Blame SOURCES/pam-1.3.1-faillock-load-conf-from-file.patch

c55e18
diff -up Linux-PAM-1.3.1/modules/pam_faillock/faillock.8.xml.faillock-load-conf-from-file Linux-PAM-1.3.1/modules/pam_faillock/faillock.8.xml
c55e18
--- Linux-PAM-1.3.1/modules/pam_faillock/faillock.8.xml.faillock-load-conf-from-file	2022-05-26 10:57:11.713067506 +0200
c55e18
+++ Linux-PAM-1.3.1/modules/pam_faillock/faillock.8.xml	2022-05-26 10:57:11.747067749 +0200
c55e18
@@ -57,12 +57,29 @@
c55e18
          <variablelist>
c55e18
             <varlistentry>
c55e18
               <term>
c55e18
+                <option>--conf <replaceable>/path/to/config-file</replaceable></option>
c55e18
+              </term>
c55e18
+              <listitem>
c55e18
+                <para>
c55e18
+                  The file where the configuration is located. The default is
c55e18
+                  <filename>/etc/security/faillock.conf</filename>.
c55e18
+                </para>
c55e18
+              </listitem>
c55e18
+            </varlistentry>
c55e18
+            <varlistentry>
c55e18
+              <term>
c55e18
                 <option>--dir <replaceable>/path/to/tally-directory</replaceable></option>
c55e18
               </term>
c55e18
               <listitem>
c55e18
                 <para>
c55e18
-                  The directory where the user files with the failure records are kept. The
c55e18
-                  default is <filename>/var/run/faillock</filename>.
c55e18
+                  The directory where the user files with the failure records are kept.
c55e18
+                </para>
c55e18
+                <para>
c55e18
+                  The priority to set this option is to use the value provided
c55e18
+                  from the command line. If this isn't provided, then the value
c55e18
+                  from the configuration file is used. Finally, if neither of
c55e18
+                  them has been provided, then
c55e18
+                  <filename>/var/run/faillock</filename> is used.
c55e18
                 </para>
c55e18
               </listitem>
c55e18
             </varlistentry>
c55e18
diff -up Linux-PAM-1.3.1/modules/pam_faillock/faillock_config.c.faillock-load-conf-from-file Linux-PAM-1.3.1/modules/pam_faillock/faillock_config.c
c55e18
--- Linux-PAM-1.3.1/modules/pam_faillock/faillock_config.c.faillock-load-conf-from-file	2022-05-26 10:57:11.747067749 +0200
c55e18
+++ Linux-PAM-1.3.1/modules/pam_faillock/faillock_config.c	2022-05-26 10:57:11.747067749 +0200
c55e18
@@ -0,0 +1,266 @@
c55e18
+/*
c55e18
+ * Copyright (c) 2022 Tomas Mraz <tm@t8m.info>
c55e18
+ * Copyright (c) 2022 Iker Pedrosa <ipedrosa@redhat.com>
c55e18
+ *
c55e18
+ * Redistribution and use in source and binary forms, with or without
c55e18
+ * modification, are permitted provided that the following conditions
c55e18
+ * are met:
c55e18
+ * 1. Redistributions of source code must retain the above copyright
c55e18
+ *    notice, and the entire permission notice in its entirety,
c55e18
+ *    including the disclaimer of warranties.
c55e18
+ * 2. Redistributions in binary form must reproduce the above copyright
c55e18
+ *    notice, this list of conditions and the following disclaimer in the
c55e18
+ *    documentation and/or other materials provided with the distribution.
c55e18
+ * 3. The name of the author may not be used to endorse or promote
c55e18
+ *    products derived from this software without specific prior
c55e18
+ *    written permission.
c55e18
+ *
c55e18
+ * ALTERNATIVELY, this product may be distributed under the terms of
c55e18
+ * the GNU Public License, in which case the provisions of the GPL are
c55e18
+ * required INSTEAD OF the above restrictions.  (This clause is
c55e18
+ * necessary due to a potential bad interaction between the GPL and
c55e18
+ * the restrictions contained in a BSD-style copyright.)
c55e18
+ *
c55e18
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
c55e18
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
c55e18
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
c55e18
+ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
c55e18
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
c55e18
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
c55e18
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
c55e18
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
c55e18
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
c55e18
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
c55e18
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
c55e18
+ */
c55e18
+
c55e18
+#include "config.h"
c55e18
+
c55e18
+#include <ctype.h>
c55e18
+#include <errno.h>
c55e18
+#include <stdio.h>
c55e18
+#include <stdlib.h>
c55e18
+#include <string.h>
c55e18
+#include <syslog.h>
c55e18
+
c55e18
+#include <security/pam_modules.h>
c55e18
+
c55e18
+#include "faillock_config.h"
c55e18
+#include "faillock.h"
c55e18
+
c55e18
+#define FAILLOCK_DEFAULT_CONF "/etc/security/faillock.conf"
c55e18
+#ifdef VENDOR_SCONFIGDIR
c55e18
+#define VENDOR_FAILLOCK_DEFAULT_CONF VENDOR_SCONFIGDIR "/faillock.conf"
c55e18
+#endif
c55e18
+
c55e18
+static void PAM_FORMAT((printf, 3, 4)) PAM_NONNULL((3))
c55e18
+config_log(const pam_handle_t *pamh, int priority, const char *fmt, ...)
c55e18
+{
c55e18
+	va_list args;
c55e18
+
c55e18
+	va_start(args, fmt);
c55e18
+	if (pamh) {
c55e18
+		pam_vsyslog(pamh, priority, fmt, args);
c55e18
+	} else {
