- Updated patches:

+ debian/patches/008_login_log_failure_in_FTMP
        + debian/patches/401_cppw_src.dpatch
        + debian/patches/429_login_FAILLOG_ENAB
        + debian/patches/463_login_delay_obeys_to_PAM
This commit is contained in:
nekral-guest
2009-05-09 14:30:06 +00:00
parent 9febd5c52e
commit d65a81cc37
5 changed files with 89 additions and 83 deletions
+6 -1
View File
@@ -10,9 +10,14 @@ shadow (1:4.1.3.1-1) UNRELEASED; urgency=low
- passwd: Report password properties changes if the password is not
actually changed. Closes: #525967
- Fixed lastlog. 4.1.3 only reported empty logs. Closes: #524873
- Updated patches:
+ debian/patches/008_login_log_failure_in_FTMP
+ debian/patches/401_cppw_src.dpatch
+ debian/patches/429_login_FAILLOG_ENAB
+ debian/patches/463_login_delay_obeys_to_PAM
* debian/securetty.linux: Added Freescale i.MX ports. Closes: #527095
-- Christian Perrier <bubulle@debian.org> Thu, 07 May 2009 19:20:57 +0200
-- Christian Perrier <bubulle@debian.org> Sat, 09 May 2009 15:44:03 +0200
shadow (1:4.1.3.1-1) unstable; urgency=low
+23 -28
View File
@@ -8,36 +8,31 @@ Index: shadow-4.1.0/src/login.c
===================================================================
--- shadow-4.1.0.orig/src/login.c
+++ shadow-4.1.0/src/login.c
@@ -722,6 +722,29 @@
#endif /* WITH_AUDIT */
@@ -722,6 +722,24 @@
(void) puts ("");
(void) puts (_("Login incorrect"));
fprintf (stderr, "\nLogin incorrect\n");
+ if (getdef_str("FTMP_FILE") != NULL) {
+#if HAVE_UTMPX_H
+ failent = utxent;
+ if (sizeof (failent.ut_tv) == sizeof (struct timeval))
+ gettimeofday((struct timeval *)
+ &failent.ut_tv, NULL);
+ else {
+ struct timeval tv;
+ if (getdef_str("FTMP_FILE") != NULL) {
+#ifdef USE_UTMPX
+ struct utmpx *failent =
+ prepare_utmpx (failent_user,
+ tty,
+ /* FIXME: or fromhost? */hostname,
+ utent);
+#else /* !USE_UTMPX */
+ struct utmp *failent =
+ prepare_utmp (failent_user,
+ tty,
+ hostname,
+ utent);
+#endif /* !USE_UTMPX */
+ failtmp (failent_user, failent);
+ free (failent);
+ }
+
+ gettimeofday (&tv, NULL);
+ failent.ut_tv.tv_sec = tv.tv_sec;
+ failent.ut_tv.tv_usec = tv.tv_usec;
+ }
+#else
+ failent = utent;
+ failent.ut_time = time(NULL);
+#endif
+ strncpy(failent.ut_user, failent_user, sizeof(failent.ut_user));
+#ifdef USER_PROCESS
+ failent.ut_type = USER_PROCESS;
+#endif
+ failtmp(&failent);
+ }
/*
* Let's give it another go around.
if (failcount >= retries) {
SYSLOG ((LOG_NOTICE,
"TOO MANY LOGIN TRIES (%d)%s FOR '%s'",
Index: shadow-4.1.0/lib/getdef.c
===================================================================
--- shadow-4.1.0.orig/lib/getdef.c
+1 -1
View File
@@ -224,7 +224,7 @@ Index: shadow-4.1.0/src/Makefile.am
@@ -59,6 +60,7 @@
chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) $(LIBSKEY) $(LIBMD)
chpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
+cppw_LDADD = $(LDADD) $(LIBSELINUX)
gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+46 -43
View File
@@ -7,55 +7,58 @@ Fixes: #192849
Note: It could be removed if pam_tally could report the number of failures
preceding a successful login.
