summaryrefslogtreecommitdiff
path: root/modules/pam_lastlog
diff options
context:
space:
mode:
Diffstat (limited to 'modules/pam_lastlog')
-rw-r--r--modules/pam_lastlog/Makefile.am20
-rw-r--r--modules/pam_lastlog/Makefile.in114
-rw-r--r--modules/pam_lastlog/README15
-rw-r--r--modules/pam_lastlog/pam_lastlog.830
-rw-r--r--modules/pam_lastlog/pam_lastlog.8.xml31
-rw-r--r--modules/pam_lastlog/pam_lastlog.c162
6 files changed, 271 insertions, 101 deletions
diff --git a/modules/pam_lastlog/Makefile.am b/modules/pam_lastlog/Makefile.am
index 1c639327..dc0c7c4c 100644
--- a/modules/pam_lastlog/Makefile.am
+++ b/modules/pam_lastlog/Makefile.am
@@ -5,17 +5,20 @@
CLEANFILES = *~
MAINTAINERCLEANFILES = $(MANS) README
-securelibdir = $(SECUREDIR)
-secureconfdir = $(SCONFIGDIR)
-
-EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_lastlog
+EXTRA_DIST = $(XMLS)
-man_MANS = pam_lastlog.8
+if HAVE_DOC
+dist_man_MANS = pam_lastlog.8
+endif
XMLS = README.xml pam_lastlog.8.xml
+dist_check_SCRIPTS = tst-pam_lastlog
+TESTS = $(dist_check_SCRIPTS)
-TESTS = tst-pam_lastlog
+securelibdir = $(SECUREDIR)
+secureconfdir = $(SCONFIGDIR)
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
+AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
+ $(WARN_CFLAGS)
AM_LDFLAGS = -no-undefined -avoid-version -module
if HAVE_VERSIONING
AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
@@ -25,7 +28,6 @@ securelib_LTLIBRARIES = pam_lastlog.la
pam_lastlog_la_LIBADD = $(top_builddir)/libpam/libpam.la -lutil
if ENABLE_REGENERATE_MAN
-noinst_DATA = README
-README: pam_lastlog.8.xml
+dist_noinst_DATA = README
-include $(top_srcdir)/Make.xml.rules
endif
diff --git a/modules/pam_lastlog/Makefile.in b/modules/pam_lastlog/Makefile.in
index 5eafdf8d..85de1bb0 100644
--- a/modules/pam_lastlog/Makefile.in
+++ b/modules/pam_lastlog/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.13.4 from Makefile.am.
+# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
-# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -20,7 +20,17 @@
VPATH = @srcdir@
-am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__is_gnu_make = { \
+ if test -z '$(MAKELEVEL)'; then \
+ false; \
+ elif test -n '$(MAKE_HOST)'; then \
+ true; \
+ elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+ true; \
+ else \
+ false; \
+ fi; \
+}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
@@ -85,9 +95,6 @@ build_triplet = @build@
host_triplet = @host@
@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map
subdir = modules/pam_lastlog
-DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
- $(top_srcdir)/build-aux/depcomp \
- $(top_srcdir)/build-aux/test-driver README
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \
@@ -103,6 +110,8 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \
+ $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
@@ -157,7 +166,8 @@ am__v_at_0 = @
am__v_at_1 =
DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp
-am__depfiles_maybe = depfiles
+am__maybe_remake_depfiles = depfiles
+am__depfiles_remade = ./$(DEPDIR)/pam_lastlog.Plo
am__mv = mv -f
COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
@@ -186,8 +196,9 @@ am__can_run_installinfo = \
esac
man8dir = $(mandir)/man8
NROFF = nroff
-MANS = $(man_MANS)
-DATA = $(noinst_DATA)
+MANS = $(dist_man_MANS)
+am__dist_noinst_DATA_DIST = README
+DATA = $(dist_noinst_DATA)
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
# Read a list of newline-separated strings from the standard input,
# and print each of them once, without duplicates. Input order is
@@ -384,6 +395,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log)
TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver
TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \
$(TEST_LOG_FLAGS)
+am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \
+ $(top_srcdir)/build-aux/depcomp \
+ $(top_srcdir)/build-aux/test-driver
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
@@ -412,6 +426,8 @@ DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
+ECONF_CFLAGS = @ECONF_CFLAGS@
+ECONF_LIBS = @ECONF_LIBS@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
@@ -420,7 +436,6 @@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
GMSGFMT = @GMSGFMT@
GMSGFMT_015 = @GMSGFMT_015@