c55e18
+		char *buf = NULL;
c55e18
+
c55e18
+		if (vasprintf(&buf, fmt, args) < 0) {
c55e18
+			fprintf(stderr, "vasprintf: %m");
c55e18
+			va_end(args);
c55e18
+			return;
c55e18
+		}
c55e18
+		fprintf(stderr, "%s\n", buf);
c55e18
+		free(buf);
c55e18
+	}
c55e18
+	va_end(args);
c55e18
+}
c55e18
+
c55e18
+/* parse a single configuration file */
c55e18
+int
c55e18
+read_config_file(pam_handle_t *pamh, struct options *opts, const char *cfgfile)
c55e18
+{
c55e18
+	char linebuf[FAILLOCK_CONF_MAX_LINELEN+1];
c55e18
+	const char *fname = (cfgfile != NULL) ? cfgfile : FAILLOCK_DEFAULT_CONF;
c55e18
+	FILE *f = fopen(fname, "r");
c55e18
+
c55e18
+#ifdef VENDOR_FAILLOCK_DEFAULT_CONF
c55e18
+	if (f == NULL && errno == ENOENT && cfgfile == NULL) {
c55e18
+		/*
c55e18
+		 * If the default configuration file in /etc does not exist,
c55e18
+		 * try the vendor configuration file as fallback.
c55e18
+		 */
c55e18
+		f = fopen(VENDOR_FAILLOCK_DEFAULT_CONF, "r");
c55e18
+	}
c55e18
+#endif /* VENDOR_FAILLOCK_DEFAULT_CONF */
c55e18
+
c55e18
+	if (f == NULL) {
c55e18
+		/* ignore non-existent default config file */
c55e18
+		if (errno == ENOENT && cfgfile == NULL)
c55e18
+			return PAM_SUCCESS;
c55e18
+		return PAM_SERVICE_ERR;
c55e18
+	}
c55e18
+
c55e18
+	while (fgets(linebuf, sizeof(linebuf), f) != NULL) {
c55e18
+		size_t len;
c55e18
+		char *ptr;
c55e18
+		char *name;
c55e18
+		int eq;
c55e18
+
c55e18
+		len = strlen(linebuf);
c55e18
+		/* len cannot be 0 unless there is a bug in fgets */
c55e18
+		if (len && linebuf[len - 1] != '\n' && !feof(f)) {
c55e18
+			(void) fclose(f);
c55e18
+			return PAM_SERVICE_ERR;
c55e18
+		}
c55e18
+
c55e18
+		if ((ptr=strchr(linebuf, '#')) != NULL) {
c55e18
+			*ptr = '\0';
c55e18
+		} else {
c55e18
+			ptr = linebuf + len;
c55e18
+		}
c55e18
+
c55e18
+		/* drop terminating whitespace including the \n */
c55e18
+		while (ptr > linebuf) {
c55e18
+			if (!isspace(*(ptr-1))) {
c55e18
+				*ptr = '\0';
c55e18
+				break;
c55e18
+			}
c55e18
+			--ptr;
c55e18
+		}
c55e18
+
c55e18
+		/* skip initial whitespace */
c55e18
+		for (ptr = linebuf; isspace(*ptr); ptr++);
c55e18
+		if (*ptr == '\0')
c55e18
+			continue;
c55e18
+
c55e18
+		/* grab the key name */
c55e18
+		eq = 0;
c55e18
+		name = ptr;
c55e18
+		while (*ptr != '\0') {
c55e18
+			if (isspace(*ptr) || *ptr == '=') {
c55e18
+				eq = *ptr == '=';
c55e18
+				*ptr = '\0';
c55e18
+				++ptr;
c55e18
+				break;
c55e18
+			}
c55e18
+			++ptr;
c55e18
+		}
c55e18
+
c55e18
+		/* grab the key value */
c55e18
+		while (*ptr != '\0') {
c55e18
+			if (*ptr != '=' || eq) {
c55e18
+				if (!isspace(*ptr)) {
c55e18
+					break;
c55e18
+				}
c55e18
+			} else {
c55e18
+				eq = 1;
c55e18
+			}
c55e18
+			++ptr;
c55e18
+		}
c55e18
+
c55e18
+		/* set the key:value pair on opts */
c55e18
+		set_conf_opt(pamh, opts, name, ptr);
c55e18
+	}
c55e18
+
c55e18
+	(void)fclose(f);
c55e18
+	return PAM_SUCCESS;
c55e18
+}
c55e18
+
c55e18
+void
c55e18
+set_conf_opt(pam_handle_t *pamh, struct options *opts, const char *name,
c55e18
+			 const char *value)
c55e18
+{
c55e18
+	if (strcmp(name, "dir") == 0) {
c55e18
+		if (value[0] != '/') {
c55e18
+			config_log(pamh, LOG_ERR,
c55e18
+					"Tally directory is not absolute path (%s); keeping value",
c55e18
+					value);
c55e18
+		} else {
c55e18
+			free(opts->dir);
c55e18
+			opts->dir = strdup(value);
c55e18
+			if (opts->dir == NULL) {
c55e18
+				opts->fatal_error = 1;
c55e18
+				config_log(pamh, LOG_CRIT, "Error allocating memory: %m");
c55e18
+			}
c55e18
+		}
c55e18
+	}
c55e18
+	else if (strcmp(name, "deny") == 0) {
c55e18
+		if (sscanf(value, "%hu", &opts->deny) != 1) {
c55e18
+			config_log(pamh, LOG_ERR,
c55e18
+				"Bad number supplied for deny argument");
c55e18
+		}
c55e18
+	}
c55e18
+	else if (strcmp(name, "fail_interval") == 0) {
c55e18
+		unsigned int temp;
c55e18
+		if (sscanf(value, "%u", &temp) != 1 ||
c55e18
+			temp > MAX_TIME_INTERVAL) {
c55e18
+			config_log(pamh, LOG_ERR,
c55e18
+				"Bad number supplied for fail_interval argument");
c55e18
+		} else {
c55e18
+			opts->fail_interval = temp;
c55e18
+		}
c55e18
+	}
c55e18
+	else if (strcmp(name, "unlock_time") == 0) {
c55e18
+		unsigned int temp;
c55e18
+
c55e18
+		if (strcmp(value, "never") == 0) {
c55e18
+			opts->unlock_time = 0;
c55e18
+		}
c55e18
+		else if (sscanf(value, "%u", &temp) != 1 ||
c55e18
+			temp > MAX_TIME_INTERVAL) {
c55e18
+			config_log(pamh, LOG_ERR,
c55e18
+				"Bad number supplied for unlock_time argument");
c55e18
+		}
c55e18
+		else {
c55e18
+			opts->unlock_time = temp;
c55e18
+		}
c55e18
+	}
c55e18
+	else if (strcmp(name, "root_unlock_time") == 0) {
c55e18
+		unsigned int temp;
c55e18
+
c55e18
+		if (strcmp(value, "never") == 0) {
c55e18
+			opts->root_unlock_time = 0;
c55e18
+		}
c55e18
+		else if (sscanf(value, "%u", &temp) != 1 ||
c55e18
+			temp > MAX_TIME_INTERVAL) {
c55e18
+			config_log(pamh, LOG_ERR,
c55e18
+				"Bad number supplied for root_unlock_time argument");
c55e18
+		} else {
c55e18
+			opts->root_unlock_time = temp;
c55e18
+		}
c55e18
+	}
c55e18
+	else if (strcmp(name, "admin_group") == 0) {
c55e18
+		free(opts->admin_group);
c55e18
+		opts->admin_group = strdup(value);
c55e18
+		if (opts->admin_group == NULL) {
c55e18
+			opts->fatal_error = 1;
c55e18
+			config_log(pamh, LOG_CRIT, "Error allocating memory: %m");
c55e18
+		}
c55e18
+	}
c55e18
+	else if (strcmp(name, "even_deny_root") == 0) {
c55e18
