Accepting request 394329 from Linux-PAM

Automatic submission by obs-autosubmit OBS-URL: https://build.opensuse.org/request/show/394329 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam?expand=0&rev=83
2016-05-14 10:23:08 +00:00 · 2016-05-14 10:23:08 +00:00 · 27ac6246a2
commit 27ac6246a2
parent 59356c2ab7 7bd1cebe62
10 changed files with 516 additions and 40 deletions
--- a/Linux-PAM-1.2.1-docs.tar.bz2
+++ b/Linux-PAM-1.2.1-docs.tar.bz2
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:1f8860544d935f744546a4bb15167e3e42736c4e37756534117bdfaa822e6b25
 size 491551
--- a/Linux-PAM-1.2.1.tar.bz2
+++ b/Linux-PAM-1.2.1.tar.bz2
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:342b1211c0d3b203a7df2540a5b03a428a087bd8a48c17e49ae268f992b334d9
 size 1279523
--- a/Linux-PAM-1.3.0-docs.tar.bz2
+++ b/Linux-PAM-1.3.0-docs.tar.bz2
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:8610b48703f036f6755c1d2bd8bcdeaddd9d99a1631f2d7668ec69b444d972a0
 size 492805
--- a/Linux-PAM-1.3.0.tar.bz2
+++ b/Linux-PAM-1.3.0.tar.bz2
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:241aed1ef522f66ed672719ecf2205ec513fd0075ed80cda8e086a5b1a01d1bb
 size 1302820
--- a/common-account.pamd
+++ b/common-account.pamd
@ -1,8 +1,8 @@
 #
-# /etc/pam.d/common-account - authorization settings common to all services
+# /etc/pam.d/common-account - account settings common to all services
 #
 # This file is included from other service-specific PAM config files,
-# and should contain a list of the authorization modules that define
+# and should contain a list of the account modules that define
 # the central access policy for use on the system.  The default is to
 # only deny service to users whose accounts are expired.
 #
--- a/encryption_method_nis.diff
+++ b/encryption_method_nis.diff
@ -1,8 +1,6 @@
-diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
+--- modules/pam_unix/pam_unix_passwd.c
-index 0cfc0f4..2239206 100644
+++ modules/pam_unix/pam_unix_passwd.c	2016/04/11 13:49:32
--- a/modules/pam_unix/pam_unix_passwd.c
+@@ -840,6 +840,29 @@
 +++ b/modules/pam_unix/pam_unix_passwd.c
@@ -796,6 +796,29 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
 		 * rebuild the password database file.
 		 */
@ -32,13 +30,11 @@ index 0cfc0f4..2239206 100644
 		/*
 		 * First we encrypt the new password.
 		 */
-diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
+--- modules/pam_unix/support.c
-index 19d72e6..dafa9f0 100644
+++ modules/pam_unix/support.c	2016/04/11 13:49:32
--- a/modules/pam_unix/support.c
+@@ -31,8 +31,8 @@
-+++ b/modules/pam_unix/support.c
+ #include "support.h"
-@@ -37,8 +37,8 @@
+ #include "passverify.h"
 #define SELINUX_ENABLED 0
 #endif
 -static char *
 -search_key (const char *key, const char *filename)
@ -47,7 +43,7 @@ index 19d72e6..dafa9f0 100644
 {
   FILE *fp;
   char *buf = NULL;
-@@ -159,7 +159,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
+@@ -153,7 +153,7 @@
 	}
 	/* preset encryption method with value from /etc/login.defs */
@ -56,7 +52,7 @@ index 19d72e6..dafa9f0 100644
 	if (val) {
 	  for (j = 0; j < UNIX_CTRLS_; ++j) {
 	    if (unix_args[j].token && unix_args[j].is_hash_algo
-@@ -177,7 +177,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
+@@ -171,7 +171,7 @@
 	  /* read number of rounds for crypt algo */
 	  if (rounds && (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl))) {
@ -65,11 +61,9 @@ index 19d72e6..dafa9f0 100644
 	    if (val) {
 	      *rounds = strtol(val, NULL, 10);
-diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
+--- modules/pam_unix/support.h
-index 6f5b2eb..a35a8a8 100644
+++ modules/pam_unix/support.h	2016/04/11 13:49:32
--- a/modules/pam_unix/support.h
+@@ -174,4 +174,5 @@
 +++ b/modules/pam_unix/support.h
@@ -174,4 +174,5 @@ extern int _unix_read_password(pam_handle_t * pamh
 extern int _unix_run_verify_binary(pam_handle_t *pamh,
 			unsigned int ctrl, const char *user, int *daysleft);
--- a/pam.changes
+++ b/pam.changes
@ -1,3 +1,55 @@
 -------------------------------------------------------------------
 Mon May  2 10:44:38 CEST 2016 - kukuk@suse.de
 - Remove obsolete README.pam_tally [bsc#977973]
 -------------------------------------------------------------------
 Thu Apr 28 13:51:59 CEST 2016 - kukuk@suse.de
 - Update Linux-PAM to version 1.3.0
 - Rediff encryption_method_nis.diff
 - Link pam_unix against libtirpc and external libnsl to enable
  IPv6 support.
