pam/pam_tally.diff

2008-07-09  Thorsten Kukuk  <kukuk@thkukuk.de>

        * modules/pam_tally/pam_tally.c: Add support for silent and
        no_log_info options.
        * modules/pam_tally/pam_tally.8.xml: Document silent and
        no_log_info options.

--- Linux-PAM-1.0/modules/pam_tally/pam_tally.8.xml	2007-10-10 16:10:07.000000000 +0200
+++ Linux-PAM/modules/pam_tally/pam_tally.8.xml	2008-08-20 20:56:28.000000000 +0200
@@ -51,6 +51,12 @@
       <arg choice="opt">
         audit
       </arg>
+      <arg choice="opt">
+        silent
+      </arg>
+      <arg choice="opt">
+        no_log_info
+      </arg>
     </cmdsynopsis>
     <cmdsynopsis id="pam_tally-cmdsynopsis2">
       <command>pam_tally</command>
@@ -150,6 +156,26 @@
                 </para>
               </listitem>
             </varlistentry>
+            <varlistentry>
+              <term>
+                <option>silent</option>
+              </term>
+              <listitem>
+                <para>
+                  Don't print informative messages.
+                </para>
+              </listitem>
+            </varlistentry>
+            <varlistentry>
+              <term>
+                <option>no_log_info</option>
+              </term>
+              <listitem>
+                <para>
+                  Don't log informative messages via <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
+                </para>
+              </listitem>
+            </varlistentry>
           </variablelist>
         </listitem>
       </varlistentry>
--- Linux-PAM-1.0/modules/pam_tally/pam_tally.c	2007-11-20 11:58:11.000000000 +0100
+++ Linux-PAM/modules/pam_tally/pam_tally.c	2008-07-16 10:09:02.000000000 +0200
@@ -97,6 +97,8 @@
 #define	OPT_NO_LOCK_TIME		 020
 #define OPT_NO_RESET			 040
 #define OPT_AUDIT                       0100
+#define OPT_SILENT                      0200
+#define OPT_NOLOGNOTICE                 0400
 
 
 /*---------------------------------------------------------------------*/
@@ -205,6 +207,12 @@
       else if ( ! strcmp ( *argv, "audit") ) {
 	opts->ctrl |= OPT_AUDIT;
       }
+      else if ( ! strcmp ( *argv, "silent") ) {
+	opts->ctrl |= OPT_SILENT;
+      }
+      else if ( ! strcmp ( *argv, "no_log_info") ) {
+	opts->ctrl |= OPT_NOLOGNOTICE;
+      }
       else {
         pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
       }
@@ -524,12 +532,17 @@
       {
       	if ( lock_time + oldtime > time(NULL) )
       	{
-      		pam_syslog(pamh, LOG_NOTICE,
-			 "user %s (%lu) has time limit [%lds left]"
-			 " since last failure.",
-			 user, (unsigned long int) uid,
-			 oldtime+lock_time
-			 -time(NULL));
+	  if (!(opts->ctrl & OPT_SILENT))
+	       pam_info (pamh,
+			 _("Account temporary locked (%lds seconds left)"),
+			 oldtime+lock_time-time(NULL));
+
+	  if (!(opts->ctrl & OPT_NOLOGNOTICE))
+	       pam_syslog (pamh, LOG_NOTICE,
+		 	   "user %s (%lu) has time limit [%lds left]"
+			   " since last failure.",
+			   user, (unsigned long int) uid,
+			   oldtime+lock_time-time(NULL));
       		return PAM_AUTH_ERR;
       	}
       }
@@ -545,9 +558,14 @@
         ( tally > deny ) &&                  /* tally>deny means exceeded    */
         ( ((opts->ctrl & OPT_DENY_ROOT) || uid) )    /* even_deny stops uid check    */
         ) {
-        pam_syslog(pamh, LOG_NOTICE,
-		   "user %s (%lu) tally "TALLY_FMT", deny "TALLY_FMT,
-		   user, (unsigned long int) uid, tally, deny);
+	if (!(opts->ctrl & OPT_SILENT))
+	  pam_info (pamh, _("Accounted locked due to "TALLY_FMT" failed login"),
+		    tally);
+
+	if (!(opts->ctrl & OPT_NOLOGNOTICE))
+	  pam_syslog(pamh, LOG_NOTICE,
+		     "user %s (%lu) tally "TALLY_FMT", deny "TALLY_FMT,
+		     user, (unsigned long int) uid, tally, deny);
         return PAM_AUTH_ERR;                 /* Only unconditional failure   */
       }
     }
@@ -594,7 +612,7 @@
 #ifdef PAM_SM_AUTH
 
 PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
+pam_sm_authenticate(pam_handle_t *pamh, int flags,
 		    int argc, const char **argv)
 {
   int
@@ -612,6 +630,9 @@
   if ( rvcheck != PAM_SUCCESS )
       RETURN_ERROR( rvcheck );
 
+  if (flags & PAM_SILENT)
+    opts->ctrl |= OPT_SILENT;
+
   rvcheck = pam_get_uid(pamh, &uid, &user, opts);
   if ( rvcheck != PAM_SUCCESS )
       RETURN_ERROR( rvcheck );
@@ -625,7 +646,7 @@
 }
 
 PAM_EXTERN int
-pam_sm_setcred(pam_handle_t *pamh, int flags UNUSED,
+pam_sm_setcred(pam_handle_t *pamh, int flags,
 	       int argc, const char **argv)
 {
   int
@@ -643,6 +664,9 @@
   if ( rv != PAM_SUCCESS )
       RETURN_ERROR( rv );
 
+  if (flags & PAM_SILENT)
+    opts->ctrl |= OPT_SILENT;
+
   rv = pam_get_uid(pamh, &uid, &user, opts);
   if ( rv != PAM_SUCCESS )
       RETURN_ERROR( rv );
@@ -667,7 +691,7 @@
 /* To reset failcount of user on successfull login */
 
 PAM_EXTERN int
-pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED,
+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
 		 int argc, const char **argv)
 {
   int
@@ -685,6 +709,9 @@
   if ( rv != PAM_SUCCESS )
       RETURN_ERROR( rv );
 
+  if (flags & PAM_SILENT)
+    opts->ctrl |= OPT_SILENT;
+
   rv = pam_get_uid(pamh, &uid, &user, opts);
   if ( rv != PAM_SUCCESS )
       RETURN_ERROR( rv );