I think the attached patch is in better shape to be accepted by Jamie. The attached patch does the following:
- The default follows the current xscreensaver 5.15 behavior. - Accept the configure option "--enable-pam-check-account-type" as explained in the patch. - Modify driver/xscreensaver.pam appropriately: with "--enable-pam-check-account-type", the pam entry "account include system-auth" will be enabled. Otherwise (by default), this line is commented out. - With "--enable-pam-check-account-type", "PAM_CHECK_ACCOUNT_TYPE" in config.h is defined. With this, the result of pam_acct_mgmt or pam_chauthtok stored as "status2" is copied to "status". Everyone, I would appreciate it if you would check the attached patch. Mamoru
diff -uNr -x '*~' xscreensaver-5.15.a/configure.in xscreensaver-5.15.b/configure.in
--- xscreensaver-5.15.a/configure.in 2011-09-17 03:19:32.000000000 +0900
+++ xscreensaver-5.15.b/configure.in 2012-06-17 04:14:14.000000000 +0900
@@ -245,6 +245,11 @@
 [Define this if you have pam_fail_delay function. see driver/passwd-pam.c.])
+AH_TEMPLATE([PAM_CHECK_ACCOUNT_TYPE],
+ [Make pam actually check the result of account type validation and
+ make xscreensaver refuse to unlock the screen when validation
+ failed.])
+
 AH_TEMPLATE([PAM_STRERROR_TWO_ARGS],
 [Define if you have PAM and pam_strerror() requires two arguments.])
@@ -1925,6 +1930,20 @@
 xscreensaver will authenticate as.]),
 [pam_service_name="$withval"],[pam_service_name="xscreensaver"])
+AC_ARG_ENABLE(pam-check-account-type,
+ [AC_HELP_STRING([--enable-pam-check-account-type],
+ [Make pam actually check the result of account type validation
+ and make xscreensaver refuse to unlock the screen when validation
+ failed. Default is disabled.])],
+ [enable_pam_check_account_type="$enableval"],[enable_pam_check_account_type=no])
+if test "$enable_pam_check_account_type" = yes ; then
+ AC_DEFINE(PAM_CHECK_ACCOUNT_TYPE)
+ true
+elif test "$enable_pam_check_account_type" != no ; then
+ echo "error: must be yes or no: --enable-pam-check-account-type=$enable_pam_check_account_type"
+ exit 1
+fi
+
 HANDLE_X_PATH_ARG(with_pam, --with-pam, PAM)
 if test "$enable_locking" = yes -a "$with_pam" = yes; then
@@ -3652,6 +3671,11 @@
 PASSWD_OBJS="$PASSWD_OBJS \$(PAM_OBJS)"
 INSTALL_PAM="install-pam"
 fi
+if test "$enable_pam_check_account_type" = yes; then
+ COMMENT_PAM_CHECK_ACCOUNT=""
+else
+ COMMENT_PAM_CHECK_ACCOUNT="#"
+fi
 if test "$have_passwd_helper" = yes; then
 PASSWD_SRCS="$PASSWD_SRCS \$(PWHELPER_SRCS)"
 PASSWD_OBJS="$PASSWD_OBJS \$(PWHELPER_OBJS)"
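Review bot: In the `@@ -1925` hunk, `AC_DEFINE(PAM_CHECK_ACCOUNT_TYPE)` is emitted purely from `$enable_pam_check_account_type`, before `HANDLE_X_PATH_ARG(with_pam, ...)` has run, so a build configured with `--enable-pam-check-account-type` but without PAM (or with `--with-passwd-helper`) silently gets a define that nothing honours, and the person configuring believes account validation is enforced when it is not. Since `$with_pam` is only known later, consider moving the `AC_DEFINE` into the `@@ -3652` hunk, next to `COMMENT_PAM_CHECK_ACCOUNT`, guarded by the same condition that sets `INSTALL_PAM="install-pam"` (which appears to be the PAM-enabled path), and emitting `AC_MSG_WARN([--enable-pam-check-account-type has no effect without PAM])` otherwise. The bare `true` after the `AC_DEFINE` is a no-op filler and can be dropped; the `echo "error: ..."; exit 1` form matches the rest of this configure.in, so that is fine as is.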
@@ -3800,6 +3824,7 @@
 AC_SUBST(NEED_SETUID)
 AC_SUBST(INSTALL_PAM)
 AC_SUBST(HAVE_PAM_FAIL_DELAY)
+AC_SUBST(COMMENT_PAM_CHECK_ACCOUNT)
 AC_SUBST(NEW_LOGIN_COMMAND)
 AC_SUBST(NEW_LOGIN_COMMAND_P)
 AC_SUBST(DEFAULT_IMAGES_P)
@@ -3852,6 +3877,7 @@
 AC_OUTPUT(Makefile
 utils/Makefile
 driver/Makefile
+ driver/xscreensaver.pam
 hacks/Makefile
 hacks/glx/Makefile
 po/Makefile.in
diff -uNr -x '*~' xscreensaver-5.15.a/driver/Makefile.in xscreensaver-5.15.b/driver/Makefile.in
--- xscreensaver-5.15.a/driver/Makefile.in 2012-06-17 03:12:28.000000000 +0900
+++ xscreensaver-5.15.b/driver/Makefile.in 2012-06-17 04:00:50.000000000 +0900
@@ -239,7 +239,7 @@
 MEN = $(MEN_1) @MEN_OSX@
 EXTRAS = README Makefile.in \
- XScreenSaver.ad.in XScreenSaver-Xm.ad xscreensaver.pam \
+ XScreenSaver.ad.in XScreenSaver-Xm.ad xscreensaver.pam.in \
 xscreensaver-demo.glade2 xscreensaver-demo.glade2p \
 screensaver-properties.desktop.in \
 .gdbinit
@@ -414,8 +414,8 @@
 rm -f $(install_prefix)$(manNdir)/$$instname* ; \
 done
-install-pam:
- @src="$(srcdir)/xscreensaver.pam" ; \
+install-pam: xscreensaver.pam
+ @src="xscreensaver.pam" ; \
 dest=`sed -n 's/.*PAM_SERVICE_NAME[ ]*"\([^"]*\)".*$$/\1/p' \
 < ../config.h` ; \
 dir="$(install_prefix)$(PAM_DIR)" ; \
diff -uNr -x '*~' xscreensaver-5.15.a/driver/passwd-pam.c xscreensaver-5.15.b/driver/passwd-pam.c
--- xscreensaver-5.15.a/driver/passwd-pam.c 2008-08-15 12:52:14.000000000 +0900
+++ xscreensaver-5.15.b/driver/passwd-pam.c 2012-06-17 04:01:29.000000000 +0900
@@ -258,7 +258,8 @@
 {
 int status2;
- /* We don't actually care if the account modules fail or succeed,
+ /* We don't actually care if the account modules fail or succeed
+ * (by default, can be overridden by configure settings),
 * but we need to run them anyway because certain pam modules
 * depend on side effects of the account modules getting run. */
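Review bot: In the `@@ -414` hunk of driver/Makefile.in, `install-pam` now installs the configure-generated `xscreensaver.pam` from the build directory, but nothing in this patch removes that generated file again; if the Makefile's `distclean` rule (outside this hunk) does not already list `xscreensaver.pam`, a `make distclean` leaves configure output behind and a later `configure` with the other setting could be masked by a stale copy. Add `xscreensaver.pam` to the distclean removals alongside the other `AC_OUTPUT` products. Dropping `$(srcdir)/` from `@src` is correct only because `AC_OUTPUT` writes the file into the build tree, which is worth a one-line comment on the target: `# xscreensaver.pam is generated by configure into the build dir, not $(srcdir)`.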
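Review bot: The reworded comment in the `@@ -258` hunk of driver/passwd-pam.c says the result "can be overridden by configure settings" without naming the knob, so a maintainer reading this block cannot tell which macro to look for; the enclosing function continues outside the hunk. Suggest `* (unless built with --enable-pam-check-account-type, which defines` / `* PAM_CHECK_ACCOUNT_TYPE and makes the account result authoritative below),` in place of the added line, so the comment points at the `#ifdef` that later copies `status2` into `status`.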
@@ -282,6 +283,13 @@
 blurb(), status2, PAM_STRERROR(pamh, status2));
 }
+ /* If pam is requested to actually check the result of account type
+ validation as in configure, do here.
+ */
+#ifdef PAM_CHECK_ACCOUNT_TYPE
+ status = status2;
+#endif
+
 /* Each time we successfully authenticate, refresh credentials, for Kerberos/AFS/DCE/etc. If this fails, just ignore that failure and blunder along; it shouldn't matter.
diff -uNr -x '*~' xscreensaver-5.15.a/driver/xscreensaver.pam xscreensaver-5.15.b/driver/xscreensaver.pam
--- xscreensaver-5.15.a/driver/xscreensaver.pam 2006-04-27 07:33:01.000000000 +0900
+++ xscreensaver-5.15.b/driver/xscreensaver.pam 1970-01-01 09:00:00.000000000 +0900
@@ -1,16 +0,0 @@
-#%PAM-1.0
-
-# Fedora Core 5:
-auth include system-auth
-
-# Fedora Core 2:
-#auth required pam_stack.so service=system-auth
-
-# Red Hat 7.3:
-#auth required /lib/security/pam_stack.so service=system-auth
-
-# SuSE 9.0: (along with "configure --with-passwd-helper" and "unix2_chkpwd")
-# auth required pam_unix2.so nullok
-
-# Distant past:
-# auth required /lib/security/pam_pwdb.so shadow nullok
diff -uNr -x '*~' xscreensaver-5.15.a/driver/xscreensaver.pam.in xscreensaver-5.15.b/driver/xscreensaver.pam.in
--- xscreensaver-5.15.a/driver/xscreensaver.pam.in 1970-01-01 09:00:00.000000000 +0900
+++ xscreensaver-5.15.b/driver/xscreensaver.pam.in 2012-06-17 04:54:59.000000000 +0900
@@ -0,0 +1,13 @@
+#%PAM-1.0
+
+# Fedora Core 5:
+auth include system-auth
+
+# SuSE 9.0: (along with "configure --with-passwd-helper" and "unix2_chkpwd")
+# auth required pam_unix2.so nullok
+
+# Distant past:
+# auth required /lib/security/pam_pwdb.so shadow nullok
+
+# Account validation
+@COMMENT_PAM_CHECK_ACCOUNT@account include system-auth
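Review bot: In the `@@ -282` hunk of driver/passwd-pam.c, `status = status2;` is placed before the "Each time we successfully authenticate, refresh credentials" comment, so when account validation has just failed the function apparently still proceeds to refresh credentials for an unlock it is about to refuse (the refresh call itself and the rest of the function are outside the hunk). Guard the refresh on the now-authoritative result, e.g. `if (status == PAM_SUCCESS)` in front of it, rather than moving the assignment later, since later code seems to reuse `status2`. The only trace of such a refusal is the `fprintf` just above, which from its closing `}` looks to be inside a verbose-only block; a one-line unconditional `fprintf (stderr, "%s: account validation failed, refusing to unlock\n", blurb());` under the same `#ifdef` would make the refusal diagnosable. The added comment would also read better as `do so here`.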
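Review bot: The new `account` line in driver/xscreensaver.pam.in is documented only as "Account validation", so an administrator editing the installed service file cannot tell that its result is honoured only by a binary built with `--enable-pam-check-account-type` and otherwise ignored, nor that the leading `#` is put there by configure rather than by hand. Replace the one-line comment with `# Account validation: the result is enforced only when xscreensaver was built` / `# with --enable-pam-check-account-type (PAM_CHECK_ACCOUNT_TYPE); configure` / `# comments this line out for the default build.` so the generated file explains its own state.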