+		opts->flags |= FAILLOCK_FLAG_DENY_ROOT;
c55e18
+	}
c55e18
+	else if (strcmp(name, "audit") == 0) {
c55e18
+		opts->flags |= FAILLOCK_FLAG_AUDIT;
c55e18
+	}
c55e18
+	else if (strcmp(name, "silent") == 0) {
c55e18
+		opts->flags |= FAILLOCK_FLAG_SILENT;
c55e18
+	}
c55e18
+	else if (strcmp(name, "no_log_info") == 0) {
c55e18
+		opts->flags |= FAILLOCK_FLAG_NO_LOG_INFO;
c55e18
+	}
c55e18
+	else if (strcmp(name, "local_users_only") == 0) {
c55e18
+		opts->flags |= FAILLOCK_FLAG_LOCAL_ONLY;
c55e18
+	}
c55e18
+	else if (strcmp(name, "nodelay") == 0) {
c55e18
+		opts->flags |= FAILLOCK_FLAG_NO_DELAY;
c55e18
+	}
c55e18
+	else {
c55e18
+		config_log(pamh, LOG_ERR, "Unknown option: %s", name);
c55e18
+	}
c55e18
+}
c55e18
+
c55e18
+const char *get_tally_dir(const struct options *opts)
c55e18
+{
c55e18
+	return (opts->dir != NULL) ? opts->dir : FAILLOCK_DEFAULT_TALLYDIR;
c55e18
+}
c55e18
diff -up Linux-PAM-1.3.1/modules/pam_faillock/faillock_config.h.faillock-load-conf-from-file Linux-PAM-1.3.1/modules/pam_faillock/faillock_config.h
c55e18
--- Linux-PAM-1.3.1/modules/pam_faillock/faillock_config.h.faillock-load-conf-from-file	2022-05-26 10:57:11.747067749 +0200
c55e18
+++ Linux-PAM-1.3.1/modules/pam_faillock/faillock_config.h	2022-05-26 10:57:11.747067749 +0200
c55e18
@@ -0,0 +1,89 @@
c55e18
+/*
c55e18
+ * Copyright (c) 2022 Tomas Mraz <tm@t8m.info>
c55e18
+ * Copyright (c) 2022 Iker Pedrosa <ipedrosa@redhat.com>
c55e18
+ *
c55e18
+ * Redistribution and use in source and binary forms, with or without
c55e18
+ * modification, are permitted provided that the following conditions
c55e18
+ * are met:
c55e18
+ * 1. Redistributions of source code must retain the above copyright
c55e18
+ *    notice, and the entire permission notice in its entirety,
c55e18
+ *    including the disclaimer of warranties.
c55e18
+ * 2. Redistributions in binary form must reproduce the above copyright
c55e18
+ *    notice, this list of conditions and the following disclaimer in the
c55e18
+ *    documentation and/or other materials provided with the distribution.
c55e18
+ * 3. The name of the author may not be used to endorse or promote
c55e18
+ *    products derived from this software without specific prior
c55e18
+ *    written permission.
c55e18
+ *
c55e18
+ * ALTERNATIVELY, this product may be distributed under the terms of
c55e18
+ * the GNU Public License, in which case the provisions of the GPL are
c55e18
+ * required INSTEAD OF the above restrictions.  (This clause is
c55e18
+ * necessary due to a potential bad interaction between the GPL and
c55e18
+ * the restrictions contained in a BSD-style copyright.)
c55e18
+ *
c55e18
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
c55e18
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
c55e18
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
c55e18
+ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
c55e18
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
c55e18
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
c55e18
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
c55e18
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
c55e18
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
c55e18
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
c55e18
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
c55e18
+ */
c55e18
+
c55e18
+/*
c55e18
+ * faillock_config.h - load configuration options from file
c55e18
+ *
c55e18
+ */
c55e18
+
c55e18
+#ifndef _FAILLOCK_CONFIG_H
c55e18
+#define _FAILLOCK_CONFIG_H
c55e18
+
c55e18
+#include <limits.h>
c55e18
+#include <stdint.h>
c55e18
+#include <sys/types.h>
c55e18
+
c55e18
+#include <security/pam_ext.h>
c55e18
+
c55e18
+#define FAILLOCK_FLAG_DENY_ROOT		0x1
c55e18
+#define FAILLOCK_FLAG_AUDIT			0x2
c55e18
+#define FAILLOCK_FLAG_SILENT		0x4
c55e18
+#define FAILLOCK_FLAG_NO_LOG_INFO	0x8
c55e18
+#define FAILLOCK_FLAG_UNLOCKED		0x10
c55e18
+#define FAILLOCK_FLAG_LOCAL_ONLY	0x20
c55e18
+#define FAILLOCK_FLAG_NO_DELAY		0x40
c55e18
+
c55e18
+#define FAILLOCK_CONF_MAX_LINELEN 	1023
c55e18
+#define MAX_TIME_INTERVAL			604800 /* 7 days */
c55e18
+
c55e18
+struct options {
c55e18
+	unsigned int action;
c55e18
+	unsigned int flags;
c55e18
+	unsigned short deny;
c55e18
+	unsigned int fail_interval;
c55e18
+	unsigned int unlock_time;
c55e18
+	unsigned int root_unlock_time;
c55e18
+	char *dir;
c55e18
+	const char *user;
c55e18
+	char *admin_group;
c55e18
+	int failures;
c55e18
+	uint64_t latest_time;
c55e18
+	uid_t uid;
c55e18
+	int is_admin;
c55e18
+	uint64_t now;
c55e18
+	int fatal_error;
c55e18
+
c55e18
+	unsigned int reset;
c55e18
+	const char *progname;
c55e18
+};
c55e18
+
c55e18
+int read_config_file(pam_handle_t *pamh, struct options *opts,
c55e18
+					 const char *cfgfile);
c55e18
+void set_conf_opt(pam_handle_t *pamh, struct options *opts, const char *name,
c55e18
+		  const char *value);
c55e18
+const char *get_tally_dir(const struct options *opts);
c55e18
+
c55e18
+#endif /* _FAILLOCK_CONFIG_H */
c55e18
diff -up Linux-PAM-1.3.1/modules/pam_faillock/main.c.faillock-load-conf-from-file Linux-PAM-1.3.1/modules/pam_faillock/main.c
c55e18
--- Linux-PAM-1.3.1/modules/pam_faillock/main.c.faillock-load-conf-from-file	2022-05-26 10:57:11.713067506 +0200
c55e18
+++ Linux-PAM-1.3.1/modules/pam_faillock/main.c	2022-05-26 10:57:11.747067749 +0200
c55e18
@@ -48,43 +48,50 @@
c55e18
 #include <libaudit.h>
c55e18
 #endif
c55e18
 
