diff -up Linux-PAM-1.3.1/modules/pam_faillock/faillock.c.faillock-update Linux-PAM-1.3.1/modules/pam_faillock/faillock.c

--- Linux-PAM-1.3.1/modules/pam_faillock/faillock.c.faillock-update	2019-10-16 16:49:27.026893768 +0200

+++ Linux-PAM-1.3.1/modules/pam_faillock/faillock.c	2019-12-16 17:55:27.042001068 +0100

@@ -1,5 +1,6 @@

 /*

  * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>

+ * Copyright (c) 2010, 2016, 2017 Red Hat, Inc.

  *

  * Redistribution and use in source and binary forms, with or without

  * modification, are permitted provided that the following conditions

@@ -47,6 +48,8 @@

 #include "faillock.h"

+#define ignore_return(x) if (1==((int)x)) {;}

+

 int

 open_tally (const char *dir, const char *user, uid_t uid, int create)

 {

@@ -54,7 +57,7 @@ open_tally (const char *dir, const char

 	int flags = O_RDWR;

 	int fd;

-	if (strstr(user, "../") != NULL)

+	if (dir == NULL || strstr(user, "../") != NULL)

 	/* just a defensive programming as the user must be a

 	 * valid user on the system anyway

 	 */

@@ -83,7 +86,7 @@ open_tally (const char *dir, const char

 		while (flock(fd, LOCK_EX) == -1 && errno == EINTR);

 		if (fstat(fd, &st) == 0) {

 			if (st.st_uid != uid) {

-				fchown(fd, uid, -1);

+				ignore_return(fchown(fd, uid, -1));

 			}

 		}

 	}

@@ -121,7 +124,7 @@ read_tally(int fd, struct tally_data *ta

 		if (count >= MAX_RECORDS)

 			break;

 	}

-	while (chunk == CHUNK_SIZE); 

+	while (chunk == CHUNK_SIZE);

 	tallies->records = data;

 	tallies->count = count;

diff -up Linux-PAM-1.3.1/modules/pam_faillock/faillock.conf.5.xml.faillock-update Linux-PAM-1.3.1/modules/pam_faillock/faillock.conf.5.xml

--- Linux-PAM-1.3.1/modules/pam_faillock/faillock.conf.5.xml.faillock-update	2019-10-16 17:34:58.073276020 +0200

+++ Linux-PAM-1.3.1/modules/pam_faillock/faillock.conf.5.xml	2019-10-16 16:26:05.000000000 +0200

@@ -0,0 +1,243 @@

+

+

+	"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">

+

+<refentry id="faillock.conf">

+

+  <refmeta>

+    <refentrytitle>faillock.conf</refentrytitle>

+    <manvolnum>5</manvolnum>

+    <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>

+  </refmeta>

+

+  <refnamediv id="faillock.conf-name">

+    <refname>faillock.conf</refname>

+    <refpurpose>pam_faillock configuration file</refpurpose>

+  </refnamediv>

+

+  <refsect1 id="faillock.conf-description">

+

+    <title>DESCRIPTION</title>

+    <para>

+       <emphasis remap='B'>faillock.conf</emphasis> provides a way to configure the

+       default settings for locking the user after multiple failed authentication attempts.

+       This file is read by the <emphasis>pam_faillock</emphasis> module and is the

+       preferred method over configuring <emphasis>pam_faillock</emphasis> directly.

+    </para>

+    <para>

+       The file has a very simple <emphasis>name = value</emphasis> format with possible comments

+       starting with <emphasis>#</emphasis> character. The whitespace at the beginning of line, end

+       of line, and around the <emphasis>=</emphasis> sign is ignored.

+    </para>

+  </refsect1>

+

+  <refsect1 id="faillock.conf-options">

+

+    <title>OPTIONS</title>

+         <variablelist>

+            <varlistentry>

+              <term>

+                <option>dir=<replaceable>/path/to/tally-directory</replaceable></option>

+              </term>

+              <listitem>

+                <para>

+                  The directory where the user files with the failure records are kept. The

+                  default is <filename>/var/run/faillock</filename>.

+                </para>

+              </listitem>

+            </varlistentry>

+            <varlistentry>

+              <term>

+                <option>audit</option>

+              </term>

+              <listitem>

+                <para>

+                  Will log the user name into the system log if the user is not found.

