diff options
Diffstat (limited to 'extra/source/pam/patches')
11 files changed, 2655 insertions, 0 deletions
diff --git a/extra/source/pam/patches/pam-1.0.90-redhat-modules.patch b/extra/source/pam/patches/pam-1.0.90-redhat-modules.patch new file mode 100644 index 000000000..3ad41ccc6 --- /dev/null +++ b/extra/source/pam/patches/pam-1.0.90-redhat-modules.patch @@ -0,0 +1,23 @@ +diff -up Linux-PAM-1.0.90/modules/Makefile.am.redhat-modules Linux-PAM-1.0.90/modules/Makefile.am +--- Linux-PAM-1.0.90/modules/Makefile.am.redhat-modules 2008-11-29 08:27:35.000000000 +0100 ++++ Linux-PAM-1.0.90/modules/Makefile.am 2008-12-16 13:40:16.000000000 +0100 +@@ -3,6 +3,7 @@ + # + + SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \ ++ pam_chroot pam_console pam_postgresok \ + pam_env pam_exec pam_faildelay pam_filter pam_ftp \ + pam_group pam_issue pam_keyinit pam_lastlog pam_limits \ + pam_listfile pam_localuser pam_loginuid pam_mail \ +diff -up Linux-PAM-1.0.90/configure.in.redhat-modules Linux-PAM-1.0.90/configure.in +--- Linux-PAM-1.0.90/configure.in.redhat-modules 2008-12-02 16:25:01.000000000 +0100 ++++ Linux-PAM-1.0.90/configure.in 2008-12-16 13:39:11.000000000 +0100 +@@ -531,6 +531,8 @@ AC_CONFIG_FILES([Makefile libpam/Makefil + libpam_misc/Makefile conf/Makefile conf/pam_conv1/Makefile \ + po/Makefile.in \ + modules/Makefile \ ++ modules/pam_chroot/Makefile modules/pam_console/Makefile \ ++ modules/pam_postgresok/Makefile \ + modules/pam_access/Makefile modules/pam_cracklib/Makefile \ + modules/pam_debug/Makefile modules/pam_deny/Makefile \ + modules/pam_echo/Makefile modules/pam_env/Makefile \ diff --git a/extra/source/pam/patches/pam-1.0.91-std-noclose.patch b/extra/source/pam/patches/pam-1.0.91-std-noclose.patch new file mode 100644 index 000000000..735948490 --- /dev/null +++ b/extra/source/pam/patches/pam-1.0.91-std-noclose.patch @@ -0,0 +1,98 @@ +diff -up Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c +--- Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose 2009-03-03 14:56:01.000000000 +0100 ++++ Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c 2009-03-26 10:02:15.000000000 +0100 +@@ -131,13 +131,21 @@ create_homedir (pam_handle_t *pamh, int + if (child == 0) { + int i; + struct rlimit rlim; ++ int dummyfds[2]; + static char *envp[] = { NULL }; + char *args[] = { NULL, NULL, NULL, NULL, NULL }; + ++ /* replace std file descriptors with a dummy pipe */ ++ if (pipe(dummyfds) == 0) { ++ dup2(dummyfds[0], STDIN_FILENO); ++ dup2(dummyfds[1], STDOUT_FILENO); ++ dup2(dummyfds[1], STDERR_FILENO); ++ } ++ + if (getrlimit(RLIMIT_NOFILE, &rlim)==0) { + if (rlim.rlim_max >= MAX_FD_NO) + rlim.rlim_max = MAX_FD_NO; +- for (i=0; i < (int)rlim.rlim_max; i++) { ++ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { + close(i); + } + } +diff -up Linux-PAM-1.0.91/modules/pam_unix/support.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/support.c +--- Linux-PAM-1.0.91/modules/pam_unix/support.c.std-noclose 2009-03-03 14:56:01.000000000 +0100 ++++ Linux-PAM-1.0.91/modules/pam_unix/support.c 2009-03-26 10:08:59.000000000 +0100 +@@ -443,13 +443,16 @@ static int _unix_run_helper_binary(pam_h + + /* reopen stdin as pipe */ + dup2(fds[0], STDIN_FILENO); ++ /* and replace also the stdout/err as the helper will ++ not write anything there */ ++ dup2(fds[1], STDOUT_FILENO); ++ dup2(fds[1], STDERR_FILENO); + + if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { + if (rlim.rlim_max >= MAX_FD_NO) + rlim.rlim_max = MAX_FD_NO; +- for (i=0; i < (int)rlim.rlim_max; i++) { +- if (i != STDIN_FILENO) +- close(i); ++ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { ++ close(i); + } + } + +diff -up Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c +--- Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c.std-noclose 2009-03-03 14:56:01.000000000 +0100 ++++ Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c 2009-03-26 10:07:06.000000000 +0100 +@@ -175,13 +175,16 @@ static int _unix_run_update_binary(pam_h + + /* reopen stdin as pipe */ + dup2(fds[0], STDIN_FILENO); ++ /* and replace also the stdout/err as the helper will ++ not write anything there */ ++ dup2(fds[1], STDOUT_FILENO); ++ dup2(fds[1], STDERR_FILENO); + + if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { + if (rlim.rlim_max >= MAX_FD_NO) + rlim.rlim_max = MAX_FD_NO; +- for (i=0; i < (int)rlim.rlim_max; i++) { +- if (i != STDIN_FILENO) +- close(i); ++ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { ++ close(i); + } + } + +diff -up Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c +--- Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c.std-noclose 2009-03-03 14:56:01.000000000 +0100 ++++ Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c 2009-03-26 10:05:41.000000000 +0100 +@@ -100,16 +100,18 @@ int _unix_run_verify_binary(pam_handle_t + + /* reopen stdout as pipe */ + dup2(fds[1], STDOUT_FILENO); ++ /* and replace also the stdin, stderr so we do not exec the helper with ++ tty as stdin, it will not read anything from there anyway */ ++ dup2(fds[0], STDIN_FILENO); ++ dup2(fds[1], STDERR_FILENO); + + /* XXX - should really tidy up PAM here too */ + + if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { + if (rlim.rlim_max >= MAX_FD_NO) + rlim.rlim_max = MAX_FD_NO; +- for (i=0; i < (int)rlim.rlim_max; i++) { +- if (i != STDOUT_FILENO) { +- close(i); +- } ++ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { ++ close(i); + } + } + diff --git a/extra/source/pam/patches/pam-1.1.0-notally.patch b/extra/source/pam/patches/pam-1.1.0-notally.patch new file mode 100644 index 000000000..9327eecba --- /dev/null +++ b/extra/source/pam/patches/pam-1.1.0-notally.patch @@ -0,0 +1,12 @@ +diff -up Linux-PAM-1.1.0/modules/Makefile.am.notally Linux-PAM-1.1.0/modules/Makefile.am +--- Linux-PAM-1.1.0/modules/Makefile.am.notally 2009-07-27 17:39:25.000000000 +0200 ++++ Linux-PAM-1.1.0/modules/Makefile.am 2009-09-01 17:40:16.000000000 +0200 +@@ -10,7 +10,7 @@ SUBDIRS = pam_access pam_cracklib pam_de + pam_mkhomedir pam_motd pam_namespace pam_nologin \ + pam_permit pam_pwhistory pam_rhosts pam_rootok pam_securetty \ + pam_selinux pam_sepermit pam_shells pam_stress \ +- pam_succeed_if pam_tally pam_tally2 pam_time pam_timestamp \ ++ pam_succeed_if pam_tally2 pam_time pam_timestamp \ + pam_tty_audit pam_umask \ + pam_unix pam_userdb pam_warn pam_wheel pam_xauth + diff --git a/extra/source/pam/patches/pam-1.1.1-faillock.patch b/extra/source/pam/patches/pam-1.1.1-faillock.patch new file mode 100644 index 000000000..46f303741 --- /dev/null +++ b/extra/source/pam/patches/pam-1.1.1-faillock.patch @@ -0,0 +1,1712 @@ +diff -up Linux-PAM-1.1.1/configure.in.faillock Linux-PAM-1.1.1/configure.in +--- Linux-PAM-1.1.1/configure.in.faillock 2010-09-17 15:58:41.000000000 +0200 ++++ Linux-PAM-1.1.1/configure.in 2010-09-17 15:58:41.000000000 +0200 +@@ -539,7 +539,7 @@ AC_CONFIG_FILES([Makefile libpam/Makefil + modules/pam_access/Makefile modules/pam_cracklib/Makefile \ + modules/pam_debug/Makefile modules/pam_deny/Makefile \ + modules/pam_echo/Makefile modules/pam_env/Makefile \ +- modules/pam_faildelay/Makefile \ ++ modules/pam_faildelay/Makefile modules/pam_faillock/Makefile \ + modules/pam_filter/Makefile modules/pam_filter/upperLOWER/Makefile \ + modules/pam_ftp/Makefile modules/pam_group/Makefile \ + modules/pam_issue/Makefile modules/pam_keyinit/Makefile \ +diff -up Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock Linux-PAM-1.1.1/doc/sag/pam_faillock.xml +--- Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock 2010-09-17 16:05:56.000000000 +0200 ++++ Linux-PAM-1.1.1/doc/sag/pam_faillock.xml 2010-09-17 16:08:26.000000000 +0200 +@@ -0,0 +1,38 @@ ++<?xml version='1.0' encoding='UTF-8'?> ++<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" ++ "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> ++<section id='sag-pam_faillock'> ++ <title>pam_faillock - temporarily locking access based on failed authentication attempts during an interval</title> ++ <cmdsynopsis> ++ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" ++ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_faillock-cmdsynopsisauth"]/*)'/> ++ </cmdsynopsis> ++ <cmdsynopsis> ++ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" ++ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_faillock-cmdsynopsisacct"]/*)'/> ++ </cmdsynopsis> ++ <section id='sag-pam_faillock-description'> ++ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" ++ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-description"]/*)'/> ++ </section> ++ <section id='sag-pam_faillock-options'> ++ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" ++ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-options"]/*)'/> ++ </section> ++ <section id='sag-pam_faillock-types'> ++ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" ++ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-types"]/*)'/> ++ </section> ++ <section id='sag-pam_faillock-return_values'> ++ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" ++ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-return_values"]/*)'/> ++ </section> ++ <section id='sag-pam_faillock-examples'> ++ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" ++ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-examples"]/*)'/> ++ </section> ++ <section id='sag-pam_faillock-author'> ++ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" ++ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-author"]/*)'/> ++ </section> ++</section> +diff -up Linux-PAM-1.1.1/modules/Makefile.am.faillock Linux-PAM-1.1.1/modules/Makefile.am +--- Linux-PAM-1.1.1/modules/Makefile.am.faillock 2010-09-17 15:58:41.000000000 +0200 ++++ Linux-PAM-1.1.1/modules/Makefile.am 2010-09-17 15:58:41.000000000 +0200 +@@ -3,7 +3,7 @@ + # + + SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \ +- pam_chroot pam_console pam_postgresok \ ++ pam_chroot pam_console pam_postgresok pam_faillock \ + pam_env pam_exec pam_faildelay pam_filter pam_ftp \ + pam_group pam_issue pam_keyinit pam_lastlog pam_limits \ + pam_listfile pam_localuser pam_loginuid pam_mail \ +diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.c +--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock 2010-09-17 15:58:41.000000000 +0200 ++++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.c 2010-09-17 15:58:41.000000000 +0200 +@@ -0,0 +1,147 @@ ++/* ++ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com> ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, and the entire permission notice in its entirety, ++ * including the disclaimer of warranties. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. The name of the author may not be used to endorse or promote ++ * products derived from this software without specific prior ++ * written permission. ++ * ++ * ALTERNATIVELY, this product may be distributed under the terms of ++ * the GNU Public License, in which case the provisions of the GPL are ++ * required INSTEAD OF the above restrictions. (This clause is ++ * necessary due to a potential bad interaction between the GPL and ++ * the restrictions contained in a BSD-style copyright.) ++ * ++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED ++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ++ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, ++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++ ++#include "config.h" ++#include <string.h> ++#include <stdlib.h> ++#include <unistd.h> ++#include <errno.h> ++#include <sys/types.h> ++#include <sys/stat.h> ++#include <sys/file.h> ++#include <fcntl.h> ++#include <security/pam_modutil.h> ++ ++#include "faillock.h" ++ ++int ++open_tally (const char *dir, const char *user, int create) ++{ ++ char *path; ++ int flags = O_RDWR; ++ int fd; ++ ++ if (strstr(user, "../") != NULL) ++ /* just a defensive programming as the user must be a ++ * valid user on the system anyway ++ */ ++ return -1; ++ path = malloc(strlen(dir) + strlen(user) + 2); ++ if (path == NULL) ++ return -1; ++ ++ strcpy(path, dir); ++ if (*dir && dir[strlen(dir) - 1] != '/') { ++ strcat(path, "/"); ++ } ++ strcat(path, user); ++ ++ if (create) { ++ flags |= O_CREAT; ++ } ++ ++ fd = open(path, flags, 0600); ++ ++ if (fd != -1) ++ while (flock(fd, LOCK_EX) == -1 && errno == EINTR); ++ ++ return fd; ++} ++ ++#define CHUNK_SIZE (64 * sizeof(struct tally)) ++#define MAX_RECORDS 1024 ++ ++int ++read_tally(int fd, struct tally_data *tallies) ++{ ++ void *data = NULL, *newdata; ++ unsigned int count = 0; ++ ssize_t chunk = 0; ++ ++ do { ++ newdata = realloc(data, count * sizeof(struct tally) + CHUNK_SIZE); ++ if (newdata == NULL) { ++ free(data); ++ return -1; ++ } ++ ++ data = newdata; ++ ++ chunk = pam_modutil_read(fd, (char *)data + count * sizeof(struct tally), CHUNK_SIZE); ++ if (chunk < 0) { ++ free(data); ++ return -1; ++ } ++ ++ count += chunk/sizeof(struct tally); ++ ++ if (count >= MAX_RECORDS) ++ break; ++ } ++ while (chunk == CHUNK_SIZE); ++ ++ tallies->records = data; ++ tallies->count = count; ++ ++ return 0; ++} ++ ++int ++update_tally(int fd, struct tally_data *tallies) ++{ ++ void *data = tallies->records; ++ unsigned int count = tallies->count; ++ ssize_t chunk; ++ ++ if (tallies->count > MAX_RECORDS) { ++ data = tallies->records + (count - MAX_RECORDS); ++ count = MAX_RECORDS; ++ } ++ ++ if (lseek(fd, 0, SEEK_SET) == (off_t)-1) { ++ return -1; ++ } ++ ++ chunk = pam_modutil_write(fd, data, count * sizeof(struct tally)); ++ ++ if (chunk != (ssize_t)(count * sizeof(struct tally))) { ++ return -1; ++ } ++ ++ if (ftruncate(fd, count * sizeof(struct tally)) == -1) ++ return -1; ++ ++ return 0; ++} +diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.h +--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock 2010-09-17 15:58:41.000000000 +0200 ++++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.h 2010-09-17 15:58:41.000000000 +0200 +@@ -0,0 +1,72 @@ ++/* ++ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com> ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, and the entire permission notice in its entirety, ++ * including the disclaimer of warranties. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. The name of the author may not be used to endorse or promote ++ * products derived from this software without specific prior ++ * written permission. ++ * ++ * ALTERNATIVELY, this product may be distributed under the terms of ++ * the GNU Public License, in which case the provisions of the GPL are ++ * required INSTEAD OF the above restrictions. (This clause is ++ * necessary due to a potential bad interaction between the GPL and ++ * the restrictions contained in a BSD-style copyright.) ++ * ++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED ++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ++ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, ++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++ ++/* ++ * faillock.h - authentication failure data file record structure ++ * ++ * Each record in the file represents an instance of login failure of ++ * the user at the recorded time ++ */ ++ ++ ++#ifndef _FAILLOCK_H ++#define _FAILLOCK_H ++ ++#include <stdint.h> ++ ++#define TALLY_STATUS_VALID 0x1 /* the tally file entry is valid */ ++#define TALLY_STATUS_RHOST 0x2 /* the source is rhost */ ++#define TALLY_STATUS_TTY 0x4 /* the source is tty - if both TALLY_FLAG_RHOST and TALLY_FLAG_TTY are not set the source is service */ ++ ++struct tally { ++ char source[52]; /* rhost or tty of the login failure (not necessarily NULL terminated) */ ++ uint16_t reserved; /* reserved for future use */ ++ uint16_t status; /* record status */ ++ uint64_t time; /* time of the login failure */ ++}; ++/* 64 bytes per entry */ ++ ++struct tally_data { ++ struct tally *records; /* array of tallies */ ++ unsigned int count; /* number of records */ ++}; ++ ++#define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock" ++ ++int open_tally(const char *dir, const char *user, int create); ++int read_tally(int fd, struct tally_data *tallies); ++int update_tally(int fd, struct tally_data *tallies); ++#endif ++ +diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml +--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock 2010-09-17 15:58:41.000000000 +0200 ++++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml 2010-09-17 15:58:41.000000000 +0200 +@@ -0,0 +1,123 @@ ++<?xml version="1.0" encoding='UTF-8'?> ++<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" ++ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> ++ ++<refentry id="faillock"> ++ ++ <refmeta> ++ <refentrytitle>faillock</refentrytitle> ++ <manvolnum>8</manvolnum> ++ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> ++ </refmeta> ++ ++ <refnamediv id="pam_faillock-name"> ++ <refname>faillock</refname> ++ <refpurpose>Tool for displaying and modifying the authentication failure record files</refpurpose> ++ </refnamediv> ++ ++ <refsynopsisdiv> ++ <cmdsynopsis id="faillock-cmdsynopsis"> ++ <command>faillock</command> ++ <arg choice="opt"> ++ --dir <replaceable>/path/to/tally-directory</replaceable> ++ </arg> ++ <arg choice="opt"> ++ --user <replaceable>username</replaceable> ++ </arg> ++ <arg choice="opt"> ++ --reset ++ </arg> ++ </cmdsynopsis> ++ </refsynopsisdiv> ++ ++ <refsect1 id="faillock-description"> ++ ++ <title>DESCRIPTION</title> ++ ++ <para> ++ The <emphasis>pam_faillock.so</emphasis> module maintains a list of ++ failed authentication attempts per user during a specified interval ++ and locks the account in case there were more than ++ <replaceable>deny</replaceable> consecutive failed authentications. ++ It stores the failure records into per-user files in the tally ++ directory. ++ </para> ++ <para> ++ The <command>faillock</command> command is an application which ++ can be used to examine and modify the contents of the ++ the tally files. It can display the recent failed authentication ++ attempts of the <replaceable>username</replaceable> or clear the tally ++ files of all or individual <replaceable>usernames</replaceable>. ++ </para> ++ </refsect1> ++ ++ <refsect1 id="faillock-options"> ++ ++ <title>OPTIONS</title> ++ <variablelist> ++ <varlistentry> ++ <term> ++ <option>--dir <replaceable>/path/to/tally-directory</replaceable></option> ++ </term> ++ <listitem> ++ <para> ++ The directory where the user files with the failure records are kept. The ++ default is <filename>/var/run/faillock</filename>. ++ </para> ++ </listitem> ++ </varlistentry> ++ <varlistentry> ++ <term> ++ <option>--user <replaceable>username</replaceable></option> ++ </term> ++ <listitem> ++ <para> ++ The user whose failure records should be displayed or cleared. ++ </para> ++ </listitem> ++ </varlistentry> ++ <varlistentry> ++ <term> ++ <option>--reset</option> ++ </term> ++ <listitem> ++ <para> ++ Instead of displaying the user's failure records, clear them. ++ </para> ++ </listitem> ++ </varlistentry> ++ </variablelist> ++ </refsect1> ++ ++ <refsect1 id="faillock-files"> ++ <title>FILES</title> ++ <variablelist> ++ <varlistentry> ++ <term><filename>/var/run/faillock/*</filename></term> ++ <listitem> ++ <para>the files logging the authentication failures for users</para> ++ </listitem> ++ </varlistentry> ++ </variablelist> ++ </refsect1> ++ ++ <refsect1 id='faillock-see_also'> ++ <title>SEE ALSO</title> ++ <para> ++ <citerefentry> ++ <refentrytitle>pam_faillock</refentrytitle><manvolnum>8</manvolnum> ++ </citerefentry>, ++ <citerefentry> ++ <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> ++ </citerefentry> ++ </para> ++ </refsect1> ++ ++ <refsect1 id='faillock-author'> ++ <title>AUTHOR</title> ++ <para> ++ faillock was written by Tomas Mraz. ++ </para> ++ </refsect1> ++ ++</refentry> +diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/main.c +--- Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock 2010-09-17 15:58:41.000000000 +0200 ++++ Linux-PAM-1.1.1/modules/pam_faillock/main.c 2010-09-17 15:58:41.000000000 +0200 +@@ -0,0 +1,231 @@ ++/* ++ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com> ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, and the entire permission notice in its entirety, ++ * including the disclaimer of warranties. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. The name of the author may not be used to endorse or promote ++ * products derived from this software without specific prior ++ * written permission. ++ * ++ * ALTERNATIVELY, this product may be distributed under the terms of ++ * the GNU Public License, in which case the provisions of the GPL are ++ * required INSTEAD OF the above restrictions. (This clause is ++ * necessary due to a potential bad interaction between the GPL and ++ * the restrictions contained in a BSD-style copyright.) ++ * ++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED ++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ++ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, ++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++ ++#include "config.h" ++ ++#include <stdio.h> ++#include <stdlib.h> ++#include <string.h> ++#include <dirent.h> ++#include <errno.h> ++#include <pwd.h> ++#include <time.h> ++#ifdef HAVE_LIBAUDIT ++#include <libaudit.h> ++#endif ++ ++#include "faillock.h" ++ ++struct options { ++ unsigned int reset; ++ const char *dir; ++ const char *user; ++ const char *progname; ++}; ++ ++static int ++args_parse(int argc, char **argv, struct options *opts) ++{ ++ int i; ++ memset(opts, 0, sizeof(*opts)); ++ ++ opts->dir = FAILLOCK_DEFAULT_TALLYDIR; ++ opts->progname = argv[0]; ++ ++ for (i = 1; i < argc; ++i) { ++ ++ if (strcmp(argv[i], "--dir") == 0) { ++ ++i; ++ if (i >= argc || strlen(argv[i]) == 0) { ++ fprintf(stderr, "%s: No directory supplied.