GREP = @GREP@
-HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
@@ -456,6 +471,7 @@ LN_S = @LN_S@
LTLIBICONV = @LTLIBICONV@
LTLIBINTL = @LTLIBINTL@
LTLIBOBJS = @LTLIBOBJS@
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
@@ -492,11 +508,13 @@ SECUREDIR = @SECUREDIR@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@
STRIP = @STRIP@
TIRPC_CFLAGS = @TIRPC_CFLAGS@
TIRPC_LIBS = @TIRPC_LIBS@
USE_NLS = @USE_NLS@
VERSION = @VERSION@
+WARN_CFLAGS = @WARN_CFLAGS@
XGETTEXT = @XGETTEXT@
XGETTEXT_015 = @XGETTEXT_015@
XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
@@ -565,17 +583,20 @@ top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
CLEANFILES = *~
MAINTAINERCLEANFILES = $(MANS) README
+EXTRA_DIST = $(XMLS)
+@HAVE_DOC_TRUE@dist_man_MANS = pam_lastlog.8
+XMLS = README.xml pam_lastlog.8.xml
+dist_check_SCRIPTS = tst-pam_lastlog
+TESTS = $(dist_check_SCRIPTS)
securelibdir = $(SECUREDIR)
secureconfdir = $(SCONFIGDIR)
-EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_lastlog
-man_MANS = pam_lastlog.8
-XMLS = README.xml pam_lastlog.8.xml
-TESTS = tst-pam_lastlog
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
+AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
+ $(WARN_CFLAGS)
+
AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1)
securelib_LTLIBRARIES = pam_lastlog.la
pam_lastlog_la_LIBADD = $(top_builddir)/libpam/libpam.la -lutil
-@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README
+@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README
all: all-am
.SUFFIXES:
@@ -592,14 +613,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_lastlog/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --gnu modules/pam_lastlog/Makefile
-.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
*) \
- echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
- cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
esac;
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
@@ -655,21 +675,27 @@ mostlyclean-compile:
distclean-compile:
-rm -f *.tab.c
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_lastlog.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_lastlog.Plo@am__quote@ # am--include-marker
+
+$(am__depfiles_remade):
+ @$(MKDIR_P) $(@D)
+ @echo '# dummy' >$@-t && $(am__mv) $@-t $@
+
+am--depfiles: $(am__depfiles_remade)
.c.o:
@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
.c.obj:
@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
.c.lo:
@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@@ -683,10 +709,10 @@ mostlyclean-libtool:
clean-libtool:
-rm -rf .libs _libs
-install-man8: $(man_MANS)
+install-man8: $(dist_man_MANS)
@$(NORMAL_INSTALL)
@list1=''; \
- list2='$(man_MANS)'; \
+ list2='$(dist_man_MANS)'; \
test -n "$(man8dir)" \
&& test -n "`echo $$list1$$list2`" \
|| exit 0; \
@@ -721,7 +747,7 @@ uninstall-man8:
@$(NORMAL_UNINSTALL)
@list=''; test -n "$(man8dir)" || exit 0; \
files=`{ for i in $$list; do echo "$$i"; done; \
- l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+ l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
sed -n '/\.8[a-z]*$$/p'; \
} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
-e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
@@ -809,7 +835,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS)
if test -n "$$am__remaking_logs"; then \
echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \
"recursion detected" >&2; \
- else \
+ elif test -n "$$redo_logs"; then \
am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \
fi; \
if $(am__make_dryrun); then :; else \
@@ -899,7 +925,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS)
fi; \
$$success || exit 1
-check-TESTS:
+check-TESTS: $(dist_check_SCRIPTS)
@list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list
@list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list
@test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
@@ -909,7 +935,7 @@ check-TESTS:
log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \
$(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \
exit $$?;
-recheck: all
+recheck: all $(dist_check_SCRIPTS)
@test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
@set +e; $(am__set_TESTS_bases); \
bases=`for i in $$bases; do echo $$i; done \