c55e18
+#include "pam_inline.h"
c55e18
 #include "faillock.h"
c55e18
-
c55e18
-struct options {
c55e18
-	unsigned int reset;
c55e18
-	const char *dir;
c55e18
-	const char *user;
c55e18
-	const char *progname;
c55e18
-};
c55e18
+#include "faillock_config.h"
c55e18
 
c55e18
 static int
c55e18
 args_parse(int argc, char **argv, struct options *opts)
c55e18
 {
c55e18
 	int i;
c55e18
+	int rv;
c55e18
+	const char *dir = NULL;
c55e18
+	const char *conf = NULL;
c55e18
+
c55e18
 	memset(opts, 0, sizeof(*opts));
c55e18
 
c55e18
-	opts->dir = FAILLOCK_DEFAULT_TALLYDIR;
c55e18
 	opts->progname = argv[0];
c55e18
 
c55e18
 	for (i = 1; i < argc; ++i) {
c55e18
-
c55e18
-		if (strcmp(argv[i], "--dir") == 0) {
c55e18
+		if (strcmp(argv[i], "--conf") == 0) {
c55e18
+			++i;
c55e18
+			if (i >= argc || strlen(argv[i]) == 0) {
c55e18
+				fprintf(stderr, "%s: No configuration file supplied.\n",
c55e18
+						argv[0]);
c55e18
+				return -1;
c55e18
+			}
c55e18
+			conf = argv[i];
c55e18
+		}
c55e18
+		else if (strcmp(argv[i], "--dir") == 0) {
c55e18
 			++i;
c55e18
 			if (i >= argc || strlen(argv[i]) == 0) {
c55e18
-				fprintf(stderr, "%s: No directory supplied.\n", argv[0]);				
c55e18
+				fprintf(stderr, "%s: No records directory supplied.\n",
c55e18
+						argv[0]);
c55e18
 				return -1;
c55e18
 			}
c55e18
-		        opts->dir = argv[i];
c55e18
-		} 
c55e18
+			dir = argv[i];
c55e18
+		}
c55e18
 		else if (strcmp(argv[i], "--user") == 0) {
c55e18
 			++i;
c55e18
 			if (i >= argc || strlen(argv[i]) == 0) {
c55e18
-				fprintf(stderr, "%s: No user name supplied.\n", argv[0]);				
c55e18
+				fprintf(stderr, "%s: No user name supplied.\n", argv[0]);
c55e18
 				return -1;
c55e18
 			}
c55e18
-		        opts->user = argv[i];
c55e18
+			opts->user = argv[i];
c55e18
 		}
c55e18
- 		else if (strcmp(argv[i], "--reset") == 0) {
c55e18
+		else if (strcmp(argv[i], "--reset") == 0) {
c55e18
 			opts->reset = 1;
c55e18
 		}
c55e18
 		else {
c55e18
@@ -92,6 +99,21 @@ args_parse(int argc, char **argv, struct
c55e18
 			return -1;
c55e18
 		}
c55e18
 	}
c55e18
+
c55e18
+	if ((rv = read_config_file(NULL, opts, conf)) != PAM_SUCCESS) {
c55e18
+		fprintf(stderr, "Configuration file missing or broken");
c55e18
+		return rv;
c55e18
+	}
c55e18
+
c55e18
+	if (dir != NULL) {
c55e18
+		free(opts->dir);
c55e18
+		opts->dir = strdup(dir);
c55e18
+		if (opts->dir == NULL) {
c55e18
+			fprintf(stderr, "Error allocating memory: %m");
c55e18
+			return -1;
c55e18
+		}
c55e18
+	}
c55e18
+
c55e18
 	return 0;
c55e18
 }
c55e18
 
c55e18
@@ -109,10 +131,11 @@ do_user(struct options *opts, const char
c55e18
 	int rv;
c55e18
 	struct tally_data tallies;
c55e18
 	struct passwd *pwd;
c55e18
+	const char *dir = get_tally_dir(opts);
c55e18
 
c55e18
 	pwd = getpwnam(user);
c55e18
 
c55e18
-	fd = open_tally(opts->dir, user, pwd != NULL ? pwd->pw_uid : 0, 0);
c55e18
+	fd = open_tally(dir, user, pwd != NULL ? pwd->pw_uid : 0, 0);
c55e18
 
c55e18
 	if (fd == -1) {
c55e18
 		if (errno == ENOENT) {
c55e18
@@ -189,11 +212,11 @@ do_allusers(struct options *opts)
c55e18
 {
c55e18
 	struct dirent **userlist;
c55e18
 	int rv, i;
c55e18
+	const char *dir = get_tally_dir(opts);
c55e18
 
c55e18
-	rv = scandir(opts->dir, &userlist, NULL, alphasort);
c55e18
+	rv = scandir(dir, &userlist, NULL, alphasort);
c55e18
 	if (rv < 0) {
c55e18
-		fprintf(stderr, "%s: Error reading tally directory: ", opts->progname);
c55e18
-		perror(NULL);
c55e18
+		fprintf(stderr, "%s: Error reading tally directory: %m\n", opts->progname);
c55e18
 		return 2;
c55e18
 	}
c55e18
 
c55e18
diff -up Linux-PAM-1.3.1/modules/pam_faillock/Makefile.am.faillock-load-conf-from-file Linux-PAM-1.3.1/modules/pam_faillock/Makefile.am
c55e18
--- Linux-PAM-1.3.1/modules/pam_faillock/Makefile.am.faillock-load-conf-from-file	2022-05-26 10:57:11.727067606 +0200
c55e18
+++ Linux-PAM-1.3.1/modules/pam_faillock/Makefile.am	2022-05-26 10:57:59.032406450 +0200
c55e18
@@ -17,7 +17,7 @@ TESTS = tst-pam_faillock
c55e18
 securelibdir = $(SECUREDIR)
c55e18
 secureconfdir = $(SCONFIGDIR)
c55e18
 
c55e18
-noinst_HEADERS = faillock.h
c55e18
+noinst_HEADERS = faillock.h faillock_config.h
c55e18
 
c55e18
 faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include @PIE_CFLAGS@
c55e18
 pam_faillock_la_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
c55e18
@@ -36,8 +36,8 @@ secureconf_DATA = faillock.conf
c55e18
 securelib_LTLIBRARIES = pam_faillock.la
c55e18
 sbin_PROGRAMS = faillock
c55e18
 
c55e18
-pam_faillock_la_SOURCES = pam_faillock.c faillock.c
c55e18
-faillock_SOURCES = main.c faillock.c
c55e18
+pam_faillock_la_SOURCES = pam_faillock.c faillock.c faillock_config.c
c55e18
+faillock_SOURCES = main.c faillock.c faillock_config.c
c55e18
 
c55e18
 if ENABLE_REGENERATE_MAN
c55e18
 noinst_DATA = README
c55e18
diff -up Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.c.faillock-load-conf-from-file Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.c
c55e18
--- Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.c.faillock-load-conf-from-file	2022-05-26 10:57:11.727067606 +0200
c55e18
+++ Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.c	2022-05-26 10:57:11.748067756 +0200
c55e18
@@ -38,7 +38,6 @@
c55e18
 #include <stdio.h>
c55e18
 #include <string.h>
c55e18
 #include <unistd.h>
c55e18
-#include <stdint.h>
c55e18
 #include <stdlib.h>
c55e18
 #include <errno.h>
c55e18
 #include <time.h>
c55e18
@@ -54,83 +53,50 @@
c55e18
 #include <security/pam_modutil.h>
c55e18
 #include <security/pam_ext.h>
c55e18
 
c55e18
+#include "pam_inline.h"
c55e18
 #include "faillock.h"
c55e18
-
c55e18
-#define PAM_SM_AUTH
c55e18
-#define PAM_SM_ACCOUNT
c55e18
+#include "faillock_config.h"
c55e18
 
c55e18
 #define FAILLOCK_ACTION_PREAUTH  0
c55e18
 #define FAILLOCK_ACTION_AUTHSUCC 1
c55e18
 #define FAILLOCK_ACTION_AUTHFAIL 2
c55e18
 
