Package: libpam-modules
Version: 0.79-4
Severity: important
Tags: patch

This problem was detected on Fedora 7, debugged & patched on Debian etch, and reported from lenny/testing, but the problem is applicable to all distributions as the problem exists in the latest upstream version (Linux-PAM 0.99.9.0). Please relay this to upstream.
If a user specifies the "audit" option, then it also triggers the "even_deny_root_account" option. Why? The audit option is defined as decimal 100, not octal 100, which evaluates to true when bit-wise AND-ed with even_deny_root (and no_reset). The attached patch corrects the simple oversight.

I was tempted to give this a severity of "serious" because I can see some unfortunate user getting locked out of their host at a remote data center because all available accounts, including root, are denied login due to a brute force attack. But the severity should be irrelevant and a newly updated package pushed out to all Debian versions rather quickly, as the problem is easily solved with the attached patch, right? :-D

corey
-- 
[EMAIL PROTECTED]
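The bit overlap described above, as an added illustration that is not part of this report or of Linux-PAM: a constructed stand-in for pam_tally's option parsing that uses the flag values visible in the attached hunk, with the pre-patch (decimal) and post-patch (octal) OPT_AUDIT values side by side. The table layout, parser loop and function names are assumptions of this example, not pam_tally's own code.

```c
#include <stddef.h>
#include <string.h>

/* Option bits as in the pam_tally.c hunk; the two OPT_AUDIT values are
 * the pre-patch (decimal) and post-patch (octal) definitions. */
#define OPT_PER_USER     010
#define OPT_NO_LOCK_TIME 020
#define OPT_NO_RESET     040
#define OPT_AUDIT_BUGGY  100   /* decimal 100 == 0144: bits 6, 5 and 2 */
#define OPT_AUDIT_FIXED  0100  /* octal 0100 == 64: bit 6 only */

struct opt_name { const char *name; unsigned flag; };

/* Constructed stand-in for pam_tally's argument loop: each recognised
 * keyword ORs its flag into the option word; unknown words are ignored. */
unsigned parse_opts(const struct opt_name *table, size_t n,
                    const char **argv, int argc)
{
    unsigned opts = 0;
    for (int i = 0; i < argc; i++)
        for (size_t j = 0; j < n; j++)
            if (strcmp(argv[i], table[j].name) == 0)
                opts |= table[j].flag;
    return opts;
}

/* How many table entries test true in opts. One keyword should give
 * exactly 1; anything more means two options share a bit. */
size_t count_active(unsigned opts, const struct opt_name *table, size_t n)
{
    size_t active = 0;
    for (size_t j = 0; j < n; j++)
        if (opts & table[j].flag)
            active++;
    return active;
}

/* Parse only "audit" with the given OPT_AUDIT value and report how many
 * options end up active. (even_deny_root's value is not visible in the
 * hunk, so it is not modelled here.) */
size_t options_triggered_by_audit(unsigned audit_flag)
{
    const struct opt_name table[] = {
        { "per_user", OPT_PER_USER }, { "no_lock_time", OPT_NO_LOCK_TIME },
        { "no_reset", OPT_NO_RESET }, { "audit", audit_flag },
    };
    const char *argv[] = { "audit" };
    return count_active(parse_opts(table, 4, argv, 1), table, 4);
}
```

With the decimal definition, "audit" alone also satisfies the no_reset test; with the octal definition it activates only itself.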
--- Linux-PAM/modules/pam_tally/pam_tally.c~ 2007-10-12 01:49:15.000000000 +0000 +++ Linux-PAM/modules/pam_tally/pam_tally.c 2007-10-12 03:26:04.000000000 +0000 @@ -95,7 +95,7 @@ struct tally_options { #define OPT_PER_USER 010 #define OPT_NO_LOCK_TIME 020 #define OPT_NO_RESET 040 -#define OPT_AUDIT 100 +#define OPT_AUDIT 0100 /*---------------------------------------------------------------------*/
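Review bot: the one-character fix is correct, but nothing in the hunk stops the same slip recurring: the neighbouring flags 010, 020 and 040 are octal while OPT_AUDIT was typed as decimal 100 (== 0144), which shares the 040 bit with OPT_NO_RESET and the 04 bit with a lower option. Consider rewriting the block with explicit shifts, e.g. `#define OPT_NO_RESET (1 << 5)` and `#define OPT_AUDIT (1 << 6)`, or at least adding a comment that the values are octal, so the next flag added after 0100 is not written as 200.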