+                </para>

+              </listitem>

+            </varlistentry>

+            <varlistentry>

+              <term>

+                <option>silent</option>

+              </term>

+              <listitem>

+                <para>

+                  Don't print informative messages to the user. Please note that when

+                  this option is not used there will be difference in the authentication

+                  behavior for users which exist on the system and non-existing users.

+                </para>

+              </listitem>

+            </varlistentry>

+            <varlistentry>

+              <term>

+                <option>no_log_info</option>

+              </term>

+              <listitem>

+                <para>

+                  Don't log informative messages via <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>.

+                </para>

+              </listitem>

+            </varlistentry>

+            <varlistentry>

+              <term>

+                <option>local_users_only</option>

+              </term>

+              <listitem>

+                <para>

+                  Only track failed user authentications attempts for local users

+                  in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users.

+                  The <citerefentry><refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum></citerefentry>

+                  command will also no longer track user failed

+                  authentication attempts. Enabling this option will prevent a

+                  double-lockout scenario where a user is locked out locally and

+                  in the centralized mechanism.

+                </para>

+              </listitem>

+            </varlistentry>

+            <varlistentry>

+              <term>

+                <option>deny=<replaceable>n</replaceable></option>

+              </term>

+              <listitem>

+                <para>

+                  Deny access if the number of consecutive authentication failures

+                  for this user during the recent interval exceeds

+                  <replaceable>n</replaceable>. The default is 3.

+                </para>

+              </listitem>

+            </varlistentry>

+            <varlistentry>

+              <term>

+                <option>fail_interval=<replaceable>n</replaceable></option>

+              </term>

+              <listitem>

+                <para>

+                  The length of the interval during which the consecutive

+                  authentication failures must happen for the user account

+                  lock out is <replaceable>n</replaceable> seconds.

+                  The default is 900 (15 minutes).

+                </para>

+              </listitem>

+            </varlistentry>

+            <varlistentry>

+              <term>

+                <option>unlock_time=<replaceable>n</replaceable></option>

+              </term>

+              <listitem>

+                <para>

+                  The access will be reenabled after

+                  <replaceable>n</replaceable> seconds after the lock out.

+                  The value 0 has the same meaning as value

+                  <emphasis>never</emphasis> - the access

+                  will not be reenabled without resetting the faillock

+                  entries by the <citerefentry><refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum></citerefentry> command.

+                  The default is 600 (10 minutes).

+                </para>

+                <para>

+                  Note that the default directory that <emphasis>pam_faillock</emphasis>

+                  uses is usually cleared on system boot so the access will be also reenabled

+                  after system reboot. If that is undesirable a different tally directory

+                  must be set with the <option>dir</option> option.

+                </para>

+                <para>

+                  Also note that it is usually undesirable to permanently lock

+                  out the users as they can become easily a target of denial of service

+                  attack unless the usernames are random and kept secret to potential

+                  attackers.

+                </para>

+              </listitem>

+            </varlistentry>

+            <varlistentry>

+              <term>

+                <option>even_deny_root</option>

+              </term>

+              <listitem>

+                <para>

+                  Root account can become locked as well as regular accounts.

+                </para>

+              </listitem>

+            </varlistentry>

+            <varlistentry>

+              <term>

+                <option>root_unlock_time=<replaceable>n</replaceable></option>

+              </term>

+              <listitem>

+                <para>

+                  This option implies <option>even_deny_root</option> option.

+                  Allow access after <replaceable>n</replaceable> seconds

+                  to root account after the account is locked. In case the

+                  option is not specified the value is the same as of the

+                  <option>unlock_time</option> option.

+                </para>

+              </listitem>

+            </varlistentry>

+            <varlistentry>

+              <term>

+                <option>admin_group=<replaceable>name</replaceable></option>

+              </term>

+              <listitem>

+                <para>

+                  If a group name is specified with this option, members

+                  of the group will be handled by this module the same as

+                  the root account (the options <option>even_deny_root</option>

+                  and <option>root_unlock_time</option> will apply to them.

+                  By default the option is not set.