Index: shadow-4.1.0/src/login.c
Index: shadow-4.1.3.1/src/login.c
===================================================================
--- shadow-4.1.0.orig/src/login.c
+++ shadow-4.1.0/src/login.c
@@ -130,9 +130,9 @@
static void setup_tty (void);
static void check_flags (int, char *const *);
--- shadow-4.1.3.1.orig/src/login.c 2009-05-04 19:38:24.668839562 +0200
+++ shadow-4.1.3.1/src/login.c 2009-05-04 19:50:43.360832944 +0200
@@ -131,9 +131,9 @@
const char *host,
/*@null@*/const struct utmp *utent);
+static struct faillog faillog;
+
#ifndef USE_PAM
-static struct faillog faillog;
-
-#ifndef USE_PAM
static struct faillog faillog;
+#ifndef USE_PAM
static void bad_time_notify (void);
static void check_nologin (void);
#endif
@@ -673,6 +673,8 @@
static void check_nologin (bool login_to_root);
#else
@@ -792,6 +792,9 @@
SYSLOG ((LOG_NOTICE,
"TOO MANY LOGIN TRIES (%d)%s FOR `%s'",
"TOO MANY LOGIN TRIES (%d)%s FOR '%s'",
failcount, fromhost, failent_user));
+ if (pwd && getdef_bool("FAILLOG_ENAB"))
+ failure (pwent.pw_uid, tty, &faillog);
+ if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) {
+ failure (pwd->pw_uid, tty, &faillog);
+ }
fprintf(stderr,
_("Maximum number of tries exceeded (%d)\n"),
failcount);
@@ -690,6 +692,13 @@
@@ -809,6 +812,14 @@
pam_strerror (pamh, retcode)));
failed = true;
}
+ if (pwd && getdef_bool("FAILLOG_ENAB") &&
+ ! failcheck (pwent.pw_uid, &faillog, failed)) {
+ SYSLOG((LOG_CRIT,
+ "exceeded failure limit for `%s' %s",
+ failent_user, fromhost));
+ failed = 1;
+ }
+ if ( (NULL != pwd)
+ && getdef_bool("FAILLOG_ENAB")
+ && ! failcheck (pwd->pw_uid, &faillog, failed)) {
+ SYSLOG((LOG_CRIT,
+ "exceeded failure limit for `%s' %s",
+ failent_user, fromhost));
+ failed = 1;
+ }
if (!failed) {
break;
@@ -766,6 +731,8 @@
#endif /* WITH_AUDIT */
@@ -832,6 +843,10 @@
(void) puts ("");
(void) puts (_("Login incorrect"));
fprintf (stderr, "\nLogin incorrect\n");
+ if (pwd && getdef_bool("FAILLOG_ENAB"))
+ failure (pwent.pw_uid, tty, &faillog);
if (getdef_str("FTMP_FILE") != NULL) {
#if HAVE_UTMPX_H
failent = utxent;
@@ -1099,6 +1110,7 @@
+ if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) {
+ failure (pwd->pw_uid, tty, &faillog);
+ }
+
if (getdef_str("FTMP_FILE") != NULL) {
#ifdef USE_UTMPX
struct utmpx *failent =
@@ -1281,6 +1296,7 @@
*/
#ifndef USE_PAM
motd (); /* print the message of the day */
@@ -63,19 +66,19 @@ Index: shadow-4.1.0/src/login.c
if ( getdef_bool ("FAILLOG_ENAB")
&& (0 != faillog.fail_cnt)) {
failprint (&faillog);
@@ -1112,6 +1124,7 @@
username, (int) faillog.fail_cnt));
@@ -1293,6 +1309,7 @@
username, (int) faillog.fail_cnt));
}
}
+#ifndef USE_PAM
if ( getdef_bool ("LASTLOG_ENAB")
&& (0 != lastlog.ll_time)) {
time_t ll_time = lastlog.ll_time;
Index: shadow-4.1.0/lib/getdef.c
&& (ll.ll_time != 0)) {
time_t ll_time = ll.ll_time;
Index: shadow-4.1.3.1/lib/getdef.c
===================================================================
--- shadow-4.1.0.orig/lib/getdef.c
+++ shadow-4.1.0/lib/getdef.c
@@ -57,6 +57,7 @@
--- shadow-4.1.3.1.orig/lib/getdef.c 2009-05-04 19:38:24.672844662 +0200
+++ shadow-4.1.3.1/lib/getdef.c 2009-05-04 19:50:14.720839237 +0200
@@ -61,6 +61,7 @@
{"ENV_SUPATH", NULL},
{"ERASECHAR", NULL},
{"FAIL_DELAY", NULL},
@@ -83,7 +86,7 @@ Index: shadow-4.1.0/lib/getdef.c
{"FAKE_SHELL", NULL},
{"FTMP_FILE", NULL},
{"GID_MAX", NULL},
@@ -93,7 +94,6 @@
@@ -103,7 +104,6 @@
{"ENV_HZ", NULL},
{"ENVIRON_FILE", NULL},
{"ENV_TZ", NULL},
+13 -10
View File
@@ -15,15 +15,15 @@ Index: shadow-4.1.0/src/login.c
#if defined(HAVE_STRFTIME) && !defined(USE_PAM)
char ptime[80];
#endif
- int delay;
int retries;
- unsigned int delay;
unsigned int retries;
bool failed;
bool subroot = false;
@@ -354,6 +353,7 @@
char *pam_user;
char **ptr_pam_user = &pam_user;
#else
+ int delay;
+ unsigned int delay;
struct spwd *spwd = NULL;
#endif
/*
@@ -31,17 +31,20 @@ Index: shadow-4.1.0/src/login.c
}
environ = newenvp; /* make new environment active */
- delay = getdef_num ("FAIL_DELAY", 1);
retries = getdef_num ("LOGIN_RETRIES", RETRIES);
- delay = getdef_unum ("FAIL_DELAY", 1);
retries = getdef_unum ("LOGIN_RETRIES", RETRIES);
#ifdef USE_PAM
@@ -594,17 +593,12 @@
@@ -594,20 +593,15 @@
/*
* hostname & tty are either set to NULL or their correct values,
- * depending on how much we know. We also set PAM's fail delay to
- * ours.
+ * depending on how much we know.
*
* PAM_RHOST and PAM_TTY are used for authentication, only use
* information coming from login or from the caller (e.g. no utmp)
*/
retcode = pam_set_item (pamh, PAM_RHOST, hostname);
PAM_FAIL_CHECK;
@@ -68,8 +71,8 @@ Index: shadow-4.1.0/src/login.c
retcode = pam_authenticate (pamh, 0);
@@ -956,14 +948,17 @@
pw_auth ("!", username, reason, (char *) 0);
}
free (username);
username = NULL;
+#ifndef USE_PAM
/*
@@ -77,9 +80,9 @@ Index: shadow-4.1.0/src/login.c
* to login the user again. If the earlier alarm occurs
* before the sleep() below completes, login will exit.
*/
+ delay = getdef_num ("FAIL_DELAY", 1);
+ delay = getdef_unum ("FAIL_DELAY", 1);
if (delay > 0) {
sleep (delay);
(void) sleep (delay);
}
+#endif