author | Thorsten Kukuk <kukuk@thkukuk.de> | 2006-11-08 11:21:41 +0000 |
---|---|---|
committer | Thorsten Kukuk <kukuk@thkukuk.de> | 2006-11-08 11:21:41 +0000 |
commit | 4c09f39787930e3ee86e0489cb9796040e161abe (patch) | |
tree | 745ee21e7f3026e1f2bbc808a58ea42d5a9d6d3c /modules/pam_faildelay | |
parent | 2dc572392c3c31de2fa5c3f0e30fa621cac4776e (diff) | |
Relevant BUGIDs:
Purpose of commit: new feature
Commit summary:
---------------
2006-11-08 Thorsten Kukuk <kukuk@thkukuk.de>
* configure.in: Add modules/pam_faildelay/Makefile.
* doc/sag/Linux-PAM_SAG.xml: Include pam_faildelay.xml.
* doc/sag/pam_faildelay.xml: New.
* libpam/pam_static_modules.h: Include static pam_faildelay data.
* modules/Makefile.am: Add pam_faildelay directory.
* modules/pam_faildelay/Makefile.am: New.
* modules/pam_faildelay/README: New, generated from XML file.
* modules/pam_faildelay/README.xml: New.
* modules/pam_faildelay/pam_faildelay.8: New, generated from xml.
* modules/pam_faildelay/pam_faildelay.8.xml: New.
* modules/pam_faildelay/pam_faildelay.c: New.
* modules/pam_faildelay/tst-pam_faildelay: New.
Diffstat (limited to 'modules/pam_faildelay')
-rw-r--r-- | modules/pam_faildelay/.cvsignore | 6 | ||||
-rw-r--r-- | modules/pam_faildelay/Makefile.am | 31 | ||||
-rw-r--r-- | modules/pam_faildelay/README | 30 | ||||
-rw-r--r-- | modules/pam_faildelay/README.xml | 41 | ||||
-rw-r--r-- | modules/pam_faildelay/pam_faildelay.8 | 68 | ||||
-rw-r--r-- | modules/pam_faildelay/pam_faildelay.8.xml | 133 | ||||
-rw-r--r-- | modules/pam_faildelay/pam_faildelay.c | 123 | ||||
-rwxr-xr-x | modules/pam_faildelay/tst-pam_faildelay | 2 |
8 files changed, 434 insertions, 0 deletions
diff --git a/modules/pam_faildelay/.cvsignore b/modules/pam_faildelay/.cvsignore
new file mode 100644
index 00000000..9fb98574
--- /dev/null
+++ b/modules/pam_faildelay/.cvsignore
@@ -0,0 +1,6 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
diff --git a/modules/pam_faildelay/Makefile.am b/modules/pam_faildelay/Makefile.am
new file mode 100644
index 00000000..ac1bc1d3
--- /dev/null
+++ b/modules/pam_faildelay/Makefile.am
@@ -0,0 +1,31 @@
+#
+# Copyright (c) 2006 Thorsten Kukuk <kukuk@suse.de>
+#
+
+CLEANFILES = *~
+
+EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_faildelay
+
+man_MANS = pam_faildelay.8
+XMLS = README.xml pam_faildelay.8.xml
+
+TESTS = tst-pam_faildelay
+
+securelibdir = $(SECUREDIR)
+secureconfdir = $(SCONFIGDIR)
+
+AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
+AM_LDFLAGS = -no-undefined -avoid-version -module \
+ -L$(top_builddir)/libpam -lpam
+if HAVE_VERSIONING
+ AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+endif
+
+securelib_LTLIBRARIES = pam_faildelay.la
+
+if ENABLE_REGENERATE_MAN
+noinst_DATA = README
+README: pam_faildelay.8.xml
+-include $(top_srcdir)/Make.xml.rules
+endif
+
diff --git a/modules/pam_faildelay/README b/modules/pam_faildelay/README
new file mode 100644
index 00000000..297362e6
--- /dev/null
+++ b/modules/pam_faildelay/README
@@ -0,0 +1,30 @@
+pam_faildelay — Change the delay on failure per-application
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+DESCRIPTION
+
+pam_faildelay is a PAM module that can be used to set the delay on failure
+per-application.
+
+OPTIONS
+
+debug
+
+ Turns on debugging messages sent to syslog.
+
+delay=N
+
+ Set the delay on failure to N microseconds.
+
+EXAMPLES
+
+The following example will set the delay on failure to 10 seconds:
+
+auth optional pam_faildelay.so delay=10000000
+
+
+AUTHOR
+
+pam_faildelay was written by Bjoern Voigt <bjoern@cs.tu-berlin.de>.
+
diff --git a/modules/pam_faildelay/README.xml b/modules/pam_faildelay/README.xml
new file mode 100644
index 00000000..64d4accc
--- /dev/null
+++ b/modules/pam_faildelay/README.xml
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.docbook.org/xml/4.4/docbookx.dtd"
+[
+<!--
+<!ENTITY pamaccess SYSTEM "pam_faildelay.8.xml">
+-->
+]>
+
+<article>
+
+ <articleinfo>
+
+ <title>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_faildelay.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_faildelay-name"]/*)'/>
+ </title>
+
+ </articleinfo>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_faildelay.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faildelay-description"]/*)'/>
+ </section>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_faildelay.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faildelay-options"]/*)'/>
+ </section>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_faildelay.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faildelay-examples"]/*)'/>
+ </section>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_faildelay.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faildelay-author"]/*)'/>
+ </section>
+
+</article>
diff --git a/modules/pam_faildelay/pam_faildelay.8 b/modules/pam_faildelay/pam_faildelay.8
new file mode 100644
index 00000000..eb0c4539
--- /dev/null
+++ b/modules/pam_faildelay/pam_faildelay.8
@@ -0,0 +1,68 @@
+.\" Title: pam_faildelay
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.0 <http://docbook.sf.net/>
+.\" Date: 11/07/2006
+.\" Manual: Linux\-PAM Manual
+.\" Source: Linux\-PAM Manual
+.\"
+.TH "PAM_FAILDELAY" "8" "11/07/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_faildelay \- Change the delay on failure per\-application
+.SH "SYNOPSIS"
+.HP 17
+\fBpam_faildelay.so\fR [debug] [delay=\fImicroseconds\fR]
+.SH "DESCRIPTION"
+.PP
+pam_faildelay is a PAM module that can be used to set the delay on failure per\-application.
+.SH "OPTIONS"
+.PP
+\fBdebug\fR
+.RS 3n
+Turns on debugging messages sent to syslog.
+.RE
+.PP
+\fBdelay=\fR\fB\fIN\fR\fR
+.RS 3n
+Set the delay on failure to N microseconds.
+.RE
+.SH "MODULE SERVICES PROVIDED"
+.PP
+Only the
+\fBauth\fR
+service is supported.
+.SH "RETURN VALUES"
+.PP
+PAM_IGNORE
+.RS 3n
+Delay was successful adjusted.
+.RE
+.PP
+PAM_SYSTEM_ERR
+.RS 3n
+The specified delay was not valid.
+.RE
+.SH "EXAMPLES"
+.PP
+The following example will set the delay on failure to 10 seconds:
+.sp
+.RS 3n
+.nf
+auth optional pam_faildelay.so delay=10000000
+
+.fi
+.RE
+.sp
+.SH "SEE ALSO"
+.PP
+
+\fBpam_fail_delay\fR(3),
+\fBpam.conf\fR(5),
+\fBpam.d\fR(8),
+\fBpam\fR(8)
+.SH "AUTHOR"
+.PP
+pam_faildelay was written by Bjoern Voigt <bjoern@cs.tu\-berlin.de>.
diff --git a/modules/pam_faildelay/pam_faildelay.8.xml b/modules/pam_faildelay/pam_faildelay.8.xml
new file mode 100644
index 00000000..dd0fe6dc
--- /dev/null
+++ b/modules/pam_faildelay/pam_faildelay.8.xml
@@ -0,0 +1,133 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+ "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+
+<refentry id="pam_faildelay">
+
+ <refmeta>
+ <refentrytitle>pam_faildelay</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id="pam_faildelay-name">
+ <refname>pam_faildelay</refname>
+ <refpurpose>Change the delay on failure per-application</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis id="pam_faildelay-cmdsynopsis">
+ <command>pam_faildelay.so</command>
+ <arg choice="opt">
+ debug
+ </arg>
+ <arg choice="opt">
+ delay=<replaceable>microseconds</replaceable>
+ </arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id="pam_faildelay-description">
+
+ <title>DESCRIPTION</title>
+
+ <para>
+ pam_faildelay is a PAM module that can be used to set
+ the delay on failure per-application.
+ </para>
+
+ </refsect1>
+
+ <refsect1 id="pam_faildelay-options">
+
+ <title>OPTIONS</title>
+ <variablelist>
+ <varlistentry>
+ <term>
+ <option>debug</option>
+ </term>
+ <listitem>
+ <para>
+ Turns on debugging messages sent to syslog.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>delay=<replaceable>N</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ Set the delay on failure to N microseconds.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id="pam_faildelay-services">
+ <title>MODULE SERVICES PROVIDED</title>
+ <para>
+ Only the <option>auth</option> service is supported.
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_faildelay-return_values'>
+ <title>RETURN VALUES</title>
+ <variablelist>
+ <varlistentry>
+ <term>PAM_IGNORE</term>
+ <listitem>
+ <para>
+ Delay was successful adjusted.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>PAM_SYSTEM_ERR</term>
+ <listitem>
+ <para>
+ The specified delay was not valid.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='pam_faildelay-examples'>
+ <title>EXAMPLES</title>
+ <para>
+ The following example will set the delay on failure to
+ 10 seconds:
+ <programlisting>
+auth optional pam_faildelay.so delay=10000000
+ </programlisting>
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_faildelay-see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>pam_fail_delay</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_faildelay-author'>
+ <title>AUTHOR</title>
+ <para>
+ pam_faildelay was written by Bjoern Voigt <bjoern@cs.tu-berlin.de>.
+ </para>
+ </refsect1>
+
+</refentry>
diff --git a/modules/pam_faildelay/pam_faildelay.c b/modules/pam_faildelay/pam_faildelay.c
new file mode 100644
index 00000000..0fa910b7
--- /dev/null
+++ b/modules/pam_faildelay/pam_faildelay.c
@@ -0,0 +1,123 @@
+/* pam_faildelay module */
+
+/*
+ * Allows an admin to set the delay on failure per-application.
+ * Provides "auth" interface only.
+ *
+ * Use by putting something like this in the relevant pam config:
+ * auth required pam_faildelay.so delay=[microseconds]
+ *
+ * eg:
+ * auth required pam_faildelay.so delay=10000000
+ * will set the delay on failure to 10 seconds.
+ *
+ *
+ * Based on pam_rootok and parts of pam_unix both by Andrew Morgan
+ * <morgan@linux.kernel.org>
+ *
+ * Portions Copyright (c) 2005 Darren Tucker <dtucker at zip com au>.
+ *
+ * Redistribution and use in source and binary forms of, with
+ * or without modification, are permitted provided that the following
+ * conditions are met:
+ *
+ * 1. Redistributions of source code must retain any existing copyright
+ * notice, and this entire permission notice in its entirety,
+ * including the disclaimer of warranties.
+ *
+ * 2. Redistributions in binary form must reproduce all prior and current
+ * copyright notices, this list of conditions, and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ *
+ * 3. The name of any author may not be used to endorse or promote
+ * products derived from this software without their specific prior
+ * written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of the
+ * GNU General Public License, in which case the provisions of the GNU
+ * GPL are required INSTEAD OF the above restrictions. (This clause is
+ * necessary due to a potential conflict between the GNU GPL and the
+ * restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
+ * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+ * USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ */
+
+#include "config.h"
+
+#include <stdio.h>
+#include <unistd.h>
+#include <syslog.h>
+#include <string.h>
+
+
+#define PAM_SM_AUTH
+
+#include <security/pam_modules.h>
+#include <security/pam_ext.h>
+
+
+/* --- authentication management functions (only) --- */
+
+PAM_EXTERN
+int pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
+ int argc, const char **argv)
+{
+ int i, debug_flag = 0;
+ long int delay = 0;
+
+ /* step through arguments */
+ for (i = 0; i < argc; i++) {
+ if (sscanf(argv[i], "delay=%ld", &delay) == 1) {
+ /* sscanf did already everything necessary */
+ } else if (strcmp (argv[i], "debug") == 0)
+ debug_flag = 1;
+ else
+ pam_syslog (pamh, LOG_ERR, "unknown option; %s", argv[i]);
+ }
+
+ if (debug_flag)
+ pam_syslog (pamh, LOG_DEBUG, "setting fail delay to %ld", delay);
+
+ i = pam_fail_delay(pamh, delay);
+ if (i == PAM_SUCCESS)
+ return PAM_IGNORE;
+ else
+ return i;
+}
+
+PAM_EXTERN
+int pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED,
+ int argc UNUSED, const char **argv UNUSED)
+{
+ return PAM_IGNORE;
+}
+
+
+#ifdef PAM_STATIC
+
+/* static module data */
+
+struct pam_module _pam_rootok_modstruct = {
+ "pam_faildelay",
+ pam_sm_authenticate,
+ pam_sm_setcred,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+};
+
+#endif
+
+/* end of module definition */
diff --git a/modules/pam_faildelay/tst-pam_faildelay b/modules/pam_faildelay/tst-pam_faildelay
new file mode 100755
index 00000000..87f7fd44
--- /dev/null
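Review bot: The `delay=` parsing in pam_sm_authenticate accepts values the module cannot honour: `sscanf(argv[i], "delay=%ld", &delay)` takes negative numbers and trailing garbage, has no defined result on overflow, and the `long` is then handed to `pam_fail_delay()`, whose parameter is `unsigned int`, so an out-of-range setting is silently converted to some other delay instead of being rejected. The man page added in this same commit documents PAM_SYSTEM_ERR as "The specified delay was not valid", yet no code path checks validity, so a mistyped value can quietly weaken the throttle on repeated authentication failures. Parsing with `strtol` and refusing anything outside 0..UINT_MAX, as sketched below, would match the documented behaviour; it needs `<stdlib.h>`, `<errno.h>` and `<limits.h>` in addition to the headers the file already includes. Separately, the PAM_STATIC block names its struct `_pam_rootok_modstruct`, which looks like a leftover from pam_rootok and would presumably clash with that module's symbol in a static build; `_pam_faildelay_modstruct` seems to be what was intended.

```c
  for (i = 0; i < argc; i++) {
      if (strncmp (argv[i], "delay=", 6) == 0) {
          const char *val = argv[i] + 6;
          char *end;

          errno = 0;
          delay = strtol (val, &end, 10);
          /* reject empty, non-numeric, negative or too-large values
             rather than letting them be truncated to unsigned int */
          if (end == val || *end != '\0' || errno == ERANGE
              || delay < 0 || (unsigned long) delay > UINT_MAX) {
              pam_syslog (pamh, LOG_ERR, "invalid delay value: %s", argv[i]);
              return PAM_SYSTEM_ERR;
          }
      } else if (strcmp (argv[i], "debug") == 0)
          debug_flag = 1;
      /* … unchanged: unknown-option logging, debug message, pam_fail_delay call … */
```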
+++ b/modules/pam_faildelay/tst-pam_faildelay
@@ -0,0 +1,2 @@
+#!/bin/sh
+../../tests/tst-dlopen .libs/pam_faildelay.so |