c55e18
-#define FAILLOCK_FLAG_DENY_ROOT		0x1
c55e18
-#define FAILLOCK_FLAG_AUDIT		0x2
c55e18
-#define FAILLOCK_FLAG_SILENT		0x4
c55e18
-#define FAILLOCK_FLAG_NO_LOG_INFO	0x8
c55e18
-#define FAILLOCK_FLAG_UNLOCKED		0x10
c55e18
-#define FAILLOCK_FLAG_LOCAL_ONLY	0x20
c55e18
-
c55e18
-#define MAX_TIME_INTERVAL 604800 /* 7 days */
c55e18
-#define FAILLOCK_CONF_MAX_LINELEN 1023
c55e18
-#define FAILLOCK_ERROR_CONF_OPEN -3
c55e18
-#define FAILLOCK_ERROR_CONF_MALFORMED -4
c55e18
-
c55e18
-#define PATH_PASSWD "/etc/passwd"
c55e18
-
c55e18
-struct options {
c55e18
-	unsigned int action;
c55e18
-	unsigned int flags;
c55e18
-	unsigned short deny;
c55e18
-	unsigned int fail_interval;
c55e18
-	unsigned int unlock_time;
c55e18
-	unsigned int root_unlock_time;
c55e18
-	char *dir;
c55e18
-	const char *conf;
c55e18
-	const char *user;
c55e18
-	char *admin_group;
c55e18
-	int failures;
c55e18
-	uint64_t latest_time;
c55e18
-	uid_t uid;
c55e18
-	int is_admin;
c55e18
-	uint64_t now;
c55e18
-	int fatal_error;
c55e18
-};
c55e18
-
c55e18
-int read_config_file(
c55e18
-	pam_handle_t *pamh,
c55e18
-	struct options *opts,
c55e18
-	const char *cfgfile
c55e18
-);
c55e18
-
c55e18
-void set_conf_opt(
c55e18
-	pam_handle_t *pamh,
c55e18
-	struct options *opts,
c55e18
-	const char *name,
c55e18
-	const char *value
c55e18
-);
c55e18
-
c55e18
-static void
c55e18
+static int
c55e18
 args_parse(pam_handle_t *pamh, int argc, const char **argv,
c55e18
 		int flags, struct options *opts)
c55e18
 {
c55e18
 	int i;
c55e18
+	int config_arg_index = -1;
c55e18
 	int rv;
c55e18
+	const char *conf = NULL;
c55e18
+
c55e18
 	memset(opts, 0, sizeof(*opts));
c55e18
 
c55e18
-	opts->dir = strdup(FAILLOCK_DEFAULT_TALLYDIR);
c55e18
-	opts->conf = FAILLOCK_DEFAULT_CONF;
c55e18
 	opts->deny = 3;
c55e18
 	opts->fail_interval = 900;
c55e18
 	opts->unlock_time = 600;
c55e18
 	opts->root_unlock_time = MAX_TIME_INTERVAL+1;
c55e18
 
c55e18
-	if ((rv=read_config_file(pamh, opts, opts->conf)) != PAM_SUCCESS) {
c55e18
-		pam_syslog(pamh, LOG_DEBUG,
c55e18
-					"Configuration file missing");
c55e18
+	for (i = 0; i < argc; ++i) {
c55e18
+		const char *str = pam_str_skip_prefix(argv[i], "conf=");
c55e18
+
c55e18
+		if (str != NULL) {
c55e18
+			conf = str;
c55e18
+			config_arg_index = i;
c55e18
+		}
c55e18
+	}
c55e18
+
c55e18
+	if ((rv = read_config_file(pamh, opts, conf)) != PAM_SUCCESS) {
c55e18
+		pam_syslog(pamh, LOG_ERR,
c55e18
+					"Configuration file missing or broken");
c55e18
+		return rv;
c55e18
 	}
c55e18
 
c55e18
 	for (i = 0; i < argc; ++i) {
c55e18
-		if (strcmp(argv[i], "preauth") == 0) {
c55e18
+		if (i == config_arg_index) {
c55e18
+			continue;
c55e18
+		}
c55e18
+		else if (strcmp(argv[i], "preauth") == 0) {
c55e18
 			opts->action = FAILLOCK_ACTION_PREAUTH;
c55e18
 		}
c55e18
 		else if (strcmp(argv[i], "authfail") == 0) {
c55e18
@@ -163,226 +129,26 @@ args_parse(pam_handle_t *pamh, int argc,
c55e18
 	if (flags & PAM_SILENT)
c55e18
 		opts->flags |= FAILLOCK_FLAG_SILENT;
c55e18
 
c55e18
-	if (opts->dir == NULL) {
c55e18
-		pam_syslog(pamh, LOG_CRIT, "Error allocating memory: %m");
c55e18
-		opts->fatal_error = 1;
c55e18
-	}
c55e18
-}
c55e18
-
c55e18
-/* parse a single configuration file */
c55e18
-int
c55e18
-read_config_file(pam_handle_t *pamh, struct options *opts, const char *cfgfile)
c55e18
-{
c55e18
-	FILE *f;
c55e18
-	char linebuf[FAILLOCK_CONF_MAX_LINELEN+1];
c55e18
-
c55e18
-	f = fopen(cfgfile, "r");
c55e18
-	if (f == NULL) {
c55e18
-		/* ignore non-existent default config file */
c55e18
-		if (errno == ENOENT && strcmp(cfgfile, FAILLOCK_DEFAULT_CONF) == 0)
c55e18
-			return 0;
c55e18
-		return FAILLOCK_ERROR_CONF_OPEN;
c55e18
-	}
c55e18
-
c55e18
-	while (fgets(linebuf, sizeof(linebuf), f) != NULL) {
c55e18
-		size_t len;
c55e18
-		char *ptr;
c55e18
-		char *name;
c55e18
-		int eq;
c55e18
-
c55e18
-		len = strlen(linebuf);
c55e18
-		/* len cannot be 0 unless there is a bug in fgets */
c55e18
-		if (len && linebuf[len - 1] != '\n' && !feof(f)) {
c55e18
-			(void) fclose(f);
c55e18
-			return FAILLOCK_ERROR_CONF_MALFORMED;
c55e18
-		}
c55e18
-
c55e18
-		if ((ptr=strchr(linebuf, '#')) != NULL) {
c55e18
-			*ptr = '\0';
c55e18
-		} else {
c55e18
-			ptr = linebuf + len;
c55e18
-		}
c55e18
-
c55e18
-		/* drop terminating whitespace including the \n */
c55e18
-		while (ptr > linebuf) {
c55e18
-			if (!isspace(*(ptr-1))) {
c55e18
-				*ptr = '\0';
c55e18
-				break;
c55e18
-			}
c55e18
-			--ptr;
c55e18
-		}
c55e18
-
c55e18
-		/* skip initial whitespace */
c55e18
-		for (ptr = linebuf; isspace(*ptr); ptr++);
c55e18
-		if (*ptr == '\0')
c55e18
-			continue;
c55e18
-
c55e18
-		/* grab the key name */
c55e18
-		eq = 0;
c55e18
-		name = ptr;
c55e18
-		while (*ptr != '\0') {
c55e18
-			if (isspace(*ptr) || *ptr == '=') {
c55e18
-				eq = *ptr == '=';
c55e18
-				*ptr = '\0';
c55e18
-				++ptr;
c55e18
-				break;
c55e18
-			}
c55e18
-			++ptr;
c55e18
-		}
c55e18
-
c55e18
-		/* grab the key value */
c55e18
-		while (*ptr != '\0') {
c55e18
-			if (*ptr != '=' || eq) {
c55e18
-				if (!isspace(*ptr)) {
c55e18
-					break;
c55e18
-				}
c55e18
-			} else {
c55e18
-				eq = 1;
c55e18
-			}
c55e18
-			++ptr;
c55e18
-		}
c55e18
-
c55e18
-		/* set the key:value pair on opts */
c55e18
-		set_conf_opt(pamh, opts, name, ptr);
c55e18
-	}
c55e18
-
c55e18
-	(void)fclose(f);
c55e18
+	if (opts->fatal_error)
c55e18
+		return PAM_BUF_ERR;
c55e18
 	return PAM_SUCCESS;
c55e18
 }
c55e18
 