@@ -942,7 +968,10 @@ tst-pam_lastlog.log: tst-pam_lastlog
@am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
@am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT)
-distdir: $(DISTFILES)
+distdir: $(BUILT_SOURCES)
+ $(MAKE) $(AM_MAKEFLAGS) distdir-am
+
+distdir-am: $(DISTFILES)
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
@@ -973,6 +1002,7 @@ distdir: $(DISTFILES)
fi; \
done
check-am: all-am
+ $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS)
$(MAKE) $(AM_MAKEFLAGS) check-TESTS
check: check-am
all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA)
@@ -1021,7 +1051,7 @@ clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \
mostlyclean-am
distclean: distclean-am
- -rm -rf ./$(DEPDIR)
+ -rm -f ./$(DEPDIR)/pam_lastlog.Plo
-rm -f Makefile
distclean-am: clean-am distclean-compile distclean-generic \
distclean-tags
@@ -1067,7 +1097,7 @@ install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-am
- -rm -rf ./$(DEPDIR)
+ -rm -f ./$(DEPDIR)/pam_lastlog.Plo
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
@@ -1090,15 +1120,16 @@ uninstall-man: uninstall-man8
.MAKE: check-am install-am install-strip
-.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \
- clean-generic clean-libtool clean-securelibLTLIBRARIES \
- cscopelist-am ctags ctags-am distclean distclean-compile \
- distclean-generic distclean-libtool distclean-tags distdir dvi \
- dvi-am html html-am info info-am install install-am \
- install-data install-data-am install-dvi install-dvi-am \
- install-exec install-exec-am install-html install-html-am \
- install-info install-info-am install-man install-man8 \
- install-pdf install-pdf-am install-ps install-ps-am \
+.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \
+ check-am clean clean-generic clean-libtool \
+ clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \
+ distclean distclean-compile distclean-generic \
+ distclean-libtool distclean-tags distdir dvi dvi-am html \
+ html-am info info-am install install-am install-data \
+ install-data-am install-dvi install-dvi-am install-exec \
+ install-exec-am install-html install-html-am install-info \
+ install-info-am install-man install-man8 install-pdf \
+ install-pdf-am install-ps install-ps-am \
install-securelibLTLIBRARIES install-strip installcheck \
installcheck-am installdirs maintainer-clean \
maintainer-clean-generic mostlyclean mostlyclean-compile \
@@ -1106,7 +1137,8 @@ uninstall-man: uninstall-man8
recheck tags tags-am uninstall uninstall-am uninstall-man \
uninstall-man8 uninstall-securelibLTLIBRARIES
-@ENABLE_REGENERATE_MAN_TRUE@README: pam_lastlog.8.xml
+.PRECIOUS: Makefile
+
@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules
# Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/modules/pam_lastlog/README b/modules/pam_lastlog/README
index 38a3065a..c0feca04 100644
--- a/modules/pam_lastlog/README
+++ b/modules/pam_lastlog/README
@@ -11,9 +11,14 @@ login of the user. In addition, the module maintains the /var/log/lastlog file.
Some applications may perform this function themselves. In such cases, this
module is not necessary.
+The module checks LASTLOG_UID_MAX option in /etc/login.defs and does not update
+or display last login records for users with UID higher than its value. If the
+option is not present or its value is invalid, no user ID limit is applied.
+
If the module is called in the auth or account phase, the accounts that were
not used recently enough will be disallowed to log in. The check is not
-performed for the root account so the root is never locked out.
+performed for the root account so the root is never locked out. It is also not
+performed for users with UID higher than the LASTLOG_UID_MAX value.
OPTIONS
@@ -24,7 +29,7 @@ debug
silent
Don't inform the user about any previous login, just update the /var/log/
- lastlog file.
+ lastlog file. This option does not affect display of bad login attempts.
never
@@ -63,6 +68,12 @@ inactive=<days>
number of days after the last login of the user when the user will be
locked out by the module. The default value is 90.
+unlimited
+
+ If the fsize limit is set, this option can be used to override it,
+ preventing failures on systems with large UID values that lead lastlog to
+ become a huge sparse file.