 -------------------------------------------------------------------
 Thu Apr 14 14:06:18 CEST 2016 - kukuk@suse.de
 - Add /sbin/unix2_chkpwd (moved from pam-modules)
 -------------------------------------------------------------------
 Mon Apr 11 15:09:04 CEST 2016 - kukuk@suse.de
 - Remove (since accepted upstream):
  - 0001-Remove-YP-dependencies-from-pam_access-they-were-nev.patch
  - 0002-Remove-enable-static-modules-option-and-support-from.patch
  - 0003-fix-nis-checks.patch
  - 0004-PAM_EXTERN-isn-t-needed-anymore-but-don-t-remove-it-.patch
  - 0005-Use-TI-RPC-functions-if-we-compile-and-link-against-.patch
 -------------------------------------------------------------------
 Fri Apr  1 15:32:37 CEST 2016 - kukuk@suse.de
 - Add 0005-Use-TI-RPC-functions-if-we-compile-and-link-against-.patch
  - Replace IPv4 only functions
 -------------------------------------------------------------------
 Fri Apr  1 10:37:58 CEST 2016 - kukuk@suse.de
 - Fix typo in common-account.pamd [bnc#959439]
 -------------------------------------------------------------------
 Tue Mar 29 14:25:02 CEST 2016 - kukuk@suse.de
 - Add 0004-PAM_EXTERN-isn-t-needed-anymore-but-don-t-remove-it-.patch
  - readd PAM_EXTERN for external PAM modules
 -------------------------------------------------------------------
 Wed Mar 23 11:21:16 CET 2016 - kukuk@suse.de
 - Add 0001-Remove-YP-dependencies-from-pam_access-they-were-nev.patch
 - Add 0002-Remove-enable-static-modules-option-and-support-from.patch
 - Add 0003-fix-nis-checks.patch
 -------------------------------------------------------------------
 Sat Jul 25 16:03:33 UTC 2015 - joschibrauchle@gmx.de
--- a/pam.spec
+++ b/pam.spec
@ -1,7 +1,7 @@
 #
 # spec file for package pam
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -25,15 +25,18 @@ BuildRequires:  audit-devel
 BuildRequires:  bison
 BuildRequires:  cracklib-devel
 BuildRequires:  flex
-#BuildRequires:  pkgconfig(libtirpc)
+%if 0%{?suse_version} > 1320
 BuildRequires:  pkgconfig(libnsl)
 BuildRequires:  pkgconfig(libtirpc)
 %endif
 %if %{enable_selinux}
 BuildRequires:  libselinux-devel
 %endif
-%define libpam_so_version 0.84.1
+%define libpam_so_version 0.84.2
 %define libpam_misc_so_version 0.82.1
 %define libpamc_so_version 0.82.1
 #
-Version:        1.2.1
+Version:        1.3.0
 Release:        0
 Summary:        A Security Tool that Provides Authentication for Applications
 License:        GPL-2.0+ or BSD-3-Clause
@ -51,6 +54,8 @@ Source6:        common-password.pamd
 Source7:        common-session.pamd
 Source8:        etc.environment
 Source9:        baselibs.conf
 Source10:       unix2_chkpwd.c
 Source11:       unix2_chkpwd.8
 Patch0:         fix-man-links.dif
 Patch2:         pam-limit-nproc.patch
 Patch3:         encryption_method_nis.diff
@ -103,7 +108,7 @@ building both PAM-aware applications and modules for use with PAM.
