New upstream version 1.5.3

1 files changed, 44 insertions, 5 deletions

diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
index 01dd1385..c5fa6dfc 100644
--- a/modules/pam_timestamp/pam_timestamp.c
+++ b/modules/pam_timestamp/pam_timestamp.c
@@ -53,7 +53,6 @@
 #include <time.h>
 #include <sys/time.h>
 #include <unistd.h>
-#include <utmp.h>
 #include <syslog.h>
 #include <paths.h>
 #ifdef WITH_OPENSSL
@@ -62,6 +61,12 @@
 #include "hmacsha1.h"
 #endif /* WITH_OPENSSL */
 
+#ifdef USE_LOGIND
+#include <systemd/sd-login.h>
+#else
+#include <utmp.h>
+#endif
+
 #include <security/pam_modules.h>
 #include <security/_pam_macros.h>
 #include <security/pam_ext.h>
@@ -90,7 +95,7 @@
 static int
 check_dir_perms(pam_handle_t *pamh, const char *tdir)
 {
-	char scratch[BUFLEN];
+	char scratch[BUFLEN] = {};
 	struct stat st;
 	int i;
 	/* Check that the directory is "safe". */
@@ -98,7 +103,6 @@ check_dir_perms(pam_handle_t *pamh, const char *tdir)
 		return PAM_AUTH_ERR;
 	}
 	/* Iterate over the path, checking intermediate directories. */
-	memset(scratch, 0, sizeof(scratch));
 	for (i = 0; (tdir[i] != '\0') && (i < (int)sizeof(scratch)); i++) {
 		scratch[i] = tdir[i];
 		if ((scratch[i] == '/') || (tdir[i + 1] == '\0')) {
@@ -200,10 +204,26 @@ timestamp_good(time_t then, time_t now, time_t interval)
 }
 
 static int
-check_login_time(const char *ruser, time_t timestamp)
+check_login_time(
+#ifdef USE_LOGIND
+		 uid_t uid,
+#else
+		 const char *ruser,
+#endif
+		 time_t timestamp)
 {
-	struct utmp utbuf, *ut;
 	time_t oldest_login = 0;
+#ifdef USE_LOGIND
+#define USEC_PER_SEC  ((uint64_t) 1000000ULL)
+	uint64_t usec = 0;
+
+	if (sd_uid_get_login_time(uid, &usec) < 0) {
+	        return PAM_SERVICE_ERR;
+	}
+
+	oldest_login = usec/USEC_PER_SEC;
+#else
+	struct utmp utbuf, *ut;
 
 	setutent();
 	while(
@@ -224,6 +244,7 @@ check_login_time(const char *ruser, time_t timestamp)
 		}
 	}
 	endutent();
+#endif
 	if(oldest_login == 0 || timestamp < oldest_login) {
 		return PAM_AUTH_ERR;
 	}
@@ -532,7 +553,15 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
 			close(fd);
 			return PAM_AUTH_ERR;
 		}
+#ifdef USE_LOGIND
+		struct passwd *pwd = pam_modutil_getpwnam(pamh, ruser);
+		if (pwd != NULL) {
+		  return PAM_SERVICE_ERR;
+		}
+		if (check_login_time(pwd->pw_uid, then) != PAM_SUCCESS)
+#else
 		if (check_login_time(ruser, then) != PAM_SUCCESS)
+#endif
 		{
 			pam_syslog(pamh, LOG_NOTICE, "timestamp file `%s' is "
 			       "older than oldest login, disallowing "
@@ -728,6 +757,9 @@ main(int argc, char **argv)
 	fd_set write_fds;
 	char path[BUFLEN];
 	struct stat st;
+#ifdef USE_LOGIND
+	uid_t uid;
+#endif
 
 	/* Check that there's nothing funny going on with stdio. */
 	if ((fstat(STDIN_FILENO, &st) == -1) ||
@@ -783,6 +815,9 @@ main(int argc, char **argv)
 	if (pwd == NULL) {
 		retval = 4;
 	}
+#ifdef USE_LOGIND
+	uid = pwd->pw_uid;
+#endif
 
 	/* Get the name of the target user. */
 	user = strdup(pwd->pw_name);
@@ -833,7 +868,11 @@ main(int argc, char **argv)
 				/* Check the timestamp. */
 				if (lstat(path, &st) != -1) {
 					/* Check oldest login against timestamp */
+#ifdef USE_LOGIND
+					if (check_login_time(uid, st.st_mtime) != PAM_SUCCESS) {
+#else
 					if (check_login_time(user, st.st_mtime) != PAM_SUCCESS) {
+#endif
 						retval = 7;
 					} else if (timestamp_good(st.st_mtime, time(NULL),
 							DEFAULT_TIMESTAMP_TIMEOUT) != PAM_SUCCESS) {