From c58a79970f5902b5b61b8ca7e82564a7db212be0 Mon Sep 17 00:00:00 2001
From: openEuler Buildteam
Date: Mon, 27 Jul 2020 09:34:43 +0800
Subject: [PATCH] bugfix pam 1.1.8 faillock systemtime

---
 modules/pam_faillock/pam_faillock.c | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/modules/pam_faillock/pam_faillock.c b/modules/pam_faillock/pam_faillock.c
index 5b5cc2c..600e3f6 100644
--- a/modules/pam_faillock/pam_faillock.c
+++ b/modules/pam_faillock/pam_faillock.c
@@ -91,6 +91,7 @@ struct options {
 int is_admin;
 uint64_t now;
 int fatal_error;
+ int time_jumped;
 };
 
 static int read_config_file(
@@ -121,6 +122,7 @@ args_parse(pam_handle_t *pamh, int argc, const char **argv,
 opts->fail_interval = 900;
 opts->unlock_time = 600;
 opts->root_unlock_time = MAX_TIME_INTERVAL+1;
+ opts->time_jumped = 0;
 
 for (i = 0; i < argc; ++i) {
 const char *str = pam_str_skip_prefix(argv[i], "conf=");
@@ -464,8 +466,6 @@ check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies
 latest_time = tallies->records[i].time;
 }
 
- opts->latest_time = latest_time;
-
 failures = 0;
 for (i = 0; i < tallies->count; i++) {
 if ((tallies->records[i].status & TALLY_STATUS_VALID) &&
@@ -476,6 +476,19 @@ check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies
 
 opts->failures = failures;
 
+ if (latest_time > opts->now) {
+ pam_syslog(pamh, LOG_WARNING, "system time jumped about %ld seconds.", (latest_time - opts->now));
+ latest_time = opts->now;
+ opts->time_jumped = 1;
+
+ for(i = 0; i < tallies->count; i++) {
+ if (tallies->records[i].status & TALLY_STATUS_VALID)
+ tallies->records[i].time = latest_time;
+ }
+ }
+
+ opts->latest_time = latest_time;
+
 if (opts->deny && failures >= opts->deny) {
 if ((!opts->is_admin && opts->unlock_time && latest_time + opts->unlock_time < opts->now) ||
 (opts->is_admin && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) {
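Review bot: In the added time-jump branch of check_tally, the loop restamps every record that has TALLY_STATUS_VALID set to the current time, not only the records whose timestamp lies in the future. Once that is written back, failures that were presumably already older than fail_interval would fall inside the window again, so a backwards clock change could lock an account on fewer fresh failures than deny asks for; restricting the rewrite with `if ((tallies->records[i].status & TALLY_STATUS_VALID) && tallies->records[i].time > opts->now)` would leave the older records as they were. The `%ld` in the new pam_syslog call also does not match its argument: opts->now is uint64_t, so the difference is an unsigned 64-bit value, and `"%llu"` with a `(unsigned long long)` cast would be correct on 32-bit targets as well. check_tally starts and ends outside the hunk.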
@@ -712,6 +725,10 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
 rv = PAM_IGNORE; /* this return value should be ignored */
 write_tally(pamh, &opts, &tallies, &fd);
 }
+ if (opts.time_jumped) {
+ if (update_tally(fd, &tallies) != 0)
+ rv = PAM_IGNORE;
+ }
 break;
 }
 }
--
2.23.0
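Review bot: A failed update_tally in the added block overwrites rv with PAM_IGNORE and leaves no log entry, so if rv holds a denial from the earlier check at that point, a write error would change what the module returns to the PAM stack. Keeping rv and logging the failure would be safer, e.g. `if (update_tally(fd, &tallies) != 0) pam_syslog(pamh, LOG_ERR, "failed to store corrected tally times");`. The block also appears to sit in a single case of the switch, so on the other actions (outside this hunk) the corrected timestamps would presumably stay in memory only and the time-jump warning would repeat on each call; worth confirming that this is intended. pam_sm_authenticate starts outside the hunk.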