 %setup -q -n Linux-PAM-%{version} -b 1
 %patch0 -p1
 %patch2 -p1
-%patch3 -p1
+%patch3 -p0
 %build
 autoreconf -fiv
@ -117,7 +122,8 @@ export CFLAGS="%optflags -DNDEBUG"
        --libdir=/%{_lib} \
 	--enable-isadir=../../%{_lib}/security \
        --enable-securedir=/%{_lib}/security
-make %{?_smp_mflags};
+make %{?_smp_mflags}
 %__cc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I$RPM_BUILD_DIR/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o $RPM_BUILD_DIR/unix2_chkpwd -L$RPM_BUILD_DIR/Linux-PAM-%{version}/libpam/.libs/ -lpam
 %check
 make %{?_smp_mflags} check
@ -170,12 +176,6 @@ for x in pam_unix_auth pam_unix_acct pam_unix_passwd pam_unix_session; do
  ln -f $RPM_BUILD_ROOT/%{_lib}/security/pam_unix.so $RPM_BUILD_ROOT/%{_lib}/security/$x.so
 done
 #
 # pam_tally is deprecated since ages
 #
 rm -f $RPM_BUILD_ROOT/%{_lib}/security/pam_tally.so
 rm -f $RPM_BUILD_ROOT/sbin/pam_tally
 rm -f $RPM_BUILD_ROOT%{_mandir}/man8/pam_tally.8*
 #
 # Install READMEs of PAM modules
 #
 DOC=$RPM_BUILD_ROOT%{_defaultdocdir}/pam
@ -187,18 +187,30 @@ mkdir -p $DOC/modules
  done
 )
 #
-# Install misc docu and md5.config
+# pam_tally is deprecated since ages
 #
 rm -f $RPM_BUILD_ROOT/%{_lib}/security/pam_tally.so
 rm -f $RPM_BUILD_ROOT/sbin/pam_tally
 rm -f $RPM_BUILD_ROOT%{_mandir}/man8/pam_tally.8*
 rm -f $RPM_BUILD_ROOT%{_defaultdocdir}/pam/modules/README.pam_tally
 #
 # Install misc docu
 #
 install -m 644 NEWS COPYING $DOC
 # Install unix2_chkpwd
 install -m 755 $RPM_BUILD_DIR/unix2_chkpwd $RPM_BUILD_ROOT/sbin/
 install -m 644 $RPM_SOURCE_DIR/unix2_chkpwd.8 $RPM_BUILD_ROOT%{_mandir}/man8/
 # Create filelist with translatins
 %{find_lang} Linux-PAM
 %verifyscript
 %verify_permissions -e /sbin/unix_chkpwd
 %verify_permissions -e /sbin/unix2_chkpwd
 %post
 /sbin/ldconfig
 %set_permissions /sbin/unix_chkpwd
 %set_permissions /sbin/unix2_chkpwd
 %postun -p /sbin/ldconfig
@ -223,6 +235,7 @@ install -m 644 NEWS COPYING $DOC
 %config(noreplace) %{_sysconfdir}/security/namespace.init
 %doc %{_defaultdocdir}/pam/NEWS
 %doc %{_defaultdocdir}/pam/COPYING
 %doc %{_mandir}/man5/environment.5*
 %doc %{_mandir}/man5/*.conf.5*
 %doc %{_mandir}/man5/pam.d.5*
 %doc %{_mandir}/man8/*
@ -288,6 +301,7 @@ install -m 644 NEWS COPYING $DOC
 /sbin/pam_tally2
 /sbin/pam_timestamp_check
 %verify(not mode) %attr(4755,root,shadow) /sbin/unix_chkpwd
 %verify(not mode) %attr(4755,root,shadow) /sbin/unix2_chkpwd
 %attr(0700,root,root) /sbin/unix_update
 %files doc
--- a/unix2_chkpwd.8
+++ b/unix2_chkpwd.8
@ -0,0 +1,79 @@
 .\" Copyright (C) 2003 International Business Machines Corporation
 .\" This file is distributed according to the GNU General Public License.
