homed: don't block logins into accounts with future change time
This might happen if the system clock is wrong, and we should allow access in this case (though certainly log about it).
parent
55e11ace68
commit
51a95db6dc
|
@ -846,8 +846,8 @@ _public_ PAM_EXTERN int pam_sm_acct_mgmt(
|
||||||
switch (r) {
|
switch (r) {
|
||||||
|
|
||||||
case -ESTALE:
|
case -ESTALE:
|
||||||
(void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "User record is newer than current system time, prohibiting access.");
|
pam_syslog(handle, LOG_WARNING, "User record for '%s' is newer than current system time, assuming incorrect system clock, allowing access.", ur->user_name);
|
||||||
return PAM_ACCT_EXPIRED;
|
break;
|
||||||
|
|
||||||
case -ENOLCK:
|
case -ENOLCK:
|
||||||
(void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "User record is blocked, prohibiting access.");
|
(void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "User record is blocked, prohibiting access.");
|
||||||
|
|
|
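Review bot: The new `-ESTALE` branch drops the user-facing PAM message together with the denial, so the person logging in gets no hint that the record's change time is ahead of the system clock, and the only trace is the LOG_WARNING line written once per login. Because the other time-based outcomes in this same switch (not-before/not-after) are only as trustworthy as that clock, it seems worth keeping a non-blocking notice alongside the syslog call, e.g. `(void) pam_prompt(handle, PAM_TEXT_INFO, NULL, "User record is newer than current system time, system clock might be wrong.");` before the `break;`. The `break` now continues into whatever pam_sm_acct_mgmt does after the switch, which lies outside this hunk, so I cannot confirm from here that no later check still turns a future-dated record into a denial.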
@ -45,6 +45,10 @@ void user_record_show(UserRecord *hr, bool show_full_group_info) {
|
||||||
if (hr->last_change_usec != USEC_INFINITY) {
|
if (hr->last_change_usec != USEC_INFINITY) {
|
||||||
char buf[FORMAT_TIMESTAMP_MAX];
|
char buf[FORMAT_TIMESTAMP_MAX];
|
||||||
printf(" Last Change: %s\n", format_timestamp(buf, sizeof(buf), hr->last_change_usec));
|
printf(" Last Change: %s\n", format_timestamp(buf, sizeof(buf), hr->last_change_usec));
|
||||||
|
|
||||||
|
if (hr->last_change_usec > now(CLOCK_REALTIME))
|
||||||
|
printf(" %sModification time lies in the future, system clock wrong?%s\n",
|
||||||
|
ansi_highlight_yellow(), ansi_normal());
|
||||||
}
|
}
|
||||||
|
|
||||||
if (hr->last_password_change_usec != USEC_INFINITY &&
|
if (hr->last_password_change_usec != USEC_INFINITY &&
|
||||||
|
@ -56,10 +60,6 @@ void user_record_show(UserRecord *hr, bool show_full_group_info) {
|
||||||
r = user_record_test_blocked(hr);
|
r = user_record_test_blocked(hr);
|
||||||
switch (r) {
|
switch (r) {
|
||||||
|
|
||||||
case -ESTALE:
|
|
||||||
printf(" Login OK: %sno%s (last change time is in the future)\n", ansi_highlight_red(), ansi_normal());
|
|
||||||
break;
|
|
||||||
|
|
||||||
case -ENOLCK:
|
case -ENOLCK:
|
||||||
printf(" Login OK: %sno%s (record is locked)\n", ansi_highlight_red(), ansi_normal());
|
printf(" Login OK: %sno%s (record is locked)\n", ansi_highlight_red(), ansi_normal());
|
||||||
break;
|
break;
|
||||||
|
@ -72,10 +72,11 @@ void user_record_show(UserRecord *hr, bool show_full_group_info) {
|
||||||
printf(" Login OK: %sno%s (record not valid anymore))\n", ansi_highlight_red(), ansi_normal());
|
printf(" Login OK: %sno%s (record not valid anymore))\n", ansi_highlight_red(), ansi_normal());
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
case -ESTALE:
|
||||||
default: {
|
default: {
|
||||||
usec_t y;
|
usec_t y;
|
||||||
|
|
||||||
if (r < 0) {
|
if (r < 0 && r != -ESTALE) {
|
||||||
errno = -r;
|
errno = -r;
|
||||||
printf(" Login OK: %sno%s (%m)\n", ansi_highlight_red(), ansi_normal());
|
printf(" Login OK: %sno%s (%m)\n", ansi_highlight_red(), ansi_normal());
|
||||||
break;
|
break;
|
||||||
|
|
|
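Review bot: In the last hunk the `case -ESTALE:` label is placed directly above `default: {` and only makes sense together with the `r != -ESTALE` guard inside that block, but nothing at the label says the code is deliberate rather than a leftover of the removed `-ESTALE` case a few lines up. A one-line comment would make the intent readable without the commit message, e.g. `case -ESTALE: /* future change time: warned about above, does not block logins */`. The same field is compared against `USEC_INFINITY` in the first hunk but against `UINT64_MAX` in user_record_test_blocked; picking one spelling for "unset" in both places would help a reader, assuming the two are the same value. The remainder of the `default` block, including the "Login OK: yes" path, is outside this hunk.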
@ -2025,19 +2025,20 @@ int user_record_test_blocked(UserRecord *h) {
|
||||||
|
|
||||||
assert(h);
|
assert(h);
|
||||||
|
|
||||||
n = now(CLOCK_REALTIME);
|
|
||||||
if (h->last_change_usec != UINT64_MAX &&
|
|
||||||
h->last_change_usec > n) /* Don't allow log ins when the record is from the future */
|
|
||||||
return -ESTALE;
|
|
||||||
|
|
||||||
if (h->locked > 0)
|
if (h->locked > 0)
|
||||||
return -ENOLCK;
|
return -ENOLCK;
|
||||||
|
|
||||||
|
n = now(CLOCK_REALTIME);
|
||||||
|
|
||||||
if (h->not_before_usec != UINT64_MAX && n < h->not_before_usec)
|
if (h->not_before_usec != UINT64_MAX && n < h->not_before_usec)
|
||||||
return -EL2HLT;
|
return -EL2HLT;
|
||||||
if (h->not_after_usec != UINT64_MAX && n > h->not_after_usec)
|
if (h->not_after_usec != UINT64_MAX && n > h->not_after_usec)
|
||||||
return -EL3HLT;
|
return -EL3HLT;
|
||||||
|
|
||||||
|
if (h->last_change_usec != UINT64_MAX &&
|
||||||
|
h->last_change_usec > n) /* Complain during log-ins when the record is from the future */
|
||||||
|
return -ESTALE;
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
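Review bot: This hunk changes the meaning of a negative return from user_record_test_blocked: `-ESTALE` is now an advisory "complain but allow" result, while every other negative value still means the login is blocked, and the function's name and the callers visible in this commit (homectl's `default` branch prints "Login OK: no (%m)" for any `r < 0`) show that callers treat negatives as denials. Any caller this commit did not touch will therefore keep denying future-dated records, and a future caller has no way to learn the distinction from the code. The contract should be documented on the function itself; its signature is just outside the hunk, so I would add above it a comment stating that it returns 0 if logins are permitted, a negative errno if they are blocked, and `-ESTALE` as a non-blocking advisory meaning the record's last change time lies in the future (most likely a wrong system clock), which callers that deny on any negative value must special-case. Moving the `-ESTALE` check after the not-before/not-after checks also means a record that is both future-dated and outside its validity window reports the window error and never the clock warning; that looks intended, but the inline comment could say so.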