c55e18
-void set_conf_opt(pam_handle_t *pamh, struct options *opts, const char *name, const char *value)
c55e18
-{
c55e18
-	if (strcmp(name, "dir") == 0) {
c55e18
-		if (value[0] != '/') {
c55e18
-			pam_syslog(pamh, LOG_ERR,
c55e18
-				"Tally directory is not absolute path (%s); keeping default", value);
c55e18
-		} else {
c55e18
-			free(opts->dir);
c55e18
-			opts->dir = strdup(value);
c55e18
-		}
c55e18
-	}
c55e18
-	else if (strcmp(name, "deny") == 0) {
c55e18
-		if (sscanf(value, "%hu", &opts->deny) != 1) {
c55e18
-			pam_syslog(pamh, LOG_ERR,
c55e18
-				"Bad number supplied for deny argument");
c55e18
-		}
c55e18
-	}
c55e18
-	else if (strcmp(name, "fail_interval") == 0) {
c55e18
-		unsigned int temp;
c55e18
-		if (sscanf(value, "%u", &temp) != 1 ||
c55e18
-			temp > MAX_TIME_INTERVAL) {
c55e18
-			pam_syslog(pamh, LOG_ERR,
c55e18
-				"Bad number supplied for fail_interval argument");
c55e18
-		} else {
c55e18
-			opts->fail_interval = temp;
c55e18
-		}
c55e18
-	}
c55e18
-	else if (strcmp(name, "unlock_time") == 0) {
c55e18
-		unsigned int temp;
c55e18
-
c55e18
-		if (strcmp(value, "never") == 0) {
c55e18
-			opts->unlock_time = 0;
c55e18
-		}
c55e18
-		else if (sscanf(value, "%u", &temp) != 1 ||
c55e18
-			temp > MAX_TIME_INTERVAL) {
c55e18
-			pam_syslog(pamh, LOG_ERR,
c55e18
-				"Bad number supplied for unlock_time argument");
c55e18
-		}
c55e18
-		else {
c55e18
-			opts->unlock_time = temp;
c55e18
-		}
c55e18
-	}
c55e18
-	else if (strcmp(name, "root_unlock_time") == 0) {
c55e18
-		unsigned int temp;
c55e18
-
c55e18
-		if (strcmp(value, "never") == 0) {
c55e18
-			opts->root_unlock_time = 0;
c55e18
-		}
c55e18
-		else if (sscanf(value, "%u", &temp) != 1 ||
c55e18
-			temp > MAX_TIME_INTERVAL) {
c55e18
-			pam_syslog(pamh, LOG_ERR,
c55e18
-				"Bad number supplied for root_unlock_time argument");
c55e18
-		} else {
c55e18
-			opts->root_unlock_time = temp;
c55e18
-		}
c55e18
-	}
c55e18
-	else if (strcmp(name, "admin_group") == 0) {
c55e18
-		free(opts->admin_group);
c55e18
-		opts->admin_group = strdup(value);
c55e18
-		if (opts->admin_group == NULL) {
c55e18
-			opts->fatal_error = 1;
c55e18
-			pam_syslog(pamh, LOG_CRIT, "Error allocating memory: %m");
c55e18
-		}
c55e18
-	}
c55e18
-	else if (strcmp(name, "even_deny_root") == 0) {
c55e18
-		opts->flags |= FAILLOCK_FLAG_DENY_ROOT;
c55e18
-	}
c55e18
-	else if (strcmp(name, "audit") == 0) {
c55e18
-		opts->flags |= FAILLOCK_FLAG_AUDIT;
c55e18
-	}
c55e18
-	else if (strcmp(name, "silent") == 0) {
c55e18
-		opts->flags |= FAILLOCK_FLAG_SILENT;
c55e18
-	}
c55e18
-	else if (strcmp(name, "no_log_info") == 0) {
c55e18
-		opts->flags |= FAILLOCK_FLAG_NO_LOG_INFO;
c55e18
-	}
c55e18
-	else if (strcmp(name, "local_users_only") == 0) {
c55e18
-		opts->flags |= FAILLOCK_FLAG_LOCAL_ONLY;
c55e18
-	}
c55e18
-	else {
c55e18
-		pam_syslog(pamh, LOG_ERR, "Unknown option: %s", name);
c55e18
-	}
c55e18
-}
c55e18
-
c55e18
-static int check_local_user (pam_handle_t *pamh, const char *user)
c55e18
+static int
c55e18
+check_local_user (pam_handle_t *pamh, const char *user)
c55e18
 {
c55e18
-	struct passwd pw, *pwp;
c55e18
-	char buf[4096];
c55e18
-	int found = 0;
c55e18
-	FILE *fp;
c55e18
-	int errn;
c55e18
-
c55e18
-	fp = fopen(PATH_PASSWD, "r");
c55e18
-	if (fp == NULL) {
c55e18
-		pam_syslog(pamh, LOG_ERR, "unable to open %s: %m",
c55e18
-			   PATH_PASSWD);
c55e18
-		return -1;
c55e18
-	}
c55e18
-
c55e18
-	for (;;) {
c55e18
-		errn = fgetpwent_r(fp, &pw, buf, sizeof (buf), &pwp);
c55e18
-		if (errn == ERANGE) {
c55e18
-			pam_syslog(pamh, LOG_WARNING, "%s contains very long lines; corrupted?",
c55e18
-				   PATH_PASSWD);
c55e18
-			/* we can continue here as next call will read further */
c55e18
-			continue;
c55e18
-		}
c55e18
-		if (errn != 0)
c55e18
-			break;
c55e18
-		if (strcmp(pwp->pw_name, user) == 0) {
c55e18
-			found = 1;
c55e18
-			break;
c55e18
-		}
c55e18
-	}
c55e18
-
c55e18
-	fclose (fp);
c55e18
-
c55e18
-	if (errn != 0 && errn != ENOENT) {
c55e18
-		pam_syslog(pamh, LOG_ERR, "unable to enumerate local accounts: %m");
c55e18
-		return -1;
c55e18
-	} else {
c55e18
-		return found;
c55e18
-	}
c55e18
+	return pam_modutil_check_user_in_passwd(pamh, user, NULL) == PAM_SUCCESS;
c55e18
 }
c55e18
 
c55e18
-static int get_pam_user(pam_handle_t *pamh, struct options *opts)
c55e18
+static int
c55e18
+get_pam_user(pam_handle_t *pamh, struct options *opts)
c55e18
 {
c55e18
 	const char *user;
c55e18
 	int rv;
c55e18
 	struct passwd *pwd;
c55e18
 
c55e18
 	if ((rv=pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
c55e18
-		return rv;
c55e18
+		return rv == PAM_CONV_AGAIN ? PAM_INCOMPLETE : rv;
c55e18
 	}
c55e18
 
c55e18
 	if (*user == '\0') {
c55e18
@@ -391,10 +157,10 @@ static int get_pam_user(pam_handle_t *pa
c55e18
 
c55e18
 	if ((pwd=pam_modutil_getpwnam(pamh, user)) == NULL) {
c55e18
 		if (opts->flags & FAILLOCK_FLAG_AUDIT) {
c55e18
-			pam_syslog(pamh, LOG_ERR, "User unknown: %s", user);
c55e18
+			pam_syslog(pamh, LOG_NOTICE, "User unknown: %s", user);
c55e18
 		}
c55e18
 		else {
c55e18
-			pam_syslog(pamh, LOG_ERR, "User unknown");
c55e18
+			pam_syslog(pamh, LOG_NOTICE, "User unknown");
c55e18
 		}
c55e18
 		return PAM_IGNORE;
c55e18
 	}
c55e18
@@ -421,10 +187,11 @@ check_tally(pam_handle_t *pamh, struct o
c55e18
 	unsigned int i;
c55e18
 	uint64_t latest_time;
c55e18
 	int failures;
c55e18
+	const char *dir = get_tally_dir(opts);
c55e18
 