 .\" See the file COPYING in the top level source directory for details.
 .\"
 .de Sh \" Subsection
 .br
 .if t .Sp
 .ne 5
 .PP
 \fB\\$1\fR
 .PP
 ..
 .de Sp \" Vertical space (when we can't use .PP)
 .if t .sp .5v
 .if n .sp
 ..
 .de Ip \" List item
 .br
 .ie \\n(.$>=3 .ne \\$3
 .el .ne 3
 .IP "\\$1" \\$2
 ..
 .TH "UNIX2_CHKPWD" 8 "2003-03-21" "Linux-PAM 0.76" "Linux-PAM Manual"
 .SH NAME
 unix2_chkpwd \- helper binary that verifies the password of the current user
 .SH "SYNOPSIS"
 .ad l
 .hy 0
 /sbin/unix2_chkpwd \fIservicename\fR \fIusername\fR
 .sp
 .ad
 .hy
 .SH "DESCRIPTION"
 .PP
 \fBunix2_chkpwd\fR is a helper program for applications that verifies 
 the password of the current user.  It is not intended to be run directly from 
 the command line and logs a security violation if done so. 
 It is typically installed setuid root or setgid shadow and called by
 applications, which only wishes to do an user authentification and
 nothing more.
 .SH "OPTIONS"
 .PP
 unix2_chkpwd requires the following arguments:
 .TP
 \fIpam_service\fR
 The name of the service using unix2_chkpwd. This is required to be one of
 the services in /etc/pam.d
 .TP
 \fIusername\fR
 The name of the user whose password you want to verify.
 .SH "INPUTS"
 .PP
 unix2_chkpwd expects the password via stdin.
 .SH "RETURN CODES"
 .PP
 \fBunix2_chkpwd\fR has the following return codes:
 .TP
 1
 unix2_chkpwd was inappropriately called from the command line or the password is incorrect.
 .TP
 0
 The password is correct.
 .SH "HISTORY"
 Written by Olaf Kirch loosely based on unix_chkpwd by Andrew Morgan
 .SH "SEE ALSO"
 .PP
 \fBpam\fR(8)
 .SH AUTHOR
 Emily Ratliff.
--- a/unix2_chkpwd.c
+++ b/unix2_chkpwd.c
@ -0,0 +1,337 @@
 /*
 * Set*id helper program for PAM authentication.
 *
 * It is supposed to be called from pam_unix2's
 * pam_sm_authenticate function if the function notices
 * that it's unable to get the password from the shadow file
 * because it doesn't have sufficient permissions.
 *
 * Copyright (C) 2002 SuSE Linux AG
 *
 * Written by okir@suse.de, loosely based on unix_chkpwd
 * by Andrew Morgan.
 */
 #include <security/pam_appl.h>
 #include <security/_pam_macros.h>
 #include <sys/types.h>
 #include <stdarg.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <syslog.h>
 #include <unistd.h>
 #include <pwd.h>
 #include <signal.h>
 #include <fcntl.h>
 #include <ctype.h>
 #include <errno.h>
 #define BUFLEN	1024
 #ifndef LOGINDEFS
 #define LOGINDEFS	"/etc/login.defs"
 #endif
 #define LOGINDEFS_FAIL_DELAY_KEY	"FAIL_DELAY"
 #define DEFAULT_FAIL_DELAY_S	10
 #define PASSWD_CRACKER_DELAY_MS	100
 enum {
 	UNIX_PASSED = 0,
 	UNIX_FAILED = 1
 };
 static char *	program_name;
 static char	pass[64];
 static int	npass = -1;
 /*
 * Log error messages
 */
 static void
 _log_err(int err, const char *format,...)
