Tree - rpms/pam - CentOS Git server

rpms / pam

Blame SOURCES/pam-1.2.1-faillock-admin-group.patch

Blob History Raw

		73cfcf	`diff -up Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c.admin-group Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c`
		73cfcf	`--- Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c.admin-group 2016-04-04 16:37:38.696260359 +0200`
		73cfcf	`+++ Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c 2017-08-21 16:40:01.624706864 +0200`
		73cfcf	`@@ -1,5 +1,5 @@`
		73cfcf	`/*`
		73cfcf	`- * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>`
		73cfcf	`+ * Copyright (c) 2010, 2017 Tomas Mraz <tmraz@redhat.com>`
		73cfcf	`*`
		73cfcf	`* Redistribution and use in source and binary forms, with or without`
		73cfcf	`* modification, are permitted provided that the following conditions`
		73cfcf	`@@ -78,9 +78,11 @@ struct options {`
		73cfcf	`unsigned int root_unlock_time;`
		73cfcf	`const char *dir;`
		73cfcf	`const char *user;`
		73cfcf	`+ const char *admin_group;`
		73cfcf	`int failures;`
		73cfcf	`uint64_t latest_time;`
		73cfcf	`uid_t uid;`
		73cfcf	`+ int is_admin;`
		73cfcf	`uint64_t now;`
		73cfcf	`};`
		73cfcf
		73cfcf	`@@ -152,6 +154,9 @@ args_parse(pam_handle_t *pamh, int argc,`
		73cfcf	`opts->root_unlock_time = temp;`
		73cfcf	`}`
		73cfcf	`}`
		73cfcf	`+ else if (strncmp(argv[i], "admin_group=", 12) == 0) {`
		73cfcf	`+ opts->admin_group = argv[i] + 12;`
		73cfcf	`+ }`
		73cfcf	`else if (strcmp(argv[i], "preauth") == 0) {`
		73cfcf	`opts->action = FAILLOCK_ACTION_PREAUTH;`
		73cfcf	`}`
		73cfcf	`@@ -209,6 +214,17 @@ static int get_pam_user(pam_handle_t *pa`
		73cfcf	`}`
		73cfcf	`opts->user = user;`
		73cfcf	`opts->uid = pwd->pw_uid;`
		73cfcf	`+`
		73cfcf	`+ if (pwd->pw_uid == 0) {`
		73cfcf	`+ opts->is_admin = 1;`
		73cfcf	`+ return PAM_SUCCESS;`
		73cfcf	`+ }`
		73cfcf	`+`
		73cfcf	`+ if (opts->admin_group && *opts->admin_group) {`
		73cfcf	`+ opts->is_admin = pam_modutil_user_in_group_uid_nam(pamh,`
		73cfcf	`+ pwd->pw_uid, opts->admin_group);`
		73cfcf	`+ }`
		73cfcf	`+`
		73cfcf	`return PAM_SUCCESS;`
		73cfcf	`}`
		73cfcf
		73cfcf	`@@ -239,7 +255,7 @@ check_tally(pam_handle_t *pamh, struct o`
		73cfcf	`return PAM_SYSTEM_ERR;`
		73cfcf	`}`
		73cfcf
		73cfcf	`- if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {`
		73cfcf	`+ if (opts->is_admin && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {`
		73cfcf	`return PAM_SUCCESS;`
		73cfcf	`}`
		73cfcf
		73cfcf	`@@ -262,13 +278,9 @@ check_tally(pam_handle_t *pamh, struct o`
		73cfcf
		73cfcf	`opts->failures = failures;`
		73cfcf
		73cfcf	`- if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {`
		73cfcf	`- return PAM_SUCCESS;`
		73cfcf	`- }`
		73cfcf	`-`
		73cfcf	`if (opts->deny && failures >= opts->deny) {`
		73cfcf	`- if ((opts->uid && opts->unlock_time && latest_time + opts->unlock_time < opts->now) \|\|`
		73cfcf	`- (!opts->uid && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) {`
		73cfcf	`+ if ((!opts->is_admin && opts->unlock_time && latest_time + opts->unlock_time < opts->now) \|\|`
		73cfcf	`+ (opts->is_admin && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) {`
		73cfcf	`#ifdef HAVE_LIBAUDIT`
		73cfcf	`if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */`
		73cfcf	`char buf[64];`
		73cfcf	`@@ -401,7 +413,7 @@ write_tally(pam_handle_t *pamh, struct o`
		73cfcf	`audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,`
		73cfcf	`NULL, NULL, NULL, 1);`
		73cfcf
		73cfcf	`- if (opts->uid != 0 \|\| (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {`
		73cfcf	`+ if (!opts->is_admin \|\| (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {`
		73cfcf	`audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf,`
		73cfcf	`NULL, NULL, NULL, 1);`
		73cfcf	`}`
		73cfcf	`@@ -425,11 +437,11 @@ faillock_message(pam_handle_t *pamh, str`
		73cfcf	`int64_t left;`
		73cfcf
		73cfcf	`if (!(opts->flags & FAILLOCK_FLAG_SILENT)) {`
		73cfcf	`- if (opts->uid) {`
		73cfcf	`- left = opts->latest_time + opts->unlock_time - opts->now;`
		73cfcf	`+ if (opts->is_admin) {`
		73cfcf	`+ left = opts->latest_time + opts->root_unlock_time - opts->now;`
		73cfcf	`}`
		73cfcf	`else {`
		73cfcf	`- left = opts->latest_time + opts->root_unlock_time - opts->now;`
		73cfcf	`+ left = opts->latest_time + opts->unlock_time - opts->now;`
		73cfcf	`}`
		73cfcf
		73cfcf	`if (left > 0) {`
		73cfcf	`diff -up Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml.admin-group Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml`
		73cfcf	`--- Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml.admin-group 2016-05-06 15:24:10.328281818 +0200`
		73cfcf	`+++ Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml 2017-08-21 16:16:09.448033843 +0200`
		73cfcf	`@@ -40,6 +40,9 @@`
		73cfcf	`root_unlock_time=<replaceable>n</replaceable>`
		73cfcf	`</arg>`
		73cfcf	`<arg choice="opt">`
		73cfcf	`+ admin_group=<replaceable>name</replaceable>`
		73cfcf	`+ </arg>`
		73cfcf	`+ <arg choice="opt">`
		73cfcf	`audit`
		73cfcf	`</arg>`
		73cfcf	`<arg choice="opt">`
		73cfcf	`@@ -243,6 +246,20 @@`
		73cfcf	`</para>`
		73cfcf	`</listitem>`
		73cfcf	`</varlistentry>`
		73cfcf	`+ <varlistentry>`
		73cfcf	`+ <term>`
		73cfcf	`+ <option>admin_group=<replaceable>name</replaceable></option>`
		73cfcf	`+ </term>`
		73cfcf	`+ <listitem>`
		73cfcf	`+ <para>`
		73cfcf	`+ If a group name is specified with this option, members`
		73cfcf	`+ of the group will be handled by this module the same as`
		73cfcf	`+ the root account (the options <option>even_deny_root></option>`
		73cfcf	`+ and <option>root_unlock_time</option> will apply to them.`
		73cfcf	`+ By default the option is not set.`
		73cfcf	`+ </para>`
		73cfcf	`+ </listitem>`
		73cfcf	`+ </varlistentry>`
		73cfcf	`</variablelist>`
		73cfcf	`</refsect1>`
		73cfcf

rpms / pam

Source Code

Blame SOURCES/pam-1.2.1-faillock-admin-group.patch