+                </para>

+              </listitem>

+            </varlistentry>

+        </variablelist>

+  </refsect1>

+

+  <refsect1 id='faillock.conf-examples'>

+    <title>EXAMPLES</title>

+    <para>

+      /etc/security/faillock.conf file example:

+    </para>

+    <programlisting>

+deny=4

+unlock_time=1200

+silent

+    </programlisting>

+  </refsect1>

+

+  <refsect1 id="faillock.conf-files">

+    <title>FILES</title>

+    <variablelist>

+      <varlistentry>

+        <term><filename>/etc/security/faillock.conf</filename></term>

+        <listitem>

+          <para>the config file for custom options</para>

+        </listitem>

+      </varlistentry>

+    </variablelist>

+  </refsect1>

+

+  <refsect1 id='faillock.conf-see_also'>

+    <title>SEE ALSO</title>

+    <para>

+      <citerefentry>

+        <refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum>

+      </citerefentry>,

+      <citerefentry>

+        <refentrytitle>pam_faillock</refentrytitle><manvolnum>8</manvolnum>

+      </citerefentry>,

+      <citerefentry>

+        <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>

+      </citerefentry>,

+      <citerefentry>

+        <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>

+      </citerefentry>,

+      <citerefentry>

+        <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>

+      </citerefentry>

+    </para>

+  </refsect1>

+

+  <refsect1 id='faillock.conf-author'>

+    <title>AUTHOR</title>

+      <para>

+        pam_faillock was written by Tomas Mraz. The support for faillock.conf was written by Brian Ward.

+      </para>

+  </refsect1>

+

+</refentry>

diff -up Linux-PAM-1.3.1/modules/pam_faillock/faillock.conf.faillock-update Linux-PAM-1.3.1/modules/pam_faillock/faillock.conf

--- Linux-PAM-1.3.1/modules/pam_faillock/faillock.conf.faillock-update	2019-10-16 17:34:50.607405060 +0200

+++ Linux-PAM-1.3.1/modules/pam_faillock/faillock.conf	2019-10-16 16:26:05.000000000 +0200

@@ -0,0 +1,62 @@

+# Configuration for locking the user after multiple failed

+# authentication attempts.

+#

+# The directory where the user files with the failure records are kept.

+# The default is /var/run/faillock.

+# dir = /var/run/faillock

+#

+# Will log the user name into the system log if the user is not found.

+# Enabled if option is present.

+# audit

+#

+# Don't print informative messages.

+# Enabled if option is present.

+# silent

+#

+# Don't log informative messages via syslog.

+# Enabled if option is present.

+# no_log_info

+#

+# Only track failed user authentications attempts for local users

+# in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users.

+# The `faillock` command will also no longer track user failed

+# authentication attempts. Enabling this option will prevent a

+# double-lockout scenario where a user is locked out locally and

+# in the centralized mechanism.

+# Enabled if option is present.

+# local_users_only

+#

+# Deny access if the number of consecutive authentication failures

+# for this user during the recent interval exceeds n tries.

+# The default is 3.

+# deny = 3

+#

+# The length of the interval during which the consecutive

+# authentication failures must happen for the user account

+# lock out is <replaceable>n</replaceable> seconds.

+# The default is 900 (15 minutes).

+# fail_interval = 900

+#

+# The access will be reenabled after n seconds after the lock out.

+# The value 0 has the same meaning as value `never` - the access

+# will not be reenabled without resetting the faillock

+# entries by the `faillock` command.

+# The default is 600 (10 minutes).

+# unlock_time = 600

+#

+# Root account can become locked as well as regular accounts.

+# Enabled if option is present.

+# even_deny_root

+#

+# This option implies the `even_deny_root` option.

+# Allow access after n seconds to root account after the

+# account is locked. In case the option is not specified

+# the value is the same as of the `unlock_time` option.

+# root_unlock_time = 900

+#

+# If a group name is specified with this option, members

+# of the group will be handled by this module the same as

+# the root account (the options `even_deny_root>` and

+# `root_unlock_time` will apply to them.

+# By default, the option is not set.

+# admin_group = <admin_group_name>

diff -up Linux-PAM-1.3.1/modules/pam_faillock/faillock.h.faillock-update Linux-PAM-1.3.1/modules/pam_faillock/faillock.h

--- Linux-PAM-1.3.1/modules/pam_faillock/faillock.h.faillock-update	2019-10-16 16:49:27.026893768 +0200

+++ Linux-PAM-1.3.1/modules/pam_faillock/faillock.h	2019-10-16 16:51:40.431628566 +0200

@@ -65,6 +65,7 @@ struct tally_data {

 };

 #define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock"

