pam_lastlog: Never lock out the root account.
authorTomas Mraz <tmraz@fedoraproject.org>
Mon, 30 Apr 2012 12:46:48 +0000 (14:46 +0200)
committerTomas Mraz <tmraz@fedoraproject.org>
Mon, 30 Apr 2012 12:46:48 +0000 (14:46 +0200)
modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Return PAM_SUCCESS if
uid==0.
modules/pam_lastlog/pam_lastlog.8.xml: Improve documentation.

modules/pam_lastlog/pam_lastlog.8.xml
modules/pam_lastlog/pam_lastlog.c

index ecac2664bc15398784e438557677405fc464c349..77da9dbcc793aa667fd6ba75d26f06ce0239cacb 100644 (file)
@@ -12,7 +12,7 @@
 
   <refnamediv id="pam_lastlog-name">
     <refname>pam_lastlog</refname>
-    <refpurpose>PAM module to display date of last login</refpurpose>
+    <refpurpose>PAM module to display date of last login and perform inactive account lock out</refpurpose>
   </refnamediv>
 
   <refsynopsisdiv>
       Some applications may perform this function themselves. In such
       cases, this module is not necessary.
     </para>
+    <para>
+      If the module is called in the auth or account phase, the accounts that
+      were not used recently enough will be disallowed to log in. The
+      check is not performed for the root account so the root is never
+      locked out.
+    </para>
   </refsect1>
 
   <refsect1 id="pam_lastlog-options">
index 4111b182b06050265db328fd8bc6304bfd511167..50e5a59c6d00b8307bb53464d752202507eca371 100644 (file)
@@ -598,6 +598,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
     uid = pwd->pw_uid;
     pwd = NULL;                                         /* tidy up */
 
+    if (uid == 0)
+       return PAM_SUCCESS;
 
     /* obtain the last login date and all the relevant info */
     last_fd = last_login_open(pamh, ctrl, uid);
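Review bot: The new `if (uid == 0) return PAM_SUCCESS;` exempts every account whose uid is 0, not only the one named root, and it does so with no comment and no log line, so the lock-out policy gains a silent exception that someone auditing the code or the logs will not see. I would add a comment above the check such as `/* uid 0 is exempt from the inactivity lock-out so root can always log in */`, and state in the man page that the exemption is by uid. Because this is the auth entry point, it is also worth confirming that PAM_SUCCESS rather than PAM_IGNORE is intended: a stack that lists this module as `sufficient` would treat the early return as a successful authentication for uid 0. How the rest of pam_sm_authenticate reports a passing check lies outside the hunk, so the return value may simply follow the function's existing convention.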