+
EXAMPLES
Add the following line to /etc/pam.d/login to display the last login time of an
diff --git a/modules/pam_lastlog/pam_lastlog.8 b/modules/pam_lastlog/pam_lastlog.8
index 738bd1eb..f21038e7 100644
--- a/modules/pam_lastlog/pam_lastlog.8
+++ b/modules/pam_lastlog/pam_lastlog.8
@@ -1,13 +1,13 @@
'\" t
.\" Title: pam_lastlog
.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 05/18/2017
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
+.\" Date: 06/08/2020
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_LASTLOG" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_LASTLOG" "8" "06/08/2020" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -31,7 +31,7 @@
pam_lastlog \- PAM module to display date of last login and perform inactive account lock out
.SH "SYNOPSIS"
.HP \w'\fBpam_lastlog\&.so\fR\ 'u
-\fBpam_lastlog\&.so\fR [debug] [silent] [never] [nodate] [nohost] [noterm] [nowtmp] [noupdate] [showfailed] [inactive=<days>]
+\fBpam_lastlog\&.so\fR [debug] [silent] [never] [nodate] [nohost] [noterm] [nowtmp] [noupdate] [showfailed] [inactive=<days>] [unlimited]
.SH "DESCRIPTION"
.PP
pam_lastlog is a PAM module to display a line of information about the last login of the user\&. In addition, the module maintains the
@@ -40,7 +40,15 @@ file\&.
.PP
Some applications may perform this function themselves\&. In such cases, this module is not necessary\&.
.PP
-If the module is called in the auth or account phase, the accounts that were not used recently enough will be disallowed to log in\&. The check is not performed for the root account so the root is never locked out\&.
+The module checks
+\fBLASTLOG_UID_MAX\fR
+option in
+/etc/login\&.defs
+and does not update or display last login records for users with UID higher than its value\&. If the option is not present or its value is invalid, no user ID limit is applied\&.
+.PP
+If the module is called in the auth or account phase, the accounts that were not used recently enough will be disallowed to log in\&. The check is not performed for the root account so the root is never locked out\&. It is also not performed for users with UID higher than the
+\fBLASTLOG_UID_MAX\fR
+value\&.
.SH "OPTIONS"
.PP
\fBdebug\fR
@@ -52,7 +60,7 @@ Print debug information\&.
.RS 4
Don\*(Aqt inform the user about any previous login, just update the
/var/log/lastlog
-file\&.
+file\&. This option does not affect display of bad login attempts\&.
.RE
.PP
\fBnever\fR
@@ -98,13 +106,20 @@ is specified\&.
.RS 4
This option is specific for the auth or account phase\&. It specifies the number of days after the last login of the user when the user will be locked out by the module\&. The default value is 90\&.
.RE
+.PP
+\fBunlimited\fR
+.RS 4
+If the
+\fIfsize\fR
+limit is set, this option can be used to override it, preventing failures on systems with large UID values that lead lastlog to become a huge sparse file\&.
+.RE
.SH "MODULE TYPES PROVIDED"
.PP
The
\fBauth\fR
and
\fBaccount\fR
-module type allows to lock out users which did not login recently enough\&. The
+module type allows one to lock out users who did not login recently enough\&. The
\fBsession\fR
module type is provided for displaying the information about the last login and/or updating the lastlog and wtmp files\&.
.SH "RETURN VALUES"
@@ -171,6 +186,7 @@ Lastlog logging file
.RE
.SH "SEE ALSO"
.PP
+\fBlimits.conf\fR(5),
\fBpam.conf\fR(5),
\fBpam.d\fR(5),
\fBpam\fR(8)
diff --git a/modules/pam_lastlog/pam_lastlog.8.xml b/modules/pam_lastlog/pam_lastlog.8.xml
index 77da9dbc..a2f14fc2 100644
--- a/modules/pam_lastlog/pam_lastlog.8.xml
+++ b/modules/pam_lastlog/pam_lastlog.8.xml
@@ -48,6 +48,9 @@
<arg choice="opt">
inactive=&lt;days&gt;
</arg>
+ <arg choice="opt">
+ unlimited
+ </arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -65,10 +68,18 @@
cases, this module is not necessary.
</para>
<para>
+ The module checks <option>LASTLOG_UID_MAX</option> option in
+ <filename>/etc/login.defs</filename> and does not update or display
+ last login records for users with UID higher than its value.
+ If the option is not present or its value is invalid, no user ID
+ limit is applied.
+ </para>
+ <para>
If the module is called in the auth or account phase, the accounts that
were not used recently enough will be disallowed to log in. The
check is not performed for the root account so the root is never
- locked out.