\n", argv[0]); ++ return -1; ++ } ++ opts->dir = argv[i]; ++ } ++ else if (strcmp(argv[i], "--user") == 0) { ++ ++i; ++ if (i >= argc || strlen(argv[i]) == 0) { ++ fprintf(stderr, "%s: No user name supplied.\n", argv[0]); ++ return -1; ++ } ++ opts->user = argv[i]; ++ } ++ else if (strcmp(argv[i], "--reset") == 0) { ++ opts->reset = 1; ++ } ++ else { ++ fprintf(stderr, "%s: Unknown option: %s\n", argv[0], argv[i]); ++ return -1; ++ } ++ } ++ return 0; ++} ++ ++static void ++usage(const char *progname) ++{ ++ fprintf(stderr, _("Usage: %s [--dir /path/to/tally-directory] [--user username] [--reset]\n"), ++ progname); ++} ++ ++static int ++do_user(struct options *opts, const char *user) ++{ ++ int fd; ++ int rv; ++ struct tally_data tallies; ++ ++ fd = open_tally(opts->dir, user, 0); ++ ++ if (fd == -1) { ++ if (errno == ENOENT) { ++ return 0; ++ } ++ else { ++ fprintf(stderr, "%s: Error opening the tally file for %s:", ++ opts->progname, user); ++ perror(NULL); ++ return 3; ++ } ++ } ++ if (opts->reset) { ++#ifdef HAVE_LIBAUDIT ++ char buf[64]; ++ int audit_fd; ++#endif ++ ++ while ((rv=ftruncate(fd, 0)) == -1 && errno == EINTR); ++ if (rv == -1) { ++ fprintf(stderr, "%s: Error clearing the tally file for %s:", ++ opts->progname, user); ++ perror(NULL); ++#ifdef HAVE_LIBAUDIT ++ } ++ if ((audit_fd=audit_open()) >= 0) { ++ struct passwd *pwd; ++ ++ if ((pwd=getpwnam(user)) != NULL) { ++ snprintf(buf, sizeof(buf), "faillock reset uid=%u", ++ pwd->pw_uid); ++ audit_log_user_message(audit_fd, AUDIT_USER_ACCT, ++ buf, NULL, NULL, NULL, rv == 0); ++ } ++ close(audit_fd); ++ } ++ if (rv == -1) { ++#endif ++ close(fd); ++ return 4; ++ } ++ } ++ else { ++ unsigned int i; ++ ++ memset(&tallies, 0, sizeof(tallies)); ++ if ((rv=read_tally(fd, &tallies)) == -1) { ++ fprintf(stderr, "%s: Error reading the tally file for %s:", ++ opts->progname, user); ++ perror(NULL); ++ close(fd); ++ return 5; ++ } ++ ++ printf("%s:\n", user); ++ printf("%-19s %-5s %-48s %-5s\n", "When", "Type", "Source", "Valid"); ++ ++ for (i = 0; i < tallies.count; i++) { ++ struct tm *tm; ++ char timebuf[80]; ++ uint16_t status = tallies.records[i].status; ++ time_t when = tallies.records[i].time; ++ ++ tm = localtime(&when); ++ strftime(timebuf, sizeof(timebuf), "%Y-%m-%d %H:%M:%S", tm); ++ printf("%-19s %-5s %-52.52s %s\n", timebuf, ++ status & TALLY_STATUS_RHOST ? "RHOST" : (status & TALLY_STATUS_TTY ? "TTY" : "SVC"), ++ tallies.records[i].source, status & TALLY_STATUS_VALID ? "V":"I"); ++ } ++ free(tallies.records); ++ } ++ close(fd); ++ return 0; ++} ++ ++static int ++do_allusers(struct options *opts) ++{ ++ struct dirent **userlist; ++ int rv, i; ++ ++ rv = scandir(opts->dir, &userlist, NULL, alphasort); ++ if (rv < 0) { ++ fprintf(stderr, "%s: Error reading tally directory: ", opts->progname); ++ perror(NULL); ++ return 2; ++ } ++ ++ for (i = 0; i < rv; i++) { ++ if (userlist[i]->d_name[0] == '.') { ++ if ((userlist[i]->d_name[1] == '.' && userlist[i]->d_name[2] == '\0') || ++ userlist[i]->d_name[1] == '\0') ++ continue; ++ } ++ do_user(opts, userlist[i]->d_name); ++ free(userlist[i]); ++ } ++ free(userlist); ++ ++ return 0; ++} ++ ++ ++/*-----------------------------------------------------------------------*/ ++int ++main (int argc, char *argv[]) ++{ ++ struct options opts; ++ ++ if (args_parse(argc, argv, &opts)) { ++ usage(argv[0]); ++ return 1; ++ } ++ ++ if (opts.user == NULL) { ++ return do_allusers(&opts); ++ } ++ ++ return do_user(&opts, opts.user); ++} ++ +diff -up Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am +--- Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock 2010-09-17 15:58:41.000000000 +0200 ++++ Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am 2010-09-17 15:58:41.000000000 +0200 +@@ -0,0 +1,43 @@ ++# ++# Copyright (c) 2005, 2006, 2007, 2009 Thorsten Kukuk <kukuk@thkukuk.de> ++# Copyright (c) 2008 Red Hat, Inc. ++# Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com> ++# ++ ++CLEANFILES = *~ ++MAINTAINERCLEANFILES = $(MANS) README ++ ++EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_faillock ++ ++man_MANS = pam_faillock.8 faillock.8 ++XMLS = README.xml pam_faillock.8.xml faillock.8.xml ++ ++TESTS = tst-pam_faillock ++ ++securelibdir = $(SECUREDIR) ++secureconfdir = $(SCONFIGDIR) ++ ++noinst_HEADERS = faillock.h ++ ++faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include ++pam_faillock_la_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include ++ ++pam_faillock_la_LDFLAGS = -no-undefined -avoid-version -module ++pam_faillock_la_LIBADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT) ++if HAVE_VERSIONING ++ pam_faillock_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map ++endif ++ ++faillock_LDADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT) ++ ++securelib_LTLIBRARIES = pam_faillock.la ++sbin_PROGRAMS = faillock ++ ++pam_faillock_la_SOURCES = pam_faillock.c faillock.c ++faillock_SOURCES = main.c faillock.c ++ ++if ENABLE_REGENERATE_MAN ++noinst_DATA = README ++README: pam_faillock.8.xml ++-include $(top_srcdir)/Make.xml.rules ++endif +diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c +--- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock 2010-09-17 15:58:41.000000000 +0200 ++++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c 2010-09-17 15:58:41.000000000 +0200 +@@ -0,0 +1,550 @@ ++/* ++ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com> ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, and the entire permission notice in its entirety, ++ * including the disclaimer of warranties. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. The name of the author may not be used to endorse or promote ++ * products derived from this software without specific prior ++ * written permission. ++ * ++ * ALTERNATIVELY, this product may be distributed under the terms of ++ * the GNU Public License, in which case the provisions of the GPL are ++ * required INSTEAD OF the above restrictions. (This clause is ++ * necessary due to a potential bad interaction between the GPL and ++ * the restrictions contained in a BSD-style copyright.) ++ * ++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED ++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ++ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, ++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++ ++#include "config.h" ++#include <stdio.h> ++#include <string.h> ++#include <unistd.h> ++#include <stdint.h> ++#include <stdlib.h> ++#include <errno.h> ++#include <time.h> ++#include <pwd.h> ++#include <syslog.h> ++ ++#ifdef HAVE_LIBAUDIT ++#include <libaudit.h> ++#endif ++ ++#include <security/pam_modules.h> ++#include <security/pam_modutil.h> ++#include <security/pam_ext.h> ++ ++#include "faillock.h" ++ ++#define PAM_SM_AUTH ++#define PAM_SM_ACCOUNT ++ ++#define FAILLOCK_ACTION_PREAUTH 0 ++#define FAILLOCK_ACTION_AUTHSUCC 1 ++#define FAILLOCK_ACTION_AUTHFAIL 2 ++ ++#define FAILLOCK_FLAG_DENY_ROOT 0x1 ++#define FAILLOCK_FLAG_AUDIT 0x2 ++#define FAILLOCK_FLAG_SILENT 0x4 ++#define FAILLOCK_FLAG_NO_LOG_INFO 0x8 ++#define FAILLOCK_FLAG_UNLOCKED 0x10 ++ ++#define MAX_TIME_INTERVAL 604800 /* 7 days */ ++ ++struct options { ++ unsigned int action; ++ unsigned int flags; ++ unsigned short deny; ++ unsigned int fail_interval; ++ unsigned int unlock_time; ++ unsigned int root_unlock_time; ++ const char *dir; ++ const char *user; ++ int failures; ++ uint64_t latest_time; ++ uid_t uid; ++ uint64_t now; ++}; ++ ++static void ++args_parse(pam_handle_t *pamh, int argc, const char **argv, ++ int flags, struct options *opts) ++{ ++ int i; ++ memset(opts, 0, sizeof(*opts)); ++ ++ opts->dir = FAILLOCK_DEFAULT_TALLYDIR; ++ opts->deny = 3; ++ opts->fail_interval = 900; ++ opts->unlock_time = 600; ++ opts->root_unlock_time = MAX_TIME_INTERVAL+1; ++ ++ for (i = 0; i < argc; ++i) { ++ ++ if (strncmp(argv[i], "dir=", 4) == 0) { ++ if (argv[i][4] != '/') { ++ pam_syslog(pamh, LOG_ERR, ++ "Tally directory is not absolute path (%s); keeping default", argv[i]); ++ } else { ++ opts->dir = argv[i]+4; ++ } ++ } ++ else if (strncmp(argv[i], "deny=", 5) == 0) { ++ if (sscanf(argv[i]+5, "%hu", &opts->deny) != 1) { ++ pam_syslog(pamh, LOG_ERR, ++ "Bad number supplied for deny argument"); ++ } ++ } ++ else if (strncmp(argv[i], "fail_interval=", 14) == 0) { ++ unsigned int temp; ++ if (sscanf(argv[i]+14, "%u", &temp) != 1 || ++ temp > MAX_TIME_INTERVAL) { ++ pam_syslog(pamh, LOG_ERR, ++ "Bad number supplied for fail_interval argument"); ++ } else { ++ opts->fail_interval = temp; ++ } ++ } ++ else if (strncmp(argv[i], "unlock_time=", 12) == 0) { ++ unsigned int temp; ++ if (sscanf(argv[i]+12, "%u", &temp) != 1 || ++ temp > MAX_TIME_INTERVAL) { ++ pam_syslog(pamh, LOG_ERR, ++ "Bad number supplied for unlock_time argument"); ++ } else { ++ opts->unlock_time = temp; ++ } ++ } ++ else if (strncmp(argv[i], "root_unlock_time=", 17) == 0) { ++ unsigned int temp; ++ if (sscanf(argv[i]+17, "%u", &temp) != 1 || ++ temp > MAX_TIME_INTERVAL) { ++ pam_syslog(pamh, LOG_ERR, ++ "Bad number supplied for root_unlock_time argument"); ++ } else { ++ opts->root_unlock_time = temp; ++ } ++ } ++ else if (strcmp(argv[i], "preauth") == 0) { ++ opts->action = FAILLOCK_ACTION_PREAUTH; ++ } ++ else if (strcmp(argv[i], "authfail") == 0) { ++ opts->action = FAILLOCK_ACTION_AUTHFAIL; ++ } ++ else if (strcmp(argv[i], "authsucc") == 0) { ++ opts->action = FAILLOCK_ACTION_AUTHSUCC; ++ } ++ else if (strcmp(argv[i], "even_deny_root") == 0) { ++ opts->flags |= FAILLOCK_FLAG_DENY_ROOT; ++ } ++ else if (strcmp(argv[i], "audit") == 0) { ++ opts->flags |= FAILLOCK_FLAG_AUDIT; ++ } ++ else if (strcmp(argv[i], "silent") == 0) { ++ opts->flags |= FAILLOCK_FLAG_SILENT; ++ } ++ else if (strcmp(argv[i], "no_log_info") == 0) { ++ opts->flags |= FAILLOCK_FLAG_NO_LOG_INFO; ++ } ++ else { ++ pam_syslog(pamh, LOG_ERR, "Unknown option: %s", argv[i]); ++ } ++ } ++ ++ if (opts->root_unlock_time == MAX_TIME_INTERVAL+1) ++ opts->root_unlock_time = opts->unlock_time; ++ if (flags & PAM_SILENT) ++ opts->flags |= FAILLOCK_FLAG_SILENT; ++} ++ ++static int get_pam_user(pam_handle_t *pamh, struct options *opts) ++{ ++ const char *user; ++ int rv; ++ struct passwd *pwd; ++ ++ if ((rv=pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) { ++ return rv; ++ } ++ ++ if (*user == '\0') { ++ return PAM_IGNORE; ++ } ++ ++ if ((pwd=pam_modutil_getpwnam(pamh, user)) == NULL) { ++ if (opts->flags & FAILLOCK_FLAG_AUDIT) { ++ pam_syslog(pamh, LOG_ERR, "User unknown: %s", user); ++ } ++ else { ++ pam_syslog(pamh, LOG_ERR, "User unknown"); ++ } ++ return PAM_IGNORE; ++ } ++ opts->user = user; ++ opts->uid = pwd->pw_uid; ++ return PAM_SUCCESS; ++} ++ ++static int ++check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies, int *fd) ++{ ++ int tfd; ++ unsigned int i; ++ uint64_t latest_time; ++ int failures; ++ ++ opts->now = time(NULL); ++ ++ tfd = open_tally(opts->dir, opts->user, 0); ++ ++ *fd = tfd; ++ ++ if (tfd == -1) { ++ if (errno == EACCES || errno == ENOENT) { ++ return PAM_SUCCESS; ++ } ++ pam_syslog(pamh, LOG_ERR, "Error opening the tally file for %s: %m", opts->user); ++ return PAM_SYSTEM_ERR; ++ } ++ ++ if (read_tally(tfd, tallies) != 0) { ++ pam_syslog(pamh, LOG_ERR, "Error reading the tally file for %s: %m", opts->user); ++ return PAM_SYSTEM_ERR; ++ } ++ ++ if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { ++ return PAM_SUCCESS; ++ } ++ ++ latest_time = 0; ++ for(i = 0; i < tallies->count; i++) { ++ if ((tallies->records[i].status & TALLY_STATUS_VALID) && ++ tallies->records[i].time > latest_time) ++ latest_time = tallies->records[i].time; ++ } ++ ++ opts->latest_time = latest_time; ++ ++ failures = 0; ++ for(i = 0; i < tallies->count; i++) { ++ if ((tallies->records[i].status & TALLY_STATUS_VALID) && ++ latest_time - tallies->records[i].time < opts->fail_interval) { ++ ++failures; ++ } ++ } ++ ++ opts->failures = failures; ++ ++ if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { ++ return PAM_SUCCESS; ++ } ++ ++ if (opts->deny && failures >= opts->deny) { ++ if ((opts->uid && latest_time + opts->unlock_time < opts->now) || ++ (!opts->uid && latest_time + opts->root_unlock_time < opts->now)) { ++#ifdef HAVE_LIBAUDIT ++ if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */ ++ char buf[64]; ++ int audit_fd; ++ ++ audit_fd = audit_open(); ++ /* If there is an error & audit support is in the kernel report error */ ++ if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT || ++ errno == EAFNOSUPPORT)) ++ return PAM_SYSTEM_ERR; ++ ++ snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid); ++ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf, ++ NULL, NULL, NULL, 1); ++ } ++#endif ++ opts->flags |= FAILLOCK_FLAG_UNLOCKED; ++ return PAM_SUCCESS; ++ } ++ return PAM_AUTH_ERR; ++ } ++ return PAM_SUCCESS; ++} ++ ++static void ++reset_tally(pam_handle_t *pamh, struct options *opts, int *fd) ++{ ++ int rv; ++ ++ while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR); ++ if (rv == -1) { ++ pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user); ++ } ++} ++ ++static int ++write_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies, int *fd) ++{ ++ struct tally *records; ++ unsigned int i; ++ int failures; ++ unsigned int oldest; ++ uint64_t oldtime; ++ const void *source = NULL; ++ ++ if (*fd == -1) { ++ *fd = open_tally(opts->dir, opts->user, 1); ++ } ++ if (*fd == -1) { ++ if (errno == EACCES) { ++ return PAM_SUCCESS; ++ } ++ pam_syslog(pamh, LOG_ERR, "Error opening the tally file for %s: %m", opts->user); ++ return PAM_SYSTEM_ERR; ++ } ++ ++ oldtime = 0; ++ oldest = 0; ++ failures = 0; ++ ++ for (i = 0; i < tallies->count; ++i) { ++ if (tallies->records[i].time < oldtime) { ++ oldtime = tallies->records[i].time; ++ oldest = i; ++ } ++ if (opts->flags & FAILLOCK_FLAG_UNLOCKED || ++ opts->now - tallies->records[i].time >= opts->fail_interval ) { ++ tallies->records[i].status &= ~TALLY_STATUS_VALID; ++ } else { ++ ++failures; ++ } ++ } ++ ++ if (oldest >= tallies->count || (tallies->records[oldest].status & TALLY_STATUS_VALID)) { ++ oldest = tallies->count; ++ ++ if ((records=realloc(tallies->records, (oldest+1) * sizeof (*tallies->records))) == NULL) { ++ pam_syslog(pamh, LOG_CRIT, "Error allocating memory for tally records: %m"); ++ return PAM_BUF_ERR; ++ } ++ ++ ++tallies->count; ++ tallies->records = records; ++ } ++ ++ memset(&tallies->records[oldest], 0, sizeof (*tallies->records)); ++ ++ tallies->records[oldest].status = TALLY_STATUS_VALID; ++ if (pam_get_item(pamh, PAM_RHOST, &source) != PAM_SUCCESS || source == NULL) { ++ if (pam_get_item(pamh, PAM_TTY, &source) != PAM_SUCCESS || source == NULL) { ++ if (pam_get_item(pamh, PAM_SERVICE, &source) != PAM_SUCCESS || source == NULL) { ++ source = ""; ++ } ++ } ++ else { ++ tallies->records[oldest].status |= TALLY_STATUS_TTY; ++ } ++ } ++ else { ++ tallies->records[oldest].status |= TALLY_STATUS_RHOST; ++ } ++ ++ strncpy(tallies->records[oldest].source, source, sizeof(tallies->records[oldest].source)); ++ /* source does not have to be null terminated */ ++ ++ tallies->records[oldest].time = opts->now; ++ ++ ++failures; ++ ++ if (opts->deny && failures == opts->deny) { ++#ifdef HAVE_LIBAUDIT ++ char buf[64]; ++ int audit_fd; ++ ++ audit_fd = audit_open(); ++ /* If there is an error & audit support is in the kernel report error */ ++ if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT || ++ errno == EAFNOSUPPORT)) ++ return PAM_SYSTEM_ERR; ++ ++ snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid); ++ audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf, ++ NULL, NULL, NULL, 1); ++ ++ if (opts->uid != 0 || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { ++ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf, ++ NULL, NULL, NULL, 1); ++ } ++ close(audit_fd); ++#endif ++ if (!(opts->flags & FAILLOCK_FLAG_NO_LOG_INFO)) { ++ pam_syslog(pamh, LOG_INFO, "Consecutive login failures for user %s account temporarily locked", ++ opts->user); ++ } ++ } ++ ++ if (update_tally(*fd, tallies) == 0) ++ return PAM_SUCCESS; ++ ++ return PAM_SYSTEM_ERR; ++} ++ ++static void ++faillock_message(pam_handle_t *pamh, struct options *opts) ++{ ++ int64_t left; ++ ++ if (!(opts->flags & FAILLOCK_FLAG_SILENT)) { ++ if (opts->uid) { ++ left = opts->latest_time + opts->unlock_time - opts->now; ++ } ++ else { ++ left = opts->latest_time + opts->root_unlock_time - opts->now; ++ } ++ ++ left /= 60; /* minutes */ ++ ++ pam_info(pamh, _("Account temporarily locked due to %d failed logins"), ++ opts->failures); ++ pam_info(pamh, _("(%d minutes left to unlock)"), (int)left); ++ } ++} ++ ++static void ++tally_cleanup(struct tally_data *tallies, int fd) ++{ ++ if (fd != -1) { ++ close(fd); ++ } ++ ++ free(tallies->records); ++} ++ ++/*---------------------------------------------------------------------*/ ++ ++PAM_EXTERN int ++pam_sm_authenticate(pam_handle_t *pamh, int flags, ++ int argc, const char **argv) ++{ ++ struct options opts; ++ int rv, fd = -1; ++ struct tally_data tallies; ++ ++ memset(&tallies, 0, sizeof(tallies)); ++ ++ args_parse(pamh, argc, argv, flags, &opts); ++ ++ pam_fail_delay(pamh, 2000000); /* 2 sec delay for on failure */ ++ ++ if ((rv=get_pam_user(pamh, &opts)) != PAM_SUCCESS) { ++ return rv; ++ } ++ ++ switch (opts.action) { ++ case FAILLOCK_ACTION_PREAUTH: ++ rv = check_tally(pamh, &opts, &tallies, &fd); ++ if (rv == PAM_AUTH_ERR && !(opts.flags & FAILLOCK_FLAG_SILENT)) { ++ faillock_message(pamh, &opts); ++ } ++ break; ++ ++ case FAILLOCK_ACTION_AUTHSUCC: ++ rv = check_tally(pamh, &opts, &tallies, &fd); ++ if (rv == PAM_SUCCESS && fd != -1) { ++ reset_tally(pamh, &opts, &fd); ++ } ++ break; ++ ++ case FAILLOCK_ACTION_AUTHFAIL: ++ rv = check_tally(pamh, &opts, &tallies, &fd); ++ if (rv == PAM_SUCCESS) { ++ rv = PAM_IGNORE; /* this return value should be ignored */ ++ write_tally(pamh, &opts, &tallies, &fd); ++ } ++ break; ++ } ++ ++ tally_cleanup(&tallies, fd); ++ ++ return rv; ++} ++ ++/*---------------------------------------------------------------------*/ ++ ++PAM_EXTERN int ++pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED, ++ int argc UNUSED, const char **argv UNUSED) ++{ ++ return PAM_SUCCESS; ++} ++ ++/*---------------------------------------------------------------------*/ ++ ++PAM_EXTERN int ++pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, ++ int argc, const char **argv) ++{ ++ struct options opts; ++ int rv, fd = -1; ++ struct tally_data tallies; ++ ++ memset(&tallies, 0, sizeof(tallies)); ++ ++ args_parse(pamh, argc, argv, flags, &opts); ++ ++ opts.action = FAILLOCK_ACTION_AUTHSUCC; ++ ++ if ((rv=get_pam_user(pamh, &opts)) != PAM_SUCCESS) { ++ return rv; ++ } ++ ++ check_tally(pamh, &opts, &tallies, &fd); ++ if (fd != -1) { ++ reset_tally(pamh, &opts, &fd); ++ } ++ ++ tally_cleanup(&tallies, fd); ++ ++ return PAM_SUCCESS; ++} ++ ++/*-----------------------------------------------------------------------*/ ++ ++#ifdef PAM_STATIC ++ ++/* static module data */ ++ ++struct pam_module _pam_faillock_modstruct = { ++ MODULE_NAME, ++#ifdef PAM_SM_AUTH ++ pam_sm_authenticate, ++ pam_sm_setcred, ++#else ++ NULL, ++ NULL, ++#endif ++#ifdef PAM_SM_ACCOUNT ++ pam_sm_acct_mgmt, ++#else ++ NULL, ++#endif ++ NULL, ++ NULL, ++ NULL, ++}; ++ ++#endif /* #ifdef PAM_STATIC */ ++ +diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml +--- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock 2010-09-17 15:58:41.000000000 +0200 ++++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml 2010-09-17 15:58:41.000000000 +0200 +@@ -0,0 +1,396 @@ ++<?xml version="1.0" encoding='UTF-8'?