From: Tomas Mraz Date: Mon, 30 Apr 2012 12:46:48 +0000 (+0200) Subject: pam_lastlog: Never lock out the root account. X-Git-Tag: v1.1.6~13 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=cf9c75be753a3c12fdecb9f4696b8ad1b28dd799;p=linux-pam pam_lastlog: Never lock out the root account. modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Return PAM_SUCCESS if uid==0. modules/pam_lastlog/pam_lastlog.8.xml: Improve documentation. --- diff --git a/modules/pam_lastlog/pam_lastlog.8.xml b/modules/pam_lastlog/pam_lastlog.8.xml index ecac2664..77da9dbc 100644 --- a/modules/pam_lastlog/pam_lastlog.8.xml +++ b/modules/pam_lastlog/pam_lastlog.8.xml @@ -12,7 +12,7 @@ pam_lastlog - PAM module to display date of last login + PAM module to display date of last login and perform inactive account lock out @@ -64,6 +64,12 @@ Some applications may perform this function themselves. In such cases, this module is not necessary. + + If the module is called in the auth or account phase, the accounts that + were not used recently enough will be disallowed to log in. The + check is not performed for the root account so the root is never + locked out. + diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c index 4111b182..50e5a59c 100644 --- a/modules/pam_lastlog/pam_lastlog.c +++ b/modules/pam_lastlog/pam_lastlog.c @@ -598,6 +598,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, uid = pwd->pw_uid; pwd = NULL; /* tidy up */ + if (uid == 0) + return PAM_SUCCESS; /* obtain the last login date and all the relevant info */ last_fd = last_login_open(pamh, ctrl, uid);
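Review bot: In the paragraph added to pam_lastlog.8.xml at @@ -64,6 +64,12 @@, the exemption is documented for "the root account", but the code in this patch tests `uid == 0`, so every account with uid 0 is exempt whatever its name; the text should say that. The paragraph also leaves "not used recently enough" undefined; it should point to the option that sets the inactivity threshold, so an administrator can tell which accounts the auth and account phases will reject. On wording, "will be disallowed to log in" reads better as "will not be allowed to log in", and "the root is never locked out" as "root is never locked out".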
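Review bot: In pam_sm_authenticate at @@ -598,6 +598,8 @@ of pam_lastlog.c, the new early return `if (uid == 0) return PAM_SUCCESS;` carries no comment and writes no log entry, unlike the commented steps around it ("/* tidy up */", "/* obtain the last login date and all the relevant info */"). Add a comment saying that uid 0 is deliberately exempt from the inactivity check so that it can never be locked out, and consider a debug-level message so someone reading the log can tell the check was skipped rather than passed. It is also worth asking whether PAM_IGNORE would express "no opinion for this account" better than PAM_SUCCESS, since a success result counts toward the outcome of the stack the module is placed in. The commit message names only pam_sm_authenticate while the documentation hunk describes both the auth and account phases; please confirm that the account path reaches this same check.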