ -422,11 +437,11 @@ faillock_message(pam_handle_t *pamh, str
|
|
|
c2a452 |
int64_t left;
|
|
|
c2a452 |
|
|
|
c2a452 |
if (!(opts->flags & FAILLOCK_FLAG_SILENT)) {
|
|
|
c2a452 |
- if (opts->uid) {
|
|
|
c2a452 |
- left = opts->latest_time + opts->unlock_time - opts->now;
|
|
|
c2a452 |
+ if (opts->is_admin) {
|
|
|
c2a452 |
+ left = opts->latest_time + opts->root_unlock_time - opts->now;
|
|
|
c2a452 |
}
|
|
|
c2a452 |
else {
|
|
|
c2a452 |
- left = opts->latest_time + opts->root_unlock_time - opts->now;
|
|
|
c2a452 |
+ left = opts->latest_time + opts->unlock_time - opts->now;
|
|
|
c2a452 |
}
|
|
|
c2a452 |
|
|
|
c2a452 |
if (left > 0) {
|
|
|
c2a452 |
diff -up Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml.admin-group Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml
|
|
|
c2a452 |
--- Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml.admin-group 2016-04-28 16:43:14.109794294 +0200
|
|
|
c2a452 |
+++ Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml 2017-09-08 14:37:33.535130222 +0200
|
|
|
c2a452 |
@@ -40,6 +40,9 @@
|
|
|
c2a452 |
root_unlock_time=<replaceable>n</replaceable>
|
|
|
c2a452 |
</arg>
|
|
|
c2a452 |
<arg choice="opt">
|
|
|
c2a452 |
+ admin_group=<replaceable>name</replaceable>
|
|
|
c2a452 |
+ </arg>
|
|
|
c2a452 |
+ <arg choice="opt">
|
|
|
c2a452 |
audit
|
|
|
c2a452 |
</arg>
|
|
|
c2a452 |
<arg choice="opt">
|
|
|
c2a452 |
@@ -242,6 +245,20 @@
|
|
|
c2a452 |
</para>
|
|
|
c2a452 |
</listitem>
|
|
|
c2a452 |
</varlistentry>
|
|
|
c2a452 |
+ <varlistentry>
|
|
|
c2a452 |
+ <term>
|
|
|
c2a452 |
+ <option>admin_group=<replaceable>name</replaceable></option>
|
|
|
c2a452 |
+ </term>
|
|
|
c2a452 |
+ <listitem>
|
|
|
c2a452 |
+ <para>
|
|
|
c2a452 |
+ If a group name is specified with this option, members
|
|
|
c2a452 |
+ of the group will be handled by this module the same as
|
|
|
c2a452 |
+ the root account (the options <option>even_deny_root></option>
|
|
|
c2a452 |
+ and <option>root_unlock_time</option> will apply to them.
|
|
|
c2a452 |
+ By default the option is not set.
|
|
|
c2a452 |
+ </para>
|
|
|
c2a452 |
+ </listitem>
|
|
|
c2a452 |
+ </varlistentry>
|
|
|
c2a452 |
</variablelist>
|
|
|
c2a452 |
</refsect1>
|
|
|
c2a452 |
|