commit cf9c75be753a3c12fdecb9f4696b8ad1b28dd799
Author: Tomas Mraz <tmraz(a)fedoraproject.org>
Date: Mon Apr 30 14:46:48 2012 +0200
pam_lastlog: Never lock out the root account.
modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Return PAM_SUCCESS if
uid==0.
modules/pam_lastlog/pam_lastlog.8.xml: Improve documentation.
modules/pam_lastlog/pam_lastlog.8.xml | 8 +++++++-
modules/pam_lastlog/pam_lastlog.c | 2 ++
2 files changed, 9 insertions(+), 1 deletions(-)
---
diff --git a/modules/pam_lastlog/pam_lastlog.8.xml
b/modules/pam_lastlog/pam_lastlog.8.xml
index ecac266..77da9db 100644
--- a/modules/pam_lastlog/pam_lastlog.8.xml
+++ b/modules/pam_lastlog/pam_lastlog.8.xml
@@ -12,7 +12,7 @@
<refnamediv id="pam_lastlog-name">
<refname>pam_lastlog</refname>
- <refpurpose>PAM module to display date of last login</refpurpose>
+ <refpurpose>PAM module to display date of last login and perform inactive
account lock out</refpurpose>
</refnamediv>
<refsynopsisdiv>
@@ -64,6 +64,12 @@
Some applications may perform this function themselves. In such
cases, this module is not necessary.
</para>
+ <para>
+ If the module is called in the auth or account phase, the accounts that
+ were not used recently enough will be disallowed to log in. The
+ check is not performed for the root account so the root is never
+ locked out.
+ </para>
</refsect1>
<refsect1 id="pam_lastlog-options">
diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c
index 4111b18..50e5a59 100644
--- a/modules/pam_lastlog/pam_lastlog.c
+++ b/modules/pam_lastlog/pam_lastlog.c
@@ -598,6 +598,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
uid = pwd->pw_uid;
pwd = NULL; /* tidy up */
+ if (uid == 0)
+ return PAM_SUCCESS;
/* obtain the last login date and all the relevant info */
last_fd = last_login_open(pamh, ctrl, uid);
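Review bot: The early return added after `uid = pwd->pw_uid;` exempts every account whose uid is 0, not only the one named root, and the code does not say why. A comment above the check would record the intent, for example `/* uid 0 is exempt from the inactivity lockout so an administrator can always log in */`. Returning `PAM_SUCCESS` also means the module votes success for uid 0 without consulting lastlog, so a stack that marks pam_lastlog as `sufficient` in the auth phase would accept uid 0 on this module alone. Whether `PAM_IGNORE` would be the more conservative return value depends on what pam_sm_authenticate returns for recently active accounts, and that part of the function is outside this hunk.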