 {
 	va_list args;
 	va_start(args, format);
 	openlog(program_name, LOG_CONS | LOG_PID, LOG_AUTH);
 	vsyslog(err, format, args);
 	va_end(args);
 	closelog();
 }
 static void
 su_sighandler(int sig)
 {
 	if (sig > 0) {
 		_log_err(LOG_NOTICE, "caught signal %d.", sig);
 		exit(sig);
 	}
 }
 /*
 * Setup signal handlers
 */
 static void
 setup_signals(void)
 {
 	struct sigaction action;
 	memset((void *) &action, 0, sizeof(action));
 	action.sa_handler = su_sighandler;
 	action.sa_flags = SA_RESETHAND;
 	sigaction(SIGILL, &action, NULL);
 	sigaction(SIGTRAP, &action, NULL);
 	sigaction(SIGBUS, &action, NULL);
 	sigaction(SIGSEGV, &action, NULL);
 	action.sa_handler = SIG_IGN;
 	action.sa_flags = 0;
 	sigaction(SIGTERM, &action, NULL);
 	sigaction(SIGHUP, &action, NULL);
 	sigaction(SIGINT, &action, NULL);
 	sigaction(SIGQUIT, &action, NULL);
 	sigaction(SIGALRM, &action, NULL);
 }
 static int
 _converse(int num_msg, const struct pam_message **msg,
 		struct pam_response **resp, void *appdata_ptr)
 {
 	struct	pam_response *reply;
 	int	num;
 	if (!(reply = malloc(sizeof(*reply) * num_msg)))
 		return PAM_CONV_ERR;
 	for (num = 0; num < num_msg; num++) {
 		reply[num].resp_retcode = PAM_SUCCESS;
 		reply[num].resp = NULL;
 		switch (msg[num]->msg_style) {
 		case PAM_PROMPT_ECHO_ON:
 			return PAM_CONV_ERR;
 		case PAM_PROMPT_ECHO_OFF:
 			/* read the password from stdin */
 			if (npass < 0) {
 				npass = read(STDIN_FILENO, pass, sizeof(pass)-1);
 				if (npass < 0) {
 					_log_err(LOG_DEBUG, "error reading password");
 					return UNIX_FAILED;
 				}
 				pass[npass] = '\0';
 			}
 			reply[num].resp = strdup(pass);
 			break;
 		case PAM_TEXT_INFO:
 		case PAM_ERROR_MSG:
 			/* ignored */
 			break;
 		default:
 			/* Must be an error of some sort... */
 			return PAM_CONV_ERR;
 		}
 	}
 	*resp = reply;
 	return PAM_SUCCESS;
 }
 static int
 _authenticate(const char *service, const char *user)
 {
 	struct pam_conv conv = { _converse, NULL };
 	pam_handle_t	*pamh;
 	int		err;
 	err = pam_start(service, user, &conv, &pamh);
 	if (err != PAM_SUCCESS) {
 		_log_err(LOG_ERR, "pam_start(%s, %s) failed (errno %d)",
 				service, user, err);
 		return UNIX_FAILED;
 	}
 	err = pam_authenticate(pamh, 0);
 	if (err != PAM_SUCCESS)
 		_log_err(LOG_ERR, "pam_authenticate(%s, %s): %s",
 				service, user,
 				pam_strerror(pamh, err));
 	if (err == PAM_SUCCESS)
 	{
 		err = pam_acct_mgmt(pamh, 0);
 		if (err == PAM_SUCCESS)
 		{
 			int err2 = pam_setcred(pamh, PAM_REFRESH_CRED);
 			if (err2 != PAM_SUCCESS)
 				_log_err(LOG_ERR, "pam_setcred(%s, %s): %s",
 					service, user,
 					pam_strerror(pamh, err2));
 				/*
 				 * ignore errors on refresh credentials.
 				 * If this did not work we use the old once.