+ locked out. It is also not performed for users with UID higher
+ than the <option>LASTLOG_UID_MAX</option> value.
</para>
</refsect1>
@@ -94,6 +105,7 @@
<para>
Don't inform the user about any previous login,
just update the <filename>/var/log/lastlog</filename> file.
+ This option does not affect display of bad login attempts.
</para>
</listitem>
</varlistentry>
@@ -187,6 +199,18 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>unlimited</option>
+ </term>
+ <listitem>
+ <para>
+ If the <emphasis>fsize</emphasis> limit is set, this option can be
+ used to override it, preventing failures on systems with large UID
+ values that lead lastlog to become a huge sparse file.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
@@ -194,7 +218,7 @@
<title>MODULE TYPES PROVIDED</title>
<para>
The <option>auth</option> and <option>account</option> module type
- allows to lock out users which did not login recently enough.
+ allows one to lock out users who did not login recently enough.
The <option>session</option> module type is provided for displaying
the information about the last login and/or updating the lastlog and
wtmp files.
@@ -292,6 +316,9 @@
<title>SEE ALSO</title>
<para>
<citerefentry>
+ <refentrytitle>limits.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c
index 1a796b99..abd048df 100644
--- a/modules/pam_lastlog/pam_lastlog.c
+++ b/modules/pam_lastlog/pam_lastlog.c
@@ -1,6 +1,6 @@
-/* pam_lastlog module */
-
/*
+ * pam_lastlog module
+ *
* Written by Andrew Morgan <morgan@linux.kernel.org> 1996/3/11
*
* This module does the necessary work to display the last login
@@ -20,10 +20,13 @@
#endif
#include <pwd.h>
#include <stdlib.h>
+#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/resource.h>
#include <syslog.h>
#include <unistd.h>
@@ -50,6 +53,10 @@ struct lastlog {
# define _PATH_BTMP "/var/log/btmp"
#endif
+#ifndef PATH_LOGIN_DEFS
+# define PATH_LOGIN_DEFS "/etc/login.defs"
+#endif
+
/* XXX - time before ignoring lock. Is 1 sec enough? */
#define LASTLOG_IGNORE_LOCK_TIME 1
@@ -59,33 +66,24 @@ struct lastlog {
#define DEFAULT_INACTIVE_DAYS 90
#define MAX_INACTIVE_DAYS 100000
-/*
- * here, we make a definition for the externally accessible function
- * in this file (this definition is required for static a module
- * but strongly encouraged generally) it is used to instruct the
- * modules include file to define the function prototypes.
- */
-
-#define PAM_SM_SESSION
-#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
-
#include <security/pam_modules.h>
#include <security/_pam_macros.h>
#include <security/pam_modutil.h>
#include <security/pam_ext.h>
+#include "pam_inline.h"
/* argument parsing */
-#define LASTLOG_DATE 01 /* display the date of the last login */
-#define LASTLOG_HOST 02 /* display the last host used (if set) */
-#define LASTLOG_LINE 04 /* display the last terminal used */
-#define LASTLOG_NEVER 010 /* display a welcome message for first login */
-#define LASTLOG_DEBUG 020 /* send info to syslog(3) */
-#define LASTLOG_QUIET 040 /* keep quiet about things */
-#define LASTLOG_WTMP 0100 /* log to wtmp as well as lastlog */
-#define LASTLOG_BTMP 0200 /* display failed login info from btmp */
-#define LASTLOG_UPDATE 0400 /* update the lastlog and wtmp files (default) */
+#define LASTLOG_DATE 01 /* display the date of the last login */
+#define LASTLOG_HOST 02 /* display the last host used (if set) */
+#define LASTLOG_LINE 04 /* display the last terminal used */
+#define LASTLOG_NEVER 010 /* display a welcome message for first login */
+#define LASTLOG_DEBUG 020 /* send info to syslog(3) */
+#define LASTLOG_QUIET 040 /* keep quiet about things */
+#define LASTLOG_WTMP 0100 /* log to wtmp as well as lastlog */
+#define LASTLOG_BTMP 0200 /* display failed login info from btmp */
+#define LASTLOG_UPDATE 0400 /* update the lastlog and wtmp files (default) */
