diff options
| author | Tobias Stoeckmann <tobias@stoeckmann.org> | 2023-12-12 20:09:45 +0100 |
|---|---|---|
| committer | Dmitry V. Levin <ldv@strace.io> | 2023-12-12 23:46:06 +0000 |
| commit | 51a06bc8cc2278c6e81c9c08a9381c9eb0d2de96 (patch) | |
| tree | b19a526f7f9ea34045b7ae1aa853ed8f470f31ec /modules/pam_unix/passverify.c | |
| parent | 86506bddaa02e845c87f6513e04e109c4e3c78ff (diff) | |
| download | pam-51a06bc8cc2278c6e81c9c08a9381c9eb0d2de96.tar.gz pam-51a06bc8cc2278c6e81c9c08a9381c9eb0d2de96.tar.bz2 pam-51a06bc8cc2278c6e81c9c08a9381c9eb0d2de96.zip | |
pam_unix: sync expiry checks with shadow
The shadow library uses "greater than or equal to" checks instead of
current "greater than" checks in pam_unix.
The account expiry check is already "greater than or equal to" so this
adjustment can even be argued without making references to other
projects.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Diffstat (limited to 'modules/pam_unix/passverify.c')
| -rw-r--r-- | modules/pam_unix/passverify.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c index d5155b4c..a842b70d 100644 --- a/modules/pam_unix/passverify.c +++ b/modules/pam_unix/passverify.c @@ -322,20 +322,20 @@ PAMH_ARG_DECL(int check_shadow_expiry, if (spent->sp_inact >= 0) { long inact = spent->sp_max < LONG_MAX - spent->sp_inact ? spent->sp_max + spent->sp_inact : LONG_MAX; - if (passed > inact) { + if (passed >= inact) { *daysleft = subtract(inact, passed); D(("authtok expired")); return PAM_AUTHTOK_EXPIRED; } } - if (passed > spent->sp_max) { + if (passed >= spent->sp_max) { D(("need a new password 2")); return PAM_NEW_AUTHTOK_REQD; } if (spent->sp_warn >= 0) { long warn = spent->sp_warn > spent->sp_max ? -1 : spent->sp_max - spent->sp_warn; - if (passed > warn) { + if (passed >= warn) { *daysleft = subtract(spent->sp_max, passed); D(("warn before expiry")); } |