 				 */
 		} else {
 			_log_err(LOG_ERR, "pam_acct_mgmt(%s, %s): %s",
 				service, user,
 				pam_strerror(pamh, err));
 		}
 	}
 	pam_end(pamh, err);
 	if (err != PAM_SUCCESS)
 		return UNIX_FAILED;
 	return UNIX_PASSED;
 }
 static char *
 getuidname(uid_t uid)
 {
 	struct passwd *pw;
 	static char username[32];
 	pw = getpwuid(uid);
 	if (pw == NULL)
 		return NULL;
 	strncpy(username, pw->pw_name, sizeof(username));
 	username[sizeof(username) - 1] = '\0';
 	endpwent();
 	return username;
 }
 static int
 sane_pam_service(const char *name)
 {
 	const char *sp;
 	char	path[128];
 	if (strlen(name) > 32)
 		return 0;
 	for (sp = name; *sp; sp++) {
 		if (!isalnum(*sp) && *sp != '_' && *sp != '-')
 			return 0;
 	}
 	snprintf(path, sizeof(path), "/etc/pam.d/%s", name);
 	return access(path, R_OK) == 0;
 }
 static int
 get_system_fail_delay (void)
 {
 	FILE *fs;
 	char buf[BUFLEN];
 	long int delay = -1;
 	char *s;
 	int l;
 	fs = fopen(LOGINDEFS, "r");
 	if (NULL == fs) {
 		goto bail_out;
 	}
 	while ((NULL != fgets(buf, BUFLEN, fs)) && (-1 == delay)) {
 		if  (!strstr(buf, LOGINDEFS_FAIL_DELAY_KEY)) {
 			continue;
 		}
 		s = buf + strspn(buf, " \t");
 		l = strcspn(s, " \t");
 		if (strncmp(LOGINDEFS_FAIL_DELAY_KEY, s, l)) {
 			continue;
 		}
 		s += l;
 		s += strspn(s, " \t");
 		errno = 0;
 		delay = strtol(s, NULL, 10);
 		if (errno) {
 			delay = -1;
 		}
 		break;
 	}
 	fclose (fs);
 bail_out:
 	delay = (delay < 0) ? DEFAULT_FAIL_DELAY_S : delay;
 	return (int)delay;
 }
 int
 main(int argc, char *argv[])
 {
 	const char *program_name;
 	char	*service, *user;
 	int	fd;
 	int result = UNIX_FAILED;
 	uid_t	uid;
 	uid = getuid();
 	/*
 	 * Make sure standard file descriptors are connected.
 	 */
 	while ((fd = open("/dev/null", O_RDWR)) <= 2)
 		;
 	close(fd);
 	/*
 	 * Get the program name
 	 */
 	if (argc == 0)
 		program_name = "unix2_chkpwd";
 	else if ((program_name = strrchr(argv[0], '/')) != NULL)
 		program_name++;
 	else
 		program_name = argv[0];
 	/*
 	 * Catch or ignore as many signal as possible.
 	 */
 	setup_signals();
 	/*
 	 * Check argument list
 	 */
 	if (argc < 2 || argc > 3) {
 		_log_err(LOG_NOTICE, "Bad number of arguments (%d)", argc);
 		return UNIX_FAILED;
 	}
 	/*
 	 * Get the service name and do some sanity checks on it
 	 */
 	service = argv[1];
 	if (!sane_pam_service(service)) {
 		_log_err(LOG_ERR, "Illegal service name '%s'", service);
 		return UNIX_FAILED;
 	}
 	/*
 	 * Discourage users messing around (fat chance)
 	 */
 	if (isatty(STDIN_FILENO) && uid != 0) {
 		_log_err(LOG_NOTICE,
 			"Inappropriate use of Unix helper binary [UID=%d]",
 			 uid);
 		fprintf(stderr,
 			"This binary is not designed for running in this way\n"
 			"-- the system administrator has been informed\n");
 		sleep(10);	/* this should discourage/annoy the user */
 		return UNIX_FAILED;
 	}
 	/*
 	 * determine the caller's user name
 	 */
 	user = getuidname(uid);
 	if (argc == 3 && strcmp(user, argv[2])) {
 		user = argv[2];
 	}
 	result = _authenticate(service, user);
 	/* Discourage use of this program as a
 	 * password cracker */
 	usleep(PASSWD_CRACKER_DELAY_MS * 1000);
 	if (result != UNIX_PASSED && uid != 0)
 		sleep(get_system_fail_delay());
 	return result;
 }