+#define LASTLOG_UNLIMITED 01000 /* unlimited file size (ignore 'fsize' limit) */
static int
_pam_auth_parse(pam_handle_t *pamh, int flags, int argc, const char **argv,
@@ -95,13 +93,14 @@ _pam_auth_parse(pam_handle_t *pamh, int flags, int argc, const char **argv,
*inactive = DEFAULT_INACTIVE_DAYS;
- /* does the appliction require quiet? */
+ /* does the application require quiet? */
if (flags & PAM_SILENT) {
ctrl |= LASTLOG_QUIET;
}
/* step through arguments */
for (; argc-- > 0; ++argv) {
+ const char *str;
char *ep = NULL;
long l;
@@ -109,9 +108,9 @@ _pam_auth_parse(pam_handle_t *pamh, int flags, int argc, const char **argv,
ctrl |= LASTLOG_DEBUG;
} else if (!strcmp(*argv,"silent")) {
ctrl |= LASTLOG_QUIET;
- } else if (!strncmp(*argv,"inactive=", 9)) {
- l = strtol(*argv+9, &ep, 10);
- if (ep != *argv+9 && l > 0 && l < MAX_INACTIVE_DAYS)
+ } else if ((str = pam_str_skip_prefix(*argv, "inactive=")) != NULL) {
+ l = strtol(str, &ep, 10);
+ if (ep != str && l > 0 && l < MAX_INACTIVE_DAYS)
*inactive = l;
else {
pam_syslog(pamh, LOG_ERR, "bad option value: %s", *argv);
@@ -130,11 +129,6 @@ _pam_session_parse(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
int ctrl=(LASTLOG_DATE|LASTLOG_HOST|LASTLOG_LINE|LASTLOG_WTMP|LASTLOG_UPDATE);
- /* does the appliction require quiet? */
- if (flags & PAM_SILENT) {
- ctrl |= LASTLOG_QUIET;
- }
-
/* step through arguments */
for (; argc-- > 0; ++argv) {
@@ -158,11 +152,19 @@ _pam_session_parse(pam_handle_t *pamh, int flags, int argc, const char **argv)
ctrl &= ~(LASTLOG_WTMP|LASTLOG_UPDATE);
} else if (!strcmp(*argv,"showfailed")) {
ctrl |= LASTLOG_BTMP;
+ } else if (!strcmp(*argv,"unlimited")) {
+ ctrl |= LASTLOG_UNLIMITED;
} else {
pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
}
}
+ /* does the application require quiet? */
+ if (flags & PAM_SILENT) {
+ ctrl |= LASTLOG_QUIET;
+ ctrl &= ~LASTLOG_BTMP;
+ }
+
D(("ctrl = %o", ctrl));
return ctrl;
}
@@ -172,6 +174,7 @@ get_tty(pam_handle_t *pamh)
{
const void *void_terminal_line = NULL;
const char *terminal_line;
+ const char *str;
if (pam_get_item(pamh, PAM_TTY, &void_terminal_line) != PAM_SUCCESS
|| void_terminal_line == NULL) {
@@ -179,14 +182,47 @@ get_tty(pam_handle_t *pamh)
} else {
terminal_line = void_terminal_line;
}
- if (!strncmp("/dev/", terminal_line, 5)) {
- /* strip leading "/dev/" from tty. */
- terminal_line += 5;
- }
+
+ /* strip leading "/dev/" from tty. */
+ str = pam_str_skip_prefix(terminal_line, "/dev/");
+ if (str != NULL)
+ terminal_line = str;
+
D(("terminal = %s", terminal_line));
return terminal_line;
}
+#define MAX_UID_VALUE 0xFFFFFFFFUL
+
+static uid_t
+get_lastlog_uid_max(pam_handle_t *pamh)
+{
+ uid_t uid_max = MAX_UID_VALUE;
+ unsigned long ul;
+ char *s, *ep;
+
+ s = pam_modutil_search_key(pamh, PATH_LOGIN_DEFS, "LASTLOG_UID_MAX");
+ if (s == NULL)
+ return uid_max;
+
+ ep = s + strlen(s);
+ while (ep > s && isspace(*(--ep))) {
+ *ep = '\0';
+ }
+ errno = 0;
+ ul = strtoul(s, &ep, 10);
+ if (!(ul >= MAX_UID_VALUE
+ || (uid_t)ul >= MAX_UID_VALUE
+ || (errno != 0 && ul == 0)
+ || s == ep
+ || *ep != '\0')) {
+ uid_max = (uid_t)ul;
+ }
+ free(s);
+
+ return uid_max;
+}
+
static int
last_login_open(pam_handle_t *pamh, int announce, uid_t uid)
{
@@ -336,6 +372,12 @@ static int
last_login_write(pam_handle_t *pamh, int announce, int last_fd,
uid_t uid, const char *user)
{
+ static struct rlimit no_limit = {
+ RLIM_INFINITY,
+ RLIM_INFINITY
+ };
+ struct rlimit old_limit;
+ int setrlimit_res;
struct flock last_lock;
struct lastlog last_login;
time_t ll_time;
@@ -390,6 +432,31 @@ last_login_write(pam_handle_t *pamh, int announce, int last_fd,
sleep(LASTLOG_IGNORE_LOCK_TIME);
}
+ /*
+ * Failing to set the 'fsize' limit is not a fatal error. We try to write
+ * lastlog anyway, under the risk of dying due to a SIGXFSZ.