> ++<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" ++ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> ++ ++<refentry id="pam_faillock"> ++ ++ <refmeta> ++ <refentrytitle>pam_faillock</refentrytitle> ++ <manvolnum>8</manvolnum> ++ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> ++ </refmeta> ++ ++ <refnamediv id="pam_faillock-name"> ++ <refname>pam_faillock</refname> ++ <refpurpose>Module counting authentication failures during a specified interval</refpurpose> ++ </refnamediv> ++ ++ <refsynopsisdiv> ++ <cmdsynopsis id="pam_faillock-cmdsynopsisauth"> ++ <command>auth ... pam_faillock.so</command> ++ <arg choice="req"> ++ preauth|authfail|authsucc ++ </arg> ++ <arg choice="opt"> ++ dir=<replaceable>/path/to/tally-directory</replaceable> ++ </arg> ++ <arg choice="opt"> ++ even_deny_root ++ </arg> ++ <arg choice="opt"> ++ deny=<replaceable>n</replaceable> ++ </arg> ++ <arg choice="opt"> ++ fail_interval=<replaceable>n</replaceable> ++ </arg> ++ <arg choice="opt"> ++ unlock_time=<replaceable>n</replaceable> ++ </arg> ++ <arg choice="opt"> ++ root_unlock_time=<replaceable>n</replaceable> ++ </arg> ++ <arg choice="opt"> ++ audit ++ </arg> ++ <arg choice="opt"> ++ silent ++ </arg> ++ <arg choice="opt"> ++ no_log_info ++ </arg> ++ </cmdsynopsis> ++ <cmdsynopsis id="pam_faillock-cmdsynopsisacct"> ++ <command>account ... pam_faillock.so</command> ++ <arg choice="opt"> ++ dir=<replaceable>/path/to/tally-directory</replaceable> ++ </arg> ++ <arg choice="opt"> ++ no_log_info ++ </arg> ++ </cmdsynopsis> ++ </refsynopsisdiv> ++ ++ <refsect1 id="pam_faillock-description"> ++ ++ <title>DESCRIPTION</title> ++ ++ <para> ++ This module maintains a list of failed authentication attempts per ++ user during a specified interval and locks the account in case ++ there were more than <replaceable>deny</replaceable> consecutive ++ failed authentications. ++ </para> ++ <para> ++ Normally, failed attempts to authenticate <emphasis>root</emphasis> will ++ <emphasis remap='B'>not</emphasis> cause the root account to become ++ blocked, to prevent denial-of-service: if your users aren't given ++ shell accounts and root may only login via <command>su</command> or ++ at the machine console (not telnet/rsh, etc), this is safe. ++ </para> ++ </refsect1> ++ ++ <refsect1 id="pam_faillock-options"> ++ ++ <title>OPTIONS</title> ++ <variablelist> ++ <varlistentry> ++ <term> ++ <option>{preauth|authfail|authsucc}</option> ++ </term> ++ <listitem> ++ <para> ++ This argument must be set accordingly to the position of this module ++ instance in the PAM stack. ++ </para> ++ <para> ++ The <emphasis>preauth</emphasis> argument must be used when the module ++ is called before the modules which ask for the user credentials such ++ as the password. The module just examines whether the user should ++ be blocked from accessing the service in case there were anomalous ++ number of failed consecutive authentication attempts recently. This ++ call is optional if <emphasis>authsucc</emphasis> is used. ++ </para> ++ <para> ++ The <emphasis>authfail</emphasis> argument must be used when the module ++ is called after the modules which determine the authentication outcome, ++ failed. Unless the user is already blocked due to previous authentication ++ failures, the module will record the failure into the appropriate user ++ tally file. ++ </para> ++ <para> ++ The <emphasis>authsucc</emphasis> argument must be used when the module ++ is called after the modules which determine the authentication outcome, ++ succeded. Unless the user is already blocked due to previous authentication ++ failures, the module will then clear the record of the failures in the ++ respective user tally file. Otherwise it will return authentication error. ++ If this call is not done, the pam_faillock will not distinguish between ++ consecutive and non-consecutive failed authentication attempts. The ++ <emphasis>preauth</emphasis> call must be used in such case. Due to ++ complications in the way the PAM stack can be configured it is also ++ possible to call <emphasis>pam_faillock</emphasis> as an account module. ++ In such configuration the module must be also called in the ++ <emphasis>preauth</emphasis> stage. ++ </para> ++ </listitem> ++ </varlistentry> ++ <varlistentry> ++ <term> ++ <option>dir=<replaceable>/path/to/tally-directory</replaceable></option> ++ </term> ++ <listitem> ++ <para> ++ The directory where the user files with the failure records are kept. The ++ default is <filename>/var/run/faillock</filename>. ++ </para> ++ </listitem> ++ </varlistentry> ++ <varlistentry> ++ <term> ++ <option>audit</option> ++ </term> ++ <listitem> ++ <para> ++ Will log the user name into the system log if the user is not found. ++ </para> ++ </listitem> ++ </varlistentry> ++ <varlistentry> ++ <term> ++ <option>silent</option> ++ </term> ++ <listitem> ++ <para> ++ Don't print informative messages. This option is implicite ++ in the <emphasis>authfail</emphasis> and <emphasis>authsucc</emphasis> ++ functions. ++ </para> ++ </listitem> ++ </varlistentry> ++ <varlistentry> ++ <term> ++ <option>no_log_info</option> ++ </term> ++ <listitem> ++ <para> ++ Don't log informative messages via <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>. ++ </para> ++ </listitem> ++ </varlistentry> ++ <varlistentry> ++ <term> ++ <option>deny=<replaceable>n</replaceable></option> ++ </term> ++ <listitem> ++ <para> ++ Deny access if the number of consecutive authentication failures ++ for this user during the recent interval exceeds ++ <replaceable>n</replaceable>. The default is 3. ++ </para> ++ </listitem> ++ </varlistentry> ++ <varlistentry> ++ <term> ++ <option>fail_interval=<replaceable>n</replaceable></option> ++ </term> ++ <listitem> ++ <para> ++ The length of the interval during which the consecutive ++ authentication failures must happen for the user account ++ lock out is <replaceable>n</replaceable> seconds. ++ The default is 900 (15 minutes). ++ </para> ++ </listitem> ++ </varlistentry> ++ <varlistentry> ++ <term> ++ <option>unlock_time=<replaceable>n</replaceable></option> ++ </term> ++ <listitem> ++ <para> ++ The access will be reenabled after ++ <replaceable>n</replaceable> seconds after the lock out. ++ The default is 600 (10 minutes). ++ </para> ++ </listitem> ++ </varlistentry> ++ <varlistentry> ++ <term> ++ <option>even_deny_root</option> ++ </term> ++ <listitem> ++ <para> ++ Root account can become locked as well as regular accounts. ++ </para> ++ </listitem> ++ </varlistentry> ++ <varlistentry> ++ <term> ++ <option>root_unlock_time=<replaceable>n</replaceable></option> ++ </term> ++ <listitem> ++ <para> ++ This option implies <option>even_deny_root</option> option. ++ Allow access after <replaceable>n</replaceable> seconds ++ to root account after the account is locked. In case the ++ option is not specified the value is the same as of the ++ <option>unlock_time</option> option. ++ </para> ++ </listitem> ++ </varlistentry> ++ </variablelist> ++ </refsect1> ++ ++ <refsect1 id="pam_faillock-types"> ++ <title>MODULE TYPES PROVIDED</title> ++ <para> ++ The <option>auth</option> and <option>account</option> module types are ++ provided. ++ </para> ++ </refsect1> ++ ++ <refsect1 id='pam_faillock-return_values'> ++ <title>RETURN VALUES</title> ++ <variablelist> ++ <varlistentry> ++ <term>PAM_AUTH_ERR</term> ++ <listitem> ++ <para> ++ A invalid option was given, the module was not able ++ to retrieve the user name, no valid counter file ++ was found, or too many failed logins. ++ </para> ++ </listitem> ++ </varlistentry> ++ <varlistentry> ++ <term>PAM_SUCCESS</term> ++ <listitem> ++ <para> ++ Everything was successful. ++ </para> ++ </listitem> ++ </varlistentry> ++ <varlistentry> ++ <term>PAM_IGNORE</term> ++ <listitem> ++ <para> ++ User not present in passwd database. ++ </para> ++ </listitem> ++ </varlistentry> ++ </variablelist> ++ </refsect1> ++ ++ <refsect1 id='pam_faillock-notes'> ++ <title>NOTES</title> ++ <para> ++ <emphasis>pam_faillock</emphasis> setup in the PAM stack is different ++ from the <emphasis>pam_tally2</emphasis> module setup. ++ </para> ++ <para> ++ There is no setuid wrapper for access to the data file such as when the ++ <emphasis remap='B'>pam_faillock.so</emphasis> module is called from ++ a screensaver. As this would make it impossible to share PAM configuration ++ with such services the following workaround is used: If the data file ++ cannot be opened because of insufficient permissions ++ (<errorcode>EACCES</errorcode>) the module returns ++ <errorcode>PAM_SUCCESS</errorcode>. ++ </para> ++ <para> ++ Note that using the module in <option>preauth</option> without the ++ <option>silent</option> option or with <emphasis>requisite</emphasis> ++ control field leaks an information about existence or ++ non-existence of an user account in the system because ++ the failures are not recorded for the unknown users. The message ++ about the user account being locked is never displayed for nonexisting ++ user accounts allowing the adversary to infer that a particular account ++ is not existing on a system. ++ </para> ++ </refsect1> ++ ++ <refsect1 id='pam_faillock-examples'> ++ <title>EXAMPLES</title> ++ <para> ++ Here are two possible configuration examples for <filename>/etc/pam.d/login</filename>. ++ They make <emphasis>pam_faillock</emphasis> to lock the account after 4 consecutive ++ failed logins during the default interval of 15 minutes. Root account will be locked ++ as well. The accounts will be automatically unlocked after 20 minutes. ++ </para> ++ <para> ++ In the first example the module is called only in the <emphasis>auth</emphasis> ++ phase and the module does not print any information about the account blocking ++ by <emphasis>pam_faillock</emphasis>. The <emphasis>preauth</emphasis> call can ++ be added to tell the user that his login is blocked by the module and also to abort ++ the authentication without even asking for password in such case. ++ </para> ++ <programlisting> ++auth required pam_securetty.so ++auth required pam_env.so ++auth required pam_nologin.so ++# optionally call: auth requisite pam_faillock.so preauth deny=4 even_deny_root unlock_time=1200 ++# to display the message about account being locked ++auth [success=1 default=bad] pam_unix.so ++auth [default=die] pam_faillock.so authfail deny=4 even_deny_root unlock_time=1200 ++auth sufficient pam_faillock.so authsucc deny=4 even_deny_root unlock_time=1200 ++auth required pam_deny.so ++account required pam_unix.so ++password required pam_unix.so shadow ++session required pam_selinux.so close ++session required pam_loginuid.so ++session required pam_unix.so ++session required pam_selinux.so open ++ </programlisting> ++ <para> ++ In the second example the module is called both in the <emphasis>auth</emphasis> ++ and <emphasis>account</emphasis> phases and the module gives the authenticating ++ user message when the account is locked ++ </para> ++ <programlisting> ++auth required pam_securetty.so ++auth required pam_env.so ++auth required pam_nologin.so ++auth required pam_faillock.so preauth silent deny=4 even_deny_root unlock_time=1200 ++# optionally use requisite above if you do not want to prompt for the password ++# on locked accounts, possibly with removing the silent option as well ++auth sufficient pam_unix.so ++auth [default=die] pam_faillock.so authfail deny=4 even_deny_root unlock_time=1200 ++auth required pam_deny.so ++account required pam_faillock.so ++# if you drop the