+#define FAILLOCK_DEFAULT_CONF "/etc/security/faillock.conf"

 int open_tally(const char *dir, const char *user, uid_t uid, int create);

 int read_tally(int fd, struct tally_data *tallies);

diff -up Linux-PAM-1.3.1/modules/pam_faillock/Makefile.am.faillock-update Linux-PAM-1.3.1/modules/pam_faillock/Makefile.am

--- Linux-PAM-1.3.1/modules/pam_faillock/Makefile.am.faillock-update	2019-10-16 16:49:27.026893768 +0200

+++ Linux-PAM-1.3.1/modules/pam_faillock/Makefile.am	2019-10-16 16:50:15.065078080 +0200

@@ -1,6 +1,6 @@

 #

 # Copyright (c) 2005, 2006, 2007, 2009 Thorsten Kukuk <kukuk@thkukuk.de>

-# Copyright (c) 2008 Red Hat, Inc.

+# Copyright (c) 2008, 2018 Red Hat, Inc.

 # Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>

 #

@@ -9,8 +9,8 @@ MAINTAINERCLEANFILES = $(MANS) README

 EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_faillock

-man_MANS = pam_faillock.8 faillock.8

-XMLS = README.xml pam_faillock.8.xml faillock.8.xml

+man_MANS = pam_faillock.8 faillock.8 faillock.conf.5

+XMLS = README.xml pam_faillock.8.xml faillock.8.xml faillock.conf.5.xml

 TESTS = tst-pam_faillock

@@ -31,6 +31,8 @@ endif

 faillock_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@

 faillock_LDADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT)

+secureconf_DATA = faillock.conf

+

 securelib_LTLIBRARIES = pam_faillock.la

 sbin_PROGRAMS = faillock

diff -up Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.8.xml.faillock-update Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.8.xml

--- Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.8.xml.faillock-update	2019-10-16 16:49:27.030893701 +0200

+++ Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.8.xml	2019-10-16 16:53:39.544606052 +0200

@@ -126,141 +126,13 @@

                 </para>

               </listitem>

             </varlistentry>

-            <varlistentry>

-              <term>

-                <option>dir=<replaceable>/path/to/tally-directory</replaceable></option>

-              </term>

-              <listitem>

-                <para>

-                  The directory where the user files with the failure records are kept. The

-                  default is <filename>/var/run/faillock</filename>.

-                </para>

-              </listitem>

-            </varlistentry>

-            <varlistentry>

-              <term>

-                <option>audit</option>

-              </term>

-              <listitem>

-                <para>

-                  Will log the user name into the system log if the user is not found.

-                </para>

-              </listitem>

-            </varlistentry>

-            <varlistentry>

-              <term>

-                <option>silent</option>

-              </term>

-              <listitem>

-                <para>

-                  Don't print informative messages. This option is implicite

-                  in the <emphasis>authfail</emphasis> and <emphasis>authsucc</emphasis>

-                  functions.

-                </para>

-              </listitem>

-            </varlistentry>

-            <varlistentry>

-              <term>

-                <option>no_log_info</option>

-              </term>

-              <listitem>

-                <para>

-                  Don't log informative messages via <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>.

-                </para>

-              </listitem>

-            </varlistentry>

-            <varlistentry>

-              <term>

-                <option>deny=<replaceable>n</replaceable></option>

-              </term>

-              <listitem>

-                <para>

-                  Deny access if the number of consecutive authentication failures

-                  for this user during the recent interval exceeds

-                  <replaceable>n</replaceable>. The default is 3.

-                </para>

-              </listitem>

-            </varlistentry>

-            <varlistentry>

-              <term>

-                <option>fail_interval=<replaceable>n</replaceable></option>

-              </term>

-              <listitem>

-                <para>

-                  The length of the interval during which the consecutive

-                  authentication failures must happen for the user account

-                  lock out is <replaceable>n</replaceable> seconds.

-                  The default is 900 (15 minutes).

-                </para>

-              </listitem>

-            </varlistentry>

-            <varlistentry>

-              <term>

-                <option>unlock_time=<replaceable>n</replaceable></option>

-              </term>

-              <listitem>

-                <para>

-                  The access will be reenabled after

-                  <replaceable>n</replaceable> seconds after the lock out.

-                  The value 0 has the same meaning as value

-                  <emphasis>never</emphasis> - the access

-                  will not be reenabled without resetting the faillock

-                  entries by the <citerefentry><refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum></citerefentry> command.

-                  The default is 600 (10 minutes).

