Package: libpam-modules
Version: 0.79-4
Severity: important
Tags: patch

this problem was detected on fedora 7, debugged & patched on debian etch,
and reported from lenny/testing, but the problem is applicable to all
distributions as the problem exists in the latest upstream version
(Linux-PAM 0.99.9.0).  please relay this to upstream.

if a user specifies the "audit" option, then it also triggers the
"even_deny_root_account" option.  why?  the audit option is defined as
decimal 100, not octal 100, which evaluates to true when bit-wise and-ed
with even_deny_root (and no_reset).

attached patch corrects the simple oversight.

i was tempted to give this a severity of "serious" because i can see some
unfortunate user getting locked out of their host at a remote data center
because all available accounts, including root, are denied login due to a
brute force attack.

but the severity should be irrelevant and a newly updated package pushed
out to all debian versions rather quickly as the problem is easily solved
with the attached patch, right? :-D

corey
-- 
[EMAIL PROTECTED]
--- Linux-PAM/modules/pam_tally/pam_tally.c~	2007-10-12 01:49:15.000000000 +0000
+++ Linux-PAM/modules/pam_tally/pam_tally.c	2007-10-12 03:26:04.000000000 +0000
@@ -95,7 +95,7 @@ struct tally_options {
 #define OPT_PER_USER			 010
 #define	OPT_NO_LOCK_TIME		 020
 #define OPT_NO_RESET			 040
-#define OPT_AUDIT                        100
+#define OPT_AUDIT                       0100
 
 
 /*---------------------------------------------------------------------*/
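Review bot: the one-character fix is correct, since `0100` is a single bit (64) that is disjoint from `OPT_NO_RESET` (040) and the lower option bits, whereas the decimal literal `100` is 64+32+4 and therefore sets two of the other flags as a side effect; the surrounding definitions are all octal, so the new value matches them. To keep this from recurring, consider expressing these flags as shifts, e.g. `#define OPT_AUDIT (1 << 6)`, or adding a short comment above the block noting that the values are octal bit masks, because a reviewer skimming a later `#define` with a decimal literal has no visual cue that it is wrong.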

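To make the bit-overlap described in the report concrete, here is an added, stand-alone illustration; it is not code from the bug report or from Linux-PAM. It reproduces the option masks shown in the hunk, assumes `OPT_DENY_ROOT` is `04` (the only bit below `010` contained in decimal 100, which is why the report names `even_deny_root` as the collision) and `OPT_MAGIC_ROOT`/`OPT_FAIL_ON_ERROR` as `01`/`02`, and uses a simplified stand-in for the module's argument parsing. It also includes the kind of self-check a maintainer could add so that a non-single-bit flag value is caught immediately.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Option bits in the style of pam_tally.c's struct tally_options.
 * The lower three values are assumptions for this illustration; the
 * values from OPT_PER_USER down are the ones visible in the patch hunk. */
#define OPT_MAGIC_ROOT      01   /* assumed */
#define OPT_FAIL_ON_ERROR   02   /* assumed */
#define OPT_DENY_ROOT       04   /* assumed: "even_deny_root_account" */
#define OPT_PER_USER       010
#define OPT_NO_LOCK_TIME   020
#define OPT_NO_RESET       040

/* The two spellings of the audit flag under discussion. */
#define OPT_AUDIT_BUGGY    100   /* decimal 100 == 0144 == 0100 | 040 | 04 */
#define OPT_AUDIT_FIXED   0100   /* octal: a single bit, value 64 */

/* Simplified stand-in for the module's option parsing (not the real one):
 * takes a space-separated argument string such as "audit deny=3" and
 * returns the resulting flag word. `audit_value` is the literal that
 * "audit" maps to, so the buggy and fixed definitions can be compared. */
static unsigned parse_opts(const char *optstr, unsigned audit_value) {
    char buf[256];
    unsigned flags = 0;

    strncpy(buf, optstr, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';

    for (char *tok = strtok(buf, " "); tok != NULL; tok = strtok(NULL, " ")) {
        if (strcmp(tok, "audit") == 0)                       flags |= audit_value;
        else if (strcmp(tok, "even_deny_root_account") == 0) flags |= OPT_DENY_ROOT;
        else if (strcmp(tok, "no_reset") == 0)               flags |= OPT_NO_RESET;
        else if (strcmp(tok, "per_user") == 0)               flags |= OPT_PER_USER;
        else if (strcmp(tok, "no_lock_time") == 0)           flags |= OPT_NO_LOCK_TIME;
        /* numeric options such as deny=N carry no flag bit and are ignored here */
    }
    return flags;
}

/* 1 if root would be subject to lockout, tested the way a flag word is
 * normally tested: bit-wise AND against the single option bit. */
int root_is_denied(const char *optstr, unsigned audit_value) {
    return (parse_opts(optstr, audit_value) & OPT_DENY_ROOT) != 0;
}

/* 1 if the tally would not be reset on successful login. */
int reset_is_suppressed(const char *optstr, unsigned audit_value) {
    return (parse_opts(optstr, audit_value) & OPT_NO_RESET) != 0;
}

/* Self-check a maintainer could run: every option value must be exactly
 * one bit and no two options may share a bit. Returns 1 if the set is
 * sound, 0 if any value (such as decimal 100) breaks the invariant. */
int flags_are_single_bits(unsigned audit_value) {
    const unsigned opts[] = { OPT_MAGIC_ROOT, OPT_FAIL_ON_ERROR, OPT_DENY_ROOT,
                              OPT_PER_USER, OPT_NO_LOCK_TIME, OPT_NO_RESET,
                              audit_value };
    const size_t n = sizeof opts / sizeof opts[0];
    unsigned seen = 0;

    for (size_t i = 0; i < n; i++) {
        unsigned v = opts[i];
        if (v == 0 || (v & (v - 1)) != 0)  /* zero or more than one bit set */
            return 0;
        if (seen & v)                      /* bit already used by another option */
            return 0;
        seen |= v;
    }
    return 1;
}

int main(void) {
    printf("decimal 100: audit denies root?        %d\n",
           root_is_denied("audit deny=3", OPT_AUDIT_BUGGY));
    printf("octal  0100: audit denies root?        %d\n",
           root_is_denied("audit deny=3", OPT_AUDIT_FIXED));
    printf("decimal 100: flag set is sound?        %d\n",
           flags_are_single_bits(OPT_AUDIT_BUGGY));
    printf("octal  0100: flag set is sound?        %d\n",
           flags_are_single_bits(OPT_AUDIT_FIXED));
    return 0;
}
```

With the decimal literal, an administrator who wrote only `audit deny=3` silently gets `even_deny_root_account` and `no_reset` as well, which is exactly the remote-lockout scenario the report warns about; the single-bit check makes that class of mistake fail loudly instead.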