From cf9c75be753a3c12fdecb9f4696b8ad1b28dd799 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 30 Apr 2012 14:46:48 +0200 Subject: pam_lastlog: Never lock out the root account. modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Return PAM_SUCCESS if uid==0. modules/pam_lastlog/pam_lastlog.8.xml: Improve documentation. --- modules/pam_lastlog/pam_lastlog.8.xml | 8 +++++++- modules/pam_lastlog/pam_lastlog.c | 2 ++ 2 files changed, 9 insertions(+), 1 deletion(-) (limited to 'modules/pam_lastlog') diff --git a/modules/pam_lastlog/pam_lastlog.8.xml b/modules/pam_lastlog/pam_lastlog.8.xml index ecac2664..77da9dbc 100644 --- a/modules/pam_lastlog/pam_lastlog.8.xml +++ b/modules/pam_lastlog/pam_lastlog.8.xml @@ -12,7 +12,7 @@ pam_lastlog - PAM module to display date of last login + PAM module to display date of last login and perform inactive account lock out @@ -64,6 +64,12 @@ Some applications may perform this function themselves. In such cases, this module is not necessary. + + If the module is called in the auth or account phase, the accounts that + were not used recently enough will be disallowed to log in. The + check is not performed for the root account so the root is never + locked out. + diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c index 4111b182..50e5a59c 100644 --- a/modules/pam_lastlog/pam_lastlog.c +++ b/modules/pam_lastlog/pam_lastlog.c @@ -598,6 +598,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, uid = pwd->pw_uid; pwd = NULL; /* tidy up */ + if (uid == 0) + return PAM_SUCCESS; /* obtain the last login date and all the relevant info */ last_fd = last_login_open(pamh, ctrl, uid); -- cgit v1.2.3