-                </para>

-                <para>

-                  Note that the default directory that <emphasis>pam_faillock</emphasis>

-                  uses is usually cleared on system boot so the access will be also reenabled

-                  after system reboot. If that is undesirable a different tally directory

-                  must be set with the <option>dir</option> option.

-                </para>

-                <para>

-                  Also note that it is usually undesirable to permanently lock

-                  out the users as they can become easily a target of denial of service

-                  attack unless the usernames are random and kept secret to potential

-                  attackers.

-                </para>

-              </listitem>

-            </varlistentry>

-            <varlistentry>

-              <term>

-                <option>even_deny_root</option>

-              </term>

-              <listitem>

-                <para>

-                  Root account can become locked as well as regular accounts.

-                </para>

-              </listitem>

-            </varlistentry>

-            <varlistentry>

-              <term>

-                <option>root_unlock_time=<replaceable>n</replaceable></option>

-              </term>

-              <listitem>

-                <para>

-                  This option implies <option>even_deny_root</option> option.

-                  Allow access after <replaceable>n</replaceable> seconds

-                  to root account after the account is locked. In case the

-                  option is not specified the value is the same as of the

-                  <option>unlock_time</option> option.

-                </para>

-              </listitem>

-            </varlistentry>

-            <varlistentry>

-              <term>

-                <option>admin_group=<replaceable>name</replaceable></option>

-              </term>

-              <listitem>

-                <para>

-                  If a group name is specified with this option, members

-                  of the group will be handled by this module the same as

-                  the root account (the options <option>even_deny_root></option>

-                  and <option>root_unlock_time</option> will apply to them.

-                  By default the option is not set.

-                </para>

-              </listitem>

-            </varlistentry>

         </variablelist>

+        <para>

+          The options for configuring the module behavior are described in the 

+          <citerefentry><refentrytitle>faillock.conf</refentrytitle><manvolnum>5</manvolnum>

+          </citerefentry> manual page. The options specified on the module command

+          line override the values from the configuration file.

+        </para>

   </refsect1>

   <refsect1 id="pam_faillock-types">

@@ -306,19 +178,23 @@

   <refsect1 id='pam_faillock-notes'>

     <title>NOTES</title>

     <para>

-      <emphasis>pam_faillock</emphasis> setup in the PAM stack is different

+      Configuring options on the module command line is not recommend. The

+      <emphasis>/etc/security/faillock.conf</emphasis> should be used instead.

+    </para>

+    <para>

+      The setup of <emphasis>pam_faillock</emphasis> in the PAM stack is different

       from the <emphasis>pam_tally2</emphasis> module setup.

     </para>

     <para>

-      The individual files with the failure records are created as owned by

+      Individual files with the failure records are created as owned by

       the user. This allows <emphasis remap='B'>pam_faillock.so</emphasis> module

       to work correctly when it is called from a screensaver.

     </para>

     <para>

       Note that using the module in <option>preauth</option> without the

-      <option>silent</option> option or with <emphasis>requisite</emphasis>

-      control field leaks an information about existence or

-      non-existence of an user account in the system because

+      <option>silent</option> option specified in <filename>/etc/security/faillock.conf</filename>

+      or with <emphasis>requisite</emphasis> control field leaks an information about

+      existence or non-existence of an user account in the system because

       the failures are not recorded for the unknown users. The message

       about the user account being locked is never displayed for nonexisting

       user accounts allowing the adversary to infer that a particular account

@@ -341,15 +217,26 @@

       be added to tell the user that his login is blocked by the module and also to abort

       the authentication without even asking for password in such case.

     </para>

+    <para>

+      /etc/security/faillock.conf file example:

+    </para>

+    <programlisting>

+deny=4

+unlock_time=1200

+silent

+    </programlisting>

+    <para>

+      /etc/pam.d/config file example:

+    </para>

     <programlisting>

 auth     required       pam_securetty.so

 auth     required       pam_env.so

 auth     required       pam_nologin.so

-# optionally call: auth requisite pam_faillock.so preauth deny=4 even_deny_root unlock_time=1200

+# optionally call: auth requisite pam_faillock.so preauth

 # to display the message about account being locked

 auth     [success=1 default=bad] pam_unix.so

-auth     [default=die]  pam_faillock.so authfail deny=4 even_deny_root unlock_time=1200

-auth     sufficient     pam_faillock.so authsucc deny=4 even_deny_root unlock_time=1200

+auth     [default=die]  pam_faillock.so authfail

+auth     sufficient     pam_faillock.so authsucc

 auth     required       pam_deny.so

 account  required       pam_unix.so

 password required       pam_unix.so shadow

@@ -361,17 +248,18 @@ session  required       pam_selinux.so o

     <para>

       In the second example the module is called both in the <emphasis>auth</emphasis>

       and <emphasis>account</emphasis> phases and the module gives the authenticating

-      user message when the account is locked 

+      user message when the account is locked if <option>silent</option> option is not

+      specified in the <filename>faillock.conf</filename>.

