authorTomas Mraz <tmraz@fedoraproject.org>2012-04-30 14:46:48 +0200
committerTomas Mraz <tmraz@fedoraproject.org>2012-04-30 14:46:48 +0200
commitcf9c75be753a3c12fdecb9f4696b8ad1b28dd799 (patch)
tree778114c398d5a3812d16eecf7fce27af491985d4
parent791dec4305054de2a5f994a9a4e475079b7b7a9c (diff)
pam_lastlog: Never lock out the root account.
modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Return PAM_SUCCESS if uid==0. modules/pam_lastlog/pam_lastlog.8.xml: Improve documentation.
-rw-r--r--modules/pam_lastlog/pam_lastlog.8.xml8
-rw-r--r--modules/pam_lastlog/pam_lastlog.c2
2 files changed, 9 insertions, 1 deletions
diff --git a/modules/pam_lastlog/pam_lastlog.8.xml b/modules/pam_lastlog/pam_lastlog.8.xml
index ecac2664..77da9dbc 100644
--- a/modules/pam_lastlog/pam_lastlog.8.xml
+++ b/modules/pam_lastlog/pam_lastlog.8.xml
@@ -12,7 +12,7 @@
<refnamediv id="pam_lastlog-name">
<refname>pam_lastlog</refname>
- <refpurpose>PAM module to display date of last login</refpurpose>
+ <refpurpose>PAM module to display date of last login and perform inactive account lock out</refpurpose>
</refnamediv>
<refsynopsisdiv>
@@ -64,6 +64,12 @@
Some applications may perform this function themselves. In such
cases, this module is not necessary.
</para>
+ <para>
+ If the module is called in the auth or account phase, the accounts that
+ were not used recently enough will be disallowed to log in. The
+ check is not performed for the root account so the root is never
+ locked out.
+ </para>
</refsect1>
<refsect1 id="pam_lastlog-options">
diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c
index 4111b182..50e5a59c 100644
--- a/modules/pam_lastlog/pam_lastlog.c
+++ b/modules/pam_lastlog/pam_lastlog.c
@@ -598,6 +598,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
uid = pwd->pw_uid;
pwd = NULL; /* tidy up */
+ if (uid == 0)
+ return PAM_SUCCESS;
/* obtain the last login date and all the relevant info */
last_fd = last_login_open(pamh, ctrl, uid);