c55e18
 	opts->now = time(NULL);
c55e18
 
c55e18
-	tfd = open_tally(opts->dir, opts->user, opts->uid, 0);
c55e18
+	tfd = open_tally(dir, opts->user, opts->uid, 0);
c55e18
 
c55e18
 	*fd = tfd;
c55e18
 
c55e18
@@ -446,7 +213,7 @@ check_tally(pam_handle_t *pamh, struct o
c55e18
 	}
c55e18
 
c55e18
 	latest_time = 0;
c55e18
-	for(i = 0; i < tallies->count; i++) {
c55e18
+	for (i = 0; i < tallies->count; i++) {
c55e18
 		if ((tallies->records[i].status & TALLY_STATUS_VALID) &&
c55e18
 			tallies->records[i].time > latest_time)
c55e18
 			latest_time = tallies->records[i].time;
c55e18
@@ -455,7 +222,7 @@ check_tally(pam_handle_t *pamh, struct o
c55e18
 	opts->latest_time = latest_time;
c55e18
 
c55e18
 	failures = 0;
c55e18
-	for(i = 0; i < tallies->count; i++) {
c55e18
+	for (i = 0; i < tallies->count; i++) {
c55e18
 		if ((tallies->records[i].status & TALLY_STATUS_VALID) &&
c55e18
 			latest_time - tallies->records[i].time < opts->fail_interval) {
c55e18
 			++failures;
c55e18
@@ -498,9 +265,10 @@ static void
c55e18
 reset_tally(pam_handle_t *pamh, struct options *opts, int *fd)
c55e18
 {
c55e18
 	int rv;
c55e18
+	const char *dir = get_tally_dir(opts);
c55e18
 
c55e18
 	if (*fd == -1) {
c55e18
-		*fd = open_tally(opts->dir, opts->user, opts->uid, 1);
c55e18
+		*fd = open_tally(dir, opts->user, opts->uid, 1);
c55e18
 	}
c55e18
 	else {
c55e18
 		while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR);
c55e18
@@ -519,9 +287,10 @@ write_tally(pam_handle_t *pamh, struct o
c55e18
 	unsigned int oldest;
c55e18
 	uint64_t oldtime;
c55e18
 	const void *source = NULL;
c55e18
+	const char *dir = get_tally_dir(opts);
c55e18
 
c55e18
 	if (*fd == -1) {
c55e18
-		*fd = open_tally(opts->dir, opts->user, opts->uid, 1);
c55e18
+		*fd = open_tally(dir, opts->user, opts->uid, 1);
c55e18
 	}
c55e18
 	if (*fd == -1) {
c55e18
 		if (errno == EACCES) {
c55e18
@@ -536,7 +305,7 @@ write_tally(pam_handle_t *pamh, struct o
c55e18
 	failures = 0;
c55e18
 
c55e18
 	for (i = 0; i < tallies->count; ++i) {
c55e18
-		if (tallies->records[i].time < oldtime) {
c55e18
+		if (oldtime == 0 || tallies->records[i].time < oldtime) {
c55e18
 			oldtime = tallies->records[i].time;
c55e18
 			oldest = i;
c55e18
 		}
c55e18
@@ -630,16 +399,26 @@ faillock_message(pam_handle_t *pamh, str
c55e18
 			left = opts->latest_time + opts->unlock_time - opts->now;
c55e18
 		}
c55e18
 
c55e18
+		pam_info(pamh, _("The account is locked due to %u failed logins."),
c55e18
+			(unsigned int)opts->failures);
c55e18
 		if (left > 0) {
c55e18
 			left = (left + 59)/60; /* minutes */
c55e18
 
c55e18
-			pam_info(pamh, _("Account temporarily locked due to %d failed logins"),
c55e18
-				opts->failures);
c55e18
-			pam_info(pamh, _("(%d minutes left to unlock)"), (int)left);
c55e18
-		}
c55e18
-		else {
c55e18
-			pam_info(pamh, _("Account locked due to %d failed logins"),
c55e18
-				opts->failures);
c55e18
+#if defined HAVE_DNGETTEXT && defined ENABLE_NLS
c55e18
+			pam_info(
c55e18
+				pamh,
c55e18
+				dngettext(PACKAGE,
c55e18
+					"(%d minute left to unlock)",
c55e18
+					"(%d minutes left to unlock)",
c55e18
+					(int)left),
c55e18
+				(int)left);
c55e18
+#else
c55e18
+			if (left == 1)
c55e18
+				pam_info(pamh, _("(%d minute left to unlock)"), (int)left);
c55e18
+			else
c55e18
+				/* TRANSLATORS: only used if dngettext is not supported. */
c55e18
+				pam_info(pamh, _("(%d minutes left to unlock)"), (int)left);
c55e18
+#endif
c55e18
 		}
c55e18
 	}
c55e18
 }
c55e18
@@ -663,7 +442,7 @@ opts_cleanup(struct options *opts)
c55e18
 
c55e18
 /*---------------------------------------------------------------------*/
c55e18
 
c55e18
-PAM_EXTERN int
c55e18
+int
c55e18
 pam_sm_authenticate(pam_handle_t *pamh, int flags,
c55e18
 		    int argc, const char **argv)
c55e18
 {
c55e18
@@ -673,13 +452,13 @@ pam_sm_authenticate(pam_handle_t *pamh,
c55e18
 
c55e18
 	memset(&tallies, 0, sizeof(tallies));
c55e18
 
c55e18
-	args_parse(pamh, argc, argv, flags, &opts);
c55e18
-	if (opts.fatal_error) {
c55e18
-		rv = PAM_BUF_ERR;
c55e18
+	rv = args_parse(pamh, argc, argv, flags, &opts);
c55e18
+	if (rv != PAM_SUCCESS)
c55e18
 		goto err;
c55e18
-	}
c55e18
 
c55e18
-	pam_fail_delay(pamh, 2000000);	/* 2 sec delay for on failure */
c55e18
+	if (!(opts.flags & FAILLOCK_FLAG_NO_DELAY)) {
c55e18
+		pam_fail_delay(pamh, 2000000);	/* 2 sec delay on failure */
c55e18
+	}
c55e18
 
c55e18
 	if ((rv=get_pam_user(pamh, &opts)) != PAM_SUCCESS) {
c55e18
 		goto err;
c55e18
@@ -722,7 +501,7 @@ err:
c55e18
 
c55e18
 /*---------------------------------------------------------------------*/
c55e18
 
c55e18
-PAM_EXTERN int
c55e18
+int
c55e18
 pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED,
c55e18
 	       int argc UNUSED, const char **argv UNUSED)
c55e18
 {
c55e18
@@ -731,7 +510,7 @@ pam_sm_setcred(pam_handle_t *pamh UNUSED
c55e18
 
c55e18
 /*---------------------------------------------------------------------*/
c55e18
 
c55e18
-PAM_EXTERN int
c55e18
+int
c55e18
 pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
c55e18
 		 int argc, const char **argv)
c55e18
 {
c55e18
@@ -741,12 +520,10 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int
c55e18
 
c55e18
 	memset(&tallies, 0, sizeof(tallies));
c55e18
 
c55e18
-	args_parse(pamh, argc, argv, flags, &opts);
c55e18
+	rv = args_parse(pamh, argc, argv, flags, &opts);
c55e18
 