     </para>

     <programlisting>

 auth     required       pam_securetty.so

 auth     required       pam_env.so

 auth     required       pam_nologin.so

-auth     required       pam_faillock.so preauth silent deny=4 even_deny_root unlock_time=1200

+auth     required       pam_faillock.so preauth

 # optionally use requisite above if you do not want to prompt for the password

-# on locked accounts, possibly with removing the silent option as well

+# on locked accounts

 auth     sufficient     pam_unix.so

-auth     [default=die]  pam_faillock.so authfail deny=4 even_deny_root unlock_time=1200

+auth     [default=die]  pam_faillock.so authfail

 auth     required       pam_deny.so

 account  required       pam_faillock.so

 # if you drop the above call to pam_faillock.so the lock will be done also

@@ -394,6 +282,12 @@ session  required       pam_selinux.so o

           <para>the files logging the authentication failures for users</para>

         </listitem>

       </varlistentry>

+      <varlistentry>

+        <term><filename>/etc/security/faillock.conf</filename></term>

+        <listitem>

+          <para>the config file for pam_faillock options</para>

+        </listitem>

+      </varlistentry>

     </variablelist>

   </refsect1>

@@ -404,6 +298,9 @@ session  required       pam_selinux.so o

         <refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum>

       </citerefentry>,

       <citerefentry>

+        <refentrytitle>faillock.conf</refentrytitle><manvolnum>5</manvolnum>

+      </citerefentry>,

+      <citerefentry>

         <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>

       </citerefentry>,

       <citerefentry>

diff -up Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.c.faillock-update Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.c

--- Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.c.faillock-update	2019-10-16 16:49:27.030893701 +0200

+++ Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.c	2019-12-16 17:55:11.403270018 +0100

@@ -1,5 +1,6 @@

 /*

- * Copyright (c) 2010, 2017 Tomas Mraz <tmraz@redhat.com>

+ * Copyright (c) 2010, 2017, 2019 Tomas Mraz <tmraz@redhat.com>

+ * Copyright (c) 2010, 2017, 2019 Red Hat, Inc.

  *

  * Redistribution and use in source and binary forms, with or without

  * modification, are permitted provided that the following conditions

@@ -43,6 +44,7 @@

 #include <time.h>

 #include <pwd.h>

 #include <syslog.h>

+#include <ctype.h>

 #ifdef HAVE_LIBAUDIT

 #include <libaudit.h>

@@ -66,8 +68,14 @@

 #define FAILLOCK_FLAG_SILENT		0x4

 #define FAILLOCK_FLAG_NO_LOG_INFO	0x8

 #define FAILLOCK_FLAG_UNLOCKED		0x10

+#define FAILLOCK_FLAG_LOCAL_ONLY	0x20

 #define MAX_TIME_INTERVAL 604800 /* 7 days */

+#define FAILLOCK_CONF_MAX_LINELEN 1023

+#define FAILLOCK_ERROR_CONF_OPEN -3

+#define FAILLOCK_ERROR_CONF_MALFORMED -4

+

+#define PATH_PASSWD "/etc/passwd"

 struct options {

 	unsigned int action;

@@ -76,117 +84,295 @@ struct options {

 	unsigned int fail_interval;

 	unsigned int unlock_time;

 	unsigned int root_unlock_time;

-	const char *dir;

+	char *dir;

+	const char *conf;

 	const char *user;

-	const char *admin_group;

+	char *admin_group;

 	int failures;

 	uint64_t latest_time;

 	uid_t uid;

 	int is_admin;

 	uint64_t now;

+	int fatal_error;

 };

+int read_config_file(

+	pam_handle_t *pamh,

+	struct options *opts,

+	const char *cfgfile

+);

+

+void set_conf_opt(

+	pam_handle_t *pamh,

+	struct options *opts,

+	const char *name,