[kbd/f20] Fix vlock doesn't perform PAM account management or credential reinitialization
vcrhonek
vcrhonek at fedoraproject.org
Wed Nov 27 10:02:41 UTC 2013
commit 9c1cdd66423812d1e7af1188d03a50097df26a77
Author: Vitezslav Crhonek <vcrhonek at redhat.com>
Date: Wed Nov 27 11:02:24 2013 +0100
Fix vlock doesn't perform PAM account management or credential reinitialization
kbd-1.15.5-vlock-more-pam.patch | 61 +++++++++++++++++++++++++++++++++++++++
kbd.spec | 10 ++++++-
2 files changed, 70 insertions(+), 1 deletions(-)
---
diff --git a/kbd-1.15.5-vlock-more-pam.patch b/kbd-1.15.5-vlock-more-pam.patch
new file mode 100644
index 0000000..ba34255
--- /dev/null
+++ b/kbd-1.15.5-vlock-more-pam.patch
@@ -0,0 +1,61 @@
+--- a/src/vlock/auth.c
++++ b/src/vlock/auth.c
+@@ -4,7 +4,7 @@
+ PAM authentication routine for vlock, the VT locking program for linux.
+
+ Copyright (C) 1994-1998 Michael K. Johnson <johnsonm at redhat.com>
+- Copyright (C) 2002, 2005 Dmitry V. Levin <ldv at altlinux.org>
++ Copyright (C) 2002, 2005, 2013 Dmitry V. Levin <ldv at altlinux.org>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+@@ -36,6 +36,25 @@
+ /* Unrecognized PAM error timeout. */
+ #define ERROR_TIMEOUT 10
+
++static int
++do_account_password_management (pam_handle_t *pamh)
++{
++ int rc;
++
++ /* Whether the authenticated user is allowed to log in? */
++ rc = pam_acct_mgmt (pamh, 0);
++
++ /* Do we need to prompt the user for a new password? */
++ if (rc == PAM_NEW_AUTHTOK_REQD)
++ rc = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
++
++ /* Extend the lifetime of the existing credentials. */
++ if (rc == PAM_SUCCESS)
++ rc = pam_setcred (pamh, PAM_REFRESH_CRED);
++
++ return rc;
++}
++
+ int
+ get_password (pam_handle_t * pamh, const char *username, const char *tty)
+ {
+@@ -84,6 +103,23 @@ get_password (pam_handle_t * pamh, const char *username, const char *tty)
+ switch (rc)
+ {
+ case PAM_SUCCESS:
++ rc = do_account_password_management (pamh);
++
++ if (rc != PAM_SUCCESS)
++ {
++ /*
++ * The user was authenticated but
++ * either account or password management
++ * returned an error.
++ */
++ printf ("%s.\n\n\n",
++ pam_strerror (pamh, rc));
++ fflush (stdout);
++ pam_end (pamh, rc);
++ pamh = 0;
++ break;
++ }
++
+ pam_end (pamh, rc);
+ /* Log the fact of console unlocking. */
+ syslog (LOG_NOTICE,
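Review bot: The new failure branch under `case PAM_SUCCESS:` in `get_password` only prints `pam_strerror (pamh, rc)` to the terminal and leaves no log record, while the success path directly below it records the unlock with `syslog`. A user who authenticated correctly but was refused by account or password management is an event an administrator will want in the audit trail, so I would add, before the `pam_end (pamh, rc);` in that branch, something like `syslog (LOG_WARNING, "Account or password management failed for %s on %s: %s", username, tty, pam_strerror (pamh, rc));`. A failing `pam_setcred (pamh, PAM_REFRESH_CRED)` in `do_account_password_management` takes the same branch and keeps the console locked, and a one-line comment there saying this is intended would help the next reader. The rest of `get_password`, including the loop around the switch, lies outside the hunk, so I am assuming the handle is re-initialised after `pamh = 0` before the next authentication attempt.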
diff --git a/kbd.spec b/kbd.spec
index bc8fc75..91cbe44 100644
--- a/kbd.spec
+++ b/kbd.spec
@@ -1,6 +1,6 @@
Name: kbd
Version: 1.15.5
-Release: 11%{?dist}
+Release: 12%{?dist}
Summary: Tools for configuring the console (keyboard, virtual terminals, etc.)
Group: System Environment/Base
@@ -27,6 +27,8 @@ Patch4: kbd-1.15.5-loadkeys-regression.patch
Patch5: kbd-1.15.5-sg-decimal-separator.patch
# Patch6: adds xkb and legacy keymaps subdirs to loadkyes search path, bz 1028207
Patch6: kbd-1.15.5-loadkeys-search-path.patch
+# Patch7: implement PAM account and password management, backported from upstream
+Patch7: kbd-1.15.5-vlock-more-pam.patch
BuildRequires: bison, flex, gettext, pam-devel
BuildRequires: console-setup, xkeyboard-config
@@ -69,6 +71,7 @@ cp -fp %{SOURCE6} .
%patch4 -p1 -b .loadkeys-regression
%patch5 -p1 -b .sg-decimal-separator
%patch6 -p1 -b .loadkeys-search-path
+%patch7 -p1 -b .vlock-more-pam
# 7-bit maps are obsolete; so are non-euro maps
pushd data/keymaps/i386
@@ -177,6 +180,11 @@ zgrep -L "U+0041" $RPM_BUILD_ROOT/lib/kbd/keymaps/xkb/* | xargs rm -f
/lib/kbd/keymaps/legacy
%changelog
+* Wed Nov 27 2013 Vitezslav Crhonek <vcrhonek at redhat.com> - 1.15.5-12
+- Fix vlock doesn't perform PAM account management or credential reinitialization
+ (patch by Dmitry V. Levin)
+ Resolves: #913311
+
* Thu Nov 21 2013 Vitezslav Crhonek <vcrhonek at redhat.com> - 1.15.5-11
- Add xkb and legacy keymaps subdirs to loadkyes search path, remove symlink
Related: #1028207