above call to pam_faillock.so the lock will be done also ++# on non-consecutive authentication failures ++account required pam_unix.so ++password required pam_unix.so shadow ++session required pam_selinux.so close ++session required pam_loginuid.so ++session required pam_unix.so ++session required pam_selinux.so open ++ </programlisting> ++ </refsect1> ++ ++ <refsect1 id="pam_faillock-files"> ++ <title>FILES</title> ++ <variablelist> ++ <varlistentry> ++ <term><filename>/var/run/faillock/*</filename></term> ++ <listitem> ++ <para>the files logging the authentication failures for users</para> ++ </listitem> ++ </varlistentry> ++ </variablelist> ++ </refsect1> ++ ++ <refsect1 id='pam_faillock-see_also'> ++ <title>SEE ALSO</title> ++ <para> ++ <citerefentry> ++ <refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum> ++ </citerefentry>, ++ <citerefentry> ++ <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> ++ </citerefentry>, ++ <citerefentry> ++ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> ++ </citerefentry>, ++ <citerefentry> ++ <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> ++ </citerefentry> ++ </para> ++ </refsect1> ++ ++ <refsect1 id='pam_faillock-author'> ++ <title>AUTHOR</title> ++ <para> ++ pam_faillock was written by Tomas Mraz. ++ </para> ++ </refsect1> ++ ++</refentry> +diff -up Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/README.xml +--- Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock 2010-09-17 15:58:41.000000000 +0200 ++++ Linux-PAM-1.1.1/modules/pam_faillock/README.xml 2010-09-17 15:58:41.000000000 +0200 +@@ -0,0 +1,46 @@ ++<?xml version="1.0" encoding='UTF-8'?> ++<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" ++"http://www.docbook.org/xml/4.3/docbookx.dtd" ++[ ++<!-- ++<!ENTITY pamaccess SYSTEM "pam_faillock.8.xml"> ++--> ++]> ++ ++<article> ++ ++ <articleinfo> ++ ++ <title> ++ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" ++ href="pam_faillock.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_faillock-name"]/*)'/> ++ </title> ++ ++ </articleinfo> ++ ++ <section> ++ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" ++ href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-description"]/*)'/> ++ </section> ++ ++ <section> ++ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" ++ href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-options"]/*)'/> ++ </section> ++ ++ <section> ++ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" ++ href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-notes"]/*)'/> ++ </section> ++ ++ <section> ++ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" ++ href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-examples"]/*)'/> ++ </section> ++ ++ <section> ++ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" ++ href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-author"]/*)'/> ++ </section> ++ ++</article> +diff -up Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock.faillock Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock +--- Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock.faillock 2010-09-17 15:58:41.000000000 +0200 ++++ Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock 2010-09-17 15:58:41.000000000 +0200 +@@ -0,0 +1,2 @@ ++#!/bin/sh ++../../tests/tst-dlopen .libs/pam_faillock.so diff --git a/extra/source/pam/patches/pam-1.1.2-noflex.patch b/extra/source/pam/patches/pam-1.1.2-noflex.patch new file mode 100644 index 000000000..fc965559b --- /dev/null +++ b/extra/source/pam/patches/pam-1.1.2-noflex.patch @@ -0,0 +1,27 @@ +diff -up Linux-PAM-1.1.2/doc/Makefile.am.noflex Linux-PAM-1.1.2/doc/Makefile.am +--- Linux-PAM-1.1.2/doc/Makefile.am.noflex 2008-02-04 16:05:51.000000000 +0100 ++++ Linux-PAM-1.1.2/doc/Makefile.am 2010-09-20 10:40:59.000000000 +0200 +@@ -2,7 +2,7 @@ + # Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> + # + +-SUBDIRS = man specs sag adg mwg ++SUBDIRS = man sag adg mwg + + CLEANFILES = *~ + +diff -up Linux-PAM-1.1.2/Makefile.am.noflex Linux-PAM-1.1.2/Makefile.am +--- Linux-PAM-1.1.2/Makefile.am.noflex 2010-07-08 14:04:19.000000000 +0200 ++++ Linux-PAM-1.1.2/Makefile.am 2010-09-20 10:04:56.000000000 +0200 +@@ -5,9 +5,9 @@ + AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news + + if STATIC_MODULES +-SUBDIRS = modules libpam libpamc libpam_misc tests po conf doc examples xtests ++SUBDIRS = modules libpam libpamc libpam_misc tests po doc examples xtests + else +-SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests ++SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests + endif + + CLEANFILES = *~ diff --git a/extra/source/pam/patches/pam-1.1.3-faillock-screensaver.patch b/extra/source/pam/patches/pam-1.1.3-faillock-screensaver.patch new file mode 100644 index 000000000..249d2850c --- /dev/null +++ b/extra/source/pam/patches/pam-1.1.3-faillock-screensaver.patch @@ -0,0 +1,167 @@ +diff -up Linux-PAM-1.1.3/modules/pam_faillock/faillock.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/faillock.c +--- Linux-PAM-1.1.3/modules/pam_faillock/faillock.c.screensaver 2010-11-10 11:46:07.000000000 +0100 ++++ Linux-PAM-1.1.3/modules/pam_faillock/faillock.c 2010-11-10 11:46:07.000000000 +0100 +@@ -41,13 +41,14 @@ + #include <sys/types.h> + #include <sys/stat.h> + #include <sys/file.h> ++#include <sys/stat.h> + #include <fcntl.h> + #include <security/pam_modutil.h> + + #include "faillock.h" + + int +-open_tally (const char *dir, const char *user, int create) ++open_tally (const char *dir, const char *user, uid_t uid, int create) + { + char *path; + int flags = O_RDWR; +@@ -69,8 +70,18 @@ open_tally (const char *dir, const char + + fd = open(path, flags, 0600); + +- if (fd != -1) ++ free(path); ++ ++ if (fd != -1) { ++ struct stat st; ++ + while (flock(fd, LOCK_EX) == -1 && errno == EINTR); ++ if (fstat(fd, &st) == 0) { ++ if (st.st_uid != uid) { ++ fchown(fd, uid, -1); ++ } ++ } ++ } + + return fd; + } +diff -up Linux-PAM-1.1.3/modules/pam_faillock/faillock.h.screensaver Linux-PAM-1.1.3/modules/pam_faillock/faillock.h +--- Linux-PAM-1.1.3/modules/pam_faillock/faillock.h.screensaver 2010-11-10 11:46:07.000000000 +0100 ++++ Linux-PAM-1.1.3/modules/pam_faillock/faillock.h 2010-11-10 11:46:07.000000000 +0100 +@@ -45,6 +45,7 @@ + #define _FAILLOCK_H + + #include <stdint.h> ++#include <sys/types.h> + + #define TALLY_STATUS_VALID 0x1 /* the tally file entry is valid */ + #define TALLY_STATUS_RHOST 0x2 /* the source is rhost */ +@@ -65,7 +66,7 @@ struct tally_data { + + #define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock" + +-int open_tally(const char *dir, const char *user, int create); ++int open_tally(const char *dir, const char *user, uid_t uid, int create); + int read_tally(int fd, struct tally_data *tallies); + int update_tally(int fd, struct tally_data *tallies); + #endif +diff -up Linux-PAM-1.1.3/modules/pam_faillock/main.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/main.c +--- Linux-PAM-1.1.3/modules/pam_faillock/main.c.screensaver 2010-11-10 11:46:07.000000000 +0100 ++++ Linux-PAM-1.1.3/modules/pam_faillock/main.c 2010-11-10 11:46:07.000000000 +0100 +@@ -106,8 +106,11 @@ do_user(struct options *opts, const char + int fd; + int rv; + struct tally_data tallies; ++ struct passwd *pwd; + +- fd = open_tally(opts->dir, user, 0); ++ pwd = getpwnam(user); ++ ++ fd = open_tally(opts->dir, user, pwd != NULL ? pwd->pw_uid : 0, 0); + + if (fd == -1) { + if (errno == ENOENT) { +@@ -134,9 +137,8 @@ do_user(struct options *opts, const char + #ifdef HAVE_LIBAUDIT + } + if ((audit_fd=audit_open()) >= 0) { +- struct passwd *pwd; + +- if ((pwd=getpwnam(user)) != NULL) { ++ if (pwd != NULL) { + snprintf(buf, sizeof(buf), "faillock reset uid=%u", + pwd->pw_uid); + audit_log_user_message(audit_fd, AUDIT_USER_ACCT, +diff -up Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c +--- Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c.screensaver 2010-11-10 11:46:07.000000000 +0100 ++++ Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c 2010-11-10 11:46:07.000000000 +0100 +@@ -213,7 +213,7 @@ check_tally(pam_handle_t *pamh, struct o + + opts->now = time(NULL); + +- tfd = open_tally(opts->dir, opts->user, 0); ++ tfd = open_tally(opts->dir, opts->user, opts->uid, 0); + + *fd = tfd; + +@@ -289,9 +289,14 @@ reset_tally(pam_handle_t *pamh, struct o + { + int rv; + +- while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR); +- if (rv == -1) { +- pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user); ++ if (*fd == -1) { ++ *fd = open_tally(opts->dir, opts->user, opts->uid, 1); ++ } ++ else { ++ while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR); ++ if (rv == -1) { ++ pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user); ++ } + } + } + +@@ -306,7 +311,7 @@ write_tally(pam_handle_t *pamh, struct o + const void *source = NULL; + + if (*fd == -1) { +- *fd = open_tally(opts->dir, opts->user, 1); ++ *fd = open_tally(opts->dir, opts->user, opts->uid, 1); + } + if (*fd == -1) { + if (errno == EACCES) { +@@ -463,7 +468,7 @@ pam_sm_authenticate(pam_handle_t *pamh, + + case FAILLOCK_ACTION_AUTHSUCC: + rv = check_tally(pamh, &opts, &tallies, &fd); +- if (rv == PAM_SUCCESS && fd != -1) { ++ if (rv == PAM_SUCCESS) { + reset_tally(pamh, &opts, &fd); + } + break; +@@ -511,10 +516,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int + return rv; + } + +- check_tally(pamh, &opts, &tallies, &fd); +- if (fd != -1) { +- reset_tally(pamh, &opts, &fd); +- } ++ check_tally(pamh, &opts, &tallies, &fd); /* for auditing */ ++ reset_tally(pamh, &opts, &fd); + + tally_cleanup(&tallies, fd); + +diff -up Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml.screensaver Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml +--- Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml.screensaver 2010-11-10 11:46:07.000000000 +0100 ++++ Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml 2010-11-10 11:47:14.000000000 +0100 +@@ -277,13 +277,9 @@ + from the <emphasis>pam_tally2</emphasis> module setup. + </para> + <para> +- There is no setuid wrapper for access to the data file such as when the +- <emphasis remap='B'>pam_faillock.so</emphasis> module is called from +- a screensaver. As this would make it impossible to share PAM configuration +- with such services the following workaround is used: If the data file +- cannot be opened because of insufficient permissions +- (<errorcode>EACCES</errorcode>) the module returns +- <errorcode>PAM_SUCCESS</errorcode>. ++ The individual files with the failure records are created as owned by ++ the user. This allows <emphasis