Blame SOURCES/pam-1.2.1-faillock-admin-group.patch

73cfcf
diff -up Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c.admin-group Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c
73cfcf
--- Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c.admin-group	2016-04-04 16:37:38.696260359 +0200
73cfcf
+++ Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c	2017-08-21 16:40:01.624706864 +0200
73cfcf
@@ -1,5 +1,5 @@
73cfcf
 /*
73cfcf
- * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
73cfcf
+ * Copyright (c) 2010, 2017 Tomas Mraz <tmraz@redhat.com>
73cfcf
  *
73cfcf
  * Redistribution and use in source and binary forms, with or without
73cfcf
  * modification, are permitted provided that the following conditions
73cfcf
@@ -78,9 +78,11 @@ struct options {
73cfcf
 	unsigned int root_unlock_time;
73cfcf
 	const char *dir;
73cfcf
 	const char *user;
73cfcf
+	const char *admin_group;
73cfcf
 	int failures;
73cfcf
 	uint64_t latest_time;
73cfcf
 	uid_t uid;
73cfcf
+	int is_admin;
73cfcf
 	uint64_t now;
73cfcf
 };
73cfcf
 
73cfcf
@@ -152,6 +154,9 @@ args_parse(pam_handle_t *pamh, int argc,
73cfcf
 				opts->root_unlock_time = temp;
73cfcf
 			}
73cfcf
 		}
73cfcf
+		else if (strncmp(argv[i], "admin_group=", 12) == 0) {
73cfcf
+			opts->admin_group = argv[i] + 12;
73cfcf
+		}
73cfcf
  		else if (strcmp(argv[i], "preauth") == 0) {
73cfcf
 			opts->action = FAILLOCK_ACTION_PREAUTH;
73cfcf
 		}
73cfcf
@@ -209,6 +214,17 @@ static int get_pam_user(pam_handle_t *pa
73cfcf
 	}
73cfcf
 	opts->user = user;
73cfcf
 	opts->uid = pwd->pw_uid;
73cfcf
+
73cfcf
+	if (pwd->pw_uid == 0) {
73cfcf
+		opts->is_admin = 1;
73cfcf
+		return PAM_SUCCESS;
73cfcf
+	}
73cfcf
+
73cfcf
+	if (opts->admin_group && *opts->admin_group) {
73cfcf
+		opts->is_admin = pam_modutil_user_in_group_uid_nam(pamh,
73cfcf
+			pwd->pw_uid, opts->admin_group);
73cfcf
+	}
73cfcf
+
73cfcf
 	return PAM_SUCCESS;
73cfcf
 }
73cfcf
 
73cfcf
@@ -239,7 +255,7 @@ check_tally(pam_handle_t *pamh, struct o
73cfcf
 		return PAM_SYSTEM_ERR;
73cfcf
 	}
73cfcf
 
73cfcf
-	if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
73cfcf
+	if (opts->is_admin && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
73cfcf
 		return PAM_SUCCESS;
73cfcf
 	}
73cfcf
 
73cfcf
@@ -262,13 +278,9 @@ check_tally(pam_handle_t *pamh, struct o
73cfcf
 
73cfcf
 	opts->failures = failures;
73cfcf
 
73cfcf
-	if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
73cfcf
-		return PAM_SUCCESS;
73cfcf
-	}
73cfcf
-
73cfcf
 	if (opts->deny && failures >= opts->deny) {
73cfcf
-		if ((opts->uid && opts->unlock_time && latest_time + opts->unlock_time < opts->now) ||
73cfcf
-			(!opts->uid && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) {
73cfcf
+		if ((!opts->is_admin && opts->unlock_time && latest_time + opts->unlock_time < opts->now) ||
73cfcf
+			(opts->is_admin && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) {
73cfcf
 #ifdef HAVE_LIBAUDIT
73cfcf
 			if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */
73cfcf
 				char buf[64];
73cfcf
@@ -401,7 +413,7 @@ write_tally(pam_handle_t *pamh, struct o
73cfcf
 		audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
73cfcf
 			NULL, NULL, NULL, 1);
73cfcf
 
73cfcf
-		if (opts->uid != 0 || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
73cfcf
+		if (!opts->is_admin || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
73cfcf
 			audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf,
73cfcf
 				NULL, NULL, NULL, 1);
73cfcf
 		}
73cfcf
@@ -425,11 +437,11 @@ faillock_message(pam_handle_t *pamh, str
73cfcf
 	int64_t left;
73cfcf
 
73cfcf
 	if (!(opts->flags & FAILLOCK_FLAG_SILENT)) {
73cfcf
-		if (opts->uid) {
73cfcf
-			left = opts->latest_time + opts->unlock_time - opts->now;
73cfcf
+		if (opts->is_admin) {
73cfcf
+			left = opts->latest_time + opts->root_unlock_time - opts->now;
73cfcf
 		}
73cfcf
 		else {
73cfcf
-			left = opts->latest_time + opts->root_unlock_time - opts->now;
73cfcf
+			left = opts->latest_time + opts->unlock_time - opts->now;
73cfcf
 		}
73cfcf
 
73cfcf
 		if (left > 0) {
73cfcf
diff -up Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml.admin-group Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml
73cfcf
--- Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml.admin-group	2016-05-06 15:24:10.328281818 +0200
73cfcf
+++ Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml	2017-08-21 16:16:09.448033843 +0200
73cfcf
@@ -40,6 +40,9 @@
73cfcf
         root_unlock_time=<replaceable>n</replaceable>
73cfcf
       </arg>
73cfcf
       <arg choice="opt">
73cfcf
+        admin_group=<replaceable>name</replaceable>
73cfcf
+      </arg>
73cfcf
+      <arg choice="opt">
73cfcf
         audit
73cfcf
       </arg>
73cfcf
       <arg choice="opt">
73cfcf
@@ -243,6 +246,20 @@
73cfcf
                 </para>
73cfcf
               </listitem>
73cfcf
             </varlistentry>
73cfcf
+            <varlistentry>
73cfcf
+              <term>
73cfcf
+                <option>admin_group=<replaceable>name</replaceable></option>
73cfcf
+              </term>
73cfcf
+              <listitem>
73cfcf
+                <para>
73cfcf
+                  If a group name is specified with this option, members
73cfcf
+                  of the group will be handled by this module the same as
73cfcf
+                  the root account (the options <option>even_deny_root></option>
73cfcf
+                  and <option>root_unlock_time</option> will apply to them.
73cfcf
+                  By default the option is not set.
73cfcf
+                </para>
73cfcf
+              </listitem>
73cfcf
+            </varlistentry>
73cfcf
         </variablelist>
73cfcf
   </refsect1>
73cfcf