c55e18
-	if (opts.fatal_error) {
c55e18
-		rv = PAM_BUF_ERR;
c55e18
+	if (rv != PAM_SUCCESS)
c55e18
 		goto err;
c55e18
-	}
c55e18
 
c55e18
 	opts.action = FAILLOCK_ACTION_AUTHSUCC;
c55e18
 
c55e18
@@ -770,28 +547,3 @@ err:
c55e18
 
c55e18
 /*-----------------------------------------------------------------------*/
c55e18
 
c55e18
-#ifdef PAM_STATIC
c55e18
-
c55e18
-/* static module data */
c55e18
-
c55e18
-struct pam_module _pam_faillock_modstruct = {
c55e18
-     MODULE_NAME,
c55e18
-#ifdef PAM_SM_AUTH
c55e18
-     pam_sm_authenticate,
c55e18
-     pam_sm_setcred,
c55e18
-#else
c55e18
-     NULL,
c55e18
-     NULL,
c55e18
-#endif
c55e18
-#ifdef PAM_SM_ACCOUNT
c55e18
-     pam_sm_acct_mgmt,
c55e18
-#else
c55e18
-     NULL,
c55e18
-#endif
c55e18
-     NULL,
c55e18
-     NULL,
c55e18
-     NULL,
c55e18
-};
c55e18
-
c55e18
-#endif   /* #ifdef PAM_STATIC */
c55e18
-
c55e18
diff --git a/modules/pam_faillock/faillock.h b/modules/pam_faillock/faillock.h
c55e18
index b22a9dfb..0ea0ffba 100644
c55e18
--- a/modules/pam_faillock/faillock.h
c55e18
+++ b/modules/pam_faillock/faillock.h
c55e18
diff -up Linux-PAM-1.5.1/modules/pam_faillock/faillock.h.faillock-load-conf-from-file Linux-PAM-1.5.1/modules/pam_faillock/faillock.h
c55e18
--- Linux-PAM-1.5.1/modules/pam_faillock/faillock.h.faillock-load-conf-from-file	2020-11-25 17:57:02.000000000 +0100
c55e18
+++ Linux-PAM-1.5.1/modules/pam_faillock/faillock.h	2022-05-25 15:33:03.885551825 +0200
c55e18
@@ -67,7 +67,6 @@ struct tally_data {
c55e18
 };
c55e18
 
c55e18
 #define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock"
c55e18
-#define FAILLOCK_DEFAULT_CONF "/etc/security/faillock.conf"
c55e18
 
c55e18
 int open_tally(const char *dir, const char *user, uid_t uid, int create);
c55e18
 int read_tally(int fd, struct tally_data *tallies);
c55e18
diff --git a/modules/pam_faillock/pam_faillock.c b/modules/pam_faillock/pam_faillock.c
c55e18
index ddbb90e7..f46fca99 100644
c55e18
--- a/modules/pam_faillock/pam_faillock.c
c55e18
+++ b/modules/pam_faillock/pam_faillock.c
c55e18
@@ -134,10 +134,96 @@ args_parse(pam_handle_t *pamh, int argc, const char **argv,
c55e18
 	return PAM_SUCCESS;
c55e18
 }
c55e18
 
c55e18
+static int
c55e18
+check_user_in_passwd(pam_handle_t *pamh,
c55e18
+				 const char *user_name,
c55e18
+				 const char *file_name)
c55e18
+{
c55e18
+	int rc;
c55e18
+	size_t user_len;
c55e18
+	FILE *fp;
c55e18
+	char line[BUFSIZ];
c55e18
+
c55e18
+	/* Validate the user name.  */
c55e18
+	if ((user_len = strlen(user_name)) == 0) {
c55e18
+		pam_syslog(pamh, LOG_NOTICE, "user name is not valid");
c55e18
+		return PAM_SERVICE_ERR;
c55e18
+	}
c55e18
+
c55e18
+	if (user_len > sizeof(line) - sizeof(":")) {
c55e18
+		pam_syslog(pamh, LOG_NOTICE, "user name is too long");
c55e18
+		return PAM_SERVICE_ERR;
c55e18
+	}
c55e18
+
c55e18
+	if (strchr(user_name, ':') != NULL) {
c55e18
+		/*
c55e18
+		 * "root:x" is not a local user name even if the passwd file
c55e18
+		 * contains a line starting with "root:x:".
c55e18
+		 */
c55e18
+		return PAM_PERM_DENIED;
c55e18
+	}
c55e18
+
c55e18
+	/* Open the passwd file.  */
c55e18
+	if (file_name == NULL) {
c55e18
+		file_name = "/etc/passwd";
c55e18
+	}
c55e18
+	if ((fp = fopen(file_name, "r")) == NULL) {
c55e18
+		pam_syslog(pamh, LOG_ERR, "error opening %s: %m", file_name);
c55e18
+		return PAM_SERVICE_ERR;
c55e18
+	}
c55e18
+
c55e18
+	/*
c55e18
+	 * Scan the file using fgets() instead of fgetpwent_r() because
c55e18
+	 * the latter is not flexible enough in handling long lines
c55e18
+	 * in passwd files.
c55e18
+	 */
c55e18
+	rc = PAM_PERM_DENIED;
c55e18
+	while (fgets(line, sizeof(line), fp) != NULL) {
c55e18
+		size_t line_len;
c55e18
+		const char *str;
c55e18
+
c55e18
+		/*
c55e18
+		 * Does this line start with the user name
c55e18
+		 * followed by a colon?
c55e18
+		 */
c55e18
+		if (strncmp(user_name, line, user_len) == 0 &&
c55e18
+		    line[user_len] == ':') {
c55e18
+			rc = PAM_SUCCESS;
c55e18
+			/*
c55e18
+			 * Continue reading the file to avoid timing attacks.
c55e18
+			 */
c55e18
+		}
c55e18
+		/* Has a newline been read?  */
c55e18
+		line_len = strlen(line);
c55e18
+		if (line_len < sizeof(line) - 1 ||
c55e18
+		    line[line_len - 1] == '\n') {
c55e18
+			/* Yes, continue with the next line.  */
c55e18
+			continue;
c55e18
+		}
c55e18
+
c55e18
+		/* No, read till the end of this line first.  */
c55e18
+		while ((str = fgets(line, sizeof(line), fp)) != NULL) {
c55e18
+			line_len = strlen(line);
c55e18
+			if (line_len == 0 ||
c55e18
+			    line[line_len - 1] == '\n') {
c55e18
+				break;
c55e18
+			}
c55e18
+		}
c55e18
+		if (str == NULL) {
c55e18
+			/* fgets returned NULL, we are done.  */
c55e18
+			break;
c55e18
+		}
c55e18
+		/* Continue with the next line.  */
c55e18
+	}
c55e18
+
c55e18
+	fclose(fp);
c55e18
+	return rc;
c55e18
+}
c55e18
+
c55e18
 static int
c55e18
 check_local_user (pam_handle_t *pamh, const char *user)
c55e18
 {
c55e18
-	return pam_modutil_check_user_in_passwd(pamh, user, NULL) == PAM_SUCCESS;
c55e18
+	return check_user_in_passwd(pamh, user, NULL) == PAM_SUCCESS;
c55e18
 }
c55e18
 
c55e18
 static int