remap='B'>pam_faillock.so</emphasis> module ++ to work correctly when it is called from a screensaver. + </para> + <para> + Note that using the module in <option>preauth</option> without the diff --git a/extra/source/pam/patches/pam-1.1.3-limits-nosetreuid.patch b/extra/source/pam/patches/pam-1.1.3-limits-nosetreuid.patch new file mode 100644 index 000000000..885690d09 --- /dev/null +++ b/extra/source/pam/patches/pam-1.1.3-limits-nosetreuid.patch @@ -0,0 +1,64 @@ +diff -up Linux-PAM-1.1.3/modules/pam_limits/pam_limits.c.nosetreuid Linux-PAM-1.1.3/modules/pam_limits/pam_limits.c +--- Linux-PAM-1.1.3/modules/pam_limits/pam_limits.c.nosetreuid 2009-02-20 14:27:14.000000000 +0100 ++++ Linux-PAM-1.1.3/modules/pam_limits/pam_limits.c 2010-11-11 12:31:04.000000000 +0100 +@@ -103,7 +103,6 @@ struct pam_limit_s { + /* argument parsing */ + + #define PAM_DEBUG_ARG 0x0001 +-#define PAM_DO_SETREUID 0x0002 + #define PAM_UTMP_EARLY 0x0004 + #define PAM_NO_AUDIT 0x0008 + +@@ -127,8 +126,6 @@ _pam_parse (const pam_handle_t *pamh, in + ctrl |= PAM_DEBUG_ARG; + } else if (!strncmp(*argv,"conf=",5)) { + pl->conf_file = *argv+5; +- } else if (!strncmp(*argv,"change_uid",10)) { +- ctrl |= PAM_DO_SETREUID; + } else if (!strcmp(*argv,"utmp_early")) { + ctrl |= PAM_UTMP_EARLY; + } else if (!strcmp(*argv,"noaudit")) { +@@ -777,10 +774,6 @@ out: + return retval; + } + +- if (ctrl & PAM_DO_SETREUID) { +- setreuid(pwd->pw_uid, -1); +- } +- + retval = setup_limits(pamh, pwd->pw_name, pwd->pw_uid, ctrl, pl); + if (retval & LOGIN_ERR) + pam_error(pamh, _("Too many logins for '%s'."), pwd->pw_name); +diff -up Linux-PAM-1.1.3/modules/pam_limits/pam_limits.8.xml.nosetreuid Linux-PAM-1.1.3/modules/pam_limits/pam_limits.8.xml +--- Linux-PAM-1.1.3/modules/pam_limits/pam_limits.8.xml.nosetreuid 2009-06-01 09:03:20.000000000 +0200 ++++ Linux-PAM-1.1.3/modules/pam_limits/pam_limits.8.xml 2010-11-11 12:32:35.000000000 +0100 +@@ -23,9 +23,6 @@ + <cmdsynopsis id="pam_limits-cmdsynopsis"> + <command>pam_limits.so</command> + <arg choice="opt"> +- change_uid +- </arg> +- <arg choice="opt"> + conf=<replaceable>/path/to/limits.conf</replaceable> + </arg> + <arg choice="opt"> +@@ -72,19 +69,6 @@ + <variablelist> + <varlistentry> + <term> +- <option>change_uid</option> +- </term> +- <listitem> +- <para> +- Change real uid to the user for who the limits are set up. Use this +- option if you have problems like login not forking a shell for user +- who has no processes. Be warned that something else may break when +- you do this. +- </para> +- </listitem> +- </varlistentry> +- <varlistentry> +- <term> + <option>conf=<replaceable>/path/to/limits.conf</replaceable></option> + </term> + <listitem> diff --git a/extra/source/pam/patches/pam-1.1.3-limits-range.patch b/extra/source/pam/patches/pam-1.1.3-limits-range.patch new file mode 100644 index 000000000..c357eb282 --- /dev/null +++ b/extra/source/pam/patches/pam-1.1.3-limits-range.patch @@ -0,0 +1,351 @@ +Index: modules/pam_limits/limits.conf.5.xml +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/modules/pam_limits/limits.conf.5.xml,v +retrieving revision 1.9 +retrieving revision 1.11 +diff -u -p -r1.9 -r1.11 +--- modules/pam_limits/limits.conf.5.xml 20 Feb 2009 13:27:14 -0000 1.9 ++++ modules/pam_limits/limits.conf.5.xml 14 Dec 2010 08:40:40 -0000 1.11 +@@ -53,7 +53,38 @@ + <listitem> + <para> + the wildcard <emphasis remap='B'>%</emphasis>, for maxlogins limit only, +- can also be used with <emphasis remap='b'>%group</emphasis> syntax. ++ can also be used with <emphasis remap='B'>%group</emphasis> syntax. If the ++ <emphasis remap='B'>%</emphasis> wildcard is used alone it is identical ++ to using <emphasis remap='B'>*</emphasis> with maxsyslogins limit. With ++ a group specified after <emphasis remap='B'>%</emphasis> it limits the total ++ number of logins of all users that are member of the group. ++ </para> ++ </listitem> ++ <listitem> ++ <para> ++ an uid range specified as <replaceable><min_uid></replaceable><emphasis ++ remap='B'>:</emphasis><replaceable><max_uid></replaceable>. If min_uid ++ is omitted, the match is exact for the max_uid. If max_uid is omitted, all ++ uids greater than or equal min_uid match. ++ </para> ++ </listitem> ++ <listitem> ++ <para> ++ a gid range specified as <emphasis ++ remap='B'>@</emphasis><replaceable><min_gid></replaceable><emphasis ++ remap='B'>:</emphasis><replaceable><max_gid></replaceable>. If min_gid ++ is omitted, the match is exact for the max_gid. If max_gid is omitted, all ++ gids greater than or equal min_gid match. For the exact match all groups including ++ the user's supplementary groups are examined. For the range matches only ++ the user's primary group is examined. ++ </para> ++ </listitem> ++ <listitem> ++ <para> ++ a gid specified as <emphasis ++ remap='B'>%:</emphasis><replaceable><gid></replaceable> applicable ++ to maxlogins limit only. It limits the total number of logins of all users ++ that are member of the group with the specified gid. + </para> + </listitem> + </itemizedlist> +@@ -182,7 +213,7 @@ + <varlistentry> + <term><option>maxsyslogins</option></term> + <listitem> +- <para>maximum number of logins on system</para> ++ <para>maximum number of all logins on system</para> + </listitem> + </varlistentry> + <varlistentry> +@@ -272,12 +303,15 @@ + </para> + <programlisting> + * soft core 0 +-* hard rss 10000 ++* hard nofile 512 + @student hard nproc 20 + @faculty soft nproc 20 + @faculty hard nproc 50 + ftp hard nproc 0 + @student - maxlogins 4 ++:123 hard cpu 5000 ++@500: soft cpu 10000 ++600:700 hard locks 10 + </programlisting> + </refsect1> + +Index: modules/pam_limits/pam_limits.c +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/modules/pam_limits/pam_limits.c,v +retrieving revision 1.48 +retrieving revision 1.49 +diff -u -p -r1.48 -r1.49 +--- modules/pam_limits/pam_limits.c 18 Nov 2010 09:37:32 -0000 1.48 ++++ modules/pam_limits/pam_limits.c 14 Dec 2010 08:40:40 -0000 1.49 +@@ -55,6 +55,12 @@ + #define LIMITS_DEF_DEFAULT 4 /* limit was set by an default entry */ + #define LIMITS_DEF_NONE 5 /* this limit was not set yet */ + ++#define LIMIT_RANGE_ERR -1 /* error in specified uid/gid range */ ++#define LIMIT_RANGE_NONE 0 /* no range specified */ ++#define LIMIT_RANGE_ONE 1 /* exact uid/gid specified (:max_uid)*/ ++#define LIMIT_RANGE_MIN 2 /* only minimum uid/gid specified (min_uid:) */ ++#define LIMIT_RANGE_MM 3 /* both min and max uid/gid specified (min_uid:max_uid) */ ++ + static const char *limits_def_names[] = { + "USER", + "GROUP", +@@ -520,8 +526,57 @@ process_limit (const pam_handle_t *pamh, + return; + } + +-static int parse_config_file(pam_handle_t *pamh, const char *uname, int ctrl, +- struct pam_limit_s *pl) ++static int ++parse_uid_range(pam_handle_t *pamh, const char *domain, ++ uid_t *min_uid, uid_t *max_uid) ++{ ++ const char *range = domain; ++ char *pmax; ++ char *endptr; ++ int rv = LIMIT_RANGE_MM; ++ ++ if ((pmax=strchr(range, ':')) == NULL) ++ return LIMIT_RANGE_NONE; ++ ++pmax; ++ ++ if (range[0] == '@' || range[0] == '%') ++ ++range; ++ ++ if (range[0] == ':') ++ rv = LIMIT_RANGE_ONE; ++ else { ++ errno = 0; ++ *min_uid = strtoul (range, &endptr, 10); ++ if (errno != 0 || (range == endptr) || *endptr != ':') { ++ pam_syslog(pamh, LOG_DEBUG, ++ "wrong min_uid/gid value in '%s'", domain); ++ return LIMIT_RANGE_ERR; ++ } ++ } ++ ++ if (*pmax == '\0') { ++ if (rv == LIMIT_RANGE_ONE) ++ return LIMIT_RANGE_ERR; ++ else ++ return LIMIT_RANGE_MIN; ++ } ++ ++ errno = 0; ++ *max_uid = strtoul (pmax, &endptr, 10); ++ if (errno != 0 || (pmax == endptr) || *endptr != '\0') { ++ pam_syslog(pamh, LOG_DEBUG, ++ "wrong max_uid/gid value in '%s'", domain); ++ return LIMIT_RANGE_ERR; ++ } ++ ++ if (rv == LIMIT_RANGE_ONE) ++ *min_uid = *max_uid; ++ return rv; ++} ++ ++static int ++parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid, ++ int ctrl, struct pam_limit_s *pl) + { + FILE *fil; + char buf[LINE_LENGTH]; +@@ -543,8 +598,10 @@ static int parse_config_file(pam_handle_ + char item[LINE_LENGTH]; + char value[LINE_LENGTH]; + int i; ++ int rngtype; + size_t j; + char *tptr,*line; ++ uid_t min_uid = (uid_t)-1, max_uid = (uid_t)-1; + + line = buf; + /* skip the leading white space */ +@@ -572,6 +629,11 @@ static int parse_config_file(pam_handle_ + for(j=0; j < strlen(ltype); j++) + ltype[j]=tolower(ltype[j]); + ++ if ((rngtype=parse_uid_range(pamh, domain, &min_uid, &max_uid)) < 0) { ++ pam_syslog(pamh, LOG_WARNING, "invalid uid range '%s' - skipped", domain); ++ continue; ++ } ++ + if (i == 4) { /* a complete line */ + for(j=0; j < strlen(item); j++) + item[j]=tolower(item[j]); +@@ -581,47 +643,133 @@ static int parse_config_file(pam_handle_ + if (strcmp(uname, domain) == 0) /* this user have a limit */ + process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl); + else if (domain[0]=='@') { +- if (ctrl & PAM_DEBUG_ARG) { ++ if (ctrl & PAM_DEBUG_ARG) { + pam_syslog(pamh, LOG_DEBUG, + "checking if %s is in group %s", + uname, domain + 1); +- } +- if (pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1)) +- process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl, ++ } ++ switch(rngtype) { ++ case LIMIT_RANGE_NONE: ++ if (pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1)) ++ process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl, ++ pl); ++ break; ++ case LIMIT_RANGE_ONE: ++ if (pam_modutil_user_in_group_nam_gid(pamh, uname, (gid_t)max_uid)) ++ process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl, + pl); ++ break; ++ case LIMIT_RANGE_MM: ++ if (gid > (gid_t)max_uid) ++ break; ++ /* fallthrough */ ++ case LIMIT_RANGE_MIN: ++ if (gid >= (gid_t)min_uid) ++ process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl, ++ pl); ++ } + } else if (domain[0]=='%') { +- if (ctrl & PAM_DEBUG_ARG) { ++ if (ctrl & PAM_DEBUG_ARG) { + pam_syslog(pamh, LOG_DEBUG, + "checking if %s is in group %s", + uname, domain + 1); +- } +- if (strcmp(domain,"%") == 0) +- process_limit(pamh, LIMITS_DEF_ALL, ltype, item, value, ctrl, +- pl); +- else if (pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1)) { +- strcpy(pl->login_group, domain+1); +- process_limit(pamh, LIMITS_DEF_ALLGROUP, ltype, item, value, ctrl, +- pl); + } +- } else if (strcmp(domain, "*") == 0) +- process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl, +- pl); ++ switch(rngtype) { ++ case LIMIT_RANGE_NONE: ++ if (strcmp(domain,"%") == 0) ++ process_limit(pamh, LIMITS_DEF_ALL, ltype, item, value, ctrl, ++ pl); ++ else if (pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1)) { ++ strcpy(pl->login_group, domain+1); ++ process_limit(pamh, LIMITS_DEF_ALLGROUP, ltype, item, value, ctrl, ++ pl); ++ } ++ break; ++ case LIMIT_RANGE_ONE: ++ if (pam_modutil_user_in_group_nam_gid(pamh, uname, (gid_t)max_uid)) { ++ struct group *grp; ++ grp = pam_modutil_getgrgid(pamh, (gid_t)max_uid); ++ strncpy(pl->login_group, grp->gr_name, sizeof(pl->login_group)); ++ pl->login_group[sizeof(pl->login_group)-1] = '\0'; ++ process_limit(pamh, LIMITS_DEF_ALLGROUP, ltype, item, value, ctrl, ++ pl); ++ } ++ break; ++ case LIMIT_RANGE_MIN: ++ case LIMIT_RANGE_MM: ++ pam_syslog(pamh, LOG_WARNING, "range unsupported for %%group matching - ignored"); ++ } ++ } else { ++ switch(rngtype) { ++ case LIMIT_RANGE_NONE: ++ if (strcmp(domain, "*") == 0) ++ process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl, ++ pl); ++ break; ++ case LIMIT_RANGE_ONE: ++ if (uid != max_uid) ++ break; ++ /* fallthrough */ ++ case LIMIT_RANGE_MM: ++ if (uid > max_uid) ++ break; ++ /* fallthrough */ ++ case LIMIT_RANGE_MIN: ++ if (uid >= min_uid) ++ process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl); ++ } ++ } + } else if (i == 2 && ltype[0] == '-') { /* Probably a no-limit line */ + if (strcmp(uname, domain) == 0) { + if (ctrl & PAM_DEBUG_ARG) { + pam_syslog(pamh, LOG_DEBUG, "no limits for '%s'", uname); + } +- fclose(fil); +- return PAM_IGNORE; +- } else if (domain[0] == '@' && pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1)) { ++ } else if (domain[0] == '@') { ++ switch(rngtype) { ++ case LIMIT_RANGE_NONE: ++ if (!pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1)) ++ continue; /* next line */ ++ break; ++ case LIMIT_RANGE_ONE: ++ if (!pam_modutil_user_in_group_nam_gid(pamh, uname, (gid_t)max_uid)) ++ continue; /* next line */ ++ break; ++ case LIMIT_RANGE_MM: ++ if (gid > (gid_t)max_uid) ++ continue; /* next line */ ++ /* fallthrough */ ++ case LIMIT_RANGE_MIN: ++ if (gid < (gid_t)min_uid) ++ continue; /* next line */ ++ } + if (ctrl & PAM_DEBUG_ARG) { + pam_syslog(pamh, LOG_DEBUG, + "no limits for '%s' in group '%s'", + uname, domain+1); + } +- fclose(fil); +- return PAM_IGNORE; ++ } else { ++ switch(rngtype) { ++ case LIMIT_RANGE_NONE: ++ continue; /* next line */ ++ case LIMIT_RANGE_ONE: ++ if (uid != max_uid) ++ continue; /* next line */ ++ break; ++ case LIMIT_RANGE_MM: ++ if (uid > max_uid) ++ continue; /* next line */ ++ /* fallthrough */ ++ case LIMIT_RANGE_MIN: ++ if (uid >= min_uid) ++ break; ++ continue; /* next line */ ++ } ++ if (ctrl & PAM_DEBUG_ARG) { ++ pam_syslog(pamh, LOG_DEBUG, "no limits for '%s'", uname); ++ } + } ++ fclose(fil); ++ return PAM_IGNORE; + } else { + pam_syslog(pamh, LOG_WARNING, "invalid line '%s' - skipped", line); + } +@@ -731,7 +879,7 @@ pam_sm_open_session (pam_handle_t *pamh, + return PAM_ABORT; + } + +- retval = parse_config_file(pamh, pwd->pw_name, ctrl, pl); ++ retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid, ctrl, pl); + if (retval == PAM_IGNORE) { + D(("the configuration file ('%s') has an applicable '<domain> -' entry", CONF_FILE)); + return PAM_SUCCESS; +@@ -755,7 +903,7 @@ pam_sm_open_session (pam_handle_t *pamh, + /* Parse the *.conf files. */ + for (i = 0; globbuf.gl_pathv[i] != NULL; i++) { + pl->conf_file = globbuf.gl_pathv[i]; +- retval = parse_config_file(pamh, pwd->pw_name, ctrl, pl); ++ retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid, ctrl, pl); + if (retval == PAM_IGNORE) { + D(("the configuration file ('%s') has an applicable '<domain> -' entry", pl->conf_file)); + globfree(&globbuf); diff --git a/extra/source/pam/patches/pam-1.1.3-nouserenv.patch b/extra/source/pam/patches/pam-1.1.3-nouserenv.patch new file mode 100644 index 000000000..f3a742c8d --- /dev/null +++ b/extra/source/pam/patches/pam-1.1.3-nouserenv.patch @@ -0,0 +1,27 @@ +diff -up pam/modules/pam_env/pam_env.c.nouserenv pam/modules/pam_env/pam_env.c +--- pam/modules/pam_env/pam_env.c.nouserenv 2010-10-20 09:59:30.000000000 +0200 ++++ pam/modules/pam_env/pam_env.c 2010-11-01 14:42:01.000000000 +0100 +@@ -10,7 +10,7 @@ + #define DEFAULT_READ_ENVFILE 1 + + #define DEFAULT_USER_ENVFILE ".pam_environment" +-#define DEFAULT_USER_READ_ENVFILE 1 ++#define DEFAULT_USER_READ_ENVFILE 0 + + #include "config.h" + +diff -up pam/modules/pam_env/pam_env.8.xml.nouserenv pam/modules/pam_env/pam_env.8.xml +--- pam/modules/pam_env/pam_env.8.xml.nouserenv 2010-10-20 09:59:30.000000000 +0200 ++++ pam/modules/pam_env/pam_env.8.xml 2010-11-01 14:42:01.000000000 +0100 +@@ -147,7 +147,10 @@ + <listitem> + <para> + Turns on or off the reading of the user specific environment +- file. 0 is off, 1 is on. By default this option is on. ++ file. 0 is off, 1 is on. By default this option is off as user ++ supplied environment variables in the PAM environment could affect ++ behavior of subsequent modules in the stack without the consent ++ of the system administrator. + </para> + </listitem> + </varlistentry> diff --git a/extra/source/pam/patches/pam-1.1.3-pwhistory-incomplete.patch b/extra/source/pam/patches/pam-1.1.3-pwhistory-incomplete.patch new file mode 100644 index 000000000..6117b26ea --- /dev/null +++ b/extra/source/pam/patches/pam-1.1.3-pwhistory-incomplete.patch @@ -0,0 +1,54 @@ +diff -up Linux-PAM-1.1.3/modules/pam_pwhistory/pam_pwhistory.c.incomplete Linux-PAM-1.1.3/modules/pam_pwhistory/pam_pwhistory.c +--- Linux-PAM-1.1.3/modules/pam_pwhistory/pam_pwhistory.c.incomplete 2008-12-18 14:09:36.000000000 +0100 ++++ Linux-PAM-1.1.3/modules/pam_pwhistory/pam_pwhistory.c 2010-11-11 14:45:02.000000000 +0100 +@@ -187,12 +187,13 @@ pam_sm_chauthtok (pam_handle_t *pamh, in + { + retval = pam_get_authtok (pamh, PAM_AUTHTOK, &newpass, NULL); + if (retval != PAM_SUCCESS && retval != PAM_TRY_AGAIN) +- return retval; ++ { ++ if (retval == PAM_CONV_AGAIN) ++ retval = PAM_INCOMPLETE; ++ return retval; ++ } + tries++; + +- if (newpass == NULL || retval == PAM_TRY_AGAIN) +- continue; +- + if (options.debug) + { + if (newpass) +@@ -201,12 +202,8 @@ pam_sm_chauthtok (pam_handle_t *pamh, in + pam_syslog (pamh, LOG_DEBUG, "got no auth token"); + } + +- if (retval != PAM_SUCCESS || newpass == NULL) +- { +- if (retval == PAM_CONV_AGAIN) +- retval = PAM_INCOMPLETE; +- return retval; +- } ++ if (newpass == NULL || retval == PAM_TRY_AGAIN) ++ continue; + + if (options.debug) + pam_syslog (pamh, LOG_DEBUG, "check against old password file"); +@@ -219,7 +216,6 @@ pam_sm_chauthtok (pam_handle_t *pamh, in + newpass = NULL; + /* Remove password item, else following module will use it */ + pam_set_item (pamh, PAM_AUTHTOK, (void *) NULL); +- continue; + } + } + +@@ -230,8 +226,7 @@ pam_sm_chauthtok (pam_handle_t *pamh, in + return PAM_MAXTRIES; + } + +- /* Remember new password */ +- return pam_set_item (pamh, PAM_AUTHTOK, newpass); ++ return PAM_SUCCESS; + } + + diff --git a/extra/source/pam/patches/pam-1.1.3-securetty-console.patch b/extra/source/pam/patches/pam-1.1.3-securetty-console.patch new file mode 100644 index 000000000..94fa6ecf0 --- /dev/null +++ b/extra/source/pam/patches/pam-1.1.3-securetty-console.patch @@ -0,0 +1,120 @@ +Index: modules/pam_securetty/pam_securetty.8.xml +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/modules/pam_securetty/pam_securetty.8.xml,v +retrieving revision 1.4 +retrieving revision 1.6 +diff -u -p -r1.4 -r1.6 +--- modules/pam_securetty/pam_securetty.8.xml 18 Aug 2008 13:29:25 -0000 1.4 ++++ modules/pam_securetty/pam_securetty.8.xml 25 Nov 2010 16:58:59 -0000 1.6 +@@ -33,7 +33,9 @@ + user is logging in on a "secure" tty, as defined by the listing + in <filename>/etc/securetty</filename>. pam_securetty also checks + to make sure that <filename>/etc/securetty</filename> is a plain +- file and not world writable. ++ file and not world writable. It will also allow root logins on ++ the tty specified with <option>console=</option> switch on the ++ kernel command line. + </para> + <para> + This module has no effect on non-root users and requires that the +@@ -61,6 +63,18 @@ + </para> + </listitem> + </varlistentry> ++ <varlistentry> ++ <term> ++ <option>noconsole</option> ++ </term> ++ <listitem> ++ <para> ++ Do not automatically allow root logins on the kernel console ++ device, as specified on the kernel command line, if it is ++ not also specified in the <filename>/etc/securetty</filename> file. ++ </para> ++ </listitem> ++ </varlistentry> + </variablelist> + </refsect1> + +Index: modules/pam_securetty/pam_securetty.c +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/modules/pam_securetty/pam_securetty.c,v +retrieving revision 1.14 +retrieving revision 1.15 +diff -u -p -r1.14 -r1.15 +--- modules/pam_securetty/pam_securetty.c 10 Sep 2009 10:19:58 -0000 1.14 ++++ modules/pam_securetty/pam_securetty.c 24 Nov 2010 12:28:01 -0000 1.15 +@@ -2,6 +2,7 @@ + + #define SECURETTY_FILE "/etc/securetty" + #define TTY_PREFIX "/dev/" ++#define CMDLINE_FILE "/proc/cmdline" + + /* + * by Elliot Lee <sopwith@redhat.com>, Red Hat Software. +@@ -22,6 +23,7 @@ + #include <pwd.h> + #include <string.h> + #include <ctype.h> ++#include <limits.h> + + /* + * here, we make a definition for the externally accessible function +@@ -38,6 +40,7 @@ + #include <security/pam_ext.h> + + #define PAM_DEBUG_ARG 0x0001 ++#define PAM_NOCONSOLE_ARG 0x0002 + + static int + _pam_parse (const pam_handle_t *pamh, int argc, const char **argv) +@@ -51,6 +54,8 @@ _pam_parse (const pam_handle_t *pamh, in + + if (!strcmp(*argv,"debug")) + ctrl |= PAM_DEBUG_ARG; ++ else if (!strcmp(*argv, "noconsole")) ++ ctrl |= PAM_NOCONSOLE_ARG; + else { + pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); + } +@@ -144,6 +149,40 @@ securetty_perform_check (pam_handle_t *p + } + fclose(ttyfile); + ++ if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) { ++ FILE *cmdlinefile; ++ ++ /* Allow access from the kernel console, if enabled */ ++ cmdlinefile = fopen(CMDLINE_FILE, "r"); ++ ++ if (cmdlinefile != NULL) { ++ char line[LINE_MAX], *p; ++ ++ line[0] = 0; ++ fgets(line, sizeof(line), cmdlinefile); ++ fclose(cmdlinefile); ++ ++ for (p = line; p; p = strstr(p+1, "console=")) { ++ char *e; ++ ++ /* Test whether this is a beginning of a word? */ ++ if (p > line && p[-1] != ' ') ++ continue; ++ ++ /* Ist this our console? */ ++ if (strncmp(p + 8, uttyname, strlen(uttyname))) ++ continue; ++ ++ /* Is there any garbage after the TTY name? */ ++ e = p + 8 + strlen(uttyname); ++ if (*e == ',' || *e == ' ' || *e == '\n' || *e == 0) { ++ retval = 0; ++ break; ++ } ++ } ++ } ++ } ++ + if (retval) { + pam_syslog(pamh, LOG_WARNING, "access denied: tty '%s' is not secure !", + uttyname); |