diff --git a/pam-1.2.1-faillock-admin-group.patch b/pam-1.2.1-faillock-admin-group.patch new file mode 100644 index 0000000..8bd1384 --- /dev/null +++ b/pam-1.2.1-faillock-admin-group.patch @@ -0,0 +1,133 @@ +diff -up Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c.admin-group Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c +--- Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c.admin-group 2016-04-04 16:37:38.696260359 +0200 ++++ Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c 2017-08-21 16:40:01.624706864 +0200 +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2010 Tomas Mraz ++ * Copyright (c) 2010, 2017 Tomas Mraz + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions +@@ -78,9 +78,11 @@ struct options { + unsigned int root_unlock_time; + const char *dir; + const char *user; ++ const char *admin_group; + int failures; + uint64_t latest_time; + uid_t uid; ++ int is_admin; + uint64_t now; + }; + +@@ -152,6 +154,9 @@ args_parse(pam_handle_t *pamh, int argc, + opts->root_unlock_time = temp; + } + } ++ else if (strncmp(argv[i], "admin_group=", 12) == 0) { ++ opts->admin_group = argv[i] + 12; ++ } + else if (strcmp(argv[i], "preauth") == 0) { + opts->action = FAILLOCK_ACTION_PREAUTH; + } +@@ -209,6 +214,17 @@ static int get_pam_user(pam_handle_t *pa + } + opts->user = user; + opts->uid = pwd->pw_uid; ++ ++ if (pwd->pw_uid == 0) { ++ opts->is_admin = 1; ++ return PAM_SUCCESS; ++ } ++ ++ if (opts->admin_group && *opts->admin_group) { ++ opts->is_admin = pam_modutil_user_in_group_uid_nam(pamh, ++ pwd->pw_uid, opts->admin_group); ++ } ++ + return PAM_SUCCESS; + } + +@@ -239,7 +255,7 @@ check_tally(pam_handle_t *pamh, struct o + return PAM_SYSTEM_ERR; + } + +- if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { ++ if (opts->is_admin && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { + return PAM_SUCCESS; + } + +@@ -262,13 +278,9 @@ check_tally(pam_handle_t *pamh, struct o + + opts->failures = failures; + +- if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { +- return PAM_SUCCESS; +- } +- + if (opts->deny && failures >= opts->deny) { +- if ((opts->uid && opts->unlock_time && latest_time + opts->unlock_time < opts->now) || +- (!opts->uid && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) { ++ if ((!opts->is_admin && opts->unlock_time && latest_time + opts->unlock_time < opts->now) || ++ (opts->is_admin && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) { + #ifdef HAVE_LIBAUDIT + if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */ + char buf[64]; +@@ -401,7 +413,7 @@ write_tally(pam_handle_t *pamh, struct o + audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf, + NULL, NULL, NULL, 1); + +- if (opts->uid != 0 || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { ++ if (!opts->is_admin || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { + audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf, + NULL, NULL, NULL, 1); + } +@@ -425,11 +437,11 @@ faillock_message(pam_handle_t *pamh, str + int64_t left; + + if (!(opts->flags & FAILLOCK_FLAG_SILENT)) { +- if (opts->uid) { +- left = opts->latest_time + opts->unlock_time - opts->now; ++ if (opts->is_admin) { ++ left = opts->latest_time + opts->root_unlock_time - opts->now; + } + else { +- left = opts->latest_time + opts->root_unlock_time - opts->now; ++ left = opts->latest_time + opts->unlock_time - opts->now; + } + + if (left > 0) { +diff -up Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml.admin-group Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml +--- Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml.admin-group 2016-05-06 15:24:10.328281818 +0200 ++++ Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml 2017-08-21 16:16:09.448033843 +0200 +@@ -40,6 +40,9 @@ + root_unlock_time=n + + ++ admin_group=name ++ ++ + audit + + +@@ -243,6 +246,20 @@ + + + ++ ++ ++ ++ ++ ++ ++ If a group name is specified with this option, members ++ of the group will be handled by this module the same as ++ the root account (the options ++ and will apply to them. ++ By default the option is not set. ++ ++ ++ + + + diff --git a/pam.spec b/pam.spec index cf661b0..f37b2f8 100644 --- a/pam.spec +++ b/pam.spec @@ -3,7 +3,7 @@ Summary: An extensible library which provides authentication for applications Name: pam Version: 1.3.0 -Release: 5%{?dist} +Release: 6%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ # - this option is redundant as the BSD license allows that anyway. # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+. @@ -30,7 +30,8 @@ Source18: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt Patch1: pam-1.2.0-redhat-modules.patch Patch4: pam-1.1.0-console-nochmod.patch Patch5: pam-1.1.0-notally.patch -Patch8: pam-1.2.1-faillock.patch +Patch7: pam-1.2.1-faillock.patch +Patch8: pam-1.2.1-faillock-admin-group.patch Patch9: pam-1.1.6-noflex.patch Patch10: pam-1.1.3-nouserenv.patch Patch13: pam-1.1.6-limits-user.patch @@ -111,7 +112,8 @@ cp %{SOURCE18} . %patch1 -p1 -b .redhat-modules %patch4 -p1 -b .nochmod %patch5 -p1 -b .notally -%patch8 -p1 -b .faillock +%patch7 -p1 -b .faillock +%patch8 -p1 -b .admin-group %patch9 -p1 -b .noflex %patch10 -p1 -b .nouserenv %patch13 -p1 -b .limits @@ -371,6 +373,9 @@ fi %doc doc/adg/*.txt doc/adg/html %changelog +* Mon Aug 21 2017 Tomáš Mráz 1.3.0-6 +- add admin_group option to pam_faillock (#1285550) + * Thu Aug 03 2017 Fedora Release Engineering - 1.3.0-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild