From e9e593f6ddeaf975b7fe8446d184e6bc387d450b Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 26 Aug 2010 19:16:18 +0000 Subject: Relevant BUGIDs: Purpose of commit: new feature Commit summary: --------------- 2010-08-26 Tomas Mraz * modules/pam_nologin/pam_nologin.c (perform_check): Try first /var/run/nologin if the nologin file is not explicitly specified. * modules/pam_nologin/pam_nologin.8.xml: Document that /var/run/nologin is tried first. --- modules/pam_nologin/pam_nologin.8.xml | 11 ++++++----- modules/pam_nologin/pam_nologin.c | 16 +++++++++++++--- 2 files changed, 19 insertions(+), 8 deletions(-) (limited to 'modules/pam_nologin') diff --git a/modules/pam_nologin/pam_nologin.8.xml b/modules/pam_nologin/pam_nologin.8.xml index b30b6bed..94c4887b 100644 --- a/modules/pam_nologin/pam_nologin.8.xml +++ b/modules/pam_nologin/pam_nologin.8.xml @@ -33,10 +33,10 @@ pam_nologin is a PAM module that prevents users from logging into - the system when /etc/nologin exists. The contents - of the /etc/nologin file are displayed to the - user. The pam_nologin module has no effect on the root user's ability - to log in. + the system when /var/run/nologin or + /etc/nologinexists. The contents + of the file are displayed to the user. The pam_nologin module + has no effect on the root user's ability to log in. @@ -51,6 +51,7 @@ Use this file instead the default + /var/run/nologin or /etc/nologin. @@ -107,7 +108,7 @@ Success: either the user is root or the - /etc/nologin file does not exist. + nologin file does not exist. diff --git a/modules/pam_nologin/pam_nologin.c b/modules/pam_nologin/pam_nologin.c index 54ecc82b..f047c324 100644 --- a/modules/pam_nologin/pam_nologin.c +++ b/modules/pam_nologin/pam_nologin.c @@ -33,6 +33,9 @@ #include #include +#define DEFAULT_NOLOGIN_PATH "/var/run/nologin" +#define COMPAT_NOLOGIN_PATH "/etc/nologin" + /* * parse some command line options */ 
@@ -49,7 +52,6 @@ parse_args(pam_handle_t *pamh, int argc, const char **argv, struct opt_s *opts) memset(opts, 0, sizeof(*opts)); opts->retval_when_nofile = PAM_IGNORE; - opts->nologin_file = "/etc/nologin"; for (i=0; iretval_when_nofile; - int fd; + int fd = -1; if ((pam_get_user(pamh, &username, NULL) != PAM_SUCCESS) || !username) { pam_syslog(pamh, LOG_WARNING, "cannot determine username"); return PAM_USER_UNKNOWN; } - if ((fd = open(opts->nologin_file, O_RDONLY, 0)) >= 0) { + if (opts->nologin_file == NULL) { + if ((fd = open(DEFAULT_NOLOGIN_PATH, O_RDONLY, 0)) < 0) { + fd = open(COMPAT_NOLOGIN_PATH, O_RDONLY, 0); + } + } else { + fd = open(opts->nologin_file, O_RDONLY, 0); + } + + if (fd >= 0) { char *mtmp=NULL; int msg_style = PAM_TEXT_INFO; -- cgit v1.2.3
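Review bot: In perform_check, every open() failure is treated like a missing file: any error on DEFAULT_NOLOGIN_PATH falls through to COMPAT_NOLOGIN_PATH, and if that also fails the code reaches `if (fd >= 0)` with no record of why. A nologin file that exists but cannot be opened (EACCES from a permission or policy denial, EMFILE, and so on) is therefore handled like an absent one, which presumably yields retval_when_nofile and lets the login proceed. I would log the non-ENOENT case right after the opens, e.g. `if (fd < 0 && errno != ENOENT) pam_syslog(pamh, LOG_WARNING, "cannot open nologin file: %m");`, and decide whether that case should deny rather than ignore. This needs `<errno.h>` if it is not already included. The rest of perform_check lies outside the hunk, so the final return path is inferred rather than visible here.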