+ */
+ D(("setting limit for 'fsize'"));
+
+ if ((announce & LASTLOG_UNLIMITED) == 0) { /* don't set to unlimited */
+ setrlimit_res = -1;
+ } else if (getrlimit(RLIMIT_FSIZE, &old_limit) == 0) {
+ if (old_limit.rlim_cur == RLIM_INFINITY) { /* already unlimited */
+ setrlimit_res = -1;
+ } else {
+ setrlimit_res = setrlimit(RLIMIT_FSIZE, &no_limit);
+ if (setrlimit_res != 0)
+ pam_syslog(pamh, LOG_WARNING, "Could not set limit for 'fsize': %m");
+ }
+ } else {
+ setrlimit_res = -1;
+ if (errno == EINVAL) {
+ pam_syslog(pamh, LOG_INFO, "Limit for 'fsize' not supported: %m");
+ } else {
+ pam_syslog(pamh, LOG_WARNING, "Could not get limit for 'fsize': %m");
+ }
+ }
+
D(("writing to the lastlog file"));
if (pam_modutil_write (last_fd, (char *) &last_login,
sizeof (last_login)) != sizeof(last_login)) {
@@ -397,6 +464,18 @@ last_login_write(pam_handle_t *pamh, int announce, int last_fd,
retval = PAM_SERVICE_ERR;
}
+ /*
+ * Failing to restore the 'fsize' limit is a fatal error.
+ */
+ D(("restoring limit for 'fsize'"));
+ if (setrlimit_res == 0) {
+ setrlimit_res = setrlimit(RLIMIT_FSIZE, &old_limit);
+ if (setrlimit_res != 0) {
+ pam_syslog(pamh, LOG_ERR, "Could not restore limit for 'fsize': %m");
+ retval = PAM_SERVICE_ERR;
+ }
+ }
+
last_lock.l_type = F_UNLCK;
(void) fcntl(last_fd, F_SETLK, &last_lock); /* unlock */
D(("unlocked"));
@@ -418,6 +497,10 @@ last_login_date(pam_handle_t *pamh, int announce, uid_t uid, const char *user, t
int retval;
int last_fd;
+ if (uid > get_lastlog_uid_max(pamh)) {
+ return PAM_SUCCESS;
+ }
+
/* obtain the last login date and all the relevant info */
last_fd = last_login_open(pamh, announce, uid);
if (last_fd < 0) {
@@ -586,9 +669,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
/* which user? */
- if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL
- || *user == '\0') {
- pam_syslog(pamh, LOG_ERR, "cannot determine the user's name");
+ if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) {
+ pam_syslog(pamh, LOG_NOTICE, "cannot determine user name");
return PAM_USER_UNKNOWN;
}
@@ -596,13 +678,13 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
pwd = pam_modutil_getpwnam (pamh, user);
if (pwd == NULL) {
- pam_syslog(pamh, LOG_ERR, "user unknown");
+ pam_syslog(pamh, LOG_NOTICE, "user unknown");
return PAM_USER_UNKNOWN;
}
uid = pwd->pw_uid;
pwd = NULL; /* tidy up */
- if (uid == 0)
+ if (uid == 0 || uid > get_lastlog_uid_max(pamh))
return PAM_SUCCESS;
/* obtain the last login date and all the relevant info */