diff --git a/SOURCES/pam-1.1.8-access-update.patch b/SOURCES/pam-1.1.8-access-update.patch new file mode 100644 index 0000000..4a4b0a4 --- /dev/null +++ b/SOURCES/pam-1.1.8-access-update.patch 
@@ -0,0 +1,392 @@ +diff -up Linux-PAM-1.1.8/modules/pam_access/access.conf.access-update Linux-PAM-1.1.8/modules/pam_access/access.conf +--- Linux-PAM-1.1.8/modules/pam_access/access.conf.access-update 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_access/access.conf 2017-09-08 14:06:16.420102221 +0200 +@@ -18,7 +18,7 @@ + # pam_access with X applications that provide PAM_TTY values that are + # the display variable like "host:0".] + # +-# permission : users : origins ++# permission:users:origins + # + # The first field should be a "+" (access granted) or "-" (access denied) + # character. +@@ -79,44 +79,44 @@ + ############################################################################## + # + # User "root" should be allowed to get access via cron .. tty5 tty6. +-#+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6 ++#+:root:cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6 + # + # User "root" should be allowed to get access from hosts with ip addresses. +-#+ : root : 192.168.200.1 192.168.200.4 192.168.200.9 +-#+ : root : 127.0.0.1 ++#+:root:192.168.200.1 192.168.200.4 192.168.200.9 ++#+:root:127.0.0.1 + # + # User "root" should get access from network 192.168.201. + # This term will be evaluated by string matching. + # comment: It might be better to use network/netmask instead. + # The same is 192.168.201.0/24 or 192.168.201.0/255.255.255.0 +-#+ : root : 192.168.201. ++#+:root:192.168.201. + # + # User "root" should be able to have access from domain. + # Uses string matching also. +-#+ : root : .foo.bar.org ++#+:root:.foo.bar.org + # + # User "root" should be denied to get access from all other sources. +-#- : root : ALL ++#-:root:ALL + # + # User "foo" and members of netgroup "nis_group" should be + # allowed to get access from all sources. + # This will only work if netgroup service is available. 
+-#+ : @nis_group foo : ALL ++#+:@nis_group foo:ALL + # + # User "john" should get access from ipv4 net/mask +-#+ : john : 127.0.0.0/24 ++#+:john:127.0.0.0/24 + # + # User "john" should get access from ipv4 as ipv6 net/mask +-#+ : john : ::ffff:127.0.0.0/127 ++#+:john:::ffff:127.0.0.0/127 + # + # User "john" should get access from ipv6 host address +-#+ : john : 2001:4ca0:0:101::1 ++#+:john:2001:4ca0:0:101::1 + # + # User "john" should get access from ipv6 host address (same as above) +-#+ : john : 2001:4ca0:0:101:0:0:0:1 ++#+:john:2001:4ca0:0:101:0:0:0:1 + # + # User "john" should get access from ipv6 net/mask +-#+ : john : 2001:4ca0:0:101::/64 ++#+:john:2001:4ca0:0:101::/64 + # + # All other users should be denied to get access from all sources. +-#- : ALL : ALL ++#-:ALL:ALL +diff -up Linux-PAM-1.1.8/modules/pam_access/access.conf.5.xml.access-update Linux-PAM-1.1.8/modules/pam_access/access.conf.5.xml +--- Linux-PAM-1.1.8/modules/pam_access/access.conf.5.xml.access-update 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_access/access.conf.5.xml 2017-09-08 14:05:41.126320653 +0200 +@@ -21,8 +21,12 @@ + <para> + The <filename>/etc/security/access.conf</filename> file specifies + (<replaceable>user/group</replaceable>, <replaceable>host</replaceable>), +- (<replaceable>user/group</replaceable>, <replaceable>network/netmask</replaceable>) or +- (<replaceable>user/group</replaceable>, <replaceable>tty</replaceable>) ++ (<replaceable>user/group</replaceable>, <replaceable>network/netmask</replaceable>), ++ (<replaceable>user/group</replaceable>, <replaceable>tty</replaceable>), ++ (<replaceable>user/group</replaceable>, ++ <replaceable>X-$DISPLAY-value</replaceable>), or ++ (<replaceable>user/group</replaceable>, ++ <replaceable>pam-service-name</replaceable>) + combinations for which a login will be either accepted or refused. 
+ </para> + <para> +@@ -33,7 +37,14 @@ + combination, or, in case of non-networked logins, the first entry + that matches the + (<replaceable>user/group</replaceable>, <replaceable>tty</replaceable>) +- combination. The permissions field of that table entry determines ++ combination, or in the case of non-networked logins without a ++ tty, the first entry that matches the ++ (<replaceable>user/group</replaceable>, ++ <replaceable>X-$DISPLAY-value</replaceable>) or ++ (<replaceable>user/group</replaceable>, ++ <replaceable>pam-service-name/</replaceable>) ++ combination. The permissions field of that table entry ++ determines + whether the login will be accepted or refused. + </para> + +@@ -65,14 +76,27 @@ + <para> + The third field, the <replaceable>origins</replaceable> + field, should be a list of one or more tty names (for non-networked +- logins), host names, domain names (begin with "."), host addresses, ++ logins), X <varname>$DISPLAY</varname> values or PAM service ++ names (for non-networked logins without a tty), host names, ++ domain names (begin with "."), host addresses, + internet network numbers (end with "."), internet network addresses + with network mask (where network mask can be a decimal number or an + internet address also), <emphasis>ALL</emphasis> (which always matches) +- or <emphasis>LOCAL</emphasis>. <emphasis>LOCAL</emphasis> +- keyword matches if and only if the <emphasis>PAM_RHOST</emphasis> is +- not set and <origin> field is thus set from +- <emphasis>PAM_TTY</emphasis> or <emphasis>PAM_SERVICE</emphasis>". ++ or <emphasis>LOCAL</emphasis>. 
The <emphasis>LOCAL</emphasis> ++ keyword matches if and only if ++ <citerefentry><refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum></citerefentry>, ++ when called with an <parameter>item_type</parameter> of ++ <emphasis>PAM_RHOST</emphasis>, returns <code>NULL</code> or an ++ empty string (and therefore the ++ <replaceable>origins</replaceable> field is compared against the ++ return value of ++ <citerefentry><refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum></citerefentry> ++ called with an <parameter>item_type</parameter> of ++ <emphasis>PAM_TTY</emphasis> or, absent that, ++ <emphasis>PAM_SERVICE</emphasis>). ++ </para> ++ ++ <para> + If supported by the system you can use + <emphasis>@netgroupname</emphasis> in host or user patterns. The + <emphasis>@@netgroupname</emphasis> syntax is supported in the user +@@ -115,7 +139,7 @@ + <emphasis>tty1</emphasis>, ..., <emphasis>tty5</emphasis>, + <emphasis>tty6</emphasis>. + </para> +- <para>+ : root : crond :0 tty1 tty2 tty3 tty4 tty5 tty6</para> ++ <para>+:root:crond :0 tty1 tty2 tty3 tty4 tty5 tty6</para> + + <para> + User <emphasis>root</emphasis> should be allowed to get access from +@@ -123,8 +147,8 @@ + connection have to be a IPv4 one, a IPv6 connection from a host with + one of this IPv4 addresses does work, too. + </para> +- <para>+ : root : 192.168.200.1 192.168.200.4 192.168.200.9</para> +- <para>+ : root : 127.0.0.1</para> ++ <para>+:root:192.168.200.1 192.168.200.4 192.168.200.9</para> ++ <para>+:root:127.0.0.1</para> + + <para> + User <emphasis>root</emphasis> should get access from network +@@ -134,44 +158,44 @@ + <emphasis>192.168.201.0/24</emphasis> or + <emphasis>192.168.201.0/255.255.255.0</emphasis>. 
+ </para> +- <para>+ : root : 192.168.201.</para> ++ <para>+:root:192.168.201.</para> + + <para> + User <emphasis>root</emphasis> should be able to have access from hosts + <emphasis>foo1.bar.org</emphasis> and <emphasis>foo2.bar.org</emphasis> + (uses string matching also). + </para> +- <para>+ : root : foo1.bar.org foo2.bar.org</para> ++ <para>+:root:foo1.bar.org foo2.bar.org</para> + + <para> + User <emphasis>root</emphasis> should be able to have access from + domain <emphasis>foo.bar.org</emphasis> (uses string matching also). + </para> +- <para>+ : root : .foo.bar.org</para> ++ <para>+:root:.foo.bar.org</para> + + <para> + User <emphasis>root</emphasis> should be denied to get access + from all other sources. + </para> +- <para>- : root : ALL</para> ++ <para>-:root:ALL</para> + + <para> + User <emphasis>foo</emphasis> and members of netgroup + <emphasis>admins</emphasis> should be allowed to get access + from all sources. This will only work if netgroup service is available. + </para> +- <para>+ : @admins foo : ALL</para> ++ <para>+:@admins foo:ALL</para> + + <para> + User <emphasis>john</emphasis> and <emphasis>foo</emphasis> + should get access from IPv6 host address. + </para> +- <para>+ : john foo : 2001:db8:0:101::1</para> ++ <para>+:john foo:2001:db8:0:101::1</para> + + <para> + User <emphasis>john</emphasis> should get access from IPv6 net/mask. + </para> +- <para>+ : john : 2001:db8:0:101::/64</para> ++ <para>+:john:2001:db8:0:101::/64</para> + + <para> + Disallow console logins to all but the shutdown, sync and all +@@ -182,10 +206,22 @@ + <para> + All other users should be denied to get access from all sources. + </para> +- <para>- : ALL : ALL</para> ++ <para>-:ALL:ALL</para> + + </refsect1> + ++ <refsect1 id="access.conf-notes"> ++ <title>NOTES</title> ++ <para> ++ The default separators of list items in a field are space, ',', and tabulator ++ characters. 
Thus conveniently if spaces are put at the beginning and the end of ++ the fields they are ignored. However if the list separator is changed with the ++ <emphasis>listsep</emphasis> option, the spaces will become part of the actual ++ item and the line will be most probably ignored. For this reason, it is not ++ recommended to put spaces around the ':' characters. ++ </para> ++ </refsect1> ++ + <refsect1 id="access.conf-see_also"> + <title>SEE ALSO</title> + <para> +diff -up Linux-PAM-1.1.8/modules/pam_access/Makefile.am.access-update Linux-PAM-1.1.8/modules/pam_access/Makefile.am +--- Linux-PAM-1.1.8/modules/pam_access/Makefile.am.access-update 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_access/Makefile.am 2017-09-08 14:10:47.223163175 +0200 +@@ -15,7 +15,8 @@ securelibdir = $(SECUREDIR) + secureconfdir = $(SCONFIGDIR) + + AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ +- -DPAM_ACCESS_CONFIG=\"$(SCONFIGDIR)/access.conf\" $(NIS_CFLAGS) ++ -DPAM_ACCESS_CONFIG=\"$(SCONFIGDIR)/access.conf\" \ ++ -DACCESS_CONF_GLOB=\"$(SCONFIGDIR)/access.d/*.conf\" $(NIS_CFLAGS) + AM_LDFLAGS = -no-undefined -avoid-version -module + if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +diff -up Linux-PAM-1.1.8/modules/pam_access/pam_access.c.access-update Linux-PAM-1.1.8/modules/pam_access/pam_access.c +--- Linux-PAM-1.1.8/modules/pam_access/pam_access.c.access-update 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_access/pam_access.c 2017-09-08 14:03:45.620762824 +0200 +@@ -44,6 +44,7 @@ + #include <arpa/inet.h> + #include <netdb.h> + #include <sys/socket.h> ++#include <glob.h> + #ifdef HAVE_RPCSVC_YPCLNT_H + #include <rpcsvc/ypclnt.h> + #endif +@@ -90,6 +91,7 @@ + #define ALL 2 + #define YES 1 + #define NO 0 ++#define NOMATCH -1 + + /* + * A structure to bundle up all login-related information to keep the +@@ -412,13 +414,17 @@ login_access (pam_handle_t *pamh, struct + return NO; + 
} + #ifdef HAVE_LIBAUDIT +- if (!item->noaudit && line[0] == '-' && (match == YES || (match == ALL && +- nonall_match == YES))) { ++ if (!item->noaudit && (match == YES || (match == ALL && ++ nonall_match == YES)) && line[0] == '-') { + pam_modutil_audit_write(pamh, AUDIT_ANOM_LOGIN_LOCATION, + "pam_access", 0); + } + #endif +- return (match == NO || (line[0] == '+')); ++ if (match == NO) ++ return NOMATCH; ++ if (line[0] == '+') ++ return YES; ++ return NO; + } + + +@@ -524,7 +530,9 @@ user_match (pam_handle_t *pamh, char *to + /* Try to split on a pattern (@*[^@]+)(@+.*) */ + for (at = tok; *at == '@'; ++at); + +- if ((at = strchr(at, '@')) != NULL) { ++ if (tok[0] == '(' && tok[strlen(tok) - 1] == ')') { ++ return (group_match (pamh, tok, string, item->debug)); ++ } else if ((at = strchr(at, '@')) != NULL) { + /* split user@host pattern */ + if (item->hostname == NULL) + return NO; +@@ -549,9 +557,7 @@ user_match (pam_handle_t *pamh, char *to + hostname = item->hostname; + } + return (netgroup_match (pamh, tok + 1, hostname, string, item->debug)); +- } else if (tok[0] == '(' && tok[strlen(tok) - 1] == ')') +- return (group_match (pamh, tok, string, item->debug)); +- else if ((rv=string_match (pamh, tok, string, item->debug)) != NO) /* ALL or exact match */ ++ } else if ((rv=string_match (pamh, tok, string, item->debug)) != NO) /* ALL or exact match */ + return rv; + else if (item->only_new_group_syntax == NO && + pam_modutil_user_in_group_nam_nam (pamh, +@@ -573,7 +579,7 @@ group_match (pam_handle_t *pamh, const c + + if (debug) + pam_syslog (pamh, LOG_DEBUG, +- "group_match: grp=%s, user=%s", grptok, usr); ++ "group_match: grp=%s, user=%s", tok, usr); + + if (strlen(tok) < 3) + return NO; +@@ -808,6 +814,7 @@ pam_sm_authenticate (pam_handle_t *pamh, + const char *user=NULL; + const void *void_from=NULL; + const char *from; ++ const char const *default_config = PAM_ACCESS_CONFIG; + struct passwd *user_pw; + char hostname[MAXHOSTNAMELEN + 1]; + int rv; +@@ -829,7 
+836,7 @@ pam_sm_authenticate (pam_handle_t *pamh, + */ + memset(&loginfo, '\0', sizeof(loginfo)); + loginfo.user = user_pw; +- loginfo.config_file = PAM_ACCESS_CONFIG; ++ loginfo.config_file = default_config; + + /* parse the argument list */ + +@@ -900,6 +907,26 @@ pam_sm_authenticate (pam_handle_t *pamh, + + rv = login_access(pamh, &loginfo); + ++ if (rv == NOMATCH && loginfo.config_file == default_config) { ++ glob_t globbuf; ++ int i, glob_rv; ++ ++ /* We do not manipulate locale as setlocale() is not ++ * thread safe. We could use uselocale() in future. ++ */ ++ glob_rv = glob(ACCESS_CONF_GLOB, GLOB_ERR, NULL, &globbuf); ++ if (!glob_rv) { ++ /* Parse the *.conf files. */ ++ for (i = 0; globbuf.gl_pathv[i] != NULL; i++) { ++ loginfo.config_file = globbuf.gl_pathv[i]; ++ rv = login_access(pamh, &loginfo); ++ if (rv != NOMATCH) ++ break; ++ } ++ globfree(&globbuf); ++ } ++ } ++ + if (loginfo.gai_rv == 0 && loginfo.res) + freeaddrinfo(loginfo.res); + +diff -up Linux-PAM-1.1.8/modules/pam_access/pam_access.8.xml.access-update Linux-PAM-1.1.8/modules/pam_access/pam_access.8.xml +--- Linux-PAM-1.1.8/modules/pam_access/pam_access.8.xml.access-update 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_access/pam_access.8.xml 2017-09-08 14:04:25.365642960 +0200 +@@ -50,16 +50,25 @@ + The pam_access PAM module is mainly for access management. + It provides logdaemon style login access control based on login + names, host or domain names, internet addresses or network numbers, +- or on terminal line names in case of non-networked logins. ++ or on terminal line names, X <varname>$DISPLAY</varname> values, ++ or PAM service names in case of non-networked logins. + </para> + <para> + By default rules for access management are taken from config file + <filename>/etc/security/access.conf</filename> if you don't specify + another file. 
++ Then individual <filename>*.conf</filename> files from the ++ <filename>/etc/security/access.d/</filename> directory are read. ++ The files are parsed one after another in the order of the system locale. ++ The effect of the individual files is the same as if all the files were ++ concatenated together in the order of parsing. This means that once ++ a pattern is matched in some file no further files are parsed. ++ If a config file is explicitly specified with the <option>accessfile</option> ++ option the files in the above directory are not parsed. + </para> + <para> + If Linux PAM is compiled with audit support the module will report +- when it denies access based on origin (host or tty). ++ when it denies access based on origin (host, tty, etc.). + </para> + </refsect1> + diff --git a/SOURCES/pam-1.1.8-faillock-admin-group.patch b/SOURCES/pam-1.1.8-faillock-admin-group.patch new file mode 100644 index 0000000..76be07a --- /dev/null +++ b/SOURCES/pam-1.1.8-faillock-admin-group.patch 
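Review bot: After the glob loop in pam_sm_authenticate, `loginfo.config_file` still points at `globbuf.gl_pathv[i]` when `globfree(&globbuf)` runs, so any later read of that field (an error message naming the config file, for instance) would dereference freed memory; resetting it with `loginfo.config_file = default_config;` immediately before the `globfree` call closes that off. The declaration `const char const *default_config` repeats the qualifier on the pointee, while the comparison `loginfo.config_file == default_config` suggests the pointer itself was meant to be immutable, i.e. `const char * const default_config = PAM_ACCESS_CONFIG;`. The new NOMATCH (-1) result from login_access is only correct if the code consuming `rv` after this hunk treats every non-zero value as "allow", which presumably matches the pre-existing check in this function; a comment on the new define such as `#define NOMATCH -1 /* no rule matched: callers treat non-zero as access granted */` would make that dependency explicit. The tail of pam_sm_authenticate lies outside the hunk.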
@@ -0,0 +1,151 @@ +diff -up Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c.admin-group Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c +--- Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c.admin-group 2016-04-22 15:25:57.673445386 +0200 ++++ Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c 2017-09-08 14:39:47.411306464 +0200 +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com> ++ * Copyright (c) 2010, 2017 Tomas Mraz <tmraz@redhat.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions +@@ -78,9 +78,11 @@ struct options { + unsigned int root_unlock_time; + const char *dir; + const char *user; ++ const char *admin_group; + int failures; + uint64_t latest_time; + uid_t uid; ++ int is_admin; + uint64_t now; + }; + +@@ -152,6 +154,9 @@ args_parse(pam_handle_t *pamh, int argc, + opts->root_unlock_time = temp; + } + } ++ else if (strncmp(argv[i], "admin_group=", 12) == 0) { ++ opts->admin_group = argv[i] + 12; ++ } + else if (strcmp(argv[i], "preauth") == 0) { + opts->action = FAILLOCK_ACTION_PREAUTH; + } +@@ -209,6 +214,17 @@ static int get_pam_user(pam_handle_t *pa + } + opts->user = user; + opts->uid = pwd->pw_uid; ++ ++ if (pwd->pw_uid == 0) { ++ opts->is_admin = 1; ++ return PAM_SUCCESS; ++ } ++ ++ if (opts->admin_group && *opts->admin_group) { ++ opts->is_admin = pam_modutil_user_in_group_uid_nam(pamh, ++ pwd->pw_uid, opts->admin_group); ++ } ++ + return PAM_SUCCESS; + } + +@@ -239,7 +255,7 @@ check_tally(pam_handle_t *pamh, struct o + return PAM_SYSTEM_ERR; + } + +- if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { ++ if (opts->is_admin && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { + return PAM_SUCCESS; + } + +@@ -262,17 +278,14 @@ check_tally(pam_handle_t *pamh, struct o + + opts->failures = failures; + +- if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { +- return PAM_SUCCESS; +- } +- + if 
(opts->deny && failures >= opts->deny) { +- if ((opts->uid && opts->unlock_time && latest_time + opts->unlock_time < opts->now) || +- (!opts->uid && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) { ++ if ((!opts->is_admin && opts->unlock_time && latest_time + opts->unlock_time < opts->now) || ++ (opts->is_admin && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) { + #ifdef HAVE_LIBAUDIT + if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */ + char buf[64]; + int audit_fd; ++ const void *rhost = NULL, *tty = NULL; + + audit_fd = audit_open(); + /* If there is an error & audit support is in the kernel report error */ +@@ -280,9 +293,11 @@ check_tally(pam_handle_t *pamh, struct o + errno == EAFNOSUPPORT)) + return PAM_SYSTEM_ERR; + ++ (void)pam_get_item(pamh, PAM_TTY, &tty); ++ (void)pam_get_item(pamh, PAM_RHOST, &rhost); + snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid); + audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf, +- NULL, NULL, NULL, 1); ++ rhost, NULL, tty, 1); + } + #endif + opts->flags |= FAILLOCK_FLAG_UNLOCKED; +@@ -398,7 +413,7 @@ write_tally(pam_handle_t *pamh, struct o + audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf, + NULL, NULL, NULL, 1); + +- if (opts->uid != 0 || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { ++ if (!opts->is_admin || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { + audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf, + NULL, NULL, NULL, 1); + } +@@ -422,11 +437,11 @@ faillock_message(pam_handle_t *pamh, str + int64_t left; + + if (!(opts->flags & FAILLOCK_FLAG_SILENT)) { +- if (opts->uid) { +- left = opts->latest_time + opts->unlock_time - opts->now; ++ if (opts->is_admin) { ++ left = opts->latest_time + opts->root_unlock_time - opts->now; + } + else { +- left = opts->latest_time + opts->root_unlock_time - opts->now; ++ left = opts->latest_time + opts->unlock_time - opts->now; + } + + if (left > 0) { 
+diff -up Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml.admin-group Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml +--- Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml.admin-group 2016-04-28 16:43:14.109794294 +0200 ++++ Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml 2017-09-08 14:37:33.535130222 +0200 +@@ -40,6 +40,9 @@ + root_unlock_time=<replaceable>n</replaceable> + </arg> + <arg choice="opt"> ++ admin_group=<replaceable>name</replaceable> ++ </arg> ++ <arg choice="opt"> + audit + </arg> + <arg choice="opt"> +@@ -242,6 +245,20 @@ + </para> + </listitem> + </varlistentry> ++ <varlistentry> ++ <term> ++ <option>admin_group=<replaceable>name</replaceable></option> ++ </term> ++ <listitem> ++ <para> ++ If a group name is specified with this option, members ++ of the group will be handled by this module the same as ++ the root account (the options <option>even_deny_root></option> ++ and <option>root_unlock_time</option> will apply to them. ++ By default the option is not set. ++ </para> ++ </listitem> ++ </varlistentry> + </variablelist> + </refsect1> + diff --git a/SOURCES/pam-1.1.8-man-space.patch b/SOURCES/pam-1.1.8-man-space.patch new file mode 100644 index 0000000..774e834 --- /dev/null +++ b/SOURCES/pam-1.1.8-man-space.patch @@ -0,0 +1,13 @@ +diff -up Linux-PAM-1.1.8/doc/man/pam.8.xml.space Linux-PAM-1.1.8/doc/man/pam.8.xml +--- Linux-PAM-1.1.8/doc/man/pam.8.xml.space 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/doc/man/pam.8.xml 2017-09-08 14:22:58.878416174 +0200 +@@ -48,8 +48,7 @@ + can be set by individual configuration files located in the + <filename>/etc/pam.d/</filename> directory. The presence of this + directory will cause <emphasis remap='B'>Linux-PAM</emphasis> to +- <emphasis remap='I'>ignore</emphasis> +- <filename>/etc/pam.conf</filename>. ++ <emphasis remap='I'>ignore </emphasis><filename>/etc/pam.conf</filename>. + </para> + + 
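Review bot: The new admin_group paragraph in pam_faillock.8.xml has a stray `>` inside the option tag and an unclosed parenthesis: `<option>even_deny_root></option>` should read `<option>even_deny_root</option>`, and the sentence should end `... will apply to them).`. On the C side, the non-root, no-admin_group path in get_pam_user never writes `opts->is_admin`, so the new checks in check_tally, write_tally and faillock_message rely on `struct options` being zeroed before get_pam_user runs; that initialisation is outside the hunk and worth confirming. Note also that `pam_modutil_user_in_group_uid_nam` returns 0 both for "not a member" and for a group that does not exist, so a misspelled `admin_group=` silently grants no exemption — the safe direction, but a `pam_syslog(pamh, LOG_WARNING, ...)` from args_parse when `getgrnam` cannot resolve the configured group would make that misconfiguration visible in the logs.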
diff --git a/SOURCES/pam-1.1.8-mkhomedir-inroot.patch b/SOURCES/pam-1.1.8-mkhomedir-inroot.patch new file mode 100644 index 0000000..3936de4 --- /dev/null +++ b/SOURCES/pam-1.1.8-mkhomedir-inroot.patch @@ -0,0 +1,29 @@ +diff -up Linux-PAM-1.1.8/modules/pam_mkhomedir/mkhomedir_helper.c.mkhomedir-inroot Linux-PAM-1.1.8/modules/pam_mkhomedir/mkhomedir_helper.c +--- Linux-PAM-1.1.8/modules/pam_mkhomedir/mkhomedir_helper.c.mkhomedir-inroot 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_mkhomedir/mkhomedir_helper.c 2017-11-03 10:20:59.823998481 +0100 +@@ -352,16 +352,18 @@ make_parent_dirs(char *dir, int make) + char *cp = strrchr(dir, '/'); + struct stat st; + +- if (!cp || cp == dir) ++ if (!cp) + return rc; + +- *cp = '\0'; +- if (stat(dir, &st) && errno == ENOENT) +- rc = make_parent_dirs(dir, 1); +- *cp = '/'; ++ if (cp != dir) { ++ *cp = '\0'; ++ if (stat(dir, &st) && errno == ENOENT) ++ rc = make_parent_dirs(dir, 1); ++ *cp = '/'; + +- if (rc != PAM_SUCCESS) +- return rc; ++ if (rc != PAM_SUCCESS) ++ return rc; ++ } + + if (make && mkdir(dir, 0755) && errno != EEXIST) { + pam_syslog(NULL, LOG_ERR, "unable to create directory %s: %m", dir); diff --git a/SOURCES/pam-1.1.8-translation-updates.patch b/SOURCES/pam-1.1.8-translation-updates.patch index 4c0c7f8..a0ba9aa 100644 --- a/SOURCES/pam-1.1.8-translation-updates.patch +++ b/SOURCES/pam-1.1.8-translation-updates.patch 
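Review bot: The reworked make_parent_dirs would benefit from a comment on the new `if (cp != dir)` branch stating the intent, e.g. `/* cp == dir: the parent is '/' itself, nothing above it to create; fall through and mkdir this top-level directory */`, because the previous early return made the top-level case look deliberate and a reader of the patched file cannot tell the change was intentional. The `mkdir(dir, 0755)` that follows now also runs for a top-level directory such as a missing home root; the fixed mode is presumably acceptable there but is worth stating in the same comment. The initialisation of `rc` and the function's tail lie outside the hunk.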
@@ -762,10 +762,10 @@ diff -urN a/Linux-PAM-1.1.8/po/bn_IN.po b/Linux-PAM-1.1.8/po/bn_IN.po - -#~ msgid "Would you like to enter a security context? [N] " -#~ msgstr "নিরাপত্তা সংক্রান্ত context উল্লেখ করতে ইচ্ছুক কি? [N] " -diff -urN a/Linux-PAM-1.1.8/po/pt_BR.po b/Linux-PAM-1.1.8/po/pt_BR.po ---- a/Linux-PAM-1.1.8/po/pt_BR.po 2013-11-28 17:24:14.193596625 +0530 -+++ b/Linux-PAM-1.1.8/po/pt_BR.po 2013-11-28 17:27:02.137118305 +0530 -@@ -1,315 +1,335 @@ +diff -up a/Linux-PAM-1.1.8/po/pt_BR.po.translations b/Linux-PAM-1.1.8/po/pt_BR.po +--- a/Linux-PAM-1.1.8/po/pt_BR.po.translations 2013-09-19 10:02:24.000000000 +0200 ++++ b/Linux-PAM-1.1.8/po/pt_BR.po 2017-09-08 14:14:24.857295156 +0200 +@@ -1,516 +1,546 @@ # SOME DESCRIPTIVE TITLE. # Copyright (C) YEAR Linux-PAM Project # This file is distributed under the same license as the PACKAGE package. @@ -1181,15 +1181,18 @@ diff -urN a/Linux-PAM-1.1.8/po/pt_BR.po b/Linux-PAM-1.1.8/po/pt_BR.po #, c-format msgid "There was %d failed login attempt since the last successful login." msgid_plural "" -@@ -318,199 +338,209 @@ - msgstr[1] "Houveram %d falhas de login desde o último login bem sucedido." + "There were %d failed login attempts since the last successful login." + msgstr[0] "Houve %d falhas de login desde o último login bem sucedido." +-msgstr[1] "Houveram %d falhas de login desde o último login bem sucedido." ++msgstr[1] "Houve %d falhas de login desde o último login bem sucedido." #. TRANSLATORS: only used if dngettext is not supported -#: modules/pam_lastlog/pam_lastlog.c:548 +#: .././modules/pam_lastlog/pam_lastlog.c:548 #, c-format msgid "There were %d failed login attempts since the last successful login." - msgstr "Houveram %d falhas de login desde o último login bem sucedido." +-msgstr "Houveram %d falhas de login desde o último login bem sucedido." ++msgstr "Houve %d falhas de login desde o último login bem sucedido." -#: modules/pam_limits/pam_limits.c:1079 +#: .././modules/pam_limits/pam_limits.c:1079 
diff --git a/SOURCES/pam-1.1.8-tty-audit-uid-range.patch b/SOURCES/pam-1.1.8-tty-audit-uid-range.patch new file mode 100644 index 0000000..4d5f63f --- /dev/null +++ b/SOURCES/pam-1.1.8-tty-audit-uid-range.patch 
@@ -0,0 +1,167 @@ +diff -up Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.c.uid-range Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.c +--- Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.c.uid-range 2017-09-08 14:46:58.869496414 +0200 ++++ Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.c 2017-10-09 17:42:13.947599041 +0200 +@@ -198,6 +198,54 @@ cleanup_old_status (pam_handle_t *pamh, + free (data); + } + ++enum uid_range { UID_RANGE_NONE, UID_RANGE_MM, UID_RANGE_MIN, ++ UID_RANGE_ONE, UID_RANGE_ERR }; ++ ++static enum uid_range ++parse_uid_range(pam_handle_t *pamh, const char *s, ++ uid_t *min_uid, uid_t *max_uid) ++{ ++ const char *range = s; ++ const char *pmax; ++ char *endptr; ++ enum uid_range rv = UID_RANGE_MM; ++ ++ if ((pmax=strchr(range, ':')) == NULL) ++ return UID_RANGE_NONE; ++ ++pmax; ++ ++ if (range[0] == ':') ++ rv = UID_RANGE_ONE; ++ else { ++ errno = 0; ++ *min_uid = strtoul (range, &endptr, 10); ++ if (errno != 0 || (range == endptr) || *endptr != ':') { ++ pam_syslog(pamh, LOG_DEBUG, ++ "wrong min_uid value in '%s'", s); ++ return UID_RANGE_ERR; ++ } ++ } ++ ++ if (*pmax == '\0') { ++ if (rv == UID_RANGE_ONE) ++ return UID_RANGE_ERR; ++ ++ return UID_RANGE_MIN; ++ } ++ ++ errno = 0; ++ *max_uid = strtoul (pmax, &endptr, 10); ++ if (errno != 0 || (pmax == endptr) || *endptr != '\0') { ++ pam_syslog(pamh, LOG_DEBUG, ++ "wrong max_uid value in '%s'", s); ++ return UID_RANGE_ERR; ++ } ++ ++ if (rv == UID_RANGE_ONE) ++ *min_uid = *max_uid; ++ return rv; ++} ++ + int + pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) + { +@@ -207,6 +255,7 @@ pam_sm_open_session (pam_handle_t *pamh, + struct audit_tty_status *old_status, new_status; + const char *user; + int i, fd, open_only; ++ struct passwd *pwd; + #ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD + int log_passwd; + #endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */ +@@ -219,6 +268,14 @@ pam_sm_open_session (pam_handle_t *pamh, + return 
PAM_SESSION_ERR; + } + ++ pwd = pam_modutil_getpwnam(pamh, user); ++ if (pwd == NULL) ++ { ++ pam_syslog(pamh, LOG_WARNING, ++ "open_session unknown user '%s'", user); ++ return PAM_SESSION_ERR; ++ } ++ + command = CMD_NONE; + open_only = 0; + #ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD +@@ -236,13 +293,31 @@ pam_sm_open_session (pam_handle_t *pamh, + copy = strdup (strchr (argv[i], '=') + 1); + if (copy == NULL) + return PAM_SESSION_ERR; +- for (tok = strtok_r (copy, ",", &tok_data); tok != NULL; ++ for (tok = strtok_r (copy, ",", &tok_data); ++ tok != NULL && command != this_command; + tok = strtok_r (NULL, ",", &tok_data)) + { +- if (fnmatch (tok, user, 0) == 0) ++ uid_t min_uid = 0, max_uid = 0; ++ switch (parse_uid_range(pamh, tok, &min_uid, &max_uid)) + { +- command = this_command; +- break; ++ case UID_RANGE_NONE: ++ if (fnmatch (tok, user, 0) == 0) ++ command = this_command; ++ break; ++ case UID_RANGE_MM: ++ if (pwd->pw_uid >= min_uid && pwd->pw_uid <= max_uid) ++ command = this_command; ++ break; ++ case UID_RANGE_MIN: ++ if (pwd->pw_uid >= min_uid) ++ command = this_command; ++ break; ++ case UID_RANGE_ONE: ++ if (pwd->pw_uid == max_uid) ++ command = this_command; ++ break; ++ case UID_RANGE_ERR: ++ break; + } + } + free (copy); +diff -up Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.8.xml.uid-range Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.8.xml +--- Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.8.xml.uid-range 2013-08-28 10:53:40.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.8.xml 2017-09-08 14:46:58.895497022 +0200 +@@ -44,10 +44,10 @@ + </term> + <listitem> + <para> +- For each user matching one of comma-separated glob +- <option><replaceable>patterns</replaceable></option>, disable +- TTY auditing. This overrides any previous <option>enable</option> +- option matching the same user name on the command line. 
++ For each user matching <option><replaceable>patterns</replaceable></option>, ++ disable TTY auditing. This overrides any previous <option>enable</option> ++ option matching the same user name on the command line. See NOTES ++ for further description of <option><replaceable>patterns</replaceable></option>. + </para> + </listitem> + </varlistentry> +@@ -57,10 +57,10 @@ + </term> + <listitem> + <para> +- For each user matching one of comma-separated glob +- <option><replaceable>patterns</replaceable></option>, enable +- TTY auditing. This overrides any previous <option>disable</option> +- option matching the same user name on the command line. ++ For each user matching <option><replaceable>patterns</replaceable></option>, ++ enable TTY auditing. This overrides any previous <option>disable</option> ++ option matching the same user name on the command line. See NOTES ++ for further description of <option><replaceable>patterns</replaceable></option>. + </para> + </listitem> + </varlistentry> +@@ -139,6 +139,16 @@ + To view the data that was logged by the kernel to audit use + the command <command>aureport --tty</command>. + </para> ++ <para> ++ The <option><replaceable>patterns</replaceable></option> are comma separated ++ lists of glob patterns or ranges of uids. A range is specified as ++ <replaceable>min_uid</replaceable>:<replaceable>max_uid</replaceable> where ++ one of these values can be empty. If <replaceable>min_uid</replaceable> is ++ empty only user with the uid <replaceable>max_uid</replaceable> will be ++ matched. If <replaceable>max_uid</replaceable> is empty users with the uid ++ greater than or equal to <replaceable>min_uid</replaceable> will be ++ matched. ++ </para> + </refsect1> + + <refsect1 id='pam_tty_audit-examples'> diff --git a/SPECS/pam.spec b/SPECS/pam.spec index 0cbf153..0faa1d3 100644 --- a/SPECS/pam.spec +++ b/SPECS/pam.spec 
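Review bot: parse_uid_range accepts everything strtoul accepts — leading whitespace, a sign, and values wider than uid_t, which are silently truncated on assignment to `*min_uid` and `*max_uid` — so a token such as `-1:` parses without error and matches an unintended uid. Because a malformed range in an `enable=` list means the intended users quietly receive no TTY auditing, the two "wrong ... value" messages are also better logged at LOG_ERR than LOG_DEBUG so the misconfiguration is visible. A small helper that requires a leading digit, checks that input was consumed, and verifies the value round-trips through uid_t, used at both call sites, addresses both points; a `min_uid > max_uid` check for UID_RANGE_MM would likewise turn an empty range into a logged error rather than a silent non-match.
```c
/* Parse one decimal uid at s; rejects sign, whitespace and values outside uid_t. */
static int
parse_uid(const char *s, char **endptr, uid_t *uid)
{
    unsigned long val;

    if (*s < '0' || *s > '9')
        return -1;
    errno = 0;
    val = strtoul(s, endptr, 10);
    if (errno != 0 || *endptr == s || val != (unsigned long)(uid_t)val)
        return -1;
    *uid = (uid_t)val;
    return 0;
}

/* … unchanged: enum uid_range, parse_uid_range prologue and ':' lookup … */
    if (range[0] == ':')
        rv = UID_RANGE_ONE;
    else if (parse_uid(range, &endptr, min_uid) != 0 || *endptr != ':') {
        pam_syslog(pamh, LOG_ERR, "wrong min_uid value in '%s'", s);
        return UID_RANGE_ERR;
    }
/* … unchanged: empty max_uid handling … */
    if (parse_uid(pmax, &endptr, max_uid) != 0 || *endptr != '\0') {
        pam_syslog(pamh, LOG_ERR, "wrong max_uid value in '%s'", s);
        return UID_RANGE_ERR;
    }
/* … unchanged: UID_RANGE_ONE fix-up and return … */
```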
@@ -3,7 +3,7 @@ Summary: An extensible library which provides authentication for applications Name: pam Version: 1.1.8 -Release: 18%{?dist} +Release: 22%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ # - this option is redundant as the BSD license allows that anyway. # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+. @@ -64,6 +64,11 @@ Patch49: pam-1.1.8-relax-audit.patch Patch50: pam-1.1.8-lastlog-localtime.patch Patch51: pam-1.1.8-man-delay.patch Patch52: pam-1.1.8-succeed-if-large-uid.patch +Patch53: pam-1.1.8-access-update.patch +Patch54: pam-1.1.8-man-space.patch +Patch55: pam-1.1.8-tty-audit-uid-range.patch +Patch56: pam-1.1.8-faillock-admin-group.patch +Patch57: pam-1.1.8-mkhomedir-inroot.patch %define _pamlibdir %{_libdir} %define _moduledir %{_libdir}/security @@ -161,6 +166,11 @@ mv pam-redhat-%{pam_redhat_version}/* modules %patch50 -p1 -b .localtime %patch51 -p1 -b .delay %patch52 -p1 -b .large-uid +%patch53 -p1 -b .access-update +%patch54 -p1 -b .space +%patch55 -p1 -b .uid-range +%patch56 -p1 -b .admin-group +%patch57 -p1 -b .mkhomedir-inroot %build autoreconf -i 
@@ -409,6 +419,23 @@ fi %doc doc/adg/*.txt doc/adg/html %changelog +* Fri Nov 3 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.8-22 +- pam_mkhomedir: do not fail creating parent dir if in / + +* Thu Nov 2 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.8-21 +- pam(8) Manual page missing space fix (#1382302) + +* Mon Oct 9 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.8-20 +- pam_tty_audit: add support for uid range matching + +* Fri Sep 8 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.8-19 +- pam_access: (group) match syntax is prioritized over network@netgroup + match (#1358881), add support for additional /etc/security/access.d/*.conf + files, improve documentation (#1421735) +- pam_lastlog: fix pt_BR translation (#1185697) +- pam_faillock: support admin_group with users equivalent to root in + faillock handling (#1285550) + * Tue Jul 19 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.8-18 - pam_succeed_if: fix handling of large uids, tty, and rhost